--- # Copyright (C) 2018-2020 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: Gather instance facts setup: - include_tasks: file: "{{ item }}" apply: tags: - wg-install with_first_found: - "setup-{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version }}.yml" - "setup-{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml" - "setup-{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml" - "setup-{{ ansible_distribution|lower }}.yml" - "setup-{{ ansible_os_family|lower }}.yml" tags: - wg-install - name: Enable WireGuard kernel module modprobe: name: wireguard state: present register: wireguard__register_module_enabled until: wireguard__register_module_enabled is succeeded retries: 10 delay: 10 failed_when: wireguard__register_module_enabled is failure tags: - wg-install when: not ansible_os_family == 'Darwin' - name: Generate keys | Check wg syncconf subcommand status block: - name: Register if config/private key already exists on target host stat: path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" register: wireguard__register_config_file - name: Get wg subcommands command: "wg --help" register: wireguard__register_subcommands changed_when: false check_mode: false - name: Check if wg syncconf subcommand is available set_fact: wg_syncconf: "{{ 'syncconf:' in wireguard__register_subcommands.stdout }}" - name: Show syncconf subcommand status debug: var: wg_syncconf tags: - wg-generate-keys - wg-config - name: WireGuard private key handling for new keys block: - name: Generate WireGuard private key command: "wg genkey" register: wireguard__register_private_key changed_when: false no_log: '{{ ansible_verbosity < 3 }}' tags: - wg-generate-keys - name: Set private key fact set_fact: wireguard_private_key: "{{ wireguard__register_private_key.stdout }}" no_log: '{{ ansible_verbosity < 3 }}' tags: - wg-generate-keys when: - not wireguard__register_config_file.stat.exists - wireguard_private_key is not defined - name: WireGuard private key handling for existing keys block: - name: Read WireGuard config file slurp: src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" register: wireguard__register_config no_log: '{{ ansible_verbosity < 3 }}' tags: - wg-config - name: Set private key fact set_fact: wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}" no_log: '{{ ansible_verbosity < 3 }}' tags: - wg-config when: - wireguard__register_config_file.stat.exists - wireguard_private_key is not defined - name: Derive WireGuard public key command: "wg pubkey" args: stdin: "{{ wireguard_private_key }}" register: wireguard__register_public_key changed_when: false check_mode: false no_log: '{{ ansible_verbosity < 3 }}' tags: - wg-config - name: Set public key fact set_fact: wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}" tags: - wg-config - name: Create WireGuard configuration directory file: dest: "{{ wireguard_remote_directory }}" state: directory mode: 0700 tags: - wg-config - name: Generate WireGuard configuration file template: src: etc/wireguard/wg.conf.j2 dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" owner: "{{ wireguard_conf_owner }}" group: "{{ wireguard_conf_group }}" mode: "{{ wireguard_conf_mode }}" no_log: '{{ ansible_verbosity < 3 }}' tags: - wg-config notify: - reconfigure wireguard - name: Ensure legacy reload-module-on-update is absent file: dest: "{{ wireguard_remote_directory }}/.reload-module-on-update" state: absent tags: - wg-config - name: Start and enable WireGuard service service: name: "wg-quick@{{ wireguard_interface }}" state: "{{ wireguard_service_state }}" enabled: "{{ wireguard_service_enabled }}" when: not ansible_os_family == 'Darwin'