infra/playbooks/roles/wireguard-mesh/tasks/main.yml

---

- name: Install wireguard
  ansible.builtin.apt:
    name:
      - wireguard
      - ufw
    state: present

- name: Get node ips from dns records
  ansible.builtin.shell: "dig +short {{ item }} | tail -n1"
  register: wireguard_node_ip
  with_items: "{{ groups['wireguard-mesh'] }}"

- name: Massage node ips
  ansible.builtin.set_fact: >
    wireguard_node_ips={{ wireguard_node_ips|default({})
    | combine( {item.item: item.stdout} ) }}
  with_items: "{{ wireguard_node_ip.results }}"

- name: Allow wireguard endpoint ufw
  ansible.builtin.ufw:
    rule: allow
    port: "{{ wireguard_listen_port }}"
    proto: 'udp'

- name: Generate Wireguard keypair
  ansible.builtin.shell: >
    wg genkey | tee /etc/wireguard/privatekey
    | wg pubkey | tee /etc/wireguard/publickey
  args:
    creates: /etc/wireguard/privatekey

- name: Register private key
  ansible.builtin.shell: cat /etc/wireguard/privatekey
  register: wireguard_private_key
  changed_when: false

- name: Register public key
  ansible.builtin.shell: cat /etc/wireguard/publickey
  register: wireguard_public_key
  changed_when: false

- name: Generate Preshared keyskeypair
  ansible.builtin.shell: "wg genpsk > /etc/wireguard/psk-{{ item }}"
  args:
    creates: "/etc/wireguard/psk-{{ item }}"
  when: inventory_hostname < item
  with_items: "{{ groups['wireguard-mesh'] }}"

- name: Register preshared key
  ansible.builtin.shell: "cat /etc/wireguard/psk-{{ item }}"
  register: wireguard_preshared_key
  changed_when: false
  when: inventory_hostname < item
  with_items: "{{ groups['wireguard-mesh'] }}"

- name: Massage preshared keys
  ansible.builtin.set_fact: >
    wireguard_preshared_keys={{ wireguard_preshared_keys|default({})
    | combine( {item.item: item.stdout} ) }}
  when: item.skipped is not defined
  with_items: "{{ wireguard_preshared_key.results }}"

- name: Build config
  ansible.builtin.template:
    src: inframesh.conf.j2
    dest: /etc/wireguard/inframesh.conf
    owner: root
    mode: 0640

- name: Enable wireguard
  ansible.builtin.systemd:
    name: wg-quick@inframesh
    enabled: true

- name: Hotreload wireguard
  ansible.builtin.shell: >
    bash -c
    "wg syncconf inframesh <(wg-quick strip inframesh)"
wireguard 2024-03-24 22:51:07 -04:00			`---`

			`- name: Install wireguard`
			`ansible.builtin.apt:`
			`name:`
			`- wireguard`
			`- ufw`
			`state: present`

			`- name: Get node ips from dns records`
			`ansible.builtin.shell: "dig +short {{ item }} \| tail -n1"`
			`register: wireguard_node_ip`
			`with_items: "{{ groups['wireguard-mesh'] }}"`

			`- name: Massage node ips`
			`ansible.builtin.set_fact: >`
			`wireguard_node_ips={{ wireguard_node_ips\|default({})`
			`\| combine( {item.item: item.stdout} ) }}`
			`with_items: "{{ wireguard_node_ip.results }}"`

			`- name: Allow wireguard endpoint ufw`
			`ansible.builtin.ufw:`
			`rule: allow`
			`port: "{{ wireguard_listen_port }}"`
			`proto: 'udp'`

			`- name: Generate Wireguard keypair`
			`ansible.builtin.shell: >`
			`wg genkey \| tee /etc/wireguard/privatekey`
			`\| wg pubkey \| tee /etc/wireguard/publickey`
			`args:`
			`creates: /etc/wireguard/privatekey`

			`- name: Register private key`
			`ansible.builtin.shell: cat /etc/wireguard/privatekey`
			`register: wireguard_private_key`
			`changed_when: false`

			`- name: Register public key`
			`ansible.builtin.shell: cat /etc/wireguard/publickey`
			`register: wireguard_public_key`
			`changed_when: false`

			`- name: Generate Preshared keyskeypair`
			`ansible.builtin.shell: "wg genpsk > /etc/wireguard/psk-{{ item }}"`
			`args:`
			`creates: "/etc/wireguard/psk-{{ item }}"`
			`when: inventory_hostname < item`
			`with_items: "{{ groups['wireguard-mesh'] }}"`

			`- name: Register preshared key`
			`ansible.builtin.shell: "cat /etc/wireguard/psk-{{ item }}"`
			`register: wireguard_preshared_key`
			`changed_when: false`
			`when: inventory_hostname < item`
			`with_items: "{{ groups['wireguard-mesh'] }}"`

			`- name: Massage preshared keys`
			`ansible.builtin.set_fact: >`
			`wireguard_preshared_keys={{ wireguard_preshared_keys\|default({})`
			`\| combine( {item.item: item.stdout} ) }}`
			`when: item.skipped is not defined`
			`with_items: "{{ wireguard_preshared_key.results }}"`

			`- name: Build config`
			`ansible.builtin.template:`
			`src: inframesh.conf.j2`
			`dest: /etc/wireguard/inframesh.conf`
			`owner: root`
			`mode: 0640`

			`- name: Enable wireguard`
			`ansible.builtin.systemd:`
			`name: wg-quick@inframesh`
			`enabled: true`

			`- name: Hotreload wireguard`
			`ansible.builtin.shell: >`
			`bash -c`
			`"wg syncconf inframesh <(wg-quick strip inframesh)"`