ansible.fftdf.supernode/roles/21-install-wireguard/tasks/main.yml


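---
# Install the WireGuard userspace tools from the distribution repository.
# Written in block YAML with the FQCN module name, matching the rest of the
# role (the original used the key=value string form and `with_items`).
# NOTE(review): state=latest upgrades the package on every run; this is the
# original behaviour and is kept here, but it means the tool version is not
# pinned — confirm that is intended for this host class.
- name: Install Wireguard
  ansible.builtin.apt:
    name: "{{ item }}"
    state: latest
    update_cache: true
  loop:
    - wireguard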
# Probe for an existing interface config; the two key-handling blocks below
# branch on `stat.exists` to decide between generating and re-reading a key.
- name: Register if config/private key already exists on target host
  tags:
    - wg-generate-keys
    - wg-config
  register: wireguard__register_config_file
  ansible.builtin.stat:
    path: /etc/wireguard/vpn01.conf
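# Fresh host: no config on disk and no key supplied by the caller, so a
# private key is generated on the target. Both tasks handle the raw private
# key (registered stdout / fact value), so they run with no_log to keep it
# out of play output, callbacks and log files.
- name: WireGuard private key handling for new keys
  when:
    - not wireguard__register_config_file.stat.exists
    - wireguard_private_key is not defined
  block:
    - name: Generate WireGuard private key
      ansible.builtin.command: "wg genkey"
      register: wireguard__register_private_key
      changed_when: false
      # Run in --check too; otherwise the task is skipped, the register has
      # no stdout and the following set_fact fails (same as "Derive WireGuard
      # public key" below).
      check_mode: false
      no_log: true
      tags:
        - wg-generate-keys
    - name: Set private key fact
      ansible.builtin.set_fact:
        wireguard_private_key: "{{ wireguard__register_private_key.stdout }}"
      no_log: true
      tags:
        - wg-generate-keys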
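# Existing host: recover the private key from the config already on disk so
# the template task does not rotate it. The slurped content and the resulting
# fact both contain the private key, hence no_log on both tasks (without it
# the base64 file content is printed at -v).
- name: WireGuard private key handling for existing keys
  when:
    - wireguard__register_config_file.stat.exists
    - wireguard_private_key is not defined
  block:
    - name: Read WireGuard config file
      ansible.builtin.slurp:
        src: /etc/wireguard/vpn01.conf
      register: wireguard__register_config
      no_log: true
      tags:
        - wg-config
    - name: Set private key fact
      ansible.builtin.set_fact:
        # Assumes exactly the "PrivateKey = <key>" line format the template
        # writes; `first` raises if no line matches.
        wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
      no_log: true
      tags:
        - wg-config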
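# Derive the public key from the private key via stdin (never on the command
# line, where it would show in the process list). The private key is part of
# the module arguments, so no_log keeps it out of -v invocation output.
- name: Derive WireGuard public key
  ansible.builtin.command: "wg pubkey"
  args:
    stdin: "{{ wireguard_private_key }}"
  register: wireguard__register_public_key
  changed_when: false
  check_mode: false
  no_log: true
  tags:
    - wg-config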
# Expose the derived public key as a role fact (e.g. for peer templates on
# other hosts). Public material only — no log suppression needed here.
- name: Set public key fact
  tags:
    - wg-config
  ansible.builtin.set_fact:
    wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}"
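# Directory that will hold the interface config (and with it the private
# key): root-only. The mode is quoted so it is passed as the octal string
# "0700" rather than relying on YAML 1.1 octal parsing of a bare 0700.
- name: Create WireGuard configuration directory
  ansible.builtin.file:
    path: /etc/wireguard/
    state: directory
    owner: root
    group: root
    mode: "0700"
  tags:
    - wg-config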
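# Render the interface config. It contains the private key, so it must not be
# readable by anyone but root: the original `mode: 755` (unquoted, no leading
# zero — Ansible treats it as decimal and warns) left the file world-readable
# and executable. "0600" is what wg-quick expects for this file.
- name: Generate WireGuard configuration file
  ansible.builtin.template:
    src: wg.conf.j2
    dest: /etc/wireguard/vpn01.conf
    owner: root
    group: root
    mode: "0600"
  tags:
    - wg-config
  notify:
    - reconfigure wireguard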
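# Bring the interface up now and on boot via the systemd wg-quick unit.
# `enabled` uses the canonical boolean `true` instead of the YAML 1.1 `yes`.
- name: Start and enable WireGuard service
  ansible.builtin.service:
    name: "wg-quick@vpn01"
    state: started
    enabled: true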