commit bc06adc15a9957d633939bc6cfac436946b2497a
Author: Vi Truchseß
Date: Wed Feb 8 15:04:36 2023 +0100
initial commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e020e85
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+# wg-roadwarrior
+Ansible Playbook for a simple Wireguard VPN
+
+# License
+All code In this repository is piblished as Public Domain and may be used by anyone without any restrictions
diff --git a/hosts example.yml b/hosts example.yml
new file mode 100644
index 0000000..eea9f13
--- /dev/null
+++ b/hosts example.yml
@@ -0,0 +1,30 @@
+all:
+ children:
+ wg_server:
+ hosts:
+ vpnserver:
+ wg_key: q2w3e4r5t6
+ wg_ip4: "10.0.0.0/24"
+ wg_ip6: "fd01::/64"
+ wg_dns: "1.2.3.4"
+ wg_hostname: "vpn.example.com"
+ wg_port: "666"
+ wg_routes:
+ - "0.0.0.0/0"
+ - "::/0"
+ wg_interface: "wg0"
+ wg_extraconf:
+ - "PostUp = ip6tables -t nat -A POSTROUTING -s fd01::/64 -o eth0 ! -d fc00::/7 -j MASQUERADE"
+ - "PreDown = ip6tables -t nat -D POSTROUTING -s fd01::/64 -o eth0 ! -d fc00::/7 -j MASQUERADE"
+ wg_clients:
+ hosts:
+ client_1:
+ wg_key: asdfg
+ wg_ip4: "10.0.0.2"
+ wg_ip6: "fd01::2"
+ clinet_2:
+ wg_key: qwerty
+ wg_ip4: "10.0.0.3"
+ wg_ip6: "fd01::3"
+
+# vim: shiftwidth=2
diff --git a/wg_client.j2 b/wg_client.j2
new file mode 100644
index 0000000..b09868f
--- /dev/null
+++ b/wg_client.j2
@@ -0,0 +1,18 @@
+{% set client = hostvars[item] %}
+{% set servername = groups['wg_server'][0] %}
+{% set server = hostvars[servername] %}
+[Interface]
+PrivateKey = {{ client.wg_key }}
+{% if client.wg_ip4 | default(false) %}
+Address = {{ client.wg_ip4 }}
+{% endif %}
+{% if client.wg_ip6 | default(false) %}
+Address = {{ client.wg_ip6 }}
+{% endif %}
+DNS = {{ server.wg_dns }}
+
+[Peer]
+PublicKey = {{ server_pubkey.stdout }}
+Endpoint = {{ server.wg_hostname }}:{{ server.wg_port }}
+AllowedIPs = {{ server.wg_routes | join(',') }}
+PersistentKeepalive = 25
\ No newline at end of file
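Review bot: `wg_key` on `vpnserver`, `client_1` and `clinet_2` is the interface PrivateKey (both templates render it straight into `PrivateKey =`), so a real inventory built from this example would hold the server's and every client's private key in clear text next to the hostnames, and nothing in the file says so. A comment above `vpnserver` such as `# wg_key is the WireGuard private key of this host; keep it vaulted (ansible-vault encrypt_string), never in clear text` and an `!vault` value in place of the plain scalar would make the example safe to copy. `clinet_2` looks like a typo for `client_2`; the name is also used as the peer label and as part of the generated client config file name, so it is worth fixing here. The file name `hosts example.yml` contains a space, which every `-i` invocation then has to quote.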
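Review bot: The template reads three inputs it does not define — `item` (the client hostname from the calling task's loop), `server_pubkey.stdout` (registered by the `generate server pubkey` task) and `groups['wg_server'][0]` — and nothing in the file documents this; rendered from anywhere else it fails on an undefined variable, and if `wg_server` ever holds more than one host only the first is used silently. A `{# … #}` header stating the contract would help, e.g. `{# Rendered per client by wireguard.yml with item = client hostname; expects server_pubkey (registered) and exactly one host in wg_server #}`. `DNS = {{ server.wg_dns }}` is rendered unconditionally while both `Address` lines are guarded, so a server entry without `wg_dns` presumably fails the render; guarding it the same way as the addresses would be consistent with the rest of the template.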
diff --git a/wg_server.j2 b/wg_server.j2
new file mode 100644
index 0000000..c2b2e7e
--- /dev/null
+++ b/wg_server.j2
@@ -0,0 +1,31 @@
+[Interface]
+PrivateKey = {{ wg_key }}
+ListenPort = {{ wg_port }}
+{% if wg_ip4 | default(false) %}
+Address = {{ wg_ip4 }}
+{% endif %}
+{% if wg_ip6 | default(false) %}
+Address = {{ wg_ip6 }}
+{% endif %}
+{% if wg_extraconf | default(false) %}
+{% for line in wg_extraconf %}
+{{ line }}
+{% endfor %}
+{% endif %}
+
+{% for clientname in groups['wg_clients'] %}
+{% set ip4 = hostvars[clientname].wg_ip4 | default(false) %}
+{% set ip6 = hostvars[clientname].wg_ip6 | default(false) %}
+{% set wg_pubkey = pubkeys.results | selectattr('item', 'match', clientname) | map(attribute='stdout') | first %}
+#{{ clientname }}
+[Peer]
+PublicKey = {{ wg_pubkey }}
+{% if ip4 and ip6 %}
+AllowedIPs = {{ ip4 }},{{ ip6 }}
+{% elif ip4 %}
+AllowedIPs = {{ ip4 }}
+{% elif ip6 %}
+AllowedIPs = {{ ip6 }}
+{% endif %}
+
+{% endfor %}
\ No newline at end of file
diff --git a/wireguard.yml b/wireguard.yml
new file mode 100644
index 0000000..56a2904
--- /dev/null
+++ b/wireguard.yml
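Review bot: `selectattr('item', 'match', clientname)` on the `wg_pubkey` line is a regex prefix match, so when one client name is a prefix of another (`client_1` and `client_10`, say) `first` can hand a peer the wrong client's public key depending on the order of `pubkeys.results`, and a hostname containing regex metacharacters matches loosely as well. An exact comparison is what is meant: `{% set wg_pubkey = pubkeys.results | selectattr('item', 'equalto', clientname) | map(attribute='stdout') | first %}`. Binding the wrong key to a peer's `AllowedIPs` silently lets the wrong client claim those addresses, so this should not depend on inventory order. Separately, a client with neither `wg_ip4` nor `wg_ip6` still gets a `[Peer]` stanza with no `AllowedIPs`, which WireGuard accepts but which routes nothing; failing the render in that case would surface the misconfiguration earlier.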
@@ -0,0 +1,54 @@
+- name: Setup Wireguard server
+ hosts: wg_server
+ tasks:
+ - name: Install wireguard
+ apt:
+ name:
+ - wireguard
+ - wireguard-tools
+ state: present
+ when: ansible_facts['os_family'] == "Debian"
+ - name: generate public keys
+ shell: "echo \"{{ hostvars[item].wg_key }}\" | wg pubkey"
+ register: pubkeys
+ delegate_to: localhost
+ changed_when: false
+ with_items: "{{ groups['wg_clients'] | list }}"
+ - name: Generate Server wg-config
+ template:
+ src: wg_server.j2
+ dest: "/etc/wireguard/{{ wg_interface }}.conf"
+ notify: read wg config
+# - name: Gemerate debian-specific interface-config
+# template:
+# src: debian_interface.j2
+# dest: "/etc/network/interfaces.d/{{ wg_interface }}"
+# when: ansible_facts['os_family'] == "Debian"
+# notify: reload interface
+ - name: Start and enable wg-quick service
+ service:
+ name: "wg-quick@{{ wg_interface }}"
+ state: started
+ enabled: true
+ handlers:
+ - name: read wg config
+ shell: "wg syncconf {{ wg_interface }} <(wg-quick strip {{ wg_interface }})"
+# command: "wg setconf {{ wg_interface }} /etc/wireguard/{{ wg_interface }}.conf"
+# - name: reload interface
+# shell: "ifdown {{ wg_interface }}; ifup {{ wg_interface }}"
+- name: Generate client configs
+ hosts: localhost
+ tasks:
+ - name: Ensure cient conf directory exists
+ file:
+ path: wg_clients
+ state: directory
+ - name: generate server pubkey
+ shell: "echo \"{{ hostvars[groups['wg_server'][0]].wg_key }}\" | wg pubkey"
+ register: server_pubkey
+ changed_when: false
+ - name: generate client config
+ template:
+ src: wg_client.j2
+ dest: "wg_clients/wg_{{ item }}.conf"
+ with_items: "{{ groups['wg_clients'] | list }}"
\ No newline at end of file