author | Elizabeth Hunt <elizabeth.hunt@simponic.xyz> | 2024-05-01 01:33:35 -0700 |
committer | Elizabeth Hunt <elizabeth.hunt@simponic.xyz> | 2024-05-01 01:33:35 -0700 |
commit | bbad09e2b15eeca86f83a9d2a97449baf71e326f (patch) | |
tree | 9d10c3ec94ae11a7cd28131bbcf5d553245006ec /playbooks/roles/wireguard-mesh | |
download | mmt-infra-bbad09e2b15eeca86f83a9d2a97449baf71e326f.tar.gz mmt-infra-bbad09e2b15eeca86f83a9d2a97449baf71e326f.zip |
init
Diffstat (limited to 'playbooks/roles/wireguard-mesh')
-rw-r--r-- | playbooks/roles/wireguard-mesh/tasks/main.yml | 80 | ||||
-rw-r--r-- | playbooks/roles/wireguard-mesh/templates/mmtmesh.conf.j2 | 17 |
2 files changed, 97 insertions, 0 deletions
diff --git a/playbooks/roles/wireguard-mesh/tasks/main.yml b/playbooks/roles/wireguard-mesh/tasks/main.yml
new file mode 100644
index 0000000..9f9419f
--- /dev/null
+++ b/playbooks/roles/wireguard-mesh/tasks/main.yml
@@ -0,0 +1,80 @@
+---
+
+- name: Install wireguard
+ ansible.builtin.apt:
+ name:
+ - wireguard
+ - ufw
+ state: present
+
+- name: Get node ips from dns records
+ ansible.builtin.shell: "dig +short {{ item }} | tail -n1"
+ register: wireguard_node_ip
+ with_items: "{{ groups['wireguard-mesh'] }}"
+
+- name: Massage node ips
+ ansible.builtin.set_fact: >
+ wireguard_node_ips={{ wireguard_node_ips|default({})
+ | combine( {item.item: item.stdout} ) }}
+ with_items: "{{ wireguard_node_ip.results }}"
+
+- name: Allow wireguard endpoint ufw
+ ansible.builtin.ufw:
+ rule: allow
+ port: "{{ wireguard_listen_port }}"
+ proto: 'udp'
+
+- name: Generate Wireguard keypair
+ ansible.builtin.shell: >
+ wg genkey | tee /etc/wireguard/privatekey
+ | wg pubkey | tee /etc/wireguard/publickey
+ args:
+ creates: /etc/wireguard/privatekey
+
+- name: Register private key
+ ansible.builtin.shell: cat /etc/wireguard/privatekey
+ register: wireguard_private_key
+ changed_when: false
+
+- name: Register public key
+ ansible.builtin.shell: cat /etc/wireguard/publickey
+ register: wireguard_public_key
+ changed_when: false
+
+- name: Generate Preshared keyskeypair
+ ansible.builtin.shell: "wg genpsk > /etc/wireguard/psk-{{ item }}"
+ args:
+ creates: "/etc/wireguard/psk-{{ item }}"
+ when: inventory_hostname < item
+ with_items: "{{ groups['wireguard-mesh'] }}"
+
+- name: Register preshared key
+ ansible.builtin.shell: "cat /etc/wireguard/psk-{{ item }}"
+ register: wireguard_preshared_key
+ changed_when: false
+ when: inventory_hostname < item
+ with_items: "{{ groups['wireguard-mesh'] }}"
+
+- name: Massage preshared keys
+ ansible.builtin.set_fact: >
+ wireguard_preshared_keys={{ wireguard_preshared_keys|default({})
+ | combine( {item.item: item.stdout} ) }}
+ when: item.skipped is not defined
+ with_items: "{{ wireguard_preshared_key.results }}"
+
+- name: Build config
+ ansible.builtin.template:
+ src: mmtmesh.conf.j2
+ dest: /etc/wireguard/mmtmesh.conf
+ owner: root
+ mode: 0640
+
+- name: Enable wireguard
+ ansible.builtin.systemd:
+ name: wg-quick@mmtmesh
+ enabled: true
+
+- name: Hotreload wireguard
+ ansible.builtin.shell: >
+ bash -c
+ "wg syncconf mmtmesh <(wg-quick strip mmtmesh)"
diff --git a/playbooks/roles/wireguard-mesh/templates/mmtmesh.conf.j2 b/playbooks/roles/wireguard-mesh/templates/mmtmesh.conf.j2
new file mode 100644
index 0000000..aa15d23
--- /dev/null
+++ b/playbooks/roles/wireguard-mesh/templates/mmtmesh.conf.j2
@@ -0,0 +1,17 @@
+[Interface]
+Address={{ wireguard_node_ips[inventory_hostname] }}/32
+SaveConfig=true
+ListenPort={{ wireguard_listen_port }}
+PrivateKey={{ wireguard_private_key.stdout }}
+
+{% for peer in groups['wireguard-mesh'] %}
+{% if peer != inventory_hostname %}
+
+[Peer]
+PublicKey={{ hostvars[peer].wireguard_public_key.stdout }}
+PresharedKey={{ wireguard_preshared_keys[peer] if inventory_hostname < peer else hostvars[peer].wireguard_preshared_keys[inventory_hostname] }}
+AllowedIPs={{ wireguard_node_ips[peer] }}/32
+Endpoint={{ peer | replace('.int.', '.pub.') }}:{{ wireguard_listen_port }}
+
+{% endif %}
+{% endfor %} |
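Review bot: The key files written by `wg genkey | tee /etc/wireguard/privatekey` and `wg genpsk > /etc/wireguard/psk-{{ item }}` are created under the shell's default umask, so the private key and the preshared keys are most likely world-readable on the node; prefix both commands with `umask 077 &&` (the pairing wg's own documentation uses) or follow them with an `ansible.builtin.file` task setting `mode: "0600"`. The "Register private key" and "Register preshared key" tasks capture the key contents into registered variables and need `no_log: true`, otherwise the key material shows up in verbose output and callback logs. `mode: 0640` on the "Build config" task should be quoted as `mode: "0640"` so the YAML loader does not turn it into an integer. "Enable wireguard" only enables the unit and "Hotreload wireguard" runs unconditionally with no `changed_when`, so on a fresh node `wg syncconf` is applied to an interface that was never started; adding `state: started` to the systemd task and turning the reload into a handler notified by "Build config" would make the role idempotent.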
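Review bot: `SaveConfig=true` makes wg-quick rewrite /etc/wireguard/mmtmesh.conf from the interface's runtime state when it goes down, so the file rendered by this template is overwritten on the node and later template runs may report a change and re-render over whatever was saved; since the whole config is generated here, `SaveConfig=false` (or dropping the line) keeps the rendered file authoritative. The `Endpoint` line assumes every inventory name contains `.int.`; a peer name without it would silently keep its internal name as the public endpoint, which deserves a comment such as `{# peer names are <host>.int.<domain>; the public endpoint is the .pub. counterpart #}`. The rendered file holds the private key and every preshared key in plaintext, so the `mode` set on the template task is the only protection for that material.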