Initial commit

2024-10-30 01:50:38 +01:00
commit 587ca23374
147 changed files with 7521 additions and 0 deletions
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+# Install required packages
+- name: Install required packages
+  ansible.builtin.include_tasks: prepare.yml
+
+# Configure wireguard interfaces
+- name: Configure wireguard interfaces
+  ansible.builtin.include_tasks: server.yml
+  loop: "{{ wireguard_interfaces | default([]) }}"
+
+# Configure wireguard peers
+- name: Configure wireguard peers
+  ansible.builtin.include_tasks: peer.yml
+  loop: "{{ wireguard_peers | default([]) }}"
+  loop_control:
+    loop_var: wgpeer
+    label: "{{ wgpeer }}"
+
+# Apply changes and reload network service
+- name: Apply changes and reload network
+  uci:
+    command: commit
+  notify: Reload network
--- a/roles/wireguard/tasks/peer.yml
+++ b/roles/wireguard/tasks/peer.yml
@@ -0,0 +1,128 @@
+---
+# Configure user-defined wireguard peer
+- name: Configure user-defined wireguard peer
+  when: wgpeer is defined and wgpeer | type_debug == "dict"
+  block:
+    # Set state status for wireguard peer
+    - name: Set state status for wireguard peer {{ wgpeer.id }}
+      ansible.builtin.set_fact:
+        wireguard_peer_state: "{{ wgpeer.state | default('present') }}"
+
+    # Delete wireguard peer
+    - name: Delete wireguard peer {{ wgpeer.id }}
+      when: "'absent' in wireguard_peer_state"
+      uci:
+        command: "absent"
+        config: "network"
+        section: "{{ wgpeer.id }}"
+        type: "wireguard_{{ wgpeer.wireguard_interface_name }}"
+
+    # Create and configure wireguard peer
+    - name: Create and configure wireguard peer
+      when: "'present' in wireguard_peer_state"
+      block:
+        # Create wireguard peer
+        - name: Create wireguard peer {{ wgpeer.id }}
+          uci:
+            command: "add"
+            config: "network"
+            section: "{{ wgpeer.id }}"
+            type: "wireguard_{{ wgpeer.wireguard_interface_name }}"
+
+        # Configure wireguard peer
+        - name: Configure wireguard peer {{ wgpeer.id }}
+          uci:
+            command: "set"
+            config: "network"
+            section: "{{ wgpeer.id }}"
+            type: "wireguard_{{ wgpeer.wireguard_interface_name }}"
+            value:
+              description: "{{ wgpeer.name | default(omit) }}"
+              public_key: "{{ wgpeer.public_key | default(omit) }}"
+              preshared_key: "{{ wgpeer.preshared_key | default(omit) }}"
+              endpoint_host: "{{ wgpeer.endpoint_host | default(omit) }}"
+              endpoint_port: "{{ wgpeer.endpoint_port | default(omit) }}"
+              route_allowed_ips: "{{ wgpeer.route_allowed_ips | default(omit) }}"
+              persistent_keepalive: "{{ wgpeer.persistent_keepalive | default(omit) }}"
+              allowed_ips: "{{ wgpeer.allowed_ips | default([]) | join(' ') }}"
+
+# Generate wireguard peer
+- name: Generate wireguard peer
+  when: wgpeer is defined and wgpeer | type_debug == "str"
+  block:
+    # Create wireguard peer
+    - name: Create wireguard peer {{ wgpeer }}
+      uci:
+        command: "add"
+        config: "network"
+        section: "{{ wgpeer }}"
+        type: "{{ wireguard_interface_name }}"
+
+    # Check current wireguard private key
+    - name: Check current wireguard private key
+      uci:
+        command: "get"
+        config: "network"
+        section: "{{ wgpeer }}.private_key"
+        type: "{{ wireguard_interface_name }}"
+      register: current_wireguard_private_key
+      failed_when: >
+        current_wireguard_private_key.result is undefined and
+        'Entry not found' not in current_wireguard_private_key.result
+
+    # Set current generated wireguard private key fact
+    - name: Set current wireguard private key fact
+      ansible.builtin.set_fact:
+        wireguard_private_key: "{{ current_wireguard_private_key.result }}"
+      when: >
+        (current_wireguard_private_key.result is defined and
+        current_wireguard_private_key.result | length > 0) and
+        'Entry not found' not in current_wireguard_private_key.result
+
+    # Generate wireguard key pair
+    - name: Generate wireguard key pair
+      when: >
+        current_wireguard_private_key.result is undefined or
+        'Entry not found' in current_wireguard_private_key.result
+      block:
+        # Generate wireguard private key
+        - name: Generate wireguard private key
+          ansible.builtin.command:
+            cmd: "umask go= && wg genkey"
+            uses_shell: true
+          register: new_wireguard_private_key
+
+        # Set newely generated wireguard private key fact
+        - name: Set newely generated wireguard private key fact
+          ansible.builtin.set_fact:
+            wireguard_private_key: "{{ new_wireguard_private_key.stdout }}"
+
+        # Generate wireguard public key
+        - name: Generate wireguard public key
+          ansible.builtin.command:
+            cmd: 'umask go= && echo "{{ wireguard_private_key }}" | wg pubkey'
+            uses_shell: true
+          register: wireguard_public_key
+
+        # Generate wireguard preshared key
+        - name: Generate wireguard preshared key
+          ansible.builtin.command:
+            cmd: "umask go= && wg genpsk"
+            uses_shell: true
+          register: wireguard_preshared_key
+
+    # Configure wireguard peer
+    - name: Configure wireguard peer {{ wgpeer }}
+      uci:
+        command: "set"
+        config: "network"
+        section: "{{ wgpeer }}"
+        type: "{{ wireguard_interface_name }}"
+        value:
+          description: "{{ wgpeer }}"
+          private_key: "{{ wireguard_private_key | default(omit) }}"
+          public_key: "{{ wireguard_public_key.stdout | default(omit) }}"
+          preshared_key: "{{ wireguard_preshared_key.stdout | default(omit) }}"
+          route_allowed_ips: "1"
+          persistent_keepalive: "25"
+          allowed_ips: "{{ wireguard_interface_addresses | ansible.utils.ipmath(ansible_loop.index) }}"
--- a/roles/wireguard/tasks/prepare.yml
+++ b/roles/wireguard/tasks/prepare.yml
@@ -0,0 +1,13 @@
+---
+# Update opkg cache
+- name: Update opkg cache
+  ansible.builtin.command:
+    cmd: "opkg update"
+  changed_when: false
+
+# Install wireguard packages
+- name: Install wireguard packages
+  opkg:
+    name: "{{ item }}"
+    state: "present"
+  loop: "{{ wireguard_pkgs }}"
--- a/roles/wireguard/tasks/server.yml
+++ b/roles/wireguard/tasks/server.yml
@@ -0,0 +1,111 @@
+---
+# Set state status for wireguard interface
+- name: Set state status for wireguard interface {{ item.id }}
+  ansible.builtin.set_fact:
+    wireguard_interface_state: "{{ item.state | default('present') }}"
+
+# Delete wireguard interface
+- name: Delete wireguard interface {{ item.id }}
+  when: "'absent' in wireguard_interface_state"
+  uci:
+    command: "absent"
+    config: "network"
+    section: "{{ item.id }}"
+    type: "interface"
+
+# Create and configure wireguard interface
+- name: Create and configure user-defined wireguard interface
+  when: "'present' in wireguard_interface_state"
+  block:
+    # Create wireguard interface
+    - name: Create wireguard interface {{ item.id }}
+      uci:
+        command: "add"
+        config: "network"
+        section: "{{ item.id }}"
+        type: "interface"
+
+    # Configure wireguard interface
+    - name: Configure user-defined wireguard interface {{ item.id }}
+      when: >
+        item.private_key is defined and
+        item.private_key | length > 0
+      uci:
+        command: "set"
+        config: "network"
+        section: "{{ item.id }}"
+        type: "interface"
+        value:
+          proto: "{{ item.proto | default(omit) }}"
+          private_key: "{{ item.private_key | default(omit) }}"
+          addresses: "{{ item.addresses | default(omit) }}"
+          listen_port: "{{ item.listen_port | default(omit) }}"
+
+    # Configure new wireguard interface
+    - name: Configure new wireguard interface
+      when: >
+        item.private_key is undefined or
+        item.private_key | length == 0
+      block:
+        # Check current wireguard private key
+        - name: Check current wireguard private key
+          uci:
+            command: "get"
+            config: "network"
+            section: "{{ item.id }}.private_key"
+            type: "interface"
+          register: current_wireguard_private_key
+          failed_when: >
+            current_wireguard_private_key.result is undefined and
+            'Entry not found' not in current_wireguard_private_key.result
+
+        # Set current generated wireguard private key fact
+        - name: Set current wireguard private key fact
+          ansible.builtin.set_fact:
+            wireguard_private_key: "{{ current_wireguard_private_key.result }}"
+          when: >
+            (current_wireguard_private_key.result is defined and
+            current_wireguard_private_key.result | length > 0) and
+            'Entry not found' not in current_wireguard_private_key.result
+
+        # Generate wireguard private key
+        - name: Generate wireguard private key
+          ansible.builtin.command:
+            cmd: "umask go= && wg genkey"
+            uses_shell: true
+          register: new_wireguard_private_key
+          when: >
+            current_wireguard_private_key.result is undefined or
+            'Entry not found' in current_wireguard_private_key.result
+
+        # Set newely generated wireguard private key fact
+        - name: Set newely generated wireguard private key fact
+          ansible.builtin.set_fact:
+            wireguard_private_key: "{{ new_wireguard_private_key.stdout }}"
+          when: >
+            new_wireguard_private_key.stdout is defined and
+            new_wireguard_private_key.stdout | length > 0
+
+        # Configure wireguard interface
+        - name: Configure wireguard interface {{ item.id }}
+          uci:
+            command: "set"
+            config: "network"
+            section: "{{ item.id }}"
+            type: "interface"
+            value:
+              proto: "{{ item.proto | default(omit) }}"
+              private_key: "{{ wireguard_private_key }}"
+              addresses: "{{ item.addresses | default(omit) }}"
+              listen_port: "{{ item.listen_port | default(omit) }}"
+
+    # Configure wireguard peers
+    - name: Configure wireguard peers
+      ansible.builtin.include_tasks: peer.yml
+      vars:
+        wireguard_interface_name: "wireguard_{{ item.id }}"
+        wireguard_interface_addresses: "{{ item.addresses }}"
+      loop: "{{ item.peers | default([]) }}"
+      loop_control:
+        extended: true
+        loop_var: wgpeer