CIS + inital

roles/wireguard_server/tasks/configure.yml

@@ -0,0 +1,34 @@
+---
+# WireGuard Configuration Tasks
+
+- name: Configure WireGuard server
+  ansible.builtin.template:
+    src: wg0.conf.j2
+    dest: "{{ wg_config_dir }}/{{ wg_interface }}.conf"
+    owner: root
+    group: root
+    mode: '0600'
+  notify: restart wireguard
+
+- name: Enable IP forwarding (if not already enabled by sysctl)
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    state: present
+    sysctl_set: yes
+    reload: yes
+
+- name: Enable WireGuard service
+  ansible.builtin.systemd:
+    name: "wg-quick@{{ wg_interface }}"
+    enabled: yes
+    state: started
+
+- name: Get WireGuard service status
+  ansible.builtin.systemd:
+    name: "wg-quick@{{ wg_interface }}"
+  register: wg_service_status
+
+- name: Display WireGuard status
+  ansible.builtin.debug:
+    msg: "WireGuard service is {{ wg_service_status.status.ActiveState }}"

roles/wireguard_server/tasks/install.yml

@@ -0,0 +1,59 @@
+---
+# WireGuard Installation Tasks
+
+- name: Install WireGuard
+  ansible.builtin.apt:
+    name:
+      - wireguard
+      - wireguard-tools
+      - qrencode
+    state: present
+    update_cache: yes
+
+- name: Create WireGuard directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: '0700'
+  loop:
+    - "{{ wg_config_dir }}"
+    - "{{ wg_keys_dir }}"
+    - "{{ wg_client_configs_dir }}"
+
+- name: Check if server private key exists
+  ansible.builtin.stat:
+    path: "{{ wg_keys_dir }}/server_private.key"
+  register: server_private_key
+
+- name: Generate server private key
+  ansible.builtin.shell: wg genkey > {{ wg_keys_dir }}/server_private.key
+  when: not server_private_key.stat.exists
+
+- name: Set server private key permissions
+  ansible.builtin.file:
+    path: "{{ wg_keys_dir }}/server_private.key"
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Generate server public key
+  ansible.builtin.shell: cat {{ wg_keys_dir }}/server_private.key | wg pubkey > {{ wg_keys_dir }}/server_public.key
+  args:
+    creates: "{{ wg_keys_dir }}/server_public.key"
+
+- name: Read server private key
+  ansible.builtin.slurp:
+    src: "{{ wg_keys_dir }}/server_private.key"
+  register: server_private_key_content
+
+- name: Read server public key
+  ansible.builtin.slurp:
+    src: "{{ wg_keys_dir }}/server_public.key"
+  register: server_public_key_content
+
+- name: Set server keys as facts
+  ansible.builtin.set_fact:
+    wg_server_private_key: "{{ server_private_key_content['content'] | b64decode | trim }}"
+    wg_server_public_key: "{{ server_public_key_content['content'] | b64decode | trim }}"

roles/wireguard_server/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+# WireGuard Server Role - Main Tasks
+
+- name: Include installation tasks
+  ansible.builtin.include_tasks: install.yml
+
+- name: Include configuration tasks
+  ansible.builtin.include_tasks: configure.yml
+
+- name: Include user management tasks
+  ansible.builtin.include_tasks: users.yml
+  when: wg_peers | length > 0

roles/wireguard_server/tasks/users.yml

@@ -0,0 +1,73 @@
+---
+# WireGuard User Management Tasks
+
+- name: Auto-allocate IPs if enabled
+  ansible.builtin.set_fact:
+    wg_peers_with_ips: "{{ wg_peers_with_ips | default([]) + [item | combine({'ip': wg_network | ansible.utils.ipaddr(wg_ip_start + idx) | ansible.utils.ipaddr('address')})] }}"
+  loop: "{{ wg_peers }}"
+  loop_control:
+    index_var: idx
+  when:
+    - wg_auto_allocate_ips | bool
+    - item.ip is not defined
+
+- name: Use provided IPs if auto-allocation disabled
+  ansible.builtin.set_fact:
+    wg_peers_with_ips: "{{ wg_peers }}"
+  when: not (wg_auto_allocate_ips | bool)
+
+- name: Generate client private keys
+  ansible.builtin.shell: wg genkey > {{ wg_keys_dir }}/{{ item.name }}_private.key
+  args:
+    creates: "{{ wg_keys_dir }}/{{ item.name }}_private.key"
+  loop: "{{ wg_peers_with_ips }}"
+
+- name: Set client private key permissions
+  ansible.builtin.file:
+    path: "{{ wg_keys_dir }}/{{ item.name }}_private.key"
+    owner: root
+    group: root
+    mode: '0600'
+  loop: "{{ wg_peers_with_ips }}"
+
+- name: Generate client public keys
+  ansible.builtin.shell: cat {{ wg_keys_dir }}/{{ item.name }}_private.key | wg pubkey > {{ wg_keys_dir }}/{{ item.name }}_public.key
+  args:
+    creates: "{{ wg_keys_dir }}/{{ item.name }}_public.key"
+  loop: "{{ wg_peers_with_ips }}"
+
+- name: Read client keys
+  ansible.builtin.shell: |
+    echo "private=$(cat {{ wg_keys_dir }}/{{ item.name }}_private.key)"
+    echo "public=$(cat {{ wg_keys_dir }}/{{ item.name }}_public.key)"
+  register: client_keys
+  loop: "{{ wg_peers_with_ips }}"
+  changed_when: false
+
+- name: Generate client configurations
+  ansible.builtin.template:
+    src: client.conf.j2
+    dest: "{{ wg_client_configs_dir }}/{{ item.item.name }}.conf"
+    owner: root
+    group: root
+    mode: '0600'
+  loop: "{{ client_keys.results }}"
+  vars:
+    client_name: "{{ item.item.name }}"
+    client_ip: "{{ item.item.ip }}"
+    client_private_key: "{{ item.stdout_lines[0].split('=')[1] }}"
+    client_public_key: "{{ item.stdout_lines[1].split('=')[1] }}"
+
+- name: Generate QR codes for mobile clients
+  ansible.builtin.shell: qrencode -t ansiutf8 < {{ wg_client_configs_dir }}/{{ item.name }}.conf > {{ wg_client_configs_dir }}/{{ item.name }}_qr.txt
+  args:
+    creates: "{{ wg_client_configs_dir }}/{{ item.name }}_qr.txt"
+  loop: "{{ wg_peers_with_ips }}"
+
+- name: Create summary file
+  ansible.builtin.template:
+    src: summary.md.j2
+    dest: "{{ wg_client_configs_dir }}/README.md"
+    owner: root
+    group: root
+    mode: '0644'