From 5cd12c15dc4dafb637eb4d3e7b3f76755274d9ac Mon Sep 17 00:00:00 2001
From: Alex
Date: Sat, 16 May 2020 22:07:04 +0200
Subject: [PATCH] Use built-in roles for tasks and fix config
---
handlers/main.yml | 15 -----------
tasks/main.yml | 53 +++++--------------------------
templates/wireguard.conf.j2 | 8 +++---
vars/main.yml | 11 ++++++++
4 files changed, 21 insertions(+), 66 deletions(-)
delete mode 100644 handlers/main.yml
create mode 100644 vars/main.yml
diff --git a/handlers/main.yml b/handlers/main.yml
deleted file mode 100644
index 03b63e7..0000000
--- a/handlers/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: Enable wg-quick
- systemd:
- name: 'wg-quick@{{ wireguard.interface }}'
- enabled: yes
- state: restarted
- daemon_reload: yes
-- name: Restart wg-quick
- systemd:
- name: 'wg-quick@{{ wireguard.interface }}'
- state: restarted
-- name: Save netfilter rules
- command:
- argv:
- - '/usr/sbin/netfilter-persistent'
- - 'save'
diff --git a/tasks/main.yml b/tasks/main.yml
index 3fc6a3f..06e2e22 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,54 +1,13 @@
-- name: Include sensitive info
- include_vars:
- dir: '{{ role_path }}/vault'
- tags:
- - vault
-- name: Create configuration directory
- file:
- path: '/etc/wireguard'
- state: directory
- tags:
- - setup
- - configs
- name: Copy configuration files
+ loop:
+ - { src: "wireguard.conf.j2", dest: "/etc/wireguard/wg0.conf", mode: '600' }
template:
follow: yes
- src: 'wireguard.conf.j2'
- dest: '/etc/wireguard/wg0.conf'
- mode: '600'
- notify: Restart wg-quick
+ src: '{{ item.src }}'
+ dest: '{{ item.dest }}'
+ mode: '{{ item.mode }}'
+ notify: Run service actions
tags:
- update
- configs
- vault
-- name: Install wireguard kernel module and tools
- apt:
- install_recommends: no
- name:
- - wireguard-tools
- - wireguard # TODO: Check if kernel version > 5.6, it is included in the kernel following that
- state: present
- cache_valid_time: 3600
- tags:
- - setup
- - packages
- notify: Enable wg-quick
-- name: Allow wireguard through the firewall
- loop:
- - { ipv: 'ipv4', proto: 'tcp' }
- - { ipv: 'ipv6', proto: 'tcp' }
- iptables:
- chain: INPUT
- ctstate:
- - NEW
- - ESTABLISHED
- - RELATED
- destination_port: "{{ services.wireguard.port }}"
- jump: ACCEPT
- ip_version: '{{ item.ipv }}'
- protocol: '{{ item.proto }}'
- notify:
- - Save netfilter rules
- tags:
- - update
- - firewall
diff --git a/templates/wireguard.conf.j2 b/templates/wireguard.conf.j2
index b303345..5d77e4f 100644
--- a/templates/wireguard.conf.j2
+++ b/templates/wireguard.conf.j2
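Review bot: The rewritten "Copy configuration files" task notifies `Run service actions`, but this commit deletes handlers/main.yml and none of the four touched files defines a handler of that name, so unless a shared role that this role depends on provides it the play will fail with an unknown-handler error at notify time; the role's meta/main.yml is not part of this patch, so that cannot be confirmed here. The same hunk drops the `include_vars` of the vault directory while the template still renders `PrivateKey = {{ wg.privkey }}`, so that secret presumably now has to reach the role from the caller (play-level vault, group_vars or the shared role) and the task deserves a comment saying so, e.g. `# wg.privkey is no longer loaded here; the caller must supply it (vault)`. Since the rendered file contains the private key, the loop item could also pin ownership instead of relying on the connecting user, `- { src: "wireguard.conf.j2", dest: "/etc/wireguard/wg0.conf", owner: "root", group: "root", mode: "0600" }`, with `owner: '{{ item.owner }}'` and `group: '{{ item.group }}'` passed through to the template module.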
@@ -1,12 +1,12 @@
[Interface]
-Address = {{ services.wireguard.net.v4.addr }}.1/{{ wireguard.net.v4.range.serv }}, {{ wireguard.net.v6.addr }}:1/{{ wireguard.net.v6.range.serv }}
-PostUp = iptables -A FORWARD -i {{ services.wireguard.interface }} -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-PostDown = iptables -D FORWARD -i {{ services.wireguard.interface }} -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+Address = {{ services.wireguard.net.v4.addr }}.1/{{ services.wireguard.net.v4.range.serv }}, {{ services.wireguard.net.v6.addr }}:1/{{ services.wireguard.net.v6.range.serv }}
+PostUp = iptables -A FORWARD -i {{ services.wireguard.interface }} -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i {{ services.wireguard.interface }} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i {{ services.wireguard.interface }} -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i {{ services.wireguard.interface }} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = {{ services.wireguard.port }}
PrivateKey = {{ wg.privkey }}
{% for user in services.wireguard.peers %}
[Peer]
PublicKey = {{ user.pubkey }}
-AllowedIPs = {{ services.wireguard.net.v4.addr }}.{{ user.bit }}/{{ wireguard.net.v4.range.clnt }}, {{ wireguard.net.v6.addr}}:{{ user.bit }}/{{ wireguard.net.v6.range.clnt }}
+AllowedIPs = {{ services.wireguard.net.v4.addr }}.{{ user.bit }}/{{ services.wireguard.net.v4.range.clnt }}, {{ services.wireguard.net.v6.addr}}:{{ user.bit }}/{{ services.wireguard.net.v6.range.clnt }}
{% endfor %}
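Review bot: The new PostUp line accepts every forwarded packet arriving on the tunnel (`-i {{ services.wireguard.interface }} -j ACCEPT`) with no output-interface or connection-state qualifier, so any peer can reach whatever the host can route to, not only the masqueraded eth0 path, and if the host's FORWARD policy is DROP the replies coming back in on eth0 are never accepted (the policy is not visible in this patch). Narrowing the rule to the NAT egress interface and adding an explicit return-path rule keeps the scope deliberate: `iptables -A FORWARD -i {{ services.wireguard.interface }} -o eth0 -j ACCEPT; iptables -A FORWARD -o {{ services.wireguard.interface }} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, with the same shape for ip6tables and matching `-D` forms in PostDown. If peer-to-peer forwarding through the tunnel is intended, add a separate `-i <if> -o <if>` rule rather than keeping the blanket accept. The per-peer `AllowedIPs` also depends on `range.clnt` being a host prefix (/32 and /128); anything wider makes the peers' cryptokey-routing entries overlap, which is worth a comment on the loop if that is not guaranteed by the vars.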
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..fe151b8
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,11 @@
+file:
+ - { path: '/etc/wireguard', owner: 'root', group: 'root', mode: '600', state: directory }
+apt_packages:
+ - { package: "wireguard-tools", state: present }
+ - { package: "wireguard", state: present }
+systemd:
+ services:
+ - { name: "wg-quick@wg0", enabled: true, state: restarted }
+firewall:
+ - { port: "{{ services.wireguard.port }}", ipv: "v4", proto: "tcp" }
+ - { port: "{{ services.wireguard.port }}", ipv: "v6", proto: "tcp" }
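Review bot: Both `firewall` entries open the WireGuard port for `proto: "tcp"`, but WireGuard speaks only UDP, so the rule admits traffic the service never receives while the real handshake and data packets are left to whatever the INPUT policy is; change both entries to `proto: "udp"` (the defect is carried over from the deleted iptables task rather than introduced here). The systemd unit is hard-coded as `wg-quick@wg0` while the template's PostUp/PostDown rules are written against `{{ services.wireguard.interface }}`, so any value other than `wg0` brings up one interface and installs forwarding rules for another; `name: "wg-quick@{{ services.wireguard.interface }}"` keeps them in step, as the removed handler did. The `/etc/wireguard` directory entry uses `mode: '600'`, which lacks the execute bit a directory needs to be traversed — root ignores that, but the conventional and less surprising value for a directory holding private keys is `mode: '0700'`.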