From 773137c9d3c2e9b8424856b91f21595c1c179cf9 Mon Sep 17 00:00:00 2001
From: Alex
Date: Wed, 15 Apr 2020 16:10:16 +0200
Subject: [PATCH] Initial commit
---
.gitignore | 1 +
handlers/main.yml | 14 +++++++++++
tasks/main.yml | 49 +++++++++++++++++++++++++++++++++++++
templates/wireguard.conf.j2 | 12 +++++++++
vars/main.yml | 20 +++++++++++++++
5 files changed, 96 insertions(+)
create mode 100644 .gitignore
create mode 100644 handlers/main.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/wireguard.conf.j2
create mode 100644 vars/main.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4dc51e8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+vault/
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..eb62fc2
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,14 @@
+- name: Enable wg-quick
+ systemd:
+ name: 'wg-quick@{{ wireguard.interface }}'
+ enabled: yes
+ state: started
+- name: Restart wg-quick
+ systemd:
+ name: 'wg-quick@{{ wireguard.interface }}'
+ state: restarted
+- name: Save netfilter rules
+ command:
+ argv:
+ - '/usr/sbin/netfilter-persistent'
+ - 'save'
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..f6b68b2
--- /dev/null
+++ b/tasks/main.yml
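Review bot: `enabled: yes` in the Enable wg-quick handler is a YAML 1.1 truthy literal; Ansible tolerates it, but yamllint's `truthy` rule and current Ansible style want the canonical form, so write `enabled: true`. Since this is a handler it only fires when the notifying apt task in tasks/main.yml reports a change, so a host that already has the packages installed but the `wg-quick@wg0` unit disabled is, as far as the hunk shows, never enabled; if unconditional enablement is the intent, this belongs in a regular task rather than a handler. A `---` document-start marker on each of these YAML files would also keep yamllint quiet.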
@@ -0,0 +1,49 @@
+- name: Create configuration directory
+ file:
+ path: '/etc/wireguard'
+ state: directory
+ tags:
+ - setup
+ - configs
+- name: Copy configuration files
+ template:
+ follow: yes
+ src: 'wireguard.conf.j2'
+ dest: '/etc/wireguard/wg0.conf'
+ mode: '600'
+ notify: Restart wg-quick
+ tags:
+ - update
+ - configs
+ - vault
+- name: Install wireguard kernel module and tools
+ apt:
+ install_recommends: no
+ name:
+ - wireguard-tools
+ - wireguard # TODO: Check if kernel version > 5.6, it is included in the kernel following that
+ state: present
+ cache_valid_time: 3600
+ tags:
+ - setup
+ - packages
+ notify: Enable wg-quick
+- name: Allow wireguard through the firewall
+ loop:
+ - { ipv: 'ipv4', proto: 'tcp' }
+ - { ipv: 'ipv6', proto: 'tcp' }
+ iptables:
+ chain: INPUT
+ ctstate:
+ - NEW
+ - ESTABLISHED
+ - RELATED
+ destination_port: "{{ wireguard.port }}"
+ jump: ACCEPT
+ ip_version: '{{ item.ipv }}'
+ protocol: '{{ item.proto }}'
+ notify:
+ - Save netfilter rules
+ tags:
+ - update
+ - firewall
diff --git a/templates/wireguard.conf.j2 b/templates/wireguard.conf.j2
new file mode 100644
index 0000000..4296ea4
--- /dev/null
+++ b/templates/wireguard.conf.j2
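Review bot: The "Allow wireguard through the firewall" task opens TCP on both address families, but WireGuard speaks UDP only, so on a default-deny INPUT chain the handshake on `{{ wireguard.port }}` is still dropped and the rule that does get added is dead; change the loop to `- { ipv: 'ipv4', proto: 'udp' }` and `- { ipv: 'ipv6', proto: 'udp' }`. In the same hunk, `dest: '/etc/wireguard/wg0.conf'` hard-codes the interface name that the handlers derive from `wireguard.interface`, so `dest: '/etc/wireguard/{{ wireguard.interface }}.conf'` stops a renamed interface from pointing `wg-quick@` at a missing file, and the "Create configuration directory" task should set `mode: '0700'` because the rendered file in it contains the server's private key. `follow: yes` and `install_recommends: no` are YAML 1.1 truthy literals; prefer `true`/`false`.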
@@ -0,0 +1,12 @@
+[Interface]
+Address = {{ wireguard.net.v4.addr }}.1/{{ wireguard.net.v4.range.serv }}, {{ wireguard.net.v6.addr }}:1/{{ wireguard.net.v6.range.serv }}
+PostUp = iptables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i {{ wireguard.interface }} -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+ListenPort = {{ wireguard.port }}
+PrivateKey = {{ wg.privkey }}
+
+{% for user in wireguard.peers %}
+[Peer]
+PublicKey = {{ user.pubkey }}
+AllowedIPs = {{ wireguard.net.v4.addr }}.{{ user.bit }}/{{ wireguard.net.v4.range.clnt }}, {{ wireguard.net.v6.addr}}:{{ user.bit }}/{{ wireguard.net.v6.range.clnt }}
+{% endfor %}
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..d85b5b2
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,20 @@
+wireguard:
+ interface: 'wg0'
+ port: 51820
+ net:
+ v4:
+ addr: "172.22.12"
+ range:
+ serv: "24"
+ clnt: "32"
+ v6:
+ addr: "fd86:ea04:1115:"
+ range:
+ serv: "120"
+ clnt: "128"
+ peers:
+ - { bit: 2, pubkey: "Xb+ASR5NdnIB+dXWEA4H0V3d0LC0KocKeFeQDyqDqjk=" }
+ - { bit: 3, pubkey: "kz9vLMnPtfka11n1EJpzHb4966ieJSo4BU1P2joHLXo=" }
+ - { bit: 10, pubkey: "wpjMlhrcv173ER7rZ0KrmaqahcqZA/fm3ovpaGlRIRo=" }
+ - { bit: 12, pubkey: "2FRcncz/oSmqFQLrHqICi4fEkgxrCeS9P8TTv5gcfCw=" }
+ - { bit: 14, pubkey: "XYUXzDDXzo1uDadvJ8YW5X/ISCZSyu10d35i7mb0pAY=" }
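Review bot: The `PostUp` forwarding rule `-A FORWARD -i {{ wireguard.interface }} -j ACCEPT` has no `-o` match, so it forwards peer traffic to every output interface including `wg0` itself — every peer can reach every other peer and anything the host can route to; if client isolation is intended, write `-i {{ wireguard.interface }} ! -o {{ wireguard.interface }} -j ACCEPT` (and the same for `ip6tables`), and if it is not, say so in a comment at the top of the template. The NAT rules hard-code `eth0` in four places although everything else in this file is templated; an egress-interface variable (for example `wireguard.egress_interface`, defaulting to `eth0`) keeps the role usable on hosts whose uplink is `ens3` or `enp0s3`. `PostUp` runs its four commands sequentially, so a later command failing leaves the earlier `-A` rules in place; the `-D` rules in `PostDown` tolerate that, but `iptables -C … || iptables -A …` guards would make repeated `wg-quick up` attempts idempotent.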
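Review bot: The peer list and addressing live in `vars/main.yml`, which in Ansible's precedence order sits above inventory, group and host vars, so a consumer of this role cannot supply a different `peers`, `net` or `port` per host without `-e`; the overridable values belong in `defaults/main.yml`. `bit` is substituted as a decimal octet in v4 and a hex group in v6 (`bit: 10` renders `172.22.12.10` but `fd86:ea04:1115::10`, i.e. host 16), which works but deserves a comment such as `# host suffix: rendered as decimal in v4, hex in v6; keep unique and within 2-254`, because nothing here rejects a duplicate suffix and WireGuard keeps each allowed IP on only one peer, so the last listed peer would silently take over the route. The flow-style `{ bit: …, pubkey: … }` entries would read better, and diff better, as block mappings.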