
- name: Install Wireguard
  # The key-generation task further down calls `wg` directly, so this
  # package is expected to bring wireguard-tools with it (Debian/Ubuntu).
  ansible.builtin.apt:
    update_cache: true
    name: wireguard
    state: present
- name: Enable IPv4 forward in /etc/sysctl.conf
  # Forwarding is needed to route traffic between peers and the upstream
  # network. Only IPv4 is switched on here; IPv6 peers would additionally
  # need net.ipv6.conf.all.forwarding, which this task does not touch.
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    state: present
    sysctl_set: true
    reload: true
- name: Create the /etc/wireguard/ansible directory
  # Both directories are root-only (0700); the ansible/ subdirectory will
  # hold the raw private keys and the pre-shared key.
  ansible.builtin.file:
    path: "{{ wg_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0700"
  loop:
    - /etc/wireguard
    - /etc/wireguard/ansible
  loop_control:
    loop_var: wg_dir
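- name: Create the keys
  # Runs once: the `creates` guard skips the task when the pre-shared key
  # (the last file written) already exists, so a re-run does not invalidate
  # peers that already hold the old keys. Delete the directory to rotate.
  ansible.builtin.shell:
    executable: /bin/bash
    chdir: /etc/wireguard/ansible
    creates: /etc/wireguard/ansible/preshared_key
    cmd: |-
      # -e is essential here: without it a failing `wg genkey` would leave
      # empty key files behind, the last command would still create
      # preshared_key with status 0, and the `creates` guard would then
      # skip the task forever. pipefail surfaces the failure inside the pipe.
      set -euo pipefail
      # Every file below is created readable by root only.
      umask 077
      wg genkey | tee server_private_key | wg pubkey > server_public_key
      wg genkey | tee peer_private_key | wg pubkey > peer_public_key
      # wg genpsk emits a 32-byte base64 PSK, the same format as
      # `openssl rand 32 | base64`, without depending on openssl on the host.
      wg genpsk > preshared_key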
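- name: Get the keys
  # Both tasks handle private key material: the registered slurp result
  # carries the file contents (base64) and the `keys` fact holds them
  # decoded. no_log is therefore set on the whole block so that neither the
  # slurp results nor the set_fact values are printed at -v.
  no_log: true
  block:
    - name: Read the files in /etc/wireguard/ansible
      ansible.builtin.slurp:
        src: "/etc/wireguard/ansible/{{ item }}_key"
      loop:
        - server_public
        - server_private
        - peer_public
        - peer_private
        - preshared
      register: tmp

    - name: Extract the keys from the files
      # Builds keys = {server_public: ..., server_private: ..., ...}, one
      # entry per slurped file, with the trailing newline trimmed. Relies on
      # set_fact taking precedence over the task-level `keys: {}` seed, so
      # each iteration extends the dictionary built by the previous one.
      ansible.builtin.set_fact:
        keys: "{{ keys | combine({item.item: (item.content | b64decode | trim)}) }}"
      loop: "{{ tmp.results }}"
      vars:
        keys: {}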
- name: Create the configuration files
  # Renders wg0.conf, peer.conf and iptables.sh into /etc/wireguard. The two
  # .conf files embed private keys, hence no_log (which also keeps the
  # rendered content out of --diff output). The registered result drives
  # the restart and download decisions of the tasks that follow.
  ansible.builtin.template:
    src: "{{ item.name }}.j2"
    dest: "/etc/wireguard/{{ item.name }}"
    mode: "{{ item.permissions }}"
    owner: root
    group: root
  loop:
    - name: wg0.conf
      permissions: "0600"
    - name: peer.conf
      permissions: "0600"
    - name: iptables.sh
      permissions: "0700"
  register: config_files
  no_log: true
- name: Start the Wireguard server
  # Restart only when wg0.conf or iptables.sh was rewritten; a changed
  # peer.conf alone does not affect the running interface, so the unit is
  # merely ensured started in that case.
  ansible.builtin.systemd_service:
    name: wg-quick@wg0
    enabled: true
    state: >-
      {{ 'restarted'
      if (config_files.results
      | selectattr('item.name', 'in', ['wg0.conf', 'iptables.sh'])
      | selectattr('changed', 'equalto', True)
      | list | length > 0)
      else 'started' }}
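- name: Download the Wireguard peer config
  # fetch compares checksums and only rewrites the local copy when it
  # differs, so it is run on every play instead of only when peer.conf was
  # just templated: gating on "changed" would leave a failed download, or a
  # fresh checkout on another control node, without the file until the
  # template changed again.
  # NOTE(review): the downloaded file contains the peer's private key and is
  # written with the controller's default umask (fetch has no mode option) —
  # keep ../wireguard-configs out of version control and restrict it.
  ansible.builtin.fetch:
    src: /etc/wireguard/peer.conf
    dest: "../wireguard-configs/{{ inventory_hostname }}/vpn.conf"
    flat: true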