From c71ca190abd1e3f185303f23fcadc3ec5d5781b4 Mon Sep 17 00:00:00 2001
From: Adrien
Date: Mon, 3 Aug 2020 23:24:28 +0200
Subject: [PATCH] First release

---
 .drone.yml | 12 +++
 README.md | 4 +-
 defaults/main.yml | 4 +
 handlers/main.yml | 3 +
 meta/main.yml | 16 ++++
 tasks/install_RedHat.yml | 8 ++
 tasks/main.yml | 80 +++++++++++++++++++
 .../etc/firewalld/services/wireguard.xml | 6 ++
 templates/etc/wireguard.conf.j2 | 14 ++++
 vars/RedHat_7.yml | 4 +
 vars/RedHat_8.yml | 4 +
 11 files changed, 154 insertions(+), 1 deletion(-)
 create mode 100644 .drone.yml
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 meta/main.yml
 create mode 100644 tasks/install_RedHat.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/etc/firewalld/services/wireguard.xml
 create mode 100644 templates/etc/wireguard.conf.j2
 create mode 100644 vars/RedHat_7.yml
 create mode 100644 vars/RedHat_8.yml

diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..833f690
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,12 @@
+---
+kind: pipeline
+type: kubernetes
+name: default
+
+steps:
+ - name: lint
+ image: quay.io/adrilinux/ansible:latest
+ commands:
+ - ansible-lint ./
+# - "find . -maxdepth 1 -name '*.yml' | sort | grep -v '.drone.yml' | xargs ansible-playbook --syntax-check --list-tasks"
+# - "find . -maxdepth 1 -name '*.yml' | sort | grep -v '.drone.yml' | xargs ansible-lint"
diff --git a/README.md b/README.md
index 684d8e0..4be6337 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+[![Build Status](https://drone.reslinger.net/api/badges/adrien/ansible-role-wireguard/status.svg)](https://drone.reslinger.net/adrien/ansible-role-wireguard)
+
 # ansible-role-wireguard
-Install wireguard
\ No newline at end of file
+Install WireGuard
\ No newline at end of file
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..ce191dc
--- /dev/null
+++ b/defaults/main.yml
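Review bot: The lint step pulls `image: quay.io/adrilinux/ansible:latest`, so the CI verdict depends on whatever that tag resolves to on a given day, and a changed or compromised image silently changes what gets checked; pin it to a versioned tag or, better, a digest such as `image: quay.io/adrilinux/ansible@sha256:<digest-placeholder>`. The two commented-out `# - "find … | xargs …"` commands are dead configuration; either restore them as real steps (the syntax-check one is useful) or remove them so the pipeline reads as what it actually runs.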
@@ -0,0 +1,4 @@
+---
+wireguard_interface: wg0
+wireguard_port: 51820
+skip_conf: false
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..4b27f01
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: Restart WireGuard
+ service: name=wg-quick@{{ wireguard_interface }} state=restarted
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..ecaedd3
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,16 @@
+galaxy_info:
+ author: Adrien Reslinger
+ description: Install WireGuard
+ company: Personnal
+ min_ansible_version: 2.9
+ galaxy_tags: []
+ license: GPL2
+ platforms:
+ - name: CentOS
+ version:
+ - 7
+ - 8
+ - name: RedHat
+ version:
+ - 7
+ - 8
diff --git a/tasks/install_RedHat.yml b/tasks/install_RedHat.yml
new file mode 100644
index 0000000..9d61e6b
--- /dev/null
+++ b/tasks/install_RedHat.yml
@@ -0,0 +1,8 @@
+---
+- name: Install repositories packages for CentOS
+ package:
+ name:
+ - epel-release
+ - elrepo-release
+ state: present
+ update_cache: yes
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..ec206dc
--- /dev/null
+++ b/tasks/main.yml
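Review bot: `skip_conf` is the only default without the `wireguard_` prefix that `wireguard_interface` and `wireguard_port` use; an unprefixed name is easy to collide with from another role or inventory group, so `wireguard_skip_conf: false` is the safer convention (tasks/main.yml references it as `skip_conf` and would need the same rename). The file also ends without a trailing newline.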
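Review bot: The `Restart WireGuard` handler is never notified: the tasks/main.yml hunk restarts the service directly with `state: restarted`, so this handler is dead and the restart is not tied to a configuration change. Have the template task `notify: Restart WireGuard` and drop the unconditional restart, which otherwise tears down the tunnel on every run. The key=value form `service: name=wg-quick@{{ wireguard_interface }} state=restarted` is also what the ansible-lint run added in .drone.yml flags; native YAML `service:` with `name:` and `state:` keys is the expected style.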
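Review bot: `license: GPL2` is not an SPDX identifier; Galaxy and ansible-lint expect something like `license: GPL-2.0-only` or `GPL-2.0-or-later`. `company: Personnal` is misspelled (`Personal`). This is also the only YAML file in the commit without the `---` document start; add it for consistency with the rest of the role.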
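Review bot: `elrepo-release` is not shipped by the stock CentOS or RHEL repositories, so `package: name: elrepo-release` will fail on a fresh host unless ELRepo has already been configured out of band; the repository (and, since it is a third-party source, its GPG key) needs to be added first, e.g. with a `yum_repository` task or the release RPM, before this package list can resolve. On RHEL proper `epel-release` is likewise not in the base channel, which sits uneasily with the RedHat platform entry in meta/main.yml. The task name says "for CentOS" while the file is selected by `ansible_os_family` (RedHat); `name: Install repositories packages for {{ ansible_os_family }}` is more accurate. `update_cache: yes` should be the canonical `true`.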
@@ -0,0 +1,80 @@
+---
+- name: WireGuard setup
+ block:
+ - name: Include vars for {{ ansible_os_family }}
+ include_vars: "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
+
+ - name: Pre-installation
+ include_tasks: "install_{{ ansible_os_family }}.yml"
+
+ - name: Install packages for WireGuard
+ package:
+ name: "{{ wireguard_packages }}"
+ state: present
+ update_cache: yes
+
+ - name: Configure wireguard
+ block:
+ - name: Retreive private key
+ block:
+ - name: Retreive private key
+ shell: >
+ cat /etc/wireguard/privatekey
+ register: wireguard_private_key
+ rescue:
+ - name: Generate private key
+ shell: >
+ set -o pipefail && wg genkey | tee /etc/wireguard/privatekey
+ register: wireguard_private_key
+ always:
+ - name: Fix permission on /etc/wireguard/privatekey
+ file:
+ path: "/etc/wireguard/privatekey"
+ owner: root
+ group: root
+ mode: 0600
+
+ - name: Retreive public key
+ block:
+ - name: Retreive public key
+ shell: >
+ cat /etc/wireguard/publickey
+ register: wireguard_public_key
+ rescue:
+ - name: Generate public key
+ shell: >
+ set -o pipefail && cat /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
+ register: wireguard_public_key
+ always:
+ - name: Fix permission on /etc/wireguard/publickey
+ file:
+ path: "/etc/wireguard/publickey"
+ owner: root
+ group: root
+ mode: 0600
+
+ - name: Set keys pair variable
+ set_facts:
+ wireguard_public_key: '{{ wireguard_public_key.stdout }}'
+ wireguard_private_key: '{{ wireguard_private_key.stdout }}'
+
+ - name: Install WireGuard configuration files
+ template:
+ src: "etc/wireguard/wireguard.conf.j2"
+ dest: "/etc/wireguard/{{ wireguard_interface }}.conf"
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Enable Wireguard service
+ service:
+ name: "wg-quick@{{ wireguard_interface }}"
+ enabled: yes
+ state: restarted
+ when:
+ - skip_conf|false
+ tags:
+ - wireguard-conf
+
+ tags:
+ - wireguard
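Review bot: The rendered `/etc/wireguard/{{ wireguard_interface }}.conf` carries the PrivateKey (see the template hunk), yet the template task installs it with `mode: 0644`, so the tunnel's private key is world-readable on the host; use `mode: "0600"` as the privatekey file itself already gets. `set_facts:` is not a module (the module is `set_fact`), and `src: "etc/wireguard/wireguard.conf.j2"` does not match the file this commit adds at `templates/etc/wireguard.conf.j2`, so the role cannot get past the key tasks at all. Every task that registers `wireguard_private_key` (the `cat`, the `wg genkey | tee`, and the set_fact that copies `.stdout`) prints the key material into Ansible output and any log collector behind it; add `no_log: true` to each of them. `tee` also creates `/etc/wireguard/privatekey` under the default umask before the `always` chmod runs, so `set -o pipefail && umask 077 && wg genkey | tee /etc/wireguard/privatekey` closes that window. Finally `skip_conf|false` is not a valid filter expression — `when: not skip_conf | bool` reads as the intent — and with the indentation lost in this rendering I cannot tell whether the condition is attached to the service task or to the whole "Configure wireguard" block.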
diff --git a/templates/etc/firewalld/services/wireguard.xml b/templates/etc/firewalld/services/wireguard.xml
new file mode 100644
index 0000000..c2ede6d
--- /dev/null
+++ b/templates/etc/firewalld/services/wireguard.xml
@@ -0,0 +1,6 @@
+ + WireGuard + WireGuard is a virtual private network (VPN) solution. It is used to create encrypted point-to-point tunnels between computers. If you plan to provide a VPN service, enable this option. + +
diff --git a/templates/etc/wireguard.conf.j2 b/templates/etc/wireguard.conf.j2
new file mode 100644
index 0000000..ca4ae52
--- /dev/null
+++ b/templates/etc/wireguard.conf.j2
@@ -0,0 +1,14 @@
+[Interface]
+PrivateKey = {{ wireguard_private_key }}
+#Address = 10.0.0.1/24
+DNS = {{ vpn_network }}.1
+SaveConfig = true
+ListenPort = {{ wireguard_port }}
+PostUp = firewall-cmd --add-port {{ wireguard_port }}/udp && firewall-cmd --add-masquerade
+PostDown = firewall-cmd --remove-port {{ wireguard_port }}/udp && firewall-cmd --remove-masquerade
+
+[Peer]
+PublicKey = {{ public_key_files.results[0].stdout }}
+AllowedIPs = 0.0.0.0/0,::/0
+Endpoint = {{ ansible_default_ipv4.address }}:{{ vpn_port }}
+PersistentKeepalive = 20
\ No newline at end of file
diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml
new file mode 100644
index 0000000..39f5d41
--- /dev/null
+++ b/vars/RedHat_7.yml
@@ -0,0 +1,4 @@
+---
+wireguard_packages:
+ - kmod-wireguard
+ - wireguard-tools
diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml
new file mode 100644
index 0000000..39f5d41
--- /dev/null
+++ b/vars/RedHat_8.yml
@@ -0,0 +1,4 @@
+---
+wireguard_packages:
+ - kmod-wireguard
+ - wireguard-tools
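Review bot: Nothing in this commit deploys `templates/etc/firewalld/services/wireguard.xml`: no task in tasks/main.yml copies it under `/etc/firewalld/services/`, and the wireguard.conf.j2 PostUp opens the port with `firewall-cmd --add-port` rather than `--add-service=wireguard`, so the service definition is dead weight. Either add a template task for it (and have PostUp/PostDown reference the service, which keeps the port in one place) or drop the file. The element tags are stripped in this rendering, so I cannot check which port and protocol the definition actually declares or whether it tracks `wireguard_port`.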
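Review bot: `vpn_network`, `vpn_port` and `public_key_files.results[0].stdout` are not defined anywhere in this commit — defaults only provide `wireguard_interface`, `wireguard_port` and `skip_conf`, and the tasks set `wireguard_public_key`/`wireguard_private_key` — so the template task fails on an undefined variable the first time it renders. `Endpoint = {{ ansible_default_ipv4.address }}:{{ vpn_port }}` points the [Peer] at the host's own address, which reads like a client config pasted into the server role; the peer section needs a real remote public key and endpoint, or should be generated from a peer list. `SaveConfig = true` makes wg-quick rewrite this Ansible-managed file on interface shutdown, so the next run sees drift and restarts the tunnel; a templated config should carry `SaveConfig = false`. With `#Address = 10.0.0.1/24` commented out the interface comes up with no address, so nothing can be routed through it.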
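Review bot: `vars/RedHat_7.yml` and `vars/RedHat_8.yml` are byte-identical (both carry blob 39f5d41), so the per-major-version split in the `include_vars` filename buys nothing yet; a single `RedHat.yml` keyed on `ansible_os_family`, or `with_first_found` falling back from the version-specific name to the family name, avoids keeping two copies in sync. Keeping the split is fine only if the RHEL 7 and RHEL 8 package sets are expected to diverge soon.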