
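---
# Provisions WireGuard on the dn42 routers: installs the package, generates a
# per-host keypair on first run, and renders one systemd-networkd
# .netdev/.network pair per peer, once for `internal_peers` and once for
# `peers`. Both lists come from ./host_config/<inventory_hostname>.yaml.
- name: "DN42 router setup"
  hosts: dn42_routers
  vars_files:
    - "./host_config/{{ inventory_hostname }}.yaml"
  become: true

  handlers:
    # Handlers run in the order they are defined here, so daemon-reload always
    # precedes the networkd reload regardless of the order in `notify`.
    - name: "Reload systemd"
      ansible.builtin.systemd:
        daemon_reload: true

    # NOTE(review): `networkctl reload` picks up new .netdev/.network files but
    # does not reconfigure a netdev that already exists, so key, endpoint or
    # peer changes to an existing WireGuard interface may need a restart of
    # systemd-networkd (or deletion of the interface first) — confirm against
    # the systemd version on the routers.
    - name: "Reload networkd"
      ansible.builtin.command:
        cmd: "networkctl reload"
      changed_when: true

  tasks:
    - name: "Ensure wireguard is installed"
      ansible.builtin.apt:
        update_cache: true
        name:
          - wireguard

    # 0750 root:systemd-network so networkd (running as systemd-network) can
    # read the key file referenced from the .netdev units while other local
    # users cannot traverse the directory at all.
    - name: "Ensure /etc/wireguard directory exists"
      ansible.builtin.file:
        path: "/etc/wireguard/"
        state: directory
        owner: root
        group: systemd-network
        mode: "0750"

    # `umask 077` makes the key file 0600 at the moment it is written. Without
    # it the shell redirect creates the file with the default umask (typically
    # 0644) and the file only relies on the directory mode until the next task
    # tightens it; if the play aborts in between, the key keeps that default
    # mode. `creates` keeps the task idempotent so an existing key is never
    # regenerated.
    - name: "Create wireguard private key"
      ansible.builtin.shell:
        cmd: "umask 077 && wg genkey > /etc/wireguard/privatekey"
        creates: "/etc/wireguard/privatekey"

    # Relax to 0640 root:systemd-network: networkd needs read access, nobody
    # else does.
    - name: "Set permissions on wireguard private key"
      ansible.builtin.file:
        path: "/etc/wireguard/privatekey"
        mode: "0640"
        owner: root
        group: systemd-network

    - name: "Create wireguard publickey file"
      ansible.builtin.shell:
        cmd: "wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey"
        creates: "/etc/wireguard/publickey"

    # The four template tasks below share the same shape:
    # - `default([], true)` turns both an undefined variable and an explicit
    #   null (e.g. `internal_peers:` left empty in the host file) into an empty
    #   list. A plain `default([])` only covers the undefined case, and `loop`
    #   rejects null, so the previous `when: ... is not none` guard is no
    #   longer needed.
    # - `loop_var: peer` instead of the default `item` keeps the loop variable
    #   unambiguous if this play is ever included from another loop.
    # NOTE(review): mode 0644 on the units assumes the templates reference the
    # key via PrivateKeyFile= rather than rendering it inline; if the key is
    # embedded, the .netdev must be 0640 root:systemd-network — confirm against
    # wireguard_peer.netdev.j2.
    - name: "Create internal peering systemd netdevs"
      ansible.builtin.template:
        src: "./templates/dn42/wireguard_peer.netdev.j2"
        dest: "/etc/systemd/network/{{ peer.name }}.netdev"
        mode: "0644"
      loop: "{{ internal_peers | default([], true) }}"
      loop_control:
        loop_var: peer
      notify:
        - "Reload systemd"
        - "Reload networkd"

    - name: "Create internal peering systemd networks"
      ansible.builtin.template:
        src: "./templates/dn42/wireguard_peer.network.j2"
        dest: "/etc/systemd/network/{{ peer.name }}.network"
        mode: "0644"
      loop: "{{ internal_peers | default([], true) }}"
      loop_control:
        loop_var: peer
      notify:
        - "Reload systemd"
        - "Reload networkd"

    # Renamed from the duplicated "Create internal peering systemd netdevs":
    # this pair iterates `peers`, not `internal_peers`, and now matches the
    # naming of the networks task below.
    - name: "Create peering systemd netdevs"
      ansible.builtin.template:
        src: "./templates/dn42/wireguard_peer.netdev.j2"
        dest: "/etc/systemd/network/{{ peer.name }}.netdev"
        mode: "0644"
      loop: "{{ peers | default([], true) }}"
      loop_control:
        loop_var: peer
      notify:
        - "Reload systemd"
        - "Reload networkd"

    - name: "Create peering systemd networks"
      ansible.builtin.template:
        src: "./templates/dn42/wireguard_peer.network.j2"
        dest: "/etc/systemd/network/{{ peer.name }}.network"
        mode: "0644"
      loop: "{{ peers | default([], true) }}"
      loop_control:
        loop_var: peer
      notify:
        - "Reload systemd"
        - "Reload networkd"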