From e3a89aecc29b15ecec834672c428dfa429576529 Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Fri, 7 May 2021 00:24:52 -0400
Subject: [PATCH] Add WireGuard VPN
---
 roles/base/files/buster-backports.list | 1 +
 roles/base/tasks/main.yml | 4 +++
 roles/base/tasks/wireguard.yml | 49 ++++++++++++++++++++++++++
 roles/base/templates/wireguard.j2 | 19 ++++++++++
 4 files changed, 73 insertions(+)
 create mode 100644 roles/base/files/buster-backports.list
 create mode 100644 roles/base/tasks/wireguard.yml
 create mode 100644 roles/base/templates/wireguard.j2
diff --git a/roles/base/files/buster-backports.list b/roles/base/files/buster-backports.list
new file mode 100644
index 0000000..68d5e8b
--- /dev/null
+++ b/roles/base/files/buster-backports.list
@@ -0,0 +1 @@
+deb http://deb.debian.org/debian buster-backports main
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 791bc2b..1df652e 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -11,3 +11,7 @@
 - import_tasks: ddclient.yml
 tags: ddclient
 when: ddclient is defined
+
+- import_tasks: wireguard.yml
+ tags: wireguard
+ when: wireguard is defined
diff --git a/roles/base/tasks/wireguard.yml b/roles/base/tasks/wireguard.yml
new file mode 100644
index 0000000..81f17b2
--- /dev/null
+++ b/roles/base/tasks/wireguard.yml
@@ -0,0 +1,49 @@
+# Copyright (C) 2021 Kris Lamoureux
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+- name: Add Debian Buster backports
+ copy:
+ src: buster-backports.list
+ dest: /etc/apt/sources.list.d/buster-backports.list
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Install WireGuard
+ apt:
+ name: wireguard
+ state: present
+ update_cache: true
+
+- name: Generate WireGuard keys
+ shell: wg genkey | tee privatekey | wg pubkey > publickey
+ args:
+ chdir: /etc/wireguard/
+ creates: /etc/wireguard/privatekey
+
+- name: Grab WireGuard private key for configuration
+ slurp:
+ src: /etc/wireguard/privatekey
+ register: wgkey
+
+- name: Install WireGuard configuration
+ template:
+ src: wireguard.j2
+ dest: /etc/wireguard/wg0.conf
+
+- name: Start WireGuard interface
+ service:
+ name: wg-quick@wg0
+ state: started
+ enabled: true
diff --git a/roles/base/templates/wireguard.j2 b/roles/base/templates/wireguard.j2
new file mode 100644
index 0000000..b7a29da
--- /dev/null
+++ b/roles/base/templates/wireguard.j2
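Review bot: The `Install WireGuard configuration` task writes the private key into `/etc/wireguard/wg0.conf` without `owner`/`group`/`mode`, so the rendered file gets whatever the remote umask yields instead of an explicit `mode: '0600'`; the `Generate WireGuard keys` task has the same gap, because `tee privatekey` creates the key file with default permissions unless the command is prefixed with `umask 077;`. The `slurp` task registers the key material in `wgkey`, and a registered result is printed in task output at higher verbosity and by callback or log plugins, so that task should carry `no_log: true`. A later change to the template is never applied, since `state: started` on `wg-quick@wg0` is a no-op for a running unit; the template task should `notify` a restart handler (no handler is part of this patch, so the name in the excerpt below is a placeholder). The `Add Debian Buster backports` task is also unconditional, so a host that defines `wireguard` but runs a different Debian release gets an unusable apt source; a `when: ansible_distribution_release == 'buster'` guard keeps the role safe elsewhere.
```yaml
# … unchanged: license header, backports source, apt install …

- name: Generate WireGuard keys
  shell: umask 077; wg genkey | tee privatekey | wg pubkey > publickey
  args:
    chdir: /etc/wireguard/
    creates: /etc/wireguard/privatekey

- name: Grab WireGuard private key for configuration
  slurp:
    src: /etc/wireguard/privatekey
  register: wgkey
  no_log: true

- name: Install WireGuard configuration
  template:
    src: wireguard.j2
    dest: /etc/wireguard/wg0.conf
    owner: root
    group: root
    mode: '0600'
  notify: Restart WireGuard interface  # placeholder handler name; define it in the role's handlers

# … unchanged: service task …
```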
@@ -0,0 +1,19 @@
+[Interface]
+PrivateKey = {{ wgkey['content'] | b64decode | trim }}
+Address = {{ wireguard.address }}
+{% if wireguard.listenport is defined %}
+ListenPort = {{ wireguard.listenport }}
+{% endif %}
+
+{% for peer in wireguard.peers %}
+[Peer]
+PublicKey = {{ peer.publickey }}
+{% if peer.endpoint is defined %}
+Endpoint = {{ peer.endpoint }}
+{% endif %}
+AllowedIPs = {{ peer.allowedips }}
+{% if peer.keepalive is defined %}
+PersistentKeepalive = {{ peer.keepalive }}
+{% endif %}
+
+{% endfor %}
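Review bot: `{% for peer in wireguard.peers %}` assumes `peers` is always present, so a host that defines `wireguard` with only `address` (for example a listening side configured before any peer exists) fails at render time; `{% for peer in wireguard.peers | default([]) %}` keeps the file valid with an empty peer list. A short header comment in the template naming the required keys (`address`, and per peer `publickey` and `allowedips`) and the optional ones (`listenport`, `endpoint`, `keepalive`) would also document the variable contract this file relies on, since nothing else in the patch does.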