From c6ec2b97beaed7110089e8813f1f2eb70d2b9846 Mon Sep 17 00:00:00 2001 From: Mikhail Konyakhin Date: Thu, 20 Dec 2018 18:38:18 +0300 Subject: [PATCH 1/5] Add support auto generate wireguard keys; Update template and variables data format. --- README.md | 162 +++++++++++++++++++++++++++++------- defaults/main.yml | 52 +++++++----- tasks/configure_network.yml | 24 ++++++ tasks/main.yml | 2 +- templates/wgX.conf.j2 | 4 +- tests/test.yml | 2 +- 6 files changed, 188 insertions(+), 58 deletions(-) diff --git a/README.md b/README.md index effe007..09984ca 100644 --- a/README.md +++ b/README.md @@ -11,11 +11,27 @@ The role should be self-contained, just provide vars for your hosts and run it. Role Variables -------------- -### `wireguard_networks` +### `wireguard_manage_keys` -Each host needs to have `wireguard_networks` variable set. It should be a list of WireGuard interface name the host should use, by default it is an empty list. For each `$INTERFACE` specified here the host should have `wireguard_$INTERFACE_interface` and `wireguard_$INTERFACE_peers` vars set. +If `True` ansible automatically generated public and private pair keys. Default `False`. -### `wireguard_$INTERFACE_interface` +### `wireguard_interfaces` + +Each host needs to have `wireguard_interfaces` variable set. It should be a list of WireGuard interface name the host should use, by default it is an empty list. For each `$INTERFACE` specified here the host should have: +``` +wireguard_interface: + $INTERFACE: + key: value +``` +and +``` +wireguard_peers: + $INTERFACE: + key: value +``` +vars set. + +### `wireguard_interface: $INTERFACE` This variable allows configuring the WireGuard interface on the host. It is a dict and the following keys are taken into account: 
@@ -38,7 +54,7 @@ Other configurable things: These options can be configured for an interface but are unset by default, refer to `wg(8)` and `wg-quick(8)` manpages for their meaning. -### `wireguard_$INTERFACE_peers` +### `wireguard_peers: $INTERFACE` A hash configuring the host's peers in the form of `peer_name: { ... peer_configuration ... }`. @@ -54,8 +70,9 @@ A hash configuring the host's peers in the form of `peer_name: { ... peer_config Example: ```yaml -wireguard_wg0_peers: - - fugu: +wireguard_peers: + wg0: + fugu: public_key: 12345 allowed_ips: 10.0.0.0/16 ``` 
@@ -65,48 +82,54 @@ Dependencies None. -Example -------- +Examples +-------- +### If wireguard_manage_keys is `False` Star topology (multiple clients connecting to each other through one central server). ```yaml # host_vars/someserver.yml -wireguard_wg0_interface: - address: 10.0.0.1/16 - private_key: someserver_private_key - listen_port: 12345 - -wireguard_wg0_peers: - client1: - public_key: client1_public_key - allowed_ips: 10.0.0.11/32 - client2: - public_key: client2_public_key - allowed_ips: 10.0.0.12/32 +wireguard_interface: + wg0: + address: 10.0.0.1/16 + private_key: someserver_private_key + listen_port: 12345 + +wireguard_peers: + wg0: + client1: + public_key: client1_public_key + allowed_ips: 10.0.0.11/32 + client2: + public_key: client2_public_key + allowed_ips: 10.0.0.12/32 ``` ```yaml # group_vars/client.yml -wireguard_wg0_peers: - someserver: - public_key: someserver_public_key - endpoint: someserver.example.com:12345 - allowed_ips: 10.0.0.1/16 +wireguard_peers: + wg0: + someserver: + public_key: someserver_public_key + endpoint: someserver.example.com:12345 + allowed_ips: 10.0.0.1/16 ``` ```yaml # host_vars/client1.yml -wireguard_wg0_interface: - address: 10.0.0.11/16 - private_key: client1_private_key +wireguard_interface: + wg0: + address: 10.0.0.11/16 + private_key: client1_private_key ``` ```yaml # host_vars/client2.yml -wireguard_wg0_interface: - address: 10.0.0.12/16 - private_key: client2_private_key +wireguard_interface: + wg0: + address: 10.0.0.12/16 + private_key: client2_private_key ``` ``` 
@@ -128,6 +151,83 @@ client2 - wireguard ``` +### If wireguard_manage_keys is `True` +All hosts is servers and clients (peer2peer). + +```yaml +# host_vars/someserver.yml +wireguard_interface: + wg0: + address: 10.0.0.1/16 + private_key: someserver_private_key + listen_port: 12345 + +wireguard_peers: + wg0: + client1: + public_key: client1_public_key + allowed_ips: 10.0.0.11/32 + client2: + public_key: client2_public_key + allowed_ips: 10.0.0.12/32 +``` + +```yaml +# group_vars/all.yml +wireguard_listen_port: 5888 +wireguard_wg0_preshared_key: secret_preshared_key +wireguard_wg0_peer_settings: > + {% set _peers = {} -%} + {%- for node in groups['all'] | map('extract', hostvars) -%} + {%- if (node['wg0_ipv4'] is defined and inventory_hostname != node['inventory_hostname']) -%} + {%- set _data = {} -%} + {%- set _endpoint_data = [] -%} + {{- _endpoint_data.append(node.ip_v4) -}} + {{- _endpoint_data.append(wireguard_listen_port) -}} + {%- set _endpoint = _endpoint_data | join(':') -%} + {%- set x=_data.__setitem__('public_key', node.public_wg0.content | b64decode | trim) -%} + {%- set x=_data.__setitem__('allowed_ips', node.wg0_ipv4) -%} + {%- set x=_data.__setitem__('preshared_key', wireguard_wg0_preshared_key) -%} + {%- set x=_data.__setitem__('endpoint', _endpoint) -%} + {%- set x=_peers.__setitem__(node['inventory_hostname'], _data) -%} + {%- endif -%} + {%- endfor -%} + {{- _peers }} + +wireguard_manage_keys: True +wireguard_manage_services: True +wireguard_interfaces: + - wg0 + +wireguard_peers: + wg0: "{{ wireguard_wg0_peer_settings }}" + +wireguard_interface: + wg0: + address: "{{ wg0_ipv4 }}" + private_key: "{{ private_wg0.content | b64decode | trim }}" + listen_port: "{{ wireguard_listen_port }}" +``` + +``` +# inventory file +[wireguard-servers] +server1 wg0_ipv4=10.0.0.1/32 +server2 wg0_ipv4=10.0.0.2/32 +server3 wg0_ipv4=10.0.0.3/32 +``` + +```yaml +# playbook.yml +- hosts: all + vars: + wireguard_interfaces: + - wg0 + roles: + - wireguard +``` + + 
Supported platforms ------------------- diff --git a/defaults/main.yml b/defaults/main.yml index 7bf1265..726aaa8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,27 +1,33 @@ --- -wireguard_manage_services: true -wireguard_networks: [] -# wireguard_networks: +wireguard_manage_keys: False +wireguard_manage_services: True + +wireguard_interfaces: [] +# wireguard_interfaces: # - wg0 -# wireguard_wg0_peers: -# - foobar: -# public_key: -# allowed_ips: -# # endpoint: -# # preshared_key: -# # persistent_keepalive: +wireguard_peers: {} +# wireguard_peers: +# wg0: +# - foobar: +# public_key: +# allowed_ips: +# #endpoint: +# #preshared_key: +# #persistent_keepalive: -# wireguard_wg0_interface: -# address: -# private_key: -# # listen_port: -# # fw_mark: -# # dns: [] -# # MTU: -# # Table: -# # pre_up: [] -# # post_up: [] -# # pre_down: [] -# # post_down: [] -# # save_config: +wireguard_interface: {} +# wireguard_interface: +# wg0: +# address: +# private_key: +# #listen_port: +# #fw_mark: +# #dns: [] +# #mtu: +# #table: +# #pre_up: [] +# #post_up: [] +# #pre_down: [] +# #post_down: [] +# #save_config: diff --git a/tasks/configure_network.yml b/tasks/configure_network.yml index e66ea42..205aa94 100644 --- a/tasks/configure_network.yml +++ b/tasks/configure_network.yml 
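Review bot: `wireguard_manage_keys: False` and `wireguard_manage_services: True` switch the flags to capitalised YAML 1.1 spellings that the replaced `wireguard_manage_services: true` did not use; write `wireguard_manage_keys: false` and `wireguard_manage_services: true` (yamllint `truthy`; a YAML 1.2 loader reads `False` as a string). The commented `wireguard_peers` example still shows `wg0:` holding a list (`#     - foobar:`) while the README hunk in this patch and the template's `wireguard_peers[item]` lookup treat the interface entry as a mapping keyed by peer name, so the example should read `#     foobar:` without the dash. The example also renames `MTU:`/`Table:` to `mtu:`/`table:`; if the template's `interface_optional_keys` map (outside this diff) still keys on the old spelling, the documented names would be silently ignored, which is worth confirming. Minor: the `#endpoint:` style comments lost the space after `#` that the removed lines had.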
@@ -1,4 +1,28 @@ --- +- name: Read private key {{ item }} + stat: + path: "/etc/wireguard/privatekey_{{ item }}" + register: privatekey_{{ item }} + when: wireguard_manage_services + +- name: Generate wireguard keys {{ item }} + shell: "umask 077; wg genkey | tee /etc/wireguard/privatekey_{{ item }} | wg pubkey > /etc/wireguard/publickey_{{ item }}" + when: + - not privatekey_{{ item }}.stat.exists + - wireguard_manage_services + +- name: Read private key {{ item }} + slurp: + src: "/etc/wireguard/privatekey_{{ item }}" + register: private_{{ item }} + when: wireguard_manage_services + +- name: Read public key {{ item }} + slurp: + src: "/etc/wireguard/publickey_{{ item }}" + register: public_{{ item }} + when: wireguard_manage_services + - name: Configure {{ item }} template: src: wgX.conf.j2 diff --git a/tasks/main.yml b/tasks/main.yml index af91943..7e4af05 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -11,6 +11,6 @@ group: root - include_tasks: configure_network.yml - with_items: "{{ wireguard_networks }}" + with_items: "{{ wireguard_interfaces }}" tags: - configure diff --git a/templates/wgX.conf.j2 b/templates/wgX.conf.j2 index 48ed358..2ee31b1 100644 --- a/templates/wgX.conf.j2 +++ b/templates/wgX.conf.j2 @@ -1,5 +1,5 @@ -{% set interface = vars.get('wireguard_' + item + '_interface', {}) -%} -{% set peers = vars.get('wireguard_' + item + '_peers', {}) -%} +{% set interface = wireguard_interface[item] -%} +{% set peers = wireguard_peers[item] -%} {% set interface_required_keys = { 'address': 'Address', 'private_key': 'PrivateKey' } -%} {% set interface_optional_keys = { diff --git a/tests/test.yml b/tests/test.yml index 8aa8a3f..fe28b3e 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -2,7 +2,7 @@ - hosts: all vars: wireguard_manage_services: false - wireguard_networks: + wireguard_interfaces: - wg0 - wg1 From cfa19713af2017b005906d431478d35d053f5f10 Mon Sep 17 00:00:00 2001 
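Review bot: The generate task's `when` list evaluates `not privatekey_{{ item }}.stat.exists` before `wireguard_manage_services`; when that flag is false the preceding `stat` task is skipped, its registered result carries no `stat` key, and the first condition raises an undefined-attribute error instead of skipping the task. Put the flag first: `when:` / `  - wireguard_manage_services` / `  - not privatekey_{{ item }}.stat.exists` (the [PATCH 4/5] hunk of configure_network.yml keeps the same order after swapping in `wireguard_manage_keys`). As far as I know `register:` names are not templated, so `register: privatekey_{{ item }}` may not produce a per-interface variable at all, and `{{ }}` inside `when` is warned against; a loop-safe alternative is to drop the `stat` task and guard the shell task with `args: creates: "/etc/wireguard/privatekey_{{ item }}"`, which is worth confirming against the Ansible version in use. The `umask 077` before `wg genkey` is what keeps the private key file unreadable; a comment on the shell line saying so would stop a future edit from moving it.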
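Review bot: `{% set peers = wireguard_peers[item] -%}` (and the `wireguard_interface[item]` line above it) drops the `{}` default that the removed `vars.get(...)` calls provided, so a host that lists an interface in `wireguard_interfaces` but has no entry for it under `wireguard_peers` — the new default in defaults/main.yml is an empty `{}` — now fails the render with an undefined-variable error instead of producing a peer-less config. Keep the default for peers, `{% set peers = wireguard_peers.get(item, {}) -%}`, and likewise `{% set interface = wireguard_interface.get(item, {}) -%}` so a missing interface reports through the required-keys check that follows rather than as a bare lookup failure. The required/optional key handling that consumes these variables continues outside the hunk.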
From: Mikhail Konyakhin Date: Mon, 24 Dec 2018 12:54:27 +0300 Subject: [PATCH 2/5] Fix permission wireguard network files. --- tasks/configure_network.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/configure_network.yml b/tasks/configure_network.yml index 205aa94..915692e 100644 --- a/tasks/configure_network.yml +++ b/tasks/configure_network.yml @@ -27,6 +27,7 @@ template: src: wgX.conf.j2 dest: /etc/wireguard/{{ item }}.conf + mode: '0400' register: configuration - name: Enable wg-quick@{{ item }} service From 09683a004e60b2667628716607082c532db23801 Mon Sep 17 00:00:00 2001 From: Mikhail Konyakhin Date: Tue, 25 Dec 2018 14:12:52 +0300 Subject: [PATCH 3/5] Fix README.md. --- README.md | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/README.md b/README.md index 09984ca..6c9467f 100644 --- a/README.md +++ b/README.md @@ -154,24 +154,6 @@ client2 ### If wireguard_manage_keys is `True` All hosts is servers and clients (peer2peer). -```yaml -# host_vars/someserver.yml -wireguard_interface: - wg0: - address: 10.0.0.1/16 - private_key: someserver_private_key - listen_port: 12345 - -wireguard_peers: - wg0: - client1: - public_key: client1_public_key - allowed_ips: 10.0.0.11/32 - client2: - public_key: client2_public_key - allowed_ips: 10.0.0.12/32 -``` - ```yaml # group_vars/all.yml wireguard_listen_port: 5888 From dc358772a8b3900e1d1105e72908b9e36578f3df Mon Sep 17 00:00:00 2001 From: Mikhail Konyakhin Date: Tue, 25 Dec 2018 15:14:23 +0300 Subject: [PATCH 4/5] Fix tests. --- tasks/configure_network.yml | 8 +++---- tests/test.yml | 48 ++++++++++++++++++++----------------- 2 files changed, 30 insertions(+), 26 deletions(-) diff --git a/tasks/configure_network.yml b/tasks/configure_network.yml index 915692e..bc8f50e 100644 --- a/tasks/configure_network.yml +++ b/tasks/configure_network.yml 
@@ -3,25 +3,25 @@ stat: path: "/etc/wireguard/privatekey_{{ item }}" register: privatekey_{{ item }} - when: wireguard_manage_services + when: wireguard_manage_keys - name: Generate wireguard keys {{ item }} shell: "umask 077; wg genkey | tee /etc/wireguard/privatekey_{{ item }} | wg pubkey > /etc/wireguard/publickey_{{ item }}" when: - not privatekey_{{ item }}.stat.exists - - wireguard_manage_services + - wireguard_manage_keys - name: Read private key {{ item }} slurp: src: "/etc/wireguard/privatekey_{{ item }}" register: private_{{ item }} - when: wireguard_manage_services + when: wireguard_manage_keys - name: Read public key {{ item }} slurp: src: "/etc/wireguard/publickey_{{ item }}" register: public_{{ item }} - when: wireguard_manage_services + when: wireguard_manage_keys - name: Configure {{ item }} template: diff --git a/tests/test.yml b/tests/test.yml index fe28b3e..4aa0284 100644 --- a/tests/test.yml +++ b/tests/test.yml 
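Review bot: The `slurp` of `/etc/wireguard/privatekey_{{ item }}` (now guarded by `wireguard_manage_keys`) places the private key's base64 content in its registered result, so it is printed in verbose task output and kept in hostvars for the whole run; add `no_log: true` to that task (the public-key slurp below it can stay visible). The generate task's `when` list still puts `not privatekey_{{ item }}.stat.exists` ahead of `wireguard_manage_keys`, so the skipped-stat failure noted on the [PATCH 1/5] hunk is unchanged here. A short comment above the first task, e.g. `# Key material is generated once per interface and never regenerated while privatekey_<iface> exists`, would document the intended lifecycle, since nothing here rotates or validates an existing key.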
@@ -6,30 +6,34 @@ - wg0 - wg1 - wireguard_wg0_interface: - address: 10.0.0.1/24 - private_key: 12345 - listen_port: 12345 + wireguard_interface: + wg0: + address: 10.0.0.1/24 + private_key: 12345 + listen_port: 12345 - wireguard_wg0_peers: - peer-0-0: - public_key: 0-12345-pub - allowed_ips: 10.0.0.10/24 - peer-0-1: - public_key: 0-23456-pub - allowed_ips: 10.0.0.11/24 + wireguard_peers: + wg0: + peer-0-0: + public_key: 0-12345-pub + allowed_ips: 10.0.0.10/24 + peer-0-1: + public_key: 0-23456-pub + allowed_ips: 10.0.0.11/24 - wireguard_wg1_interface: - address: 10.0.1.1/24 - private_key: 23456 - listen_port: 23456 + wireguard_interface: + wg1: + address: 10.0.1.1/24 + private_key: 23456 + listen_port: 23456 - wireguard_wg1_peers: - peer-1-0: - public_key: 1-12345-pub - allowed_ips: 10.0.1.10/24 - peer-1-1: - public_key: 1-23456-pub - allowed_ips: 10.0.1.11/24 + wireguard_peers: + wg1: + peer-1-0: + public_key: 1-12345-pub + allowed_ips: 10.0.1.10/24 + peer-1-1: + public_key: 1-23456-pub + allowed_ips: 10.0.1.11/24 roles: - role_under_test From 0cb82272483c4c5fa130b64749850b19b0003a87 Mon Sep 17 00:00:00 2001 From: Mikhail Konyakhin Date: Wed, 16 Jan 2019 16:18:38 +0300 Subject: [PATCH 5/5] Add install depends for wireguard. --- tasks/debian_packages.yml | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/tasks/debian_packages.yml b/tasks/debian_packages.yml index c8d38e5..8c5ab04 100644 --- a/tasks/debian_packages.yml +++ b/tasks/debian_packages.yml 
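Review bot: The new `vars:` mapping defines `wireguard_interface:` twice and `wireguard_peers:` twice (once for wg0, once for wg1); YAML duplicate keys are resolved last-wins by Ansible's loader, so the wg0 entries are discarded and the template's `wireguard_interface[item]` lookup for wg0 fails, which is the opposite of what "Fix tests" intends. Merge each pair into one mapping with both interfaces as sub-keys, as below. The test values `private_key: 12345` and `private_key: 23456` are parsed as integers; quoting them (`"12345"`) keeps the fixture honest about the string type the template expects. The enclosing play starts before the hunk.
```yaml
    wireguard_interface:
      wg0:
        address: 10.0.0.1/24
        private_key: "12345"
        listen_port: 12345
      wg1:
        address: 10.0.1.1/24
        private_key: "23456"
        listen_port: 23456

    wireguard_peers:
      wg0:
        peer-0-0:
          public_key: 0-12345-pub
          allowed_ips: 10.0.0.10/24
        peer-0-1:
          public_key: 0-23456-pub
          allowed_ips: 10.0.0.11/24
      wg1:
        peer-1-0:
          public_key: 1-12345-pub
          allowed_ips: 10.0.1.10/24
        peer-1-1:
          public_key: 1-23456-pub
          allowed_ips: 10.0.1.11/24
    # … unchanged: roles: - role_under_test …
```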
@@ -1,7 +1,24 @@ --- - include_tasks: "{{ ansible_distribution | lower }}_repositories.yml" +- name: Install linux headers (Ubuntu) + apt: + name: + - linux-headers-generic + - linux-headers-{{ ansible_kernel }} + state: present + update_cache: yes + when: ansible_distribution == "Ubuntu" + +- name: Install kernel headers (Debian) + apt: + name: linux-headers-{{ ansible_kernel }} + state: present + update_cache: yes + when: ansible_distribution == "Debian" + - name: Install wireguard - package: + apt: name: wireguard state: present + update_cache: yes
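Review bot: `update_cache: yes` on all three `apt` tasks uses the YAML 1.1 truthy spelling; write `update_cache: true` (yamllint `truthy`), and add `cache_valid_time: 3600` so the package index is not refreshed three times in one run. Installing `linux-headers-{{ ansible_kernel }}` ties the role to the currently running kernel; after a kernel upgrade without a reboot that headers package may no longer be in the archive and the whole role then fails, so a comment stating that assumption, e.g. `# Headers for the running kernel are needed for the wireguard DKMS module`, would help the next maintainer. Replacing `package:` with `apt:` is consistent with this file being Debian-specific, as the `_repositories.yml` include on the context line shows.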