ansible-roles/vpn/wireguard/tasks/main.yml

---
- name: "install wireguard"
  ansible.builtin.apt:
    name: "wireguard"

- name: "configure wireguard"
  ansible.builtin.template:
    src: "./{{ vpn_wireguard_role }}/IFACE.conf"
    dest: "/etc/wireguard/{{ vpn_wireguard_iface }}.conf"
    mode: 0600
  register: vpn_wireguard_conf

- name: "post-up nftables inet script"
  ansible.builtin.template:
    src: "./post-up-IFACE-inet.nft"
    dest: "/usr/local/sbin/post-up-{{ vpn_wireguard_iface }}-inet.nft"
    mode: 0755
  register: vpn_wireguard_post_up_iface_inet_nft

- name: "post-up nftables ipv4 script"
  ansible.builtin.template:
    src: "./post-up-IFACE-ipv4.nft"
    dest: "/usr/local/sbin/post-up-{{ vpn_wireguard_iface }}-ipv4.nft"
    mode: 0755
  register: vpn_wireguard_post_up_iface_ipv4_nft

- name: "configure interface"
  ansible.builtin.template:
    src: "./{{ vpn_wireguard_role }}/IFACE"
    dest: "/etc/network/interfaces.d/{{ vpn_wireguard_iface }}"
    mode: 0644
    validate: >
      bash -c
      'if ! diff %s /etc/network/interfaces.d/{{ vpn_wireguard_iface }} &&
          ip link show dev {{ vpn_wireguard_iface }} ;
       then
           ifdown {{ vpn_wireguard_iface }} ;
       fi'
  register: vpn_wireguard_intf

- name: "restart interface"
  ansible.builtin.shell: |
    if ip link show dev {{ vpn_wireguard_iface }}
    then
        ifdown {{ vpn_wireguard_iface }} && ifup {{ vpn_wireguard_iface }}
    else
        ifup {{ vpn_wireguard_iface }}
    fi
  when:
    vpn_wireguard_conf.changed or
    vpn_wireguard_post_up_iface_inet_nft.changed or
    vpn_wireguard_post_up_iface_ipv4_nft.changed or
    vpn_wireguard_intf.changed

- name: "pre-down nftables inet script"
  ansible.builtin.template:
    src: "./pre-down-IFACE-inet.nft"
    dest: "/usr/local/sbin/pre-down-{{ vpn_wireguard_iface }}-inet.nft"
    mode: 0755

- name: "pre-down nftables ipv4 script"
  ansible.builtin.template:
    src: "./pre-down-IFACE-ipv4.nft"
    dest: "/usr/local/sbin/pre-down-{{ vpn_wireguard_iface }}-ipv4.nft"
    mode: 0755
Initial commit 2022-12-20 19:47:11 +01:00			`---`
			`- name: "install wireguard"`
			`ansible.builtin.apt:`
			`name: "wireguard"`

			`- name: "configure wireguard"`
			`ansible.builtin.template:`
Split wireguard client and server files 2023-07-22 21:08:50 +02:00			`src: "./{{ vpn_wireguard_role }}/IFACE.conf"`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`dest: "/etc/wireguard/{{ vpn_wireguard_iface }}.conf"`
Initial commit 2022-12-20 19:47:11 +01:00			`mode: 0600`
			`register: vpn_wireguard_conf`

			`- name: "post-up nftables inet script"`
			`ansible.builtin.template:`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`src: "./post-up-IFACE-inet.nft"`
			`dest: "/usr/local/sbin/post-up-{{ vpn_wireguard_iface }}-inet.nft"`
Initial commit 2022-12-20 19:47:11 +01:00			`mode: 0755`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`register: vpn_wireguard_post_up_iface_inet_nft`
Initial commit 2022-12-20 19:47:11 +01:00
			`- name: "post-up nftables ipv4 script"`
			`ansible.builtin.template:`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`src: "./post-up-IFACE-ipv4.nft"`
			`dest: "/usr/local/sbin/post-up-{{ vpn_wireguard_iface }}-ipv4.nft"`
Initial commit 2022-12-20 19:47:11 +01:00			`mode: 0755`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`register: vpn_wireguard_post_up_iface_ipv4_nft`
Initial commit 2022-12-20 19:47:11 +01:00
			`- name: "configure interface"`
			`ansible.builtin.template:`
Split wireguard client and server files 2023-07-22 21:08:50 +02:00			`src: "./{{ vpn_wireguard_role }}/IFACE"`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`dest: "/etc/network/interfaces.d/{{ vpn_wireguard_iface }}"`
Initial commit 2022-12-20 19:47:11 +01:00			`mode: 0644`
			`validate: >`
			`bash -c`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`'if ! diff %s /etc/network/interfaces.d/{{ vpn_wireguard_iface }} &&`
			`ip link show dev {{ vpn_wireguard_iface }} ;`
Initial commit 2022-12-20 19:47:11 +01:00			`then`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`ifdown {{ vpn_wireguard_iface }} ;`
Initial commit 2022-12-20 19:47:11 +01:00			`fi'`
			`register: vpn_wireguard_intf`

			`- name: "restart interface"`
			`ansible.builtin.shell: \|`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`if ip link show dev {{ vpn_wireguard_iface }}`
Initial commit 2022-12-20 19:47:11 +01:00			`then`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`ifdown {{ vpn_wireguard_iface }} && ifup {{ vpn_wireguard_iface }}`
Initial commit 2022-12-20 19:47:11 +01:00			`else`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`ifup {{ vpn_wireguard_iface }}`
Initial commit 2022-12-20 19:47:11 +01:00			`fi`
			`when:`
			`vpn_wireguard_conf.changed or`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`vpn_wireguard_post_up_iface_inet_nft.changed or`
			`vpn_wireguard_post_up_iface_ipv4_nft.changed or`
Initial commit 2022-12-20 19:47:11 +01:00			`vpn_wireguard_intf.changed`

			`- name: "pre-down nftables inet script"`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`ansible.builtin.template:`
			`src: "./pre-down-IFACE-inet.nft"`
			`dest: "/usr/local/sbin/pre-down-{{ vpn_wireguard_iface }}-inet.nft"`
Initial commit 2022-12-20 19:47:11 +01:00			`mode: 0755`

			`- name: "pre-down nftables ipv4 script"`
Variable wireguard interface name 2023-07-20 20:27:37 +02:00			`ansible.builtin.template:`
			`src: "./pre-down-IFACE-ipv4.nft"`
			`dest: "/usr/local/sbin/pre-down-{{ vpn_wireguard_iface }}-ipv4.nft"`
Initial commit 2022-12-20 19:47:11 +01:00			`mode: 0755`