infrastructure/ansible/plays/vpn.yaml
Tobias Manske bb42d7ef05
Make wireguard config deterministic
2023-10-30 23:22:25 +01:00


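---
# Builds the WireGuard mesh: every host gets a key pair, a templated
# wg_infra.conf, the wg-quick unit enabled, and /etc/hosts entries for the
# WireGuard address of every other inventory host.
- name: Setup VPN Meshnetwork
  hosts: all
  become: true
  become_user: root
  gather_facts: true
  vars:
    # Sorted so that templated peer lists come out in the same order on every
    # run and every host (keeps the rendered config deterministic).
    nodes: "{{ groups['all'] | sort }}"
  tasks:
    - name: Generate Keymaterial
      become: true
      block:
        # The key is written under umask 077 and never echoed to stdout, so it
        # does not end up world-readable on disk or in the task result/log.
        # Command substitution keeps a failed `wg genkey` from leaving an
        # empty file behind that `creates:` would then treat as done.
        - name: Generate Private Key
          ansible.builtin.shell:
            executable: /bin/bash
            cmd: |
              set -euo pipefail
              umask 077
              key="$(wg genkey)"
              printf '%s\n' "$key" > /etc/wireguard/privatekey
            creates: /etc/wireguard/privatekey
        # Enforced on every run, also for keys created before this play
        # tightened the umask.
        - name: Restrict Private Key permissions
          ansible.builtin.file:
            path: /etc/wireguard/privatekey
            owner: root
            group: root
            mode: "0600"
        - name: Register Private Key
          ansible.builtin.slurp:
            src: /etc/wireguard/privatekey
          register: private_key_b64
          changed_when: false
          no_log: true  # result carries the private key
        - name: Register Public Key
          ansible.builtin.shell:
            executable: /bin/bash
            cmd: wg pubkey < /etc/wireguard/privatekey
          register: public_key
          changed_when: false
        # `trim` drops the trailing newline `wg genkey` wrote into the file;
        # `stdout` is already stripped by Ansible.
        - name: Set facts
          ansible.builtin.set_fact:
            wg_private_key: "{{ private_key_b64.content | b64decode | trim }}"
            wg_public_key: "{{ public_key.stdout }}"
          no_log: true  # fact value is the private key
    - name: Deploy Config
      ansible.builtin.template:
        src: wg_infra.conf.j2
        dest: /etc/wireguard/wg_infra.conf
        owner: root
        group: root
        mode: "0600"  # quoted: a bare 0600 is parsed as an octal int
      notify:
        - Restart wireguard
    - name: Enable systemd service
      ansible.builtin.systemd:
        name: wg-quick@wg_infra
        enabled: true
    # The written line is "<wg_addr> <hostname>", so the match pattern has to
    # look for the hostname in the second field: matching "^<hostname>\s"
    # never hits the line this task wrote, and a changed wg_addr would be
    # appended as a second entry instead of replacing the stale one.
    - name: Setup /etc/hosts
      ansible.builtin.lineinfile:
        path: /etc/hosts
        regexp: "^\\S+\\s+{{ item | regex_escape }}(\\s|$)"
        line: "{{ hostvars[item]['wg_addr'] | mandatory }} {{ item }}"
        state: present
      loop: "{{ nodes }}"
      when: item != inventory_hostname
  handlers:
    - name: Restart wireguard
      ansible.builtin.systemd:
        name: wg-quick@wg_infra
        state: restarted
# vim: ft=yaml.ansible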