commit 1ec7b153fdbb38b9aeac557a74fcb0724f879bef
Author: Arne Zachlod
Date: Sat Oct 5 20:52:42 2024 +0200
first commit, wireguard basics working
diff --git a/Readme.md b/Readme.md
new file mode 100644
index 0000000..7224044
--- /dev/null
+++ b/Readme.md
@@ -0,0 +1,2 @@
+ansible playbook, play with:
+ansible-playbook -i hosts common.yml -K
diff --git a/common.yml b/common.yml
new file mode 100644
index 0000000..0d2c7b4
--- /dev/null
+++ b/common.yml
@@ -0,0 +1,5 @@
+---
+- hosts: all
+ remote_user: root
+ roles:
+ - common
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..e4d9898
--- /dev/null
+++ b/hosts
@@ -0,0 +1,2 @@
+[vpn_server]
+vpn2.db4rne.de
diff --git a/roles/vpn-server-wireguard/tasks/main.yml b/roles/vpn-server-wireguard/tasks/main.yml
new file mode 100644
index 0000000..f78ced3
--- /dev/null
+++ b/roles/vpn-server-wireguard/tasks/main.yml
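Review bot: The play in common.yml assigns the role `common`, but the only role this commit adds is `roles/vpn-server-wireguard`, so `ansible-playbook -i hosts common.yml` fails at role resolution unless a `roles/common` directory exists outside the commit; the intended entry is presumably `- vpn-server-wireguard`. `hosts: all` combined with `remote_user: root` also runs the role on every inventory host as root, while the inventory only defines a `vpn_server` group; restricting the play to `hosts: vpn_server` and logging in as an unprivileged user with `become: true` is what the Readme's `-K` (ask-become-pass) already implies. A standalone play name (`- name: configure wireguard server`) would make the run output self-describing.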
@@ -0,0 +1,43 @@
+---
+- name: wireguard server keys
+ hosts: vpn_server
+ vars:
+ server_privkey: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 37373763643362313533663532373161353334613738316136336562666462303735623065323139
+ 3364366239376434343064633765373830393937346665650a636231396634326236333466636165
+ 34373562356437373136666336363466336564663839333930366566316439336262303861343965
+ 6434633631383264390a316135386235653433396161616662373633393635626537316432623632
+ 30353631363164346161343530313365663437663533366639636432353234376632333638313464
+ 6263333266666164343834636330626265326135303361636135
+ server_pubkey: nbHkhDv4TLxjdGRqwW4dyFyNZsYBTi2ryVCZ7/K7aEs=
+ tasks:
+ - name: install wireguard
+ apt:
+ name: wireguard
+ state: present
+
+ - name: create server wireguard config
+ template:
+ dest: /etc/wireguard/wg0.conf
+ src: server_wg0.conf.j2
+ owner: root
+ group: root
+ mode: '0600'
+
+ - name: enable and persist ip forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: "1"
+ state: present
+ sysctl_set: yes
+ reload: yes
+
+ - name: start and enable wireguard
+ systemd:
+ name: wg-quick@wg0
+ enabled: yes
+ state: started
+
+
+
diff --git a/roles/vpn-server-wireguard/tasks/templates/server_wg0.conf.j2 b/roles/vpn-server-wireguard/tasks/templates/server_wg0.conf.j2
new file mode 100644
index 0000000..31d31aa
--- /dev/null
+++ b/roles/vpn-server-wireguard/tasks/templates/server_wg0.conf.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+[Interface]
+Address = 10.0.1.1/24
+ListenPort = 51820
+PrivateKey = {{ server_privkey }}
+
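Review bot: This file lives at `roles/vpn-server-wireguard/tasks/main.yml` but is written as a play (`hosts:`, `vars:`, `tasks:`); a role's tasks/main.yml must be a bare task list, so Ansible rejects it when the role is applied from common.yml — move `hosts` into the playbook, the vaulted `server_privkey` and `server_pubkey` into `vars/main.yml`, and keep only the four tasks here. Enabling `net.ipv4.ip_forward` turns the host into a router for every interface, yet neither this task list nor the wg0.conf template installs a forward filter or NAT rule (`PostUp`/`PostDown` in wg0.conf or an nftables policy), so the sysctl change should be paired with an explicit forwarding policy. The `template` task renders the vaulted private key into /etc/wireguard/wg0.conf, and with `--diff` or higher verbosity that content is echoed to the console and any callback log, so add `no_log: true` (or at least `diff: false`) to that task, plus a `notify` pointing at a handler that restarts `wg-quick@wg0` so later config changes are actually applied rather than only on first start. The `yes` values on `sysctl_set`, `reload` and `enabled` are YAML 1.1 truthy strings and are clearer written as `true`.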
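Review bot: The rendered `[Interface]` has no `[Peer]` block, so the tunnel as committed accepts no clients; that is presumably the intended stub, but `Address = 10.0.1.1/24` and `ListenPort = 51820` are hard-coded while the private key is already a variable, so exposing them as role defaults next to `server_privkey` would keep the template consistent. The template is also placed under `tasks/templates/` rather than the role's conventional `templates/` directory; Ansible's role search path may still locate it there, but the standard layout is `roles/vpn-server-wireguard/templates/server_wg0.conf.j2`. A one-line comment such as `# peers are appended per client; keep this file 0600 — it holds the server private key` at the top would document the file's sensitivity for whoever adds peers next.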