From 83f8b2509bf31cb448c71e77bb38c5a5889b199c Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sat, 3 Dec 2022 17:16:37 -0500
Subject: [PATCH] Start a wireguard role.

---
 .gitattributes | 1 +
 ansible/playbook.yaml | 63 ++++++++++---------
 ansible/roles/wireguard/tasks/common.yaml | 15 +++++
 ansible/roles/wireguard/tasks/freebsd.yaml | 53 ++++++++++++++++
 ansible/roles/wireguard/tasks/linux.yaml | 24 +++++++
 ansible/roles/wireguard/tasks/main.yaml | 2 +
 ansible/roles/wireguard/tasks/peruser.yaml | 29 +++++++++
 .../wireguard/tasks/peruser_freebsd.yaml | 0
 .../roles/wireguard/tasks/peruser_linux.yaml | 0
 9 files changed, 156 insertions(+), 31 deletions(-)
 create mode 100644 ansible/roles/wireguard/tasks/common.yaml
 create mode 100644 ansible/roles/wireguard/tasks/freebsd.yaml
 create mode 100644 ansible/roles/wireguard/tasks/linux.yaml
 create mode 100644 ansible/roles/wireguard/tasks/main.yaml
 create mode 100644 ansible/roles/wireguard/tasks/peruser.yaml
 create mode 100644 ansible/roles/wireguard/tasks/peruser_freebsd.yaml
 create mode 100644 ansible/roles/wireguard/tasks/peruser_linux.yaml

diff --git a/.gitattributes b/.gitattributes
index 90dd4e1..6ae4113 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,2 @@
 cargo_credentials.toml filter=git-crypt diff=git-crypt
+wireguard_configs/ filter=git-crypt diff=git-crypt
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index 258d15c..5d55635 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
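Review bot: The added pattern `wireguard_configs/` will most likely not encrypt anything: gitattributes uses gitignore-style matching, but a pattern that matches a directory does not apply to the paths inside it, so the trailing-slash form is a no-op in an attributes file. The `*.conf` files the new role copies from `files/wireguard_configs/` (wg-quick configs, which normally carry the interface's private key) would then be committed in plaintext. Use `wireguard_configs/** filter=git-crypt diff=git-crypt` instead, and check `git-crypt status` on the config paths before the first commit that contains them.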
@@ -2,37 +2,38 @@
 vars:
 ansible_become: True
 roles:
- - sudo
- - users
- - package_manager
- - zrepl
- - zsh
- - network
- - sshd
- - base
- - firewall
- - cpu
- - ntp
- - build
- - graphics
- - gpg
- - fonts
- - alacritty
- - sway
- - emacs
- - firefox
- - devfs
- - ssh_client
- - sshfs
- - jail
- - fuse
- - autofs
- - exfat
- - bhyve
- - media
- - kubernetes
- - google_cloud_sdk
- - ansible
+ # - sudo
+ # - users
+ # - package_manager
+ # - zrepl
+ # - zsh
+ # - network
+ # - sshd
+ # - base
+ # - firewall
+ # - cpu
+ # - ntp
+ # - build
+ # - graphics
+ # - gpg
+ # - fonts
+ # - alacritty
+ # - sway
+ # - emacs
+ # - firefox
+ # - devfs
+ # - ssh_client
+ # - sshfs
+ # - jail
+ # - fuse
+ # - autofs
+ # - exfat
+ # - bhyve
+ # - media
+ # - kubernetes
+ # - google_cloud_sdk
+ # - ansible
+ - wireguard
 - hosts: nat_dhcp:homeserver_nat_dhcp
 vars:
diff --git a/ansible/roles/wireguard/tasks/common.yaml b/ansible/roles/wireguard/tasks/common.yaml
new file mode 100644
index 0000000..fef1101
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/common.yaml
@@ -0,0 +1,15 @@
+- import_tasks: tasks/freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+ when: 'os_flavor == "linux"'
+
+- include_tasks:
+ file: tasks/peruser.yaml
+ apply:
+ become: yes
+ become_user: "{{ initialize_user }}"
+ when: users is defined
+ loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+ loop_control:
+ loop_var: initialize_user
diff --git a/ansible/roles/wireguard/tasks/freebsd.yaml b/ansible/roles/wireguard/tasks/freebsd.yaml
new file mode 100644
index 0000000..6a6688f
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/freebsd.yaml
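Review bot: Commenting out the other 31 roles to run only `wireguard` leaves a large block of dead configuration in the playbook that is easy to commit permanently, and on the next full run every one of those roles is silently skipped. The usual way to scope a run is to tag the role and invoke `ansible-playbook playbook.yaml --tags wireguard`, or use `--limit`, leaving the list intact. If the disabled list is deliberate for a work-in-progress commit, a one-line marker such as `# TEMP: other roles disabled while bringing up the wireguard role` above it would make that visible.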
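Review bot: The `when: users is defined` guard on the `include_tasks` block is, as far as I can tell, evaluated per loop item after the `loop:` expression has already been rendered, so on a host with no `users` variable the `users | dict2items` filter raises an undefined-variable error before the condition can skip the task. Guard inside the loop expression instead, by starting it with `users | default({}) | dict2items | ...`, and the `when` can then stay as a cheap early exit. Note too that `community.general.json_query` needs the `jmespath` Python package on the controller, which nothing in this role declares. Minor: write `become: true` rather than `become: yes`.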
@@ -0,0 +1,53 @@
+- name: Install packages
+ package:
+ name:
+ - wireguard
+ state: present
+
+- name: Configure wireguard
+ copy:
+ src: "{{ item }}"
+ dest: /usr/local/etc/wireguard/
+ mode: 0440
+ owner: root
+ group: root
+ with_fileglob: "files/wireguard_configs/{{ wireguard_directory }}/*.conf"
+
+- name: Enable Wireguard
+ when: enabled_wireguard is defined
+ systemd:
+ enabled: yes
+ name: "wg-quick@{{ item }}"
+ daemon_reload: yes
+ loop: "{{ enabled_wireguard }}"
+
+- name: Enable gateway
+ when: wireguard_gateway is defined and wireguard_gateway == true
+ community.general.sysrc:
+ name: "{{ item }}"
+ value: "YES"
+ path: /etc/rc.conf.d/routing
+ loop:
+ - gateway_enable
+ - ipv6_gateway_enable
+
+- name: Enable wireguard service
+ when: enabled_wireguard is defined
+ community.general.sysrc:
+ name: wireguard_enable
+ value: "YES"
+ path: /etc/rc.conf.d/wireguard
+
+- name: Disable wireguard service
+ when: enabled_wireguard is not defined
+ community.general.sysrc:
+ name: wireguard_enable
+ value: "NO"
+ path: /etc/rc.conf.d/wireguard
+
+- name: Set enabled wireguard list
+ when: enabled_wireguard is defined
+ community.general.sysrc:
+ name: wireguard_interfaces
+ value: "{{ enabled_wireguard|join(' ') }}"
+ path: /etc/rc.conf.d/wireguard
diff --git a/ansible/roles/wireguard/tasks/linux.yaml b/ansible/roles/wireguard/tasks/linux.yaml
new file mode 100644
index 0000000..d3ba5b9
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/linux.yaml
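Review bot: The `Enable Wireguard` task in this FreeBSD file uses the `systemd` module, which cannot succeed on FreeBSD (no systemd), so every host that defines `enabled_wireguard` will fail here; it looks copied from the Linux task file, and the `sysrc` tasks further down (`wireguard_enable`, `wireguard_interfaces`) already do the FreeBSD equivalent, so this task should be dropped. The `copy` task's `group: root` will also fail on FreeBSD, where the superuser group is `wheel`: `group: wheel`. Since `gateway_enable`/`ipv6_gateway_enable` turn on forwarding for every interface on the host, it is worth a comment noting that the firewall role is expected to constrain what gets forwarded. Minor: quote the mode (`mode: "0440"`) and simplify the gateway condition to `when: wireguard_gateway | default(false) | bool`.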
@@ -0,0 +1,24 @@
+- name: Install packages
+ package:
+ name:
+ - wireguard-tools
+ - qrencode # For generating qr codes to send to phone with `qrencode -t ansiutf8 -r `
+ - systemd-resolvconf # For wg-quick to regenerate resolv.conf
+ state: present
+
+- name: Configure wireguard
+ copy:
+ src: "{{ item }}"
+ dest: /etc/wireguard/
+ mode: 0440
+ owner: root
+ group: root
+ with_fileglob: "files/wireguard_configs/{{ wireguard_directory }}/*.conf"
+
+- name: Enable Wireguard
+ when: enabled_wireguard is defined
+ systemd:
+ enabled: yes
+ name: "wg-quick@{{ item }}"
+ daemon_reload: yes
+ loop: "{{ enabled_wireguard }}"
diff --git a/ansible/roles/wireguard/tasks/main.yaml b/ansible/roles/wireguard/tasks/main.yaml
new file mode 100644
index 0000000..8a66fbe
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+ when: wireguard_directory is defined
diff --git a/ansible/roles/wireguard/tasks/peruser.yaml b/ansible/roles/wireguard/tasks/peruser.yaml
new file mode 100644
index 0000000..111e886
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/peruser.yaml
@@ -0,0 +1,29 @@
+- include_role:
+ name: per_user
+
+# - name: Create directories
+# file:
+# name: "{{ account_homedir.stdout }}/{{ item }}"
+# state: directory
+# mode: 0700
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - ".config/foo"
+
+# - name: Copy files
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+# mode: 0600
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - src: foo.conf
+# dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+ when: 'os_flavor == "linux"'
diff --git a/ansible/roles/wireguard/tasks/peruser_freebsd.yaml b/ansible/roles/wireguard/tasks/peruser_freebsd.yaml
new file mode 100644
index 0000000..e69de29
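Review bot: `Enable Wireguard` only sets `enabled: yes` on the `wg-quick@` units; nothing starts them, and nothing restarts them when `Configure wireguard` copies a changed `.conf`, so a rotated key or a new peer only takes effect at the next reboot. Add `state: started` to the `systemd` task and give the `copy` task a `notify: Restart wireguard` pointing at a handler (not part of this commit) that runs `systemd` with `state: restarted` over `enabled_wireguard`. Minor: `enabled: yes` and `daemon_reload: yes` should be `true`, and the mode should be quoted (`mode: "0440"`) so no YAML loader reinterprets it.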
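Review bot: Twenty lines of this file are a commented-out template (`foo.conf`, `.config/foo`) unrelated to WireGuard, and the two `import_tasks` at the end pull in `peruser_freebsd.yaml` and `peruser_linux.yaml`, which this commit creates empty, so the per-user path currently does nothing beyond `include_role: per_user`. Either remove the scaffolding or replace it with a single marker stating the intent, e.g. `# TODO: per-user wireguard setup not implemented yet; peruser_*.yaml are placeholders`, so a reader does not mistake the commented block for disabled behaviour.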
diff --git a/ansible/roles/wireguard/tasks/peruser_linux.yaml b/ansible/roles/wireguard/tasks/peruser_linux.yaml
new file mode 100644
index 0000000..e69de29