initial commit, here be dragons

roles/wireguard/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: Start a-vpn
+  ansible.builtin.systemd:
+    name: wg-quick@a-vpn
+    state: restarted
+    enabled: yes

roles/wireguard/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+- name: Activate IP4 forwarding in kernel
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_file: /etc/sysctl.d/99-ip-forwarding.conf
+    state: present
+    reload: yes
+
+- name: Activate IP6 forwarding in kernel
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: '1'
+    sysctl_file: /etc/sysctl.d/99-ip-forwarding.conf
+    state: present
+    reload: yes
+
+- name: Provision wireguard tools
+  ansible.builtin.apt: { name: "wireguard-tools" }
+
+- name: Template a-vpn configuration
+  ansible.builtin.template:
+    src: a-vpn.conf.j2
+    dest: /etc/wireguard/a-vpn.conf
+    mode: 0600
+    owner: root
+    group: root
+  notify: [ "Start a-vpn" ]
+
+- name: Flush handlers
+  ansible.builtin.meta: flush_handlers

roles/wireguard/templates/a-vpn.conf.j2

@@ -0,0 +1,10 @@
+[Interface]
+PrivateKey = {{ vault.wireguard.host.private_key }}
+Address = 10.0.22.1
+ListenPort = 51841
+
+[Peer]
+# User1 - Machine1
+PublicKey = {{ vault.wireguard.user1.machine1.public_key }}
+AllowedIPs = 10.0.22.11/32
+PresharedKey = {{ vault.wireguard.user1.machine1.preshared_key }}