authorDmitry Ilvokhin <d@ilvokhin.com>2025-08-24 13:31:38 +0100
committerDmitry Ilvokhin <d@ilvokhin.com>2025-08-24 13:31:38 +0100
commit7d113fcddd341f1e4b04ceb2785087d50b8e1556 (patch)
treea8f8e8c288c13badf9eb061bbc67c899916bc6a3 /roles
parent461b380f51b6aca3113f581378846e4902bea6fe (diff)
Add wireguard configuration to dotfiles role
This is a simple role that works only for one host. There are multiple complications that I should keep in mind in the future. * There should be a way to install dotfiles on boxes without a GPG key. So, files with secrets in them should be gated. * Wireguard configuration should be per host. Each host should have its own private key.
Diffstat (limited to 'roles')
-rw-r--r--roles/dotfiles/tasks/main.yml23
-rw-r--r--roles/wgconfig/defaults/main.yml3
-rw-r--r--roles/wgconfig/tasks/main.yml35
3 files changed, 61 insertions, 0 deletions
diff --git a/roles/dotfiles/tasks/main.yml b/roles/dotfiles/tasks/main.yml
index 424588d..73c9a90 100644
--- a/roles/dotfiles/tasks/main.yml
+++ b/roles/dotfiles/tasks/main.yml
@@ -74,6 +74,29 @@
sshconfig_jumphost: '{{ dotfiles_jumphost }}'
when: has_ssh.rc == 0
+- name: Configure wireguard if installed
+ tags: wireguard
+ block:
+ - name: Check if wireguard is installed
+ ansible.builtin.command: wg --version
+ changed_when: false
+ failed_when: false
+ register: has_wireguard
+
+ - name: Get actual hostname
+ ansible.builtin.command: hostname
+ changed_when: false
+ failed_when: false
+ register: hostname
+
+ - ansible.builtin.include_role:
+ name: wgconfig
+ vars:
+ wgconfig_user: '{{ dotfiles_user }}'
+ wgconfig_group: '{{ dotfiles_group }}'
+ wgconfig_homedir: '{{ dotfiles_homedir }}'
+ when: has_wireguard.rc == 0 and hostname.stdout == "silver"
+
- name: Configure git if installed
tags: git
block:
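Review bot: The host gate on the `include_role` `when:` compares a shelled-out `hostname` against the literal "silver", which adds a command task to maintain and hard-codes the only host in the role; the gathered fact already carries this, so `when: has_wireguard.rc == 0 and ansible_facts['hostname'] == dotfiles_wireguard_host` (with `dotfiles_wireguard_host: silver` in the role defaults) removes the `Get actual hostname` task and makes the host a variable, assuming the play gathers facts. The block's `tags: wireguard` appears to apply to the include task only, and the wgconfig tasks added in this commit carry `tags: dotfiles` alone, so a run with `--tags wireguard` would likely select the include and then skip its tasks unless `include_role` is given `apply: {tags: [wireguard]}`. Giving the `include_role` task a `name:` would also make it visible in play output like its siblings.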
diff --git a/roles/wgconfig/defaults/main.yml b/roles/wgconfig/defaults/main.yml
new file mode 100644
index 0000000..0d5634b
--- /dev/null
+++ b/roles/wgconfig/defaults/main.yml
@@ -0,0 +1,3 @@
+wgconfig_user: d
+wgconfig_group: d
+wgconfig_homedir: /home/{{ wgconfig_user }}
diff --git a/roles/wgconfig/tasks/main.yml b/roles/wgconfig/tasks/main.yml
new file mode 100644
index 0000000..9ece687
--- /dev/null
+++ b/roles/wgconfig/tasks/main.yml
@@ -0,0 +1,35 @@
+- name: Setup wireguard config directory
+ ansible.builtin.file:
+ path: '{{ wgconfig_homedir }}/.wireguard'
+ state: directory
+ owner: '{{ wgconfig_user }}'
+ group: '{{ wgconfig_group }}'
+ mode: u+rw,g-rw,o-rw
+ tags:
+ - dotfiles
+
+- name: Copy wireguard config files to home directory
+ ansible.builtin.copy:
+ src: misc/dotfiles/wireguard/{{ item }}
+ dest: '{{ wgconfig_homedir }}/.wireguard/{{ item }}'
+ owner: '{{ wgconfig_user }}'
+ group: '{{ wgconfig_group }}'
+ mode: u+rw,g-rw,o-rw
+ loop:
+ - wgvpn0.conf
+ - wgtor0.conf
+ tags:
+ - dotfiles
+
+- name: Copy wireguard scripts to home directory
+ ansible.builtin.copy:
+ src: misc/dotfiles/wireguard/{{ item }}
+ dest: '{{ wgconfig_homedir }}/.wireguard/{{ item }}'
+ owner: '{{ wgconfig_user }}'
+ group: '{{ wgconfig_group }}'
+ mode: u+rwx,g-rw,o-rw
+ loop:
+ - onion-dns-up.sh
+ - onion-dns-down.sh
+ tags:
+ - dotfiles
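Review bot: The symbolic modes in all three tasks are relative: `u+rw,g-rw,o-rw` strips only read and write from group and other, leaves any execute/search bit in place, and the result depends on the mode the path already had or the umask-derived default for a newly created one, so the `.wireguard` directory can end up 0711 rather than 0700 on a fresh host and a pre-existing world-readable file is not guaranteed to be locked down. For a directory holding VPN configuration, use absolute modes: `mode: 'u=rwx,g=,o='` on the directory and on the two scripts, and `mode: 'u=rw,g=,o='` on the `.conf` files. If `wgvpn0.conf`/`wgtor0.conf` contain `PrivateKey =` lines, as wg-quick configs usually do, they are committed in clear under `misc/dotfiles/wireguard/`; since `ansible.builtin.copy` transparently decrypts a vault-encrypted `src` (its `decrypt` option defaults to true), running `ansible-vault encrypt` on those two files would address the secret gating the commit message defers without changing these tasks. The two copy tasks differ only in `mode` and could be collapsed into one task looping over `{name, mode}` items.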