wg-aws/roles/wireguard_server/tasks/main.yml

---
- name: (Ubuntu) Update APT package cache
  apt:
    update_cache: true

- name: (Ubuntu) Ensure WireGuard DKMS package is removed
  apt:
    name:
      - "wireguard-dkms"
    state: absent

- name: Install wireguard package
  apt:
    name: "wireguard"
    state: present

- name: Install qrencode package
  apt:
    name: "qrencode"
    state: present

- name: Reboot to use new kernel
  reboot:

- name: ensure wireguard services are stopped and enabled
  service:
    name: "wg-quick@wg0"
    state: stopped
    enabled: yes
  ignore_errors: True
  
- name: generate directories for client configs
  file:
    path: "~/wg/client_{{ item }}"
    state: directory
    owner: root
    group: root
    mode: 0700
  with_sequence: start=1 end={{ vpn_clients }}

- name: generate private and public keys for the client and server
  shell: umask 077; wg genkey | tee ~/wg/{{ item }}.private | wg pubkey > ~/wg/{{ item }}.public
  register: key_files
  with_sequence: start=0 end={{ vpn_clients }}

- name: register private key file contents
  shell: cat ~/wg/{{ item }}.private
  register: private_key_files
  with_sequence: start=0 end={{ vpn_clients }}

- name: register public key file contents
  shell: cat ~/wg/{{ item }}.public
  register: public_key_files
  with_sequence: start=0 end={{ vpn_clients }}

- name: generate client configs
  template:
    src: "wg0-client.conf"
    dest: "~/wg/client_{{ item }}/wg0-client.conf"
    owner: root
    group: root
    mode: 0600
  with_sequence: start=1 end={{ vpn_clients }}

- name: generate qr codes for client configs
  shell: umask 077; qrencode --type=PNG --output=/root/wg/client_{{ item }}/wg0-client.png < ~/wg/client_{{ item }}/wg0-client.conf
  with_sequence: start=1 end={{ vpn_clients }}

- name: generate server config
  template:
    src: "wg0.conf"
    dest: "/etc/wireguard/wg0.conf"
    owner: root
    group: root
    mode: 0600

- name: enable ipv4 traffic forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set: yes
    state: present
    reload: yes

- name: ensure all wireguard services are started
  service:
    name: "wg-quick@wg0"
    state: started
  ignore_errors: True
    
- name:  download client conf files to the "wireguard_profiles/" folder on your local host
  fetch:
    src: "~/wg/client_{{item}}/wg0-client.conf"
    dest: "wireguard_profiles/{{ ansible_ssh_host }}/client_{{item}}/"
    flat: yes
  with_sequence: start=1 end={{ vpn_clients }}

- name:  download client qr codes to the "wireguard_profiles/" folder on your local host
  fetch:
    src: "~/wg/client_{{item}}/wg0-client.png"
    dest: "wireguard_profiles/{{ ansible_ssh_host }}/client_{{item}}/"
    flat: yes
  with_sequence: start=1 end={{ vpn_clients }}