From 89472a3a701d05770c6e7ff9b08ed50dde6421d2 Mon Sep 17 00:00:00 2001
From: Malin Freeborn
Date: Mon, 26 Jan 2026 22:22:04 +0100
Subject: [PATCH] create wireguard playbook
---
 ansible/host_vars/nimbus.yml | 13 ++--
 ansible/playbooks/wireguard.yml | 107 ++++++++++++++++++++++++++++++++
 2 files changed, 115 insertions(+), 5 deletions(-)
 create mode 100644 ansible/playbooks/wireguard.yml
diff --git a/ansible/host_vars/nimbus.yml b/ansible/host_vars/nimbus.yml
index 4fff5ae..d8d42c4 100644
--- a/ansible/host_vars/nimbus.yml
+++ b/ansible/host_vars/nimbus.yml
@@ -1,6 +1,9 @@
 $ANSIBLE_VAULT;1.1;AES256
-61386535643036336233373332346437666166373335343732653734326465373430306464363066
-6337326238633966623333393864363639343965373138300a633964306639343165613266646136
-61646462656362306661343662343864613866323965323165393661646665393838343735313434
-6631646531396662310a393761643537626436303965636563643534643565366436393233353662
-3965
+37363765623839666637633861353139353935323364343538356536653561373266336161353937
+3466653434666163313936393366613666393863616262320a643930663038326666653064613062
+62613661396538363539643938323033663932326362626335333438653865623038336136623030
+3735366564366431330a373061393766346631643434383364646431346231356466663737626435
+64303835343237383761633939643431333439643933636139666163393637363430633261633736
+34626631366163616439366534393031353063363138356638323634313430666330613833386661
+61346365313534353535633365626364303565363565353765353833363065343232633866633132
+63643930633266653765
diff --git a/ansible/playbooks/wireguard.yml b/ansible/playbooks/wireguard.yml
new file mode 100644
index 0000000..5e1f74b
--- /dev/null
+++ b/ansible/playbooks/wireguard.yml
@@ -0,0 +1,107 @@
+---
+- name: Install Wireguard on Server
+ hosts: nimbus
+ become: true
+
+ tasks:
+ - name: Install wireguard tools and dig
+ ansible.builtin.package:
+ name:
+ - wireguard-tools
+ - bind
+
+ - name: Create private key
+ ansible.builtin.shell:
+ chdir: /etc/wireguard/
+ creates: /etc/wireguard/server_public_key
+ cmd: "wg genkey | tee server_private_key | wg pubkey > server_public_key"
+
+ - name: Remember the public key
+ ansible.builtin.command: cat /etc/wireguard/server_public_key
+ register: wireguard_public_key
+
+ - name: Get server public IP
+ ansible.builtin.command: dig +short myip.opendns.com @resolver1.opendns.com
+ register: wireguard_public_ip
+
+ - name: Allow ipv4 forwarding
+ ansible.builtin.lineinfile:
+ path: /etc/sysctl.d/wg.conf
+ line: net.ipv4.ip_forward=1
+ create: yes
+
+ - name: Start the wireguard service
+ ansible.builtin.service:
+ name: wg-quick@wg0
+ enabled: yes
+
+- name: Install Wireguard on Host
+ hosts: localhost
+ become: true
+
+ tasks:
+ - name: Install wireguard tools
+ ansible.builtin.package:
+ name:
+ - wireguard-tools
+
+ - name: Create private key
+ ansible.builtin.shell:
+ chdir: /etc/wireguard/
+ creates: /etc/wireguard/dmz_public_key
+ cmd: "wg genkey | tee dmz_private_key | wg pubkey > dmz_public_key"
+
+ - name: Remember the public key
+ ansible.builtin.command: cat /etc/wireguard/dmz_public_key
+ register: client_public_key
+
+- name: Generate Server Config
+ hosts: nimbus
+ become: true
+
+ tasks:
+
+ - name: Create wg0 configuration
+ ansible.builtin.shell:
+ chdir: /etc/wireguard/
+ creates: /etc/wireguard/wg0.conf
+ cmd: |
+ echo "
+ [Interface]
+ Address = 10.0.0.1/24
+ SaveConfig = true
+ PrivateKey = $(cat server_private_key)
+ ListenPort = 51900
+
+ PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+ PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+ [Peer]
+ PublicKey = {{ hostvars['localhost']['client_public_key']['stdout'] }}
+ AllowedIPs = 10.0.0.2/32
+ " > /etc/wireguard/wg0.conf
+
+
+- name: Generate Client Config
+ hosts: localhost
+ become: true
+
+ tasks:
+
+ - name: Create wg0 client configuration
+ ansible.builtin.shell:
+ chdir: /etc/wireguard/
+ creates: /etc/wireguard/wg0-client.conf
+ cmd: |
+ echo "
+ [Interface]
+ Address = 10.0.0.2/32
+ PrivateKey = $(cat dmz_private_key)
+ DNS = 9.9.9.9
+
+ [Peer]
+ PublicKey = {{ hostvars['nimbus']['wireguard_public_key']['stdout'] }}
+ Endpoint = space.xecut.me:51900
+ AllowedIPs = 10.0.0.1/32
+ " > /etc/wireguard/wg0-client.conf
+
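Review bot: Every file that receives a private key is written through the shell with the default umask and no `mode`, so `/etc/wireguard/server_private_key`, `dmz_private_key`, `wg0.conf` and `wg0-client.conf` will typically land world-readable (`wg genkey` itself warns when its output goes to a world-accessible file), and the `creates:` guard on each task means a later run never corrects the permissions. Prefix the key generation with a umask, e.g. `cmd: "umask 077; wg genkey | tee server_private_key | wg pubkey > server_public_key"` (same for the `dmz_*` task), put `umask 077` as the first line of both `cmd: |` blocks that write the configs, or follow each task with `ansible.builtin.file` setting `mode: "0600"`. Separately, `Start the wireguard service` sets only `enabled: yes` with no `state: started` and runs before `wg0.conf` is generated two plays later, and the `net.ipv4.ip_forward=1` drop-in is written but never loaded, so neither forwarding nor the tunnel is active until a reboot. `wireguard_public_ip` is registered and never used while the client config hardcodes `Endpoint = space.xecut.me:51900`; drop the `dig` task or template the endpoint from it, and use `true` instead of `yes` for `create` and `enabled`.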