add wg-gateway role

group_vars/dhcp.yml

@@ -20,12 +20,15 @@ dhcp_routers: "{{ actual_gateway_ip }}"
 allowed_access_cidrs:
   - 10.0.0.0/24
 
+allowed_services:
+  - dns
+  - dhcp
+
 status_services:
   - wg-quick@wg0
   - unbound
   - dhcpd
 
-
 reservations:
   - type: default
     name: gateway

roles/wg-gateway/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart wireguard interface
+  systemd:
+    name: wg-quick@{{ wg_interface }}
+    state: restarted

roles/wg-gateway/tasks/main.yml

@@ -0,0 +1,54 @@
+---
+- name: Install wireguard-tools
+  yum:
+    name: wireguard-tools
+    state: installed
+
+- name: Copy wireguard config
+  template:
+    src: wg.conf.j2
+    dest: /etc/wireguard/{{ wg_interface }}.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - Restart wireguard interface
+
+- name: Add {{ wg_interface }} to external zone
+  firewalld:
+    zone: external
+    interface: "{{ wg_interface }}"
+    permanent: yes
+    state: enabled
+
+- name: Add {{ ansible_interfaces | sort | first }} to internal zone
+  firewalld:
+    zone: internal
+    interface: "{{ ansible_interfaces | sort | first }}"
+    permanent: yes
+    state: enabled
+
+- name: Allow source networks to use wireguard
+  firewalld:
+    source: "{{ item }}"
+    zone: external
+    state: enabled
+    permanent: yes
+  with_items:
+    - "{{ allowed_access_cidrs }}"
+  
+- name: Allow services
+  firewalld:
+    zone: external
+    service: "{{ item }}"
+    state: enabled
+    permanent: yes
+    immediate: yes
+  with_items:
+    - "{{ allowed_services }}"
+
+- name: Start/Enable {{ wg_interface }} interface
+  systemd:
+    name: wg-quick@{{ wg_interface }}
+    state: started
+    enabled: yes

roles/wg-gateway/templates/wg.conf.j2

@@ -0,0 +1,8 @@
+[Interface]
+PrivateKey = {{ wg_private_key }}
+Address = {{ wg_address }}
+
+[Peer]
+PublicKey = {{ wg_public_key }}
+AllowedIPs = {{ wg_allowed_ips }}
+Endpoint = {{ wg_endpoint }}

roles/wg-gateway/vars/main.yml

@@ -0,0 +1,8 @@
+---
+wg_interface: wg0
+
+wg_private_key: "{{ vaulted_wg_private_key }}"
+wg_address: "{{ vaulted_wg_address }}"
+wg_public_key: "{{ vaulted_wg_public_key }}"
+wg_allowed_ips: 0.0.0.0/0,::0/0
+wg_endpoint: "{{ vaulted_wg_endpoint }}"