Install and provision wireguard client on ingress server

ansible/group_vars/all/wireguard.yml

@@ -165,3 +165,21 @@ wireguard:
         6637366330636561650a333162343039326466666536336536386332626563323739383964393237
         32663861666162646232333333636366636461616265393738336631376234336461326134363430
         3863323435343963353161653936323837633837613733646263
+    ingress:
+      ip: 10.23.0.5
+      public_key: !vault |
+        $ANSIBLE_VAULT;1.1;AES256
+        35303230376161383436623662376136623039646533323737613533346662333633303335363337
+        3662396435616535386334623563396330306432653263380a306563303664636565333537313338
+        34356331336664336362616235353136346237303263326331383137306536643438313639653938
+        3961366563356562660a303131396334626135663038633536326132623332313436363037343632
+        64613566623238393337613161333438316536633631626536393263656466316363356131623732
+        3134333035613634313934333461626531333437313835386431
+      private_key: !vault |
+        $ANSIBLE_VAULT;1.1;AES256
+        39353738366635326164316161636531366133613439343166383030623164366361613830303232
+        3738303931386336313534303332396363366233623164660a386664353333393137623065396634
+        36333261376136313939616563326235376331636164353538626363393361313739383239613466
+        3635663664366261320a653334626366376539386232373034643235356433643934383132343439
+        33633865353337356636343562383163323039663061653763633166346566396665366434666335
+        3832346662303438633233393165343030616331353936633262

ansible/main.yml

@@ -58,3 +58,7 @@
     - duplicati
     - gitlab_pages
     - deluge
+
+- hosts: ingress
+  roles:
+    - ingress

ansible/roles/ingress/files/wireguard.conf

@@ -0,0 +1,10 @@
+[Interface]
+Address = {{ ingress_wireguard.ip }}
+PrivateKey = {{ ingress_wireguard.private_key }}
+
+[Peer]
+PublicKey = {{ wireguard.server.public_key }}
+Endpoint = {{ wireguard.public_ip }}:{{ wireguard.port }}
+AllowedIPs = {{ wireguard.cidr }}
+
+PersistentKeepalive = 25

ansible/roles/ingress/handlers/main.yml

@@ -0,0 +1,5 @@
+- name: restart wireguard
+  service:
+    name: wg-quick.wg0
+    state: restarted
+  become: true

ansible/roles/ingress/tasks/main.yml

@@ -0,0 +1,2 @@
+- name: Configure wireguard
+  include: wireguard.yml

ansible/roles/ingress/tasks/wireguard.yml

@@ -0,0 +1,44 @@
+- name: Install Wireguard
+  package:
+    name:
+      - wireguard-virt
+      - wireguard-tools
+  become: true
+
+- name: Get wireguard credentials
+  set_fact:
+    ingress_wireguard: "{{ wireguard.clients.ingress }}"
+
+- name: Wireguard config
+  template:
+    src: files/wireguard.conf
+    dest: /etc/wireguard/wg0.conf
+    mode: "0600"
+    backup: true
+  become: true
+  notify: restart wireguard
+
+# Wireguard on Alpine doesn't ship a native OpenRC service
+- name: Download wireguard service
+  get_url:
+    url: https://gitweb.gentoo.org/repo/gentoo.git/plain/net-vpn/wireguard-tools/files/wg-quick.init
+    dest: /etc/init.d/wg-quick.wg0
+    mode: "0755"
+    backup: yes
+  become: true
+
+- name: Enable wireguard
+  service:
+    name: wg-quick.wg0
+    enabled: true
+  become: true
+
+- name: Enable p2p communication
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"
+    sysctl_set: yes
+    state: present
+    reload: yes
+    sysctl_file: /etc/sysctl.d/99-sysctl.conf
+  become: true