feat(wireguard): add role (#32)

* feat(wireguard): add role
* fix(docker_compose): show project name in debug messages
* chore(deps): update dependencies

.github/file-filters.yml

@@ -30,3 +30,7 @@ roles/docker:
 roles/docker_compose:
   - *shared
   - roles/docker_compose/**
+
+roles/wireguard:
+  - *shared
+  - roles/wireguard/**

.pre-commit-config.yaml

@@ -25,12 +25,12 @@ repos:
       - id: prettier
 
   - repo: https://github.com/crate-ci/typos
-    rev: v1.21.0
+    rev: v1.22.8
     hooks:
       - id: typos
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.28.4
+    rev: 0.28.5
     hooks:
       - id: check-github-workflows
       - id: check-renovate
@@ -46,12 +46,12 @@ repos:
       - id: checkmake
 
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.18.3
+    rev: v8.18.4
     hooks:
       - id: gitleaks
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.4.7
+    rev: v0.4.10
     hooks:
       - id: ruff-format
       - id: ruff
@@ -74,7 +74,7 @@ repos:
       - id: j2lint
 
   - repo: https://github.com/ansible/ansible-lint
-    rev: v24.5.0
+    rev: v24.6.1
     hooks:
       - id: ansible-lint
         args: [--fix]

Makefile

@@ -12,6 +12,7 @@ lock:
 
 update:
 	poetry up --latest
+	poetry run galaxy-update requirements.yml
 
 checks: pc lint-py
 

plugins/modules/hello_world.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/python3
 """A simple Ansible module that returns the message it was given."""
 
 from ansible.module_utils.basic import AnsibleModule

plugins/modules/linger.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/python3
 """An Ansible module to enable/disable linger for a user."""
 
 import subprocess

pyproject.toml

@@ -6,10 +6,13 @@ authors = ["DeadNews <[email protected]>"]
 
 [tool.poetry.dependencies]
 python = "^3.10"
-ansible-core = "^2.16.5"
+ansible-core = "^2.17.1"
+
+[tool.poetry.group.dev.dependencies]
+galaxy-update = "^0.0.1a0"
 
 [tool.poetry.group.lint.dependencies]
-ansible-lint = { version = "^24.6.0", markers = "platform_system != 'Windows'" }
+ansible-lint = { version = "^24.6.1", markers = "platform_system != 'Windows'" }
 mypy = "^1.10.0"
 poethepoet = "^0.26.1"
 ruff = "^0.4.9"

requirements.yml

@@ -1,7 +1,8 @@
 ---
 collections:
   - name: community.general
-    version: 9.0.1
-
+    version: 9.1.0
   - name: community.docker
-    version: 3.10.3
+    version: 3.10.4
+  - name: ansible.posix
+    version: 1.5.4

roles/docker_compose/README.md

@@ -5,7 +5,18 @@
 ## Role Variables
 
 - [meta/argument_specs.yml](./meta/argument_specs.yml)
+- [vars/main.yml](./vars/main.yml)
 
 ## Example Playbook
 
 - [molecule/docker_compose/converge.yml](./molecule/docker_compose/converge.yml)
+
+```yaml
+- hosts: servers
+  roles:
+    - role: deadnews.util.docker_compose
+      docker_compose_project: docker-app
+      docker_compose_target_dir: ~/docker-compose
+      docker_compose_files:
+        - src: files/docker-compose.yml
+```

roles/docker_compose/tasks/deploy.yml

@@ -77,7 +77,7 @@
     state: present
   register: compose_up
 
-- name: Show results for docker compose up
+- name: Show results for docker compose up ー {{ docker_compose_project }}
   ansible.builtin.debug:
     var: compose_up.stderr
 
@@ -117,7 +117,7 @@
       register: containers_exec
       loop: "{{ docker_compose_containers_exec }}"
 
-    - name: Show exec results
+    - name: Show exec results ー {{ docker_compose_project }}
       ansible.builtin.debug:
         msg:
           rc: "{{ item.rc }}"
@@ -139,7 +139,7 @@
       register: containers_logs
       loop: "{{ docker_compose_containers_logs }}"
 
-    - name: Show Docker containers logs
+    - name: Show Docker containers logs ー {{ docker_compose_project }}
       ansible.builtin.debug:
         msg:
           stderr: "{{ item.stderr }}"
@@ -153,7 +153,7 @@
     - docker_compose_containers_check is defined
     - docker_compose_containers_check
   block:
-    - name: Ensure that Docker container is running
+    - name: Ensure that Docker container is running ー {{ docker_compose_project }}
       ansible.builtin.command:
         cmd: docker inspect -f {%raw%}'{{.State.Running}}'{%endraw%} {{ item }}
       changed_when: false
@@ -163,7 +163,7 @@
       until: running_verify.stdout == 'true'
       loop: "{{ docker_compose_containers_check }}"
 
-    - name: Ensure that Docker container is healthy
+    - name: Ensure that Docker container is healthy ー {{ docker_compose_project }}
       ansible.builtin.command:
         cmd: docker inspect -f {%raw%}'{{if .State.Health}}{{.State.Health.Status}}{{else}}no health check{{end}}'{%endraw%} {{ item }}
       changed_when: false
@@ -175,7 +175,7 @@
         healthy_verify.stdout == 'no health check'
       loop: "{{ docker_compose_containers_check }}"
 
-    - name: Show container health status
+    - name: Show container health status ー {{ docker_compose_project }}
       ansible.builtin.debug:
         msg: "{{ item.stdout }}"
       loop: "{{ healthy_verify.results }}"

roles/wireguard/README.md

@@ -0,0 +1,20 @@
+# deadnews.util.wireguard
+
+> Setup Wireguard
+
+## Role Variables
+
+- [meta/argument_specs.yml](./meta/argument_specs.yml)
+- [vars/main.yml](./vars/main.yml)
+
+## Example Playbook
+
+- [molecule/wireguard/converge.yml](./molecule/wireguard/converge.yml)
+
+```yaml
+- hosts: servers
+  roles:
+    - role: deadnews.util.wireguard
+      wireguard_interface: wg0
+      wireguard_template: templates/wg0.conf.j2
+```

roles/wireguard/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: (Handler) Restart Wireguard service
+  ansible.builtin.systemd:
+    name: wg-quick@{{ wireguard_interface }}.service
+    state: restarted

roles/wireguard/meta/argument_specs.yml

@@ -0,0 +1,20 @@
+---
+argument_specs:
+  main:
+    short_description: The main entry point for the wireguard role.
+    options:
+      wireguard_interface:
+        description: The Wireguard interface name.
+        type: str
+
+      wireguard_template:
+        description: The Wireguard configuration template.
+        type: str
+
+      wireguard_ip_forward:
+        description: Enable and persist ip forwarding.
+        type: bool
+
+      wireguard_debug:
+        description: Display debug information after deployment.
+        type: bool

roles/wireguard/meta/main.yml

@@ -0,0 +1,6 @@
+---
+galaxy_info:
+  author: DeadNews
+  description: Setup Wireguard
+  license: MIT
+  min_ansible_version: 2.16.0

roles/wireguard/molecule/wireguard/converge.yml

@@ -0,0 +1,35 @@
+---
+- name: Converge
+  hosts: all
+  become: true
+  vars:
+    wireguard_host: 127.0.0.1
+    wireguard_privatekey_host: IKJPGZNOcrbIh1QU8yJ6oaXsSyUoQp8QUhm1uvfp5Vo= # gitleaks:allow
+    wireguard_privatekey_peer: EKgPYhHgk1kqIkR+kFCvU8+N+yiLwqDkjcl0cy1vs2Y= # gitleaks:allow
+    wireguard_publickey_host: 7I3L6nZ0P3K6TmWzJUe3xQjk/gTyoNaCwe1oDHpfGGI= # gitleaks:allow
+    wireguard_publickey_peer: iEuV0dLE9OYfZzoKYrHZBK6Hzr/8dn1aovDuUrt9/g8= # gitleaks:allow
+
+  tasks:
+    - name: Install iptables
+      ansible.builtin.apt:
+        name: iptables
+        state: present
+        cache_valid_time: 7200 # 2h
+
+    - name: Setup Wireguard server
+      ansible.builtin.include_role:
+        name: deadnews.util.wireguard
+      vars:
+        wireguard_interface: wg0
+        wireguard_template: templates/wg0.conf.j2
+        wireguard_ip_forward: true
+        wireguard_debug: true
+
+    - name: Setup Wireguard client
+      ansible.builtin.include_role:
+        name: deadnews.util.wireguard
+      vars:
+        wireguard_interface: wg1
+        wireguard_template: templates/wg1.conf.j2
+        wireguard_ip_forward: false
+        wireguard_debug: true

roles/wireguard/molecule/wireguard/molecule.yml

@@ -0,0 +1,22 @@
+---
+driver:
+  name: docker
+
+platforms:
+  - name: ${MOLECULE_DISTRO:-debian12}
+    image: geerlingguy/docker-${MOLECULE_DISTRO:-debian12}-ansible:latest
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_VERBOSITY: 0
+    ANSIBLE_STDOUT_CALLBACK: community.general.yaml
+  playbooks:
+    converge: ${MOLECULE_PLAYBOOK:-converge.yml}
+    prepare: ../../../../molecule/playbooks/prepare-systemd.yml

roles/wireguard/molecule/wireguard/templates/wg0.conf.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+[Interface]
+Address = 10.0.0.1/24
+ListenPort = 51820
+PostDown = iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
+PostUp   = iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
+PrivateKey = {{ wireguard_privatekey_host }}
+
+[Peer]
+AllowedIPs = 10.0.0.2/24
+PublicKey = {{ wireguard_publickey_peer }}

roles/wireguard/molecule/wireguard/templates/wg1.conf.j2

@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+
+[Interface]
+{# Unique IP for the peer #}
+Address = 10.0.0.2/24
+{# Unique identifier for the peer, should be added to the server's configuration #}
+PrivateKey = {{ wireguard_privatekey_peer }}
+
+[Peer]
+{# Route all traffic through the VPN, except 10.0.0.0/8 #}
+AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1
+Endpoint = {{ wireguard_host }}:51820
+PublicKey = {{ wireguard_publickey_host }}

roles/wireguard/tasks/debug.yml

@@ -0,0 +1,42 @@
+---
+# Display debug information
+
+- name: Get Wireguard status — {{ wireguard_interface }}
+  ansible.builtin.command:
+    cmd: systemctl status wg-quick@{{ wireguard_interface }}.service
+  changed_when: false
+  register: wireguard_status
+
+- name: Show Wireguard status — {{ wireguard_interface }}
+  ansible.builtin.debug:
+    var: wireguard_status.stdout
+
+- name: Get IP address and interface details
+  ansible.builtin.command:
+    cmd: ip a
+  changed_when: false
+  register: addr_output
+
+- name: Display output of IP address and interface details
+  ansible.builtin.debug:
+    var: addr_output.stdout
+
+- name: Get IP routing table
+  ansible.builtin.command:
+    cmd: ip route
+  changed_when: false
+  register: route_output
+
+- name: Display output of IP routing table
+  ansible.builtin.debug:
+    var: route_output.stdout
+
+- name: Get Wireguard interface details
+  ansible.builtin.command:
+    cmd: wg show
+  changed_when: false
+  register: wg_output
+
+- name: Display output of Wireguard interface details
+  ansible.builtin.debug:
+    var: wg_output.stdout