githubixx · githubixx · Nov 6, 2024 · Oct 14, 2024 · Oct 14, 2024 · Oct 14, 2024
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -133,3 +133,9 @@ wireguard_centos7_standard_reboot_timeout: "600"
 # The default of "standard" will install the kernel module
 # with kmod-wireguard from ELRepo.
 wireguard_rockylinux8_installation_method: "standard"
+
+#########################################
+# Settings for netplan
+#########################################
+# Set to "true" if you want to use netplan to configure WireGuard.
+wireguard_use_netplan: false
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -33,3 +33,23 @@
     - not ansible_os_family == 'Darwin'
     - wireguard_service_enabled == "yes"
   listen: "reconfigure wireguard"
+
+- name: Generating Netplan Configuration
+  ansible.builtin.command: netplan generate
+  listen: reconfigure netplan
+  notify: netplan apply config
+  become: true
+
+- name: Applying Netplan Configuration
+  ansible.builtin.command: netplan apply
+  listen: netplan apply config
+  notify: restart systemd-networkd
+  become: true
+
+- name: Restart systemd-networkd
+  ansible.builtin.systemd:
+    name: systemd-networkd
+    state: restarted
+  listen: restart systemd-networkd
+  become: true
+  when: wireguard_interface_restart
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -87,7 +87,7 @@
 
 - name: Register if config/private key already exists on target host
   ansible.builtin.stat:
-    path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
+    path: "{{ wireguard_use_netplan | ternary('/etc/netplan/70-wireguard.yaml', wireguard_remote_directory + '/' + wireguard_interface + '.conf') }}"
   register: wireguard__register_config_file
   tags:
     - wg-generate-keys
@@ -120,15 +120,19 @@
   block:
     - name: Read WireGuard config file
       ansible.builtin.slurp:
-        src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
+        src: "{{ wireguard_use_netplan | ternary('/etc/netplan/70-wireguard.yaml', wireguard_remote_directory + '/' + wireguard_interface + '.conf') }}"
       register: wireguard__register_config
       no_log: '{{ ansible_verbosity < 3 }}'
       tags:
         - wg-config
 
     - name: Set private key fact
       ansible.builtin.set_fact:
-        wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
+        wireguard_private_key: >-
+          {{ wireguard__register_config['content'] | b64decode |
+             regex_findall(wireguard_use_netplan |
+             ternary('key:\s*(.*)$', 'PrivateKey\s*=\s*(.*)$'), multiline=True) |
+             first }}
       no_log: '{{ ansible_verbosity < 3 }}'
       tags:
         - wg-config
@@ -157,6 +161,7 @@
     mode: 0700
   tags:
     - wg-config
+  when: not wireguard_use_netplan
 
 - name: Generate WireGuard configuration file
   ansible.builtin.template:
@@ -169,9 +174,25 @@
   no_log: '{{ ansible_verbosity < 3 }}'
   tags:
     - wg-config
+  when: not wireguard_use_netplan
   notify:
     - reconfigure wireguard
 
+- name: Generate WireGuard configuration file for netplan
+  ansible.builtin.template:
+    src: etc/netplan/wireguard.yaml.j2
+    dest: "/etc/netplan/70-wireguard.yaml"
+    owner: root
+    group: root
+    mode: "0600"
+    backup: "{{ wireguard_conf_backup }}"
+  no_log: '{{ ansible_verbosity < 3 }}'
+  tags:
+    - wg-config
+  when: wireguard_use_netplan
+  notify:
+    - reconfigure netplan
+
 - name: Ensure legacy reload-module-on-update is absent
   ansible.builtin.file:
     dest: "{{ wireguard_remote_directory }}/.reload-module-on-update"
@@ -184,4 +205,6 @@
     name: "wg-quick@{{ wireguard_interface }}"
     state: "{{ wireguard_service_state }}"
     enabled: "{{ wireguard_service_enabled }}"
-  when: not ansible_os_family == 'Darwin'
+  when:
+    - not ansible_os_family == 'Darwin'
+    - not wireguard_use_netplan
diff --git a/tasks/setup-ubuntu.yml b/tasks/setup-ubuntu.yml
@@ -2,6 +2,15 @@
 # Copyright (C) 2018-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+- name: Check if Netplan is supported
+  ansible.builtin.assert:
+    that:
+      - ansible_distribution == "Ubuntu"
+      - ansible_distribution_version is version('17.10', '>=')
+    fail_msg: "Netplan is only supported on Ubuntu 17.10 and later versions"
+    success_msg: "Netplan is supported on this system"
+  when: wireguard_use_netplan
+
 - name: (Ubuntu) Update APT package cache
   ansible.builtin.apt:
     update_cache: "{{ wireguard_ubuntu_update_cache }}"

diff --git a/templates/etc/netplan/wireguard.yaml.j2 b/templates/etc/netplan/wireguard.yaml.j2
@@ -0,0 +1,100 @@
+# {{ ansible_managed }}
+network:
+  version: 2
+  renderer: networkd
+  tunnels:
+    wg0:
+      mode: wireguard
+      # {{ inventory_hostname }}
+{% if wireguard_address is defined %}
+      addresses:
+        - {{ wireguard_address }}
+{% endif %}
+{% if wireguard_addresses is defined %}
+      addresses:
+{%   for wg_addr in wireguard_addresses %}
+        - {{ wg_addr }}
+{%   endfor %}
+{% endif %}
+      key: {{ wireguard_private_key }}
+      port: {{ wireguard_port }}
+{% if wireguard_mtu is defined %}
+      mtu: {{ wireguard_mtu }}
+{% endif %}
+{% if wireguard_fwmark is defined %}
+      mark: {{ wireguard_fwmark }}
+{% endif %}
+{% if wireguard_table is defined %}
+      routing-table: {{ wireguard_table }}
+{% endif %}
+      peers:
+{% for host in ansible_play_hosts %}
+{%   if host != inventory_hostname %}
+        - # Name = {{ host }}
+          keys:
+            public: {{ hostvars[host].wireguard__fact_public_key }}
+{%     if hostvars[host].wireguard_preshared_key is defined %}
+            shared: {{ hostvars[host].wireguard_preshared_key }}
+{%     endif %}
+{%     if hostvars[host].wireguard_allowed_ips is defined %}
+          allowed-ips:
+            - {{ hostvars[host].wireguard_allowed_ips }}
+{%     else %}
+{%       if wireguard_address is defined %}
+          allowed-ips:
+            - {{ hostvars[host].wireguard_address.split('/')[0] }}/32
+{%       endif %}
+{%       if wireguard_addresses is defined %}
+          allowed-ips:
+{%         for wg_addr in hostvars[host].wireguard_addresses %}
+{%           if (wg_addr | ansible.utils.ipv4) %}
+            - {{ wg_addr.split('/')[0] }}/32
+{%           elif (wg_addr | ansible.utils.ipv6) %}
+            - {{ wg_addr.split('/')[0] }}/128
+{%           endif %}
+{%         endfor %}
+{%       endif %}
+{%     endif %}
+{%     if hostvars[host].wireguard_persistent_keepalive is defined %}
+          keepalive: {{ hostvars[host].wireguard_persistent_keepalive }}
+{%     endif %}
+{%     if (hostvars[host].wireguard_dc is defined and wireguard_dc is defined and wireguard_dc['name'] != hostvars[host].wireguard_dc['name']) %}
+          endpoint: {{ hostvars[host].wireguard_dc['endpoint'] }}:{{ hostvars[host].wireguard_dc['port'] }}
+{%     elif hostvars[host].wireguard_port is defined %}
+{%       if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
+          endpoint: {{ hostvars[host].wireguard_endpoint }}:{{ hostvars[host].wireguard_port }}
+{%       else %}
+          endpoint: {{ host }}:{{ hostvars[host].wireguard_port }}
+{%       endif %}
+{%     elif hostvars[host].wireguard_endpoint is defined %}
+{%       if hostvars[host].wireguard_endpoint != "" %}
+          endpoint: {{ hostvars[host].wireguard_endpoint }}:{{ wireguard_port }}
+{%       else %}
+          # No endpoint defined for this peer
+{%       endif %}
+{%     else %}
+          endpoint: {{ host }}:{{ wireguard_port }}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{% if wireguard_unmanaged_peers is defined %}
+        # Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
+{%   for peer in wireguard_unmanaged_peers.keys() %}
+        - # Name = {{ peer }}
+          keys:
+            public: {{ wireguard_unmanaged_peers[peer].public_key }}
+{%     if wireguard_unmanaged_peers[peer].preshared_key is defined %}
+            shared: {{ wireguard_unmanaged_peers[peer].preshared_key }}
+{%     endif %}
+{%     if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
+          allowed-ips:
+            - {{ wireguard_unmanaged_peers[peer].allowed_ips }}
+{%     endif %}
+{%     if wireguard_unmanaged_peers[peer].endpoint is defined %}
+          endpoint: {{ wireguard_unmanaged_peers[peer].endpoint }}
+{%     endif %}
+{%     if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
+          keepalive: {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
+{%     endif %}
+{%   endfor %}
+{% endif %}