--- - name: Install wireguard packages community.general.pacman: name: - wireguard-tools # for encoding .conf as a qr code - qrencode notify: - Start wireguard - name: Enable IP forwarding sysctl: name: net.ipv4.ip_forward value: 1 state: present reload: yes when: '"bastion" in group_names' - name: Prevent UFW from removing IP forwarding lineinfile: path: /etc/ufw/sysctl.conf regexp: "^net/ipv4/ip_forward=" line: "net/ipv4/ip_forward=1" when: '"bastion" in group_names' - name: Setup UFW rules to accept VPN traffic community.general.ufw: rule: allow direction: in src: "{{ wireguard.ip.cidr }}" dest: any when: '"bastion" in group_names' - name: Deploy wireguard server config template: src: server.conf.j2 dest: "/etc/wireguard/{{ wireguard_interface }}.conf" owner: root group: root mode: 0600 lstrip_blocks: true no_log: true notify: - Start wireguard - name: Create wireguard client config output folder file: path: "{{ wireguard.client_folder }}" owner: root group: root mode: 0700 state: directory when: '"bastion" in group_names' - name: Create wireguard client configs template: src: client.conf.j2 dest: "{{ wireguard.client_folder }}/wg-{{ item.name }}.conf" owner: root group: root mode: 0600 lstrip_blocks: true no_log: true with_items: "{{ wireguard_secret.clients }}" notify: - Start wireguard when: '"bastion" in group_names'