meta: bump collection version to 0.4.1

config

README.md

@@ -5,6 +5,8 @@
 This ansible collection provides various roles for installing
 and configuring basic system utilities like gnupg, ssh etc
 
+- [`caddy`](roles/caddy/README.md): configures and runs caddy
+
 - [`git`](roles/git/README.md): configures git on the target system
 
 - [`gnupg`](roles/gnupg/README.md): configures gnupg on the target system

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: finallycoffee
 name: base
-version: 0.3.0
+version: 0.4.1
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
@@ -8,8 +8,9 @@ description: >-2
   Roles for base services which are core functionality like managing packages
   and ssh or common dependencies other services like databases
 dependencies:
-  "community.docker": "^4.2.0"
+  "community.docker": "^4.7.0"
-  "community.general": "^10.0.0"
+  "community.general": "^11.1.2"
+  "containers.podman": "^1.17.0"
 license_file: LICENSE.md
 build_ignore:
 - '*.tar.gz'
@@ -23,6 +24,7 @@ tags:
   - lego
   - minio
   - nginx
+  - caddy
   - restic
   - user_management
   - openldap

playbooks/caddy.yml

@@ -0,0 +1,7 @@
+---
+- name: Install and configure caddy
+  hosts: "{{ caddy_hosts | default('caddy') }}"
+  become: "{{ caddy_become | default(false) }}"
+  gather_facts: "{{ caddy_gather_facts | default(false) }}"
+  roles:
+    - role: finallycoffee.base.caddy

playbooks/caddy_reverse_proxy.yml

@@ -0,0 +1,31 @@
+---
+- name: Ensure reverse proxy configuration is created
+  hosts: "{{ target_hosts }}"
+  become: "{{ target_become | default(false) }}"
+  gather_facts: "{{ target_gather_facts | default(false) }}"
+  roles:
+    - role: finallycoffee.base.caddy_site
+  vars:
+    caddy_site_cert_basepath: >-2
+      {{ caddy_site_tls_store | default('/tls') }}/{{ caddy_site_name }}/certificates/{{ caddy_site_name }}
+    caddy_site_config: >-2
+      {{ caddy_site_config_override | default(caddy_site_default_config, true) }}
+    caddy_site_default_config: |+2
+      https://{{ caddy_site_name }} {
+          tls {{ caddy_site_cert_basepath}}.crt {{ caddy_site_cert_basepath }}.key
+          header {
+              Strict-Transport-Security "max-age=31536000"
+          }
+          encode zstd gzip
+          {% if caddy_reverse_proxy_template_block  | default(true) -%}
+          reverse_proxy {{ caddy_reverse_proxy_backend_addr }} {
+            {{ caddy_reverse_proxy_extra_config | default('') | indent(6) }}
+            {%- if caddy_reverse_proxy_import_proxyheaders | default(true, true) %}
+            import proxyheaders
+            {%- endif +%}
+          }
+          {%- else -%}
+          {{- caddy_reverse_proxy_block | default('') | indent(4) }}
+          {%- endif +%}
+      }
+

playbooks/docker_shorewall.yml

@@ -0,0 +1,54 @@
+---
+- name: Configure shorewall for docker egress
+  hosts: "{{ docker_shorewall_hosts | default('docker:&shorewall') }}"
+  become: "{{ docker_shorewall_become | default(true, true) }}"
+  tasks:
+    - name: Add docker interface
+      ansible.builtin.lineinfile:
+        path: /etc/shorewall/interfaces
+        regex: "^dock"
+        line: |
+          dock	docker0		bridge
+    - name: Add docker routing policy
+      ansible.builtin.blockinfile:
+        path: /etc/shorewall/policy
+        insertbefore: "^# THE FOLLOWING POLICY MUST BE LAST"
+        content: |
+          # Docker specific configuration
+          dock		all		ACCEPT
+    - name: Add docker zone
+      ansible.builtin.lineinfile:
+        path: /etc/shorewall/zones
+        regex: "^dock"
+        line: |
+          dock	ipv4
+    - name: Add docker egress rules
+      ansible.builtin.blockinfile:
+        path: /etc/shorewall/rules
+        marker: "#{mark} ANSIBLE MANAGED BLOCK - DOCKER EGRESS"
+        content: |
+          #
+          # Docker egress configuration
+          #
+          ACCEPT		dock		all
+    - name: Add docker dns rules
+      ansible.builtin.blockinfile:
+        path: /etc/shorewall/rules
+        marker: "#{mark} ANSIBLE MANAGED BLOCK - DOCKER DNS"
+        content: |
+          #
+          # Docker dns configuration
+          #
+          DNS(ACCEPT)	dock		all
+    - name: Enable shorewall docker support
+      ansible.builtin.lineinfile:
+        path: /etc/shorewall/shorewall.conf
+        line: "DOCKER=Yes"
+        regex: "^DOCKER="
+    - name: Ensure shorewall reloaded
+      community.general.systemd_service:
+        service: "{{ item }}"
+        state: reloaded
+      loop:
+        - shorewall.service
+        - shorewall6.service

playbooks/lego_certificate.yml

@@ -10,7 +10,7 @@
       vars:
         _dns_record:
           type: "CNAME"
-          name: "_acme-challenge.{{ _domain }}"
+          name: "_acme-challenge.{{ _domain }}."
           content: "{{ target_tsig_key_name }}.{{ target_acme_zone }}."
       loop: "{{ target_domains }}"
       loop_control:

playbooks/ntp.yml

@@ -0,0 +1,7 @@
+---
+- name: Install and configure network time protocol daemon
+  hosts: "{{ ntp_hosts | default('ntp') }}"
+  become: "{{ ntp_become | default(false) }}"
+  gather_facts: "{{ ntp_gather_facts | default(false) }}"
+  roles:
+    - role: finallycoffee.base.ntp

playbooks/wg_quick.yml

@@ -0,0 +1,7 @@
+---
+- name: Configure wireguard interfaces with wg_quick
+  hosts: "{{ wg_quick_hosts | default('wg_quick') }}"
+  become: "{{ wg_quick_become | default(false) }}"
+  gather_facts: "{{ wg_quick_gather_facts | default(false) }}"
+  roles:
+    - role: finallycoffee.base.wg_quick

roles/caddy/README.md

@@ -0,0 +1,10 @@
+# `finallycoffee.base.caddy` ansible role
+
+Deploy a (pre-)configure [caddy v2](https://caddyserver.com) web
+server / proxy using ansible.
+
+## Configuration
+
+To change the default configuration of reading all files from
+`/etc/caddy/sites.d/` (see `caddy_dynamic_config_dir`), specify
+your desired configuration in `caddy_config`.

roles/caddy/defaults/main/config.yml

@@ -0,0 +1,23 @@
+---
+caddy_config: |+2
+  {
+        auto_https disable_redirects
+  }
+
+  (proxyheaders) {
+      header_up X-Forwarded-Ssl on
+      header_up Host {host}
+      header_up X-Real-IP {remote}
+      header_up X-Forwarded-For {remote}
+      # header_up X-Forwarded-Port {port}
+      header_up X-Forwarded-Proto {scheme}
+      header_up X-Url-Scheme {scheme}
+      header_up X-Forwarded-Host {host}
+  }
+  
+  # Import all configurations
+  import {{ caddy_dynamic_configs_dir }}/*/Caddyfile
+  
+  :80 {
+      redir /  https://{host}{uri} 301
+  }

roles/caddy/defaults/main/container.yml

@@ -0,0 +1,43 @@
+---
+caddy_container_image_registry: "docker.io"
+caddy_container_image_namespace: "library"
+caddy_container_image_repository: "caddy"
+caddy_container_image_name: >-2
+  {{ [
+    caddy_container_image_registry | default([], true),
+    caddy_container_image_namespace | default([], true),
+    caddy_container_image_repository
+  ] | flatten | join('/') }}
+
+caddy_container_image_tag: ~
+caddy_container_image: >-2
+  {{ [
+    caddy_container_image_name,
+    caddy_container_image_tag | default(caddy_version, true)
+  ] | join(':') }}
+caddy_container_image_source: "pull"
+caddy_container_image_force_source: >-2
+  {{ caddy_container_image_tag | ansible.builtin.type_debug != 'NoneType' }}
+caddy_container_image_state: "{{ caddy_state }}"
+
+caddy_container_name: "caddy"
+caddy_container_env: ~
+caddy_container_ports: ~
+caddy_container_user: ~
+caddy_container_labels: ~
+caddy_container_volumes: ~
+caddy_container_config_dir: "/etc/caddy"
+caddy_container_default_volumes:
+  - "{{ caddy_config_dir }}:{{ caddy_container_config_dir }}:ro"
+  - "{{ caddy_dynamic_configs_dir }}:{{ caddy_dynamic_configs_dir }}:ro"
+  - "{{ caddy_config_internal_dir }}:/config:rw"
+  - "{{ caddy_state_dir }}:/data:rw"
+caddy_container_all_volumes: >-2
+  {{ caddy_container_default_volumes | default([], true)
+  + caddy_container_volumes | default([], true) }}
+caddy_container_state: >-2
+  {{ (caddy_state == 'present') | ternary('started', 'absent') }}
+caddy_container_restart_policy: "on-failure"
+caddy_container_networks: ~
+caddy_container_network_mode: ~
+caddy_container_etc_hosts: ~

roles/caddy/defaults/main/main.yml

@@ -0,0 +1,11 @@
+---
+caddy_user: "caddy"
+caddy_version: "2.10.2"
+caddy_config_file: "/etc/caddy/Caddyfile"
+caddy_config_dir: "{{ caddy_config_file | ansible.builtin.dirname }}"
+caddy_config_internal_dir: "{{ caddy_config_dir }}/config"
+caddy_dynamic_configs_dir: "{{ caddy_config_dir }}/sites.d"
+caddy_state_dir: "/var/lib/caddy"
+
+caddy_state: "present"
+caddy_deployment_method: "docker"

roles/caddy/defaults/main/user.yml

@@ -0,0 +1,7 @@
+---
+caddy_user_state: "{{ caddy_state }}"
+caddy_user_system: true
+caddy_user_create_home: false
+
+caddy_run_uid: "{{ caddy_user_info.uid | default(caddy_user) }}"
+caddy_run_gid: "{{ caddy_user_info.group | default(caddy_user) }}"

roles/caddy/meta/main.yml

@@ -0,0 +1,13 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: caddy
+  description: Deploy caddy, a webserver
+  galaxy_tags:
+    - caddy
+    - zerossl
+    - http
+    - webserver
+    - docker
+    - podman

roles/caddy/tasks/deploy-docker.yml

@@ -0,0 +1,26 @@
+---
+- name: Ensure container image '{{ caddy_container_image }}' is {{ caddy_container_image_state }}
+  community.docker.docker_image:
+    name: "{{ caddy_container_image }}"
+    state: "{{ caddy_container_image_state }}"
+    source: "{{ caddy_container_image_source }}"
+    force_source: "{{ caddy_container_image_force_source }}"
+  register: caddy_container_image_info
+  until: caddy_container_image_info is success
+  retries: 10
+  delay: 3
+
+- name: Ensure container '{{ caddy_container_name }}' is {{ caddy_container_state }}
+  community.docker.docker_container:
+    name: "{{ caddy_container_name }}"
+    image: "{{ caddy_container_image }}"
+    state: "{{ caddy_container_state }}"
+    env: "{{ caddy_container_env | default(omit, true) }}"
+    user: "{{ caddy_container_user | default(omit, true) }}"
+    ports: "{{ caddy_container_ports | default(omit, true) }}"
+    labels: "{{ caddy_container_labels | default(omit, true) }}"
+    volumes: "{{ caddy_container_all_volumes }}"
+    networks: "{{ caddy_container_networks | default(omit, true) }}"
+    etc_hosts: "{{ caddy_container_etc_hosts | default(omit, true) }}"
+    network_mode: "{{ caddy_container_network_mode | default(omit, true) }}"
+    restart_policy: "{{ caddy_container_restart_policy }}"

roles/caddy/tasks/main.yml

@@ -0,0 +1,52 @@
+---
+- name: Ensure state '{{ caddy_state }}' is valid
+  ansible.builtin.fail:
+    msg: >-2
+      Unsupported caddy_state '{{ caddy_state }}'.
+      Supported states are {{ caddy_states | join(', ') }}.
+  when: caddy_state not in caddy_states
+
+- name: Ensure deployment method '{{ caddy_deployment_method }}' is valid
+  ansible.builtin.fail:
+    msg: >-2
+      Unsupported caddy_deployment_method '{{ caddy_deployment_method }}'.
+      Supported deployment methods are {{ caddy_deployment_methods | join(', ') }}.
+  when: caddy_deployment_method not in caddy_deployment_methods
+
+- name: Ensure caddy user '{{ caddy_user }}' is {{ caddy_user_state }}
+  ansible.builtin.user:
+    name: "{{ caddy_user }}"
+    state: "{{ caddy_user_state }}"
+    system: "{{ caddy_user_system }}"
+    create_home: "{{ caddy_user_create_home }}"
+  register: "caddy_user_info"
+
+- name: Ensure base directories are present
+  ansible.builtin.file:
+    path: "{{ dir.name }}"
+    state: "directory"
+    owner: "{{ dir.owner | default(caddy_run_uid) }}"
+    group: "{{ dir.group | default(caddy_run_uid) }}"
+    mode: "{{ dir.mode | default('0750') }}"
+  when: caddy_state == 'present'
+  loop:
+    - name: "{{ caddy_config_dir }}"
+    - name: "{{ caddy_dynamic_configs_dir }}"
+    - name: "{{ caddy_config_internal_dir }}"
+    - name: "{{ caddy_state_dir }}"
+  loop_control:
+    loop_var: "dir"
+    label: "{{ dir.name }}"
+
+- name: Ensure caddy configuration is up to date
+  ansible.builtin.copy:
+    dest: "{{ caddy_config_file }}"
+    content: "{{ caddy_config }}"
+    owner: "{{ caddy_run_uid }}"
+    group: "{{ caddy_run_gid }}"
+    mode: "0640"
+  when: caddy_state == 'present'
+
+- name: Ensure caddy is deployed using {{ caddy_deployment_method }}
+  ansible.builtin.include_tasks:
+    file: "deploy-{{ caddy_deployment_method }}.yml"

roles/caddy/vars/main.yml

@@ -0,0 +1,6 @@
+---
+caddy_states:
+  - "present"
+  - "absent"
+caddy_deployment_methods:
+  - "docker"

roles/caddy_site/README.md

@@ -0,0 +1,7 @@
+# `finallycoffee.base.caddy_site` ansible role
+
+Provision a single site configuration in caddy.
+
+Set `caddy_site_name` as a unique
+site identifier (needs to be a valid filename) and `caddy_site_config`
+to contain the actual `Caddyfile` contents.

roles/caddy_site/defaults/main.yml

@@ -0,0 +1,13 @@
+---
+caddy_site_name: ~
+caddy_site_config: ~
+caddy_site_state: "present"
+
+caddy_site_configs: "/etc/caddy/sites.d"
+caddy_site_config_dir: >-2
+  {{ caddy_site_configs }}/{{ caddy_site_name }}
+caddy_site_config_file: >-2
+  {{ caddy_site_config_dir }}/Caddyfile
+
+caddy_site_owner: "caddy"
+caddy_site_group: "caddy"

roles/caddy_site/meta/main.yml

@@ -0,0 +1,11 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: caddy_site
+  description: Deploy a sites' configuration in caddy
+  galaxy_tags:
+    - caddy
+    - zerossl
+    - http
+    - webserver

roles/caddy_site/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+- name: Fail if required variables are not populated
+  ansible.builtin.fail:
+    msg: "Either `caddy_site_name` or `caddy_site_config` is not provided"
+  when: >-2
+    (caddy_site_name | ansible.builtin.type_debug == 'NoneType')
+    or
+    (caddy_site_config | ansible.builtin.type_debug == 'NoneType')
+
+- name: Ensure directory for caddy site config '{{ caddy_site_name }}' is {{ caddy_site_state }}
+  ansible.builtin.file:
+    path: "{{ caddy_site_config_dir }}"
+    state: >-2
+      {{ (caddy_site_state == 'present') | ternary('directory', 'absent') }}
+    owner: "{{ caddy_site_owner }}"
+    group: "{{ caddy_site_group }}"
+    mode: "0750"
+
+- name: Ensure caddy site configuration is templated
+  ansible.builtin.copy:
+    dest: "{{ caddy_site_config_file }}"
+    content: "{{ caddy_site_config }}"
+    owner: "{{ caddy_site_owner }}"
+    group: "{{ caddy_site_group }}"
+    mode: "0640"
+  when: caddy_site_state == 'present'

roles/lego/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 lego_user: "lego"
-lego_version: "4.25.1"
+lego_version: "4.31.0"
 lego_instance: default
 lego_base_path: "/opt/lego"
 lego_cert_user: "acme-{{ lego_instance }}"

roles/minio/defaults/main/container.yml

@@ -1,7 +1,7 @@
 ---
 minio_container_name: minio
 minio_container_image_name: "docker.io/minio/minio"
-minio_container_image_tag: "RELEASE.2025-07-18T21-56-31Z"
+minio_container_image_tag: "RELEASE.2025-10-15T17-29-55Z"
 minio_container_image: "{{ minio_container_image_name }}:{{ minio_container_image_tag }}"
 minio_container_networks: []
 minio_container_ports: []

roles/nginx/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-nginx_version: "1.29.0"
+nginx_version: "1.29.4"
 nginx_flavour: alpine
 nginx_base_path: /opt/nginx
 nginx_config_file: "{{ nginx_base_path }}/nginx.conf"

roles/ntp/README.md

@@ -0,0 +1,4 @@
+# `finallycoffee.base.ntp`
+
+Install `ntp`, configure a timezone by sym-linking `/etc/localtime`
+and enable the systemd service.

roles/ntp/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+ntp_state: present
+ntp_package_name: "ntp"
+
+ntp_timezone: "Europe/Paris"
+
+ntp_systemd_service_name: "ntpd.service"
+ntp_systemd_service_state: >-2
+  {{ (ntp_state == 'present') | ternary('started', 'stopped') }}
+ntp_systemd_service_enabled: >-2
+  {{ (ntp_state == 'present') }}
+
+ntp_etc_localtime_file: "/etc/localtime"
+ntp_usr_share_zoneinfo_path: "/usr/share/zoneinfo"

roles/ntp/meta/main.yml

@@ -0,0 +1,8 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: ntp
+  description: Install network time protocol daemon
+  galaxy_tags:
+    - ntp

roles/ntp/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+- name: Check if 'ntp_state' is valid
+  ansible.builtin.fail:
+    msg: >-2
+      Invalid state '{{ ntp_state }}'! Valid
+      states are {{ ntp_states | join(', ') }}.
+  when: ntp_state not in ntp_states
+
+- name: Ensure system package is {{ ntp_state }}
+  ansible.builtin.package:
+    name: "{{ ntp_package_name }}"
+    state: "{{ ntp_state }}"
+
+- name: Ensure /etc/localtime is symlinked
+  ansible.builtin.file:
+    src: "{{ ntp_usr_share_zoneinfo_path }}/{{ ntp_timezone }}"
+    dest: "{{ ntp_etc_localtime_file }}"
+    state: "{{ (ntp_state == 'present') | ternary('link', 'absent') }}"
+
+- name: Ensure ntp systemd service is configured
+  ansible.builtin.systemd:
+    name: "{{ ntp_systemd_service_name }}"
+    enabled: "{{ ntp_systemd_service_enabled }}"
+
+- name: Ensure ntp systemd service is {{ ntp_systemd_service_state }}
+  ansible.builtin.systemd:
+    name: "{{ ntp_systemd_service_name }}"
+    state: "{{ ntp_systemd_service_state }}"

roles/ntp/vars/main.yml

@@ -0,0 +1,4 @@
+---
+ntp_states:
+  - "present"
+  - "absent"

roles/powerdns_tsig_key/tasks/main.yml

@@ -41,7 +41,7 @@
       community.docker.docker_container_exec:
         container: "{{ powerdns_tsig_key_container_name }}"
         command: "pdnsutil list-tsig-keys"
-      delegate_to: "{{ powerdns_tsig_key_hostname }}"
+      delegate_to: "{{ powerdns_tsig_key_hostname | default(inventory_hostname) }}"
       register: powerdns_tsig_key_powerdns_info
       changed_when: false
       check_mode: false
@@ -54,7 +54,7 @@
       when: >-
         (powerdns_tsig_key_name ~ '. ' ~ powerdns_tsig_key_algo ~ '. ')
         not in powerdns_tsig_key_powerdns_info.stdout
-      delegate_to: "{{ powerdns_tsig_key_hostname }}"
+      delegate_to: "{{ powerdns_tsig_key_hostname | default(inventory_hostname) }}"
       register: powerdns_tsig_key_powerdns_generated_tsig_key
       throttle: 1
       become: true
@@ -67,7 +67,7 @@
       when: >-
         (powerdns_tsig_key_name ~ '. ' ~ powerdns_tsig_key_algo ~ '. ')
         not in powerdns_tsig_key_powerdns_info.stdout
-      delegate_to: "{{ powerdns_tsig_key_hostname }}"
+      delegate_to: "{{ powerdns_tsig_key_hostname | default(inventory_hostname) }}"
       throttle: 1
       become: true
 

roles/restic/templates/restic.timer.j2

@@ -4,6 +4,9 @@ Description=Run {{ restic_timer_description | default(restic_job_name) }}
 [Timer]
 OnCalendar={{ restic_policy.frequency }}
 Unit={{ restic_systemd_unit_naming_scheme }}.service
+{% if restic_systemd_timer_randomized_delay_sec %}
+RandomizedDelaySec={{ restic_systemd_timer_randomized_delay_sec }}
+{% endif %}
 
 [Install]
 WantedBy=timers.target

roles/wg_quick/README.md

@@ -0,0 +1,5 @@
+# `finallycoffee.base.wg_quick` ansible role
+
+Configure a wireguard interface using `wg_quick`. This role writes
+the configuration files and activates the interface using the systemd
+template service abstractions.

roles/wg_quick/defaults/main/connection.yml

@@ -0,0 +1,20 @@
+---
+wg_quick_interface_name: ~
+wg_quick_interface_address: ~
+wg_quick_interface_listen_port: ~
+wg_quick_interface_private_key: ~
+wg_quick_interface_private_key_file: ~
+wg_quick_interface_peer_endpoint: ~
+wg_quick_interface_peer_public_key: ~
+wg_quick_interface_peer_allowed_ips: ~
+
+wg_quick_interfaces:
+  - name: "{{ wg_quck_interface_name }}"
+    address: "{{ wg_quick_interface_address }}"
+    listen_port: "{{ wg_quick_interface_listen_port }}"
+    private_key: "{{ wg_quick_interface_private_key }}"
+    private_key_file: "{{ wg_quick_interface_private_key_file }}"
+    peers:
+      - endpoint: "{{ wg_quick_interface_peer_endpoint }}"
+        public_key: "{{ wg_quick_interface_peer_public_key }}"
+        allowed_ips: "{{ wg_quick_interface_peer_allowed_ips }}"

roles/wg_quick/defaults/main/main.yml

@@ -0,0 +1,7 @@
+---
+wg_quick_state: "present"
+wg_quick_package_name: "wireguard-tools"
+wg_quick_system_packages:
+  - "{{ wg_quick_package_name }}"
+
+wg_quick_configuration_dir: "/etc/wireguard"

roles/wg_quick/tasks/configure-interface.yml

@@ -0,0 +1,25 @@
+---
+- name: Ensure wg-quick configuration for interface '{{ wg_quick_iface.name }}' is up to date
+  ansible.builtin.template:
+    src: "wg-quick.conf.j2"
+    dest: "{{ wg_quick_configuration_dir }}/{{ wg_quick_iface.name }}.conf"
+  when: wg_quick_iface.state | default(wg_quick_state) == 'present'
+
+- name: Ensure systemd service is enabled
+  ansible.builtin.systemd_service:
+    name: "wg-quick@{{ wg_quick_iface.name }}.service"
+    enabled: true
+  when: wg_quick_iface.state | default(wg_quick_state) == 'present'
+
+- name: Ensure systemd service is {{ wg_quick_iface.state | default(wg_quick_state) }}
+  ansible.builtin.systemd_service:
+    name: "wg-quick@{{ wg_quick_iface.name }}.service"
+    state: >-2
+      {{ (wg_quick_iface.state | default(wg_quick_state) == 'present')
+        | ternary('started', 'absent') }}
+
+- name: Ensure wg-quick configuration for interface '{{ wg_quick_iface.name }}' is absent
+  ansible.builtin.file:
+    path: "{{ wg_quick_configuration_dir }}/{{ wg_quick_face.name }}.conf"
+    state: "absent"
+  when: wg_quick_iface.state | default(wg_quick_state) == 'absent'

roles/wg_quick/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Ensure wg_quick_state is valid
+  ansible.builtin.fail:
+    msg: >-2
+      Invalid state '{{ wg_quick_state }}'. Valid
+      states are {{ wg_quick_states | join(', ') }}.
+  when: wg_quick_state not in wg_quick_states
+
+- name: Ensure system packages are available
+  ansible.builtin.package:
+    name: "{{ wg_quick_system_packages }}"
+    state: "present"
+  when: wg_quick_state == 'present'
+
+- name: Ensure configuration folder is present
+  ansible.builtin.file:
+    name: "{{ wg_quick_configuration_dir }}"
+    state: "directory"
+  when: wg_quick_state == 'present'
+
+- name: Ensure connections are in the configured state
+  ansible.builtin.include_tasks:
+    file: "configure-interface.yml"
+  loop: "{{ wg_quick_interfaces }}"
+  loop_control:
+    loop_var: "wg_quick_iface"
+    label: "{{ wg_quick_iface.name }}"

roles/wg_quick/templates/wg-quick.conf.j2

@@ -0,0 +1,32 @@
+[Interface]
+Address = {{ wg_quick_iface.address | join(', ') }}
+ListenPort = {{ wg_quick_iface.listen_port }}
+
+{% if wg_quick_iface.private_key %}
+PrivateKey = {{ wg_quick_iface.private_key }}
+{% elif wg_quick_iface.private_key_file %}
+PrivateKeyFile = {{ wg_quick_iface.private_key_file }}
+{% endif %}
+{% if wg_quick_iface.table is defined %}
+Table = {{ wg_quick_iface.table | ternary('on', 'off') }}
+{% endif %}
+{% if wg_quick_iface.post_up %}
+PostUp = /bin/bash -c "{{ wg_quick_iface.post_up | join('; ') }}"
+{% endif %}
+{% if wg_quick_iface.pre_down %}
+PreDown = /bin/bash -c "{{ wg_quick_iface.pre_down | join('; ') }}"
+{% endif %}
+
+
+{% for _peer in wg_quick_iface.peers %}
+[Peer]
+Endpoint = {{ _peer.endpoint }}
+PublicKey = {{ _peer.public_key }}
+AllowedIPs = {{ _peer.allowed_ips | join(', ') }}
+{% if _peer.persistent_keepalive %}
+PersistentKeepalive = {{ _peer.persistent_keepalive }}
+{% endif %}
+{% if 'psk' in _peer %}
+PresharedKey = {{ _peer.psk }}
+{% endif %}
+{% endfor %}

roles/wg_quick/vars/main.yml

@@ -0,0 +1,4 @@
+---
+wg_quick_states:
+  - "present"
+  - "absent"