ADD: WireGuard - an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

README.md

@@ -94,6 +94,7 @@ If you have a spare domain name you can configure applications to be accessible
 * [Virtual Desktop](https://github.com/RattyDAVE/docker-ubuntu-xrdp-mate-custom) - A virtual desktop running on your NAS.
 * [Wallabag](https://wallabag.org/) - Save and classify articles. Read them later.
 * [Watchtower](https://github.com/v2tec/watchtower) - Monitor your Docker containers and update them if a new version is available
+* [WireGuard](https://www.wireguard.com/) - an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
 * [YouTubeDL-Material](https://github.com/Tzahi12345/YoutubeDL-Material) - Self-hosted YouTube downloader built on Material Design
 * [ZNC](https://wiki.znc.in/ZNC) - IRC bouncer to stay connected to favourite IRC networks and channels
 

docs/applications/wireguard.md

@@ -0,0 +1,15 @@
+# WireGuard
+
+Homepage: <https://www.wireguard.com/>
+
+WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
+
+## Usage
+
+Set `wireguard_enabled: true` and `wireguard_available_externally: true` in your `inventories/<your_inventory>/group_vars/nas.yml` file.
+
+The WireGuard's admin web interface can be found at <http://ansible_nas_host_or_ip:51821>. The default password is `topsecret`.
+
+## Specific Configuration
+
+You will need to configure your router for port forwarding of UDP port 51820 to your Ansible NAS server. 

docs/configuration/application_ports.md

@@ -100,5 +100,7 @@ By default, applications can be found on the ports listed below.
 | uTorrent         | 6881    | Bridge  | BT             |
 | uTorrent         | 6881    | Bridge  | UDP            |
 | Wallabag         | 7780    | Bridge  | HTTP           |
+| WireGuard        | 51820   | Bridge  | UDP            |
+| WireGuard admin  | 51821   | Bridge  | HTTP           |
 | YouTubeDL-Mater  | 8998    | Bridge  | HTTP           |
 | ZNC              | 6677    | Bridge  |                |

nas.yml

@@ -375,6 +375,11 @@
         - watchtower
       when: (watchtower_enabled | default(False))
 
+    - role: wireguard
+      tags:
+        - wireguard
+      when: (wireguard_enabled | default(False))
+
     - role: znc
       tags:
         - znc

roles/wireguard/defaults/main.yml

@@ -0,0 +1,31 @@
+---
+# enable or disable the application
+wireguard_enabled: false
+wireguard_available_externally: false
+
+# directories
+wireguard_data_directory: "{{ docker_home }}/wireguard"
+
+# environment
+wireguard_environment_variables:
+  PASSWORD: "topsecret"
+  WG_HOST: "{{ wireguard_hostname }}.{{ ansible_nas_domain }}"
+  WG_PORT: "{{ wireguard_port }}"
+  WG_MTU: "1420"
+  WG_PERSISTENT_KEEPALIVE: "0"
+  WG_DEFAULT_ADDRESS: "10.23.23.x"
+  WG_DEFAULT_DNS: "{{ ansible_nas_dns }}"
+  WG_ALLOWED_IPS: "0.0.0.0/0, ::/0"
+  WG_PRE_UP: ""
+  WG_POST_UP: ""
+  WG_PRE_DOWN: ""
+  WG_POST_DOWN: ""
+  TZ: "{{ ansible_nas_timezone }}"
+
+# network
+wireguard_port: "51820"
+wireguard_port_http: "51821"
+wireguard_hostname: "wireguard"
+
+# specs
+wireguard_memory: "512m"

roles/wireguard/tasks/main.yml

@@ -0,0 +1,34 @@
+---
+- name: Create WireGuard Directory
+  file:
+    path: "{{ item }}"
+    state: directory
+  with_items:
+    - "{{ wireguard_data_directory }}"
+
+- name: Create WireGuard Docker Container
+  docker_container:
+    name: wireguard
+    image: weejewel/wg-easy:latest
+    pull: true
+    env: "{{ wireguard_environment_variables }}"
+    volumes:
+      - "{{ wireguard_data_directory }}:/etc/wireguard"
+    ports:
+      - "{{ wireguard_port }}: 51820/udp"
+      - "{{ wireguard_port_http }}: 51821"
+    capabilities:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      net.ipv4.conf.all.src_valid_mark=1
+      net.ipv4.ip_forward=1
+    restart_policy: unless-stopped
+    memory: "{{ wireguard_memory }}"
+    labels:
+      traefik.enable: "{{ wireguard_available_externally | string }}"
+      traefik.http.routers.wireguard.rule: "Host(`{{ wireguard_hostname }}.{{ ansible_nas_domain }}`)"
+      traefik.http.routers.wireguard.tls.certresolver: "letsencrypt"
+      traefik.http.routers.wireguard.tls.domains[0].main: "{{ ansible_nas_domain }}"
+      traefik.http.routers.wireguard.tls.domains[0].sans: "*.{{ ansible_nas_domain }}"
+      traefik.http.services.wireguard.loadbalancer.server.port: "51821"