try usg stuff

ansible/group_vars/cloud_key.yml

@@ -0,0 +1,72 @@
+unifi_site: default
+unifi_gateway_config:
+  firewall:
+    name:
+      WAN_LOCAL:
+        rule:
+          20:
+            action: accept
+            description: WireGuard
+            destination:
+              port: "{{ wireguard.usg.wg0.listen_port }}"
+            protocol: udp
+    group:
+      network-group:
+        remote_user_vpn_network:
+          description: Remote User VPN subnets
+          network:
+            - 10.253.1.0/24
+      address-group:
+        RougeDns:
+          description: IoT
+          address: 10.0.0.210-10.0.0.230
+  service:
+    nat:
+      rule:
+        1:
+          description: Redirect DNS queries to pihole
+          destination:
+            address: "!10.0.0.31"
+            port: "53"
+          inbound-interface: eth1
+          inside-address:
+            address: "10.0.0.31"
+            port: "53"
+          log: enable
+          protocol: tcp_udp
+          type: destination
+          source:
+            group:
+              address-group: RougeDns
+        5002:
+          description: Translate reply back
+          destination:
+            address: 10.0.0.31
+            port: "53"
+          outbound-interface: eth0
+          protocol: tcp_udp
+          type: masquerade
+  interfaces:
+    wireguard:
+      wg0:
+        address: "{{ wireguard.usg.wg0.address }}"
+        firewall:
+          in:
+            name: LAN_IN
+          local:
+            name: LAN_LOCAL
+          out:
+            name: LAN_OUT
+        listen-port: "{{ wireguard.usg.wg0.listen_port }}"
+        mtu: "1500"
+        peer:
+          - key: "{{ wireguard.usg.wg0.peers.phone.public }}"
+            allowed-ips: "{{ wireguard.usg.wg0.peers.phone.allowed_ips }}"
+            persistent-keepalive: "{{ wireguard.usg.wg0.persistent_keepalive }}"
+            endpoint: "{{ wireguard.usg.wg0.endpoint }}:{{ wireguard.usg.wg0.listen_port }}"
+          - key: "{{ wireguard.usg.wg0.peers.travel.public }}"
+            allowed-ips: "{{ wireguard.usg.wg0.peers.travel.allowed_ips }}"
+            persistent-keepalive: "{{ wireguard.usg.wg0.persistent_keepalive }}"
+            endpoint: "{{ wireguard.usg.wg0.endpoint }}:{{ wireguard.usg.wg0.listen_port }}"
+        private-key: /config/auth/wireguard/wg.key
+        route-allowed-ips: "true"

ansible/roles/cloud_key/defaults/main.yml

@@ -0,0 +1,2 @@
+unifi_site: default
+unifi_gateway_config:

ansible/roles/cloud_key/tasks/main.yml

@@ -0,0 +1,17 @@
+- name: Ensure folder for site exists
+  ansible.builtin.file:
+    path: "/srv/unifi/data/sites/{{ unifi_site }}"
+    state: directory
+    mode: "0755"
+    owner: unifi
+    group: unifi
+
+- name: Place config.gateway.json
+  ansible.builtin.template:
+    src: config.gateway.json.j2
+    dest: "/srv/unifi/data/sites/{{ unifi_site }}/config.gateway.json"
+    owner: unifi
+    group: unifi
+    mode: "0644"
+    validate: python -m json.tool %s
+    backup: yes

ansible/roles/cloud_key/templates/config.gateway.json.j2

@@ -0,0 +1,11 @@
+{% set copy_=unifi_gateway_config -%}
+{% for inf in unifi_gateway_config.interfaces.wireguard %}
+    {%- set p=[] -%}
+    {% for peer in unifi_gateway_config.interfaces.wireguard[inf].peer %}
+        {%- set m=peer.key -%}
+        {%- set x=peer.pop("key") -%}
+        {%- set x=(p.append({m: peer})) -%}
+    {% endfor %}
+    {%- set x=(unifi_gateway_config.interfaces.wireguard[inf].__setitem__("peer", p)) -%}
+{% endfor %}
+{{- copy_ | to_json(indent=4) }}

ansible/roles/usg/defaults/main.yml

@@ -0,0 +1 @@
+unifi_wg_priv:

ansible/roles/usg/tasks/main.yml

@@ -0,0 +1,11 @@
+- name: Ensure folder for wireguard
+  ansible.builtin.file:
+    path: /config/auth/wireguard
+    state: directory
+    mode: "0755"
+
+- name: Place wg.key
+  ansible.builtin.copy:
+    content: "{{ unifi_wg_priv }}\n"
+    dest: /config/auth/wireguard/wg.key
+    mode: "0644"