diff --git a/README.md b/README.md
index 3edfbf7..d0e6e6c 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,83 @@
-# role_modele
+# role_wireguard
-Modèle
\ No newline at end of file
+Rôle de déploiement de wireguard.
+
+## Variables
+
+### wireguard_module_host
+
+Variable permettant de déployer le module (dkms) de wireguard sur l'hôte qui héberge le conteneur.
+
+*Valeur par défaut: aucune*
+
+### wireguard_interfaces
+
+Configuration des interfaces de wireguard (`/etc/wireguard/wgX.conf`).
+
+*Valeur par défaut: aucune*
+
+## Exemples
+
+Dans les exemples ci-dessous, j'utilise aussi le rôle *nftables* afin d'installer et configurer le pare-feu logiciel éponyme.
+
+### host_vars/infra-wgclient-2316.nyx.ykn.local.yml
+
+```yaml
+---
+
+# BEGIN role_ifupdown
+ifupdown_interfaces:
+ - interface: eth0
+ ipv4:
+ inet: static
+ address: 192.168.1.51
+ mask: 24
+ gateway: 192.168.1.254
+ dns: 192.168.1.254
+ ipv6:
+ inet: auto
+# END role_ifupdown
+
+# BEGIN role_nftables
+nftables_rules:
+ - filename: wireguard
+ rules:
+ - ip saddr 10.5.89.1 udp dport 51820 accept
+# END role_nftables
+
+# BEGIN role_wireguard
+wireguard_end_ip: "{{ (ifupdown_interfaces | first).ipv4.address | split('.') | last }}"
+wireguard_module_host: neree.gaia.ykn.local
+wireguard_interfaces:
+ - addresses:
+ - 192.168.100.{{ wireguard_end_ip }}/24
+ - fd00:a100::b{{ wireguard_end_ip }}/64
+ privkey: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31316231366435626664353933356139396430363366363633666434323135663366666435356462
+ 6431636238336163326330376437343639613137386265390a323433386134323538653330643062
+ 38353336323263313466623865393865306662396432363063383532653932346332306363346233
+ 3165383635326264630a313661386236633137376432653333623533393765333565376336623933
+ 6638
+ peers:
+ - name: hyperion.erebos.ykn.local
+ pubkey: gGd7wgu7Npe6rhEkG6qQ8SQ7KRVihAeBsyJ2qV+MslA=
+ endpoint: "[10.5.89.1]:1194"
+ allowed_ips:
+ - 0.0.0.0/0
+ - ::/0
+ persistent_keepalive: 25
+# END role_wireguard
+```
+
+### playbook.yml
+
+```yaml
+---
+
+- name: Déployer wireguard
+ hosts: infra-wgclient-2316.nyx.ykn.local
+ roles:
+ - name: nftables
+ - name: wireguard
+```
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..113425f
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,20 @@
+---
+# defaults file for wireguard
+
+wireguard_module_host: ""
+wireguard_listen_port: ""
+
+wireguard_interfaces: []
+# Exemple:
+# - listen_port:
+# privkey:
+# addresses:
+# - 10.10.10.1/24
+# peers:
+# - name:
+# pubkey:
+# endpoint:
+# allowed_ips:
+# - 0.0.0.0/0
+# - ::/0
+# persistent_keepalive:
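Review bot: `wireguard_listen_port` in defaults/main.yml is declared but nothing in this commit reads it: tasks/configuration.yml loops over `wireguard_interfaces` and templates/wgN.j2 takes the port from the per-interface `item.listen_port`. Either drop the variable or make the example comment say which one the template consumes, e.g. `# - listen_port:  # written as ListenPort; omit on interfaces that only dial out`. Leaving both in place invites setting the top-level variable and wondering why no ListenPort appears in the rendered file.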
diff --git a/meta/main.yml b/meta/main.yml
index c58bebf..7334127 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,7 +1,7 @@
galaxy_info:
namespace: ykn
author: pulsar89.5
- description: Rôle modèle
+ description: Rôle de déploiement de wireguard
license: GPL-3.0-or-later
diff --git a/tasks/configuration.yml b/tasks/configuration.yml
new file mode 100644
index 0000000..5b74789
--- /dev/null
+++ b/tasks/configuration.yml
@@ -0,0 +1,29 @@
+---
+# tasks file for wireguard
+
+- name: Déployer la configuration des interfaces
+ ansible.builtin.template:
+ src: wgN.j2
+ dest: /etc/wireguard/{{ interface }}.conf
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ loop: "{{ wireguard_interfaces }}"
+ loop_control:
+ index_var: index
+ label: "{{ interface }}"
+ vars:
+ interface: wg{{ index }}
+ become: true
+ register: deploy
+
+- name: Activer et redémarrer les services
+ ansible.builtin.systemd:
+ state: restarted
+ enabled: true
+ name: wg-quick@wg{{ item }}.service
+ become: true
+ loop: "{{ deploy.results | selectattr('changed', 'equalto', true) | map(attribute='index') }}"
+ loop_control:
+ index_var: index
+ label: wg{{ index }}
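Review bot: The rendered `/etc/wireguard/wgN.conf` contains `PrivateKey`, yet the template task sets `mode: u=rw,g=r,o=r`, which leaves the key readable by every local account; wg-quick expects this file to be owner-only. Change it to `mode: u=rw,g=,o=`. Because the task is registered as `deploy` and a `--diff` run prints the templated content, `diff: false` on the task would also keep the key out of the controller output. The second task's `loop` uses `map(attribute='index')` without a trailing `| list`; depending on the Ansible version this may be rejected as a generator rather than a list, so appending `| list` is the safe form.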
diff --git a/tasks/installation.yml b/tasks/installation.yml
new file mode 100644
index 0000000..d6fc101
--- /dev/null
+++ b/tasks/installation.yml
@@ -0,0 +1,33 @@
+---
+# tasks file for wireguard
+
+- name: Installer le paquet
+ ansible.builtin.apt:
+ update_cache: true
+ name: wireguard
+ when: wireguard_module_host | length == 0
+ become: true
+ register: wireguard_install
+
+- name: Installer le module du noyau sur l'hôte
+ ansible.builtin.apt:
+ update_cache: true
+ name: wireguard-dkms
+ when: wireguard_module_host | length > 0
+ delegate_to: "{{ wireguard_module_host }}"
+ become: true
+
+- name: Installer l'outil de configuration
+ ansible.builtin.apt:
+ update_cache: true
+ name: wireguard-tools
+ when: wireguard_module_host | length > 0
+ become: true
+
+#- name: Créer le dossier contenant la configuration
+# ansible.builtin.file:
+# state: directory
+# mode: u=rwx,g=,o=
+# path: "{{ wireguard_conf_path }}"
+# delegate_to: "{{ wireguard_server_host }}"
+# become: true
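Review bot: The commented-out task at the end of tasks/installation.yml references `wireguard_conf_path` and `wireguard_server_host`, neither of which is defined in defaults/main.yml in this commit, and `register: wireguard_install` on the first task is never consumed anywhere in the diff. Drop the dead block and the unused `register`, or replace the block with a one-line comment naming what is still to be done. When `wireguard_module_host` is set, only `wireguard-dkms` on the host and `wireguard-tools` on the target are installed, so the `wireguard` package is skipped on the target; if that is deliberate, a comment above the first task such as `# With a module host, the target gets only wireguard-tools; the kernel module comes from the host` would make the two branches easier to follow.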
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..e50456c
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+# tasks file for wireguard
+
+- name: Importer les tâches d'installation
+ ansible.builtin.import_tasks: installation.yml
+
+- name: Importer les tâches de configuration
+ ansible.builtin.import_tasks: configuration.yml
diff --git a/templates/wgN.j2 b/templates/wgN.j2
new file mode 100644
index 0000000..6f649b8
--- /dev/null
+++ b/templates/wgN.j2
@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+
+[Interface]
+{% if item.listen_port is defined %}
+ListenPort = {{ item.listen_port }}
+{% endif %}
+PrivateKey = {{ item.privkey }}
+Address = {{ item.addresses | join(', ') }}
+
+{% for peer in item.peers %}
+[Peer]
+# {{ peer.name }}
+PublicKey = {{ peer.pubkey }}
+Endpoint = {{ peer.endpoint }}
+AllowedIPs = {{ peer.allowed_ips | join(', ') }}
+{% if peer.persistent_keepalive is defined %}
+PersistentKeepalive = {{ peer.persistent_keepalive }}
+{% endif %}
+
+{% endfor %}
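Review bot: `Endpoint = {{ peer.endpoint }}` is emitted unconditionally, whereas `ListenPort` and `PersistentKeepalive` are guarded with `is defined`; an interface whose peers have no known endpoint (the side that only listens) would presumably fail to render on the undefined attribute. Guard it the same way: `{% if peer.endpoint is defined %}` / `Endpoint = {{ peer.endpoint }}` / `{% endif %}`. `# {{ peer.name }}` has no guard either; if `name` is meant to be mandatory, the example comment in defaults/main.yml should say so.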