aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTrygve Laugstøl <trygvis@inamo.no>2020-10-27 22:08:56 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2020-10-27 22:26:52 +0100
commit8fe199c66d3d2118fc45a2ffa2d994430a91da3e (patch)
tree09367b7ddd49a9abd2c6e0eaea8919b4b3fa33b3
parent285c587daf298132bc961b26abed1e5870c41e4b (diff)
downloadinfra-8fe199c66d3d2118fc45a2ffa2d994430a91da3e.tar.gz
infra-8fe199c66d3d2118fc45a2ffa2d994430a91da3e.tar.bz2
infra-8fe199c66d3d2118fc45a2ffa2d994430a91da3e.tar.xz
infra-8fe199c66d3d2118fc45a2ffa2d994430a91da3e.zip
Adding hash to wireguard.
-rw-r--r--ansible/group_vars/all/wireguard_wg0.yml7
-rw-r--r--ansible/inventory10
-rw-r--r--ansible/plays/files/hash/etc/wireguard/public-wg0.key1
-rw-r--r--ansible/roles/wireguard/tasks/main.yml21
4 files changed, 21 insertions, 18 deletions
diff --git a/ansible/group_vars/all/wireguard_wg0.yml b/ansible/group_vars/all/wireguard_wg0.yml
index 2a8f7e2..5d8e450 100644
--- a/ansible/group_vars/all/wireguard_wg0.yml
+++ b/ansible/group_vars/all/wireguard_wg0.yml
@@ -9,6 +9,8 @@ wireguard_wg0:
peers: all
# Generated by https://www.ultratools.com/tools/rangeGenerator
ipv6: fdf3:aad9:a885:0b3a::1
+ allowed_ips:
+ - ::/0
birgitte:
state: present
ipv4: 192.168.60.2
@@ -37,3 +39,8 @@ wireguard_wg0:
android-trygvis:
state: present
ipv6: fdf3:aad9:a885:0b3a::12
+ hash:
+ endpoint: hash.trygvis.io
+ listen_port: 51821
+ peers: all
+ ipv6: fdf3:aad9:a885:0b3a::13
diff --git a/ansible/inventory b/ansible/inventory
index 5789258..501477c 100644
--- a/ansible/inventory
+++ b/ansible/inventory
@@ -4,7 +4,7 @@ all:
ansible_host: knot.vpn.trygvis.io
ansible_python_interpreter: /usr/bin/python3
hash:
- ansible_host: hash.trygvis.io
+ ansible_host: hash.vpn.trygvis.io
numquam:
ansible_host: numquam.trygvis.io
birgitte:
@@ -12,6 +12,7 @@ all:
ansible_python_interpreter: /usr/bin/python3
arius:
ansible_host: arius.trygvis.io
+ ansible_python_interpreter: /usr/bin/python3
mw:
ansible_host: 2a01:7e00:e000:272:2ff:aaff:fe7e:46b4
homepi:
@@ -22,7 +23,7 @@ all:
ansible_host: conflatorio.vpn.trygvis.io
ansible_python_interpreter: /usr/bin/python3
akili:
- ansible_host: akili.local
+ ansible_host: akili.vpn.trygvis.io
ansible_python_interpreter: /usr/bin/python3
nextcloud:
ansible_host: 192.168.10.201
@@ -148,15 +149,16 @@ all:
wireguard_wg0:
hosts:
akili:
+ android-trygvis:
arius:
astyanax:
babypi:
birgitte:
conflatorio:
+ hash:
knot:
malabaricus:
- sweetzpot-mobile:
sweetzpot-macos:
- android-trygvis:
+ sweetzpot-mobile:
# vim: set filetype=yaml:
diff --git a/ansible/plays/files/hash/etc/wireguard/public-wg0.key b/ansible/plays/files/hash/etc/wireguard/public-wg0.key
new file mode 100644
index 0000000..b7736d6
--- /dev/null
+++ b/ansible/plays/files/hash/etc/wireguard/public-wg0.key
@@ -0,0 +1 @@
+mqWUWuINT47LoIxYHNrtdvE91nBZeqGaRfwAK1rTPHw=
diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml
index d05cec9..a91aea5 100644
--- a/ansible/roles/wireguard/tasks/main.yml
+++ b/ansible/roles/wireguard/tasks/main.yml
@@ -76,14 +76,15 @@
# {{ hostname }}
[WireGuardPeer]
PublicKey={{ host.public_key if host.public_key is defined else lookup('file', hostname + '/etc/wireguard/public-{{ wg_net.if }}.key') }}
- {% if host.endpoint is defined %}
- AllowedIPs={{ "0.0.0.0/0" }}
- {% elif host.ipv4 is defined %}
+ {% if host.allowed_ips is defined %}
+ {% for h in host.allowed_ips %}
+ AllowedIPs={{ h }}
+ {% endfor %}
+ {% endif %}
+ {% if host.ipv4 is defined %}
AllowedIPs={{ host.ipv4 }}
{% endif %}
- {% if host.endpoint is defined %}
- AllowedIPs={{ "::/0" }}
- {% elif host.ipv6 is defined %}
+ {% if host.ipv6 is defined %}
AllowedIPs={{ host.ipv6 }}
{% endif %}
{% if host.endpoint is defined %}
@@ -118,14 +119,6 @@
{% endfor %}
{% endif %}
- - name: UFW allow port
- when: wg_host.listen_port is defined
- tags: wireguard-config
- ufw:
- rule: allow
- port: "{{ wg_host.listen_port }}"
- proto: udp
-
- tags:
- wireguard
become: yes