authorTrygve Laugstøl <trygvis@inamo.no>2018-12-28 22:47:51 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2018-12-28 22:47:51 +0100
commit17a6c2aa2c5610860da11ad242aa8c79507442a2 (patch)
tree9c69e36794b091469cc57af41ed505aa3d755d0d /ansible/roles
parentfbcf643e474edce8e42b12ea383ec8ebeb4c9ff5 (diff)
wireguard: working config + ipv6.
Diffstat (limited to 'ansible/roles')
-rw-r--r--ansible/roles/ufw/tasks/main.yml4
-rw-r--r--ansible/roles/wireguard/tasks/main.yml33
2 files changed, 22 insertions, 15 deletions
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
index e66ef58..b372eb7 100644
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
@@ -18,8 +18,8 @@
# be processed
COMMIT
-# - ufw:
-# state: enabled
+ - ufw:
+ state: enabled
# - ufw:
# default: allow
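Review bot: Un-commenting `state: enabled` at the `+ - ufw:` line turns the firewall on with ufw's default deny-incoming policy, and no task that allows the management port is visible in this hunk; if none precedes it earlier in the file (lines 1–17 are outside the hunk), applying this role to a remote host can cut off the very session Ansible is using. A task such as `- ufw: { rule: allow, port: "22", proto: tcp }` placed before the enable task, or at least a comment stating that the SSH rule is expected to be applied earlier, would make the ordering requirement explicit. The `# - ufw:` / `# default: allow` block left commented out below it is now dead text and is easier to reason about if it is either dropped or given a one-line comment saying why it stays disabled.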
diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml
index 197d54a..a663be3 100644
--- a/ansible/roles/wireguard/tasks/main.yml
+++ b/ansible/roles/wireguard/tasks/main.yml
@@ -9,7 +9,7 @@
vars:
items:
- wireguard
- - "{{ 'linux-headers-amd64' if ansible_architecture == 'x86_64' else 'linux-headers-686' }}"
+ - "{{ 'linux-headers-amd64' if ansible_architecture == 'x86_64' else 'linux-headers-686-pae' }}"
- name: systemctl enable systemd-networkd
systemd:
@@ -21,17 +21,25 @@
file:
path: /etc/wireguard
state: directory
+
- name: wg genkey /etc/wireguard/private.key
+ tags: wireguard-config
shell: wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
args:
creates: /etc/wireguard/private.key
- register: wg_private_key
+ register: wg_private_key_gen
- - when: wg_private_key.changed
+ - when: wg_private_key_gen.changed
+ tags: wireguard-config
fetch:
src: "/etc/wireguard/public.key"
dest: "files"
+ - tags: wireguard-config
+ slurp:
+ src: "/etc/wireguard/private.key"
+ register: wg_private_key
+
- name: Make /etc/systemd/network/60-wg-XXX.netdev (Client)
when: wireguard__role == 'client'
notify: systemctl restart systemd-networkd
@@ -45,8 +53,8 @@
Description=Net id: {{ wireguard__net_id }}
[WireGuard]
- PrivateKey={{ lookup('file', ansible_hostname + '/etc/wireguard/public.key') }}
- ListenPort={{ wireguard__listen_port }}
+ PrivateKey={{ wg_private_key['content'] | b64decode }}
+ PersistentKeepalive=60
[WireGuardPeer]
PublicKey={{ lookup('file', wireguard__server.ansible_hostname + '/etc/wireguard/public.key') }}
@@ -67,7 +75,7 @@
Description=Net id: {{ wireguard__net_id }}
[WireGuard]
- PrivateKey={{ lookup('file', ansible_hostname + '/etc/wireguard/public.key') }}
+ PrivateKey={{ wg_private_key['content'] | b64decode }}
ListenPort={{ wireguard__listen_port }}
{% for c in wireguard__clients %}
@@ -76,9 +84,8 @@
{% if client.state == 'present' %}
[WireGuardPeer]
PublicKey={{ lookup('file', c + '/etc/wireguard/public.key') }}
- AllowedIPs=0.0.0.0/0
- # AllowedIPs={{ client.ipv4 }}
- AllowedIPs=::/0
+ AllowedIPs={{ client.ipv4 }}
+ AllowedIPs={{ client.ipv6 }}
{% else %}
# absent
{% endif %}
@@ -103,7 +110,7 @@
[Network]
Address={{ wireguard__clients[ansible_hostname].ipv4 }}/{{ wireguard__server.ipv4.prefix }}
- # Address= TODO ipv6
+ Address={{ wireguard__clients[ansible_hostname].ipv6 }}/{{ wireguard__server.ipv6.prefix }}
- name: Make /etc/systemd/network/61-wg-XXX.network (Server)
when: wireguard__role == 'server'
@@ -117,12 +124,12 @@
[Network]
Address={{ wireguard__server.ipv4.address }}/{{ wireguard__server.ipv4.prefix }}
- # Address= TODO ipv6
+ Address={{ wireguard__server.ipv6.address }}/{{ wireguard__server.ipv6.prefix }}
- - name: UFW enable
+ - name: UFW allow port
when: wireguard__role == 'server'
tags: wireguard-config
ufw:
rule: allow
port: "{{ wireguard__listen_port }}"
- proto: tcp
+ proto: udp
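Review bot: The new `slurp` task for `/etc/wireguard/private.key` (the `+ - tags: wireguard-config` … `+ register: wg_private_key` lines in the `@@ -21,17 +21,25 @@` hunk) registers the private key without `no_log: true`, so its base64 content is printed in verbose runs and captured by callback plugins and any log aggregation; add `no_log: true` to that task, and to the two tasks that render `PrivateKey={{ wg_private_key['content'] | b64decode }}` into the `.netdev` files, since their `content:` diff is shown in check/diff mode. Because the decoded key now lives inside the `.netdev` file, the tasks writing those files (their `Make /etc/systemd/network/60-wg-XXX.netdev` / server equivalents start in the hunk but the file-writing module and its `mode:` are outside it) should set a restrictive mode such as `mode: "0640"` rather than the default umask-derived one — please confirm what they currently do. Separately, `+ PersistentKeepalive=60` is added under `[WireGuard]` in the client netdev, but in systemd.netdev that key belongs to a `[WireGuardPeer]` section; as written networkd will ignore it, so it should move below the `PublicKey=` line of the `[WireGuardPeer]` block that follows.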