diff options
| author | Trygve Laugstøl <trygvis@inamo.no> | 2018-12-28 22:47:51 +0100 |
|---|---|---|
| committer | Trygve Laugstøl <trygvis@inamo.no> | 2018-12-28 22:47:51 +0100 |
| commit | 17a6c2aa2c5610860da11ad242aa8c79507442a2 (patch) | |
| tree | 9c69e36794b091469cc57af41ed505aa3d755d0d /ansible/roles | |
| parent | fbcf643e474edce8e42b12ea383ec8ebeb4c9ff5 (diff) | |
| download | infra-17a6c2aa2c5610860da11ad242aa8c79507442a2.tar.gz infra-17a6c2aa2c5610860da11ad242aa8c79507442a2.tar.bz2 infra-17a6c2aa2c5610860da11ad242aa8c79507442a2.tar.xz infra-17a6c2aa2c5610860da11ad242aa8c79507442a2.zip | |
wireguard: working config + ipv6.
Diffstat (limited to 'ansible/roles')
| -rw-r--r-- | ansible/roles/ufw/tasks/main.yml | 4 | ||||
| -rw-r--r-- | ansible/roles/wireguard/tasks/main.yml | 33 |
2 files changed, 22 insertions, 15 deletions
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml index e66ef58..b372eb7 100644 --- a/ansible/roles/ufw/tasks/main.yml +++ b/ansible/roles/ufw/tasks/main.yml @@ -18,8 +18,8 @@ # be processed COMMIT -# - ufw: -# state: enabled + - ufw: + state: enabled # - ufw: # default: allow diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml index 197d54a..a663be3 100644 --- a/ansible/roles/wireguard/tasks/main.yml +++ b/ansible/roles/wireguard/tasks/main.yml @@ -9,7 +9,7 @@ vars: items: - wireguard - - "{{ 'linux-headers-amd64' if ansible_architecture == 'x86_64' else 'linux-headers-686' }}" + - "{{ 'linux-headers-amd64' if ansible_architecture == 'x86_64' else 'linux-headers-686-pae' }}" - name: systemctl enable systemd-networkd systemd: @@ -21,17 +21,25 @@ file: path: /etc/wireguard state: directory + - name: wg genkey /etc/wireguard/private.key + tags: wireguard-config shell: wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key args: creates: /etc/wireguard/private.key - register: wg_private_key + register: wg_private_key_gen - - when: wg_private_key.changed + - when: wg_private_key_gen.changed + tags: wireguard-config fetch: src: "/etc/wireguard/public.key" dest: "files" + - tags: wireguard-config + slurp: + src: "/etc/wireguard/private.key" + register: wg_private_key + - name: Make /etc/systemd/network/60-wg-XXX.netdev (Client) when: wireguard__role == 'client' notify: systemctl restart systemd-networkd @@ -45,8 +53,8 @@ Description=Net id: {{ wireguard__net_id }} [WireGuard] - PrivateKey={{ lookup('file', ansible_hostname + '/etc/wireguard/public.key') }} - ListenPort={{ wireguard__listen_port }} + PrivateKey={{ wg_private_key['content'] | b64decode }} + PersistentKeepalive=60 [WireGuardPeer] PublicKey={{ lookup('file', wireguard__server.ansible_hostname + '/etc/wireguard/public.key') }} @@ -67,7 +75,7 @@ Description=Net id: {{ wireguard__net_id }} [WireGuard] - PrivateKey={{ lookup('file', ansible_hostname + '/etc/wireguard/public.key') }} + PrivateKey={{ wg_private_key['content'] | b64decode }} ListenPort={{ wireguard__listen_port }} {% for c in wireguard__clients %} @@ -76,9 +84,8 @@ {% if client.state == 'present' %} [WireGuardPeer] PublicKey={{ lookup('file', c + '/etc/wireguard/public.key') }} - AllowedIPs=0.0.0.0/0 - # AllowedIPs={{ client.ipv4 }} - AllowedIPs=::/0 + AllowedIPs={{ client.ipv4 }} + AllowedIPs={{ client.ipv6 }} {% else %} # absent {% endif %} @@ -103,7 +110,7 @@ [Network] Address={{ wireguard__clients[ansible_hostname].ipv4 }}/{{ wireguard__server.ipv4.prefix }} - # Address= TODO ipv6 + Address={{ wireguard__clients[ansible_hostname].ipv6 }}/{{ wireguard__server.ipv6.prefix }} - name: Make /etc/systemd/network/61-wg-XXX.network (Server) when: wireguard__role == 'server' @@ -117,12 +124,12 @@ [Network] Address={{ wireguard__server.ipv4.address }}/{{ wireguard__server.ipv4.prefix }} - # Address= TODO ipv6 + Address={{ wireguard__server.ipv6.address }}/{{ wireguard__server.ipv6.prefix }} - - name: UFW enable + - name: UFW allow port when: wireguard__role == 'server' tags: wireguard-config ufw: rule: allow port: "{{ wireguard__listen_port }}" - proto: tcp + proto: udp |