aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ansible/files/birgitte/etc/wireguard/public.key2
-rw-r--r--ansible/group_vars/wireguard_net1/main.yml15
-rw-r--r--ansible/roles/ufw/tasks/main.yml4
-rw-r--r--ansible/roles/wireguard/tasks/main.yml33
4 files changed, 34 insertions, 20 deletions
diff --git a/ansible/files/birgitte/etc/wireguard/public.key b/ansible/files/birgitte/etc/wireguard/public.key
index 8343677..22e2fe3 100644
--- a/ansible/files/birgitte/etc/wireguard/public.key
+++ b/ansible/files/birgitte/etc/wireguard/public.key
@@ -1 +1 @@
-C5jly5hJf21tODOKloocYPk257izs9Qp5n8pwmFl/n0=
+A+6nNcP2bjlLYy6QG7swT4mHwiC8C2P4bCQvy1hV93E=
diff --git a/ansible/group_vars/wireguard_net1/main.yml b/ansible/group_vars/wireguard_net1/main.yml
index 06efebd..8e17dea 100644
--- a/ansible/group_vars/wireguard_net1/main.yml
+++ b/ansible/group_vars/wireguard_net1/main.yml
@@ -4,15 +4,22 @@ wireguard__server:
ansible_hostname: knot
hostname: trygvis.io
ipv4:
- address: 192.168.90.1
+ address: 192.168.80.1
prefix: 24
+ # Generated by https://www.ultratools.com/tools/rangeGenerator
+ ipv6:
+ address: fdf3:aad9:a885:0b3a::1
+ prefix: 64
wireguard__clients:
birgitte:
state: present
- ipv4: 192.168.90.2
+ ipv4: 192.168.80.2
+ ipv6: fdf3:aad9:a885:0b3a::2
conflatorio:
state: absent
- ipv4: 192.168.90.3
+ ipv4: 192.168.80.3
+ ipv6: fdf3:aad9:a885:0b3a::3
fuckaduck:
state: present
- ipv4: 192.168.90.4
+ ipv4: 192.168.80.4
+ ipv6: fdf3:aad9:a885:0b3a::4
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
index e66ef58..b372eb7 100644
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
@@ -18,8 +18,8 @@
# be processed
COMMIT
-# - ufw:
-# state: enabled
+ - ufw:
+ state: enabled
# - ufw:
# default: allow
diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml
index 197d54a..a663be3 100644
--- a/ansible/roles/wireguard/tasks/main.yml
+++ b/ansible/roles/wireguard/tasks/main.yml
@@ -9,7 +9,7 @@
vars:
items:
- wireguard
- - "{{ 'linux-headers-amd64' if ansible_architecture == 'x86_64' else 'linux-headers-686' }}"
+ - "{{ 'linux-headers-amd64' if ansible_architecture == 'x86_64' else 'linux-headers-686-pae' }}"
- name: systemctl enable systemd-networkd
systemd:
@@ -21,17 +21,25 @@
file:
path: /etc/wireguard
state: directory
+
- name: wg genkey /etc/wireguard/private.key
+ tags: wireguard-config
shell: wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
args:
creates: /etc/wireguard/private.key
- register: wg_private_key
+ register: wg_private_key_gen
- - when: wg_private_key.changed
+ - when: wg_private_key_gen.changed
+ tags: wireguard-config
fetch:
src: "/etc/wireguard/public.key"
dest: "files"
+ - tags: wireguard-config
+ slurp:
+ src: "/etc/wireguard/private.key"
+ register: wg_private_key
+
- name: Make /etc/systemd/network/60-wg-XXX.netdev (Client)
when: wireguard__role == 'client'
notify: systemctl restart systemd-networkd
@@ -45,8 +53,8 @@
Description=Net id: {{ wireguard__net_id }}
[WireGuard]
- PrivateKey={{ lookup('file', ansible_hostname + '/etc/wireguard/public.key') }}
- ListenPort={{ wireguard__listen_port }}
+ PrivateKey={{ wg_private_key['content'] | b64decode }}
+ PersistentKeepalive=60
[WireGuardPeer]
PublicKey={{ lookup('file', wireguard__server.ansible_hostname + '/etc/wireguard/public.key') }}
@@ -67,7 +75,7 @@
Description=Net id: {{ wireguard__net_id }}
[WireGuard]
- PrivateKey={{ lookup('file', ansible_hostname + '/etc/wireguard/public.key') }}
+ PrivateKey={{ wg_private_key['content'] | b64decode }}
ListenPort={{ wireguard__listen_port }}
{% for c in wireguard__clients %}
@@ -76,9 +84,8 @@
{% if client.state == 'present' %}
[WireGuardPeer]
PublicKey={{ lookup('file', c + '/etc/wireguard/public.key') }}
- AllowedIPs=0.0.0.0/0
- # AllowedIPs={{ client.ipv4 }}
- AllowedIPs=::/0
+ AllowedIPs={{ client.ipv4 }}
+ AllowedIPs={{ client.ipv6 }}
{% else %}
# absent
{% endif %}
@@ -103,7 +110,7 @@
[Network]
Address={{ wireguard__clients[ansible_hostname].ipv4 }}/{{ wireguard__server.ipv4.prefix }}
- # Address= TODO ipv6
+ Address={{ wireguard__clients[ansible_hostname].ipv6 }}/{{ wireguard__server.ipv6.prefix }}
- name: Make /etc/systemd/network/61-wg-XXX.network (Server)
when: wireguard__role == 'server'
@@ -117,12 +124,12 @@
[Network]
Address={{ wireguard__server.ipv4.address }}/{{ wireguard__server.ipv4.prefix }}
- # Address= TODO ipv6
+ Address={{ wireguard__server.ipv6.address }}/{{ wireguard__server.ipv6.prefix }}
- - name: UFW enable
+ - name: UFW allow port
when: wireguard__role == 'server'
tags: wireguard-config
ufw:
rule: allow
port: "{{ wireguard__listen_port }}"
- proto: tcp
+ proto: udp