-rw-r--r-- | ansible/files/birgitte/etc/wireguard/public.key | 2 | ||||
-rw-r--r-- | ansible/group_vars/wireguard_net1/main.yml | 15 | ||||
-rw-r--r-- | ansible/roles/ufw/tasks/main.yml | 4 | ||||
-rw-r--r-- | ansible/roles/wireguard/tasks/main.yml | 33 |
4 files changed, 34 insertions, 20 deletions
diff --git a/ansible/files/birgitte/etc/wireguard/public.key b/ansible/files/birgitte/etc/wireguard/public.key index 8343677..22e2fe3 100644 --- a/ansible/files/birgitte/etc/wireguard/public.key +++ b/ansible/files/birgitte/etc/wireguard/public.key @@ -1 +1 @@ -C5jly5hJf21tODOKloocYPk257izs9Qp5n8pwmFl/n0= +A+6nNcP2bjlLYy6QG7swT4mHwiC8C2P4bCQvy1hV93E= diff --git a/ansible/group_vars/wireguard_net1/main.yml b/ansible/group_vars/wireguard_net1/main.yml index 06efebd..8e17dea 100644 --- a/ansible/group_vars/wireguard_net1/main.yml +++ b/ansible/group_vars/wireguard_net1/main.yml @@ -4,15 +4,22 @@ wireguard__server: ansible_hostname: knot hostname: trygvis.io ipv4: - address: 192.168.90.1 + address: 192.168.80.1 prefix: 24 + # Generated by https://www.ultratools.com/tools/rangeGenerator + ipv6: + address: fdf3:aad9:a885:0b3a::1 + prefix: 64 wireguard__clients: birgitte: state: present - ipv4: 192.168.90.2 + ipv4: 192.168.80.2 + ipv6: fdf3:aad9:a885:0b3a::2 conflatorio: state: absent - ipv4: 192.168.90.3 + ipv4: 192.168.80.3 + ipv6: fdf3:aad9:a885:0b3a::3 fuckaduck: state: present - ipv4: 192.168.90.4 + ipv4: 192.168.80.4 + ipv6: fdf3:aad9:a885:0b3a::4 diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml index e66ef58..b372eb7 100644 --- a/ansible/roles/ufw/tasks/main.yml +++ b/ansible/roles/ufw/tasks/main.yml @@ -18,8 +18,8 @@ # be processed COMMIT -# - ufw: -# state: enabled + - ufw: + state: enabled # - ufw: # default: allow diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml index 197d54a..a663be3 100644 --- a/ansible/roles/wireguard/tasks/main.yml +++ b/ansible/roles/wireguard/tasks/main.yml @@ -9,7 +9,7 @@ vars: items: - wireguard - - "{{ 'linux-headers-amd64' if ansible_architecture == 'x86_64' else 'linux-headers-686' }}" + - "{{ 'linux-headers-amd64' if ansible_architecture == 'x86_64' else 'linux-headers-686-pae' }}" - name: systemctl enable systemd-networkd systemd: 
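Review bot: The newly enabled `- ufw: state: enabled` task switches ufw's default deny-incoming policy on, and this hunk shows no allow rule for the SSH port that Ansible itself connects over; unless such a rule already runs earlier in the role (the lines above the hunk are not visible here), the first run can lock the controller out of the host. Add a task of the form `- ufw: {rule: allow, port: "22", proto: tcp}` (using the host's real management port) before the enable step, and keep the `# - ufw: default: allow` lines commented as they are, since uncommenting them would undo the deny default. The surrounding task list starts and ends outside the hunk.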
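Review bot: The `else 'linux-headers-686-pae'` branch in the package list covers every architecture that is not x86_64, so an arm64 or armhf host would try to install the i686 PAE headers and fail the wireguard install step. If such hosts exist in the inventory, a per-architecture mapping that errors on unknown values is safer, e.g. `"{{ {'x86_64': 'linux-headers-amd64', 'i686': 'linux-headers-686-pae'}[ansible_architecture] }}"` (verify the exact value your 32-bit hosts report for ansible_architecture), which stops the play on an unlisted architecture instead of picking a wrong package. The enclosing apt task starts before the hunk.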
@@ -21,17 +21,25 @@ file: path: /etc/wireguard state: directory + - name: wg genkey /etc/wireguard/private.key + tags: wireguard-config shell: wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key args: creates: /etc/wireguard/private.key - register: wg_private_key + register: wg_private_key_gen - - when: wg_private_key.changed + - when: wg_private_key_gen.changed + tags: wireguard-config fetch: src: "/etc/wireguard/public.key" dest: "files" + - tags: wireguard-config + slurp: + src: "/etc/wireguard/private.key" + register: wg_private_key + - name: Make /etc/systemd/network/60-wg-XXX.netdev (Client) when: wireguard__role == 'client' notify: systemctl restart systemd-networkd @@ -45,8 +53,8 @@ Description=Net id: {{ wireguard__net_id }} [WireGuard] - PrivateKey={{ lookup('file', ansible_hostname + '/etc/wireguard/public.key') }} - ListenPort={{ wireguard__listen_port }} + PrivateKey={{ wg_private_key['content'] | b64decode }} + PersistentKeepalive=60 [WireGuardPeer] PublicKey={{ lookup('file', wireguard__server.ansible_hostname + '/etc/wireguard/public.key') }} @@ -67,7 +75,7 @@ Description=Net id: {{ wireguard__net_id }} [WireGuard] - PrivateKey={{ lookup('file', ansible_hostname + '/etc/wireguard/public.key') }} + PrivateKey={{ wg_private_key['content'] | b64decode }} ListenPort={{ wireguard__listen_port }} {% for c in wireguard__clients %} @@ -76,9 +84,8 @@ {% if client.state == 'present' %} [WireGuardPeer] PublicKey={{ lookup('file', c + '/etc/wireguard/public.key') }} - AllowedIPs=0.0.0.0/0 - # AllowedIPs={{ client.ipv4 }} - AllowedIPs=::/0 + AllowedIPs={{ client.ipv4 }} + AllowedIPs={{ client.ipv6 }} {% else %} # absent {% endif %} 
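Review bot: The new `slurp` task pulls the WireGuard private key into the registered variable `wg_private_key` without `no_log: true`, so a verbose run (`-v` and up) or a logging callback prints the base64 key in the task result; add `no_log: true` to this task and to the two template tasks that render `wg_private_key['content']`. The task also has no `name:`, which makes that output harder to audit, so `- name: Read /etc/wireguard/private.key into wg_private_key` is worth adding. Separately, the genkey line `shell: wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key` is unchanged here but creates private.key under the shell's default umask, so prefixing it with `umask 077 && ` keeps the key from being group/world-readable from the moment it is written. The task list continues past the end of the hunk.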
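Review bot: `PersistentKeepalive=60` has been added under `[WireGuard]`, but in systemd.netdev(5) it is a `[WireGuardPeer]` option; networkd logs an unknown-key warning for it in the interface section and the keepalive never takes effect, so move the line below `PublicKey=` in the `[WireGuardPeer]` block that follows. This hunk and the @@ -67 hunk now embed the decoded private key directly in the .netdev file, so the task that writes the file (outside the hunk) must set a restrictive mode — `mode: "0640"` with the file group set to `systemd-network` is what networkd expects; if the target systemd supports `PrivateKeyFile=`, `PrivateKeyFile=/etc/wireguard/private.key` avoids both the slurp and a second on-disk copy of the key. The template starts and ends outside the hunk.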
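Review bot: `AllowedIPs={{ client.ipv4 }}` and `AllowedIPs={{ client.ipv6 }}` now carry bare host addresses with no prefix; I have not verified how networkd treats a missing prefix length, so state the intent explicitly with `AllowedIPs={{ client.ipv4 }}/32` and `AllowedIPs={{ client.ipv6 }}/128`, which is also what the per-peer restriction this hunk introduces is meant to express. The second line renders an undefined-variable error for any client entry without an `ipv6` key; the group_vars in this commit define it for all three hosts, but other groups are not visible here, so wrapping it in `{% if client.ipv6 is defined %}` is cheap insurance. The Jinja loop and the `client` variable are defined outside the hunk.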
@@ -103,7 +110,7 @@ [Network] Address={{ wireguard__clients[ansible_hostname].ipv4 }}/{{ wireguard__server.ipv4.prefix }} - # Address= TODO ipv6 + Address={{ wireguard__clients[ansible_hostname].ipv6 }}/{{ wireguard__server.ipv6.prefix }} - name: Make /etc/systemd/network/61-wg-XXX.network (Server) when: wireguard__role == 'server' @@ -117,12 +124,12 @@ [Network] Address={{ wireguard__server.ipv4.address }}/{{ wireguard__server.ipv4.prefix }} - # Address= TODO ipv6 + Address={{ wireguard__server.ipv6.address }}/{{ wireguard__server.ipv6.prefix }} - - name: UFW enable + - name: UFW allow port when: wireguard__role == 'server' tags: wireguard-config ufw: rule: allow port: "{{ wireguard__listen_port }}" - proto: tcp + proto: udp |