-rw-r--r-- | ansible/all.yml | 5 | ||||
-rw-r--r-- | ansible/files/birgitte/etc/wireguard/public.key | 1 | ||||
-rw-r--r-- | ansible/files/fuckaduck/etc/wireguard/public.key | 1 | ||||
-rw-r--r-- | ansible/files/knot/etc/wireguard/public.key | 1 | ||||
-rw-r--r-- | ansible/group_vars/wireguard_net1/main.yml | 18 | ||||
-rw-r--r-- | ansible/host_vars/knot/wireguard.yml | 1 | ||||
-rw-r--r-- | ansible/inventory | 14 | ||||
-rw-r--r-- | ansible/roles/wireguard/defaults/main.yml | 1 | ||||
-rw-r--r-- | ansible/roles/wireguard/handlers/main.yml | 5 | ||||
-rw-r--r-- | ansible/roles/wireguard/tasks/main.yml | 128 |
10 files changed, 172 insertions, 3 deletions
diff --git a/ansible/all.yml b/ansible/all.yml
index 90cdef8..f0556f7 100644
--- a/ansible/all.yml
+++ b/ansible/all.yml
@@ -25,3 +25,8 @@ - lxc-hosts roles: - lxc-host
+
+- hosts:
+ - wireguard_net1
+ roles:
+ - wireguard
diff --git a/ansible/files/birgitte/etc/wireguard/public.key b/ansible/files/birgitte/etc/wireguard/public.key
new file mode 100644
index 0000000..8343677
--- /dev/null
+++ b/ansible/files/birgitte/etc/wireguard/public.key
@@ -0,0 +1 @@
+C5jly5hJf21tODOKloocYPk257izs9Qp5n8pwmFl/n0=
diff --git a/ansible/files/fuckaduck/etc/wireguard/public.key b/ansible/files/fuckaduck/etc/wireguard/public.key
new file mode 100644
index 0000000..d8012b3
--- /dev/null
+++ b/ansible/files/fuckaduck/etc/wireguard/public.key
@@ -0,0 +1 @@
+1Fywv/wM2QrqpxlbX5ql5lJNZdmadUGGn7gkXlAnlgE=
diff --git a/ansible/files/knot/etc/wireguard/public.key b/ansible/files/knot/etc/wireguard/public.key
new file mode 100644
index 0000000..5d4a839
--- /dev/null
+++ b/ansible/files/knot/etc/wireguard/public.key
@@ -0,0 +1 @@
+TgWtNOhe1j1uF8/xkN+u7Sv5FtvXj5EYRcwjbHjKjRU=
diff --git a/ansible/group_vars/wireguard_net1/main.yml b/ansible/group_vars/wireguard_net1/main.yml
new file mode 100644
index 0000000..06efebd
--- /dev/null
+++ b/ansible/group_vars/wireguard_net1/main.yml
@@ -0,0 +1,18 @@
+wireguard__net_id: net1
+wireguard__listen_port: 51820
+wireguard__server:
+ ansible_hostname: knot
+ hostname: trygvis.io
+ ipv4:
+ address: 192.168.90.1
+ prefix: 24
+wireguard__clients:
+ birgitte:
+ state: present
+ ipv4: 192.168.90.2
+ conflatorio:
+ state: absent
+ ipv4: 192.168.90.3
+ fuckaduck:
+ state: present
+ ipv4: 192.168.90.4
diff --git a/ansible/host_vars/knot/wireguard.yml b/ansible/host_vars/knot/wireguard.yml
new file mode 100644
index 0000000..a921af1
--- /dev/null
+++ b/ansible/host_vars/knot/wireguard.yml
@@ -0,0 +1 @@
+wireguard__role: server
diff --git a/ansible/inventory b/ansible/inventory
index 6319cd4..e8daef8 100644
--- a/ansible/inventory
+++ b/ansible/inventory
@@ -27,13 +27,14 @@ all: conflatorio: arius: akysis: - elasticsearch-servers: - hosts: - numquam: + fuckaduck: sbcs: hosts: homepi: malabaricus: + elasticsearch-servers: + hosts: + numquam: modern1: hosts: nextcloud:
@@ -90,4 +91,11 @@ all: children: borg_nas: + wireguard_net1: + hosts: + knot: + fuckaduck: + birgitte: + conflatorio: + # vim: set filetype=yaml:
diff --git a/ansible/roles/wireguard/defaults/main.yml b/ansible/roles/wireguard/defaults/main.yml
new file mode 100644
index 0000000..62705a7
--- /dev/null
+++ b/ansible/roles/wireguard/defaults/main.yml
@@ -0,0 +1 @@
+wireguard__role: client
diff --git a/ansible/roles/wireguard/handlers/main.yml b/ansible/roles/wireguard/handlers/main.yml
new file mode 100644
index 0000000..f0170dd
--- /dev/null
+++ b/ansible/roles/wireguard/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: systemctl restart systemd-networkd
+ become: yes
+ systemd:
+ name: systemd-networkd
+ state: restarted
diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..197d54a
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/main.yml
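Review bot: In the new handlers/main.yml, `become: yes` uses a YAML 1.1 truthy spelling; Ansible accepts it, but yamllint's `truthy` rule flags it and `true`/`false` are the only spellings that parse the same on every loader, so write `become: true`. The same spelling is used throughout the new tasks/main.yml (`become: yes`, `install_recommends: no`, `enabled: yes`) and should be changed there in the same pass.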
@@ -0,0 +1,128 @@ +- tags: + - wireguard + become: yes + block: + - name: Install packages + apt: + name: "{{ items }}" + install_recommends: no + vars: + items: + - wireguard + - "{{ 'linux-headers-amd64' if ansible_architecture == 'x86_64' else 'linux-headers-686' }}" + + - name: systemctl enable systemd-networkd + systemd: + name: systemd-networkd + enabled: yes + state: started + + - name: mkdir /etc/wireguard + file: + path: /etc/wireguard + state: directory + - name: wg genkey /etc/wireguard/private.key + shell: wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key + args: + creates: /etc/wireguard/private.key + register: wg_private_key + + - when: wg_private_key.changed + fetch: + src: "/etc/wireguard/public.key" + dest: "files" + + - name: Make /etc/systemd/network/60-wg-XXX.netdev (Client) + when: wireguard__role == 'client' + notify: systemctl restart systemd-networkd + tags: wireguard-config + copy: + dest: /etc/systemd/network/60-wg-{{ wireguard__net_id }}.netdev + content: | + [NetDev] + Name=wg-{{ wireguard__net_id }} + Kind=wireguard + Description=Net id: {{ wireguard__net_id }} + + [WireGuard] + PrivateKey={{ lookup('file', ansible_hostname + '/etc/wireguard/public.key') }} + ListenPort={{ wireguard__listen_port }} + + [WireGuardPeer] + PublicKey={{ lookup('file', wireguard__server.ansible_hostname + '/etc/wireguard/public.key') }} + AllowedIPs=0.0.0.0/0 + AllowedIPs=::/0 + Endpoint={{ wireguard__server.hostname }}:{{ wireguard__listen_port }} + + - name: Make /etc/systemd/network/60-wg-XXX.netdev (Server) + when: wireguard__role == 'server' + notify: systemctl restart systemd-networkd + tags: wireguard-config + copy: + dest: /etc/systemd/network/60-wg-{{ wireguard__net_id }}.netdev + content: | + [NetDev] + Name=wg-{{ wireguard__net_id }} + Kind=wireguard + Description=Net id: {{ wireguard__net_id }} + + [WireGuard] + PrivateKey={{ lookup('file', ansible_hostname + '/etc/wireguard/public.key') }} + ListenPort={{ 
wireguard__listen_port }} + + {% for c in wireguard__clients %} + {% set client = wireguard__clients[c] %} + # Client: {{ c }} + {% if client.state == 'present' %} + [WireGuardPeer] + PublicKey={{ lookup('file', c + '/etc/wireguard/public.key') }} + AllowedIPs=0.0.0.0/0 + # AllowedIPs={{ client.ipv4 }} + AllowedIPs=::/0 + {% else %} + # absent + {% endif %} + + {% endfor %} + + - name: rm /etc/systemd/network/60-wg-XXX.network + tags: wireguard-config + file: + path: /etc/systemd/network/60-wg-{{ wireguard__net_id }}.network + state: absent + + - name: Make /etc/systemd/network/61-wg-XXX.network (Client) + when: wireguard__role == 'client' + tags: wireguard-config + notify: systemctl restart systemd-networkd + copy: + dest: /etc/systemd/network/61-wg-{{ wireguard__net_id }}.network + content: | + [Match] + Name=wg-{{ wireguard__net_id }} + + [Network] + Address={{ wireguard__clients[ansible_hostname].ipv4 }}/{{ wireguard__server.ipv4.prefix }} + # Address= TODO ipv6 + + - name: Make /etc/systemd/network/61-wg-XXX.network (Server) + when: wireguard__role == 'server' + tags: wireguard-config + notify: systemctl restart systemd-networkd + copy: + dest: /etc/systemd/network/61-wg-{{ wireguard__net_id }}.network + content: | + [Match] + Name=wg-{{ wireguard__net_id }} + + [Network] + Address={{ wireguard__server.ipv4.address }}/{{ wireguard__server.ipv4.prefix }} + # Address= TODO ipv6 + + - name: UFW enable + when: wireguard__role == 'server' + tags: wireguard-config + ufw: + rule: allow + port: "{{ wireguard__listen_port }}" + proto: tcp |