Diffstat (limited to 'ansible/roles/wireguard2/tasks/present.yml')
-rw-r--r--ansible/roles/wireguard2/tasks/present.yml99
1 files changed, 99 insertions, 0 deletions
diff --git a/ansible/roles/wireguard2/tasks/present.yml b/ansible/roles/wireguard2/tasks/present.yml
new file mode 100644
index 0000000..967ec7d
--- /dev/null
+++ b/ansible/roles/wireguard2/tasks/present.yml
@@ -0,0 +1,99 @@
+- name: "wg genkey {{ private_key_path }}"
+ become: yes
+ shell: "wg genkey | tee {{ private_key_path }} | wg pubkey > {{ public_key_path }}"
+ args:
+ creates: "{{ private_key_path }}"
+ register: wg_private_key_gen
+
+- name: chmod/chown keys
+ become: yes
+ file:
+ owner: systemd-network
+ group: adm
+ mode: 0640
+ path: "{{ item }}"
+ loop:
+ - "{{ private_key_path }}"
+ - "{{ public_key_path }}"
+
+- when: wg_private_key_gen.changed
+ become: yes
+ fetch:
+ src: "{{ public_key_path }}"
+ dest: "files/{{ public_keys_path }}/{{ ansible_hostname }}.pub"
+ flat: true
+
+- become: yes
+ slurp:
+ src: "{{ private_key_path }}"
+ register: wg_private_key
+
+- name: "Create {{ netdev_path }}"
+ become: yes
+ notify: systemctl restart systemd-networkd
+ copy:
+ owner: systemd-network
+ group: adm
+ mode: 0640
+ dest: "{{ netdev_path }}"
+ content: |
+ [NetDev]
+ Name={{ wireguard_if }}
+ Kind=wireguard
+ Description=Wireguard VPN ({{ wireguard_if }})
+
+ [WireGuard]
+ PrivateKey={{ wg_private_key['content'] | b64decode }}
+ {%- if wireguard_listen_port is defined %}
+ ListenPort={{ wireguard_listen_port }}
+ {% endif %}
+ {% for peer, data in wireguard_peers|dictsort %}
+ {% if peer != ansible_hostname %}
+
+ # {{ peer }}
+ [WireGuardPeer]
+ PublicKey={{ data.public_key if data.public_key is defined else lookup('file', public_keys_path + "/" + peer + ".pub") }}
+ {% if data.endpoint is defined %}
+ {% if data.endpoint == "auto" %}
+ Endpoint={{ hostvars[peer]['ansible_host'] }}:{{ data.listen_port if data.listen_port is defined else wireguard_listen_port }}
+ {% else %}
+ Endpoint={{ data.endpoint }}:{{ data.listen_port if data.listen_port is defined else wireguard_listen_port }}
+ {% endif %}
+ {% endif %}
+ {% for ip in data.allowed_ips|default([]) %}
+ AllowedIPs={{ ip }}
+ {% endfor %}
+ PersistentKeepalive={{ data.keepalive if data.keepalive is defined else "60" }}
+ {% endif %}{# skip this host #}
+ {% endfor %}
+
+- name: "Create {{ network_path }}"
+ become: yes
+ notify: systemctl restart systemd-networkd
+ copy:
+ owner: systemd-network
+ group: adm
+ mode: 0640
+ dest: "{{ network_path }}"
+ content: |
+ [Match]
+ Name={{ wireguard_if }}
+
+ [Address]
+ Address={{ wireguard_address4 }}
+
+ # Routers
+ {% for router in wireguard_routers %}
+ {% if router.state|default("absent") == "present" %}
+
+ [Route]
+ Gateway={{ router.gateway|ipaddr('address') }}
+ Destination={{ router.network }}
+ {% endif %}{# state #}
+ {% endfor %}
+
+- become: yes
+ systemd:
+ unit: systemd-networkd
+ state: started
+ enabled: yes
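Review bot: The `wg genkey | tee {{ private_key_path }}` shell on the first task writes the private key with the caller's default umask, so until the separate chmod/chown task runs the file is typically 0644 and readable by every local user; prefix the command with a restrictive umask, `shell: "umask 077; wg genkey | tee {{ private_key_path }} | wg pubkey > {{ public_key_path }}"`, so the key is never created world-readable. Because `creates:` skips the task once the file exists, a failed `wg genkey` that still leaves an empty or partial file through `tee` would never be regenerated; running it with `args: { executable: /bin/bash }` and `set -o pipefail` makes such a failure fail the task instead. The slurp task registers the raw private key into `wg_private_key` and the netdev copy task embeds it in `content:`, so both will print the key in verbose or `--diff` runs and in any log shipped from the controller; add `no_log: true` to those two tasks. A smaller point: `b64decode` of the slurped file keeps the trailing newline from `wg genkey`, and the rendered `PrivateKey=` line is only clean because of the `{%-` on the following line, so `| b64decode | trim` would make that independent of whitespace control.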