From 41fe17ca222da77fb860374adc915a4ca3b2c573 Mon Sep 17 00:00:00 2001
From: Trygve Laugstøl
Date: Thu, 27 Dec 2018 23:31:35 +0100
Subject: wireguard: wip.
---
 ansible/roles/wireguard/defaults/main.yml | 1 +
 ansible/roles/wireguard/handlers/main.yml | 5 ++
 ansible/roles/wireguard/tasks/main.yml | 128 ++++++++++++++++++++++++++++++
 3 files changed, 134 insertions(+)
 create mode 100644 ansible/roles/wireguard/defaults/main.yml
 create mode 100644 ansible/roles/wireguard/handlers/main.yml
 create mode 100644 ansible/roles/wireguard/tasks/main.yml
(limited to 'ansible/roles/wireguard')
diff --git a/ansible/roles/wireguard/defaults/main.yml b/ansible/roles/wireguard/defaults/main.yml
new file mode 100644
index 0000000..62705a7
--- /dev/null
+++ b/ansible/roles/wireguard/defaults/main.yml
@@ -0,0 +1 @@
+wireguard__role: client
diff --git a/ansible/roles/wireguard/handlers/main.yml b/ansible/roles/wireguard/handlers/main.yml
new file mode 100644
index 0000000..f0170dd
--- /dev/null
+++ b/ansible/roles/wireguard/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: systemctl restart systemd-networkd
+ become: yes
+ systemd:
+ name: systemd-networkd
+ state: restarted
diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..197d54a
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/main.yml
@@ -0,0 +1,128 @@
+- tags:
+ - wireguard
+ become: yes
+ block:
+ - name: Install packages
+ apt:
+ name: "{{ items }}"
+ install_recommends: no
+ vars:
+ items:
+ - wireguard
+ - "{{ 'linux-headers-amd64' if ansible_architecture == 'x86_64' else 'linux-headers-686' }}"
+
+ - name: systemctl enable systemd-networkd
+ systemd:
+ name: systemd-networkd
+ enabled: yes
+ state: started
+
+ - name: mkdir /etc/wireguard
+ file:
+ path: /etc/wireguard
+ state: directory
+ - name: wg genkey /etc/wireguard/private.key
+ shell: wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
+ args:
+ creates: /etc/wireguard/private.key
+ register: wg_private_key
+
+ - when: wg_private_key.changed
+ fetch:
+ src: "/etc/wireguard/public.key"
+ dest: "files"
+
+ - name: Make /etc/systemd/network/60-wg-XXX.netdev (Client)
+ when: wireguard__role == 'client'
+ notify: systemctl restart systemd-networkd
+ tags: wireguard-config
+ copy:
+ dest: /etc/systemd/network/60-wg-{{ wireguard__net_id }}.netdev
+ content: |
+ [NetDev]
+ Name=wg-{{ wireguard__net_id }}
+ Kind=wireguard
+ Description=Net id: {{ wireguard__net_id }}
+
+ [WireGuard]
+ PrivateKey={{ lookup('file', ansible_hostname + '/etc/wireguard/public.key') }}
+ ListenPort={{ wireguard__listen_port }}
+
+ [WireGuardPeer]
+ PublicKey={{ lookup('file', wireguard__server.ansible_hostname + '/etc/wireguard/public.key') }}
+ AllowedIPs=0.0.0.0/0
+ AllowedIPs=::/0
+ Endpoint={{ wireguard__server.hostname }}:{{ wireguard__listen_port }}
+
+ - name: Make /etc/systemd/network/60-wg-XXX.netdev (Server)
+ when: wireguard__role == 'server'
+ notify: systemctl restart systemd-networkd
+ tags: wireguard-config
+ copy:
+ dest: /etc/systemd/network/60-wg-{{ wireguard__net_id }}.netdev
+ content: |
+ [NetDev]
+ Name=wg-{{ wireguard__net_id }}
+ Kind=wireguard
+ Description=Net id: {{ wireguard__net_id }}
+
+ [WireGuard]
+ PrivateKey={{ lookup('file', ansible_hostname + '/etc/wireguard/public.key') }}
+ ListenPort={{ 
wireguard__listen_port }}
+
+ {% for c in wireguard__clients %}
+ {% set client = wireguard__clients[c] %}
+ # Client: {{ c }}
+ {% if client.state == 'present' %}
+ [WireGuardPeer]
+ PublicKey={{ lookup('file', c + '/etc/wireguard/public.key') }}
+ AllowedIPs=0.0.0.0/0
+ # AllowedIPs={{ client.ipv4 }}
+ AllowedIPs=::/0
+ {% else %}
+ # absent
+ {% endif %}
+
+ {% endfor %}
+
+ - name: rm /etc/systemd/network/60-wg-XXX.network
+ tags: wireguard-config
+ file:
+ path: /etc/systemd/network/60-wg-{{ wireguard__net_id }}.network
+ state: absent
+
+ - name: Make /etc/systemd/network/61-wg-XXX.network (Client)
+ when: wireguard__role == 'client'
+ tags: wireguard-config
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: /etc/systemd/network/61-wg-{{ wireguard__net_id }}.network
+ content: |
+ [Match]
+ Name=wg-{{ wireguard__net_id }}
+
+ [Network]
+ Address={{ wireguard__clients[ansible_hostname].ipv4 }}/{{ wireguard__server.ipv4.prefix }}
+ # Address= TODO ipv6
+
+ - name: Make /etc/systemd/network/61-wg-XXX.network (Server)
+ when: wireguard__role == 'server'
+ tags: wireguard-config
+ notify: systemctl restart systemd-networkd
+ copy:
+ dest: /etc/systemd/network/61-wg-{{ wireguard__net_id }}.network
+ content: |
+ [Match]
+ Name=wg-{{ wireguard__net_id }}
+
+ [Network]
+ Address={{ wireguard__server.ipv4.address }}/{{ wireguard__server.ipv4.prefix }}
+ # Address= TODO ipv6
+
+ - name: UFW enable
+ when: wireguard__role == 'server'
+ tags: wireguard-config
+ ufw:
+ rule: allow
+ port: "{{ wireguard__listen_port }}"
+ proto: tcp
-- cgit v1.2.3
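Review bot: Both `60-wg-XXX.netdev` tasks set `PrivateKey=` from `lookup('file', ... '/etc/wireguard/public.key')`, so the interface is configured with the host's public key and no handshake can succeed; and since only `public.key` is fetched to the controller, the private key cannot be inlined from there anyway. Point the unit at the on-host file instead, `PrivateKeyFile=/etc/wireguard/private.key` (supported by systemd-networkd from v242, I believe; on older systemd the key would have to be slurped from the target and the .netdev written `0640 root:systemd-network`, which the systemd.netdev man page recommends for an inline `PrivateKey=` regardless). The key material is also created with the default umask and no `mode:` on `/etc/wireguard` or the netdev, so `private.key` is very likely world-readable; run the genkey pipeline under `umask 077` and restrict the directory and key to root plus the `systemd-network` user networkd runs as. Separately, the server peer stanza gives every client `AllowedIPs=0.0.0.0/0`; on the server side AllowedIPs is the cryptokey source filter, so any client may spoof any tunnel address and only the last-listed peer receives return traffic — the commented-out `AllowedIPs={{ client.ipv4 }}/32` is the value to use. The `ufw` task allows `proto: tcp`, but WireGuard speaks only UDP, so that rule never admits tunnel traffic; change it to `proto: udp`.
```yaml
    - name: mkdir /etc/wireguard
      file:
        path: /etc/wireguard
        state: directory
        owner: root
        group: systemd-network
        mode: "0750"

    - name: wg genkey /etc/wireguard/private.key
      shell: umask 077 && wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
      args:
        creates: /etc/wireguard/private.key
      register: wg_private_key

    - name: restrict private.key to root and the systemd-network reader
      file:
        path: /etc/wireguard/private.key
        owner: root
        group: systemd-network
        mode: "0640"

    # … unchanged: fetch of public.key …

    - name: Make /etc/systemd/network/60-wg-XXX.netdev (Client)
      # … unchanged: when / notify / tags …
      copy:
        dest: /etc/systemd/network/60-wg-{{ wireguard__net_id }}.netdev
        owner: root
        group: systemd-network
        mode: "0640"
        content: |
          # … unchanged: [NetDev] section …

          [WireGuard]
          PrivateKeyFile=/etc/wireguard/private.key
          ListenPort={{ wireguard__listen_port }}
          # … unchanged: [WireGuardPeer] section …

    # … same PrivateKeyFile= / mode change in the (Server) netdev task; per-client peer:
          [WireGuardPeer]
          PublicKey={{ lookup('file', c + '/etc/wireguard/public.key') }}
          AllowedIPs={{ client.ipv4 }}/32

    # … unchanged: .network tasks …

    - name: UFW enable
      when: wireguard__role == 'server'
      tags: wireguard-config
      ufw:
        rule: allow
        port: "{{ wireguard__listen_port }}"
        proto: udp
```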