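---
# WireGuard over systemd-networkd: one "server" host and N "client" hosts.
# Variables are defined outside this file; from their use below they appear to be:
#   wireguard__role          'server' | 'client'
#   wireguard__net_id        suffix for the wg-<id> interface / unit file names
#   wireguard__listen_port   UDP port used by server and clients
#   wireguard__server        mapping with .ansible_hostname, .hostname, .ipv4.address, .ipv4.prefix
#   wireguard__clients       mapping hostname -> {state: present|absent, ipv4: <bare address>}
# Public keys are fetched to files/<hostname>/etc/wireguard/public.key on the controller and
# read back with lookup('file', ...); the lookup path is resolved relative to the role's files/
# or the playbook dir — confirm that "files" here matches that layout.
- tags:
    - wireguard
  become: true
  block:
    - name: Install packages
      apt:
        name: "{{ items }}"
        install_recommends: false
      vars:
        items:
          - wireguard
          # Headers are presumably needed for the out-of-tree (dkms) module build.
          - "{{ 'linux-headers-amd64' if ansible_architecture == 'x86_64' else 'linux-headers-686' }}"

    - name: systemctl enable systemd-networkd
      systemd:
        name: systemd-networkd
        enabled: true
        state: started

    # systemd-networkd runs as the unprivileged systemd-network user and must be able to
    # traverse this directory to read the private key via PrivateKeyFile= (see below).
    - name: mkdir /etc/wireguard
      file:
        path: /etc/wireguard
        state: directory
        owner: root
        group: systemd-network
        mode: "0750"

    # umask 077 so the key pair is never world-readable, not even briefly; pipefail so a
    # failing `wg genkey` cannot leave an empty private.key that `creates:` then treats as
    # done on every later run. pipefail needs bash (Debian's /bin/sh is dash).
    - name: wg genkey /etc/wireguard/private.key
      shell: umask 077 && set -o pipefail && wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
      args:
        creates: /etc/wireguard/private.key
        executable: /bin/bash
      register: wg_private_key

    # Readable by root and the systemd-network group only. The private key never leaves
    # the host; only public.key is fetched.
    - name: chmod 0640 root:systemd-network /etc/wireguard/private.key
      file:
        path: /etc/wireguard/private.key
        owner: root
        group: systemd-network
        mode: "0640"

    # Fetch unconditionally (fetch is idempotent) so a fresh controller checkout repopulates
    # files/ for the lookup()s below; gating on wg_private_key.changed skipped this whenever
    # the key already existed. flat: true pins the path to ansible_hostname, which is what
    # the lookups use (the default layout would be keyed on inventory_hostname instead).
    - name: Fetch public key to files/<hostname>/etc/wireguard/public.key
      fetch:
        src: /etc/wireguard/public.key
        dest: "files/{{ ansible_hostname }}/etc/wireguard/public.key"
        flat: true

    # PrivateKey= previously pointed lookup('file', ...) at this host's *public* key, so the
    # interface could never have the right secret. PrivateKeyFile= (systemd >= 242) reads
    # the key on the host, so it is neither copied to the controller nor inlined here.
    - name: Make /etc/systemd/network/60-wg-XXX.netdev (Client)
      when: wireguard__role == 'client'
      notify: systemctl restart systemd-networkd
      tags: wireguard-config
      copy:
        dest: "/etc/systemd/network/60-wg-{{ wireguard__net_id }}.netdev"
        content: |
          [NetDev]
          Name=wg-{{ wireguard__net_id }}
          Kind=wireguard
          Description=Net id: {{ wireguard__net_id }}

          [WireGuard]
          PrivateKeyFile=/etc/wireguard/private.key
          ListenPort={{ wireguard__listen_port }}

          [WireGuardPeer]
          PublicKey={{ lookup('file', wireguard__server.ansible_hostname + '/etc/wireguard/public.key') }}
          AllowedIPs=0.0.0.0/0
          AllowedIPs=::/0
          Endpoint={{ wireguard__server.hostname }}:{{ wireguard__listen_port }}

    # Same PrivateKeyFile= fix as the client netdev. Per-peer AllowedIPs is WireGuard's
    # cryptokey routing table and source-address filter: 0.0.0.0/0 on every peer lets the
    # last peer listed claim all traffic and lets any client spoof another client's
    # address, so each peer is restricted to its own /32.
    - name: Make /etc/systemd/network/60-wg-XXX.netdev (Server)
      when: wireguard__role == 'server'
      notify: systemctl restart systemd-networkd
      tags: wireguard-config
      copy:
        dest: "/etc/systemd/network/60-wg-{{ wireguard__net_id }}.netdev"
        content: |
          [NetDev]
          Name=wg-{{ wireguard__net_id }}
          Kind=wireguard
          Description=Net id: {{ wireguard__net_id }}

          [WireGuard]
          PrivateKeyFile=/etc/wireguard/private.key
          ListenPort={{ wireguard__listen_port }}
          {% for c in wireguard__clients %}
          {% set client = wireguard__clients[c] %}
          # Client: {{ c }}
          {% if client.state == 'present' %}

          [WireGuardPeer]
          PublicKey={{ lookup('file', c + '/etc/wireguard/public.key') }}
          AllowedIPs={{ client.ipv4 }}/32
          # TODO ipv6: add AllowedIPs=<client v6>/128 once v6 addresses are assigned
          {% else %}
          # absent
          {% endif %}
          {% endfor %}

    # Old unit name from an earlier layout; 61-wg-XXX.network replaces it below.
    - name: rm /etc/systemd/network/60-wg-XXX.network
      tags: wireguard-config
      file:
        path: "/etc/systemd/network/60-wg-{{ wireguard__net_id }}.network"
        state: absent

    - name: Make /etc/systemd/network/61-wg-XXX.network (Client)
      when: wireguard__role == 'client'
      tags: wireguard-config
      notify: systemctl restart systemd-networkd
      copy:
        dest: "/etc/systemd/network/61-wg-{{ wireguard__net_id }}.network"
        content: |
          [Match]
          Name=wg-{{ wireguard__net_id }}

          [Network]
          Address={{ wireguard__clients[ansible_hostname].ipv4 }}/{{ wireguard__server.ipv4.prefix }}
          # Address= TODO ipv6

    - name: Make /etc/systemd/network/61-wg-XXX.network (Server)
      when: wireguard__role == 'server'
      tags: wireguard-config
      notify: systemctl restart systemd-networkd
      copy:
        dest: "/etc/systemd/network/61-wg-{{ wireguard__net_id }}.network"
        content: |
          [Match]
          Name=wg-{{ wireguard__net_id }}

          [Network]
          Address={{ wireguard__server.ipv4.address }}/{{ wireguard__server.ipv4.prefix }}
          # Address= TODO ipv6

    # WireGuard is UDP-only; the previous tcp rule left the tunnel port blocked by ufw.
    - name: UFW enable
      when: wireguard__role == 'server'
      tags: wireguard-config
      ufw:
        rule: allow
        port: "{{ wireguard__listen_port }}"
        proto: udp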