set up role for wireguard connections
This commit is contained in:
parent
39a531cf87
commit
6c77886916
GPG key ID:
21FD3D77D56BAF49
9 changed files with 137 additions and 0 deletions
19
inventory/external.yml
Normal file
19
inventory/external.yml
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
pearl:
|
||||
hosts:
|
||||
"157.90.125.225":
|
||||
ansible_ssh_port: 2222
|
||||
debian_version: "trixie"
|
||||
btrfs_uuid: "e51a43f8-d131-4c64-8bce-a206e5621483"
|
||||
nas:
|
||||
hosts:
|
||||
"213.119.99.214":
|
||||
ansible_ssh_port: 2223
|
||||
static_ip: "192.168.0.3"
|
||||
boomhut:
|
||||
hosts:
|
||||
"51.254.128.104":
|
||||
ansible_ssh_port: 2222
|
||||
emma:
|
||||
hosts:
|
||||
"78.22.233.14":
|
||||
ansible_ssh_port: 2222
|
||||
4
inventory/host_vars/157.90.125.225/vars.yml
Normal file
4
inventory/host_vars/157.90.125.225/vars.yml
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
wireguard_address: "10.0.0.2/24"
|
||||
wireguard_peers:
|
||||
- "78.22.233.14"
|
||||
4
inventory/host_vars/51.254.128.104/vars.yml
Normal file
4
inventory/host_vars/51.254.128.104/vars.yml
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
wireguard_address: "10.0.0.3/24"
|
||||
wireguard_peers:
|
||||
- "78.22.233.14"
|
||||
5
inventory/host_vars/78.22.233.14/vars.yml
Normal file
5
inventory/host_vars/78.22.233.14/vars.yml
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
wireguard_address: "10.0.0.1/24"
|
||||
wireguard_peers:
|
||||
- "157.90.125.225"
|
||||
- "51.254.128.104"
|
||||
6
plays/wireguard.yml
Normal file
6
plays/wireguard.yml
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
- name: Set up WireGuard connections
|
||||
hosts: emma:pearl:boomhut
|
||||
become: true
|
||||
roles:
|
||||
- any.tools.wireguard
|
||||
5
roles/any.tools.wireguard/defaults/main.yml
Normal file
5
roles/any.tools.wireguard/defaults/main.yml
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
wireguard_port: 51820
|
||||
wireguard_interface: wg0
|
||||
wireguard_keepalive: 25
|
||||
wireguard_peers: "{{ ansible_play_hosts }}"
|
||||
5
roles/any.tools.wireguard/handlers/main.yml
Normal file
5
roles/any.tools.wireguard/handlers/main.yml
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: restart wg-quick
|
||||
ansible.builtin.service:
|
||||
name: "wg-quick@{{ wireguard_interface }}"
|
||||
state: restarted
|
||||
73
roles/any.tools.wireguard/tasks/main.yml
Normal file
73
roles/any.tools.wireguard/tasks/main.yml
Normal file
|
|
@ -0,0 +1,73 @@
|
|||
---
|
||||
- name: Ensure WireGuard is installed
|
||||
ansible.builtin.apt:
|
||||
name: wireguard
|
||||
state: present
|
||||
|
||||
- name: Ensure /etc/wireguard directory exists
|
||||
ansible.builtin.file:
|
||||
path: /etc/wireguard
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: "700"
|
||||
|
||||
- name: Check if private key already exists
|
||||
ansible.builtin.stat:
|
||||
path: /etc/wireguard/private_key
|
||||
register: wireguard_private_key_file
|
||||
|
||||
- name: Generate WireGuard private key
|
||||
ansible.builtin.shell: wg genkey > /etc/wireguard/private_key
|
||||
when: not wireguard_private_key_file.stat.exists
|
||||
|
||||
- name: Set permissions on private key
|
||||
ansible.builtin.file:
|
||||
path: /etc/wireguard/private_key
|
||||
owner: root
|
||||
group: root
|
||||
mode: "600"
|
||||
|
||||
- name: Derive and write WireGuard public key from private key
|
||||
ansible.builtin.shell: wg pubkey < /etc/wireguard/private_key > /etc/wireguard/public_key
|
||||
changed_when: false
|
||||
|
||||
- name: Set permissions on public key
|
||||
ansible.builtin.file:
|
||||
path: /etc/wireguard/public_key
|
||||
owner: root
|
||||
group: root
|
||||
mode: "644"
|
||||
|
||||
- name: Read WireGuard private key
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/wireguard/private_key
|
||||
register: wireguard_private_key_b64
|
||||
|
||||
- name: Set WireGuard private key fact
|
||||
ansible.builtin.set_fact:
|
||||
wireguard_private_key: "{{ wireguard_private_key_b64.content | b64decode | trim }}"
|
||||
|
||||
- name: Read WireGuard public key
|
||||
ansible.builtin.slurp:
|
||||
src: /etc/wireguard/public_key
|
||||
register: wireguard_public_key_b64
|
||||
|
||||
- name: Set WireGuard public key fact
|
||||
ansible.builtin.set_fact:
|
||||
wireguard_public_key: "{{ wireguard_public_key_b64.content | b64decode | trim }}"
|
||||
|
||||
- name: Deploy WireGuard interface config
|
||||
ansible.builtin.template:
|
||||
src: wg0.conf.j2
|
||||
dest: "/etc/wireguard/{{ wireguard_interface }}.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "600"
|
||||
notify: restart wg-quick
|
||||
|
||||
- name: Enable and start wg-quick service
|
||||
ansible.builtin.service:
|
||||
name: "wg-quick@{{ wireguard_interface }}"
|
||||
state: started
|
||||
enabled: true
|
||||
16
roles/any.tools.wireguard/templates/wg0.conf.j2
Normal file
16
roles/any.tools.wireguard/templates/wg0.conf.j2
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
[Interface]
|
||||
Address = {{ wireguard_address }}
|
||||
PrivateKey = {{ wireguard_private_key }}
|
||||
ListenPort = {{ wireguard_port }}
|
||||
|
||||
{% for host in wireguard_peers %}
|
||||
{% if host != inventory_hostname %}
|
||||
[Peer]
|
||||
# {{ host }}
|
||||
PublicKey = {{ hostvars[host]['wireguard_public_key'] }}
|
||||
AllowedIPs = {{ hostvars[host]['wireguard_address'].split('/')[0] }}/32
|
||||
Endpoint = {{ hostvars[host]['ansible_host'] | default(host) }}:{{ hostvars[host]['wireguard_port'] | default(wireguard_port) }}
|
||||
PersistentKeepalive = {{ wireguard_keepalive }}
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
Loading…
Add table
Add a link
Reference in a new issue