author | Tharre <tharre3@gmail.com> | 2019-02-19 05:45:25 +0100 |
---|---|---|
committer | Tharre <tharre3@gmail.com> | 2019-02-19 05:45:30 +0100 |
commit | b6d02e11cc8ac63ce717f1a9be092f1f541745b6 (patch) | |
tree | e999059e1eefd7d05c7040a8581187cad8be5dd6 | |
parent | cbd109adc0822485431fa64e4d552facf05ad02b (diff) | |
Add WireGuard role
-rw-r--r-- | ansible.cfg | 2 | ||||
-rw-r--r-- | group_vars/all/wireguard.yml | 42 | ||||
-rwxr-xr-x | pass-client | 13 | ||||
-rw-r--r-- | playbooks/nyarlathotep.yml | 1 | ||||
-rw-r--r-- | roles/wireguard/defaults/main.yml | 23 | ||||
-rw-r--r-- | roles/wireguard/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/wireguard/tasks/main.yml | 57 | ||||
-rw-r--r-- | roles/wireguard/templates/wg.conf.j2 | 37 |
8 files changed, 181 insertions, 0 deletions
diff --git a/ansible.cfg b/ansible.cfg
index ce3e733..2587357 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -3,6 +3,8 @@ inventory = hosts
 roles_path = roles
 deprecation_warnings = False
 retry_files_enabled = False
+vault_password_file = pass-client
+vault_identity = "ansible/infrastructure"
 [ssh_connection]
 pipelining = True
diff --git a/group_vars/all/wireguard.yml b/group_vars/all/wireguard.yml
new file mode 100644
index 0000000..33b9c8c
--- /dev/null
+++ b/group_vars/all/wireguard.yml
@@ -0,0 +1,42 @@
+$ANSIBLE_VAULT;1.2;AES256;ansible/infrastructure
+32346630626561366335376561393666383830663433666335376366326236643739386434643266
+3135316261373535616530626537366334386563346166640a333964616639366333633439343239
+38353561633563333636646233633662383362646131663866663738666134616366343561333463
+3866376537666462350a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
diff --git a/pass-client b/pass-client
new file mode 100755
index 0000000..9461875
--- /dev/null
+++ b/pass-client
@@ -0,0 +1,13 @@
+#!/usr/bin/python
+
+# NOTE: this file must end with "-client", as otherwise ansible won't pass the
+# --vault-id argument to us.
+
+from subprocess import call
+import argparse
+
+parser = argparse.ArgumentParser()
+parser.add_argument('--vault-id', dest='vault_id', required=True)
+args = parser.parse_args()
+
+call(["pass", args.vault_id])
diff --git a/playbooks/nyarlathotep.yml b/playbooks/nyarlathotep.yml
index b5a971b..3887662 100644
--- a/playbooks/nyarlathotep.yml
+++ b/playbooks/nyarlathotep.yml
@@ -10,3 +10,4 @@
 - { role: grokmirror, tags: ['git'] }
 - { role: cgit, tags: ['cgit'] }
 - { role: jenkins, tags: ['jenkins'] }
+ - { role: wireguard, tags: ['wireguard'] }
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
new file mode 100644
index 0000000..62ba4f8
--- /dev/null
+++ b/roles/wireguard/defaults/main.yml
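Review bot: The exit status of `pass` is discarded on the last line of pass-client — `call()` returns it, but the script always exits 0 — so when the password store is locked or the entry is missing, Ansible receives an empty password and only fails later at decryption with a misleading error. Ansible, as far as I recall, treats a non-zero exit from a vault password script as an error and quotes the script's stderr, so propagating the status gives a clear failure: `sys.exit(call(["pass", args.vault_id]))` together with `import sys`. Ansible also appears to take the script's whole stdout (minus trailing newlines) as the password, so if the `pass` entry ever gains extra metadata lines the secret would silently be wrong; printing only the first line of the entry would be safer, and a sentence in the NOTE comment stating that the entry must be a single line documents the assumption.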
@@ -0,0 +1,23 @@
+---
+
+# wireguard:
+# - name: wg2server
+# address: ["10.192.122.1/24", "10.10.0.1/16"]
+# dns: "10.200.100.1"
+# port: 51821
+# # privateKey: "JWlx3sQGTulvLOUbgyM6Ufp+rLTd93swWEuIfEAbzhg="
+# preUp:
+# preDown:
+# postUp: "iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE"
+# postDown: "iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE"
+# fwmark: 0
+# peers:
+# - publicKey: "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="
+# presharedKey: "/UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak="
+# allowedIPs: "10.192.122.3/32"
+# endpoint:
+# persistentKeepalive: 0
+# - publicKey: "TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0="
+# allowedIPs: "10.192.122.4/32"
+# - publicKey: "gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA="
+# allowedIPs: "10.10.10.230/32"
diff --git a/roles/wireguard/handlers/main.yml b/roles/wireguard/handlers/main.yml
new file mode 100644
index 0000000..6bca6b9
--- /dev/null
+++ b/roles/wireguard/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart wireguard
+ service: name=wg-quick@{{ item.item.name }}.service state=restarted
+ with_items: "{{ wireguard_changed.results }}"
+ no_log: true
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..8351797
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
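Review bot: roles/wireguard/defaults/main.yml is entirely a comment, so the role defines no `wireguard` variable at all; on a host whose group_vars do not set it, the loops in tasks/main.yml (`with_items: "{{ wireguard }}"`) fail with an undefined variable instead of doing nothing. Declaring `wireguard: []` here as a real default makes the role a no-op when unconfigured and keeps the example block as documentation. The comment would be more useful if it stated which keys the template dereferences unconditionally — `name`, `address`, `port`, `peers`, and per peer `publicKey` and `allowedIPs` — versus the optional ones it guards with `is defined`, and if the sample key strings were labelled as placeholders so nobody copies them into a real config.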
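Review bot: The handler restarts `wg-quick@<name>` for every entry in `wireguard_changed.results`, not only for the interfaces whose config file actually changed, so editing one interface bounces every tunnel on the host; adding `when: item.changed` to the handler limits the restart to results where the template task reported a change. The handler also drives the unit through the `service` module in key=value form while tasks/main.yml manages the same units with `systemd:` in YAML form — using one module and one style in both places avoids two code paths for the same unit. `no_log: true` is right here, since each result's `item` carries the private key.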
@@ -0,0 +1,57 @@
+---
+
+- name: Install WireGuard
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - wireguard-lts
+ - wireguard-tools
+
+- name: Ensure /etc/wireguard exists
+ file:
+ path: "/etc/wireguard"
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Generate private key(s)
+ shell: 'wg genkey'
+ register: wireguard_keys
+ when: item.privateKey is not defined
+ no_log: true
+ with_items: "{{ wireguard }}"
+
+- name: Set private key(s)
+ set_fact:
+ wireguard: "{{ [wireguard|combine(
+ item|combine({'privateKey': wireguard_keys.results[index].stdout})
+ )] }}"
+ when: item.privateKey is not defined
+ no_log: true
+ loop: "{{ wireguard }}"
+ loop_control:
+ index_var: index
+
+- name: Install configuration files
+ template:
+ src: wg.conf.j2
+ dest: "/etc/wireguard/{{ item.name }}.conf"
+ owner: root
+ group: root
+ mode: 0600
+ with_items: "{{ wireguard }}"
+ register: wireguard_changed
+ no_log: true
+ notify:
+ - restart wireguard
+
+- name: Start and enable wireguard service
+ systemd:
+ name: "wg-quick@{{ item.name }}.service"
+ daemon-reload: yes
+ state: started
+ enabled: True
+ no_log: true
+ with_items: "{{ wireguard }}"
diff --git a/roles/wireguard/templates/wg.conf.j2 b/roles/wireguard/templates/wg.conf.j2
new file mode 100644
index 0000000..bac19a9
--- /dev/null
+++ b/roles/wireguard/templates/wg.conf.j2
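Review bot: `shell: 'wg genkey'` in the "Generate private key(s)" task produces a fresh key on every run and nothing persists it outside the rendered config, so an interface without a vaulted `privateKey` gets a new private key on each play, the template task reports changed, the handler restarts the unit, and every peer's copy of its public key is stale until redistributed. Writing the key once to a root-only file under /etc/wireguard guarded by `creates:` and reading it back with `slurp` makes the step idempotent and keeps the key stable across runs, as below. Separately, the `set_fact` expression `[wireguard|combine(...)]` wraps one merged mapping in a one-element list; with more than one entry in `wireguard` this, as far as I can tell, either fails in `combine` or collapses the entries into one, so it only works for a single-interface host — accumulating into a separate list (entries that already carry a key appended unchanged) and assigning it back after the loop would cover the general case. Both tasks correctly keep `no_log: true`, since the registered results carry key material.
```yaml
- name: Generate private key(s)
  shell: 'umask 077 && wg genkey > /etc/wireguard/{{ item.name }}.key'
  args:
    creates: "/etc/wireguard/{{ item.name }}.key"
  when: item.privateKey is not defined
  no_log: true
  with_items: "{{ wireguard }}"

- name: Read private key(s)
  slurp:
    src: "/etc/wireguard/{{ item.name }}.key"
  register: wireguard_keys
  when: item.privateKey is not defined
  no_log: true
  with_items: "{{ wireguard }}"

- name: Set private key(s)
  set_fact:
    wireguard: "{{ [wireguard|combine(
                   item|combine({'privateKey': wireguard_keys.results[index].content|b64decode|trim})
                 )] }}"
  # … unchanged: when / no_log / loop / loop_control …
```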
@@ -0,0 +1,37 @@
+[Interface]
+{% for addr in item.address %}
+Address = {{ addr }}
+{% endfor %}
+{% if item.dns is defined %}
+DNS = {{ item.dns }}
+{% endif %}
+{% if item.preUp is defined %}
+PreUp = {{ item.preUp }}
+{% endif %}
+{% if item.preDown is defined %}
+PreDown = {{ item.preDown }}
+{% endif %}
+{% if item.postUp is defined %}
+PostUp = {{ item.postUp }}
+{% endif %}
+{% if item.postDown is defined %}
+PostDown = {{ item.postDown }}
+{% endif %}
+ListenPort = {{ item.port }}
+PrivateKey = {{ item.privateKey }}
+{% if item.fwmark is defined %}
+Fwmark = {{ item.fwmark }}
+{% endif %}
+
+{% for peer in item.peers %}
+[Peer]
+PublicKey = {{ peer.publicKey }}
+{% if peer.presharedKey is defined %}
+PresharedKey = {{ peer.presharedKey }}
+{% endif %}
+AllowedIPs = {{ peer.allowedIPs }}
+{% if peer.persistentKeepalive is defined %}
+PersistentKeepalive = {{ peer.persistentKeepalive }}
+{% endif %}
+
+{% endfor %} |
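Review bot: The `[Peer]` block never emits `Endpoint`, although `endpoint:` is one of the peer keys the role's defaults/main.yml example documents; a peer that has to initiate the handshake (the client side, or a peer behind NAT) therefore cannot be expressed, and wg-quick will wait for the remote to connect first. Adding, next to the PresharedKey block, `{% if peer.endpoint is defined %}` / `Endpoint = {{ peer.endpoint }}` / `{% endif %}` fixes it. Minor: wg(8) documents the interface key as `FwMark`; the wireguard-tools parser matches keys case-insensitively as far as I know, but using the documented spelling avoids depending on that.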