Diffstat (limited to 'roles')
| -rw-r--r-- | roles/wireguard/defaults/main.yml | 23 | ||||
| -rw-r--r-- | roles/wireguard/handlers/main.yml | 6 | ||||
| -rw-r--r-- | roles/wireguard/tasks/main.yml | 57 | ||||
| -rw-r--r-- | roles/wireguard/templates/wg.conf.j2 | 37 | 
4 files changed, 123 insertions, 0 deletions
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
new file mode 100644
index 0000000..62ba4f8
--- /dev/null
+++ b/roles/wireguard/defaults/main.yml
@@ -0,0 +1,23 @@
+---
+
+# wireguard:
+#   - name: wg2server
+#     address: ["10.192.122.1/24", "10.10.0.1/16"]
+#     dns: "10.200.100.1"
+#     port: 51821
+#     # privateKey: "JWlx3sQGTulvLOUbgyM6Ufp+rLTd93swWEuIfEAbzhg="
+#     preUp:
+#     preDown:
+#     postUp: "iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE"
+#     postDown: "iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE"
+#     fwmark: 0
+#     peers:
+#       - publicKey: "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="
+#         presharedKey: "/UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak="
+#         allowedIPs: "10.192.122.3/32"
+#         endpoint:
+#         persistentKeepalive: 0
+#       - publicKey: "TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0="
+#         allowedIPs: "10.192.122.4/32"
+#       - publicKey: "gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA="
+#         allowedIPs: "10.10.10.230/32"
diff --git a/roles/wireguard/handlers/main.yml b/roles/wireguard/handlers/main.yml
new file mode 100644
index 0000000..6bca6b9
--- /dev/null
+++ b/roles/wireguard/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart wireguard
+  service: name=wg-quick@{{ item.item.name }}.service state=restarted
+  with_items: "{{ wireguard_changed.results }}"
+  no_log: true
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..8351797
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
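Review bot: Nothing in this file actually defines `wireguard` — the whole hunk is a commented example — so the role's `with_items: "{{ wireguard }}"` loops in tasks/main.yml fail with an undefined-variable error on any host that does not set it in inventory; adding `wireguard: []` under the example makes the role a safe no-op by default. The example also shows `privateKey` and `presharedKey` as plain strings in a file that lives in the repository; the values look like the wg(8) man-page samples, but operators copy the pattern, so a comment such as `# Keep privateKey/presharedKey in ansible-vault or encrypted host_vars, never in this file` is worth adding. It would also help to note that a `presharedKey` is generated with `wg genpsk` and must be unique per peer, since reusing one across peers removes the post-quantum protection it is meant to add.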
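Review bot: The handler restarts every `wg-quick@` unit listed in `wireguard_changed.results`, not only the interfaces whose config file actually changed, because `results` carries one entry per item regardless of outcome; editing one tunnel therefore bounces all of them. A `when: item.changed | default(false)` on the handler fixes that, or better, loop over `"{{ wireguard_changed.results | selectattr('changed') | map(attribute='item.name') | list }}"` and use `name: "wg-quick@{{ item }}.service"` so the loop variable is only the interface name — then `no_log: true`, which is needed here only because `item.item` carries the private key, can be dropped and restart failures become visible again. While touching the line, prefer block YAML for the module arguments over the `name=... state=...` shorthand.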
@@ -0,0 +1,57 @@
+---
+
+- name: Install WireGuard
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - wireguard-lts
+    - wireguard-tools
+
+- name: Ensure /etc/wireguard exists
+  file:
+    path: "/etc/wireguard"
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: Generate private key(s)
+  shell: 'wg genkey'
+  register: wireguard_keys
+  when: item.privateKey is not defined
+  no_log: true
+  with_items: "{{ wireguard }}"
+
+- name: Set private key(s)
+  set_fact:
+    wireguard: "{{ [wireguard|combine(
+      item|combine({'privateKey': wireguard_keys.results[index].stdout})
+    )] }}"
+  when: item.privateKey is not defined
+  no_log: true
+  loop: "{{ wireguard }}"
+  loop_control:
+    index_var: index
+
+- name: Install configuration files
+  template:
+    src: wg.conf.j2
+    dest: "/etc/wireguard/{{ item.name }}.conf"
+    owner: root
+    group: root
+    mode: 0600
+  with_items: "{{ wireguard }}"
+  register: wireguard_changed
+  no_log: true
+  notify:
+    - restart wireguard
+
+- name: Start and enable wireguard service
+  systemd:
+    name: "wg-quick@{{ item.name }}.service"
+    daemon-reload: yes
+    state: started
+    enabled: True
+  no_log: true
+  with_items: "{{ wireguard }}"
diff --git a/roles/wireguard/templates/wg.conf.j2 b/roles/wireguard/templates/wg.conf.j2
new file mode 100644
index 0000000..bac19a9
--- /dev/null
+++ b/roles/wireguard/templates/wg.conf.j2
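Review bot: `Generate private key(s)` runs `wg genkey` on every play for each interface without a `privateKey`, so the key is rotated on every run, the rendered config changes, the handler restarts the tunnel and every peer still configured with the previous public key is cut off. Persist the key on the host instead: write it once with `creates:` and `umask 077`, then `slurp` it back, which also keeps the secret out of `set_fact` (whose values are written to disk when fact caching is enabled — `no_log` does not cover that). The `Set private key(s)` expression also looks broken: `wireguard` is the list being looped over and `combine` accepts only mappings, so `wireguard|combine(...)` should raise on the first iteration, and even if it did not, each iteration replaces the list with a one-element list; accumulating into a second variable with `+ [item|combine(...)]` is the usual pattern. Note that `with_items` and `loop` are mixed between the two tasks and the `results[index]` lookup only lines up because skipped items still appear in `results`.

```yaml
- name: Generate private key(s)
  shell: "umask 077 && wg genkey > /etc/wireguard/{{ item.name }}.key"
  args:
    creates: "/etc/wireguard/{{ item.name }}.key"
  when: item.privateKey is not defined
  no_log: true
  with_items: "{{ wireguard }}"

- name: Read generated private key(s)
  slurp:
    src: "/etc/wireguard/{{ item.name }}.key"
  register: wireguard_keyfiles
  when: item.privateKey is not defined
  no_log: true
  with_items: "{{ wireguard }}"

- name: Set private key(s)
  set_fact:
    wireguard_with_keys: >-
      {{ (wireguard_with_keys | default([])) +
         [item if item.privateKey is defined else
          item | combine({'privateKey': wireguard_keyfiles.results[index].content | b64decode | trim})] }}
  no_log: true
  loop: "{{ wireguard }}"
  loop_control:
    index_var: index
# … unchanged: Install configuration files / Start and enable wireguard service, looping over wireguard_with_keys …
```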
@@ -0,0 +1,37 @@
+[Interface]
+{% for addr in item.address %}
+Address = {{ addr }}
+{% endfor %}
+{% if item.dns is defined %}
+DNS = {{ item.dns }}
+{% endif %}
+{% if item.preUp is defined %}
+PreUp = {{ item.preUp }}
+{% endif %}
+{% if item.preDown is defined %}
+PreDown = {{ item.preDown }}
+{% endif %}
+{% if item.postUp is defined %}
+PostUp = {{ item.postUp }}
+{% endif %}
+{% if item.postDown is defined %}
+PostDown = {{ item.postDown }}
+{% endif %}
+ListenPort = {{ item.port }}
+PrivateKey = {{ item.privateKey }}
+{% if item.fwmark is defined %}
+Fwmark = {{ item.fwmark }}
+{% endif %}
+
+{% for peer in item.peers %}
+[Peer]
+PublicKey = {{ peer.publicKey }}
+{% if peer.presharedKey is defined %}
+PresharedKey = {{ peer.presharedKey }}
+{% endif %}
+AllowedIPs = {{ peer.allowedIPs }}
+{% if peer.persistentKeepalive is defined %}
+PersistentKeepalive = {{ peer.persistentKeepalive }}
+{% endif %}
+
+{% endfor %}
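Review bot: The `[Peer]` block never emits `Endpoint`, although the defaults example documents an `endpoint:` key per peer, so a peer that is meant to initiate the handshake is rendered without one and the interface silently waits for the remote side to connect first. Add, next to the `PersistentKeepalive` guard, `{% if peer.endpoint is defined and peer.endpoint %}` / `Endpoint = {{ peer.endpoint }}` / `{% endif %}`; the truthiness test matters because the example leaves `endpoint:` empty, which `is defined` alone would render as `Endpoint = None` and make wg-quick reject the file. The same `is defined` pattern on `preUp`/`preDown` has the same weakness — the example lists them with no value, which would render `PreUp = None` and fail at `wg-quick up` — so either drop the empty keys from the example or use `is defined and item.preUp` here as well.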
