Diffstat (limited to 'roles/wireguard')
-rw-r--r--roles/wireguard/tasks/generate.yml55
-rw-r--r--roles/wireguard/tasks/main.yml9
-rw-r--r--roles/wireguard/tasks/set_facts.yml13
-rw-r--r--roles/wireguard/templates/dcontroller.conf.j219
-rw-r--r--roles/wireguard/templates/host.conf.j215
-rw-r--r--roles/wireguard/templates/hostname.tun0.j29
6 files changed, 120 insertions, 0 deletions
diff --git a/roles/wireguard/tasks/generate.yml b/roles/wireguard/tasks/generate.yml
new file mode 100644
index 0000000..e3264ef
--- /dev/null
+++ b/roles/wireguard/tasks/generate.yml
@@ -0,0 +1,55 @@
+
+# wireguard ~~ tasks/generate.yml
+
+- stat:
+ path: "{{ wg_host_keys }}"
+ register: stat_host_keys
+ delegate_to: localhost
+
+- name: Generate domain keys
+ shell: |
+ umask 077
+ wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}"
+ args:
+ chdir: "{{ wg_dir }}"
+ when: not stat_host_keys.stat.exists or force is defined and force
+ delegate_to: localhost
+
+- name: Create wireguard dir on remote host
+ file:
+ path: /etc/wireguard
+ owner: root
+ state: directory
+ mode: "0700"
+ ignore_unreachable: true
+
+- name: Generate client configuration
+ template:
+ src: templates/host.conf.j2
+ dest: "{{ item.path }}"
+ mode: "0600"
+ when: ansible_host != _i.dcontroller
+ delegate_to: "{{ item.name }}"
+ loop:
+ - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
+ - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+ ignore_unreachable: true
+ failed_when: 1 == 2
+
+- name: Generate server configuration
+ template:
+ src: templates/dcontroller.conf.j2
+ dest: "{{ item.path }}"
+ mode: "0600"
+ when: ansible_host == _i.dcontroller
+ delegate_to: "{{ item.name }}"
+ loop:
+ - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
+ - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+
+- name: Generate server interface
+ template:
+ src: templates/hostname.tun0.j2
+ dest: /etc/hostname.tun0
+ when: ansible_host == _i.dcontroller
+
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..be9e57c
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,9 @@
+
+# wireguard ~~ tasks/main.yml
+
+---
+
+- include: set_facts.yml
+
+- include: generate.yml
+
diff --git a/roles/wireguard/tasks/set_facts.yml b/roles/wireguard/tasks/set_facts.yml
new file mode 100644
index 0000000..933ca9d
--- /dev/null
+++ b/roles/wireguard/tasks/set_facts.yml
@@ -0,0 +1,13 @@
+
+# wireguard ~~ tasks/set_facts.yml
+
+---
+
+- set_fact:
+ wg_dir: "{{ inventory_dir}}/files/wireguard"
+
+- set_fact:
+ wg_dcontroller_conf: "{{ wg_dir }}/{{ _i.dcontroller }}.conf"
+ wg_dcontroller_keys: "{{ wg_dir }}/{{ _i.dcontroller }}.keys"
+ wg_host_conf: "{{ wg_dir }}/{{ ansible_host }}.conf"
+ wg_host_keys: "{{ wg_dir }}/{{ ansible_host }}.keys"
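Review bot: The two `set_fact` tasks are split for a non-obvious reason — keys within one `set_fact` are templated against the facts that existed before the task ran, so `wg_dcontroller_conf` could not reference `wg_dir` from the same task — and nothing says so; add a comment above the second task such as `# separate task on purpose: wg_dir must already be a fact before these paths can use it`. Giving both tasks a `name:` (e.g. `name: Derive wireguard paths`) would also make the play output readable. Both tasks assume `_i.dcontroller` is defined; whether the inventory guarantees `_i` is not visible here, so a short comment on where it comes from would help.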
diff --git a/roles/wireguard/templates/dcontroller.conf.j2 b/roles/wireguard/templates/dcontroller.conf.j2
new file mode 100644
index 0000000..c1fd887
--- /dev/null
+++ b/roles/wireguard/templates/dcontroller.conf.j2
@@ -0,0 +1,19 @@
+
+# wireguard client configuration ~~ /etc/wireguard/*.conf
+# managed by Ansible
+{% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %}
+
+[Interface]
+#Address = {{ ip.in }}, fd00::1/128
+ListenPort = 53
+PrivateKey = {{ dcontroller_keys[0] }}
+
+{% for host in groups["all"] if hostvars[host].ansible_host != _i.dcontroller %}
+{% set host = hostvars[host] %}
+{% set host_keys = lookup("file", wg_dir + "/" + host.ansible_host + ".keys").splitlines() %}
+# {{ host.ansible_host }}
+[Peer]
+PublicKey = {{ host_keys[1] }}
+AllowedIPs = {{ host.ip.in }}/32, fd00:10:10::{{ host.ip.in.split('.')[3] }}/128
+
+{% endfor %}
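Review bot: The header comment on the second line says `wireguard client configuration`, but this template renders the dcontroller (server) side — it sets `ListenPort` and emits one `[Peer]` block per non-controller host — so the comment is a copy of host.conf.j2's and misleads anyone reading the file under `/etc/wireguard`; change it to `# wireguard server (dcontroller) configuration ~~ /etc/wireguard/*.conf`. Inside the loop, `{% set host = hostvars[host] %}` rebinds the loop variable from an inventory name to the hostvars mapping, which Jinja allows but is easy to misread; a distinct name such as `{% set hv = hostvars[host] %}` avoids that. The `lookup("file", wg_dir + "/" + host.ansible_host + ".keys")` call aborts the whole template for any host whose key pair has not been generated yet (for instance a run limited to the controller); that is presumably acceptable but deserves a comment on the loop.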
diff --git a/roles/wireguard/templates/host.conf.j2 b/roles/wireguard/templates/host.conf.j2
new file mode 100644
index 0000000..c25d937
--- /dev/null
+++ b/roles/wireguard/templates/host.conf.j2
@@ -0,0 +1,15 @@
+
+# wireguard client configuration ~~ /etc/wireguard/*.conf
+# managed by Ansible
+{% set host_keys = lookup("file", wg_host_keys).splitlines() %}
+{% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %}
+
+[Interface]
+Address = {{ ip.in }}
+PrivateKey = {{ host_keys[0] }}
+
+[Peer]
+PublicKey = {{ dcontroller_keys[1] }}
+Endpoint = {{ hostvars[_i.dcontroller].ip.out }}:53
+AllowedIPs = 0.0.0.0/0, ::/0
+PersistentKeepalive = 25
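Review bot: The `:53` in the `Endpoint` line and `ListenPort = 53` in dcontroller.conf.j2 are the same value written twice with no shared variable, so changing the server's listen port silently breaks every client config rendered afterward; hoist it into a role variable (a constructed name such as `wg_port` in the role defaults) and render `Endpoint = {{ hostvars[_i.dcontroller].ip.out }}:{{ wg_port }}` here and `ListenPort = {{ wg_port }}` there. `AllowedIPs = 0.0.0.0/0, ::/0` sends all client traffic through the tunnel, which is presumably intended, but a one-line comment stating it (`# full tunnel: route all traffic via dcontroller`) would stop a future reader from narrowing it to the /24 used in hostname.tun0.j2.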
diff --git a/roles/wireguard/templates/hostname.tun0.j2 b/roles/wireguard/templates/hostname.tun0.j2
new file mode 100644
index 0000000..3903ccb
--- /dev/null
+++ b/roles/wireguard/templates/hostname.tun0.j2
@@ -0,0 +1,9 @@
+inet 10.10.0.1 255.255.255.0
+inet6 fd00:10:10::1
+!/usr/local/bin/wireguard-go -f tun0 &
+!/bin/sleep 2
+!/usr/local/bin/wg setconf tun0 /etc/wireguard/{{ _i.dcontroller }}.conf
+!/bin/sleep 2
+!/sbin/route add -inet 10.10.0.0/24 10.10.0.1
+!/bin/sleep 2
+!/sbin/route add -inet6 fd00:10:10::/64 fd00:10:10::1
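Review bot: `wg setconf tun0 /etc/wireguard/{{ _i.dcontroller }}.conf` names the config after the controller host, but the "Generate server configuration" task in generate.yml writes that host's config to the literal path `/etc/wireguard/dcontroller.conf`; unless `_i.dcontroller` happens to be the string `dcontroller`, tun0 comes up with no peers — either change this line to `!/usr/local/bin/wg setconf tun0 /etc/wireguard/dcontroller.conf` or make the task's `path:` use the same expression as here. The `sleep 2` lines between `wireguard-go -f tun0 &` and the following commands are a timing guess rather than a readiness check; if the interface takes longer to appear, the setconf and route commands fail at boot, so at minimum note the assumption with `# wait for wireguard-go to create tun0; no readiness hook available`.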