Diffstat (limited to 'roles/wireguard')
| -rw-r--r-- | roles/wireguard/tasks/generate.yml | 55 | ||||
| -rw-r--r-- | roles/wireguard/tasks/main.yml | 9 | ||||
| -rw-r--r-- | roles/wireguard/tasks/set_facts.yml | 13 | ||||
| -rw-r--r-- | roles/wireguard/templates/dcontroller.conf.j2 | 19 | ||||
| -rw-r--r-- | roles/wireguard/templates/host.conf.j2 | 15 | ||||
| -rw-r--r-- | roles/wireguard/templates/hostname.tun0.j2 | 9 | 
6 files changed, 120 insertions, 0 deletions
|
diff --git a/roles/wireguard/tasks/generate.yml b/roles/wireguard/tasks/generate.yml
new file mode 100644
index 0000000..e3264ef
--- /dev/null
+++ b/roles/wireguard/tasks/generate.yml
@@ -0,0 +1,55 @@
+
+# wireguard ~~ tasks/generate.yml
+
+- stat:
+    path: "{{ wg_host_keys }}"
+  register: stat_host_keys
+  delegate_to: localhost
+
+- name: Generate domain keys
+  shell: |
+    umask 077
+    wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}"
+  args:
+    chdir: "{{ wg_dir }}"
+  when: not stat_host_keys.stat.exists or force is defined and force
+  delegate_to: localhost
+
+- name: Create wireguard dir on remote host
+  file:
+    path: /etc/wireguard
+    owner: root
+    state: directory
+    mode: "0700"
+  ignore_unreachable: true
+
+- name: Generate client configuration
+  template:
+    src: templates/host.conf.j2
+    dest: "{{ item.path }}"
+    mode: "0600"
+  when: ansible_host != _i.dcontroller
+  delegate_to: "{{ item.name }}"
+  loop:
+    - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
+    - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+  ignore_unreachable: true
+  failed_when: 1 == 2
+
+- name: Generate server configuration
+  template:
+    src: templates/dcontroller.conf.j2
+    dest: "{{ item.path }}"
+    mode: "0600"
+  when: ansible_host == _i.dcontroller
+  delegate_to: "{{ item.name }}"
+  loop:
+    - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
+    - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+
+- name: Generate server interface
+  template:
+    src: templates/hostname.tun0.j2
+    dest: /etc/hostname.tun0
+  when: ansible_host == _i.dcontroller
+  
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..be9e57c
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
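Review bot: The key-generation pipeline in `Generate domain keys` writes `{{ wg_host_keys }}` before both commands are known to have succeeded, and the task's `when` only checks `stat_host_keys.stat.exists`, so a run where `wg genkey` fails or the pipeline is cut short can leave an empty or one-line keys file that every later run treats as valid and never regenerates (the pipeline's exit status is only that of `wg pubkey`). Generating into shell variables and writing the file only on success avoids that: `priv="$(wg genkey)" && pub="$(printf '%s\n' "$priv" | wg pubkey)" && printf '%s\n%s\n' "$priv" "$pub" > "{{ wg_host_keys }}"`, keeping the existing `umask 077` as the first line. Separately, `failed_when: 1 == 2` on `Generate client configuration` suppresses every failure of that task, including a template render error on the localhost item (for example when the file behind `wg_dcontroller_keys` does not exist yet), so a host can silently end up without a client config; `ignore_unreachable: true` already covers the unreachable-host case, so the `failed_when` line can simply be dropped.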
@@ -0,0 +1,9 @@
+
+# wireguard ~~ tasks/main.yml
+
+---
+
+- include: set_facts.yml
+
+- include: generate.yml
+
diff --git a/roles/wireguard/tasks/set_facts.yml b/roles/wireguard/tasks/set_facts.yml
new file mode 100644
index 0000000..933ca9d
--- /dev/null
+++ b/roles/wireguard/tasks/set_facts.yml
@@ -0,0 +1,13 @@
+
+# wireguard ~~ tasks/set_facts.yml
+
+---
+
+- set_fact:
+    wg_dir: "{{ inventory_dir}}/files/wireguard"
+
+- set_fact:
+    wg_dcontroller_conf: "{{ wg_dir }}/{{ _i.dcontroller }}.conf"
+    wg_dcontroller_keys: "{{ wg_dir }}/{{ _i.dcontroller }}.keys"
+    wg_host_conf: "{{ wg_dir }}/{{ ansible_host }}.conf"
+    wg_host_keys: "{{ wg_dir }}/{{ ansible_host }}.keys"
diff --git a/roles/wireguard/templates/dcontroller.conf.j2 b/roles/wireguard/templates/dcontroller.conf.j2
new file mode 100644
index 0000000..c1fd887
--- /dev/null
+++ b/roles/wireguard/templates/dcontroller.conf.j2
@@ -0,0 +1,19 @@
+
+# wireguard client configuration ~~ /etc/wireguard/*.conf
+# managed by Ansible
+{% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %}
+
+[Interface]
+#Address = {{ ip.in }}, fd00::1/128
+ListenPort = 53
+PrivateKey = {{ dcontroller_keys[0] }}
+
+{% for host in groups["all"] if hostvars[host].ansible_host != _i.dcontroller %}
+{% set host = hostvars[host] %}
+{% set host_keys = lookup("file", wg_dir + "/" + host.ansible_host + ".keys").splitlines() %}
+# {{ host.ansible_host }}
+[Peer]
+PublicKey = {{ host_keys[1] }}
+AllowedIPs = {{ host.ip.in }}/32, fd00:10:10::{{ host.ip.in.split('.')[3] }}/128
+
+{% endfor %}
diff --git a/roles/wireguard/templates/host.conf.j2 b/roles/wireguard/templates/host.conf.j2
new file mode 100644
index 0000000..c25d937
--- /dev/null
+++ b/roles/wireguard/templates/host.conf.j2
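Review bot: `- include:` in main.yml is the legacy task-inclusion keyword that Ansible has deprecated in favour of `import_tasks` (static) or `include_tasks` (dynamic); the two lines would read `- import_tasks: set_facts.yml` and `- import_tasks: generate.yml`. set_facts.yml only defines facts that generate.yml depends on, so the static form keeps the current ordering and behaviour.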
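Review bot: `wg_dir` is rooted at `{{ inventory_dir}}/files/wireguard`, and generate.yml in this commit writes each host's private key (`*.keys`) and a rendered config containing that key (`*.conf`) under it, so the inventory tree — usually version-controlled — becomes the store for every host's private key material. The commit does not say whether that directory is excluded from VCS or vault-encrypted; a comment above the fact making the expectation explicit, e.g. `# holds WireGuard private keys: keep out of VCS or encrypt with ansible-vault`, is the minimum I would add. Minor: `{{ inventory_dir}}` is missing the space before `}}` that every other expression in this file has.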
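Review bot: The commented-out `#Address = ...` line and the hard-coded `ListenPort = 53` in dcontroller.conf.j2 are left unexplained, and the header calls this the "client configuration" although it renders the server side. Since hostname.tun0.j2 in this commit assigns the interface address and host.conf.j2 repeats `:53` in its `Endpoint`, a comment such as `# Address is assigned by /etc/hostname.tun0; ListenPort must match the Endpoint port in host.conf.j2` above `[Interface]` would keep the three files from drifting, and a single variable for the port (the page shows none) would be better still. The peer loop also calls `lookup("file", ...)` on every host's `.keys` file, which presumably exists only after generate.yml has run for that host; the run order this relies on deserves a comment, because one missing file aborts the render of the whole server config.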
@@ -0,0 +1,15 @@
+
+# wireguard client configuration ~~ /etc/wireguard/*.conf
+# managed by Ansible
+{% set host_keys = lookup("file", wg_host_keys).splitlines() %}
+{% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %}
+
+[Interface]
+Address = {{ ip.in }}
+PrivateKey = {{ host_keys[0] }}
+
+[Peer]
+PublicKey = {{ dcontroller_keys[1] }}
+Endpoint = {{ hostvars[_i.dcontroller].ip.out }}:53
+AllowedIPs = 0.0.0.0/0, ::/0
+PersistentKeepalive = 25
diff --git a/roles/wireguard/templates/hostname.tun0.j2 b/roles/wireguard/templates/hostname.tun0.j2
new file mode 100644
index 0000000..3903ccb
--- /dev/null
+++ b/roles/wireguard/templates/hostname.tun0.j2
@@ -0,0 +1,9 @@
+inet 10.10.0.1 255.255.255.0
+inet6 fd00:10:10::1
+!/usr/local/bin/wireguard-go -f tun0 &
+!/bin/sleep 2
+!/usr/local/bin/wg setconf tun0 /etc/wireguard/{{ _i.dcontroller }}.conf
+!/bin/sleep 2
+!/sbin/route add -inet 10.10.0.0/24 10.10.0.1
+!/bin/sleep 2
+!/sbin/route add -inet6 fd00:10:10::/64 fd00:10:10::1 |
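Review bot: The client `[Interface]` in host.conf.j2 carries only an IPv4 `Address = {{ ip.in }}`, while the server template in this commit (dcontroller.conf.j2) grants the same peer `fd00:10:10::<last octet>/128` and this file routes `::/0` into the tunnel, so IPv6 traffic has no source address on the client side. Adding the matching address, `Address = {{ ip.in }}/32, fd00:10:10::{{ ip.in.split('.')[3] }}/128`, aligns the two templates; the explicit `/32` also stops the config from depending on whatever prefix length the consumer assumes for a bare IPv4 address.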
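Review bot: The `wg setconf` line in hostname.tun0.j2 loads `/etc/wireguard/{{ _i.dcontroller }}.conf`, but generate.yml in this commit writes the server's config on the remote host to the fixed path `/etc/wireguard/dcontroller.conf`, so unless `_i.dcontroller` happens to be the literal string `dcontroller` the interface comes up with no configuration; `!/usr/local/bin/wg setconf tun0 /etc/wireguard/dcontroller.conf` would match what is actually written. The addresses `10.10.0.1` and `fd00:10:10::1` are hard-coded here while the other templates derive the server's addresses from `ip.in`, which is a second place for the two to drift. This is also the only template without a `# managed by Ansible` header; as far as I know hostname.if(5) ignores lines starting with `#`, so the same header the other templates use can go at the top.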