Diffstat (limited to 'roles/wireguard/tasks')
-rw-r--r--roles/wireguard/tasks/configuration.yml18
-rw-r--r--roles/wireguard/tasks/keys.yml17
-rw-r--r--roles/wireguard/tasks/main.yml34
-rw-r--r--roles/wireguard/tasks/service.yml20
4 files changed, 89 insertions, 0 deletions
diff --git a/roles/wireguard/tasks/configuration.yml b/roles/wireguard/tasks/configuration.yml
new file mode 100644
index 0000000..efb8008
--- /dev/null
+++ b/roles/wireguard/tasks/configuration.yml
@@ -0,0 +1,18 @@
+- name: generate wireguard configuration
+ template:
+ src: wireguard.conf.j2
+ dest: "{{ wireguard_local_dir }}/{{ item }}.conf"
+ mode: 0600
+ vars:
+ host: "{{ hostvars[item] }}"
+ run_once: true
+ delegate_to: localhost
+ loop: "{{ groups.all }}"
+
+- name: copy wireguard configuration
+ copy:
+ src: "{{ wireguard_local_dir }}/{{ wireguard_local_configuration }}"
+ dest: "{{ wireguard_dir }}/{{ wireguard_domain_controller }}.conf"
+ owner: 0
+ group: 0
+ mode: 0600
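Review bot: Both tasks handle files that carry a WireGuard `PrivateKey` (the template renders the peer config, the copy ships it), yet neither suppresses Ansible's diff output, so a run with `-D`/`--diff` or `ANSIBLE_DIFF_ALWAYS` prints the private key into the console and any log collector; add `diff: false` (or `no_log: true`) to both the `template` and the `copy` task. The generation loop writes one `{{ item }}.conf` per host in `groups.all`, while the copy reads `{{ wireguard_local_configuration }}`, a variable not defined in this diff — presumably it resolves to `{{ inventory_hostname }}.conf` in the role defaults, but that is worth confirming since a mismatch would ship another host's keys. With `--limit`, hosts outside the play have no gathered facts in `hostvars[item]`, so the rendered peer sections for them may be incomplete depending on what `wireguard.conf.j2` reads; a `default()` or `is defined` guard in the template, or a comment stating the role expects the full inventory, would make that explicit.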
diff --git a/roles/wireguard/tasks/keys.yml b/roles/wireguard/tasks/keys.yml
new file mode 100644
index 0000000..7a89010
--- /dev/null
+++ b/roles/wireguard/tasks/keys.yml
@@ -0,0 +1,17 @@
+- name: generate hosts keys
+ shell: |
+ set -o pipefail
+ ls "{{ wireguard_local_dir }}/{{ item }}.keys" && exit 0
+ umask 077
+ wg genkey | \
+ tee "{{ item }}.keys" | \
+ wg pubkey >> "{{ item }}.keys"
+ exit 2
+ args:
+ chdir: "{{ wireguard_local_dir }}"
+ loop: "{{ groups.all }}"
+ run_once: true
+ delegate_to: localhost
+ register: result
+ changed_when: result.rc == 2
+ failed_when: result.rc not in [0, 2]
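Review bot: The key-generation script runs under Ansible's default `/bin/sh`, and `set -o pipefail` is not POSIX: on a control node whose sh lacks it (dash) the `set` line aborts the script with a non-zero status, 2 on dash, which `changed_when: result.rc == 2` then reports as a successful key generation although no file was written. Because there is no `set -e` either, a failing `wg genkey` — wireguard-tools is installed on the remote hosts only and never checked on localhost — still falls through to `exit 2` and leaves an empty `{{ item }}.keys` that the `ls` guard accepts as existing on every later run. Add `executable: /bin/bash` under `args:`, change the first line to `set -eo pipefail`, and replace the guard with `[ -s "{{ item }}.keys" ] && exit 0` so only a non-empty key file short-circuits generation. The `umask 077` before writing is correct and should stay before the pipeline.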
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..9f1d01d
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,34 @@
+- name: create local wireguard directory
+ file:
+ path: "{{ wireguard_local_dir }}"
+ state: directory
+ mode: 0700
+ run_once: true
+ delegate_to: localhost
+
+- name: create wireguard directory
+ file:
+ path: "{{ wireguard_dir }}"
+ owner: 0
+ group: 0
+ mode: 0700
+ state: directory
+
+- name: include key generation
+ include_tasks: keys.yml
+
+- name: include configuration generation
+ include_tasks: configuration.yml
+
+- name: install wireguard on remote host
+ package:
+ name: wireguard-tools
+ state: present
+
+- name: include service configuration for server
+ include_tasks: service.yml
+ when: inventory_hostname == wireguard_domain_controller
+
+- name: include service configuration for hosts
+ include_tasks: service.yml
+ when: inventory_hostname != wireguard_domain_controller
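Review bot: keys.yml, included here before the only install task, runs `wg genkey`/`wg pubkey` on the control node, but the `package` task installs wireguard-tools on the remote hosts only, so nothing ensures `wg` exists where the keys are generated; a `command: wg --version` with `run_once: true` and `delegate_to: localhost` placed before `include_tasks: keys.yml` would fail early with a clear message instead of mid-loop. The last two tasks include the same service.yml under complementary conditions (`== wireguard_domain_controller` and `!= wireguard_domain_controller`), which is equivalent to a single unconditional `include_tasks: service.yml`; if server and hosts are expected to diverge later, a comment saying so would justify keeping the split. The directory modes are written as unquoted `0700`; Ansible accepts the leading-zero literal, but the documented form is `mode: "0700"`.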
diff --git a/roles/wireguard/tasks/service.yml b/roles/wireguard/tasks/service.yml
new file mode 100644
index 0000000..d1a1007
--- /dev/null
+++ b/roles/wireguard/tasks/service.yml
@@ -0,0 +1,20 @@
+- name: enable wireguard interface for OpenBSD
+ lineinfile:
+ path: /etc/rc.local
+ regexp: "^/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}$"
+ line: "/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}"
+ owner: 0
+ owner: 0
+ create: true
+ mode: 0644
+ when: ansible_distribution == "OpenBSD"
+
+- name: restart wireguard interface
+ command: wg-quick "{{ item }}" "{{ wireguard_domain_controller }}"
+ ignore_errors: true
+ loop:
+ - down
+ - up
+ loop_control:
+ pause: 5
+ when: ansible_distribution == "OpenBSD"
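Review bot: The lineinfile task lists `owner: 0` twice, which is a duplicate mapping key — YAML loaders keep only the last value and Ansible merely warns — so the intended `group: 0` is never applied; the second line should read `group: 0`. In the restart task `ignore_errors: true` also swallows a failed `wg-quick up`, leaving the play green with no tunnel; since only `down` is expected to fail (interface not yet created), register the result and use `failed_when: item == 'up' and result.rc != 0` instead. Because the task carries no condition tied to a configuration change, every play run tears the tunnel down for the five-second pause; notifying a handler from the config copy task would restart it only when the config actually changed. Non-OpenBSD hosts get no interface management at all here, which may be deliberate given the rc.local handling, but a comment stating the role's OS scope would help.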