From c1c300aa21b407351e6045c7b40480d4120db8a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Gon=C3=A7alves?=
Date: Fri, 10 Dec 2021 18:30:32 +0000
Subject: roles: Generate + deploy wireguard configurations
---
roles/wireguard/tasks/configuration.yml | 18 +++++++++++++++++
roles/wireguard/tasks/keys.yml | 17 +++++++++++++++++
roles/wireguard/tasks/main.yml | 34 +++++++++++++++++++++++++++++++++
roles/wireguard/tasks/service.yml | 20 +++++++++++++++++++
4 files changed, 89 insertions(+)
create mode 100644 roles/wireguard/tasks/configuration.yml
create mode 100644 roles/wireguard/tasks/keys.yml
create mode 100644 roles/wireguard/tasks/main.yml
create mode 100644 roles/wireguard/tasks/service.yml
(limited to 'roles/wireguard/tasks')
diff --git a/roles/wireguard/tasks/configuration.yml b/roles/wireguard/tasks/configuration.yml
new file mode 100644
index 0000000..efb8008
--- /dev/null
+++ b/roles/wireguard/tasks/configuration.yml
@@ -0,0 +1,18 @@
+- name: generate wireguard configuration
+ template:
+ src: wireguard.conf.j2
+ dest: "{{ wireguard_local_dir }}/{{ item }}.conf"
+ mode: 0600
+ vars:
+ host: "{{ hostvars[item] }}"
+ run_once: true
+ delegate_to: localhost
+ loop: "{{ groups.all }}"
+
+- name: copy wireguard configuration
+ copy:
+ src: "{{ wireguard_local_dir }}/{{ wireguard_local_configuration }}"
+ dest: "{{ wireguard_dir }}/{{ wireguard_domain_controller }}.conf"
+ owner: 0
+ group: 0
+ mode: 0600
diff --git a/roles/wireguard/tasks/keys.yml b/roles/wireguard/tasks/keys.yml
new file mode 100644
index 0000000..7a89010
--- /dev/null
+++ b/roles/wireguard/tasks/keys.yml
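Review bot: Both `mode: 0600` values in this hunk are unquoted octals, which a YAML 1.1 loader reads as the integer 384; Ansible's documentation recommends quoting file modes (`mode: "0600"`) because the leading-zero form can misbehave in loops, and the template task here is a loop over `groups.all`. The rendered per-host config presumably embeds that host's WireGuard private key, so a run with `--diff` would print it in the template and copy output; adding `diff: false` to both tasks keeps the key out of the console and any log collector. The copy task reads `{{ wireguard_local_configuration }}`, a variable defined outside this diff, while the template wrote one `{{ item }}.conf` per host; confirm it resolves to the current host's file so a host cannot receive another peer's private key.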
@@ -0,0 +1,17 @@
+- name: generate hosts keys
+ shell: |
+ set -o pipefail
+ ls "{{ wireguard_local_dir }}/{{ item }}.keys" && exit 0
+ umask 077
+ wg genkey | \
+ tee "{{ item }}.keys" | \
+ wg pubkey >> "{{ item }}.keys"
+ exit 2
+ args:
+ chdir: "{{ wireguard_local_dir }}"
+ loop: "{{ groups.all }}"
+ run_once: true
+ delegate_to: localhost
+ register: result
+ changed_when: result.rc == 2
+ failed_when: result.rc not in [0, 2]
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..9f1d01d
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,34 @@
+- name: create local wireguard directory
+ file:
+ path: "{{ wireguard_local_dir }}"
+ state: directory
+ mode: 0700
+ run_once: true
+ delegate_to: localhost
+
+- name: create wireguard directory
+ file:
+ path: "{{ wireguard_dir }}"
+ owner: 0
+ group: 0
+ mode: 0700
+ state: directory
+
+- name: include key generation
+ include_tasks: keys.yml
+
+- name: include configuration generation
+ include_tasks: configuration.yml
+
+- name: install wireguard on remote host
+ package:
+ name: wireguard-tools
+ state: present
+
+- name: include service configuration for server
+ include_tasks: service.yml
+ when: inventory_hostname == wireguard_domain_controller
+
+- name: include service configuration for hosts
+ include_tasks: service.yml
+ when: inventory_hostname != wireguard_domain_controller
diff --git a/roles/wireguard/tasks/service.yml b/roles/wireguard/tasks/service.yml
new file mode 100644
index 0000000..d1a1007
--- /dev/null
+++ b/roles/wireguard/tasks/service.yml
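Review bot: The `ls … && exit 0` / `exit 2` convention with `changed_when` and `failed_when` re-implements what the shell module's `creates:` argument already provides: with `creates` pointing at the key file, Ansible skips the command when the file exists and reports changed when it runs, so the exit-code bookkeeping and the `register` can go. That also removes a trap in the current form — `set -o pipefail` is not POSIX, and if the controller's `/bin/sh` rejects it the script aborts before `wg genkey` runs; on shells that exit with status 2 for an unknown `set` option the task would be reported as a successful change with no key written. If pipefail is wanted, pin the interpreter with `executable: /bin/bash` under `args:`. Keeping `umask 077` before the write is correct, since the file holds the private key on the controller.
```yaml
- name: generate hosts keys
  shell: |
    set -o pipefail
    umask 077
    wg genkey | \
      tee "{{ item }}.keys" | \
      wg pubkey >> "{{ item }}.keys"
  args:
    chdir: "{{ wireguard_local_dir }}"
    creates: "{{ wireguard_local_dir }}/{{ item }}.keys"
    executable: /bin/bash
  # … unchanged: loop, run_once, delegate_to …
```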
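Review bot: The last two tasks include the same `service.yml` under complementary conditions (`==` and `!=` `wireguard_domain_controller`), so together they run it on every host and collapse to a single unconditional `include_tasks: service.yml`; if the server was meant to get different service handling, `service.yml` does not yet distinguish the two. Both `mode: 0700` values are unquoted octals — write them as `mode: "0700"` as Ansible's documentation recommends, so the loader cannot reinterpret them as decimal integers. The `file` task for `{{ wireguard_dir }}` runs before `package` installs `wireguard-tools`; that is harmless here, but installing first would let the package create its own directory layout if it ships one.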
@@ -0,0 +1,20 @@
+- name: enable wireguard interface for OpenBSD
+ lineinfile:
+ path: /etc/rc.local
+ regexp: "^/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}$"
+ line: "/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}"
+ owner: 0
+ owner: 0
+ create: true
+ mode: 0644
+ when: ansible_distribution == "OpenBSD"
+
+- name: restart wireguard interface
+ command: wg-quick "{{ item }}" "{{ wireguard_domain_controller }}"
+ ignore_errors: true
+ loop:
+ - down
+ - up
+ loop_control:
+ pause: 5
+ when: ansible_distribution == "OpenBSD"
--
cgit v1.2.3
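Review bot: The `lineinfile` task sets `owner: 0` twice; the second was presumably meant to be `group: 0` — YAML loaders keep only the last duplicate key (Ansible warns about it), so the group of `/etc/rc.local` is currently left unmanaged. In the restart task `ignore_errors: true` also masks a failed `wg-quick up`, so a host whose tunnel never came up still passes the play; only the first `down` (no interface yet) needs tolerating, e.g. `register: wg_quick` with `failed_when: item == "up" and wg_quick.rc != 0` in place of `ignore_errors`. The down/up cycle also runs on every play whether or not the config changed; a handler notified by the configuration copy would restart only when needed. `mode: 0644` is an unquoted octal and should be `mode: "0644"`.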