From c1c300aa21b407351e6045c7b40480d4120db8a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Gon=C3=A7alves?=
Date: Fri, 10 Dec 2021 18:30:32 +0000
Subject: roles: Generate + deploy wireguard configurations
---
 roles/wireguard/templates/wireguard.conf.j2 | 34 +++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 roles/wireguard/templates/wireguard.conf.j2
(limited to 'roles/wireguard/templates/wireguard.conf.j2')
diff --git a/roles/wireguard/templates/wireguard.conf.j2 b/roles/wireguard/templates/wireguard.conf.j2
new file mode 100644
index 0000000..91ebf1d
--- /dev/null
+++ b/roles/wireguard/templates/wireguard.conf.j2
@@ -0,0 +1,34 @@
+# managed by Ansible
+{% set keys = lookup("file", wireguard_local_dir ~ "/" ~ host.inventory_hostname ~ ".keys").splitlines() %}
+{% set domain_controller_keys = lookup("file", wireguard_local_dir ~ "/" ~ wireguard_domain_controller ~ ".keys").splitlines() %}
+{% set is_domain_controller = host.inventory_hostname == wireguard_domain_controller %}
+{% set ipv4_address = host.__ip.internal ~ "/24" if is_domain_controller else host.__ip.internal %}
+{% set ipv6_address = "fd00::1/128" if is_domain_controller else "fd00:10:10::" ~ host.__ip.internal.split(".")[3] %}
+
+[Interface]
+Address = {{ ipv4_address }}, {{ ipv6_address }}
+PrivateKey = {{ keys[0] }}
+{% if is_domain_controller %}
+ListenPort = {{ wireguard_port }}
+{% endif %}
+
+{% if is_domain_controller %}
+{% for guest in groups.all %}
+{% set guest = hostvars[guest] %}
+{% if guest.inventory_hostname not in [wireguard_domain_controller, "localhost"] and guest.__ip.internal %}
+{# #}
+{% set guest_keys = lookup("file", wireguard_local_dir ~ "/" ~ guest.inventory_hostname ~ ".keys").splitlines() %}
+# {{ guest.inventory_hostname }}
+[Peer]
+PublicKey = {{ guest_keys[1] }}
+AllowedIPs = {{ guest.__ip.internal }}/32, fd00:10:10::{{ guest.__ip.internal.split('.')[3] }}/128
+
+{% endif %}
+{% endfor %}
+{% else %}
+[Peer]
+PublicKey = {{ domain_controller_keys[1] }}
+Endpoint = {{ hostvars[wireguard_domain_controller].__ip.external }}:{{ wireguard_port }}
+AllowedIPs = 0.0.0.0/0, ::/0
+PersistentKeepalive = {{ wireguard_persistent_keepalive }}
+{% endif %}
-- cgit v1.2.3
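Review bot: The rendered file carries the host's WireGuard private key on the `PrivateKey = {{ keys[0] }}` line, and nothing in this template documents that the deploying task must write it with a restrictive mode (e.g. `mode: "0600"`) and suppress diff/log output (`diff: false`, `no_log: true`) so the key is not echoed in `--diff` or verbose runs; the task itself is outside this view, so that should be confirmed there. The `.keys` files are indexed positionally (`keys[0]` for the private key, `guest_keys[1]` and `domain_controller_keys[1]` for public keys) with no comment stating the layout, so a header such as `{# .keys layout (assumed): line 1 = private key, line 2 = public key — confirm against the key-generation task #}` would make the contract explicit and explain why a one-line or empty file fails the render. Also note that the `{% for guest in groups.all %}` loop rebinds its own loop variable with `{% set guest = hostvars[guest] %}`, and the `{# #}` line inside the loop appears to serve no purpose; naming the hostvars value differently (e.g. `guest_vars`) and dropping the empty comment would make the domain-controller branch easier to read.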