Diffstat (limited to 'roles/wireguard')
-rw-r--r-- | roles/wireguard/defaults/main.yaml | 2 | ||||
-rw-r--r-- | roles/wireguard/tasks/main.yaml | 3 | ||||
-rw-r--r-- | roles/wireguard/tasks/wireguard.yaml | 93 | ||||
-rw-r--r-- | roles/wireguard/templates/wireguard.master.j2 | 6 | ||||
-rw-r--r-- | roles/wireguard/templates/wireguard.slave.j2 | 11 |
5 files changed, 115 insertions, 0 deletions
diff --git a/roles/wireguard/defaults/main.yaml b/roles/wireguard/defaults/main.yaml
new file mode 100644
index 0000000..649825c
--- /dev/null
+++ b/roles/wireguard/defaults/main.yaml
@@ -0,0 +1,2 @@
+wireguard:
+ enabled: false
diff --git a/roles/wireguard/tasks/main.yaml b/roles/wireguard/tasks/main.yaml
new file mode 100644
index 0000000..4bdd7a9
--- /dev/null
+++ b/roles/wireguard/tasks/main.yaml
@@ -0,0 +1,3 @@
+- name: Setup wireguard
+ import_tasks: wireguard.yaml
+ when: wireguard.enabled and inventory_hostname in groups["servers"]
diff --git a/roles/wireguard/tasks/wireguard.yaml b/roles/wireguard/tasks/wireguard.yaml
new file mode 100644
index 0000000..eda00aa
--- /dev/null
+++ b/roles/wireguard/tasks/wireguard.yaml
@@ -0,0 +1,93 @@
+- name: Setup Wireguard on Master Host
+ block:
+
+ - name: Ensure wireguard is present
+ ansible.builtin.dnf:
+ name: wireguard-tools
+ state: latest
+
+ - name: Generate private key
+ ansible.builtin.shell: "wg genkey"
+ register: privatekey
+
+ - name: Set private key variable
+ ansible.builtin.set_fact:
+ privatekey: "{{ privatekey.stdout_lines[0] }}"
+
+ - name: Generate public key
+ ansible.builtin.shell: "echo {{ privatekey }} | wg pubkey"
+ register: publickey
+
+ - name: Set public key variable
+ ansible.builtin.set_fact:
+ publickey: "{{ publickey.stdout_lines[0] }}"
+
+ - name: Create wireguard config file
+ ansible.builtin.template:
+ src: wireguard.master.j2
+ dest: "{{ network.wireguard.path }}/wg0.conf"
+
+ - name: Ensure ansible facts directory exists
+ ansible.builtin.file:
+ path: /etc/ansible/facts.d
+ state: directory
+ mode: 0755
+
+ - name: Add fact about wireguard config to host
+ ansible.builtin.copy:
+ content: '{ "PublicKey": "{{ publickey }}" }'
+ dest: "/etc/ansible/facts.d/wireguard.fact"
+
+ - name: Re-gather facts
+ gather_facts:
+ when: inventory_hostname in groups["cloud"]
+ become: true
+
+- name: Setup Wireguard on Slave Hosts
+ block:
+ - name: Ensure wireguard is present
+ ansible.builtin.dnf:
+ name: wireguard-tools
+ state: latest
+
+ - name: Wait for master node to generate file
+ ansible.builtin.wait_for:
+ host: "{{ groups['cloud'][0] }}"
+ path: /etc/ansible/facts.d/wireguard.fact
+ search_regex: PublicKey
+ delegate_to: "{{ groups['cloud'][0] }}"
+ register: output
+
+ - name: Generate private key
+ ansible.builtin.shell: "wg genkey"
+ register: privatekey
+
+ - name: Set private key variable
+ ansible.builtin.set_fact:
+ privatekey: "{{ privatekey.stdout_lines[0] }}"
+
+ - name: Generate public key
+ ansible.builtin.shell: "echo {{ privatekey }} | wg pubkey"
+ register: publickey
+
+ - name: Set public key variable
+ ansible.builtin.set_fact:
+ publickey: "{{ publickey.stdout_lines[0] }}"
+
+ - name: Setup wireguard ip fact
+ set_fact:
+ wireguard_ip: "10.0.0.{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'].split('.')[3] }}"
+
+ - name: Create wireguard config file
+ ansible.builtin.template:
+ src: wireguard.slave.j2
+ dest: "{{ network.wireguard.path }}/wg0.conf"
+
+ - name: Add host's details to master
+ lineinfile:
+ path: "{{ network.wireguard.path }}/wg0.conf"
+ line: "\n[Peer]\nPublicKey={{ publickey }}\nAllowedIPs={{ wireguard_ip }}\n"
+ delegate_to: "{{ groups['cloud'][0] }}"
+
+ when: inventory_hostname not in groups["cloud"]
+ become: true
diff --git a/roles/wireguard/templates/wireguard.master.j2 b/roles/wireguard/templates/wireguard.master.j2
new file mode 100644
index 0000000..c2ac41c
--- /dev/null
+++ b/roles/wireguard/templates/wireguard.master.j2
@@ -0,0 +1,6 @@
+[Interface]
+Address = 10.0.0.1/24
+PostUp = firewall-cmd --add-masquerade
+PostDown = firewall-cmd --remove-masquerade
+ListenPort = {{ network.wireguard.port }}
+PrivateKey = {{ privatekey }}
diff --git a/roles/wireguard/templates/wireguard.slave.j2 b/roles/wireguard/templates/wireguard.slave.j2
new file mode 100644
index 0000000..b6a01b8
--- /dev/null
+++ b/roles/wireguard/templates/wireguard.slave.j2
@@ -0,0 +1,11 @@
+[Interface]
+Address = {{ wireguard_ip }}/24
+ListenPort = {{ network.wireguard.port }}
+PrivateKey = {{ privatekey }}
+DNS = {{ network.dns }}
+
+[Peer]
+PublicKey = {{ hostvars[groups['cloud'][0]]['ansible_local']['wireguard']['PublicKey'] }}
+AllowedIPs = 0.0.0.0/0
+Endpoint = {{ hostvars[groups['cloud'][0]]['ansible_default_ipv4']['address'] }}:{{ network.wireguard.port }}
+PersistentKeepalive = 15
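Review bot: Both `Create wireguard config file` tasks in roles/wireguard/tasks/wireguard.yaml render `wg0.conf`, which carries `PrivateKey = {{ privatekey }}`, through `ansible.builtin.template` with no `mode:`, so the file takes the default umask and is typically world-readable on the host; add `mode: "0600"` and `owner: root` to both template tasks. The private key is also exposed on the controller side, since the `Generate private key` / `Set private key variable` / `Generate public key` tasks register it and set it as a plain fact without `no_log: true`, and `echo {{ privatekey }} | wg pubkey` places the key on a command line visible in the process table; prefer `ansible.builtin.command: wg pubkey` with `stdin: "{{ privatekey }}"` and `no_log: true` on those tasks. Separately, the role does not look idempotent: every run generates a fresh key pair and rewrites `wg0.conf`, so peers registered on an earlier run no longer match, and `lineinfile` with a multi-line `line:` appends another `[Peer]` stanza to the master's config on each run instead of updating the existing one. Guarding key generation (for example `creates:` on a persisted key file) and rendering the master's peer list from a template would address both.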
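Review bot: `Address = {{ wireguard_ip }}/24` in roles/wireguard/templates/wireguard.slave.j2 takes the last octet of each host's `ansible_default_ipv4` inside 10.0.0.0/24, while the master template pins itself at `10.0.0.1/24`; a host whose primary address ends in `.1`, or two hosts on different subnets sharing a last octet, would collide on the tunnel and the templates would render without complaint. The derivation lives in the `Setup wireguard ip fact` task of the tasks hunk, so the guard belongs there, for example an explicit per-host `wireguard_ip` variable or an `ansible.builtin.assert` that the computed address is unique across `groups["servers"]` and is not `10.0.0.1`. A comment in the template would make the dependency visible, e.g. `# Address is derived from the host's default IPv4 last octet; must not collide with the master's 10.0.0.1`.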