wireguard
This commit is contained in:
Nikos Papadakis
parent
33f12242ba
commit
7f7e612132
GPG key ID:
78871F9905ADFF02
6 changed files with 110 additions and 9 deletions
|
|
@ -22,3 +22,7 @@ s3_bucket: "prymn-cache"
|
|||
s3_endpoint: "https://75178f9eca227dea51b3db4db2c15a5a.r2.cloudflarestorage.com"
|
||||
s3_access_key_id: "{{ vault_s3_access_key_id }}"
|
||||
s3_secret_access_key: "{{ vault_s3_secret_access_key }}"
|
||||
|
||||
# Wireguard
|
||||
wireguard_ip: "10.0.42.1"
|
||||
wireguard_network_mask: "24"
|
||||
|
|
|
|||
2
host_vars/ulna.papadakis.xyz.yml
Normal file
2
host_vars/ulna.papadakis.xyz.yml
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
ansible_become_pass: "{{ ulna_become_pass | default(omit) }}"
|
||||
wireguard_ip: "10.0.42.1"
|
||||
|
|
@ -1,10 +1,16 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
34626236366363333963613532643239643331333637613664653238336431636338303537643936
|
||||
3830343365336262633165616535363336313665383261310a383931623831326530313837346137
|
||||
35663961343433396461653164613666363331396430393131393038393433346263653331653064
|
||||
3162663361623439340a363865633661623563366330336666633766656531663033613131343466
|
||||
39366463393839333963326531376436373038386239623937303839336264336462613236623431
|
||||
37633635333738316665346463333361363234636465333764643464323830313636616165646365
|
||||
39663235323764323564326135333631613665336338646565666362336666633337643065626362
|
||||
66663631313434393636326531616261623132633730333439313534636165373635393465616531
|
||||
66643663376238653164626364386338363863366661313235353966316664343039
|
||||
63613665646438616265666332616134306638336363643763376536386338336265333036633561
|
||||
3866393138653031346363613137343238323839633632330a346433343633383938383835373438
|
||||
33306235633230633734663937316365643263373964386234613236316132396661643565356639
|
||||
3966326363643566360a326135633033396262636661366536653132613939323034346138353434
|
||||
63356662653461333537643737353537353862313366356265623333373635323133393462353638
|
||||
35646563643231666632666537373633643037376638323132383739613736393035376462313065
|
||||
63633366363265396163343633306439313364656161663930623965376337343661323230616532
|
||||
35613663373263323839313534623831366334346135383439316439366634343133343462366631
|
||||
31663363346138336163633562366130663430626633303733643730333039646663643930626564
|
||||
38366466306534366661646564386566303562303733663534666334383639623939616238666237
|
||||
34353130663033376534386533633639656161333164646164346136323937623630663638633731
|
||||
32353131386538326230633630626530393561623930353963316431663635343131373539633937
|
||||
38396539323566616565633161653835306435653639633336626434643562316564346665616662
|
||||
39633663343736366264623334653763323763366133343634306162356664386564393232386564
|
||||
346330633462313734343039633666616536
|
||||
|
|
|
|||
25
templates/wireguard/wg0.netdev.j2
Normal file
25
templates/wireguard/wg0.netdev.j2
Normal file
|
|
@ -0,0 +1,25 @@
|
|||
[NetDev]
|
||||
Name=wg0
|
||||
Kind=wireguard
|
||||
Description=Wireguard tunnel wg0
|
||||
|
||||
[WireGuard]
|
||||
ListenPort=51820
|
||||
PrivateKey={{ wireguard_private_key.stdout }}
|
||||
|
||||
{% for peer in groups['wireguard'] %}
|
||||
{% if peer != inventory_hostname %}
|
||||
|
||||
[WireGuardPeer]
|
||||
PublicKey={{ hostvars[peer].wireguard_public_key.stdout }}
|
||||
AllowedIPs={{ hostvars[peer].wireguard_ip }}/32
|
||||
PersistentKeepalive=25
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
# ouroboros
|
||||
[WireGuardPeer]
|
||||
PublicKey={{ ouroboros_wireguard_public_key }}
|
||||
AllowedIPs={{ ouroboros_wireguard_ip }}/32
|
||||
PersistentKeepalive=25
|
||||
5
templates/wireguard/wg0.network.j2
Normal file
5
templates/wireguard/wg0.network.j2
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
[Match]
|
||||
Name=wg0
|
||||
|
||||
[Network]
|
||||
Address={{ wireguard_ip }}/{{ wireguard_network_mask }}
|
||||
59
wireguard.yml
Normal file
59
wireguard.yml
Normal file
|
|
@ -0,0 +1,59 @@
|
|||
---
|
||||
- hosts: [wireguard]
|
||||
tasks:
|
||||
- name: Install wireguard packages
|
||||
become: true
|
||||
ansible.builtin.apt:
|
||||
name: wireguard
|
||||
state: present
|
||||
|
||||
- name: Generate keys
|
||||
become: true
|
||||
ansible.builtin.shell: |
|
||||
umask 0077
|
||||
wg genkey > /etc/wireguard/privatekey
|
||||
wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey
|
||||
args:
|
||||
creates:
|
||||
- /etc/wireguard/privatekey
|
||||
- /etc/wireguard/publickey
|
||||
|
||||
- name: Register public key
|
||||
become: true
|
||||
ansible.builtin.shell: cat /etc/wireguard/publickey
|
||||
register: wireguard_public_key
|
||||
changed_when: false
|
||||
|
||||
- name: Register private key
|
||||
become: true
|
||||
ansible.builtin.shell: cat /etc/wireguard/privatekey
|
||||
register: wireguard_private_key
|
||||
changed_when: false
|
||||
|
||||
- name: Setup network device
|
||||
become: yes
|
||||
notify: systemd network restart
|
||||
ansible.builtin.template:
|
||||
src: ./templates/wireguard/wg0.netdev.j2
|
||||
dest: /etc/systemd/network/wg0.netdev
|
||||
owner: root
|
||||
group: systemd-network
|
||||
mode: 0640
|
||||
|
||||
- name: Setup network
|
||||
become: yes
|
||||
notify: systemd network restart
|
||||
ansible.builtin.template:
|
||||
src: ./templates/wireguard/wg0.network.j2
|
||||
dest: /etc/systemd/network/wg0.network
|
||||
owner: root
|
||||
group: systemd-network
|
||||
mode: 0640
|
||||
|
||||
handlers:
|
||||
- name: systemd network restart
|
||||
become: true
|
||||
ansible.builtin.service:
|
||||
name: systemd-networkd
|
||||
state: restarted
|
||||
enabled: true
|
||||
Loading…
Reference in a new issue