author | 2022-01-11 00:45:31 +0000 | |
---|---|---|
committer | 2022-01-11 13:29:08 +0000 | |
commit | 8861a6c68feb65c69e966a494507be2cc63fe9c0 (patch) | |
tree | 5cf61f5dfa8a4179f646aa55d2893f25abe3363c | |
parent | Automatically add new issues to the project board (#12) (diff) |
Add role for setting up WireGuard mesh network
-rw-r--r-- | roles/wireguard/tasks/main.yml | 54 | ||||
-rw-r--r-- | roles/wireguard/templates/wg0.conf.j2 | 15 |
2 files changed, 69 insertions, 0 deletions
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..66d35a4
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,54 @@
+- name: Install WireGuard
+ apt:
+ update_cache: true
+ cache_valid_time: 3600
+ pkg:
+ - wireguard
+ - wireguard-tools
+ - linux-headers-{{ ansible_kernel }}
+
+- name: Generate WireGuard private key
+ shell: set -o pipefail && wg genkey > /etc/wireguard/key.priv
+ args:
+ executable: /bin/bash
+ creates: /etc/wireguard/key.priv
+
+- name: Generate WireGuard public key
+ shell: set -o pipefail && cat /etc/wireguard/key.priv | wg pubkey > /etc/wireguard/key.pub
+ args:
+ executable: /bin/bash
+ creates: /etc/wireguard/key.pub
+
+- name: Ensure file permissions for keys set correctly
+ file:
+ path: '{{ item }}'
+ owner: root
+ group: root
+ mode: '0600'
+ with_items:
+ - /etc/wireguard/key.priv
+ - /etc/wireguard/key.pub
+
+- name: Fetch private key for all hosts
+ slurp:
+ src: /etc/wireguard/key.priv
+ register: wg_priv_key
+
+- name: Fetch public key for all hosts
+ slurp:
+ src: /etc/wireguard/key.pub
+ register: wg_pub_key
+
+- name: Generate WireGuard configuration file
+ template:
+ src: wg0.conf.j2
+ dest: /etc/wireguard/wg0.conf
+ mode: '0600'
+ group: root
+ owner: root
+
+- name: Start and enable the WireGuard service
+ service:
+ name: wg-quick@wg0
+ enabled: true
+ state: started
diff --git a/roles/wireguard/templates/wg0.conf.j2 b/roles/wireguard/templates/wg0.conf.j2
new file mode 100644
index 0000000..b42b1fc
--- /dev/null
+++ b/roles/wireguard/templates/wg0.conf.j2
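Review bot: The private key is created by a plain shell redirect (`wg genkey > /etc/wireguard/key.priv`) under the shell's default umask, and the `0600` mode is only applied by the later "Ensure file permissions" task, so the key file can be readable by other local users between the two tasks, or permanently if the play stops in between. Creating it restrictively from the start, `shell: set -o pipefail && umask 077 && wg genkey > /etc/wireguard/key.priv`, closes that window regardless of task ordering. The `slurp` of `/etc/wireguard/key.priv` registers the key's base64 content in a task result that Ansible prints under verbose output and hands to callback plugins; adding `no_log: true` to the "Fetch private key for all hosts" task keeps it out of logs and callback output. The `creates:` guards mean an existing key is never regenerated, which is presumably intended, but a one-line comment saying so would spare the next reader from wondering whether rotation is handled elsewhere.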
@@ -0,0 +1,15 @@
+# Configuration managed by Ansible
+[Interface]
+Address = {{ wireguard_subnet }}
+ListenPort = 46850
+PrivateKey = {{ wg_priv_key['content'] | b64decode | trim }}
+
+{% for host in hostvars.keys() if not host == inventory_hostname %}
+# Peer config for: {{ host }}
+[Peer]
+AllowedIPs = {{ hostvars[host]['wireguard_subnet'] }}
+PublicKey = {{ hostvars[host]['wg_pub_key']['content'] | b64decode | trim }}
+Endpoint = {{ host }}.box.pydis.wtf:46850
+PersistentKeepalive = 30
+
+{% endfor %} |
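Review bot: The peer loop at `{% for host in hostvars.keys() if not host == inventory_hostname %}` walks every host in the inventory, but `hostvars[host]['wg_pub_key']` only exists for hosts that ran the slurp task in this play, so any inventory host outside the play (or one that failed earlier) makes the template render fail on an undefined variable. Limiting the loop to the hosts actually in the play, e.g. `{% for host in ansible_play_hosts if host != inventory_hostname %}`, keeps the rendered peer list consistent with the keys that were generated. If `wireguard_subnet` carries a prefix wider than /32 (its name suggests a CIDR rather than a host address), every peer's `AllowedIPs` would cover the same range and WireGuard's cryptokey routing would steer all mesh traffic to a single peer; a /32 per host, or a separate per-host address variable, avoids that. The port 46850 also appears both in `ListenPort` and in every `Endpoint`, so a single variable would keep the two in step.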