commit a09fd853ea2217adbab8d633430b6872ec4ac3d8
parent 0a8abf2674146e4eeafec9d8912dea27bea3ca84
Author: Vincent Demeester <vincent@sbr.pm>
Date: Sun, 19 May 2019 09:35:47 +0200
playbook: add wireguard
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
5 files changed, 90 insertions(+), 4 deletions(-)
diff --git a/playbook.yml b/playbook.yml
@@ -6,6 +6,7 @@
- { role: laptop, when: ansible_form_factor == 'Notebook' }
- gcloud
- dev
+ - wireguard
# ansible_hostname == 'hokkaido'
# ansible_product_version == 'ThinkPad X220'
diff --git a/roles/laptop/tasks/main.yml b/roles/laptop/tasks/main.yml
@@ -2,6 +2,6 @@
- include: common.yml
- include: thinkpad.yml
when: ansible_product_version == 'ThinkPad X220'
-- name: just force systemd to reread configs (2.4 and above)
- systemd:
- daemon_reload: yes-
\ No newline at end of file
+#- name: just force systemd to reread configs (2.4 and above)
+# systemd:
+# daemon_reload: yes+
\ No newline at end of file
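Review bot: Commenting out the `daemon_reload` task leaves dead YAML at the end of the file rather than removing it; git history already preserves the task, so deleting the three `#` lines (and ending the file with a newline, which this hunk still lacks) is the cleaner change. If it was disabled because `systemd: daemon_reload: yes` reports `changed` on every run, moving it to a handler that `common.yml`/`thinkpad.yml` notify when they drop unit files keeps the behaviour without the noise. The include list this task followed starts above the hunk.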
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,74 @@
+---
+- name: install wireguard and tools
+ become: yes
+ package: name={{item}} state=present
+ with_items:
+ - wireguard
+# - name: Enable packet forwording for IPv4
+# sysctl:
+# name: net.ipv4.ip_forward
+# value: 1
+# sysctl_set: yes
+# state: present
+# reload: yes
+# - name: Create WireGuard configurations directory
+# file:
+# dest: /etc/wireguard
+# state: directory
+# - name: Generate WireGuard private and public keys
+# shell: umask 077 && wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
+# - name: Register WireGuard private key as a variable
+# slurp:
+# src: /etc/wireguard/privatekey
+# register: wg_privatekey
+# - name: Generate WireGuard configuration file
+# template:
+# src: wireguard.conf.j2
+# dest: /etc/wireguard/wg0.conf
+# owner: root
+# group: root
+# mode: 0600
+# force: no
+# - name: Add WireGuard as a service to FirewallD
+# template:
+# src: wireguard.xml.j2
+# dest: /etc/firewalld/services/wireguard.xml
+# owner: root
+# group: root
+# mode: 0600
+# force: no
+# - name: Allow WireGuard service for FirewallD public zone
+# firewalld:
+# zone: public
+# service: wireguard
+# state: enabled
+# permanent: yes
+# immediate: yes
+# - name: Add WireGuard interface to FirewallD public zone
+# firewalld:
+# zone: public
+# interface: wg0
+# state: enabled
+# permanent: yes
+# immediate: yes
+# - name: Enable Masquerading
+# firewalld:
+# zone: public
+# masquerade: "yes"
+# state: enabled
+# permanent: yes
+# immediate: yes
+# - name: Enable WireGuard kernel module
+# modprobe:
+# name: wireguard
+# state: present
+# register: wireguard_module_enabled
+# until: wireguard_module_enabled is succeeded
+# retries: 10
+# delay: 10
+# failed_when: wireguard_module_enabled is failure
+# - name: Start and enable WireGuard service
+# service:
+# name: wg-quick@wg0
+# state: started
+# enabled: yes+
\ No newline at end of file
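Review bot: The commented-out key generation task (`shell: umask 077 && wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey`) is not idempotent — every run would overwrite the existing private key, and because the following template task uses `force: no`, `wg0.conf` would keep the old key while the published public key changes; guard it with `args: creates: /etc/wireguard/privatekey` before enabling it. The `slurp` task that registers the private key, and the template task that renders it, should carry `no_log: true`, otherwise the key can end up in verbose output, logs and callback plugins. The `/etc/wireguard` directory task should also set `mode: "0700"`, since the shell's `umask 077` only protects the two key files. In the one active task, `become: yes` and `with_items` are the older spellings; `become: true` and `loop:` with block-style module args (`package: {name: "{{ item }}", state: present}`) are the current Ansible idiom.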
diff --git a/roles/wireguard/templates/wireguard.conf.j2 b/roles/wireguard/templates/wireguard.conf.j2
@@ -0,0 +1,4 @@
+[Interface]
+Address = {{ wireguard_interface_ip }}
+ListenPort = {{ wireguard_port }}
+PrivateKey = {{ wg_privatekey['content'] | b64decode }}
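Review bot: `wireguard_interface_ip` and `wireguard_port` are referenced here but no defaults or vars file is part of this commit (the diffstat lists five files and none defines them), so rendering this template would fail with an undefined-variable error unless both are set in inventory — add `roles/wireguard/defaults/main.yml` declaring them (e.g. the conventional `wireguard_port: 51820`). `wg genkey` output keeps its trailing newline after `b64decode`; `{{ wg_privatekey['content'] | b64decode | trim }}` keeps the rendered line clean. The template task that writes this file should also run with `no_log: true`, because in `--diff` mode the printed diff would contain the private key.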
diff --git a/roles/wireguard/templates/wireguard.xml.j2 b/roles/wireguard/templates/wireguard.xml.j2
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>WireGuard</short>
+ <port protocol="udp" port="{{ wireguard_port }}"/>
+</service> +
\ No newline at end of file
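Review bot: A service definition dropped into `/etc/firewalld/services/` is not known to the running firewalld until it reloads, so the later `firewalld: service: wireguard` task (currently commented out in the tasks file) would likely fail with an unknown-service error if it ran straight after this file is written; have the template task `notify` a handler that runs `service: name=firewalld state=reloaded` before the service is enabled. The trailing ` +` after `</service>` looks like a rendering artifact of the missing final newline rather than file content; either way, end the file with a newline so firewalld's XML parser never sees stray text.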