ansible-debops-infrastructure

DebOps and Ansible scripts to manage my infrastructure
git clone git://git.erethon.com/ansible-debops-infrastructure

commit c0c175019c6b738eb51bf14d86f9f4c24cb5a6de
parent 3a90a1f8f12a892c5891118d9ab04c521e4c9004
Author: Dionysis Grigoropoulos <dgrig@erethon.com>
Date:   Mon, 17 May 2021 01:32:58 +0300

Add simple and single interface wireguard role

Diffstat:
ansible/playbooks/wg.yml | 8++++++++
ansible/roles/wireguard/tasks/main.yml | 73+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ansible/roles/wireguard/templates/wg.conf.j2 | 44++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 125 insertions(+), 0 deletions(-)

diff --git a/ansible/playbooks/wg.yml b/ansible/playbooks/wg.yml
@@ -0,0 +1,8 @@
+---
+
+- hosts: wireguard
+ gather_facts: no
+
+ roles:
+ - role: secret
+ - role: wireguard
diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml
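Review bot: `gather_facts: no` on the play uses a YAML 1.1 truthy word; Ansible accepts it, but yamllint's `truthy` rule and the rest of the tooling expect a real boolean, so write `gather_facts: false`. The play sets no `become`, so the role tasks' explicit `become: False` on the delegated localhost tasks is what keeps key generation out of root's hands; worth a one-line comment on the play so that intent survives if someone later adds `become: true` here.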
@@ -0,0 +1,73 @@
+---
+
+- name: Generate private WG keys
+ command:
+ cmd: wg genkey
+ args:
+ creates: '{{ secret + "/wireguard/" + item + "/keys/privatekey" }}'
+ delegate_to: 'localhost'
+ become: False
+ run_once: True
+ loop: "{{ ansible_play_hosts }}"
+ register: wg__private_keys
+ tags: ["wireguard::genkeys"]
+
+- name: Create required directories on Ansible controller
+ file:
+ dest: '{{ secret + "/wireguard/" + item.item + "/keys/" }}'
+ state: directory
+ delegate_to: 'localhost'
+ become: False
+ run_once: True
+ loop: "{{ wg__private_keys.results }}"
+ tags: ["wireguard::genkeys"]
+
+- name: Save private keys to the controller secret stash
+ copy:
+ content: "{{ item.stdout }}"
+ dest: '{{ secret + "/wireguard/" + item.item + "/keys/privatekey" }}'
+ delegate_to: 'localhost'
+ become: False
+ run_once: True
+ loop: "{{ wg__private_keys.results }}"
+ when: item.changed
+ tags: ["wireguard::genkeys"]
+
+- name: Get public keys from private keys
+ command: wg pubkey
+ args:
+ stdin: "{{ item.stdout }}"
+ creates: '{{ secret + "/wireguard/" + item.item + "/keys/publickey" }}'
+ delegate_to: 'localhost'
+ loop: "{{ wg__private_keys.results }}"
+ when: item.changed
+ register: wg__public_keys
+ tags: ["wireguard::genkeys"]
+
+- name: Save public keys to the controller secret stash
+ copy:
+ content: "{{ item.stdout }}"
+ dest: '{{ secret + "/wireguard/" + item.item.item + "/keys/publickey" }}'
+ delegate_to: 'localhost'
+ become: False
+ run_once: True
+ loop: "{{ wg__public_keys.results }}"
+ when: item.changed
+ tags: ["wireguard::genkeys"]
+
+- name: Create /etc/wireguard directory
+ file:
+ name: "/etc/wireguard"
+ state: "directory"
+
+- name: Read private key and register it
+ set_fact:
+ _wireguard__private_key: "{{ lookup('file', secret + '/wireguard/' + item + '/keys/privatekey') }}"
+ loop: "{{ ansible_play_hosts }}"
+
+- name: Create wireguard config files
+ template:
+ src: wg.conf.j2
+ dest: "/etc/wireguard/wg0.conf"
+ mode: 0600
+ become: True
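Review bot: The `Read private key and register it` task runs `set_fact` in a loop over `ansible_play_hosts`, so the fact is overwritten on every iteration and each host templates the *last* play host's private key into its wg0.conf — one private key ends up shared by every host and it no longer matches the public key its peers were handed. Drop the loop and read the host's own key: `_wireguard__private_key: "{{ lookup('file', secret + '/wireguard/' + inventory_hostname + '/keys/privatekey') }}"`. The `Save private keys` and `Get public keys` tasks loop over `wg__private_keys.results`, so the default loop label prints each result dict — `stdout` with the private key included — in normal play output, and the `wg genkey` and `set_fact` tasks expose the key at `-v`; all four need `no_log: true`. The `Save private keys` copy sets no `mode`, so the stash file is created under the controller's umask; add `mode: '0600'`. Minor: `Get public keys` is the only delegated task without `become: False` / `run_once: True`, and the template task's `mode: 0600` / `become: True` should be written `mode: '0600'` / `become: true`.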
diff --git a/ansible/roles/wireguard/templates/wg.conf.j2 b/ansible/roles/wireguard/templates/wg.conf.j2
@@ -0,0 +1,44 @@
+[Interface]
+Address = {{ wireguard__host_ip }}
+PrivateKey = {{ _wireguard__private_key }}
+{% if wireguard__listen_port is defined %}
+ListenPort = {{ wireguard__listen_port }}
+{% endif %}
+
+{% if wireguard__group_peers is defined %}
+{% for peer in wireguard__group_peers %}
+[Peer]
+{% if peer.public_key is defined %}
+PublicKey = {{ peer.public_key }}
+{% endif %}
+{% if peer.public_key_host is defined %}
+PublicKey = {{ lookup("password", secret + "/wireguard/" + peer.public_key_host + "/keys/publickey") }}
+{% endif %}
+AllowedIPs = {{ peer.allowed_ips }}
+{% if peer.endpoint is defined %}
+Endpoint = {{ peer.endpoint }}
+{% endif %}
+{% if peer.keepalive is defined %}
+PersistentKeepalive = {{ peer.keepalive }}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% if wireguard__host_peers is defined %}
+{% for peer in wireguard__host_peers %}
+[Peer]
+{% if peer.public_key is defined %}
+PublicKey = {{ peer.public_key }}
+{% endif %}
+{% if peer.public_key_host is defined %}
+PublicKey = {{ lookup("password", secret + "/wireguard/" + peer.public_key_host + "/keys/publickey") }}
+{% endif %}
+AllowedIPs = {{ peer.allowed_ips }}
+{% if peer.endpoint is defined %}
+Endpoint = {{ peer.endpoint }}
+{% endif %}
+{% if peer.keepalive is defined %}
+PersistentKeepalive = {{ peer.keepalive }}
+{% endif %}
+{% endfor %}
+{% endif %}
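Review bot: Both `public_key_host` branches read the peer's public key with `lookup("password", ...)`, which is the wrong lookup: if the file is absent (peer not in this play, or keys not yet generated) the password lookup silently *creates* it with a random string, so wg0.conf gets a bogus `PublicKey =` and the secret stash gains a junk file at that path; it only works today because an existing file is read back as-is. Use the file lookup, `PublicKey = {{ lookup("file", secret + "/wireguard/" + peer.public_key_host + "/keys/publickey") }}`, so a missing key fails the play instead. A peer that sets both `public_key` and `public_key_host` currently renders two `PublicKey` lines and one with neither renders none; chaining the second test as `{% elif peer.public_key_host is defined %}` and adding an `{% else %}` that raises with a clear message would catch both. The group and host `[Peer]` loops are byte-identical; a single loop over `{% for peer in wireguard__group_peers | default([]) + wireguard__host_peers | default([]) %}` would remove the duplication and the two `is defined` guards.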