
add wireguard

This commit is contained in:
Massaki Archambault 2023-12-23 16:36:22 -05:00
parent fe3c000096
commit 0357a7c29e
7 changed files with 94 additions and 3 deletions


@ -148,4 +148,15 @@ letsencrypt:
31653964336664313261373031613566636337643934316430306638626631633434366164306639
30616238613334633933343339393938326561633036633062323463636161336665373732626330
37386264353239353435643266333033353931336637343038353765396134333763386637653638
35343739666634323562
35343739666634323562
wireguard:
address: 10.100.0.1/24
port: 7353
peers:
# pixel
- public_key: 3mkPtY29F3/0WhSIEUkSAHJexJWOJfFzc6LOzBX9Hjc=
allowed_ips: 10.100.0.2/32
# pallet
# - public_key: ZbLgn0EnkKbv8L6nxysix/fRoASNGFIIvEuLn/aLbm4=
# allowed_ips: 10.100.0.3/32

hosts

@ -18,7 +18,7 @@ all:
ansible_host: 192.168.10.11
vfio_pci_ids:
- '1000:0086' # Broadcom / LSI SAS2308 PCI-Express Fusion-MPT SAS-2
bastions:
bastion:
hosts:
bastion:
ansible_host: 192.168.20.10
@ -74,7 +74,7 @@ all:
ansible_host: 192.168.20.2
children:
proxmox:
bastions:
bastion:
k3s:
plex:
minecraft-server:


@ -17,6 +17,7 @@
roles:
- haproxy
- bastion
- wireguard
- hosts: plex
roles:


@ -0,0 +1,4 @@
wireguard:
address: 10.125.37.20/24
port: 51845
peers: []


@ -0,0 +1,8 @@
- name: Restart wg0
service:
name: wg-quick@wg0
enabled: true
state: restarted
- name: Reboot
reboot:
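Review bot: The `Reboot` handler exists only to apply the `net.ipv4.ip_forward=1` line that the tasks file in this commit writes with `lineinfile` (the task ends with `notify: Reboot`), which takes the bastion offline for a setting the kernel can pick up at once. The `sysctl` module does both halves in one task: `sysctl: {name: net.ipv4.ip_forward, value: '1', sysctl_set: true, state: present, reload: true}` persists the line and applies it, so the handler and the `notify: Reboot` can be dropped. If a reboot is still wanted for other reasons, the handler should say so in a comment, because as written nothing indicates why a VPN role reboots the host.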


@ -0,0 +1,52 @@
- name: Install wireguard
apt:
name:
- wireguard
- wireguard-tools
- name: Create wireguard configuration directory
file:
path: /etc/wireguard
state: directory
mode: '700'
- name: Check if public key exists
stat:
path: /etc/wireguard/public.key
register: public_key_stats
- name: Generate private key
shell: wg genkey >/etc/wireguard/private.key
args:
creates: /etc/wireguard/private.key
register: private_key_gen
- name: Fetch private key
command: cat /etc/wireguard/private.key
register: private_key
- name: Generate public key
shell: cat /etc/wireguard/private.key | wg pubkey >/etc/wireguard/public.key
when: not public_key_stats.stat.exists or private_key_gen.changed
- name: Fetch public key
command: cat /etc/wireguard/public.key
register: public_key
- name: Print public key
debug:
msg: '{{public_key.stdout}}'
- name: Install wireguard configuration
template:
src: wg0.conf
dest: /etc/wireguard/wg0.conf
notify: Restart wg0
- name: Enable ipv4 packet forwarding
lineinfile:
path: /etc/sysctl.conf
regexp: '^#?net.ipv4.ip_forward='
line: net.ipv4.ip_forward=1
notify: Reboot
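Review bot: The private key is created, read and rendered with default permissions and no log suppression: `wg genkey >/etc/wireguard/private.key` leaves the file at the shell's default umask, `Fetch private key` registers the key in `private_key` without `no_log`, so it shows up in verbose output and any logging callback, and `Install wireguard configuration` writes wg0.conf, which embeds `PrivateKey`, with no `mode`. The `700` directory limits exposure to root but the key material itself should still be 0600 and kept out of the run log. The two `cat` fetch tasks also report changed on every run; `changed_when: false` keeps the play's change reporting honest (the `slurp` module with `b64decode` would avoid the shell round-trip entirely).

```yaml
- name: Generate private key
  shell: umask 077 && wg genkey >/etc/wireguard/private.key
  args:
    creates: /etc/wireguard/private.key
  register: private_key_gen
- name: Fetch private key
  command: cat /etc/wireguard/private.key
  register: private_key
  changed_when: false
  no_log: true
# … unchanged: Generate public key, Fetch public key (add changed_when: false), Print public key …
- name: Install wireguard configuration
  template:
    src: wg0.conf
    dest: /etc/wireguard/wg0.conf
    mode: '0600'
  notify: Restart wg0
# … unchanged: Enable ipv4 packet forwarding …
```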


@ -0,0 +1,15 @@
[Interface]
# This is the virtual IP address, with the subnet mask we will use for the VPN. Note that this must not be on our LAN subnet and should be an uncommon subnet to avoid address conflicts
Address = {{ wireguard.address }}
ListenPort = {{ wireguard.port }}
PostUp = iptables -w -t nat -A POSTROUTING -o {{ ansible_facts.interfaces[1] }} -j MASQUERADE; ip6tables -w -t nat -A POSTROUTING -o {{ ansible_facts.interfaces[1] }} -j MASQUERADE
PostDown = iptables -w -t nat -D POSTROUTING -o {{ ansible_facts.interfaces[1] }} -j MASQUERADE; ip6tables -w -t nat -D POSTROUTING -o {{ ansible_facts.interfaces[1] }} -j MASQUERADE
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ ansible_facts.interfaces[1] }} -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ ansible_facts.interfaces[1] }} -j MASQUERADE
PrivateKey = {{ private_key.stdout }}
{% for peer in wireguard.peers %}
[Peer]
PublicKey = {{ peer.public_key }}
AllowedIps = {{ peer.allowed_ips }}
{% endfor %}
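Review bot: `ansible_facts.interfaces[1]` in the PostUp and PostDown lines selects the egress interface by its position in the gathered interface list, whose order is not guaranteed, so a host that gains a bridge, VLAN or container interface can end up masquerading on the wrong device and silently break peer traffic. `ansible_facts.default_ipv4.interface` names the interface that carries the default route, which is what the NAT rule is for; replacing the four occurrences with it (or with a `wireguard.egress_interface` variable defaulting to that fact) removes the guess. Two smaller points: the canonical key spelling is `AllowedIPs` — wg appears to match keys case-insensitively, but the mixed form is easy to misread — and with the FORWARD rules left commented out, traffic between peers and the LAN depends on the host's default FORWARD policy, which deserves a one-line comment stating that assumption.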