From 0357a7c29e8caf6f3c4f2388ef619f1b25063cc4 Mon Sep 17 00:00:00 2001
From: Massaki Archambault
Date: Sat, 23 Dec 2023 16:36:22 -0500
Subject: [PATCH] add wireguard
---
 group_vars/all.yml | 13 +++++++-
 hosts | 4 +--
 playbook.yml | 1 +
 roles/wireguard/defaults/main.yml | 4 +++
 roles/wireguard/handlers/main.yml | 8 +++++
 roles/wireguard/tasks/main.yml | 52 ++++++++++++++++++++++++++++++
 roles/wireguard/templates/wg0.conf | 15 +++++++++
 7 files changed, 94 insertions(+), 3 deletions(-)
 create mode 100644 roles/wireguard/defaults/main.yml
 create mode 100644 roles/wireguard/handlers/main.yml
 create mode 100644 roles/wireguard/tasks/main.yml
 create mode 100644 roles/wireguard/templates/wg0.conf
diff --git a/group_vars/all.yml b/group_vars/all.yml
index c2a1b49..3ff1809 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -148,4 +148,15 @@ letsencrypt:
 31653964336664313261373031613566636337643934316430306638626631633434366164306639
 30616238613334633933343339393938326561633036633062323463636161336665373732626330
 37386264353239353435643266333033353931336637343038353765396134333763386637653638
- 35343739666634323562
\ No newline at end of file
+ 35343739666634323562
+
+wireguard:
+ address: 10.100.0.1/24
+ port: 7353
+ peers:
+ # pixel
+ - public_key: 3mkPtY29F3/0WhSIEUkSAHJexJWOJfFzc6LOzBX9Hjc=
+ allowed_ips: 10.100.0.2/32
+ # pallet
+ # - public_key: ZbLgn0EnkKbv8L6nxysix/fRoASNGFIIvEuLn/aLbm4=
+ # allowed_ips: 10.100.0.3/32
\ No newline at end of file
diff --git a/hosts b/hosts
index e0ac922..d4a2053 100644
--- a/hosts
+++ b/hosts
@@ -18,7 +18,7 @@ all:
 ansible_host: 192.168.10.11
 vfio_pci_ids:
 - '1000:0086' # Broadcom / LSI SAS2308 PCI-Express Fusion-MPT SAS-2
- bastions:
+ bastion:
 hosts:
 bastion:
 ansible_host: 192.168.20.10
@@ -74,7 +74,7 @@ all:
 ansible_host: 192.168.20.2
 children:
 proxmox:
- bastions:
+ bastion:
 k3s:
 plex:
 minecraft-server:
diff --git a/playbook.yml b/playbook.yml
index 13fa960..d027b11 100644
--- a/playbook.yml
+++ b/playbook.yml
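Review bot: Renaming the group to `bastion` leaves the inventory with a group and a host of the same name (the `hosts:` entry `bastion:` sits directly under the renamed group), which Ansible flags at inventory load with "Found both group and host with same name: bastion" and which makes a play's `hosts: bastion` ambiguous to a reader even though the group wins. The old plural `bastions` avoided the clash; if the singular group name is wanted, rename the host instead, or otherwise keep `bastions:` here. The same rename is repeated in the second hunk under `children:` and would need the same treatment.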
@@ -17,6 +17,7 @@ roles:
 - haproxy
 - bastion
+ - wireguard
 - hosts: plex
 roles:
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
new file mode 100644
index 0000000..6401560
--- /dev/null
+++ b/roles/wireguard/defaults/main.yml
@@ -0,0 +1,4 @@
+wireguard:
+ address: 10.125.37.20/24
+ port: 51845
+ peers: []
\ No newline at end of file
diff --git a/roles/wireguard/handlers/main.yml b/roles/wireguard/handlers/main.yml
new file mode 100644
index 0000000..1861923
--- /dev/null
+++ b/roles/wireguard/handlers/main.yml
@@ -0,0 +1,8 @@
+- name: Restart wg0
+ service:
+ name: wg-quick@wg0
+ enabled: true
+ state: restarted
+
+- name: Reboot
+ reboot:
\ No newline at end of file
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..a66640f
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
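Review bot: Keeping every setting under the single `wireguard` mapping makes inventory overrides all-or-nothing: with Ansible's default `hash_behaviour=replace`, a group or host that sets only `wireguard.peers` replaces the whole mapping, `address` and `port` disappear, and the template later fails on the undefined keys. The usual role convention is flat prefixed variables that override independently — `wireguard_address: 10.125.37.20/24`, `wireguard_port: 51845`, `wireguard_peers: []` — with the template and group_vars/all.yml updated to match; if the mapping is kept, a comment in this file saying that an override must restate all three keys would at least document the trap. A one-line comment per key (what `address` is the tunnel address of, that `port` is the UDP listen port) would also help, since this file is the role's only reference.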
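Review bot: `state: restarted` on `wg-quick@wg0` tears down every active peer tunnel each time the rendered config changes, and the only notifier in this commit is the template task, so the common case of adding one peer disconnects all the others. A second handler that runs `shell: wg syncconf wg0 <(wg-quick strip wg0)` with `args: {executable: /bin/bash}` applies key and peer changes in place, leaving the restart for interface-level changes such as `Address` or `ListenPort`, which syncconf does not apply. `enabled: true` is also better placed in an ordinary task: a handler only runs when notified, so a play interrupted between the template and the handler leaves the unit disabled.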
@@ -0,0 +1,52 @@
+- name: Install wireguard
+ apt:
+ name:
+ - wireguard
+ - wireguard-tools
+
+- name: Create wireguard configuration directory
+ file:
+ path: /etc/wireguard
+ state: directory
+ mode: '700'
+
+
+- name: Check if public key exists
+ stat:
+ path: /etc/wireguard/public.key
+ register: public_key_stats
+
+- name: Generate private key
+ shell: wg genkey >/etc/wireguard/private.key
+ args:
+ creates: /etc/wireguard/private.key
+ register: private_key_gen
+
+- name: Fetch private key
+ command: cat /etc/wireguard/private.key
+ register: private_key
+
+- name: Generate public key
+ shell: cat /etc/wireguard/private.key | wg pubkey >/etc/wireguard/public.key
+ when: not public_key_stats.stat.exists or private_key_gen.changed
+
+- name: Fetch public key
+ command: cat /etc/wireguard/public.key
+ register: public_key
+
+- name: Print public key
+ debug:
+ msg: '{{public_key.stdout}}'
+
+- name: Install wireguard configuration
+ template:
+ src: wg0.conf
+ dest: /etc/wireguard/wg0.conf
+ notify: Restart wg0
+
+- name: Enable ipv4 packet forwarding
+ lineinfile:
+ path: /etc/sysctl.conf
+ regexp: '^#?net.ipv4.ip_forward='
+ line: net.ipv4.ip_forward=1
+ notify: Reboot
diff --git a/roles/wireguard/templates/wg0.conf b/roles/wireguard/templates/wg0.conf
new file mode 100644
index 0000000..999d2eb
--- /dev/null
+++ b/roles/wireguard/templates/wg0.conf
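Review bot: The WireGuard private key passes through Ansible in the clear in `Fetch private key` and `Install wireguard configuration`: the registered `private_key` result and the template's diff are printed under `-v`/`--diff` and end up in any configured log or callback, so both tasks need `no_log: true`. `wg genkey >/etc/wireguard/private.key` also creates the file under the shell's default umask, so the key is protected only by the directory's `mode: '700'`; generating it under `umask 077` and giving the rendered wg0.conf, which embeds the same key, `mode: '0600'` closes that. The two `cat` tasks report changed on every run, which hides real changes in the recap, so they want `changed_when: false`. Rebooting the host to apply `net.ipv4.ip_forward` is also heavier than needed: the `sysctl` module with `sysctl_set: true` and `reload: true` persists and applies the value immediately, after which the Reboot handler in handlers/main.yml is unused.
```yaml
- name: Generate private key
  shell: umask 077 && wg genkey >/etc/wireguard/private.key
  args:
    creates: /etc/wireguard/private.key
  register: private_key_gen

- name: Fetch private key
  command: cat /etc/wireguard/private.key
  register: private_key
  changed_when: false
  no_log: true

# … unchanged: Generate public key, Fetch public key (add changed_when: false), Print public key …

- name: Install wireguard configuration
  template:
    src: wg0.conf
    dest: /etc/wireguard/wg0.conf
    mode: '0600'
  no_log: true
  notify: Restart wg0

- name: Enable ipv4 packet forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: true
    state: present
    reload: true
```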
@@ -0,0 +1,15 @@
+[Interface]
+# This is the virtual IP address, with the subnet mask we will use for the VPN. Note that this must not be on our LAN subnet and should be an uncommon subnet to avoid address conflicts
+Address = {{ wireguard.address }}
+ListenPort = {{ wireguard.port }}
+PostUp = iptables -w -t nat -A POSTROUTING -o {{ ansible_facts.interfaces[1] }} -j MASQUERADE; ip6tables -w -t nat -A POSTROUTING -o {{ ansible_facts.interfaces[1] }} -j MASQUERADE
+PostDown = iptables -w -t nat -D POSTROUTING -o {{ ansible_facts.interfaces[1] }} -j MASQUERADE; ip6tables -w -t nat -D POSTROUTING -o {{ ansible_facts.interfaces[1] }} -j MASQUERADE
+#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ ansible_facts.interfaces[1] }} -j MASQUERADE
+#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ ansible_facts.interfaces[1] }} -j MASQUERADE
+PrivateKey = {{ private_key.stdout }}
+
+{% for peer in wireguard.peers %}
+[Peer]
+PublicKey = {{ peer.public_key }}
+AllowedIps = {{ peer.allowed_ips }}
+{% endfor %}
\ No newline at end of file
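Review bot: `{{ ansible_facts.interfaces[1] }}` in the PostUp/PostDown lines picks the NAT egress interface by its position in the facts list, whose order is not guaranteed and which gains a `wg0` entry once this role has run, so a later run can render the MASQUERADE rules against a different interface than the first one did and PostDown may then fail to remove what PostUp added. `{{ ansible_facts.default_ipv4.interface }}` names the interface carrying the default route, which is what these rules intend; exposing it as a role variable (for example `wireguard.interface`, defaulting to that fact) lets hosts with another layout override it. The `ip6tables` MASQUERADE rules are inert as written — no IPv6 `Address` is configured on the interface and the tasks only enable `net.ipv4.ip_forward` — so either drop them or complete the IPv6 side. A short comment above `PostUp` stating that the rules masquerade peer traffic out of the host's default interface would make the template's intent readable without the commented-out alternative lines.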