aboutsummaryrefslogtreecommitdiff
path: root/ansible/roles/network
diff options
context:
space:
mode:
Diffstat (limited to 'ansible/roles/network')
-rw-r--r--ansible/roles/network/handlers/main.yml5
-rw-r--r--ansible/roles/network/tasks/main.yml46
-rw-r--r--ansible/roles/network/templates/rules.v4.j24
-rw-r--r--ansible/roles/network/templates/wireguard.conf.j212
4 files changed, 65 insertions, 2 deletions
diff --git a/ansible/roles/network/handlers/main.yml b/ansible/roles/network/handlers/main.yml
new file mode 100644
index 0000000..30bdf2b
--- /dev/null
+++ b/ansible/roles/network/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload wireguard
+ service:
+ name: wg-quick@wgdeuxfleurs
+ state: restarted
diff --git a/ansible/roles/network/tasks/main.yml b/ansible/roles/network/tasks/main.yml
index 1443e0c..e8e059a 100644
--- a/ansible/roles/network/tasks/main.yml
+++ b/ansible/roles/network/tasks/main.yml
@@ -9,3 +9,49 @@
name: net.ipv4.ip_forward
value: "1"
sysctl_set: yes
+
+# Wireguard configuration
+- name: "Enable backports repository"
+ apt_repository:
+ repo: deb http://deb.debian.org/debian buster-backports main
+ state: present
+
+- name: "Install wireguard"
+ apt:
+ name:
+ - wireguard
+ - wireguard-tools
+ - "linux-headers-{{ ansible_kernel }}"
+ state: present
+
+- name: "Create wireguard configuration direcetory"
+ file: path=/etc/wireguard/ state=directory
+
+- name: "Check if wireguard private key exists"
+ stat: path=/etc/wireguard/privkey
+ register: wireguard_privkey
+
+- name: "Create wireguard private key"
+ shell: wg genkey > /etc/wireguard/privkey
+ when: wireguard_privkey.stat.exists == false
+ notify:
+ - reload wireguard
+
+- name: "Secure wireguard private key"
+ file: path=/etc/wireguard/privkey mode=0600
+
+- name: "Retrieve wireguard private key"
+ shell: cat /etc/wireguard/privkey
+ register: wireguard_privkey
+
+- name: "Retrieve wireguard public key"
+ shell: wg pubkey < /etc/wireguard/privkey
+ register: wireguard_pubkey
+
+- name: "Deploy wireguard configuration"
+ template: src=wireguard.conf.j2 dest=/etc/wireguard/wgdeuxfleurs.conf mode=0600
+ notify:
+ - reload wireguard
+
+- name: "Enable Wireguard systemd service at boot"
+ service: name=wg-quick@wgdeuxfleurs state=started enabled=yes daemon_reload=yes
diff --git a/ansible/roles/network/templates/rules.v4.j2 b/ansible/roles/network/templates/rules.v4.j2
index a446139..ef2cf64 100644
--- a/ansible/roles/network/templates/rules.v4.j2
+++ b/ansible/roles/network/templates/rules.v4.j2
@@ -10,8 +10,8 @@
-A INPUT -s 192.168.1.254 -j ACCEPT
-A INPUT -s 82.253.205.190 -j ACCEPT
{% for selected_host in groups['cluster_nodes'] %}
--A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -j ACCEPT
--A INPUT -s {{ hostvars[selected_host]['private_ip'] }} -j ACCEPT
+-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -p udp --dport 51820 -j ACCEPT
+-A INPUT -s {{ hostvars[selected_host]['vpn_ip'] }} -j ACCEPT
{% endfor %}
# Local
diff --git a/ansible/roles/network/templates/wireguard.conf.j2 b/ansible/roles/network/templates/wireguard.conf.j2
new file mode 100644
index 0000000..907d546
--- /dev/null
+++ b/ansible/roles/network/templates/wireguard.conf.j2
@@ -0,0 +1,12 @@
+[Interface]
+Address = {{ vpn_ip }}
+PrivateKey = {{ wireguard_privkey.stdout }}
+ListenPort = 51820
+
+{% for selected_host in groups['cluster_nodes']|difference([inventory_hostname]) %}
+[Peer]
+PublicKey = {{ hostvars[selected_host].wireguard_pubkey.stdout }}
+Endpoint = {{ hostvars[selected_host].public_ip }}:{{ hostvars[selected_host].public_vpn_port }}
+AllowedIPs = {{ hostvars[selected_host].vpn_ip }}/32
+PersistentKeepalive = 25
+{% endfor %}
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-25 12:07:08 +0000