Merge bfcfbd8362
into d5b81cb75e
commit
408123281b
|
@ -1,6 +1,10 @@
|
|||
Changelog
|
||||
---------
|
||||
|
||||
**6.4.0**
|
||||
|
||||
- Allow to generate keys and configuration for non-ansible hosts like smartphones with `wireguard_unmanaged_hosts` (see `defaults/main.yml`) (contribution by @juju4)
|
||||
|
||||
**6.3.1**
|
||||
|
||||
- Support Openstack Debian images (contribution by @pallinger)
|
||||
|
@ -34,6 +38,7 @@ Changelog
|
|||
|
||||
The backports repository has a lower priority and does not need an apt preference.
|
||||
|
||||
|
||||
**6.0.3**
|
||||
|
||||
- If `wg syncconf` command is not available do stop/start service instead of restart (contribution by @cristichiru)
|
||||
|
|
14
README.md
14
README.md
|
@ -257,6 +257,20 @@ Endpoint = server.at.home.p.domain.tld:51820
|
|||
|
||||
The other WireGuard config files (`wg0.conf` by default) looks similar but of course `[Interface]` includes the config of that specific host and the `[Peer]` entries lists the config of the other hosts.
|
||||
|
||||
The following variable allows to configure unmanaged hosts which are not configured by Ansible, typically smartphones and tablets. In this case, private key and client configuration are generated on Wireguard hub. They can be shared through qrcode (also see https://fukuchi.org/works/qrencode/).
|
||||
|
||||
Example: `qrencode --type=ANSIUTF8 < /etc/wireguard/{{ item.item.host }}.conf`
|
||||
|
||||
```
|
||||
wireguard_unmanaged_hosts:
|
||||
- host: 'test'
|
||||
allowed_ips: 10.200.10.10/32
|
||||
dns: 10.200.10.1
|
||||
- host: 'test2'
|
||||
allowed_ips: 10.200.10.11/32
|
||||
dns: 10.200.10.1
|
||||
```
|
||||
|
||||
Example Playbook
|
||||
----------------
|
||||
|
||||
|
|
|
@ -12,6 +12,13 @@ wireguard_port: "51820"
|
|||
# The default interface name that wireguard should use if not specified otherwise.
|
||||
wireguard_interface: "wg0"
|
||||
|
||||
#wireguard_unmanaged_hosts:
|
||||
# - host: 'test1'
|
||||
# allowed_ips: 10.200.10.10/32
|
||||
# dns: 10.200.10.1
|
||||
# - host: 'test2'
|
||||
# allowed_ips: 10.200.10.11/32
|
||||
# dns: 10.200.10.1
|
||||
|
||||
#######################################
|
||||
# Settings only relevant for Ubuntu
|
||||
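Review bot: The commented example starting at `#wireguard_unmanaged_hosts:` does not say which keys are required, although the template that consumes it (`wg-unmanaged.conf.j2`, added in this commit) uses `host` and `allowed_ips` unconditionally and only guards `dns` with `{% if item.item.dns is defined %}`. A comment above the example would spare users a templating error, e.g. `# host and allowed_ips are required; dns is optional and is only written to the client config when set`. Since `host` is interpolated into file names under `wireguard_remote_directory` by the key tasks, it is also worth stating that it should be a plain hostname-like string.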
|
|
|
@ -97,6 +97,46 @@
|
|||
tags:
|
||||
- wg-config
|
||||
|
||||
- block:
|
||||
- name: Create private key for unmanaged hosts
|
||||
shell: |
|
||||
set -o errexit
|
||||
set -o pipefail
|
||||
wg genkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-privatekey
|
||||
exit 0
|
||||
args:
|
||||
executable: /bin/bash
|
||||
creates: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
|
||||
register: uh_private_key
|
||||
with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
|
||||
|
||||
- name: Validate permissions of unmanaged hosts' private keys
|
||||
file:
|
||||
path: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
|
||||
mode: '0400'
|
||||
with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
|
||||
|
||||
- name: Recover existing private key for unmanaged hosts
|
||||
shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
|
||||
register: uh_private_key
|
||||
changed_when: false
|
||||
with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
|
||||
|
||||
- name: Derive WireGuard public key for unmanaged hosts
|
||||
shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey | wg pubkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
|
||||
args:
|
||||
creates: "{{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
|
||||
executable: "/bin/bash"
|
||||
register: uh_public_key
|
||||
with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
|
||||
|
||||
- name: Recover existing public key for unmanaged hosts
|
||||
shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
|
||||
register: uh_public_key
|
||||
changed_when: false
|
||||
with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
|
||||
when: wireguard_unmanaged_hosts is defined and wireguard_unmanaged_hosts
|
||||
|
||||
- name: Generate WireGuard configuration file
|
||||
template:
|
||||
src: wg.conf.j2
|
||||
|
@ -109,6 +149,15 @@
|
|||
notify:
|
||||
- reconfigure wireguard
|
||||
|
||||
- name: Generate WireGuard configuration file for unmanaged systems
|
||||
template:
|
||||
src: wg-unmanaged.conf.j2
|
||||
dest: "{{ wireguard_remote_directory }}/{{ item.item.host }}.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
with_items: "{{ uh_private_key.results }}"
|
||||
|
||||
- name: Check if reload-module-on-update is set
|
||||
stat:
|
||||
path: "{{ wireguard_remote_directory }}/.reload-module-on-update"
|
||||
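Review bot: The `Create private key for unmanaged hosts` task writes the key with `wg genkey | tee ...` under the default umask and registers the command's stdout, so the private key is readable by other users until the later `file` task applies `'0400'`, and it is printed in the play output for every item of both this task and `Recover existing private key for unmanaged hosts`. Adding `umask 077` as the first line of the script and `no_log: true` on the two tasks that register `uh_private_key` closes both gaps; the managed-host key tasks above this hunk are outside the view, so I cannot tell whether they already do this. In the second hunk of this file the template task uses `mode: 0600` unquoted while the `file` task here uses `'0400'`; a YAML parser reads the bare octal as the integer 384, which Ansible handles but warns about, so `mode: '0600'` is the safer and consistent form. Nothing in the hunk restricts key generation to a single hub (no `run_once`/`delegate_to`), so if the role is applied to several managed hosts each will generate a different key for the same unmanaged host name; if that is intended it deserves a comment, otherwise the block needs scoping.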
|
|
|
@ -0,0 +1,16 @@
|
|||
{{ ansible_managed | comment }}
|
||||
# For unmanaged host {{ item.item.host }}
|
||||
# qrencode -t ansiutf8 < /etc/wireguard/{{ item.item.host }}.conf
|
||||
[Interface]
|
||||
PrivateKey = {{ item.stdout }}
|
||||
Address = {{ item.item.allowed_ips }}
|
||||
{% if item.item.dns is defined %}
|
||||
DNS = {{ item.item.dns }}
|
||||
{% endif %}
|
||||
|
||||
[Peer]
|
||||
Endpoint = {{ wireguard_endpoint }}:{{ wireguard_port }}
|
||||
PublicKey = {{ public_key }}
|
||||
# PresharedKey =
|
||||
# Using the catch-all AllowedIPs = 0.0.0.0/0, ::/0 will forward all IPv4 (0.0.0.0/0) and IPv6 (::/0) traffic over the VPN.
|
||||
AllowedIPs = 0.0.0.0/0, ::/0
|
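Review bot: `AllowedIPs = 0.0.0.0/0, ::/0` is hardcoded, so every unmanaged client is configured as a full tunnel regardless of what the hub routes, while the comment on the line above reads as if it were an optional choice. Reading it from the host entry with a default, e.g. `AllowedIPs = {{ item.item.client_allowed_ips | default('0.0.0.0/0, ::/0') }}` (key name to be chosen and documented next to `allowed_ips`/`dns`), keeps the current behaviour and allows a split tunnel to be declared per host. `{{ public_key }}` and `{{ wireguard_endpoint }}` are not set anywhere in this commit, so they presumably come from the hub's own key tasks earlier in `tasks/main.yml`; a hedged comment such as `# assumes public_key is the hub's own public key — confirm` would help because this template is rendered inside a loop over `uh_private_key.results`. Note also that `Address` reuses the peer's `allowed_ips`, which only yields a correct interface address when that value is a single-host prefix.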
|
@ -68,3 +68,12 @@ SaveConfig = true
|
|||
{% endif %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% if wireguard_unmanaged_hosts is defined %}
|
||||
{% for hostdata in uh_public_key.results %}
|
||||
|
||||
[Peer]
|
||||
# {{ hostdata.item.host }}
|
||||
PublicKey = {{ hostdata.stdout }}
|
||||
AllowedIPs = {{ hostdata.item.allowed_ips}}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
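Review bot: The guard `{% if wireguard_unmanaged_hosts is defined %}` is weaker than the `when: wireguard_unmanaged_hosts is defined and wireguard_unmanaged_hosts` used on the task side; when the variable is defined but empty the loop over `uh_public_key.results` is probably harmless (an empty loop should register an empty `results` list), but mirroring the condition, `{% if wireguard_unmanaged_hosts is defined and wireguard_unmanaged_hosts %}`, makes the intent explicit instead of relying on that. Style: `{{ hostdata.item.allowed_ips}}` is missing the space before `}}` that every other expression in this file has — `AllowedIPs = {{ hostdata.item.allowed_ips }}`. No `PresharedKey` is emitted on either side (the client template carries it only as a comment), which is fine but worth a one-line comment in this `[Peer]` stanza so it is not mistaken for an omission.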
|
|