first working version

2018-07-18 23:57:27 +02:00 · 2018-07-18 23:57:27 +02:00 · 977b21147a
parent 6517b8cdba
commit 977b21147a
3 changed files with 76 additions and 36 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -18,9 +18,7 @@ wireguard_port: "51820"
 # The interface name that wireguard should use.
 wireguard_interface: "wg0"

-wireguard_server_conf: |
-  [Interface]
-  PrivateKey = {{wg_server_privatekey }}
-  Address = {{wireguard_ip}}
-  ListenPort = {{wireguard_port}}
-  SaveConfig = true 
+# TODO: Currently the role only supports full mesh network. But there
+# should also be the possibility to have only one server and many
+# peers. Needs to be implemented so this variable isn't used yet.
+# wireguard_server: ""
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,15 +1,11 @@
 ---
- name: Determine kernel release
-  shell: "uname -r"
-  register: kernel_release
-
 - name: Install required packages
  package:
    name: "{{item}}"
    state: present
  with_items:
    - software-properties-common
-    - linux-headers-{{kernel_release}}
+    - linux-headers-{{ansible_kernel}}

 - name : Add WireGuard repository
  apt_repository:
@ -43,11 +39,23 @@
  run_once: true
  delegate_to: localhost

+- name: Set path to private key file
+  set_fact:
+    private_key_file_path: "{{wireguard_cert_directory}}/{{inventory_hostname}}.private.key"
+  tags:
+    wg-config
+
+- name: Set path to public key file
+  set_fact:
+    public_key_file_path: "{{wireguard_cert_directory}}/{{inventory_hostname}}.public.key"
+  tags:
+    wg-config
+
 - name: Register if private key already exists
  local_action:
    module: stat
-    path: "{{wireguard_cert_directory}}/{{inventory_hostname}}.private.key"
-  register: private_key_file
+    path: "{{private_key_file_path}}"
+  register: private_key_file_stat
  tags:
    - wg-generate-keys

@ -56,21 +64,21 @@
  register: wg_private_key_result
  with_inventory_hostnames:
    - vpn
-  when: private_key_file.stat.exists == False
+  when: private_key_file_stat.stat.exists == False
  tags:
    - wg-generate-keys

 - name: Set private key fact
  set_fact:
    wg_private_key: "{{wg_private_key_result.results[0].stdout}}"
-  when: private_key_file.stat.exists == False
+  when: private_key_file_stat.stat.exists == False
  tags:
    - wg-generate-keys

 - name: Generate WireGuard public key
  shell: "echo '{{wg_private_key}}' | wg pubkey"
  register: wg_public_key_result
-  when: private_key_file.stat.exists == False
+  when: private_key_file_stat.stat.exists == False
  with_inventory_hostnames:
    - vpn
  tags:
@ -79,7 +87,7 @@
 - name: Set public key fact
  set_fact:
    wg_public_key: "{{wg_public_key_result.results[0].stdout}}"
-  when: private_key_file.stat.exists == False
+  when: private_key_file_stat.stat.exists == False
  tags:
    - wg-generate-keys

@ -87,9 +95,9 @@
  local_action:
    module: template
    src: "wg-privatekey.j2"
-    dest: "{{wireguard_cert_directory}}/{{inventory_hostname}}.private.key"
+    dest: "{{private_key_file_path}}"
    mode: 0600
-  when: private_key_file.stat.exists == False
+  when: private_key_file_stat.stat.exists == False
  tags:
    - wg-generate-keys

@ -97,24 +105,44 @@
  local_action:
    module: template
    src: "wg-publickey.j2"
-    dest: "{{wireguard_cert_directory}}/{{inventory_hostname}}.public.key"
+    dest: "{{public_key_file_path}}"
    mode: 0600
-  when: private_key_file.stat.exists == False
+  when: private_key_file_stat.stat.exists == False
  tags:
    - wg-generate-keys

-  #- name: Generate WireGuard configuration file
-  #  template:
-  #    src: wireguard.conf.j2
-  #    dest: /etc/wireguard/wg0.conf
-  #    owner: root
-  #    group: root
-  #    mode: 0600
-  #    force: no
-  #
-  #
-  #- name: Start and enable WireGuard service
-  #  service:
-  #    name: wg-quick@wg0
-  #    state: started
-  #    enabled: yes
+- name: Read private key from local filesystem
+  set_fact:
+    private_key: "{{lookup('file', private_key_file_path)}}"
+  tags:
+    wg-config
+
+- name: Read public key from local filesystem
+  set_fact:
+    public_key: "{{lookup('file', public_key_file_path)}}"
+  tags:
+    wg-config
+
+- name: Create WireGuard configuration directory
+  file:
+    dest: "{{wireguard_remote_directory}}"
+    state: directory
+    mode: 0700
+  tags:
+    - wg-config
+
+- name: Generate WireGuard configuration file
+  template:
+    src: wg-fullmesh.conf.j2
+    dest: "{{wireguard_remote_directory}}/wg0.conf"
+    owner: root
+    group: root
+    mode: 0600
+  tags:
+    - wg-config
+
+- name: Start and enable WireGuard service
+  service:
+    name: wg-quick@wg0
+    state: started
+    enabled: yes
--- a/templates/wg-fullmesh.conf.j2
+++ b/templates/wg-fullmesh.conf.j2
@ -0,0 +1,14 @@
+#jinja2: trim_blocks:False
+[Interface]
+Address = {{vpn_ip}}
+PrivateKey = {{private_key}}
+ListenPort = {{wireguard_port}}
+
+{% for host in groups["vpn"] %}
+  {%- if host != inventory_hostname -%}
+    [Peer]
+    PublicKey = {{hostvars[host]['public_key']}}
+    AllowedIPs = {{hostvars[host]['vpn_ip']}}/32
+    Endpoint = {{host}}:{{wireguard_port}}
+  {%- endif -%}
+{% endfor %}