Compare commits
35 commits
Author | SHA1 | Date | |
---|---|---|---|
KemoNine | 53efc122e3 | ||
KemoNine | 0217d41830 | ||
KemoNine | ef8de286b1 | ||
KemoNine | fbc79beb72 | ||
KemoNine | d1ed058fa8 | ||
KemoNine | d00bcb7d6a | ||
KemoNine | 0afb85375e | ||
KemoNine | 1faf8d9f12 | ||
KemoNine | 8fc7870c76 | ||
d5b81cb75e | |||
1997b9d710 | |||
359d601008 | |||
2ef11ac648 | |||
9f76b8baf5 | |||
97f566ad85 | |||
04843b5394 | |||
13621d4d68 | |||
9be9694553 | |||
6348c48193 | |||
43ad9a1cfe | |||
a7ada33e73 | |||
3322faf576 | |||
8e7ed9e702 | |||
f97210d2ad | |||
63dfa963be | |||
7826119ea7 | |||
e59c8bd027 | |||
3af06352ae | |||
d281a98d5b | |||
7fcc0b22a0 | |||
a357e5fab1 | |||
9a0e70ee25 | |||
fa595d8f35 | |||
493d407637 | |||
5a1488a2cd |
82
CHANGELOG.md
82
CHANGELOG.md
|
@ -1,6 +1,88 @@
|
|||
Changelog
|
||||
---------
|
||||
|
||||
**6.3.1**
|
||||
|
||||
- Support Openstack Debian images (contribution by @pallinger)
|
||||
|
||||
**6.3.0**
|
||||
|
||||
- Support Raspbian (contribution by @penguineer)
|
||||
|
||||
**6.2.0**
|
||||
|
||||
- Support Ubuntu 20.04 (Focal Fossa)
|
||||
- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specifiy individual Ubuntu package cache settings. Default values are the same as before.
|
||||
- As kernel >= 5.6 (and kernel 5.4 in Ubuntu 20.04) now have `wireguard` module included `wireguard-dkms` package is no longer needed in that case. That's why WireGuard package installation is now part of the includes for the specific OS to make it easier to handle various cases.
|
||||
|
||||
**6.1.0**
|
||||
|
||||
- Archlinux: Linux kernel >= 5.6 contains `wireguard` module now. No need to install `wireguard-dkms` anymore in this case. Installations with LTS kernel installs `wireguard-lts` package now instead of `wireguard-dkms`. Installations with kernel <= 5.6 will still install `wireguard-dkms` package.
|
||||
|
||||
**6.0.4**
|
||||
|
||||
- Use the buster-backports repository on Debian Buster (or older), use package standard repositories on sid/bullseye.
|
||||
standard repositories on sid/bullseye.
|
||||
|
||||
The role no longer adds the unstable _repo_ nor the _apt preference_ for that repo. There is no need to clean the preference and unstable repository, since packages from your release have a higher priority.
|
||||
|
||||
If you remove the apt preference (`/etc/apt/preferences.d/limit-unstable`) updates from `unstable` are accepted by apt. This likely is not what you want and may lead to an unstable state.
|
||||
|
||||
If you want to clean up:
|
||||
* remove `/etc/apt/preferences.d/limit-unstable` and
|
||||
* remove `deb http://deb.debian.org/debian/ unstable main` from `/etc/apt/sources.list.d/deb_debian_org_debian.list`.
|
||||
|
||||
The backports repository has a lower priority and does not need an apt preference.
|
||||
|
||||
**6.0.3**
|
||||
|
||||
- If `wg syncconf` command is not available do stop/start service instead of restart (contribution by @cristichiru)
|
||||
|
||||
**6.0.2**
|
||||
|
||||
- Debian: install `gnupg` package instead of `gpg`. (contribution by @zinefer)
|
||||
|
||||
**6.0.1**
|
||||
|
||||
- add shell options to syncconf handler to fail fast in case of error
|
||||
|
||||
**6.0.0**
|
||||
|
||||
- Newer versions of WireGuard (around November 2019) introduced `wg syncconf` subcommand. This has the advantage that changes to the WireGuard configuration can be applied without disturbing existing connections. With this change this role tries to use `wg syncconf` subcommand when available. This even works if you have hosts with older and newer WireGuard versions.
|
||||
|
||||
**5.0.0**
|
||||
|
||||
- `wireguard_(preup|postdown|preup|predown)` settings are now a list. If more `iptables` commands needs to be specified e.g. then this changes makes it more readable. The commands are executed in order as described in [wg-quick.8](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8). Also see README for more examples. (contribution by @Madic-)
|
||||
|
||||
**4.2.0**
|
||||
|
||||
- Add support for Fedora (contribution by @ties)
|
||||
|
||||
|
||||
**4.1.1**
|
||||
|
||||
- Install GPG to be able to import WireGuard key (Debian)
|
||||
|
||||
**4.1.0**
|
||||
|
||||
- Allow to specifiy additional Wireguard interface options: `fwmark`, `mtu`, `table`, `preup` and `predown` (for more information and examples see [wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8))
|
||||
- Add host comments in Wireguard config file
|
||||
|
||||
**4.0.0**
|
||||
|
||||
- While the changes introduced are backwards compatible in general if you stay with your current settings some variables are no longer needed. So this is partly a breaking change and therefore justifies a new major version.
|
||||
- Support multiple Wireguard interfaces. See README for examples (contribution by fbourqui)
|
||||
- Make role stateless: In the previous versions the private and public keys of the Wireguard hosts were stored locally in the directory defined with the `wireguard_cert_directory` variable. This is no longer the case. The variables `wireguard_cert_directory`, `wireguard_cert_owner` and `wireguard_cert_group` are no longer needed and were removed. If you used this role before this release it's safe to remove them from your settings. The directory that was defined with the `wireguard_cert_directory` variable will be kept. While not tested it may enable you to go back to an older version of this role and it should still work (contribution by fbourqui)
|
||||
- Reminder: `wireguard_cert_directory` default was `~/wireguard/certs`. Public and Private keys where stored on the host running ansible playbook. As a security best practice private keys of all your WireGuard endpoints should not be kept locally.
|
||||
|
||||
**3.2.2**
|
||||
|
||||
- remove unneeded `with_inventory_hostnames` loops (thanks to pierreozoux for initial PR)
|
||||
|
||||
**3.2.1**
|
||||
|
||||
- remove unecessary files (contribution by pierreozoux)
|
||||
|
||||
**3.2.0**
|
||||
|
||||
- add support for RHEL/CentOS (contribution by ahanselka)
|
||||
|
|
113
README.md
113
README.md
|
@ -1,3 +1,5 @@
|
|||
# Fork of https://github.com/githubixx/ansible-role-wireguard.git with some minor tweaks to ensure PiFrameFleet can be provisioned properly
|
||||
|
||||
ansible-role-wireguard
|
||||
======================
|
||||
|
||||
|
@ -7,7 +9,7 @@ I used [PeerVPN](https://peervpn.net/) before but that wasn't updated for a whil
|
|||
|
||||
In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/).
|
||||
|
||||
This role was tested with Ubuntu 18.04 (Bionic Beaver), Debian 9 (Stretch) and Archlinux. It might also work with Ubuntu 16.04 (Xenial Xerus) but haven't tested it. If someone tested it let me please know if it works ;-)
|
||||
This role is tested with Ubuntu 18.04 (Bionic Beaver), Ubuntu 20 (Focal Fossa) and Archlinux. Ubuntu 16.04 (Xenial Xerus), Debian 9 (Stretch), Debian 10 (Buster), Fedora 31 (or later) and CentOS 7 might also work or other distributions but haven't tested it (code for this operating systems was submitted by other contributors). If someone tested it let me please know if it works or send a pull request to make it work ;-)
|
||||
|
||||
Versions
|
||||
--------
|
||||
|
@ -17,7 +19,7 @@ I tag every release and try to stay with [semantic versioning](http://semver.org
|
|||
Requirements
|
||||
------------
|
||||
|
||||
By default port `51820` (protocol UDP) should be accessable from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward `. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere. You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things.
|
||||
By default port `51820` (protocol UDP) should be accessable from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward `. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere. You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things. Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good place to do some network related stuff before a WireGuard interface comes up or goes down.
|
||||
|
||||
Changelog
|
||||
---------
|
||||
|
@ -27,28 +29,16 @@ see [CHANGELOG.md](https://github.com/githubixx/ansible-role-wireguard/blob/mast
|
|||
Role Variables
|
||||
--------------
|
||||
|
||||
This variables can be changed in `group_vars/`:
|
||||
These variables can be changed in `group_vars/`:
|
||||
|
||||
```
|
||||
# The LOCAL directory where the WireGuard certificates are stored after they
|
||||
# were generated. By default this will expand to user's LOCAL ${HOME}
|
||||
# (the user that run's "ansible-playbook" command) plus
|
||||
# "/wireguard/certs". That means if the user's ${HOME} directory is e.g.
|
||||
# "/home/da_user" then "wireguard_cert_directory" will have a value of
|
||||
# "/home/da_user/wireguard/certs". If you change this make sure that
|
||||
# the parent directory is writable by the user that runs "ansible-playbook"
|
||||
# command.
|
||||
wireguard_cert_directory: "{{ '~/wireguard/certs' | expanduser }}"
|
||||
wireguard_cert_owner: "root"
|
||||
wireguard_cert_group: "root"
|
||||
|
||||
# Directory to store WireGuard configuration on the remote hosts
|
||||
wireguard_remote_directory: "/etc/wireguard"
|
||||
|
||||
# The port WireGuard will listen on.
|
||||
# The default port WireGuard will listen if not specified otherwise.
|
||||
wireguard_port: "51820"
|
||||
|
||||
# The interface name that wireguard should use.
|
||||
# The default interface name that wireguard should use if not specified otherwise.
|
||||
wireguard_interface: "wg0"
|
||||
```
|
||||
|
||||
|
@ -88,18 +78,44 @@ Endpoint = controller01.p.domain.tld:51820
|
|||
|
||||
Now this is basically the same as above BUT now the config says: I want to route EVERY traffic originating from my workstation to the endpoint `controller01.p.domain.tld:51820`. If that endpoint can handle the traffic is of course another thing and it's up to you how you configure the endpoint routing ;-)
|
||||
|
||||
You can specify further optional settings (they don't have a default and won't be set if not specified besides `wireguard_allowed_ips` as already mentioned) also per host in `host_vars/` (or in your Ansible hosts file if you like):
|
||||
You can specify further optional settings (they don't have a default and won't be set if not specified besides `wireguard_allowed_ips` as already mentioned) also per host in `host_vars/` (or in your Ansible hosts file if you like). The values for the following variables are just examples and no defaults (for more information and examples see [wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8)):
|
||||
|
||||
```
|
||||
wireguard_allowed_ips: ""
|
||||
wireguard_endpoint: "host1.domain.tld"
|
||||
wireguard_persistent_keepalive: "30"
|
||||
wireguard_dns: "1.1.1.1"
|
||||
wireguard_postup: "..."
|
||||
wireguard_postdown: "..."
|
||||
wireguard_fwmark: "1234"
|
||||
wireguard_mtu: "1492"
|
||||
wireguard_table: "5000"
|
||||
wireguard_preup:
|
||||
- ...
|
||||
wireguard_predown:
|
||||
- ...
|
||||
wireguard_postup:
|
||||
- ...
|
||||
wireguard_postdown:
|
||||
- ...
|
||||
wireguard_save_config: "true"
|
||||
```
|
||||
|
||||
`wireguard_(preup|predown|postup|postdown)` are specified as lists. Here are two examples:
|
||||
|
||||
```
|
||||
wireguard_postup:
|
||||
- iptables -t nat -A POSTROUTING -o ens12 -j MASQUERADE
|
||||
- iptables -A FORWARD -i %i -j ACCEPT
|
||||
- iptables -A FORWARD -o %i -j ACCEPT
|
||||
```
|
||||
|
||||
```
|
||||
wireguard_preup:
|
||||
- echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
- ufw allow 51820/udp
|
||||
```
|
||||
|
||||
The commands are executed in order as described in [wg-quick.8](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8).
|
||||
|
||||
`wireguard_address` is required as already mentioned. It's the IP of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs a unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s).
|
||||
|
||||
Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already) mentioned I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.
|
||||
|
@ -252,6 +268,63 @@ Example Playbook
|
|||
- wireguard
|
||||
```
|
||||
|
||||
Example Inventory using two different WireGuard interfaces on host "multi"
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
This is a complex example using yaml inventory format:
|
||||
|
||||
```
|
||||
vpn1:
|
||||
hosts:
|
||||
multi:
|
||||
wireguard_address: 10.9.0.1/32
|
||||
wireguard_allowed_ips: "10.9.0.1/32, 192.168.2.0/24"
|
||||
wireguard_endpoint: multi.exemple.com
|
||||
nated:
|
||||
wireguard_address: 10.9.0.2/32
|
||||
wireguard_allowed_ips: "10.9.0.2/32, 192.168.3.0/24"
|
||||
wireguard_persistent_keepalive: 15
|
||||
wireguard_endpoint: nated.exemple.com
|
||||
wireguard_postup:
|
||||
- iptables -t nat -A POSTROUTING -o ens12 -j MASQUERADE
|
||||
- iptables -A FORWARD -i %i -j ACCEPT
|
||||
- iptables -A FORWARD -o %i -j ACCEPT
|
||||
wireguard_postdown:
|
||||
- iptables -t nat -D POSTROUTING -o ens12 -j MASQUERADE
|
||||
- iptables -D FORWARD -i %i -j ACCEPT
|
||||
- iptables -D FORWARD -o %i -j ACCEPT
|
||||
|
||||
vpn2:
|
||||
hosts:
|
||||
# Use a different name, and define ansible_host, to avoid mixing of vars without
|
||||
# needing to prefix vars with interface name.
|
||||
multi-wg1:
|
||||
ansible_host: multi
|
||||
wireguard_interface: wg1
|
||||
# when using several interface on one host, we must use different ports
|
||||
wireguard_port: 51821
|
||||
wireguard_address: 10.9.1.1/32
|
||||
wireguard_endpoint: multi.exemple.com
|
||||
another:
|
||||
wireguard_address: 10.9.1.2/32
|
||||
wireguard_endpoint: another.exemple.com
|
||||
```
|
||||
|
||||
Playbooks
|
||||
---------
|
||||
|
||||
```
|
||||
- hosts: vpn1
|
||||
roles:
|
||||
- wireguard
|
||||
```
|
||||
|
||||
```
|
||||
- hosts: vpn2
|
||||
roles:
|
||||
- wireguard
|
||||
```
|
||||
|
||||
License
|
||||
-------
|
||||
|
||||
|
|
|
@ -1,21 +1,27 @@
|
|||
---
|
||||
# The LOCAL directory where the WireGuard certificates are stored after they
|
||||
# were generated. By default this will expand to user's LOCAL ${HOME}
|
||||
# (the user that run's "ansible-playbook" command) plus
|
||||
# "/wireguard/certs". That means if the user's ${HOME} directory is e.g.
|
||||
# "/home/da_user" then "wireguard_cert_directory" will have a value of
|
||||
# "/home/da_user/wireguard/certs". If you change this make sure that
|
||||
# the parent directory is writable by the user that runs "ansible-playbook"
|
||||
# command.
|
||||
wireguard_cert_directory: "{{ '~/wireguard/certs' | expanduser }}"
|
||||
wireguard_cert_owner: "root"
|
||||
wireguard_cert_group: "root"
|
||||
#######################################
|
||||
# General settings
|
||||
#######################################
|
||||
|
||||
# Directory to store WireGuard configuration on the remote hosts
|
||||
wireguard_remote_directory: "/etc/wireguard"
|
||||
|
||||
# The port WireGuard will listen on.
|
||||
# The default port WireGuard will listen if not specified otherwise.
|
||||
wireguard_port: "51820"
|
||||
|
||||
# The interface name that wireguard should use.
|
||||
# The default interface name that wireguard should use if not specified otherwise.
|
||||
wireguard_interface: "wg0"
|
||||
|
||||
# Whether or not WireGuard is running in a container
|
||||
wireguard_containerized: false
|
||||
|
||||
|
||||
#######################################
|
||||
# Settings only relevant for Ubuntu
|
||||
#######################################
|
||||
|
||||
# Set to "false" if package cache should not be updated
|
||||
wireguard_ubuntu_update_cache: "true"
|
||||
|
||||
# Set package cache valid time
|
||||
wireguard_ubuntu_cache_valid_time: "3600"
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
Package: *
|
||||
Pin: release a=unstable
|
||||
Pin-Priority: 90
|
|
@ -2,4 +2,27 @@
|
|||
- name: restart wireguard
|
||||
service:
|
||||
name: "wg-quick@{{ wireguard_interface }}"
|
||||
state: restarted
|
||||
state: "{{ item }}"
|
||||
loop:
|
||||
- stopped
|
||||
- started
|
||||
when: not wg_syncconf and not wireguard_containerized
|
||||
listen: "reconfigure wireguard"
|
||||
|
||||
- name: syncconf wireguard
|
||||
shell: |
|
||||
set -o errexit
|
||||
set -o pipefail
|
||||
set -o nounset
|
||||
systemctl is-active wg-quick@wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
|
||||
wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
|
||||
exit 0
|
||||
args:
|
||||
executable: "/bin/bash"
|
||||
when: wg_syncconf and not wireguard_containerized
|
||||
listen: "reconfigure wireguard"
|
||||
|
||||
- name: restart wireguard (container)
|
||||
command: /usr/bin/s6-svc -r /var/run/s6/services/wireguard
|
||||
when: wireguard_containerized
|
||||
listen: "reconfigure wireguard"
|
||||
|
|
|
@ -8,9 +8,17 @@ galaxy_info:
|
|||
- name: Ubuntu
|
||||
versions:
|
||||
- bionic
|
||||
- focal
|
||||
- name: Debian
|
||||
versions:
|
||||
- stretch
|
||||
- buster
|
||||
- name: EL
|
||||
versions:
|
||||
- 7
|
||||
- name: Fedora
|
||||
versions:
|
||||
- 31
|
||||
galaxy_tags:
|
||||
- networking
|
||||
- security
|
||||
|
|
173
tasks/main.yml
173
tasks/main.yml
|
@ -3,18 +3,7 @@
|
|||
setup:
|
||||
|
||||
- include_tasks: "setup-{{ ansible_distribution|lower }}.yml"
|
||||
|
||||
- name: Install WireGuard
|
||||
package:
|
||||
name: "{{ packages }}"
|
||||
state: present
|
||||
vars:
|
||||
packages:
|
||||
- wireguard-dkms
|
||||
- wireguard-tools
|
||||
tags:
|
||||
- wg-install
|
||||
- skip_ansible_lint
|
||||
when: not wireguard_containerized
|
||||
|
||||
- name: Enable WireGuard kernel module
|
||||
modprobe:
|
||||
|
@ -28,110 +17,78 @@
|
|||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: Create WireGuard certificates directory
|
||||
file:
|
||||
dest: "{{ wireguard_cert_directory }}"
|
||||
state: directory
|
||||
owner: "{{ wireguard_cert_owner }}"
|
||||
group: "{{ wireguard_cert_group }}"
|
||||
mode: 0700
|
||||
run_once: true
|
||||
delegate_to: localhost
|
||||
tags:
|
||||
wg-generate-keys
|
||||
|
||||
- name: Set WireGuard IP (without mask)
|
||||
set_fact:
|
||||
wireguard_ip: "{{ wireguard_address.split('/')[0] }}"
|
||||
|
||||
- name: Set path to private key file
|
||||
set_fact:
|
||||
private_key_file_path: "{{ wireguard_cert_directory }}/{{ inventory_hostname }}.private.key"
|
||||
tags:
|
||||
wg-generate-keys
|
||||
|
||||
- name: Set path to public key file
|
||||
set_fact:
|
||||
public_key_file_path: "{{ wireguard_cert_directory }}/{{ inventory_hostname }}.public.key"
|
||||
tags:
|
||||
wg-generate-keys
|
||||
|
||||
- name: Register if private key already exists
|
||||
- name: Register if config/private key already exists on target host
|
||||
stat:
|
||||
path: "{{ private_key_file_path }}"
|
||||
register: private_key_file_stat
|
||||
delegate_to: localhost
|
||||
path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
|
||||
register: config_file_stat
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
- wg-config
|
||||
|
||||
- name: Generate WireGuard private key
|
||||
shell: "wg genkey"
|
||||
register: wg_private_key_result
|
||||
with_inventory_hostnames:
|
||||
- vpn
|
||||
when: not private_key_file_stat.stat.exists
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
- skip_ansible_lint
|
||||
- name: Get wg subcommands
|
||||
command: "wg --help"
|
||||
register: wg_subcommands
|
||||
changed_when: false
|
||||
|
||||
- name: Set private key fact
|
||||
- name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available)
|
||||
set_fact:
|
||||
wg_private_key: "{{ wg_private_key_result.results[0].stdout }}"
|
||||
when: not private_key_file_stat.stat.exists
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
wg_syncconf: false
|
||||
|
||||
- name: Generate WireGuard public key
|
||||
shell: "echo '{{ wg_private_key }}' | wg pubkey"
|
||||
- name: Check if wg syncconf subcommand is available
|
||||
set_fact:
|
||||
wg_syncconf: true
|
||||
when: wg_subcommands.stdout | regex_search('syncconf:')
|
||||
|
||||
- name: Show syncconf subcommand status
|
||||
debug:
|
||||
var: wg_syncconf
|
||||
|
||||
- block:
|
||||
- name: Generate WireGuard private key
|
||||
command: "wg genkey"
|
||||
register: wg_private_key_result
|
||||
changed_when: false
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
|
||||
- name: Set private key fact
|
||||
set_fact:
|
||||
private_key: "{{ wg_private_key_result.stdout }}"
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
when: not config_file_stat.stat.exists
|
||||
|
||||
- block:
|
||||
- name: Read WireGuard config file
|
||||
slurp:
|
||||
src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
|
||||
register: wg_config
|
||||
tags:
|
||||
- wg-config
|
||||
|
||||
- name: Set private key fact
|
||||
set_fact:
|
||||
private_key: "{{ wg_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
|
||||
tags:
|
||||
- wg-config
|
||||
when: config_file_stat.stat.exists
|
||||
|
||||
- name: Derive WireGuard public key
|
||||
shell: "echo '{{ private_key }}' | wg pubkey" # noqa 306
|
||||
register: wg_public_key_result
|
||||
when: not private_key_file_stat.stat.exists
|
||||
with_inventory_hostnames:
|
||||
- vpn
|
||||
changed_when: false
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
- wg-config
|
||||
|
||||
- name: Set public key fact
|
||||
set_fact:
|
||||
wg_public_key: "{{ wg_public_key_result.results[0].stdout }}"
|
||||
when: not private_key_file_stat.stat.exists
|
||||
public_key: "{{ wg_public_key_result.stdout }}"
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
|
||||
- name: Store hosts private key locally
|
||||
template:
|
||||
src: "wg-privatekey.j2"
|
||||
dest: "{{ private_key_file_path }}"
|
||||
owner: "{{ wireguard_cert_owner }}"
|
||||
group: "{{ wireguard_cert_group }}"
|
||||
mode: 0644
|
||||
when: not private_key_file_stat.stat.exists
|
||||
delegate_to: localhost
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
|
||||
- name: Store hosts public key locally
|
||||
template:
|
||||
src: "wg-publickey.j2"
|
||||
dest: "{{ public_key_file_path }}"
|
||||
owner: "{{ wireguard_cert_owner }}"
|
||||
group: "{{ wireguard_cert_group }}"
|
||||
mode: 0644
|
||||
when: not private_key_file_stat.stat.exists
|
||||
delegate_to: localhost
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
|
||||
- name: Read private key
|
||||
set_fact:
|
||||
private_key: "{{ lookup('file', private_key_file_path) }}"
|
||||
tags:
|
||||
wg-config
|
||||
|
||||
- name: Read public key
|
||||
set_fact:
|
||||
public_key: "{{ lookup('file', public_key_file_path) }}"
|
||||
tags:
|
||||
wg-config
|
||||
- wg-config
|
||||
|
||||
- name: Create WireGuard configuration directory
|
||||
file:
|
||||
|
@ -151,10 +108,26 @@
|
|||
tags:
|
||||
- wg-config
|
||||
notify:
|
||||
- restart wireguard
|
||||
- reconfigure wireguard
|
||||
|
||||
- name: Check if reload-module-on-update is set
|
||||
stat:
|
||||
path: "{{ wireguard_remote_directory }}/.reload-module-on-update"
|
||||
register: reload_module_on_update
|
||||
tags:
|
||||
- wg-config
|
||||
|
||||
- name: Set WireGuard reload-module-on-update
|
||||
file:
|
||||
dest: "{{ wireguard_remote_directory }}/.reload-module-on-update"
|
||||
state: touch
|
||||
when: not reload_module_on_update.stat.exists
|
||||
tags:
|
||||
- wg-config
|
||||
|
||||
- name: Start and enable WireGuard service
|
||||
service:
|
||||
name: "wg-quick@{{ wireguard_interface }}"
|
||||
state: started
|
||||
enabled: yes
|
||||
when: not wireguard_containerized
|
||||
|
|
|
@ -1,11 +1,32 @@
|
|||
---
|
||||
- name: Install required packages
|
||||
- name: (Archlinux) Install wireguard-lts package
|
||||
pacman:
|
||||
name: "{{ packages }}"
|
||||
state: present
|
||||
name: "{{ item.name }}"
|
||||
state: "{{ item.state }}"
|
||||
with_items:
|
||||
- { name: wireguard-dkms, state: absent }
|
||||
- { name: wireguard-lts, state: present }
|
||||
become: yes
|
||||
vars:
|
||||
packages:
|
||||
- linux-headers
|
||||
tags:
|
||||
- wg-install
|
||||
when:
|
||||
- ansible_kernel is match(".*-lts$")
|
||||
- ansible_kernel is version('5.6', '<')
|
||||
|
||||
- name: (Archlinux) Install wireguard-dkms package
|
||||
pacman:
|
||||
name: wireguard-dkms
|
||||
state: present
|
||||
become: yes
|
||||
tags:
|
||||
- wg-install
|
||||
when:
|
||||
- not ansible_kernel is match(".*-lts$")
|
||||
- ansible_kernel is version('5.6', '<')
|
||||
|
||||
- name: (Archlinux) Install wireguard-tools package
|
||||
pacman:
|
||||
name: wireguard-tools
|
||||
state: present
|
||||
tags:
|
||||
- wg-install
|
||||
|
|
|
@ -1,11 +1,19 @@
|
|||
---
|
||||
|
||||
- name: Add WireGuard repository
|
||||
- name: (CentOS) Add WireGuard repository
|
||||
get_url:
|
||||
url: https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
|
||||
dest: /etc/yum.repos.d/wireguard.repo
|
||||
|
||||
- name: Install EPEL repository
|
||||
- name: (CentOS) Install EPEL repository
|
||||
yum:
|
||||
name: epel-release
|
||||
update_cache: yes
|
||||
|
||||
- name: (CentOS) Install wireguard packages
|
||||
yum:
|
||||
name:
|
||||
- "wireguard-dkms"
|
||||
- "wireguard-tools"
|
||||
state: present
|
||||
tags:
|
||||
- wg-install
|
||||
|
|
93
tasks/setup-debian-raspbian.yml
Normal file
93
tasks/setup-debian-raspbian.yml
Normal file
|
@ -0,0 +1,93 @@
|
|||
---
|
||||
|
||||
- name: (Raspbian) Install GPG - required to add wireguard key
|
||||
apt:
|
||||
name: gnupg
|
||||
state: present
|
||||
|
||||
- name: (Raspbian) Add Debian repository key
|
||||
apt_key:
|
||||
keyserver: "keyserver.ubuntu.com"
|
||||
id: "04EE7237B7D453EC"
|
||||
state: present
|
||||
when: ansible_lsb.id == "Raspbian"
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Raspbian) Add Debian Unstable repository for WireGuard
|
||||
apt_repository:
|
||||
repo: "deb http://deb.debian.org/debian unstable main"
|
||||
state: present
|
||||
update_cache: yes
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Raspbian) Install latest kernel
|
||||
apt:
|
||||
name:
|
||||
- "raspberrypi-kernel"
|
||||
state: latest
|
||||
register: kernel_update
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Raspbian) Reboot after kernel update (Ansible >= 2.8)
|
||||
reboot:
|
||||
search_paths: ['/lib/molly-guard', '/usr/sbin']
|
||||
when:
|
||||
- ansible_version.full is version('2.8.0', '>=')
|
||||
- kernel_update is changed
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Raspbian) Check if molly-guard is installed (Ansible < 2.8)
|
||||
stat:
|
||||
path: /lib/molly-guard/
|
||||
register: molly_guard
|
||||
|
||||
- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, no molly-guard)
|
||||
reboot:
|
||||
when:
|
||||
- ansible_version.full is version('2.8.0', '<')
|
||||
- kernel_update is changed
|
||||
- not molly_guard.stat.exists
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, with molly-guard)
|
||||
command: /lib/molly-guard/shutdown -r now
|
||||
async: 1
|
||||
poll: 0
|
||||
ignore_unreachable: yes
|
||||
when:
|
||||
- ansible_version.full is version('2.8.0', '<')
|
||||
- kernel_update is changed
|
||||
- molly_guard.stat.exists
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Raspbian) Waiting for host to be available (Ansible < 2.8, with molly-guard)
|
||||
wait_for_connection:
|
||||
when:
|
||||
- ansible_version.full is version('2.8.0', '<')
|
||||
- kernel_update is changed
|
||||
- molly_guard.stat.exists
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Raspbian) Install latest kernel headers to compile Wireguard with DKMS
|
||||
apt:
|
||||
name:
|
||||
- "raspberrypi-kernel-headers"
|
||||
state: latest
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Raspbian) Install wireguard packages
|
||||
apt:
|
||||
name:
|
||||
- "wireguard-dkms"
|
||||
- "wireguard-tools"
|
||||
state: present
|
||||
tags:
|
||||
- wg-install
|
37
tasks/setup-debian-vanilla.yml
Normal file
37
tasks/setup-debian-vanilla.yml
Normal file
|
@ -0,0 +1,37 @@
|
|||
---
|
||||
- name: (Debian) Install GPG - required to add wireguard key
|
||||
apt:
|
||||
name: gnupg
|
||||
state: present
|
||||
|
||||
- name: (Debian) Add WireGuard repository on buster or earlier
|
||||
apt_repository:
|
||||
repo: "deb http://deb.debian.org/debian buster-backports main"
|
||||
state: present
|
||||
update_cache: yes
|
||||
when: ansible_distribution_version | int <= 10
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Debian) Get architecture
|
||||
command: "dpkg --print-architecture"
|
||||
register: dpkg_arch
|
||||
changed_when: False
|
||||
|
||||
- set_fact:
|
||||
kernel_header_version: "{{ ('-cloud-' in ansible_kernel) | ternary(ansible_kernel,dpkg_arch.stdout) }}"
|
||||
|
||||
- name: (Debian) Install kernel headers to compile Wireguard with DKMS
|
||||
apt:
|
||||
name:
|
||||
- "linux-headers-{{ kernel_header_version }}"
|
||||
state: present
|
||||
|
||||
- name: (Debian) Install wireguard packages
|
||||
apt:
|
||||
name:
|
||||
- "wireguard-dkms"
|
||||
- "wireguard-tools"
|
||||
state: present
|
||||
tags:
|
||||
- wg-install
|
|
@ -1,37 +1,8 @@
|
|||
---
|
||||
- name: Setup WireGuard preference
|
||||
copy:
|
||||
src: debian/etc/apt/preferences.d/limit-unstable
|
||||
dest: /etc/apt/preferences.d/limit-unstable
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: Add WireGuard key
|
||||
apt_key:
|
||||
keyserver: "keyserver.ubuntu.com"
|
||||
id: "8B48AD6246925553"
|
||||
state: present
|
||||
tags:
|
||||
- wg-install
|
||||
- include_tasks: "setup-debian-raspbian.yml"
|
||||
when: ansible_lsb.id == "Raspbian"
|
||||
register: raspbian_setup
|
||||
|
||||
- name: Add WireGuard repository
|
||||
apt_repository:
|
||||
repo: "deb http://deb.debian.org/debian/ unstable main"
|
||||
state: present
|
||||
update_cache: yes
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: Get architecture
|
||||
shell: dpkg --print-architecture
|
||||
register: dpkg_arch
|
||||
changed_when: False
|
||||
|
||||
- name: Install kernel headers to compile wireguard with DKMS
|
||||
apt:
|
||||
name:
|
||||
- "linux-headers-{{ dpkg_arch.stdout }}"
|
||||
state: present
|
||||
- include_tasks: "setup-debian-vanilla.yml"
|
||||
when: raspbian_setup is skipped
|
||||
|
|
17
tasks/setup-fedora.yml
Normal file
17
tasks/setup-fedora.yml
Normal file
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
- name: (Fedora) Add wireguard COPR
|
||||
yum_repository:
|
||||
name: "jdoss-wireguard"
|
||||
description: "Copr repo for wireguard owned by jdoss"
|
||||
baseurl: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/fedora-$releasever-$basearch/"
|
||||
gpgkey: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/pubkey.gpg"
|
||||
gpgcheck: yes
|
||||
|
||||
- name: (Fedora) Install wireguard packages
|
||||
yum:
|
||||
name:
|
||||
- "wireguard-dkms"
|
||||
- "wireguard-tools"
|
||||
state: present
|
||||
tags:
|
||||
- wg-install
|
|
@ -1,26 +1,48 @@
|
|||
---
|
||||
- name: Update APT package cache
|
||||
- name: (Ubuntu) Update APT package cache
|
||||
apt:
|
||||
update_cache: true
|
||||
cache_valid_time: 3600
|
||||
update_cache: "{{ wireguard_ubuntu_update_cache }}"
|
||||
cache_valid_time: "{{ wireguard_ubuntu_cache_valid_time }}"
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: Install required packages
|
||||
package:
|
||||
name: "{{ packages }}"
|
||||
state: present
|
||||
vars:
|
||||
packages:
|
||||
- software-properties-common
|
||||
- linux-headers-{{ ansible_kernel }}
|
||||
tags:
|
||||
- wg-install
|
||||
- block:
|
||||
- name: (Ubuntu) Install support packages needed for Wireguard (for Ubuntu < 19.10)
|
||||
package:
|
||||
name: "{{ packages }}"
|
||||
state: present
|
||||
vars:
|
||||
packages:
|
||||
- software-properties-common
|
||||
- linux-headers-{{ ansible_kernel }}
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: Add WireGuard repository
|
||||
apt_repository:
|
||||
repo: "ppa:wireguard/wireguard"
|
||||
state: present
|
||||
update_cache: yes
|
||||
tags:
|
||||
- wg-install
|
||||
- name: (Ubuntu) Add WireGuard repository (for Ubuntu < 19.10)
|
||||
apt_repository:
|
||||
repo: "ppa:wireguard/wireguard"
|
||||
state: present
|
||||
update_cache: yes
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Ubuntu) Install wireguard packages (for Ubuntu < 19.10)
|
||||
apt:
|
||||
name:
|
||||
- "wireguard-dkms"
|
||||
- "wireguard-tools"
|
||||
state: present
|
||||
tags:
|
||||
- wg-install
|
||||
when:
|
||||
- ansible_lsb.major_release is version('19.10', '<')
|
||||
|
||||
- block:
|
||||
- name: (Ubuntu) Install wireguard-tools package (for Ubuntu > 19.04)
|
||||
apt:
|
||||
name: "wireguard-tools"
|
||||
state: present
|
||||
tags:
|
||||
- wg-install
|
||||
when:
|
||||
- ansible_lsb.major_release is version('19.04', '>')
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
{{hostvars[inventory_hostname]['wg_private_key']}}
|
|
@ -1 +0,0 @@
|
|||
{{hostvars[inventory_hostname]['wg_public_key']}}
|
|
@ -1,38 +1,70 @@
|
|||
#jinja2: lstrip_blocks:"True",trim_blocks:"True"
|
||||
[Interface]
|
||||
# {{ inventory_hostname }}
|
||||
Address = {{hostvars[inventory_hostname].wireguard_address}}
|
||||
PrivateKey = {{private_key}}
|
||||
ListenPort = {{wireguard_port}}
|
||||
{% if hostvars[inventory_hostname].wireguard_dns is defined %}
|
||||
DNS = {{hostvars[inventory_hostname].wireguard_dns}}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_fwmark is defined %}
|
||||
FwMark = {{hostvars[inventory_hostname].wireguard_fwmark}}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_mtu is defined %}
|
||||
MTU = {{hostvars[inventory_hostname].wireguard_mtu}}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_table is defined %}
|
||||
Table = {{hostvars[inventory_hostname].wireguard_table}}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_preup is defined %}
|
||||
{% for wg_preup in hostvars[inventory_hostname].wireguard_preup %}
|
||||
PreUp = {{ wg_preup }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_predown is defined %}
|
||||
{% for wg_predown in hostvars[inventory_hostname].wireguard_predown %}
|
||||
PreDown = {{ wg_predown }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_postup is defined %}
|
||||
PostUp = {{hostvars[inventory_hostname].wireguard_postup}}
|
||||
{% for wg_postup in hostvars[inventory_hostname].wireguard_postup %}
|
||||
PostUp = {{ wg_postup }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_postdown is defined %}
|
||||
PostDown = {{hostvars[inventory_hostname].wireguard_postdown}}
|
||||
{% for wg_postdown in hostvars[inventory_hostname].wireguard_postdown %}
|
||||
PostDown = {{ wg_postdown }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_save_config is defined %}
|
||||
SaveConfig = true
|
||||
{% endif %}
|
||||
{% for host in ansible_play_hosts_all %}
|
||||
{% if host != inventory_hostname %}
|
||||
|
||||
{% for host in groups["vpn"] %}
|
||||
{% if host != inventory_hostname %}
|
||||
[Peer]
|
||||
PublicKey = {{hostvars[host].public_key}}
|
||||
{% if hostvars[host].wireguard_allowed_ips is defined %}
|
||||
AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
|
||||
{% else %}
|
||||
AllowedIPs = {{hostvars[host].wireguard_ip}}/32
|
||||
{% endif %}
|
||||
{% if hostvars[host].wireguard_persistent_keepalive is defined %}
|
||||
PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}
|
||||
{% endif %}
|
||||
{% if hostvars[host].wireguard_endpoint is not defined %}
|
||||
Endpoint = {{host}}:{{wireguard_port}}
|
||||
{% elif hostvars[host].wireguard_endpoint != "" %}
|
||||
Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
[Peer]
|
||||
# {{ host }}
|
||||
PublicKey = {{hostvars[host].public_key}}
|
||||
{% if hostvars[host].wireguard_allowed_ips is defined %}
|
||||
AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
|
||||
{% else %}
|
||||
AllowedIPs = {{hostvars[host].wireguard_ip}}/32
|
||||
{% endif %}
|
||||
{% if hostvars[host].wireguard_persistent_keepalive is defined %}
|
||||
PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}
|
||||
{% endif %}
|
||||
{% if hostvars[host].wireguard_port is defined and hostvars[host].wireguard_port is number %}
|
||||
{% if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
|
||||
Endpoint = {{hostvars[host].wireguard_endpoint}}:{{hostvars[host].wireguard_port}}
|
||||
{% else %}
|
||||
Endpoint = {{host}}:{{hostvars[host].wireguard_port}}
|
||||
{% endif %}
|
||||
{% elif hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
|
||||
Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}
|
||||
{% elif hostvars[host].wireguard_endpoint == "" %}
|
||||
# No endpoint defined for this peer
|
||||
{% else %}
|
||||
Endpoint = {{host}}:{{wireguard_port}}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
|
|
@ -1,2 +0,0 @@
|
|||
localhost
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
---
|
||||
- hosts: localhost
|
||||
remote_user: root
|
||||
roles:
|
||||
- .
|
|
@ -1 +0,0 @@
|
|||
---
|
Reference in a new issue