149 lines
3.4 KiB
YAML
149 lines
3.4 KiB
YAML
---
|
|
- name: Install required packages
|
|
package:
|
|
name: "{{item}}"
|
|
state: present
|
|
with_items:
|
|
- software-properties-common
|
|
- linux-headers-{{ansible_kernel}}
|
|
|
|
- name : Add WireGuard repository
|
|
apt_repository:
|
|
repo: "ppa:wireguard/wireguard"
|
|
state: present
|
|
update_cache: yes
|
|
|
|
- name: Install WireGuard
|
|
package:
|
|
name: "{{item}}"
|
|
state: present
|
|
with_items:
|
|
- wireguard-dkms
|
|
- wireguard-tools
|
|
|
|
- name: Enable WireGuard kernel module
|
|
modprobe:
|
|
name: wireguard
|
|
state: present
|
|
register: wireguard_module_enabled
|
|
until: wireguard_module_enabled is succeeded
|
|
retries: 10
|
|
delay: 10
|
|
failed_when: wireguard_module_enabled is failure
|
|
|
|
- name: Create WireGuard certificates directory
|
|
file:
|
|
dest: "{{wireguard_cert_directory}}"
|
|
state: directory
|
|
mode: 0700
|
|
run_once: true
|
|
delegate_to: localhost
|
|
|
|
- name: Set path to private key file
|
|
set_fact:
|
|
private_key_file_path: "{{wireguard_cert_directory}}/{{inventory_hostname}}.private.key"
|
|
tags:
|
|
wg-config
|
|
|
|
- name: Set path to public key file
|
|
set_fact:
|
|
public_key_file_path: "{{wireguard_cert_directory}}/{{inventory_hostname}}.public.key"
|
|
tags:
|
|
wg-config
|
|
|
|
- name: Register if private key already exists
|
|
local_action:
|
|
module: stat
|
|
path: "{{private_key_file_path}}"
|
|
register: private_key_file_stat
|
|
tags:
|
|
- wg-generate-keys
|
|
|
|
- name: Generate WireGuard private key
|
|
shell: "wg genkey"
|
|
register: wg_private_key_result
|
|
with_inventory_hostnames:
|
|
- vpn
|
|
when: private_key_file_stat.stat.exists == False
|
|
tags:
|
|
- wg-generate-keys
|
|
|
|
- name: Set private key fact
|
|
set_fact:
|
|
wg_private_key: "{{wg_private_key_result.results[0].stdout}}"
|
|
when: private_key_file_stat.stat.exists == False
|
|
tags:
|
|
- wg-generate-keys
|
|
|
|
- name: Generate WireGuard public key
|
|
shell: "echo '{{wg_private_key}}' | wg pubkey"
|
|
register: wg_public_key_result
|
|
when: private_key_file_stat.stat.exists == False
|
|
with_inventory_hostnames:
|
|
- vpn
|
|
tags:
|
|
- wg-generate-keys
|
|
|
|
- name: Set public key fact
|
|
set_fact:
|
|
wg_public_key: "{{wg_public_key_result.results[0].stdout}}"
|
|
when: private_key_file_stat.stat.exists == False
|
|
tags:
|
|
- wg-generate-keys
|
|
|
|
- name: Store hosts private key locally
|
|
local_action:
|
|
module: template
|
|
src: "wg-privatekey.j2"
|
|
dest: "{{private_key_file_path}}"
|
|
mode: 0600
|
|
when: private_key_file_stat.stat.exists == False
|
|
tags:
|
|
- wg-generate-keys
|
|
|
|
- name: Store hosts public key locally
|
|
local_action:
|
|
module: template
|
|
src: "wg-publickey.j2"
|
|
dest: "{{public_key_file_path}}"
|
|
mode: 0600
|
|
when: private_key_file_stat.stat.exists == False
|
|
tags:
|
|
- wg-generate-keys
|
|
|
|
- name: Read private key from local filesystem
|
|
set_fact:
|
|
private_key: "{{lookup('file', private_key_file_path)}}"
|
|
tags:
|
|
wg-config
|
|
|
|
- name: Read public key from local filesystem
|
|
set_fact:
|
|
public_key: "{{lookup('file', public_key_file_path)}}"
|
|
tags:
|
|
wg-config
|
|
|
|
- name: Create WireGuard configuration directory
|
|
file:
|
|
dest: "{{wireguard_remote_directory}}"
|
|
state: directory
|
|
mode: 0700
|
|
tags:
|
|
- wg-config
|
|
|
|
- name: Generate WireGuard configuration file
|
|
template:
|
|
src: wg-fullmesh.conf.j2
|
|
dest: "{{wireguard_remote_directory}}/wg0.conf"
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
tags:
|
|
- wg-config
|
|
|
|
- name: Start and enable WireGuard service
|
|
service:
|
|
name: wg-quick@wg0
|
|
state: started
|
|
enabled: yes
|