PiFrame/ansible
PiFrame/ansible
1
0
Fork 0
Code Issues Releases Activity

Add a more flexible routing config to wireguard ; enable wireguard dns reresolver daily service/timer

Browse source
This commit is contained in:
KemoNine 2020-08-13 20:36:50 -04:00
parent c189491024
commit b003ebdcfd
4 changed files with 50 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
inventory.example
View file

@ -17,6 +17,10 @@ frames:
monit_wireguard_ip: 192.168.254.1 monit_wireguard_ip: 192.168.254.1
rtty_server: 192.168.254.1 rtty_server: 192.168.254.1
munin_server: 192.168.254.1 munin_server: 192.168.254.1
wireguard_postup:
- ip route add 192.168.254.0/24 dev wg0
wireguard_postdown:
- ip route del 192.168.254.0/24 dev wg0
wg: wg:
hosts: hosts:
frame1: frame1:
@ -27,7 +31,6 @@ wg:
wireguard_remote_directory: "/opt/wireguard" wireguard_remote_directory: "/opt/wireguard"
wireguard_address: 192.168.254.1/32 wireguard_address: 192.168.254.1/32
wireguard_allowed_ips: "192.168.254.0/24" wireguard_allowed_ips: "192.168.254.0/24"
wireguard_table: "off"
wireguard_postup: wireguard_postup:
- ip route add 192.168.254.0/24 via 192.168.254.1 dev wg0 - ip route add 192.168.254.0/24 via 192.168.254.1 dev wg0
- iptables -t nat -A PREROUTING -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT - iptables -t nat -A PREROUTING -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
@ -43,6 +46,7 @@ wg:
- iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT - iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
- iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 0.0.0.0/0 -j DROP - iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 0.0.0.0/0 -j DROP
vars: vars:
wireguard_table: "off"
wireguard_port: 51821 wireguard_port: 51821
wireguard_endpoint: 192.168.0.2 wireguard_endpoint: 192.168.0.2
wireguard_persistent_keepalive: 30 wireguard_persistent_keepalive: 30

29
roles/wireguard/tasks/main.yml
View file

@ -131,3 +131,32 @@
state: started state: started
enabled: yes enabled: yes
when: not wireguard_containerized when: not wireguard_containerized
- name: Setup wg dns-reresolver service
template:
src: wireguard_reresolve-dns.service
dest: "/etc/systemd/system/wireguard_reresolve-dns.service"
owner: root
group: root
mode: 0644
tags:
- wg-config
when: not wireguard_containerized
- name: Setup wg dns-reresolver timer
template:
src: wireguard_reresolve-dns.timer
dest: "/etc/systemd/system/wireguard_reresolve-dns.timer"
owner: root
group: root
mode: 0644
tags:
- wg-config
when: not wireguard_containerized
- name: Enable wg dns-reresolver timer
systemd:
name: wireguard_reresolve-dns.timer
daemon_reload: yes
enabled: yes
state: restarted

8
roles/wireguard/templates/wireguard_reresolve-dns.service Normal file
View file

@ -0,0 +1,8 @@
[Unit]
Description=Reresolve DNS of all WireGuard endpoints
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'for i in /etc/wireguard/*.conf; do /usr/share/doc/wireguard-tools/examples/reresolve-dns/reresolve-dns.sh "$i"; done'

8
roles/wireguard/templates/wireguard_reresolve-dns.timer Normal file
View file

@ -0,0 +1,8 @@
[Unit]
Description=Periodically reresolve DNS of all WireGuard endpoints
[Timer]
OnCalendar=*-*-* 01:00:00
[Install]
WantedBy=timers.target