Move to wg portal setup on larva.

- add parent play for configuring the rpi - add dedicated rpi.yml to configure the base - copy over templates, handlers from the wg play - import the rpi.yml in main.yml
3 years ago · 15b78abf21
parent 4d1b046917
commit 15b78abf21
8 changed files with 73 additions and 1 deletions
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@ -40,7 +40,7 @@ wireguard_clients:
    offset: 12
    privkey: "{{ vault_wireguard_client_privkey_ling8 }}"
    pubkey: YqGQE6yUz6rjBFRWgZyj5mPEaGavxrmO/cclO5o+VBQ=
-  - name: hatchery
+  - name: larva
    offset: 13
    privkey: "{{ vault_wireguard_client_privkey_hatchery }}"
    pubkey: kguQg0CvB7N1fJDO8i0Nj4C1cUKUsawfHyArwiaGxis=
--- a/ansible/host_vars/larva.home.jowj.net/main.yml
+++ b/ansible/host_vars/larva.home.jowj.net/main.yml
@ -1,3 +1,4 @@
 ansible_python_interpreter: /usr/bin/python3
 interactive: yes
 acmedns_base_lego_arch: arm64
+base_rpi: true
--- a/ansible/roles/home-net/handlers/main.yml
+++ b/ansible/roles/home-net/handlers/main.yml
@ -0,0 +1,5 @@
+---
+# handlers file for wg_vpn
+
+- name: restart wireguard
+  service: name=wg-quick@wg0.service state=restarted
--- a/ansible/roles/home-net/tasks/main.yml
+++ b/ansible/roles/home-net/tasks/main.yml
@ -1,3 +1,9 @@
+---
+
+- name: Import raspberry pi tasks
+  import_tasks: rpi.yml
+  when: base_rpi  
+
 - name: Make sure we have a 'sudo' group
  group:
    name: sudo
--- a/ansible/roles/home-net/tasks/rpi.yml
+++ b/ansible/roles/home-net/tasks/rpi.yml
@ -0,0 +1,30 @@
+---
+
+- name: install wireguard
+  apt:
+    name:
+      - wireguard
+      - wireguard-dkms
+      - wireguard-tools        
+    update_cache: yes
+    state: latest
+
+- name: Enable IP forwarding
+  sysctl: name={{ item }} value=1 state=present
+  with_items:
+    - net.ipv4.ip_forward
+    - net.ipv6.conf.all.forwarding    
+
+- name: Configure firewall (Ubuntu)
+  ufw: rule=allow port=51820 proto=udp
+  when: ansible_distribution == "Ubuntu"
+
+- name: Create wireguard config directory
+  file: state=directory path=/etc/wireguard owner=root group=root mode=0700
+
+- name: Install wireguard configuration
+  template: src=wg0.conf dest=/etc/wireguard/wg0.conf owner=root group=root mode=0600
+  notify: restart wireguard
+
+- name: Start wireguard
+  service: name=wg-quick@wg0.service enabled=yes state=started    
--- a/ansible/roles/home-net/templates/main.yml
+++ b/ansible/roles/home-net/templates/main.yml
@ -0,0 +1,11 @@
+[Interface]
+PrivateKey = {{ wireguard_clients[3]['privkey'] }}
+Address = {{ wireguard_vpn_network | ipsubnet(32, wireguard_clients[3]['offset']) }}
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ wireguard_server_pubkey }}
+Endpoint = vpn.awful.club:51820
+AllowedIPs = 10.200.219.0/24
--- a/ansible/roles/home-net/templates/wg0.conf
+++ b/ansible/roles/home-net/templates/wg0.conf
@ -0,0 +1,11 @@
+[Interface]
+PrivateKey = {{ wireguard_clients[3]['privkey'] }}
+Address = {{ wireguard_vpn_network | ipsubnet(32, wireguard_clients[3]['offset']) }}
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ wireguard_server_pubkey }}
+Endpoint = vpn.awful.club:51820
+AllowedIPs = 10.200.219.0/24
--- a/ansible/wg_homeportal.yml
+++ b/ansible/wg_homeportal.yml
@ -0,0 +1,8 @@
+---
+
+- name: setup on prem portal wg host.
+  hosts: larva.home.jowj.net
+  tasks:
+    - debug: msg="Deploying wg portal"
+  roles:
+    - { name: home-net, tags: ['home-net'] }