Add role specific declarations.

4 years ago · 7e62efcbb9
parent 9e172580bc
commit 7e62efcbb9
4 changed files with 65 additions and 59 deletions
--- a/ansible/roles/wg_vpn/defaults/main.yml
+++ b/ansible/roles/wg_vpn/defaults/main.yml
@ -1,2 +1,5 @@
 ---
-# defaults file for wg_vpn
+
+wireguard_server_listen_port: 51820
+
+wireguard_server_lan_interface: enp3s0
--- a/ansible/roles/wg_vpn/handlers/main.yml
+++ b/ansible/roles/wg_vpn/handlers/main.yml
@ -1,2 +1,5 @@
 ---
-# handlers file for wg_vpn
+# handlers file for wg_vpn
+
+- name: restart wireguard
+  service: name=wg-quick@wg0.service state=restarted
--- a/ansible/roles/wg_vpn/tasks/main.yml
+++ b/ansible/roles/wg_vpn/tasks/main.yml
@ -2,65 +2,35 @@
 # tasks file for wg_vpn
 # playbook to go from a "base configured" server to a wg vpn peer

- name: "generating config on relay server"
-  debug:
-    msg: "config on relay is starting"
-    verbosity: 1
- name: generate config on relay server
-  include: pretasks_debian.yml
-  become: yes
+- name: add unstable to repos
+  shell: |
+    echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
+    printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable

- name: "generating config on local mac"
-  debug:
-    msg: "config on mac is starting"
-    verbosity: 1
-  when: source_os == 'macos'
- name: generate config on local mac
-  include: pretasks_mac.yml
-  delegate_to: localhost
-  when: source_os == 'macos'
+- name: install wireguard
+  apt:
+    # hardcoded header here is for digital oceans :(
+    name:
+      - wireguard
+      - build-essential
+      - dkms
+      - linux-headers-4.19.0-6-cloud-amd64
+    update_cache: yes
+    state: latest

- name: "generating config on local arch"
-  debug:
-    msg: "config on arch is starting"
-    verbosity: 1
-  when: source_os == 'arch'
- name: generate config on local arch
-  include: pretasks_arch.yml
-  delegate_to: localhost
-  when: source_os == 'arch'
+    
+- name: Enable IP forwarding
+  sysctl: name={{ item }} value=1 state=present
+  with_items:
+    - net.ipv4.ip_forward
+    - net.ipv6.conf.all.forwarding

- name: generate config for IOS on local machine
-  include: pretasks_ios.yml
-  delegate_to: localhost
+- name: Create wireguard config directory
+  file: state=directory path=/etc/wireguard owner=root group=root mode=0700

- name: "completing config on server"
-  debug:
-    msg: "config on relay is resuming"
-    verbosity: 1
- name: complete config, wg up on relay server
-  include: posttasks_debian.yml
-  become: yes
-  
- name: complete config, wg up on local mac
-  include: posttasks_mac.yml
-  delegate_to: localhost
-  when: source_os == 'macos'
+- name: Install wireguard configuration
+  template: src=wg0.conf dest=/etc/wireguard/wg0.conf owner=root group=root mode=0600
+  notify: restart wireguard

- name: "generating config on local arch"
-  debug:
-    msg: "config on arch is completing"
-    verbosity: 1
-  when: source_os == 'arch'
- name: complete config on local arch
-  include: posttasks_arch.yml
-  delegate_to: localhost
-  when: source_os == 'arch'
-
- name: "generating config for iOS"
-  debug:
-    msg: "config for IOS is completing"
-    verbosity: 1
- name: complete config for IOS on local machine
-  include: posttasks_ios.yml
-  delegate_to: localhost      
+- name: Start wireguard
+  service: name=wg-quick@wg0.service enabled=yes state=started
--- a/ansible/roles/wg_vpn/templates/wg0.conf
+++ b/ansible/roles/wg_vpn/templates/wg0.conf
@ -0,0 +1,30 @@
+[Interface]
+PrivateKey = {{ wireguard_server_privkey }}
+{#
+    We want the Address field here to be an IP address
+    with the whole network in CIDR notation, like 10.0.0.1/24.
+
+    If wireguard_vpn_network is a CIDR network like 10.0.0.0/24,
+    and wireguard_server_offset is an integer like 1,
+    this will produce an offset of the start of the network + CIDR prefix,
+    which in this case will be the desired 10.0.0.1/24.
+#}
+Address = {{ wireguard_vpn_network | ipaddr(wireguard_server_offset) }}
+ListenPort = {{ wireguard_server_listen_port }}
+
+{% for client in wireguard_clients %}
+[Peer]
+# {{ client.name }}
+PublicKey = {{ client.pubkey }}
+{#
+    We want the Address field here to be an IP address
+    withOUT the whole network in CIDR notation, like 10.0.0.15/32.
+
+    If wireguard_vpn_network is a CIDR network like 10.0.0.0/24,
+    and client.offset is an integer like 15,
+    this will produce an offset of the start of the network with a /32 CIDR prefix
+    which in this case will be the desired 10.0.0.15/32.
+#}
+AllowedIPs = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }}
+
+{% endfor %}