@@ -0,0 +1,128 @@
|
||||
---
|
||||
- name: update packages
|
||||
apt:
|
||||
update_cache: yes
|
||||
cache_valid_time: 3600
|
||||
become: yes
|
||||
|
||||
|
||||
- name: install ufw
|
||||
apt:
|
||||
name: ufw
|
||||
state: present
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: Allow SSH in UFW
|
||||
ufw:
|
||||
rule: allow
|
||||
port: "{{ ansible_ssh_port }}"
|
||||
proto: tcp
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: Set ufw logging
|
||||
ufw:
|
||||
logging: "on"
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: inter-node Wireguard UFW connectivity
|
||||
ufw:
|
||||
rule: allow
|
||||
src: "{{ hostvars[item].wireguard_ip }}"
|
||||
with_items: "{{ groups['all'] }}"
|
||||
become: yes
|
||||
when: ufw_enabled and item != inventory_hostname
|
||||
|
||||
- name: Reject everything and enable UFW
|
||||
ufw:
|
||||
state: enabled
|
||||
policy: reject
|
||||
log: yes
|
||||
become: yes
|
||||
when: ufw_enabled
|
||||
|
||||
- name: enable and persist ip forwarding
|
||||
sysctl:
|
||||
name: net.ipv4.ip_forward
|
||||
value: "1"
|
||||
state: present
|
||||
sysctl_set: yes
|
||||
reload: yes
|
||||
|
||||
- name: install wireguard
|
||||
apt:
|
||||
name: wireguard
|
||||
state: present
|
||||
become: yes
|
||||
|
||||
- name: generate wireguard keypair
|
||||
shell: wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
|
||||
args:
|
||||
creates: /etc/wireguard/privatekey
|
||||
become: yes
|
||||
|
||||
- name: register private key
|
||||
shell: cat /etc/wireguard/privatekey
|
||||
register: wireguard_private_key
|
||||
changed_when: false
|
||||
become: yes
|
||||
|
||||
- name: register public key
|
||||
shell: cat /etc/wireguard/publickey
|
||||
register: wireguard_public_key
|
||||
changed_when: false
|
||||
become: yes
|
||||
|
||||
- name: generate preshared keypair
|
||||
shell: "wg genpsk > /etc/wireguard/psk-{{item}}"
|
||||
args:
|
||||
creates: "/etc/wireguard/psk-{{item}}"
|
||||
when: inventory_hostname < item
|
||||
with_items: "{{groups['serverctl_mesh_nodes']}}"
|
||||
become: yes
|
||||
|
||||
- name: register preshared key
|
||||
shell: "cat /etc/wireguard/psk-{{item}}"
|
||||
register: wireguard_preshared_key
|
||||
changed_when: false
|
||||
when: inventory_hostname < item
|
||||
with_items: "{{groups['serverctl_mesh_nodes']}}"
|
||||
become: yes
|
||||
|
||||
- name: message preshared keys
|
||||
set_fact: "wireguard_preshared_keys={{wireguard_preshared_keys|default({}) | combine({item.item: item.stdout})}}"
|
||||
when: item.skipped is not defined
|
||||
with_items: "{{wireguard_preshared_key.results}}"
|
||||
become: yes
|
||||
|
||||
- name: Setup wgserverctl0 device
|
||||
template:
|
||||
src: 'systemd.netdev'
|
||||
dest: '{{systemd_network_dir}}/99-wg0.netdev'
|
||||
owner: root
|
||||
group: systemd-network
|
||||
mode: 0640
|
||||
become: yes
|
||||
notify: systemd network restart
|
||||
|
||||
- name: Setup wgserverctl0 network
|
||||
template:
|
||||
src: 'systemd.network'
|
||||
dest: "{{systemd_network_dir}}/99-wg0.network"
|
||||
owner: root
|
||||
group: systemd-network
|
||||
mode: 0640
|
||||
become: yes
|
||||
notify: systemd network restart
|
||||
|
||||
#- name: Start and enalbe wireguard on book
|
||||
# systemd:
|
||||
# name: wg-quick@wgserverctl0
|
||||
# enabled: yes
|
||||
# state: started
|
||||
|
||||
#- debug: msg="{{item.1}} - {{ (wireguard_base_ipv4|ipaddr(item.0 + 1)) }}"
|
||||
# with_indexed_items: "{{groups.serverctl_mesh_nodes}}"
|
||||
|
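Review bot: The `register private key`, `register public key` and `register preshared key` tasks capture `/etc/wireguard/privatekey` and the `psk-*` files into registered variables without `no_log: true`, so the WireGuard private key and preshared keys are printed in the play output (and again by `message preshared keys`, which loops over `wireguard_preshared_key.results` and echoes each item's stdout) and end up in any ansible log or CI transcript; add `no_log: true` to those three register tasks and to the `set_fact` loop. The `generate wireguard keypair` and `generate preshared keypair` shell commands also create the key files with whatever umask the shell inherits, so the private key may be left readable by other local users; prefix the commands with `umask 077 &&` or follow them with a `file` task setting `mode: "0600"` on the key files. Separately, `enable and persist ip forwarding` is the only task without `become: yes`, which will fail on the sysctl write unless `become` is set at play level, and the two `mode: 0640` values on the template tasks should be quoted (`mode: "0640"`) so the octal mode does not depend on YAML 1.1 integer parsing.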