From dead47287af0400f7ae8a6b7ac7707f0c797e29a Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Wed, 20 Jul 2022 02:09:17 +0200
Subject: [PATCH] Generate simple config
---
defaults/main.yml | 2 +
tasks/install_RedHat.yml | 12 +++-
tasks/main.yml | 58 ++++++++++---------
.../etc/{ => wireguard}/wireguard.conf.j2 | 14 +++-
vars/RedHat.yml | 1 -
5 files changed, 54 insertions(+), 33 deletions(-)
rename templates/etc/{ => wireguard}/wireguard.conf.j2 (73%)
diff --git a/defaults/main.yml b/defaults/main.yml
index fdf33aa..a15fd46 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,6 +2,7 @@ wireguard_interface: wg0 wireguard_port: 51820 # wireguard_address: 10.0.0.1/24 +# wireguard_allowed_ips: # wireguard_dns: # wireguard_fwmark: # wireguard_mtu:
@@ -10,6 +11,7 @@ wireguard_port: 51820 # wireguard_postup: # wireguard_predown: # wireguard_postdown: +wireguard_persistent_keepalive: 20 wireguard_save_config: true skip_conf: false
diff --git a/tasks/install_RedHat.yml b/tasks/install_RedHat.yml
index 9d61e6b..3a2a261 100644
--- a/tasks/install_RedHat.yml
+++ b/tasks/install_RedHat.yml
@@ -5,4 +5,14 @@ - epel-release - elrepo-release state: present - update_cache: yes + update_cache: true + +- name: Install kernel driver for WireGuard package: name: - kmod-wireguard state: present update_cache: true when: - ansible_os_family == 'RedHat' - ansible_distribution_major_version < "9"
diff --git a/tasks/main.yml b/tasks/main.yml
index 22bc348..520211a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -12,9 +12,10 @@ - name: Install packages for WireGuard package: - name: "{{ wireguard_packages }}" + name: + - "{{ wireguard_packages }}" state: present - update_cache: yes + update_cache: true - name: Configure wireguard block:
@@ -24,7 +25,8 @@ shell: > cat /etc/wireguard/privatekey register: wireguard_private_key - changed_when: no + changed_when: false + check_mode: false rescue: - name: Generate private key shell: 
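Review bot: `wireguard_persistent_keepalive: 20` is set unconditionally in the defaults, so the `{% if hostvars[host].wireguard_persistent_keepalive is defined %}` guard that the template relies on is always true for hosts running this role, and keepalive cannot be switched off from inventory. The other optional knobs in this file (`wireguard_dns`, `wireguard_mtu`) are left commented out; the same treatment, `# wireguard_persistent_keepalive: 20`, keeps the guard meaningful, or the template could test the value for truthiness instead. If a 20-second keepalive on every peer is the intent, a one-line comment above the key saying so would make that explicit.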
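Review bot: `ansible_distribution_major_version < "9"` compares two strings lexicographically, so a later major version such as "10" sorts before "9" and the kmod-wireguard task would run there as well; cast before comparing, `ansible_distribution_major_version | int < 9`. The `ansible_os_family == 'RedHat'` condition is redundant inside install_RedHat.yml if, as the file name suggests, it is only included for that family, but it does no harm.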
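Review bot: Wrapping `"{{ wireguard_packages }}"` in a list item produces a nested list when the variable is itself a list, which is how vars/RedHat.yml defines it (`- wireguard-tools`); the previous form `name: "{{ wireguard_packages }}"` passed the list through unchanged. Unless the variable is now meant to hold a single string, the one-line form should be restored. Whether the package module flattens a nested list depends on the backend it dispatches to, so I would not rely on it.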
>
@@ -44,7 +46,8 @@ shell: > cat /etc/wireguard/publickey register: wireguard_public_key - changed_when: no + changed_when: false + check_mode: false rescue: - name: Generate public key shell: >
@@ -58,28 +61,29 @@ group: root mode: 0600 -# - name: Set keys pair variable -# set_facts: -# wireguard_public_key: '{{ wireguard_public_key.stdout }}' -# wireguard_private_key: '{{ wireguard_private_key.stdout }}' -# -# - name: Install WireGuard configuration files -# template: -# src: "etc/wireguard/wireguard.conf.j2" -# dest: "/etc/wireguard/{{ wireguard_interface }}.conf" -# owner: root -# group: root -# mode: 0644 -# -# - name: Enable Wireguard service -# service: -# name: "wg-quick@{{ wireguard_interface }}" -# enabled: yes -# state: restarted -# when: -# - skip_conf|false -# tags: -# - wireguard-conf -# + - name: Set keys pair variable + set_fact: + wireguard_public_key: '{{ wireguard_public_key.stdout }}' + wireguard_private_key: '{{ wireguard_private_key.stdout }}' + check_mode: false + + - name: Install WireGuard configuration files + template: + src: "etc/wireguard/wireguard.conf.j2" + dest: "/etc/wireguard/{{ wireguard_interface }}.conf" + owner: root + group: root + mode: 0644 + + - name: Enable Wireguard service + service: + name: "wg-quick@{{ wireguard_interface }}" + enabled: true + state: restarted + when: + - not skip_conf + tags: + - wireguard-conf + tags: - wireguard
diff --git a/templates/etc/wireguard.conf.j2 b/templates/etc/wireguard/wireguard.conf.j2
similarity index 73%
rename from templates/etc/wireguard.conf.j2
rename to templates/etc/wireguard/wireguard.conf.j2
index 776029f..f7d0610 100644
--- a/templates/etc/wireguard.conf.j2
+++ b/templates/etc/wireguard/wireguard.conf.j2
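Review bot: `cat /etc/wireguard/privatekey` with `register: wireguard_private_key` places the private key in the registered result, which verbose runs and callback plugins that print task results will display; the hunk adds `check_mode: false` but not `no_log: true`, the usual mitigation for a task whose stdout is secret material. Adding `no_log: true` next to `changed_when: false` on this task, and on the generate task in the `rescue:` branch whose body continues outside the hunk, keeps the key out of logs. The enclosing `block:` starts above this hunk.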
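Review bot: The file written by the `Install WireGuard configuration files` task gets `mode: 0644`, so if the rendered template carries the interface `PrivateKey` (the `[Interface]` section is outside this diff, so that is an inference) the key becomes world-readable; `mode: "0600"` matches the permission already used for the key files in this hunk's context (`mode: 0600`) and also avoids the unquoted-octal ambiguity. Separately, `state: restarted` on the `Enable Wireguard service` task runs on every play, so the tunnel is restarted even when the template did not change; notifying a handler from the template task, or using `state: started` here, avoids the unconditional restart. `when: - not skip_conf` is the corrected form of the old `skip_conf|false` and reads as intended.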
@@ -46,10 +46,16 @@ SaveConfig = {{ wireguard_save_config }} [Peer] # {{ host }} -PublicKey = {{ public_key_files.results[0].stdout }} +PublicKey = {{ hostvars[host].wireguard_public_key }} #AllowedIPs = 0.0.0.0/0,::/0 -AllowedIPs = {{ wireguard_address }} -Endpoint = {{ ansible_default_ipv4.address }}:{{ vpn_port }} -PersistentKeepalive = 20 +{% if hostvars[host].wireguard_allowed_ips is defined %} +AllowedIPs = {{hostvars[host].wireguard_allowed_ips}} +{% else %} +AllowedIPs = {{ hostvars[host].wireguard_address.split('/')[0] }}/32 +{% endif %} +Endpoint = {{ hostvars[host].ansible_default_ipv4.address }}:{{ wireguard_port }} +{% if hostvars[host].wireguard_persistent_keepalive is defined %} +PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}} +{% endif %} {% endif %} {% endfor %}
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 39f5d41..d6de4a1 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -1,4 +1,3 @@ --- wireguard_packages: - - kmod-wireguard - wireguard-tools
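Review bot: `Endpoint = {{ hostvars[host].ansible_default_ipv4.address }}:{{ wireguard_port }}` takes the address from the peer but the port from the host rendering the template, while every other value in this hunk was moved to `hostvars[host]`; a peer listening on a non-default port would get a wrong endpoint. `{{ hostvars[host].wireguard_port | default(wireguard_port) }}` keeps the rendering host's port as the fallback. `{{hostvars[host].wireguard_allowed_ips}}` and `{{hostvars[host].wireguard_persistent_keepalive}}` also drop the spaces inside the braces that the rest of the file uses. Note too that `hostvars[host].wireguard_public_key` presumes the `set_fact` task has run for every peer in the same play; a run limited to a subset of hosts would leave it undefined for the others.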