Add Infrastructure VPN setup

This commit is contained in:
Tobias Manske 2023-09-12 03:30:01 +02:00
parent a8ef28e446
commit db2f77bc88
Signed by: tobias
GPG Key ID: 9164B527694A0709
3 changed files with 90 additions and 1 deletions

View File

@ -271,4 +271,9 @@
enabled: true
masked: false
daemon_reload: true
- name: Setup Infrastructure Wireguard
tags:
- setup
- setup_wireguard
- setup_vpn
ansible.builtin.import_playbook: vpn.yaml

View File

@ -0,0 +1,27 @@
# DO NOT PFUSCH IN THIS FILE!
# ANSIBLE WILL NOT CARE AND RUIN YOUR DAY!
# CONSIDER YOUSELF WARNED.
[Interface]
Address = {{ wg_addr | mandatory }}/32
MTU = 1280
SaveConfig = false
ListenPort = 52000
PrivateKey = {{ wg_private_key | mandatory }}
{% for node in nodes %}
{% set hvar=hostvars[node] %}
# node: {{ hvar.inventory_hostname }}
[peer]
PublicKey = {{ hvar.wg_public_key | mandatory }}
AllowedIPs = {{ hvar.wg_addr | mandatory }}/32
{% if hvar.ansible_default_ipv6 is defined and ansible_default_ipv6 is defined and hvar.ansible_default_ipv6.scope == "global" and ansible_default_ipv6.scope == "global" %}
Endpoint = [{{ hvar.ansible_default_ipv6.address | mandatory }}]:52000
{% else %}
Endpoint = [{{ hvar.ansible_default_ipv4.address | mandatory }}]:52000
{% endif %}
{% if hvar.wg_keepalive is defined %}
PersistentKeepalive = {{ hvar.wg_keepalive }}
{% endif %}
{% endfor %}

View File

@ -0,0 +1,57 @@
---
- name: Setup VPN Meshnetwork
hosts: all
become: true
become_user: root
gather_facts: true
vars:
nodes: "{{ groups['all'] }}"
tasks:
- name: Generate Keymaterial
become: true
block:
- name: Generate Private Key
ansible.builtin.shell:
executable: /bin/bash
cmd: |
set -o pipefail
wg genkey | tee /etc/wireguard/privatekey
creates: /etc/wireguard/privatekey
- name: Register Private Key
ansible.builtin.slurp:
src: /etc/wireguard/privatekey
register: private_key_b64
changed_when: false
- name: Register Public Key
ansible.builtin.shell:
executable: /bin/bash
cmd: |
set -o pipefail
cat /etc/wireguard/privatekey | wg pubkey
register: public_key
changed_when: false
- name: Set facts
ansible.builtin.set_fact:
wg_private_key: "{{ private_key_b64.content | b64decode }}"
wg_public_key: "{{ public_key.stdout }}"
- name: Deploy Config
ansible.builtin.template:
src: wg_infra.conf.j2
dest: /etc/wireguard/wg_infra.conf
owner: root
group: root
mode: 0600
notify:
- Restart wireguard
- name: Enable systemd service
ansible.builtin.systemd:
name: wg-quick@wg_infra
enabled: true
handlers:
- name: Restart wireguard
ansible.builtin.systemd:
name: wg-quick@wg_infra
state: restarted
# vim: ft=yaml.ansible