Diffstat (limited to 'roles/network/wireguard')
-rw-r--r-- | roles/network/wireguard/base/tasks/main.yml | 52 | ||||
-rw-r--r-- | roles/network/wireguard/gateway/templates/nftables.rules.j2 | 2 | ||||
-rw-r--r-- | roles/network/wireguard/p2p/defaults/main.yml | 19 | ||||
-rw-r--r-- | roles/network/wireguard/p2p/tasks/main.yml | 16 | ||||
-rw-r--r-- | roles/network/wireguard/p2p/templates/systemd.netdev.j2 | 22 | ||||
-rw-r--r-- | roles/network/wireguard/p2p/templates/systemd.network.j2 | 6 |
6 files changed, 76 insertions, 41 deletions
diff --git a/roles/network/wireguard/base/tasks/main.yml b/roles/network/wireguard/base/tasks/main.yml
index 4d60150d..f096801c 100644
--- a/roles/network/wireguard/base/tasks/main.yml
+++ b/roles/network/wireguard/base/tasks/main.yml
@@ -4,30 +4,36 @@
 import_role:
 name: apt-repo/spreadspace
-- name: install dkms
- import_role:
- name: prepare-dkms
+- name: install wireguard modules via dkms (legacy systems only)
+ when: (ansible_distribution == 'Debian' and (ansible_distribution_major_version | int) < 11) or (ansible_distribution == 'Ubuntu' and (ansible_distribution_major_version | int) < 22)
+ block:
+ - name: install dkms
+ import_role:
+ name: prepare-dkms
-- name: install wireguard packages
- apt:
- name:
- - wireguard-dkms
- - wireguard-tools
- state: present
+ - name: install wireguard-dkms package
+ apt:
+ name: wireguard-dkms
+ state: present
-- name: check if module is available for the currently running kernel
- command: modprobe --dry-run wireguard
- check_mode: no
- register: wireguard_module_available
- failed_when: false
- changed_when: false
+ - name: check if module is available for the currently running kernel
+ command: modprobe --dry-run wireguard
+ check_mode: no
+ register: wireguard_module_available
+ failed_when: false
+ changed_when: false
-- name: rebuild wireguard module
- when: wireguard_module_available.rc != 0
- command: dpkg-reconfigure wireguard-dkms
+ - name: rebuild wireguard module
+ when: wireguard_module_available.rc != 0
+ command: dpkg-reconfigure wireguard-dkms
-- name: check again if module is available for the currently running kernel
- when: wireguard_module_available.rc != 0
- command: modprobe --dry-run wireguard
- check_mode: no
- changed_when: false
+ - name: check again if module is available for the currently running kernel
+ when: wireguard_module_available.rc != 0
+ command: modprobe --dry-run wireguard
+ check_mode: no
+ changed_when: false
+
+- name: install wireguard tools
+ apt:
+ name: wireguard-tools
+ state: present
diff --git a/roles/network/wireguard/gateway/templates/nftables.rules.j2 b/roles/network/wireguard/gateway/templates/nftables.rules.j2
index fcf4a21b..501b1d0b 100644
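Review bot: The cutoff in the new block's `when:` (Debian below 11, Ubuntu below 22) is left unexplained, so the next reader has to rediscover why dkms is skipped on newer releases; a comment above the block such as `# kernels since 5.6 carry wireguard in-tree (Debian 11+, Ubuntu 22.04+), so the dkms build is only needed on older releases` records the reasoning next to the numbers. Inside the block the re-indented `check_mode: no` lines keep the YAML 1.1 truthy spelling; since these lines are new on this side anyway, `check_mode: false` is the form yamllint's truthy rule accepts and matches the `failed_when: false` / `changed_when: false` style already used two lines below. The apt-repo import_role at the top of the file starts outside the hunk.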
--- a/roles/network/wireguard/gateway/templates/nftables.rules.j2
+++ b/roles/network/wireguard/gateway/templates/nftables.rules.j2
@@ -4,7 +4,7 @@
 table ip nat {
 chain wireguard-gateway-{{ item.key }}-snat {
 type nat hook postrouting priority 100; policy accept;
- ip saddr { {{ item.value.addresses | map('ipaddr', 'network/prefix') | join(', ') }} } oifname {{ item.value.ip_snat.interface }} snat to {{ item.value.ip_snat.to }}
+ ip saddr { {{ item.value.addresses | map('ansible.utils.ipaddr', 'network/prefix') | join(', ') }} } oifname {{ item.value.ip_snat.interface }} snat to {{ item.value.ip_snat.to }}
 }
 }
 {% endif %}
diff --git a/roles/network/wireguard/p2p/defaults/main.yml b/roles/network/wireguard/p2p/defaults/main.yml
index 9d93b810..68000a83 100644
--- a/roles/network/wireguard/p2p/defaults/main.yml
+++ b/roles/network/wireguard/p2p/defaults/main.yml
@@ -5,14 +5,17 @@
 # priv_key: secret
 # listen_port: 1234
 # addresses:
-# - 192.168.123.254/24
+# - 192.168.255.254/24
+# static_routes:
+# - dest: 192.168.123.0/24
+# gw: 192.168.255.3
-# wireguard_p2p_peer:
-# pub_key: public_key_of_peer
-# keepalive_interval: 10
-# endpoint:
-# host: 5.6.7.8
-# port: 1234
-# allowed_ips:
+# wireguard_p2p_peers:
+# - pub_key: public_key_of_peer
+# keepalive_interval: 10
+# endpoint:
+# host: 5.6.7.8
+# port: 1234
+# allowed_ips:
 # - 192.168.255.3/32
 # - 192.168.123.0/24
diff --git a/roles/network/wireguard/p2p/tasks/main.yml b/roles/network/wireguard/p2p/tasks/main.yml
index 78cfaf43..c1c21263 100644
--- a/roles/network/wireguard/p2p/tasks/main.yml
+++ b/roles/network/wireguard/p2p/tasks/main.yml
@@ -1,4 +1,18 @@
 ---
+- name: autogenerate wireguard private key file
+ when: "'priv_key' not in wireguard_p2p_interface"
+ block:
+ - name: generate private key
+ shell:
+ cmd: "umask 0027; wg genkey > '/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey'"
+ creates: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey"
+
+ - name: make sure systemd-netword can read the private key file
+ file:
+ path: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey"
+ mode: 0640
+ group: systemd-network
+
 - name: install wireguard interfaces (netdev)
 template:
 src: systemd.netdev.j2
@@ -13,7 +27,7 @@
 dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.network"
 notify: restart systemd-networkd
-- name: enable systemd-networkd
+- name: make sure systemd-networkd is enabled
 systemd:
 name: systemd-networkd
 enabled: yes
diff --git a/roles/network/wireguard/p2p/templates/systemd.netdev.j2 b/roles/network/wireguard/p2p/templates/systemd.netdev.j2
index 04abfa1d..3e73f474 100644
--- a/roles/network/wireguard/p2p/templates/systemd.netdev.j2
+++ b/roles/network/wireguard/p2p/templates/systemd.netdev.j2
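Review bot: The name of the new `file:` task reads `make sure systemd-netword can read the private key file`; `systemd-netword` should be `systemd-networkd`. On the same task `mode: 0640` is an unquoted octal, which Ansible's documentation and ansible-lint (risky-octal) advise against because YAML hands it over as an integer; `mode: '0640'` is the unambiguous spelling. The ordering itself is sound: `umask 0027` makes `wg genkey` create the file root-owned and not world-readable before group ownership is handed to systemd-network, and `creates:` keeps the key from being regenerated on later runs. If an operator later adds `priv_key` to the interface definition the generated file is left behind on the host, so a `state: absent` counterpart under the inverse condition would keep the two configuration paths from diverging. The template tasks that follow the first hunk continue outside it.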
@@ -7,20 +7,26 @@ Description={{ wireguard_p2p_interface.description }}
 [WireGuard]
+{% if 'priv_key' in wireguard_p2p_interface %}
 PrivateKey={{ wireguard_p2p_interface.priv_key }}
+{% else %}
+PrivateKeyFile=/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey
+{% endif %}
 {% if 'listen_port' in wireguard_p2p_interface %}
 ListenPort={{ wireguard_p2p_interface.listen_port }}
 {% endif %}
+{% for peer in wireguard_p2p_peers %}
 [WireGuardPeer]
-PublicKey={{ wireguard_p2p_peer.pub_key }}
-{% for ip in wireguard_p2p_peer.allowed_ips %}
+PublicKey={{ peer.pub_key }}
+{% for ip in peer.allowed_ips %}
 AllowedIPs={{ ip }}
+{% endfor %}
+{% if 'endpoint' in peer %}
+Endpoint={{ peer.endpoint.host }}:{{ peer.endpoint.port | default(51820) }}
+{% endif %}
+{% if 'keepalive_interval' in peer %}
+PersistentKeepalive={{ peer.keepalive_interval }}
+{% endif %}
 {% endfor %}
-{% if 'endpoint' in wireguard_p2p_peer %}
-Endpoint={{ wireguard_p2p_peer.endpoint.host }}:{{ wireguard_p2p_peer.endpoint.port | default(51820) }}
-{% endif %}
-{% if 'keepalive_interval' in wireguard_p2p_peer %}
-PersistentKeepalive={{ wireguard_p2p_peer.keepalive_interval }}
-{% endif %}
diff --git a/roles/network/wireguard/p2p/templates/systemd.network.j2 b/roles/network/wireguard/p2p/templates/systemd.network.j2
index 3d1e2431..e40e610b 100644
--- a/roles/network/wireguard/p2p/templates/systemd.network.j2
+++ b/roles/network/wireguard/p2p/templates/systemd.network.j2
@@ -5,3 +5,9 @@ Name={{ wireguard_p2p_interface.name }}
 {% for addr in wireguard_p2p_interface.addresses %}
 Address={{ addr }}
 {% endfor %}
+{% for route in wireguard_p2p_interface.static_routes | default([]) %}
+
+[Route]
+Destination={{ route.dest }}
+Gateway={{ route.gw }}
+{% endfor %} |
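Review bot: The outer `{% for peer in wireguard_p2p_peers %}` reads a list the old template never used, and the singular `wireguard_p2p_peer` mapping is no longer consulted anywhere in the file, so an inventory still carrying the old name now fails at render time with a generic undefined-variable error rather than one naming the rename. `{% for peer in wireguard_p2p_peers | mandatory('wireguard_p2p_peers must be a list of peers; wireguard_p2p_peer is no longer read') %}` makes that failure self-explanatory; whether the project instead expects a coordinated inventory change is for the author to say. The `PrivateKeyFile=` branch relies on the p2p tasks having created the key file with group systemd-network and mode 0640, and a `{# generated by tasks/main.yml when priv_key is unset #}` comment next to it would tie the two together without leaking into the rendered unit. The [NetDev] section above this hunk is outside it.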
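Review bot: In the new `[Route]` loop `Gateway={{ route.gw }}` is emitted unconditionally, so a static_routes entry without `gw` aborts the render with an undefined-attribute error instead of yielding the on-link route that systemd.network produces when Gateway= is omitted; `{% if 'gw' in route %}Gateway={{ route.gw }}{% endif %}` would mirror how the netdev template guards its optional keys. The defaults file documents `gw` alongside `dest` in its only example, so whether gateway-less routes are meant to be supported is for the author to confirm.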