diff --git a/roles/wireguard/meta/argument_specs.yml b/roles/wireguard/meta/argument_specs.yml new file mode 100644 index 0000000..1af9936 --- /dev/null +++ b/roles/wireguard/meta/argument_specs.yml @@ -0,0 +1,12 @@ +--- +argument_specs: + main: + options: + interface: + type: str + listen_port: + type: int + address: + type: str + peers: + type: list diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 5d7357a..d204f6e 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -10,7 +10,8 @@ ansible.builtin.file: path: /etc/wireguard state: directory - mode: '1750' + mode: '1700' + owner: root - name: Generate private key become: true ansible.builtin.shell: | @@ -44,9 +45,10 @@ ansible.builtin.template: src: wg0.conf.j2 dest: /etc/wireguard/wg0.conf + register: cfg - name: Enable wireguard service become: true ansible.builtin.systemd_service: name: wg-quick@wg0 - state: restarted + state: "{% if cfg.changed %}restarted{% else %}started{% endif %}" enabled: true diff --git a/roles/wireguard/templates/wg0.conf.j2 b/roles/wireguard/templates/wg0.conf.j2 index 785b3c6..35bae28 100644 --- a/roles/wireguard/templates/wg0.conf.j2 +++ b/roles/wireguard/templates/wg0.conf.j2 
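Review bot: `peers` is declared only as `type: list`, so a peer entry that lacks `public_key` or `allowed_ips` passes argument validation and only fails later inside the template render, with a far less useful error; declare `elements: dict` with nested `options` marking both keys `required: true`. None of the options carry a `description`, and `required`/`default` are left implicit even though the fallback values live in a separate vars file, so at minimum `address` and `listen_port` should say what they expect. Rewritten `peers` entry:
```yaml
      # … unchanged: interface, listen_port, address entries under main/options …
      peers:
        type: list
        elements: dict
        default: []
        options:
          public_key:
            type: str
            required: true
            description: Base64 WireGuard public key of the peer.
          allowed_ips:
            type: str
            required: true
            description: CIDR (or comma-separated CIDRs) routed to this peer.
```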
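Review bot: `mode: '1700'` keeps the sticky bit on `/etc/wireguard`, which has no effect on a directory that only its owner can enter, and `owner: root` is added without `group: root`, so a pre-existing directory keeps whatever group it already had; `mode: '0700'` with `owner: root` and `group: root` states the intent plainly. The quoted octal string is the right form and should stay quoted. The `Generate private key` task that follows continues past the hunk, so its shell body is not reviewed here.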
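Review bot: The template task writes `/etc/wireguard/wg0.conf`, which the template fills with the decoded private key, but passes no `mode`, so a newly created file gets umask-derived permissions (typically 0644) and only the parent directory's permissions stand between the key and other local users; add `mode: '0600'`, `owner: root` and `group: root` next to `dest`. The restart-only-on-change logic is correct, but `state: "{{ 'restarted' if cfg.changed else 'started' }}"` is the usual Ansible spelling of that conditional, and a `notify` handler on the template task would achieve the same without a registered variable coupling the two tasks.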
@@ -1,10 +1,12 @@ [Interface] PrivateKey = {{ private_key.content | b64decode }} -Address = 10.110.0.1/24 -ListenPort = 51840 -PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE -PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE +Address = {{ address }} +ListenPort = {{ listen_port }} +PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ interface }} -j MASQUERADE +PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ interface }} -j MASQUERADE +{% for peer in peers %} [Peer] -PublicKey = awAVP/tkl0Z9PKEMTABjIXhblWSGHhIvYjBFp3C7YUk= -AllowedIPs = 10.110.0.2/32 +PublicKey = {{ peer.public_key }} +AllowedIPs = {{ peer.allowed_ips }} +{% endfor %} diff --git a/roles/wireguard/vars/main.yml b/roles/wireguard/vars/main.yml new file mode 100644 index 0000000..4df68b6 --- /dev/null +++ b/roles/wireguard/vars/main.yml @@ -0,0 +1,4 @@ +interface: ens18 +listen_port: 51820 +address: 10.0.0.1/8 +peers: [] diff --git a/wireguard.yml b/wireguard.yml index 58139e5..1c1594e 100644 --- a/wireguard.yml +++ b/wireguard.yml @@ -2,3 +2,8 @@ - hosts: network roles: - role: wireguard + address: 10.110.0.1/24 + listen_port: 51840 + peers: + - public_key: awAVP/tkl0Z9PKEMTABjIXhblWSGHhIvYjBFp3C7YUk= + allowed_ips: 10.110.0.2/32
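Review bot: `{{ interface }}` is interpolated into `PostUp`/`PostDown`, which wg-quick evaluates as a shell command line as root, and the only check on its value is `type: str` in the argument spec; render it as `{{ interface | quote }}` in both lines (shell-quoting leaves a plain name such as `ens18` untouched) or assert it matches `^[a-zA-Z0-9_.-]{1,15}$` before templating. `AllowedIPs = {{ peer.allowed_ips }}` assumes a scalar; if a caller passes a list, Jinja will render its Python repr and wg-quick will reject the file, so `AllowedIPs = {{ peer.allowed_ips if peer.allowed_ips is string else peer.allowed_ips | join(', ') }}` accepts both shapes. The hunk line counts (9 old lines visible of 10, 11 new of 12) suggest one blank context line was lost in rendering, which does not affect these points.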
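Review bot: These fallbacks live in `roles/wireguard/vars/main.yml`, and role vars outrank inventory `group_vars`/`host_vars`, so a per-host `interface` or `address` set in inventory is silently ignored and only role params or extra vars can change them; move the file to `roles/wireguard/defaults/main.yml`. `address: 10.0.0.1/8` is also a risky fallback, because wg-quick adds that address to the interface and the resulting connected route would pull all of 10.0.0.0/8 onto the tunnel if the default ever applied; either drop the default and mark `address` required, or use a narrow prefix such as `10.0.0.1/24`. `peers: []` is the right explicit empty-list form.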