Make wireguard role generic
This commit is contained in:
parent
05b13685e4
commit
d39ea3b25f
5 changed files with 33 additions and 8 deletions
12
roles/wireguard/meta/argument_specs.yml
Normal file
12
roles/wireguard/meta/argument_specs.yml
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
---
|
||||||
|
argument_specs:
|
||||||
|
main:
|
||||||
|
options:
|
||||||
|
interface:
|
||||||
|
type: str
|
||||||
|
listen_port:
|
||||||
|
type: int
|
||||||
|
address:
|
||||||
|
type: str
|
||||||
|
peers:
|
||||||
|
type: list
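Review bot: `peers` is declared as `type: list` with no `elements:` and no nested `options:`, so a peer entry that lacks `public_key` or `allowed_ips` passes role-argument validation and only fails later when wg0.conf.j2 renders `peer.public_key`. None of the four options carries `required:` or a `description:` either, so the spec documents nothing beyond the scalar type; adding `elements: dict` with the two peer keys, and a one-line `description:` per option, would make the spec do its job. Indentation is not recoverable from the rendered page, so the nesting below follows the usual argument_specs layout.

```yaml
      # … unchanged: interface, listen_port, address options …
      peers:
        type: list
        elements: dict
        description: Peer sections rendered into wg0.conf.
        options:
          public_key:
            type: str
            required: true
          allowed_ips:
            type: str
            required: true
```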
|
|
@ -10,7 +10,8 @@
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /etc/wireguard
|
path: /etc/wireguard
|
||||||
state: directory
|
state: directory
|
||||||
mode: '1750'
|
mode: '1700'
|
||||||
|
owner: root
|
||||||
- name: Generate private key
|
- name: Generate private key
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.shell: |
|
ansible.builtin.shell: |
|
||||||
|
@ -44,9 +45,10 @@
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: wg0.conf.j2
|
src: wg0.conf.j2
|
||||||
dest: /etc/wireguard/wg0.conf
|
dest: /etc/wireguard/wg0.conf
|
||||||
|
register: cfg
|
||||||
- name: Enable wireguard service
|
- name: Enable wireguard service
|
||||||
become: true
|
become: true
|
||||||
ansible.builtin.systemd_service:
|
ansible.builtin.systemd_service:
|
||||||
name: wg-quick@wg0
|
name: wg-quick@wg0
|
||||||
state: restarted
|
state: "{% if cfg.changed %}restarted{% else %}started{% endif %}"
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
|
@ -1,10 +1,12 @@
|
||||||
[Interface]
|
[Interface]
|
||||||
PrivateKey = {{ private_key.content | b64decode }}
|
PrivateKey = {{ private_key.content | b64decode }}
|
||||||
Address = 10.110.0.1/24
|
Address = {{ address }}
|
||||||
ListenPort = 51840
|
ListenPort = {{ listen_port }}
|
||||||
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
|
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ interface }} -j MASQUERADE
|
||||||
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
|
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ interface }} -j MASQUERADE
|
||||||
|
|
||||||
|
{% for peer in peers %}
|
||||||
[Peer]
|
[Peer]
|
||||||
PublicKey = awAVP/tkl0Z9PKEMTABjIXhblWSGHhIvYjBFp3C7YUk=
|
PublicKey = {{ peer.public_key }}
|
||||||
AllowedIPs = 10.110.0.2/32
|
AllowedIPs = {{ peer.allowed_ips }}
|
||||||
|
{% endfor %}
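Review bot: The template now reads `{{ address }}`, `{{ listen_port }}`, `{{ interface }}` and `peers` as bare, unprefixed names, which is fragile in a role meant to be reused: `interface` and `address` are generic enough to collide with variables set by other roles or by inventory, and Ansible silently resolves whichever has higher precedence. The usual convention is a role prefix, e.g. `{{ wireguard_interface }}` and `{% for peer in wireguard_peers %}`, applied consistently in the argument_specs, vars/main.yml and playbook hunks of this commit. The MASQUERADE rule in PostUp/PostDown is still hard-coded apart from the interface, which is presumably intended for this role, but it deserves a comment in the template saying the host is expected to act as a NAT gateway, since a reader of the generic role no longer sees that from the variable names.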
|
||||||
|
|
4
roles/wireguard/vars/main.yml
Normal file
4
roles/wireguard/vars/main.yml
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
interface: ens18
|
||||||
|
listen_port: 51820
|
||||||
|
address: 10.0.0.1/8
|
||||||
|
peers: []
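Review bot: These fallbacks live in `vars/main.yml`, which in Ansible's precedence order sits above inventory, group_vars and host_vars, so a host can override `interface: ens18` or `address: 10.0.0.1/8` only through role parameters as the playbook hunk does, never through inventory. Tunable values like these belong in `defaults/main.yml`, the lowest-precedence layer and the one argument_specs is normally paired with. `address: 10.0.0.1/8` also reads as a placeholder rather than a safe default; if no sensible value exists, leaving it unset and marking it `required: true` in the spec turns a missing value into a clear error at role entry instead of a silently configured tunnel.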
|
|
@ -2,3 +2,8 @@
|
||||||
- hosts: network
|
- hosts: network
|
||||||
roles:
|
roles:
|
||||||
- role: wireguard
|
- role: wireguard
|
||||||
|
address: 10.110.0.1/24
|
||||||
|
listen_port: 51840
|
||||||
|
peers:
|
||||||
|
- public_key: awAVP/tkl0Z9PKEMTABjIXhblWSGHhIvYjBFp3C7YUk=
|
||||||
|
allowed_ips: 10.110.0.2/32
|
||||||
|
|