Make wireguard role generic

This commit is contained in:
Ivan R. 2024-10-30 17:42:17 +05:00
parent 05b13685e4
commit d39ea3b25f
Signed by: lumin
GPG key ID: E0937DC7CD6D3817
5 changed files with 33 additions and 8 deletions


@ -0,0 +1,12 @@
---
argument_specs:
main:
options:
interface:
type: str
listen_port:
type: int
address:
type: str
peers:
type: list
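Review bot: `peers` is declared as a bare `type: list` with no element schema, so a peer entry that lacks `public_key` or `allowed_ips` passes argument validation and only fails later, when wg-quick refuses the rendered wg0.conf at service start. Declaring `elements: dict` with an `options:` block for the two peer fields moves that failure to play start, where the error names the missing field. A one-line `description:` per option would also help, since this spec is now the role's only interface documentation.

```yaml
# … unchanged: interface, listen_port, address …
peers:
  type: list
  elements: dict
  options:
    public_key:
      type: str
      required: true
    allowed_ips:
      type: str
      required: true
```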


@ -10,7 +10,8 @@
ansible.builtin.file: ansible.builtin.file:
path: /etc/wireguard path: /etc/wireguard
state: directory state: directory
mode: '1750' mode: '1700'
owner: root
- name: Generate private key - name: Generate private key
become: true become: true
ansible.builtin.shell: | ansible.builtin.shell: |
@ -44,9 +45,10 @@
ansible.builtin.template: ansible.builtin.template:
src: wg0.conf.j2 src: wg0.conf.j2
dest: /etc/wireguard/wg0.conf dest: /etc/wireguard/wg0.conf
register: cfg
- name: Enable wireguard service - name: Enable wireguard service
become: true become: true
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
name: wg-quick@wg0 name: wg-quick@wg0
state: restarted state: "{% if cfg.changed %}restarted{% else %}started{% endif %}"
enabled: true enabled: true
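Review bot: The `ansible.builtin.template:` task that writes the private key into /etc/wireguard/wg0.conf sets no `mode:`, so the file's permissions come from the task's umask and the directory mode in the first hunk is the only thing keeping the key from other users; add `mode: '0600'` next to `register: cfg`. In that first hunk, the sticky bit in `mode: '1700'` has no effect on a directory only its owner can write to, so `'0700'` states the intent more plainly. The Jinja conditional in `state:` works, but the idiomatic form is `state: started` here with `notify: Restart wireguard` on the template task and a handler that issues `state: restarted`, which keeps the service task free of template logic. Both tasks in this hunk continue outside it.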


@ -1,10 +1,12 @@
[Interface] [Interface]
PrivateKey = {{ private_key.content | b64decode }} PrivateKey = {{ private_key.content | b64decode }}
Address = 10.110.0.1/24 Address = {{ address }}
ListenPort = 51840 ListenPort = {{ listen_port }}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ interface }} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ interface }} -j MASQUERADE
{% for peer in peers %}
[Peer] [Peer]
PublicKey = awAVP/tkl0Z9PKEMTABjIXhblWSGHhIvYjBFp3C7YUk= PublicKey = {{ peer.public_key }}
AllowedIPs = 10.110.0.2/32 AllowedIPs = {{ peer.allowed_ips }}
{% endfor %}
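Review bot: `PublicKey = {{ peer.public_key }}` and `AllowedIPs = {{ peer.allowed_ips }}` render an empty value when a peer entry lacks the field, and wg-quick then rejects the whole file at service start instead of the play failing at template time; `{{ peer.public_key | mandatory }}` and `{{ peer.allowed_ips | mandatory }}` surface the missing field by name. `{{ interface }}` is expanded into the PostUp/PostDown commands that wg-quick hands to a shell, so `{{ interface | quote }}` keeps an odd interface value from being interpreted as shell syntax. The loop also emits `[Peer]` blocks directly after the PostDown line and after each other; a blank line before `[Peer]` inside the loop keeps the generated file readable.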


@ -0,0 +1,4 @@
interface: ens18
listen_port: 51820
address: 10.0.0.1/8
peers: []
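Review bot: `interface: ens18` is a host-specific NIC name rather than a generic default; on a host whose uplink has another name the MASQUERADE rule in PostUp targets an interface that does not exist. `interface: "{{ ansible_default_ipv4.interface }}"` would follow the host, or the option could be left without a default and marked `required: true` in argument_specs. `address: 10.0.0.1/8` likewise makes the whole 10/8 range reachable through the tunnel by default, far more than an empty peer list needs; a /24 is the safer starting point. The file also lacks the `---` document-start marker that the argument_specs file uses.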


@ -2,3 +2,8 @@
- hosts: network - hosts: network
roles: roles:
- role: wireguard - role: wireguard
address: 10.110.0.1/24
listen_port: 51840
peers:
- public_key: awAVP/tkl0Z9PKEMTABjIXhblWSGHhIvYjBFp3C7YUk=
allowed_ips: 10.110.0.2/32
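Review bot: The peer data that the commit removes from the template now lives inline under `- role: wireguard`, so the play itself carries deployment-specific values and is no more reusable than the template was. Moving `address`, `listen_port` and `peers` into group_vars/network (or host_vars for the individual server) keeps the play generic and lets the same role invocation serve other host groups. The play's header is outside the hunk.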