feat(wg-admin): add playbooks for wg-admin clients
Signed-off-by: Matej Focko <mfocko@redhat.com>
This commit is contained in:
parent
5f99af32cf
commit
c83836b900
5 changed files with 122 additions and 0 deletions
|
@ -30,6 +30,11 @@
|
||||||
become: true
|
become: true
|
||||||
tags: sshd
|
tags: sshd
|
||||||
|
|
||||||
|
# Install the Wireguard admin VPN
|
||||||
|
- role: system/wg-admin
|
||||||
|
tags: wg-admin
|
||||||
|
become: true
|
||||||
|
|
||||||
# Handle basic user configuration
|
# Handle basic user configuration
|
||||||
- user/base
|
- user/base
|
||||||
|
|
||||||
|
|
29
roles/system/wg-admin/tasks/dns_AlmaLinux.yml
Normal file
29
roles/system/wg-admin/tasks/dns_AlmaLinux.yml
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
---
|
||||||
|
- name: Enable and start systemd-resolved
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: systemd-resolved
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
||||||
|
|
||||||
|
- name: Make NetworkManager use the systemd-resolved
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: |
|
||||||
|
[main]
|
||||||
|
dns=systemd-resolved
|
||||||
|
|
||||||
|
dest: /etc/NetworkManager/conf.d/systemd-resolved.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0600"
|
||||||
|
|
||||||
|
- name: Replace the original resolv.conf with systemd-resolved reference
|
||||||
|
ansible.builtin.file:
|
||||||
|
src: /run/systemd/resolve/resolv.conf
|
||||||
|
path: /etc/resolv.conf
|
||||||
|
state: link
|
||||||
|
force: true
|
||||||
|
|
||||||
|
- name: Restart the NetworkManager
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: NetworkManager
|
||||||
|
state: restarted
|
12
roles/system/wg-admin/tasks/install.yml
Normal file
12
roles/system/wg-admin/tasks/install.yml
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
---
|
||||||
|
- name: Install the wireguard on Ubuntu
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: wireguard
|
||||||
|
state: present
|
||||||
|
when: ansible_distribution == "Ubuntu"
|
||||||
|
|
||||||
|
- name: Install the wireguard on co-Ubuntu
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: wireguard-tools
|
||||||
|
state: present
|
||||||
|
when: ansible_distribution != "Ubuntu"
|
54
roles/system/wg-admin/tasks/main.yml
Normal file
54
roles/system/wg-admin/tasks/main.yml
Normal file
|
@ -0,0 +1,54 @@
|
||||||
|
---
|
||||||
|
- name: Packages
|
||||||
|
ansible.builtin.include_tasks: install.yml
|
||||||
|
tags: install
|
||||||
|
|
||||||
|
- name: Generate private key
|
||||||
|
ansible.builtin.shell:
|
||||||
|
cmd: |
|
||||||
|
set -e -o pipefail
|
||||||
|
umask 077
|
||||||
|
wg genkey | tee private.key | wg pubkey > public.key
|
||||||
|
|
||||||
|
chdir: /etc/wireguard
|
||||||
|
creates: /etc/wireguard/private.key
|
||||||
|
|
||||||
|
- name: Get public key
|
||||||
|
ansible.builtin.command: cat /etc/wireguard/public.key
|
||||||
|
register: public_key
|
||||||
|
changed_when: False
|
||||||
|
|
||||||
|
- name: Set public key fact
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
public_key: "{{ public_key.stdout }}"
|
||||||
|
|
||||||
|
- name: Set dns_command for co-openSUSE
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
wg_dns_command: "resolvectl dns %i 10.42.0.1; resolvectl domain %i ~admin"
|
||||||
|
when: ansible_distribution != "openSUSE"
|
||||||
|
|
||||||
|
- name: Set dns_command for openSUSE
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
wg_dns_command: "nmcli con mod %i ipv4.dns 10.42.0.1; nmcli con mod %i ipv4.dns-search ~admin"
|
||||||
|
when: ansible_distribution == "openSUSE"
|
||||||
|
|
||||||
|
- name: Create the config
|
||||||
|
vars:
|
||||||
|
address: "{{ wg_admin_address }}"
|
||||||
|
dns_command: "{{ wg_dns_command }}"
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: wg-admin.conf
|
||||||
|
dest: /etc/wireguard/wg-admin.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0600"
|
||||||
|
|
||||||
|
- name: Set up the DNS on AlmaLinux
|
||||||
|
ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml"
|
||||||
|
when: ansible_distribution == "AlmaLinux"
|
||||||
|
|
||||||
|
- name: Enable and start the wireguard connection
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: "wg-quick@wg-admin"
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
22
roles/system/wg-admin/templates/wg-admin.conf
Normal file
22
roles/system/wg-admin/templates/wg-admin.conf
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
[Interface]
|
||||||
|
# Assign the static IP
|
||||||
|
Address = {{ address }}/20
|
||||||
|
|
||||||
|
# Set the DNS
|
||||||
|
DNS = 10.42.0.1, admin
|
||||||
|
|
||||||
|
# Set the DNS for the connection
|
||||||
|
PostUp = {{ dns_command }}
|
||||||
|
|
||||||
|
# Load the private key
|
||||||
|
PostUp = wg set %i private-key /etc/wireguard/private.key
|
||||||
|
|
||||||
|
# FIXME: Ping the VPN server to initiate the connection
|
||||||
|
# PostUp = ping -c3 10.42.0.1
|
||||||
|
|
||||||
|
# poincare
|
||||||
|
[Peer]
|
||||||
|
PublicKey = DFvcdIvT4ulnQfRejbzUV/LJqUEYRWlAhtHKM65G92Y=
|
||||||
|
AllowedIPs = 10.42.0.0/20
|
||||||
|
Endpoint = mfocko.xyz:51820
|
||||||
|
PersistentKeepAlive = 20
|
Loading…
Reference in a new issue