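---
# Diagnostic play: dumps everything Ansible knows about localhost.
#
# As committed this play ended with a bare `fail:` task, which aborted every
# run before the real plays below could execute; together with the
# commented-out `ansible_python_interpreter` it reads like a leftover from
# debugging the interpreter setting for the client play. It is kept as an
# opt-in diagnostic: the `never` tag means it only runs when explicitly
# selected with `--tags debug`, and it no longer aborts the run.
- name: show localhost hostvars (diagnostic, run with --tags debug)
  hosts: localhost
  connection: local
  # no `become`: printing variables needs no privileges
  tags:
    - never
    - debug
  tasks:
    - name: dump hostvars for localhost
      debug:
        var: "hostvars['localhost']"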
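- name: setup vpn clients
  hosts: localhost
  connection: local
  become: true
  vars:
    # Use system python so the apt module's python bindings are available.
    # NOTE(review): this relies on a `python` executable being on PATH; recent
    # Debian/Ubuntu images ship only `python3` - confirm on the target image.
    ansible_python_interpreter: "/usr/bin/env python"
  tasks:
    - name: install wireguard package
      apt:
        name: wireguard
        state: present
        update_cache: true

    # Key material is generated on the client and never leaves it: the private
    # key is written by the shell under umask 077 (mode 0600) and is never read
    # back into Ansible variables or logs. Each step writes to a temp file and
    # renames it, so a failed `wg` invocation cannot leave an empty key file
    # behind that would satisfy `creates` on every later run (the previous
    # `wg genkey | tee privatekey | wg pubkey > publickey` pipeline had exactly
    # that failure mode, and ran without pipefail so the error could go
    # unnoticed). Keying on privatekey also means an existing private key is
    # never silently regenerated just because publickey is missing.
    - name: generate private key
      shell:
        cmd: umask 077 && wg genkey > privatekey.tmp && mv privatekey.tmp privatekey
        chdir: /etc/wireguard
        creates: /etc/wireguard/privatekey

    - name: derive public key from private key
      shell:
        cmd: umask 077 && wg pubkey < privatekey > publickey.tmp && mv publickey.tmp publickey
        chdir: /etc/wireguard
        creates: /etc/wireguard/publickey

    - name: get public key
      command: cat /etc/wireguard/publickey
      register: publickey_contents
      changed_when: false

    # Save the public key as a fact so the server play can reach it through
    # hostvars['localhost'] when templating the server's wg0.conf.
    - name: set public key fact
      set_fact:
        pubkey: "{{ publickey_contents.stdout }}"

    # The rendered [Interface] section must carry this client's PrivateKey, so
    # the file is root-only and `diff: false` keeps the rendered content out of
    # `--diff` output and logs (template not shown here; verify it reads the
    # key from /etc/wireguard/privatekey rather than an Ansible variable).
    - name: create client wireguard config
      template:
        src: client_wg0.conf.j2
        dest: /etc/wireguard/wg0.conf
        owner: root
        group: root
        mode: "0600"
      diff: false
      notify: restart wireguard

  handlers:
    # Restarts the WireGuard interface, loading any new config and re-running
    # PostUp commands in the process. `wg-quick down` fails harmlessly (the `;`
    # ignores its exit status) when wg0 is not up yet, e.g. on the first run.
    # Notify this handler on client config changes.
    - name: restart wireguard
      shell: wg-quick down wg0; wg-quick up wg0
      args:
        executable: /bin/bash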
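- name: setup vpn server
  hosts: vpn_server
  # NOTE(review): every task below needs root (apt, writing /etc/wireguard,
  # sysctl, systemd) but, unlike the client plays, no `become` is set here -
  # confirm the inventory or command line supplies it, or add `become: true`.
  tasks:
    - name: install wireguard package
      apt:
        name: wireguard
        state: present
        update_cache: true

    # The server's [Interface] section carries its PrivateKey, so the file is
    # root-only and `diff: false` keeps the rendered content out of `--diff`
    # output and logs. Peer public keys are expected to come from
    # hostvars['localhost'].pubkey set in the client play (template not shown).
    - name: create server wireguard config
      template:
        src: server_wg0.conf.j2
        dest: /etc/wireguard/wg0.conf
        owner: root
        group: root
        mode: "0600"
      diff: false
      notify: reload wireguard config

    # Needed so the server can route client traffic. Only IPv4 is enabled
    # here; if the templates also hand out IPv6 addresses,
    # net.ipv6.conf.all.forwarding would need the same treatment.
    - name: enable and persist ip forwarding
      sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        state: present
        sysctl_set: true
        reload: true

    # Unlike the clients, the server tunnel is managed by systemd so it comes
    # back after a reboot.
    - name: start wireguard and enable on boot
      systemd:
        name: wg-quick@wg0
        enabled: true
        state: started

  handlers:
    # Reloads config without disrupting current peer sessions, but does not
    # re-run PostUp commands. Notify this handler on server config changes.
    # Handlers run after all tasks of the play, so wg0 has already been started
    # by the systemd task above by the time this executes on a fresh host.
    # The process substitution requires bash, hence the explicit executable.
    - name: reload wireguard config
      shell: wg syncconf wg0 <(wg-quick strip wg0)
      args:
        executable: /bin/bash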
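# Bring the client tunnel up. `wg-quick up` refuses to run when wg0 already
# exists, so the interface is checked first; without that check this task
# fails on every run where the "restart wireguard" handler of the client play
# already brought wg0 up - including the very first run, where the freshly
# templated config always triggers that handler.
# NOTE(review): nothing enables the client tunnel at boot, in contrast to the
# server's systemd unit - confirm that is intended.
- name: start vpn on clients
  hosts: localhost
  connection: local
  become: true
  tasks:
    - name: check whether wg0 is already up
      command: wg show wg0
      register: wg0_status
      changed_when: false
      failed_when: false

    - name: start vpn
      command: wg-quick up wg0
      when: wg0_status.rc != 0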