feat(edge_vps): add WireGuard setup task and template
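--- /dev/null
+++ b/roles/edge_vps/tasks/20_wireguard.yaml
@@ -0,0 +1,19 @@
+---
+- name: Install WireGuard
+  ansible.builtin.apt:
+    name: wireguard
+    state: present
+    update_cache: true
+
+- name: Deploy WireGuard config
+  ansible.builtin.template:
+    src: wireguard/wg0.conf.j2
+    dest: "{{ edge_vps_wireguard_config_dir }}/{{ edge_vps_wireguard_interface }}.conf"
+    mode: "0600"
+  notify: restart wireguard
+
+- name: Enable WireGuard
+  ansible.builtin.systemd:
+    name: "wg-quick@{{ edge_vps_wireguard_interface }}"
+    enabled: true
+    state: started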
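Review bot: The `Deploy WireGuard config` task renders `vault_edge_vps.wireguard.private_key` and every peer's preshared key into the target file, so a run with `--diff` (or check mode with diff enabled) prints the full rendered config, keys included, into the job output and any log it is shipped to; add `diff: false` to that task. `mode: "0600"` is set but ownership is left to whatever the connecting user produces, so `owner: root` and `group: root` would pin the file to the account that wg-quick runs as. The `restart wireguard` handler is not part of this commit; if it does not already exist in the role, the `notify` is a hard error at play time rather than a no-op.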
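--- /dev/null
+++ b/roles/edge_vps/templates/wireguard/wg0.conf.j2
@@ -0,0 +1,25 @@
+[Interface]
+Address = {{ edge_vps_wireguard_address }}
+ListenPort = {{ edge_vps_wireguard_port }}
+PrivateKey = {{ vault_edge_vps.wireguard.private_key }}
+
+PostUp = sysctl -w net.ipv4.ip_forward=1
+PostUp = iptables -A FORWARD -i {{ edge_vps_wireguard_interface }} -j ACCEPT
+PostUp = iptables -A FORWARD -o {{ edge_vps_wireguard_interface }} -j ACCEPT
+{% for route in edge_vps_wireguard_routes | default([]) %}
+PostUp = ip route add {{ route }} via {{ route.gateway }} dev {{ edge_vps_wireguard_interface }}
+{% endfor %}
+PostDown = iptables -D FORWARD -i {{ edge_vps_wireguard_interface }} -j ACCEPT
+PostDown = iptables -D FORWARD -o {{ edge_vps_wireguard_interface }} -j ACCEPT
+{% for route in edge_vps_wireguard_routes | default([]) %}
+PostDown = ip route del {{ route }} via {{ route.gateway }} dev {{ edge_vps_wireguard_interface }}
+{% endfor %}
+
+{% for peer in vault_edge_vps.wireguard.peers %}
+[Peer]
+# {{ peer.name }}
+PublicKey = {{ peer.public_key }}
+PresharedKey = {{ peer.preshared_key }}
+AllowedIPs = {{ peer.allowed_ips }}
+
+{% endfor %}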
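Review bot: Both route loops use `route` inconsistently: `{{ route }}` renders the whole loop item while `{{ route.gateway }}` treats it as a mapping, so a list of strings fails on an undefined attribute and a list of dicts puts a Python dict repr where `ip route add` expects a destination. The destination should come from a named key, e.g. `PostUp = ip route add {{ route.<DESTINATION_KEY> }} via {{ route.gateway }} dev {{ edge_vps_wireguard_interface }}` (placeholder: use whatever key the role's route entries actually define), and the same correction applies to the `PostDown` loop. Separately, the `FORWARD -i`/`-o` rules accept all forwarded traffic through the tunnel in both directions with no source or destination restriction; if the intended reach is only the peers' networks, scope these rules to the `AllowedIPs` or the route list instead of the bare interface match. `PrivateKey` and each `PresharedKey` are rendered inline, which makes the 0600 mode on the deploying task load-bearing and means any copy of the rendered file (backups, diff output) carries the key material.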