path: root/playbooks/roles/wireguard-mesh/tasks/main.yml
blob: 34d46bc9e6821b65abab559efeeeba9f1bc00a07 (plain)
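---
# Role tasks for the WireGuard mesh: install packages, resolve peer
# addresses, generate per-host keys and per-pair preshared keys, render
# /etc/wireguard/mmtmesh.conf and (re)load it.
#
# Registered variables consumed elsewhere (template mmtmesh.conf.j2):
#   wireguard_node_ips        - dict: inventory hostname -> dig output
#   wireguard_private_key     - command result, key in .stdout
#   wireguard_public_key      - command result, key in .stdout
#   wireguard_preshared_keys  - dict: peer hostname -> psk (only for peers
#                               that sort after this host; the peer side
#                               is expected to read it via hostvars)
# Required variable: wireguard_listen_port.

- name: Install wireguard
  ansible.builtin.apt:
    name:
      - wireguard
      - ufw
    state: present

# Resolved on the controller, one lookup per mesh member. A record that
# does not resolve makes `dig +short` print nothing with rc 0, which would
# otherwise flow silently into the rendered config, so treat it as failure.
- name: Get node ips from dns records
  ansible.builtin.command: "dig +short {{ item }}"
  register: wireguard_node_ip
  delegate_to: localhost
  changed_when: false
  failed_when: wireguard_node_ip.rc != 0 or wireguard_node_ip.stdout | length == 0
  loop: "{{ groups['wireguard-mesh'] }}"

# NOTE(review): .stdout is kept verbatim; if a name resolves via a CNAME,
# dig prints several lines here — confirm the template tolerates that.
- name: Massage node ips
  ansible.builtin.set_fact:
    wireguard_node_ips: "{{ wireguard_node_ips | default({}) | combine({item.item: item.stdout}) }}"
  loop: "{{ wireguard_node_ip.results }}"

- name: Allow wireguard endpoint ufw
  ansible.builtin.ufw:
    rule: allow
    port: "{{ wireguard_listen_port }}"
    proto: udp

# umask 077 so the private key is never created world-readable; pipefail
# so a failing `wg genkey` cannot leave an empty key file behind that the
# `creates` guard would then treat as done.
- name: Generate Wireguard keypair
  ansible.builtin.shell: >-
    set -o pipefail &&
    umask 077 &&
    wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
  args:
    creates: /etc/wireguard/privatekey
    executable: /bin/bash

# no_log keeps the key material out of task output, callbacks and logs;
# the registered value itself is unaffected.
- name: Register private key
  ansible.builtin.command: cat /etc/wireguard/privatekey
  register: wireguard_private_key
  changed_when: false
  no_log: true

- name: Register public key
  ansible.builtin.command: cat /etc/wireguard/publickey
  register: wireguard_public_key
  changed_when: false

# One psk per unordered host pair, generated on the lexically smaller host.
- name: Generate preshared keys
  ansible.builtin.shell: "umask 077 && wg genpsk > /etc/wireguard/psk-{{ item | quote }}"
  args:
    creates: "/etc/wireguard/psk-{{ item }}"
  when: inventory_hostname < item
  loop: "{{ groups['wireguard-mesh'] }}"

- name: Register preshared key
  ansible.builtin.command: "cat /etc/wireguard/psk-{{ item }}"
  register: wireguard_preshared_key
  changed_when: false
  no_log: true
  when: inventory_hostname < item
  loop: "{{ groups['wireguard-mesh'] }}"

# Skipped iterations (peers that sort before this host) carry no stdout.
- name: Massage preshared keys
  ansible.builtin.set_fact:
    wireguard_preshared_keys: "{{ wireguard_preshared_keys | default({}) | combine({item.item: item.stdout}) }}"
  when: item.skipped is not defined
  loop: "{{ wireguard_preshared_key.results }}"
  no_log: true

# Mode is quoted: an unquoted 0640 is parsed as an integer by YAML.
# The rendered file contains the private key, hence no world access.
- name: Build config
  ansible.builtin.template:
    src: mmtmesh.conf.j2
    dest: /etc/wireguard/mmtmesh.conf
    owner: root
    group: root
    mode: "0640"
  register: wireguard_config

# Started as well as enabled, otherwise `wg syncconf` below has no
# interface to act on until the next reboot.
- name: Enable wireguard
  ansible.builtin.systemd:
    name: wg-quick@mmtmesh
    enabled: true
    state: started

# Reload peers without tearing the interface down; only needed when the
# rendered config actually changed in this run.
- name: Hotreload wireguard
  ansible.builtin.shell: "wg syncconf mmtmesh <(wg-quick strip mmtmesh)"
  args:
    executable: /bin/bash
  when: wireguard_config is changed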