From 30cb9e52e7a66a04a723dfd6a74d7c05a4cd569b Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Mon, 21 Dec 2020 18:24:35 +0000
Subject: [PATCH] Install and provision wireguard client on ingress server

---
 ansible/group_vars/all/wireguard.yml | 18 +++++++++
 ansible/main.yml | 4 ++
 ansible/roles/ingress/files/wireguard.conf | 10 +++++
 ansible/roles/ingress/handlers/main.yml | 5 +++
 ansible/roles/ingress/tasks/main.yml | 2 +
 ansible/roles/ingress/tasks/wireguard.yml | 44 ++++++++++++++++++++++
 6 files changed, 83 insertions(+)
 create mode 100644 ansible/roles/ingress/files/wireguard.conf
 create mode 100644 ansible/roles/ingress/handlers/main.yml
 create mode 100644 ansible/roles/ingress/tasks/main.yml
 create mode 100644 ansible/roles/ingress/tasks/wireguard.yml

diff --git a/ansible/group_vars/all/wireguard.yml b/ansible/group_vars/all/wireguard.yml
index 1bb0be8..4fa9536 100644
--- a/ansible/group_vars/all/wireguard.yml
+++ b/ansible/group_vars/all/wireguard.yml
@@ -165,3 +165,21 @@ wireguard:
 6637366330636561650a333162343039326466666536336536386332626563323739383964393237
 32663861666162646232333333636366636461616265393738336631376234336461326134363430
 3863323435343963353161653936323837633837613733646263
+ ingress:
+ ip: 10.23.0.5
+ public_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 35303230376161383436623662376136623039646533323737613533346662333633303335363337
+ 3662396435616535386334623563396330306432653263380a306563303664636565333537313338
+ 34356331336664336362616235353136346237303263326331383137306536643438313639653938
+ 3961366563356562660a303131396334626135663038633536326132623332313436363037343632
+ 64613566623238393337613161333438316536633631626536393263656466316363356131623732
+ 3134333035613634313934333461626531333437313835386431
+ private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 39353738366635326164316161636531366133613439343166383030623164366361613830303232
+ 3738303931386336313534303332396363366233623164660a386664353333393137623065396634
+ 36333261376136313939616563326235376331636164353538626363393361313739383239613466
+ 3635663664366261320a653334626366376539386232373034643235356433643934383132343439
+ 33633865353337356636343562383163323039663061653763633166346566396665366434666335
+ 3832346662303438633233393165343030616331353936633262
diff --git a/ansible/main.yml b/ansible/main.yml
index 12b931e..5bb47f3 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -58,3 +58,7 @@
 - duplicati
 - gitlab_pages
 - deluge
+
+- hosts: ingress
+ roles:
+ - ingress
diff --git a/ansible/roles/ingress/files/wireguard.conf b/ansible/roles/ingress/files/wireguard.conf
new file mode 100644
index 0000000..0d76cc2
--- /dev/null
+++ b/ansible/roles/ingress/files/wireguard.conf
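Review bot: The new `ingress` entry puts the client's vaulted `private_key` in `group_vars/all`, so it is decrypted and exposed as a variable to every host in every play, not only to the ingress host that templates it. If the surrounding `wireguard.clients` structure allows it, keep `ip` and `public_key` here (other hosts may legitimately need them) and move `private_key` to `group_vars/ingress/` or a host_vars file, which limits the secret to the play that uses it. The rest of the `wireguard:` mapping is outside the hunk, so whether existing clients follow the same layout is not visible here.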
@@ -0,0 +1,10 @@
+[Interface]
+Address = {{ ingress_wireguard.ip }}
+PrivateKey = {{ ingress_wireguard.private_key }}
+
+[Peer]
+PublicKey = {{ wireguard.server.public_key }}
+Endpoint = {{ wireguard.public_ip }}:{{ wireguard.port }}
+AllowedIPs = {{ wireguard.cidr }}
+
+PersistentKeepalive = 25
diff --git a/ansible/roles/ingress/handlers/main.yml b/ansible/roles/ingress/handlers/main.yml
new file mode 100644
index 0000000..01093e5
--- /dev/null
+++ b/ansible/roles/ingress/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart wireguard
+ service:
+ name: wg-quick.wg0
+ state: restarted
+ become: true
diff --git a/ansible/roles/ingress/tasks/main.yml b/ansible/roles/ingress/tasks/main.yml
new file mode 100644
index 0000000..72607dd
--- /dev/null
+++ b/ansible/roles/ingress/tasks/main.yml
@@ -0,0 +1,2 @@
+- name: Configure wireguard
+ include: wireguard.yml
diff --git a/ansible/roles/ingress/tasks/wireguard.yml b/ansible/roles/ingress/tasks/wireguard.yml
new file mode 100644
index 0000000..97f898e
--- /dev/null
+++ b/ansible/roles/ingress/tasks/wireguard.yml
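Review bot: This file is rendered by the role's `template` task (it carries Jinja expressions such as `{{ ingress_wireguard.private_key }}`), yet it lives under `files/`, the directory Ansible convention reserves for static content that `copy` ships unchanged. Move it to `templates/wireguard.conf.j2` and reference it as `src: wireguard.conf.j2`, so readers see at a glance that it is rendered and the role layout matches what `template` looks up by default. `PersistentKeepalive = 25` still belongs to the `[Peer]` section despite the blank line before it; removing that blank line makes the section membership explicit.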
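Review bot: `include: wireguard.yml` uses the generic `include` action, which is deprecated for task files and has been removed in recent ansible-core releases, so this role will stop parsing on upgrade. Replace it with `import_tasks: wireguard.yml` (static, so the `notify: restart wireguard` reference and any tags resolve at parse time) or `include_tasks: wireguard.yml` if dynamic inclusion is actually wanted.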
@@ -0,0 +1,44 @@
+- name: Install Wireguard
+ package:
+ name:
+ - wireguard-virt
+ - wireguard-tools
+ become: true
+
+- name: Get wireguard credentials
+ set_fact:
+ ingress_wireguard: "{{ wireguard.clients.ingress }}"
+
+- name: Wireguard config
+ template:
+ src: files/wireguard.conf
+ dest: /etc/wireguard/wg0.conf
+ mode: "0600"
+ backup: true
+ become: true
+ notify: restart wireguard
+
+# Wireguard on Alpine doesn't ship a native OpenRC service
+- name: Download wireguard service
+ get_url:
+ url: https://gitweb.gentoo.org/repo/gentoo.git/plain/net-vpn/wireguard-tools/files/wg-quick.init
+ dest: /etc/init.d/wg-quick.wg0
+ mode: "0755"
+ backup: yes
+ become: true
+
+- name: Enable wireguard
+ service:
+ name: wg-quick.wg0
+ enabled: true
+ become: true
+
+- name: Enable p2p communication
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: "1"
+ sysctl_set: yes
+ state: present
+ reload: yes
+ sysctl_file: /etc/sysctl.d/99-sysctl.conf
+ become: true
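Review bot: The `Download wireguard service` task fetches an init script from an unpinned URL (`plain/...` resolves against the repository's current default branch) and installs it executable under `/etc/init.d` as root with no integrity check, so whatever that path serves at run time becomes a boot-time root script on the ingress host. Pin the URL to a specific commit (cgit accepts `?id=<COMMIT-ID>`; no commit id is given in this patch) and add `checksum: sha256:<EXPECTED-SHA256>` to the `get_url` task, so a changed upstream file fails the play instead of being deployed. The `Get wireguard credentials` and `Wireguard config` tasks both handle the vaulted private key; `no_log: true` on each keeps it out of verbose output and out of the template task's diff. Three booleans in this hunk are written `yes` (`backup`, `sysctl_set`, `reload`) while the rest of the file uses `true`; write them as `true` for consistency.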