kp_wireguard/vg/playbooks/server_init.yml

---
- hosts: all
  become: yes
  vars:
    peer_node_pubkeys: []
  tasks:
    - name: Install wireguard and ufw
      ansible.builtin.apt:
        name: 
          - wireguard
          - ufw
        state: present

    - name: Generate a wireguard server privatekey
      ansible.builtin.shell: "wg genkey > /etc/wireguard/private.key"

    - name: Read privatekey from the wireguard folder and generate public key
      ansible.builtin.shell: "cat /etc/wireguard/private.key | wg pubkey"
      register: root_node_public_key_stdout

    - name: Read privatekey from the wireguard folder
      ansible.builtin.shell: "cat /etc/wireguard/private.key"
      register: root_node_private_key_stdout

    - name: Create keys directory
      ansible.builtin.file:
        path: "/tmp/keys"
        state: directory

    - name: Set the file content to a variable
      ansible.builtin.set_fact:
        root_node_public_key: "{{ root_node_public_key_stdout.stdout }}"
        root_node_private_key: "{{ root_node_private_key_stdout.stdout }}"

    - name: Generate privatekeys for the peer nodes
      ansible.builtin.shell: "wg genkey > /tmp/keys/peer{{ item }}_private_key.txt"
      loop: "{{ range(1, n_peer_nodes + 1) | list }}"

    - name: Generate pubkeys for the peer nodes
      ansible.builtin.shell: "cat /tmp/keys/peer{{ item }}_private_key.txt |  wg pubkey > /tmp/keys/peer{{ item }}_public_key.txt"
      loop: "{{ range(1, n_peer_nodes + 1) | list }}"
 
    - name: Copy generated private keys to temporal keys location
      ansible.builtin.fetch:
        src: "/tmp/keys/peer{{ item }}_private_key.txt"
        dest: "./keys/peer{{ item }}_private_key.txt"
        flat: yes
      loop: "{{ range(1, n_peer_nodes + 1) | list }}"

    - name: Copy generated public keys to temporal keys location
      ansible.builtin.fetch:
        src: "/tmp/keys/peer{{ item }}_public_key.txt"
        dest: "./keys/peer{{ item }}_public_key.txt"
        flat: yes
      loop: "{{ range(1, n_peer_nodes + 1) | list }}"
         
    - name: Fill in the pubkeys array
      ansible.builtin.set_fact:
        peer_node_pubkeys: "{{ peer_node_pubkeys + [lookup('file', './keys/peer'+item|string+'_public_key.txt') | string] }}"
      loop: "{{ range(1, n_peer_nodes + 1) | list }}"
      become: false
      delegate_to: localhost

    - name: Get the default public interface
      ansible.builtin.shell: "ip route list | grep default | awk '{print $5}'"
      register: server_public_interface_stdout

    - name: Set the stdout of the public interface to a variable
      ansible.builtin.set_fact:
        server_public_interface: "{{ server_public_interface_stdout.stdout }}"

    - name: Temporal remap of the interface to eth1
      ansible.builtin.set_fact:
        server_public_interface: "eth1"

    - name: show the eth1 interface address
      ansible.builtin.debug:
        msg: "{{  ansible_eth1.ipv4.address }}"

    - name: Protect the privatekey by allowing only the root user to read
      ansible.builtin.file:
        path: "/etc/wireguard/private.key"
        owner: root
        group: root
        mode: '077'

    - name: Generate a wireguard server pubkey
      ansible.builtin.shell: "cat /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key"

    - name: Protect the privatekey by allowing only the root user to read
      ansible.builtin.file:
        path: "/etc/wireguard/public.key"
        owner: root
        group: root

    - name: Install the server wireguard template to the server
      ansible.builtin.template:
        src: "./templates/server_wg0.conf"
        dest: "/etc/wireguard/wg0.conf"

    - name: Ensure that the permissions to the config are not too open
      ansible.builtin.file:
        path: "/etc/wireguard/wg0.conf"
        owner: root
        group: root
        mode: '077'

    - name: Allow everything and enable UFW
      community.general.ufw:
        state: enabled
        policy: allow

    - name: Set logging for the ufw
      community.general.ufw:
        logging: 'on'

    - name: Allow all access to port 22
      community.general.ufw:
        rule: allow
        port: '22'

    - name: Allow all access to wireguard port (udp)
      community.general.ufw:
        rule: allow
        port: '51820'
        proto: udp

    - name: Start the wireguard service
      ansible.builtin.service:
        name: wg-quick@wg0.service
        enabled: yes
        state: started

    - name: Store the public to temportal directory so that the clients will be able to read it
      ansible.builtin.copy:
        content: "{{ root_node_public_key }}"
        dest: "./keys/root_node_public_key.txt"
      become: false
      delegate_to: localhost

    - name: Store the public ip of the node to temportal directory so that the clients will be able to read it
      ansible.builtin.copy:
        content: "{{ ansible_eth1.ipv4.address }}"
        dest: "./keys/root_node_public_ip.txt"
      become: false
      delegate_to: localhost

    - name: Add each peer to root node configuration
      ansible.builtin.shell: "wg set wg0 peer {{ peer_node_pubkeys[item] }} allowed-ips 10.6.0.{{ item+2 }}"
      loop: "{{ range(0, n_peer_nodes) | list }}"
Simple server installation done 2023-03-09 10:54:19 +01:00			`---`
			`- hosts: all`
			`become: yes`
basic done 2023-03-09 18:24:52 +01:00			`vars:`
			`peer_node_pubkeys: []`
Simple server installation done 2023-03-09 10:54:19 +01:00			`tasks:`
			`- name: Install wireguard and ufw`
			`ansible.builtin.apt:`
			`name:`
			`- wireguard`
			`- ufw`
			`state: present`

			`- name: Generate a wireguard server privatekey`
			`ansible.builtin.shell: "wg genkey > /etc/wireguard/private.key"`

basic done 2023-03-09 18:24:52 +01:00			`- name: Read privatekey from the wireguard folder and generate public key`
			`ansible.builtin.shell: "cat /etc/wireguard/private.key \| wg pubkey"`
			`register: root_node_public_key_stdout`

Simple server installation done 2023-03-09 10:54:19 +01:00			`- name: Read privatekey from the wireguard folder`
			`ansible.builtin.shell: "cat /etc/wireguard/private.key"`
basic done 2023-03-09 18:24:52 +01:00			`register: root_node_private_key_stdout`

			`- name: Create keys directory`
			`ansible.builtin.file:`
			`path: "/tmp/keys"`
			`state: directory`
Simple server installation done 2023-03-09 10:54:19 +01:00
			`- name: Set the file content to a variable`
			`ansible.builtin.set_fact:`
basic done 2023-03-09 18:24:52 +01:00			`root_node_public_key: "{{ root_node_public_key_stdout.stdout }}"`
			`root_node_private_key: "{{ root_node_private_key_stdout.stdout }}"`

			`- name: Generate privatekeys for the peer nodes`
			`ansible.builtin.shell: "wg genkey > /tmp/keys/peer{{ item }}_private_key.txt"`
			`loop: "{{ range(1, n_peer_nodes + 1) \| list }}"`

			`- name: Generate pubkeys for the peer nodes`
			`ansible.builtin.shell: "cat /tmp/keys/peer{{ item }}_private_key.txt \| wg pubkey > /tmp/keys/peer{{ item }}_public_key.txt"`
			`loop: "{{ range(1, n_peer_nodes + 1) \| list }}"`
works 2023-03-09 22:21:26 +01:00
basic done 2023-03-09 18:24:52 +01:00			`- name: Copy generated private keys to temporal keys location`
			`ansible.builtin.fetch:`
			`src: "/tmp/keys/peer{{ item }}_private_key.txt"`
			`dest: "./keys/peer{{ item }}_private_key.txt"`
			`flat: yes`
			`loop: "{{ range(1, n_peer_nodes + 1) \| list }}"`
Simple server installation done 2023-03-09 10:54:19 +01:00
basic done 2023-03-09 18:24:52 +01:00			`- name: Copy generated public keys to temporal keys location`
			`ansible.builtin.fetch:`
			`src: "/tmp/keys/peer{{ item }}_public_key.txt"`
			`dest: "./keys/peer{{ item }}_public_key.txt"`
			`flat: yes`
			`loop: "{{ range(1, n_peer_nodes + 1) \| list }}"`

works 2023-03-09 22:21:26 +01:00			`- name: Fill in the pubkeys array`
			`ansible.builtin.set_fact:`
			`peer_node_pubkeys: "{{ peer_node_pubkeys + [lookup('file', './keys/peer'+item\|string+'_public_key.txt') \| string] }}"`
			`loop: "{{ range(1, n_peer_nodes + 1) \| list }}"`
			`become: false`
			`delegate_to: localhost`

Simple server installation done 2023-03-09 10:54:19 +01:00			`- name: Get the default public interface`
			`ansible.builtin.shell: "ip route list \| grep default \| awk '{print $5}'"`
			`register: server_public_interface_stdout`

			`- name: Set the stdout of the public interface to a variable`
			`ansible.builtin.set_fact:`
			`server_public_interface: "{{ server_public_interface_stdout.stdout }}"`

basic done 2023-03-09 18:24:52 +01:00			`- name: Temporal remap of the interface to eth1`
			`ansible.builtin.set_fact:`
			`server_public_interface: "eth1"`

			`- name: show the eth1 interface address`
			`ansible.builtin.debug:`
			`msg: "{{ ansible_eth1.ipv4.address }}"`

Simple server installation done 2023-03-09 10:54:19 +01:00			`- name: Protect the privatekey by allowing only the root user to read`
			`ansible.builtin.file:`
			`path: "/etc/wireguard/private.key"`
			`owner: root`
			`group: root`
			`mode: '077'`

			`- name: Generate a wireguard server pubkey`
			`ansible.builtin.shell: "cat /etc/wireguard/private.key \| wg pubkey > /etc/wireguard/public.key"`

			`- name: Protect the privatekey by allowing only the root user to read`
			`ansible.builtin.file:`
			`path: "/etc/wireguard/public.key"`
			`owner: root`
			`group: root`

			`- name: Install the server wireguard template to the server`
			`ansible.builtin.template:`
basic done 2023-03-09 18:24:52 +01:00			`src: "./templates/server_wg0.conf"`
Simple server installation done 2023-03-09 10:54:19 +01:00			`dest: "/etc/wireguard/wg0.conf"`

			`- name: Ensure that the permissions to the config are not too open`
			`ansible.builtin.file:`
			`path: "/etc/wireguard/wg0.conf"`
			`owner: root`
			`group: root`
			`mode: '077'`

			`- name: Allow everything and enable UFW`
			`community.general.ufw:`
			`state: enabled`
			`policy: allow`

			`- name: Set logging for the ufw`
			`community.general.ufw:`
			`logging: 'on'`

			`- name: Allow all access to port 22`
			`community.general.ufw:`
			`rule: allow`
			`port: '22'`

			`- name: Allow all access to wireguard port (udp)`
			`community.general.ufw:`
			`rule: allow`
			`port: '51820'`
			`proto: udp`

			`- name: Start the wireguard service`
			`ansible.builtin.service:`
			`name: wg-quick@wg0.service`
			`enabled: yes`
			`state: started`
basic done 2023-03-09 18:24:52 +01:00
			`- name: Store the public to temportal directory so that the clients will be able to read it`
			`ansible.builtin.copy:`
			`content: "{{ root_node_public_key }}"`
			`dest: "./keys/root_node_public_key.txt"`
			`become: false`
			`delegate_to: localhost`

			`- name: Store the public ip of the node to temportal directory so that the clients will be able to read it`
			`ansible.builtin.copy:`
			`content: "{{ ansible_eth1.ipv4.address }}"`
			`dest: "./keys/root_node_public_ip.txt"`
			`become: false`
			`delegate_to: localhost`
works 2023-03-09 22:21:26 +01:00
			`- name: Add each peer to root node configuration`
			`ansible.builtin.shell: "wg set wg0 peer {{ peer_node_pubkeys[item] }} allowed-ips 10.6.0.{{ item+2 }}"`
			`loop: "{{ range(0, n_peer_nodes) \| list }}"`