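---
# Provisions a WireGuard "root" node: installs wireguard and ufw, generates the
# server key pair plus one key pair per peer, fetches the peer keys and the
# server's public key/IP into ./keys/ on the controller, renders wg0.conf from
# ./templates/server_wg0.conf, opens the firewall and starts wg-quick@wg0.
#
# `n_peer_nodes` (how many peer key pairs to generate) is not defined in this
# play; it must come from the inventory or from `-e` on the command line.
- hosts: all
  become: true
  vars:
    # NOTE(review): neither list is referenced by a task in this play —
    # presumably consumed by ./templates/server_wg0.conf; confirm before removing.
    peer_node_privkeys: []
    peer_node_pubkeys: []
  tasks:
    - name: Install wireguard and ufw
      ansible.builtin.apt:
        name:
          - wireguard
          - ufw
        state: present

    # `creates` makes the task idempotent: re-running the play must not rotate
    # the server key, which would invalidate every peer config already issued.
    # `umask 077` ensures the key file is never created world-readable, closing
    # the window between generation and the explicit chmod task further down.
    - name: Generate a wireguard server privatekey
      ansible.builtin.shell: "umask 077 && wg genkey > /etc/wireguard/private.key"
      args:
        creates: /etc/wireguard/private.key

    - name: Read privatekey from the wireguard folder and generate public key
      ansible.builtin.shell: "cat /etc/wireguard/private.key | wg pubkey"
      register: root_node_public_key_stdout
      changed_when: false

    # no_log keeps the private key out of the Ansible log and of -v output.
    - name: Read privatekey from the wireguard folder
      ansible.builtin.shell: "cat /etc/wireguard/private.key"
      register: root_node_private_key_stdout
      changed_when: false
      no_log: true

    # 0700: peer private keys are written here before being fetched, and /tmp
    # is shared with every local user on the host.
    - name: Create keys directory
      ansible.builtin.file:
        path: "/tmp/keys"
        state: directory
        mode: '0700'

    # no_log: the registered stdout holds the server private key.
    - name: Set the file content to a variable
      ansible.builtin.set_fact:
        root_node_public_key: "{{ root_node_public_key_stdout.stdout }}"
        root_node_private_key: "{{ root_node_private_key_stdout.stdout }}"
      no_log: true

    # `| int` tolerates n_peer_nodes arriving as a string (e.g. from -e on the
    # CLI); without it the `+ 1` fails with a Jinja type error. `creates` and
    # `umask 077` follow the same reasoning as for the server key above.
    - name: Generate privatekeys for the peer nodes
      ansible.builtin.shell: "umask 077 && wg genkey > /tmp/keys/peer{{ item }}_private_key.txt"
      args:
        creates: "/tmp/keys/peer{{ item }}_private_key.txt"
      loop: "{{ range(1, (n_peer_nodes | int) + 1) | list }}"

    - name: Generate pubkeys for the peer nodes
      ansible.builtin.shell: "cat /tmp/keys/peer{{ item }}_private_key.txt | wg pubkey > /tmp/keys/peer{{ item }}_public_key.txt"
      loop: "{{ range(1, (n_peer_nodes | int) + 1) | list }}"

    - name: Copy generated private keys to temporal keys location
      ansible.builtin.fetch:
        src: "/tmp/keys/peer{{ item }}_private_key.txt"
        dest: "./keys/peer{{ item }}_private_key.txt"
        flat: true
      loop: "{{ range(1, (n_peer_nodes | int) + 1) | list }}"

    - name: Copy generated public keys to temporal keys location
      ansible.builtin.fetch:
        src: "/tmp/keys/peer{{ item }}_public_key.txt"
        dest: "./keys/peer{{ item }}_public_key.txt"
        flat: true
      loop: "{{ range(1, (n_peer_nodes | int) + 1) | list }}"

    - name: Get the default public interface
      ansible.builtin.shell: "ip route list | grep default | awk '{print $5}'"
      register: server_public_interface_stdout
      changed_when: false

    - name: Set the stdout of the public interface to a variable
      ansible.builtin.set_fact:
        server_public_interface: "{{ server_public_interface_stdout.stdout }}"

    # Overrides the value detected above; while this remap is in place the two
    # preceding tasks have no effect on server_public_interface.
    - name: Temporal remap of the interface to eth1
      ansible.builtin.set_fact:
        server_public_interface: "eth1"

    - name: show the eth1 interface address
      ansible.builtin.debug:
        msg: "{{ ansible_eth1.ipv4.address }}"

    # '0600', not '077': the file module reads the mode as octal, so '077'
    # gave the owner no permissions and group/other full access — the opposite
    # of the task's intent (wg-quick also warns that such a file is world
    # accessible).
    - name: Protect the privatekey by allowing only the root user to read
      ansible.builtin.file:
        path: "/etc/wireguard/private.key"
        owner: root
        group: root
        mode: '0600'

    - name: Generate a wireguard server pubkey
      ansible.builtin.shell: "cat /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key"

    # The public key is not secret; the mode is pinned so the file does not
    # simply inherit whatever umask the shell above ran with.
    - name: Set ownership and permissions of the server pubkey
      ansible.builtin.file:
        path: "/etc/wireguard/public.key"
        owner: root
        group: root
        mode: '0644'

    # A wg-quick config carries the interface's private key, so it is written
    # with restrictive permissions from the start rather than fixed afterwards.
    - name: Install the server wireguard template to the server
      ansible.builtin.template:
        src: "./templates/server_wg0.conf"
        dest: "/etc/wireguard/wg0.conf"
        owner: root
        group: root
        mode: '0600'

    # Same '077' -> '0600' correction as for the private key.
    - name: Ensure that the permissions to the config are not too open
      ansible.builtin.file:
        path: "/etc/wireguard/wg0.conf"
        owner: root
        group: root
        mode: '0600'

    # With a default policy of `allow` the two allow rules below add nothing;
    # once 22/tcp and 51820/udp are confirmed sufficient the default policy
    # should become `deny`. Left unchanged here because it alters reachability.
    - name: Allow everything and enable UFW
      community.general.ufw:
        state: enabled
        policy: allow

    - name: Set logging for the ufw
      community.general.ufw:
        logging: 'on'

    - name: Allow all access to port 22
      community.general.ufw:
        rule: allow
        port: '22'

    - name: Allow all access to wireguard port (udp)
      community.general.ufw:
        rule: allow
        port: '51820'
        proto: udp

    - name: Start the wireguard service
      ansible.builtin.service:
        name: wg-quick@wg0.service
        enabled: true
        state: started

    # Both copy tasks run on the controller (delegate_to: localhost) without
    # privilege escalation so ./keys/ stays owned by the invoking user.
    - name: Store the public to temportal directory so that the clients will be able to read it
      ansible.builtin.copy:
        content: "{{ root_node_public_key }}"
        dest: "./keys/root_node_public_key.txt"
      become: false
      delegate_to: localhost

    - name: Store the public ip of the node to temportal directory so that the clients will be able to read it
      ansible.builtin.copy:
        content: "{{ ansible_eth1.ipv4.address }}"
        dest: "./keys/root_node_public_ip.txt"
      become: false
      delegate_to: localhost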