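---
# Host baseline for every inventory host: refresh apt, install a default-reject
# UFW policy (guarded by ufw_enabled), bring up a WireGuard mesh between all
# hosts and hand the interface to systemd-networkd.
#
# Variables this play reads but does not define (inventory / group vars):
#   ufw_enabled      - the UFW tasks only run when this is true
#   ansible_ssh_port - TCP port kept open in UFW before the reject policy is set
#   wireguard_ip     - per-host tunnel address, read through hostvars[item]
# The templates under ./templates/ are expected to consume the facts registered
# below (wireguard_private_key, wireguard_public_key, wireguard_preshared_keys);
# their contents are not visible here.
- hosts: all
  any_errors_fatal: true
  gather_facts: true

  tasks:
    - name: update packages
      apt:
        update_cache: true
        cache_valid_time: 3600
      become: true

    # Task order matters: the SSH and inter-node allow rules are installed
    # before "Reject everything and enable UFW" so enabling the firewall
    # cannot lock the controller out.
    - name: Allow SSH in UFW
      ufw:
        rule: allow
        port: "{{ ansible_ssh_port }}"
        proto: tcp
      become: true
      when: ufw_enabled

    - name: Set ufw logging
      ufw:
        logging: "on"
      become: true
      when: ufw_enabled

    # Allows traffic arriving from each peer's tunnel address. NOTE(review):
    # no rule opens the WireGuard UDP listen port on the public interface; if
    # ./templates/systemd.netdev sets a ListenPort, an allow rule for it is
    # needed once the default policy below is reject - confirm against the
    # template.
    - name: inter-node Wireguard UFW connectivity
      ufw:
        rule: allow
        src: "{{ hostvars[item].wireguard_ip }}"
      with_items: "{{ groups['all'] }}"
      become: true
      when: ufw_enabled and item != inventory_hostname

    - name: Reject everything and enable UFW
      ufw:
        state: enabled
        policy: reject
        log: true
      become: true
      when: ufw_enabled

    - name: Install wireguard
      apt:
        name: wireguard
        state: present
      become: true

    # umask 077 makes tee create the key files with mode 0600; with the
    # process default umask the private key would be created world-readable.
    - name: Generate Wireguard keypair
      shell: umask 077 && wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
      args:
        creates: /etc/wireguard/privatekey
      become: true

    # The registered stdout is the raw private key; no_log keeps it out of
    # play output and callback logs.
    - name: register private key
      shell: cat /etc/wireguard/privatekey
      register: wireguard_private_key
      changed_when: false
      no_log: true
      become: true

    - name: register public key
      shell: cat /etc/wireguard/publickey
      register: wireguard_public_key
      changed_when: false
      become: true

    # One PSK per host pair; only the lexicographically smaller hostname of
    # each pair generates it (inventory_hostname < item). umask 077 again
    # keeps the PSK file from being created world-readable.
    - name: generate Preshared keyskeypair
      shell: "umask 077 && wg genpsk > /etc/wireguard/psk-{{ item }}"
      args:
        creates: "/etc/wireguard/psk-{{ item }}"
      when: inventory_hostname < item
      with_items: "{{ groups['all'] }}"
      become: true

    - name: register preshared key
      shell: "cat /etc/wireguard/psk-{{ item }}"
      register: wireguard_preshared_key
      changed_when: false
      no_log: true
      when: inventory_hostname < item
      with_items: "{{ groups['all'] }}"
      become: true

    # Folds the per-peer loop results into one dict {peer_hostname: psk}.
    # Block form instead of the free-form "key={{ expr }}" string so the
    # combined dict is set as a mapping, not re-parsed from its string form.
    # Entries skipped by the when: above carry item.skipped and are ignored.
    - name: massage preshared keys
      set_fact:
        wireguard_preshared_keys: "{{ wireguard_preshared_keys | default({}) | combine({item.item: item.stdout}) }}"
      when: item.skipped is not defined
      with_items: "{{ wireguard_preshared_key.results }}"
      no_log: true
      become: true

    # Mode is quoted so a YAML 1.1 loader does not read 0640 as an integer.
    # The .netdev file carries the private key, hence root:systemd-network 0640.
    - name: Setup wg0 device
      template:
        src: ./templates/systemd.netdev
        dest: /etc/systemd/network/99-wg0.netdev
        owner: root
        group: systemd-network
        mode: "0640"
      become: true
      notify: systemd network restart

    - name: Setup wg0 network
      template:
        src: ./templates/systemd.network
        dest: /etc/systemd/network/99-wg0.network
        owner: root
        group: systemd-network
        mode: "0640"
      become: true
      notify: systemd network restart

  handlers:
    - name: systemd network restart
      service:
        name: systemd-networkd
        state: restarted
        enabled: true
      become: true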