diff --git a/ansible/inventories/group_vars/wireguard_server/sifi.yaml b/ansible/inventories/group_vars/wireguard_server/sifi.yaml index c88ec6e..9f6edae 100644 --- a/ansible/inventories/group_vars/wireguard_server/sifi.yaml +++ b/ansible/inventories/group_vars/wireguard_server/sifi.yaml @@ -1,14 +1,12 @@ -server_port: "51820" - -peers: -- publicKey: "NRGPm2GV+ocsXImNxJ5pT/FuQCPg8uQcvydB6OSQEBg=" - allowedIPs: "192.168.99.4/32" +--- +wg_interface: wg0 +wg_port: 51820 +#wg_server_public_interface: eth0 +wg_server_address: 192.168.99.1/32 +#wg_server_private_key: "{{ wg_server_private_key }}" - -# client -{% for peer in peers %} -[Peer] -PublicKey = {{ peers[peer].publicKey}} -AllowedIPs = {{ peers[peer].allowedIPs}} -{{% endfor %}} \ No newline at end of file +wg_peers: + - name: fabio_test + publicKey: "dzODOKndtafZSf2GqvClFdxrpwyNJnZ/AsZkNl+ovEE=" + allowedIP: "192.168.99.4/32" \ No newline at end of file diff --git a/ansible/playbooks/requirements.yml b/ansible/playbooks/requirements.yml index 6ad14f3..ac6911c 100644 --- a/ansible/playbooks/requirements.yml +++ b/ansible/playbooks/requirements.yml @@ -2,7 +2,7 @@ --- roles: # - name: bodsch.dns.bind - # version: + # version: # - name: nginx # src: git@github.com:myorg/ansible-role-nginx.git @@ -17,10 +17,8 @@ collections: # - name: community.postgresql # version: "3.2.0" - # - name: ansible.posix # version: "1.5.4" - # - name: myorg.infrastructure # source: https://hub.internal.com/api/galaxy/ - # version: "1.0.0" \ No newline at end of file + # version: "1.0.0" diff --git a/ansible/playbooks/roles/wireguard_server/handlers/main.yaml b/ansible/playbooks/roles/wireguard_server/handlers/main.yaml new file mode 100644 index 0000000..862ff4f --- /dev/null +++ b/ansible/playbooks/roles/wireguard_server/handlers/main.yaml @@ -0,0 +1,5 @@ +--- +- name: Restart WireGuard + ansible.builtin.systemd: + name: "wg-quick@{{ wg_interface }}" + state: restarted \ No newline at end of file 
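Review bot: The commented-out `#wg_server_private_key: "{{ wg_server_private_key }}"` in the new sifi.yaml is self-referential—uncommenting it would make Ansible raise a recursive-loop error—and it misleads about where the key comes from, since `tasks/configure_server.yaml` registers `wg_server_private_key` from `/etc/wireguard/privatekey` on the host. Replace it with a plain comment, e.g. `# server private key is read from /etc/wireguard/privatekey at run time, never set here`. The `wg_peers` entries are documented only by their key names; a short comment above the list saying that `allowedIP` is the single /32 assigned to that peer and `publicKey` is the peer's key (not the server's) would help whoever adds the next peer.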
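Review bot: `state: restarted` on `wg-quick@{{ wg_interface }}` in handlers/main.yaml tears the interface down and drops every established peer session each time the config template changes, which is more disruptive than needed when only the `[Peer]` list changed. wg-quick's own manual documents the in-place alternative, `wg syncconf {{ wg_interface }} <(wg-quick strip {{ wg_interface }})`, which applies peer changes without bouncing the tunnel; it needs `executable: /bin/bash` because of the process substitution. Keep a restart handler for `[Interface]` changes such as `Address` or `ListenPort`, or accept the restart but record the trade-off in a comment on the handler.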
diff --git a/ansible/playbooks/roles/wireguard_server/tasks/configure_server.yaml b/ansible/playbooks/roles/wireguard_server/tasks/configure_server.yaml
new file mode 100644
index 0000000..c3de507
--- /dev/null
+++ b/ansible/playbooks/roles/wireguard_server/tasks/configure_server.yaml
@@ -0,0 +1,31 @@
+# wireguard_server.yml - Configure WireGuard VPN server
+---
+- name: Get Private Key [privatekey => var_privatekey]
+ shell: cat privatekey
+ register: wg_server_private_key
+ args:
+ chdir: /etc/wireguard
+
+- name: Deploy WireGuard server configuration
+ ansible.builtin.template:
+ src: templates/wireguard_server.jinja
+ dest: "/etc/wireguard/{{ wg_interface }}.conf"
+ owner: root
+ group: root
+ mode: '0600'
+ notify: Restart WireGuard
+
+- name: Enable and start WireGuard
+ ansible.builtin.systemd:
+ name: "wg-quick@{{ wg_interface }}"
+ state: started
+ enabled: true
+
+- name: Open WireGuard port in firewall
+ community.general.ufw:
+ rule: allow
+ port: "{{ wg_port }}"
+ proto: udp
+ comment: "WireGuard VPN"
+ ignore_errors: true
+
diff --git a/ansible/playbooks/roles/wireguard_server/tasks/generate_keys.yaml b/ansible/playbooks/roles/wireguard_server/tasks/generate_keys.yaml
new file mode 100644
index 0000000..f6c14a0
--- /dev/null
+++ b/ansible/playbooks/roles/wireguard_server/tasks/generate_keys.yaml
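Review bot: `Get Private Key` registers the server's private key in `wg_server_private_key` without `no_log: true`, so the key is printed on the controller at `-v` and by any callback that shows task results, and `Deploy WireGuard server configuration` then renders it into the config, which `--diff` prints in full. Add `no_log: true` to the `cat privatekey` task and `diff: false` to the template task. The `cat` is also redundant: `generate_keys.yaml` already slurps the same file into `private_key_content`, so the template could use `private_key_content.content | b64decode | trim` and this task could go, which also removes the only non-FQCN `shell:` left in the role. Separately, `ignore_errors: true` on the ufw task turns a failed firewall change into a green run; gating the task on ufw being present, or a targeted `failed_when`, is safer than ignoring every error.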
@@ -0,0 +1,49 @@
+# generate_keys.yml - Generate WireGuard key pairs
+---
+- name: Create WireGuard directory
+ ansible.builtin.file:
+ path: /etc/wireguard
+ state: directory
+ mode: '0700'
+
+- name: Check if private key already exists
+ ansible.builtin.stat:
+ path: /etc/wireguard/privatekey
+ register: privkey_file
+
+- name: Generate private key
+ ansible.builtin.command: wg genkey
+ register: wg_private_key
+ when: not privkey_file.stat.exists
+ changed_when: true
+
+- name: Save private key
+ ansible.builtin.copy:
+ content: "{{ wg_private_key.stdout }}"
+ dest: /etc/wireguard/privatekey
+ owner: root
+ group: root
+ mode: '0600'
+ when: not privkey_file.stat.exists
+
+- name: Read private key
+ ansible.builtin.slurp:
+ src: /etc/wireguard/privatekey
+ register: private_key_content
+
+- name: Generate public key from private key
+ ansible.builtin.shell: echo "{{ private_key_content.content | b64decode | trim }}" | wg pubkey
+ register: wg_public_key
+ changed_when: false
+
+- name: Save public key
+ ansible.builtin.copy:
+ content: "{{ wg_public_key.stdout }}"
+ dest: /etc/wireguard/publickey
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Display public key for reference
+ ansible.builtin.debug:
+ msg: "Public key for {{ inventory_hostname }}: {{ wg_public_key.stdout }}"
\ No newline at end of file
diff --git a/ansible/playbooks/roles/wireguard_server/tasks/install_wireguard.yaml b/ansible/playbooks/roles/wireguard_server/tasks/install_wireguard.yaml
new file mode 100644
index 0000000..b297304
--- /dev/null
+++ b/ansible/playbooks/roles/wireguard_server/tasks/install_wireguard.yaml
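Review bot: `Generate public key from private key` interpolates the decoded private key into the shell command line, so the key is visible in the host's process list while `wg pubkey` runs and in Ansible's own task result (the command string is part of it), and there is no `no_log` on the task. Pass the key on stdin with `ansible.builtin.command` and mark the task `no_log: true`; `Generate private key`, `Save private key` and `Read private key` also register or carry the key (the slurp result holds it base64-encoded) and need `no_log: true` as well. The `debug` task that prints only the public key can stay as it is.
```yaml
# … unchanged: Create WireGuard directory … Read private key (each task that registers or copies the key gets `no_log: true`) …

- name: Generate public key from private key
  ansible.builtin.command: wg pubkey
  args:
    stdin: "{{ private_key_content.content | b64decode | trim }}"
  register: wg_public_key
  changed_when: false
  no_log: true

# … unchanged: Save public key, Display public key for reference …
```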
@@ -0,0 +1,25 @@
+# install_wireguard.yml - Install WireGuard on Linux hosts
+---
+- name: Install WireGuard on Debian/Ubuntu
+ ansible.builtin.apt:
+ name:
+ - wireguard
+ - wireguard-tools
+ state: present
+ update_cache: true
+ when: ansible_os_family == "Debian"
+
+- name: Install WireGuard on RHEL/CentOS 8+
+ ansible.builtin.yum:
+ name:
+ - wireguard-tools
+ state: present
+ when: ansible_os_family == "RedHat"
+
+- name: Enable IP forwarding
+ ansible.posix.sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: true
+ state: present
+ reload: true
diff --git a/ansible/playbooks/roles/wireguard_server/tasks/main.yaml b/ansible/playbooks/roles/wireguard_server/tasks/main.yaml
index b182880..0b2489d 100644
--- a/ansible/playbooks/roles/wireguard_server/tasks/main.yaml
+++ b/ansible/playbooks/roles/wireguard_server/tasks/main.yaml
@@ -1,44 +1,4 @@
 ---
-- name: Install Wireguard Server
- apt:
- pkg:
- - wireguard
- state: latest
- update_cache: true
-
-
-- name: Creating server privatekey and publickey
- shell: wg genkey | tee privatekey | wg pubkey > publickey
- args:
- chdir: /etc/wireguard/keys
-
-- name: Get Private Key [privatekey => ]var_privatekey
- shell: cat privatekey
- register: var_privatekey
- args:
- chdir: /etc/wireguard/keys
-
-
-- name: Add WireGuard interface
- command: ip link add dev wg0 type wireguard
- become: true
-
-
-- name: Updating configuration
- template:
- src: wireguard_server
- dest: /etc/wireguard/wg0.conf
-
-- name: Activating link
- command: ip link set up dev wg0
- become: true
-
-- name: Getting public key
- shell: cat publickey
- register: var_publickey
- args:
- chdir: /etc/wireguard/keys
-
-- name: Printing public key
- debug:
- msg: "Server public key is {{ var_publickey }}"
+- include_tasks: install_wireguard.yaml
+- include_tasks: generate_keys.yaml
+- include_tasks: configure_server.yaml
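Review bot: `Enable IP forwarding` uses `ansible.posix.sysctl`, and `configure_server.yaml` uses `community.general.ufw`, yet the part of `requirements.yml` visible in this commit still has `ansible.posix` commented out and shows no `community.general`, so a fresh checkout that installs from it will presumably fail on the first of those tasks. Uncomment `# - name: ansible.posix` (with its version) and add `community.general` there, or fall back to `ansible.builtin` equivalents. The RHEL branch installs only `wireguard-tools` via `ansible.builtin.yum`; that assumes a kernel that already ships the module, which is worth a comment if EL8 is a target, and `ansible.builtin.dnf` is the module that matches the EL8+ package manager. The forwarding sysctl is also set a second time by the template's `PreUp = sysctl -w net.ipv4.ip_forward=1`, so one of the two could go.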
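Review bot: The three `include_tasks` entries in tasks/main.yaml are unnamed and use the short module name while every task in the included files uses an FQCN; `- name: Install WireGuard` with `ansible.builtin.include_tasks: install_wireguard.yaml` per entry keeps the play output readable and the style consistent. More importantly, the removed tasks kept the key pair under `/etc/wireguard/keys/`, while the new `generate_keys.yaml` checks `/etc/wireguard/privatekey`; on a host that was provisioned with the old role the stat will report no key and a fresh pair will be generated, silently changing the server identity every peer trusts. A migration step (or at least a note in the commit message) that moves existing keys to the new path would avoid that.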
diff --git a/ansible/playbooks/roles/wireguard_server/tasks/main.yaml___back b/ansible/playbooks/roles/wireguard_server/tasks/main.yaml___back
new file mode 100644
index 0000000..a7d8955
--- /dev/null
+++ b/ansible/playbooks/roles/wireguard_server/tasks/main.yaml___back
@@ -0,0 +1,62 @@
+---
+- name: Install Wireguard Server
+ apt:
+ pkg:
+ - wireguard
+ state: latest
+ update_cache: true
+
+
+- name: Create directory for wg keys
+ ansible.builtin.file:
+ path: /etc/wireguard/keys
+ state: directory
+ mode: '0755'
+
+- name: Creating server privatekey and publickey
+ shell: wg genkey | tee privatekey | wg pubkey > publickey
+ args:
+ chdir: /etc/wireguard/keys
+
+- name: Get Private Key [privatekey => var_privatekey]
+ shell: cat privatekey
+ register: var_privatekey
+ args:
+ chdir: /etc/wireguard/keys
+
+
+#- name: Add WireGuard interface
+# command: ip link add dev wg0 type wireguard
+
+
+- name: Updating configuration
+ template:
+ src: wireguard_server.jinja
+ dest: /etc/wireguard/wg0.conf
+
+#- name: Activating link
+# command: ip link set up dev wg0
+
+
+- name: Starting wg service
+ systemd:
+ state: started
+ name: wg-quick@wg0
+ enabled: yes
+
+
+- name: Getting public key
+ shell: cat publickey
+ register: var_publickey
+ args:
+ chdir: /etc/wireguard/keys
+
+
+- name: Check server public IP
+ shell: curl https://ipinfo.io/ip
+ register: var_server_ip
+
+
+- name: Printing public key
+ debug:
+ msg: "Server {{ ansible_hostname }} reachable @{{var_server_ip}}. Public key is {{ var_publickey }}"
diff --git a/ansible/playbooks/roles/wireguard_server/templates/wireguard_client.jinja b/ansible/playbooks/roles/wireguard_server/templates/wireguard_client.jinja
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/playbooks/roles/wireguard_server/templates/wireguard_server.jinja b/ansible/playbooks/roles/wireguard_server/templates/wireguard_server.jinja
index 254264d..73c01d9 100644
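Review bot: `tasks/main.yaml___back` is a backup of the task file rewritten in this same commit and should not be committed: git already keeps the old version, Ansible ignores the file, and it leaves a stale second copy of the role in the tree that still regenerates the key pair on every run (`wg genkey | tee privatekey | wg pubkey > publickey` with no guard) and shells out to `curl https://ipinfo.io/ip`. Drop the file. `templates/wireguard_client.jinja` is added as an empty blob (`e69de29`); add it once it has content, or leave a comment in the role explaining the placeholder.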
--- a/ansible/playbooks/roles/wireguard_server/templates/wireguard_server.jinja
+++ b/ansible/playbooks/roles/wireguard_server/templates/wireguard_server.jinja
@@ -1,11 +1,27 @@
-# device
-[Interface]
-PrivateKey = {{ var_privatekey.stdout }}
-ListenPort = {{ server_port }}
+# templates/wireguard-server.conf.j2 - WireGuard server configuration
+# Managed by Ansible - do not edit manually
 
-# client
-{% for peer in peers %}
+[Interface]
+Address = {{ wg_server_address }}
+ListenPort = {{ wg_port }}
+PrivateKey = {{ wg_server_private_key.stdout }}
+
+# IP forwarding
+PreUp = sysctl -w net.ipv4.ip_forward=1
+# IP masquerading
+PreUp = iptables -t mangle -A PREROUTING -i {{wg_interface}} -j MARK --set-mark 0x30
+PreUp = iptables -t nat -A POSTROUTING ! -o {{wg_interface}} -m mark --mark 0x30 -j MASQUERADE
+PostDown = iptables -t mangle -D PREROUTING -i {{wg_interface}} -j MARK --set-mark 0x30
+PostDown = iptables -t nat -D POSTROUTING ! -o {{wg_interface}} -m mark --mark 0x30 -j MASQUERADE
+
+
+{% for peer in wg_peers %}
+# {{ peer.name }}
 [Peer]
-PublicKey = {{ peers[peer].publicKey}}
-AllowedIPs = {{ peers[peer].allowedIP}}
-{{% endfor %}}
\ No newline at end of file
+PublicKey = {{ peer.publicKey }}
+AllowedIPs = {{ peer.allowedIP }}
+{% if peer.persistent_keepalive is defined %}
+PersistentKeepalive = {{ peer.persistent_keepalive }}
+{% endif %}
+
+{% endfor %}
\ No newline at end of file
diff --git a/ansible/playbooks/vpn_server.yaml b/ansible/playbooks/vpn_server.yaml
index 03695df..3b1af8e 100644
--- a/ansible/playbooks/vpn_server.yaml
+++ b/ansible/playbooks/vpn_server.yaml
@@ -1,5 +1,6 @@
 ---
 - name: Configure VPN Server
 hosts: wireguard_server
+ become: true
 roles:
 - wireguard_server
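Review bot: The new header comment names the file `templates/wireguard-server.conf.j2`, but the file is `templates/wireguard_server.jinja` and `configure_server.yaml` references it by that name; fix the comment so it does not point a reader at a path that does not exist, e.g. `# templates/wireguard_server.jinja - WireGuard server configuration, rendered by tasks/configure_server.yaml`. The `PreUp` rules mark and masquerade traffic arriving on `{{wg_interface}}`, but nothing in the template permits forwarding in the filter table, so on a host whose `FORWARD` policy is DROP peers would get NAT but no routed traffic; either add a `PreUp = iptables -A FORWARD -i {{ wg_interface }} -j ACCEPT` with a matching `PostDown -D`, or state in the comment that forwarding is assumed open elsewhere. Style: `{{wg_interface}}` is written without the inner spaces that every other expression in the file uses.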