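---
# WireGuard client tasks: generate the host key pair, render the client
# configuration, open the listener in UFW, register this host's public
# address on the server, and manage the systemd units that ping the server.
# Indentation restored to two spaces; booleans written as true/false.

- name: Ensure keys are generated
  # umask 077 keeps the private key readable by its owner only. The pipeline
  # writes both files and prints nothing, so no key material reaches the
  # task output. `creates` makes the task skip (and key_generation.changed
  # false) once the public key file exists.
  shell: umask 077 && wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
  args:
    creates: /etc/wireguard/publickey
  register: key_generation
  notify:
    - Restart Wireguard service

- name: Register private key
  slurp:
    src: /etc/wireguard/privatekey
  register: private_key_slurp
  # The registered result carries the key (base64); keep it out of verbose
  # output and logs.
  no_log: true

- name: Set private key variable
  set_fact:
    private_key: "{{ private_key_slurp.content | b64decode }}"
  # no_log hides the task result only; the fact itself is still available
  # to later tasks (and to any fact cache in use).
  no_log: true

- name: Register public key
  slurp:
    src: /etc/wireguard/publickey
  register: public_key_slurp

- name: Set public key variable
  set_fact:
    public_key: "{{ public_key_slurp.content | b64decode }}"

- name: Ensure Wireguard client is configured
  template:
    src: templates/wireguard_client.conf
    dest: "/etc/wireguard/{{ interface_name }}.conf"
    # The rendered file embeds private_key. Without an explicit mode it
    # would receive the remote umask default, so pin it to owner-only.
    mode: "0600"
    # Backup copies are written next to dest and hold the same secret.
    backup: true
  notify:
    - Restart Wireguard service

- name: Ensure UFW firewall rule exists
  ufw:
    rule: allow
    port: "{{ vpnes_port }}"
    comment: 'Wireguard client listener'
    proto: udp

- name: Show public key reminder
  debug:
    # Stray second quote after the hostname removed from the message.
    msg: "Remember to add this host '{{ inventory_hostname }}' public key to the inventory '{{ public_key }}'"
  when: key_generation.changed

# Removes the old cron entry (state: absent) even though the task name says
# "exists"; the job is presumably superseded by the systemd timer below.
- name: Ensure cron to ping VPN server exists
  cron:
    name: Ping Hiljainen
    state: absent
    job: ping -c 3 192.168.2.4 &> /dev/null
    hour: '1'
    user: gestor

- name: Ensure service unit to ping server exists
  template:
    src: templates/ping_wg_server.service.j2
    dest: '/etc/systemd/system/ping_wg_server.service'
    backup: true

- name: Ensure timer unit to ping server exists
  template:
    src: templates/ping_wg_server.timer.j2
    dest: '/etc/systemd/system/ping_wg_server.timer'
    backup: true

# NOTE(review): the two tasks below set enabled: false although their names
# say "is enabled" — confirm this is intentional.
- name: Ensure ping systemd service unit is enabled
  systemd:
    name: ping_wg_server.service
    enabled: false
    daemon_reload: true
    masked: false

- name: Ensure ping systemd timer unit is enabled
  systemd:
    name: ping_wg_server.timer
    state: started
    enabled: false
    daemon_reload: true
    masked: false

- name: Get host public IP
  # Third-party lookup whose answer is fed straight into a firewall rule on
  # the server (next task); a missing or non-JSON body surfaces there as an
  # undefined pub_ip.json.ip rather than as a rule for a wrong address.
  uri:
    url: https://api.ipify.org?format=json
  register: pub_ip

- name: Allow traffic to server
  # Opens the server to all traffic from this host's public address — no
  # port or protocol restriction. NOTE(review): narrow to the server's
  # WireGuard UDP port once that value is available to this role.
  ufw:
    rule: allow
    from: "{{ pub_ip.json.ip }}"
  delegate_to: "{{ groups['wireguard_server'][0] }}"

- name: Ping Hiljainen for monitoring
  # Read-only reachability check: no shell features are used, so `command`
  # suffices, and changed_when: false stops it from reporting a change on
  # every run. A failed ping still fails the task.
  command: ping -c 3 -4 192.168.2.4
  register: ping_result
  changed_when: false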