diff --git a/README.md b/README.md
index 94a3058..5413ce9 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,27 @@ mail_users:
 password: Password123
 virtuals:
 - "alice@pikami.net"
+
+mx1_wg:
+ private_key:
+ address:
+ port: 21841
+ interface: wg0
+ peers:
+ - name: Gateway
+ public_key:
+ endpoint: :21841
+ allowed_ips: 10.2.0.1/32
+mx2_wg:
+ private_key:
+ address:
+ port: 21841
+ interface: wg0
+ peers:
+ - name: Gateway
+ public_key:
+ endpoint: :21841
+ allowed_ips: 10.2.0.1/32
 ```
 
 The hosts are taken from the `inventory.yml` file:
@@ -38,9 +59,9 @@ The hosts are taken from the `inventory.yml` file:
 all:
 hosts:
 mx1:
- ansible_host: 51.158.215.227
+ ansible_host:
 mx2:
- ansible_host: 89.58.5.252
+ ansible_host:
 ```
 
 ## Environment setup
@@ -77,3 +98,4 @@ Current ansible playbooks:
 - 02-ssl.yml - generates ssl certificates and adds a renew cron job
 - 03-mail.yml - installs and configures dovecot and opensmtpd
 - 04-secondary-mail.yml - installs and configures opensmtpd as a backup mail receiver
+- 05-vpn.yml - configures wireguard vpn
diff --git a/ansible/05-vpn.yml b/ansible/05-vpn.yml
new file mode 100644
index 0000000..721d4af
--- /dev/null
+++ b/ansible/05-vpn.yml
@@ -0,0 +1,36 @@
+- name: VPN Setup
+ hosts:
+ - mx1
+ - mx2
+ remote_user: root
+ vars_files:
+ - vars.yml
+ tasks:
+ - name: Install wireguard
+ community.general.openbsd_pkg:
+ name:
+ - wireguard-tools
+ state: present
+
+ - name: Ensures /etc/wireguard dir exists
+ file:
+ path: "/etc/wireguard"
+ state: directory
+
+ - name: Create wireguard config
+ template:
+ src: "templates/wireguard.conf.j2"
+ dest: "/etc/wireguard/{{ lookup('vars', inventory_hostname + '_wg').interface }}.conf"
+ owner: root
+ group: wheel
+ mode: "0600"
+
+ - name: Create wireguard interface
+ template:
+ src: "templates/wireguard.if.j2"
+ dest: "/etc/hostname.{{ lookup('vars', inventory_hostname + '_wg').interface }}"
+ register: iface_config
+
+ - name: Apply network configuration if changed
+ shell: sh /etc/netstart {{ lookup('vars', inventory_hostname + '_wg').interface }}
+ when: iface_config.changed
diff --git a/ansible/templates/wireguard.conf.j2 b/ansible/templates/wireguard.conf.j2
new file mode 100644
index 0000000..a51c0ca
--- /dev/null
+++ b/ansible/templates/wireguard.conf.j2
@@ -0,0 +1,13 @@
+{% set _wg = lookup('vars', inventory_hostname + '_wg') %}
+# {{ ansible_managed }}
+[Interface]
+PrivateKey = {{ _wg.private_key }}
+ListenPort = {{ _wg.port }}
+
+{% for peer in _wg.peers %}
+[Peer]
+# {{ peer.name }}
+PublicKey = {{ peer.public_key }}
+Endpoint = {{ peer.endpoint }}
+AllowedIPs = {{ peer.allowed_ips }}
+{% endfor %}
diff --git a/ansible/templates/wireguard.if.j2 b/ansible/templates/wireguard.if.j2
new file mode 100644
index 0000000..cb5900d
--- /dev/null
+++ b/ansible/templates/wireguard.if.j2
@@ -0,0 +1,6 @@
+{% set _wg = lookup('vars', inventory_hostname + '_wg') %}
+# {{ ansible_managed }}
+inet {{ _wg.address }} 255.255.255.0 NONE
+up
+
+!/usr/local/bin/wg setconf {{ _wg.interface }} /etc/wireguard/{{ _wg.interface }}.conf
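Review bot: The last task of 05-vpn.yml re-runs netstart only `when: iface_config.changed`, so a changed `/etc/wireguard/<if>.conf` (rotated private key, new peer, new port) is written by the "Create wireguard config" task but never applied, because that task registers nothing and `/etc/hostname.<if>` is normally unchanged on such runs. Add `register: wg_config` to the config task and widen the guard to `when: iface_config.changed or wg_config.changed`, or make the netstart call a handler that both template tasks `notify`. The `/etc/wireguard` directory is created with whatever mode `file:` defaults to; since it holds the private key, give the `state: directory` task `mode: "0700"`, and give the `hostname.<if>` template task an explicit `owner`/`group`/`mode` like the config task has. The interface name from vars is interpolated unquoted into the `shell:` line; since no shell features are used, `ansible.builtin.command` is the safer module, and the short module names (`file`, `template`, `shell`) could use their `ansible.builtin.` form to match the already fully qualified `community.general.openbsd_pkg`.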
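Review bot: `PrivateKey = {{ _wg.private_key }}` and `PublicKey = {{ peer.public_key }}` render an empty value whenever the variable is left at the README's blank placeholder (`private_key:` is null), and the resulting file is presumably rejected by `wg setconf` at boot, leaving the interface without its tunnel config while the playbook reports success. Add an `ansible.builtin.assert` task in 05-vpn.yml ahead of the template tasks that checks `private_key` and every peer's `public_key` are non-empty, or fail inside the template with a Jinja guard around those two lines so the problem surfaces at render time. The private key is read straight from `vars.yml`; a header comment in the template such as `# private_key is expected to come from a vault-encrypted variable, never a plaintext vars file` would document that expectation for the next person filling in the placeholders.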
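Review bot: `inet {{ _wg.address }} 255.255.255.0 NONE` hard-codes a /24 netmask while the address and the peer's `allowed_ips` (a /32 in the README example) are per-host variables, so a tunnel network of any other size silently gets the wrong mask. Make the mask data as well, `inet {{ _wg.address }} {{ _wg.netmask | default('255.255.255.0') }} NONE`, and list `netmask` in the README vars example next to `address`. The `!` line is executed by netstart with `_wg.interface` interpolated twice into a command, so the variable must be a bare interface name such as `wg0`; a comment like `# interface is used unquoted in the wg setconf command below` makes that constraint visible in the template.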