pk
/
mail-server
mirror of https://github.com/pikami/mail-server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Configure wireguard VPN

This commit is contained in:
Pijus Kamandulis 2024-05-29 22:06:22 +03:00
parent dd5869a62d
commit d779db5d34
4 changed files with 79 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
README.md
View File

@ -30,6 +30,27 @@ mail_users:
password: Password123 password: Password123
virtuals: virtuals:
- "alice@pikami.net" - "alice@pikami.net"
mx1_wg:
private_key: <wireguard private key>
address: <hosts address inside vpn>
port: 21841
interface: wg0
peers:
- name: Gateway
public_key: <vpn gateway public key>
endpoint: <gateway ip>:21841
allowed_ips: 10.2.0.1/32
mx2_wg:
private_key: <wireguard private key>
address: <hosts address inside vpn>
port: 21841
interface: wg0
peers:
- name: Gateway
public_key: <vpn gateway public key>
endpoint: <gateway ip>:21841
allowed_ips: 10.2.0.1/32
``` ```
The hosts are taken from the `inventory.yml` file: The hosts are taken from the `inventory.yml` file:
@ -38,9 +59,9 @@ The hosts are taken from the `inventory.yml` file:
all: all:
hosts: hosts:
mx1: mx1:
ansible_host: 51.158.215.227 ansible_host: <mail server ip>
mx2: mx2:
ansible_host: 89.58.5.252 ansible_host: <secondary mail server ip>
``` ```
## Environment setup ## Environment setup
@ -77,3 +98,4 @@ Current ansible playbooks:
- 02-ssl.yml - generates ssl certificates and adds a renew cron job - 02-ssl.yml - generates ssl certificates and adds a renew cron job
- 03-mail.yml - installs and configures dovecot and opensmtpd - 03-mail.yml - installs and configures dovecot and opensmtpd
- 04-secondary-mail.yml - installs and configures opensmtpd as a backup mail receiver - 04-secondary-mail.yml - installs and configures opensmtpd as a backup mail receiver
- 05-vpn.yml - configures wireguard vpn

36
ansible/05-vpn.yml Normal file
View File

@ -0,0 +1,36 @@
- name: VPN Setup
hosts:
- mx1
- mx2
remote_user: root
vars_files:
- vars.yml
tasks:
- name: Install wireguard
community.general.openbsd_pkg:
name:
- wireguard-tools
state: present
- name: Ensures /etc/wireguard dir exists
file:
path: "/etc/wireguard"
state: directory
- name: Create wireguard config
template:
src: "templates/wireguard.conf.j2"
dest: "/etc/wireguard/{{ lookup('vars', inventory_hostname + '_wg').interface }}.conf"
owner: root
group: wheel
mode: "0600"
- name: Create wireguard interface
template:
src: "templates/wireguard.if.j2"
dest: "/etc/hostname.{{ lookup('vars', inventory_hostname + '_wg').interface }}"
register: iface_config
- name: Apply network configuration if changed
shell: sh /etc/netstart {{ lookup('vars', inventory_hostname + '_wg').interface }}
when: iface_config.changed

13
ansible/templates/wireguard.conf.j2 Normal file
View File

@ -0,0 +1,13 @@
{% set _wg = lookup('vars', inventory_hostname + '_wg') %}
# {{ ansible_managed }}
[Interface]
PrivateKey = {{ _wg.private_key }}
ListenPort = {{ _wg.port }}
{% for peer in _wg.peers %}
[Peer]
# {{ peer.name }}
PublicKey = {{ peer.public_key }}
Endpoint = {{ peer.endpoint }}
AllowedIPs = {{ peer.allowed_ips }}
{% endfor %}

6
ansible/templates/wireguard.if.j2 Normal file
View File

@ -0,0 +1,6 @@
{% set _wg = lookup('vars', inventory_hostname + '_wg') %}
# {{ ansible_managed }}
inet {{ _wg.address }} 255.255.255.0 NONE
up
!/usr/local/bin/wg setconf {{ _wg.interface }} /etc/wireguard/{{ _wg.interface }}.conf