[wireguard] Deploy configuration and activate service

2020-01-26 11:09:39 +01:00 · 2020-01-26 11:09:39 +01:00 · 7e5f0ad73e
parent b8698b2acd
commit 7e5f0ad73e
3 changed files with 63 additions and 1 deletions
--- a/network.yml
+++ b/network.yml
@ -1,9 +1,24 @@
 ---
 # Deploy tunnel
- hosts: boeing.adm.crans.org,sputnik.adm.crans.org
+- hosts: sputnik.adm.crans.org
+  vars:
+    debian_mirror: http://mirror.crans.org/debian
+    wireguard:
+      sputnik: true
+      private_key: "{{ vault_wireguard_sputnik_private_key }}"
+      peer_public_key: "{{ vault_wireguard_boeing_public_key }}"
+  roles:
+    - wireguard
+
+- hosts: boeing.adm.crans.org
  vars:
    # Debian mirror on adm
    debian_mirror: http://mirror.adm.crans.org/debian
+    wireguard:
+      sputnik: false
+      if: ens20
+      private_key: "{{ vault_wireguard_boeing_private_key }}"
+      peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
  roles:
    - wireguard

--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@ -25,3 +25,24 @@
    src: update-motd.d/05-service.j2
    dest: /etc/update-motd.d/05-wireguard
    mode: 0755
+
+- name: Ensure wireguard directory is present
+  file:
+    path: /etc/wireguard
+    mode: 0700
+    owner: root
+    group: root
+
+- name: Deploy wireguard configuration
+  template:
+    src: wireguard/sputnik.conf.j2
+    dest: /etc/wireguard/sputnik.conf
+    mode: 0700
+    owner: root
+    group: root
+
+- name: Enable and start wireguard service
+  systemd:
+    name: wg-quick@sputnik
+    state: started
+    enabled: true
--- a/roles/wireguard/templates/wireguard/sputnik.conf.j2
+++ b/roles/wireguard/templates/wireguard/sputnik.conf.j2
@ -0,0 +1,26 @@
+# {{ ansible_managed }}
+{% if wireguard.sputnik %}
+[Interface]
+Address = 172.31.0.2/30, fd0c:700:0:8::2/64
+ListenPort = 51820
+PrivateKey = {{ wireguard.private_key }}
+
+[Peer]
+PublicKey = {{ wireguard.peer_public_key }}
+AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, 10.231.136.0/24, 2a0c:700:0:2::/64
+Endpoint = 138.231.136.131:51820
+{% else %}
+[Interface]
+Address = 172.31.0.1/30, fd0c:700:0:8::1/64
+ListenPort = 51820
+PrivateKey = {{ wireguard.private_key }}
+
+PostUp =   ifup   {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
+PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
+
+[Peer]
+PublicKey = {{ wireguard.peer_public_key }}
+AllowedIPs = 172.31.0.2/32, fd0c:700:0:8::2/128
+Endpoint = 46.105.102.188:51820
+{% endif %}
+