[wireguard] Deploy configuration and activate service
parent
b8698b2acd
commit
7e5f0ad73e
17
network.yml
17
network.yml
|
@ -1,9 +1,24 @@
|
||||||
---
|
---
|
||||||
# Deploy tunnel
|
# Deploy tunnel
|
||||||
- hosts: boeing.adm.crans.org,sputnik.adm.crans.org
|
- hosts: sputnik.adm.crans.org
|
||||||
|
vars:
|
||||||
|
debian_mirror: http://mirror.crans.org/debian
|
||||||
|
wireguard:
|
||||||
|
sputnik: true
|
||||||
|
private_key: "{{ vault_wireguard_sputnik_private_key }}"
|
||||||
|
peer_public_key: "{{ vault_wireguard_boeing_public_key }}"
|
||||||
|
roles:
|
||||||
|
- wireguard
|
||||||
|
|
||||||
|
- hosts: boeing.adm.crans.org
|
||||||
vars:
|
vars:
|
||||||
# Debian mirror on adm
|
# Debian mirror on adm
|
||||||
debian_mirror: http://mirror.adm.crans.org/debian
|
debian_mirror: http://mirror.adm.crans.org/debian
|
||||||
|
wireguard:
|
||||||
|
sputnik: false
|
||||||
|
if: ens20
|
||||||
|
private_key: "{{ vault_wireguard_boeing_private_key }}"
|
||||||
|
peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
|
||||||
roles:
|
roles:
|
||||||
- wireguard
|
- wireguard
|
||||||
|
|
||||||
|
|
|
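Review bot: The `wireguard.sputnik` boolean is the only thing that selects which half of the tunnel template a host renders, and nothing in network.yml says so, while the two `wireguard:` mappings have different key sets (`if:` exists only in the boeing play). A comment on each mapping would stop a reader from assuming the sputnik play is missing a key, e.g. above `sputnik: true`: `# true: render the sputnik side of the tunnel; false (boeing): render the peer side, which also brings up wireguard.if in PostUp`. The hosts `boeing.adm.crans.org` and `sputnik.adm.crans.org` and their public keys are now hard-wired in both this play and the template, so the `# Deploy tunnel` comment could also state that this role is specific to the boeing↔sputnik pair. The old single play covering both hosts is history; the split itself is fine.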
@ -25,3 +25,24 @@
|
||||||
src: update-motd.d/05-service.j2
|
src: update-motd.d/05-service.j2
|
||||||
dest: /etc/update-motd.d/05-wireguard
|
dest: /etc/update-motd.d/05-wireguard
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
|
- name: Ensure wireguard directory is present
|
||||||
|
file:
|
||||||
|
path: /etc/wireguard
|
||||||
|
mode: 0700
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: Deploy wireguard configuration
|
||||||
|
template:
|
||||||
|
src: wireguard/sputnik.conf.j2
|
||||||
|
dest: /etc/wireguard/sputnik.conf
|
||||||
|
mode: 0700
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: Enable and start wireguard service
|
||||||
|
systemd:
|
||||||
|
name: wg-quick@sputnik
|
||||||
|
state: started
|
||||||
|
enabled: true
|
||||||
|
|
|
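Review bot: The `Ensure wireguard directory is present` task passes no `state:` to the `file` module, so under Ansible's documented default (`state: file`) it adjusts an existing `/etc/wireguard` but does not create it and fails when it is absent; add `state: directory` under `path: /etc/wireguard`. The `Deploy wireguard configuration` task also never reaches the running tunnel once a config changes, because the following `systemd` task only guarantees `state: started`; add `notify: Restart wireguard` to the template task and a handler that runs `systemd` with `name: wg-quick@sputnik` and `state: restarted` (the handlers file is not in view). Since `sputnik.conf` carries the private key, `mode: 0600` (no executable bit) is the appropriate mode for a regular file, and `diff: false` on that task keeps the rendered key out of `--diff` output. The enclosing task list starts outside the hunk.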
@ -0,0 +1,26 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
{% if wireguard.sputnik %}
|
||||||
|
[Interface]
|
||||||
|
Address = 172.31.0.2/30, fd0c:700:0:8::2/64
|
||||||
|
ListenPort = 51820
|
||||||
|
PrivateKey = {{ wireguard.private_key }}
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
PublicKey = {{ wireguard.peer_public_key }}
|
||||||
|
AllowedIPs = 172.31.0.1/32, fd0c:700:0:8::1/128, 10.231.136.0/24, 2a0c:700:0:2::/64
|
||||||
|
Endpoint = 138.231.136.131:51820
|
||||||
|
{% else %}
|
||||||
|
[Interface]
|
||||||
|
Address = 172.31.0.1/30, fd0c:700:0:8::1/64
|
||||||
|
ListenPort = 51820
|
||||||
|
PrivateKey = {{ wireguard.private_key }}
|
||||||
|
|
||||||
|
PostUp = ifup {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
|
||||||
|
PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
PublicKey = {{ wireguard.peer_public_key }}
|
||||||
|
AllowedIPs = 172.31.0.2/32, fd0c:700:0:8::2/128
|
||||||
|
Endpoint = 46.105.102.188:51820
|
||||||
|
{% endif %}
|
||||||
|
|
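Review bot: The `iptables -t nat -A POSTROUTING -j MASQUERADE` and matching `ip6tables` rules in `PostUp` are unscoped (no `-s`, no `-o`), so they rewrite the source of every packet leaving boeing through POSTROUTING, not just tunnel traffic; if I read the intent correctly this also hides the original client address behind `172.31.0.1` on connections DNAT'd to sputnik, which matters for its logs. Restricting them to tunnel sources, `-s 172.31.0.0/30 -j MASQUERADE` and `-s fd0c:700:0:8::/64 -j MASQUERADE`, keeps the NAT to what the template actually needs. The `;`-joined commands also continue after a failure and `-A` appends unconditionally, so a failed `PostDown` followed by `wg-quick up` leaves duplicate rules; `&&` (or `iptables -C ... || iptables -A ...`) avoids that. The endpoint, address and DNAT IPs are literals while the keys already come from the `wireguard` mapping; moving them into that mapping would keep all per-host data in network.yml.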