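---
# WireGuard server tasks: package install, keypair handling, wg0 config,
# firewalld exposure of the WG port, and optional routing from the WG subnet
# to a DB subnet via a dedicated firewalld policy.
#
# Variables read here (defined elsewhere in the role/inventory):
#   wireguard_interface, wireguard_port, wireguard_subnet, admin_allowed_cidrs,
#   wireguard_db_pg_proxy_port, wireguard_db_mongo_proxy_port,
#   wireguard_enable_routing, wireguard_routed_subnet, wireguard_routed_interface.
# Handler expected elsewhere: "restart wireguard".

- name: Install WireGuard
  ansible.builtin.dnf:
    name: wireguard-tools
    state: present

- name: Ensure /etc/wireguard directory exists
  ansible.builtin.file:
    path: /etc/wireguard
    state: directory
    mode: "0700"
    owner: root
    group: root

- name: Check if WireGuard private key exists
  ansible.builtin.stat:
    path: /etc/wireguard/private.key
  register: wg_key_stat

- name: Generate WireGuard keypair
  # umask 077 so private.key is never world-readable, not even between its
  # creation by tee and the explicit chmod; pipefail so a failing `wg genkey`
  # cannot leave an empty private.key behind a zero exit status.
  ansible.builtin.shell: |
    set -o pipefail
    umask 077
    wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
    chmod 600 /etc/wireguard/private.key
    chmod 644 /etc/wireguard/public.key
  args:
    executable: /bin/bash
  when: not wg_key_stat.stat.exists

- name: Derive WireGuard public key from existing private key
  # Covers a host where private.key is present but public.key is missing;
  # without this the slurp of public.key below would fail. `creates` makes
  # this a no-op right after the generation task above.
  ansible.builtin.shell: |
    wg pubkey < /etc/wireguard/private.key > /etc/wireguard/public.key
    chmod 644 /etc/wireguard/public.key
  args:
    creates: /etc/wireguard/public.key

- name: Read WireGuard private key
  ansible.builtin.slurp:
    src: /etc/wireguard/private.key
  register: wg_private_key_raw
  # The registered result carries the key material; keep it out of logs.
  no_log: true

- name: Read WireGuard public key
  ansible.builtin.slurp:
    src: /etc/wireguard/public.key
  register: wg_public_key_raw

- name: Set WireGuard key facts
  ansible.builtin.set_fact:
    wg_server_private_key: "{{ wg_private_key_raw.content | b64decode | trim }}"
    wg_server_public_key: "{{ wg_public_key_raw.content | b64decode | trim }}"
  no_log: true

- name: Deploy wg0.conf
  ansible.builtin.template:
    src: wg0.conf.j2
    dest: "/etc/wireguard/{{ wireguard_interface }}.conf"
    mode: "0600"
    owner: root
    group: root
  notify: restart wireguard

- name: Enable and start WireGuard
  ansible.builtin.systemd:
    name: "wg-quick@{{ wireguard_interface }}"
    enabled: true
    state: started
    daemon_reload: true

- name: Allow WireGuard UDP port from admin CIDRs
  ansible.posix.firewalld:
    rich_rule: >-
      rule family="ipv4"
      source address="{{ item }}"
      port port="{{ wireguard_port }}" protocol="udp"
      accept
    zone: drop
    state: enabled
    permanent: true
    immediate: true
  # split() without a separator collapses repeated whitespace and yields []
  # for an empty string, instead of [''] which would render an empty
  # source address into the rich rule.
  loop: "{{ admin_allowed_cidrs.split() }}"

- name: Allow DB ports from WireGuard subnet only
  ansible.posix.firewalld:
    rich_rule: >-
      rule family="ipv4"
      source address="{{ wireguard_subnet }}"
      port port="{{ item }}" protocol="tcp"
      accept
    zone: drop
    state: enabled
    permanent: true
    immediate: true
  loop:
    - "{{ wireguard_db_pg_proxy_port }}"
    - "{{ wireguard_db_mongo_proxy_port }}"

- name: Print server public key (client config için gerekli)
  ansible.builtin.debug:
    msg: "WireGuard server public key: {{ wg_server_public_key }}"

# ---- Optional routing: WG subnet -> routed (DB) subnet ----------------------

- name: Enable IP forwarding (persistent)
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_file: /etc/sysctl.d/99-wireguard.conf
    state: present
    reload: true
  when: wireguard_enable_routing

# The firewall-cmd tasks below are idempotent by inspecting stderr for the
# "already ..." family of messages rather than via a native module.

- name: Bind WireGuard interface to drop zone permanently
  ansible.builtin.command: firewall-cmd --permanent --zone=drop --add-interface={{ wireguard_interface }}
  register: _wg_zone
  failed_when: _wg_zone.rc != 0 and 'ALREADY_ENABLED' not in _wg_zone.stderr
  changed_when: _wg_zone.rc == 0

- name: Bind routed interface to drop zone permanently
  ansible.builtin.command: firewall-cmd --permanent --zone=drop --add-interface={{ wireguard_routed_interface | default('eth1') }}
  register: _eth1_zone
  failed_when: _eth1_zone.rc != 0 and 'ALREADY_ENABLED' not in _eth1_zone.stderr
  changed_when: _eth1_zone.rc == 0
  when: wireguard_enable_routing and wireguard_routed_subnet != ""

- name: Create firewalld policy for WireGuard routing
  ansible.builtin.command: firewall-cmd --permanent --new-policy=wg-to-db
  register: _policy_create
  failed_when: _policy_create.rc != 0 and 'NAME_CONFLICT' not in _policy_create.stderr and 'already exists' not in _policy_create.stderr
  changed_when: _policy_create.rc == 0
  when: wireguard_enable_routing

- name: Set policy ingress zone
  ansible.builtin.command: firewall-cmd --permanent --policy=wg-to-db --add-ingress-zone=drop
  register: _ingress
  failed_when: _ingress.rc != 0 and 'already' not in _ingress.stderr | lower
  changed_when: _ingress.rc == 0
  when: wireguard_enable_routing

- name: Set policy egress zone
  ansible.builtin.command: firewall-cmd --permanent --policy=wg-to-db --add-egress-zone=drop
  register: _egress
  failed_when: _egress.rc != 0 and 'already' not in _egress.stderr | lower
  changed_when: _egress.rc == 0
  when: wireguard_enable_routing

- name: Add forward rule to policy (WG subnet to DB subnet only)
  # Only traffic from the WG subnet to the routed subnet is accepted by the
  # policy; everything else between the two drop-zone interfaces stays dropped.
  ansible.builtin.command: >
    firewall-cmd --permanent --policy=wg-to-db
    --add-rich-rule='rule family="ipv4" source address="{{ wireguard_subnet }}"
    destination address="{{ wireguard_routed_subnet }}" accept'
  register: _fwd_rule
  failed_when: _fwd_rule.rc != 0 and 'already' not in _fwd_rule.stderr | lower
  changed_when: _fwd_rule.rc == 0
  when: wireguard_enable_routing and wireguard_routed_subnet != ""

- name: Enable masquerade on policy
  ansible.builtin.command: firewall-cmd --permanent --policy=wg-to-db --add-masquerade
  register: _masq
  failed_when: _masq.rc != 0 and 'already' not in _masq.stderr | lower
  changed_when: _masq.rc == 0
  when: wireguard_enable_routing

- name: Add direct firewalld rule to allow wg0 to eth1 forwarding in iptables (Docker fix)
  ansible.builtin.command: >
    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0
    -i {{ wireguard_interface }} -o {{ wireguard_routed_interface | default('eth1') }} -j ACCEPT
  register: _fw_dir_fwd
  failed_when: _fw_dir_fwd.rc != 0 and 'ALREADY_ENABLED' not in _fw_dir_fwd.stderr
  changed_when: _fw_dir_fwd.rc == 0
  when: wireguard_enable_routing and wireguard_routed_subnet != ""
  notify: restart wireguard

- name: Add direct firewalld rule to allow eth1 to wg0 forwarding in iptables (Docker fix)
  ansible.builtin.command: >
    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0
    -i {{ wireguard_routed_interface | default('eth1') }} -o {{ wireguard_interface }} -j ACCEPT
  register: _fw_dir_rev
  failed_when: _fw_dir_rev.rc != 0 and 'ALREADY_ENABLED' not in _fw_dir_rev.stderr
  changed_when: _fw_dir_rev.rc == 0
  when: wireguard_enable_routing and wireguard_routed_subnet != ""
  notify: restart wireguard

- name: Reload firewalld to activate routing policy
  # The --permanent changes above only take effect after a reload.
  ansible.builtin.command: firewall-cmd --reload
  changed_when: false
  when: wireguard_enable_routing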