
---
# wireguard-tools provides the `wg` and `wg-quick` binaries used by the tasks below.
- name: Install WireGuard
  ansible.builtin.dnf:
    state: present
    name: wireguard-tools
# Key material and the interface config live here; 0700/root keeps the
# directory unreadable to any non-root user.
- name: Ensure /etc/wireguard directory exists
  ansible.builtin.file:
    path: /etc/wireguard
    owner: root
    group: root
    mode: '0700'
    state: directory
# Presence check only; the generation task keys off wg_key_stat.stat.exists
# so an existing server key is never overwritten.
- name: Check if WireGuard private key exists
  ansible.builtin.stat:
    path: /etc/wireguard/private.key
  register: wg_key_stat
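# Generate the server keypair once. `umask 077` makes tee create private.key
# as 0600 from the first byte — previously the file was created with the
# default umask and only tightened by the chmod afterwards, leaving a short
# window where it was readable by others. `set -o pipefail` makes a failing
# pipeline stage fail the task instead of silently leaving a bad key file.
# `creates` gives the shell module its own idempotence guard in addition to
# the stat-based `when`.
- name: Generate WireGuard keypair
  ansible.builtin.shell: |
    set -o pipefail
    umask 077
    wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
    chmod 600 /etc/wireguard/private.key
    chmod 644 /etc/wireguard/public.key
  args:
    executable: /bin/bash
    creates: /etc/wireguard/private.key
  when: not wg_key_stat.stat.exists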
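# The registered result carries the private key (base64-encoded); no_log
# keeps it out of verbose (-v) output and callback/log plugins.
- name: Read WireGuard private key
  ansible.builtin.slurp:
    src: /etc/wireguard/private.key
  register: wg_private_key_raw
  no_log: true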
# Public half of the keypair; it is echoed later for client configuration.
- name: Read WireGuard public key
  ansible.builtin.slurp:
    src: /etc/wireguard/public.key
  register: wg_public_key_raw
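# Decode both keys into facts for the wg0.conf template. The private key is
# among the values set, so no_log suppresses the task's result output
# (set_fact echoes its arguments under -v).
- name: Set WireGuard key facts
  ansible.builtin.set_fact:
    wg_server_private_key: "{{ wg_private_key_raw.content | b64decode | trim }}"
    wg_server_public_key: "{{ wg_public_key_raw.content | b64decode | trim }}"
  no_log: true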
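# Render the interface config. The template (not shown here) is expected to
# embed wg_server_private_key, so `diff: false` keeps the file contents out
# of --diff/--check output; mode 0600/root keeps it root-only on disk.
- name: Deploy wg0.conf
  ansible.builtin.template:
    src: wg0.conf.j2
    dest: "/etc/wireguard/{{ wireguard_interface }}.conf"
    owner: root
    group: root
    mode: '0600'
  diff: false
  notify: restart wireguard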
# wg-quick@<iface> reads /etc/wireguard/<iface>.conf deployed above.
- name: Enable and start WireGuard
  ansible.builtin.systemd:
    daemon_reload: true
    name: 'wg-quick@{{ wireguard_interface }}'
    state: started
    enabled: true
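# One accept rule per admin CIDR in the drop zone (everything else on the
# zone's interfaces is dropped). `split()` without a separator discards
# empty tokens, so doubled, leading or trailing spaces in admin_allowed_cidrs
# no longer yield an item with an empty source address. The rule is IPv4
# only; IPv6 admin sources would need a separate family="ipv6" rule.
- name: Allow WireGuard UDP port from admin CIDRs
  ansible.posix.firewalld:
    zone: drop
    rich_rule: >-
      rule family="ipv4" source address="{{ item }}"
      port port="{{ wireguard_port }}" protocol="udp" accept
    permanent: true
    immediate: true
    state: enabled
  loop: "{{ admin_allowed_cidrs.split() }}"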
# Only the tunnel subnet may reach the two DB proxy ports; the drop zone
# discards everything else on its bound interfaces. IPv4 only.
- name: Allow DB ports from WireGuard subnet only
  ansible.posix.firewalld:
    zone: drop
    state: enabled
    permanent: true
    immediate: true
    rich_rule: >-
      rule family="ipv4" source address="{{ wireguard_subnet }}"
      port port="{{ item }}" protocol="tcp" accept
  loop:
    - '{{ wireguard_db_pg_proxy_port }}'
    - '{{ wireguard_db_mongo_proxy_port }}'
# Only the public key is echoed; operators paste it into client peer configs.
- name: Print server public key (client config için gerekli)
  ansible.builtin.debug:
    msg: 'WireGuard server public key: {{ wg_server_public_key }}'
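# Forwarding is needed only when tunnel clients are routed onward to the
# DB side; written to its own sysctl.d drop-in so it survives reboots.
# `reload: true` replaces the YAML-1.1 `yes` spelling (yamllint truthy).
- name: Enable IP forwarding (persistent)
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    state: present
    sysctl_file: /etc/sysctl.d/99-wireguard.conf
    reload: true
  when: wireguard_enable_routing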
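# Bind the tunnel interface to the drop zone so only the explicitly allowed
# traffic (admin UDP port, DB ports from the tunnel subnet) is accepted on
# it. The firewalld module is idempotent on its own, replacing the raw
# command plus stderr string match. Permanent only, as before: the runtime
# binding takes effect at the `firewall-cmd --reload` task at the end of
# this file.
- name: Bind WireGuard interface to drop zone permanently
  ansible.posix.firewalld:
    interface: "{{ wireguard_interface }}"
    zone: drop
    permanent: true
    state: enabled
  register: _wg_zone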
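# Put the DB-side interface into the drop zone too, so both ends of the
# routed path are governed by the wg-to-db policy rather than the default
# zone. Module call is idempotent; permanent only, activated by the reload
# task at the end of this file.
- name: Bind routed interface to drop zone permanently
  ansible.posix.firewalld:
    interface: "{{ wireguard_routed_interface | default('eth1') }}"
    zone: drop
    permanent: true
    state: enabled
  register: _eth1_zone
  when: wireguard_enable_routing and wireguard_routed_subnet != ""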
# Policy objects are driven through firewall-cmd here; re-running against an
# existing policy is tolerated via the NAME_CONFLICT / "already exists"
# stderr matches, so the task only reports changed on a real creation.
- name: Create firewalld policy for WireGuard routing
  ansible.builtin.command: firewall-cmd --permanent --new-policy=wg-to-db
  when: wireguard_enable_routing
  register: _policy_create
  changed_when: _policy_create.rc == 0
  failed_when: >-
    _policy_create.rc != 0
    and 'NAME_CONFLICT' not in _policy_create.stderr
    and 'already exists' not in _policy_create.stderr
# Ingress side of wg-to-db is the drop zone (where the tunnel interface is
# bound). A lower-cased "already" in stderr marks a repeat run, not a failure.
- name: Set policy ingress zone
  ansible.builtin.command: firewall-cmd --permanent --policy=wg-to-db --add-ingress-zone=drop
  when: wireguard_enable_routing
  register: _ingress
  changed_when: _ingress.rc == 0
  failed_when: >-
    _ingress.rc != 0 and 'already' not in _ingress.stderr | lower
# Egress side of wg-to-db is also the drop zone (where the routed interface
# is bound). Same "already" tolerance as the ingress task.
- name: Set policy egress zone
  ansible.builtin.command: firewall-cmd --permanent --policy=wg-to-db --add-egress-zone=drop
  when: wireguard_enable_routing
  register: _egress
  changed_when: _egress.rc == 0
  failed_when: >-
    _egress.rc != 0 and 'already' not in _egress.stderr | lower
# The only forward flow the policy accepts: tunnel subnet -> routed (DB)
# subnet. The rich rule is single-quoted so the command module passes it as
# one argument.
- name: Add forward rule to policy (WG subnet to DB subnet only)
  ansible.builtin.command: >
    firewall-cmd --permanent --policy=wg-to-db --add-rich-rule='rule family="ipv4"
    source address="{{ wireguard_subnet }}" destination address="{{ wireguard_routed_subnet }}" accept'
  when: wireguard_enable_routing and wireguard_routed_subnet != ""
  register: _fwd_rule
  changed_when: _fwd_rule.rc == 0
  failed_when: >-
    _fwd_rule.rc != 0 and 'already' not in _fwd_rule.stderr | lower
# Source-NAT forwarded tunnel traffic to the server's routed-side address so
# the DB side does not need a route back to the tunnel subnet.
- name: Enable masquerade on policy
  ansible.builtin.command: firewall-cmd --permanent --policy=wg-to-db --add-masquerade
  when: wireguard_enable_routing
  register: _masq
  changed_when: _masq.rc == 0
  failed_when: >-
    _masq.rc != 0 and 'already' not in _masq.stderr | lower
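# firewalld's direct chains are consulted before its zone/policy chains, so
# an unconstrained `-i wg0 -o eth1 -j ACCEPT` let any tunnel client reach
# any destination behind the routed interface, bypassing the wg-to-db
# policy's "WG subnet to DB subnet only" restriction. Scope the direct rule
# to the same source/destination pair the policy allows. Folded with `>-`
# so no trailing newline is passed to the command.
- name: Add direct firewalld rule to allow wg0 to eth1 forwarding in iptables (Docker fix)
  ansible.builtin.command: >-
    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0
    -s {{ wireguard_subnet }} -d {{ wireguard_routed_subnet }}
    -i {{ wireguard_interface }} -o {{ wireguard_routed_interface | default('eth1') }}
    -j ACCEPT
  register: _fw_dir_fwd
  failed_when: _fw_dir_fwd.rc != 0 and 'ALREADY_ENABLED' not in _fw_dir_fwd.stderr
  changed_when: _fw_dir_fwd.rc == 0
  when: wireguard_enable_routing and wireguard_routed_subnet != ""
  notify: restart wireguard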
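# Return direction of the rule above, scoped the same way: only traffic from
# the routed (DB) subnet back to the tunnel subnet is accepted, instead of
# anything arriving on the routed interface for wg0. If tunnel clients never
# need connections initiated from the DB side, this could be tightened
# further with a conntrack ESTABLISHED,RELATED match (kept as-is here to
# preserve the existing allow semantics).
- name: Add direct firewalld rule to allow eth1 to wg0 forwarding in iptables (Docker fix)
  ansible.builtin.command: >-
    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0
    -s {{ wireguard_routed_subnet }} -d {{ wireguard_subnet }}
    -i {{ wireguard_routed_interface | default('eth1') }} -o {{ wireguard_interface }}
    -j ACCEPT
  register: _fw_dir_rev
  failed_when: _fw_dir_rev.rc != 0 and 'ALREADY_ENABLED' not in _fw_dir_rev.stderr
  changed_when: _fw_dir_rev.rc == 0
  when: wireguard_enable_routing and wireguard_routed_subnet != ""
  notify: restart wireguard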
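# Several earlier tasks change only the permanent configuration (the
# interface-to-zone bindings, the wg-to-db policy, the direct rules); none
# of it is live until this reload. The WireGuard interface binding runs
# unconditionally, so the reload must too — gating it on
# wireguard_enable_routing left the tunnel interface in the default zone at
# runtime whenever routing was disabled.
- name: Reload firewalld to activate routing policy
  ansible.builtin.command: firewall-cmd --reload
  changed_when: false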