Infra_mgmt/roles/wireguard/README.adoc

134 lines
3.1 KiB
Plaintext
Raw Permalink Normal View History

= Wireguard setup
Wireguard setup role. This role extends https://github.com/lablabs/ansible-collection-wireguard/tree/main/roles/wireguard[this codebase] to my needs. It's a bit simpler and adds more idempotence, e.g. when replaying the role to add another client to the server.
== Requirements
This role was written for Debian (tested on >=11) and requires root privileges. It also requires to have several collections installed on your ansible host you won't necessarily have depending on your Ansible installation:
- ansible.posix
- community.general (iptables_save module)
- ansible.utils (network filters)
- netaddr (python package)
== Role Variables
Variables can be found in the link:./defaults/main.yml[default vars file].
[source,yaml]
----
wireguard_dir: /etc/wireguard
wireguard_clients_dir: "{{ wireguard_dir }}/clients"
wireguard_clients_download_dir: clients/
wireguard_download_clients: false
wireguard_serverkeys_download_dir: server/
wireguard_download_serverkeys: false
----
Defines basic arborescence to store Wireguard files. `wireguard_download_clients` and `wireguard_download_serverkeys` can optionally set to true in order to download respectively clients and server's keys from the target host.
[source,yaml]
----
wireguard_restore_serverkeys_dir: ""
----
Use this variable if you want to use pre-existing keys from a directory to bootstrap Wireguard. Must ends with '/'.
[source,yaml]
----
wireguard_packages:
- wireguard
----
List of packages to install.
[source,yaml]
----
wireguard_port: 51810
----
Port which Wireguard will listen to.
[source,yaml]
----
wireguard_hostname: "{{ inventory_hostname }}"
----
Hostname the client will use to connect to the server.
[source,yaml]
----
wireguard_interface: wg0
----
Interface which will be mounted to the server.
[source,yaml]
----
nat_out_interface: eth0
----
Interface where the traffic will be NATed to on the server.
[source,yaml]
----
wireguard_address: 10.213.213.0/24
----
Subnet definition for the VPN network.
[source,yaml]
----
wireguard_keepalive: 25
----
Uses this if you wanna specify a keepalive value. See https://github.com/pirate/wireguard-docs#persistentkeepalive[this] for more information on keepalive.
[source,yaml]
----
wireguard_peers: []
----
Lits of peers (clients) you wanna create. You can define specific name, address, allowedIPs, DNS and keepalive for each peer. See playbook below for example.
[source,yaml]
----
filter_forward: false
other_interface:
----
Set `filter_forward` to true and specify an interface name for `other_interface` if you wanna drop packets from `wireguard_interface` to this interface.
== Dependencies
None.
== Example Playbook
[source,yaml]
----
- name: Deploy Wireguard
hosts: wireguard_hosts
become: true
vars:
wireguard_hostname: "mywireguard.server.com"
wireguard_address: 10.10.10.0/24
wireguard_peers:
- name: client_001
allowed_ip: "0.0.0.0/0, ::/0"
address: "10.10.10.2"
- name: client_002
allowed_ip: "0.0.0.0/0, ::/0"
address: "10.10.10.3"
roles:
- wireguard
----
== License
BSD-3
== Author Information
Role created by https://git.syyrell.com/syrell[syrell].