Add role

2020-06-23 14:06:12 +02:00
parent 0249fac42b
commit aeb2cf7233
11 changed files with 189 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+wireguard_if: wg0
+wireguard_ext_if: eth0
+wireguard_listenport: 51820
+wireguard_peers: []
+wireguard_ipv4_forward: true
+wireguard_ipv6_forward: true
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,16 @@
+- name: apt-update
+  apt:
+    update_cache: yes
+
+- name: Restart ndppd
+  service:
+    name: ndppd
+    state: restarted
+
+- name: Reload nftables
+  command: /usr/sbin/nft -f /etc/nftables.conf
+
+- name: Restart wg-quick service
+  service:
+    name: "wg-quick@{{ wireguard_if }}"
+    state: restarted
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@@ -0,0 +1,23 @@
+- name: Pin unstable packages
+  copy:
+    dest: /etc/apt/preferences.d/limit-unstable
+    content: "Package: *\nPin: release a=unstable\nPin-Priority: 90"
+
+- name: Install gpg
+  apt:
+    name: gpg
+
+- name: Apt keys
+  apt_key:
+    keyserver: keyserver.ubuntu.com
+    id: "{{ item }}"
+  loop: ["04EE7237B7D453EC", "648ACFD622F3D138"]
+
+- name: Unstable apt repo
+  apt_repository:
+    repo: deb http://deb.debian.org/debian/ unstable main
+    filename: unstable
+
+- name: Install required packages
+  apt:
+    name: ['wireguard', 'wireguard-dkms', 'nftables', 'ndppd']
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,15 @@
+- import_tasks: apt.yml
+  tags: ["wireguard", "apt"]
+
+- import_tasks: wireguard.yml
+  tags: ["wireguard"]
+
+- import_tasks: sysctl.yml
+  tags: ["wireguard", "sysctl"]
+
+- import_tasks: ndppd.yml
+  tags: ["wireguard", "ndppd"]
+
+- import_tasks: nftables.yml
+  tags: ["wireguard", "nftables"]
+  
--- a/tasks/ndppd.yml
+++ b/tasks/ndppd.yml
@@ -0,0 +1,11 @@
+- name: ndppd config file
+  template:
+    src: ndppd.conf.j2
+    dest: /etc/ndppd.conf
+  notify: Restart ndppd
+
+- name: ndppd service
+  service:
+    name: ndppd
+    state: started
+    enabled: true
--- a/tasks/nftables.yml
+++ b/tasks/nftables.yml
@@ -0,0 +1,11 @@
+- name: nftables configuration
+  template:
+    dest: /etc/nftables.conf
+    src: nftables.conf.j2
+  notify: Reload nftables
+
+- name: nftables service
+  service:
+    name: nftables
+    state: started
+    enabled: true
--- a/tasks/sysctl.yml
+++ b/tasks/sysctl.yml
@@ -0,0 +1,11 @@
+- sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"
+    sysctl_set: yes
+  when: wireguard_ipv4_forward
+
+- sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: "1"
+    sysctl_set: yes
+  when: wireguard_ipv6_forward
--- a/tasks/wireguard.yml
+++ b/tasks/wireguard.yml
@@ -0,0 +1,33 @@
+---
+- name: Create wireguard directory
+  file:
+    path: /etc/wireguard
+    state: directory
+    mode: 0700
+
+- name: Generate private key
+  shell: "umask 077 && wg genkey > /etc/wireguard/{{ wireguard_if }}.key"
+  args:
+    creates: "/etc/wireguard/{{ wireguard_if }}.key"
+
+- name: Read private key
+  command: "cat /etc/wireguard/{{ wireguard_if }}.key"
+  register: priv_key
+  changed_when: false
+  check_mode: no
+
+- name: Interface configuration file
+  template:
+    src: wg.conf.j2
+    dest: "/etc/wireguard/{{ wireguard_if }}.conf"
+    mode: 0600
+    owner: root
+    group: root
+  notify: Restart wg-quick service
+
+- name: Wireguard service
+  service:
+    name: "wg-quick@{{ wireguard_if }}.service"
+    state: started
+    enabled: true
+
--- a/templates/ndppd.conf.j2
+++ b/templates/ndppd.conf.j2
@@ -0,0 +1,9 @@
+proxy {{ ansible_default_ipv6.interface }}{
+{% for peer in wireguard_peers %}
+{% for ip6_addr in peer.allowedips | ipv6 %}
+  rule {{ ip6_addr }} {
+    static
+  }
+{% endfor %}
+{% endfor %}
+}
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@@ -0,0 +1,37 @@
+#!/usr/sbin/nft -f
+
+# {{ ansible_managed }}
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0; policy drop
+    iif lo accept
+    ct state established,related accept
+    ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
+    ip protocol icmp icmp type echo-request accept
+    tcp dport { ssh } ct state new accept
+    udp dport { {{ wireguard_listenport }} } ct state new accept
+    counter drop
+  }
+  chain forward {
+    type filter hook forward priority 0; policy drop
+    ct state established,related accept
+    ip6 nexthdr ipv6-icmp icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+    ip protocol icmp icmp type echo-request accept
+    iifname "{{ wireguard_if }}" ct state new accept
+    counter drop
+  }
+  chain output {
+    type filter hook output priority 0;
+  }
+
+}
+table ip nat {
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		oifname "{{ wireguard_ext_if }}" masquerade
+	}
+}
+
--- a/templates/wg.conf.j2
+++ b/templates/wg.conf.j2
@@ -0,0 +1,16 @@
+[Interface]
+PrivateKey = {{ priv_key.stdout }}
+ListenPort = {{ wireguard_listenport }}
+
+{% for peer in wireguard_peers %}
+[Peer]
+PublicKey = {{ peer.publickey }}
+{% if peer.presharedkey is defined %}
+PresharedKey = {{ peer.presharedkey }}
+{% endif %}
+{% if peer.endpoint is defined -%}
+Endpoint = {{ peer.endpoint }}
+{%- endif %}
+AllowedIPs = {{ peer.allowedips | join(', ') }}
+
+{% endfor %}