diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..a5c2cc1
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+wireguard_if: wg0
+wireguard_ext_if: eth0
+wireguard_listenport: 51820
+wireguard_peers: []
+wireguard_ipv4_forward: true
+wireguard_ipv6_forward: true
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..983f627
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,16 @@
+- name: apt-update
+ apt:
+ update_cache: yes
+
+- name: Restart ndppd
+ service:
+ name: ndppd
+ state: restarted
+
+- name: Reload nftables
+ command: /usr/sbin/nft -f /etc/nftables.conf
+
+- name: Restart wg-quick service
+ service:
+ name: "wg-quick@{{ wireguard_if }}"
+ state: restarted
diff --git a/tasks/apt.yml b/tasks/apt.yml
new file mode 100644
index 0000000..371a884
--- /dev/null
+++ b/tasks/apt.yml
@@ -0,0 +1,23 @@
+- name: Pin unstable packages
+ copy:
+ dest: /etc/apt/preferences.d/limit-unstable
+ content: "Package: *\nPin: release a=unstable\nPin-Priority: 90"
+
+- name: Install gpg
+ apt:
+ name: gpg
+
+- name: Apt keys
+ apt_key:
+ keyserver: keyserver.ubuntu.com
+ id: "{{ item }}"
+ loop: ["04EE7237B7D453EC", "648ACFD622F3D138"]
+
+- name: Unstable apt repo
+ apt_repository:
+ repo: deb http://deb.debian.org/debian/ unstable main
+ filename: unstable
+
+- name: Install required packages
+ apt:
+ name: ['wireguard', 'wireguard-dkms', 'nftables', 'ndppd']
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..a61bff8
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,15 @@
+- import_tasks: apt.yml
+ tags: ["wireguard", "apt"]
+
+- import_tasks: wireguard.yml
+ tags: ["wireguard"]
+
+- import_tasks: sysctl.yml
+ tags: ["wireguard", "sysctl"]
+
+- import_tasks: ndppd.yml
+ tags: ["wireguard", "ndppd"]
+
+- import_tasks: nftables.yml
+ tags: ["wireguard", "nftables"]
+
diff --git a/tasks/ndppd.yml b/tasks/ndppd.yml
new file mode 100644
index 0000000..f912ebc
--- /dev/null
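Review bot: `wireguard_peers: []` is the role's main input, yet nothing in defaults/main.yml says what a peer entry looks like; the templates on this page read `publickey` and `allowedips` from every item and optionally `presharedkey` and `endpoint`. Add a comment above the default such as `# Each peer: {publickey: ..., allowedips: [cidr, ...], presharedkey: ... (optional), endpoint: host:port (optional)}` so a caller does not have to read wg.conf.j2 and ndppd.conf.j2 to find the schema. `wireguard_ext_if: eth0` likewise deserves a one-line comment that it is the interface nftables.conf.j2 masquerades on, since a wrong value there silently breaks routing for every peer.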
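Review bot: No task in this commit notifies the `apt-update` handler, so as far as this diff shows it is dead code; if a later consumer is meant to use it, say so in a comment, otherwise drop it. Write its flag as `update_cache: true` rather than the YAML 1.1 `yes`. `Reload nftables` shells out to `/usr/sbin/nft -f /etc/nftables.conf`; since tasks/nftables.yml enables the nftables unit anyway, `service: name: nftables state: reloaded` keeps this handler in the same form as the two service handlers beside it, assuming the installed unit defines a reload action as Debian's does.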
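Review bot: `Apt keys` identifies the archive keys only by 16-hex-digit long IDs and names `keyserver.ubuntu.com` with no scheme, so the fetch presumably runs over unauthenticated HKP and nothing stronger than a 64-bit ID binds the download to the intended key, even though these keys decide what `Unstable apt repo` will accept over plain `http://`. Loop over the full 40-character fingerprints instead and use `keyserver: hkps://keyserver.ubuntu.com` so a substituted key is rejected and the transfer is authenticated; on current Debian `apt-key` is deprecated anyway, and a keyring under /usr/share/keyrings referenced by `signed-by=` in the repo line is the replacement. `Pin-Priority: 90` for `Package: *` has a maintenance consequence worth a comment: with a priority below 100 apt installs a version from unstable only when nothing is installed yet, so wireguard, wireguard-dkms, nftables and ndppd will not be upgraded from unstable by a routine `apt upgrade` once present, and security fixes for them have to be pulled deliberately.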
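Review bot: `import_tasks: ndppd.yml` runs the NDP-proxy config and service unconditionally, while the IPv6 forwarding it exists to support is gated by `wireguard_ipv6_forward` in sysctl.yml; adding `when: wireguard_ipv6_forward` to that import (import_tasks applies the condition to each imported task) keeps a v4-only deployment from running a daemon that answers neighbor solicitations on the upstream interface. The trailing blank line after the last import can be dropped.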
+++ b/tasks/ndppd.yml
@@ -0,0 +1,11 @@
+- name: ndppd config file
+ template:
+ src: ndppd.conf.j2
+ dest: /etc/ndppd.conf
+ notify: Restart ndppd
+
+- name: ndppd service
+ service:
+ name: ndppd
+ state: started
+ enabled: true
diff --git a/tasks/nftables.yml b/tasks/nftables.yml
new file mode 100644
index 0000000..ad6dbc9
--- /dev/null
+++ b/tasks/nftables.yml
@@ -0,0 +1,11 @@
+- name: nftables configuration
+ template:
+ dest: /etc/nftables.conf
+ src: nftables.conf.j2
+ notify: Reload nftables
+
+- name: nftables service
+ service:
+ name: nftables
+ state: started
+ enabled: true
diff --git a/tasks/sysctl.yml b/tasks/sysctl.yml
new file mode 100644
index 0000000..39f7260
--- /dev/null
+++ b/tasks/sysctl.yml
@@ -0,0 +1,11 @@
+- sysctl:
+ name: net.ipv4.ip_forward
+ value: "1"
+ sysctl_set: yes
+ when: wireguard_ipv4_forward
+
+- sysctl:
+ name: net.ipv6.conf.all.forwarding
+ value: "1"
+ sysctl_set: yes
+ when: wireguard_ipv6_forward
diff --git a/tasks/wireguard.yml b/tasks/wireguard.yml
new file mode 100644
index 0000000..dfe3e4e
--- /dev/null
+++ b/tasks/wireguard.yml
@@ -0,0 +1,33 @@
+---
+- name: Create wireguard directory
+ file:
+ path: /etc/wireguard
+ state: directory
+ mode: 0700
+
+- name: Generate private key
+ shell: "umask 077 && wg genkey > /etc/wireguard/{{ wireguard_if }}.key"
+ args:
+ creates: "/etc/wireguard/{{ wireguard_if }}.key"
+
+- name: Read private key
+ command: "cat /etc/wireguard/{{ wireguard_if }}.key"
+ register: priv_key
+ changed_when: false
+ check_mode: no
+
+- name: Interface configuration file
+ template:
+ src: wg.conf.j2
+ dest: "/etc/wireguard/{{ wireguard_if }}.conf"
+ mode: 0600
+ owner: root
+ group: root
+ notify: Restart wg-quick service
+
+- name: Wireguard service
+ service:
+ name: "wg-quick@{{ wireguard_if }}.service"
+ state: started
+ enabled: true
+
diff --git a/templates/ndppd.conf.j2 b/templates/ndppd.conf.j2
new file mode 100644
index 0000000..9396219
--- /dev/null
+++ b/templates/ndppd.conf.j2
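Review bot: Both sysctl tasks are unnamed, so play output and failures show only `sysctl`; give them `name: Enable IPv4 forwarding` and `name: Enable IPv6 forwarding`, and write `sysctl_set: true` rather than `yes`. Enabling `net.ipv6.conf.all.forwarding` has a side effect that deserves a comment on that task: a Linux host with forwarding on stops accepting router advertisements unless `accept_ra` is raised to 2, so a server whose upstream IPv6 default route came from SLAAC can lose it after this change; check how `wireguard_ext_if` gets its IPv6 configuration before rolling this out. When either flag is false the task is merely skipped and any previously enabled forwarding stays on, which is fine but should be stated in defaults/main.yml.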
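Review bot: `Read private key` registers the key material in `priv_key` without `no_log: true`, so the WireGuard private key is printed in the task result under `-v` and lands in any callback or log output that records results; add `no_log: true` to that task, and also to `Interface configuration file`, whose `--diff` output would otherwise show the rendered `PrivateKey =` line. `mode: 0700` and `mode: 0600` are unquoted octals that Ansible's loader accepts because of the leading zero, but `mode: "0700"` / `mode: "0600"` is the form the module docs recommend and survives other YAML tooling that would turn them into 448 and 384. `check_mode: no` reads better as `check_mode: false` and matches the `changed_when: false` beside it.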
@@ -0,0 +1,9 @@
+proxy {{ ansible_default_ipv6.interface }}{
+{% for peer in wireguard_peers %}
+{% for ip6_addr in peer.allowedips | ipv6 %}
+ rule {{ ip6_addr }} {
+ static
+ }
+{% endfor %}
+{% endfor %}
+}
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
new file mode 100644
index 0000000..36ba357
--- /dev/null
+++ b/templates/nftables.conf.j2
@@ -0,0 +1,37 @@
+#!/usr/sbin/nft -f
+
+# {{ ansible_managed }}
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop
+ iif lo accept
+ ct state established,related accept
+ ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
+ ip protocol icmp icmp type echo-request accept
+ tcp dport { ssh } ct state new accept
+ udp dport { {{ wireguard_listenport }} } ct state new accept
+ counter drop
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop
+ ct state established,related accept
+ ip6 nexthdr ipv6-icmp icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+ ip protocol icmp icmp type echo-request accept
+ iifname "{{ wireguard_if }}" ct state new accept
+ counter drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ }
+
+}
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ oifname "{{ wireguard_ext_if }}" masquerade
+ }
+}
+
diff --git a/templates/wg.conf.j2 b/templates/wg.conf.j2
new file mode 100644
index 0000000..83a6648
--- /dev/null
+++ b/templates/wg.conf.j2
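Review bot: `proxy {{ ansible_default_ipv6.interface }}{` takes the proxying interface from facts while nftables.conf.j2 masquerades on the explicit `wireguard_ext_if`, so on a host whose default IPv6 interface is not `wireguard_ext_if` the two templates disagree, and on a host with no IPv6 default route `ansible_default_ipv6` is an empty dict and the template fails on the missing attribute. Use `proxy {{ wireguard_ext_if }} {` to keep both files on one variable (and put the space before the brace). The `ipv6` filter is not core Jinja: it is the netaddr-backed ipaddr family, built into Ansible up to 2.9 and shipped in the `ansible.netcommon` / `ansible.utils` collections afterwards, so the role should declare that requirement in its README or meta.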
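Review bot: The nat rule `oifname "{{ wireguard_ext_if }}" masquerade` rewrites every packet leaving the external interface, not only tunnel traffic; `iifname "{{ wireguard_if }}" oifname "{{ wireguard_ext_if }}" masquerade` limits NAT to the forwarded VPN flows that the forward chain actually admits, which is the least-privilege form. In the forward chain, `iifname "{{ wireguard_if }}" ct state new accept` lets a peer open connections to anything, including the host's own LAN and other peers; if that is the intended gateway policy, a one-line comment above the rule should say so, because a reader tightening the ruleset later will otherwise guess. The two ICMPv6 rules spell the protocol differently (`ip6 nexthdr icmpv6` in input, `ip6 nexthdr ipv6-icmp` in forward); both presumably resolve to protocol 58 on the installed nft, but pick one spelling. The output chain carries no `policy`, so it is accept by default; writing `policy accept;` makes that explicit alongside the two drop policies.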
@@ -0,0 +1,16 @@
+[Interface]
+PrivateKey = {{ priv_key.stdout }}
+ListenPort = {{ wireguard_listenport }}
+
+{% for peer in wireguard_peers %}
+[Peer]
+PublicKey = {{ peer.publickey }}
+{% if peer.presharedkey is defined %}
+PresharedKey = {{ peer.presharedkey }}
+{% endif %}
+{% if peer.endpoint is defined -%}
+Endpoint = {{ peer.endpoint }}
+{%- endif %}
+AllowedIPs = {{ peer.allowedips | join(', ') }}
+
+{% endfor %}
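Review bot: The `[Interface]` section has no `Address =` line and the role exposes no variable for one, so wg-quick will bring the interface up with no tunnel address; routes for each peer's AllowedIPs are still installed, but the host itself has nothing to answer peers from, which is presumably not intended unless the address is assigned outside this role — add a `wireguard_address` default and `Address = {{ wireguard_address }}`. `AllowedIPs = {{ peer.allowedips | join(', ') }}` raises on a peer entry without `allowedips`, which is the right outcome for a required field but should be stated where the peer schema is documented. The rendered file holds the private key and any `PresharedKey` in clear text, so the `mode: 0600` in tasks/wireguard.yml is load-bearing and a `# contains key material; keep mode 0600` comment at the top of the template would keep a future editor from relaxing it.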