Add role

2020-06-23 14:06:12 +02:00
parent 0249fac42b
commit aeb2cf7233
11 changed files with 189 additions and 0 deletions
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@@ -0,0 +1,23 @@
+- name: Pin unstable packages
+  copy:
+    dest: /etc/apt/preferences.d/limit-unstable
+    content: "Package: *\nPin: release a=unstable\nPin-Priority: 90"
+
+- name: Install gpg
+  apt:
+    name: gpg
+
+- name: Apt keys
+  apt_key:
+    keyserver: keyserver.ubuntu.com
+    id: "{{ item }}"
+  loop: ["04EE7237B7D453EC", "648ACFD622F3D138"]
+
+- name: Unstable apt repo
+  apt_repository:
+    repo: deb http://deb.debian.org/debian/ unstable main
+    filename: unstable
+
+- name: Install required packages
+  apt:
+    name: ['wireguard', 'wireguard-dkms', 'nftables', 'ndppd']
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,15 @@
+- import_tasks: apt.yml
+  tags: ["wireguard", "apt"]
+
+- import_tasks: wireguard.yml
+  tags: ["wireguard"]
+
+- import_tasks: sysctl.yml
+  tags: ["wireguard", "sysctl"]
+
+- import_tasks: ndppd.yml
+  tags: ["wireguard", "ndppd"]
+
+- import_tasks: nftables.yml
+  tags: ["wireguard", "nftables"]
+  
--- a/tasks/ndppd.yml
+++ b/tasks/ndppd.yml
@@ -0,0 +1,11 @@
+- name: ndppd config file
+  template:
+    src: ndppd.conf.j2
+    dest: /etc/ndppd.conf
+  notify: Restart ndppd
+
+- name: ndppd service
+  service:
+    name: ndppd
+    state: started
+    enabled: true
--- a/tasks/nftables.yml
+++ b/tasks/nftables.yml
@@ -0,0 +1,11 @@
+- name: nftables configuration
+  template:
+    dest: /etc/nftables.conf
+    src: nftables.conf.j2
+  notify: Reload nftables
+
+- name: nftables service
+  service:
+    name: nftables
+    state: started
+    enabled: true
--- a/tasks/sysctl.yml
+++ b/tasks/sysctl.yml
@@ -0,0 +1,11 @@
+- sysctl:
+    name: net.ipv4.ip_forward
+    value: "1"
+    sysctl_set: yes
+  when: wireguard_ipv4_forward
+
+- sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: "1"
+    sysctl_set: yes
+  when: wireguard_ipv6_forward
--- a/tasks/wireguard.yml
+++ b/tasks/wireguard.yml
@@ -0,0 +1,33 @@
+---
+- name: Create wireguard directory
+  file:
+    path: /etc/wireguard
+    state: directory
+    mode: 0700
+
+- name: Generate private key
+  shell: "umask 077 && wg genkey > /etc/wireguard/{{ wireguard_if }}.key"
+  args:
+    creates: "/etc/wireguard/{{ wireguard_if }}.key"
+
+- name: Read private key
+  command: "cat /etc/wireguard/{{ wireguard_if }}.key"
+  register: priv_key
+  changed_when: false
+  check_mode: no
+
+- name: Interface configuration file
+  template:
+    src: wg.conf.j2
+    dest: "/etc/wireguard/{{ wireguard_if }}.conf"
+    mode: 0600
+    owner: root
+    group: root
+  notify: Restart wg-quick service
+
+- name: Wireguard service
+  service:
+    name: "wg-quick@{{ wireguard_if }}.service"
+    state: started
+    enabled: true
+