Add role

2020-06-23 14:06:12 +02:00
parent 0249fac42b
commit aeb2cf7233
11 changed files with 189 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,7 @@
 ---
 wireguard_if: wg0
 wireguard_ext_if: eth0
 wireguard_listenport: 51820
 wireguard_peers: []
 wireguard_ipv4_forward: true
 wireguard_ipv6_forward: true
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,16 @@
 - name: apt-update
  apt:
    update_cache: yes
 - name: Restart ndppd
  service:
    name: ndppd
    state: restarted
 - name: Reload nftables
  command: /usr/sbin/nft -f /etc/nftables.conf
 - name: Restart wg-quick service
  service:
    name: "wg-quick@{{ wireguard_if }}"
    state: restarted
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@@ -0,0 +1,23 @@
 - name: Pin unstable packages
  copy:
    dest: /etc/apt/preferences.d/limit-unstable
    content: "Package: *\nPin: release a=unstable\nPin-Priority: 90"
 - name: Install gpg
  apt:
    name: gpg
 - name: Apt keys
  apt_key:
    keyserver: keyserver.ubuntu.com
    id: "{{ item }}"
  loop: ["04EE7237B7D453EC", "648ACFD622F3D138"]
 - name: Unstable apt repo
  apt_repository:
    repo: deb http://deb.debian.org/debian/ unstable main
    filename: unstable
 - name: Install required packages
  apt:
    name: ['wireguard', 'wireguard-dkms', 'nftables', 'ndppd']
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,15 @@
 - import_tasks: apt.yml
  tags: ["wireguard", "apt"]
 - import_tasks: wireguard.yml
  tags: ["wireguard"]
 - import_tasks: sysctl.yml
  tags: ["wireguard", "sysctl"]
 - import_tasks: ndppd.yml
  tags: ["wireguard", "ndppd"]
 - import_tasks: nftables.yml
  tags: ["wireguard", "nftables"]
--- a/tasks/ndppd.yml
+++ b/tasks/ndppd.yml
@@ -0,0 +1,11 @@
 - name: ndppd config file
  template:
    src: ndppd.conf.j2
    dest: /etc/ndppd.conf
  notify: Restart ndppd
 - name: ndppd service
  service:
    name: ndppd
    state: started
    enabled: true
--- a/tasks/nftables.yml
+++ b/tasks/nftables.yml
@@ -0,0 +1,11 @@
 - name: nftables configuration
  template:
    dest: /etc/nftables.conf
    src: nftables.conf.j2
  notify: Reload nftables
 - name: nftables service
  service:
    name: nftables
    state: started
    enabled: true
--- a/tasks/sysctl.yml
+++ b/tasks/sysctl.yml
@@ -0,0 +1,11 @@
 - sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set: yes
  when: wireguard_ipv4_forward
 - sysctl:
    name: net.ipv6.conf.all.forwarding
    value: "1"
    sysctl_set: yes
  when: wireguard_ipv6_forward
--- a/tasks/wireguard.yml
+++ b/tasks/wireguard.yml
@@ -0,0 +1,33 @@
 ---
 - name: Create wireguard directory
  file:
    path: /etc/wireguard
    state: directory
    mode: 0700
 - name: Generate private key
  shell: "umask 077 && wg genkey > /etc/wireguard/{{ wireguard_if }}.key"
  args:
    creates: "/etc/wireguard/{{ wireguard_if }}.key"
 - name: Read private key
  command: "cat /etc/wireguard/{{ wireguard_if }}.key"
  register: priv_key
  changed_when: false
  check_mode: no
 - name: Interface configuration file
  template:
    src: wg.conf.j2
    dest: "/etc/wireguard/{{ wireguard_if }}.conf"
    mode: 0600
    owner: root
    group: root
  notify: Restart wg-quick service
 - name: Wireguard service
  service:
    name: "wg-quick@{{ wireguard_if }}.service"
    state: started
    enabled: true
--- a/templates/ndppd.conf.j2
+++ b/templates/ndppd.conf.j2
@@ -0,0 +1,9 @@
 proxy {{ ansible_default_ipv6.interface }}{
 {% for peer in wireguard_peers %}
 {% for ip6_addr in peer.allowedips | ipv6 %}
  rule {{ ip6_addr }} {
    static
  }
 {% endfor %}
 {% endfor %}
 }
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@@ -0,0 +1,37 @@
 #!/usr/sbin/nft -f
 # {{ ansible_managed }}
 flush ruleset
 table inet filter {
  chain input {
    type filter hook input priority 0; policy drop
    iif lo accept
    ct state established,related accept
    ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
    ip protocol icmp icmp type echo-request accept
    tcp dport { ssh } ct state new accept
    udp dport { {{ wireguard_listenport }} } ct state new accept
    counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop
    ct state established,related accept
    ip6 nexthdr ipv6-icmp icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
    ip protocol icmp icmp type echo-request accept
    iifname "{{ wireguard_if }}" ct state new accept
    counter drop
  }
  chain output {
    type filter hook output priority 0;
  }
 }
 table ip nat {
 	chain postrouting {
 		type nat hook postrouting priority 100; policy accept;
 		oifname "{{ wireguard_ext_if }}" masquerade
 	}
 }
--- a/templates/wg.conf.j2
+++ b/templates/wg.conf.j2
@@ -0,0 +1,16 @@
 [Interface]
 PrivateKey = {{ priv_key.stdout }}
 ListenPort = {{ wireguard_listenport }}
 {% for peer in wireguard_peers %}
 [Peer]
 PublicKey = {{ peer.publickey }}
 {% if peer.presharedkey is defined %}
 PresharedKey = {{ peer.presharedkey }}
 {% endif %}
 {% if peer.endpoint is defined -%}
 Endpoint = {{ peer.endpoint }}
 {%- endif %}
 AllowedIPs = {{ peer.allowedips | join(', ') }}
 {% endfor %}