ansible-ffibk/roles/wireguard/tasks/main.yml

94 lines
2.8 KiB
YAML
Raw Normal View History

---
- name: Gather my own WireGuard networks.
set_fact:
my_wireguard_networks: "{% set _my_nets = [] %}\
{% for net in wireguard_networks %}\
{% if inventory_hostname_short in net.peers %}\
{% do _my_nets.append(net) %}\
{% set remote = net.peers | reject('equalto', inventory_hostname_short) | list () | first %}\
{% set remote_hostname = remote + '.freifunk-mwu.de' %}\
{% set remote_magic = hostvars[remote_hostname]['magic'] %}\
{% do net.update({'remote': remote, 'remote_hostname': remote_hostname, 'remote_magic': remote_magic}) %}\
{% endif %}\
{% endfor %}\
{{ _my_nets }}"
- name: Set unstable pin priority.
blockinfile:
dest: "/etc/apt/preferences.d/limit-unstable"
block: |
Package: *
Pin: release a=unstable
Pin-Priority: -10
create: True
owner: "root"
group: "root"
mode: "0644"
- name: Raise WireGuard pin priority.
blockinfile:
dest: "/etc/apt/preferences.d/wireguard"
block: |
Package: wireguard*
Pin: release a=unstable
Pin-Priority: 500
create: "true"
owner: "root"
group: "root"
mode: "0644"
- name: Add Debian unstable repository.
apt_repository:
repo: "deb http://deb.debian.org/debian/ unstable main"
state: "present"
filename: "unstable"
update_cache: True
- name: Install WireGuard packages.
package:
name: "{{ wireguard_packages }}"
state: "present"
- name: Ensure WireGuard directory exists.
file:
path: "/etc/wireguard"
state: "directory"
owner: "root"
group: "root"
mode: "0640"
- name: Register the WireGuard public + private key.
set_fact:
wireguard_public_key: "{{ lookup('passwordstore', 'wireguard/' + inventory_hostname_short + ' subkey=public') }}"
wireguard_private_key: "{{ lookup('passwordstore', 'wireguard/' + inventory_hostname_short + ' subkey=private') }}"
no_log: True
- name: Write the WireGuard private key.
copy:
content: "{{ wireguard_private_key }}"
dest: "/etc/wireguard/wg.priv"
owner: "root"
group: "root"
mode: "0600"
- name: Write the WireGuard config.
template:
src: "wg.conf.j2"
dest: "/etc/wireguard/wg-{{ item.remote[:11] }}.conf"
owner: root
group: root
mode: 0640
loop: "{{ my_wireguard_networks }}"
- name: Configure the WireGuard interface config.
template:
src: "wireguard.j2"
dest: "/etc/network/interfaces.d/wireguard"
owner: "root"
group: "root"
mode: "0644"
notify: reload network interfaces
- name: flush handlers
meta: flush_handlers