ansible-ffibk/roles/wireguard/tasks/main.yml
Tobias Hachmer e4e8c0998f
Introduce p2p vpn link between all ffmwu servers via WireGuard for routing purposes.
* add jinja2 extension 'jinja2.ext.do' to ansible.cfg
 * add host kichererbse.freifunk-mwu.de
 * add new server_type 'mesh-service' and new host group 'ffmwu-mesh-services'
 * use new loopback and anycast networks
 * add role wireguard
 * add role wireguard as dependency for roles network-routing + service-bird
 * add playbook 'mesh-services'
2019-03-19 15:23:12 +01:00


---
# Build the list of WireGuard point-to-point networks this host takes part in.
# For every entry of `wireguard_networks` whose `peers` contains this host, the
# single other peer is resolved to its FQDN and its `magic` hostvar, and the
# entry is annotated with remote / remote_hostname / remote_magic. Note that the
# `do net.update(...)` mutates the shared `wireguard_networks` items in place.
# NOTE(review): `| first` assumes every matching network lists exactly one other
# peer; a network naming only this host would make the lookup fail — confirm
# against the inventory.
- name: Gather my own WireGuard networks.
  set_fact:
    my_wireguard_networks: "{% set _my_nets = [] %}{% for net in wireguard_networks %}{% if inventory_hostname_short in net.peers %}{% do _my_nets.append(net) %}{% set remote = net.peers | reject('equalto', inventory_hostname_short) | list () | first %}{% set remote_hostname = remote + '.freifunk-mwu.de' %}{% set remote_magic = hostvars[remote_hostname]['magic'] %}{% do net.update({'remote': remote, 'remote_hostname': remote_hostname, 'remote_magic': remote_magic}) %}{% endif %}{% endfor %}{{ _my_nets }}"
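# Keep Debian unstable at a negative pin so that enabling the suite below does
# not pull in anything beyond the packages whose priority is raised explicitly.
- name: Set unstable pin priority.
  blockinfile:
    dest: "/etc/apt/preferences.d/limit-unstable"
    block: |
      Package: *
      Pin: release a=unstable
      Pin-Priority: -10
    create: true  # plain YAML boolean instead of the 1.1-style `True`
    owner: "root"
    group: "root"
    mode: "0644"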
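# Allow the wireguard* packages (and only that glob) to be taken from unstable
# by giving them the default priority again.
- name: Raise WireGuard pin priority.
  blockinfile:
    dest: "/etc/apt/preferences.d/wireguard"
    block: |
      Package: wireguard*
      Pin: release a=unstable
      Pin-Priority: 500
    create: true  # boolean; the sibling task used `True` and this one the string "true"
    owner: "root"
    group: "root"
    mode: "0644"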
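# Add the unstable suite; the pins written above keep it from affecting other
# packages. apt verifies the Release signature regardless of the transport.
- name: Add Debian unstable repository.
  apt_repository:
    repo: "deb http://deb.debian.org/debian/ unstable main"
    state: "present"
    filename: "unstable"
    update_cache: true  # plain YAML boolean instead of the 1.1-style `True`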
# Install the distribution packages listed in `wireguard_packages`.
- name: Install WireGuard packages.
  package:
    state: "present"
    name: "{{ wireguard_packages }}"
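# /etc/wireguard receives the private key further down. A directory needs the
# search (x) bit for its owner, which the file-style 0640 lacked, and nothing
# but root has to read it, so use 0700.
- name: Ensure WireGuard directory exists.
  file:
    path: "/etc/wireguard"
    state: "directory"
    owner: "root"
    group: "root"
    mode: "0700"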
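# Both halves of the key pair come from the pass store; no_log keeps the
# private key out of the play output.
- name: Register the WireGuard public + private key.
  set_fact:
    wireguard_public_key: "{{ lookup('passwordstore', 'wireguard/' + inventory_hostname_short + ' subkey=public') }}"
    wireguard_private_key: "{{ lookup('passwordstore', 'wireguard/' + inventory_hostname_short + ' subkey=private') }}"
  no_log: true  # plain YAML boolean instead of the 1.1-style `True`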
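# The private key is written root-only. no_log keeps the rendered content out
# of task output and of --diff/--check output, where `copy` with `content`
# would otherwise print it.
- name: Write the WireGuard private key.
  copy:
    content: "{{ wireguard_private_key }}"
    dest: "/etc/wireguard/wg.priv"
    owner: "root"
    group: "root"
    mode: "0600"
  no_log: true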
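# One wg-<remote>.conf per peer network. The remote name is cut to 11
# characters; presumably to keep "wg-" + name within the interface-name length
# limit — confirm against wireguard.j2.
# NOTE(review): if wg.conf.j2 renders the private key, this task should also
# carry `no_log: true` and a 0600 mode like the wg.priv task.
- name: Write the WireGuard config.
  template:
    src: "wg.conf.j2"
    dest: "/etc/wireguard/wg-{{ item.remote[:11] }}.conf"
    owner: "root"
    group: "root"
    mode: "0640"  # quoted like the other tasks; an unquoted 0640 is a YAML 1.1 octal int
  loop: "{{ my_wireguard_networks }}"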
# Render the ifupdown stanza for the WireGuard interfaces; the handler reloads
# the network interfaces only when the file changed.
- name: Configure the WireGuard interface config.
  template:
    dest: "/etc/network/interfaces.d/wireguard"
    src: "wireguard.j2"
    mode: "0644"
    owner: "root"
    group: "root"
  notify: reload network interfaces