Commit 107488dd authored by Kristian Klausen's avatar Kristian Klausen 🎉

Add WireGuard role

This is an initial version, to be used for communication between
{lists,mailman3}.archlinux.org, as mailman{2,3} can't run on the same
server.
parent b5e90585
...@@ -142,6 +142,8 @@ man.archlinux.org ...@@ -142,6 +142,8 @@ man.archlinux.org
dashboards.archlinux.org dashboards.archlinux.org
lists.archlinux.org lists.archlinux.org
[wireguard]
[kape_servers] [kape_servers]
asia.mirror.pkgbuild.com asia.mirror.pkgbuild.com
america.mirror.pkgbuild.com america.mirror.pkgbuild.com
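Review bot: The new `[wireguard]` group is empty and nothing in the inventory says what a host must carry to be listed in it, yet the role's templates read `wireguard_address` and `wireguard_public_key` from the hostvars of every group member and `vault_wireguard_private_key` from the host itself, so a host added without those fails at template time or yields a broken peer list. An INI comment above the group header would save the next person a failed run, e.g. `# members need wireguard_address, wireguard_public_key and vault_wireguard_private_key in host_vars`. The variable names are taken from the templates elsewhere in this commit.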
---
# https://github.com/systemd/systemd/issues/9627
- name: delete wg0
command: networkctl delete wg0
register: result
failed_when: result.rc not in [0, 1]
listen: reload wireguard
- name: reload .network and .netdev files
command: networkctl reload
listen: reload wireguard
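Review bot: The bare issue URL on line 19 does not tell the reader why a `networkctl reload` must be preceded by deleting the interface, nor why exit code 1 is tolerated. Replace it with a comment that states the mechanism, e.g. `# networkctl reload alone does not apply .netdev changes to an existing interface (presumably systemd#9627), so delete wg0 and let reload recreate it; rc 1 is expected when wg0 does not exist yet` — the exit-code reading is my interpretation of the `failed_when`, confirm it against networkctl before committing it to a comment. Note also that deleting the interface drops the tunnel for the duration of the reload; that looks acceptable for the stated mailman use but is worth saying explicitly, since `rc not in [0, 1]` also masks any other failure that exits 1.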
---
# Used for debugging
- name: install wireguard-tools
pacman: name=wireguard-tools state=present
- name: install wireguard configuration
template: src={{ item.src }} dest=/etc/systemd/network/{{ item.dest }} owner=root group=systemd-network mode=0640
loop:
- {src: wg0.netdev.j2, dest: wg0.netdev}
- {src: wg0.network.j2, dest: wg0.network}
notify: reload wireguard
- name: create wireguard zone
ansible.posix.firewalld: zone=wireguard permanent=yes state=present
register: result
- name: reload firewalld
service: name=firewalld state=reloaded
when: result.changed
- name: add wg0 to the wireguard zone
ansible.posix.firewalld: zone=wireguard interface=wg0 permanent=yes immediate=yes state=enabled
- name: open firewall holes
ansible.posix.firewalld: port=51820/udp permanent=yes immediate=yes state=enabled
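Review bot: The template task on lines 32-37 renders `wg0.netdev`, which embeds `vault_wireguard_private_key`, and the `template` module reports file diffs, so a run with `--diff` (or a verbose callback) prints the WireGuard private key to the console and into any log collector. Add `no_log: true` to that task, or `diff: false` if you still want the change itself reported, so the key stays only in the vault and in the 0640 file on disk. Separately, the `wireguard` zone on line 38 is created with no services or ports, so with firewalld's default target everything arriving over `wg0` is rejected until another role adds rules to that zone; if that is intended, a comment such as `# rules for the zone are added by the consuming roles` would make it clear.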
[NetDev]
Name=wg0
Kind=wireguard
[WireGuard]
ListenPort=51820
PrivateKey={{ vault_wireguard_private_key }}
{% for host in groups['wireguard'] if host != inventory_hostname %}
[WireGuardPeer]
PublicKey={{ hostvars[host]['wireguard_public_key'] }}
AllowedIPs={{ hostvars[host]['wireguard_address'] }}/32
Endpoint={{ host }}:51820
{% endfor %}
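Review bot: The listen port 51820 is hard-coded here on lines 52 and 58 and again in the firewall task of tasks/main.yml, so the two files can silently drift apart. Define a role default such as `wireguard_port: 51820` and use `ListenPort={{ wireguard_port }}`, `Endpoint={{ host }}:{{ wireguard_port }}` and `port={{ wireguard_port }}/udp`. Also, `Endpoint={{ host }}` relies on the inventory hostname resolving in DNS from the peer when networkd brings wg0 up; that presumably holds for these hosts, but a per-host `wireguard_endpoint` variable defaulting to `{{ host }}` would make the assumption explicit and overridable.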
[Match]
Name=wg0
[Network]
Address={{ wireguard_address }}/24