Commit 107488dd authored by Kristian Klausen 🎉
Add WireGuard role

This is initially intended to be used for communication between
{lists,mailman3} as mailman{2,3} can't run on the same
parent b5e90585
- name: delete wg0
command: networkctl delete wg0
register: result
failed_when: result.rc not in [0, 1]
listen: reload wireguard
- name: reload .network and .netdev files
command: networkctl reload
listen: reload wireguard
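Review bot: `failed_when: result.rc not in [0, 1]` on the `delete wg0` handler accepts exit status 1 whatever the cause, so a real failure to remove the link (as opposed to the link simply not existing yet) passes silently and the following `networkctl reload` would apply a new `.netdev` to an interface that was never torn down; I have not checked which exit codes networkctl uses for the two cases, so this is a hedge rather than a confirmed bug. Gating the command on the link's existence makes the intent explicit and keeps genuine errors fatal: `command: networkctl delete wg0` with `args: {removes: /sys/class/net/wg0}`, dropping the `register`/`failed_when` pair. The handler would also benefit from a comment saying why the link is deleted rather than just reloaded, presumably because a reload alone does not pick up a changed `PrivateKey` — the commit does not state the reason.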
# Used for debugging
- name: install wireguard-tools
pacman: name=wireguard-tools state=present
- name: install wireguard configuration
template: src={{ item.src }} dest=/etc/systemd/network/{{ item.dest }} owner=root group=systemd-network mode=0640
- {src: wg0.netdev.j2, dest: wg0.netdev}
- {src:, dest:}
notify: reload wireguard
- name: create wireguard zone
ansible.posix.firewalld: zone=wireguard permanent=yes state=present
register: result
- name: reload firewalld
service: name=firewalld state=reloaded
when: result.changed
- name: add wg0 to the wireguard zone
ansible.posix.firewalld: zone=wireguard interface=wg0 permanent=yes immediate=yes state=enabled
- name: open firewall holes
ansible.posix.firewalld: port=51820/udp permanent=yes immediate=yes state=enabled
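Review bot: The `install wireguard configuration` task renders `wg0.netdev.j2`, which embeds `vault_wireguard_private_key`, without `no_log`, so a run with `--diff` or a verbose callback would print the private key to the console and any job log; add `no_log: true` to that task. The `root:systemd-network` / `0640` ownership on the same line is the right choice for networkd to read the key without exposing it to other users. The final `open firewall holes` task adds `51820/udp` to the default zone with no `zone=` and no source restriction, so the listener is reachable from anywhere; WireGuard stays silent to unauthenticated datagrams, so this is defence in depth, but since the peer set is exactly `groups['wireguard']` a per-peer rich rule with `source address=` would be tighter. The `wireguard` zone is created but given no services or target in this commit, so traffic arriving over wg0 will hit that zone's default policy until a later role opens what it needs — presumably intended for an initial role, but worth a comment on the `create wireguard zone` task. The loop keyword for the two `{src, dest}` items and the second item's values appear lost in this rendering, so I could not check them.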
PrivateKey={{ vault_wireguard_private_key }}
{% for host in groups['wireguard'] if host != inventory_hostname %}
PublicKey={{ hostvars[host]['wireguard_public_key'] }}
AllowedIPs={{ hostvars[host]['wireguard_address'] }}/32
Endpoint={{ host }}:51820
{% endfor %}
Address={{ wireguard_address }}/24
