From b32819380a98edd24cb1c21b3a3ce9ac124ec6d2 Mon Sep 17 00:00:00 2001
From: "Philip (a-0)" <@ph:a-0.me>
Date: Wed, 27 Jul 2022 11:45:46 +0200
Subject: [PATCH] Initial commit
---
defaults/main.yml | 2 ++
handlers/main.yml | 1 +
meta/main.yml | 2 ++
tasks/main.yml | 63 ++++++++++++++++++++++++++++++++++++++
templates/add_client.sh.j2 | 43 ++++++++++++++++++++++++++
templates/genpair.sh.j2 | 1 +
templates/to_qr.sh.j2 | 1 +
templates/wg0.conf.j2 | 14 +++++++++
vars/debian.yml | 4 +++
9 files changed, 131 insertions(+)
create mode 100644 defaults/main.yml
create mode 100644 handlers/main.yml
create mode 100644 meta/main.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/add_client.sh.j2
create mode 100644 templates/genpair.sh.j2
create mode 100644 templates/to_qr.sh.j2
create mode 100644 templates/wg0.conf.j2
create mode 100644 vars/debian.yml
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..c6847bf
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+wireguard_os_supported: False
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1 @@
+---
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..2002130
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,2 @@
+---
+galaxy_info:
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..c2d3011
--- /dev/null
+++ b/tasks/main.yml
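Review bot: defaults/main.yml declares only `wireguard_os_supported`, yet templates/wg0.conf.j2 in this commit renders `wireguard_server_CIDR`, `wireguard_server_privkey` and `wireguard_clients`, none of which has a default or a definedness check, so a caller that omits one finds out only when the `Set wg0.conf` task fails after the package is already installed. Listing them here (commented out, or as explicit `null` plus an `ansible.builtin.assert` that they are defined) would document the role's interface; `wireguard_server_privkey` in particular should be documented as a vault-encrypted value, since whatever the caller puts in inventory ends up in clear in `/etc/wireguard/wg0.conf`. `False` here, and `True` in vars/debian.yml, are YAML 1.1 spellings that yamllint's truthy rule flags; `false` and `true` are the portable forms.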
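Review bot: `galaxy_info:` with nothing under it parses as null rather than an empty mapping, so the role ships no author, description, license, min_ansible_version or platforms, which ansible-lint's meta rules expect to be present. Given the `OS is supported` assert in tasks/main.yml and the single vars/debian.yml, `platforms` would list only Debian; stating that here tells a consumer at read time what the assert otherwise tells them at run time.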
@@ -0,0 +1,63 @@
+---
+- name: Set OS dependent variables
+ ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+ vars:
+ params:
+ files:
+ - "{{ ansible_distribution | lower }}_{{ ansible_distribution_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}_{{ ansible_distribution_major_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}.yml"
+ - "{{ ansible_os_family | lower }}.yml"
+ - "{{ ansible_system | lower }}.yml"
+ paths:
+ - '{{ role_path }}/vars'
+ ignore_errors: True
+
+- name: OS is supported
+ ansible.builtin.assert:
+ that: __os_supported
+ quiet: True
+ vars:
+ __os_supported: "{{ lookup('vars', '{}_os_supported'.format(role_name)) | bool }}"
+
+
+- name: Install wireguard
+ apt:
+ name: wireguard
+ state: present
+ update_cache: yes
+
+- name: Set wg0.conf
+ template:
+ src: wg0.conf.j2
+ dest: /etc/wireguard/wg0.conf
+ owner: root
+ mode: 0600
+
+- name: Set add_client.sh
+ template:
+ src: add_client.sh.j2
+ dest: /etc/wireguard/add_client.sh
+ owner: root
+ mode: 0600
+
+- name: Set to_qr.sh
+ template:
+ src: to_qr.sh.j2
+ dest: /etc/wireguard/to_qr.sh
+ owner: root
+ mode: 0600
+
+- name: Set genpair.sh
+ template:
+ src: genpair.sh.j2
+ dest: /etc/wireguard/genpair.sh
+ owner: root
+ mode: 0600
+
+- name: Enable wireguard service
+ service:
+ name: wg-quick@wg0.service
+ state: started
+ enabled: yes
+ daemon_reload: yes
\ No newline at end of file
diff --git a/templates/add_client.sh.j2 b/templates/add_client.sh.j2
new file mode 100644
index 0000000..af624cc
--- /dev/null
+++ b/templates/add_client.sh.j2
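Review bot: None of the four `template` tasks carries a `notify`, and handlers/main.yml in this commit contains only `---`, so a changed `/etc/wireguard/wg0.conf` is never applied — the final `service` task only guarantees `state: started`, which is a no-op when wg-quick@wg0 is already running. Adding `notify: Restart wireguard` to the `Set wg0.conf` task plus a handler that runs `service` with `state: restarted` on `wg-quick@wg0.service` closes that gap. The three helper scripts are installed with `mode: 0600`, so they are not executable and only run when passed to a shell explicitly; if that is intentional a comment saying so would help, and in any case `mode: "0600"` removes the dependence on the loader's YAML 1.1 octal handling. `ignore_errors: True` on the include_vars task masks every failure of that lookup, not just a missing vars file; `first_found` accepts `skip: true` in its params for exactly that case.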
@@ -0,0 +1,43 @@
+# add_client
+IP=$1
+
+# If a client config file is already present, return
+if [[ -f /etc/wireguard/client/wg0.conf ]]
+then
+ echo "client/wg0.conf already exists. Please consider moving it to another place or deleting it"
+ return 1
+fi
+
+# generate client key pair
+private_key=$(wg genkey)
+public_key=$(echo $private_key | wg pubkey)
+
+# write updated server config to temp-file
+cp /etc/wireguard/wg0.conf /etc/wireguard/wg0-temp.conf
+echo "
+[Peer]
+PublicKey = $public_key
+AllowedIPs = $IP/32
+" >> /etc/wireguard/wg0-temp.conf
+
+# restart wireguard with updated conf
+wg-quick down wg0
+mv /etc/wireguard/wg0-temp.conf /etc/wireguard/wg0.conf
+wg-quick up wg0
+
+# generate client config file
+echo "[Interface]
+Address = $IP/24
+PrivateKey = $private_key
+MTU = 1280
+DNS = 192.168.2.1
+
+[Peer]
+PublicKey = UPnYF3sTTBUlyHz0gyEAL7c1+rFM7G4LOQ4oab2VqAg=
+AllowedIPs = 0.0.0.0/0
+Endpoint = wg.a-0.me:51900
+PersistentKeepalive = 30
+" > /etc/wireguard/client/wg0.conf
+
+# output client conf as QR-Code
+qrencode -r /etc/wireguard/client/wg0.conf -t ansiutf8
\ No newline at end of file
diff --git a/templates/genpair.sh.j2 b/templates/genpair.sh.j2
new file mode 100644
index 0000000..570c3ca
--- /dev/null
+++ b/templates/genpair.sh.j2
@@ -0,0 +1 @@
+wg genkey | tee $1_private_key | wg pubkey > $1_public_key
\ No newline at end of file
diff --git a/templates/to_qr.sh.j2 b/templates/to_qr.sh.j2
new file mode 100644
index 0000000..0489a86
--- /dev/null
+++ b/templates/to_qr.sh.j2
@@ -0,0 +1 @@
+qrencode -r $1 -t ansiutf8
\ No newline at end of file
diff --git a/templates/wg0.conf.j2 b/templates/wg0.conf.j2
new file mode 100644
index 0000000..ef0b838
--- /dev/null
+++ b/templates/wg0.conf.j2
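Review bot: `IP=$1` is never validated, yet it is written into the server config and the interface is torn down with `wg-quick down wg0` before `wg-quick up wg0` reads the new file; an empty or malformed argument therefore yields `AllowedIPs = /32`, `wg-quick up` rejects the file, and the VPN stays down until someone repairs wg0.conf by hand. The check belongs before `cp`, and the guard on an existing client config does not stop anything if the file is executed rather than sourced: `return 1` outside a function fails with "can only return from a function or sourced script" and execution continues past it, so a shebang plus `exit 1` would pin down the intended mode (the file has no shebang and tasks/main.yml installs it 0600). The server public key, endpoint and DNS are hard-coded literals in a `.j2` template while wg0.conf.j2 already templates `wireguard_server_privkey`; the public key can be derived from that variable and the others made role variables. The client private key is written to `/etc/wireguard/client/wg0.conf`, a directory nothing in the role creates, with whatever umask the caller has; `umask 077` and a `mkdir -p` cover both.
```shell
#!/usr/bin/env bash
set -euo pipefail
umask 077

IP=${1:-}
if [[ ! $IP =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
    echo "usage: $0 <client-ipv4>" >&2
    exit 1
fi
mkdir -p /etc/wireguard/client

# … unchanged: existing client/wg0.conf check (exit 1 in place of return 1), key generation …
# … unchanged: server config update, client config, QR output …
```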
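Review bot: The private key written by `tee $1_private_key` is created with the caller's default umask, so under the usual 022 it is world-readable on disk; the WireGuard quick-start wraps exactly this pipeline in `umask 077`. `(umask 077; wg genkey | tee "$1_private_key" | wg pubkey > "$1_public_key")` also quotes `$1`, which is otherwise subject to word splitting and globbing. Like add_client.sh.j2 the file has no shebang and is installed 0600 by tasks/main.yml, so it only runs when handed to a shell explicitly; a one-line comment stating the expected invocation (`bash genpair.sh <name>`) would save the next operator a guess.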
@@ -0,0 +1,14 @@
+[Interface]
+Address = {{ wireguard_server_CIDR }}
+SaveConfig = true
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ wireguard_iface_name }} -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ wireguard_iface_name }} -j MASQUERADE
+ListenPort = 51900
+PrivateKey = {{ wireguard_server_privkey }}
+
+{% for client in wireguard_clients %}
+[Peer]
+PublicKey = {{ client.pubkey }}
+AllowedIPs = {{ client.ipv4 }}
+
+{% endfor %}
\ No newline at end of file
diff --git a/vars/debian.yml b/vars/debian.yml
new file mode 100644
index 0000000..92797a1
--- /dev/null
+++ b/vars/debian.yml
@@ -0,0 +1,4 @@
+---
+wireguard_os_supported: True
+
+wireguard_iface_name: eth0
\ No newline at end of file
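Review bot: `SaveConfig = true` makes wg-quick write the running interface state back to `/etc/wireguard/wg0.conf` on every `wg-quick down`, while the same path is owned by the `Set wg0.conf` template task in tasks/main.yml, so the two sides overwrite each other: once wg-quick has rewritten the file Ansible reports it changed on every run, and peers appended at runtime by add_client.sh disappear on the next run unless they were also added to `wireguard_clients`. Either drop `SaveConfig` and make `wireguard_clients` the single source of truth, or stop templating wg0.conf after first creation (`force: false`); running both is a config-drift bug waiting to happen. `ListenPort = 51900` is a hard-coded literal beside templated values and is repeated in add_client.sh's `Endpoint` line; a `wireguard_listen_port` variable keeps the two in step. `PrivateKey = {{ wireguard_server_privkey }}` renders the server secret from a play variable, so the role documentation should require it to come from a vault-encrypted source rather than clear-text inventory.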
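Review bot: `wireguard_iface_name: eth0` feeds the `-o` of the MASQUERADE rules in wg0.conf.j2, and on Debian hosts using predictable interface names (`ens3`, `enp0s3`, …) that rule is installed without error but matches no traffic, so clients connect yet get no NAT. `wireguard_iface_name: "{{ ansible_default_ipv4.interface }}"` follows the host's actual uplink and, being in the OS-specific vars file, still leaves room for an explicit override. A comment on the line saying what the value is used for would make the wrong-interface failure mode discoverable from this file alone.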