authorPaweł Dybiec <pdybiec@stud.cs.uni.wroc.pl>2019-10-13 00:39:31 +0200
committerPaweł Dybiec <pdybiec@stud.cs.uni.wroc.pl>2019-10-13 00:39:31 +0200
commit49d9675b30f39b42650ae98d893cdbe305358aa0 (patch)
tree6b56450f5654675c771769094032ee9a88222338 /wireguard.yml
parentFixed git ssh port, disabled restarting of disabled services (diff)
Wireguard configuration
Diffstat (limited to 'wireguard.yml')
-rw-r--r--wireguard.yml76
1 files changed, 76 insertions, 0 deletions
diff --git a/wireguard.yml b/wireguard.yml
new file mode 100644
index 0000000..be40d5b
--- /dev/null
+++ b/wireguard.yml
@@ -0,0 +1,76 @@
+---
+- name: Wireguard config
+  hosts: tamriel
+  remote_user: ansible_worker
+  become: yes
+  vars_files:
+  - secrets.yml
+  tasks:
+  - name: install wireguard
+    apt:
+      name: wireguard
+  - name: IPv4 forwarding
+    sysctl:
+      name: net.ipv4.ip_forward
+      value: "1"
+      state: present
+  - name: ARP proxy
+    sysctl:
+      name: net.ipv4.conf.all.proxy_arp
+      value: "1"
+      state: present
+
+  - name: Enable systemd-networkd
+    systemd:
+      enabled: true
+      state: started
+      name: systemd-networkd
+
+  - name: Generate wireguard config
+    template:
+      src: templates/wg.netdev.j2
+      dest: /etc/systemd/network/30-wg0.netdev
+      owner: root
+      group: systemd-network
+      mode: "640"
+  - name: Generate networkd config
+    template:
+      src: templates/wg.network.j2
+      dest: /etc/systemd/network/30-wg0.network
+
+  - name: Remove interface #systemd-networkd doesn't reload netdev
+    shell: ip link del dev wg0 || true
+
+      
+  - name: Restart systemd-networkd
+    systemd:
+      state: restarted
+      name: systemd-networkd
+
+  - iptables:
+      chain: INPUT
+      match: conntrack
+      ctstate: ["RELATED","ESTABLISHED"]
+      jump: ACCEPT
+  - iptables:
+      chain: FORWARD
+      match: conntrack
+      ctstate: ["RELATED","ESTABLISHED"]
+      jump: ACCEPT
+  - iptables:
+      chain: FORWARD
+      in_interface: wg0
+      out_interface: wg0
+      match: conntrack
+      ctstate: ["NEW"]
+      jump: ACCEPT
+      
+  - iptables:
+      chain: FORWARD
+      in_interface: wg0
+      jump: ACCEPT
+  - iptables:
+      table: nat
+      chain: POSTROUTING
+      out_interface: ens2
+      jump: MASQUERADE
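Review bot: The iptables tasks at the end of the hunk only append rules to the running kernel; nothing in the play saves them, so after a reboot the forwarding turned on by the sysctl tasks (which `state: present` does persist) comes up with no FORWARD filtering and no MASQUERADE unless persistence is handled outside this file. The FORWARD chain's default policy is also never set, so the conntrack/`in_interface: wg0` rules only restrict anything if the host's policy is already DROP; an explicit `- iptables: {chain: FORWARD, policy: DROP}` before them plus a save step (netfilter-persistent or `iptables-save`) would make the intent hold across boots, and the wg0→wg0 NEW rule is then redundant with the broader `in_interface: wg0` ACCEPT that follows it. The `shell: ip link del dev wg0 || true` task is unconditional, so every run tears the tunnel down and reports changed; registering the two template tasks (`register: wg_netdev`, `register: wg_network`) and guarding it with `when: wg_netdev.changed or wg_network.changed` keeps the reload behaviour while making the play idempotent. Minor: `become: yes` should be `become: true`, the four iptables tasks lack a `name:`, and the blank lines after the shell task and the third iptables task carry trailing whitespace.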