Diffstat (limited to 'wireguard.yml')
-rw-r--r-- | wireguard.yml | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/wireguard.yml b/wireguard.yml
new file mode 100644
index 0000000..be40d5b
--- /dev/null
+++ b/wireguard.yml
@@ -0,0 +1,76 @@
+---
+- name: Wireguard config
+ hosts: tamriel
+ remote_user: ansible_worker
+ become: yes
+ vars_files:
+ - secrets.yml
+ tasks:
+ - name: install wireguard
+ apt:
+ name: wireguard
+ - name: IPv4 forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: "1"
+ state: present
+ - name: ARP proxy
+ sysctl:
+ name: net.ipv4.conf.all.proxy_arp
+ value: "1"
+ state: present
+
+ - name: Enable systemd-networkd
+ systemd:
+ enabled: true
+ state: started
+ name: systemd-networkd
+
+ - name: Generate wireguard config
+ template:
+ src: templates/wg.netdev.j2
+ dest: /etc/systemd/network/30-wg0.netdev
+ owner: root
+ group: systemd-network
+ mode: "640"
+ - name: Generate networkd config
+ template:
+ src: templates/wg.network.j2
+ dest: /etc/systemd/network/30-wg0.network
+
+ - name: Remove interface #systemd-networkd doesn't reload netdev
+ shell: ip link del dev wg0 || true
+
+
+ - name: Restart systemd-networkd
+ systemd:
+ state: restarted
+ name: systemd-networkd
+
+ - iptables:
+ chain: INPUT
+ match: conntrack
+ ctstate: ["RELATED","ESTABLISHED"]
+ jump: ACCEPT
+ - iptables:
+ chain: FORWARD
+ match: conntrack
+ ctstate: ["RELATED","ESTABLISHED"]
+ jump: ACCEPT
+ - iptables:
+ chain: FORWARD
+ in_interface: wg0
+ out_interface: wg0
+ match: conntrack
+ ctstate: ["NEW"]
+ jump: ACCEPT
+
+ - iptables:
+ chain: FORWARD
+ in_interface: wg0
+ jump: ACCEPT
+ - iptables:
+ table: nat
+ chain: POSTROUTING
+ out_interface: ens2
+ jump: MASQUERADE |
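Review bot: The `ARP proxy` task sets `net.ipv4.conf.all.proxy_arp`, which makes the host answer ARP on every interface, including `ens2`, for any address it has a route to; proxy ARP is only needed if the tunnel peers are given addresses from the LAN subnet, and if so it should be scoped to the one interface facing that subnet, e.g. `name: net.ipv4.conf.ens2.proxy_arp`, rather than enabled globally. The iptables rules at the end of the hunk are not persisted by anything in this play, so after a reboot `ip_forward` and `wg0` come back via sysctl and networkd while the FORWARD ACCEPT and MASQUERADE rules are gone, leaving forwarding behaviour to the chain's default policy; unless another play saves them, install `iptables-persistent` and run `netfilter-persistent save` after the last rule. Nothing in the INPUT chain admits the WireGuard UDP listen port either, so reachability of the tunnel endpoint depends on an existing default policy that is not visible here. Smaller points: `become: yes` should be `become: true`, the `Remove interface` task should be `command: ip link del dev wg0` with `failed_when: false` and `changed_when: false` instead of `shell ... || true` (which also reports changed on every run), and the `.network` template should carry the same explicit `owner`/`group`/`mode` the `.netdev` file gets.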