61 lines
1.3 KiB
YAML
61 lines
1.3 KiB
YAML
---
|
|
|
|
- name: Install wireguard packages
|
|
community.general.pacman:
|
|
name:
|
|
- wireguard-tools
|
|
# for encoding .conf as a qr code
|
|
- qrencode
|
|
notify:
|
|
- Start wireguard
|
|
|
|
- name: Enable IP forwarding
|
|
sysctl:
|
|
name: net.ipv4.ip_forward
|
|
value: 1
|
|
state: present
|
|
reload: yes
|
|
when: '"bastion" in group_names'
|
|
|
|
- name: Prevent UFW from removing IP forwarding
|
|
lineinfile:
|
|
path: /etc/ufw/sysctl.conf
|
|
regexp: "^net/ipv4/ip_forward="
|
|
line: "net/ipv4/ip_forward=1"
|
|
when: '"bastion" in group_names'
|
|
|
|
- name: Deploy wireguard server config
|
|
template:
|
|
src: server.conf.j2
|
|
dest: "/etc/wireguard/{{ wireguard_interface }}.conf"
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
lstrip_blocks: true
|
|
no_log: true
|
|
notify:
|
|
- Start wireguard
|
|
|
|
- name: Create wireguard client config output folder
|
|
file:
|
|
path: "{{ wireguard.client_folder }}"
|
|
owner: root
|
|
group: root
|
|
mode: 0700
|
|
state: directory
|
|
when: '"bastion" in group_names'
|
|
|
|
- name: Create wireguard client configs
|
|
template:
|
|
src: client.conf.j2
|
|
dest: "{{ wireguard.client_folder }}/wg-{{ item.name }}.conf"
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
lstrip_blocks: true
|
|
no_log: true
|
|
with_items: "{{ wireguard_secret.clients }}"
|
|
notify:
|
|
- Start wireguard
|
|
when: '"bastion" in group_names'
|