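---
# Ansible tasks: WireGuard server plus one phone client on an apt-based host.
# Relies on a `Restart wg0` handler and a `wg0.conf.j2` template elsewhere in
# the role, and on `wireguard_endpoint` being set by the caller.

- name: Install WireGuard and tools
  apt:
    name:
      - wireguard
      - wireguard-tools
      - qrencode
    state: present
    update_cache: true

- name: Allow WireGuard port through UFW
  ufw:
    rule: allow
    port: "51820"
    proto: udp

- name: Enable IP forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set: true
    state: present
    reload: true

- name: Create WireGuard config directory
  file:
    path: /etc/wireguard
    state: directory
    mode: "0700"
    owner: root
    group: root

# --- Server keypair ---

- name: Check if server private key exists
  stat:
    path: /etc/wireguard/server.key
  register: server_key_stat

# `umask 077` makes the key file 0600 at creation. Without it the shell's
# default umask (commonly 022) creates the private key world-readable until the
# "Set permissions" task below runs.
- name: Generate server private key
  shell: umask 077 && wg genkey > /etc/wireguard/server.key
  when: not server_key_stat.stat.exists

- name: Set permissions on server private key
  file:
    path: /etc/wireguard/server.key
    mode: "0600"
    owner: root
    group: root

# The registered variable holds the private key; no_log keeps it out of
# verbose output and the controller's log.
- name: Read server private key
  slurp:
    src: /etc/wireguard/server.key
  register: server_private_key
  no_log: true

# Only the public key is registered here, so no_log is not needed.
- name: Derive server public key
  shell: wg pubkey < /etc/wireguard/server.key
  register: server_public_key
  changed_when: false

# --- Phone keypair ---

- name: Check if phone private key exists
  stat:
    path: /etc/wireguard/phone.key
  register: phone_key_stat

# Same umask reasoning as for the server key above.
- name: Generate phone private key
  shell: umask 077 && wg genkey > /etc/wireguard/phone.key
  when: not phone_key_stat.stat.exists

- name: Set permissions on phone private key
  file:
    path: /etc/wireguard/phone.key
    mode: "0600"
    owner: root
    group: root

- name: Read phone private key
  slurp:
    src: /etc/wireguard/phone.key
  register: phone_private_key
  no_log: true

- name: Derive phone public key
  shell: wg pubkey < /etc/wireguard/phone.key
  register: phone_public_key
  changed_when: false

# --- Server config ---

- name: Write wg0.conf
  template:
    src: wg0.conf.j2
    dest: /etc/wireguard/wg0.conf
    mode: "0600"
    owner: root
    group: root
  notify: Restart wg0

# --- Service ---

- name: Enable and start wg-quick@wg0
  systemd:
    name: wg-quick@wg0
    enabled: true
    state: started

# --- Phone client config + QR ---

# The rendered content embeds the phone's private key; no_log prevents it from
# appearing in task results or diff output. The QR task below is the intended
# channel for handing it to the phone.
- name: Write phone client config
  copy:
    dest: /etc/wireguard/phone-client.conf
    mode: "0600"
    owner: root
    group: root
    content: |
      [Interface]
      PrivateKey = {{ phone_private_key.content | b64decode | trim }}
      Address = 10.10.0.2/32
      DNS = 192.168.7.77

      [Peer]
      PublicKey = {{ server_public_key.stdout }}
      Endpoint = {{ wireguard_endpoint }}:51820
      AllowedIPs = 192.168.7.0/24, 10.10.0.0/24
      PersistentKeepalive = 25
  no_log: true

- name: Generate QR code for phone
  shell: qrencode -t ansiutf8 < /etc/wireguard/phone-client.conf
  register: phone_qr
  changed_when: false

# Deliberately prints the full client config (including the phone's private
# key) as a QR code, so the play output and any log of it contain that secret.
- name: Display phone QR code
  debug:
    msg: "{{ phone_qr.stdout_lines }}"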