2023-04-13 15:23:21 +00:00
7 changed files with 193 additions and 3 deletions
--- a/README.md
+++ b/README.md
@@ -1,3 +1,83 @@
-# role_modele
+# role_wireguard

-Modèle
+Rôle de déploiement de wireguard.
+
+## Variables
+
+### wireguard_module_host
+
+Variable permettant de déployer le module (dkms) de wireguard sur l'hôte qui héberge le conteneur.
+
+*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
+
+### wireguard_interfaces
+
+Configuration des interfaces de wireguard (`/etc/wireguard/wgX.conf`).
+
+*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
+
+## Exemples
+
+Dans les exemples ci-dessous, j'utilise aussi le rôle *nftables* afin d'installer et configurer le pare-feu logiciel éponyme.
+
+### host_vars/infra-wgclient-2316.nyx.ykn.local.yml
+
+```yaml
+---
+
+# BEGIN role_ifupdown
+ifupdown_interfaces:
+  - interface: eth0
+    ipv4:
+      inet: static
+      address: 192.168.1.51
+      mask: 24
+      gateway: 192.168.1.254
+      dns: 192.168.1.254
+    ipv6:
+      inet: auto
+# END role_ifupdown
+
+# BEGIN role_nftables
+nftables_rules:
+  - filename: wireguard
+    rules:
+      - ip saddr 10.5.89.1 udp dport 51820 accept
+# END role_nftables
+
+# BEGIN role_wireguard
+wireguard_end_ip: "{{ (ifupdown_interfaces | first).ipv4.address | split('.') | last }}"
+wireguard_module_host: neree.gaia.ykn.local
+wireguard_interfaces:
+  - addresses:
+      - 192.168.100.{{ wireguard_end_ip }}/24
+      - fd00:a100::b{{ wireguard_end_ip }}/64
+    privkey: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      31316231366435626664353933356139396430363366363633666434323135663366666435356462
+      6431636238336163326330376437343639613137386265390a323433386134323538653330643062
+      38353336323263313466623865393865306662396432363063383532653932346332306363346233
+      3165383635326264630a313661386236633137376432653333623533393765333565376336623933
+      6638
+    peers:
+      - name: hyperion.erebos.ykn.local
+        pubkey: gGd7wgu7Npe6rhEkG6qQ8SQ7KRVihAeBsyJ2qV+MslA=
+        endpoint: "[10.5.89.1]:1194"
+        allowed_ips:
+          - 0.0.0.0/0
+          - ::/0
+        persistent_keepalive: 25
+# END role_wireguard
+```
+
+### playbook.yml
+
+```yaml
+---
+
+- name: Déployer wireguard
+  hosts: infra-wgclient-2316.nyx.ykn.local
+  roles:
+    - name: nftables
+    - name: wireguard
+```
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,20 @@
+---
+# defaults file for wireguard
+
+wireguard_module_host: ""
+wireguard_listen_port: ""
+
+wireguard_interfaces: []
+# Exemple:
+#  - listen_port:
+#    privkey:
+#    addresses:
+#      - 10.10.10.1/24
+#    peers:
+#      - name:
+#        pubkey:
+#        endpoint:
+#        allowed_ips:
+#          - 0.0.0.0/0
+#          - ::/0
+#        persistent_keepalive:
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,7 +1,7 @@
 galaxy_info:
  namespace: ykn
  author: pulsar89.5
-  description: Rôle modèle
+  description: Rôle de déploiement de wireguard

  license: GPL-3.0-or-later

--- a/tasks/configuration.yml
+++ b/tasks/configuration.yml
@@ -0,0 +1,29 @@
+---
+# tasks file for wireguard
+
+- name: Déployer la configuration des interfaces
+  ansible.builtin.template:
+    src: wgN.j2
+    dest: /etc/wireguard/{{ interface }}.conf
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  loop: "{{ wireguard_interfaces }}"
+  loop_control:
+    index_var: index
+    label: "{{ interface }}"
+  vars:
+    interface: wg{{ index }}
+  become: true
+  register: deploy
+
+- name: Activer et redémarrer les services
+  ansible.builtin.systemd:
+    state: restarted
+    enabled: true
+    name: wg-quick@wg{{ item }}.service
+  become: true
+  loop: "{{ deploy.results | selectattr('changed', 'equalto', true) | map(attribute='index') }}"
+  loop_control:
+    index_var: index
+    label: wg{{ index }}
--- a/tasks/installation.yml
+++ b/tasks/installation.yml
@@ -0,0 +1,33 @@
+---
+# tasks file for wireguard
+
+- name: Installer le paquet
+  ansible.builtin.apt:
+    update_cache: true
+    name: wireguard
+  when: wireguard_module_host | length == 0
+  become: true
+  register: wireguard_install
+
+- name: Installer le module du noyau sur l'hôte
+  ansible.builtin.apt:
+    update_cache: true
+    name: wireguard-dkms
+  when: wireguard_module_host | length > 0
+  delegate_to: "{{ wireguard_module_host }}"
+  become: true
+
+- name: Installer l'outil de configuration
+  ansible.builtin.apt:
+    update_cache: true
+    name: wireguard-tools
+  when: wireguard_module_host | length > 0
+  become: true
+
+#- name: Créer le dossier contenant la configuration
+#  ansible.builtin.file:
+#    state: directory
+#    mode: u=rwx,g=,o=
+#    path: "{{ wireguard_conf_path }}"
+#  delegate_to: "{{ wireguard_server_host }}"
+#  become: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+# tasks file for wireguard
+
+- name: Importer les tâches d'installation
+  ansible.builtin.import_tasks: installation.yml
+
+- name: Importer les tâches de configuration
+  ansible.builtin.import_tasks: configuration.yml
--- a/templates/wgN.j2
+++ b/templates/wgN.j2
@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+
+[Interface]
+{% if item.listen_port is defined %}
+ListenPort = {{ item.listen_port }}
+{% endif %}
+PrivateKey = {{ item.privkey }}
+Address = {{ item.addresses | join(', ') }}
+
+{% for peer in item.peers %}
+[Peer]
+# {{ peer.name }}
+PublicKey = {{ peer.pubkey }}
+Endpoint = {{ peer.endpoint }}
+AllowedIPs = {{ peer.allowed_ips | join(', ') }}
+{% if peer.persistent_keepalive is defined %}
+PersistentKeepalive = {{ peer.persistent_keepalive }}
+{% endif %}
+
+{% endfor %}