2023-04-13 15:23:21 +00:00
7 changed files with 193 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -1,3 +1,83 @@
-# role_modele
+# role_wireguard
-Modèle
+Rôle de déploiement de wireguard.
 ## Variables
 ### wireguard_module_host
 Variable permettant de déployer le module (dkms) de wireguard sur l'hôte qui héberge le conteneur.
 *<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
 ### wireguard_interfaces
 Configuration des interfaces de wireguard (`/etc/wireguard/wgX.conf`).
 *<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
 ## Exemples
 Dans les exemples ci-dessous, j'utilise aussi le rôle *nftables* afin d'installer et configurer le pare-feu logiciel éponyme.
 ### host_vars/infra-wgclient-2316.nyx.ykn.local.yml
 ```yaml
 ---
 # BEGIN role_ifupdown
 ifupdown_interfaces:
  - interface: eth0
    ipv4:
      inet: static
      address: 192.168.1.51
      mask: 24
      gateway: 192.168.1.254
      dns: 192.168.1.254
    ipv6:
      inet: auto
 # END role_ifupdown
 # BEGIN role_nftables
 nftables_rules:
  - filename: wireguard
    rules:
      - ip saddr 10.5.89.1 udp dport 51820 accept
 # END role_nftables
 # BEGIN role_wireguard
 wireguard_end_ip: "{{ (ifupdown_interfaces | first).ipv4.address | split('.') | last }}"
 wireguard_module_host: neree.gaia.ykn.local
 wireguard_interfaces:
  - addresses:
      - 192.168.100.{{ wireguard_end_ip }}/24
      - fd00:a100::b{{ wireguard_end_ip }}/64
    privkey: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      31316231366435626664353933356139396430363366363633666434323135663366666435356462
      6431636238336163326330376437343639613137386265390a323433386134323538653330643062
      38353336323263313466623865393865306662396432363063383532653932346332306363346233
      3165383635326264630a313661386236633137376432653333623533393765333565376336623933
      6638
    peers:
      - name: hyperion.erebos.ykn.local
        pubkey: gGd7wgu7Npe6rhEkG6qQ8SQ7KRVihAeBsyJ2qV+MslA=
        endpoint: "[10.5.89.1]:1194"
        allowed_ips:
          - 0.0.0.0/0
          - ::/0
        persistent_keepalive: 25
 # END role_wireguard
 ```
 ### playbook.yml
 ```yaml
 ---
 - name: Déployer wireguard
  hosts: infra-wgclient-2316.nyx.ykn.local
  roles:
    - name: nftables
    - name: wireguard
 ```
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,20 @@
 ---
 # defaults file for wireguard
 wireguard_module_host: ""
 wireguard_listen_port: ""
 wireguard_interfaces: []
 # Exemple:
 #  - listen_port:
 #    privkey:
 #    addresses:
 #      - 10.10.10.1/24
 #    peers:
 #      - name:
 #        pubkey:
 #        endpoint:
 #        allowed_ips:
 #          - 0.0.0.0/0
 #          - ::/0
 #        persistent_keepalive:
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,7 +1,7 @@
 galaxy_info:
  namespace: ykn
  author: pulsar89.5
-  description: Rôle modèle
+  description: Rôle de déploiement de wireguard
  license: GPL-3.0-or-later
--- a/tasks/configuration.yml
+++ b/tasks/configuration.yml
@ -0,0 +1,29 @@
 ---
 # tasks file for wireguard
 - name: Déployer la configuration des interfaces
  ansible.builtin.template:
    src: wgN.j2
    dest: /etc/wireguard/{{ interface }}.conf
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  loop: "{{ wireguard_interfaces }}"
  loop_control:
    index_var: index
    label: "{{ interface }}"
  vars:
    interface: wg{{ index }}
  become: true
  register: deploy
 - name: Activer et redémarrer les services
  ansible.builtin.systemd:
    state: restarted
    enabled: true
    name: wg-quick@wg{{ item }}.service
  become: true
  loop: "{{ deploy.results | selectattr('changed', 'equalto', true) | map(attribute='index') }}"
  loop_control:
    index_var: index
    label: wg{{ index }}
--- a/tasks/installation.yml
+++ b/tasks/installation.yml
@ -0,0 +1,33 @@
 ---
 # tasks file for wireguard
 - name: Installer le paquet
  ansible.builtin.apt:
    update_cache: true
    name: wireguard
  when: wireguard_module_host | length == 0
  become: true
  register: wireguard_install
 - name: Installer le module du noyau sur l'hôte
  ansible.builtin.apt:
    update_cache: true
    name: wireguard-dkms
  when: wireguard_module_host | length > 0
  delegate_to: "{{ wireguard_module_host }}"
  become: true
 - name: Installer l'outil de configuration
  ansible.builtin.apt:
    update_cache: true
    name: wireguard-tools
  when: wireguard_module_host | length > 0
  become: true
 #- name: Créer le dossier contenant la configuration
 #  ansible.builtin.file:
 #    state: directory
 #    mode: u=rwx,g=,o=
 #    path: "{{ wireguard_conf_path }}"
 #  delegate_to: "{{ wireguard_server_host }}"
 #  become: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,8 @@
 ---
 # tasks file for wireguard
 - name: Importer les tâches d'installation
  ansible.builtin.import_tasks: installation.yml
 - name: Importer les tâches de configuration
  ansible.builtin.import_tasks: configuration.yml
--- a/templates/wgN.j2
+++ b/templates/wgN.j2
@ -0,0 +1,20 @@
 # {{ ansible_managed }}
 [Interface]
 {% if item.listen_port is defined %}
 ListenPort = {{ item.listen_port }}
 {% endif %}
 PrivateKey = {{ item.privkey }}
 Address = {{ item.addresses | join(', ') }}
 {% for peer in item.peers %}
 [Peer]
 # {{ peer.name }}
 PublicKey = {{ peer.pubkey }}
 Endpoint = {{ peer.endpoint }}
 AllowedIPs = {{ peer.allowed_ips | join(', ') }}
 {% if peer.persistent_keepalive is defined %}
 PersistentKeepalive = {{ peer.persistent_keepalive }}
 {% endif %}
 {% endfor %}