M .gitignore => .gitignore +2 -0
@@ 1,2 1,4 @@
hosts.yml
group_vars/all/secret.yml
+output/
+!output/README.org
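Review bot: The `!output/README.org` negation on the last line has no effect, because git does not descend into a directory excluded by `output/` and cannot re-include anything beneath it. Exclude the directory's contents instead, `output/*` followed by `!output/README.org`, so the README stays tracked while the fetched peer configs (which carry WireGuard private keys) remain ignored.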
A roles/containers/wireguard/defaults/main.yml => roles/containers/wireguard/defaults/main.yml +10 -0
@@ 0,0 1,10 @@
+---
+wireguard_domain: "vpn.ccw.icu"
+wireguard_project_dir: "vpn"
+wireguard_port: "51820"
+wireguard_peers:
+ - default
+wireguard_timezone: "Europe/London"
+wireguard_bridge_subnet: "149.102.148.89/21"
+wireguard_bridge_gateway: "149.102.144.1"
+wireguard_bridge_parent: "eth0"
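Review bot: `wireguard_bridge_subnet`, `wireguard_bridge_gateway` and `wireguard_bridge_parent` are not referenced by any task in this commit, and together with `wireguard_domain` they pin one deployment's public address and hostname into a role default instead of inventory. If the bridge settings are for a later task, add a comment saying so; otherwise drop them and move the host-specific values to `host_vars`/`group_vars`, which also keeps the role reusable for a second host.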
A roles/containers/wireguard/tasks/config.yml => roles/containers/wireguard/tasks/config.yml +16 -0
@@ 0,0 1,16 @@
+---
+- name: Wait for peer config to be generated
+ ansible.builtin.wait_for:
+ path: "{{ container_dir }}\
+ /{{ wireguard_project_dir }}\
+ /config\
+ /peer_{{ item }}/peer_{{ item }}.conf"
+ loop: "{{ wireguard_peers }}"
+- name: Fetch peer config
+ ansible.builtin.fetch:
+ dest: ./output
+ src: "{{ container_dir }}\
+ /{{ wireguard_project_dir }}\
+ /config\
+ /peer_{{ item }}/peer_{{ item }}.conf"
+ loop: "{{ wireguard_peers }}"
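Review bot: The fetched `peer_<name>.conf` files carry each peer's WireGuard `PrivateKey`, and with `flat` left at its default the fetch task writes them under `./output/<inventory_hostname>/<full remote path>/`, which is awkward to locate and to clean up. Consider `flat: true` with an explicit `dest: "./output/{{ inventory_hostname }}/peer_{{ item }}.conf"`, and note that `fetch` creates the local copy with the controller's umask, so `output/` should be restricted on the controller (`chmod 700`) and never committed. The `wait_for` task only checks that the path exists; if the image writes the file in place it could in principle be fetched before it is complete, and `search_regex: PrivateKey` on the wait would close that window.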
A roles/containers/wireguard/tasks/main.yml => roles/containers/wireguard/tasks/main.yml +4 -0
@@ 0,0 1,4 @@
+---
+- include_tasks: setup.yml
+- include_tasks: network.yml
+- include_tasks: config.yml
A roles/containers/wireguard/tasks/network.yml => roles/containers/wireguard/tasks/network.yml +14 -0
@@ 0,0 1,14 @@
+---
+- name: Make sure the nftables vpn rule exists
+ become: true
+ template:
+ src: ../templates/52_vpn.nft.template
+ dest: /etc/nftables.d/52_vpn.nft
+ register: firewall
+
+- name: Restart nftables
+ become: true
+ service:
+ name: nftables
+ state: restarted
+ when: firewall.changed
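Review bot: `state: restarted` on nftables flushes the ruleset and reloads it from scratch, so a rendering error in `52_vpn.nft` can leave the host without a firewall if the unit fails to start; prefer `state: reloaded` where the distro's unit provides `ExecReload`, and have the template task check the rendered file before it lands, `validate: "nft -c -f %s"` (assuming the `inet filter` table and its `input` chain already exist on the host when the check runs). The `src` can be just `52_vpn.nft.template`, since Ansible searches the role's `templates/` directory and the `../templates/` prefix is unnecessary. Also set `owner: root`, `group: root` and `mode: "0644"` on the file so its permissions do not depend on the become user's umask.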
A roles/containers/wireguard/tasks/setup.yml => roles/containers/wireguard/tasks/setup.yml +38 -0
@@ 0,0 1,38 @@
+---
+- name: Ensure wireguard-dir "{{ wireguard_project_dir }}" exists
+ file:
+ path: "{{ container_dir }}/{{ wireguard_project_dir }}"
+ state: directory
+ recurse: true
+
+- name: Setup wireguard
+ docker_container:
+ name: wireguard
+ image: linuxserver/wireguard:1.0.20210914-alpine
+ restart_policy: unless-stopped
+ env:
+ PUID: "1000"
+ PGID: "1000"
+ TZ: "{{ wireguard_timezone }}"
+ SERVERURL: "{{ wireguard_domain }}"
+ SERVERPORT: "{{ wireguard_port }}"
+ PEERS: "{{ wireguard_peers | join(',') }}"
+ INTERNAL_SUBNET: "10.0.0.0"
+ ALLOWEDIPS: "0.0.0.0/0, ::/0"
+ PEERDNS: "1.1.1.1"
+ ports:
+ - "{{ wireguard_port }}:{{ wireguard_port }}/udp"
+ volumes:
+ - "{{ container_dir }}\
+ /{{ wireguard_project_dir }}\
+ /config\
+ :/config"
+ mounts:
+ - source: /lib/modules
+ target: /lib/modules
+ type: bind
+ capabilities:
+ - NET_ADMIN
+ - SYS_MODULE
+ sysctls:
+ net.ipv4.conf.all.src_valid_mark: 1
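Review bot: `SYS_MODULE` together with the `/lib/modules` bind mount lets the container load arbitrary kernel modules, which is equivalent to root on the host; the image uses it only to `modprobe wireguard` itself when the module is not already present. Load the module once on the host from the playbook instead (e.g. `community.general.modprobe` with `name: wireguard`, or a `/etc/modules-load.d` entry) and drop both `SYS_MODULE` and the `mounts:` entry, leaving only `NET_ADMIN`. The `config/` volume will hold the server and peer private keys, so the `file` task should set `mode: "0700"` (with `owner`/`group` matching PUID/PGID 1000) rather than `recurse: true`, which changes nothing here because no attributes are given. The image tag is pinned, which is good; pinning by digest would additionally protect against a re-pushed tag.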
A roles/containers/wireguard/templates/52_vpn.nft.template => roles/containers/wireguard/templates/52_vpn.nft.template +8 -0
@@ 0,0 1,8 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+ chain input {
+ # allow wireguard vpn
+ udp dport {{ wireguard_port }} accept comment "Allow wireguard"
+ }
+}
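Review bot: The `input` chain body has no `type filter hook input priority` declaration, so this fragment only works if `table inet filter` and its base `input` chain are declared with the hook in a file loaded before it, presumably `/etc/nftables.conf` including `/etc/nftables.d/*.nft`; a one-line comment stating that dependency would save the next reader a trip. It is also worth a comment that WireGuard silently discards unauthenticated packets, so a plain `accept` on the port exposes nothing beyond the handshake endpoint.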
M run.yml => run.yml +11 -1
@@ 1,10 1,14 @@
---
############################################
# SETUP BASE SYSTEM
+# overwrites the ssh user set in the hosts.yml,
+# because the non-root user has yet to be created
############################################
- name: setup base system
hosts: all
- become: true
+ remote_user: root
+ vars:
+ ansible_ssh_user: root
roles:
- role: system
tags: system
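Review bot: `ansible_ssh_user` under `vars:` is the long-deprecated alias of `ansible_user`, and it is redundant here because `remote_user: root` on the play already selects the login user; keep one of them, either `remote_user: root` alone or `ansible_user: root` if overriding inventory is the intent. Logging in as root directly implies `PermitRootLogin` is enabled on fresh hosts; the comment should say whether the `system` role disables it once the non-root user exists, since the later plays in this file apparently rely on that user.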
@@ 48,3 52,9 @@
roles:
- role: containers/uptime-kuma
tags: status
+# Setup Wireguard
+- name: setup Wireguard
+ hosts: all
+ roles:
+ - role: containers/wireguard
+ tags: vpn
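Review bot: The new play has no `become`, so the role's `docker_container` task in setup.yml runs as the inventory's SSH user and only works if that user is in the `docker` group, a membership that is root-equivalent on the host; that is worth a comment here or a `become: true` on the task, consistent with the tasks in network.yml. With `hosts: all` and role defaults that name a single `wireguard_domain` and public subnet, deploying to more than one host would have every host claim the same endpoint; a dedicated group such as `hosts: vpn` is safer unless the inventory holds a single host.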