chore: lots of changes
133
ansible/roles/wireguard/tasks/configure.yml
Normal file
@@ -0,0 +1,133 @@
|
||||
# --------------------------------------------------------
|
||||
# WireGuard installieren
|
||||
# --------------------------------------------------------
|
||||
|
||||
- name: Stelle sicher, dass WireGuard installiert ist
|
||||
apt:
|
||||
name: wireguard
|
||||
state: present
|
||||
update_cache: yes
|
||||
become: true
|
||||
when: ansible_connection != "local"
|
||||
|
||||
# --------------------------------------------------------
|
||||
# Server-Schlüssel erzeugen und speichern
|
||||
# --------------------------------------------------------
|
||||
|
||||
- name: Prüfe ob privater Server-Schlüssel existiert
|
||||
stat:
|
||||
path: /etc/wireguard/privatekey
|
||||
register: privkey_file
|
||||
become: true
|
||||
when: ansible_connection != "local"
|
||||
|
||||
- name: Erstelle Schlüsselpaar für Server (wenn nicht vorhanden)
|
||||
command: wg genkey
|
||||
register: server_private_key
|
||||
when: ansible_connection != "local" and (not privkey_file.stat.exists | default(true))
|
||||
|
||||
- name: Speichere privaten Schlüssel
|
||||
copy:
|
||||
content: "{{ server_private_key.stdout }}"
|
||||
dest: /etc/wireguard/privatekey
|
||||
mode: "0600"
|
||||
when: server_private_key.stdout is defined and server_private_key.stdout is defined
|
||||
|
||||
- name: Lies privaten Schlüssel ein
|
||||
slurp:
|
||||
src: /etc/wireguard/privatekey
|
||||
become: true
|
||||
when: ansible_connection != "local"
|
||||
|
||||
- name: Erzeuge öffentlichen Server-Schlüssel
|
||||
command: "echo '{{ wg_privkey }}' | wg pubkey"
|
||||
register: wg_pubkey
|
||||
when: ansible_connection != "local"
|
||||
|
||||
- name: Privaten Server-Schlüssel anzeigen
|
||||
debug:
|
||||
msg: "{{ server_private_key }}"
|
||||
when: ansible_connection != "local"
|
||||
|
||||
# --------------------------------------------------------
|
||||
# Client-Key-Erzeugung lokal (einmalig pro Client)
|
||||
# --------------------------------------------------------
|
||||
|
||||
- name: Generiere privaten Schlüssel für Clients (auf dem Server)
|
||||
command: wg genkey
|
||||
args:
|
||||
creates: "/etc/wireguard/client-{{ item.name }}.key"
|
||||
loop: "{{ wireguard_clients }}"
|
||||
loop_control:
|
||||
label: "{{ item.name }}"
|
||||
register: client_private_keys
|
||||
when: ansible_connection != "local"
|
||||
|
||||
|
||||
- name: Erzeuge öffentlichen Schlüssel für Clients
|
||||
command: "echo '{{ client_privkey_result.stdout }}' | wg pubkey"
|
||||
register: client_pubkey_result
|
||||
when:
|
||||
- ansible_connection != "local"
|
||||
- client_privkey_result is defined
|
||||
- client_privkey_result.stdout is defined
|
||||
|
||||
- name: wireguard_clients mit public_key anreichern
|
||||
set_fact:
|
||||
wireguard_clients: "{{ wireguard_clients_with_pubkey | default([]) + [ item.0 | combine({'public_key': item.1.stdout|trim }) ] }}"
|
||||
loop: "{{ wireguard_clients | zip(client_public_keys.results) | list }}"
|
||||
when: client_public_keys is defined
|
||||
|
||||
- name: Aktuelles wireguard_clients-Set überschreiben
|
||||
set_fact:
|
||||
wireguard_clients: "{{ wireguard_clients_with_pubkey }}"
|
||||
when: wireguard_clients_with_pubkey is defined
|
||||
|
||||
# --------------------------------------------------------
|
||||
# Konfigurationsdatei erzeugen
|
||||
# --------------------------------------------------------
|
||||
|
||||
#- debug:
|
||||
# var: wireguard_clients
|
||||
|
||||
- name: Render wg0.conf
|
||||
template:
|
||||
src: wg0.conf.j2
|
||||
dest: /etc/wireguard/wg0.conf
|
||||
when: wg_privkey is defined and wg_privkey != ""
|
||||
|
||||
# --------------------------------------------------------
|
||||
# IP Forwarding & WireGuard aktivieren
|
||||
# --------------------------------------------------------
|
||||
|
||||
- name: Aktiviere IP-Forwarding
|
||||
sysctl:
|
||||
name: net.ipv4.ip_forward
|
||||
value: 1
|
||||
state: present
|
||||
sysctl_set: yes
|
||||
reload: yes
|
||||
become: true
|
||||
when: ansible_connection != "local"
|
||||
|
||||
- name: Starte und aktiviere WireGuard
|
||||
systemd:
|
||||
name: wg-quick@wg0
|
||||
enabled: true
|
||||
state: started
|
||||
daemon_reload: yes
|
||||
become: true
|
||||
when: ansible_connection != "local"
|
||||
|
||||
- name: Verteilt für jeden Client die Client-Config
|
||||
template:
|
||||
src: client.conf.j2
|
||||
dest: "/etc/wireguard/clients/{{ item.name }}.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
loop: "{{ wireguard_clients }}"
|
||||
#delegate_to: localhost
|
||||
run_once: true
|
||||
become: true
|
||||
when: ansible_connection != "local"
|
||||
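Review bot: The `Privaten Server-Schlüssel anzeigen` task (`debug` of `server_private_key`) prints the freshly generated WireGuard server private key into the play output, where it ends up in CI logs and any Ansible log file; drop the task or at minimum mark it `no_log: true`. The two `wg pubkey` tasks put a private key on the command line of a `command` call, which exposes it in the process list and in Ansible's own output and also does not pipe at all (`command` runs no shell, so `| wg pubkey` are passed to `echo` as literal arguments); feed the key through `stdin` with `no_log: true` instead. The `Render wg0.conf` template writes a file that carries the private key with no `owner`/`mode`, so it gets whatever the umask yields, and like the `Speichere privaten Schlüssel` copy it runs without `become` while every neighbouring task has it. As far as this hunk shows, `wg_privkey` is never assigned (the `slurp` task has no `register`) and the registered names `client_private_keys`, `client_privkey_result` and `client_public_keys` do not refer to each other, so the client-key section likely needs a functional pass beyond the points above.
```yaml
- name: Lies privaten Schlüssel ein
  slurp:
    src: /etc/wireguard/privatekey
  register: privkey_raw
  become: true
  when: ansible_connection != "local"

- name: Privaten Schlüssel als Fakt setzen (nicht loggen)
  set_fact:
    wg_privkey: "{{ privkey_raw.content | b64decode | trim }}"
  no_log: true
  when: privkey_raw.content is defined

- name: Erzeuge öffentlichen Server-Schlüssel
  command: wg pubkey
  args:
    stdin: "{{ wg_privkey }}"
  register: wg_pubkey
  no_log: true
  when: wg_privkey is defined and wg_privkey != ""

# … removed: "Privaten Server-Schlüssel anzeigen" debug task …
# … unchanged: client key generation …

- name: Render wg0.conf
  template:
    src: wg0.conf.j2
    dest: /etc/wireguard/wg0.conf
    owner: root
    group: root
    mode: "0600"
  become: true
  no_log: true
  when: wg_privkey is defined and wg_privkey != ""
```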