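---
# WireGuard role tasks: install the package, create and persist the server key
# pair, create one key pair per entry in `wireguard_clients`, render wg0.conf
# and the per-client configs, then enable forwarding and the wg-quick unit.
#
# Every task that touches a private key carries `no_log: true` so the key never
# appears in play output or callback logs, and keys are fed to `wg pubkey` by
# file redirection instead of a command-line argument (a command-line argument
# is readable by every local user through the process table).
#
# NOTE(review): `wg0.conf.j2` and `client.conf.j2` are not in this file. The
# variables they presumably consume (`wg_privkey`, `wg_pubkey`,
# `client_private_keys`, `wireguard_clients[*].public_key`) keep their
# original names and shapes — confirm against the templates.

# --------------------------------------------------------
# Install WireGuard
# --------------------------------------------------------
- name: Stelle sicher, dass WireGuard installiert ist
  apt:
    name: wireguard
    state: present
    update_cache: true
  become: true
  when: ansible_connection != "local"

# --------------------------------------------------------
# Create and persist the server key pair
# --------------------------------------------------------
- name: Prüfe ob privater Server-Schlüssel existiert
  stat:
    path: /etc/wireguard/privatekey
  register: privkey_file
  become: true
  when: ansible_connection != "local"

# Generate only when no key is on disk: a regenerated server key would silently
# invalidate every client config that embeds the old public key.
- name: Erstelle Schlüsselpaar für Server (wenn nicht vorhanden)
  command: wg genkey
  register: server_private_key
  no_log: true
  when: ansible_connection != "local" and not (privkey_file.stat.exists | default(true))

# `stdout` is only defined when the generation task above actually ran.
- name: Speichere privaten Schlüssel
  copy:
    content: "{{ server_private_key.stdout }}"
    dest: /etc/wireguard/privatekey
    owner: root
    group: root
    mode: "0600"
  become: true
  no_log: true
  when: server_private_key.stdout is defined

- name: Lies privaten Schlüssel ein
  slurp:
    src: /etc/wireguard/privatekey
  register: privkey_slurp
  become: true
  no_log: true
  when: ansible_connection != "local"

# slurp returns base64; decode once so `wg_privkey` is the plain key string that
# the `when:` on the wg0.conf task below expects.
- name: Setze wg_privkey aus der Schlüsseldatei
  set_fact:
    wg_privkey: "{{ privkey_slurp.content | b64decode | trim }}"
  no_log: true
  when: privkey_slurp.content is defined

# `command` does not interpret `|`, so the former echo-pipeline never reached
# `wg pubkey`; reading the file also keeps the key off the command line.
- name: Erzeuge öffentlichen Server-Schlüssel
  shell: "wg pubkey < /etc/wireguard/privatekey"
  register: wg_pubkey
  changed_when: false
  become: true
  when: ansible_connection != "local"

# Only the public key is ever printed.
- name: Öffentlichen Server-Schlüssel anzeigen
  debug:
    msg: "{{ wg_pubkey.stdout | default('') }}"
  when: ansible_connection != "local"

# --------------------------------------------------------
# Client key generation on the server (once per client)
# --------------------------------------------------------
# Write the key into the file named by `creates:` so the task is idempotent and
# the key survives the run; `umask 077` yields a root-only 0600 file.
- name: Generiere privaten Schlüssel für Clients (auf dem Server)
  shell: "umask 077 && wg genkey > /etc/wireguard/client-{{ item.name }}.key"
  args:
    creates: "/etc/wireguard/client-{{ item.name }}.key"
  loop: "{{ wireguard_clients }}"
  loop_control:
    label: "{{ item.name }}"
  become: true
  no_log: true
  when: ansible_connection != "local"

# Read the keys back so `client_private_keys.results[*].stdout` holds the key
# text on every run, not only on the run that generated it.
- name: Lies private Client-Schlüssel ein
  command: "cat /etc/wireguard/client-{{ item.name }}.key"
  loop: "{{ wireguard_clients }}"
  loop_control:
    label: "{{ item.name }}"
  register: client_private_keys
  changed_when: false
  become: true
  no_log: true
  when: ansible_connection != "local"

- name: Erzeuge öffentlichen Schlüssel für Clients
  shell: "wg pubkey < /etc/wireguard/client-{{ item.name }}.key"
  loop: "{{ wireguard_clients }}"
  loop_control:
    label: "{{ item.name }}"
  register: client_public_keys
  changed_when: false
  become: true
  when: ansible_connection != "local"

# Accumulate into the helper list that the next task copies back. Both this
# loop and the pubkey loop iterate `wireguard_clients` in the same order, so
# zip() pairs each client with its own result; skipped items (local connection)
# have no stdout and are left out.
- name: wireguard_clients mit public_key anreichern
  set_fact:
    wireguard_clients_with_pubkey: "{{ wireguard_clients_with_pubkey | default([]) + [item.0 | combine({'public_key': item.1.stdout | trim})] }}"
  loop: "{{ wireguard_clients | zip(client_public_keys.results | default([])) | list }}"
  loop_control:
    label: "{{ item.0.name }}"
  when: item.1.stdout is defined

- name: Aktuelles wireguard_clients-Set überschreiben
  set_fact:
    wireguard_clients: "{{ wireguard_clients_with_pubkey }}"
  when: wireguard_clients_with_pubkey is defined

# --------------------------------------------------------
# Render the configuration file
# --------------------------------------------------------
#- debug:
#    var: wireguard_clients

# The rendered file embeds the server private key: root-only, and no_log keeps
# the content out of --diff output.
# NOTE(review): nothing restarts wg-quick@wg0 after this file changes; the
# systemd task below only ensures the unit is started.
- name: Render wg0.conf
  template:
    src: wg0.conf.j2
    dest: /etc/wireguard/wg0.conf
    owner: root
    group: root
    mode: "0600"
  become: true
  no_log: true
  when: wg_privkey is defined and wg_privkey != ""

# --------------------------------------------------------
# Enable IP forwarding & WireGuard
# --------------------------------------------------------
- name: Aktiviere IP-Forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    state: present
    sysctl_set: true
    reload: true
  become: true
  when: ansible_connection != "local"

- name: Starte und aktiviere WireGuard
  systemd:
    name: wg-quick@wg0
    enabled: true
    state: started
    daemon_reload: true
  become: true
  when: ansible_connection != "local"

# The template task below fails when the directory is missing; root-only since
# each client config carries that client's private key.
- name: Erstelle Verzeichnis für Client-Configs
  file:
    path: /etc/wireguard/clients
    state: directory
    owner: root
    group: root
    mode: "0700"
  become: true
  when: ansible_connection != "local"

# NOTE(review): `run_once` writes the client configs on the first host only —
# fine for a single-server play; confirm if the role targets several hosts.
- name: Verteilt für jeden Client die Client-Config
  template:
    src: client.conf.j2
    dest: "/etc/wireguard/clients/{{ item.name }}.conf"
    owner: root
    group: root
    mode: "0600"
  loop: "{{ wireguard_clients }}"
  loop_control:
    label: "{{ item.name }}"
  #delegate_to: localhost
  run_once: true
  become: true
  no_log: true
  when: ansible_connection != "local"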