debian.ansible.wireguard.se.../wireguard.yml

---
- name: wireguard setup
  hosts: all
  tasks:

    - name: Packages for wireguard
      apt:
        name:
          - wireguard
          - ufw
        update_cache: no
        install_recommends: no

    - name: activate wireguard logging
      blockinfile:
        path: /etc/modprobe.d/wireguard.conf
        create: yes
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard"
        insertbefore: BOF
        block: |
          options wireguard dyndbg=+p

    - name: load wireguard module during boot
      blockinfile:
        path: /etc/modules-load.d/wireguard.conf
        create: yes
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard"
        insertbefore: BOF
        block: |
          wireguard

    - name: ufw firewall rules for ipv6 routing to the Internet
      blockinfile:
        path: /etc/ufw/before6.rules
        create: yes
        mode: "0440"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard"
        insertbefore: BOF
        block: |
          *nat
          :POSTROUTING ACCEPT - [0:0]
          # Route network fdaa:a192:b168:cd44::/64 (wg0)
          -A POSTROUTING -s fdaa:a192:b168:cd44::/64 -j MASQUERADE
          COMMIT
      notify:
      - Restart ufw

    - name: ufw firewall rules for ipv4 routing to the Internet
      blockinfile:
        path: /etc/ufw/before.rules
        create: yes
        mode: "0440"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard"
        insertbefore: BOF
        block: |
          *nat
          :POSTROUTING ACCEPT - [0:0]
          # Route network 192.168.44.0/24 (wg0)
          -A POSTROUTING -s 192.168.44.0/24 -j MASQUERADE
          COMMIT
      notify:
      - Restart ufw


    - name: Allow Routing
      community.general.ufw:
        rule: allow
        route: yes
        interface_in: wg0

    - name: Restart service for config changes
      copy:
        dest: "/etc/systemd/system/wg-ui-restart.service"
        content: |
          [Unit]
          Description=Restart WireGuard
          After=network.target
          
          [Service]
          Type=oneshot
          ExecStart=/usr/bin/systemctl restart wg-quick@wg0.service
          
          [Install]
          RequiredBy=wg-ui-restart.path

    - name: 'start wg-ui-restart.service'
      systemd:
        name: wg-ui-restart.service
        enabled: true

    - name: Restart service for config changes
      copy:
        dest: "/etc/systemd/system/wg-ui-restart.path"
        content: |
          [Unit]
          Description=Watch /etc/wireguard/wg0.conf for changes
          
          [Path]
          PathModified=/etc/wireguard/wg0.conf
          
          [Install]
          WantedBy=multi-user.target

    - name: 'add wg-ui-restart.path to startup'
      systemd:
        name: wg-ui-restart.path
        state: started
        enabled: true

    - name: 'add wireguard to startup'
      command: systemctl enable wg-quick@wg0.service
      args:
        creates: /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
    
    - name: Create /home/docker/wireguard.{{inventory_hostname}} dir
      ansible.builtin.file:
        path: /home/docker/wireguard.{{inventory_hostname}}
        owner: root
        group: docker
        state: directory
        mode: '0550'

    - name: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh (generate random admin PW)
      blockinfile:
        path: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh
        create: yes
        mode: 0550
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          cd /home/docker/wireguard.{{inventory_hostname}}

          adminpassword=$(pwgen -s 32 1)
          sessionsecret=$(pwgen -s 32 1)

          [ -f env ] || echo "WGUI_PASSWORD=!ADMINPASSWD!
          SESSION_SECRET=!SESSIONSECRET!" >env

          chmod 440 env
          chown root:docker env 
          sed -i "s/\!ADMINPASSWD\!/$adminpassword/g" env
          sed -i "s/\!SESSIONSECRET\!/$sessionsecret/g" env
        backup: yes
        validate: /bin/bash -n %s
      notify: run genpw.sh

    - name: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh shebang
      lineinfile:
        path: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh
        insertbefore: BOF
        line: "#!/bin/bash -e"

    - name: Gen initial passwords if not exists
      ansible.builtin.shell: ./genpw.sh
      args:
        chdir: /home/docker/wireguard.{{inventory_hostname}}
        creates: /home/docker/wireguard.{{inventory_hostname}}/env

    - name: /home/docker/wireguard.{{inventory_hostname}}/docker-compose.yml Container Configuration
      blockinfile:
        path: /home/docker/wireguard.{{inventory_hostname}}/docker-compose.yml
        create: yes
        mode: 0440
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          version: '3.6'
          services:
            wireguard.{{inventory_hostname}}:
              image: ngoduykhanh/wireguard-ui:latest
              restart: unless-stopped
              cap_add:
                - NET_ADMIN
              network_mode: host
              env_file: env
              environment:
                - BIND_ADDRESS=192.168.41.1:5000
                - WGUI_ENDPOINT_ADDRESS=wireguard-tor.{{inventory_hostname}}
                - WGUI_USERNAME=wgadmin
                - WGUI_MANAGE_START=false
                - WGUI_MANAGE_RESTART=false
                - WGUI_DNS=2a02:2970:1002::18,46.182.19.48
                - WGUI_MTU=1450
                - WGUI_CONFIG_FILE_PATH=/etc/wireguard/wg0.conf
                - WGUI_LOG_LEVEL=INFO
                - WGUI_SERVER_INTERFACE_ADDRESSES=fdaa:a192:b168:cd44::1/64,192.168.44.1/24
                - WGUI_SERVER_LISTEN_PORT=59666
                - WGUI_SERVER_POST_UP_SCRIPT
                - WGUI_SERVER_POST_DOWN_SCRIPT
                - WGUI_DEFAULT_CLIENT_USE_SERVER_DNS=true
                - WGUI_DEFAULT_CLIENT_ENABLE_AFTER_CREATION=true
                # route all incl. Internet traffic
                - WGUI_DEFAULT_CLIENT_ALLOWED_IPS=::/0,0.0.0.0/0
                # route all but priate ipv4 networks (expect 192.168.44.0/24) through wireguard - not working
                #- WGUI_DEFAULT_CLIENT_ALLOWED_IPS=::/0,0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/3,160.0.0.0/5,168.0.0.0/8,169.0.0.0/9,169.128.0.0/10,169.192.0.0/11,169.224.0.0/12,169.240.0.0/13,169.248.0.0/14,169.252.0.0/15,169.255.0.0/16,170.0.0.0/7,172.0.0.0/12,172.32.0.0/11,172.64.0.0/10,172.128.0.0/9,173.0.0.0/8,174.0.0.0/7,176.0.0.0/4,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.168.44.0/24,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3
              volumes:
                - ./db:/app/db
                - /etc/wireguard:/etc/wireguard
                - /etc/timezone:/etc/timezone:ro
                - /etc/localtime:/etc/localtime:ro
        backup: yes
      notify: Restart wireguard

    - name: Start wireguard
      ansible.builtin.shell: docker-compose up -d
      args:
        chdir: /home/docker/wireguard.{{inventory_hostname}}
        creates: /home/docker/wireguard.{{inventory_hostname}}/db/server/global_settings.json

    - name: Wait until wireguard install is finished
      wait_for:
        path: /etc/wireguard/wg0.conf

    - name: /home/docker/traefik/providers/wireguard-ui.yml
      blockinfile:
        path: /home/docker/traefik/providers/wireguard-ui.yml
        create: yes
        mode: 0444
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          http:
            routers:
              wireguard:
                rule: "Host(`wireguard.ds9.dedyn.io`)"
                service: wireguard
                entryPoints:
                  - "https"
                tls:
                  certresolver: letsencrypt
                middlewares: secHeaders@file
            services:
              wireguard:
                loadBalancer:
                  servers:
                    - url: "http://192.168.41.1:5000"

    - name: Allow port 59666
      community.general.ufw:
        rule: allow
        port: '59666'
        proto: udp

    - name: 'start wireguard'
      command: systemctl start wg-quick@wg0.service
      args:
        creates: /run/systemd/units/invocation:wg-quick@wg0.service

  handlers:

    - name: Restart ufw
      service:
        name: ufw
        state: restarted

    - name: run genpw.sh
      ansible.builtin.shell: ./genpw.sh
      args:
        chdir: /home/docker/wireguard.{{inventory_hostname}}
      notify: Restart wireguard

    - name: Restart wireguard
      ansible.builtin.shell: docker-compose up -d
      args:
        chdir: /home/docker/wireguard.{{inventory_hostname}}
„wireguard.yml“ hinzufügen 2023-06-07 15:49:03 +02:00			`---`
			`- name: wireguard setup`
			`hosts: all`
			`tasks:`

			`- name: Packages for wireguard`
			`apt:`
			`name:`
			`- wireguard`
			`- ufw`
			`update_cache: no`
			`install_recommends: no`

			`- name: activate wireguard logging`
			`blockinfile:`
			`path: /etc/modprobe.d/wireguard.conf`
			`create: yes`
			`mode: "0444"`
			`owner: root`
			`group: root`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard"`
			`insertbefore: BOF`
			`block: \|`
			`options wireguard dyndbg=+p`

			`- name: load wireguard module during boot`
			`blockinfile:`
			`path: /etc/modules-load.d/wireguard.conf`
			`create: yes`
			`mode: "0444"`
			`owner: root`
			`group: root`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard"`
			`insertbefore: BOF`
			`block: \|`
			`wireguard`

„wireguard.yml“ ändern 2023-06-08 09:58:58 +02:00			`- name: ufw firewall rules for ipv6 routing to the Internet`
„wireguard.yml“ hinzufügen 2023-06-07 15:49:03 +02:00			`blockinfile:`
„wireguard.yml“ ändern 2023-06-08 10:17:40 +02:00			`path: /etc/ufw/before6.rules`
„wireguard.yml“ hinzufügen 2023-06-07 15:49:03 +02:00			`create: yes`
			`mode: "0440"`
			`owner: root`
			`group: root`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard"`
			`insertbefore: BOF`
„wireguard.yml“ ändern 2023-06-08 09:58:58 +02:00			`block: \|`
			`*nat`
			`:POSTROUTING ACCEPT - [0:0]`
„wireguard.yml“ ändern 2023-06-09 11:59:13 +02:00			`# Route network fdaa:a192:b168:cd44::/64 (wg0)`
			`-A POSTROUTING -s fdaa:a192:b168:cd44::/64 -j MASQUERADE`
„wireguard.yml“ ändern 2023-06-08 09:58:58 +02:00			`COMMIT`
			`notify:`
			`- Restart ufw`

			`- name: ufw firewall rules for ipv4 routing to the Internet`
			`blockinfile:`
„wireguard.yml“ ändern 2023-06-08 10:17:40 +02:00			`path: /etc/ufw/before.rules`
„wireguard.yml“ ändern 2023-06-08 09:58:58 +02:00			`create: yes`
			`mode: "0440"`
			`owner: root`
			`group: root`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard"`
			`insertbefore: BOF`
„wireguard.yml“ hinzufügen 2023-06-07 15:49:03 +02:00			`block: \|`
			`*nat`
			`:POSTROUTING ACCEPT - [0:0]`
			`# Route network 192.168.44.0/24 (wg0)`
			`-A POSTROUTING -s 192.168.44.0/24 -j MASQUERADE`
			`COMMIT`
			`notify:`
			`- Restart ufw`

„wireguard.yml“ ändern 2023-06-08 09:58:58 +02:00
„wireguard.yml“ hinzufügen 2023-06-07 15:49:03 +02:00			`- name: Allow Routing`
			`community.general.ufw:`
			`rule: allow`
			`route: yes`
			`interface_in: wg0`

„wireguard.yml“ ändern 2023-06-10 15:07:58 +02:00			`- name: Restart service for config changes`
			`copy:`
			`dest: "/etc/systemd/system/wg-ui-restart.service"`
			`content: \|`
			`[Unit]`
			`Description=Restart WireGuard`
			`After=network.target`

			`[Service]`
			`Type=oneshot`
			`ExecStart=/usr/bin/systemctl restart wg-quick@wg0.service`

			`[Install]`
			`RequiredBy=wg-ui-restart.path`

			`- name: 'start wg-ui-restart.service'`
			`systemd:`
			`name: wg-ui-restart.service`
			`enabled: true`

			`- name: Restart service for config changes`
			`copy:`
			`dest: "/etc/systemd/system/wg-ui-restart.path"`
			`content: \|`
			`[Unit]`
			`Description=Watch /etc/wireguard/wg0.conf for changes`

			`[Path]`
			`PathModified=/etc/wireguard/wg0.conf`

			`[Install]`
			`WantedBy=multi-user.target`

			`- name: 'add wg-ui-restart.path to startup'`
			`systemd:`
			`name: wg-ui-restart.path`
			`state: started`
			`enabled: true`

„wireguard.yml“ hinzufügen 2023-06-07 15:49:03 +02:00			`- name: 'add wireguard to startup'`
			`command: systemctl enable wg-quick@wg0.service`
			`args:`
			`creates: /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service`

			`- name: Create /home/docker/wireguard.{{inventory_hostname}} dir`
			`ansible.builtin.file:`
			`path: /home/docker/wireguard.{{inventory_hostname}}`
			`owner: root`
			`group: docker`
			`state: directory`
			`mode: '0550'`

			`- name: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh (generate random admin PW)`
			`blockinfile:`
			`path: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh`
			`create: yes`
			`mode: 0550`
			`owner: root`
			`group: docker`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`cd /home/docker/wireguard.{{inventory_hostname}}`

			`adminpassword=$(pwgen -s 32 1)`
			`sessionsecret=$(pwgen -s 32 1)`

			`[ -f env ] \|\| echo "WGUI_PASSWORD=!ADMINPASSWD!`
			`SESSION_SECRET=!SESSIONSECRET!" >env`

			`chmod 440 env`
			`chown root:docker env`
			`sed -i "s/\!ADMINPASSWD\!/$adminpassword/g" env`
			`sed -i "s/\!SESSIONSECRET\!/$sessionsecret/g" env`
			`backup: yes`
			`validate: /bin/bash -n %s`
			`notify: run genpw.sh`

			`- name: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh shebang`
			`lineinfile:`
			`path: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh`
			`insertbefore: BOF`
			`line: "#!/bin/bash -e"`

			`- name: Gen initial passwords if not exists`
			`ansible.builtin.shell: ./genpw.sh`
			`args:`
			`chdir: /home/docker/wireguard.{{inventory_hostname}}`
			`creates: /home/docker/wireguard.{{inventory_hostname}}/env`

			`- name: /home/docker/wireguard.{{inventory_hostname}}/docker-compose.yml Container Configuration`
			`blockinfile:`
			`path: /home/docker/wireguard.{{inventory_hostname}}/docker-compose.yml`
			`create: yes`
			`mode: 0440`
			`owner: root`
			`group: docker`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`version: '3.6'`
			`services:`
			`wireguard.{{inventory_hostname}}:`
			`image: ngoduykhanh/wireguard-ui:latest`
			`restart: unless-stopped`
			`cap_add:`
			`- NET_ADMIN`
			`network_mode: host`
			`env_file: env`
			`environment:`
			`- BIND_ADDRESS=192.168.41.1:5000`
„wireguard.yml“ ändern 2023-06-08 10:09:47 +02:00			`- WGUI_ENDPOINT_ADDRESS=wireguard-tor.{{inventory_hostname}}`
„wireguard.yml“ hinzufügen 2023-06-07 15:49:03 +02:00			`- WGUI_USERNAME=wgadmin`
„wireguard.yml“ ändern 2023-06-10 12:57:33 +02:00			`- WGUI_MANAGE_START=false`
			`- WGUI_MANAGE_RESTART=false`
„wireguard.yml“ ändern 2023-06-08 10:09:02 +02:00			`- WGUI_DNS=2a02:2970:1002::18,46.182.19.48`
„wireguard.yml“ hinzufügen 2023-06-07 15:49:03 +02:00			`- WGUI_MTU=1450`
			`- WGUI_CONFIG_FILE_PATH=/etc/wireguard/wg0.conf`
			`- WGUI_LOG_LEVEL=INFO`
„wireguard.yml“ ändern 2023-06-09 11:59:13 +02:00			`- WGUI_SERVER_INTERFACE_ADDRESSES=fdaa:a192:b168:cd44::1/64,192.168.44.1/24`
„wireguard.yml“ hinzufügen 2023-06-07 15:49:03 +02:00			`- WGUI_SERVER_LISTEN_PORT=59666`
			`- WGUI_SERVER_POST_UP_SCRIPT`
			`- WGUI_SERVER_POST_DOWN_SCRIPT`
			`- WGUI_DEFAULT_CLIENT_USE_SERVER_DNS=true`
			`- WGUI_DEFAULT_CLIENT_ENABLE_AFTER_CREATION=true`
„wireguard.yml“ ändern 2023-06-10 12:57:33 +02:00			`# route all incl. Internet traffic`
			`- WGUI_DEFAULT_CLIENT_ALLOWED_IPS=::/0,0.0.0.0/0`
			`# route all but priate ipv4 networks (expect 192.168.44.0/24) through wireguard - not working`
			#- WGUI_DEFAULT_CLIENT_ALLOWED_IPS=::/0,0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/3,160.0.0.0/5,168.0.0.0/8,169.0.0.0/9,169.128.0.0/10,169.192.0.0/11,169.224.0.0/12,169.240.0.0/13,169.248.0.0/14,169.252.0.0/15,169.255.0.0/16,170.0.0.0/7,172.0.0.0/12,172.32.0.0/11,172.64.0.0/10,172.128.0.0/9,173.0.0.0/8,174.0.0.0/7,176.0.0.0/4,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.168.44.0/24,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3
„wireguard.yml“ hinzufügen 2023-06-07 15:49:03 +02:00			`volumes:`
			`- ./db:/app/db`
			`- /etc/wireguard:/etc/wireguard`
			`- /etc/timezone:/etc/timezone:ro`
			`- /etc/localtime:/etc/localtime:ro`
			`backup: yes`
			`notify: Restart wireguard`

			`- name: Start wireguard`
			`ansible.builtin.shell: docker-compose up -d`
			`args:`
			`chdir: /home/docker/wireguard.{{inventory_hostname}}`
			`creates: /home/docker/wireguard.{{inventory_hostname}}/db/server/global_settings.json`

			`- name: Wait until wireguard install is finished`
			`wait_for:`
„wireguard.yml“ ändern 2023-06-07 16:12:57 +02:00			`path: /etc/wireguard/wg0.conf`
„wireguard.yml“ hinzufügen 2023-06-07 15:49:03 +02:00
			`- name: /home/docker/traefik/providers/wireguard-ui.yml`
			`blockinfile:`
			`path: /home/docker/traefik/providers/wireguard-ui.yml`
			`create: yes`
			`mode: 0444`
			`owner: root`
			`group: docker`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK"`
			`block: \|`
			`http:`
			`routers:`
			`wireguard:`
			rule: "Host(`wireguard.ds9.dedyn.io`)"
			`service: wireguard`
			`entryPoints:`
			`- "https"`
			`tls:`
			`certresolver: letsencrypt`
			`middlewares: secHeaders@file`
			`services:`
			`wireguard:`
			`loadBalancer:`
			`servers:`
			`- url: "http://192.168.41.1:5000"`

„wireguard.yml“ ändern 2023-06-07 16:59:04 +02:00			`- name: Allow port 59666`
„wireguard.yml“ hinzufügen 2023-06-07 15:49:03 +02:00			`community.general.ufw:`
			`rule: allow`
			`port: '59666'`
			`proto: udp`

„wireguard.yml“ ändern 2023-06-07 16:12:57 +02:00			`- name: 'start wireguard'`
			`command: systemctl start wg-quick@wg0.service`
			`args:`
			`creates: /run/systemd/units/invocation:wg-quick@wg0.service`

„wireguard.yml“ hinzufügen 2023-06-07 15:49:03 +02:00			`handlers:`

			`- name: Restart ufw`
			`service:`
			`name: ufw`
			`state: restarted`

			`- name: run genpw.sh`
			`ansible.builtin.shell: ./genpw.sh`
			`args:`
			`chdir: /home/docker/wireguard.{{inventory_hostname}}`
			`notify: Restart wireguard`

			`- name: Restart wireguard`
			`ansible.builtin.shell: docker-compose up -d`
			`args:`
			`chdir: /home/docker/wireguard.{{inventory_hostname}}`