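---
# Provisions a WireGuard VPN gateway on every host in the inventory:
#   * kernel module (auto-load + dynamic debug output) and ufw NAT/forwarding
#     rules so VPN clients can reach the Internet through this host,
#   * a wireguard-ui container (docker-compose) that owns /etc/wireguard/wg0.conf,
#   * a Traefik file-provider route to the UI, and the wg-quick@wg0 unit.
# NOTE(review): the play sets no `become`, yet every task writes under /etc or
# runs systemctl/docker — the connecting user must already be root or the
# inventory must supply privilege escalation; confirm.
- name: wireguard setup
  hosts: all
  tasks:

    # pwgen is what genpw.sh (below) uses to create the UI admin password and
    # session secret, so it is installed together with wireguard and ufw.
    - name: Packages for wireguard
      ansible.builtin.apt:
        name:
          - wireguard
          - ufw
          - pwgen
        update_cache: false
        install_recommends: false

    # dyndbg=+p switches on the module's dynamic-debug messages in the kernel
    # log. NOTE(review): that output is verbose and meant for troubleshooting;
    # confirm it is wanted on every host this play targets.
    - name: activate wireguard logging
      ansible.builtin.blockinfile:
        path: /etc/modprobe.d/wireguard.conf
        create: true
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard"
        insertbefore: BOF
        block: |
          options wireguard dyndbg=+p

    - name: load wireguard module during boot
      ansible.builtin.blockinfile:
        path: /etc/modules-load.d/wireguard.conf
        create: true
        mode: "0444"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard"
        insertbefore: BOF
        block: |
          wireguard

    # ufw feeds before.rules to iptables (IPv4) and before6.rules to ip6tables
    # (IPv6). The IPv6 MASQUERADE rule therefore belongs in before6.rules and
    # the IPv4 one in before.rules; the two paths were crossed, and an IPv6
    # source address in the iptables rule set makes iptables-restore fail, so
    # ufw does not come up at all after the restart handler runs.
    # NOTE(review): a192:b168:cd44::/64 is not inside the ULA range fc00::/7;
    # confirm this is the prefix actually handed out to wg0 clients.
    - name: ufw firewall rules for ipv6 routing to the Internet
      ansible.builtin.blockinfile:
        path: /etc/ufw/before6.rules
        create: true
        mode: "0440"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard"
        insertbefore: BOF
        block: |
          *nat
          :POSTROUTING ACCEPT - [0:0]
          # Route network a192:b168:cd44::/64 (wg0)
          -A POSTROUTING -s a192:b168:cd44::/64 -j MASQUERADE
          COMMIT
      notify:
        - Restart ufw

    - name: ufw firewall rules for ipv4 routing to the Internet
      ansible.builtin.blockinfile:
        path: /etc/ufw/before.rules
        create: true
        mode: "0440"
        owner: root
        group: root
        marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard"
        insertbefore: BOF
        block: |
          *nat
          :POSTROUTING ACCEPT - [0:0]
          # Route network 192.168.44.0/24 (wg0)
          -A POSTROUTING -s 192.168.44.0/24 -j MASQUERADE
          COMMIT
      notify:
        - Restart ufw

    # Lets forwarded traffic that arrives on wg0 leave through any interface;
    # together with the MASQUERADE rules above this is what turns the host
    # into an Internet gateway for VPN clients.
    # NOTE(review): ufw only forwards once IP forwarding is enabled in the
    # kernel, which this play does not set — presumably wg-quick/wireguard-ui
    # or another play takes care of it; verify.
    - name: Allow Routing
      community.general.ufw:
        rule: allow
        route: true
        interface_in: wg0

    # The systemd module is idempotent on its own, so the former `creates:`
    # check on the .wants symlink is no longer needed.
    - name: 'add wireguard to startup'
      ansible.builtin.systemd:
        name: wg-quick@wg0.service
        enabled: true

    # Working directory for the container: readable by the docker group,
    # writable only by root.
    - name: Create /home/docker/wireguard.{{inventory_hostname}} dir
      ansible.builtin.file:
        path: /home/docker/wireguard.{{inventory_hostname}}
        state: directory
        owner: root
        group: docker
        mode: "0550"

    # genpw.sh writes the wireguard-ui admin password and session secret to
    # ./env. The file is first created with placeholder values, locked down
    # to root:docker 0440, and only then are the real secrets substituted in
    # (GNU sed -i keeps the file's mode), so the secrets never sit in a file
    # created under the default umask. Once env exists the script is a no-op,
    # so re-running it does not rotate the secrets.
    # mode is quoted so Ansible receives the octal string, not a YAML 1.1 int.
    - name: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh (generate random admin PW)
      ansible.builtin.blockinfile:
        path: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh
        create: true
        mode: "0550"
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          cd /home/docker/wireguard.{{inventory_hostname}}

          adminpassword=$(pwgen -s 32 1)
          sessionsecret=$(pwgen -s 32 1)

          [ -f env ] || echo "WGUI_PASSWORD=!ADMINPASSWD!
          SESSION_SECRET=!SESSIONSECRET!" >env

          chmod 440 env
          chown root:docker env
          sed -i "s/\!ADMINPASSWD\!/$adminpassword/g" env
          sed -i "s/\!SESSIONSECRET\!/$sessionsecret/g" env
        backup: true
        # Syntax-check the whole script before it replaces the live file.
        validate: /bin/bash -n %s
      notify: run genpw.sh

    # blockinfile appends its block at EOF, so the shebang is added separately
    # at the top; lineinfile only inserts it when the line is not yet present.
    - name: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh shebang
      ansible.builtin.lineinfile:
        path: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh
        insertbefore: BOF
        line: "#!/bin/bash -e"

    # First-run only: `creates` skips the task once env exists.
    - name: Gen initial passwords if not exists
      ansible.builtin.command: ./genpw.sh
      args:
        chdir: /home/docker/wireguard.{{inventory_hostname}}
        creates: /home/docker/wireguard.{{inventory_hostname}}/env

    # Secrets come from the env file generated above (env_file), never from
    # this compose file, so the backup copies it leaves behind hold none.
    # NOTE(review): the image is pulled as :latest, so each `docker-compose up`
    # may fetch a different build; pinning a released tag or digest (e.g.
    # `image: ngoduykhanh/wireguard-ui:<pinned-tag>`) makes upgrades deliberate.
    # WGUI_SERVER_POST_UP_SCRIPT / WGUI_SERVER_POST_DOWN_SCRIPT are listed with
    # no value, so compose passes whatever the invoking shell has (normally
    # nothing) — presumably intentional; confirm.
    - name: /home/docker/wireguard.{{inventory_hostname}}/docker-compose.yml Container Configuration
      ansible.builtin.blockinfile:
        path: /home/docker/wireguard.{{inventory_hostname}}/docker-compose.yml
        create: true
        mode: "0440"
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          version: '3.6'
          services:
            wireguard.{{inventory_hostname}}:
              image: ngoduykhanh/wireguard-ui:latest
              restart: unless-stopped
              cap_add:
                - NET_ADMIN
              network_mode: host
              env_file: env
              environment:
                - BIND_ADDRESS=192.168.41.1:5000
                - WGUI_ENDPOINT_ADDRESS=wireguard-tor.{{inventory_hostname}}
                - WGUI_USERNAME=wgadmin
                - WGUI_MANAGE_START=true
                - WGUI_MANAGE_RESTART=true
                - WGUI_DNS=2a02:2970:1002::18,46.182.19.48
                - WGUI_MTU=1450
                - WGUI_CONFIG_FILE_PATH=/etc/wireguard/wg0.conf
                - WGUI_LOG_LEVEL=INFO
                - WGUI_SERVER_INTERFACE_ADDRESSES=a192:b168:cd44::1/64,192.168.44.1/24
                - WGUI_SERVER_LISTEN_PORT=59666
                - WGUI_SERVER_POST_UP_SCRIPT
                - WGUI_SERVER_POST_DOWN_SCRIPT
                - WGUI_DEFAULT_CLIENT_USE_SERVER_DNS=true
                - WGUI_DEFAULT_CLIENT_ENABLE_AFTER_CREATION=true
              volumes:
                - ./db:/app/db
                - /etc/wireguard:/etc/wireguard
                - /etc/timezone:/etc/timezone:ro
                - /etc/localtime:/etc/localtime:ro
        backup: true
      notify: Restart wireguard

    # First start only; later changes go through the "Restart wireguard"
    # handler. The UI's settings file marks a completed initial start-up.
    - name: Start wireguard
      ansible.builtin.command: docker-compose up -d
      args:
        chdir: /home/docker/wireguard.{{inventory_hostname}}
        creates: /home/docker/wireguard.{{inventory_hostname}}/db/server/global_settings.json

    # wireguard-ui writes wg0.conf (WGUI_CONFIG_FILE_PATH above); wg-quick
    # cannot be started before it exists. Uses wait_for's default timeout.
    - name: Wait until wireguard install is finished
      ansible.builtin.wait_for:
        path: /etc/wireguard/wg0.conf

    # Traefik terminates TLS and forwards to the UI, which itself speaks plain
    # HTTP on 192.168.41.1:5000 (BIND_ADDRESS above). Only secHeaders@file is
    # attached; authentication is the UI's own login (WGUI_USERNAME/PASSWORD).
    - name: /home/docker/traefik/providers/wireguard-ui.yml
      ansible.builtin.blockinfile:
        path: /home/docker/traefik/providers/wireguard-ui.yml
        create: true
        mode: "0444"
        owner: root
        group: docker
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        block: |
          http:
            routers:
              wireguard:
                rule: "Host(`wireguard.ds9.dedyn.io`)"
                service: wireguard
                entryPoints:
                  - "https"
                tls:
                  certresolver: letsencrypt
                middlewares: secHeaders@file
            services:
              wireguard:
                loadBalancer:
                  servers:
                    - url: "http://192.168.41.1:5000"

    # Matches WGUI_SERVER_LISTEN_PORT in the compose file above.
    - name: Allow port 59666
      community.general.ufw:
        rule: allow
        port: "59666"
        proto: udp

    # Runs after wg0.conf exists (see the wait_for task). The systemd module
    # reports the unit's real state, so no `creates:` probe under /run is
    # needed (that path is cleared on every boot anyway).
    - name: 'start wireguard'
      ansible.builtin.systemd:
        name: wg-quick@wg0.service
        state: started

  handlers:

    - name: Restart ufw
      ansible.builtin.service:
        name: ufw
        state: restarted

    # Re-runs the generator after genpw.sh changed; harmless when env already
    # exists (see the guard in the script), then asks for a container restart.
    - name: run genpw.sh
      ansible.builtin.command: ./genpw.sh
      args:
        chdir: /home/docker/wireguard.{{inventory_hostname}}
      notify: Restart wireguard

    # `docker-compose up -d` recreates the container when its configuration
    # (compose file or env_file contents) changed, which is the case for both
    # notifiers; presumably that is all "restart" needs to mean here.
    - name: Restart wireguard
      ansible.builtin.command: docker-compose up -d
      args:
        chdir: /home/docker/wireguard.{{inventory_hostname}}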