diff --git a/wireguard.yml b/wireguard.yml
new file mode 100644
index 0000000..a323d8c
--- /dev/null
+++ b/wireguard.yml
@@ -0,0 +1,215 @@ +--- +- name: wireguard setup + hosts: all + tasks: + + - name: Packages for wireguard + apt: + name: + - wireguard + - ufw + update_cache: no + install_recommends: no + + - name: activate wireguard logging + blockinfile: + path: /etc/modprobe.d/wireguard.conf + create: yes + mode: "0444" + owner: root + group: root + marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard" + insertbefore: BOF + block: | + options wireguard dyndbg=+p + + - name: load wireguard module during boot + blockinfile: + path: /etc/modules-load.d/wireguard.conf + create: yes + mode: "0444" + owner: root + group: root + marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard" + insertbefore: BOF + block: | + wireguard + + - name: ufw firewall rules for routing to the Internet + blockinfile: + path: /etc/ufw/before.rules + create: yes + mode: "0440" + owner: root + group: root + marker: "# {mark} ANSIBLE MANAGED BLOCK for wireguard" + insertbefore: BOF + block: | + *nat + :POSTROUTING ACCEPT - [0:0] + # Route network 192.168.44.0/24 (wg0) + -A POSTROUTING -s 192.168.44.0/24 -j MASQUERADE + COMMIT + notify: + - Restart ufw + + - name: Allow Routing + community.general.ufw: + rule: allow + route: yes + interface_in: wg0 + + - name: 'add wireguard to startup' + command: systemctl enable wg-quick@wg0.service + args: + creates: /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service + + - name: 'start wireguard' + command: systemctl start wg-quick@wg0.service + args: + creates: /run/systemd/units/invocation:wg-quick@wg0.service + + - name: Create /home/docker/wireguard.{{inventory_hostname}} dir + ansible.builtin.file: + path: /home/docker/wireguard.{{inventory_hostname}} + owner: root + group: docker + state: directory + mode: '0550' + + - name: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh (generate random admin PW) + blockinfile: + path: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh + create: yes + mode: 0550 + owner: root + group: docker + marker: "# 
{mark} ANSIBLE MANAGED BLOCK" + block: | + cd /home/docker/wireguard.{{inventory_hostname}} + + adminpassword=$(pwgen -s 32 1) + sessionsecret=$(pwgen -s 32 1) + + [ -f env ] || echo "WGUI_PASSWORD=!ADMINPASSWD! + SESSION_SECRET=!SESSIONSECRET!" >env + + chmod 440 env + chown root:docker env + sed -i "s/\!ADMINPASSWD\!/$adminpassword/g" env + sed -i "s/\!SESSIONSECRET\!/$sessionsecret/g" env + backup: yes + validate: /bin/bash -n %s + notify: run genpw.sh + + - name: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh shebang + lineinfile: + path: /home/docker/wireguard.{{inventory_hostname}}/genpw.sh + insertbefore: BOF + line: "#!/bin/bash -e" + + - name: Gen initial passwords if not exists + ansible.builtin.shell: ./genpw.sh + args: + chdir: /home/docker/wireguard.{{inventory_hostname}} + creates: /home/docker/wireguard.{{inventory_hostname}}/env + + - name: /home/docker/wireguard.{{inventory_hostname}}/docker-compose.yml Container Configuration + blockinfile: + path: /home/docker/wireguard.{{inventory_hostname}}/docker-compose.yml + create: yes + mode: 0440 + owner: root + group: docker + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + version: '3.6' + services: + wireguard.{{inventory_hostname}}: + image: ngoduykhanh/wireguard-ui:latest + restart: unless-stopped + cap_add: + - NET_ADMIN + network_mode: host + env_file: env + environment: + - BIND_ADDRESS=192.168.41.1:5000 + - WGUI_USERNAME=wgadmin + - WGUI_MANAGE_START=false + - WGUI_MANAGE_RESTART=false + - WGUI_DNS=46.182.19.48 + - WGUI_MTU=1450 + - WGUI_CONFIG_FILE_PATH=/etc/wireguard/wg0.conf + - WGUI_LOG_LEVEL=INFO + - WGUI_SERVER_INTERFACE_ADDRESSES=192.168.44.1/24 + - WGUI_SERVER_LISTEN_PORT=59666 + - WGUI_SERVER_POST_UP_SCRIPT + - WGUI_SERVER_POST_DOWN_SCRIPT + - WGUI_DEFAULT_CLIENT_USE_SERVER_DNS=true + - WGUI_DEFAULT_CLIENT_ENABLE_AFTER_CREATION=true + volumes: + - ./db:/app/db + - /etc/wireguard:/etc/wireguard + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + backup: 
yes + notify: Restart wireguard + + - name: Start wireguard + ansible.builtin.shell: docker-compose up -d + args: + chdir: /home/docker/wireguard.{{inventory_hostname}} + creates: /home/docker/wireguard.{{inventory_hostname}}/db/server/global_settings.json + + - name: Wait until wireguard install is finished + wait_for: + path: /home/docker/wireguard.{{inventory_hostname}}/db/server/global_settings.json + + - name: /home/docker/traefik/providers/wireguard-ui.yml + blockinfile: + path: /home/docker/traefik/providers/wireguard-ui.yml + create: yes + mode: 0444 + owner: root + group: docker + marker: "# {mark} ANSIBLE MANAGED BLOCK" + block: | + http: + routers: + wireguard: + rule: "Host(`wireguard.ds9.dedyn.io`)" + service: wireguard + entryPoints: + - "https" + tls: + certresolver: letsencrypt + middlewares: secHeaders@file + services: + wireguard: + loadBalancer: + servers: + - url: "http://192.168.41.1:5000" + + - name: Allow ssh on port 59666 + community.general.ufw: + rule: allow + port: '59666' + proto: udp + + handlers: + + - name: Restart ufw + service: + name: ufw + state: restarted + + - name: run genpw.sh + ansible.builtin.shell: ./genpw.sh + args: + chdir: /home/docker/wireguard.{{inventory_hostname}} + notify: Restart wireguard + + - name: Restart wireguard + ansible.builtin.shell: docker-compose up -d + args: + chdir: /home/docker/wireguard.{{inventory_hostname}}
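Review bot: The compose service in the docker-compose.yml block pulls `image: ngoduykhanh/wireguard-ui:latest` while granting it `cap_add: NET_ADMIN`, `network_mode: host` and a read-write mount of `/etc/wireguard`, so any upstream push to that tag is deployed unreviewed with control over the host's network stack and VPN config; pin the image to a specific version tag plus its `@sha256:` digest and bump it deliberately. genpw.sh calls `pwgen -s 32 1` twice, but the apt task only installs `wireguard` and `ufw`, so on a host without pwgen the `#!/bin/bash -e` script aborts and the env file is never created — add `- pwgen` to that package list. The task named "Allow ssh on port 59666" actually opens the WireGuard UDP listen port (`WGUI_SERVER_LISTEN_PORT=59666`), so rename it, e.g. `- name: Allow WireGuard (UDP 59666) inbound`, to keep the firewall intent readable. The "Allow Routing" rule with only `interface_in: wg0` forwards VPN client traffic to every destination, not just the Internet the comment in before.rules describes; if clients should not reach the host's LAN or 192.168.41.0/24, constrain it with `interface_out`/`to_ip`. Note also that `wg-quick@wg0` is enabled and started before wireguard-ui (with `WGUI_MANAGE_START=false`) has written `/etc/wireguard/wg0.conf`, so the 'start wireguard' task appears likely to fail on a fresh host unless the config already exists — consider moving those two tasks after the "Wait until wireguard install is finished" step.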