infra-ansible

ansible script to ship alpine/ssh/wireguard
git clone https://9o.is/git/infra-ansible.git
wireguard_client.yml

(3165B)
      1 ---
      2 - name: set up local wireguard client
      3   become: true
      4   delegate_to: localhost
      5   block:
      6     - name: create wireguard directory
      7       file:
      8         path: /rw/config/wireguard
      9         owner: root
     10         group: root
     11         mode: '0700'
     12         state: directory
     13     
     14     - name: link /etc/wireguard
     15       file: 
     16         src: /rw/config/wireguard
     17         dest: /etc/wireguard
     18         owner: root
     19         group: root
     20         force: true
     21         state: link
     22     
     23     - name: edit client interface
     24       ini_file:
     25         path: '/etc/wireguard/{{ wg_client_iface }}.conf'
     26         owner: root
     27         group: root
     28         mode: '0600'
     29         section: Interface
     30         option: '{{ item.option }}'
     31         value: '{{ item.value }}'
     32       with_items:
     33         - option: PrivateKey
     34           value: '{{ wg_client_private_key }}'
     35         - option: Address
     36           value: '{{ wg_client_ip }}/32'
     37       notify: restart client wireguard
     38     
     39     - name: add server peer to client config
     40       delegate_facts: true
     41       ini_file:
     42         path: '/etc/wireguard/{{ wg_client_iface }}.conf'
     43         owner: root
     44         group: root
     45         mode: '0600'
     46         section: Peer
     47         option: '{{ item.option }}'
     48         value: '{{ item.value }}'
     49       with_items:
     50         - option: PublicKey
     51           value: '{{ wg_server_public_key }}'
     52         - option: AllowedIPs
     53           value: '{{ wg_server_ip }}/32'
     54         - option: Endpoint
     55           value: '{{ ansible_default_ipv4.address }}:{{ wireguard_port }} # {{ ansible_nodename }}'
     56         - option: PersistentKeepalive
     57           value: 25
     58       notify: restart client wireguard
     59     
     60     - name: autostart wireguard
     61       copy:
     62         dest: /rw/config/rc.local.d/00-wireguard.rc
     63         owner: root
     64         group: root
     65         mode: '0755'
     66         content: |
     67           #!/bin/sh
     68           rm -rf /etc/wireguard
     69           ln -s /rw/config/wireguard /etc/wireguard
     70     
     71     - name: autostart wireguard {{ wg_client_iface }}
     72       copy:
     73         dest: '/rw/config/rc.local.d/70-wireguard-{{ wg_client_iface }}.rc'
     74         owner: root
     75         group: root
     76         mode: '0755'
     77         content: |
     78           #!/bin/sh
     79           systemctl start wg-quick@{{ wg_client_iface }}
     80     
     81     - name: resolve {{ ansible_nodename }} to {{ wg_server_ip }}
     82       delegate_facts: true
     83       lineinfile:
     84         path: /etc/hosts
     85         search_string: '{{ wg_server_ip }}'
     86         line: '{{ wg_server_ip }} {{ ansible_nodename }}'
     87         insertbefore: '### START default local hosts'
     88     
     89     - name: persist /etc/hosts for qubes
     90       delegate_facts: true
     91       lineinfile:
     92         path: /rw/config/hosts
     93         search_string: '{{ wg_server_ip }}'
     94         line: '{{ wg_server_ip }} {{ ansible_nodename }}'
     95         insertbefore: '### START default local hosts'
     96