1---
2# ========================================
3# WIREGUARD VPN SERVICE DEPLOYMENT
4# ========================================
5# Deploys WireGuard VPN using wg-easy container
6# Provides web UI for client management
7
# Echo the effective deployment parameters so the operator can sanity-check
# ports, subnet and the advertised public host before anything is written to
# the target. Nothing printed here is secret.
- name: "Display WireGuard deployment information"
  tags:
    - wireguard
  ansible.builtin.debug:
    msg:
      - 'Deploying WireGuard VPN service'
      - 'Service: {{ connectivity_wireguard_service_name }}'
      - 'VPN Port: {{ connectivity_wireguard_port }}'
      - 'Web UI Port: {{ connectivity_wireguard_web_port }}'
      - 'VPN Subnet: {{ connectivity_wireguard_subnet }}'
      - 'External Host: {{ connectivity_wireguard_host }}'
18
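# Create the on-host directory tree that the rest of this file renders into.
# Both directories are created here because ansible.builtin.template does not
# create missing parent directories: the client-manager / backup / health-check
# scripts are templated into scripts/ further down, and that directory was
# previously never created, so those tasks fail on a fresh host.
# config/ is presumably the volume bind-mounted into the wg-easy container
# (confirm against wireguard-compose.yml.j2); 0750 keeps whatever it holds
# (peer private keys, client configs) unreadable to other local users.
- name: "Create WireGuard configuration and scripts directories"
  ansible.builtin.file:
    path: "{{ connectivity_docker_base_path }}/wireguard/{{ item }}"
    state: directory
    owner: "{{ connectivity_docker_owner }}"
    group: "{{ connectivity_docker_group }}"
    mode: "0750"
  loop:
    - config
    - scripts
  tags: [wireguard, config]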
27
# Render docker-compose.yml for the wg-easy service from the role template
# and restart the stack via handler when it changes.
# NOTE(review): 0644 is world-readable on the host. That is only acceptable
# while the compose file itself carries no secrets -- sensitive values are
# expected to be referenced from the separate, 0600 .env file rather than
# inlined here; confirm against wireguard-compose.yml.j2.
- name: "Create WireGuard Docker Compose file"
  tags:
    - wireguard
    - compose
  notify: restart wireguard
  ansible.builtin.template:
    src: 'wireguard-compose.yml.j2'
    dest: '{{ connectivity_docker_base_path }}/wireguard/docker-compose.yml'
    owner: '{{ connectivity_docker_owner }}'
    group: '{{ connectivity_docker_group }}'
    mode: '0644'
37
# Render the .env that docker compose picks up for variable substitution.
# This task is tagged `secrets` and the file is kept at 0600: presumably this
# is where the role places sensitive values such as the web UI password
# (confirm against wireguard.env.j2). Because of 0600 the file is readable by
# connectivity_docker_owner only, so that account must be the one that
# actually runs docker compose on this host.
- name: "Create WireGuard environment file"
  tags:
    - wireguard
    - config
    - secrets
  notify: restart wireguard
  ansible.builtin.template:
    src: 'wireguard.env.j2'
    dest: '{{ connectivity_docker_base_path }}/wireguard/.env'
    owner: '{{ connectivity_docker_owner }}'
    group: '{{ connectivity_docker_group }}'
    mode: '0600'  # secrets: owner read/write only
47
# Turn on kernel IPv4 forwarding persistently (written to sysctl config and
# applied live) so the host can route packets between the VPN subnet and its
# other interfaces.
# NOTE(review): if wg-easy runs in its own network namespace it also needs
# net.ipv4.ip_forward inside the container (compose `sysctls:`); this host
# setting alone does not cover that -- confirm against the compose template.
- name: "Enable IP forwarding for WireGuard"
  tags:
    - wireguard
    - sysctl
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    state: present
    reload: true
55
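# Mirror the IPv4 forwarding switch for IPv6, but only when the default
# AllowedIPs pushed to clients routes IPv6 (contains '::/0'); otherwise the
# host's IPv6 forwarding policy is left untouched.
# `| string` lets connectivity_wireguard_default_allowed_ips be either a plain
# string ("0.0.0.0/0, ::/0") or a YAML list -- the previous regex_search
# filter only accepted a string and errored on a list.
# NOTE(review): on hosts booted with ipv6.disable=1 the sysctl key does not
# exist and this task will error; gate it on IPv6 availability if that is a
# supported configuration.
- name: "Enable IPv6 forwarding for WireGuard (if IPv6 enabled)"
  ansible.posix.sysctl:
    name: net.ipv6.conf.all.forwarding
    value: '1'
    state: present
    reload: true
  when: "'::/0' in (connectivity_wireguard_default_allowed_ips | string)"
  tags: [wireguard, sysctl, ipv6]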
64
# Host-level source NAT: packets leaving through the named interface with a
# source address inside the VPN subnet are masqueraded behind that
# interface's address. The `save iptables` handler persists it.
# NOTE(review): for MASQUERADE to give VPN clients internet access,
# out_interface must be the egress (WAN) NIC, e.g. eth0. The variable is
# called *_device_name, which reads like the wg interface itself; with the
# wg interface here the rule never NATs client traffic toward the internet.
# Confirm the variable's value.
# NOTE(review): only the nat half is configured. ufw is in use below and its
# stock DEFAULT_FORWARD_POLICY is DROP, so forwarded VPN packets may still
# need FORWARD / route rules that are not visible in this file.
- name: "Configure iptables rules for WireGuard"
  tags:
    - wireguard
    - iptables
  notify: save iptables
  ansible.builtin.iptables:
    table: nat
    chain: POSTROUTING
    jump: MASQUERADE
    source: '{{ connectivity_wireguard_subnet }}'
    out_interface: '{{ connectivity_wireguard_device_name }}'
    comment: 'WireGuard VPN NAT'
75
# Open the WireGuard listener (UDP) to the world. This is the one port that
# must be publicly reachable; WireGuard itself does not respond to
# unauthenticated packets, so exposing it is by design.
- name: "Allow WireGuard traffic through firewall"
  tags:
    - wireguard
    - firewall
  ansible.builtin.ufw:
    rule: allow
    proto: udp
    port: '{{ connectivity_wireguard_port }}'
    comment: 'WireGuard VPN'
83
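# Open the wg-easy admin UI. This is a plain-HTTP admin interface (the status
# message below links it as http://) that can create and download client
# configurations, i.e. hand out VPN credentials, so it must not be reachable
# from the internet. Restrict the source with
# connectivity_wireguard_web_allowed_src (a CIDR, e.g. the VPN subnet or a
# management network). The default 'any' preserves the previous behaviour but
# should be overridden in production, and the UI should sit behind a
# TLS-terminating reverse proxy.
- name: "Allow WireGuard web interface through firewall"
  ansible.builtin.ufw:
    rule: allow
    port: "{{ connectivity_wireguard_web_port }}"
    proto: tcp
    from_ip: "{{ connectivity_wireguard_web_allowed_src | default('any') }}"
    comment: "WireGuard Web UI"
  tags: [wireguard, firewall]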
91
# Bring the wg-easy stack up (or reconcile it) from the rendered compose
# project, pulling the image first. Template changes are applied through the
# `restart wireguard` handler notified by the template tasks above.
# NOTE(review): community.docker.docker_compose is the compose-v1 module
# (docker-compose Python package) and was removed in community.docker 4.x;
# docker_compose_v2 is its replacement -- confirm the pinned collection
# version before relying on this task.
# NOTE(review): `pull: true` with no digest pin in the compose template means
# every run may silently move to a newer wg-easy image.
- name: "Start WireGuard service"
  tags:
    - wireguard
    - service
  community.docker.docker_compose:
    project_src: '{{ connectivity_docker_base_path }}/wireguard'
    state: present
    pull: true
98
# Block (5s grace, 60s limit) until the web UI's TCP port accepts connections
# on the host's default IPv4 address; requires gathered facts.
# Only the TCP UI port is probed -- a UDP listener cannot be detected this
# way, so a healthy UI does not by itself prove the tunnel port is up.
# NOTE(review): probing ansible_default_ipv4.address rather than 127.0.0.1
# implies the UI is published on the external address; that is exactly the
# exposure the ufw rule above opens.
- name: "Wait for WireGuard service to be ready"
  tags:
    - wireguard
    - health
  ansible.builtin.wait_for:
    host: '{{ ansible_default_ipv4.address }}'
    port: '{{ connectivity_wireguard_web_port }}'
    delay: 5
    timeout: 60
106
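# Inspect the wg-easy container and fail the play unless it exists and is in
# the `running` state. docker_container_info itself never fails for a missing
# or exited container; previously this task only recorded state, so the play
# reported success for a container that was never created or had crashed.
# The registered result is also used by the status message below.
- name: "Verify WireGuard container is running"
  community.docker.docker_container_info:
    name: "{{ connectivity_wireguard_container_name }}"
  register: connectivity_wireguard_container_status
  # `or` short-circuits, so .container is only dereferenced when it exists.
  failed_when: >-
    not connectivity_wireguard_container_status.exists
    or connectivity_wireguard_container_status.container.State.Status != 'running'
  tags: [wireguard, verify]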
112
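# Final summary for the operator. The admin password is deliberately NOT
# echoed any more: Ansible output lands in terminals, CI logs and log
# aggregators, which turned the 0600 .env into a secret readable everywhere
# the log goes. The .env rendered above is where this role keeps its secrets
# (confirm against wireguard.env.j2) -- point operators there instead.
# NOTE(review): the VPN endpoint shown is the host's default IPv4 as seen from
# the host; clients outside NAT need connectivity_wireguard_host (printed as
# "External Host" at the top of this file), presumably the intended public
# endpoint.
# NOTE(review): the Web UI is plain http:// -- only reach it from a trusted
# network or via a TLS reverse proxy.
# NOTE(review): `default('Unknown')` only covers an undefined final attribute;
# if the container does not exist, .container is null and the chain may raise
# before reaching the filter -- confirm on your Ansible version.
- name: "Display WireGuard service status"
  ansible.builtin.debug:
    msg:
      - "WireGuard VPN service deployed successfully"
      - "Container status: {{ connectivity_wireguard_container_status.container.State.Status | default('Unknown') }}"
      - "VPN Access: UDP {{ ansible_default_ipv4.address }}:{{ connectivity_wireguard_port }}"
      - "Web UI: http://{{ ansible_default_ipv4.address }}:{{ connectivity_wireguard_web_port }}"
      - "Web UI Password: not printed; retrieve it from the 0600 .env in {{ connectivity_docker_base_path }}/wireguard on the host"
      - ""
      - "Next steps:"
      - "1. Access Web UI to create VPN clients"
      - "2. Download client configurations"
      - "3. Configure client devices"
  tags: [wireguard, info]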
127
# Render the client-management helper script (wrapper around wg-easy client
# operations -- TODO confirm from wireguard-client-manager.sh.j2).
# NOTE(review): ansible.builtin.template does not create parent directories;
# scripts/ must already exist or this task fails.
# NOTE(review): 0755 and owned by connectivity_docker_owner. If anything
# (cron, systemd) runs this script as root, a compromise of that account
# becomes root; keep it root-owned in that case.
- name: "Create WireGuard client management script"
  tags:
    - wireguard
    - scripts
  ansible.builtin.template:
    src: 'wireguard-client-manager.sh.j2'
    dest: '{{ connectivity_docker_base_path }}/wireguard/scripts/client-manager.sh'
    owner: '{{ connectivity_docker_owner }}'
    group: '{{ connectivity_docker_group }}'
    mode: '0755'
136
# Render the backup helper script (what it backs up and where is defined in
# wireguard-backup.sh.j2 -- TODO confirm). Whatever it copies from config/
# contains private keys, so the backup destination needs the same 0750/0600
# discipline as the source.
# NOTE(review): ansible.builtin.template does not create parent directories;
# scripts/ must already exist or this task fails.
- name: "Create WireGuard backup script"
  tags:
    - wireguard
    - backup
  ansible.builtin.template:
    src: 'wireguard-backup.sh.j2'
    dest: '{{ connectivity_docker_base_path }}/wireguard/scripts/backup.sh'
    owner: '{{ connectivity_docker_owner }}'
    group: '{{ connectivity_docker_group }}'
    mode: '0755'
145
# Render the health-check helper script (checks are defined in
# wireguard-health-check.sh.j2 -- TODO confirm).
# NOTE(review): ansible.builtin.template does not create parent directories;
# scripts/ must already exist or this task fails.
# NOTE(review): 0755 and owned by connectivity_docker_owner -- if a privileged
# scheduler executes it, make it root-owned so the owner account cannot
# rewrite what root runs.
- name: "Create WireGuard health check script"
  tags:
    - wireguard
    - monitoring
  ansible.builtin.template:
    src: 'wireguard-health-check.sh.j2'
    dest: '{{ connectivity_docker_base_path }}/wireguard/scripts/health-check.sh'
    owner: '{{ connectivity_docker_owner }}'
    group: '{{ connectivity_docker_group }}'
    mode: '0755'
154
# Attach service-group labels to the running wg-easy container so other
# connectivity tooling can discover it by label.
# NOTE(review): Docker labels are immutable on an existing container.
# docker_container compares the labels it is given with the running container
# and, on a difference, recreates it -- `recreate: false` only disables
# *unconditional* recreation. Because no image, ports, volumes or caps are
# listed here, such a recreate would either fail (no image) or yield a
# container stripped of its compose configuration. The safe place for these
# labels is the service's `labels:` key in wireguard-compose.yml.j2, after
# which this task can be dropped. Confirm the observed behaviour on your
# community.docker version.
- name: "Label WireGuard container for connectivity service group"
  tags:
    - wireguard
    - labels
  community.docker.docker_container:
    name: '{{ connectivity_wireguard_container_name }}'
    state: started
    recreate: false
    labels:
      com.connectivity.service: 'wireguard'
      com.connectivity.type: 'vpn'
      com.connectivity.port: '{{ connectivity_wireguard_port }}'