├── .ansible-lint ├── .cache └── roles │ └── mawalu.wireguard_private_networking ├── .github └── workflows │ └── molecule.yml ├── .yamllint ├── LICENSE ├── README.md ├── defaults └── main.yml ├── handlers └── main.yml ├── meta └── main.yml ├── molecule └── default │ ├── converge.yml │ ├── molecule.yml │ ├── testvars.yml │ └── verify.yml ├── requirements.yml ├── tasks └── main.yml └── templates ├── backports.list ├── client.conf.j2 ├── interface.conf.j2 └── limit-unstable /.ansible-lint: -------------------------------------------------------------------------------- 1 | warn_list: 2 | - git-latest 3 | -------------------------------------------------------------------------------- /.cache/roles/mawalu.wireguard_private_networking: -------------------------------------------------------------------------------- 1 | ../.. -------------------------------------------------------------------------------- /.github/workflows/molecule.yml: -------------------------------------------------------------------------------- 1 | on: [push, pull_request] 2 | 3 | jobs: 4 | molecule: 5 | runs-on: ubuntu-latest 6 | steps: 7 | - name: Check out the codebase. 8 | uses: actions/checkout@v2 9 | 10 | - name: Set up Python 3. 11 | uses: actions/setup-python@v2 12 | with: 13 | python-version: '3.x' 14 | 15 | - name: Install test dependencies. 16 | run: pip3 install ansible molecule[docker] docker 17 | 18 | - name: Run Molecule tests. 
19 | run: molecule test 20 | env: 21 | PY_COLORS: '1' 22 | ANSIBLE_FORCE_COLOR: '1' 23 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | # Based on ansible-lint config 3 | extends: default 4 | 5 | rules: 6 | braces: 7 | max-spaces-inside: 1 8 | level: error 9 | brackets: 10 | max-spaces-inside: 1 11 | level: error 12 | colons: 13 | max-spaces-after: -1 14 | level: error 15 | commas: 16 | max-spaces-after: -1 17 | level: error 18 | comments: disable 19 | comments-indentation: disable 20 | document-start: disable 21 | empty-lines: 22 | max: 3 23 | level: error 24 | hyphens: 25 | level: error 26 | indentation: disable 27 | key-duplicates: enable 28 | line-length: disable 29 | new-line-at-end-of-file: disable 30 | new-lines: 31 | type: unix 32 | trailing-spaces: disable 33 | truthy: disable 34 | 35 | ignore: | 36 | .env 37 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Martin Wagner 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Private server to server network with ansible and wireguard 2 | 3 | [![Ansible Role](https://img.shields.io/ansible/role/d/33136)](https://galaxy.ansible.com/mawalu/wireguard_private_networking) 4 | 5 | This role allows you to deploy a fast, secure and provider-agnostic private network between multiple servers. This is useful for providers that do not provide you with a private network, or if you want to connect servers that are spread over multiple regions and providers. 6 | 7 | ## How 8 | 9 | The role installs [wireguard](https://wireguard.com) on Debian or Ubuntu, creates a mesh between all servers by adding them all as peers and configures the wg-quick systemd service. 10 | 11 | ## Installation 12 | 13 | Installation can be done using [ansible galaxy](https://galaxy.ansible.com/mawalu/wireguard_private_networking): 14 | 15 | ``` 16 | $ ansible-galaxy install mawalu.wireguard_private_networking 17 | ``` 18 | 19 | ## Setup 20 | 21 | Install this role, assign a `vpn_ip` variable to every host that should be part of the network and run the role. Please make sure to allow the VPN port (default is 5888) in your firewall. Here is a small example configuration: 22 | 23 | Optionally, you can set a `public_addr` on each host. 
This address will be used to connect to the wireguard peer instead of the address in the inventory. Useful if you are configuring over a different network than wireguard is using. e.g. ansible connects over a LAN to your peer. 24 | 25 | ```yaml 26 | # inventory host file 27 | 28 | wireguard: 29 | hosts: 30 | 1.1.1.1: 31 | vpn_ip: 10.1.0.1/32 32 | public_addr: "example.com" # optional 33 | 2.2.2.2: 34 | vpn_ip: 10.1.0.2/32 35 | 36 | ``` 37 | 38 | ```yaml 39 | # playbook 40 | 41 | - name: Configure wireguard mesh 42 | hosts: wireguard 43 | remote_user: root 44 | roles: 45 | - mawalu.wireguard_private_networking 46 | ``` 47 | 48 | ```yaml 49 | # playbook (with client config) 50 | - name: Configure wireguard mesh 51 | hosts: wireguard 52 | remote_user: root 53 | vars: 54 | client_vpn_ip: 10.1.0.100 55 | client_wireguard_path: "~/my-client-config.conf" 56 | roles: 57 | - mawalu.wireguard_private_networking 58 | ``` 59 | 60 | ## Additional configuration 61 | 62 | There are a small number of role variables that can be overwritten. 63 | 64 | ```yaml 65 | wireguard_port: "5888" # the port to use for server to server connections 66 | wireguard_path: "/etc/wireguard" # location of all wireguard configurations 67 | 68 | wireguard_network_name: "private" # the name to use for the config file and wg-quick 69 | 70 | wireguard_mtu: 1500 # Optionally a MTU to set in the wg-quick file. Not set by default. Can also be set per host 71 | 72 | debian_enable_backports: true # if the debian backports repos should be added on debian machines 73 | 74 | # Raspberry Pi Zero support 75 | # Needs kernel headers and manual compilation of wireguard, opt in via flag, install `community.general` collection 76 | # Caution: Might trigger a reboot. 
77 | allow_build_from_source: true 78 | 79 | wireguard_sources_path: "/var/cache" # Location to clone the WireGuard sources if manual build is required 80 | 81 | client_vpn_ip: "" # if set an additional wireguard config file will be generated at the specified path on localhost 82 | client_wireguard_path: "~/wg.conf" # path on localhost to write client config, if client_vpn_ip is set 83 | 84 | # a list of additional peers that will be added to each server 85 | wireguard_additional_peers: 86 | - comment: martin 87 | ip: 10.2.3.4 88 | key: your_wireguard_public_key 89 | - comment: other_network 90 | ip: 10.32.0.0/16 91 | key: their_wireguard_public_key 92 | keepalive: 20 93 | endpoint: some.endpoint:2230 94 | 95 | wireguard_post_up: "iptables ..." # PostUp hook command 96 | wireguard_post_down: "iptables" # PostDown hook command 97 | ``` 98 | 99 | ## Testing 100 | 101 | This role has a small test setup that is created using [molecule](https://github.com/ansible-community/molecule). To run the tests follow the molecule [install guide](https://molecule.readthedocs.io/en/latest/installation.html), ensure that a docker daemon runs on your machine and execute `molecule test`. 102 | 103 | ## Contributing 104 | 105 | Feel free to open issues or MRs if you find problems or have ideas for improvements. I'm especially open for MRs that add support for additional operating systems and more tests. 
--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Role defaults. Every value can be overridden per host or per play; the
# templates read them directly, so inventory is the effective source of truth.
wireguard_port: "5888"
wireguard_path: "/etc/wireguard"

# Checkout location for the armv6l source build in tasks/main.yml.
wireguard_sources_path: "/var/cache"

# Interface name: config is <wireguard_path>/<name>.conf, service wg-quick@<name>.
wireguard_network_name: "private"

debian_enable_backports: true
# NOTE(review): no task in tasks/main.yml reads debian_pin_packages, and
# templates/limit-unstable is never deployed — the pin appears unimplemented; confirm.
debian_pin_packages: true

# Empty string disables the client config; the tasks test `client_vpn_ip | length > 0`.
client_vpn_ip: ""
client_wireguard_path: "~/wg.conf"
client_wireguard_dns: false

# `false` disables the extra [Peer] sections; both templates test truthiness.
wireguard_additional_peers: false
# PostUp/PostDown are inserted verbatim into interface.conf.j2 and run by
# wg-quick as root — keep these under playbook control, not untrusted inventory.
wireguard_post_up: false
wireguard_post_down: false
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Notified by "Generate configs" and "Generate client's config" in tasks/main.yml.
- name: Enable wg-quick service
  service:
    name: "wg-quick@{{ wireguard_network_name }}"
    enabled: yes

- name: Restart wg-quick service
  service:
    name: "wg-quick@{{ wireguard_network_name }}"
    state: restarted
  # `config` is the register of the "Generate configs" task.
  when: config.changed
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
# Galaxy metadata. The platform list mirrors the distribution branches in
# tasks/main.yml (apt, pacman, dnf/yum, zypper).
galaxy_info:
  role_name: wireguard_private_networking
  author: mawalu
  company: codelayer.de
  description: Build your own multi server private network using wireguard and ansible
  issue_tracker_url: https://github.com/mawalu/wireguard-private-networking/issues
  license: MIT
  # NOTE(review): tasks/main.yml uses the FQCN community.general.make and the
  # `is true` test — confirm 2.7 is still an accurate minimum.
  min_ansible_version: 2.7
  platforms:
    - name: Ubuntu
      versions:
        - all
    - name: Debian
      versions:
        - all
    - name: Archlinux
      versions:
        - all
    - name: EL
      versions:
        - 7
        - 8
    - name: OpenSuse
      versions:
        - 15.1
        - 15.2
  galaxy_tags:
    - wireguard
    - vpn
    - networking

dependencies: []
--------------------------------------------------------------------------------
/molecule/default/converge.yml:
--------------------------------------------------------------------------------
---
# Molecule converge play: applies the role to the single test instance.
- name: Converge
  hosts: all
  tasks:
    - name: "Call setup"
      setup:
    - name: "Print wanted variables"
      debug:
        msg: 'ansible_kernel "{{ ansible_kernel }}"'
    - name: "Include wireguard-private-networking"
      include_role:
        # NOTE(review): .cache/roles links the role as
        # mawalu.wireguard_private_networking; this name differs (hyphens, no
        # namespace) — confirm it resolves in the molecule run.
        name: "wireguard-private-networking"
      # NOTE(review): vars given as a list of one-key mappings rather than a
      # mapping — confirm the targeted ansible version accepts this form.
      vars:
        - ansible_python_interpreter: /usr/bin/python3
        - vpn_ip: "10.10.10.1/32"
  vars_files:
    - testvars.yml
--------------------------------------------------------------------------------
/molecule/default/molecule.yml:
--------------------------------------------------------------------------------
---
dependency:
  name: galaxy
driver:
  name: docker
lint: |
  set -e
  yamllint .
  ansible-lint .
platforms:
  - name: instance
    # Unpinned `:latest` tag — the test base image can change under the suite.
    image: geerlingguy/docker-ubuntu2004-ansible:latest
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup
      - /lib/modules:/lib/modules
    command: /lib/systemd/systemd
    pre_build_image: true
    # Privileged container plus the host's /lib/modules: the instance shares the
    # host kernel (presumably for the wireguard module) — run on a disposable CI host.
    privileged: true
provisioner:
  name: ansible
--------------------------------------------------------------------------------
/molecule/default/testvars.yml:
--------------------------------------------------------------------------------
---
# Variable set for the molecule converge play; mirrors the README example.
wireguard_port: "5888" # the port to use for server to server connections
wireguard_path: "/etc/wireguard" # location of all wireguard configurations

wireguard_network_name: "private" # the name to use for the config file and wg-quick

wireguard_mtu: 1500 # Optionally a MTU to set in the wg-quick file. Not set by default. Can also be set per host

debian_enable_backports: true # if the debian backports repos should be added on debian machines
debian_pin_packages: true # if the pin configuration to limit the use of unstable repos should be created on debian machines

client_vpn_ip: "" # if set an additional wireguard config file will be generated at the specified path on localhost
client_wireguard_path: "~/wg.conf" # path on localhost to write client config, if client_vpn_ip is set

# a list of additional peers that will be added to each server
# (test data: the same public key string is reused for both peers)
wireguard_additional_peers:
  - comment: martin
    ip: 10.2.3.4
    key: e+2fJq6/XmsxezxzNdXau9NMxevNRNLKbGW3nBq0exM=
  - comment: other_network
    ip: 10.32.0.0/16
    key: e+2fJq6/XmsxezxzNdXau9NMxevNRNLKbGW3nBq0exM=
    keepalive: 20
    endpoint: example.com:2230

wireguard_post_up: "echo iptables" # PostUp hook command
wireguard_post_down: "echo iptables" # PostDown hook command
--------------------------------------------------------------------------------
/molecule/default/verify.yml:
--------------------------------------------------------------------------------
---
# This is an example playbook to execute Ansible tests.

- name: Verify
  hosts: all
  tasks:
    # NOTE(review): `that: true` always passes, so the molecule run does not
    # check the rendered config or the wg-quick service state.
    - name: Example assertion
      assert:
        that: true
--------------------------------------------------------------------------------
/requirements.yml:
--------------------------------------------------------------------------------
---
# Collections installed by molecule's galaxy dependency step;
# community.general provides the `make` module used in tasks/main.yml.
collections:
  - name: community.docker
  - name: community.general
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Installs WireGuard per distribution, generates a key pair on each host,
# and renders the wg-quick interface config (plus an optional client config on
# the controller). Peers are discovered through hostvars of the play, so every
# host needs `vpn_ip` set.

- name: Install linux headers (Ubuntu)
  apt:
    update_cache: yes
    state: present
    name: linux-headers-generic
  when:
    - ansible_distribution == "Ubuntu"
    - ansible_distribution_major_version|int < 20

- name: Add backports repository (Debian)
  block:
    - name: Add backports repository list (Debian)
      copy:
        # Plain copy, not a template: the list file hard-codes buster-backports
        # while the key URL below follows ansible_lsb.release.
        src: templates/backports.list
        dest: /etc/apt/sources.list.d/backport.list
        mode: 0644

    - name: Add backports repository key (Debian)
      apt_key:
        # No `id:` fingerprint is pinned, so TLS to debian.org is the only
        # integrity check on the signing key being trusted.
        url: https://ftp-master.debian.org/keys/archive-key-{{ ansible_lsb.release }}.asc
        state: present
  when:
    # NOTE(review): "armv61" (digit one) can never match — every other
    # condition in this file spells the architecture "armv6l" (letter l), so
    # this block is not actually skipped on armv6l Raspbian hosts.
    - ansible_distribution == "Debian" and debian_enable_backports and ansible_architecture != "armv61"

- name: Check that is proxmox
  stat:
    path: /etc/pve
  register: is_proxmox
  when: ansible_distribution == "Debian"

- name: Install linux headers when debian proxmox
  apt:
    update_cache: yes
    state: present
    name: pve-headers
  # `is_proxmox` is only registered on Debian; the leading distribution test
  # keeps `.stat` from being looked up on a skipped result elsewhere.
  when: ansible_distribution == "Debian" and is_proxmox.stat.exists

- name: Install Raspberry Pi Kernel Headers
  apt:
    update_cache: yes
    state: present
    name: raspberrypi-kernel-headers
  # Drives the first reboot inside the source-build block below.
  register: raspberrypi_kernel_headers_result
  when: ansible_distribution == "Debian" and ansible_lsb.id == "Raspbian"

- name: Install WireGuard (Raspberry Pi 2, Raspberry Pi Zero W)
  # Source build for armv6l Raspbian. Everything here runs as root and may
  # reboot the host twice; it is gated by the explicit allow_build_from_source opt-in.
  block:
    - name: Check if manual builds and reboots are required
      assert:
        that:
          - allow_build_from_source is true
        fail_msg: "The installation on this platform requires a manual build and possibly a reboot. Please allow these actions by setting the flag 'allow_build_from_source'"

    - name: Install compile dependencies
      apt:
        update_cache: yes
        state: present
        name:
          - bc
          - bison
          - checkinstall
          - build-essential
          - flex
          - git
          - libelf-dev
          - libmnl-dev
          - libncurses5-dev
          - libssl-dev

    - name: Initial download of rpi-source
      get_url:
        # Supply-chain note: fetches whatever is on the third-party master
        # branch and installs it root-executable with no `checksum:`. Pin a
        # revision and add a checksum so an upstream change cannot silently
        # alter what "Run rpi-source" executes as root.
        url: 'https://raw.githubusercontent.com/RPi-Distro/rpi-source/master/rpi-source'
        dest: '/usr/local/bin/rpi-source'
        mode: u=rwx,g=rx,o=rx

    - name: Reboot Raspberry Pi and wait for it to come back up
      reboot:
      when: raspberrypi_kernel_headers_result.changed

    - name: Run rpi-source
      command: /usr/local/bin/rpi-source
      register: rpi_source_result
      # NOTE(review): every successful run reports changed, which triggers the
      # reboot below on each play — presumably meant for first install only; confirm.
      changed_when: "rpi_source_result.rc == 0"
      # With failed_when set, the exit code alone does not fail the task.
      failed_when: "'FAILED' in rpi_source_result.stderr"

    - name: Reboot Raspberry Pi and wait for it to come back up
      reboot:
      when: rpi_source_result.changed

    - name: Clone WireGuard source
      git:
        # No `version:` is given, so this tracks the remote default branch and
        # `update: true` moves it forward on every run — pin a release tag for
        # a reproducible build.
        repo: 'https://git.zx2c4.com/wireguard-linux-compat/'
        update: true
        dest: "{{ wireguard_sources_path }}/wireguard-linux-compat"

    - name: Build WireGuard
      community.general.make:
        chdir: "{{ wireguard_sources_path }}/wireguard-linux-compat/src"
      register: wireguard_build_result

    - name: Install WireGuard
      command:
        chdir: "{{ wireguard_sources_path }}/wireguard-linux-compat/src"
        cmd: checkinstall -y --pkgname wireguard
      when: wireguard_build_result.changed

    - name: Clone WireGuard tools source
      git:
        # Same unpinned-branch note as "Clone WireGuard source".
        repo: 'https://git.zx2c4.com/wireguard-tools'
        update: true
        dest: "{{ wireguard_sources_path }}/wireguard-tools"

    - name: Build WireGuard tools
      community.general.make:
        chdir: "{{ wireguard_sources_path }}/wireguard-tools/src"
      register: wireguard_tools_build_result

    - name: Install WireGuard tools
      command:
        chdir: "{{ wireguard_sources_path }}/wireguard-tools/src"
        cmd: checkinstall -y --pkgname wireguard-tools
      when: wireguard_tools_build_result.changed

  when: ansible_distribution == "Debian" and ansible_lsb.id == "Raspbian" and ansible_architecture == "armv6l"

- name: Install wireguard (apt)
  apt:
    update_cache: yes
    state: present
    name: wireguard
  when:
    # `and` binds tighter than `or`: Ubuntu always qualifies, Debian only when
    # the architecture is not armv6l (those hosts take the source-build block).
    - ansible_distribution == "Ubuntu" or ansible_distribution == "Debian" and ansible_architecture != "armv6l"

- name: Install wireguard (pacman)
  pacman:
    name:
      - wireguard-dkms
      - wireguard-tools
    state: present
  when:
    - ansible_distribution == "Archlinux"

- name: Install wireguard (CentOS 8)
  block:
    - name: Install epel repo (CentOS 8)
      dnf:
        name:
          - elrepo-release
          - epel-release
        state: present

    - name: Install mod and tools (CentOS 8)
      dnf:
        name:
          - kmod-wireguard
          - wireguard-tools
        state: present

    - name: Create path (CentOS 8)
      file:
        path: "{{ wireguard_path }}"
        state: directory
        # 0700 here, but "Ensure wireguard_path exists as directory" below
        # re-applies 0755 to the same directory on every platform.
        mode: u=rwx,g=,o=
        group: root

  when: ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "8"

- name: Install wireguard (CentOS 7)
  block:
    - name: Install epel (CentOS 7)
      yum:
        name:
          - epel-release
          # NOTE(review): release RPM installed straight from a URL; confirm
          # package signature checking covers it.
          - https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
        state: present

    - name: Install plugin-elrepo wireguard (CentOS 7)
      yum:
        name:
          - yum-plugin-elrepo
        state: present

    - name: Install wireguard module and tools (CentOS 7)
      yum:
        name:
          - kmod-wireguard
          - wireguard-tools
        state: present

    - name: Creat path (CentOS 7)
      file:
        path: "{{ wireguard_path }}"
        state: directory
        mode: u=rwx,g=,o=
        group: root

  when: ansible_facts['distribution'] == "CentOS" and ansible_facts['distribution_major_version'] == "7"

- name: Install wireguard and tools (zypper)
  zypper:
    name:
      - wireguard-tools
    state: present
  when:
    - ansible_distribution == "openSUSE Leap"

- name: Ensure wireguard_path exists as directory
  file:
    path: "{{ wireguard_path }}"
    state: directory
    # Runs on every platform after the CentOS tasks, so it widens their 0700
    # to 0755. The key files are written under umask 077, but the directory
    # holding private keys is left world-traversable; 0700 would be consistent.
    mode: 0755

- name: Read private key
  # stat only: decides whether a key pair has to be generated.
  stat:
    path: "{{ wireguard_path }}/privatekey"
  register: privatekey
  when: not ansible_check_mode

- name: Generate wireguard keys
  # umask 077 makes privatekey and publickey 0600. Generation is keyed off
  # privatekey alone, so a missing publickey next to an existing privatekey is
  # not repaired here and fails the slurp below.
  # NOTE(review): after YAML folding the trailing backslash is passed to bash
  # as a literal character — confirm the command parses as intended.
  shell: set -o pipefail && \
    umask 077; wg genkey | tee {{ wireguard_path }}/privatekey | wg pubkey > {{ wireguard_path }}/publickey
  args:
    executable: /bin/bash
  when:
    - not ansible_check_mode
    - not privatekey.stat.exists

- name: Read private key
  # Loads the private key into `private` for interface.conf.j2. The result
  # carries the key (base64) and is not marked no_log, so it is visible in
  # verbose output and to any callback or logging plugin that records results.
  slurp:
    src: "{{ wireguard_path }}/privatekey"
  register: private
  when: not ansible_check_mode

- name: Read public key
  # Read by the other hosts via hostvars[node].public in both templates.
  slurp:
    src: "{{ wireguard_path }}/publickey"
  register: public
  when: not ansible_check_mode

- name: Read private client's key
  # stat result; the same name is re-registered with the slurp result below.
  # Unlike its siblings this task has no `not ansible_check_mode` guard.
  stat:
    path: "{{ wireguard_path }}/client_privatekey"
  register: client_privatekey
  run_once: true
  when: client_vpn_ip | length > 0

- name: Generate wireguard client's keys
  # The client key pair is created on one server (run_once), which therefore
  # stores a private key it does not use itself; see the note on "Read private key".
  shell: set -o pipefail && \
    umask 077; wg genkey | tee {{ wireguard_path }}/client_privatekey | wg pubkey > {{ wireguard_path }}/client_publickey
  run_once: true
  args:
    executable: /bin/bash
  when:
    - client_vpn_ip | length > 0
    - not client_privatekey.stat.exists

- name: Read private client's key
  # Same exposure as "Read private key": private key in a registered result without no_log.
  slurp:
    src: "{{ wireguard_path }}/client_privatekey"
  register: client_privatekey
  run_once: true
  when:
    - not ansible_check_mode
    - client_vpn_ip | length > 0

- name: Read public client's key
  slurp:
    src: "{{ wireguard_path }}/client_publickey"
  register: client_publickey
  run_once: true
  when:
    - not ansible_check_mode
    - client_vpn_ip | length > 0

- name: Generate configs
  # Renders the server interface. mode u=rw,g=r,o= because the file embeds the
  # private key; the handlers enable and restart wg-quick@<network_name>.
  template:
    src: interface.conf.j2
    dest: "{{ wireguard_path }}/{{ wireguard_network_name }}.conf"
    owner: root
    group: root
    mode: "u=rw,g=r,o="
  register: config
  notify:
    - Enable wg-quick service
    - Restart wg-quick service
  when: not ansible_check_mode

- name: Generate client's config
  # Written on the controller (delegate_to localhost, no become); it contains
  # the client's private key, hence mode u=rw,g=,o=.
  # NOTE(review): the notified handlers are the server-side wg-quick handlers;
  # confirm they are meant to fire from this delegated task.
  template:
    src: client.conf.j2
    dest: "{{ client_wireguard_path }}"
    mode: "u=rw,g=,o="
  vars:
    ansible_connection: local
  become: no
  run_once: true
  when:
    - not ansible_check_mode
    - client_vpn_ip | length > 0
  delegate_to: localhost
  notify:
    - Enable wg-quick service
    - Restart wg-quick service
--------------------------------------------------------------------------------
/templates/backports.list:
--------------------------------------------------------------------------------
# Deployed verbatim by the copy module (not templated): fixed to buster
# regardless of the release that the key URL in tasks/main.yml is derived from.
deb http://deb.debian.org/debian buster-backports main
--------------------------------------------------------------------------------
/templates/client.conf.j2:
--------------------------------------------------------------------------------
{# Client config written to the controller; embeds the client private key,
   so tasks/main.yml writes it with mode u=rw,g=,o=. #}
[Interface]
Address = {{ client_vpn_ip }}
PrivateKey = {{ client_privatekey.content | b64decode | trim }}
{% if client_wireguard_dns %}
DNS = {{ client_wireguard_dns }}
{% endif %}

{# One [Peer] per host in the play; the endpoint prefers public_addr, then
   ansible_host, then inventory_hostname. #}
{% for node in play_hosts %}
[Peer]
PublicKey = {{ hostvars[node].public.content | b64decode | trim }}
AllowedIPs = {{ hostvars[node].vpn_ip }}
Endpoint = {{ hostvars[node]['public_addr'] | default(hostvars[node]['ansible_host']) | default(hostvars[node]['inventory_hostname']) }}:{{ wireguard_port }}
PersistentKeepalive = 25

{% endfor %}

{% if wireguard_additional_peers %}
{% for node in wireguard_additional_peers %}
{# NOTE(review): unlike interface.conf.j2, node.endpoint and node.keepalive are
   not emitted here, so an additional peer with an endpoint gets no Endpoint
   line in the client config. #}
# {{ node.comment }}
[Peer]
PublicKey = {{ node.key }}
AllowedIPs = {{ node.ip }}

{% endfor %}
{% endif %}
--------------------------------------------------------------------------------
/templates/interface.conf.j2:
--------------------------------------------------------------------------------
{# Server interface for wg-quick; rendered to <wireguard_path>/<network_name>.conf
   by "Generate configs" in tasks/main.yml. #}
[Interface]
Address = {{ vpn_ip }}
PrivateKey = {{ private.content | b64decode | trim }}
{# Hook commands are emitted exactly as given and run by wg-quick (root). #}
{% if wireguard_post_up %}
PostUp = {{ wireguard_post_up }}
{% endif %}
{% if wireguard_post_down %}
PostDown = {{ wireguard_post_down }}
{% endif %}
ListenPort = {{ wireguard_port }}
{% if wireguard_mtu is defined %}
MTU = {{ wireguard_mtu }}
{% endif %}
{# NOTE(review): this is the client DNS variable, applied here to every server
   interface as well — confirm that is intended. #}
{% if client_wireguard_dns %}
DNS = {{ client_wireguard_dns }}
{% endif %}

{# Full mesh: every other host in the play becomes a peer; AllowedIPs is the
   peer's vpn_ip, which both routes and filters traffic for that address. #}
{% for node in play_hosts %}
{% if inventory_hostname != hostvars[node]['inventory_hostname'] %}
[Peer]
PublicKey = {{ hostvars[node].public.content | b64decode | trim }}
AllowedIPs = {{ hostvars[node].vpn_ip }}
Endpoint = {{ hostvars[node]['public_addr'] | default(hostvars[node]['ansible_host']) | default(hostvars[node]['inventory_hostname']) }}:{{ wireguard_port }}

{% endif %}
{% endfor %}

{% if client_vpn_ip | length > 0 %}
[Peer]
PublicKey = {{ client_publickey.content | b64decode | trim }}
AllowedIPs = {{ client_vpn_ip }}
{% endif %}

{# Additional peers from inventory. A wide node.ip (a whole network) routes
   that range through the peer, so keep these values under playbook control. #}
{% if wireguard_additional_peers %}
{% for node in wireguard_additional_peers %}
# {{ node.comment }}
[Peer]
PublicKey = {{ node.key }}
AllowedIPs = {{ node.ip }}
{% if node.endpoint is defined %}
Endpoint = {{ node.endpoint }}
{% endif %}
{% if node.keepalive is defined %}
PersistentKeepalive = {{ node.keepalive }}
{% endif %}

{% endfor %}
{% endif %}
--------------------------------------------------------------------------------
/templates/limit-unstable:
--------------------------------------------------------------------------------
Package: *
Pin: release a=unstable
Pin-Priority: 150
--------------------------------------------------------------------------------