@@ -0,0 +1,54 @@
+---
+- name: Install wireguard-tools
+ yum:
+ name: wireguard-tools
+ state: installed
+
+- name: Copy wireguard config
+ template:
+ src: wg.conf.j2
+ dest: /etc/wireguard/{{ wg_interface }}.conf
+ owner: root
+ group: root
+ mode: '0644'
+ notify:
+ - Restart wireguard interface
+
+- name: Add {{ wg_interface }} to external zone
+ firewalld:
+ zone: external
+ interface: "{{ wg_interface }}"
+ permanent: yes
+ state: enabled
+
+- name: Add {{ ansible_interfaces | sort | first }} to internal zone
+ firewalld:
+ zone: internal
+ interface: "{{ ansible_interfaces | sort | first }}"
+ permanent: yes
+ state: enabled
+
+- name: Allow source networks to use wireguard
+ firewalld:
+ source: "{{ item }}"
+ zone: external
+ state: enabled
+ permanent: yes
+ with_items:
+ - "{{ allowed_access_cidrs }}"
+
+- name: Allow services
+ firewalld:
+ zone: external
+ service: "{{ item }}"
+ state: enabled
+ permanent: yes
+ immediate: yes
+ with_items:
+ - "{{ allowed_services }}"
+
+- name: Start/Enable {{ wg_interface }} interface
+ systemd:
+ name: wg-quick@{{ wg_interface }}
+ state: started
+ enabled: yes
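Review bot: `mode: '0644'` in the "Copy wireguard config" task leaves `/etc/wireguard/{{ wg_interface }}.conf` readable by every local user, and a wg-quick configuration normally carries the interface's `PrivateKey`, so this should be `mode: '0600'` (the `wg.conf.j2` template is not in the hunk, so confirm what it renders). The first three firewalld tasks set `permanent: yes` without `immediate: yes`, unlike the "Allow services" task, so the zone assignments for `{{ wg_interface }}` and the internal interface and the `allowed_access_cidrs` source rules only land in the permanent configuration and do not reach the running firewall until a reload; add `immediate: yes` to each of them as the last firewalld task already does. Choosing the internal interface with `ansible_interfaces | sort | first` depends on the host's interface naming order, so an explicit variable would make it deliberate which interface ends up in the `internal` zone. As a matter of style, the `yes` values would be `true` under yamllint's truthy rule, and the `with_items` lists wrapping a single variable can be written as `loop: "{{ allowed_access_cidrs }}"` and `loop: "{{ allowed_services }}"`.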