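---
# Builds a WireGuard mesh between the hosts in the "tinc" group: each host
# generates its own keypair, the public keys are fetched to the controller,
# and every host then gets a wg0.conf that lists all the other hosts as peers.
# NOTE(review): installing packages and writing under /etc needs root; the
# play sets no `become`, so it presumably runs as root via the inventory.
- hosts: tinc
  tasks:
  - name: install wireguard
    package:
      name: wireguard-tools
  - name: install iptables
    package:
      name: iptables
  # umask 0077 makes privatekey readable by root only; `creates` keeps this a
  # one-shot, so a re-run never rotates an existing key.
  - name: generate keypair
    shell:
      cmd: umask 0077 && wg genkey | tee privatekey | wg pubkey > publickey
      chdir: /etc/wireguard
      creates: /etc/wireguard/publickey
  # Only the public half leaves the host. Without `flat`, fetch stores it at
  # /tmp/wireguard-publickeys/<inventory_hostname>/etc/wireguard/publickey,
  # which is the path the peer loop below reads back.
  - name: fetch public keys
    fetch:
      src: /etc/wireguard/publickey
      dest: /tmp/wireguard-publickeys
  - name: slurp private keys
    slurp:
      src: /etc/wireguard/privatekey
    register: privatekey
    no_log: true  # the registered content is the private key; keep it out of task output
  # The rendered file contains the private key, so it is written 0600 and the
  # task runs with no_log (under -v the diff would otherwise print the key).
  # NOTE(review): PostUp/PostDown assume the uplink is eth0 on every host —
  # confirm; on a host with another interface name MASQUERADE matches nothing.
  # NOTE(review): SaveConfig = true makes wg-quick rewrite wg0.conf on `down`,
  # so a later run may see the file as changed and restart the tunnel again.
  - name: configure
    copy:
      content: |
        [Interface]
        Address = {{ network.self_internal_ip }}/24
        SaveConfig = true
        PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
        ListenPort = 51820
        PrivateKey = {{ privatekey['content'] | b64decode | trim }}

        {% for host in groups['tinc'] %}
        {% if host != inventory_hostname %}
        [Peer]
        PublicKey = {{ lookup('file', '/tmp/wireguard-publickeys/{}/etc/wireguard/publickey'.format(host)) }}
        AllowedIPs = {{ hostvars[host].network.self_internal_network }}
        Endpoint = {{ hostvars[host].network.public_hostname }}:51820

        {% endif %}
        {% endfor %}
      dest: /etc/wireguard/wg0.conf
      owner: root
      group: root
      mode: "0600"
    no_log: true
    notify: restart wireguard
  # Start and enable only; restarts go through the handler, so an unchanged
  # config no longer drops the tunnel on every run.
  - name: enable wireguard
    service:
      name: wg-quick@wg0
      state: started
      enabled: true
  # Persisted under /etc/sysctl.d and applied to the running kernel right
  # away instead of only taking effect at the next reboot.
  # NOTE(review): bbr needs the tcp_bbr module to be available — confirm on these hosts.
  - name: set congestion control
    sysctl:
      name: net.ipv4.tcp_congestion_control
      value: bbr
      sysctl_file: /etc/sysctl.d/wireguard.conf
      sysctl_set: true
      reload: true
  handlers:
  # Fired by the configure task whenever wg0.conf actually changed.
  - name: restart wireguard
    service:
      name: wg-quick@wg0
      state: restarted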