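---
# VM Gateway: WireGuard + Caddy
# Network entry point from the VPS: this host terminates the WireGuard
# tunnel and fronts services with Caddy (HTTP/HTTPS).
#
# Review notes:
# - ip_forward is enabled below, but this play defines no firewalld
#   forwarding/masquerade rule and does not assign wg0 to a zone, so wg0
#   lands in the default zone. Confirm the intended forwarding policy
#   between wg0 and the other interfaces (what VPN peers may reach) before
#   relying on this host as a gateway.
# - Caddy is installed from a third-party COPR repository, i.e. packages
#   outside the distribution's own signing chain (the COPR key is trusted
#   when the repo is enabled). Treat it as a supply-chain dependency.

- name: Configuration gateway
  hosts: gateway
  become: true

  tasks:
    # -- WireGuard --
    - name: Installation WireGuard
      ansible.builtin.dnf:
        name:
          - wireguard-tools
        state: present
      tags: [wireguard]

    # Needed so packets arriving over the tunnel can be routed onward.
    - name: Activation IP forwarding
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        sysctl_set: true
        reload: true
      tags: [wireguard]

    # The private key will live here: root-only directory.
    - name: Creation du repertoire WireGuard
      ansible.builtin.file:
        path: /etc/wireguard
        state: directory
        owner: root
        group: root
        mode: "0700"
      tags: [wireguard]

    # The WireGuard config is rendered from a template and only deployed
    # once the generated keys and the VPS IP are available (phase 5);
    # until `wireguard_configured` is set, this task is skipped and the
    # interface is never enabled. wg0.conf holds the private key: 0600.
    - name: Deploiement config WireGuard (template)
      ansible.builtin.template:
        src: wg0.conf.j2
        dest: /etc/wireguard/wg0.conf
        owner: root
        group: root
        mode: "0600"
      notify: restart wireguard
      when: wireguard_configured | default(false)
      tags: [wireguard]

    # -- Caddy --
    - name: Installation dnf-plugins-core (requis pour copr)
      ansible.builtin.dnf:
        name: dnf-plugins-core
        state: present
      tags: [caddy]

    # `command` instead of `shell`: the arguments are fixed, so there is no
    # reason to involve a shell interpreter. `creates` keeps it idempotent.
    - name: Activation du repo COPR Caddy
      ansible.builtin.command: dnf copr enable -y @caddy/caddy
      args:
        creates: /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:group_caddy:caddy.repo
      tags: [caddy]

    - name: Installation Caddy
      ansible.builtin.dnf:
        name: caddy
        state: present
      tags: [caddy]

    # The new Caddyfile is validated before it replaces the live one, so a
    # broken config cannot take the gateway down on the restart that
    # follows. `--adapter caddyfile` is required because the temporary file
    # handed to `validate` is not named "Caddyfile".
    - name: Deploiement Caddyfile
      ansible.builtin.copy:
        src: ../../docker/gateway/Caddyfile
        dest: /etc/caddy/Caddyfile
        mode: "0644"
        validate: caddy validate --config %s --adapter caddyfile
      notify: restart caddy
      tags: [caddy]

    - name: Activation Caddy
      ansible.builtin.systemd:
        name: caddy
        state: started
        enabled: true
      tags: [caddy]

    # -- Firewall --
    # Only 80/443 (Caddy) and the WireGuard UDP port are opened; everything
    # else keeps the default zone's policy. Rules go to the permanent
    # configuration and are applied by the `reload firewalld` handler.
    - name: Ouverture ports HTTP/HTTPS
      ansible.posix.firewalld:
        service: "{{ item }}"
        permanent: true
        state: enabled
      loop:
        - http
        - https
      notify: reload firewalld
      tags: [firewall]

    - name: Ouverture port WireGuard
      ansible.posix.firewalld:
        port: 51820/udp
        permanent: true
        state: enabled
      notify: reload firewalld
      tags: [firewall]

  handlers:
    # `enabled` is set here rather than in a task so wg0 only starts at boot
    # once a config has actually been deployed (the template task is the
    # sole notifier).
    - name: restart wireguard
      ansible.builtin.systemd:
        name: wg-quick@wg0
        state: restarted
        enabled: true

    # A full restart drops in-flight connections; `state: reloaded` would be
    # graceful if the packaged unit provides ExecReload -- confirm before
    # switching.
    - name: restart caddy
      ansible.builtin.systemd:
        name: caddy
        state: restarted

    - name: reload firewalld
      ansible.builtin.systemd:
        name: firewalld
        state: reloaded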