Add wiregaurd deployment with wg-easy

This commit is contained in:
tom.chivert 2023-10-26 14:42:56 +02:00
parent 7170df030e
commit 65892db2ee
4 changed files with 75 additions and 6 deletions

View File

@ -21,6 +21,7 @@ Available services
- cadvisor
- Redisinsight
- Gitlab
- [Wireguard](https://github.com/wg-easy/wg-easy)
Role variables
---------------
@ -57,6 +58,7 @@ Example variables
- cadvisor
- redisinsight
- gitlab
- wireguard
traefik_domain: 'example.com'
traefik_letsencrypt_email: 'cert@example.com'
@ -74,6 +76,11 @@ Example variables
gitlab_root_password: 'vault-this-thingy'
gitlab_domain: gitlab.example.com
gitlab_registry_domain: registry.example.com
wireguard_version: 'latest'
# wg-easy webui access:
wireguard_domain: 'wg.example.com'
wireguard_password: 'please-vault-this-too'
```
TODO
@ -94,8 +101,6 @@ TODO
- needs to be implemented
- Promtail
- needs to be implemented
- Gitlab
- needs to be implemented
License
-------

View File

@ -48,9 +48,16 @@
ignore_errors: '{{ ansible_check_mode }}'
tags: ['docker_gitlab']
- name: 'gitlab-runner-restart'
- name: gitlab-runner-restart
systemd:
name: docker-compose@gitlab-runner
state: restarted
ignore_errors: '{{ ansible_check_mode }}'
tags: ['docker_gitlab-runner']
- name: wireguard-restart
systemd:
name: docker-compose@wireguard
state: restarted
ignore_errors: '{{ ansible_check_mode }}'
tags: ['docker_wireguard']

16
tasks/wireguard.yml Normal file
View File

@ -0,0 +1,16 @@
---
- name: wireguard | check vars are defined
assert:
that:
- wireguard_domain is defined
tags: ['docker_wireguard']
- include_tasks: base.yml
tags: ['docker_wireguard']
- name: 'wireguard | create docker volumes'
docker_volume:
name: '{{ item }}'
with_items:
- 'wireguard__etc_wireguard'
tags: ['docker_wireguard']

View File

@ -0,0 +1,41 @@
version: '3.7'
networks:
traefik:
external: true
volumes:
wireguard__etc_wireguard:
external: true
services:
wireguard:
container_name: wireguard
image: weejewel/wg-easy:{{ wireguard_version | default("latest") }}
restart: unless-stopped
ports:
- "51820:51820/udp"
volumes:
- 'wireguard__etc_wireguard:/etc/wireguard'
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
- net.ipv4.ip_forward=1
environment:
- WG_HOST={{ wireguard_domain }}
- PASSWORD={{ wireguard_password }}
labels:
traefik.enable: true
traefik.docker.network: traefik
traefik.http.routers.wireguard.rule: Host(`{{ wireguard_domain }}`)
traefik.http.routers.wireguard.tls: true
traefik.http.routers.wireguard.tls.certresolver: letsencrypt
traefik.http.routers.wireguard.entrypoints: websecure
{% if traefik_ipwhitelist is defined %}
traefik.http.routers.wireguard.middlewares: "clientips@docker"
{% endif %}
traefik.http.services.wireguard.loadbalancer.server.port: 51821
networks:
- traefik