Wireguarded Applications

The Wireguarded role provides a way to host specific applications inside a WireGuard VPN, allowing you to restrict access to those you’ve provided with keys.

Currently Momod only allows for Minetest to be hosted this way.

Momod sets up wg-easy in a Podman pod together with any application containers. wg-easy provides a nice web GUI to manage the WireGuard configuration.

Note that this VPN only directs traffic to the single IP address 10.10.0.1 (the wg-easy container) through the tunnel. All other traffic will go via your normal internet connection. In other words, it provides zero protection of privacy and zero advert blocking of the kind many VPN services advertise.

It’s simply a way of restricting access to Minetest on your server.

Preparation

Begin by filling out passwords for wg-easy email, wg-easy admin user and the postgres-minetest database in host_vars/YOURSERVER/vault.yml. Also generate an encrypted version of the email password and add it to host_vars/YOURSERVER/main.yml (see that file for details of how to generate the encrypted password).

Next, take a look at the Minetest world templates provided in host_vars/YOURSERVER/minetest-worlds. Choose one (or, if you’re feeling confident, do this with all three!) to set up your first world. Let’s assume you’ve chosen the basic Minetest world in myworld-template.yml and use it to create your first world.

Choose a name for your world and copy the template to a new file matching that name. For this explanation, let’s call it ‘Mineworld’. Copy myworld-template.yml to mineworld.yml.

Next edit mineworld.yml and:

  • Change the name myworld to the new name (mineworld or what you chose).
  • Set the admin_name to the name of the Minetest world administrator user. This name is used to log in to the server in the Minetest client and will be seen by other players.
  • Change the variable vault_myworld_db_password to vault_mineworld_db_password (so it matches whatever you named your world).
  • Edit your host_vars/YOURSERVER/vault.yml to include the vault_mineworld_db_password and set a password there.

You’re now ready to run the playbook.

Run the play

This will set up wg-easy, a Postgres database for your Minetest world data and any Minetest worlds you’ve defined.

ansible-playbook --ask-vault-pass --limit YOURSERVER play/wireguarded.yml

Set up wg-easy

Once the play is complete, you’ll need to set up WireGuard before you can play Minetest. You should be able to access the wg-easy UI at https://wg-easy.YOUR-FQDN. Use the admin password you defined to log in. Add a new client, then download the configuration file. You can add clients for anyone else, or for any other devices, that you want to allow to access the Minetest world. Download each conf file and pass it to its user via a secure method.
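As an added example (not part of Momod or wg-easy), the following Python check reads a downloaded client configuration and reports any AllowedIPs entry that would send more than 10.10.0.1 through the tunnel. The sample configurations, placeholder keys, client address and endpoint are constructed, and it assumes the split tunnel described above appears in the file as AllowedIPs = 10.10.0.1/32.

```python
import ipaddress

# Assumption: per the page, only the wg-easy container address uses the tunnel.
EXPECTED = ipaddress.ip_network("10.10.0.1/32")

# Constructed sample client configs (placeholder keys, hypothetical endpoint).
SPLIT_TUNNEL = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.10.0.2/24

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 10.10.0.1/32
Endpoint = wg-easy.example.invalid:51820
"""
FULL_TUNNEL = SPLIT_TUNNEL.replace("10.10.0.1/32", "0.0.0.0/0, ::/0")


def allowed_networks(conf_text):
    """Return every network listed under AllowedIPs in any [Peer] section."""
    networks, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # configs may hold several [Peer]s
        elif section == "peer" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "allowedips":
                networks += [ipaddress.ip_network(v.strip(), strict=False)
                             for v in value.split(",") if v.strip()]
    return networks


def unexpected_routes(conf_text, expected=EXPECTED):
    """Networks the tunnel would carry beyond the expected address."""
    return [n for n in allowed_networks(conf_text)
            if n.version != expected.version or not n.subnet_of(expected)]


if __name__ == "__main__":
    for name, conf in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        extra = unexpected_routes(conf)
        print(name, "OK" if not extra else f"routes beyond 10.10.0.1: {extra}")
```

An empty result means the file matches the split-tunnel behaviour described above; any listed network is traffic that would also enter the tunnel.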

Next, you need to set up WireGuard on the client machine or machines.