fix(system/wg-admin): use variables
Signed-off-by: Matej Focko <me@mfocko.xyz>
parent
741f570235
commit
749be7227e
4 changed files with 57 additions and 28 deletions
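--- a/roles/system/wg-admin/defaults/main.yml
+++ b/roles/system/wg-admin/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+# IP address assigned to the wireguard peer
+system_wg_admin_address: "192.168.0.2/32"
+
+# Domain that is used with local DNS on the VPN
+system_wg_admin_domain: "localdomain"
+
+# IP address of the gateway on the VPN
+system_wg_admin_gateway: "192.168.0.1"
+
+# Interface name for the wireguard connection
+system_wg_admin_ifname: "wg-something"
+
+# Peers of the VPN, list of objects with the following format:
+#
+# - note: ‹comment that gets put above the peer›
+# public_key: ‹public key of the peer›
+# allowed_ips: 192.168.0.0/24
+# endpoint: localhost:51820
+# # if bool(keepalive) → gets included in the config
+# keepalive: 20
+system_wg_admin_peers: []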
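Review bot: The peer format comment above `system_wg_admin_peers` does not say which keys are mandatory; the template this commit adds emits `note`, `public_key`, `allowed_ips` and `endpoint` for every peer unconditionally and only `keepalive` is conditional, so a peer missing one of the first four would presumably fail to render rather than be skipped. I would state that in the comment, e.g. `# note, public_key, allowed_ips and endpoint are required; keepalive is optional`. The default `system_wg_admin_ifname: "wg-something"` reads as a placeholder that the user is expected to override; since it names both the generated config file and the `wg-quick@` unit, a comment saying so would help.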
@ -24,21 +24,24 @@
|
|||
|
||||
- name: Set dns_command for co-openSUSE
|
||||
ansible.builtin.set_fact:
|
||||
wg_dns_command: "resolvectl dns %i 10.42.0.1; resolvectl domain %i ~admin"
|
||||
wg_dns_command: "resolvectl dns %i {{ system_wg_admin_gateway }}; resolvectl domain %i ~{{ system_wg_admin_domain }}"
|
||||
when: '"openSUSE" not in ansible_distribution'
|
||||
|
||||
- name: Set dns_command for openSUSE
|
||||
ansible.builtin.set_fact:
|
||||
wg_dns_command: "nmcli con mod %i ipv4.dns 10.42.0.1; nmcli con mod %i ipv4.dns-search ~admin"
|
||||
wg_dns_command: "nmcli con mod %i ipv4.dns {{ system_wg_admin_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ system_wg_admin_domain }}"
|
||||
when: '"openSUSE" in ansible_distribution'
|
||||
|
||||
- name: Create the config
|
||||
vars:
|
||||
address: "{{ wg_admin_address }}"
|
||||
address: "{{ system_wg_admin_address }}"
|
||||
dns_command: "{{ wg_dns_command }}"
|
||||
domain: "{{ system_wg_admin_domain }}"
|
||||
gateway: "{{ system_wg_admin_gateway }}"
|
||||
peers: "{{ systemg_wg_admin_peers }}"
|
||||
ansible.builtin.template:
|
||||
src: wg-admin.conf
|
||||
dest: /etc/wireguard/wg-admin.conf
|
||||
src: "{{ system_wg_admin_ifname }}.conf"
|
||||
dest: "/etc/wireguard/{{ system_wg_admin_ifname }}.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0600"
|
||||
|
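Review bot: `peers: "{{ systemg_wg_admin_peers }}"` in the vars of the `Create the config` task misspells the variable; the defaults file added in this commit defines `system_wg_admin_peers`, so the template render would presumably fail with an undefined variable (or silently produce a config with no peers if undefined errors are disabled). Change it to `peers: "{{ system_wg_admin_peers }}"`. Separately, `src: "{{ system_wg_admin_ifname }}.conf"` looks up a template named after the interface (`wg-something.conf` with the default), while the only template this commit adds is `templates/wg.conf`; if one shared template is intended, `src: wg.conf` (keeping the interpolated `dest`) looks like what was meant. The enclosing task list continues outside the hunk.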
@ -49,6 +52,6 @@
|
|||
|
||||
- name: Enable and start the wireguard connection
|
||||
ansible.builtin.service:
|
||||
name: "wg-quick@wg-admin"
|
||||
name: "wg-quick@{{ system_wg_admin_ifname }}"
|
||||
enabled: yes
|
||||
state: started
|
||||
|
|
|
@ -1,22 +0,0 @@
|
|||
[Interface]
|
||||
# Assign the static IP
|
||||
Address = {{ address }}/20
|
||||
|
||||
# Set the DNS
|
||||
DNS = 10.42.0.1, admin
|
||||
|
||||
# Set the DNS for the connection
|
||||
PostUp = {{ dns_command }}
|
||||
|
||||
# Load the private key
|
||||
PostUp = wg set %i private-key /etc/wireguard/private.key
|
||||
|
||||
# FIXME: Ping the VPN server to initiate the connection
|
||||
# PostUp = ping -c3 10.42.0.1
|
||||
|
||||
# poincare
|
||||
[Peer]
|
||||
PublicKey = DFvcdIvT4ulnQfRejbzUV/LJqUEYRWlAhtHKM65G92Y=
|
||||
AllowedIPs = 10.42.0.0/20
|
||||
Endpoint = mfocko.xyz:51820
|
||||
PersistentKeepAlive = 20
|
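--- a/roles/system/wg-admin/templates/wg.conf
+++ b/roles/system/wg-admin/templates/wg.conf
@@ -0,0 +1,26 @@
+[Interface]
+# Assign the static IP
+Address = {{ address }}
+
+# Set the DNS
+DNS = {{ gateway }}, {{ domain }}
+
+# Set the DNS for the connection
+PostUp = {{ dns_command }}
+
+# Load the private key
+PostUp = wg set %i private-key /etc/wireguard/private.key
+
+# FIXME: Ping the VPN server to initiate the connection
+# PostUp = ping -c3 {{ gateway }}
+{% for peer in peers %}
+
+# {{ peer.note }}
+[Peer]
+PublicKey = {{ peer.public_key }}
+AllowedIPs = {{ peer.allowed_ips }}
+Endpoint = {{ peer.endpoint }}
+{% if peer.keepalive %}
+PersistentKeepAlive = {{ peer.keepalive }}
+{% endif %}
+{% endfor %}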
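Review bot: Inside the `{% for peer in peers %}` loop, `# {{ peer.note }}` and `Endpoint = {{ peer.endpoint }}` are emitted unconditionally, and `{% if peer.keepalive %}` evaluates an attribute that the defaults comment describes as optional; with Ansible's strict undefined handling a peer that omits any of these presumably aborts the render instead of being written without that line. An endpoint is not something every WireGuard peer has (peers that only connect inbound have none), so the optional fields should be guarded with `is defined` and the keepalive test given a default. Note also that `note` is substituted verbatim into a comment line, so a value containing a newline would land in the config as its own line; a `| replace('\n', ' ')` on it would keep the comment on one line.
```jinja
{# … unchanged: [Interface] section … #}
{% for peer in peers %}

{% if peer.note is defined %}
# {{ peer.note | replace('\n', ' ') }}
{% endif %}
[Peer]
PublicKey = {{ peer.public_key }}
AllowedIPs = {{ peer.allowed_ips }}
{% if peer.endpoint is defined %}
Endpoint = {{ peer.endpoint }}
{% endif %}
{% if peer.keepalive | default(false) %}
PersistentKeepAlive = {{ peer.keepalive }}
{% endif %}
{% endfor %}
```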