diff --git a/roles/system/wg-admin/defaults/main.yml b/roles/system/wg-admin/defaults/main.yml
new file mode 100644
index 0000000..5699801
--- /dev/null
+++ b/roles/system/wg-admin/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+# IP address assigned to the wireguard peer
+system_wg_admin_address: "192.168.0.2/32"
+
+# Domain that is used with local DNS on the VPN
+system_wg_admin_domain: "localdomain"
+
+# IP address of the gateway on the VPN
+system_wg_admin_gateway: "192.168.0.1"
+
+# Interface name for the wireguard connection
+system_wg_admin_ifname: "wg-something"
+
+# Peers of the VPN, list of objects with the following format:
+#
+# - note: ‹comment that gets put above the peer›
+# public_key: ‹public key of the peer›
+# allowed_ips: 192.168.0.0/24
+# endpoint: localhost:51820
+# # if bool(keepalive) → gets included in the config
+# keepalive: 20
+system_wg_admin_peers: []
diff --git a/roles/system/wg-admin/tasks/main.yml b/roles/system/wg-admin/tasks/main.yml
index 30b00e1..075ff87 100644
--- a/roles/system/wg-admin/tasks/main.yml
+++ b/roles/system/wg-admin/tasks/main.yml
@@ -24,21 +24,24 @@ - name: Set dns_command for co-openSUSE ansible.builtin.set_fact: - wg_dns_command: "resolvectl dns %i 10.42.0.1; resolvectl domain %i ~admin" + wg_dns_command: "resolvectl dns %i {{ system_wg_admin_gateway }}; resolvectl domain %i ~{{ system_wg_admin_domain }}" when: '"openSUSE" not in ansible_distribution' - name: Set dns_command for openSUSE ansible.builtin.set_fact: - wg_dns_command: "nmcli con mod %i ipv4.dns 10.42.0.1; nmcli con mod %i ipv4.dns-search ~admin" + wg_dns_command: "nmcli con mod %i ipv4.dns {{ system_wg_admin_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ system_wg_admin_domain }}" when: '"openSUSE" in ansible_distribution' - name: Create the config vars: - address: "{{ wg_admin_address }}" + address: "{{ system_wg_admin_address }}" dns_command: "{{ wg_dns_command }}" + domain: "{{ system_wg_admin_domain }}" + gateway: "{{ system_wg_admin_gateway }}" + peers: "{{ systemg_wg_admin_peers }}" ansible.builtin.template: - src: wg-admin.conf - dest: /etc/wireguard/wg-admin.conf + src: "{{ system_wg_admin_ifname }}.conf" + dest: "/etc/wireguard/{{ system_wg_admin_ifname }}.conf" owner: root group: root mode: "0600" @@ -49,6 +52,6 @@ - name: Enable and start the wireguard connection ansible.builtin.service: - name: "wg-quick@wg-admin" + name: "wg-quick@{{ system_wg_admin_ifname }}" enabled: yes state: started diff --git a/roles/system/wg-admin/templates/wg-admin.conf b/roles/system/wg-admin/templates/wg-admin.conf deleted file mode 100644 index bb60099..0000000 --- a/roles/system/wg-admin/templates/wg-admin.conf +++ /dev/null 
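Review bot: `peers: "{{ systemg_wg_admin_peers }}"` in the vars of the "Create the config" task misspells the variable the new defaults file declares as `system_wg_admin_peers`, so it resolves as undefined and the template task fails under Ansible's default undefined-variable handling (or, if that is relaxed, renders a config with no [Peer] section at all). In the same task, `src: "{{ system_wg_admin_ifname }}.conf"` looks up a template named after the interface, but the commit adds the template as `templates/wg.conf`, so with the shipped default `wg-something` the lookup cannot succeed; only the destination path and the `wg-quick@` unit name need to follow the interface name. Change the two lines to `peers: "{{ system_wg_admin_peers }}"` and `src: wg.conf`. The task list this hunk belongs to begins before the hunk.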
@@ -1,22 +0,0 @@
-[Interface]
-# Assign the static IP
-Address = {{ address }}/20
-
-# Set the DNS
-DNS = 10.42.0.1, admin
-
-# Set the DNS for the connection
-PostUp = {{ dns_command }}
-
-# Load the private key
-PostUp = wg set %i private-key /etc/wireguard/private.key
-
-# FIXME: Ping the VPN server to initiate the connection
-# PostUp = ping -c3 10.42.0.1
-
-# poincare
-[Peer]
-PublicKey = DFvcdIvT4ulnQfRejbzUV/LJqUEYRWlAhtHKM65G92Y=
-AllowedIPs = 10.42.0.0/20
-Endpoint = mfocko.xyz:51820
-PersistentKeepAlive = 20
diff --git a/roles/system/wg-admin/templates/wg.conf b/roles/system/wg-admin/templates/wg.conf
new file mode 100644
index 0000000..bc9ded8
--- /dev/null
+++ b/roles/system/wg-admin/templates/wg.conf
@@ -0,0 +1,26 @@
+[Interface]
+# Assign the static IP
+Address = {{ address }}
+
+# Set the DNS
+DNS = {{ gateway }}, {{ domain }}
+
+# Set the DNS for the connection
+PostUp = {{ dns_command }}
+
+# Load the private key
+PostUp = wg set %i private-key /etc/wireguard/private.key
+
+# FIXME: Ping the VPN server to initiate the connection
+# PostUp = ping -c3 {{ gateway }}
+{% for peer in peers %}
+
+# {{ peer.note }}
+[Peer]
+PublicKey = {{ peer.public_key }}
+AllowedIPs = {{ peer.allowed_ips }}
+Endpoint = {{ peer.endpoint }}
+{% if peer.keepalive %}
+PersistentKeepAlive = {{ peer.keepalive }}
+{% endif %}
+{% endfor %}
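Review bot: The [Peer] loop in the new wg.conf dereferences `peer.note` and `peer.keepalive` for every entry, and with Ansible's strict undefined handling (which I believe also fails on a truth test of an undefined value) a peer that omits either key aborts the whole template instead of skipping the optional field, even though the defaults file documents `keepalive` as conditional. Give the two optional keys explicit fallbacks: `# {{ peer.note | default('') }}` and `{% if peer.keepalive | default(0) %}`. Leaving `public_key`, `allowed_ips` and `endpoint` without a default is right, since a silently empty `PublicKey` or `AllowedIPs` would only surface later as a peer stanza wg-quick rejects.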