fix(system/wg-admin): use variables

Signed-off-by: Matej Focko <me@mfocko.xyz>
Matej Focko 2024-07-12 14:55:29 +02:00
parent 741f570235
commit 749be7227e
Signed by: mfocko
SSH key fingerprint: SHA256:icm0fIOSJUpy5+1x23sfr+hLtF9UhY8VpMC7H4WFJP8
4 changed files with 57 additions and 28 deletions


@ -0,0 +1,22 @@
---
# IP address assigned to the wireguard peer
system_wg_admin_address: "192.168.0.2/32"
# Domain that is used with local DNS on the VPN
system_wg_admin_domain: "localdomain"
# IP address of the gateway on the VPN
system_wg_admin_gateway: "192.168.0.1"
# Interface name for the wireguard connection
system_wg_admin_ifname: "wg-something"
# Peers of the VPN, list of objects with the following format:
#
# - note: comment that gets put above the peer
# public_key: public key of the peer
# allowed_ips: 192.168.0.0/24
# endpoint: localhost:51820
# # if bool(keepalive) → gets included in the config
# keepalive: 20
system_wg_admin_peers: []
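Review bot: The peer-format comment above `system_wg_admin_peers` does not say which keys are mandatory; the consuming template reads `note`, `public_key`, `allowed_ips` and `endpoint` unconditionally and only tests `keepalive` before use, so a line such as `# note, public_key, allowed_ips and endpoint are required; keepalive is optional` would make the contract explicit. The nested-key indentation of the example appears lost in this rendering; if the source file is likewise flat, indenting the keys under `- note:` would make the example valid YAML when copied. It would also help to state that `system_wg_admin_ifname` is used both as the template source name and as the systemd unit instance (`wg-quick@<ifname>`), since overriding it has consequences beyond the interface label.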


@ -24,21 +24,24 @@
- name: Set dns_command for co-openSUSE - name: Set dns_command for co-openSUSE
ansible.builtin.set_fact: ansible.builtin.set_fact:
wg_dns_command: "resolvectl dns %i 10.42.0.1; resolvectl domain %i ~admin" wg_dns_command: "resolvectl dns %i {{ system_wg_admin_gateway }}; resolvectl domain %i ~{{ system_wg_admin_domain }}"
when: '"openSUSE" not in ansible_distribution' when: '"openSUSE" not in ansible_distribution'
- name: Set dns_command for openSUSE - name: Set dns_command for openSUSE
ansible.builtin.set_fact: ansible.builtin.set_fact:
wg_dns_command: "nmcli con mod %i ipv4.dns 10.42.0.1; nmcli con mod %i ipv4.dns-search ~admin" wg_dns_command: "nmcli con mod %i ipv4.dns {{ system_wg_admin_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ system_wg_admin_domain }}"
when: '"openSUSE" in ansible_distribution' when: '"openSUSE" in ansible_distribution'
- name: Create the config - name: Create the config
vars: vars:
address: "{{ wg_admin_address }}" address: "{{ system_wg_admin_address }}"
dns_command: "{{ wg_dns_command }}" dns_command: "{{ wg_dns_command }}"
domain: "{{ system_wg_admin_domain }}"
gateway: "{{ system_wg_admin_gateway }}"
peers: "{{ systemg_wg_admin_peers }}"
ansible.builtin.template: ansible.builtin.template:
src: wg-admin.conf src: "{{ system_wg_admin_ifname }}.conf"
dest: /etc/wireguard/wg-admin.conf dest: "/etc/wireguard/{{ system_wg_admin_ifname }}.conf"
owner: root owner: root
group: root group: root
mode: "0600" mode: "0600"
@ -49,6 +52,6 @@
- name: Enable and start the wireguard connection - name: Enable and start the wireguard connection
ansible.builtin.service: ansible.builtin.service:
name: "wg-quick@wg-admin" name: "wg-quick@{{ system_wg_admin_ifname }}"
enabled: yes enabled: yes
state: started state: started
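Review bot: `peers: "{{ systemg_wg_admin_peers }}"` in the `Create the config` task misspells the variable the defaults declare as `system_wg_admin_peers`, so the template's `{% for peer in peers %}` fails on an undefined variable (or, under a lenient undefined setting, silently renders no peers); change it to `peers: "{{ system_wg_admin_peers }}"`. Separately, `src: "{{ system_wg_admin_ifname }}.conf"` ties the template lookup to the interface name, so overriding `system_wg_admin_ifname` (default `wg-something`) requires a template of that name to exist in the role; since the template is now generic, keeping `src` fixed and templating only `dest` and the service name appears to be the intent. The surrounding play and the tasks before line 24 are outside the hunk.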


@ -1,22 +0,0 @@
[Interface]
# Assign the static IP
Address = {{ address }}/20
# Set the DNS
DNS = 10.42.0.1, admin
# Set the DNS for the connection
PostUp = {{ dns_command }}
# Load the private key
PostUp = wg set %i private-key /etc/wireguard/private.key
# FIXME: Ping the VPN server to initiate the connection
# PostUp = ping -c3 10.42.0.1
# poincare
[Peer]
PublicKey = DFvcdIvT4ulnQfRejbzUV/LJqUEYRWlAhtHKM65G92Y=
AllowedIPs = 10.42.0.0/20
Endpoint = mfocko.xyz:51820
PersistentKeepAlive = 20


@ -0,0 +1,26 @@
[Interface]
# Assign the static IP
Address = {{ address }}
# Set the DNS
DNS = {{ gateway }}, {{ domain }}
# Set the DNS for the connection
PostUp = {{ dns_command }}
# Load the private key
PostUp = wg set %i private-key /etc/wireguard/private.key
# FIXME: Ping the VPN server to initiate the connection
# PostUp = ping -c3 {{ gateway }}
{% for peer in peers %}
# {{ peer.note }}
[Peer]
PublicKey = {{ peer.public_key }}
AllowedIPs = {{ peer.allowed_ips }}
Endpoint = {{ peer.endpoint }}
{% if peer.keepalive %}
PersistentKeepAlive = {{ peer.keepalive }}
{% endif %}
{% endfor %}
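Review bot: `{% if peer.keepalive %}` and `# {{ peer.note }}` assume every entry in `peers` carries those keys; under Ansible's default strict undefined handling a peer without `keepalive` makes the whole template fail instead of omitting the line, which contradicts the optional semantics described in the defaults comment. Using `{% if peer.keepalive | default(false) %}` and `# {{ peer.note | default('') }}` leaves only `public_key`, `allowed_ips` and `endpoint` mandatory. The `/etc/wireguard/private.key` path in `PostUp` is unchanged, but now that the interface name is a variable, a per-interface key path may be worth considering so two interfaces on one host do not share a key.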