fix(system/wg-admin): use variables
Signed-off-by: Matej Focko <me@mfocko.xyz>
parent
741f570235
commit
749be7227e
4 changed files with 57 additions and 28 deletions
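--- a/roles/system/wg-admin/defaults/main.yml
+++ b/roles/system/wg-admin/defaults/main.yml
@@ -0,0 +1,22 @@
+---
+# IP address assigned to the wireguard peer
+system_wg_admin_address: "192.168.0.2/32"
+
+# Domain that is used with local DNS on the VPN
+system_wg_admin_domain: "localdomain"
+
+# IP address of the gateway on the VPN
+system_wg_admin_gateway: "192.168.0.1"
+
+# Interface name for the wireguard connection
+system_wg_admin_ifname: "wg-something"
+
+# Peers of the VPN, list of objects with the following format:
+#
+# - note: ‹comment that gets put above the peer›
+# public_key: ‹public key of the peer›
+# allowed_ips: 192.168.0.0/24
+# endpoint: localhost:51820
+# # if bool(keepalive) → gets included in the config
+# keepalive: 20
+system_wg_admin_peers: []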
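Review bot: The comment above `system_wg_admin_address` calls it an "IP address", but the value is now the complete WireGuard `Address=` entry: the new template renders `{{ address }}` verbatim, whereas the deleted `wg-admin.conf` appended `/20` itself, so the prefix length has silently moved into this variable and anyone overriding it with a bare address changes the interface's on-link routing. Suggest `# Address of this wireguard peer including prefix length (rendered verbatim into Address=, e.g. 192.168.0.2/32)`. The peer format block should also say which keys the template treats as mandatory — it reads `note`, `public_key`, `allowed_ips` and `endpoint` unconditionally and only `keepalive` is guarded — so a peer entry missing any of the first four fails at render time rather than being skipped.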
@ -24,21 +24,24 @@
|
||||||
|
|
||||||
- name: Set dns_command for co-openSUSE
|
- name: Set dns_command for co-openSUSE
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
wg_dns_command: "resolvectl dns %i 10.42.0.1; resolvectl domain %i ~admin"
|
wg_dns_command: "resolvectl dns %i {{ system_wg_admin_gateway }}; resolvectl domain %i ~{{ system_wg_admin_domain }}"
|
||||||
when: '"openSUSE" not in ansible_distribution'
|
when: '"openSUSE" not in ansible_distribution'
|
||||||
|
|
||||||
- name: Set dns_command for openSUSE
|
- name: Set dns_command for openSUSE
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
wg_dns_command: "nmcli con mod %i ipv4.dns 10.42.0.1; nmcli con mod %i ipv4.dns-search ~admin"
|
wg_dns_command: "nmcli con mod %i ipv4.dns {{ system_wg_admin_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ system_wg_admin_domain }}"
|
||||||
when: '"openSUSE" in ansible_distribution'
|
when: '"openSUSE" in ansible_distribution'
|
||||||
|
|
||||||
- name: Create the config
|
- name: Create the config
|
||||||
vars:
|
vars:
|
||||||
address: "{{ wg_admin_address }}"
|
address: "{{ system_wg_admin_address }}"
|
||||||
dns_command: "{{ wg_dns_command }}"
|
dns_command: "{{ wg_dns_command }}"
|
||||||
|
domain: "{{ system_wg_admin_domain }}"
|
||||||
|
gateway: "{{ system_wg_admin_gateway }}"
|
||||||
|
peers: "{{ systemg_wg_admin_peers }}"
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: wg-admin.conf
|
src: "{{ system_wg_admin_ifname }}.conf"
|
||||||
dest: /etc/wireguard/wg-admin.conf
|
dest: "/etc/wireguard/{{ system_wg_admin_ifname }}.conf"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
|
@ -49,6 +52,6 @@
|
||||||
|
|
||||||
- name: Enable and start the wireguard connection
|
- name: Enable and start the wireguard connection
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: "wg-quick@wg-admin"
|
name: "wg-quick@{{ system_wg_admin_ifname }}"
|
||||||
enabled: yes
|
enabled: yes
|
||||||
state: started
|
state: started
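Review bot: `peers: "{{ systemg_wg_admin_peers }}"` in the vars of `Create the config` misspells the variable introduced in defaults/main.yml (`system_wg_admin_peers`), so the template render fails on an undefined variable the first time `{% for peer in peers %}` is evaluated; it should read `peers: "{{ system_wg_admin_peers }}"`. `src: "{{ system_wg_admin_ifname }}.conf"` also ties the template file name to the interface name, yet the only template this commit leaves in the role is `templates/wg.conf` (the old `wg-admin.conf` is deleted), so the default `wg-something` looks up a `wg-something.conf` that does not exist — `src: wg.conf` keeps the interface name where it belongs, in `dest` and the `wg-quick@` unit name. Lastly, the template task carries no `notify` and the service task only asserts `state: started`, so a changed config is not applied to an already-running interface unless a handler outside these hunks covers it.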
|
||||||
|
|
|
@ -1,22 +0,0 @@
|
||||||
[Interface]
|
|
||||||
# Assign the static IP
|
|
||||||
Address = {{ address }}/20
|
|
||||||
|
|
||||||
# Set the DNS
|
|
||||||
DNS = 10.42.0.1, admin
|
|
||||||
|
|
||||||
# Set the DNS for the connection
|
|
||||||
PostUp = {{ dns_command }}
|
|
||||||
|
|
||||||
# Load the private key
|
|
||||||
PostUp = wg set %i private-key /etc/wireguard/private.key
|
|
||||||
|
|
||||||
# FIXME: Ping the VPN server to initiate the connection
|
|
||||||
# PostUp = ping -c3 10.42.0.1
|
|
||||||
|
|
||||||
# poincare
|
|
||||||
[Peer]
|
|
||||||
PublicKey = DFvcdIvT4ulnQfRejbzUV/LJqUEYRWlAhtHKM65G92Y=
|
|
||||||
AllowedIPs = 10.42.0.0/20
|
|
||||||
Endpoint = mfocko.xyz:51820
|
|
||||||
PersistentKeepAlive = 20
|
|
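--- a/roles/system/wg-admin/templates/wg.conf
+++ b/roles/system/wg-admin/templates/wg.conf
@@ -0,0 +1,26 @@
+[Interface]
+# Assign the static IP
+Address = {{ address }}
+
+# Set the DNS
+DNS = {{ gateway }}, {{ domain }}
+
+# Set the DNS for the connection
+PostUp = {{ dns_command }}
+
+# Load the private key
+PostUp = wg set %i private-key /etc/wireguard/private.key
+
+# FIXME: Ping the VPN server to initiate the connection
+# PostUp = ping -c3 {{ gateway }}
+{% for peer in peers %}
+
+# {{ peer.note }}
+[Peer]
+PublicKey = {{ peer.public_key }}
+AllowedIPs = {{ peer.allowed_ips }}
+Endpoint = {{ peer.endpoint }}
+{% if peer.keepalive %}
+PersistentKeepAlive = {{ peer.keepalive }}
+{% endif %}
+{% endfor %}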
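Review bot: `{% if peer.keepalive %}` does not implement the optional `keepalive` documented in defaults/main.yml ("if bool(keepalive) → gets included"): Ansible renders templates with undefined values treated as errors, so testing a missing `keepalive` attribute in an `if` is expected to abort the render rather than evaluate to false, forcing every peer to carry the key. `{% if peer.keepalive | default(false) %}` makes the documented contract hold. The `{% for %}`, `{% if %}` and `{% endfor %}` control lines each leave an empty line in the rendered config; `{%- ... -%}` trims them if the output is meant to stay clean. The private key is still read from the fixed path `/etc/wireguard/private.key`, which nothing in this commit creates or permission-checks, so the role presumably relies on that file being provisioned elsewhere with root-only mode — worth a comment at that `PostUp` line.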