fix(system/wg-admin): use variables

Signed-off-by: Matej Focko <me@mfocko.xyz>

roles/system/wg-admin/defaults/main.yml

@@ -0,0 +1,22 @@
+---
+# IP address assigned to the wireguard peer
+system_wg_admin_address: "192.168.0.2/32"
+
+# Domain that is used with local DNS on the VPN
+system_wg_admin_domain: "localdomain"
+
+# IP address of the gateway on the VPN
+system_wg_admin_gateway: "192.168.0.1"
+
+# Interface name for the wireguard connection
+system_wg_admin_ifname: "wg-something"
+
+# Peers of the VPN, list of objects with the following format:
+#
+#     - note: ‹comment that gets put above the peer›
+#       public_key: ‹public key of the peer›
+#       allowed_ips: 192.168.0.0/24
+#       endpoint: localhost:51820
+#       # if bool(keepalive) → gets included in the config
+#       keepalive: 20
+system_wg_admin_peers: []

roles/system/wg-admin/tasks/main.yml

@@ -24,21 +24,24 @@
 
 - name: Set dns_command for co-openSUSE
   ansible.builtin.set_fact:
-    wg_dns_command: "resolvectl dns %i 10.42.0.1; resolvectl domain %i ~admin"
+    wg_dns_command: "resolvectl dns %i {{ system_wg_admin_gateway }}; resolvectl domain %i ~{{ system_wg_admin_domain }}"
   when: '"openSUSE" not in ansible_distribution'
 
 - name: Set dns_command for openSUSE
   ansible.builtin.set_fact:
-    wg_dns_command: "nmcli con mod %i ipv4.dns 10.42.0.1; nmcli con mod %i ipv4.dns-search ~admin"
+    wg_dns_command: "nmcli con mod %i ipv4.dns {{ system_wg_admin_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ system_wg_admin_domain }}"
   when: '"openSUSE" in ansible_distribution'
 
 - name: Create the config
   vars:
-    address: "{{ wg_admin_address }}"
+    address: "{{ system_wg_admin_address }}"
     dns_command: "{{ wg_dns_command }}"
+    domain: "{{ system_wg_admin_domain }}"
+    gateway: "{{ system_wg_admin_gateway }}"
+    peers: "{{ systemg_wg_admin_peers }}"
   ansible.builtin.template:
-    src: wg-admin.conf
+    src: "{{ system_wg_admin_ifname }}.conf"
-    dest: /etc/wireguard/wg-admin.conf
+    dest: "/etc/wireguard/{{ system_wg_admin_ifname }}.conf"
     owner: root
     group: root
     mode: "0600"
@@ -49,6 +52,6 @@
 
 - name: Enable and start the wireguard connection
   ansible.builtin.service:
-    name: "wg-quick@wg-admin"
+    name: "wg-quick@{{ system_wg_admin_ifname }}"
     enabled: yes
     state: started

roles/system/wg-admin/templates/wg-admin.conf

@@ -1,22 +0,0 @@
-[Interface]
-# Assign the static IP
-Address = {{ address }}/20
-
-# Set the DNS
-DNS = 10.42.0.1, admin
-
-# Set the DNS for the connection
-PostUp = {{ dns_command }}
-
-# Load the private key
-PostUp = wg set %i private-key /etc/wireguard/private.key
-
-# FIXME: Ping the VPN server to initiate the connection
-# PostUp = ping -c3 10.42.0.1
-
-# poincare
-[Peer]
-PublicKey = DFvcdIvT4ulnQfRejbzUV/LJqUEYRWlAhtHKM65G92Y=
-AllowedIPs = 10.42.0.0/20
-Endpoint = mfocko.xyz:51820
-PersistentKeepAlive = 20

roles/system/wg-admin/templates/wg.conf

@@ -0,0 +1,26 @@
+[Interface]
+# Assign the static IP
+Address = {{ address }}
+
+# Set the DNS
+DNS = {{ gateway }}, {{ domain }}
+
+# Set the DNS for the connection
+PostUp = {{ dns_command }}
+
+# Load the private key
+PostUp = wg set %i private-key /etc/wireguard/private.key
+
+# FIXME: Ping the VPN server to initiate the connection
+# PostUp = ping -c3 {{ gateway }}
+{% for peer in peers %}
+
+# {{ peer.note }}
+[Peer]
+PublicKey = {{ peer.public_key }}
+AllowedIPs = {{ peer.allowed_ips }}
+Endpoint = {{ peer.endpoint }}
+{% if peer.keepalive %}
+PersistentKeepAlive = {{ peer.keepalive }}
+{% endif %}
+{% endfor %}