chore(wg): factor out the wireguard role
Signed-off-by: Matej Focko <me@mfocko.xyz>
This commit is contained in:
parent
f0d4f84ec7
commit
bc2d4a291e
7 changed files with 50 additions and 20 deletions
|
@ -37,3 +37,15 @@ cloudflare_zone: None
|
|||
|
||||
# Public ID tied to the Yubikey OTP
|
||||
yubikey_token_id: None
|
||||
|
||||
# Wireguard connections
|
||||
# List of connections to set up, example:
|
||||
#
|
||||
# - ifname: ‹interface name›
|
||||
# generate_keypair: true/false
|
||||
# domain: ‹domain, adjust DNS resolution, if set›
|
||||
# gateway: ‹part of the DNS resolution setup›
|
||||
# address: ‹assigned address on the VPN›
|
||||
# peers:
|
||||
# - { note, public_key, allowed_ips, endpoint, keepalive }
|
||||
wg_connections: []
|
||||
|
|
|
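Review bot: The key list under `# - ifname:` does not say which keys may be omitted, yet `domain` is described as optional ("if set") while the playbook hunk in this same commit reads every key of each item unconditionally, so an entry without `domain` or `gateway` fails the include with an undefined-attribute error instead of skipping DNS setup. I would state the contract in the comment: `# Every key is read for each connection; set domain to "" to skip DNS setup` and `# generate_keypair: true creates the key only if none exists yet; false expects it to be present already`. The key-generation behaviour is inferred from the `creates:` guard in the role's tasks hunk, so confirm it against that file before wording the comment.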
@ -36,11 +36,6 @@
|
|||
become: true
|
||||
tags: sshd
|
||||
|
||||
# Install the Wireguard admin VPN
|
||||
- role: system/wg-admin
|
||||
become: true
|
||||
tags: wg-admin
|
||||
|
||||
# Handle basic user configuration
|
||||
- user/base
|
||||
|
||||
|
@ -100,3 +95,20 @@
|
|||
# Install and configure Helix
|
||||
- role: user/editors/helix
|
||||
tags: helix
|
||||
|
||||
tasks:
|
||||
# Install the Wireguard VPNs
|
||||
- name: Wireguard
|
||||
ansible.builtin.include_role:
|
||||
name: wg
|
||||
apply:
|
||||
become: true
|
||||
with_items: "{{ wg_connections }}"
|
||||
vars:
|
||||
wg_ifname: "{{ item.ifname }}"
|
||||
wg_generate_keypair: "{{ item.generate_keypair }}"
|
||||
wg_domain: "{{ item.domain }}"
|
||||
wg_gateway: "{{ item.gateway }}"
|
||||
wg_address: "{{ item.address }}"
|
||||
wg_peers: "{{ item.peers }}"
|
||||
tags: wireguard
|
||||
|
|
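Review bot: The `vars:` block of the `Wireguard` include dereferences `item.generate_keypair`, `item.domain` and `item.gateway` without defaults, although the same commit documents `domain` as optional and guards the template on `{% if domain %}`; a `wg_connections` entry that leaves those keys out aborts the include on an undefined attribute rather than skipping DNS. Defaults matching the role's own defaults file would make the documented behaviour real: `wg_generate_keypair: "{{ item.generate_keypair | default(false) }}"`, `wg_domain: "{{ item.domain | default('') }}"`, `wg_gateway: "{{ item.gateway | default('') }}"`. On style, `with_items` is the legacy form; `loop:` with `loop_control: {label: "{{ item.ifname }}"}` would also keep each iteration's output to the interface name instead of printing every peer's endpoint and key. The enclosing play starts before this hunk.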
|
@ -1,15 +1,15 @@
|
|||
---
|
||||
# IP address assigned to the wireguard peer
|
||||
system_wg_admin_address: "192.168.0.2/32"
|
||||
wg_address: "192.168.0.2/32"
|
||||
|
||||
# Domain that is used with local DNS on the VPN
|
||||
system_wg_admin_domain: "localdomain"
|
||||
wg_domain: "localdomain"
|
||||
|
||||
# IP address of the gateway on the VPN
|
||||
system_wg_admin_gateway: "192.168.0.1"
|
||||
wg_gateway: "192.168.0.1"
|
||||
|
||||
# Interface name for the wireguard connection
|
||||
system_wg_admin_ifname: "wg-something"
|
||||
wg_ifname: "wg-something"
|
||||
|
||||
# Peers of the VPN, list of objects with the following format:
|
||||
#
|
||||
|
@ -19,4 +19,7 @@ system_wg_admin_ifname: "wg-something"
|
|||
# endpoint: localhost:51820
|
||||
# # if bool(keepalive) → gets included in the config
|
||||
# keepalive: 20
|
||||
system_wg_admin_peers: []
|
||||
wg_peers: []
|
||||
|
||||
# By default don't generate the keypair and reuse the existing one
|
||||
wg_generate_keypair: false
|
|
@ -12,6 +12,7 @@
|
|||
|
||||
chdir: /etc/wireguard
|
||||
creates: /etc/wireguard/private.key
|
||||
when: wg_generate_keypair
|
||||
|
||||
- name: Get public key
|
||||
ansible.builtin.command: cat /etc/wireguard/public.key
|
||||
|
@ -24,34 +25,34 @@
|
|||
|
||||
- name: Set dns_command for co-openSUSE
|
||||
ansible.builtin.set_fact:
|
||||
wg_dns_command: "resolvectl dns %i {{ system_wg_admin_gateway }}; resolvectl domain %i ~{{ system_wg_admin_domain }}"
|
||||
wg_dns_command: "resolvectl dns %i {{ wg_gateway }}; resolvectl domain %i ~{{ wg_domain }}"
|
||||
when: '"openSUSE" not in ansible_distribution'
|
||||
|
||||
- name: Set dns_command for openSUSE
|
||||
ansible.builtin.set_fact:
|
||||
wg_dns_command: "nmcli con mod %i ipv4.dns {{ system_wg_admin_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ system_wg_admin_domain }}"
|
||||
wg_dns_command: "nmcli con mod %i ipv4.dns {{ wg_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ wg_domain }}"
|
||||
when: '"openSUSE" in ansible_distribution'
|
||||
|
||||
- name: Create the config
|
||||
vars:
|
||||
address: "{{ system_wg_admin_address }}"
|
||||
address: "{{ wg_address }}"
|
||||
dns_command: "{{ wg_dns_command }}"
|
||||
domain: "{{ system_wg_admin_domain }}"
|
||||
gateway: "{{ system_wg_admin_gateway }}"
|
||||
peers: "{{ systemg_wg_admin_peers }}"
|
||||
domain: "{{ wg_domain }}"
|
||||
gateway: "{{ wg_gateway }}"
|
||||
peers: "{{ wg_peers }}"
|
||||
ansible.builtin.template:
|
||||
src: "{{ system_wg_admin_ifname }}.conf"
|
||||
dest: "/etc/wireguard/{{ system_wg_admin_ifname }}.conf"
|
||||
src: "{{ wg_ifname }}.conf"
|
||||
dest: "/etc/wireguard/{{ wg_ifname }}.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0600"
|
||||
|
||||
- name: Set up the DNS on AlmaLinux
|
||||
ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml"
|
||||
when: ansible_distribution == "AlmaLinux"
|
||||
when: domain and ansible_distribution == "AlmaLinux"
|
||||
|
||||
- name: Enable and start the wireguard connection
|
||||
ansible.builtin.service:
|
||||
name: "wg-quick@{{ system_wg_admin_ifname }}"
|
||||
name: "wg-quick@{{ wg_ifname }}"
|
||||
enabled: yes
|
||||
state: started
|
|
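Review bot: `when: domain and ansible_distribution == "AlmaLinux"` on the "Set up the DNS on AlmaLinux" task uses `domain`, which on this page exists only as a task-scoped `vars:` entry of the preceding "Create the config" task; task-level vars do not carry over to the next task, so unless `domain` is defined somewhere outside this hunk the conditional errors on an undefined variable for every AlmaLinux host. The role-level variable is what the surrounding tasks already use, so the condition should be `when: wg_domain and ansible_distribution == "AlmaLinux"`. The new `when: wg_generate_keypair` also sits on a task whose `creates: /etc/wireguard/private.key` guard is shared by every connection now that the role is included per `wg_connections` entry, so a second connection with `generate_keypair: true` silently reuses the first one's key; a per-interface path such as `/etc/wireguard/{{ wg_ifname }}.key` (here and in the template's `PostUp`) would give each VPN its own identity. The name and command of that generation task lie above the first hunk of this file.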
@ -2,11 +2,13 @@
|
|||
# Assign the static IP
|
||||
Address = {{ address }}
|
||||
|
||||
{% if domain %}
|
||||
# Set the DNS
|
||||
DNS = {{ gateway }}, {{ domain }}
|
||||
|
||||
# Set the DNS for the connection
|
||||
PostUp = {{ dns_command }}
|
||||
{% endif %}
|
||||
|
||||
# Load the private key
|
||||
PostUp = wg set %i private-key /etc/wireguard/private.key
|
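Review bot: `PostUp = wg set %i private-key /etc/wireguard/private.key` (a context line here) loads one key file for every interface rendered from this template, and this commit turns the role into one that runs once per `wg_connections` entry, so all VPNs on a host now share a single WireGuard identity and a later connection's `generate_keypair: true` can never produce a fresh key while the first one's file exists. A per-interface file, `PostUp = wg set %i private-key /etc/wireguard/{{ ifname }}.key`, with `ifname: "{{ wg_ifname }}"` added to the config task's `vars:` and the same path used by the key-generation task, keeps the identities separate. The section header before `Address` and the peer entries after `PostUp` lie outside this hunk, so I cannot tell whether `%i` is also used there.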