chore(wg): factor out the wireguard role

Signed-off-by: Matej Focko <me@mfocko.xyz>
2024-07-12 19:53:09 +02:00 · 2024-07-12 19:53:09 +02:00 · bc2d4a291e
commit bc2d4a291e
parent f0d4f84ec7
7 changed files with 50 additions and 20 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -37,3 +37,15 @@ cloudflare_zone: None

 # Public ID tied to the Yubikey OTP
 yubikey_token_id: None
+
+# Wireguard connections
+# List of connections to set up, example:
+#
+#     - ifname: ‹interface name›
+#       generate_keypair: true/false
+#       domain: ‹domain, adjust DNS resolution, if set›
+#       gateway: ‹part of the DNS resolution setup›
+#       address: ‹assigned address on the VPN›
+#       peers:
+#         - { note, public_key, allowed_ips, endpoint, keepalive }
+wg_connections: []
--- a/playbooks/bootstrap.yml
+++ b/playbooks/bootstrap.yml
@ -36,11 +36,6 @@
      become: true
      tags: sshd

-    # Install the Wireguard admin VPN
-    - role: system/wg-admin
-      become: true
-      tags: wg-admin
-
    # Handle basic user configuration
    - user/base

@ -100,3 +95,20 @@
    # Install and configure Helix
    - role: user/editors/helix
      tags: helix
+
+  tasks:
+    # Install the Wireguard VPNs
+    - name: Wireguard
+      ansible.builtin.include_role:
+        name: wg
+        apply:
+          become: true
+      with_items: "{{ wg_connections }}"
+      vars:
+        wg_ifname: "{{ item.ifname }}"
+        wg_generate_keypair: "{{ item.generate_keypair }}"
+        wg_domain: "{{ item.domain }}"
+        wg_gateway: "{{ item.gateway }}"
+        wg_address: "{{ item.address }}"
+        wg_peers: "{{ item.peers }}"
+      tags: wireguard
--- a/roles/system/wg-admin/defaults/main.yml
+++ b/roles/system/wg-admin/defaults/main.yml
@ -1,15 +1,15 @@
 ---
 # IP address assigned to the wireguard peer
-system_wg_admin_address: "192.168.0.2/32"
+wg_address: "192.168.0.2/32"

 # Domain that is used with local DNS on the VPN
-system_wg_admin_domain: "localdomain"
+wg_domain: "localdomain"

 # IP address of the gateway on the VPN
-system_wg_admin_gateway: "192.168.0.1"
+wg_gateway: "192.168.0.1"

 # Interface name for the wireguard connection
-system_wg_admin_ifname: "wg-something"
+wg_ifname: "wg-something"

 # Peers of the VPN, list of objects with the following format:
 #
@ -19,4 +19,7 @@ system_wg_admin_ifname: "wg-something"
 #       endpoint: localhost:51820
 #       # if bool(keepalive) → gets included in the config
 #       keepalive: 20
-system_wg_admin_peers: []
+wg_peers: []
+
+# By default don't generate the keypair and reuse the existing one
+wg_generate_keypair: false
--- a/roles/system/wg-admin/tasks/dns_AlmaLinux.yml
+++ b/roles/system/wg-admin/tasks/dns_AlmaLinux.yml
--- a/roles/system/wg-admin/tasks/install.yml
+++ b/roles/system/wg-admin/tasks/install.yml
--- a/roles/system/wg-admin/tasks/main.yml
+++ b/roles/system/wg-admin/tasks/main.yml
@ -12,6 +12,7 @@

    chdir: /etc/wireguard
    creates: /etc/wireguard/private.key
+  when: wg_generate_keypair

 - name: Get public key
  ansible.builtin.command: cat /etc/wireguard/public.key
@ -24,34 +25,34 @@

 - name: Set dns_command for co-openSUSE
  ansible.builtin.set_fact:
-    wg_dns_command: "resolvectl dns %i {{ system_wg_admin_gateway }}; resolvectl domain %i ~{{ system_wg_admin_domain }}"
+    wg_dns_command: "resolvectl dns %i {{ wg_gateway }}; resolvectl domain %i ~{{ wg_domain }}"
  when: '"openSUSE" not in ansible_distribution'

 - name: Set dns_command for openSUSE
  ansible.builtin.set_fact:
-    wg_dns_command: "nmcli con mod %i ipv4.dns {{ system_wg_admin_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ system_wg_admin_domain }}"
+    wg_dns_command: "nmcli con mod %i ipv4.dns {{ wg_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ wg_domain }}"
  when: '"openSUSE" in ansible_distribution'

 - name: Create the config
  vars:
-    address: "{{ system_wg_admin_address }}"
+    address: "{{ wg_address }}"
    dns_command: "{{ wg_dns_command }}"
-    domain: "{{ system_wg_admin_domain }}"
-    gateway: "{{ system_wg_admin_gateway }}"
-    peers: "{{ systemg_wg_admin_peers }}"
+    domain: "{{ wg_domain }}"
+    gateway: "{{ wg_gateway }}"
+    peers: "{{ wg_peers }}"
  ansible.builtin.template:
-    src: "{{ system_wg_admin_ifname }}.conf"
-    dest: "/etc/wireguard/{{ system_wg_admin_ifname }}.conf"
+    src: "{{ wg_ifname }}.conf"
+    dest: "/etc/wireguard/{{ wg_ifname }}.conf"
    owner: root
    group: root
    mode: "0600"

 - name: Set up the DNS on AlmaLinux
  ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml"
-  when: ansible_distribution == "AlmaLinux"
+  when: domain and ansible_distribution == "AlmaLinux"

 - name: Enable and start the wireguard connection
  ansible.builtin.service:
-    name: "wg-quick@{{ system_wg_admin_ifname }}"
+    name: "wg-quick@{{ wg_ifname }}"
    enabled: yes
    state: started
--- a/roles/system/wg-admin/templates/wg.conf
+++ b/roles/system/wg-admin/templates/wg.conf
@ -2,11 +2,13 @@
 # Assign the static IP
 Address = {{ address }}

+{% if domain %}
 # Set the DNS
 DNS = {{ gateway }}, {{ domain }}

 # Set the DNS for the connection
 PostUp = {{ dns_command }}
+{% endif %}

 # Load the private key
 PostUp = wg set %i private-key /etc/wireguard/private.key