diff --git a/defaults/main.yml b/defaults/main.yml index ae50c48..d382919 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -37,3 +37,15 @@ cloudflare_zone: None # Public ID tied to the Yubikey OTP yubikey_token_id: None + +# Wireguard connections +# List of connections to set up, example: +# +# - ifname: ‹interface name› +# generate_keypair: true/false +# domain: ‹domain, adjust DNS resolution, if set› +# gateway: ‹part of the DNS resolution setup› +# address: ‹assigned address on the VPN› +# peers: +# - { note, public_key, allowed_ips, endpoint, keepalive } +wg_connections: [] diff --git a/playbooks/bootstrap.yml b/playbooks/bootstrap.yml index e776fcc..786be94 100644 --- a/playbooks/bootstrap.yml +++ b/playbooks/bootstrap.yml @@ -36,11 +36,6 @@ become: true tags: sshd - # Install the Wireguard admin VPN - - role: system/wg-admin - become: true - tags: wg-admin - # Handle basic user configuration - user/base @@ -100,3 +95,20 @@ # Install and configure Helix - role: user/editors/helix tags: helix + + tasks: + # Install the Wireguard VPNs + - name: Wireguard + ansible.builtin.include_role: + name: wg + apply: + become: true + with_items: "{{ wg_connections }}" + vars: + wg_ifname: "{{ item.ifname }}" + wg_generate_keypair: "{{ item.generate_keypair }}" + wg_domain: "{{ item.domain }}" + wg_gateway: "{{ item.gateway }}" + wg_address: "{{ item.address }}" + wg_peers: "{{ item.peers }}" + tags: wireguard diff --git a/roles/system/wg-admin/defaults/main.yml b/roles/wg/defaults/main.yml similarity index 70% rename from roles/system/wg-admin/defaults/main.yml rename to roles/wg/defaults/main.yml index 5699801..86df952 100644 --- a/roles/system/wg-admin/defaults/main.yml +++ b/roles/wg/defaults/main.yml 
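Review bot: The per-peer example `- { note, public_key, allowed_ips, endpoint, keepalive }` names the fields but not their format, while the only place the value rules are written (endpoint as `host:port`, keepalive emitted only when truthy) is the comment block in roles/wg/defaults/main.yml, which someone editing this inventory-level file will not see. A one-line pointer keeps the two in step: `#   (per-peer field formats are documented in roles/wg/defaults/main.yml)`. The text also describes `domain` as used "if set" but gives no value for the unset case; saying explicitly that an empty string disables the DNS setup would remove the guesswork.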
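Review bot: Every `item.*` lookup in the `vars:` block is unconditional, so a `wg_connections` entry that omits a key (the defaults comment presents `domain` as optional, "if set") fails the task for that host with an undefined-variable error instead of skipping DNS. Apply defaults for the optional fields, e.g. `wg_generate_keypair: "{{ item.generate_keypair | default(false) }}"`, `wg_domain: "{{ item.domain | default('') }}"` and `wg_gateway: "{{ item.gateway | default('') }}"`, which lines up with the `{% if domain %}` gate the commit adds to the template. As a point of style, `loop: "{{ wg_connections }}"` is the current form of `with_items` and does not flatten nested lists, and a `loop_control:` with `label: "{{ item.ifname }}"` keeps the task output from echoing every peer's public key and endpoint on each iteration.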
@@ -1,15 +1,15 @@ --- # IP address assigned to the wireguard peer -system_wg_admin_address: "192.168.0.2/32" +wg_address: "192.168.0.2/32" # Domain that is used with local DNS on the VPN -system_wg_admin_domain: "localdomain" +wg_domain: "localdomain" # IP address of the gateway on the VPN -system_wg_admin_gateway: "192.168.0.1" +wg_gateway: "192.168.0.1" # Interface name for the wireguard connection -system_wg_admin_ifname: "wg-something" +wg_ifname: "wg-something" # Peers of the VPN, list of objects with the following format: # @@ -19,4 +19,7 @@ system_wg_admin_ifname: "wg-something" # endpoint: localhost:51820 # # if bool(keepalive) → gets included in the config # keepalive: 20 -system_wg_admin_peers: [] +wg_peers: [] + +# By default don't generate the keypair and reuse the existing one +wg_generate_keypair: false diff --git a/roles/system/wg-admin/tasks/dns_AlmaLinux.yml b/roles/wg/tasks/dns_AlmaLinux.yml similarity index 100% rename from roles/system/wg-admin/tasks/dns_AlmaLinux.yml rename to roles/wg/tasks/dns_AlmaLinux.yml diff --git a/roles/system/wg-admin/tasks/install.yml b/roles/wg/tasks/install.yml similarity index 100% rename from roles/system/wg-admin/tasks/install.yml rename to roles/wg/tasks/install.yml diff --git a/roles/system/wg-admin/tasks/main.yml b/roles/wg/tasks/main.yml similarity index 64% rename from roles/system/wg-admin/tasks/main.yml rename to roles/wg/tasks/main.yml index 075ff87..714de6a 100644 --- a/roles/system/wg-admin/tasks/main.yml +++ b/roles/wg/tasks/main.yml @@ -12,6 +12,7 @@ chdir: /etc/wireguard creates: /etc/wireguard/private.key + when: wg_generate_keypair - name: Get public key ansible.builtin.command: cat /etc/wireguard/public.key 
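Review bot: `wg_domain` defaults to `"localdomain"`, and with this commit an empty `domain` is what switches the DNS handling off (`{% if domain %}` in templates/wg.conf and `when: domain and …` in tasks/main.yml), yet the comment above it still only says the domain is used with local DNS. Document the opt-out so callers know it exists: `# Domain that is used with local DNS on the VPN; set it to "" to leave the resolver untouched`. As far as the hunks show, `wg_gateway` is only consumed inside that conditional block, so a similar remark on its comment would avoid the impression that a gateway is required when no domain is set.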
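Review bot: The comment `# By default don't generate the keypair and reuse the existing one` reads as if `true` produced a fresh keypair, but the generating task in roles/wg/tasks/main.yml keeps `creates: /etc/wireguard/private.key`, so with `true` the key is created only when that file is absent and an existing key is never replaced. State the actual contract: `# When true, create /etc/wireguard/private.key on first run; an existing key is never overwritten`.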
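Review bot: `when: wg_generate_keypair` gates a task whose `creates:` and `chdir:` still point at the fixed path `/etc/wireguard/private.key`, and the template in this commit loads the same path, so now that the role is included once per `wg_connections` entry every interface on a host shares one private key and a second connection can never get its own. If separate identities per VPN are intended, derive the path from the interface, e.g. `creates: "/etc/wireguard/{{ wg_ifname }}.key"` here and the matching `private-key /etc/wireguard/{{ wg_ifname }}.key` in templates/wg.conf, with the `cat` of public.key in the next task following suit. The generating task starts outside the hunk, so its command line could not be checked.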
@@ -24,34 +25,34 @@ - name: Set dns_command for co-openSUSE ansible.builtin.set_fact: - wg_dns_command: "resolvectl dns %i {{ system_wg_admin_gateway }}; resolvectl domain %i ~{{ system_wg_admin_domain }}" + wg_dns_command: "resolvectl dns %i {{ wg_gateway }}; resolvectl domain %i ~{{ wg_domain }}" when: '"openSUSE" not in ansible_distribution' - name: Set dns_command for openSUSE ansible.builtin.set_fact: - wg_dns_command: "nmcli con mod %i ipv4.dns {{ system_wg_admin_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ system_wg_admin_domain }}" + wg_dns_command: "nmcli con mod %i ipv4.dns {{ wg_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ wg_domain }}" when: '"openSUSE" in ansible_distribution' - name: Create the config vars: - address: "{{ system_wg_admin_address }}" + address: "{{ wg_address }}" dns_command: "{{ wg_dns_command }}" - domain: "{{ system_wg_admin_domain }}" - gateway: "{{ system_wg_admin_gateway }}" - peers: "{{ systemg_wg_admin_peers }}" + domain: "{{ wg_domain }}" + gateway: "{{ wg_gateway }}" + peers: "{{ wg_peers }}" ansible.builtin.template: - src: "{{ system_wg_admin_ifname }}.conf" - dest: "/etc/wireguard/{{ system_wg_admin_ifname }}.conf" + src: "{{ wg_ifname }}.conf" + dest: "/etc/wireguard/{{ wg_ifname }}.conf" owner: root group: root mode: "0600" - name: Set up the DNS on AlmaLinux ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml" - when: ansible_distribution == "AlmaLinux" + when: domain and ansible_distribution == "AlmaLinux" - name: Enable and start the wireguard connection ansible.builtin.service: - name: "wg-quick@{{ system_wg_admin_ifname }}" + name: "wg-quick@{{ wg_ifname }}" enabled: yes state: started diff --git a/roles/system/wg-admin/templates/wg.conf b/roles/wg/templates/wg.conf similarity index 95% rename from roles/system/wg-admin/templates/wg.conf rename to roles/wg/templates/wg.conf index bc9ded8..d7c6c09 100644 --- a/roles/system/wg-admin/templates/wg.conf +++ b/roles/wg/templates/wg.conf 
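Review bot: `when: domain and ansible_distribution == "AlmaLinux"` references `domain`, which is only defined in the task-scoped `vars:` of the preceding "Create the config" task and is not visible to this task, so unless something outside the role sets it the include fails on AlmaLinux with an undefined-variable error instead of being skipped. Use the role variable instead: `when: wg_domain and ansible_distribution == "AlmaLinux"`. Separately, `src: "{{ wg_ifname }}.conf"` resolves the template by interface name while, as far as this diff shows, the role ships only `templates/wg.conf`, so a connection named anything but `wg` needs a template supplied from elsewhere; if that is not intended, `src: wg.conf` would do.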
@@ -2,11 +2,13 @@ # Assign the static IP Address = {{ address }} +{% if domain %} # Set the DNS DNS = {{ gateway }}, {{ domain }} # Set the DNS for the connection PostUp = {{ dns_command }} +{% endif %} # Load the private key PostUp = wg set %i private-key /etc/wireguard/private.key
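Review bot: The new `{% if domain %}` block carries no comment saying that an empty `domain` deliberately leaves the system resolver alone, and within this hunk `gateway` and `dns_command` are consumed nowhere else, so a reader of the rendered config sees only a missing DNS line with no hint why. Add a rendered comment just before the block, matching the file's existing `#` lines: `# DNS is configured only when a domain is given; gateway and dns_command are unused otherwise`. Keeping it outside the `{% if %}` means it survives into the config in both cases.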