chore(wg): factor out the wireguard role

Signed-off-by: Matej Focko <me@mfocko.xyz>
Matej Focko 2024-07-12 19:53:09 +02:00
parent f0d4f84ec7
commit bc2d4a291e
Signed by: mfocko
SSH key fingerprint: SHA256:icm0fIOSJUpy5+1x23sfr+hLtF9UhY8VpMC7H4WFJP8
7 changed files with 50 additions and 20 deletions


@ -37,3 +37,15 @@ cloudflare_zone: None
# Public ID tied to the Yubikey OTP # Public ID tied to the Yubikey OTP
yubikey_token_id: None yubikey_token_id: None
# Wireguard connections
# List of connections to set up, example:
#
# - ifname: interface name
# generate_keypair: true/false
# domain: domain, adjust DNS resolution, if set
# gateway: part of the DNS resolution setup
# address: assigned address on the VPN
# peers:
# - { note, public_key, allowed_ips, endpoint, keepalive }
wg_connections: []
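Review bot: The example marks `domain` as optional ("if set"), but the playbook that consumes `wg_connections` reads every key of each item unconditionally (`wg_domain: "{{ item.domain }}"`), so an entry that omits `domain` fails on an undefined attribute instead of skipping the DNS setup. The comment should say which keys are mandatory and how to express "no domain"; since the role's template only checks truthiness, `# domain: domain, adjust DNS resolution; use "" to skip it` describes the current behaviour. The same applies to `gateway`, `address`, `generate_keypair` and `peers`, which are likewise read without a default.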


@ -36,11 +36,6 @@
become: true become: true
tags: sshd tags: sshd
# Install the Wireguard admin VPN
- role: system/wg-admin
become: true
tags: wg-admin
# Handle basic user configuration # Handle basic user configuration
- user/base - user/base
@ -100,3 +95,20 @@
# Install and configure Helix # Install and configure Helix
- role: user/editors/helix - role: user/editors/helix
tags: helix tags: helix
tasks:
# Install the Wireguard VPNs
- name: Wireguard
ansible.builtin.include_role:
name: wg
apply:
become: true
with_items: "{{ wg_connections }}"
vars:
wg_ifname: "{{ item.ifname }}"
wg_generate_keypair: "{{ item.generate_keypair }}"
wg_domain: "{{ item.domain }}"
wg_gateway: "{{ item.gateway }}"
wg_address: "{{ item.address }}"
wg_peers: "{{ item.peers }}"
tags: wireguard
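Review bot: `wg_domain: "{{ item.domain }}"` (and the sibling lookups above it) raises on an entry that omits the key, which defeats the `{% if domain %}` guard this commit adds to the template; if `domain` is meant to be optional, pass `wg_domain: "{{ item.domain | default('') }}"` and, by the same logic, `wg_generate_keypair: "{{ item.generate_keypair | default(false) }}"`. Separately, `tags: wireguard` on an `include_role` task tags only the include itself — the tasks inside the role do not inherit it, so `--tags wireguard` runs the include and then skips the role's own tasks; add `tags: [wireguard]` under `apply:` next to `become: true` to propagate it. `with_items` could be `loop` for consistency with current Ansible style, but that is cosmetic.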


@ -1,15 +1,15 @@
--- ---
# IP address assigned to the wireguard peer # IP address assigned to the wireguard peer
system_wg_admin_address: "192.168.0.2/32" wg_address: "192.168.0.2/32"
# Domain that is used with local DNS on the VPN # Domain that is used with local DNS on the VPN
system_wg_admin_domain: "localdomain" wg_domain: "localdomain"
# IP address of the gateway on the VPN # IP address of the gateway on the VPN
system_wg_admin_gateway: "192.168.0.1" wg_gateway: "192.168.0.1"
# Interface name for the wireguard connection # Interface name for the wireguard connection
system_wg_admin_ifname: "wg-something" wg_ifname: "wg-something"
# Peers of the VPN, list of objects with the following format: # Peers of the VPN, list of objects with the following format:
# #
@ -19,4 +19,7 @@ system_wg_admin_ifname: "wg-something"
# endpoint: localhost:51820 # endpoint: localhost:51820
# # if bool(keepalive) → gets included in the config # # if bool(keepalive) → gets included in the config
# keepalive: 20 # keepalive: 20
system_wg_admin_peers: [] wg_peers: []
# By default don't generate the keypair and reuse the existing one
wg_generate_keypair: false
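Review bot: The comment on `wg_generate_keypair: false` says the existing keypair is reused, but it does not state the precondition that implies: with this default the role skips generation yet, as far as the tasks hunk shows, still reads `/etc/wireguard/public.key` and points the config at `/etc/wireguard/private.key`, so a host without those files fails mid-role. Suggest `# By default don't generate the keypair and reuse the existing one (/etc/wireguard/{private,public}.key must already exist)`. Note also that `wg_domain` keeps the default `"localdomain"`, so the template's new `{% if domain %}` block is emitted unless a caller explicitly overrides the domain with an empty value; if "no DNS setup" is meant to be the default, an empty default is what that truthiness check expects.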


@ -12,6 +12,7 @@
chdir: /etc/wireguard chdir: /etc/wireguard
creates: /etc/wireguard/private.key creates: /etc/wireguard/private.key
when: wg_generate_keypair
- name: Get public key - name: Get public key
ansible.builtin.command: cat /etc/wireguard/public.key ansible.builtin.command: cat /etc/wireguard/public.key
@ -24,34 +25,34 @@
- name: Set dns_command for co-openSUSE - name: Set dns_command for co-openSUSE
ansible.builtin.set_fact: ansible.builtin.set_fact:
wg_dns_command: "resolvectl dns %i {{ system_wg_admin_gateway }}; resolvectl domain %i ~{{ system_wg_admin_domain }}" wg_dns_command: "resolvectl dns %i {{ wg_gateway }}; resolvectl domain %i ~{{ wg_domain }}"
when: '"openSUSE" not in ansible_distribution' when: '"openSUSE" not in ansible_distribution'
- name: Set dns_command for openSUSE - name: Set dns_command for openSUSE
ansible.builtin.set_fact: ansible.builtin.set_fact:
wg_dns_command: "nmcli con mod %i ipv4.dns {{ system_wg_admin_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ system_wg_admin_domain }}" wg_dns_command: "nmcli con mod %i ipv4.dns {{ wg_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ wg_domain }}"
when: '"openSUSE" in ansible_distribution' when: '"openSUSE" in ansible_distribution'
- name: Create the config - name: Create the config
vars: vars:
address: "{{ system_wg_admin_address }}" address: "{{ wg_address }}"
dns_command: "{{ wg_dns_command }}" dns_command: "{{ wg_dns_command }}"
domain: "{{ system_wg_admin_domain }}" domain: "{{ wg_domain }}"
gateway: "{{ system_wg_admin_gateway }}" gateway: "{{ wg_gateway }}"
peers: "{{ systemg_wg_admin_peers }}" peers: "{{ wg_peers }}"
ansible.builtin.template: ansible.builtin.template:
src: "{{ system_wg_admin_ifname }}.conf" src: "{{ wg_ifname }}.conf"
dest: "/etc/wireguard/{{ system_wg_admin_ifname }}.conf" dest: "/etc/wireguard/{{ wg_ifname }}.conf"
owner: root owner: root
group: root group: root
mode: "0600" mode: "0600"
- name: Set up the DNS on AlmaLinux - name: Set up the DNS on AlmaLinux
ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml" ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml"
when: ansible_distribution == "AlmaLinux" when: domain and ansible_distribution == "AlmaLinux"
- name: Enable and start the wireguard connection - name: Enable and start the wireguard connection
ansible.builtin.service: ansible.builtin.service:
name: "wg-quick@{{ system_wg_admin_ifname }}" name: "wg-quick@{{ wg_ifname }}"
enabled: yes enabled: yes
state: started state: started
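Review bot: `when: domain and ansible_distribution == "AlmaLinux"` references `domain`, which in this hunk is only defined as a task-scoped `vars:` entry on the preceding "Create the config" task, so on AlmaLinux the conditional should error on an undefined variable rather than skip; the role-level name is what is in scope here: `when: wg_domain and ansible_distribution == "AlmaLinux"`. The key generation at the top of the file is guarded by `creates: /etc/wireguard/private.key` and every looped connection now shares that single path, so a second connection with `generate_keypair: true` is a no-op and all tunnels present the same WireGuard identity — worth a comment in the role if that sharing is intended. `enabled: yes` is an existing line, but `enabled: true` would satisfy yamllint's truthy rule; the task list continues outside the hunk.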


@ -2,11 +2,13 @@
# Assign the static IP # Assign the static IP
Address = {{ address }} Address = {{ address }}
{% if domain %}
# Set the DNS # Set the DNS
DNS = {{ gateway }}, {{ domain }} DNS = {{ gateway }}, {{ domain }}
# Set the DNS for the connection # Set the DNS for the connection
PostUp = {{ dns_command }} PostUp = {{ dns_command }}
{% endif %}
# Load the private key # Load the private key
PostUp = wg set %i private-key /etc/wireguard/private.key PostUp = wg set %i private-key /etc/wireguard/private.key
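Review bot: The new `{% if domain %}` guard only tests `domain`, but the `DNS =` line it wraps also interpolates `gateway`, so a connection with a domain and an empty gateway renders `DNS = , <domain>`; `{% if domain and gateway %}` matches the defaults' description of the gateway as part of the DNS setup. `PostUp = {{ dns_command }}` inside the same block embeds the gateway as well, so the combined guard covers it too. The `[Interface]` section this belongs to starts before the hunk.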