chore(wg): factor out the wireguard role
Signed-off-by: Matej Focko <me@mfocko.xyz>
parent
f0d4f84ec7
commit
bc2d4a291e
7 changed files with 50 additions and 20 deletions
|
@ -37,3 +37,15 @@ cloudflare_zone: None
|
||||||
|
|
||||||
# Public ID tied to the Yubikey OTP
|
# Public ID tied to the Yubikey OTP
|
||||||
yubikey_token_id: None
|
yubikey_token_id: None
|
||||||
|
|
||||||
|
# Wireguard connections
|
||||||
|
# List of connections to set up, example:
|
||||||
|
#
|
||||||
|
# - ifname: ‹interface name›
|
||||||
|
# generate_keypair: true/false
|
||||||
|
# domain: ‹domain, adjust DNS resolution, if set›
|
||||||
|
# gateway: ‹part of the DNS resolution setup›
|
||||||
|
# address: ‹assigned address on the VPN›
|
||||||
|
# peers:
|
||||||
|
# - { note, public_key, allowed_ips, endpoint, keepalive }
|
||||||
|
wg_connections: []
|
||||||
|
|
|
@ -36,11 +36,6 @@
|
||||||
become: true
|
become: true
|
||||||
tags: sshd
|
tags: sshd
|
||||||
|
|
||||||
# Install the Wireguard admin VPN
|
|
||||||
- role: system/wg-admin
|
|
||||||
become: true
|
|
||||||
tags: wg-admin
|
|
||||||
|
|
||||||
# Handle basic user configuration
|
# Handle basic user configuration
|
||||||
- user/base
|
- user/base
|
||||||
|
|
||||||
|
@ -100,3 +95,20 @@
|
||||||
# Install and configure Helix
|
# Install and configure Helix
|
||||||
- role: user/editors/helix
|
- role: user/editors/helix
|
||||||
tags: helix
|
tags: helix
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
# Install the Wireguard VPNs
|
||||||
|
- name: Wireguard
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: wg
|
||||||
|
apply:
|
||||||
|
become: true
|
||||||
|
with_items: "{{ wg_connections }}"
|
||||||
|
vars:
|
||||||
|
wg_ifname: "{{ item.ifname }}"
|
||||||
|
wg_generate_keypair: "{{ item.generate_keypair }}"
|
||||||
|
wg_domain: "{{ item.domain }}"
|
||||||
|
wg_gateway: "{{ item.gateway }}"
|
||||||
|
wg_address: "{{ item.address }}"
|
||||||
|
wg_peers: "{{ item.peers }}"
|
||||||
|
tags: wireguard
|
||||||
|
|
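Review bot: `wg_domain: "{{ item.domain }}"` and the sibling `item.*` lookups in the new `vars:` block make every key of a `wg_connections` entry mandatory, even though the schema comment added to the vars file in this commit describes `domain` as applying only "if set" and the role now ships `wg_generate_keypair: false` as a default; an entry that omits either key aborts the include with an undefined-attribute error instead of falling back. Consider `wg_generate_keypair: "{{ item.generate_keypair | default(false) }}"` and `wg_domain: "{{ item.domain | default('') }}"` so the template's `{% if domain %}` opt-out is reachable from a connection entry. Since `with_items` runs the whole role once per connection, the `set_fact` value `wg_dns_command` is recomputed on every iteration; a one-line comment on the task saying so would help. The play's `tasks:` list starts in this hunk but the play itself begins outside it.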
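--- a/<path not shown on page: wireguard role defaults>
+++ b/<path not shown on page: wireguard role defaults>
@@ -1,15 +1,15 @@
 ---
 # IP address assigned to the wireguard peer
-system_wg_admin_address: "192.168.0.2/32"
+wg_address: "192.168.0.2/32"
 
 # Domain that is used with local DNS on the VPN
-system_wg_admin_domain: "localdomain"
+wg_domain: "localdomain"
 
 # IP address of the gateway on the VPN
-system_wg_admin_gateway: "192.168.0.1"
+wg_gateway: "192.168.0.1"
 
 # Interface name for the wireguard connection
-system_wg_admin_ifname: "wg-something"
+wg_ifname: "wg-something"
 
 # Peers of the VPN, list of objects with the following format:
 #
@@ -19,4 +19,7 @@ system_wg_admin_ifname: "wg-something"
 # endpoint: localhost:51820
 # # if bool(keepalive) → gets included in the config
 # keepalive: 20
-system_wg_admin_peers: []
+wg_peers: []
+
+# By default don't generate the keypair and reuse the existing one
+wg_generate_keypair: false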
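Review bot: `wg_domain: "localdomain"` keeps a non-empty default for a role that, as of this commit, treats an empty `domain` as the opt-out of DNS setup (the `{% if domain %}` guard in the template hunk), so a caller that leaves `wg_domain` unset gets DNS pushed onto the tunnel rather than skipped. The example-looking `wg_address: "192.168.0.2/32"` and `wg_ifname: "wg-something"` have the same problem now that the role is generic: a missing per-connection value silently produces a config for a made-up interface instead of failing. Consider `wg_domain: ""` and a header comment naming `wg_address`, `wg_ifname` and `wg_gateway` as required inputs rather than defaults. The comment on `wg_generate_keypair` could also state that generation is skipped whenever `/etc/wireguard/private.key` already exists (the `creates:` in the tasks hunk), so `true` does not rotate an existing key.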
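--- a/<path not shown on page: wireguard role tasks>
+++ b/<path not shown on page: wireguard role tasks>
@@ -12,6 +12,7 @@
 
 chdir: /etc/wireguard
 creates: /etc/wireguard/private.key
+when: wg_generate_keypair
 
 - name: Get public key
 ansible.builtin.command: cat /etc/wireguard/public.key
@@ -24,34 +25,34 @@
 
 - name: Set dns_command for co-openSUSE
 ansible.builtin.set_fact:
-wg_dns_command: "resolvectl dns %i {{ system_wg_admin_gateway }}; resolvectl domain %i ~{{ system_wg_admin_domain }}"
+wg_dns_command: "resolvectl dns %i {{ wg_gateway }}; resolvectl domain %i ~{{ wg_domain }}"
 when: '"openSUSE" not in ansible_distribution'
 
 - name: Set dns_command for openSUSE
 ansible.builtin.set_fact:
-wg_dns_command: "nmcli con mod %i ipv4.dns {{ system_wg_admin_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ system_wg_admin_domain }}"
+wg_dns_command: "nmcli con mod %i ipv4.dns {{ wg_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ wg_domain }}"
 when: '"openSUSE" in ansible_distribution'
 
 - name: Create the config
 vars:
-address: "{{ system_wg_admin_address }}"
+address: "{{ wg_address }}"
 dns_command: "{{ wg_dns_command }}"
-domain: "{{ system_wg_admin_domain }}"
-gateway: "{{ system_wg_admin_gateway }}"
-peers: "{{ systemg_wg_admin_peers }}"
+domain: "{{ wg_domain }}"
+gateway: "{{ wg_gateway }}"
+peers: "{{ wg_peers }}"
 ansible.builtin.template:
-src: "{{ system_wg_admin_ifname }}.conf"
-dest: "/etc/wireguard/{{ system_wg_admin_ifname }}.conf"
+src: "{{ wg_ifname }}.conf"
+dest: "/etc/wireguard/{{ wg_ifname }}.conf"
 owner: root
 group: root
 mode: "0600"
 
 - name: Set up the DNS on AlmaLinux
 ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml"
-when: ansible_distribution == "AlmaLinux"
+when: domain and ansible_distribution == "AlmaLinux"
 
 - name: Enable and start the wireguard connection
 ansible.builtin.service:
-name: "wg-quick@{{ system_wg_admin_ifname }}"
+name: "wg-quick@{{ wg_ifname }}"
 enabled: yes
 state: started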
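Review bot: `when: domain and ansible_distribution == "AlmaLinux"` references `domain`, but on this page `domain` is only defined in the task-level `vars:` of the preceding "Create the config" task, and task `vars:` are scoped to that task alone; unless `domain` is also set at a wider scope not shown here, the condition raises an undefined-variable error on every host instead of skipping. The role variable is what is in scope, so `when: wg_domain and ansible_distribution == "AlmaLinux"` expresses the intent. `enabled: yes` on the service task is unchanged context but a YAML 1.1 boolean spelling; `enabled: true` is the portable form. Both tasks shown here belong to a task list that starts before this hunk.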
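--- a/<path not shown on page: wireguard config template>
+++ b/<path not shown on page: wireguard config template>
@@ -2,11 +2,13 @@
 # Assign the static IP
 Address = {{ address }}
 
+{% if domain %}
 # Set the DNS
 DNS = {{ gateway }}, {{ domain }}
 
 # Set the DNS for the connection
 PostUp = {{ dns_command }}
+{% endif %}
 
 # Load the private key
 PostUp = wg set %i private-key /etc/wireguard/private.key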
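Review bot: `PostUp = wg set %i private-key /etc/wireguard/private.key` keeps a single, interface-independent key path, and the role's key tasks do the same (`creates: /etc/wireguard/private.key` and `cat /etc/wireguard/public.key` in the tasks hunks), so every entry of `wg_connections` on a host ends up presenting the same private key to every VPN, and `generate_keypair: true` on a second connection is a no-op because the file already exists. If the connections are meant to be independent tunnels, a per-interface path such as `/etc/wireguard/{{ ifname }}.key` (with `ifname` passed into the template's `vars:` next to `address`) keeps the keys separate; if sharing one identity is intended, a comment above this line saying so would stop the next reader from assuming otherwise. The new `{% if domain %}` guard also encloses `DNS = {{ gateway }}, {{ domain }}`, so a connection with a gateway but no domain gets no DNS server at all, which is worth a comment if deliberate.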