fix(wg): switch to ‹NetworkManager›

Fixes #65

Signed-off-by: Matej Focko <me@mfocko.xyz>

defaults/main.yml

@@ -38,14 +38,34 @@ yubikey_token_id: None
 # Client IP for the ‹wg-admin› VPN
 wg_admin_ip: None
 
+# Dictionary containing the IP addresses of the hosts on Wireguard interfaces
+# Keys represent interface name, values IP address with a mask.
+#
+# Convenience variable for easier deduplication of common values that are used
+# across all the hosts.
+wg_addresses: None
+
+# Dictionary containing the private keys for the Wireguard hosts. Keys represent
+# interface name, values private key.
+#
+# Convenience variable to maintain better idempotency and reproducibility of the
+# Ansible deployments/bootstraps.
+wg_private_keys: None
+
 # Wireguard connections
 # List of connections to set up, example:
 #
 #     - ifname: ‹interface name›
+#       autoconnect: "true/false"  # needs to be a string
+#
+#       private_key: ‹private key for the VPN connection, if not generated›
 #       generate_keypair: true/false
-#       domain: ‹domain, adjust DNS resolution, if set›
-#       gateway: ‹part of the DNS resolution setup›
+#
 #       address: ‹assigned address on the VPN›
+#       gateway: ‹part of the DNS resolution setup›
+#       dns: ‹IP of the DNS server on the VPN›
+#       domain: ‹domain, adjust DNS resolution, if set›
+#
 #       peers:
-#         - { note, public_key, allowed_ips, endpoint, keepalive }
+#         - { note, endpoint, public_key, allowed_ips, keepalive }
 wg_connections: []

group_vars/all/vars

@@ -8,5 +8,6 @@ gpg_signingkey: "7C47D46246790496"
 hashicorp_vault_address: "{{ vault_hashicorp_vault_address }}"
 vaultwarden_address: "{{ vault_vaultwarden_address }}"
 
-wg_admin_ip: "{{ vault_wg_admin_ip }}"
+wg_addresses: "{{ vault_wg_addresses }}"
+wg_private_keys: "{{ vault_wg_private_keys }}"
 wg_connections: "{{ vault_wg_connections }}"

group_vars/all/vault

@@ -1,28 +1,81 @@
 $ANSIBLE_VAULT;1.1;AES256
-63376231613461376465633862633737343864636662306262303530303165623730613833323961
-6233383266366236326435656134656437356539326533390a636631613339373366346338666436
-38633938316237626662666363343230663533633565643838323137306434376539353439306339
-3435623631323865630a333834343066363837643061313063666632383962396435326530633239
-30396561643634396632386433633263323830646463643835626639313139663332653638353862
-33616434363635396462343533656234393662373533666662623763633363636233626436663931
-33633439323531663634613834396330653636353733366336303836646230373165663833363134
-39623339353436373862333736353133353331623239663961313835666166323233643964646138
-34656332663534626636323531333563653263366330346665663739373335356631386562353531
-32613765316661303034616366656462376561363432396663646565353230316238366336376466
-32663264313531393136363832393364616538646131653561653762366430396437396361376132
-66633035663334323762396361326538343032356432333766346538653864313530653162653131
-66383461383036306137343638373831633265303638643366393837373332623538326364643739
-32316464376535643933363935383336663438373132643233346133383232653363373337323634
-36356531623838306262333733306639336538323630656438383836323437373938373139396131
-33643361326362643638306162336132626135393362373431306137383261643335626534353730
-32626630633135656432313737326238343264333465313434633961383166313162656666626639
-34336438353838376530306630326635633262616631653436313739393438663162313265626431
-35333033396265356166356162646462376532616431663530653664323838343833663464653035
-31336436316631616135326233363235303032346161393366323930623430376333636661623737
-39613464653165366230383539366464336639383666636437323337666566613836376537656466
-32346161386163363665373633663961333435613636376165386634366331393835306537323033
-39353963633061616466323636396536643338356361353865313139396135663836636162343165
-65386162343539336437643630323631353230396566616563613865613261383835353862313134
-37336236393862656636376665646466623862633732663833616535373737613538626437303935
-65633539663834333564386638626432316166616630653333326431643231626331666634383236
-393965363664366531313766383735323335
+32646438633661393232633832623432636435386330393264326530373731633932626364656562
+3265333062393538363536393037383433663564613231340a346261336530396536613131386564
+64666433663036396331626163636163643035323830343637386532343434356132386162366361
+3938303166643334330a633065663064393833646563323133393330353634333665663332613732
+36346535653836383735313561316366633437383237663766366433643139663663623231666166
+33306332316464623733393338363065613437306433653663623564313332653136363235626336
+30643464613630363331623665623563633266336236663665613864313831356236373066626633
+36363130326233383163616161353830366139313930653330653837666535666237613237373362
+38363665393536643237393338623466353435633635653634323631353265363462333431653235
+38383730383634633861393932373662303339626433303162393533303164653830373566373936
+65303735336531656163613139353965363732646161623961663439393832356638663761396134
+32303466613265366461303137663831323036303362613464666362386363303836333239313834
+64653961383865383638343937623532616165633138303839393832356364653736313039336133
+31623263323365373064666236363163363539633931633635643539323163343335656338653535
+37623166656333373538393230613533666632363035366565666330663065396265346262383139
+66646464386263386535363930636364303338353330616538613836343238303665363939363930
+37333361633532613430396531616261343666656238373364383465343462363261613031663239
+31393930336333333364663839373231336638666533316231643834316439366431363435396132
+31396237313765316334643931346164316261656138346134616233646335646365623665646632
+61316630316565333664653532663232316432393432383233636564646432343737373161663963
+62376536336537353538633366613431646537663966306533623037363361316134393463396438
+64636566326632313333333033396334323065613962376539396633353661366235313436376132
+35353339623765393135646264356436373832633232383762343933663436386531346364336336
+61616164613265623061653933353438666632643164313839303065393438636137653632336163
+61376436616564343139356165323162383238316264646536646138396635633234323862613135
+35363838666630303666623638363137623964336663396462343266336264336635666631363563
+65396465393563616431373563663738343161393238396132313536643433346237376134313031
+37633431353437636638656661323762383333616562623364353731303137393637313135356338
+38643238393663313966323233303037623838383934663263623461363863653536303132346337
+34623535633233306133666665353339663836323336343561343537326261323633333761336631
+65623133383633616463643462336630643363346561316162346433386137313431306131656162
+34343137633239666535346431663663363634643936643132343436616266353532633434663939
+38336130343062393964366230643633656561663939653030653064623532306663363731616566
+30393361636133303231643138633766613461633665663566633862363533366233326365653430
+33633761396236663738326561616433303934663936306334323465346334666464346333376266
+39633438383064303338396337613835383039313861376363323563336333663263303465316534
+36343132393035633165623864623937636235633965326566373730303430613562376365663364
+38643665346530376430316164616538313462373633653630316330326638303466333836623730
+33643237663666383235363736313335306636346263623032356262326666666134623862653265
+32666630383134633037643138323432656633343565656461336534386566613162323736373166
+36666536303639303064373035313130636438653331613262613365643166383036623630656434
+38363431336566626238343830393561666230383464613036306236346237346132316565373932
+35346361373535373838323566313166666233623761653663376636666539393438353436306232
+61343762333939366664333366356132303738316464393030613863383434656639376136623661
+65373338356263613738626463646337343939663735623432616138373665633163373334616139
+35353833303738396666363561643537323730373031373137386361626664623936626333303337
+37636562353863336531336134636139346538383839626365356532393735333834653638383438
+65653736366437373838613330643431336632623432623264346530646535623635363834623931
+62616166373435623161313438656631323137366538386235323766633363653062373565353436
+39346236613137373662316265396536383334353636323065383730386436356635666138643264
+37626438633430353934623136633230623737326632323933646132656163343833643230336564
+64643030623932366337356666393162333732656164616235623736613036393134383535303936
+30336131323263643165623663646661306166616530623338333266303831653834653431363033
+39646365333065306536316161366635363361386366393834333261363437656266306132333230
+30303836396136373963643131383565383239643561363665306336393536643039623736323333
+37643835376437616563316363636166356466396165366238306334386466353630366462366463
+39356366346561366661323131343331363935653064373137366233316633313833623662383366
+30313561356164613038386130303031623534636163613863356438333766633835326331373934
+61633136393466666238396264366464363632616532336332376265383761363936396635633961
+65393235326364326164626563626163643265633235656330616437643865356636376432613936
+66303065373665623536653562393933633564303634376435373135393235353065366661666137
+61373864383437376131363634333237656162313739363134323039323935623632343338613061
+38633161616262393138356130386266643261313539646137326237643262363061326633646664
+30643931373061323864656534626563653735636335616631626134663838663261383064336465
+62313762313362326634353334376632643536643161326262653637623232353534336465366639
+66656532643236336235306566343761376131633639346332623266313139333235326464333334
+30633961616531343535646632663665653365333961343038636439366664323463653335333363
+38333135343363323631373533316561383732643231383862653132383531323266303534663665
+31633038353065373865306333346437643265623262323036656439663664653337653131373865
+39353635613333643933656636643166346539373838353738373864313839636138333763613033
+30383937613463616434626561346436393734653039373563613361333835396361333663366534
+31376166643263633437353435646536363034316165653334613430393037656136393532306137
+31343165353661383835306664623064633333666639306334336464333836376535336237623232
+61666530663162373934326465383865613936323739323739383966353631623433643231343535
+62333065333036393330353230323265653264333762326431363937643131326131613663306532
+61363430316464663762633336313265373064343731386261376133663463616135646432373062
+37633861316332616639633234313938353230646237343934393735396232613662306131666438
+39613139643132633564633431636365656165313531373262393030366236343836653436656338
+34646533656164313836343930383535633038643437616165303432323865653836343064343261
+36636262613338366530

host_vars/ampere/vault

@@ -1,6 +1,20 @@
 $ANSIBLE_VAULT;1.1;AES256
-37346330376565653933653934653564643163356637666632393964366632363336353463323432
-3765303739303338326463396635653834396361316331340a326239666464363739363562613233
-30353039313564353866663838626366663064633332313662656238323262393131626462373064
-6566376239356530300a303362633534636565386636393764396362653263323362306264383461
-31363065383436313062336338303762316164663036393533376130643138646237
+37313763643432623939616435323639326235653062376332346163653338366638393531313864
+6362383739393765383762323437326337643534356339380a396436306566393638666362383037
+32336462646362363066626230303433386137353263623535376233306634366530373439376464
+3363303734363266620a623861373831616338303662613862643361356339303466346664363330
+37313961373535393339386539356638383239656465636135613338646132353264373737623362
+33323334656564306136656564653261646230613232633161623234636362643363633235363032
+38633461373230326536393734383162656161366533373135353162313334313833666637313134
+38366332383666623036366439343265353232633032666436363164613464623534613264346531
+31663366663430313637306135353930386330333932383864333264313265616337333530396562
+32636136333261366231653933383131306161393033623666396234633363613766643562393366
+61613130353465356334313637353231366535363339623631306535383634643731303363613461
+66363738646464333038633961623363386533626363336536653330626266646431633531373033
+64636162326465326632666235356437636338303030353839316231356165616166393963333761
+64393630666635306632633530363738656139623939313533316336636139626434346139373262
+39306331346434643639626232366536666234653830386533373035353762313437363932636439
+33346639363733623761326239616236383763393235343130633964373330373736386533663537
+38396133376132633934656362653563613333323735386137393162373238366464333966663862
+65613937363863323264376662326434343966366161316134653138653066646331336637303839
+653336356139313536663533636632383766

host_vars/hertz/vault

@@ -1,6 +1,20 @@
 $ANSIBLE_VAULT;1.1;AES256
-61353931363939383464363938643136373433643736333361646566393863663136336162643962
-3038666635616462623231656565663764643666663536390a316232623638396239636234376330
-64663638363766343536373236366434356135366435336661393935396161393161626361313662
-6664343835393263310a623439323739666362356335653538646331316331613165393263343039
-34363335393961363265646263653138346563633339653039613831366565326638
+62313235373263656238613263613564626638333563616630373638316163653734363431663333
+3134616263323961613261653131653662343333666334370a373465623863313538376236336562
+61666661613332363732336466383238623635323534393461306433343635343165633130333832
+6265366230353732390a373236666238386638333365316137623461626664623830626438353538
+61373163663138303336316231343461376538326261653631306434373566393939353862393561
+30353064356533646361386330313738323233373466636234646463363035353565306263353361
+30646661383561343630353733663163313937386332333133613566376334636561653062666464
+64623465303930376433346565343364373565373530336133653537623766326264336165303833
+38633362373231636266316461336461663735386632386537666431353232616331323362333831
+66303633353830353330333033383562613863346661393566663965616530623432316134306664
+62666132666234653363636535663163643631316431373265343939376263393739313831316463
+34633334303938643939313266306565343765666239393638623333353931613831336239353533
+39633635356134613035633866363764366135626166376364623938313066636335623233633639
+32656538626662626532323530656665376633353535353835643637313661613235616237386637
+36333531666232323431333264616161333038393239303239393038333234366235353335383365
+30646233666661336435656463663966353433323864633265636536616431333536666265666566
+35373937666132313134323436633334343834363732393732356636666136653263616538396132
+64383830356563333836383234323763313236346561353835383931653565333636613561303564
+613333623536616635323431613638343730

host_vars/mountainside/vault

@@ -1,18 +1,31 @@
 $ANSIBLE_VAULT;1.1;AES256
-36636438356436373332646664346661373963643733333236363633643064623636663239383965
-3635646338663966303232306532393934336261646537300a363838643037656339393937366633
-66303139376663626136353838353961626533623031316565393639363538636666633633656532
-6533643435663638380a663565313230326166343431666266663737393032326334633537653763
-39323464636231333931646430313539613332623435323833643763333637643438633431303166
-38386434323565343266663331313664316333373032613238326139333038383134336134316666
-62633364613830323935653839373235376566393863363565376463346263653837643534376333
-32666233613036616366363263353030633966343066623731343763313537373433663266393362
-32376636313465373932633435306363313262613161353234313063396362333732343864373964
-37323333356235336530343761316335623366646536623233353062396439613834663963326230
-33376235626165346530623931663832633363373139323237353664663562336235366538623538
-39636230326639613637653431666564343831663438623738323635343237656463333637306563
-36346131363737613633383763333032373635393730626435343565353065653265653563646562
-38366630373166373266633030323066653866363238323738666137656435653133643336316463
-63666236343534303636643630613838336466623530613436356362333732303666636239663665
-38396166333837393737303138636133323933613932313030386664303865626130626661663337
-35613532613062346435343330633232393038303862326632303033623031306433
+35303332646531393361626335626138653663373131323539393865333336366139343631623465
+3464386461316466376636663339346266656363323435340a343262393062646336616361396463
+64306161616432363638646133376333316462353361623331383532326135383838383861653662
+3062343730383336300a306461333039663937303335653032656362653863613333326239323834
+38356639313239353432366165363231646439343939303063616532316565383935646163643865
+31323264383731653737613930383539323263373866366266386630393339323765303338383661
+34373964663936613133326363623461333564303837636462613035353166326639666132366638
+36306331383663633266383162333962363431303566356630356430386337633363373764633661
+37343430343264336331376261306633383765393236383435656431656439313163626339303232
+36303530653139646531633663383434343063623964623461323731313932373238363139653565
+37303431306135656635323733323734666164303931343832376439646333396364313134613262
+31333439366539366631323439366435633835383965373064653335336265313064613663623530
+35343361353965373733636337626139636631626663353032636433343235363532316266373138
+32363630613036613833353937656534656466613634363838643735613034356334346436626534
+33623734656439373234636235343338306563336637396662613830626363343232356666383366
+37633332336366636162646163663130326435356138663135653737336336646232626131326337
+66656163616434323237643362313263346366393865356361323532623634386163386636306165
+35323334626163623161646337626436373634653265353337343536653363373433643566316136
+37383039386130663836356263323564363436353433643464323164666639383561346563346430
+33636534333431383866333034353838333265316261643434386332333461313965366663366634
+65663336306664643337373233643333386638663762393437653861353634346239363333343239
+38383135393863393436613739393537396639646332343264333036376333353263363361313234
+65366261633139346566626231303765356535366565623533333865306435313763333061356536
+63303131666465633632666632383334326436663530363634316231313736616135623964626166
+65303032323562363136623266623136643039316231613633616539373234316439653663633835
+64333661333763313337663265623062316338643666613034613236396335663366326635623134
+30653762663436363332333436633534666136643165623364366331376337303830373438626366
+35343962626538666135393061333233313863643363396561363431383035316439353265306637
+37666637646564393762383364333966373663343539363932656434366530663830316236643739
+3531393539613265343135363838633661373633663430376133

playbooks/bootstrap.yml

@@ -112,7 +112,10 @@
       with_items: "{{ wg_connections }}"
       vars:
         wg_ifname: "{{ item.ifname }}"
+        wg_autoconnect: "{{ item.autoconnect }}"
         wg_generate_keypair: "{{ item.generate_keypair }}"
+        wg_private_key: "{{ item.private_key }}"
+        wg_dns: "{{ item.dns }}"
         wg_domain: "{{ item.domain }}"
         wg_gateway: "{{ item.gateway }}"
         wg_address: "{{ item.address }}"

roles/wg/defaults/main.yml

@@ -2,6 +2,9 @@
 # IP address assigned to the wireguard peer
 wg_address: "192.168.0.2/32"
 
+# IP address of the DNS server on the VPN
+wg_dns: "192.168.0.1"
+
 # Domain that is used with local DNS on the VPN
 wg_domain: "localdomain"
 
@@ -14,12 +17,19 @@ wg_ifname: "wg-something"
 # Peers of the VPN, list of objects with the following format:
 #
 #     - note: ‹comment that gets put above the peer›
+#       endpoint: localhost:51820
 #       public_key: ‹public key of the peer›
 #       allowed_ips: 192.168.0.0/24
-#       endpoint: localhost:51820
 #       # if bool(keepalive) → gets included in the config
 #       keepalive: 20
 wg_peers: []
 
+# Whether to autoconnect; needs to be string to be properly templated for the
+# NetworkManager connection file
+wg_autoconnect: "true"
+
 # By default don't generate the keypair and reuse the existing one
 wg_generate_keypair: false
+
+# Private key, in case it is not to be generated during the runtime
+wg_private_key: ""

roles/wg/tasks/main.yml

@@ -3,67 +3,36 @@
   ansible.builtin.include_tasks: install.yml
   tags: install
 
-- name: Check for existence of private key
-  ansible.builtin.stat:
-    path: /etc/wireguard/private.key
-  register: _private_key
-
-- name: Generate keypair
-  ansible.builtin.include_tasks: tasks/generate_keypair.yml
-  when: not _private_key.stat.exists
-
-- name: Save private key
-  ansible.builtin.template:
-    src: templates/keyfile.j2
-    dest: /etc/wireguard/private.key
-    owner: root
-    group: root
-    mode: 0700
-  vars:
-    key: "{{ wg_private_key }}"
-  when: not _private_key.stat.exists
-
-- name: Save public key
-  ansible.builtin.template:
-    src: templates/keyfile.j2
-    dest: /etc/wireguard/public.key
-    owner: root
-    group: root
-    mode: 0700
-  vars:
-    key: "{{ wg_public_key }}"
-  when: not _private_key.stat.exists
-
-- name: Set dns_command for co-openSUSE
-  ansible.builtin.set_fact:
-    wg_dns_command: "resolvectl dns %i {{ wg_gateway }}; resolvectl domain %i ~{{ wg_domain }}"
-  when: '"openSUSE" not in ansible_distribution'
-
-- name: Set dns_command for openSUSE
-  ansible.builtin.set_fact:
-    wg_dns_command: "nmcli con mod %i ipv4.dns {{ wg_gateway }}; nmcli con mod %i ipv4.dns-search ~{{ wg_domain }}"
-  when: '"openSUSE" in ansible_distribution'
+# [TODO] Handle autogeneration of the keys
 
 - name: Create the config
   vars:
+    ifname: "{{ wg_ifname }}"
+    autoconnect: "{{ wg_autoconnect }}"
+
     address: "{{ wg_address }}"
-    dns_command: "{{ wg_dns_command }}"
+    dns: "{{ wg_dns }}"
     domain: "{{ wg_domain }}"
-    gateway: "{{ wg_gateway }}"
+
+    private_key: "{{ wg_private_key }}"
+
     peers: "{{ wg_peers }}"
   ansible.builtin.template:
-    src: "templates/wg.conf"
-    dest: "/etc/wireguard/{{ wg_ifname }}.conf"
+    src: "templates/wireguard-config.nmconnection"
+    dest: "/etc/NetworkManager/system-connections/{{ wg_ifname }}.nmconnection"
     owner: root
     group: root
     mode: "0600"
 
-- name: Set up the DNS on AlmaLinux
-  ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml"
-  when: wg_domain and ansible_distribution == "AlmaLinux"
+- name: Load the added connection
+  ansible.builtin.command:
+    cmd: nmcli connection load /etc/NetworkManager/system-connections/{{ wg_ifname }}.nmconnection
+  changed_when: false
+  become: true
 
-- name: Enable and start the wireguard connection
-  ansible.builtin.service:
-    name: "wg-quick@{{ wg_ifname }}"
-    enabled: yes
-    state: started
+- name: Up the connection
+  community.general.nmcli:
+    conn_name: "{{ wg_ifname }}"
+    state: up
+  become: true
+  when: wg_autoconnect | bool

roles/wg/templates/wireguard-config.nmconnection

@@ -0,0 +1,32 @@
+# {{ ansible_managed }}
+
+[connection]
+id={{ ifname }}
+uuid={{ ansible_facts.hostname | to_uuid(namespace=ifname | to_uuid) }}
+type=wireguard
+autoconnect={{ autoconnect }}
+interface-name={{ ifname }}
+
+[ipv4]
+method=manual
+never-default=true
+address1={{ address }}
+dns={{ dns }}
+dns-search={{ domain }}
+
+[ipv6]
+method=ignore
+addr-gen-mode=stable-privacy
+
+[wireguard]
+private-key={{ private_key }}
+{% for peer in peers %}
+
+# {{ peer.note }}
+[wireguard-peer.{{ peer.public_key }}]
+endpoint={{ peer.endpoint }}
+allowed-ips={{ peer.allowed_ips }}
+{% if peer.keepalive %}
+persistent-keepalive={{ peer.keepalive }}
+{% endif %}
+{% endfor %}