diff --git a/playbooks/bootstrap.yml b/playbooks/bootstrap.yml
index cb42874..d2e2ab5 100644
--- a/playbooks/bootstrap.yml
+++ b/playbooks/bootstrap.yml
@@ -30,6 +30,11 @@
       become: true
       tags: sshd
+    # Install the Wireguard admin VPN
+    - role: system/wg-admin
+      tags: wg-admin
+      become: true
+
     # Handle basic user configuration
     - user/base
diff --git a/roles/system/wg-admin/tasks/dns_AlmaLinux.yml b/roles/system/wg-admin/tasks/dns_AlmaLinux.yml
new file mode 100644
index 0000000..edbacef
--- /dev/null
+++ b/roles/system/wg-admin/tasks/dns_AlmaLinux.yml
@@ -0,0 +1,29 @@
+---
+- name: Enable and start systemd-resolved
+  ansible.builtin.service:
+    name: systemd-resolved
+    enabled: yes
+    state: started
+
+- name: Make NetworkManager use the systemd-resolved
+  ansible.builtin.copy:
+    content: |
+      [main]
+      dns=systemd-resolved
+
+    dest: /etc/NetworkManager/conf.d/systemd-resolved.conf
+    owner: root
+    group: root
+    mode: "0600"
+
+- name: Replace the original resolv.conf with systemd-resolved reference
+  ansible.builtin.file:
+    src: /run/systemd/resolve/resolv.conf
+    path: /etc/resolv.conf
+    state: link
+    force: true
+
+- name: Restart the NetworkManager
+  ansible.builtin.service:
+    name: NetworkManager
+    state: restarted
diff --git a/roles/system/wg-admin/tasks/install.yml b/roles/system/wg-admin/tasks/install.yml
new file mode 100644
index 0000000..81c816d
--- /dev/null
+++ b/roles/system/wg-admin/tasks/install.yml
@@ -0,0 +1,12 @@
+---
+- name: Install the wireguard on Ubuntu
+  ansible.builtin.package:
+    name: wireguard
+    state: present
+  when: ansible_distribution == "Ubuntu"
+
+- name: Install the wireguard on co-Ubuntu
+  ansible.builtin.package:
+    name: wireguard-tools
+    state: present
+  when: ansible_distribution != "Ubuntu"
diff --git a/roles/system/wg-admin/tasks/main.yml b/roles/system/wg-admin/tasks/main.yml
new file mode 100644
index 0000000..0f7799b
--- /dev/null
+++ b/roles/system/wg-admin/tasks/main.yml
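Review bot: The final `Restart the NetworkManager` task in dns_AlmaLinux.yml restarts the service on every run of the role, so the play never converges and each run briefly disturbs the host's networking even when nothing changed; the copy task that writes `/etc/NetworkManager/conf.d/systemd-resolved.conf` is the only thing that should trigger it. Register that task and guard the restart with `when: nm_resolved_conf is changed`, or move the restart into a handler and `notify:` it from the copy task. The `enabled: yes` values in the same file would also read more portably as `enabled: true`; `yes` is a YAML 1.1 boolean that yamllint's truthy rule flags and that YAML 1.2 parsers read as a string.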
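Review bot: In install.yml the two tasks differ only in the package name, and the second task's name, `Install the wireguard on co-Ubuntu`, does not say which systems it covers; a single task with `name: "{{ 'wireguard' if ansible_distribution == 'Ubuntu' else 'wireguard-tools' }}"` and a name such as `Install the WireGuard tools` keeps the intent readable without the paired `when` clauses. Whether `wireguard-tools` is the right package on every non-Ubuntu distribution this role targets (main.yml mentions openSUSE and AlmaLinux) is not visible from the diff, so a comment above the task listing the distributions it was verified on would help the next maintainer.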
@@ -0,0 +1,54 @@
+---
+- name: Packages
+  ansible.builtin.include_tasks: install.yml
+  tags: install
+
+- name: Generate private key
+  ansible.builtin.shell:
+    cmd: |
+      set -e -o pipefail
+      umask 077
+      wg genkey | tee private.key | wg pubkey > public.key
+
+    chdir: /etc/wireguard
+    creates: /etc/wireguard/private.key
+
+- name: Get public key
+  ansible.builtin.command: cat /etc/wireguard/public.key
+  register: public_key
+  changed_when: False
+
+- name: Set public key fact
+  ansible.builtin.set_fact:
+    public_key: "{{ public_key.stdout }}"
+
+- name: Set dns_command for co-openSUSE
+  ansible.builtin.set_fact:
+    wg_dns_command: "resolvectl dns %i 10.42.0.1; resolvectl domain %i ~admin"
+  when: ansible_distribution != "openSUSE"
+
+- name: Set dns_command for openSUSE
+  ansible.builtin.set_fact:
+    wg_dns_command: "nmcli con mod %i ipv4.dns 10.42.0.1; nmcli con mod %i ipv4.dns-search ~admin"
+  when: ansible_distribution == "openSUSE"
+
+- name: Create the config
+  vars:
+    address: "{{ wg_admin_address }}"
+    dns_command: "{{ wg_dns_command }}"
+  ansible.builtin.template:
+    src: wg-admin.conf
+    dest: /etc/wireguard/wg-admin.conf
+    owner: root
+    group: root
+    mode: "0600"
+
+- name: Set up the DNS on AlmaLinux
+  ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml"
+  when: ansible_distribution == "AlmaLinux"
+
+- name: Enable and start the wireguard connection
+  ansible.builtin.service:
+    name: "wg-quick@wg-admin"
+    enabled: yes
+    state: started
diff --git a/roles/system/wg-admin/templates/wg-admin.conf b/roles/system/wg-admin/templates/wg-admin.conf
new file mode 100644
index 0000000..bb60099
--- /dev/null
+++ b/roles/system/wg-admin/templates/wg-admin.conf
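Review bot: The `Generate private key` task runs `set -e -o pipefail` through `ansible.builtin.shell`, which uses `/bin/sh` unless `executable` is set; on hosts whose `/bin/sh` lacks `pipefail` (older dash builds) the `set` call itself fails and no key is generated, and because `creates:` points at `private.key`, a file left behind by an interrupted pipeline (tee writes it before `wg pubkey` runs) would make later runs skip the task silently. Add `executable: /bin/bash` next to `chdir`, and consider generating into a temporary name and renaming at the end so `creates` only matches a complete key. Two smaller points: `changed_when: False` and `enabled: yes` should be written `false`/`true`, and the `10.42.0.1` resolver address and `~admin` domain are repeated in both `set_fact` tasks and again in the template, so they belong in the role's defaults as variables the same way `address` already comes from `wg_admin_address`.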
@@ -0,0 +1,22 @@
+[Interface]
+# Assign the static IP
+Address = {{ address }}/20
+
+# Set the DNS
+DNS = 10.42.0.1, admin
+
+# Set the DNS for the connection
+PostUp = {{ dns_command }}
+
+# Load the private key
+PostUp = wg set %i private-key /etc/wireguard/private.key
+
+# FIXME: Ping the VPN server to initiate the connection
+# PostUp = ping -c3 10.42.0.1
+
+# poincare
+[Peer]
+PublicKey = DFvcdIvT4ulnQfRejbzUV/LJqUEYRWlAhtHKM65G92Y=
+AllowedIPs = 10.42.0.0/20
+Endpoint = mfocko.xyz:51820
+PersistentKeepAlive = 20
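Review bot: The resolver `10.42.0.1` and the `admin` search domain on the `DNS =` line duplicate what `{{ dns_command }}` already configures through the `PostUp` hook, and both copies are hardcoded separately from the `set_fact` tasks in main.yml, so the three places can drift; a single role variable (a placeholder such as `wg_admin_dns`) consumed by the template and by the `set_fact` tasks would keep them in sync, and a comment stating why both `DNS =` and the `PostUp` are needed would explain the redundancy if it is deliberate. The comment `# poincare` above `[Peer]` names the peer but not what the hardcoded `PublicKey` and `Endpoint` belong to or how they are rotated; a line like `# Peer: poincare (admin VPN server) - update PublicKey here when the server key is rotated` makes that explicit. The commented-out `FIXME` ping line gives no reason for being disabled; either drop it or say under which condition it is needed.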