feat(wg-admin): add playbooks for wg-admin clients

Signed-off-by: Matej Focko <mfocko@redhat.com>
This commit is contained in:
Matej Focko 2023-10-01 17:02:49 +02:00
parent 5f99af32cf
commit c83836b900
Signed by: mfocko
GPG key ID: 7C47D46246790496
5 changed files with 122 additions and 0 deletions


@ -30,6 +30,11 @@
become: true become: true
tags: sshd tags: sshd
# Install the Wireguard admin VPN
- role: system/wg-admin
tags: wg-admin
become: true
# Handle basic user configuration # Handle basic user configuration
- user/base - user/base


@ -0,0 +1,29 @@
---
- name: Enable and start systemd-resolved
ansible.builtin.service:
name: systemd-resolved
enabled: yes
state: started
- name: Make NetworkManager use the systemd-resolved
ansible.builtin.copy:
content: |
[main]
dns=systemd-resolved
dest: /etc/NetworkManager/conf.d/systemd-resolved.conf
owner: root
group: root
mode: "0600"
- name: Replace the original resolv.conf with systemd-resolved reference
ansible.builtin.file:
src: /run/systemd/resolve/resolv.conf
path: /etc/resolv.conf
state: link
force: true
- name: Restart the NetworkManager
ansible.builtin.service:
name: NetworkManager
state: restarted
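Review bot: The symlink task's `src: /run/systemd/resolve/resolv.conf` points `/etc/resolv.conf` at the non-stub file, which lists every per-link upstream server directly and so bypasses systemd-resolved's split-DNS routing; libc then queries those servers itself, the `resolvectl domain %i ~admin` hook that the wg-admin role sets up no longer confines `admin` lookups to the tunnel, and any other query can also be sent to 10.42.0.1. Use `src: /run/systemd/resolve/stub-resolv.conf` so resolution goes through the 127.0.0.53 stub and the per-interface routing domain applies. The last task restarts NetworkManager on every run even when the conf.d file did not change; have the copy task `notify` a handler instead. Write `enabled: true` rather than `yes`, which yamllint's truthy rule flags.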


@ -0,0 +1,12 @@
---
- name: Install the wireguard on Ubuntu
ansible.builtin.package:
name: wireguard
state: present
when: ansible_distribution == "Ubuntu"
- name: Install the wireguard on co-Ubuntu
ansible.builtin.package:
name: wireguard-tools
state: present
when: ansible_distribution != "Ubuntu"


@ -0,0 +1,54 @@
---
- name: Packages
ansible.builtin.include_tasks: install.yml
tags: install
- name: Generate private key
ansible.builtin.shell:
cmd: |
set -e -o pipefail
umask 077
wg genkey | tee private.key | wg pubkey > public.key
chdir: /etc/wireguard
creates: /etc/wireguard/private.key
- name: Get public key
ansible.builtin.command: cat /etc/wireguard/public.key
register: public_key
changed_when: False
- name: Set public key fact
ansible.builtin.set_fact:
public_key: "{{ public_key.stdout }}"
- name: Set dns_command for co-openSUSE
ansible.builtin.set_fact:
wg_dns_command: "resolvectl dns %i 10.42.0.1; resolvectl domain %i ~admin"
when: ansible_distribution != "openSUSE"
- name: Set dns_command for openSUSE
ansible.builtin.set_fact:
wg_dns_command: "nmcli con mod %i ipv4.dns 10.42.0.1; nmcli con mod %i ipv4.dns-search ~admin"
when: ansible_distribution == "openSUSE"
- name: Create the config
vars:
address: "{{ wg_admin_address }}"
dns_command: "{{ wg_dns_command }}"
ansible.builtin.template:
src: wg-admin.conf
dest: /etc/wireguard/wg-admin.conf
owner: root
group: root
mode: "0600"
- name: Set up the DNS on AlmaLinux
ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml"
when: ansible_distribution == "AlmaLinux"
- name: Enable and start the wireguard connection
ansible.builtin.service:
name: "wg-quick@wg-admin"
enabled: yes
state: started
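Review bot: The `when: ansible_distribution == "openSUSE"` guard on the openSUSE `set_fact` is unlikely to match on current releases, which Ansible reports as `openSUSE Leap` or `openSUSE Tumbleweed`; those hosts would fall into the `!= "openSUSE"` branch and get the resolvectl command instead of the intended nmcli one. Compare with `when: ansible_os_family == "Suse"` (and its negation on the sibling task) or `when: ansible_distribution is match("openSUSE")`. The key-generation script starts with `set -e -o pipefail`, but `ansible.builtin.shell` runs it under `/bin/sh`, which on Ubuntu is dash; if that dash does not support `pipefail` the task aborts before `wg genkey` runs, so add `executable: /bin/bash` to the shell task (the `umask 077` and `creates:` guard are good as they are). Write `enabled: true` and `changed_when: false` instead of `yes`/`False`.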


@ -0,0 +1,22 @@
[Interface]
# Assign the static IP
Address = {{ address }}/20
# Set the DNS
DNS = 10.42.0.1, admin
# Set the DNS for the connection
PostUp = {{ dns_command }}
# Load the private key
PostUp = wg set %i private-key /etc/wireguard/private.key
# FIXME: Ping the VPN server to initiate the connection
# PostUp = ping -c3 10.42.0.1
# poincare
[Peer]
PublicKey = DFvcdIvT4ulnQfRejbzUV/LJqUEYRWlAhtHKM65G92Y=
AllowedIPs = 10.42.0.0/20
Endpoint = mfocko.xyz:51820
PersistentKeepAlive = 20
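Review bot: The `DNS = 10.42.0.1, admin` line duplicates what the `PostUp = {{ dns_command }}` hook already configures, and it is the line that makes wg-quick shell out to a `resolvconf` binary, which the role does not install and which many minimal hosts lack, so `wg-quick@wg-admin` can fail in its DNS step before any hook runs. Where a systemd-resolved `resolvconf` shim is present, `admin` is registered as a search domain rather than the routing-only `~admin` the hook uses, so the tunnel briefly becomes a default DNS route for all queries until the PostUp overrides it. Drop the `DNS =` line and let the distribution-specific PostUp own DNS. The server address 10.42.0.1 is also hard-coded here and in the three commands in the task file; a single `wg_admin_dns` variable would keep them in step.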