authorTrygve Laugstøl <trygvis@inamo.no>2020-10-27 22:08:56 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2020-10-27 22:26:52 +0100
commit8fe199c66d3d2118fc45a2ffa2d994430a91da3e (patch)
tree09367b7ddd49a9abd2c6e0eaea8919b4b3fa33b3
parent285c587daf298132bc961b26abed1e5870c41e4b (diff)
downloadinfra-8fe199c66d3d2118fc45a2ffa2d994430a91da3e.tar.gz
infra-8fe199c66d3d2118fc45a2ffa2d994430a91da3e.tar.bz2
infra-8fe199c66d3d2118fc45a2ffa2d994430a91da3e.tar.xz
infra-8fe199c66d3d2118fc45a2ffa2d994430a91da3e.zip
Adding hash to wireguard.
-rw-r--r--ansible/group_vars/all/wireguard_wg0.yml7
-rw-r--r--ansible/inventory10
-rw-r--r--ansible/plays/files/hash/etc/wireguard/public-wg0.key1
-rw-r--r--ansible/roles/wireguard/tasks/main.yml21
4 files changed, 21 insertions, 18 deletions
diff --git a/ansible/group_vars/all/wireguard_wg0.yml b/ansible/group_vars/all/wireguard_wg0.yml
index 2a8f7e2..5d8e450 100644
--- a/ansible/group_vars/all/wireguard_wg0.yml
+++ b/ansible/group_vars/all/wireguard_wg0.yml
@@ -9,6 +9,8 @@ wireguard_wg0:
peers: all
# Generated by https://www.ultratools.com/tools/rangeGenerator
ipv6: fdf3:aad9:a885:0b3a::1
+ allowed_ips:
+ - ::/0
birgitte:
state: present
ipv4: 192.168.60.2
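Review bot: The `::/0` entry added under `allowed_ips` changes cryptokey routing on every other host in the net, not just the routing table: WireGuard drops an incoming packet whose source address is outside the sending peer's AllowedIPs, so with `::/0` every host will accept traffic from this peer carrying any IPv6 source address. That is the right property if this stanza is the net's IPv6 gateway, but it deserves a comment next to the entry, e.g. `# ::/0: this peer forwards IPv6 for the whole net; other hosts accept any v6 source from it`. If the intent is only to forward within the VPN prefix, the prefix itself (the `fdf3:aad9:a885:0b3a::` addresses in this file suggest a /64) would be the narrower value. Which host this stanza belongs to is not visible in the hunk.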
@@ -37,3 +39,8 @@ wireguard_wg0:
android-trygvis:
state: present
ipv6: fdf3:aad9:a885:0b3a::12
+ hash:
+ endpoint: hash.trygvis.io
+ listen_port: 51821
+ peers: all
+ ipv6: fdf3:aad9:a885:0b3a::13
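Review bot: The new `hash` stanza sets `listen_port: 51821`, but the same commit deletes the role's `UFW allow port` task further down, so nothing in this diff opens that UDP port on the host; if hash still runs ufw, peers that dial `hash.trygvis.io` will not get through. Either keep that task or record where the port is now opened, e.g. `# 51821/udp must be allowed by the host firewall; this role no longer manages ufw`. Unlike the stanza patched in the hunk above, `hash` has no `allowed_ips`, so under the new template other hosts only accept its own `ipv6` address from it — fine for a leaf, worth a comment if it is meant to forward traffic.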
diff --git a/ansible/inventory b/ansible/inventory
index 5789258..501477c 100644
--- a/ansible/inventory
+++ b/ansible/inventory
@@ -4,7 +4,7 @@ all:
ansible_host: knot.vpn.trygvis.io
ansible_python_interpreter: /usr/bin/python3
hash:
- ansible_host: hash.trygvis.io
+ ansible_host: hash.vpn.trygvis.io
numquam:
ansible_host: numquam.trygvis.io
birgitte:
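Review bot: `ansible_host` for hash now points at `hash.vpn.trygvis.io` while the WireGuard endpoint for the same host in the group_vars hunk is `hash.trygvis.io`, so Ansible reaches hash only through the tunnel this repository's wireguard role configures; the run that first installs the tunnel on hash has to happen before this inventory change, or through another address. The same ordering applies to akili, whose entry moves from `akili.local` to `akili.vpn.trygvis.io` in the hunk further down. A comment on the entry such as `# reachable only over wg0; bootstrap with the public name first` would make that dependency explicit.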
@@ -12,6 +12,7 @@ all:
ansible_python_interpreter: /usr/bin/python3
arius:
ansible_host: arius.trygvis.io
+ ansible_python_interpreter: /usr/bin/python3
mw:
ansible_host: 2a01:7e00:e000:272:2ff:aaff:fe7e:46b4
homepi:
@@ -22,7 +23,7 @@ all:
ansible_host: conflatorio.vpn.trygvis.io
ansible_python_interpreter: /usr/bin/python3
akili:
- ansible_host: akili.local
+ ansible_host: akili.vpn.trygvis.io
ansible_python_interpreter: /usr/bin/python3
nextcloud:
ansible_host: 192.168.10.201
@@ -148,15 +149,16 @@ all:
wireguard_wg0:
hosts:
akili:
+ android-trygvis:
arius:
astyanax:
babypi:
birgitte:
conflatorio:
+ hash:
knot:
malabaricus:
- sweetzpot-mobile:
sweetzpot-macos:
- android-trygvis:
+ sweetzpot-mobile:
# vim: set filetype=yaml:
diff --git a/ansible/plays/files/hash/etc/wireguard/public-wg0.key b/ansible/plays/files/hash/etc/wireguard/public-wg0.key
new file mode 100644
index 0000000..b7736d6
--- /dev/null
+++ b/ansible/plays/files/hash/etc/wireguard/public-wg0.key
@@ -0,0 +1 @@
+mqWUWuINT47LoIxYHNrtdvE91nBZeqGaRfwAK1rTPHw=
diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml
index d05cec9..a91aea5 100644
--- a/ansible/roles/wireguard/tasks/main.yml
+++ b/ansible/roles/wireguard/tasks/main.yml
@@ -76,14 +76,15 @@
# {{ hostname }}
[WireGuardPeer]
PublicKey={{ host.public_key if host.public_key is defined else lookup('file', hostname + '/etc/wireguard/public-{{ wg_net.if }}.key') }}
- {% if host.endpoint is defined %}
- AllowedIPs={{ "0.0.0.0/0" }}
- {% elif host.ipv4 is defined %}
+ {% if host.allowed_ips is defined %}
+ {% for h in host.allowed_ips %}
+ AllowedIPs={{ h }}
+ {% endfor %}
+ {% endif %}
+ {% if host.ipv4 is defined %}
AllowedIPs={{ host.ipv4 }}
{% endif %}
- {% if host.endpoint is defined %}
- AllowedIPs={{ "::/0" }}
- {% elif host.ipv6 is defined %}
+ {% if host.ipv6 is defined %}
AllowedIPs={{ host.ipv6 }}
{% endif %}
{% if host.endpoint is defined %}
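Review bot: `{% if host.allowed_ips is defined %}` only checks that the key exists; a stanza with a bare `allowed_ips:` (YAML null) passes the test and the following `{% for h in host.allowed_ips %}` then fails at render time because None is not iterable. `{% if host.allowed_ips %}` covers both the missing and the empty case. Note also that the old `0.0.0.0/0` and `::/0` defaults for peers with an `endpoint` are gone, so any peer that relied on them now needs an explicit `allowed_ips` list; a short comment above the loop, `# allowed_ips is the only way to grant a peer more than its own addresses`, would record that. The `{% if host.endpoint is defined %}` at the end of this hunk continues outside it.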
@@ -118,14 +119,6 @@
{% endfor %}
{% endif %}
- - name: UFW allow port
- when: wg_host.listen_port is defined
- tags: wireguard-config
- ufw:
- rule: allow
- port: "{{ wg_host.listen_port }}"
- proto: udp
-
- tags:
- wireguard
become: yes