authorTrygve Laugstøl <trygvis@inamo.no>2019-01-07 16:05:40 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2019-01-07 16:05:40 +0100
commitee411778da0ff99808a8ee257c718dcb24739a7f (patch)
tree89079cb64ca78a3dd45bc22c737ed9756c94ad91 /ansible/roles
parent2a7ad7fd86d6195e1080d3e8a6a09d453426db3e (diff)
wireguard: Rewrite.
Diffstat (limited to 'ansible/roles')
-rw-r--r--ansible/roles/wireguard/defaults/main.yml1
-rw-r--r--ansible/roles/wireguard/tasks/main.yml141
2 files changed, 55 insertions, 87 deletions
diff --git a/ansible/roles/wireguard/defaults/main.yml b/ansible/roles/wireguard/defaults/main.yml
index 9b1bf59..824e765 100644
--- a/ansible/roles/wireguard/defaults/main.yml
+++ b/ansible/roles/wireguard/defaults/main.yml
@@ -1,2 +1 @@
wireguard__state: present
-wireguard__role: client
diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml
index 3590636..9c4cf24 100644
--- a/ansible/roles/wireguard/tasks/main.yml
+++ b/ansible/roles/wireguard/tasks/main.yml
@@ -1,11 +1,15 @@
+- debug: var=wireguard__state
+
- tags:
- wireguard
become: yes
when: wireguard__state == 'present'
vars:
- wg_if: "wg-{{ wireguard__net_id }}"
- netdev_path: "/etc/systemd/network/60-{{ wg_if }}.netdev"
- network_path: "/etc/systemd/network/61-{{ wg_if }}.network"
+ wg_net: "{{ hostvars[ansible_hostname][wireguard__name] }}"
+ wg_host: "{{ wg_net.hosts[ansible_hostname] }}"
+ all_peers: "{{ wg_host.peers is defined and wg_host.peers == 'all' }}"
+ netdev_path: "/etc/systemd/network/60-{{ wg_net.if }}.netdev"
+ network_path: "/etc/systemd/network/61-{{ wg_net.if }}.network"
block:
- name: Install packages
tags: packages
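Review bot: The new `- debug: var=wireguard__state` at the top of the task file runs on every play, carries no tags and reads like leftover troubleshooting; either drop it or replace it with a precondition on the variable the rewrite now requires, e.g. `- assert:` / `    that: wireguard__name is defined`, since `wireguard__name` has no default (defaults/main.yml now sets only `wireguard__state`) and an undefined value surfaces as an opaque hostvars error from the `wg_net` line. The new `wg_net` and `wg_host` vars key on `ansible_hostname`, a gathered fact that can differ from the inventory name; if the inventory name is the intended key into `wg_net.hosts`, `inventory_hostname` is the safer choice and does not depend on fact gathering. The block opened in this hunk continues past its last line.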
@@ -28,110 +32,75 @@
path: /etc/wireguard
state: directory
- - name: wg genkey /etc/wireguard/private.key
+ - name: "wg genkey /etc/wireguard/private-{{ wg_net.if }}.key"
tags: wireguard-config
- shell: wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
+ shell: wg genkey | tee /etc/wireguard/private-{{ wg_net.if }}.key | wg pubkey > /etc/wireguard/public-{{ wg_net.if }}.key
args:
- creates: /etc/wireguard/private.key
+ creates: /etc/wireguard/private-{{ wg_net.if }}.key
register: wg_private_key_gen
- when: wg_private_key_gen.changed
tags: wireguard-config
fetch:
- src: "/etc/wireguard/public.key"
+ src: "/etc/wireguard/public-{{ wg_net.if }}.key"
dest: "files"
- tags: wireguard-config
slurp:
- src: "/etc/wireguard/private.key"
+ src: "/etc/wireguard/private-{{ wg_net.if }}.key"
register: wg_private_key
- - name: Make /etc/systemd/network/60-wg-XXX.netdev (Client)
- when: wireguard__role == 'client'
+ - name: "Make {{ netdev_path }}"
notify: systemctl restart systemd-networkd
tags: wireguard-config
copy:
dest: "{{ netdev_path }}"
content: |
[NetDev]
- Name={{ wg_if }}
+ Name={{ wg_net.if }}
Kind=wireguard
- Description=Net id: {{ wireguard__net_id }}
+ Description=Wireguard VPN
[WireGuard]
PrivateKey={{ wg_private_key['content'] | b64decode }}
+ {% if wg_host.listen_port is defined %}
+ ListenPort={{ wg_host.listen_port }}
+ {% endif %}
+ {% for hostname in wg_net.hosts|sort %}
+ {% set host = wg_net.hosts[hostname] %}
+ {% set present = not (host.state is defined) or host.state == 'present' %}
+ {% if present and (all_peers or host.endpoint is defined) %}
[WireGuardPeer]
- PublicKey={{ lookup('file', wireguard__server.ansible_hostname + '/etc/wireguard/public.key') }}
- AllowedIPs=0.0.0.0/0
- AllowedIPs=::/0
- Endpoint={{ wireguard__server.hostname }}:{{ wireguard__listen_port }}
+ PublicKey={{ lookup('file', hostname + '/etc/wireguard/public-{{ wg_net.if }}.key') }}
+ AllowedIPs={{ "0.0.0.0/0" if host.endpoint is defined else host.ipv4 }}
+ AllowedIPs={{ "::/0" if host.endpoint is defined else host.ipv6 }}
+ {% if host.endpoint is defined %}
+ Endpoint={{ host.endpoint }}:{{ host.listen_port }}
+ {% endif %}
PersistentKeepalive=60
-
- - name: Make /etc/systemd/network/60-wg-XXX.netdev (Server)
- when: wireguard__role == 'server'
- notify: systemctl restart systemd-networkd
- tags: wireguard-config
- copy:
- dest: "{{ netdev_path }}"
- content: |
- [NetDev]
- Name={{ wg_if }}
- Kind=wireguard
- Description=Net id: {{ wireguard__net_id }}
-
- [WireGuard]
- PrivateKey={{ wg_private_key['content'] | b64decode }}
- ListenPort={{ wireguard__listen_port }}
-
- {% for c in wireguard__clients|sort %}
- {% set client = wireguard__clients[c] %}
- # Client: {{ c }}
- {% if client.state == 'present' %}
- [WireGuardPeer]
- PublicKey={{ lookup('file', c + '/etc/wireguard/public.key') }}
- AllowedIPs={{ client.ipv4 }}
- AllowedIPs={{ client.ipv6 }}
- {% else %}
- # absent
{% endif %}
-
{% endfor %}
- - name: Make /etc/systemd/network/61-wg-XXX.network (Client)
- when: wireguard__role == 'client'
- tags: wireguard-config
- notify: systemctl restart systemd-networkd
- copy:
- dest: "{{ network_path }}"
- content: |
- [Match]
- Name={{ wg_if }}
-
- [Network]
- Address={{ wireguard__clients[ansible_hostname].ipv4 }}/{{ wireguard__server.ipv4.prefix }}
- Address={{ wireguard__clients[ansible_hostname].ipv6 }}/{{ wireguard__server.ipv6.prefix }}
-
- - name: Make /etc/systemd/network/61-wg-XXX.network (Server)
- when: wireguard__role == 'server'
+ - name: "Make {{ network_path }}"
tags: wireguard-config
notify: systemctl restart systemd-networkd
copy:
dest: "{{ network_path }}"
content: |
[Match]
- Name={{ wg_if }}
+ Name={{ wg_net.if }}
[Network]
- Address={{ wireguard__server.ipv4.address }}/{{ wireguard__server.ipv4.prefix }}
- Address={{ wireguard__server.ipv6.address }}/{{ wireguard__server.ipv6.prefix }}
+ Address={{ wg_net.hosts[ansible_hostname].ipv4 }}/{{ wg_net.ipv4_prefix }}
+ Address={{ wg_net.hosts[ansible_hostname].ipv6 }}/{{ wg_net.ipv6_prefix }}
- name: UFW allow port
- when: wireguard__role == 'server'
+ when: wg_host.listen_port is defined
tags: wireguard-config
ufw:
rule: allow
- port: "{{ wireguard__listen_port }}"
+ port: "{{ wg_host.listen_port }}"
proto: udp
- tags:
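Review bot: The new `PublicKey={{ lookup('file', hostname + '/etc/wireguard/public-{{ wg_net.if }}.key') }}` embeds `{{ wg_net.if }}` as literal text inside a quoted Jinja string, so it only resolves if the lookup re-templates its argument a second time; building the path by concatenation is explicit and does not rely on that, `PublicKey={{ lookup('file', hostname + '/etc/wireguard/public-' + wg_net.if + '.key') }}`. The rewritten genkey pipeline still creates the private key file with the process's default umask, so `private-{{ wg_net.if }}.key` may be readable by every local user; prefix it with `umask 077 && wg genkey | tee ...` as the wg documentation recommends. The `Make {{ netdev_path }}` copy task writes the `PrivateKey=` line into the `.netdev` without `mode`, `owner` or `group`, so the key is exposed there too; `mode: "0640"`, `owner: root`, `group: systemd-network` let systemd-networkd read it while keeping it from other users. The enclosing block starts before this hunk.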
@@ -139,31 +108,31 @@
become: yes
when: wireguard__state == 'absent'
vars:
- wg_if: "wg-{{ wireguard__net_id }}"
- netdev_path: "/etc/systemd/network/60-{{ wg_if }}.netdev"
- network_path: "/etc/systemd/network/61-{{ wg_if }}.network"
+ wg_net: "{{ hostvars[ansible_hostname][wireguard__name] }}"
+ netdev_path: "/etc/systemd/network/60-{{ wg_net.if }}.netdev"
+ network_path: "/etc/systemd/network/61-{{ wg_net.if }}.network"
block:
- - file:
- path: /etc/wireguard
- state: absent
- notify: systemctl restart systemd-networkd
-
- - file:
- path: "{{ netdev_path }}"
- state: absent
- notify: systemctl restart systemd-networkd
-
- - file:
- path: "{{ network_path }}"
+ - name: Remove old files
+ file:
+ path: "{{ item }}"
state: absent
notify: systemctl restart systemd-networkd
-
- - shell: "ip -j link show {{ wg_if }}"
+ with_items:
+ - /etc/wireguard/private-{{ wg_net.if }}.key
+ - /etc/wireguard/public-{{ wg_net.if }}.key
+ - "{{ netdev_path }}"
+ - "{{ network_path }}"
+
+ - name: Checking for interface
+ shell: "ip -j link show"
changed_when: False
register: ip_link
- - shell: "ip -j link delete {{ wg_if }}"
- when: ip_link.stdout_lines|length != "0"
+ - name: Removing interface
+ shell: "ip -j link delete {{ wg_net.if }}"
+ when: links[wg_net.if] is defined
+ vars:
+ links: "{{ ip_link.stdout | from_json | items2dict(key_name='ifname', value_name='ifname') }}"
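Review bot: The new `Checking for interface` and `Removing interface` tasks use `shell:` for a single command with no pipes or redirection, so `command:` is the better fit: it skips the shell round-trip and keeps `{{ wg_net.if }}` from being shell-interpreted if an inventory value ever contains metacharacters, e.g. `command: "ip -j link delete {{ wg_net.if }}"`. `changed_when: False` should be `changed_when: false` to match the lowercase booleans used elsewhere in this rewrite. The `Remove old files` loop deletes the host's private key as part of `wireguard__state == 'absent'`, which is irreversible; a one-line comment above the loop such as `# Removing the key means peers must be re-rendered after this host is re-added` would make that consequence visible to the next maintainer.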
- name: generate dns records
tags:
@@ -172,7 +141,7 @@
local_action:
module: copy
content: |
- wireguard_dns_records_{{ wireguard__net_id }}:
+ wireguard_dns_records_{{ wg_net.if }}:
{% for c in wireguard__clients|sort %}
{% set client = wireguard__clients[c] %}
- type: A
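Review bot: The DNS record task now names its output after `wg_net.if`, but the task itself is a top-level task that starts before this hunk, outside the block whose `vars:` define `wg_net`; unless the task's own vars (not visible here) define it, `wg_net` is undefined at `wireguard_dns_records_{{ wg_net.if }}:` and at the `dest` rename in the next hunk. The loop on the unchanged lines still iterates `wireguard__clients`, the data model the rest of this rewrite replaces with `wg_net.hosts`, so the records will presumably be generated from stale or missing data; iterating `wg_net.hosts` would keep the two in step, but that inference should be confirmed against the inventory.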
@@ -184,4 +153,4 @@
value: {{ client.ipv6 }}
state: {{ client.state }}
{% endfor %}
- dest: "files/wireguard-dns-records-{{ wireguard__net_id }}.yml"
+ dest: "files/wireguard-dns-records-{{ wg_net.if }}.yml"