authorTrygve Laugstøl <trygvis@inamo.no>2019-01-07 16:05:40 +0100
committerTrygve Laugstøl <trygvis@inamo.no>2019-01-07 16:05:40 +0100
commitee411778da0ff99808a8ee257c718dcb24739a7f (patch)
tree89079cb64ca78a3dd45bc22c737ed9756c94ad91 /ansible
parent2a7ad7fd86d6195e1080d3e8a6a09d453426db3e (diff)
wireguard: Rewrite.
Diffstat (limited to 'ansible')
-rw-r--r--ansible/files/akili/etc/wireguard/public-wg-net1.key (renamed from ansible/files/akili/etc/wireguard/public.key)0
-rw-r--r--ansible/files/android-trygvis/etc/wireguard/public-wg1.key (renamed from ansible/files/android-trygvis/etc/wireguard/public.key)0
-rw-r--r--ansible/files/arius/etc/wireguard/public-wg-net1.key (renamed from ansible/files/arius/etc/wireguard/public.key)0
-rw-r--r--ansible/files/birgitte/etc/wireguard/public-wg-net1.key (renamed from ansible/files/birgitte/etc/wireguard/public.key)0
-rw-r--r--ansible/files/conflatorio/etc/wireguard/public-wg0.key1
-rw-r--r--ansible/files/conflatorio/etc/wireguard/public.key1
-rw-r--r--ansible/files/fuckaduck/etc/borg/id_ed25519.pub1
-rw-r--r--ansible/files/fuckaduck/etc/wireguard/public.key1
-rw-r--r--ansible/files/knot/etc/wireguard/public-wg0.key1
-rw-r--r--ansible/files/knot/etc/wireguard/public-wg1.key1
-rw-r--r--ansible/files/knot/etc/wireguard/public.key1
-rw-r--r--ansible/group_vars/all/wireguard_wg-net1.yml32
-rw-r--r--ansible/group_vars/all/wireguard_wg0.yml28
-rw-r--r--ansible/group_vars/all/wireguard_wg1.yml15
-rw-r--r--ansible/group_vars/wireguard_net1.yml37
-rw-r--r--ansible/inventory20
-rw-r--r--ansible/roles/wireguard/defaults/main.yml1
-rw-r--r--ansible/roles/wireguard/tasks/main.yml141
-rw-r--r--ansible/wireguard.yml23
19 files changed, 168 insertions, 136 deletions
diff --git a/ansible/files/akili/etc/wireguard/public.key b/ansible/files/akili/etc/wireguard/public-wg-net1.key
index 31725d2..31725d2 100644
--- a/ansible/files/akili/etc/wireguard/public.key
+++ b/ansible/files/akili/etc/wireguard/public-wg-net1.key
diff --git a/ansible/files/android-trygvis/etc/wireguard/public.key b/ansible/files/android-trygvis/etc/wireguard/public-wg1.key
index 4ab6833..4ab6833 100644
--- a/ansible/files/android-trygvis/etc/wireguard/public.key
+++ b/ansible/files/android-trygvis/etc/wireguard/public-wg1.key
diff --git a/ansible/files/arius/etc/wireguard/public.key b/ansible/files/arius/etc/wireguard/public-wg-net1.key
index 879fa3c..879fa3c 100644
--- a/ansible/files/arius/etc/wireguard/public.key
+++ b/ansible/files/arius/etc/wireguard/public-wg-net1.key
diff --git a/ansible/files/birgitte/etc/wireguard/public.key b/ansible/files/birgitte/etc/wireguard/public-wg-net1.key
index 22e2fe3..22e2fe3 100644
--- a/ansible/files/birgitte/etc/wireguard/public.key
+++ b/ansible/files/birgitte/etc/wireguard/public-wg-net1.key
diff --git a/ansible/files/conflatorio/etc/wireguard/public-wg0.key b/ansible/files/conflatorio/etc/wireguard/public-wg0.key
new file mode 100644
index 0000000..f4cc915
--- /dev/null
+++ b/ansible/files/conflatorio/etc/wireguard/public-wg0.key
@@ -0,0 +1 @@
+170TWFqJLCfkw48ddLLnx7zWAo1qpx/AQf8Dar8mSXY=
diff --git a/ansible/files/conflatorio/etc/wireguard/public.key b/ansible/files/conflatorio/etc/wireguard/public.key
deleted file mode 100644
index dc49595..0000000
--- a/ansible/files/conflatorio/etc/wireguard/public.key
+++ /dev/null
@@ -1 +0,0 @@
-Rdq2LKzVxDBuXhimgLA1ZW9qFKCypHhBSaBx+24w3gA=
diff --git a/ansible/files/fuckaduck/etc/borg/id_ed25519.pub b/ansible/files/fuckaduck/etc/borg/id_ed25519.pub
deleted file mode 100644
index 2b3cc69..0000000
--- a/ansible/files/fuckaduck/etc/borg/id_ed25519.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO+nB33MTjbXI5P5wpanz0M/OO+2fClfVfkEdKPQJ4n4 for borg @ fuckaduck
diff --git a/ansible/files/fuckaduck/etc/wireguard/public.key b/ansible/files/fuckaduck/etc/wireguard/public.key
deleted file mode 100644
index d8012b3..0000000
--- a/ansible/files/fuckaduck/etc/wireguard/public.key
+++ /dev/null
@@ -1 +0,0 @@
-1Fywv/wM2QrqpxlbX5ql5lJNZdmadUGGn7gkXlAnlgE=
diff --git a/ansible/files/knot/etc/wireguard/public-wg0.key b/ansible/files/knot/etc/wireguard/public-wg0.key
new file mode 100644
index 0000000..8caf3db
--- /dev/null
+++ b/ansible/files/knot/etc/wireguard/public-wg0.key
@@ -0,0 +1 @@
+cuUgTdFH1UEXpUH6V1nashdH7K/L+pl6dmJCpBWN+Xw=
diff --git a/ansible/files/knot/etc/wireguard/public-wg1.key b/ansible/files/knot/etc/wireguard/public-wg1.key
new file mode 100644
index 0000000..0b891d1
--- /dev/null
+++ b/ansible/files/knot/etc/wireguard/public-wg1.key
@@ -0,0 +1 @@
+LM3L40nY0FWMECG6oP8VWYDjWVkRLp3kK0fofP3W7S0=
diff --git a/ansible/files/knot/etc/wireguard/public.key b/ansible/files/knot/etc/wireguard/public.key
deleted file mode 100644
index 5d4a839..0000000
--- a/ansible/files/knot/etc/wireguard/public.key
+++ /dev/null
@@ -1 +0,0 @@
-TgWtNOhe1j1uF8/xkN+u7Sv5FtvXj5EYRcwjbHjKjRU=
diff --git a/ansible/group_vars/all/wireguard_wg-net1.yml b/ansible/group_vars/all/wireguard_wg-net1.yml
new file mode 100644
index 0000000..33044ab
--- /dev/null
+++ b/ansible/group_vars/all/wireguard_wg-net1.yml
@@ -0,0 +1,32 @@
+wireguard-wg-net1:
+ if: wg-net1
+ ipv4_prefix: 24
+ ipv6_prefix: 64
+ hosts:
+ knot:
+ endpoint: trygvis.io
+ listen_port: 51820
+ ipv4: 192.168.80.1
+ # Generated by https://www.ultratools.com/tools/rangeGenerator
+ ipv6: fdf3:aad9:a885:0b3a::1
+ peers: all
+ birgitte:
+ state: present
+ ipv4: 192.168.80.2
+ ipv6: fdf3:aad9:a885:0b3a::2
+ conflatorio:
+ state: present
+ ipv4: 192.168.80.3
+ ipv6: fdf3:aad9:a885:0b3a::3
+ fuckaduck:
+ state: absent
+ ipv4: 192.168.80.4
+ ipv6: fdf3:aad9:a885:0b3a::4
+ arius:
+ state: present
+ ipv4: 192.168.80.6
+ ipv6: fdf3:aad9:a885:0b3a::6
+ akili:
+ state: present
+ ipv4: 192.168.80.7
+ ipv6: fdf3:aad9:a885:0b3a::7
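Review bot: The per-network schema this file introduces (`if`, `ipv4_prefix`, `ipv6_prefix`, and per host `endpoint`, `listen_port`, `peers`, `state`, `ipv4`, `ipv6`) is undocumented, and a reader of this file alone cannot tell that a missing `state` means present, that `peers: all` makes a host peer with every present host, or that `listen_port` is also what opens the ufw rule in the role. A short header comment would fix that, e.g. `# hosts.<name>: state (default present), ipv4/ipv6 without prefix (the *_prefix keys apply), endpoint + listen_port for a reachable host, peers: all to peer with every present host`. The same applies to wireguard_wg0.yml and wireguard_wg1.yml in this commit. The address values are plain scalars; they parse as strings today, but quoting them (`ipv6: "fdf3:aad9:a885:0b3a::1"`) protects against loaders that special-case colon-separated scalars.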
diff --git a/ansible/group_vars/all/wireguard_wg0.yml b/ansible/group_vars/all/wireguard_wg0.yml
new file mode 100644
index 0000000..4e8238b
--- /dev/null
+++ b/ansible/group_vars/all/wireguard_wg0.yml
@@ -0,0 +1,28 @@
+wireguard-wg0:
+ if: wg0
+ ipv4_prefix: 24
+ ipv6_prefix: 64
+ hosts:
+ knot:
+ endpoint: trygvis.io
+ listen_port: 51821
+ peers: all
+ ipv4: 192.168.60.1
+ # Generated by https://www.ultratools.com/tools/rangeGenerator
+ ipv6: fdf3:aad9:a885:0b3b::1
+# birgitte:
+# state: present
+# ipv4: 192.168.60.2
+# ipv6: fdf3:aad9:a885:0b3b::2
+ conflatorio:
+ state: present
+ ipv4: 192.168.60.3
+ ipv6: fdf3:aad9:a885:0b3b::3
+# arius:
+# state: present
+# ipv4: 192.168.60.6
+# ipv6: fdf3:aad9:a885:0b3b::6
+# akili:
+# state: present
+# ipv4: 192.168.60.7
+# ipv6: fdf3:aad9:a885:0b3b::7
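Review bot: The four hosts that are not yet on wg0 are commented out rather than listed with `state: absent`, even though the role's template already honours `state` and skips absent hosts; commenting them out loses the address reservations and the role has no record that those addresses are taken. Keeping them as real entries, e.g. `birgitte:` / `state: absent` / `ipv4: 192.168.60.2`, would let the reservations survive and make enabling a host a one-line change. If the commented form is deliberate, a comment saying why (`# not yet migrated to wg0`) would help the next reader.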
diff --git a/ansible/group_vars/all/wireguard_wg1.yml b/ansible/group_vars/all/wireguard_wg1.yml
new file mode 100644
index 0000000..a053dca
--- /dev/null
+++ b/ansible/group_vars/all/wireguard_wg1.yml
@@ -0,0 +1,15 @@
+wireguard-wg1:
+ if: wg1
+ ipv4_prefix: 24
+ ipv6_prefix: 64
+ hosts:
+ knot:
+ endpoint: trygvis.io
+ listen_port: 51822
+ peers: all
+ ipv4: 192.168.110.1
+ ipv6: 2a01:7e00:e000:272::b00b::1
+ android-trygvis:
+ state: present
+ ipv4: 192.168.110.2
+ ipv6: 2a01:7e00:e000:272::b00b::2
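Review bot: `2a01:7e00:e000:272::b00b::1` and `2a01:7e00:e000:272::b00b::2` are not valid IPv6 addresses: a textual IPv6 address may contain only one `::` run, so the `Address=` and `AllowedIPs=` lines the role renders from them will be rejected by systemd-networkd. Presumably one of the two runs should be a single colon (e.g. `ipv6: 2a01:7e00:e000:272:b00b::1`), but which one depends on the allocated prefix, which I cannot confirm from here. Unlike the fdf3: ULA ranges in the sibling files this is a global 2a01: prefix, so whether these tunnel addresses are meant to be reachable beyond the tunnel is worth stating in a comment next to them.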
diff --git a/ansible/group_vars/wireguard_net1.yml b/ansible/group_vars/wireguard_net1.yml
deleted file mode 100644
index deb330a..0000000
--- a/ansible/group_vars/wireguard_net1.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-wireguard__net_id: net1
-wireguard__listen_port: 51820
-wireguard__server:
- ansible_hostname: knot
- hostname: trygvis.io
- ipv4:
- address: 192.168.80.1
- prefix: 24
- # Generated by https://www.ultratools.com/tools/rangeGenerator
- ipv6:
- address: fdf3:aad9:a885:0b3a::1
- prefix: 64
-wireguard__clients:
- birgitte:
- state: present
- ipv4: 192.168.80.2
- ipv6: fdf3:aad9:a885:0b3a::2
- conflatorio:
- state: present
- ipv4: 192.168.80.3
- ipv6: fdf3:aad9:a885:0b3a::3
- fuckaduck:
- state: present
- ipv4: 192.168.80.4
- ipv6: fdf3:aad9:a885:0b3a::4
- android-trygvis:
- state: present
- ipv4: 192.168.80.5
- ipv6: fdf3:aad9:a885:0b3a::5
- arius:
- state: present
- ipv4: 192.168.80.6
- ipv6: fdf3:aad9:a885:0b3a::6
- akili:
- state: present
- ipv4: 192.168.80.7
- ipv6: fdf3:aad9:a885:0b3a::7
diff --git a/ansible/inventory b/ansible/inventory
index db5d88a..d413177 100644
--- a/ansible/inventory
+++ b/ansible/inventory
@@ -18,8 +18,6 @@ all:
ansible_host: conflatorio.trygvis.io
nextcloud:
ansible_host: 192.168.90.101
- fuckaduck:
- ansible_host: fuckaduck.local
akili:
ansible_host: akili.local
children:
@@ -29,7 +27,6 @@ all:
conflatorio:
arius:
akysis:
- fuckaduck:
sbcs:
hosts:
homepi:
@@ -100,7 +97,6 @@ all:
borg_server__clients_ansible_group: borg_nas
borg_nas:
hosts:
- fuckaduck:
birgitte:
conflatorio:
vars:
@@ -110,13 +106,25 @@ all:
children:
borg_nas:
- wireguard_net1:
+ wireguard_wg-net1:
hosts:
akili:
arius:
birgitte:
conflatorio:
- fuckaduck:
+ knot:
+
+ wireguard_wg0:
+ hosts:
+ akili:
+ arius:
+ birgitte:
+ conflatorio:
+ knot:
+
+ wireguard_wg1:
+ hosts:
+ android-trygvis:
knot:
# vim: set filetype=yaml:
diff --git a/ansible/roles/wireguard/defaults/main.yml b/ansible/roles/wireguard/defaults/main.yml
index 9b1bf59..824e765 100644
--- a/ansible/roles/wireguard/defaults/main.yml
+++ b/ansible/roles/wireguard/defaults/main.yml
@@ -1,2 +1 @@
wireguard__state: present
-wireguard__role: client
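Review bot: The role now requires `wireguard__name` (tasks/main.yml indexes `hostvars[ansible_hostname][wireguard__name]` in both blocks), but defaults/main.yml neither defines it nor mentions it, so a play that forgets to pass it fails with an undefined-variable error inside the block rather than at the role boundary. Either document it here, `# wireguard__name: required; name of the group_vars key describing this network, e.g. wireguard-wg0`, or add an `assert` task at the top of tasks/main.yml checking `wireguard__name is defined`.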
diff --git a/ansible/roles/wireguard/tasks/main.yml b/ansible/roles/wireguard/tasks/main.yml
index 3590636..9c4cf24 100644
--- a/ansible/roles/wireguard/tasks/main.yml
+++ b/ansible/roles/wireguard/tasks/main.yml
@@ -1,11 +1,15 @@
+- debug: var=wireguard__state
+
- tags:
- wireguard
become: yes
when: wireguard__state == 'present'
vars:
- wg_if: "wg-{{ wireguard__net_id }}"
- netdev_path: "/etc/systemd/network/60-{{ wg_if }}.netdev"
- network_path: "/etc/systemd/network/61-{{ wg_if }}.network"
+ wg_net: "{{ hostvars[ansible_hostname][wireguard__name] }}"
+ wg_host: "{{ wg_net.hosts[ansible_hostname] }}"
+ all_peers: "{{ wg_host.peers is defined and wg_host.peers == 'all' }}"
+ netdev_path: "/etc/systemd/network/60-{{ wg_net.if }}.netdev"
+ network_path: "/etc/systemd/network/61-{{ wg_net.if }}.network"
block:
- name: Install packages
tags: packages
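Review bot: The new `wg_net` and `wg_host` vars key `hostvars` and `wg_net.hosts` by `ansible_hostname`, the hostname fact gathered from the remote, rather than `inventory_hostname`, which is what the group_vars `hosts:` maps and the inventory use; the lookup silently produces the wrong host (or fails) on any machine whose kernel hostname differs from its inventory name, and the same pattern recurs in the absent block and the network file task. `inventory_hostname` would match the data unambiguously: `wg_net: "{{ hostvars[inventory_hostname][wireguard__name] }}"` and `wg_host: "{{ wg_net.hosts[inventory_hostname] }}"`. The added `- debug: var=wireguard__state` task at the top looks like leftover debugging; if it is meant to stay, giving it a `name:` and `verbosity: 1` keeps normal runs quiet.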
@@ -28,110 +32,75 @@
path: /etc/wireguard
state: directory
- - name: wg genkey /etc/wireguard/private.key
+ - name: "wg genkey /etc/wireguard/private-{{ wg_net.if }}.key"
tags: wireguard-config
- shell: wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
+ shell: wg genkey | tee /etc/wireguard/private-{{ wg_net.if }}.key | wg pubkey > /etc/wireguard/public-{{ wg_net.if }}.key
args:
- creates: /etc/wireguard/private.key
+ creates: /etc/wireguard/private-{{ wg_net.if }}.key
register: wg_private_key_gen
- when: wg_private_key_gen.changed
tags: wireguard-config
fetch:
- src: "/etc/wireguard/public.key"
+ src: "/etc/wireguard/public-{{ wg_net.if }}.key"
dest: "files"
- tags: wireguard-config
slurp:
- src: "/etc/wireguard/private.key"
+ src: "/etc/wireguard/private-{{ wg_net.if }}.key"
register: wg_private_key
- - name: Make /etc/systemd/network/60-wg-XXX.netdev (Client)
- when: wireguard__role == 'client'
+ - name: "Make {{ netdev_path }}"
notify: systemctl restart systemd-networkd
tags: wireguard-config
copy:
dest: "{{ netdev_path }}"
content: |
[NetDev]
- Name={{ wg_if }}
+ Name={{ wg_net.if }}
Kind=wireguard
- Description=Net id: {{ wireguard__net_id }}
+ Description=Wireguard VPN
[WireGuard]
PrivateKey={{ wg_private_key['content'] | b64decode }}
+ {% if wg_host.listen_port is defined %}
+ ListenPort={{ wg_host.listen_port }}
+ {% endif %}
+ {% for hostname in wg_net.hosts|sort %}
+ {% set host = wg_net.hosts[hostname] %}
+ {% set present = not (host.state is defined) or host.state == 'present' %}
+ {% if present and (all_peers or host.endpoint is defined) %}
[WireGuardPeer]
- PublicKey={{ lookup('file', wireguard__server.ansible_hostname + '/etc/wireguard/public.key') }}
- AllowedIPs=0.0.0.0/0
- AllowedIPs=::/0
- Endpoint={{ wireguard__server.hostname }}:{{ wireguard__listen_port }}
+ PublicKey={{ lookup('file', hostname + '/etc/wireguard/public-{{ wg_net.if }}.key') }}
+ AllowedIPs={{ "0.0.0.0/0" if host.endpoint is defined else host.ipv4 }}
+ AllowedIPs={{ "::/0" if host.endpoint is defined else host.ipv6 }}
+ {% if host.endpoint is defined %}
+ Endpoint={{ host.endpoint }}:{{ host.listen_port }}
+ {% endif %}
PersistentKeepalive=60
-
- - name: Make /etc/systemd/network/60-wg-XXX.netdev (Server)
- when: wireguard__role == 'server'
- notify: systemctl restart systemd-networkd
- tags: wireguard-config
- copy:
- dest: "{{ netdev_path }}"
- content: |
- [NetDev]
- Name={{ wg_if }}
- Kind=wireguard
- Description=Net id: {{ wireguard__net_id }}
-
- [WireGuard]
- PrivateKey={{ wg_private_key['content'] | b64decode }}
- ListenPort={{ wireguard__listen_port }}
-
- {% for c in wireguard__clients|sort %}
- {% set client = wireguard__clients[c] %}
- # Client: {{ c }}
- {% if client.state == 'present' %}
- [WireGuardPeer]
- PublicKey={{ lookup('file', c + '/etc/wireguard/public.key') }}
- AllowedIPs={{ client.ipv4 }}
- AllowedIPs={{ client.ipv6 }}
- {% else %}
- # absent
{% endif %}
-
{% endfor %}
- - name: Make /etc/systemd/network/61-wg-XXX.network (Client)
- when: wireguard__role == 'client'
- tags: wireguard-config
- notify: systemctl restart systemd-networkd
- copy:
- dest: "{{ network_path }}"
- content: |
- [Match]
- Name={{ wg_if }}
-
- [Network]
- Address={{ wireguard__clients[ansible_hostname].ipv4 }}/{{ wireguard__server.ipv4.prefix }}
- Address={{ wireguard__clients[ansible_hostname].ipv6 }}/{{ wireguard__server.ipv6.prefix }}
-
- - name: Make /etc/systemd/network/61-wg-XXX.network (Server)
- when: wireguard__role == 'server'
+ - name: "Make {{ network_path }}"
tags: wireguard-config
notify: systemctl restart systemd-networkd
copy:
dest: "{{ network_path }}"
content: |
[Match]
- Name={{ wg_if }}
+ Name={{ wg_net.if }}
[Network]
- Address={{ wireguard__server.ipv4.address }}/{{ wireguard__server.ipv4.prefix }}
- Address={{ wireguard__server.ipv6.address }}/{{ wireguard__server.ipv6.prefix }}
+ Address={{ wg_net.hosts[ansible_hostname].ipv4 }}/{{ wg_net.ipv4_prefix }}
+ Address={{ wg_net.hosts[ansible_hostname].ipv6 }}/{{ wg_net.ipv6_prefix }}
- name: UFW allow port
- when: wireguard__role == 'server'
+ when: wg_host.listen_port is defined
tags: wireguard-config
ufw:
rule: allow
- port: "{{ wireguard__listen_port }}"
+ port: "{{ wg_host.listen_port }}"
proto: udp
- tags:
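Review bot: The PublicKey line nests `{{ wg_net.if }}` inside an enclosing `{{ lookup(...) }}` expression, which is not valid Jinja — the inner braces are never expanded — so the lookup path does not resolve to `public-<if>.key`; it should be string concatenation: `PublicKey={{ lookup('file', hostname + '/etc/wireguard/public-' + wg_net.if + '.key') }}`. The peer loop also does not exclude the host being configured, so a host with `peers: all` (knot) emits a [WireGuardPeer] for its own key; `{% if present and hostname != ansible_hostname and (all_peers or host.endpoint is defined) %}` avoids that. The netdev file now embeds `PrivateKey=` but the `copy:` task sets no `mode:`/`owner:`/`group:`, so the file is created with the default (typically world-readable) permissions and the private key is exposed to every local user; add `mode: "0640"`, `owner: root`, `group: systemd-network` so only networkd can read it. The task list continues in the next hunk.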
@@ -139,31 +108,31 @@
become: yes
when: wireguard__state == 'absent'
vars:
- wg_if: "wg-{{ wireguard__net_id }}"
- netdev_path: "/etc/systemd/network/60-{{ wg_if }}.netdev"
- network_path: "/etc/systemd/network/61-{{ wg_if }}.network"
+ wg_net: "{{ hostvars[ansible_hostname][wireguard__name] }}"
+ netdev_path: "/etc/systemd/network/60-{{ wg_net.if }}.netdev"
+ network_path: "/etc/systemd/network/61-{{ wg_net.if }}.network"
block:
- - file:
- path: /etc/wireguard
- state: absent
- notify: systemctl restart systemd-networkd
-
- - file:
- path: "{{ netdev_path }}"
- state: absent
- notify: systemctl restart systemd-networkd
-
- - file:
- path: "{{ network_path }}"
+ - name: Remove old files
+ file:
+ path: "{{ item }}"
state: absent
notify: systemctl restart systemd-networkd
-
- - shell: "ip -j link show {{ wg_if }}"
+ with_items:
+ - /etc/wireguard/private-{{ wg_net.if }}.key
+ - /etc/wireguard/public-{{ wg_net.if }}.key
+ - "{{ netdev_path }}"
+ - "{{ network_path }}"
+
+ - name: Checking for interface
+ shell: "ip -j link show"
changed_when: False
register: ip_link
- - shell: "ip -j link delete {{ wg_if }}"
- when: ip_link.stdout_lines|length != "0"
+ - name: Removing interface
+ shell: "ip -j link delete {{ wg_net.if }}"
+ when: links[wg_net.if] is defined
+ vars:
+ links: "{{ ip_link.stdout | from_json | items2dict(key_name='ifname', value_name='ifname') }}"
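Review bot: "Remove old files" now deletes `/etc/wireguard/private-<if>.key`, so a `wireguard__state: absent` run destroys the host's private key irrecoverably while the fetched public key under `files/<host>/etc/wireguard/` stays in the repository; since wireguard.yml applies `absent` to the whole wg-net1 group in this commit, a comment stating that this is intended (`# absent tears down the network and discards the host's key pair; peers keep the stale public key until re-fetched`) would save the next reader a surprise. The two `shell:` tasks run fixed commands with no shell features and would be safer as `command:` (same for `ip -j link delete`, where `-j` has no effect); `changed_when: False` should be lowercase `false` to match the `present` block's style.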
- name: generate dns records
tags:
@@ -172,7 +141,7 @@
local_action:
module: copy
content: |
- wireguard_dns_records_{{ wireguard__net_id }}:
+ wireguard_dns_records_{{ wg_net.if }}:
{% for c in wireguard__clients|sort %}
{% set client = wireguard__clients[c] %}
- type: A
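Review bot: The DNS-records task still iterates `wireguard__clients`, but this commit deletes group_vars/wireguard_net1.yml, the only place that variable was defined, so the task now fails with an undefined variable unless it is set elsewhere; it should walk the new structure, e.g. `{% for c in wg_net.hosts|sort %}` / `{% set client = wg_net.hosts[c] %}`, and handle hosts without a `state` key. It also references `wg_net`, which is defined only in the two blocks' `vars:`; if this task sits outside those blocks (indentation is lost in this view, and only the wg0 play in wireguard.yml defines `wg_net` at play level), the wg-net1 and wg1 plays will hit the same undefined-variable error. The `dest:` change in the last hunk of this file has the same dependency. The enclosing task starts above this hunk.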
@@ -184,4 +153,4 @@
value: {{ client.ipv6 }}
state: {{ client.state }}
{% endfor %}
- dest: "files/wireguard-dns-records-{{ wireguard__net_id }}.yml"
+ dest: "files/wireguard-dns-records-{{ wg_net.if }}.yml"
diff --git a/ansible/wireguard.yml b/ansible/wireguard.yml
index e5acba5..943b0d2 100644
--- a/ansible/wireguard.yml
+++ b/ansible/wireguard.yml
@@ -1,5 +1,24 @@
- hosts:
- - wireguard_net1
+ - wireguard_wg-net1
+ tags: wg-net1
roles:
- - wireguard
+ - role: wireguard
+ wireguard__state: absent
+ wireguard__name: wireguard-wg-net1
+- hosts:
+ - wireguard_wg0
+ tags: wg0
+ roles:
+ - role: wireguard
+ wireguard__name: wireguard-wg0
+ vars:
+ wg_net: "{{ hostvars[ansible_hostname][wireguard__name] }}"
+ wg_host: "{{ wg_net.hosts[ansible_hostname] }}"
+
+- hosts:
+ - wireguard_wg1
+ tags: wg1
+ roles:
+ - role: wireguard
+ wireguard__name: wireguard-wg1
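Review bot: Only the wg0 play defines `wg_net`/`wg_host` under `vars:`; they duplicate the block vars inside the role, and if they were added so the role's top-level DNS-records task can resolve `wg_net`, the wg-net1 and wg1 plays are missing them and will fail in that task. Either add the same `vars:` to all three plays or move the definition into the role so the plays stay uniform. The first play now runs the role with `wireguard__state: absent` against the whole wg-net1 group, which removes those hosts' wg-net1 keys and units; a comment such as `# wg-net1 is being decommissioned in favour of wg0/wg1` would make that intent explicit.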