aboutsummaryrefslogtreecommitdiffstats
path: root/roles/wireguard
diff options
context:
space:
mode:
authorbinary <me@rgoncalves.se>2021-03-17 20:53:31 +0100
committerbinary <me@rgoncalves.se>2021-03-17 20:53:31 +0100
commitedfeb6401af135348ddd38518a27be3e8ec51f6a (patch)
treea179029da1de48d7a8edf7e4a4c7902324f9e751 /roles/wireguard
parent3e8b7f77311d32fd11e05d6f11d454aa40ed0aec (diff)
downloadinfrastructure-edfeb6401af135348ddd38518a27be3e8ec51f6a.tar.gz
Make wireguard unreachables/failures free
Diffstat (limited to 'roles/wireguard')
-rw-r--r--roles/wireguard/tasks/generate.yml29
-rw-r--r--roles/wireguard/tasks/main.yml66
-rw-r--r--roles/wireguard/tasks/server.yml37
-rw-r--r--roles/wireguard/tasks/set_facts.yml13
-rw-r--r--roles/wireguard/tasks/synchronize.yml21
-rw-r--r--roles/wireguard/templates/dcontroller.conf.j25
6 files changed, 106 insertions, 65 deletions
diff --git a/roles/wireguard/tasks/generate.yml b/roles/wireguard/tasks/generate.yml
new file mode 100644
index 0000000..6b91fb2
--- /dev/null
+++ b/roles/wireguard/tasks/generate.yml
@@ -0,0 +1,29 @@
+
+# wireguard ~~ roles/wireguard/tasks/generate.yml
+# generate client configuration
+
+---
+
+- name: check keys on local disk
+ stat:
+ path: "{{ wg_host_keys }}"
+ register: stat_host_keys
+ delegate_to: localhost
+
+- name: generate host keys on local machine
+ shell: |
+ umask 077
+ wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}"
+ args:
+ chdir: "{{ wg_dir }}"
+ when: not stat_host_keys.stat.exists or wg_force is defined and wg_force
+ delegate_to: localhost
+
+- name: generate client configuration
+ template:
+ src: host.conf.j2
+ dest: "{{ wg_dir }}/{{ ansible_host }}.conf"
+ mode: "0600"
+ when: ansible_host != global.dcontroller
+ delegate_to: localhost
+
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index 9875457..5b48998 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -4,55 +4,22 @@
---
-- name: generate dynamic facts
- include: set_facts.yml
+- name: set local directory for wireguard output
+ set_fact:
+ wg_dir: "{{ inventory_dir }}/files/wireguard"
-- name: check keys on local disk
- stat:
- path: "{{ wg_host_keys }}"
- register: stat_host_keys
- delegate_to: localhost
+- name: set local config files for wireguard output
+ set_fact:
+ wg_dcontroller_conf: "{{ wg_dir }}/{{ global.dcontroller }}.conf"
+ wg_dcontroller_keys: "{{ wg_dir }}/{{ global.dcontroller }}.keys"
+ wg_host_conf: "{{ wg_dir }}/{{ ansible_host }}.conf"
+ wg_host_keys: "{{ wg_dir }}/{{ ansible_host }}.keys"
-- name: generate host keys
- shell: |
- umask 077
- wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}"
- args:
- chdir: "{{ wg_dir }}"
- when: not stat_host_keys.stat.exists or force is defined and force
- delegate_to: localhost
+- name: include configuration generation
+ include_tasks: generate.yml
-- name: create wireguard dir on remote host
- file:
- path: /etc/wireguard
- owner: "{{ user_root }}"
- group: "{{ group_root }}"
- mode: 0700
- state: directory
- ignore_unreachable: true
-
-- name: generate client configuration
- template:
- src: host.conf.j2
- dest: "{{ item.path }}"
- mode: 0600
- when: ansible_host != global.dcontroller
- delegate_to: "{{ item.name }}"
- loop:
- - { name: "{{ ansible_host }}", path: "/etc/wireguard/{{ global.dcontroller }}.conf" }
- - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host }}.conf" }
- ignore_unreachable: true
-
-- name: generate server configuration
- template:
- src: dcontroller.conf.j2
- dest: "{{ item.path }}"
- mode: "0600"
- when: ansible_host == global.dcontroller
- delegate_to: "{{ item.name }}"
- loop:
- - { name: "{{ ansible_host }}", path: "/etc/wireguard/{{ global.dcontroller }}.conf" }
- - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host }}.conf" }
+- name: include configuration synchronization
+ include_tasks: synchronize.yml
- name: enable wireguard for freebsd
lineinfile:
@@ -78,9 +45,6 @@
ignore_errors: true
when: ansible_distribution != "FreeBSD"
-- name: generate server interface
- template:
- src: templates/hostname.j2
- dest: /etc/hostname.tun0
+- name: include server setup
+ include_tasks: server.yml
when: ansible_host == global.dcontroller
-
diff --git a/roles/wireguard/tasks/server.yml b/roles/wireguard/tasks/server.yml
new file mode 100644
index 0000000..aac9197
--- /dev/null
+++ b/roles/wireguard/tasks/server.yml
@@ -0,0 +1,37 @@
+
+# wireguard ~~ roles/wireguard/tasks/main.yml
+# create keys and configuration for wireguard hosts
+
+---
+
+- name: generate server configuration
+ template:
+ src: dcontroller.conf.j2
+ dest: "{{ wg_dir }}/{{ ansible_host }}.conf"
+ mode: "0600"
+ when: ansible_host == global.dcontroller
+ delegate_to: localhost
+
+- name: generate server interface
+ template:
+ src: templates/hostname.j2
+ dest: /etc/hostname.tun0
+
+# NOTE: interface destruction and creation exists in the same tasks,
+# to avoid being kicked out of the ssh sessions if this one exists
+# within the current VPN.
+- name: restart wireguard interface
+ shell: |
+ ifconfig tun0 destroy
+ sh /etc/netstart tun0
+ register: result
+
+- name: show debug output
+ debug:
+ msg: |
+ {% for line in result.stdout_lines %}
+ "{{ line }}"
+ {% endfor %}
+ {% for line in result.stderr_lines %}
+ "{{ line }}"
+ {% endfor %}
diff --git a/roles/wireguard/tasks/set_facts.yml b/roles/wireguard/tasks/set_facts.yml
deleted file mode 100644
index 7e042ea..0000000
--- a/roles/wireguard/tasks/set_facts.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-
-# wireguard ~~ tasks/set_facts.yml
-
----
-
-- set_fact:
- wg_dir: "{{ inventory_dir }}/files/wireguard"
-
-- set_fact:
- wg_dcontroller_conf: "{{ wg_dir }}/{{ global.dcontroller }}.conf"
- wg_dcontroller_keys: "{{ wg_dir }}/{{ global.dcontroller }}.keys"
- wg_host_conf: "{{ wg_dir }}/{{ ansible_host }}.conf"
- wg_host_keys: "{{ wg_dir }}/{{ ansible_host }}.keys"
diff --git a/roles/wireguard/tasks/synchronize.yml b/roles/wireguard/tasks/synchronize.yml
new file mode 100644
index 0000000..0e7574a
--- /dev/null
+++ b/roles/wireguard/tasks/synchronize.yml
@@ -0,0 +1,21 @@
+
+# wireguard ~~ roles/wireguard/tasks/main.yml
+# create keys and configuration for wireguard hosts
+
+---
+
+- name: ensure wireguard directory exists on remote
+ file:
+ path: /etc/wireguard
+ owner: "0"
+ group: "0"
+ mode: "0700"
+ state: directory
+
+- name: ensure wiregard configuration is copied on remote
+ copy:
+ src: "{{ wg_host_conf }}"
+ dest: "/etc/wireguard/{{ global.dcontroller }}.conf"
+ owner: "0"
+ group: "0"
+ mode: "0600"
diff --git a/roles/wireguard/templates/dcontroller.conf.j2 b/roles/wireguard/templates/dcontroller.conf.j2
index 7213925..a8e6292 100644
--- a/roles/wireguard/templates/dcontroller.conf.j2
+++ b/roles/wireguard/templates/dcontroller.conf.j2
@@ -8,12 +8,15 @@
ListenPort = 53
PrivateKey = {{ dcontroller_keys[0] }}
-{% for host in groups["all"] if hostvars[host].ansible_host != global.dcontroller %}
+{% for host in groups["all"] %}
{% set host = hostvars[host] %}
+{##}
+{% if host.ansible_host != global.dcontroller and host.ip is defined %}
{% set host_keys = lookup("file", wg_dir + "/" + host.ansible_host + ".keys").splitlines() %}
# {{ host.ansible_host }}
[Peer]
PublicKey = {{ host_keys[1] }}
AllowedIPs = {{ host.ip.in }}/32, fd00:10:10::{{ host.ip.in.split('.')[3] }}/128
+{% endif %}
{% endfor %}
remember that computers suck.