From c110f9a103c2f676917e3fe5e33f4eaedfed070c Mon Sep 17 00:00:00 2001
From: binary
Date: Fri, 20 Nov 2020 19:20:55 +0100
Subject: Refactor wireguard role with new host declaration.

---
 playbooks/network.yml | 8 +++-
 roles/wireguard/tasks/generate.yml | 54 ---------------------------
 roles/wireguard/tasks/main.yml | 41 +++++++++++---------
 roles/wireguard/tasks/set_facts.yml | 6 +--
 roles/wireguard/templates/dcontroller.conf.j2 | 2 +-
 roles/wireguard/templates/host.conf.j2 | 2 +-
 roles/wireguard/templates/hostname.j2 | 2 +-
 7 files changed, 36 insertions(+), 79 deletions(-)
 delete mode 100644 roles/wireguard/tasks/generate.yml

diff --git a/playbooks/network.yml b/playbooks/network.yml
index b0c5448..1e8206b 100644
--- a/playbooks/network.yml
+++ b/playbooks/network.yml
@@ -5,13 +5,19 @@
 
 ---
 - hosts: localhost
+  gather_facts: no
   roles:
     - { role: ssh_dns }
 
+- hosts: all
+  gather_facts: no
+  roles:
+    - { role: wireguard }
+
 - hosts: servers
   roles:
+    - { role: dns }
     - { role: sshd }
-    - { role: wireguard }
 
 - hosts: dcontroller
   roles:
diff --git a/roles/wireguard/tasks/generate.yml b/roles/wireguard/tasks/generate.yml
deleted file mode 100644
index 6e60a92..0000000
--- a/roles/wireguard/tasks/generate.yml
+++ /dev/null
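Review bot: `gather_facts: no` on the two new play headers uses the YAML 1.1 truthy spelling; Ansible accepts it, but yamllint's `truthy` rule and ansible-lint flag it, so write `gather_facts: false` on both plays. Turning fact gathering off for the `hosts: all` play looks safe as far as this patch shows, since the wireguard tasks and templates in this commit read only inventory-provided values (`ansible_host`, `hostvars[...].ip.out`, `global.dcontroller`) rather than gathered facts. That dependency is worth stating on the play so it is not broken later, e.g. `# wireguard needs only inventory vars; no facts gathered on purpose`, because any future task in the role that reaches for an `ansible_*` fact will then fail with an undefined variable.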
@@ -1,54 +0,0 @@
-
-# wireguard ~~ tasks/generate.yml
-
-- stat:
-    path: "{{ wg_host_keys }}"
-  register: stat_host_keys
-  delegate_to: localhost
-
-- name: Generate domain keys
-  shell: |
-    umask 077
-    wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}"
-  args:
-    chdir: "{{ wg_dir }}"
-  when: not stat_host_keys.stat.exists or force is defined and force
-  delegate_to: localhost
-
-- name: Create wireguard dir on remote host
-  file:
-    path: /etc/wireguard
-    owner: root
-    state: directory
-    mode: "0700"
-  ignore_unreachable: true
-
-- name: Generate client configuration
-  template:
-    src: templates/host.conf.j2
-    dest: "{{ item.path }}"
-    mode: "0600"
-  when: ansible_host != _i.dcontroller
-  delegate_to: "{{ item.name }}"
-  loop:
-    - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
-    - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
-  ignore_unreachable: true
-
-- name: Generate server configuration
-  template:
-    src: templates/dcontroller.conf.j2
-    dest: "{{ item.path }}"
-    mode: "0600"
-  when: ansible_host == _i.dcontroller
-  delegate_to: "{{ item.name }}"
-  loop:
-    - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
-    - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
-
-- name: Generate server interface
-  template:
-    src: templates/hostname.j2
-    dest: /etc/hostname.tun0
-  when: ansible_host == _i.dcontroller
-
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index 9e23fa7..51b97c0 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -1,15 +1,19 @@
-# wireguard ~~ tasks/main.yml
+
+# wireguard ~~ roles/wireguard/tasks/main.yml
+# create keys and configuration for wireguard hosts
 
 ---
 
-- include: set_facts.yml
+- name: generate dynamic facts
+  include: set_facts.yml
 
-- stat:
+- name: check keys on local disk
+  stat:
     path: "{{ wg_host_keys }}"
   register: stat_host_keys
   delegate_to: localhost
 
-- name: Generate domain keys
+- name: generate host keys
   shell: |
     umask 077
     wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}"
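Review bot: The renamed "generate dynamic facts" task still uses `include: set_facts.yml`, and the bare `include` action is deprecated; the file name is static, so `import_tasks: set_facts.yml` is the drop-in replacement (`include_tasks:` only if dynamic inclusion is actually wanted). The new header comment is a good start but says nothing about where the material it produces lands; since the "generate host keys" task writes the private key and appends the public key to the same file on the control node, a line such as `# each host's private+public key pair lives on the control node as {{ wg_host_keys }} (see set_facts.yml)` would tell a reader what that directory contains. The shell task's body (its `args`/`chdir`) continues outside this hunk.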
@@ -18,40 +22,41 @@
   when: not stat_host_keys.stat.exists or force is defined and force
   delegate_to: localhost
 
-- name: Create wireguard dir on remote host
+- name: create wireguard dir on remote host
   file:
     path: /etc/wireguard
-    owner: root
+    owner: "{{ user_root }}"
+    group: "{{ group_root }}"
+    mode: 0700
     state: directory
-    mode: "0700"
   ignore_unreachable: true
 
-- name: Generate client configuration
+- name: generate client configuration
   template:
-    src: templates/host.conf.j2
+    src: host.conf.j2
     dest: "{{ item.path }}"
-    mode: "0600"
-  when: ansible_host != _i.dcontroller
+    mode: 0600
+  when: ansible_host != global.dcontroller
   delegate_to: "{{ item.name }}"
   loop:
     - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
-    - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+    - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host }}.conf" }
   ignore_unreachable: true
 
-- name: Generate server configuration
+- name: generate server configuration
   template:
-    src: templates/dcontroller.conf.j2
+    src: dcontroller.conf.j2
     dest: "{{ item.path }}"
     mode: "0600"
-  when: ansible_host == _i.dcontroller
+  when: ansible_host == global.dcontroller
   delegate_to: "{{ item.name }}"
   loop:
     - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
-    - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+    - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host }}.conf" }
 
-- name: Generate server interface
+- name: generate server interface
   template:
     src: templates/hostname.j2
     dest: /etc/hostname.tun0
-  when: ansible_host == _i.dcontroller
+  when: ansible_host == global.dcontroller
 
diff --git a/roles/wireguard/tasks/set_facts.yml b/roles/wireguard/tasks/set_facts.yml
index 933ca9d..7e042ea 100644
--- a/roles/wireguard/tasks/set_facts.yml
+++ b/roles/wireguard/tasks/set_facts.yml
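Review bot: The new `mode: 0700` (wireguard dir) and `mode: 0600` (client configuration) lines drop the quotes the replaced lines had, while the server-configuration task below still says `mode: "0600"`, so the file now mixes both spellings; Ansible documents the leading-zero integer as accepted, but ansible-lint's risky-octal rule flags it and a later edit to `700` would silently become decimal, so restore `mode: "0700"` and `mode: "0600"`. In the same way `src: host.conf.j2` and `src: dcontroller.conf.j2` lost their `templates/` prefix but `src: templates/hostname.j2` in the last task kept it; both forms resolve, so pick one. `owner: "{{ user_root }}"` and `group: "{{ group_root }}"` replace a hard-coded `root` with variables that nothing in this patch defines — presumably they come from inventory or group vars — and a short comment naming their source, e.g. `# user_root/group_root: the platform's root account and group, set in inventory vars`, would save the next reader a search. The config written to localhost in the client task contains the host's private key, so the 0600 there matters as much as on the remote side.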
@@ -4,10 +4,10 @@
 ---
 
 - set_fact:
-    wg_dir: "{{ inventory_dir}}/files/wireguard"
+    wg_dir: "{{ inventory_dir }}/files/wireguard"
 
 - set_fact:
-    wg_dcontroller_conf: "{{ wg_dir }}/{{ _i.dcontroller }}.conf"
-    wg_dcontroller_keys: "{{ wg_dir }}/{{ _i.dcontroller }}.keys"
+    wg_dcontroller_conf: "{{ wg_dir }}/{{ global.dcontroller }}.conf"
+    wg_dcontroller_keys: "{{ wg_dir }}/{{ global.dcontroller }}.keys"
     wg_host_conf: "{{ wg_dir }}/{{ ansible_host }}.conf"
     wg_host_keys: "{{ wg_dir }}/{{ ansible_host }}.keys"
diff --git a/roles/wireguard/templates/dcontroller.conf.j2 b/roles/wireguard/templates/dcontroller.conf.j2
index 5771ef6..7213925 100644
--- a/roles/wireguard/templates/dcontroller.conf.j2
+++ b/roles/wireguard/templates/dcontroller.conf.j2
@@ -8,7 +8,7 @@
 ListenPort = 53
 PrivateKey = {{ dcontroller_keys[0] }}
 
-{% for host in groups["all"] if hostvars[host].ansible_host != _i.dcontroller %}
+{% for host in groups["all"] if hostvars[host].ansible_host != global.dcontroller %}
 {% set host = hostvars[host] %}
 {% set host_keys = lookup("file", wg_dir + "/" + host.ansible_host + ".keys").splitlines() %}
 # {{ host.ansible_host }}
diff --git a/roles/wireguard/templates/host.conf.j2 b/roles/wireguard/templates/host.conf.j2
index 2a5acc5..4c693eb 100644
--- a/roles/wireguard/templates/host.conf.j2
+++ b/roles/wireguard/templates/host.conf.j2
@@ -10,6 +10,6 @@
 PrivateKey = {{ host_keys[0] }}
 [Peer]
 PublicKey = {{ dcontroller_keys[1] }}
-Endpoint = {{ hostvars[_i.dcontroller].ip.out }}:53
+Endpoint = {{ hostvars[global.dcontroller].ip.out }}:53
 AllowedIPs = 0.0.0.0/0, ::/0
 PersistentKeepalive = 25
diff --git a/roles/wireguard/templates/hostname.j2 b/roles/wireguard/templates/hostname.j2
index 3903ccb..8938320 100644
--- a/roles/wireguard/templates/hostname.j2
+++ b/roles/wireguard/templates/hostname.j2
@@ -2,7 +2,7 @@ inet 10.10.0.1 255.255.255.0
 inet6 fd00:10:10::1
 !/usr/local/bin/wireguard-go -f tun0 &
 !/bin/sleep 2
-!/usr/local/bin/wg setconf tun0 /etc/wireguard/{{ _i.dcontroller }}.conf
+!/usr/local/bin/wg setconf tun0 /etc/wireguard/{{ global.dcontroller }}.conf
 !/bin/sleep 2
 !/sbin/route add -inet 10.10.0.0/24 10.10.0.1
 !/bin/sleep 2
-- 
cgit v1.2.3