From edfeb6401af135348ddd38518a27be3e8ec51f6a Mon Sep 17 00:00:00 2001
From: binary <me@rgoncalves.se>
Date: Wed, 17 Mar 2021 20:53:31 +0100
Subject: Make wireguard unreachables/failures free

---
 playbooks/network/wireguard.yml               |  1 -
 roles/wireguard/tasks/generate.yml            | 29 ++++++++++++
 roles/wireguard/tasks/main.yml                | 66 ++++++---------------------
 roles/wireguard/tasks/server.yml              | 37 +++++++++++++++
 roles/wireguard/tasks/set_facts.yml           | 13 ------
 roles/wireguard/tasks/synchronize.yml         | 21 +++++++++
 roles/wireguard/templates/dcontroller.conf.j2 |  5 +-
 7 files changed, 106 insertions(+), 66 deletions(-)
 create mode 100644 roles/wireguard/tasks/generate.yml
 create mode 100644 roles/wireguard/tasks/server.yml
 delete mode 100644 roles/wireguard/tasks/set_facts.yml
 create mode 100644 roles/wireguard/tasks/synchronize.yml

diff --git a/playbooks/network/wireguard.yml b/playbooks/network/wireguard.yml
index 4ea75d6..a08c3a4 100644
--- a/playbooks/network/wireguard.yml
+++ b/playbooks/network/wireguard.yml
@@ -7,4 +7,3 @@
 - hosts: all
   roles:
     - { role: wireguard }
-
diff --git a/roles/wireguard/tasks/generate.yml b/roles/wireguard/tasks/generate.yml
new file mode 100644
index 0000000..6b91fb2
--- /dev/null
+++ b/roles/wireguard/tasks/generate.yml
@@ -0,0 +1,29 @@
+
+# wireguard ~~ roles/wireguard/tasks/generate.yml
+# generate client configuration
+
+---
+
+- name: check keys on local disk
+  stat:
+    path: "{{ wg_host_keys }}"
+  register: stat_host_keys
+  delegate_to: localhost
+
+- name: generate host keys on local machine
+  shell: |
+    umask 077
+    wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}"
+  args:
+    chdir: "{{ wg_dir }}"
+  when: not stat_host_keys.stat.exists or wg_force is defined and wg_force
+  delegate_to: localhost
+
+- name: generate client configuration
+  template:
+    src: host.conf.j2
+    dest: "{{ wg_dir }}/{{ ansible_host }}.conf"
+    mode: "0600"
+  when: ansible_host != global.dcontroller
+  delegate_to: localhost
+
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index 9875457..5b48998 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -4,55 +4,22 @@
 
 ---
 
-- name: generate dynamic facts
-  include: set_facts.yml
+- name: set local directory for wireguard output
+  set_fact:
+    wg_dir: "{{ inventory_dir }}/files/wireguard"
 
-- name: check keys on local disk
-  stat:
-    path: "{{ wg_host_keys }}"
-  register: stat_host_keys
-  delegate_to: localhost
+- name: set local config files for wireguard output
+  set_fact:
+    wg_dcontroller_conf: "{{ wg_dir }}/{{ global.dcontroller }}.conf"
+    wg_dcontroller_keys: "{{ wg_dir }}/{{ global.dcontroller }}.keys"
+    wg_host_conf: "{{ wg_dir }}/{{ ansible_host }}.conf"
+    wg_host_keys: "{{ wg_dir }}/{{ ansible_host }}.keys"
 
-- name: generate host keys
-  shell: |
-    umask 077
-    wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}"
-  args:
-    chdir: "{{ wg_dir }}"
-  when: not stat_host_keys.stat.exists or force is defined and force
-  delegate_to: localhost
+- name: include configuration generation
+  include_tasks: generate.yml
 
-- name: create wireguard dir on remote host
-  file:
-    path: /etc/wireguard
-    owner: "{{ user_root }}"
-    group: "{{ group_root }}"
-    mode: 0700
-    state: directory
-  ignore_unreachable: true
-
-- name: generate client configuration
-  template:
-    src: host.conf.j2
-    dest: "{{ item.path }}"
-    mode: 0600
-  when: ansible_host != global.dcontroller
-  delegate_to: "{{ item.name }}"
-  loop:
-    - { name: "{{ ansible_host }}", path: "/etc/wireguard/{{ global.dcontroller }}.conf" }
-    - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host }}.conf" }
-  ignore_unreachable: true
-
-- name: generate server configuration
-  template:
-    src: dcontroller.conf.j2
-    dest: "{{ item.path }}"
-    mode: "0600"
-  when: ansible_host == global.dcontroller
-  delegate_to: "{{ item.name }}"
-  loop:
-    - { name: "{{ ansible_host }}", path: "/etc/wireguard/{{ global.dcontroller }}.conf" }
-    - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host }}.conf" }
+- name: include configuration synchronization
+  include_tasks: synchronize.yml
 
 - name: enable wireguard for freebsd
   lineinfile:
@@ -78,9 +45,6 @@
   ignore_errors: true
   when: ansible_distribution != "FreeBSD"
 
-- name: generate server interface
-  template:
-    src: templates/hostname.j2
-    dest: /etc/hostname.tun0
+- name: include server setup
+  include_tasks: server.yml
   when: ansible_host == global.dcontroller
-
diff --git a/roles/wireguard/tasks/server.yml b/roles/wireguard/tasks/server.yml
new file mode 100644
index 0000000..aac9197
--- /dev/null
+++ b/roles/wireguard/tasks/server.yml
@@ -0,0 +1,37 @@
+
+# wireguard ~~ roles/wireguard/tasks/main.yml
+# create keys and configuration for wireguard hosts
+
+---
+
+- name: generate server configuration
+  template:
+    src: dcontroller.conf.j2
+    dest: "{{ wg_dir }}/{{ ansible_host }}.conf"
+    mode: "0600"
+  when: ansible_host == global.dcontroller
+  delegate_to: localhost
+
+- name: generate server interface
+  template:
+    src: templates/hostname.j2
+    dest: /etc/hostname.tun0
+
+# NOTE: interface destruction and creation exists in the same tasks,
+# to avoid being kicked out of the ssh sessions if this one exists
+# within the current VPN.
+- name: restart wireguard interface
+  shell: |
+    ifconfig tun0 destroy
+    sh /etc/netstart tun0
+  register: result
+
+- name: show debug output
+  debug:
+    msg: |
+      {% for line in result.stdout_lines %}
+      "{{ line }}"
+      {% endfor %}
+      {% for line in result.stderr_lines %}
+      "{{ line }}"
+      {% endfor %}
diff --git a/roles/wireguard/tasks/set_facts.yml b/roles/wireguard/tasks/set_facts.yml
deleted file mode 100644
index 7e042ea..0000000
--- a/roles/wireguard/tasks/set_facts.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-
-# wireguard ~~ tasks/set_facts.yml
-
----
-
-- set_fact:
-    wg_dir: "{{ inventory_dir }}/files/wireguard"
-
-- set_fact:
-    wg_dcontroller_conf: "{{ wg_dir }}/{{ global.dcontroller }}.conf"
-    wg_dcontroller_keys: "{{ wg_dir }}/{{ global.dcontroller }}.keys"
-    wg_host_conf: "{{ wg_dir }}/{{ ansible_host }}.conf"
-    wg_host_keys: "{{ wg_dir }}/{{ ansible_host }}.keys"
diff --git a/roles/wireguard/tasks/synchronize.yml b/roles/wireguard/tasks/synchronize.yml
new file mode 100644
index 0000000..0e7574a
--- /dev/null
+++ b/roles/wireguard/tasks/synchronize.yml
@@ -0,0 +1,21 @@
+
+# wireguard ~~ roles/wireguard/tasks/main.yml
+# create keys and configuration for wireguard hosts
+
+---
+
+- name: ensure wireguard directory exists on remote
+  file:
+    path: /etc/wireguard
+    owner: "0"
+    group: "0"
+    mode: "0700"
+    state: directory
+
+- name: ensure wiregard configuration is copied on remote
+  copy:
+    src: "{{ wg_host_conf }}"
+    dest: "/etc/wireguard/{{ global.dcontroller }}.conf"
+    owner: "0"
+    group: "0"
+    mode: "0600"
diff --git a/roles/wireguard/templates/dcontroller.conf.j2 b/roles/wireguard/templates/dcontroller.conf.j2
index 7213925..a8e6292 100644
--- a/roles/wireguard/templates/dcontroller.conf.j2
+++ b/roles/wireguard/templates/dcontroller.conf.j2
@@ -8,12 +8,15 @@
 ListenPort = 53
 PrivateKey = {{ dcontroller_keys[0] }}
 
-{% for host in groups["all"] if hostvars[host].ansible_host != global.dcontroller %}
+{% for host in groups["all"] %}
 {% set host = hostvars[host] %}
+{##}
+{% if host.ansible_host != global.dcontroller and host.ip is defined %}
 {% set host_keys = lookup("file", wg_dir + "/" + host.ansible_host + ".keys").splitlines() %}
 # {{ host.ansible_host }}
 [Peer]
 PublicKey = {{ host_keys[1] }}
 AllowedIPs = {{ host.ip.in }}/32, fd00:10:10::{{ host.ip.in.split('.')[3] }}/128
 
+{% endif %}
 {% endfor %}
-- 
cgit v1.2.3