From edfeb6401af135348ddd38518a27be3e8ec51f6a Mon Sep 17 00:00:00 2001 From: binary Date: Wed, 17 Mar 2021 20:53:31 +0100 Subject: Make wireguard unreachables/failures free --- roles/wireguard/tasks/generate.yml | 29 ++++++++++++ roles/wireguard/tasks/main.yml | 66 ++++++--------------------- roles/wireguard/tasks/server.yml | 37 +++++++++++++++ roles/wireguard/tasks/set_facts.yml | 13 ------ roles/wireguard/tasks/synchronize.yml | 21 +++++++++ roles/wireguard/templates/dcontroller.conf.j2 | 5 +- 6 files changed, 106 insertions(+), 65 deletions(-) create mode 100644 roles/wireguard/tasks/generate.yml create mode 100644 roles/wireguard/tasks/server.yml delete mode 100644 roles/wireguard/tasks/set_facts.yml create mode 100644 roles/wireguard/tasks/synchronize.yml (limited to 'roles/wireguard') diff --git a/roles/wireguard/tasks/generate.yml b/roles/wireguard/tasks/generate.yml new file mode 100644 index 0000000..6b91fb2 --- /dev/null +++ b/roles/wireguard/tasks/generate.yml @@ -0,0 +1,29 @@ + +# wireguard ~~ roles/wireguard/tasks/generate.yml +# generate client configuration + +--- + +- name: check keys on local disk + stat: + path: "{{ wg_host_keys }}" + register: stat_host_keys + delegate_to: localhost + +- name: generate host keys on local machine + shell: | + umask 077 + wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}" + args: + chdir: "{{ wg_dir }}" + when: not stat_host_keys.stat.exists or wg_force is defined and wg_force + delegate_to: localhost + +- name: generate client configuration + template: + src: host.conf.j2 + dest: "{{ wg_dir }}/{{ ansible_host }}.conf" + mode: "0600" + when: ansible_host != global.dcontroller + delegate_to: localhost + diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 9875457..5b48998 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -4,55 +4,22 @@ --- -- name: generate dynamic facts - include: set_facts.yml +- name: set local directory for wireguard output + set_fact: + wg_dir: "{{ inventory_dir }}/files/wireguard" -- name: check keys on local disk - stat: - path: "{{ wg_host_keys }}" - register: stat_host_keys - delegate_to: localhost +- name: set local config files for wireguard output + set_fact: + wg_dcontroller_conf: "{{ wg_dir }}/{{ global.dcontroller }}.conf" + wg_dcontroller_keys: "{{ wg_dir }}/{{ global.dcontroller }}.keys" + wg_host_conf: "{{ wg_dir }}/{{ ansible_host }}.conf" + wg_host_keys: "{{ wg_dir }}/{{ ansible_host }}.keys" -- name: generate host keys - shell: | - umask 077 - wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}" - args: - chdir: "{{ wg_dir }}" - when: not stat_host_keys.stat.exists or force is defined and force - delegate_to: localhost +- name: include configuration generation + include_tasks: generate.yml -- name: create wireguard dir on remote host - file: - path: /etc/wireguard - owner: "{{ user_root }}" - group: "{{ group_root }}" - mode: 0700 - state: directory - ignore_unreachable: true - -- name: generate client configuration - template: - src: host.conf.j2 - dest: "{{ item.path }}" - mode: 0600 - when: ansible_host != global.dcontroller - delegate_to: "{{ item.name }}" - loop: - - { name: "{{ ansible_host }}", path: "/etc/wireguard/{{ global.dcontroller }}.conf" } - - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host }}.conf" } - ignore_unreachable: true - -- name: generate server configuration - template: - src: dcontroller.conf.j2 - dest: "{{ item.path }}" - mode: "0600" - when: ansible_host == global.dcontroller - delegate_to: "{{ item.name }}" - loop: - - { name: "{{ ansible_host }}", path: "/etc/wireguard/{{ global.dcontroller }}.conf" } - - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host }}.conf" } +- name: include configuration synchronization + include_tasks: synchronize.yml - name: enable wireguard for freebsd lineinfile: @@ -78,9 +45,6 @@ ignore_errors: true when: ansible_distribution != "FreeBSD" -- name: generate server interface - template: - src: templates/hostname.j2 - dest: /etc/hostname.tun0 +- name: include server setup + include_tasks: server.yml when: ansible_host == global.dcontroller - diff --git a/roles/wireguard/tasks/server.yml b/roles/wireguard/tasks/server.yml new file mode 100644 index 0000000..aac9197 --- /dev/null +++ b/roles/wireguard/tasks/server.yml @@ -0,0 +1,37 @@ + +# wireguard ~~ roles/wireguard/tasks/main.yml +# create keys and configuration for wireguard hosts + +--- + +- name: generate server configuration + template: + src: dcontroller.conf.j2 + dest: "{{ wg_dir }}/{{ ansible_host }}.conf" + mode: "0600" + when: ansible_host == global.dcontroller + delegate_to: localhost + +- name: generate server interface + template: + src: templates/hostname.j2 + dest: /etc/hostname.tun0 + +# NOTE: interface destruction and creation exists in the same tasks, +# to avoid being kicked out of the ssh sessions if this one exists +# within the current VPN. +- name: restart wireguard interface + shell: | + ifconfig tun0 destroy + sh /etc/netstart tun0 + register: result + +- name: show debug output + debug: + msg: | + {% for line in result.stdout_lines %} + "{{ line }}" + {% endfor %} + {% for line in result.stderr_lines %} + "{{ line }}" + {% endfor %} diff --git a/roles/wireguard/tasks/set_facts.yml b/roles/wireguard/tasks/set_facts.yml deleted file mode 100644 index 7e042ea..0000000 --- a/roles/wireguard/tasks/set_facts.yml +++ /dev/null @@ -1,13 +0,0 @@ - -# wireguard ~~ tasks/set_facts.yml - ---- - -- set_fact: - wg_dir: "{{ inventory_dir }}/files/wireguard" - -- set_fact: - wg_dcontroller_conf: "{{ wg_dir }}/{{ global.dcontroller }}.conf" - wg_dcontroller_keys: "{{ wg_dir }}/{{ global.dcontroller }}.keys" - wg_host_conf: "{{ wg_dir }}/{{ ansible_host }}.conf" - wg_host_keys: "{{ wg_dir }}/{{ ansible_host }}.keys" diff --git a/roles/wireguard/tasks/synchronize.yml b/roles/wireguard/tasks/synchronize.yml new file mode 100644 index 0000000..0e7574a --- /dev/null +++ b/roles/wireguard/tasks/synchronize.yml @@ -0,0 +1,21 @@ + +# wireguard ~~ roles/wireguard/tasks/main.yml +# create keys and configuration for wireguard hosts + +--- + +- name: ensure wireguard directory exists on remote + file: + path: /etc/wireguard + owner: "0" + group: "0" + mode: "0700" + state: directory + +- name: ensure wiregard configuration is copied on remote + copy: + src: "{{ wg_host_conf }}" + dest: "/etc/wireguard/{{ global.dcontroller }}.conf" + owner: "0" + group: "0" + mode: "0600" diff --git a/roles/wireguard/templates/dcontroller.conf.j2 b/roles/wireguard/templates/dcontroller.conf.j2 index 7213925..a8e6292 100644 --- a/roles/wireguard/templates/dcontroller.conf.j2 +++ b/roles/wireguard/templates/dcontroller.conf.j2 @@ -8,12 +8,15 @@ ListenPort = 53 PrivateKey = {{ dcontroller_keys[0] }} -{% for host in groups["all"] if hostvars[host].ansible_host != global.dcontroller %} +{% for host in groups["all"] %} {% set host = hostvars[host] %} +{##} +{% if host.ansible_host != global.dcontroller and host.ip is defined %} {% set host_keys = lookup("file", wg_dir + "/" + host.ansible_host + ".keys").splitlines() %} # {{ host.ansible_host }} [Peer] PublicKey = {{ host_keys[1] }} AllowedIPs = {{ host.ip.in }}/32, fd00:10:10::{{ host.ip.in.split('.')[3] }}/128 +{% endif %} {% endfor %} -- cgit v1.2.3