authorRomain Gonçalves <me@rgoncalves.se>2021-12-10 18:30:32 +0000
committerRomain Gonçalves <me@rgoncalves.se>2021-12-10 21:52:55 +0000
commitc1c300aa21b407351e6045c7b40480d4120db8a7 (patch)
tree48ac6715e649326d02dad7011b31c091db29b7b3
parent2fe1965dbb4cc650fda2b00e69219ac7ae403674 (diff)
downloadinfrastructure-c1c300aa21b407351e6045c7b40480d4120db8a7.tar.gz
roles: Generate + deploy wireguard configurations
-rw-r--r--group_vars/all.yml2
-rw-r--r--playbooks/site.yml9
-rw-r--r--roles/wireguard/defaults/main.yml8
-rw-r--r--roles/wireguard/tasks/configuration.yml18
-rw-r--r--roles/wireguard/tasks/keys.yml17
-rw-r--r--roles/wireguard/tasks/main.yml34
-rw-r--r--roles/wireguard/tasks/service.yml20
-rw-r--r--roles/wireguard/templates/hostname.j28
-rw-r--r--roles/wireguard/templates/wireguard.conf.j234
9 files changed, 148 insertions, 2 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 410d962..694927c 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,6 +1,8 @@
ansible_hostname: "{{ ansible_host }}"
ansible_become_method: su
+wireguard_domain_controller: "{{ __global_domain_controller }}"
+
__is_vm: false
__ip:
diff --git a/playbooks/site.yml b/playbooks/site.yml
index a191eb6..96dffb5 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -1,7 +1,14 @@
+- hosts: all
+ roles:
+ - role: wireguard
+ tags: role_wireguard
+
- hosts: servers
roles:
- role: sshd
tags: role_sshd
+ - role: httpd
+ tags: role_httpd
- hosts: stack0
roles:
@@ -9,5 +16,3 @@
tags: role_nfsd
- role: vmm
tags: role_vmm
- - role: httpd
- tags: role_httpd
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
new file mode 100644
index 0000000..2275c05
--- /dev/null
+++ b/roles/wireguard/defaults/main.yml
@@ -0,0 +1,8 @@
+wireguard_dir: /etc/wireguard
+wireguard_local_dir: "{{ inventory_dir }}/files/secrets/wireguard"
+wireguard_local_keys: "{{ inventory_hostname }}.keys"
+wireguard_local_configuration: "{{ inventory_hostname }}.conf"
+
+wireguard_domain_controller: null
+wireguard_persistent_keepalive: 10
+wireguard_port: 53
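Review bot: `wireguard_local_dir` defaults to a path under `inventory_dir`, and keys.yml writes every host's private key there while configuration.yml renders that private key into the `.conf` files beside it, so this directory is the role's most sensitive material and nothing in the defaults says so. A header comment would help: `# wireguard_local_dir holds every peer's private key and rendered config in plaintext; keep it out of version control (or vault-encrypt it) and restrict it to the controller user`. Separately, `wireguard_domain_controller: null` is dereferenced by the `lookup("file", …)` calls in wireguard.conf.j2 and by the `copy` destination in configuration.yml, so a run that leaves the default unset presumably fails with an opaque file-lookup error or lands the config under a `None.conf`-style name; an early `assert` in tasks/main.yml (`that: wireguard_domain_controller in groups.all`) would give a clear message instead.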
diff --git a/roles/wireguard/tasks/configuration.yml b/roles/wireguard/tasks/configuration.yml
new file mode 100644
index 0000000..efb8008
--- /dev/null
+++ b/roles/wireguard/tasks/configuration.yml
@@ -0,0 +1,18 @@
+- name: generate wireguard configuration
+ template:
+ src: wireguard.conf.j2
+ dest: "{{ wireguard_local_dir }}/{{ item }}.conf"
+ mode: 0600
+ vars:
+ host: "{{ hostvars[item] }}"
+ run_once: true
+ delegate_to: localhost
+ loop: "{{ groups.all }}"
+
+- name: copy wireguard configuration
+ copy:
+ src: "{{ wireguard_local_dir }}/{{ wireguard_local_configuration }}"
+ dest: "{{ wireguard_dir }}/{{ wireguard_domain_controller }}.conf"
+ owner: 0
+ group: 0
+ mode: 0600
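Review bot: both tasks in this hunk handle a file that contains the peer's `PrivateKey` (the template emits `PrivateKey = {{ keys[0] }}`), yet neither sets `no_log`, so a run with `--diff` or raised verbosity prints the rendered configuration, private key included, into the Ansible output and any CI log that captures it; add `no_log: true` to both the `template` and the `copy` task. The `template` task also renders for every entry of `groups.all` unconditionally, whereas the template itself excludes `localhost` and hosts without `__ip.internal` only inside its peer loop, so an inventory host of that kind would presumably abort the run at `host.__ip.internal` rather than be skipped; a `when: hostvars[item].__ip.internal is defined` on the loop would mirror the template's own exclusion. `mode: 0600` as an unquoted octal works in Ansible, but `mode: "0600"` is the form ansible-lint prefers, here and in main.yml and service.yml.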
diff --git a/roles/wireguard/tasks/keys.yml b/roles/wireguard/tasks/keys.yml
new file mode 100644
index 0000000..7a89010
--- /dev/null
+++ b/roles/wireguard/tasks/keys.yml
@@ -0,0 +1,17 @@
+- name: generate hosts keys
+ shell: |
+ set -o pipefail
+ ls "{{ wireguard_local_dir }}/{{ item }}.keys" && exit 0
+ umask 077
+ wg genkey | \
+ tee "{{ item }}.keys" | \
+ wg pubkey >> "{{ item }}.keys"
+ exit 2
+ args:
+ chdir: "{{ wireguard_local_dir }}"
+ loop: "{{ groups.all }}"
+ run_once: true
+ delegate_to: localhost
+ register: result
+ changed_when: result.rc == 2
+ failed_when: result.rc not in [0, 2]
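Review bot: the script sets `pipefail` but not `-e`, so if `wg genkey | tee | wg pubkey` fails (for instance `wg` missing on the controller) the shell still reaches `exit 2`, the task reports changed, and an empty or half-written `{{ item }}.keys` is left behind that the template later reads as an empty key; change the first line to `set -eo pipefail`. The `ls … && exit 0` sentinel also duplicates what the `shell` module's `creates:` argument does natively (`creates: "{{ wireguard_local_dir }}/{{ item }}.keys"` under `args:`), which would let the `exit 2` / `changed_when` / `failed_when` arrangement go away. If the sentinel is kept, `test -f` is the conventional existence check rather than `ls`.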
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..9f1d01d
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,34 @@
+- name: create local wireguard directory
+ file:
+ path: "{{ wireguard_local_dir }}"
+ state: directory
+ mode: 0700
+ run_once: true
+ delegate_to: localhost
+
+- name: create wireguard directory
+ file:
+ path: "{{ wireguard_dir }}"
+ owner: 0
+ group: 0
+ mode: 0700
+ state: directory
+
+- name: include key generation
+ include_tasks: keys.yml
+
+- name: include configuration generation
+ include_tasks: configuration.yml
+
+- name: install wireguard on remote host
+ package:
+ name: wireguard-tools
+ state: present
+
+- name: include service configuration for server
+ include_tasks: service.yml
+ when: inventory_hostname == wireguard_domain_controller
+
+- name: include service configuration for hosts
+ include_tasks: service.yml
+ when: inventory_hostname != wireguard_domain_controller
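Review bot: the two final includes both load `service.yml`, one for `inventory_hostname == wireguard_domain_controller` and one for `!=`, so the split has no effect and every host runs the same tasks; either collapse them into a single `- include_tasks: service.yml` or point the server branch at a server-specific file (the commit adds `templates/hostname.j2`, which nothing references and may be what was intended). There is also no check that `wireguard_domain_controller` is set before keys.yml and configuration.yml dereference it; an `assert` with `that: wireguard_domain_controller in groups.all` as the first task would fail with a readable message instead of inside a Jinja lookup. Installing `wireguard-tools` after the configuration has already been copied into `{{ wireguard_dir }}` is harmless, but installing first reads more naturally.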
diff --git a/roles/wireguard/tasks/service.yml b/roles/wireguard/tasks/service.yml
new file mode 100644
index 0000000..d1a1007
--- /dev/null
+++ b/roles/wireguard/tasks/service.yml
@@ -0,0 +1,20 @@
+- name: enable wireguard interface for OpenBSD
+ lineinfile:
+ path: /etc/rc.local
+ regexp: "^/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}$"
+ line: "/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}"
+ owner: 0
+ owner: 0
+ create: true
+ mode: 0644
+ when: ansible_distribution == "OpenBSD"
+
+- name: restart wireguard interface
+ command: wg-quick "{{ item }}" "{{ wireguard_domain_controller }}"
+ ignore_errors: true
+ loop:
+ - down
+ - up
+ loop_control:
+ pause: 5
+ when: ansible_distribution == "OpenBSD"
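Review bot: `owner: 0` appears twice in the `lineinfile` task; YAML duplicate keys resolve to the last value and Ansible only warns, so the second one is almost certainly meant to be `group: 0`. The `regexp` interpolates `wireguard_domain_controller` unescaped into a regular expression, so a hostname containing `.` matches more lines than intended; use `regexp: "^/usr/local/bin/wg-quick up {{ wireguard_domain_controller | regex_escape }}$"`. In the restart task, `ignore_errors: true` hides a failing `wg-quick up` as well as the expected failure of `down` on a not-yet-up interface; registering the result and using `failed_when: item == 'up' and result.rc != 0` keeps the tolerance where it is needed. Since `command` is always reported as changed, moving this into a handler notified by the `copy` task in configuration.yml would also make the play idempotent.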
diff --git a/roles/wireguard/templates/hostname.j2 b/roles/wireguard/templates/hostname.j2
new file mode 100644
index 0000000..aca3b03
--- /dev/null
+++ b/roles/wireguard/templates/hostname.j2
@@ -0,0 +1,8 @@
+inet 10.10.0.1 255.255.255.0
+inet6 fd00:10:10::1
+#!/usr/local/bin/wireguard-go -f tun0 &
+!/usr/local/bin/wg setconf tun0 /etc/wireguard/{{ global.dcontroller }}.conf
+!/bin/sleep 2
+!/sbin/route add -inet 10.10.0.0/24 10.10.0.1
+!/bin/sleep 2
+!/sbin/route add -inet6 fd00:10:10::/64 fd00:10:10::1
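Review bot: nothing in this commit references `hostname.j2`, and it reads `{{ global.dcontroller }}`, a variable no other file here defines or uses (the rest of the role uses `wireguard_domain_controller`), so as added it would fail to render if it were ever used. Its hard-coded `10.10.0.1` / `fd00:10:10::1` addresses also diverge from `wireguard.conf.j2`, which derives addresses from `host.__ip.internal` and gives the controller `fd00::1/128`. Either drop the file from the commit or wire it up with the role's variables and add a header comment stating which host it is meant for.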
diff --git a/roles/wireguard/templates/wireguard.conf.j2 b/roles/wireguard/templates/wireguard.conf.j2
new file mode 100644
index 0000000..91ebf1d
--- /dev/null
+++ b/roles/wireguard/templates/wireguard.conf.j2
@@ -0,0 +1,34 @@
+# managed by Ansible
+{% set keys = lookup("file", wireguard_local_dir ~ "/" ~ host.inventory_hostname ~ ".keys").splitlines() %}
+{% set domain_controller_keys = lookup("file", wireguard_local_dir ~ "/" ~ wireguard_domain_controller ~ ".keys").splitlines() %}
+{% set is_domain_controller = host.inventory_hostname == wireguard_domain_controller %}
+{% set ipv4_address = host.__ip.internal ~ "/24" if is_domain_controller else host.__ip.internal %}
+{% set ipv6_address = "fd00::1/128" if is_domain_controller else "fd00:10:10::" ~ host.__ip.internal.split(".")[3] %}
+
+[Interface]
+Address = {{ ipv4_address }}, {{ ipv6_address }}
+PrivateKey = {{ keys[0] }}
+{% if is_domain_controller %}
+ListenPort = {{ wireguard_port }}
+{% endif %}
+
+{% if is_domain_controller %}
+{% for guest in groups.all %}
+{% set guest = hostvars[guest] %}
+{% if guest.inventory_hostname not in [wireguard_domain_controller, "localhost"] and guest.__ip.internal %}
+{# #}
+{% set guest_keys = lookup("file", wireguard_local_dir ~ "/" ~ guest.inventory_hostname ~ ".keys").splitlines() %}
+# {{ guest.inventory_hostname }}
+[Peer]
+PublicKey = {{ guest_keys[1] }}
+AllowedIPs = {{ guest.__ip.internal }}/32, fd00:10:10::{{ guest.__ip.internal.split('.')[3] }}/128
+
+{% endif %}
+{% endfor %}
+{% else %}
+[Peer]
+PublicKey = {{ domain_controller_keys[1] }}
+Endpoint = {{ hostvars[wireguard_domain_controller].__ip.external }}:{{ wireguard_port }}
+AllowedIPs = 0.0.0.0/0, ::/0
+PersistentKeepalive = {{ wireguard_persistent_keepalive }}
+{% endif %}
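Review bot: the `ipv4_address` / `ipv6_address` assignments dereference `host.__ip.internal` unconditionally, while the peer loop guards on `guest.__ip.internal` and skips `localhost`, so the template is stricter about its peers than about the host it renders for; since configuration.yml renders it for every entry of `groups.all`, an inventory host without `__ip.internal` would presumably abort the run rather than be skipped. `{% set guest = hostvars[guest] %}` rebinds the loop variable from a hostname to its hostvars mapping, which reads oddly; `{% set guest_vars = hostvars[guest] %}` is clearer, and the empty `{# #}` comment below it can go. The controller's `fd00::1/128` lies outside the `fd00:10:10::/64` range given to every peer, which appears to work only because clients route `::/0` through it; a comment stating that, or aligning it to `fd00:10:10::1`, would save the next reader a check.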