From c1c300aa21b407351e6045c7b40480d4120db8a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Gon=C3=A7alves?=
Date: Fri, 10 Dec 2021 18:30:32 +0000
Subject: roles: Generate + deploy wireguard configurations
---
 group_vars/all.yml | 2 ++
 playbooks/site.yml | 9 ++++++--
 roles/wireguard/defaults/main.yml | 8 +++++++
 roles/wireguard/tasks/configuration.yml | 18 +++++++++++++++
 roles/wireguard/tasks/keys.yml | 17 +++++++++++++++
 roles/wireguard/tasks/main.yml | 34 +++++++++++++++++++++++++++++
 roles/wireguard/tasks/service.yml | 20 +++++++++++++++++
 roles/wireguard/templates/hostname.j2 | 8 +++++++
 roles/wireguard/templates/wireguard.conf.j2 | 34 +++++++++++++++++++++++++++++
 9 files changed, 148 insertions(+), 2 deletions(-)
 create mode 100644 roles/wireguard/defaults/main.yml
 create mode 100644 roles/wireguard/tasks/configuration.yml
 create mode 100644 roles/wireguard/tasks/keys.yml
 create mode 100644 roles/wireguard/tasks/main.yml
 create mode 100644 roles/wireguard/tasks/service.yml
 create mode 100644 roles/wireguard/templates/hostname.j2
 create mode 100644 roles/wireguard/templates/wireguard.conf.j2
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 410d962..694927c 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -1,6 +1,8 @@
 ansible_hostname: "{{ ansible_host }}"
 ansible_become_method: su
+wireguard_domain_controller: "{{ __global_domain_controller }}"
+
 __is_vm: false
 __ip:
diff --git a/playbooks/site.yml b/playbooks/site.yml
index a191eb6..96dffb5 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -1,7 +1,14 @@
+- hosts: all
+ roles:
+ - role: wireguard
+ tags: role_wireguard
+
 - hosts: servers
 roles:
 - role: sshd
 tags: role_sshd
+ - role: httpd
+ tags: role_httpd
 - hosts: stack0
 roles:
@@ -9,5 +16,3 @@
 tags: role_nfsd
 - role: vmm
 tags: role_vmm
- - role: httpd
- tags: role_httpd
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
new file mode 100644
index 0000000..2275c05
--- /dev/null
+++ b/roles/wireguard/defaults/main.yml
@@ -0,0 +1,8 @@
+wireguard_dir: /etc/wireguard
+wireguard_local_dir: "{{ inventory_dir }}/files/secrets/wireguard"
+wireguard_local_keys: "{{ inventory_hostname }}.keys"
+wireguard_local_configuration: "{{ inventory_hostname }}.conf"
+
+wireguard_domain_controller: null
+wireguard_persistent_keepalive: 10
+wireguard_port: 53
diff --git a/roles/wireguard/tasks/configuration.yml b/roles/wireguard/tasks/configuration.yml
new file mode 100644
index 0000000..efb8008
--- /dev/null
+++ b/roles/wireguard/tasks/configuration.yml
@@ -0,0 +1,18 @@
+- name: generate wireguard configuration
+ template:
+ src: wireguard.conf.j2
+ dest: "{{ wireguard_local_dir }}/{{ item }}.conf"
+ mode: 0600
+ vars:
+ host: "{{ hostvars[item] }}"
+ run_once: true
+ delegate_to: localhost
+ loop: "{{ groups.all }}"
+
+- name: copy wireguard configuration
+ copy:
+ src: "{{ wireguard_local_dir }}/{{ wireguard_local_configuration }}"
+ dest: "{{ wireguard_dir }}/{{ wireguard_domain_controller }}.conf"
+ owner: 0
+ group: 0
+ mode: 0600
diff --git a/roles/wireguard/tasks/keys.yml b/roles/wireguard/tasks/keys.yml
new file mode 100644
index 0000000..7a89010
--- /dev/null
+++ b/roles/wireguard/tasks/keys.yml
@@ -0,0 +1,17 @@
+- name: generate hosts keys
+ shell: |
+ set -o pipefail
+ ls "{{ wireguard_local_dir }}/{{ item }}.keys" && exit 0
+ umask 077
+ wg genkey | \
+ tee "{{ item }}.keys" | \
+ wg pubkey >> "{{ item }}.keys"
+ exit 2
+ args:
+ chdir: "{{ wireguard_local_dir }}"
+ loop: "{{ groups.all }}"
+ run_once: true
+ delegate_to: localhost
+ register: result
+ changed_when: result.rc == 2
+ failed_when: result.rc not in [0, 2]
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..9f1d01d
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
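Review bot: `wireguard_domain_controller: null` is a default the rest of the role cannot run with: tasks/main.yml compares `inventory_hostname` against it and configuration.yml builds `{{ wireguard_dir }}/{{ wireguard_domain_controller }}.conf` from it, so an inventory that does not override it deploys `/etc/wireguard/None.conf` instead of failing early. A guard at the top of tasks/main.yml, `- assert:` / `    that: wireguard_domain_controller in groups.all`, turns that into a clear failure (`None` is never in the list). `wireguard_port: 53` also needs a comment, since the DNS port is an unusual listen port and a reader cannot tell whether it is deliberate or a placeholder; something like `# UDP listen port of the domain controller; 53 is intentional because … ` would settle it. `wireguard_local_dir` holds every host's private key in plain text under the inventory tree; presumably that directory is excluded from version control or vaulted, and a comment stating which would help whoever inherits this.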
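Review bot: The `generate wireguard configuration` task renders a config for every member of `groups.all` with no filter, while the template itself skips `localhost` and any host whose `__ip.internal` is empty when listing peers; for such a host the unfiltered render still evaluates `host.__ip.internal` with `~`/`.split(".")[3]` and fails the play (or raises an undefined-variable error if `__ip` is absent) before any config is copied. Mirroring the template's own condition on the task, `when: item != "localhost" and hostvars[item].__ip.internal | default(false)`, keeps the render to hosts that actually get a tunnel. Whether `localhost` is in the inventory is not visible here; this is inferred from the exclusion in wireguard.conf.j2. The `mode: 0600` values rely on YAML 1.1 leading-zero octal parsing; `"0600"` is the form ansible-lint expects and removes the ambiguity.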
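Review bot: `set -o pipefail` runs under Ansible's default `/bin/sh` on the delegated controller, and on a controller whose `/bin/sh` lacks pipefail (older dash, for example) that line itself aborts the script with exit status 2, the very code `changed_when` treats as a successful generation, so the task would report keys as created while writing nothing. Either declare `executable: /bin/bash` under `args`, or better drop the pipeline: writing the private key with `wg genkey > file` and appending the public key with `wg pubkey < file >> file` removes both the pipefail dependency and the unordered writes of `tee` and `>>` to the same file from two processes. `ls` as an existence check should be `test -f`, and generating into a temporary name with a final `mv` keeps a half-written `.keys` from satisfying the existence check on the next run. The private key must stay on line 1 and the public key on line 2, because wireguard.conf.j2 reads them back as `keys[0]`/`keys[1]`.
```yaml
- name: generate hosts keys
  shell: |
    f="{{ item }}.keys"
    test -f "$f" && exit 0
    umask 077
    wg genkey > "$f.tmp" || { rm -f "$f.tmp"; exit 1; }
    wg pubkey < "$f.tmp" >> "$f.tmp" || { rm -f "$f.tmp"; exit 1; }
    mv "$f.tmp" "$f"
    exit 2
  args:
    chdir: "{{ wireguard_local_dir }}"
  # … unchanged: loop, run_once, delegate_to, register, changed_when, failed_when …
```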
@@ -0,0 +1,34 @@
+- name: create local wireguard directory
+ file:
+ path: "{{ wireguard_local_dir }}"
+ state: directory
+ mode: 0700
+ run_once: true
+ delegate_to: localhost
+
+- name: create wireguard directory
+ file:
+ path: "{{ wireguard_dir }}"
+ owner: 0
+ group: 0
+ mode: 0700
+ state: directory
+
+- name: include key generation
+ include_tasks: keys.yml
+
+- name: include configuration generation
+ include_tasks: configuration.yml
+
+- name: install wireguard on remote host
+ package:
+ name: wireguard-tools
+ state: present
+
+- name: include service configuration for server
+ include_tasks: service.yml
+ when: inventory_hostname == wireguard_domain_controller
+
+- name: include service configuration for hosts
+ include_tasks: service.yml
+ when: inventory_hostname != wireguard_domain_controller
diff --git a/roles/wireguard/tasks/service.yml b/roles/wireguard/tasks/service.yml
new file mode 100644
index 0000000..d1a1007
--- /dev/null
+++ b/roles/wireguard/tasks/service.yml
@@ -0,0 +1,20 @@
+- name: enable wireguard interface for OpenBSD
+ lineinfile:
+ path: /etc/rc.local
+ regexp: "^/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}$"
+ line: "/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}"
+ owner: 0
+ owner: 0
+ create: true
+ mode: 0644
+ when: ansible_distribution == "OpenBSD"
+
+- name: restart wireguard interface
+ command: wg-quick "{{ item }}" "{{ wireguard_domain_controller }}"
+ ignore_errors: true
+ loop:
+ - down
+ - up
+ loop_control:
+ pause: 5
+ when: ansible_distribution == "OpenBSD"
diff --git a/roles/wireguard/templates/hostname.j2 b/roles/wireguard/templates/hostname.j2
new file mode 100644
index 0000000..aca3b03
--- /dev/null
+++ b/roles/wireguard/templates/hostname.j2
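Review bot: The last two tasks include the same `service.yml` under complementary conditions (`==` and `!=` `wireguard_domain_controller`), so together they are an unconditional include and the split only suggests a server/host distinction that service.yml does not make; either collapse them into one `- name: include service configuration` / `  include_tasks: service.yml`, or keep the split and document in each task name what is expected to differ. `include key generation` runs `wg genkey` on the controller via `delegate_to: localhost`, while the only `package` task installs `wireguard-tools` on the remote host, so the controller prerequisite is invisible here; a comment on that include, `# runs wg(8) on the controller: wireguard-tools must be installed locally`, would save a failed run. The `mode: 0700` values depend on YAML 1.1 leading-zero octal; `"0700"` is the form ansible-lint requires.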
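Review bot: `lineinfile` carries `owner: 0` twice; YAML parsers keep the last value silently and yamllint rejects the duplicate, and given the `owner: 0` / `group: 0` pairs used elsewhere in the role the second line is almost certainly meant to be `group: 0`. In the restart task `ignore_errors: true` was presumably added so that `wg-quick down` may fail on a first run, but it also hides a failed `wg-quick up`, leaving the host without a tunnel while the play reports success; `register: result` and `failed_when: item == "up" and result.rc != 0` keep the tolerance where it is wanted. The `regexp` interpolates the controller hostname unescaped, so dots in it match any character; `{{ wireguard_domain_controller | regex_escape }}` keeps the match exact. Both tasks are OpenBSD-only while the role is applied to `all`, so on any other distribution the config is copied but the interface is never enabled; if that is intended, a one-line comment at the top of service.yml saying so would help.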
@@ -0,0 +1,8 @@
+inet 10.10.0.1 255.255.255.0
+inet6 fd00:10:10::1
+#!/usr/local/bin/wireguard-go -f tun0 &
+!/usr/local/bin/wg setconf tun0 /etc/wireguard/{{ global.dcontroller }}.conf
+!/bin/sleep 2
+!/sbin/route add -inet 10.10.0.0/24 10.10.0.1
+!/bin/sleep 2
+!/sbin/route add -inet6 fd00:10:10::/64 fd00:10:10::1
diff --git a/roles/wireguard/templates/wireguard.conf.j2 b/roles/wireguard/templates/wireguard.conf.j2
new file mode 100644
index 0000000..91ebf1d
--- /dev/null
+++ b/roles/wireguard/templates/wireguard.conf.j2
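Review bot: `hostname.j2` is not referenced by any task in this commit, and it uses `{{ global.dcontroller }}` where every other file uses `wireguard_domain_controller`, so as committed it is dead and would raise an undefined-variable error if it were ever rendered. It also hard-codes `10.10.0.1`, `fd00:10:10::1` and `tun0` and brings the tunnel up through `wg setconf`, while service.yml manages the interface through `wg-quick`; two overlapping mechanisms for the same interface are the kind of thing that diverges silently. Either drop the template, or add a header comment stating that it is a manual, `hostname.if`-style alternative to `wg-quick` (the `inet`/`!command` lines look like OpenBSD hostname.if syntax), which variable it expects, and that the role intentionally does not deploy it.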
@@ -0,0 +1,34 @@
+# managed by Ansible
+{% set keys = lookup("file", wireguard_local_dir ~ "/" ~ host.inventory_hostname ~ ".keys").splitlines() %}
+{% set domain_controller_keys = lookup("file", wireguard_local_dir ~ "/" ~ wireguard_domain_controller ~ ".keys").splitlines() %}
+{% set is_domain_controller = host.inventory_hostname == wireguard_domain_controller %}
+{% set ipv4_address = host.__ip.internal ~ "/24" if is_domain_controller else host.__ip.internal %}
+{% set ipv6_address = "fd00::1/128" if is_domain_controller else "fd00:10:10::" ~ host.__ip.internal.split(".")[3] %}
+
+[Interface]
+Address = {{ ipv4_address }}, {{ ipv6_address }}
+PrivateKey = {{ keys[0] }}
+{% if is_domain_controller %}
+ListenPort = {{ wireguard_port }}
+{% endif %}
+
+{% if is_domain_controller %}
+{% for guest in groups.all %}
+{% set guest = hostvars[guest] %}
+{% if guest.inventory_hostname not in [wireguard_domain_controller, "localhost"] and guest.__ip.internal %}
+{# #}
+{% set guest_keys = lookup("file", wireguard_local_dir ~ "/" ~ guest.inventory_hostname ~ ".keys").splitlines() %}
+# {{ guest.inventory_hostname }}
+[Peer]
+PublicKey = {{ guest_keys[1] }}
+AllowedIPs = {{ guest.__ip.internal }}/32, fd00:10:10::{{ guest.__ip.internal.split('.')[3] }}/128
+
+{% endif %}
+{% endfor %}
+{% else %}
+[Peer]
+PublicKey = {{ domain_controller_keys[1] }}
+Endpoint = {{ hostvars[wireguard_domain_controller].__ip.external }}:{{ wireguard_port }}
+AllowedIPs = 0.0.0.0/0, ::/0
+PersistentKeepalive = {{ wireguard_persistent_keepalive }}
+{% endif %}
--
cgit v1.2.3
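Review bot: The domain controller's own IPv6 address is set to `fd00::1/128`, while every peer is given `fd00:10:10::<last octet>`, the controller-side `AllowedIPs` use the same `fd00:10:10::` prefix, and hostname.j2 assigns the controller `fd00:10:10::1`; a peer sending to `fd00:10:10::1` reaches the controller through `::/0`, but the controller holds no such address, so the `set ipv6_address` line looks like it should read `"fd00:10:10::1/64"` — worth confirming against the intended addressing plan. `keys[0]`/`keys[1]` silently assume the `.keys` file holds the private key on line 1 and the public key on line 2, which is only true because tasks/keys.yml writes them in that order; a comment above the first `set`, `{# .keys layout: line 1 private key, line 2 public key (written by tasks/keys.yml) #}`, records the coupling. The `/24` and `fd00:10:10::` values are repeated in three places and in hostname.j2; lifting them into role defaults (names illustrative: `wireguard_ipv4_prefixlen`, `wireguard_ipv6_prefix`) keeps them from drifting. Non-controller hosts route `0.0.0.0/0, ::/0` through the controller, i.e. a full tunnel; stating that intent in the `# managed by Ansible` header helps the next reader, and the empty `{# #}` line can simply go.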