diff options
author | Romain Gonçalves <me@rgoncalves.se> | 2024-06-30 14:56:04 +0200 |
---|---|---|
committer | Romain Gonçalves <me@rgoncalves.se> | 2024-06-30 17:00:40 +0200 |
commit | e8d1a59785712a5183849b5b12b35f9347607a09 (patch) | |
tree | 79f27aad6bbf0eb223eb0358b2655c8a1411255b | |
parent | 5fb273af8ea757e5627c4b09582705e42aa1d8e6 (diff) | |
download | rules-e8d1a59785712a5183849b5b12b35f9347607a09.tar.gz |
refactor(roles/wireguard): bump wireguard generation
-rw-r--r-- | group_vars/all.yml | 4 | ||||
-rw-r--r-- | roles/wireguard/defaults/main.yml | 16 | ||||
-rw-r--r-- | roles/wireguard/tasks/configuration.yml | 20 | ||||
-rw-r--r-- | roles/wireguard/tasks/cron.yml | 2 | ||||
-rw-r--r-- | roles/wireguard/tasks/keys.yml | 19 | ||||
-rw-r--r-- | roles/wireguard/tasks/local.yml | 32 | ||||
-rw-r--r-- | roles/wireguard/tasks/main.yml | 66 | ||||
-rw-r--r-- | roles/wireguard/tasks/service.yml | 23 | ||||
-rw-r--r-- | roles/wireguard/templates/wireguard.conf.j2 | 16 | ||||
-rw-r--r-- | site.network.yml | 1 |
10 files changed, 93 insertions, 106 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml index 4e56a84..4b0160d 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -17,7 +17,7 @@ __services: {} __users: "{{ __secrets__users }}" __domain_name: rgoncalves.se -__global_domain_controller: dc0 +__global_domain_controller: ams-dcontroller-01 __global_domain_name_hosts: owo __global_domain_name_servers: - 8.8.8.8 @@ -47,7 +47,7 @@ nextcloud__admin_email: contact@rgoncalves.se httpd__log_format: forwarded -wireguard_domain_controller: "{{ __global_domain_controller }}" +wireguard__domain_controller: "{{ __global_domain_controller }}" relayd__domain_name: "{{ __domain_name }}" acme__rules: "[ {% for rule in __services if 'domain' in rule %} diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml index 72cc66d..be2bf68 100644 --- a/roles/wireguard/defaults/main.yml +++ b/roles/wireguard/defaults/main.yml @@ -1,10 +1,12 @@ --- -wireguard_dir: /etc/wireguard -wireguard_local_dir: "{{ inventory_dir }}/files/secrets/wireguard" -wireguard_local_keys: "{{ inventory_hostname }}.keys" -wireguard_local_configuration: "{{ inventory_hostname }}.conf" +wireguard__dir: /etc/wireguard +wireguard__local_dir: "{{ inventory_dir }}/files/secrets/wireguard" +wireguard__local_keys: "{{ inventory_hostname }}.keys" +wireguard__local_configuration: "{{ inventory_hostname }}.conf" -wireguard_domain_controller: null -wireguard_persistent_keepalive: 10 -wireguard_port: 53 +wireguard__domain_controller: null +wireguard__persistent_keepalive: 10 +wireguard__port: 53 + +wireguard__interface_name: wg0 diff --git a/roles/wireguard/tasks/configuration.yml b/roles/wireguard/tasks/configuration.yml deleted file mode 100644 index 0a2009e..0000000 --- a/roles/wireguard/tasks/configuration.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: generate wireguard configuration - ansible.builtin.template: - src: wireguard.conf.j2 - dest: "{{ wireguard_local_dir }}/{{ item }}.conf" - mode: "0600" - vars: - host: "{{ hostvars[item] }}" - run_once: true - delegate_to: localhost - loop: "{{ groups.all }}" - -- name: copy wireguard configuration - ansible.builtin.copy: - src: "{{ wireguard_local_dir }}/{{ wireguard_local_configuration }}" - dest: "{{ wireguard_dir }}/{{ wireguard_domain_controller }}.conf" - owner: 0 - group: 0 - mode: "0600" diff --git a/roles/wireguard/tasks/cron.yml b/roles/wireguard/tasks/cron.yml index dd70e5c..9194648 100644 --- a/roles/wireguard/tasks/cron.yml +++ b/roles/wireguard/tasks/cron.yml @@ -4,4 +4,4 @@ ansible.builtin.cron: name: keepalive network traffic to domain controller user: nobody - job: ping -c 1 {{ hostvars[wireguard_domain_controller].__ip.external }} + job: ping -c 1 {{ hostvars[wireguard__domain_controller].__ip.external }} diff --git a/roles/wireguard/tasks/keys.yml b/roles/wireguard/tasks/keys.yml deleted file mode 100644 index ee42408..0000000 --- a/roles/wireguard/tasks/keys.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- - -- name: generate hosts keys - ansible.builtin.shell: | - set -o pipefail - ls "{{ wireguard_local_dir }}/{{ item }}.keys" && exit 0 - umask 077 - wg genkey | \ - tee "{{ item }}.keys" | \ - wg pubkey >> "{{ item }}.keys" - exit 2 - args: - chdir: "{{ wireguard_local_dir }}" - loop: "{{ groups.all }}" - run_once: true - delegate_to: localhost - register: result - changed_when: result.rc == 2 - failed_when: result.rc not in [0, 2] diff --git a/roles/wireguard/tasks/local.yml b/roles/wireguard/tasks/local.yml new file mode 100644 index 0000000..3eed984 --- /dev/null +++ b/roles/wireguard/tasks/local.yml @@ -0,0 +1,32 @@ +--- + +- name: create local wireguard directory + ansible.builtin.file: + path: "{{ wireguard__local_dir }}" + state: directory + mode: "0700" + +- name: generate hosts keys + ansible.builtin.shell: | + set -o pipefail + ls "{{ wireguard__local_dir }}/{{ item }}.keys" && exit 0 + umask 077 + wg genkey | \ + tee "{{ item }}.keys" | \ + wg pubkey >> "{{ item }}.keys" + exit 2 + args: + chdir: "{{ wireguard__local_dir }}" + loop: "{{ groups.all }}" + register: result + changed_when: result.rc == 2 + failed_when: result.rc not in [0, 2] + +- name: generate wireguard configuration + ansible.builtin.template: + src: wireguard.conf.j2 + dest: "{{ wireguard__local_dir }}/{{ item }}.conf" + mode: "0600" + vars: + host: "{{ hostvars[item] }}" + loop: "{{ groups.all }}" diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 31b3655..b263e5d 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -1,41 +1,55 @@ --- -- name: create local wireguard directory - ansible.builtin.file: - path: "{{ wireguard_local_dir }}" - state: directory - mode: "0700" - run_once: true - delegate_to: localhost - - name: create wireguard directory ansible.builtin.file: - path: "{{ wireguard_dir }}" + path: "{{ wireguard__dir }}" owner: 0 group: 0 mode: "0700" state: directory -- name: include key generation - ansible.builtin.include_tasks: keys.yml +- name: include local tasks + ansible.builtin.include_tasks: local.yml + run_once: true + args: + apply: + delegate_to: localhost -- name: include configuration generation - ansible.builtin.include_tasks: configuration.yml +- name: copy wireguard configuration + ansible.builtin.copy: + src: "{{ wireguard__local_dir }}/{{ wireguard__local_configuration }}" + dest: "{{ wireguard__dir }}/{{ wireguard__interface_name }}.conf" + owner: 0 + group: 0 + mode: "0600" -- name: install wireguard on remote host +- name: install wireguard ansible.builtin.package: name: wireguard-tools state: present -- name: include service configuration for hosts - ansible.builtin.include_tasks: service.yml - when: inventory_hostname == wireguard_domain_controller - -- name: include service configuration for server - ansible.builtin.include_tasks: "{{ task }}" - when: inventory_hostname != wireguard_domain_controller - loop_control: - loop_var: task - loop: - - service.yml - - cron.yml +- name: enable wireguard interface + ansible.builtin.lineinfile: + path: /etc/rc.local + regexp: "^/usr/local/bin/wg-quick up {{ wireguard__interface_name }}$" + line: "/usr/local/bin/wg-quick up {{ wireguard__interface_name }}" + owner: 0 + create: true + mode: "0644" + +- name: restart wireguard interface + ansible.builtin.raw: | + wg-quick down {{ wireguard__interface_name }} + sleep {{ 10 | random(start=1) }} + wg-quick up {{ wireguard__interface_name }} + register: wireguard__result_status + +- name: keepalive cronjob every minute + ansible.builtin.cron: + name: keepalive network traffic to domain controller + user: nobody + job: ping -c 1 {{ hostvars[wireguard__domain_controller].__ip.external }} + +- name: show wireguard output + ansible.builtin.debug: + var: wireguard__result_status.stdout diff --git a/roles/wireguard/tasks/service.yml b/roles/wireguard/tasks/service.yml deleted file mode 100644 index 85849ee..0000000 --- a/roles/wireguard/tasks/service.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- - -- name: enable wireguard interface for OpenBSD - ansible.builtin.lineinfile: - path: /etc/rc.local - regexp: "^/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}$" - line: "/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}" - owner: 0 - create: true - mode: "0644" - when: ansible_distribution == "OpenBSD" - -- name: restart wireguard interface - ansible.builtin.raw: | - wg-quick down {{ wireguard_domain_controller }} - sleep {{ 10 | random(start=1) }} - wg-quick up {{ wireguard_domain_controller }} - when: ansible_distribution == "OpenBSD" - register: result - -- name: show wireguard output - ansible.builtin.debug: - var: result diff --git a/roles/wireguard/templates/wireguard.conf.j2 b/roles/wireguard/templates/wireguard.conf.j2 index 91ebf1d..ef60186 100644 --- a/roles/wireguard/templates/wireguard.conf.j2 +++ b/roles/wireguard/templates/wireguard.conf.j2 @@ -1,7 +1,7 @@ # managed by Ansible -{% set keys = lookup("file", wireguard_local_dir ~ "/" ~ host.inventory_hostname ~ ".keys").splitlines() %} -{% set domain_controller_keys = lookup("file", wireguard_local_dir ~ "/" ~ wireguard_domain_controller ~ ".keys").splitlines() %} -{% set is_domain_controller = host.inventory_hostname == wireguard_domain_controller %} +{% set keys = lookup("file", wireguard__local_dir ~ "/" ~ host.inventory_hostname ~ ".keys").splitlines() %} +{% set domain_controller_keys = lookup("file", wireguard__local_dir ~ "/" ~ wireguard__domain_controller ~ ".keys").splitlines() %} +{% set is_domain_controller = host.inventory_hostname == wireguard__domain_controller %} {% set ipv4_address = host.__ip.internal ~ "/24" if is_domain_controller else host.__ip.internal %} {% set ipv6_address = "fd00::1/128" if is_domain_controller else "fd00:10:10::" ~ host.__ip.internal.split(".")[3] %} @@ -9,15 +9,15 @@ Address = {{ ipv4_address }}, {{ ipv6_address }} PrivateKey = {{ keys[0] }} {% if is_domain_controller %} -ListenPort = {{ wireguard_port }} +ListenPort = {{ wireguard__port }} {% endif %} {% if is_domain_controller %} {% for guest in groups.all %} {% set guest = hostvars[guest] %} -{% if guest.inventory_hostname not in [wireguard_domain_controller, "localhost"] and guest.__ip.internal %} +{% if guest.inventory_hostname not in [wireguard__domain_controller, "localhost"] and guest.__ip.internal %} {# #} -{% set guest_keys = lookup("file", wireguard_local_dir ~ "/" ~ guest.inventory_hostname ~ ".keys").splitlines() %} +{% set guest_keys = lookup("file", wireguard__local_dir ~ "/" ~ guest.inventory_hostname ~ ".keys").splitlines() %} # {{ guest.inventory_hostname }} [Peer] PublicKey = {{ guest_keys[1] }} @@ -28,7 +28,7 @@ AllowedIPs = {{ guest.__ip.internal }}/32, fd00:10:10::{{ guest.__ip.internal.sp {% else %} [Peer] PublicKey = {{ domain_controller_keys[1] }} -Endpoint = {{ hostvars[wireguard_domain_controller].__ip.external }}:{{ wireguard_port }} +Endpoint = {{ hostvars[wireguard__domain_controller].__ip.external }}:{{ wireguard__port }} AllowedIPs = 0.0.0.0/0, ::/0 -PersistentKeepalive = {{ wireguard_persistent_keepalive }} +PersistentKeepalive = {{ wireguard__persistent_keepalive }} {% endif %} diff --git a/site.network.yml b/site.network.yml index f21a1e2..adfc018 100644 --- a/site.network.yml +++ b/site.network.yml @@ -4,3 +4,4 @@ roles: - role: sshd - role: pf + - role: wireguard |