aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRomain Gonçalves <me@rgoncalves.se>2024-06-30 14:56:04 +0200
committerRomain Gonçalves <me@rgoncalves.se>2024-06-30 17:00:40 +0200
commite8d1a59785712a5183849b5b12b35f9347607a09 (patch)
tree79f27aad6bbf0eb223eb0358b2655c8a1411255b
parent5fb273af8ea757e5627c4b09582705e42aa1d8e6 (diff)
downloadrules-e8d1a59785712a5183849b5b12b35f9347607a09.tar.gz
refactor(roles/wireguard): bump wireguard generation
-rw-r--r--group_vars/all.yml4
-rw-r--r--roles/wireguard/defaults/main.yml16
-rw-r--r--roles/wireguard/tasks/configuration.yml20
-rw-r--r--roles/wireguard/tasks/cron.yml2
-rw-r--r--roles/wireguard/tasks/keys.yml19
-rw-r--r--roles/wireguard/tasks/local.yml32
-rw-r--r--roles/wireguard/tasks/main.yml66
-rw-r--r--roles/wireguard/tasks/service.yml23
-rw-r--r--roles/wireguard/templates/wireguard.conf.j216
-rw-r--r--site.network.yml1
10 files changed, 93 insertions, 106 deletions
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 4e56a84..4b0160d 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -17,7 +17,7 @@ __services: {}
__users: "{{ __secrets__users }}"
__domain_name: rgoncalves.se
-__global_domain_controller: dc0
+__global_domain_controller: ams-dcontroller-01
__global_domain_name_hosts: owo
__global_domain_name_servers:
- 8.8.8.8
@@ -47,7 +47,7 @@ nextcloud__admin_email: contact@rgoncalves.se
httpd__log_format: forwarded
-wireguard_domain_controller: "{{ __global_domain_controller }}"
+wireguard__domain_controller: "{{ __global_domain_controller }}"
relayd__domain_name: "{{ __domain_name }}"
acme__rules: "[
{% for rule in __services if 'domain' in rule %}
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
index 72cc66d..be2bf68 100644
--- a/roles/wireguard/defaults/main.yml
+++ b/roles/wireguard/defaults/main.yml
@@ -1,10 +1,12 @@
---
-wireguard_dir: /etc/wireguard
-wireguard_local_dir: "{{ inventory_dir }}/files/secrets/wireguard"
-wireguard_local_keys: "{{ inventory_hostname }}.keys"
-wireguard_local_configuration: "{{ inventory_hostname }}.conf"
+wireguard__dir: /etc/wireguard
+wireguard__local_dir: "{{ inventory_dir }}/files/secrets/wireguard"
+wireguard__local_keys: "{{ inventory_hostname }}.keys"
+wireguard__local_configuration: "{{ inventory_hostname }}.conf"
-wireguard_domain_controller: null
-wireguard_persistent_keepalive: 10
-wireguard_port: 53
+wireguard__domain_controller: null
+wireguard__persistent_keepalive: 10
+wireguard__port: 53
+
+wireguard__interface_name: wg0
diff --git a/roles/wireguard/tasks/configuration.yml b/roles/wireguard/tasks/configuration.yml
deleted file mode 100644
index 0a2009e..0000000
--- a/roles/wireguard/tasks/configuration.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-
-- name: generate wireguard configuration
- ansible.builtin.template:
- src: wireguard.conf.j2
- dest: "{{ wireguard_local_dir }}/{{ item }}.conf"
- mode: "0600"
- vars:
- host: "{{ hostvars[item] }}"
- run_once: true
- delegate_to: localhost
- loop: "{{ groups.all }}"
-
-- name: copy wireguard configuration
- ansible.builtin.copy:
- src: "{{ wireguard_local_dir }}/{{ wireguard_local_configuration }}"
- dest: "{{ wireguard_dir }}/{{ wireguard_domain_controller }}.conf"
- owner: 0
- group: 0
- mode: "0600"
diff --git a/roles/wireguard/tasks/cron.yml b/roles/wireguard/tasks/cron.yml
index dd70e5c..9194648 100644
--- a/roles/wireguard/tasks/cron.yml
+++ b/roles/wireguard/tasks/cron.yml
@@ -4,4 +4,4 @@
ansible.builtin.cron:
name: keepalive network traffic to domain controller
user: nobody
- job: ping -c 1 {{ hostvars[wireguard_domain_controller].__ip.external }}
+ job: ping -c 1 {{ hostvars[wireguard__domain_controller].__ip.external }}
diff --git a/roles/wireguard/tasks/keys.yml b/roles/wireguard/tasks/keys.yml
deleted file mode 100644
index ee42408..0000000
--- a/roles/wireguard/tasks/keys.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-
-- name: generate hosts keys
- ansible.builtin.shell: |
- set -o pipefail
- ls "{{ wireguard_local_dir }}/{{ item }}.keys" && exit 0
- umask 077
- wg genkey | \
- tee "{{ item }}.keys" | \
- wg pubkey >> "{{ item }}.keys"
- exit 2
- args:
- chdir: "{{ wireguard_local_dir }}"
- loop: "{{ groups.all }}"
- run_once: true
- delegate_to: localhost
- register: result
- changed_when: result.rc == 2
- failed_when: result.rc not in [0, 2]
diff --git a/roles/wireguard/tasks/local.yml b/roles/wireguard/tasks/local.yml
new file mode 100644
index 0000000..3eed984
--- /dev/null
+++ b/roles/wireguard/tasks/local.yml
@@ -0,0 +1,32 @@
+---
+
+- name: create local wireguard directory
+ ansible.builtin.file:
+ path: "{{ wireguard__local_dir }}"
+ state: directory
+ mode: "0700"
+
+- name: generate hosts keys
+ ansible.builtin.shell: |
+ set -o pipefail
+ ls "{{ wireguard__local_dir }}/{{ item }}.keys" && exit 0
+ umask 077
+ wg genkey | \
+ tee "{{ item }}.keys" | \
+ wg pubkey >> "{{ item }}.keys"
+ exit 2
+ args:
+ chdir: "{{ wireguard__local_dir }}"
+ loop: "{{ groups.all }}"
+ register: result
+ changed_when: result.rc == 2
+ failed_when: result.rc not in [0, 2]
+
+- name: generate wireguard configuration
+ ansible.builtin.template:
+ src: wireguard.conf.j2
+ dest: "{{ wireguard__local_dir }}/{{ item }}.conf"
+ mode: "0600"
+ vars:
+ host: "{{ hostvars[item] }}"
+ loop: "{{ groups.all }}"
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index 31b3655..b263e5d 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -1,41 +1,55 @@
---
-- name: create local wireguard directory
- ansible.builtin.file:
- path: "{{ wireguard_local_dir }}"
- state: directory
- mode: "0700"
- run_once: true
- delegate_to: localhost
-
- name: create wireguard directory
ansible.builtin.file:
- path: "{{ wireguard_dir }}"
+ path: "{{ wireguard__dir }}"
owner: 0
group: 0
mode: "0700"
state: directory
-- name: include key generation
- ansible.builtin.include_tasks: keys.yml
+- name: include local tasks
+ ansible.builtin.include_tasks: local.yml
+ run_once: true
+ args:
+ apply:
+ delegate_to: localhost
-- name: include configuration generation
- ansible.builtin.include_tasks: configuration.yml
+- name: copy wireguard configuration
+ ansible.builtin.copy:
+ src: "{{ wireguard__local_dir }}/{{ wireguard__local_configuration }}"
+ dest: "{{ wireguard__dir }}/{{ wireguard__interface_name }}.conf"
+ owner: 0
+ group: 0
+ mode: "0600"
-- name: install wireguard on remote host
+- name: install wireguard
ansible.builtin.package:
name: wireguard-tools
state: present
-- name: include service configuration for hosts
- ansible.builtin.include_tasks: service.yml
- when: inventory_hostname == wireguard_domain_controller
-
-- name: include service configuration for server
- ansible.builtin.include_tasks: "{{ task }}"
- when: inventory_hostname != wireguard_domain_controller
- loop_control:
- loop_var: task
- loop:
- - service.yml
- - cron.yml
+- name: enable wireguard interface
+ ansible.builtin.lineinfile:
+ path: /etc/rc.local
+ regexp: "^/usr/local/bin/wg-quick up {{ wireguard__interface_name }}$"
+ line: "/usr/local/bin/wg-quick up {{ wireguard__interface_name }}"
+ owner: 0
+ create: true
+ mode: "0644"
+
+- name: restart wireguard interface
+ ansible.builtin.raw: |
+ wg-quick down {{ wireguard__interface_name }}
+ sleep {{ 10 | random(start=1) }}
+ wg-quick up {{ wireguard__interface_name }}
+ register: wireguard__result_status
+
+- name: keepalive cronjob every minute
+ ansible.builtin.cron:
+ name: keepalive network traffic to domain controller
+ user: nobody
+ job: ping -c 1 {{ hostvars[wireguard__domain_controller].__ip.external }}
+
+- name: show wireguard output
+ ansible.builtin.debug:
+ var: wireguard__result_status.stdout
diff --git a/roles/wireguard/tasks/service.yml b/roles/wireguard/tasks/service.yml
deleted file mode 100644
index 85849ee..0000000
--- a/roles/wireguard/tasks/service.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-
-- name: enable wireguard interface for OpenBSD
- ansible.builtin.lineinfile:
- path: /etc/rc.local
- regexp: "^/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}$"
- line: "/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}"
- owner: 0
- create: true
- mode: "0644"
- when: ansible_distribution == "OpenBSD"
-
-- name: restart wireguard interface
- ansible.builtin.raw: |
- wg-quick down {{ wireguard_domain_controller }}
- sleep {{ 10 | random(start=1) }}
- wg-quick up {{ wireguard_domain_controller }}
- when: ansible_distribution == "OpenBSD"
- register: result
-
-- name: show wireguard output
- ansible.builtin.debug:
- var: result
diff --git a/roles/wireguard/templates/wireguard.conf.j2 b/roles/wireguard/templates/wireguard.conf.j2
index 91ebf1d..ef60186 100644
--- a/roles/wireguard/templates/wireguard.conf.j2
+++ b/roles/wireguard/templates/wireguard.conf.j2
@@ -1,7 +1,7 @@
# managed by Ansible
-{% set keys = lookup("file", wireguard_local_dir ~ "/" ~ host.inventory_hostname ~ ".keys").splitlines() %}
-{% set domain_controller_keys = lookup("file", wireguard_local_dir ~ "/" ~ wireguard_domain_controller ~ ".keys").splitlines() %}
-{% set is_domain_controller = host.inventory_hostname == wireguard_domain_controller %}
+{% set keys = lookup("file", wireguard__local_dir ~ "/" ~ host.inventory_hostname ~ ".keys").splitlines() %}
+{% set domain_controller_keys = lookup("file", wireguard__local_dir ~ "/" ~ wireguard__domain_controller ~ ".keys").splitlines() %}
+{% set is_domain_controller = host.inventory_hostname == wireguard__domain_controller %}
{% set ipv4_address = host.__ip.internal ~ "/24" if is_domain_controller else host.__ip.internal %}
{% set ipv6_address = "fd00::1/128" if is_domain_controller else "fd00:10:10::" ~ host.__ip.internal.split(".")[3] %}
@@ -9,15 +9,15 @@
Address = {{ ipv4_address }}, {{ ipv6_address }}
PrivateKey = {{ keys[0] }}
{% if is_domain_controller %}
-ListenPort = {{ wireguard_port }}
+ListenPort = {{ wireguard__port }}
{% endif %}
{% if is_domain_controller %}
{% for guest in groups.all %}
{% set guest = hostvars[guest] %}
-{% if guest.inventory_hostname not in [wireguard_domain_controller, "localhost"] and guest.__ip.internal %}
+{% if guest.inventory_hostname not in [wireguard__domain_controller, "localhost"] and guest.__ip.internal %}
{# #}
-{% set guest_keys = lookup("file", wireguard_local_dir ~ "/" ~ guest.inventory_hostname ~ ".keys").splitlines() %}
+{% set guest_keys = lookup("file", wireguard__local_dir ~ "/" ~ guest.inventory_hostname ~ ".keys").splitlines() %}
# {{ guest.inventory_hostname }}
[Peer]
PublicKey = {{ guest_keys[1] }}
@@ -28,7 +28,7 @@ AllowedIPs = {{ guest.__ip.internal }}/32, fd00:10:10::{{ guest.__ip.internal.sp
{% else %}
[Peer]
PublicKey = {{ domain_controller_keys[1] }}
-Endpoint = {{ hostvars[wireguard_domain_controller].__ip.external }}:{{ wireguard_port }}
+Endpoint = {{ hostvars[wireguard__domain_controller].__ip.external }}:{{ wireguard__port }}
AllowedIPs = 0.0.0.0/0, ::/0
-PersistentKeepalive = {{ wireguard_persistent_keepalive }}
+PersistentKeepalive = {{ wireguard__persistent_keepalive }}
{% endif %}
diff --git a/site.network.yml b/site.network.yml
index f21a1e2..adfc018 100644
--- a/site.network.yml
+++ b/site.network.yml
@@ -4,3 +4,4 @@
roles:
- role: sshd
- role: pf
+ - role: wireguard
remember that computers suck.