author | Romain Gonçalves <me@rgoncalves.se> | 2021-12-10 18:30:32 +0000 |
---|---|---|
committer | Romain Gonçalves <me@rgoncalves.se> | 2021-12-10 21:52:55 +0000 |
commit | c1c300aa21b407351e6045c7b40480d4120db8a7 (patch) | |
tree | 48ac6715e649326d02dad7011b31c091db29b7b3 /roles | |
parent | 2fe1965dbb4cc650fda2b00e69219ac7ae403674 (diff) | |
roles: Generate + deploy wireguard configurations
Diffstat (limited to 'roles')
-rw-r--r-- | roles/wireguard/defaults/main.yml | 8 | ||||
-rw-r--r-- | roles/wireguard/tasks/configuration.yml | 18 | ||||
-rw-r--r-- | roles/wireguard/tasks/keys.yml | 17 | ||||
-rw-r--r-- | roles/wireguard/tasks/main.yml | 34 | ||||
-rw-r--r-- | roles/wireguard/tasks/service.yml | 20 | ||||
-rw-r--r-- | roles/wireguard/templates/hostname.j2 | 8 | ||||
-rw-r--r-- | roles/wireguard/templates/wireguard.conf.j2 | 34 |
7 files changed, 139 insertions, 0 deletions
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
new file mode 100644
index 0000000..2275c05
--- /dev/null
+++ b/roles/wireguard/defaults/main.yml
@@ -0,0 +1,8 @@
+wireguard_dir: /etc/wireguard
+wireguard_local_dir: "{{ inventory_dir }}/files/secrets/wireguard"
+wireguard_local_keys: "{{ inventory_hostname }}.keys"
+wireguard_local_configuration: "{{ inventory_hostname }}.conf"
+
+wireguard_domain_controller: null
+wireguard_persistent_keepalive: 10
+wireguard_port: 53
diff --git a/roles/wireguard/tasks/configuration.yml b/roles/wireguard/tasks/configuration.yml
new file mode 100644
index 0000000..efb8008
--- /dev/null
+++ b/roles/wireguard/tasks/configuration.yml
@@ -0,0 +1,18 @@
+- name: generate wireguard configuration
+ template:
+ src: wireguard.conf.j2
+ dest: "{{ wireguard_local_dir }}/{{ item }}.conf"
+ mode: 0600
+ vars:
+ host: "{{ hostvars[item] }}"
+ run_once: true
+ delegate_to: localhost
+ loop: "{{ groups.all }}"
+
+- name: copy wireguard configuration
+ copy:
+ src: "{{ wireguard_local_dir }}/{{ wireguard_local_configuration }}"
+ dest: "{{ wireguard_dir }}/{{ wireguard_domain_controller }}.conf"
+ owner: 0
+ group: 0
+ mode: 0600
diff --git a/roles/wireguard/tasks/keys.yml b/roles/wireguard/tasks/keys.yml
new file mode 100644
index 0000000..7a89010
--- /dev/null
+++ b/roles/wireguard/tasks/keys.yml
@@ -0,0 +1,17 @@
+- name: generate hosts keys
+ shell: |
+ set -o pipefail
+ ls "{{ wireguard_local_dir }}/{{ item }}.keys" && exit 0
+ umask 077
+ wg genkey | \
+ tee "{{ item }}.keys" | \
+ wg pubkey >> "{{ item }}.keys"
+ exit 2
+ args:
+ chdir: "{{ wireguard_local_dir }}"
+ loop: "{{ groups.all }}"
+ run_once: true
+ delegate_to: localhost
+ register: result
+ changed_when: result.rc == 2
+ failed_when: result.rc not in [0, 2]
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..9f1d01d
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
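Review bot: `wireguard_port: 53` puts the domain controller's WireGuard listener on the port every DNS resolver or forwarder binds, so an unbound/named instance on that host (or a host firewall rule written for DNS) will collide with it without any obvious error. If UDP/53 was chosen to cross restrictive egress filters, record that next to the value, e.g. `wireguard_port: 53  # UDP/53 to pass egress filters; the controller must not run a resolver on this port`. `wireguard_domain_controller: null` is also a value the templates splice straight into file paths, so an unset variable surfaces later as a missing `None.keys` file rather than a clear message; a comment marking it as mandatory would help the next user of the role.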
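Review bot: Both tasks handle files that embed a WireGuard private key, and the `template` task in particular prints the full rendered configuration, `PrivateKey` included, to the console and to any callback log when the play runs with `--diff`; add `no_log: true` to the generate task (and to the copy task, whose source path is the same secret-bearing file) so the key never lands in play output. The generate loop also renders a configuration for every member of `groups.all`, including `localhost` if it is in the inventory, while the template only excludes `localhost` as a peer, so `when: item != "localhost"` on the loop would avoid rendering a config nobody deploys. The `mode: 0600` values work because Ansible accepts integer modes, but the Ansible documentation recommends the quoted form `mode: "0600"`, which is also what yamllint expects.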
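Review bot: A failed `wg genkey` or `wg pubkey` still reaches the unconditional `exit 2`, because the script sets `pipefail` but not `errexit`: by then `tee` has already truncated `<host>.keys`, the task reports "changed", the template later renders an empty or half-written key, and on the next run the `ls … && exit 0` guard accepts the bad file as done. Changing the first line to `set -eo pipefail` makes the pipeline's failure the task's failure (the `&&` guard is unaffected by `-e`). The script is also run through the control node's `/bin/sh`, and `set -o pipefail` is not understood by dash, which as far as I recall then exits with status 2, so on a Debian-family control node the task would report "changed" with no key written; pin `executable: /bin/bash` under `args:`.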
@@ -0,0 +1,34 @@
+- name: create local wireguard directory
+ file:
+ path: "{{ wireguard_local_dir }}"
+ state: directory
+ mode: 0700
+ run_once: true
+ delegate_to: localhost
+
+- name: create wireguard directory
+ file:
+ path: "{{ wireguard_dir }}"
+ owner: 0
+ group: 0
+ mode: 0700
+ state: directory
+
+- name: include key generation
+ include_tasks: keys.yml
+
+- name: include configuration generation
+ include_tasks: configuration.yml
+
+- name: install wireguard on remote host
+ package:
+ name: wireguard-tools
+ state: present
+
+- name: include service configuration for server
+ include_tasks: service.yml
+ when: inventory_hostname == wireguard_domain_controller
+
+- name: include service configuration for hosts
+ include_tasks: service.yml
+ when: inventory_hostname != wireguard_domain_controller
diff --git a/roles/wireguard/tasks/service.yml b/roles/wireguard/tasks/service.yml
new file mode 100644
index 0000000..d1a1007
--- /dev/null
+++ b/roles/wireguard/tasks/service.yml
@@ -0,0 +1,20 @@
+- name: enable wireguard interface for OpenBSD
+ lineinfile:
+ path: /etc/rc.local
+ regexp: "^/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}$"
+ line: "/usr/local/bin/wg-quick up {{ wireguard_domain_controller }}"
+ owner: 0
+ owner: 0
+ create: true
+ mode: 0644
+ when: ansible_distribution == "OpenBSD"
+
+- name: restart wireguard interface
+ command: wg-quick "{{ item }}" "{{ wireguard_domain_controller }}"
+ ignore_errors: true
+ loop:
+ - down
+ - up
+ loop_control:
+ pause: 5
+ when: ansible_distribution == "OpenBSD"
diff --git a/roles/wireguard/templates/hostname.j2 b/roles/wireguard/templates/hostname.j2
new file mode 100644
index 0000000..aca3b03
--- /dev/null
+++ b/roles/wireguard/templates/hostname.j2
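Review bot: Nothing in this task list checks that `wireguard_domain_controller` is set, even though it defaults to `null` and keys.yml, configuration.yml and the template all build file names and `hostvars` lookups from it; an unset value fails deep inside a Jinja lookup on `None.keys` instead of at the start of the role. An `assert` before the first `include_tasks` gives a clear message and also catches a controller name that is not in the inventory. The last two tasks include the same `service.yml` under complementary `when` conditions, which is equivalent to a single unconditional `include_tasks: service.yml`; if the split is meant to grow into different server and host tasks later, a comment saying so would keep it from being "simplified" away.

```yaml
- name: check that a domain controller is configured
  assert:
    that:
      - wireguard_domain_controller is not none
      - wireguard_domain_controller in groups.all
    fail_msg: wireguard_domain_controller must name a host in the inventory

# … unchanged: include_tasks keys.yml / configuration.yml, package install, service includes …
```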
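Review bot: The `lineinfile` task lists `owner: 0` twice; YAML keeps the last value silently, and the copy task in configuration.yml sets `owner: 0` together with `group: 0`, so the second line was presumably meant to be `group: 0`. The `ignore_errors: true` on the down/up loop also hides a failed `wg-quick up`, leaving the host without its tunnel while the play reports success; `register: wg_quick` plus `failed_when: item == "up" and wg_quick.rc != 0` tolerates only the expected failure of `down` on an interface that is not up yet. Both tasks are gated on `ansible_distribution == "OpenBSD"`, so any other distribution in the inventory gets keys and a config but no enabled interface, which I take to be intentional for now but is worth a comment.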
@@ -0,0 +1,8 @@
+inet 10.10.0.1 255.255.255.0
+inet6 fd00:10:10::1
+#!/usr/local/bin/wireguard-go -f tun0 &
+!/usr/local/bin/wg setconf tun0 /etc/wireguard/{{ global.dcontroller }}.conf
+!/bin/sleep 2
+!/sbin/route add -inet 10.10.0.0/24 10.10.0.1
+!/bin/sleep 2
+!/sbin/route add -inet6 fd00:10:10::/64 fd00:10:10::1
diff --git a/roles/wireguard/templates/wireguard.conf.j2 b/roles/wireguard/templates/wireguard.conf.j2
new file mode 100644
index 0000000..91ebf1d
--- /dev/null
+++ b/roles/wireguard/templates/wireguard.conf.j2
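Review bot: This template is not rendered by any task in the commit, references `global.dcontroller` rather than the role's `wireguard_domain_controller`, and hard-codes `10.10.0.1`/`fd00:10:10::1` while wireguard.conf.j2 derives addresses from `host.__ip.internal`, so it looks like a leftover of an earlier `wireguard-go` setup. It would also not work with the file the role now generates: as far as I know `wg setconf` rejects the `Address =` line that wireguard.conf.j2 emits (that key is a wg-quick extension), so the `!… wg setconf tun0` command would fail at boot. Either drop the file, or wire it in with `!/usr/local/bin/wg setconf tun0 /etc/wireguard/{{ wireguard_domain_controller }}.conf` and make service.yml the single place that brings the interface up.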
@@ -0,0 +1,34 @@
+# managed by Ansible
+{% set keys = lookup("file", wireguard_local_dir ~ "/" ~ host.inventory_hostname ~ ".keys").splitlines() %}
+{% set domain_controller_keys = lookup("file", wireguard_local_dir ~ "/" ~ wireguard_domain_controller ~ ".keys").splitlines() %}
+{% set is_domain_controller = host.inventory_hostname == wireguard_domain_controller %}
+{% set ipv4_address = host.__ip.internal ~ "/24" if is_domain_controller else host.__ip.internal %}
+{% set ipv6_address = "fd00::1/128" if is_domain_controller else "fd00:10:10::" ~ host.__ip.internal.split(".")[3] %}
+
+[Interface]
+Address = {{ ipv4_address }}, {{ ipv6_address }}
+PrivateKey = {{ keys[0] }}
+{% if is_domain_controller %}
+ListenPort = {{ wireguard_port }}
+{% endif %}
+
+{% if is_domain_controller %}
+{% for guest in groups.all %}
+{% set guest = hostvars[guest] %}
+{% if guest.inventory_hostname not in [wireguard_domain_controller, "localhost"] and guest.__ip.internal %}
+{# #}
+{% set guest_keys = lookup("file", wireguard_local_dir ~ "/" ~ guest.inventory_hostname ~ ".keys").splitlines() %}
+# {{ guest.inventory_hostname }}
+[Peer]
+PublicKey = {{ guest_keys[1] }}
+AllowedIPs = {{ guest.__ip.internal }}/32, fd00:10:10::{{ guest.__ip.internal.split('.')[3] }}/128
+
+{% endif %}
+{% endfor %}
+{% else %}
+[Peer]
+PublicKey = {{ domain_controller_keys[1] }}
+Endpoint = {{ hostvars[wireguard_domain_controller].__ip.external }}:{{ wireguard_port }}
+AllowedIPs = 0.0.0.0/0, ::/0
+PersistentKeepalive = {{ wireguard_persistent_keepalive }}
+{% endif %} |
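Review bot: The controller's IPv6 address `fd00::1/128` is outside the `fd00:10:10::/64` prefix that every peer is given (and that the controller's own `AllowedIPs` entries use), and the /128 leaves the controller without a route into that prefix, so IPv6 between controller and peers cannot work as rendered; hostname.j2 in the same commit uses `fd00:10:10::1`. Use `{% set ipv6_address = "fd00:10:10::1/64" if is_domain_controller else "fd00:10:10::" ~ host.__ip.internal.split(".")[3] %}` so both sides agree. Separately, peers get `AllowedIPs = 0.0.0.0/0, ::/0`, which under wg-quick turns the tunnel into their default route and makes the controller an intermediary for all of their traffic; nothing in this commit enables forwarding or NAT on the controller, so unless full-tunnel is intended, `AllowedIPs = 10.10.0.0/24, fd00:10:10::/64` matches the routes hostname.j2 installs and limits what a compromised controller can see. The non-controller branch also dereferences `host.__ip.internal` without the `guest.__ip.internal` guard used in the peer loop, so a host without an internal address fails the whole render rather than being skipped.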