authorChristian Pointner <equinox@spreadspace.org>2022-11-20 23:30:00 +0100
committerChristian Pointner <equinox@spreadspace.org>2022-11-20 23:30:00 +0100
commit0f6cabbae37d2750a1841d2e1abd07eca064af29 (patch)
treef20a721e510a85da81428b2f7d9f46ae51614b05 /roles/network/wireguard
parentwireguard roles: some more cleanups and fixes (diff)
add wireguard-based remote vpn connections to ch-(pan|mimas)
Diffstat (limited to 'roles/network/wireguard')
-rw-r--r--roles/network/wireguard/p2p/defaults/main.yml9
-rw-r--r--roles/network/wireguard/p2p/tasks/main.yml16
-rw-r--r--roles/network/wireguard/p2p/templates/systemd.netdev.j24
-rw-r--r--roles/network/wireguard/p2p/templates/systemd.network.j26
4 files changed, 31 insertions, 4 deletions
diff --git a/roles/network/wireguard/p2p/defaults/main.yml b/roles/network/wireguard/p2p/defaults/main.yml
index cb8d6f18..68000a83 100644
--- a/roles/network/wireguard/p2p/defaults/main.yml
+++ b/roles/network/wireguard/p2p/defaults/main.yml
@@ -5,7 +5,10 @@
# priv_key: secret
# listen_port: 1234
# addresses:
-# - 192.168.123.254/24
+# - 192.168.255.254/24
+# static_routes:
+# - dest: 192.168.123.0/24
+# gw: 192.168.255.3
# wireguard_p2p_peers:
# - pub_key: public_key_of_peer
@@ -14,5 +17,5 @@
# host: 5.6.7.8
# port: 1234
# allowed_ips:
-# - 192.168.255.3/32
-# - 192.168.123.0/24
+# - 192.168.255.3/32
+# - 192.168.123.0/24
diff --git a/roles/network/wireguard/p2p/tasks/main.yml b/roles/network/wireguard/p2p/tasks/main.yml
index 78cfaf43..c1c21263 100644
--- a/roles/network/wireguard/p2p/tasks/main.yml
+++ b/roles/network/wireguard/p2p/tasks/main.yml
@@ -1,4 +1,18 @@
---
+- name: autogenerate wireguard private key file
+ when: "'priv_key' not in wireguard_p2p_interface"
+ block:
+ - name: generate private key
+ shell:
+ cmd: "umask 0027; wg genkey > '/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey'"
+ creates: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey"
+
+ - name: make sure systemd-netword can read the private key file
+ file:
+ path: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey"
+ mode: 0640
+ group: systemd-network
+
- name: install wireguard interfaces (netdev)
template:
src: systemd.netdev.j2
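Review bot: The name of the second task in the new block misspells the service user (`make sure systemd-netword can read the private key file`); rename it to `make sure systemd-networkd can read the private key file`. Creating the key under `umask 0027` means the file is never world-readable before the `file` task tightens it, which is the right order, and because `creates:` skips the shell step on re-runs the `file` task is what actually guarantees the final permissions, so pinning the owner there as well (`owner: root`) and quoting the mode (`mode: "0640"`) to avoid the YAML octal ambiguity ansible-lint flags would make that guarantee explicit. Nothing in the block surfaces the public key derived from the generated private key, so an operator has to obtain it on the host out of band; a `wg pubkey` step that registers the value for the inventory would close that gap, though how peers are provisioned here is not visible in this hunk.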
@@ -13,7 +27,7 @@
dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.network"
notify: restart systemd-networkd
-- name: enable systemd-networkd
+- name: make sure systemd-networkd is enabled
systemd:
name: systemd-networkd
enabled: yes
diff --git a/roles/network/wireguard/p2p/templates/systemd.netdev.j2 b/roles/network/wireguard/p2p/templates/systemd.netdev.j2
index 336fdfb2..3e73f474 100644
--- a/roles/network/wireguard/p2p/templates/systemd.netdev.j2
+++ b/roles/network/wireguard/p2p/templates/systemd.netdev.j2
@@ -7,7 +7,11 @@ Description={{ wireguard_p2p_interface.description }}
[WireGuard]
+{% if 'priv_key' in wireguard_p2p_interface %}
PrivateKey={{ wireguard_p2p_interface.priv_key }}
+{% else %}
+PrivateKeyFile=/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey
+{% endif %}
{% if 'listen_port' in wireguard_p2p_interface %}
ListenPort={{ wireguard_p2p_interface.listen_port }}
{% endif %}
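Review bot: With the new branch the interface secret now lives either inline in the rendered .netdev (`PrivateKey=`) or in the `.privkey` file (`PrivateKeyFile=`), and the access mode of the rendered .netdev is decided by the template task in tasks/main.yml, outside this hunk. systemd-networkd expects both a .netdev containing `PrivateKey=` and the file named by `PrivateKeyFile=` to be readable by the systemd-network user and not world-readable (root:systemd-network 0640 is the documented shape), and the tasks hunk only enforces that for the `.privkey` file. Worth confirming the template task sets `mode: "0640"` and `group: systemd-network` on the .netdev destination so the inline-key case is not weaker than the file-based one; a template comment above the branch, `{# inline key: rendered .netdev must be root:systemd-network 0640 #}`, would keep that requirement next to the code that depends on it.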
diff --git a/roles/network/wireguard/p2p/templates/systemd.network.j2 b/roles/network/wireguard/p2p/templates/systemd.network.j2
index 3d1e2431..e40e610b 100644
--- a/roles/network/wireguard/p2p/templates/systemd.network.j2
+++ b/roles/network/wireguard/p2p/templates/systemd.network.j2
@@ -5,3 +5,9 @@ Name={{ wireguard_p2p_interface.name }}
{% for addr in wireguard_p2p_interface.addresses %}
Address={{ addr }}
{% endfor %}
+{% for route in wireguard_p2p_interface.static_routes | default([]) %}
+
+[Route]
+Destination={{ route.dest }}
+Gateway={{ route.gw }}
+{% endfor %}
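Review bot: `route.gw` is rendered unconditionally, so a `static_routes` entry without `gw` produces an empty `Gateway=` line that systemd-networkd will reject when parsing the unit. For routes pointed at a WireGuard tunnel a next-hop is frequently unnecessary, so guarding the line with `{% if 'gw' in route %}Gateway={{ route.gw }}{% endif %}` keeps the example in defaults/main.yml working while allowing gateway-less routes; whether such routes are wanted in this role is a design choice not visible here. The blank line at the top of the loop body separates each `[Route]` section from the preceding one, which reads fine.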