diff options
author | Christian Pointner <equinox@spreadspace.org> | 2021-01-23 22:17:02 +0100 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2021-01-23 22:17:02 +0100 |
commit | aefa7a4f57f91ed62ca166ecf5fdfc2eacc04f6a (patch) | |
tree | f7bb813720bc5198cbd2c172ae6136f2927eab3e /roles/network/wireguard | |
parent | add etherwake and wakeonlan to ch-equinox-(ws|t450s) (diff) |
move wireguard to network sub-dir
Diffstat (limited to 'roles/network/wireguard')
14 files changed, 353 insertions, 0 deletions
diff --git a/roles/network/wireguard/base/tasks/main.yml b/roles/network/wireguard/base/tasks/main.yml new file mode 100644 index 00000000..4d60150d --- /dev/null +++ b/roles/network/wireguard/base/tasks/main.yml @@ -0,0 +1,33 @@ +--- +- name: enable spreadspace repo + when: (ansible_distribution == 'Debian' and (ansible_distribution_major_version | int) < 11) or (ansible_distribution == 'Ubuntu' and (ansible_distribution_major_version | int) < 20) + import_role: + name: apt-repo/spreadspace + +- name: install dkms + import_role: + name: prepare-dkms + +- name: install wireguard packages + apt: + name: + - wireguard-dkms + - wireguard-tools + state: present + +- name: check if module is available for the currently running kernel + command: modprobe --dry-run wireguard + check_mode: no + register: wireguard_module_available + failed_when: false + changed_when: false + +- name: rebuild wireguard module + when: wireguard_module_available.rc != 0 + command: dpkg-reconfigure wireguard-dkms + +- name: check again if module is available for the currently running kernel + when: wireguard_module_available.rc != 0 + command: modprobe --dry-run wireguard + check_mode: no + changed_when: false diff --git a/roles/network/wireguard/gateway/defaults/main.yml b/roles/network/wireguard/gateway/defaults/main.yml new file mode 100644 index 00000000..69846fc3 --- /dev/null +++ b/roles/network/wireguard/gateway/defaults/main.yml @@ -0,0 +1,27 @@ +--- +# wireguard_gateway_tunnels: +# wg-test: +# description: some wireguard tunnel +# priv_key: secret +# listen_port: 1234 +# addresses: +# - 192.168.255.254/24 +# ip_masq: yes +# ip_snat: +# interface: eth1 +# to: 1.2.3.4 +# port_forwardings: +# - dest: 1.2.3.4 +# tcp_ports: +# 80: 192.158.255.3:80 +# udp_ports: +# 123: 192.158.255.3:200 +# peers: +# - pub_key: public_key_of_peer +# keepalive_interval: 10 +# endpoint: +# host: 5.6.7.8 +# port: 1234 +# allowed_ips: +# - 192.168.255.3/32 +# - 192.168.123.0/24 diff --git a/roles/network/wireguard/gateway/handlers/main.yml b/roles/network/wireguard/gateway/handlers/main.yml new file mode 100644 index 00000000..625032dc --- /dev/null +++ b/roles/network/wireguard/gateway/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart systemd-networkd + systemd: + daemon_reload: yes + name: systemd-networkd + state: restarted diff --git a/roles/network/wireguard/gateway/tasks/main.yml b/roles/network/wireguard/gateway/tasks/main.yml new file mode 100644 index 00000000..bc14db1b --- /dev/null +++ b/roles/network/wireguard/gateway/tasks/main.yml @@ -0,0 +1,68 @@ +--- +- name: install wireguard interfaces (netdev) + loop: "{{ wireguard_gateway_tunnels | dict2items }}" + loop_control: + label: "{{ item.key }}" + template: + src: systemd.netdev.j2 + dest: "/etc/systemd/network/{{ item.key }}.netdev" + mode: 0640 + group: systemd-network + notify: restart systemd-networkd + +- name: install wireguard interfaces (network) + loop: "{{ wireguard_gateway_tunnels | dict2items }}" + loop_control: + label: "{{ item.key }}" + template: + src: systemd.network.j2 + dest: "/etc/systemd/network/{{ item.key }}.network" + notify: restart systemd-networkd + +- name: enable systemd-networkd + systemd: + name: systemd-networkd + enabled: yes + state: started + + +- name: create iptables service unit + loop: "{{ wireguard_gateway_tunnels | dict2items }}" + loop_control: + label: "{{ item.key }}" + when: "'ip_snat' in item.value or 'port_forwardings' in item.value" + template: + src: systemd-iptables.service.j2 + dest: "/etc/systemd/system/wireguard-gateway-{{ item.key }}-iptables.service" + +- name: enable/start iptables service unit + loop: "{{ wireguard_gateway_tunnels | dict2items }}" + loop_control: + label: "{{ item.key }}" + when: "'ip_snat' in item.value or 'port_forwardings' in item.value" + systemd: + daemon_reload: yes + name: "wireguard-gateway-{{ item.key }}-iptables.service" + enabled: yes + state: started + + +- name: install workaround for default-gateway handling + loop: "{{ wireguard_gateway_tunnels | dict2items }}" + loop_control: + label: "{{ item.key }}" + when: "'default_gateway' in item.value" + template: + src: systemd-fix-default-gw.service.j2 + dest: "/etc/systemd/system/wireguard-gateway-{{ item.key }}-fix-default-gw.service" + +- name: enable/start workaround for default-gateway handling + loop: "{{ wireguard_gateway_tunnels | dict2items }}" + loop_control: + label: "{{ item.key }}" + when: "'default_gateway' in item.value" + systemd: + daemon_reload: yes + name: "wireguard-gateway-{{ item.key }}-fix-default-gw.service" + enabled: yes + state: started diff --git a/roles/network/wireguard/gateway/templates/systemd-fix-default-gw.service.j2 b/roles/network/wireguard/gateway/templates/systemd-fix-default-gw.service.j2 new file mode 100644 index 00000000..d2d8a470 --- /dev/null +++ b/roles/network/wireguard/gateway/templates/systemd-fix-default-gw.service.j2 @@ -0,0 +1,12 @@ +[Unit] +Wants=network-online.target +After=network-online.target + +[Service] +Type=oneshot +ExecStart=/sbin/ip route add {{ item.value.default_gateway.outer }} via {{ ansible_default_ipv4.gateway }} +ExecStop=/sbin/ip route del {{ item.value.default_gateway.outer }} via {{ ansible_default_ipv4.gateway }} +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2 b/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2 new file mode 100644 index 00000000..11cf4b8a --- /dev/null +++ b/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2 @@ -0,0 +1,42 @@ +[Unit] +Wants=network-online.target +After=network-online.target + + +[Service] +Type=oneshot + +{% if 'ip_snat' in item.value %} +ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1 +{% for addr in item.value.addresses %} +ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }} +{% endfor %} +{% endif %} +{% for forward in item.value.port_forwardings | default([]) %} +{% for port in forward.tcp_ports | default([]) %} +ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }} +{% endfor %} +{% for port in forward.udp_ports | default([]) %} +ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }} +{% endfor %} +{% endfor %} + +{% if 'ip_snat' in item.value %} +{% for addr in item.value.addresses %} +ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }} +{% endfor %} +{% endif %} +{% for forward in item.value.port_forwardings | default([]) %} +{% for port in forward.tcp_ports | default([]) %} +ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }} +{% endfor %} +{% for port in forward.udp_ports | default([]) %} +ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }} +{% endfor %} +{% endfor %} + +RemainAfterExit=yes + + +[Install] +WantedBy=multi-user.target diff --git a/roles/network/wireguard/gateway/templates/systemd.netdev.j2 b/roles/network/wireguard/gateway/templates/systemd.netdev.j2 new file mode 100644 index 00000000..96399b52 --- /dev/null +++ b/roles/network/wireguard/gateway/templates/systemd.netdev.j2 @@ -0,0 +1,26 @@ +[NetDev] +Name={{ item.key }} +Kind=wireguard +{% if 'description' in item.value %} +Description={{ item.value.description }} +{% endif %} + + +[WireGuard] +PrivateKey={{ item.value.priv_key }} +ListenPort={{ item.value.listen_port | default(51820) }} + +{% for peer in item.value.peers %} + +[WireGuardPeer] +PublicKey={{ peer.pub_key }} +{% for ip in peer.allowed_ips %} +AllowedIPs={{ ip }} +{% endfor %} +{% if 'endpoint' in peer %} +Endpoint={{ peer.endpoint.host }}:{{ peer.endpoint.port | default(51820) }} +{% endif %} +{% if 'keepalive_interval' in peer %} +PersistentKeepalive={{ peer.keepalive_interval }} +{% endif %} +{% endfor %} diff --git a/roles/network/wireguard/gateway/templates/systemd.network.j2 b/roles/network/wireguard/gateway/templates/systemd.network.j2 new file mode 100644 index 00000000..6847aa6a --- /dev/null +++ b/roles/network/wireguard/gateway/templates/systemd.network.j2 @@ -0,0 +1,20 @@ +[Match] +Name={{ item.key }} + +[Network] +{% for addr in item.value.addresses %} +Address={{ addr }} +{% endfor %} +{% if 'ip_masq' in item.value and item.value.ip_masq %} +IPMasquerade=yes +{% endif %} +{% if 'default_gateway' in item.value %} + +[Route] +Destination=0.0.0.0/1 +Gateway={{ item.value.default_gateway.inner }} + +[Route] +Destination=128.0.0.0/1 +Gateway={{ item.value.default_gateway.inner }} +{% endif %} diff --git a/roles/network/wireguard/p2p/defaults/main.yml b/roles/network/wireguard/p2p/defaults/main.yml new file mode 100644 index 00000000..9d93b810 --- /dev/null +++ b/roles/network/wireguard/p2p/defaults/main.yml @@ -0,0 +1,18 @@ +--- +# wireguard_p2p_interface: +# name: p2p +# description: some wireguard tunnel +# priv_key: secret +# listen_port: 1234 +# addresses: +# - 192.168.123.254/24 + +# wireguard_p2p_peer: +# pub_key: public_key_of_peer +# keepalive_interval: 10 +# endpoint: +# host: 5.6.7.8 +# port: 1234 +# allowed_ips: +# - 192.168.255.3/32 +# - 192.168.123.0/24 diff --git a/roles/network/wireguard/p2p/handlers/main.yml b/roles/network/wireguard/p2p/handlers/main.yml new file mode 100644 index 00000000..625032dc --- /dev/null +++ b/roles/network/wireguard/p2p/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart systemd-networkd + systemd: + daemon_reload: yes + name: systemd-networkd + state: restarted diff --git a/roles/network/wireguard/p2p/tasks/main.yml b/roles/network/wireguard/p2p/tasks/main.yml new file mode 100644 index 00000000..78cfaf43 --- /dev/null +++ b/roles/network/wireguard/p2p/tasks/main.yml @@ -0,0 +1,20 @@ +--- +- name: install wireguard interfaces (netdev) + template: + src: systemd.netdev.j2 + dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.netdev" + mode: 0640 + group: systemd-network + notify: restart systemd-networkd + +- name: install wireguard interfaces (network) + template: + src: systemd.network.j2 + dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.network" + notify: restart systemd-networkd + +- name: enable systemd-networkd + systemd: + name: systemd-networkd + enabled: yes + state: started diff --git a/roles/network/wireguard/p2p/tasks/systemd-iptables.service.j2 b/roles/network/wireguard/p2p/tasks/systemd-iptables.service.j2 new file mode 100644 index 00000000..11cf4b8a --- /dev/null +++ b/roles/network/wireguard/p2p/tasks/systemd-iptables.service.j2 @@ -0,0 +1,42 @@ +[Unit] +Wants=network-online.target +After=network-online.target + + +[Service] +Type=oneshot + +{% if 'ip_snat' in item.value %} +ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1 +{% for addr in item.value.addresses %} +ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }} +{% endfor %} +{% endif %} +{% for forward in item.value.port_forwardings | default([]) %} +{% for port in forward.tcp_ports | default([]) %} +ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }} +{% endfor %} +{% for port in forward.udp_ports | default([]) %} +ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }} +{% endfor %} +{% endfor %} + +{% if 'ip_snat' in item.value %} +{% for addr in item.value.addresses %} +ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }} +{% endfor %} +{% endif %} +{% for forward in item.value.port_forwardings | default([]) %} +{% for port in forward.tcp_ports | default([]) %} +ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }} +{% endfor %} +{% for port in forward.udp_ports | default([]) %} +ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }} +{% endfor %} +{% endfor %} + +RemainAfterExit=yes + + +[Install] +WantedBy=multi-user.target diff --git a/roles/network/wireguard/p2p/templates/systemd.netdev.j2 b/roles/network/wireguard/p2p/templates/systemd.netdev.j2 new file mode 100644 index 00000000..04abfa1d --- /dev/null +++ b/roles/network/wireguard/p2p/templates/systemd.netdev.j2 @@ -0,0 +1,26 @@ +[NetDev] +Name={{ wireguard_p2p_interface.name }} +Kind=wireguard +{% if 'description' in wireguard_p2p_interface %} +Description={{ wireguard_p2p_interface.description }} +{% endif %} + + +[WireGuard] +PrivateKey={{ wireguard_p2p_interface.priv_key }} +{% if 'listen_port' in wireguard_p2p_interface %} +ListenPort={{ wireguard_p2p_interface.listen_port }} +{% endif %} + + +[WireGuardPeer] +PublicKey={{ wireguard_p2p_peer.pub_key }} +{% for ip in wireguard_p2p_peer.allowed_ips %} +AllowedIPs={{ ip }} +{% endfor %} +{% if 'endpoint' in wireguard_p2p_peer %} +Endpoint={{ wireguard_p2p_peer.endpoint.host }}:{{ wireguard_p2p_peer.endpoint.port | default(51820) }} +{% endif %} +{% if 'keepalive_interval' in wireguard_p2p_peer %} +PersistentKeepalive={{ wireguard_p2p_peer.keepalive_interval }} +{% endif %} diff --git a/roles/network/wireguard/p2p/templates/systemd.network.j2 b/roles/network/wireguard/p2p/templates/systemd.network.j2 new file mode 100644 index 00000000..3d1e2431 --- /dev/null +++ b/roles/network/wireguard/p2p/templates/systemd.network.j2 @@ -0,0 +1,7 @@ +[Match] +Name={{ wireguard_p2p_interface.name }} + +[Network] +{% for addr in wireguard_p2p_interface.addresses %} +Address={{ addr }} +{% endfor %} |