authorChristian Pointner <equinox@spreadspace.org>2022-11-20 23:30:14 +0100
committerChristian Pointner <equinox@spreadspace.org>2022-11-20 23:30:14 +0100
commitb6d36823effe31d9c12c927f5d05ddab8c7005c0 (patch)
treef20a721e510a85da81428b2f7d9f46ae51614b05 /roles
parentch-mimas: external_ip (diff)
parentadd wireguard-based remote vpn connections to ch-(pan|mimas) (diff)
Merge branch 'topic/wireguard-extern-vpn'
Diffstat (limited to 'roles')
-rw-r--r--roles/network/wireguard/base/tasks/main.yml52
-rw-r--r--roles/network/wireguard/gateway/templates/nftables.rules.j22
-rw-r--r--roles/network/wireguard/p2p/defaults/main.yml19
-rw-r--r--roles/network/wireguard/p2p/tasks/main.yml16
-rw-r--r--roles/network/wireguard/p2p/templates/systemd.netdev.j222
-rw-r--r--roles/network/wireguard/p2p/templates/systemd.network.j26
6 files changed, 76 insertions, 41 deletions
diff --git a/roles/network/wireguard/base/tasks/main.yml b/roles/network/wireguard/base/tasks/main.yml
index 4d60150d..f096801c 100644
--- a/roles/network/wireguard/base/tasks/main.yml
+++ b/roles/network/wireguard/base/tasks/main.yml
@@ -4,30 +4,36 @@
import_role:
name: apt-repo/spreadspace
-- name: install dkms
- import_role:
- name: prepare-dkms
+- name: install wireguard modules via dkms (legacy systems only)
+ when: (ansible_distribution == 'Debian' and (ansible_distribution_major_version | int) < 11) or (ansible_distribution == 'Ubuntu' and (ansible_distribution_major_version | int) < 22)
+ block:
+ - name: install dkms
+ import_role:
+ name: prepare-dkms
-- name: install wireguard packages
- apt:
- name:
- - wireguard-dkms
- - wireguard-tools
- state: present
+ - name: install wireguard-dkms package
+ apt:
+ name: wireguard-dkms
+ state: present
-- name: check if module is available for the currently running kernel
- command: modprobe --dry-run wireguard
- check_mode: no
- register: wireguard_module_available
- failed_when: false
- changed_when: false
+ - name: check if module is available for the currently running kernel
+ command: modprobe --dry-run wireguard
+ check_mode: no
+ register: wireguard_module_available
+ failed_when: false
+ changed_when: false
-- name: rebuild wireguard module
- when: wireguard_module_available.rc != 0
- command: dpkg-reconfigure wireguard-dkms
+ - name: rebuild wireguard module
+ when: wireguard_module_available.rc != 0
+ command: dpkg-reconfigure wireguard-dkms
-- name: check again if module is available for the currently running kernel
- when: wireguard_module_available.rc != 0
- command: modprobe --dry-run wireguard
- check_mode: no
- changed_when: false
+ - name: check again if module is available for the currently running kernel
+ when: wireguard_module_available.rc != 0
+ command: modprobe --dry-run wireguard
+ check_mode: no
+ changed_when: false
+
+- name: install wireguard tools
+ apt:
+ name: wireguard-tools
+ state: present
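Review bot: On non-legacy hosts the `when:` on the new block skips the `modprobe --dry-run wireguard` check entirely, so the role no longer verifies that the running kernel actually provides the module; such a host (a custom or stripped-down kernel, presumably) would only fail later when systemd-networkd tries to create the netdev. I would run the availability check unconditionally after `install wireguard tools`, without `failed_when: false`, so the play fails inside this role rather than at first use. A second, hedged concern: `ansible_distribution_major_version | int` yields 0 when the fact is not numeric (Debian testing/sid hosts may report something like "n/a"), which would route them into the DKMS branch; an extra guard such as `ansible_distribution_major_version is match('^[0-9]+$')` in the condition avoids that.
```yaml
- name: install wireguard tools
  # … unchanged: apt wireguard-tools …

- name: make sure the wireguard module is available for the running kernel
  command: modprobe --dry-run wireguard
  check_mode: no
  changed_when: false
```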
diff --git a/roles/network/wireguard/gateway/templates/nftables.rules.j2 b/roles/network/wireguard/gateway/templates/nftables.rules.j2
index fcf4a21b..501b1d0b 100644
--- a/roles/network/wireguard/gateway/templates/nftables.rules.j2
+++ b/roles/network/wireguard/gateway/templates/nftables.rules.j2
@@ -4,7 +4,7 @@
table ip nat {
chain wireguard-gateway-{{ item.key }}-snat {
type nat hook postrouting priority 100; policy accept;
- ip saddr { {{ item.value.addresses | map('ipaddr', 'network/prefix') | join(', ') }} } oifname {{ item.value.ip_snat.interface }} snat to {{ item.value.ip_snat.to }}
+ ip saddr { {{ item.value.addresses | map('ansible.utils.ipaddr', 'network/prefix') | join(', ') }} } oifname {{ item.value.ip_snat.interface }} snat to {{ item.value.ip_snat.to }}
}
}
{% endif %}
diff --git a/roles/network/wireguard/p2p/defaults/main.yml b/roles/network/wireguard/p2p/defaults/main.yml
index 9d93b810..68000a83 100644
--- a/roles/network/wireguard/p2p/defaults/main.yml
+++ b/roles/network/wireguard/p2p/defaults/main.yml
@@ -5,14 +5,17 @@
# priv_key: secret
# listen_port: 1234
# addresses:
-# - 192.168.123.254/24
+# - 192.168.255.254/24
+# static_routes:
+# - dest: 192.168.123.0/24
+# gw: 192.168.255.3
-# wireguard_p2p_peer:
-# pub_key: public_key_of_peer
-# keepalive_interval: 10
-# endpoint:
-# host: 5.6.7.8
-# port: 1234
-# allowed_ips:
+# wireguard_p2p_peers:
+# - pub_key: public_key_of_peer
+# keepalive_interval: 10
+# endpoint:
+# host: 5.6.7.8
+# port: 1234
+# allowed_ips:
# - 192.168.255.3/32
# - 192.168.123.0/24
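Review bot: The example above `wireguard_p2p_peers` is now out of step with the rest of this merge: `# priv_key: secret` is still shown as if it were required, while the tasks generate `/etc/systemd/network/<name>.privkey` when the key is omitted, and `endpoint` and `keepalive_interval` are guarded with `{% if %}` in the netdev template. I would annotate the example accordingly, e.g. `# priv_key: secret  # optional: omitted -> key is generated on the host as /etc/systemd/network/<name>.privkey`, and mark `endpoint:` and `keepalive_interval:` as optional in the same way, since this commented block is the only place operators will read the contract.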
diff --git a/roles/network/wireguard/p2p/tasks/main.yml b/roles/network/wireguard/p2p/tasks/main.yml
index 78cfaf43..c1c21263 100644
--- a/roles/network/wireguard/p2p/tasks/main.yml
+++ b/roles/network/wireguard/p2p/tasks/main.yml
@@ -1,4 +1,18 @@
---
+- name: autogenerate wireguard private key file
+ when: "'priv_key' not in wireguard_p2p_interface"
+ block:
+ - name: generate private key
+ shell:
+ cmd: "umask 0027; wg genkey > '/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey'"
+ creates: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey"
+
+ - name: make sure systemd-netword can read the private key file
+ file:
+ path: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey"
+ mode: 0640
+ group: systemd-network
+
- name: install wireguard interfaces (netdev)
template:
src: systemd.netdev.j2
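Review bot: The `shell` task under `generate private key` can leave a permanently empty key file: the `>` redirection creates the target before `wg genkey` runs, so if `wg` is missing or fails on the first run the task errors out but the empty file stays behind, and `creates:` then skips regeneration on every later run while systemd-networkd is left with an unusable `PrivateKeyFile=`. Writing to a temporary name and renaming only on success avoids this: `cmd: "umask 0027; wg genkey > '/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey.tmp' && mv '/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey.tmp' '/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey'"`. Whether this role guarantees that wireguard-tools is installed before it runs is not visible in this diff. Two smaller points: the task name says `systemd-netword`, and `mode: 0640` should be quoted as `mode: "0640"` (with an explicit `owner: root`) so the permission does not depend on YAML octal parsing.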
@@ -13,7 +27,7 @@
dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.network"
notify: restart systemd-networkd
-- name: enable systemd-networkd
+- name: make sure systemd-networkd is enabled
systemd:
name: systemd-networkd
enabled: yes
diff --git a/roles/network/wireguard/p2p/templates/systemd.netdev.j2 b/roles/network/wireguard/p2p/templates/systemd.netdev.j2
index 04abfa1d..3e73f474 100644
--- a/roles/network/wireguard/p2p/templates/systemd.netdev.j2
+++ b/roles/network/wireguard/p2p/templates/systemd.netdev.j2
@@ -7,20 +7,26 @@ Description={{ wireguard_p2p_interface.description }}
[WireGuard]
+{% if 'priv_key' in wireguard_p2p_interface %}
PrivateKey={{ wireguard_p2p_interface.priv_key }}
+{% else %}
+PrivateKeyFile=/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey
+{% endif %}
{% if 'listen_port' in wireguard_p2p_interface %}
ListenPort={{ wireguard_p2p_interface.listen_port }}
{% endif %}
+{% for peer in wireguard_p2p_peers %}
[WireGuardPeer]
-PublicKey={{ wireguard_p2p_peer.pub_key }}
-{% for ip in wireguard_p2p_peer.allowed_ips %}
+PublicKey={{ peer.pub_key }}
+{% for ip in peer.allowed_ips %}
AllowedIPs={{ ip }}
+{% endfor %}
+{% if 'endpoint' in peer %}
+Endpoint={{ peer.endpoint.host }}:{{ peer.endpoint.port | default(51820) }}
+{% endif %}
+{% if 'keepalive_interval' in peer %}
+PersistentKeepalive={{ peer.keepalive_interval }}
+{% endif %}
{% endfor %}
-{% if 'endpoint' in wireguard_p2p_peer %}
-Endpoint={{ wireguard_p2p_peer.endpoint.host }}:{{ wireguard_p2p_peer.endpoint.port | default(51820) }}
-{% endif %}
-{% if 'keepalive_interval' in wireguard_p2p_peer %}
-PersistentKeepalive={{ wireguard_p2p_peer.keepalive_interval }}
-{% endif %}
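Review bot: The `PrivateKey=` branch at the top of the hunk still writes the key material into the rendered .netdev file itself, and nothing in this diff shows the `template:` task that renders it setting a restrictive mode; with a default umask the file is usually world-readable, which exposes the key to every local user (systemd-networkd also warns about too-accessible .netdev files with `PrivateKey=`, as far as I recall). If inline `priv_key` is kept, the netdev template task should set `mode: "0640"` and `group: systemd-network` with root ownership, or the role could prefer the new `PrivateKeyFile=` path and document `priv_key` as discouraged. I would at least add `{# inline PrivateKey= lands in this file: keep it root:systemd-network 0640 #}` above the branch. The template task that renders this file is outside the hunk.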
diff --git a/roles/network/wireguard/p2p/templates/systemd.network.j2 b/roles/network/wireguard/p2p/templates/systemd.network.j2
index 3d1e2431..e40e610b 100644
--- a/roles/network/wireguard/p2p/templates/systemd.network.j2
+++ b/roles/network/wireguard/p2p/templates/systemd.network.j2
@@ -5,3 +5,9 @@ Name={{ wireguard_p2p_interface.name }}
{% for addr in wireguard_p2p_interface.addresses %}
Address={{ addr }}
{% endfor %}
+{% for route in wireguard_p2p_interface.static_routes | default([]) %}
+
+[Route]
+Destination={{ route.dest }}
+Gateway={{ route.gw }}
+{% endfor %}
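Review bot: The `[Route]` entries added here are independent of WireGuard's cryptokey routing: a `static_routes` destination is only usable if it is also covered by some peer's `allowed_ips` in the netdev, otherwise the kernel steers the packet into the tunnel and wireguard silently drops it. The example in defaults keeps the two lists in sync by hand, but nothing enforces it; I would document this above the loop, `{# dest must also be covered by a peer's allowed_ips, otherwise wireguard drops the traffic #}`. A per-route `metric` would be a natural addition but is a feature rather than a defect.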