From 73629c402a19444e4c5dd1d08ff0a484cb130954 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 28 Feb 2020 23:27:11 +0100
Subject: added role wireguard/gateway
---
 dan/ele-gwhetzner.yml | 1 +
 dan/host_vars/ele-gwhetzner.yml | 10 +++++++
 dan/host_vars/ele-media.yml | 32 ++++++++++++----------
 inventory/host_vars/ele-gwhetzner.yml | 17 ++++++++++++
 inventory/host_vars/ele-media.yml | 6 ++++
 roles/wireguard/gateway/defaults/main.yml | 15 ++++++++++
 roles/wireguard/gateway/handlers/main.yml | 6 ++++
 roles/wireguard/gateway/tasks/main.yml | 20 ++++++++++++++
 .../wireguard/gateway/templates/systemd.netdev.j2 | 26 ++++++++++++++++++
 .../wireguard/gateway/templates/systemd.network.j2 | 7 +++++
 10 files changed, 126 insertions(+), 14 deletions(-)
 create mode 100644 dan/host_vars/ele-gwhetzner.yml
 create mode 100644 roles/wireguard/gateway/defaults/main.yml
 create mode 100644 roles/wireguard/gateway/handlers/main.yml
 create mode 100644 roles/wireguard/gateway/tasks/main.yml
 create mode 100644 roles/wireguard/gateway/templates/systemd.netdev.j2
 create mode 100644 roles/wireguard/gateway/templates/systemd.network.j2
diff --git a/dan/ele-gwhetzner.yml b/dan/ele-gwhetzner.yml
index 57e35e41..5975014f 100644
--- a/dan/ele-gwhetzner.yml
+++ b/dan/ele-gwhetzner.yml
@@ -6,3 +6,4 @@
 - role: sshd
 - role: zsh
 - role: wireguard/base
+ - role: wireguard/gateway
diff --git a/dan/host_vars/ele-gwhetzner.yml b/dan/host_vars/ele-gwhetzner.yml
new file mode 100644
index 00000000..4fc98f53
--- /dev/null
+++ b/dan/host_vars/ele-gwhetzner.yml
@@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.2;AES256;dan +62393830326163353339343132303631303230383938316134343732313339346532383339323064 +3361613830343332303664393438633161326233303537630a353465313033386630663731363865 +63346563343632366639323165663331393335356266383533316165356335356132343534623934 +6336396437393931350a303737353861613264303733363662336461386666376531356538356563 +35383636343538316337313132326566326564386131376563666235396235393236643366613232 +66366530653965336265623636616233643738373465386331626330396563303134313061653838 +37303039343364376633373931663031383638326132616336623636306162373462653138666464 +39623737613464313432326131666135353261333864323436353130626636393764393433326166 +3133 diff --git a/dan/host_vars/ele-media.yml b/dan/host_vars/ele-media.yml index c02bfedf..5c61100d 100644 --- a/dan/host_vars/ele-media.yml +++ b/dan/host_vars/ele-media.yml @@ -1,15 +1,19 @@ $ANSIBLE_VAULT;1.2;AES256;dan -33326531333361326665353430333562333230616233323433353630313038656236613065336361 -3530313637373961353938613364383335666366373732380a383236353630356530663462613963 -34393737353666346232303530353561303065323933373132313762666161313433653964386465 -3736336436346134370a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a343534353962613833366266613634 +62306232326661363131393138316661613963633433646639383031316432663165616432666331 +3161636138326132380a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diff --git a/inventory/host_vars/ele-gwhetzner.yml b/inventory/host_vars/ele-gwhetzner.yml index 254f0b8a..aeaa936f 100644 --- a/inventory/host_vars/ele-gwhetzner.yml +++ b/inventory/host_vars/ele-gwhetzner.yml 
@@ -31,3 +31,20 @@ network:
 overlay: "{{ (hostvars[vm_host].vm_host.network.bridges.public.overlay.prefix | ipaddr(hostvars[vm_host].vm_host.network.bridges.public.overlay.offsets[inventory_hostname])).split('/')[0] }}"
 external_ip: "{{ network.primary.overlay }}"
+
+
+wireguard_keys:
+ elemedia:
+ pub: "1GdTR5ehIcSVvwdWWsKitRjzcm1gY3Z9ASzJAuN7VH0="
+ priv: "{{ vault_wireguard_priv_keys.elemedia }}"
+
+wireguard_gateway_tunnels:
+ wg-elemedia:
+ description: Elevate Media Server (media.elevate.at)
+ priv_key: "{{ wireguard_keys.elemedia.priv }}"
+ addresses:
+ - 192.168.254.1/30
+ peers:
+ - pub_key: "{{ hostvars['ele-media'].wireguard_keys.gwhetzner.pub }}"
+ allowed_ips:
+ - 192.168.254.2/32
diff --git a/inventory/host_vars/ele-media.yml b/inventory/host_vars/ele-media.yml
index d471683e..a0a388e9 100644
--- a/inventory/host_vars/ele-media.yml
+++ b/inventory/host_vars/ele-media.yml
@@ -66,3 +66,9 @@ nextcloud_lvm:
 lv: ncdata
 size: 150G
 fs: ext4
+
+
+wireguard_keys:
+ gwhetzner:
+ pub: "YO78lnFJdlGnKxBrtVZF4QXF7bpF8rAP7yF97klWLzg="
+ priv: "{{ vault_wireguard_priv_keys.gwhetzner }}"
diff --git a/roles/wireguard/gateway/defaults/main.yml b/roles/wireguard/gateway/defaults/main.yml
new file mode 100644
index 00000000..9ee0523c
--- /dev/null
+++ b/roles/wireguard/gateway/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+# wireguard_gateway_tunnels:
+# wg-test:
+# description: some wireguard tunnel
+# priv_key: secret
+# listen_port: 1234
+# addresses:
+# - 192.168.255.254/24
+# peers:
+# - pub_key: public_key_of_peer
+# keepalive_interval: 10
+# endpoint: 5.6.7.8:1234
+# allowed_ips:
+# - 192.168.255.3/32
+# - 192.168.123.0/24
diff --git a/roles/wireguard/gateway/handlers/main.yml b/roles/wireguard/gateway/handlers/main.yml
new file mode 100644
index 00000000..625032dc
--- /dev/null
+++ b/roles/wireguard/gateway/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart systemd-networkd
+ systemd:
+ daemon_reload: yes
+ name: systemd-networkd
+ state: restarted
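Review bot: `daemon_reload: yes` in the restart handler is a YAML 1.1 truthy word that a 1.2 loader keeps as the string "yes"; write the boolean as `daemon_reload: true` so it reads the same under both and passes yamllint's truthy rule. Restarting systemd-networkd also re-applies every interface it manages, not just the wireguard netdevs this role installs, so on a gateway whose uplink is networkd-managed each tunnel change is a short outage for all traffic through the host; it may be worth checking whether the target systemd's networkctl offers a reload that picks up new .netdev/.network files without a full restart.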
diff --git a/roles/wireguard/gateway/tasks/main.yml b/roles/wireguard/gateway/tasks/main.yml
new file mode 100644
index 00000000..906ee640
--- /dev/null
+++ b/roles/wireguard/gateway/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: install wireguard interfaces (netdev)
+ loop: "{{ wireguard_gateway_tunnels | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ template:
+ src: systemd.netdev.j2
+ dest: "/etc/systemd/network/{{ item.key }}.netdev"
+ mode: 0640
+ group: systemd-network
+ notify: restart systemd-networkd
+
+- name: install wireguard interfaces (network)
+ loop: "{{ wireguard_gateway_tunnels | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ template:
+ src: systemd.network.j2
+ dest: "/etc/systemd/network/{{ item.key }}.network"
+ notify: restart systemd-networkd
diff --git a/roles/wireguard/gateway/templates/systemd.netdev.j2 b/roles/wireguard/gateway/templates/systemd.netdev.j2
new file mode 100644
index 00000000..62f0d0a6
--- /dev/null
+++ b/roles/wireguard/gateway/templates/systemd.netdev.j2
@@ -0,0 +1,26 @@
+[NetDev]
+Name={{ item.key }}
+Kind=wireguard
+{% if 'description' in item.value %}
+Description={{ item.value.description }}
+{% endif %}
+
+
+[WireGuard]
+PrivateKey={{ item.value.priv_key }}
+ListenPort={{ item.value.listen_port | default(51820) }}
+
+{% for peer in item.value.peers %}
+
+[WireGuardPeer]
+PublicKey={{ peer.pub_key }}
+{% for ip in peer.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
+{% if 'endpoint' in peer %}
+Endpoint={{ peer.endpoint }}
+{% endif %}
+{% if 'keepalive_interval' in peer %}
+PersistentKeepalive={{ peer.keepalive_interval }}
+{% endif %}
+{% endfor %}
diff --git a/roles/wireguard/gateway/templates/systemd.network.j2 b/roles/wireguard/gateway/templates/systemd.network.j2
new file mode 100644
index 00000000..8d8af966
--- /dev/null
+++ b/roles/wireguard/gateway/templates/systemd.network.j2
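Review bot: `mode: 0640` on the netdev template task is an unquoted leading-zero scalar; a YAML 1.1 loader reads it as octal and the task ends up with the intended bits, but a YAML 1.2 loader reads decimal 640, a different permission set, so write it as `mode: "0640"`, which is unambiguous under both. The restrictive mode is worth protecting here because the rendered `.netdev` file carries the tunnel's PrivateKey. Nothing removes files for tunnels later dropped from `wireguard_gateway_tunnels`, so a retired tunnel's private key stays in /etc/systemd/network until someone deletes it by hand; either a cleanup task over the stale `.netdev`/`.network` files or a comment in the role documenting that limitation would close the gap. The `.network` task also omits `mode` and `group`, harmless for that file's content (addresses only) but inconsistent with its sibling.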
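Review bot: `ListenPort={{ item.value.listen_port | default(51820) }}` hands every tunnel that omits `listen_port` the same UDP port, so on a gateway with two such tunnels the second netdev cannot bind and that tunnel never comes up, with nothing in the play to say why. Peers must reach a gateway on a known port, so requiring the key per tunnel (or failing the role early when two tunnels resolve to the same port) is safer than a shared default; at minimum the commented example in defaults should say the fallback is only valid for a single tunnel. The peer block also has no way to emit `PresharedKey=`, which systemd-networkd accepts in `[WireGuardPeer]`; an optional key handled like `endpoint` would let operators add WireGuard's extra symmetric-key layer without editing the template.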
@@ -0,0 +1,7 @@
+[Match]
+Name={{ item.key }}
+
+[Network]
+{% for addr in item.value.addresses %}
+Address={{ addr }}
+{% endfor %}
-- cgit v1.2.3