From aefa7a4f57f91ed62ca166ecf5fdfc2eacc04f6a Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@spreadspace.org>
Date: Sat, 23 Jan 2021 22:17:02 +0100
Subject: move wireguard to network sub-dir

---
 .../templates/systemd-fix-default-gw.service.j2    | 12 +++++++
 .../gateway/templates/systemd-iptables.service.j2  | 42 ++++++++++++++++++++++
 .../wireguard/gateway/templates/systemd.netdev.j2  | 26 ++++++++++++++
 .../wireguard/gateway/templates/systemd.network.j2 | 20 +++++++++++
 4 files changed, 100 insertions(+)
 create mode 100644 roles/network/wireguard/gateway/templates/systemd-fix-default-gw.service.j2
 create mode 100644 roles/network/wireguard/gateway/templates/systemd-iptables.service.j2
 create mode 100644 roles/network/wireguard/gateway/templates/systemd.netdev.j2
 create mode 100644 roles/network/wireguard/gateway/templates/systemd.network.j2

(limited to 'roles/network/wireguard/gateway/templates')

diff --git a/roles/network/wireguard/gateway/templates/systemd-fix-default-gw.service.j2 b/roles/network/wireguard/gateway/templates/systemd-fix-default-gw.service.j2
new file mode 100644
index 00000000..d2d8a470
--- /dev/null
+++ b/roles/network/wireguard/gateway/templates/systemd-fix-default-gw.service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip route add {{ item.value.default_gateway.outer }} via {{ ansible_default_ipv4.gateway }}
+ExecStop=/sbin/ip route del {{ item.value.default_gateway.outer }} via {{ ansible_default_ipv4.gateway }}
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2 b/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2
new file mode 100644
index 00000000..11cf4b8a
--- /dev/null
+++ b/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2
@@ -0,0 +1,42 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
+
+
+[Service]
+Type=oneshot
+
+{% if 'ip_snat' in item.value %}
+ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1
+{%   for addr in item.value.addresses %}
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{%   endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{%   for port in forward.tcp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{%   endfor %}
+{%   for port in forward.udp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{%   endfor %}
+{% endfor %}
+
+{% if 'ip_snat' in item.value %}
+{%   for addr in item.value.addresses %}
+ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{%   endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{%   for port in forward.tcp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{%   endfor %}
+{%   for port in forward.udp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{%   endfor %}
+{% endfor %}
+
+RemainAfterExit=yes
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/network/wireguard/gateway/templates/systemd.netdev.j2 b/roles/network/wireguard/gateway/templates/systemd.netdev.j2
new file mode 100644
index 00000000..96399b52
--- /dev/null
+++ b/roles/network/wireguard/gateway/templates/systemd.netdev.j2
@@ -0,0 +1,26 @@
+[NetDev]
+Name={{ item.key }}
+Kind=wireguard
+{% if 'description' in item.value %}
+Description={{ item.value.description }}
+{% endif %}
+
+
+[WireGuard]
+PrivateKey={{ item.value.priv_key }}
+ListenPort={{ item.value.listen_port | default(51820) }}
+
+{% for peer in item.value.peers %}
+
+[WireGuardPeer]
+PublicKey={{ peer.pub_key }}
+{%   for ip in peer.allowed_ips %}
+AllowedIPs={{ ip }}
+{%   endfor %}
+{%   if 'endpoint' in peer %}
+Endpoint={{ peer.endpoint.host }}:{{ peer.endpoint.port | default(51820) }}
+{%   endif %}
+{%   if 'keepalive_interval' in peer %}
+PersistentKeepalive={{ peer.keepalive_interval }}
+{%   endif %}
+{% endfor %}
diff --git a/roles/network/wireguard/gateway/templates/systemd.network.j2 b/roles/network/wireguard/gateway/templates/systemd.network.j2
new file mode 100644
index 00000000..6847aa6a
--- /dev/null
+++ b/roles/network/wireguard/gateway/templates/systemd.network.j2
@@ -0,0 +1,20 @@
+[Match]
+Name={{ item.key }}
+
+[Network]
+{% for addr in item.value.addresses %}
+Address={{ addr }}
+{% endfor %}
+{% if 'ip_masq' in item.value and item.value.ip_masq %}
+IPMasquerade=yes
+{% endif %}
+{% if 'default_gateway' in item.value %}
+
+[Route]
+Destination=0.0.0.0/1
+Gateway={{ item.value.default_gateway.inner }}
+
+[Route]
+Destination=128.0.0.0/1
+Gateway={{ item.value.default_gateway.inner }}
+{% endif %}
-- 
cgit v1.2.3