From 0f6cabbae37d2750a1841d2e1abd07eca064af29 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 20 Nov 2022 23:30:00 +0100
Subject: add wireguard-based remote vpn connections to ch-(pan|mimas)

---
 roles/network/wireguard/p2p/defaults/main.yml | 9 ++++++---
 roles/network/wireguard/p2p/tasks/main.yml | 16 +++++++++++++++-
 roles/network/wireguard/p2p/templates/systemd.netdev.j2 | 4 ++++
 roles/network/wireguard/p2p/templates/systemd.network.j2 | 6 ++++++
 4 files changed, 31 insertions(+), 4 deletions(-)
(limited to 'roles/network/wireguard/p2p')

diff --git a/roles/network/wireguard/p2p/defaults/main.yml b/roles/network/wireguard/p2p/defaults/main.yml
index cb8d6f18..68000a83 100644
--- a/roles/network/wireguard/p2p/defaults/main.yml
+++ b/roles/network/wireguard/p2p/defaults/main.yml
@@ -5,7 +5,10 @@
 # priv_key: secret
 # listen_port: 1234
 # addresses:
-# - 192.168.123.254/24
+# - 192.168.255.254/24
+# static_routes:
+# - dest: 192.168.123.0/24
+# gw: 192.168.255.3
 
 # wireguard_p2p_peers:
 # - pub_key: public_key_of_peer
@@ -14,5 +17,5 @@
 # host: 5.6.7.8
 # port: 1234
 # allowed_ips:
-# - 192.168.255.3/32
-# - 192.168.123.0/24
+# - 192.168.255.3/32
+# - 192.168.123.0/24
diff --git a/roles/network/wireguard/p2p/tasks/main.yml b/roles/network/wireguard/p2p/tasks/main.yml
index 78cfaf43..c1c21263 100644
--- a/roles/network/wireguard/p2p/tasks/main.yml
+++ b/roles/network/wireguard/p2p/tasks/main.yml
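Review bot: The example in the first hunk still presents `priv_key: secret` as a required field, while the tasks and netdev changes in this same commit make it optional and generate a key into `/etc/systemd/network/<name>.privkey` when it is absent. A comment on that example line, e.g. `# priv_key: secret  # optional; when omitted a key is generated into /etc/systemd/network/<name>.privkey`, would document the new behaviour where users look for it. It would also help to say next to the new `static_routes` example that the route's destination must be covered by a peer's `allowed_ips` (as the `192.168.123.0/24` entry in the second hunk does), since the `[Route]` entry alone does not select a peer.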
@@ -1,4 +1,18 @@
 ---
+- name: autogenerate wireguard private key file
+ when: "'priv_key' not in wireguard_p2p_interface"
+ block:
+ - name: generate private key
+ shell:
+ cmd: "umask 0027; wg genkey > '/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey'"
+ creates: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey"
+
+ - name: make sure systemd-netword can read the private key file
+ file:
+ path: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey"
+ mode: 0640
+ group: systemd-network
+
 - name: install wireguard interfaces (netdev)
 template:
 src: systemd.netdev.j2
@@ -13,7 +27,7 @@
 dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.network"
 notify: restart systemd-networkd
 
-- name: enable systemd-networkd
+- name: make sure systemd-networkd is enabled
 systemd:
 name: systemd-networkd
 enabled: yes
diff --git a/roles/network/wireguard/p2p/templates/systemd.netdev.j2 b/roles/network/wireguard/p2p/templates/systemd.netdev.j2
index 336fdfb2..3e73f474 100644
--- a/roles/network/wireguard/p2p/templates/systemd.netdev.j2
+++ b/roles/network/wireguard/p2p/templates/systemd.netdev.j2
@@ -7,7 +7,11 @@ Description={{ wireguard_p2p_interface.description }}
 [WireGuard]
+{% if 'priv_key' in wireguard_p2p_interface %}
 PrivateKey={{ wireguard_p2p_interface.priv_key }}
+{% else %}
+PrivateKeyFile=/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey
+{% endif %}
 {% if 'listen_port' in wireguard_p2p_interface %}
 ListenPort={{ wireguard_p2p_interface.listen_port }}
 {% endif %}
diff --git a/roles/network/wireguard/p2p/templates/systemd.network.j2 b/roles/network/wireguard/p2p/templates/systemd.network.j2
index 3d1e2431..e40e610b 100644
--- a/roles/network/wireguard/p2p/templates/systemd.network.j2
+++ b/roles/network/wireguard/p2p/templates/systemd.network.j2
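Review bot: The task name of the `file` step in the first hunk misspells the unit it refers to; it should read `- name: make sure systemd-networkd can read the private key file`. In the same step `mode: 0640` is an unquoted octal, which YAML 1.1 reads as the integer 416 and a YAML 1.2 parser as decimal 640; write it as `mode: "0640"` so the intent survives both parsers and ansible-lint. The `umask 0027` in the `shell` step together with `creates:` is the right combination: the key is never world-readable, not even in the window before the `file` step runs, and re-runs do not regenerate it. It is worth a comment on the `when:` line that switching an interface from a generated key to an explicit `priv_key` leaves the old `.privkey` file in place, because the condition skips the whole block rather than removing the file.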
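Review bot: The `PrivateKey=` branch of the new `{% if %}` still writes the secret into the rendered .netdev file, so that branch is only as protected as the mode the `template:` task gives `/etc/systemd/network/{{ wireguard_p2p_interface.name }}.netdev`, which is not visible in this diff; systemd's guidance for both options is root:systemd-network with mode 0640, which is exactly what the tasks change applies to the `.privkey` file but, as far as this diff shows, not to the .netdev file. A Jinja comment above the branch, e.g. `{# PrivateKey= embeds the secret in this unit: the rendered .netdev must not be world-readable #}`, would make that trade-off visible to the next editor. The `PrivateKeyFile=` path is built from the interface name in three places across this commit (two in tasks, one here); deriving it once from a variable would keep them from drifting.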
@@ -5,3 +5,9 @@ Name={{ wireguard_p2p_interface.name }}
 {% for addr in wireguard_p2p_interface.addresses %}
 Address={{ addr }}
 {% endfor %}
+{% for route in wireguard_p2p_interface.static_routes | default([]) %}
+
+[Route]
+Destination={{ route.dest }}
+Gateway={{ route.gw }}
+{% endfor %}
-- 
cgit v1.2.3
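Review bot: The new `[Route]` block makes `gw` mandatory for every entry, although a `[Route]` with only `Destination=` is valid for an interface route and is the natural form on a tunnel where the peer selection is done by `AllowedIPs=` rather than by the gateway. Wrapping the line as `{% if 'gw' in route %}Gateway={{ route.gw }}{% endif %}` keeps existing configs working and allows gateway-less routes. When `gw` is given, it only takes effect if it lies inside one of the prefixes from `addresses` or `GatewayOnLink=` is set; the example in defaults/main.yml (`192.168.255.254/24` with gateway `192.168.255.3`) appears to satisfy that, but the template does not check it, which is worth a comment above the loop.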