From 3f9f881fafa3994a8a0dc3b738eca077c4f4d054 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 20 Aug 2020 23:09:01 +0200
Subject: add role wireguard p2p

---
 .../gateway/tasks/systemd-iptables.service.j2 | 42 ----------------------
 .../gateway/templates/systemd-iptables.service.j2 | 42 ++++++++++++++++++++++
 roles/wireguard/p2p/defaults/main.yml | 18 ++++++++++
 roles/wireguard/p2p/handlers/main.yml | 6 ++++
 roles/wireguard/p2p/tasks/main.yml | 20 +++++++++++
 .../p2p/tasks/systemd-iptables.service.j2 | 42 ++++++++++++++++++++++
 roles/wireguard/p2p/templates/systemd.netdev.j2 | 26 ++++++++++++++
 roles/wireguard/p2p/templates/systemd.network.j2 | 7 ++++
 8 files changed, 161 insertions(+), 42 deletions(-)
 delete mode 100644 roles/wireguard/gateway/tasks/systemd-iptables.service.j2
 create mode 100644 roles/wireguard/gateway/templates/systemd-iptables.service.j2
 create mode 100644 roles/wireguard/p2p/defaults/main.yml
 create mode 100644 roles/wireguard/p2p/handlers/main.yml
 create mode 100644 roles/wireguard/p2p/tasks/main.yml
 create mode 100644 roles/wireguard/p2p/tasks/systemd-iptables.service.j2
 create mode 100644 roles/wireguard/p2p/templates/systemd.netdev.j2
 create mode 100644 roles/wireguard/p2p/templates/systemd.network.j2

(limited to 'roles')

diff --git a/roles/wireguard/gateway/tasks/systemd-iptables.service.j2 b/roles/wireguard/gateway/tasks/systemd-iptables.service.j2
deleted file mode 100644
index 11cf4b8a..00000000
--- a/roles/wireguard/gateway/tasks/systemd-iptables.service.j2
+++ /dev/null
@@ -1,42 +0,0 @@
-[Unit]
-Wants=network-online.target
-After=network-online.target
-
-
-[Service]
-Type=oneshot
-
-{% if 'ip_snat' in item.value %}
-ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1
-{% for addr in item.value.addresses %}
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
-{% endfor %}
-{% endif %}
-{% for forward in item.value.port_forwardings | default([]) %}
-{% for port in forward.tcp_ports | default([]) %}
-ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
-{% endfor %}
-{% for port in forward.udp_ports | default([]) %}
-ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
-{% endfor %}
-{% endfor %}
-
-{% if 'ip_snat' in item.value %}
-{% for addr in item.value.addresses %}
-ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
-{% endfor %}
-{% endif %}
-{% for forward in item.value.port_forwardings | default([]) %}
-{% for port in forward.tcp_ports | default([]) %}
-ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
-{% endfor %}
-{% for port in forward.udp_ports | default([]) %}
-ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
-{% endfor %}
-{% endfor %}
-
-RemainAfterExit=yes
-
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/wireguard/gateway/templates/systemd-iptables.service.j2 b/roles/wireguard/gateway/templates/systemd-iptables.service.j2
new file mode 100644
index 00000000..11cf4b8a
--- /dev/null
+++ b/roles/wireguard/gateway/templates/systemd-iptables.service.j2
@@ -0,0 +1,42 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
+
+
+[Service]
+Type=oneshot
+
+{% if 'ip_snat' in item.value %}
+ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1
+{% for addr in item.value.addresses %}
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+{% if 'ip_snat' in item.value %}
+{% for addr in item.value.addresses %}
+ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+RemainAfterExit=yes
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/wireguard/p2p/defaults/main.yml b/roles/wireguard/p2p/defaults/main.yml
new file mode 100644
index 00000000..9d93b810
--- /dev/null
+++ b/roles/wireguard/p2p/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+# wireguard_p2p_interface:
+# name: p2p
+# description: some wireguard tunnel
+# priv_key: secret
+# listen_port: 1234
+# addresses:
+# - 192.168.123.254/24
+
+# wireguard_p2p_peer:
+# pub_key: public_key_of_peer
+# keepalive_interval: 10
+# endpoint:
+# host: 5.6.7.8
+# port: 1234
+# allowed_ips:
+# - 192.168.255.3/32
+# - 192.168.123.0/24
diff --git a/roles/wireguard/p2p/handlers/main.yml b/roles/wireguard/p2p/handlers/main.yml
new file mode 100644
index 00000000..625032dc
--- /dev/null
+++ b/roles/wireguard/p2p/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart systemd-networkd
+ systemd:
+ daemon_reload: yes
+ name: systemd-networkd
+ state: restarted
diff --git a/roles/wireguard/p2p/tasks/main.yml b/roles/wireguard/p2p/tasks/main.yml
new file mode 100644
index 00000000..78cfaf43
--- /dev/null
+++ b/roles/wireguard/p2p/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: install wireguard interfaces (netdev)
+ template:
+ src: systemd.netdev.j2
+ dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.netdev"
+ mode: 0640
+ group: systemd-network
+ notify: restart systemd-networkd
+
+- name: install wireguard interfaces (network)
+ template:
+ src: systemd.network.j2
+ dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.network"
+ notify: restart systemd-networkd
+
+- name: enable systemd-networkd
+ systemd:
+ name: systemd-networkd
+ enabled: yes
+ state: started
diff --git a/roles/wireguard/p2p/tasks/systemd-iptables.service.j2 b/roles/wireguard/p2p/tasks/systemd-iptables.service.j2
new file mode 100644
index 00000000..11cf4b8a
--- /dev/null
+++ b/roles/wireguard/p2p/tasks/systemd-iptables.service.j2
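Review bot: The commented example in defaults/main.yml shows `priv_key: secret` without saying where that value is expected to come from, and the role renders it verbatim into /etc/systemd/network/<name>.netdev, so anyone copying the example ends up with the WireGuard private key sitting in plain-text inventory or group_vars. I would annotate that line, e.g. `# priv_key: "{{ vault_wireguard_p2p_priv_key }}"   # keep the real key in an ansible-vault encrypted file, never in plain group_vars`, and add a sentence above the block saying the key is written to disk only root/systemd-network readable. The example's `keepalive_interval` and `endpoint` keys are optional per the template; marking them `# (optional)` here would save readers a trip to the netdev template.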
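Review bot: The `mode: 0640` / `group: systemd-network` on the netdev task in tasks/main.yml is the only thing keeping the rendered `PrivateKey=` from being world-readable, but nothing says why those two attributes are there, so a later cleanup could easily drop them or align the task with the .network one (which has no mode at all). I would add `# the .netdev embeds the WireGuard private key: root-owned, readable by systemd-network only` above the task and pin `owner: root` explicitly so the full permission set is stated rather than inherited. The .network file carries no secret, so leaving its mode at the default is fine, but a one-line comment saying so would make the asymmetry look intentional.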
@@ -0,0 +1,42 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
+
+
+[Service]
+Type=oneshot
+
+{% if 'ip_snat' in item.value %}
+ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1
+{% for addr in item.value.addresses %}
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+{% if 'ip_snat' in item.value %}
+{% for addr in item.value.addresses %}
+ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+RemainAfterExit=yes
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/wireguard/p2p/templates/systemd.netdev.j2 b/roles/wireguard/p2p/templates/systemd.netdev.j2
new file mode 100644
index 00000000..04abfa1d
--- /dev/null
+++ b/roles/wireguard/p2p/templates/systemd.netdev.j2
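Review bot: roles/wireguard/p2p/tasks/systemd-iptables.service.j2 looks like a stray copy of the gateway template rather than part of the p2p role: it sits under tasks/ (the same misplacement this commit corrects for the gateway role by moving the file to templates/), nothing in p2p/tasks/main.yml renders it, and every variable it reads — `item.value`, `item.value.addresses`, `item.value.ip_snat`, `item.value.port_forwardings` — belongs to the gateway role's loop, not to the `wireguard_p2p_interface` / `wireguard_p2p_peer` variables the p2p role defines. As committed it is dead code that would fail with an undefined-variable error the moment someone wires it up. I would drop it from this commit; if the p2p role really needs NAT/forwarding, it should be re-added under templates/ rewritten against the p2p variables, together with a task that installs and enables the unit. If it stays, it also needs the same review as the gateway copy: `net.ipv4.ip_forward=1` is set in ExecStart but never reverted in ExecStop, so forwarding remains enabled after the unit stops.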
@@ -0,0 +1,26 @@
+[NetDev]
+Name={{ wireguard_p2p_interface.name }}
+Kind=wireguard
+{% if 'description' in wireguard_p2p_interface %}
+Description={{ wireguard_p2p_interface.description }}
+{% endif %}
+
+
+[WireGuard]
+PrivateKey={{ wireguard_p2p_interface.priv_key }}
+{% if 'listen_port' in wireguard_p2p_interface %}
+ListenPort={{ wireguard_p2p_interface.listen_port }}
+{% endif %}
+
+
+[WireGuardPeer]
+PublicKey={{ wireguard_p2p_peer.pub_key }}
+{% for ip in wireguard_p2p_peer.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
+{% if 'endpoint' in wireguard_p2p_peer %}
+Endpoint={{ wireguard_p2p_peer.endpoint.host }}:{{ wireguard_p2p_peer.endpoint.port | default(51820) }}
+{% endif %}
+{% if 'keepalive_interval' in wireguard_p2p_peer %}
+PersistentKeepalive={{ wireguard_p2p_peer.keepalive_interval }}
+{% endif %}
diff --git a/roles/wireguard/p2p/templates/systemd.network.j2 b/roles/wireguard/p2p/templates/systemd.network.j2
new file mode 100644
index 00000000..3d1e2431
--- /dev/null
+++ b/roles/wireguard/p2p/templates/systemd.network.j2
@@ -0,0 +1,7 @@
+[Match]
+Name={{ wireguard_p2p_interface.name }}
+
+[Network]
+{% for addr in wireguard_p2p_interface.addresses %}
+Address={{ addr }}
+{% endfor %}
-- 
cgit v1.2.3
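Review bot: The `Endpoint=` line in systemd.netdev.j2 concatenates host and port with a bare colon, which produces an unparseable value as soon as `endpoint.host` is an IPv6 literal, since networkd expects `[addr]:port` in that case; the peer is then silently never contacted. Ansible's netaddr filters already used elsewhere in this tree (`ipaddr` in the iptables template) include `ipwrap`, which brackets IPv6 addresses and passes hostnames and IPv4 through unchanged, so one change fixes it: `Endpoint={{ wireguard_p2p_peer.endpoint.host | ipwrap }}:{{ wireguard_p2p_peer.endpoint.port | default(51820) }}`. Since `PrivateKey=` is rendered inline, a header comment such as `{# contains the interface private key: installed 0640 root:systemd-network, do not loosen #}` would tie the template to the permission set the task enforces.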
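Review bot: systemd.network.j2 only emits `Address=` lines, so the kernel gets routes for the peer's `allowed_ips` only where an interface address prefix happens to cover them; with the example values in defaults (address `192.168.123.254/24`, allowed `192.168.255.3/32`) traffic for 192.168.255.3 is never sent into the tunnel unless a route is added elsewhere, and AllowedIPs on the netdev side only filters what the peer is permitted to send, it does not create routes. As far as I can tell networkd of this vintage does not derive routes from AllowedIPs on its own, so I would add one `[Route]` per allowed prefix; prefixes already covered by an Address= produce a duplicate of the connected route, which networkd should tolerate but is worth checking on a target host. The template ends where the hunk ends, so the addition goes after the existing `{% endfor %}`.
```jinja
{# … unchanged: [Match] section and Address= loop … #}
{% for ip in wireguard_p2p_peer.allowed_ips %}

[Route]
Destination={{ ip }}
{% endfor %}
```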