diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 37edc2b..2cc5261 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -149,9 +149,6 @@ global_ssh_configuration_link: "{{ global_ssh_configuration_environment_director global_sudoers_directory: "/etc/sudoers.d" global_wireguard_configuration_directory: "/etc/wireguard" -global_wireguard_configuration_environment_directory: "{{ global_configuration_environment_directory }}/wireguard" -global_wireguard_configuration_link_name: "wireguard" -global_wireguard_configuration_link: "{{ global_wireguard_configuration_environment_directory }}/{{ global_wireguard_configuration_link_name }}" global_wireguard_port: 51820 global_wireguard_ipv4_subnet: 22 global_wireguard_ipv4_netmask: "{{ ('0.0.0.0/' + (global_wireguard_ipv4_subnet | string)) | ipaddr('netmask') }}" @@ -160,6 +157,9 @@ global_wireguard_ipv4_range: "10.162.4.0/{{ global_wireguard_ipv4_subnet }}" global_systemd_preset_directory: "/lib/systemd/system" global_systemd_configuration_directory: "/etc/systemd/system" +global_systemd_network_directory: "/etc/systemd/network" +global_systemd_network_service_name: "systemd-networkd.service" +global_systemd_network_system_user: "systemd-network" global_zsh_antigen_source: "/usr/share/zsh-antigen/antigen.zsh" diff --git a/playbooks/wireguard.yml b/playbooks/wireguard.yml index 73e953f..4b585ab 100644 --- a/playbooks/wireguard.yml +++ b/playbooks/wireguard.yml @@ -27,11 +27,11 @@ - wireguard_backbones - wireguard_clients roles: - - role: wireguard/handlers + - name: misc/handlers tasks: - - name: Reload wireguard configuration always + - name: Reload systemd wireguard network always become: no command: /bin/true delegate_to: localhost notify: - - reassemble wireguard config + - restart systemd network diff --git a/roles/wireguard/application/defaults/main.yml b/roles/wireguard/application/defaults/main.yml index a9b1c37..ac4c7df 100644 --- a/roles/wireguard/application/defaults/main.yml 
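Review bot: The roles entry in playbooks/wireguard.yml is written as `- name: misc/handlers` while the meta dependency changed in this same commit uses `- role: misc/deb_backports`; `role:` is the documented key for a roles-list entry, so `- role: misc/handlers` keeps the two consistent (`name` may be accepted as an alias, but it reads like a task name). The `restart systemd network` handler that the always-run task now notifies is not defined anywhere in this diff — the deleted `roles/wireguard/handlers` is not replaced here — so it is presumably provided by `misc/handlers` outside the diff. Worth confirming that handler restarts `{{ global_systemd_network_service_name }}` rather than a hard-coded unit, since that new variable is otherwise unused in this diff.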
+++ b/roles/wireguard/application/defaults/main.yml @@ -1,7 +1,15 @@ --- -wireguard_key_directory: "{{ global_wireguard_configuration_environment_directory }}/key" +wireguard_key_directory: "{{ global_wireguard_configuration_directory }}/key" wireguard_private_key: "{{ wireguard_key_directory }}/private" wireguard_public_key: "{{ wireguard_key_directory }}/public" wireguard_interface_name: "wg0" + +netdev_name: "{{ wireguard_interface_name }}.netdev" +network_name: "{{ wireguard_interface_name }}.network" + +netdev_file: "{{ global_systemd_network_directory }}/{{ netdev_name }}" +network_file: "{{ global_systemd_network_directory }}/{{ network_name }}" + +netdev_directory: "{{ netdev_file }}.d" diff --git a/roles/wireguard/application/meta/main.yml b/roles/wireguard/application/meta/main.yml index 1669e28..c27d0e5 100644 --- a/roles/wireguard/application/meta/main.yml +++ b/roles/wireguard/application/meta/main.yml @@ -3,5 +3,4 @@ allow_duplicates: no dependencies: - - role: wireguard/handlers - role: misc/deb_backports diff --git a/roles/wireguard/application/tasks/main.yml b/roles/wireguard/application/tasks/main.yml index 5c25762..91fd089 100644 --- a/roles/wireguard/application/tasks/main.yml +++ b/roles/wireguard/application/tasks/main.yml 
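Review bot: The five new defaults (`netdev_name`, `network_name`, `netdev_file`, `network_file`, `netdev_directory`) drop the `wireguard_` prefix that `wireguard_key_directory` and `wireguard_interface_name` in the same file carry; role defaults share one flat variable namespace, so a name as generic as `network_name` is easy to shadow from another role or from inventory. Renaming them `wireguard_netdev_directory` and so on keeps the file's own convention. `netdev_directory` is also consumed by the backbone, client and special_client tasks in this commit, which appear to rely on the application role's defaults having been loaded earlier in the play; a comment above the block such as `# Consumed by the backbone/client roles; wireguard/application must run first in the same play.` would record that dependency.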
@@ -1,43 +1,41 @@ --- +- name: Check for debian major version + assert: + that: "ansible_distribution_major_version is version_compare('10', '>=')" + msg: "This role requires at least Debian Buster" + - name: Install wireguard using apt apt: name: - wireguard state: present -- name: Create wireguard configuration environment directories +- name: Upgrade systemd to backports (required for buster) + apt: + default_release: buster-backports + name: + - libpam-systemd + - libsystemd0 + - systemd + state: latest # required to trigger update + when: "ansible_distribution_major_version == '10'" + +- name: Create wireguard configuration directory file: state: directory - path: "{{ item }}" - owner: root - group: root - mode: "u=rwx,g=rx,o=rx" - loop: - - "{{ global_wireguard_configuration_environment_directory }}" - - "{{ global_wireguard_configuration_environment_directory }}/peers" - -- name: Upload makefile to wireguard configuration environment - template: - src: wireguard.makefile - dest: "{{ global_wireguard_configuration_environment_directory }}/makefile" + path: "{{ global_wireguard_configuration_directory }}" owner: root - group: root - mode: "u=rw,g=r,o=r" - -- name: Create link in ssh configuration environment - file: - state: link - src: "{{ global_wireguard_configuration_directory }}" - dest: "{{ global_wireguard_configuration_link }}" + group: "{{ global_systemd_network_system_user }}" + mode: u=rwx,g=rx,o=rx - name: Create wireguard key directory file: state: directory path: "{{ wireguard_key_directory }}" owner: root - group: root - mode: "u=rwx,g=,o=" + group: "{{ global_systemd_network_system_user }}" + mode: u=rwx,g=rx,o= - name: Generate key pair shell: >- 
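Review bot: The new assertion checks only `ansible_distribution_major_version`, so a task named "Check for debian major version" with the message "This role requires at least Debian Buster" also passes on any other distribution whose major version is 10 or more, while the backports upgrade below is keyed to `== '10'` alone. Adding the distribution makes the guard match its message: `that:` / `- "ansible_distribution == 'Debian'"` / `- "ansible_distribution_major_version is version('10', '>=')"` — `version` being the current name of the test, with `version_compare` its legacy alias. Separately, the key directory now gets `group: "{{ global_systemd_network_system_user }}"` with `g=rx`, which looks like what lets systemd-networkd (running as that user) read the file named by `PrivateKeyFile=` in wg.netdev; a comment above that task saying so (`# group read is required: systemd-networkd reads PrivateKeyFile as this user`) would stop a later reviewer from tightening it back to `g=`.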
@@ -48,6 +46,14 @@ chdir: "{{ wireguard_key_directory }}" creates: "{{ wireguard_public_key }}" +- name: Secure key to prevent logging + file: + state: file + path: "{{ wireguard_private_key }}" + owner: root + group: "{{ global_systemd_network_system_user }}" + mode: u=rwx,g=rx,o= + - name: Download wireguard public key fetch: src: "{{ wireguard_public_key }}" @@ -58,43 +64,32 @@ - name: Store peer configuration locally template: - src: "peer.cfg" + src: peer.conf dest: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}" owner: "{{ local_user }}" group: "{{ local_user }}" mode: "u=rw,g=r,o=" delegate_to: localhost -- name: Store main config - template: - src: "wireguard.cfg" - dest: "{{ global_wireguard_configuration_environment_directory }}/main.cfg" - owner: root - group: root - mode: "u=rw,g=,o=" - notify: - - reassemble wireguard config - -- name: Add control scripts +- name: Configure systemd for WireGuard template: - src: "{{ item }}.sh" - dest: "{{ global_wireguard_configuration_directory }}/{{ item }}.sh" + src: "{{ item.src }}" + dest: "{{ item.dest }}" owner: root - group: root - mode: "u=rwx,g=r,o=r" - validate: "{{ global_validate_shell_script }}" - notify: - - reload wireguard interface + group: "{{ global_systemd_network_system_user }}" + mode: u=rw,g=r,o= loop: - - up - - down + - src: wg.netdev + dest: "{{ netdev_file }}" + - src: wg.network + dest: "{{ network_file }}" + notify: + - restart systemd network -- name: Configure WireGuard on boot - template: - src: wireguard.service - dest: "{{ global_systemd_configuration_directory }}/wireguard.service" +- name: Create directory for systemd WireGuard network + file: + state: directory + path: "{{ netdev_directory }}" owner: root - group: root - mode: "u=rw,g=r,o=r" - notify: - - reload systemd + group: "{{ global_systemd_network_system_user }}" + mode: u=rwx,g=rx,o= 
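Review bot: `Secure key to prevent logging` sets `mode: u=rwx,g=rx,o=` on the private key file itself; execute bits on a key file serve no purpose, and the most the `PrivateKeyFile=` reference in wg.netdev needs is owner write plus group read, so `mode: u=rw,g=r,o=` is the tighter setting. The task name also does not describe what the task does — `Restrict private key permissions` would. The key is produced by the `Generate key pair` shell task just above (its body continues outside this hunk), so until this task runs the file's mode depends on that shell's umask; if that window matters, set a restrictive umask in the generating task rather than relying on the fix-up.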
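Review bot: The `wg.netdev` rendered by `Configure systemd for WireGuard` is installed `o=`, while the peer drop-ins the backbone and client roles write into `{{ netdev_directory }}` in this same commit are `o=r`; the drop-ins carry only public keys and endpoints, so neither mode is wrong, but the asymmetry looks accidental and a comment on the mode line (`# o= because the netdev names PrivateKeyFile; peer drop-ins hold only public data`) records the intent. Also, to my understanding systemd-networkd does not reconfigure a wireguard netdev that already exists on a plain service restart, so `restart systemd network` may not apply later changes to wg.netdev or its drop-ins without the link being removed first — worth confirming on a host where the interface is already up. The `validate:` the removed control-script task had has no equivalent here, so a broken template is only noticed when networkd logs it.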
diff --git a/roles/wireguard/application/templates/down.sh b/roles/wireguard/application/templates/down.sh
deleted file mode 100644
index f670110..0000000
--- a/roles/wireguard/application/templates/down.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-
-set -euxo pipefail;
-
-INTERFACE={{ wireguard_interface_name | quote }};
-
-ip route flush dev $INTERFACE;
-ip link set down dev $INTERFACE;
-ip address flush dev $INTERFACE;
diff --git a/roles/wireguard/application/templates/peer.cfg b/roles/wireguard/application/templates/peer.cfg
deleted file mode 100644
index ccd807a..0000000
--- a/roles/wireguard/application/templates/peer.cfg
+++ /dev/null
@@ -1,6 +0,0 @@
-[Peer]
-{% if wireguard_public_address != '127.1' %}
-Endpoint = {{ wireguard_public_address }}:{{ global_wireguard_port }}
-{% endif %}
-PublicKey = {{ lookup('file', global_wireguard_public_directory + '/' + inventory_hostname) }}
-AllowedIPs = {{ wireguard_ipv4_address }}, {{ global_wireguard_ipv4_range }}
diff --git a/roles/wireguard/application/templates/peer.conf b/roles/wireguard/application/templates/peer.conf
new file mode 100644
index 0000000..91e109e
--- /dev/null
+++ b/roles/wireguard/application/templates/peer.conf
@@ -0,0 +1,6 @@
+[WireGuardPeer]
+{% if wireguard_public_address != '127.1' %}
+Endpoint={{ wireguard_public_address }}:{{ global_wireguard_port }}
+{% endif %}
+PublicKey={{ lookup('file', global_wireguard_public_directory + '/' + inventory_hostname) }}
+AllowedIPs={{ wireguard_ipv4_address }}, {{ global_wireguard_ipv4_range }}
diff --git a/roles/wireguard/application/templates/up.sh b/roles/wireguard/application/templates/up.sh
deleted file mode 100644
index 760bc94..0000000
--- a/roles/wireguard/application/templates/up.sh
+++ /dev/null
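Review bot: In peer.conf, `AllowedIPs` lists `{{ global_wireguard_ipv4_range }}` on every peer, so a client that peers with several backbones gives the same range to all of them; WireGuard's cryptokey routing maps each prefix to exactly one peer, so to my reading the range ends up owned by whichever peer is configured last and traffic for the rest of the range is sent to that one backbone only. If the range is meant only for peers that actually relay, emit it conditionally (for instance only for members of `wireguard_backbones`); the per-peer `{{ wireguard_ipv4_address }}` entry still selects the right peer for direct traffic. This is carried over from the deleted peer.cfg rather than introduced here, but the new file is the place to fix it.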
@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-
-set -euxo pipefail;
-
-INTERFACE={{ wireguard_interface_name | quote }};
-
-if ! ip link show dev $INTERFACE; then
- ip link add dev $INTERFACE type wireguard;
-else
- ip link set dev $INTERFACE type wireguard;
-fi
-ip address add dev $INTERFACE {{ wireguard_ipv4_address | quote }}/{{ global_wireguard_ipv4_subnet | quote }};
-wg setconf $INTERFACE {{ global_wireguard_configuration_directory }}/wireguard.cfg;
-ip link set up dev $INTERFACE;
-#ip route add {{ global_wireguard_ipv4_range }} dev $INTERFACE;
diff --git a/roles/wireguard/application/templates/wg.netdev b/roles/wireguard/application/templates/wg.netdev
new file mode 100644
index 0000000..e94babd
--- /dev/null
+++ b/roles/wireguard/application/templates/wg.netdev
@@ -0,0 +1,7 @@
+[NetDev]
+Name={{ wireguard_interface_name }}
+Kind=wireguard
+
+[WireGuard]
+ListenPort={{ global_wireguard_port }}
+PrivateKeyFile={{ wireguard_private_key }}
diff --git a/roles/wireguard/application/templates/wg.network b/roles/wireguard/application/templates/wg.network
new file mode 100644
index 0000000..db475ef
--- /dev/null
+++ b/roles/wireguard/application/templates/wg.network
@@ -0,0 +1,5 @@
+[Match]
+Name={{ wireguard_interface_name }}
+
+[Network]
+Address={{ wireguard_ipv4_address }}/{{ global_wireguard_ipv4_subnet }}
diff --git a/roles/wireguard/application/templates/wireguard.cfg b/roles/wireguard/application/templates/wireguard.cfg
deleted file mode 100644
index 6870fe2..0000000
--- a/roles/wireguard/application/templates/wireguard.cfg
+++ /dev/null
@@ -1,3 +0,0 @@
-[Interface]
-PrivateKey =
-ListenPort = {{ global_wireguard_port }}
diff --git a/roles/wireguard/application/templates/wireguard.makefile b/roles/wireguard/application/templates/wireguard.makefile
deleted file mode 100644
index 6d862dc..0000000
--- a/roles/wireguard/application/templates/wireguard.makefile
+++ /dev/null
@@ -1,8 +0,0 @@ -dest:={{ global_wireguard_configuration_link_name }} - -peer_files:=$(sort $(wildcard peers/*)) - -${dest}/wireguard.cfg: main.cfg ${peer_files} - cat $^ | sed '0,//{s##'"$$(cat {{ wireguard_private_key | quote }})"'#}' > "$@" - chown root:root "$@" - chmod u=rw,g=r,o= "$@" diff --git a/roles/wireguard/application/templates/wireguard.service b/roles/wireguard/application/templates/wireguard.service deleted file mode 100644 index dabbd64..0000000 --- a/roles/wireguard/application/templates/wireguard.service +++ /dev/null @@ -1,13 +0,0 @@ -[Unit] -Description=WireGuard Interface -After=network.target - -[Service] -Type=oneshot -ExecStart={{ global_wireguard_configuration_directory }}/up.sh -RemainAfterExit=true -ExecStop={{ global_wireguard_configuration_directory }}/down.sh -StandardOutput=journal - -[Install] -WantedBy=multi-user.target diff --git a/roles/wireguard/backbone/tasks/main.yml b/roles/wireguard/backbone/tasks/main.yml index f2a39e3..f84530b 100644 --- a/roles/wireguard/backbone/tasks/main.yml +++ b/roles/wireguard/backbone/tasks/main.yml @@ -9,7 +9,7 @@ - name: Store public key to backbones copy: src: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}" - dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}" + dest: "{{ netdev_directory }}/{{ inventory_hostname }}.conf" owner: root group: root mode: "u=rw,g=r,o=r" diff --git a/roles/wireguard/client/tasks/main.yml b/roles/wireguard/client/tasks/main.yml index 9f81a2e..231cc3e 100644 --- a/roles/wireguard/client/tasks/main.yml +++ b/roles/wireguard/client/tasks/main.yml 
@@ -4,19 +4,20 @@ copy: content: | {{ lookup('file', global_wireguard_peers_directory + '/' + item) }} - PersistentKeepalive = {{ keepalive_timeout }} - dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ item }}" + PersistentKeepalive={{ keepalive_timeout }} + dest: "{{ netdev_directory }}/{{ item }}.conf" owner: root group: root mode: "u=rw,g=r,o=r" when: "item != inventory_hostname" loop: "{{ groups['wireguard_backbones'] }}" - notify: reassemble wireguard config + notify: + - restart systemd network - name: Store public key to backbones copy: src: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}" - dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}" + dest: "{{ netdev_directory }}/{{ inventory_hostname }}.conf" owner: root group: root mode: "u=rw,g=r,o=r" diff --git a/roles/wireguard/handlers/handlers/main.yml b/roles/wireguard/handlers/handlers/main.yml deleted file mode 100644 index 0f180f4..0000000 --- a/roles/wireguard/handlers/handlers/main.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- - -- name: reassemble wireguard config - make: - chdir: "{{ global_wireguard_configuration_environment_directory }}" - target: "{{ global_wireguard_configuration_link_name }}/wireguard.cfg" - notify: - - reload wireguard interface - -- name: reload wireguard interface - systemd: - name: wireguard - state: restarted diff --git a/roles/wireguard/special_client/tasks/main.yml b/roles/wireguard/special_client/tasks/main.yml index d5410d3..45360b0 100644 --- a/roles/wireguard/special_client/tasks/main.yml +++ b/roles/wireguard/special_client/tasks/main.yml @@ -17,7 +17,7 @@ - name: Store public key to backbones template: src: "peer.cfg" - dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}" + dest: "{{ netdev_directory }}/{{ inventory_hostname }}.conf" owner: root group: root mode: "u=rw,g=r,o=r"
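Review bot: In roles/wireguard/special_client/tasks/main.yml the destination moves into the systemd-networkd drop-in directory, but `src: "peer.cfg"` is unchanged, and the application role's `peer.cfg` (a `[Peer]` section with `Key = value` spacing) is deleted in this same commit in favour of `peer.conf` with `[WireGuardPeer]`. If this role has no `templates/peer.cfg` of its own the task fails at render time; if it does, the rendered drop-in would still carry the old section name, which systemd-networkd would presumably ignore rather than apply as a peer. Point it at the new layout — a `peer.conf` in this role's templates with a `[WireGuardPeer]` section, or the application role's template referenced explicitly — so all three peer-writing roles produce the same format.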