wireguard: Rewritten to use systemd-networkd integration

dehydrated
Felix Stupp 4 years ago
parent 7c1c7c9029
commit 59dd7d93a1
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7

@ -149,9 +149,6 @@ global_ssh_configuration_link: "{{ global_ssh_configuration_environment_director
global_sudoers_directory: "/etc/sudoers.d" global_sudoers_directory: "/etc/sudoers.d"
global_wireguard_configuration_directory: "/etc/wireguard" global_wireguard_configuration_directory: "/etc/wireguard"
global_wireguard_configuration_environment_directory: "{{ global_configuration_environment_directory }}/wireguard"
global_wireguard_configuration_link_name: "wireguard"
global_wireguard_configuration_link: "{{ global_wireguard_configuration_environment_directory }}/{{ global_wireguard_configuration_link_name }}"
global_wireguard_port: 51820 global_wireguard_port: 51820
global_wireguard_ipv4_subnet: 22 global_wireguard_ipv4_subnet: 22
global_wireguard_ipv4_netmask: "{{ ('0.0.0.0/' + (global_wireguard_ipv4_subnet | string)) | ipaddr('netmask') }}" global_wireguard_ipv4_netmask: "{{ ('0.0.0.0/' + (global_wireguard_ipv4_subnet | string)) | ipaddr('netmask') }}"
@ -160,6 +157,9 @@ global_wireguard_ipv4_range: "10.162.4.0/{{ global_wireguard_ipv4_subnet }}"
global_systemd_preset_directory: "/lib/systemd/system" global_systemd_preset_directory: "/lib/systemd/system"
global_systemd_configuration_directory: "/etc/systemd/system" global_systemd_configuration_directory: "/etc/systemd/system"
global_systemd_network_directory: "/etc/systemd/network"
global_systemd_network_service_name: "systemd-networkd.service"
global_systemd_network_system_user: "systemd-network"
global_zsh_antigen_source: "/usr/share/zsh-antigen/antigen.zsh" global_zsh_antigen_source: "/usr/share/zsh-antigen/antigen.zsh"

@ -27,11 +27,11 @@
- wireguard_backbones - wireguard_backbones
- wireguard_clients - wireguard_clients
roles: roles:
- role: wireguard/handlers - name: misc/handlers
tasks: tasks:
- name: Reload wireguard configuration always - name: Reload systemd wireguard network always
become: no become: no
command: /bin/true command: /bin/true
delegate_to: localhost delegate_to: localhost
notify: notify:
- reassemble wireguard config - restart systemd network

@ -1,7 +1,15 @@
--- ---
wireguard_key_directory: "{{ global_wireguard_configuration_environment_directory }}/key" wireguard_key_directory: "{{ global_wireguard_configuration_directory }}/key"
wireguard_private_key: "{{ wireguard_key_directory }}/private" wireguard_private_key: "{{ wireguard_key_directory }}/private"
wireguard_public_key: "{{ wireguard_key_directory }}/public" wireguard_public_key: "{{ wireguard_key_directory }}/public"
wireguard_interface_name: "wg0" wireguard_interface_name: "wg0"
netdev_name: "{{ wireguard_interface_name }}.netdev"
network_name: "{{ wireguard_interface_name }}.network"
netdev_file: "{{ global_systemd_network_directory }}/{{ netdev_name }}"
network_file: "{{ global_systemd_network_directory }}/{{ network_name }}"
netdev_directory: "{{ netdev_file }}.d"

@ -3,5 +3,4 @@
allow_duplicates: no allow_duplicates: no
dependencies: dependencies:
- role: wireguard/handlers
- role: misc/deb_backports - role: misc/deb_backports

@ -1,43 +1,41 @@
--- ---
- name: Check for debian major version
assert:
that: "ansible_distribution_major_version is version_compare('10', '>=')"
msg: "This role requires at least Debian Buster"
- name: Install wireguard using apt - name: Install wireguard using apt
apt: apt:
name: name:
- wireguard - wireguard
state: present state: present
- name: Create wireguard configuration environment directories - name: Upgrade systemd to backports (required for buster)
apt:
default_release: buster-backports
name:
- libpam-systemd
- libsystemd0
- systemd
state: latest # required to trigger update
when: "ansible_distribution_major_version == '10'"
- name: Create wireguard configuration directory
file: file:
state: directory state: directory
path: "{{ item }}" path: "{{ global_wireguard_configuration_directory }}"
owner: root
group: root
mode: "u=rwx,g=rx,o=rx"
loop:
- "{{ global_wireguard_configuration_environment_directory }}"
- "{{ global_wireguard_configuration_environment_directory }}/peers"
- name: Upload makefile to wireguard configuration environment
template:
src: wireguard.makefile
dest: "{{ global_wireguard_configuration_environment_directory }}/makefile"
owner: root owner: root
group: root group: "{{ global_systemd_network_system_user }}"
mode: "u=rw,g=r,o=r" mode: u=rwx,g=rx,o=rx
- name: Create link in ssh configuration environment
file:
state: link
src: "{{ global_wireguard_configuration_directory }}"
dest: "{{ global_wireguard_configuration_link }}"
- name: Create wireguard key directory - name: Create wireguard key directory
file: file:
state: directory state: directory
path: "{{ wireguard_key_directory }}" path: "{{ wireguard_key_directory }}"
owner: root owner: root
group: root group: "{{ global_systemd_network_system_user }}"
mode: "u=rwx,g=,o=" mode: u=rwx,g=rx,o=
- name: Generate key pair - name: Generate key pair
shell: >- shell: >-
@ -48,6 +46,14 @@
chdir: "{{ wireguard_key_directory }}" chdir: "{{ wireguard_key_directory }}"
creates: "{{ wireguard_public_key }}" creates: "{{ wireguard_public_key }}"
- name: Secure key to prevent logging
file:
state: file
path: "{{ wireguard_private_key }}"
owner: root
group: "{{ global_systemd_network_system_user }}"
mode: u=rwx,g=rx,o=
- name: Download wireguard public key - name: Download wireguard public key
fetch: fetch:
src: "{{ wireguard_public_key }}" src: "{{ wireguard_public_key }}"
@ -58,43 +64,32 @@
- name: Store peer configuration locally - name: Store peer configuration locally
template: template:
src: "peer.cfg" src: peer.conf
dest: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}" dest: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}"
owner: "{{ local_user }}" owner: "{{ local_user }}"
group: "{{ local_user }}" group: "{{ local_user }}"
mode: "u=rw,g=r,o=" mode: "u=rw,g=r,o="
delegate_to: localhost delegate_to: localhost
- name: Store main config - name: Configure systemd for WireGuard
template:
src: "wireguard.cfg"
dest: "{{ global_wireguard_configuration_environment_directory }}/main.cfg"
owner: root
group: root
mode: "u=rw,g=,o="
notify:
- reassemble wireguard config
- name: Add control scripts
template: template:
src: "{{ item }}.sh" src: "{{ item.src }}"
dest: "{{ global_wireguard_configuration_directory }}/{{ item }}.sh" dest: "{{ item.dest }}"
owner: root owner: root
group: root group: "{{ global_systemd_network_system_user }}"
mode: "u=rwx,g=r,o=r" mode: u=rw,g=r,o=
validate: "{{ global_validate_shell_script }}"
notify:
- reload wireguard interface
loop: loop:
- up - src: wg.netdev
- down dest: "{{ netdev_file }}"
- src: wg.network
dest: "{{ network_file }}"
notify:
- restart systemd network
- name: Configure WireGuard on boot - name: Create directory for systemd WireGuard network
template: file:
src: wireguard.service state: directory
dest: "{{ global_systemd_configuration_directory }}/wireguard.service" path: "{{ netdev_directory }}"
owner: root owner: root
group: root group: "{{ global_systemd_network_system_user }}"
mode: "u=rw,g=r,o=r" mode: u=rwx,g=rx,o=
notify:
- reload systemd

@ -1,9 +0,0 @@
#!/usr/bin/env bash
set -euxo pipefail;
INTERFACE={{ wireguard_interface_name | quote }};
ip route flush dev $INTERFACE;
ip link set down dev $INTERFACE;
ip address flush dev $INTERFACE;

@ -1,6 +0,0 @@
[Peer]
{% if wireguard_public_address != '127.1' %}
Endpoint = {{ wireguard_public_address }}:{{ global_wireguard_port }}
{% endif %}
PublicKey = {{ lookup('file', global_wireguard_public_directory + '/' + inventory_hostname) }}
AllowedIPs = {{ wireguard_ipv4_address }}, {{ global_wireguard_ipv4_range }}

@ -0,0 +1,6 @@
[WireGuardPeer]
{% if wireguard_public_address != '127.1' %}
Endpoint={{ wireguard_public_address }}:{{ global_wireguard_port }}
{% endif %}
PublicKey={{ lookup('file', global_wireguard_public_directory + '/' + inventory_hostname) }}
AllowedIPs={{ wireguard_ipv4_address }}, {{ global_wireguard_ipv4_range }}

@ -1,15 +0,0 @@
#!/usr/bin/env bash
set -euxo pipefail;
INTERFACE={{ wireguard_interface_name | quote }};
if ! ip link show dev $INTERFACE; then
ip link add dev $INTERFACE type wireguard;
else
ip link set dev $INTERFACE type wireguard;
fi
ip address add dev $INTERFACE {{ wireguard_ipv4_address | quote }}/{{ global_wireguard_ipv4_subnet | quote }};
wg setconf $INTERFACE {{ global_wireguard_configuration_directory }}/wireguard.cfg;
ip link set up dev $INTERFACE;
#ip route add {{ global_wireguard_ipv4_range }} dev $INTERFACE;

@ -0,0 +1,7 @@
[NetDev]
Name={{ wireguard_interface_name }}
Kind=wireguard
[WireGuard]
ListenPort={{ global_wireguard_port }}
PrivateKeyFile={{ wireguard_private_key }}

@ -0,0 +1,5 @@
[Match]
Name={{ wireguard_interface_name }}
[Network]
Address={{ wireguard_ipv4_address }}/{{ global_wireguard_ipv4_subnet }}

@ -1,3 +0,0 @@
[Interface]
PrivateKey = <PRIVATEKEY>
ListenPort = {{ global_wireguard_port }}

@ -1,8 +0,0 @@
dest:={{ global_wireguard_configuration_link_name }}
peer_files:=$(sort $(wildcard peers/*))
${dest}/wireguard.cfg: main.cfg ${peer_files}
cat $^ | sed '0,/<PRIVATEKEY>/{s#<PRIVATEKEY>#'"$$(cat {{ wireguard_private_key | quote }})"'#}' > "$@"
chown root:root "$@"
chmod u=rw,g=r,o= "$@"

@ -1,13 +0,0 @@
[Unit]
Description=WireGuard Interface
After=network.target
[Service]
Type=oneshot
ExecStart={{ global_wireguard_configuration_directory }}/up.sh
RemainAfterExit=true
ExecStop={{ global_wireguard_configuration_directory }}/down.sh
StandardOutput=journal
[Install]
WantedBy=multi-user.target

@ -9,7 +9,7 @@
- name: Store public key to backbones - name: Store public key to backbones
copy: copy:
src: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}" src: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}"
dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}" dest: "{{ netdev_directory }}/{{ inventory_hostname }}.conf"
owner: root owner: root
group: root group: root
mode: "u=rw,g=r,o=r" mode: "u=rw,g=r,o=r"

@ -4,19 +4,20 @@
copy: copy:
content: | content: |
{{ lookup('file', global_wireguard_peers_directory + '/' + item) }} {{ lookup('file', global_wireguard_peers_directory + '/' + item) }}
PersistentKeepalive = {{ keepalive_timeout }} PersistentKeepalive={{ keepalive_timeout }}
dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ item }}" dest: "{{ netdev_directory }}/{{ item }}.conf"
owner: root owner: root
group: root group: root
mode: "u=rw,g=r,o=r" mode: "u=rw,g=r,o=r"
when: "item != inventory_hostname" when: "item != inventory_hostname"
loop: "{{ groups['wireguard_backbones'] }}" loop: "{{ groups['wireguard_backbones'] }}"
notify: reassemble wireguard config notify:
- restart systemd network
- name: Store public key to backbones - name: Store public key to backbones
copy: copy:
src: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}" src: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}"
dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}" dest: "{{ netdev_directory }}/{{ inventory_hostname }}.conf"
owner: root owner: root
group: root group: root
mode: "u=rw,g=r,o=r" mode: "u=rw,g=r,o=r"

@ -1,13 +0,0 @@
---
- name: reassemble wireguard config
make:
chdir: "{{ global_wireguard_configuration_environment_directory }}"
target: "{{ global_wireguard_configuration_link_name }}/wireguard.cfg"
notify:
- reload wireguard interface
- name: reload wireguard interface
systemd:
name: wireguard
state: restarted

@ -17,7 +17,7 @@
- name: Store public key to backbones - name: Store public key to backbones
template: template:
src: "peer.cfg" src: "peer.cfg"
dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}" dest: "{{ netdev_directory }}/{{ inventory_hostname }}.conf"
owner: root owner: root
group: root group: root
mode: "u=rw,g=r,o=r" mode: "u=rw,g=r,o=r"

Loading…
Cancel
Save