wireguard: Rewritten to use systemd-networkd integration

group_vars/all/vars.yml

@@ -149,9 +149,6 @@ global_ssh_configuration_link: "{{ global_ssh_configuration_environment_director
 global_sudoers_directory: "/etc/sudoers.d"
 
 global_wireguard_configuration_directory: "/etc/wireguard"
-global_wireguard_configuration_environment_directory: "{{ global_configuration_environment_directory }}/wireguard"
-global_wireguard_configuration_link_name: "wireguard"
-global_wireguard_configuration_link: "{{ global_wireguard_configuration_environment_directory }}/{{ global_wireguard_configuration_link_name }}"
 global_wireguard_port: 51820
 global_wireguard_ipv4_subnet: 22
 global_wireguard_ipv4_netmask: "{{ ('0.0.0.0/' + (global_wireguard_ipv4_subnet | string)) | ipaddr('netmask') }}"
@@ -160,6 +157,9 @@ global_wireguard_ipv4_range: "10.162.4.0/{{ global_wireguard_ipv4_subnet }}"
 
 global_systemd_preset_directory: "/lib/systemd/system"
 global_systemd_configuration_directory: "/etc/systemd/system"
+global_systemd_network_directory: "/etc/systemd/network"
+global_systemd_network_service_name: "systemd-networkd.service"
+global_systemd_network_system_user: "systemd-network"
 
 global_zsh_antigen_source: "/usr/share/zsh-antigen/antigen.zsh"
 

playbooks/wireguard.yml

@@ -27,11 +27,11 @@
     - wireguard_backbones
     - wireguard_clients
   roles:
-    - role: wireguard/handlers
+    - name: misc/handlers
   tasks:
-    - name: Reload wireguard configuration always
+    - name: Reload systemd wireguard network always
       become: no
       command: /bin/true
       delegate_to: localhost
       notify:
-        - reassemble wireguard config
+        - restart systemd network

roles/wireguard/application/defaults/main.yml

@@ -1,7 +1,15 @@
 ---
 
-wireguard_key_directory: "{{ global_wireguard_configuration_environment_directory }}/key"
+wireguard_key_directory: "{{ global_wireguard_configuration_directory }}/key"
 wireguard_private_key: "{{ wireguard_key_directory }}/private"
 wireguard_public_key: "{{ wireguard_key_directory }}/public"
 
 wireguard_interface_name: "wg0"
+
+netdev_name: "{{ wireguard_interface_name }}.netdev"
+network_name: "{{ wireguard_interface_name }}.network"
+
+netdev_file: "{{ global_systemd_network_directory }}/{{ netdev_name }}"
+network_file: "{{ global_systemd_network_directory }}/{{ network_name }}"
+
+netdev_directory: "{{ netdev_file }}.d"

roles/wireguard/application/meta/main.yml

@@ -3,5 +3,4 @@
 allow_duplicates: no
 
 dependencies:
-  - role: wireguard/handlers
   - role: misc/deb_backports

roles/wireguard/application/tasks/main.yml

@@ -1,43 +1,41 @@
 ---
 
+- name: Check for debian major version
+  assert:
+    that: "ansible_distribution_major_version is version_compare('10', '>=')"
+    msg: "This role requires at least Debian Buster"
+
 - name: Install wireguard using apt
   apt:
     name:
       - wireguard
     state: present
 
-- name: Create wireguard configuration environment directories
+- name: Upgrade systemd to backports (required for buster)
+  apt:
+    default_release: buster-backports
+    name:
+      - libpam-systemd
+      - libsystemd0
+      - systemd
+    state: latest # required to trigger update
+  when: "ansible_distribution_major_version == '10'"
+
+- name: Create wireguard configuration directory
   file:
     state: directory
-    path: "{{ item }}"
+    path: "{{ global_wireguard_configuration_directory }}"
-    owner: root
-    group: root
-    mode: "u=rwx,g=rx,o=rx"
-  loop:
-    - "{{ global_wireguard_configuration_environment_directory }}"
-    - "{{ global_wireguard_configuration_environment_directory }}/peers"
-
-- name: Upload makefile to wireguard configuration environment
-  template:
-    src: wireguard.makefile
-    dest: "{{ global_wireguard_configuration_environment_directory }}/makefile"
     owner: root
-    group: root
+    group: "{{ global_systemd_network_system_user }}"
-    mode: "u=rw,g=r,o=r"
+    mode: u=rwx,g=rx,o=rx
-
-- name: Create link in ssh configuration environment
-  file:
-    state: link
-    src: "{{ global_wireguard_configuration_directory }}"
-    dest: "{{ global_wireguard_configuration_link }}"
 
 - name: Create wireguard key directory
   file:
     state: directory
     path: "{{ wireguard_key_directory }}"
     owner: root
-    group: root
+    group: "{{ global_systemd_network_system_user }}"
-    mode: "u=rwx,g=,o="
+    mode: u=rwx,g=rx,o=
 
 - name: Generate key pair
   shell: >-
@@ -48,6 +46,14 @@
     chdir: "{{ wireguard_key_directory }}"
     creates: "{{ wireguard_public_key }}"
 
+- name: Secure key to prevent logging
+  file:
+    state: file
+    path: "{{ wireguard_private_key }}"
+    owner: root
+    group: "{{ global_systemd_network_system_user }}"
+    mode: u=rwx,g=rx,o=
+
 - name: Download wireguard public key
   fetch:
     src: "{{ wireguard_public_key }}"
@@ -58,43 +64,32 @@
 
 - name: Store peer configuration locally
   template:
-    src: "peer.cfg"
+    src: peer.conf
     dest: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}"
     owner: "{{ local_user }}"
     group: "{{ local_user }}"
     mode: "u=rw,g=r,o="
   delegate_to: localhost
 
-- name: Store main config
+- name: Configure systemd for WireGuard
-  template:
-    src: "wireguard.cfg"
-    dest: "{{ global_wireguard_configuration_environment_directory }}/main.cfg"
-    owner: root
-    group: root
-    mode: "u=rw,g=,o="
-  notify:
-    - reassemble wireguard config
-
-- name: Add control scripts
   template:
-    src: "{{ item }}.sh"
+    src: "{{ item.src }}"
-    dest: "{{ global_wireguard_configuration_directory }}/{{ item }}.sh"
+    dest: "{{ item.dest }}"
     owner: root
-    group: root
+    group: "{{ global_systemd_network_system_user }}"
-    mode: "u=rwx,g=r,o=r"
+    mode: u=rw,g=r,o=
-    validate: "{{ global_validate_shell_script }}"
-  notify:
-    - reload wireguard interface
   loop:
-    - up
+    - src: wg.netdev
-    - down
+      dest: "{{ netdev_file }}"
+    - src: wg.network
+      dest: "{{ network_file }}"
+  notify:
+    - restart systemd network
 
-- name: Configure WireGuard on boot
+- name: Create directory for systemd WireGuard network
-  template:
+  file:
-    src: wireguard.service
+    state: directory
-    dest: "{{ global_systemd_configuration_directory }}/wireguard.service"
+    path: "{{ netdev_directory }}"
     owner: root
-    group: root
+    group: "{{ global_systemd_network_system_user }}"
-    mode: "u=rw,g=r,o=r"
+    mode: u=rwx,g=rx,o=
-  notify:
-    - reload systemd

roles/wireguard/application/templates/down.sh

@@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-
-set -euxo pipefail;
-
-INTERFACE={{ wireguard_interface_name | quote }};
-
-ip route flush dev $INTERFACE;
-ip link set down dev $INTERFACE;
-ip address flush dev $INTERFACE;

roles/wireguard/application/templates/peer.cfg

@@ -1,6 +0,0 @@
-[Peer]
-{% if wireguard_public_address != '127.1' %}
-Endpoint = {{ wireguard_public_address }}:{{ global_wireguard_port }}
-{% endif %}
-PublicKey = {{ lookup('file', global_wireguard_public_directory + '/' + inventory_hostname) }}
-AllowedIPs = {{ wireguard_ipv4_address }}, {{ global_wireguard_ipv4_range }}

roles/wireguard/application/templates/peer.conf

@@ -0,0 +1,6 @@
+[WireGuardPeer]
+{% if wireguard_public_address != '127.1' %}
+Endpoint={{ wireguard_public_address }}:{{ global_wireguard_port }}
+{% endif %}
+PublicKey={{ lookup('file', global_wireguard_public_directory + '/' + inventory_hostname) }}
+AllowedIPs={{ wireguard_ipv4_address }}, {{ global_wireguard_ipv4_range }}

roles/wireguard/application/templates/up.sh

@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-
-set -euxo pipefail;
-
-INTERFACE={{ wireguard_interface_name | quote }};
-
-if ! ip link show dev $INTERFACE; then
-  ip link add dev $INTERFACE type wireguard;
-else
-  ip link set dev $INTERFACE type wireguard;
-fi
-ip address add dev $INTERFACE {{ wireguard_ipv4_address | quote }}/{{ global_wireguard_ipv4_subnet | quote }};
-wg setconf $INTERFACE {{ global_wireguard_configuration_directory }}/wireguard.cfg;
-ip link set up dev $INTERFACE;
-#ip route add {{ global_wireguard_ipv4_range }} dev $INTERFACE;

roles/wireguard/application/templates/wg.netdev

@@ -0,0 +1,7 @@
+[NetDev]
+Name={{ wireguard_interface_name }}
+Kind=wireguard
+
+[WireGuard]
+ListenPort={{ global_wireguard_port }}
+PrivateKeyFile={{ wireguard_private_key }}

roles/wireguard/application/templates/wg.network

@@ -0,0 +1,5 @@
+[Match]
+Name={{ wireguard_interface_name }}
+
+[Network]
+Address={{ wireguard_ipv4_address }}/{{ global_wireguard_ipv4_subnet }}

roles/wireguard/application/templates/wireguard.cfg

@@ -1,3 +0,0 @@
-[Interface]
-PrivateKey = <PRIVATEKEY>
-ListenPort = {{ global_wireguard_port }}

roles/wireguard/application/templates/wireguard.makefile

@@ -1,8 +0,0 @@
-dest:={{ global_wireguard_configuration_link_name }}
-
-peer_files:=$(sort $(wildcard peers/*))
-
-${dest}/wireguard.cfg: main.cfg ${peer_files}
-	cat $^ | sed '0,/<PRIVATEKEY>/{s#<PRIVATEKEY>#'"$$(cat {{ wireguard_private_key | quote }})"'#}' > "$@"
-	chown root:root "$@"
-	chmod u=rw,g=r,o= "$@"

roles/wireguard/application/templates/wireguard.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=WireGuard Interface
-After=network.target
-
-[Service]
-Type=oneshot
-ExecStart={{ global_wireguard_configuration_directory }}/up.sh
-RemainAfterExit=true
-ExecStop={{ global_wireguard_configuration_directory }}/down.sh
-StandardOutput=journal
-
-[Install]
-WantedBy=multi-user.target

roles/wireguard/backbone/tasks/main.yml

@@ -9,7 +9,7 @@
 - name: Store public key to backbones
   copy:
     src: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}"
-    dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}"
+    dest: "{{ netdev_directory }}/{{ inventory_hostname }}.conf"
     owner: root
     group: root
     mode: "u=rw,g=r,o=r"

roles/wireguard/client/tasks/main.yml

@@ -4,19 +4,20 @@
   copy:
     content:  |
       {{ lookup('file', global_wireguard_peers_directory + '/' + item) }}
-      PersistentKeepalive = {{ keepalive_timeout }}
+      PersistentKeepalive={{ keepalive_timeout }}
-    dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ item }}"
+    dest: "{{ netdev_directory }}/{{ item }}.conf"
     owner: root
     group: root
     mode: "u=rw,g=r,o=r"
   when: "item != inventory_hostname"
   loop: "{{ groups['wireguard_backbones'] }}"
-  notify: reassemble wireguard config
+  notify:
+    - restart systemd network
 
 - name: Store public key to backbones
   copy:
     src: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}"
-    dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}"
+    dest: "{{ netdev_directory }}/{{ inventory_hostname }}.conf"
     owner: root
     group: root
     mode: "u=rw,g=r,o=r"

roles/wireguard/handlers/handlers/main.yml

@@ -1,13 +0,0 @@
----
-
-- name: reassemble wireguard config
-  make:
-    chdir: "{{ global_wireguard_configuration_environment_directory }}"
-    target: "{{ global_wireguard_configuration_link_name }}/wireguard.cfg"
-  notify:
-    - reload wireguard interface
-
-- name: reload wireguard interface
-  systemd:
-    name: wireguard
-    state: restarted

roles/wireguard/special_client/tasks/main.yml

@@ -17,7 +17,7 @@
 - name: Store public key to backbones
   template:
     src: "peer.cfg"
-    dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}"
+    dest: "{{ netdev_directory }}/{{ inventory_hostname }}.conf"
     owner: root
     group: root
     mode: "u=rw,g=r,o=r"