Reworked wireguard configurations

5 years ago · 768cb0cfb4
parent 1d7840422f
commit 768cb0cfb4
22 changed files with 265 additions and 9 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -28,7 +28,8 @@ global_ssh_key_directory: "{{ global_public_key_directory }}/ssh"
 global_ssh_host_key_directory: "{{ global_ssh_key_directory }}/hosts"

 global_wireguard_private_directory: "{{ global_credentials_directory }}/wireguard"
-global_wireguard_public_directory: "{{ global_public_key_directory }}/wireguard"
+global_wireguard_public_directory: "{{ global_public_key_directory }}/wireguard/keys"
+global_wireguard_peers_directory: "{{ global_public_key_directory }}/wireguard/peers"

 ssh_host_key_types:
  - ecdsa
@ -50,11 +51,23 @@ global_ip_discover_server_name: "nvak.banananet.work"
 global_ip_discover_url: "https://keys.banananet.work/ping"
 global_ip_discover_register_pass: "{{ lookup('password', 'credentials/ip_discover/register_pass chars=digits,ascii_letters length=256') }}"

+global_interfaces_directory: "/etc/network/interfaces.d"
+
 global_ssh_configuration_directory: "/etc/ssh/"
 global_ssh_configuration_environment_directory: "/ansible/ssh_configuration"
 global_ssh_configuration_link_name: "config"
 global_ssh_configuration_link: "{{ global_ssh_configuration_environment_directory }}/{{ global_ssh_configuration_link_name }}"

+global_wireguard_configuration_directory: "/etc/wireguard"
+global_wireguard_configuration_environment_directory: "/ansible/wireguard_configuration"
+global_wireguard_configuration_link_name: "wireguard"
+global_wireguard_configuration_link: "{{ global_wireguard_configuration_environment_directory }}/{{ global_wireguard_configuration_link_name }}"
+global_wireguard_port: 51820
+global_wireguard_ipv4_subnet: 22
+global_wireguard_ipv4_netmask: "{{ ('0.0.0.0/' + (global_wireguard_ipv4_subnet | string)) | ipaddr('netmask') }}"
+global_wireguard_ipv4_range: "10.162.4.0/{{ global_wireguard_ipv4_subnet }}"
+# TODO Wireguard IPv6 Support
+
 global_systemd_configuration_directory: "/etc/systemd/system"

 # Debian Repository Mirror
--- a/playbooks/wireguard.yml
+++ b/playbooks/wireguard.yml
@ -1,7 +1,26 @@
 ---

- name: Install wireguard vpn
-  hosts: all
-  strategy: free
+- name: Configure wireguard backbones
+  hosts: wireguard_backbones
+  strategy: linear
  roles:
-    - role: wireguard/application
+    - role: wireguard/backbone
+
+- name: Configure wireguard clients
+  hosts: wireguard_clients
+  strategy: linear
+  roles:
+    - role: wireguard/client
+
+- name: Reload all configurations
+  hosts:
+    - wireguard_backbones
+    - wireguard_clients
+  roles:
+    - role: wireguard/handlers
+  tasks:
+    - name: Reload wireguard configuration always
+      become: no
+      command: /bin/true
+      delegate_to: localhost
+      notify: reassemble wireguard config
--- a/roles/wireguard/application/defaults/main.yml
+++ b/roles/wireguard/application/defaults/main.yml
@ -1,5 +1,7 @@
 ---

-wireguard_key_directory: "/root/wireguard"
-wireguard_private_key: "{{ wireguard_key_directory }}/wg-private.key"
-wireguard_public_key: "{{ wireguard_key_directory }}/wg-public.key"
+wireguard_key_directory: "{{ global_wireguard_configuration_environment_directory }}/key"
+wireguard_private_key: "{{ wireguard_key_directory }}/private"
+wireguard_public_key: "{{ wireguard_key_directory }}/public"
+
+wireguard_interface_name: "wg0"
--- a/roles/wireguard/application/meta/main.yml
+++ b/roles/wireguard/application/meta/main.yml
@ -3,4 +3,5 @@
 allow_duplicates: no

 dependencies:
+  - role: wireguard/handlers
  - role: misc/deb_unstable
--- a/roles/wireguard/application/tasks/main.yml
+++ b/roles/wireguard/application/tasks/main.yml
@ -6,6 +6,31 @@
      - wireguard
    state: present

+- name: Create wireguard configuration environment directories
+  file:
+    state: directory
+    path: "{{ item }}"
+    owner: root
+    group: root
+    mode: "u=rwx,g=rx,o=rx"
+  loop:
+    - "{{ global_wireguard_configuration_environment_directory }}"
+    - "{{ global_wireguard_configuration_environment_directory }}/peers"
+
+- name: Upload makefile to wireguard configuration environment
+  template:
+    src: wireguard.makefile
+    dest: "{{ global_wireguard_configuration_environment_directory }}/makefile"
+    owner: root
+    group: root
+    mode: "u=rw,g=r,o=r"
+
+- name: Create link in ssh configuration environment
+  file:
+    state: link
+    src: "{{ global_wireguard_configuration_directory }}"
+    dest: "{{ global_wireguard_configuration_link }}"
+
 - name: Create wireguard key directory
  file:
    state: directory
@ -26,7 +51,49 @@
 - name: Download wireguard public key
  fetch:
    src: "{{ wireguard_public_key }}"
-    dest: "{{ global_wireguard_public_directory }}/{{ ansible_fqdn }}"
+    dest: "{{ global_wireguard_public_directory }}/{{ inventory_hostname }}"
    fail_on_missing: yes
    flat: yes
    validate_checksum: yes
+
+- name: Store peer configuration locally
+  template:
+    src: "peer.cfg"
+    dest: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}"
+    owner: zocker
+    group: zocker
+    mode: "u=rw,g=r,o="
+  delegate_to: localhost
+
+- name: Store main config
+  template:
+    src: "wireguard.cfg"
+    dest: "{{ global_wireguard_configuration_environment_directory }}/main.cfg"
+    owner: root
+    group: root
+    mode: "u=rw,g=,o="
+  notify:
+    - reassemble wireguard config
+
+- name: Add control scripts
+  template:
+    src: "{{ item }}.sh"
+    dest: "{{ global_wireguard_configuration_directory }}/{{ item }}.sh"
+    owner: root
+    group: root
+    mode: "u=rwx,g=r,o=r"
+  notify:
+    - reload wireguard interface
+  loop:
+    - up
+    - down
+
+- name: Configure WireGuard on boot
+  template:
+    src: wireguard.service
+    dest: "{{ global_systemd_configuration_directory }}/wireguard.service"
+    owner: root
+    group: root
+    mode: "u=rw,g=r,o=r"
+  notify:
+    - reload systemd
--- a/roles/wireguard/application/templates/down.sh
+++ b/roles/wireguard/application/templates/down.sh
@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -euxo pipefail;
+
+INTERFACE={{ wireguard_interface_name | quote }};
+
+ip route flush dev $INTERFACE;
+ip link set down dev $INTERFACE;
+ip address flush dev $INTERFACE;
--- a/roles/wireguard/application/templates/peer.cfg
+++ b/roles/wireguard/application/templates/peer.cfg
@ -0,0 +1,6 @@
+[Peer]
+{% if wireguard_public_address != '127.1' %}
+Endpoint = {{ wireguard_public_address }}:{{ global_wireguard_port }}
+{% endif %}
+PublicKey = {{ lookup('file', global_wireguard_public_directory + '/' + inventory_hostname) }}
+AllowedIPs = {{ wireguard_ipv4_address }}, {{ global_wireguard_ipv4_range }}
--- a/roles/wireguard/application/templates/up.sh
+++ b/roles/wireguard/application/templates/up.sh
@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -euxo pipefail;
+
+INTERFACE={{ wireguard_interface_name | quote }};
+
+if ! ip link show dev $INTERFACE; then
+  ip link add dev $INTERFACE type wireguard;
+else
+  ip link set dev $INTERFACE type wireguard;
+fi
+ip address add dev $INTERFACE {{ wireguard_ipv4_address | quote }}/{{ global_wireguard_ipv4_subnet | quote }};
+wg setconf $INTERFACE {{ global_wireguard_configuration_directory }}/wireguard.cfg;
+ip link set up dev $INTERFACE;
+#ip route add {{ global_wireguard_ipv4_range }} dev $INTERFACE;
--- a/roles/wireguard/application/templates/wireguard.cfg
+++ b/roles/wireguard/application/templates/wireguard.cfg
@ -0,0 +1,3 @@
+[Interface]
+PrivateKey = <PRIVATEKEY>
+ListenPort = {{ global_wireguard_port }}
--- a/roles/wireguard/application/templates/wireguard.makefile
+++ b/roles/wireguard/application/templates/wireguard.makefile
@ -0,0 +1,8 @@
+dest:={{ global_wireguard_configuration_link_name }}
+
+peer_files:=$(wildcard peers/*)
+
+${dest}/wireguard.cfg: main.cfg ${peer_files}
+	cat $^ | sed '0,/<PRIVATEKEY>/{s#<PRIVATEKEY>#'"$$(cat {{ wireguard_private_key | quote }})"'#}' > "$@"
+	chown root:root "$@"
+	chmod u=rw,g=r,o= "$@"
--- a/roles/wireguard/application/templates/wireguard.service
+++ b/roles/wireguard/application/templates/wireguard.service
@ -0,0 +1,13 @@
+[Unit]
+Description=WireGuard Interface
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart={{ global_wireguard_configuration_directory }}/up.sh
+RemainAfterExit=true
+ExecStop={{ global_wireguard_configuration_directory }}/down.sh
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/wireguard/backbone/defaults/main.yml
+++ b/roles/wireguard/backbone/defaults/main.yml
@ -0,0 +1,7 @@
+---
+
+# wireguard_ipv4_address
+wireguard_public_address: "{{ inventory_hostname }}"
+
+allowed_ips:
+  - "{{ global_wireguard_ipv4_range }}"
--- a/roles/wireguard/backbone/meta/main.yml
+++ b/roles/wireguard/backbone/meta/main.yml
@ -0,0 +1,7 @@
+---
+
+allow_duplicates: no
+
+dependencies:
+  - role: misc/handlers
+  - role: wireguard/application
--- a/roles/wireguard/backbone/tasks/main.yml
+++ b/roles/wireguard/backbone/tasks/main.yml
@ -0,0 +1,18 @@
+---
+
+- name: Allow wireguard on firewall
+  ufw:
+    rule: allow
+    port: "{{ global_wireguard_port }}"
+    proto: udp
+
+- name: Store public key to backbones
+  copy:
+    src: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}"
+    dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}"
+    owner: root
+    group: root
+    mode: "u=rw,g=r,o=r"
+  delegate_to: "{{ item }}"
+  when: "item != inventory_hostname"
+  loop: "{{ groups['wireguard_backbones'] }}"
--- a/roles/wireguard/backbone/templates/peer.cfg
+++ b/roles/wireguard/backbone/templates/peer.cfg
@ -0,0 +1 @@
+../../application/templates/peer.cfg
--- a/roles/wireguard/client/defaults/main.yml
+++ b/roles/wireguard/client/defaults/main.yml
@ -0,0 +1,8 @@
+---
+
+# wireguard_ipv4_address
+
+keepalive_timeout: 25
+
+allowed_ips:
+  - "{{ global_wireguard_ipv4_range }}"
--- a/roles/wireguard/client/meta/main.yml
+++ b/roles/wireguard/client/meta/main.yml
@ -0,0 +1,6 @@
+---
+
+allow_duplicates: no
+
+dependencies:
+  - role: wireguard/application
--- a/roles/wireguard/client/tasks/main.yml
+++ b/roles/wireguard/client/tasks/main.yml
@ -0,0 +1,25 @@
+---
+
+- name: Add config of backbones
+  copy:
+    content:  |
+      {{ lookup('file', global_wireguard_peers_directory + '/' + item) }}
+      PersistentKeepalive = {{ keepalive_timeout }}
+    dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ item }}"
+    owner: root
+    group: root
+    mode: "u=rw,g=r,o=r"
+  when: "item != inventory_hostname"
+  loop: "{{ groups['wireguard_backbones'] }}"
+  notify: reassemble wireguard config
+
+- name: Store public key to backbones
+  copy:
+    src: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}"
+    dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}"
+    owner: root
+    group: root
+    mode: "u=rw,g=r,o=r"
+  delegate_to: "{{ item }}"
+  when: "item != inventory_hostname"
+  loop: "{{ groups['wireguard_backbones'] }}"
--- a/roles/wireguard/client/templates/peer.cfg
+++ b/roles/wireguard/client/templates/peer.cfg
@ -0,0 +1 @@
+../../application/templates/peer.cfg
--- a/roles/wireguard/client/vars/main.yml
+++ b/roles/wireguard/client/vars/main.yml
@ -0,0 +1,3 @@
+---
+
+wireguard_public_address: "127.1"
--- a/roles/wireguard/handlers/handlers/main.yml
+++ b/roles/wireguard/handlers/handlers/main.yml
@ -0,0 +1,13 @@
+---
+
+- name: reassemble wireguard config
+  make:
+    chdir: "{{ global_wireguard_configuration_environment_directory }}"
+    target: "{{ global_wireguard_configuration_link_name }}/wireguard.cfg"
+  notify:
+    - reload wireguard interface
+
+- name: reload wireguard interface
+  systemd:
+    name: wireguard
+    state: restarted
--- a/roles/wireguard/special_client/tasks/main.yml
+++ b/roles/wireguard/special_client/tasks/main.yml
@ -13,3 +13,14 @@
    /bin/sh -c "< {{ client_public_key | quote }} /usr/bin/wg pubkey > {{ wireguard_client_private_key | quote }}"
  when: wireguard_private_key.changed
  delegate_to: 127.0.0.1
+
+- name: Store public key to backbones
+  template:
+    src: "peer.cfg"
+    dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}"
+    owner: root
+    group: root
+    mode: "u=rw,g=r,o=r"
+  delegate_to: "{{ item }}"
+  when: "item != inventory_hostname"
+  loop: "{{ groups['wireguard_backbones'] }}"