From 768cb0cfb4c69341727bcb2458482cc100622494 Mon Sep 17 00:00:00 2001 
From: Felix Stupp Date: Fri, 25 Oct 2019 13:14:26 +0200 Subject: [PATCH] Reworked wireguard configurations --- group_vars/all/vars.yml | 15 +++- playbooks/wireguard.yml | 27 ++++++-- roles/wireguard/application/defaults/main.yml | 8 ++- roles/wireguard/application/meta/main.yml | 1 + roles/wireguard/application/tasks/main.yml | 69 ++++++++++++++++++- roles/wireguard/application/templates/down.sh | 9 +++ .../wireguard/application/templates/peer.cfg | 6 ++ roles/wireguard/application/templates/up.sh | 15 ++++ .../application/templates/wireguard.cfg | 3 + .../application/templates/wireguard.makefile | 8 +++ .../application/templates/wireguard.service | 13 ++++ roles/wireguard/backbone/defaults/main.yml | 7 ++ roles/wireguard/backbone/meta/main.yml | 7 ++ roles/wireguard/backbone/tasks/main.yml | 18 +++++ roles/wireguard/backbone/templates/peer.cfg | 1 + roles/wireguard/client/defaults/main.yml | 8 +++ roles/wireguard/client/meta/main.yml | 6 ++ roles/wireguard/client/tasks/main.yml | 25 +++++++ roles/wireguard/client/templates/peer.cfg | 1 + roles/wireguard/client/vars/main.yml | 3 + roles/wireguard/handlers/handlers/main.yml | 13 ++++ roles/wireguard/special_client/tasks/main.yml | 11 +++ 22 files changed, 265 insertions(+), 9 deletions(-) create mode 100644 roles/wireguard/application/templates/down.sh create mode 100644 roles/wireguard/application/templates/peer.cfg create mode 100644 roles/wireguard/application/templates/up.sh create mode 100644 roles/wireguard/application/templates/wireguard.cfg create mode 100644 roles/wireguard/application/templates/wireguard.makefile create mode 100644 roles/wireguard/application/templates/wireguard.service create mode 100644 roles/wireguard/backbone/defaults/main.yml create mode 100644 roles/wireguard/backbone/meta/main.yml create mode 100644 roles/wireguard/backbone/tasks/main.yml create mode 120000 roles/wireguard/backbone/templates/peer.cfg create mode 100644 roles/wireguard/client/defaults/main.yml create mode 100644 
roles/wireguard/client/meta/main.yml create mode 100644 roles/wireguard/client/tasks/main.yml create mode 120000 roles/wireguard/client/templates/peer.cfg create mode 100644 roles/wireguard/client/vars/main.yml create mode 100644 roles/wireguard/handlers/handlers/main.yml diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index ac544bb..d1c9f1e 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -28,7 +28,8 @@ global_ssh_key_directory: "{{ global_public_key_directory }}/ssh" global_ssh_host_key_directory: "{{ global_ssh_key_directory }}/hosts" global_wireguard_private_directory: "{{ global_credentials_directory }}/wireguard" -global_wireguard_public_directory: "{{ global_public_key_directory }}/wireguard" +global_wireguard_public_directory: "{{ global_public_key_directory }}/wireguard/keys" +global_wireguard_peers_directory: "{{ global_public_key_directory }}/wireguard/peers" ssh_host_key_types: - ecdsa 
@@ -50,11 +51,23 @@ global_ip_discover_server_name: "nvak.banananet.work" global_ip_discover_url: "https://keys.banananet.work/ping" global_ip_discover_register_pass: "{{ lookup('password', 'credentials/ip_discover/register_pass chars=digits,ascii_letters length=256') }}" +global_interfaces_directory: "/etc/network/interfaces.d" + global_ssh_configuration_directory: "/etc/ssh/" global_ssh_configuration_environment_directory: "/ansible/ssh_configuration" global_ssh_configuration_link_name: "config" global_ssh_configuration_link: "{{ global_ssh_configuration_environment_directory }}/{{ global_ssh_configuration_link_name }}" +global_wireguard_configuration_directory: "/etc/wireguard" +global_wireguard_configuration_environment_directory: "/ansible/wireguard_configuration" +global_wireguard_configuration_link_name: "wireguard" +global_wireguard_configuration_link: "{{ global_wireguard_configuration_environment_directory }}/{{ global_wireguard_configuration_link_name }}" +global_wireguard_port: 51820 +global_wireguard_ipv4_subnet: 22 +global_wireguard_ipv4_netmask: "{{ ('0.0.0.0/' + (global_wireguard_ipv4_subnet | string)) | ipaddr('netmask') }}" +global_wireguard_ipv4_range: "10.162.4.0/{{ global_wireguard_ipv4_subnet }}" +# TODO Wireguard IPv6 Support + global_systemd_configuration_directory: "/etc/systemd/system" # Debian Repository Mirror diff --git a/playbooks/wireguard.yml b/playbooks/wireguard.yml index 0caa046..ca10bd8 100644 --- a/playbooks/wireguard.yml +++ b/playbooks/wireguard.yml 
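Review bot: `global_wireguard_ipv4_netmask` is derived with the `ipaddr` filter, which requires the `netaddr` Python package on the controller, and no other line in this patch reads the variable. If it is unused, drop it; otherwise record the controller dependency where the project's requirements live and add a comment above the line, e.g. `# ipaddr filter: needs python netaddr on the controller`. The `# TODO Wireguard IPv6 Support` marker would be easier to act on if it named what is missing (an interface address and an `AllowedIPs` entry per peer).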
@@ -1,7 +1,26 @@ --- -- name: Install wireguard vpn - hosts: all - strategy: free +- name: Configure wireguard backbones + hosts: wireguard_backbones + strategy: linear roles: - - role: wireguard/application + - role: wireguard/backbone + +- name: Configure wireguard clients + hosts: wireguard_clients + strategy: linear + roles: + - role: wireguard/client + +- name: Reload all configurations + hosts: + - wireguard_backbones + - wireguard_clients + roles: + - role: wireguard/handlers + tasks: + - name: Reload wireguard configuration always + become: no + command: /bin/true + delegate_to: localhost + notify: reassemble wireguard config diff --git a/roles/wireguard/application/defaults/main.yml b/roles/wireguard/application/defaults/main.yml index 630a750..a9b1c37 100644 --- a/roles/wireguard/application/defaults/main.yml +++ b/roles/wireguard/application/defaults/main.yml @@ -1,5 +1,7 @@ --- -wireguard_key_directory: "/root/wireguard" -wireguard_private_key: "{{ wireguard_key_directory }}/wg-private.key" -wireguard_public_key: "{{ wireguard_key_directory }}/wg-public.key" +wireguard_key_directory: "{{ global_wireguard_configuration_environment_directory }}/key" +wireguard_private_key: "{{ wireguard_key_directory }}/private" +wireguard_public_key: "{{ wireguard_key_directory }}/public" + +wireguard_interface_name: "wg0" diff --git a/roles/wireguard/application/meta/main.yml b/roles/wireguard/application/meta/main.yml index b0d1c2d..019b902 100644 --- a/roles/wireguard/application/meta/main.yml +++ b/roles/wireguard/application/meta/main.yml @@ -3,4 +3,5 @@ allow_duplicates: no dependencies: + - role: wireguard/handlers - role: misc/deb_unstable diff --git a/roles/wireguard/application/tasks/main.yml b/roles/wireguard/application/tasks/main.yml index 4443b7f..2def39c 100644 --- a/roles/wireguard/application/tasks/main.yml +++ b/roles/wireguard/application/tasks/main.yml 
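Review bot: The `Reload wireguard configuration always` task in the last play exists only to fire `reassemble wireguard config`, but a bare `command: /bin/true` reports `changed` on every run and leaves no explanation of why a no-op is there. State the intent with `changed_when: true` and a comment such as `# peer files are pushed to other hosts by delegated tasks, which cannot notify those hosts' handlers, so force reassembly here`. Handlers notified from a `delegate_to: localhost` task still run on the play host, so this works, but note that `become: no` applies to this task only and does not affect the privileges the `make` handler runs with.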
@@ -6,6 +6,31 @@ - wireguard state: present +- name: Create wireguard configuration environment directories + file: + state: directory + path: "{{ item }}" + owner: root + group: root + mode: "u=rwx,g=rx,o=rx" + loop: + - "{{ global_wireguard_configuration_environment_directory }}" + - "{{ global_wireguard_configuration_environment_directory }}/peers" + +- name: Upload makefile to wireguard configuration environment + template: + src: wireguard.makefile + dest: "{{ global_wireguard_configuration_environment_directory }}/makefile" + owner: root + group: root + mode: "u=rw,g=r,o=r" + +- name: Create link in ssh configuration environment + file: + state: link + src: "{{ global_wireguard_configuration_directory }}" + dest: "{{ global_wireguard_configuration_link }}" + - name: Create wireguard key directory file: state: directory 
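Review bot: The task named `Create link in ssh configuration environment` links `{{ global_wireguard_configuration_link }}` to `{{ global_wireguard_configuration_directory }}`; the name is carried over from the ssh role and should read `Create link in wireguard configuration environment`. The environment directory is created `u=rwx,g=rx,o=rx` although it will contain `key/private` and, through the link, the assembled config holding that key; that is only safe if the `Create wireguard key directory` task that follows (its body is outside this hunk) sets a restrictive mode on `key`, which is worth confirming or stating in a comment on the loop.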
@@ -26,7 +51,49 @@ - name: Download wireguard public key fetch: src: "{{ wireguard_public_key }}" - dest: "{{ global_wireguard_public_directory }}/{{ ansible_fqdn }}" + dest: "{{ global_wireguard_public_directory }}/{{ inventory_hostname }}" fail_on_missing: yes flat: yes validate_checksum: yes + +- name: Store peer configuration locally + template: + src: "peer.cfg" + dest: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}" + owner: zocker + group: zocker + mode: "u=rw,g=r,o=" + delegate_to: localhost + +- name: Store main config + template: + src: "wireguard.cfg" + dest: "{{ global_wireguard_configuration_environment_directory }}/main.cfg" + owner: root + group: root + mode: "u=rw,g=,o=" + notify: + - reassemble wireguard config + +- name: Add control scripts + template: + src: "{{ item }}.sh" + dest: "{{ global_wireguard_configuration_directory }}/{{ item }}.sh" + owner: root + group: root + mode: "u=rwx,g=r,o=r" + notify: + - reload wireguard interface + loop: + - up + - down + +- name: Configure WireGuard on boot + template: + src: wireguard.service + dest: "{{ global_systemd_configuration_directory }}/wireguard.service" + owner: root + group: root + mode: "u=rw,g=r,o=r" + notify: + - reload systemd diff --git a/roles/wireguard/application/templates/down.sh b/roles/wireguard/application/templates/down.sh new file mode 100644 index 0000000..22d9029 --- /dev/null +++ b/roles/wireguard/application/templates/down.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +set -euxo pipefail; + +INTERFACE={{ wireguard_interface_name | quote }}; + +ip route flush dev $INTERFACE; +ip link set down dev $INTERFACE; +ip address flush dev $INTERFACE; diff --git a/roles/wireguard/application/templates/peer.cfg b/roles/wireguard/application/templates/peer.cfg new file mode 100644 index 0000000..ccd807a --- /dev/null +++ b/roles/wireguard/application/templates/peer.cfg 
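Review bot: `Configure WireGuard on boot` installs `wireguard.service` and notifies `reload systemd`, but nothing in this hunk enables the unit, so the `reload wireguard interface` handler only starts it for the current boot and the tunnel is gone after a reboot unless it is enabled elsewhere; add a task with `systemd: { name: wireguard, enabled: yes, daemon_reload: yes }` after the template. `Store peer configuration locally` hard-codes `owner: zocker` / `group: zocker` for a controller-side file, which ties the role to one workstation; use a variable or omit owner/group so the file belongs to the user running the play. The `fetch` now keys the public key by `inventory_hostname`, so any previously fetched `{{ ansible_fqdn }}` files in the public directory become stale and should be cleaned up by hand, which deserves a line in the commit message.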
@@ -0,0 +1,6 @@
+[Peer]
+{% if wireguard_public_address != '127.1' %}
+Endpoint = {{ wireguard_public_address }}:{{ global_wireguard_port }}
+{% endif %}
+PublicKey = {{ lookup('file', global_wireguard_public_directory + '/' + inventory_hostname) }}
+AllowedIPs = {{ wireguard_ipv4_address }}, {{ global_wireguard_ipv4_range }}
diff --git a/roles/wireguard/application/templates/up.sh b/roles/wireguard/application/templates/up.sh
new file mode 100644
index 0000000..1339e99
--- /dev/null
+++ b/roles/wireguard/application/templates/up.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -euxo pipefail;
+
+INTERFACE={{ wireguard_interface_name | quote }};
+
+if ! ip link show dev $INTERFACE; then
+ ip link add dev $INTERFACE type wireguard;
+else
+ ip link set dev $INTERFACE type wireguard;
+fi
+ip address add dev $INTERFACE {{ wireguard_ipv4_address | quote }}/{{ global_wireguard_ipv4_subnet | quote }};
+wg setconf $INTERFACE {{ global_wireguard_configuration_directory }}/wireguard.cfg;
+ip link set up dev $INTERFACE;
+#ip route add {{ global_wireguard_ipv4_range }} dev $INTERFACE;
diff --git a/roles/wireguard/application/templates/wireguard.cfg b/roles/wireguard/application/templates/wireguard.cfg
new file mode 100644
index 0000000..6870fe2
--- /dev/null
+++ b/roles/wireguard/application/templates/wireguard.cfg
@@ -0,0 +1,3 @@
+[Interface]
+PrivateKey =
+ListenPort = {{ global_wireguard_port }}
diff --git a/roles/wireguard/application/templates/wireguard.makefile b/roles/wireguard/application/templates/wireguard.makefile
new file mode 100644
index 0000000..312fc16
--- /dev/null
+++ b/roles/wireguard/application/templates/wireguard.makefile
@@ -0,0 +1,8 @@
+dest:={{ global_wireguard_configuration_link_name }}
+
+peer_files:=$(wildcard peers/*)
+
+${dest}/wireguard.cfg: main.cfg ${peer_files}
+ cat $^ | sed '0,//{s##'"$$(cat {{ wireguard_private_key | quote }})"'#}' > "$@"
+ chown root:root "$@"
+ chmod u=rw,g=r,o= "$@"
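Review bot: `AllowedIPs = {{ wireguard_ipv4_address }}, {{ global_wireguard_ipv4_range }}` grants every peer the whole range, while the `allowed_ips` lists introduced in `backbone/defaults/main.yml` and `client/defaults/main.yml` are read by nothing. In WireGuard's cryptokey routing a prefix can belong to only one peer per interface, so on each host the `/22` ends up with whichever file in `peers/` is concatenated last; on a backbone that may well be a client, which then receives all traffic for addresses no `/32` claims and is allowed to send with any such source address. Render the range only for peers that have an endpoint, reusing the branch already used for `Endpoint`: `AllowedIPs = {{ wireguard_ipv4_address }}{% if wireguard_public_address != '127.1' %}, {{ global_wireguard_ipv4_range }}{% endif %}`, or template the list from `allowed_ips` and delete the unused defaults. The `'127.1'` sentinel set in `client/vars/main.yml` is a fragile way to express "no public endpoint"; a boolean such as `wireguard_has_endpoint` would read better and cannot collide with a real address.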
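Review bot: In `up.sh` the `else` branch `ip link set dev $INTERFACE type wireguard` changes nothing on an existing device and may even fail under `set -e` if the link type has no settable attributes; keep only the creation branch. `ip address add` also aborts the script when the address is already present, so `ip address replace dev "$INTERFACE" …` makes re-runs safe. `$INTERFACE` is unquoted throughout both scripts; the value is shell-quoted at template time, but `"$INTERFACE"` keeps them correct if that filter is ever removed.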
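Review bot: The recipe for `${dest}/wireguard.cfg` passes the private key to `sed` as a command-line argument via `$$(cat …)`, which exposes it in that process's argument list (visible through `/proc` to other local users while it runs), and it creates the output with `> "$@"` under the default umask before the `chmod` line, so the assembled config is briefly world-readable. Both sed patterns are also empty (`0,//` and `s##…#`); GNU sed treats an empty pattern as "the previous one" and rejects it with "no previous regular expression" when there is none, so as written the target likely never builds — confirm against the sed you intend. Let the tool read the key from the file itself and restrict the umask in the same shell: `umask 077; awk -v keyfile={{ wireguard_private_key | quote }} 'BEGIN { getline k < keyfile } /^PrivateKey *= *$$/ { $$0 = "PrivateKey = " k } { print }' $^ > "$@"`, and tighten the last line to `chmod u=rw,g=,o= "$@"` to match the `u=rw,g=,o=` used for `main.cfg`. A short header comment stating that `main.cfg` carries an empty `PrivateKey =` that this rule fills in would save the next reader a trip through `wireguard.cfg`.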
diff --git a/roles/wireguard/application/templates/wireguard.service b/roles/wireguard/application/templates/wireguard.service
new file mode 100644
index 0000000..dabbd64
--- /dev/null
+++ b/roles/wireguard/application/templates/wireguard.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=WireGuard Interface
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart={{ global_wireguard_configuration_directory }}/up.sh
+RemainAfterExit=true
+ExecStop={{ global_wireguard_configuration_directory }}/down.sh
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/wireguard/backbone/defaults/main.yml b/roles/wireguard/backbone/defaults/main.yml
new file mode 100644
index 0000000..910f1df
--- /dev/null
+++ b/roles/wireguard/backbone/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+
+# wireguard_ipv4_address
+wireguard_public_address: "{{ inventory_hostname }}"
+
+allowed_ips:
+ - "{{ global_wireguard_ipv4_range }}"
diff --git a/roles/wireguard/backbone/meta/main.yml b/roles/wireguard/backbone/meta/main.yml
new file mode 100644
index 0000000..85fdde4
--- /dev/null
+++ b/roles/wireguard/backbone/meta/main.yml
@@ -0,0 +1,7 @@
+---
+
+allow_duplicates: no
+
+dependencies:
+ - role: misc/handlers
+ - role: wireguard/application
diff --git a/roles/wireguard/backbone/tasks/main.yml b/roles/wireguard/backbone/tasks/main.yml
new file mode 100644
index 0000000..f2a39e3
--- /dev/null
+++ b/roles/wireguard/backbone/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+
+- name: Allow wireguard on firewall
+ ufw:
+ rule: allow
+ port: "{{ global_wireguard_port }}"
+ proto: udp
+
+- name: Store public key to backbones
+ copy:
+ src: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}"
+ dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o=r"
+ delegate_to: "{{ item }}"
+ when: "item != inventory_hostname"
+ loop: "{{ groups['wireguard_backbones'] }}"
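Review bot: `# wireguard_ipv4_address` in `backbone/defaults/main.yml` documents a required variable only as a bare comment, so a host that lacks it fails late, inside `up.sh` on the target, with an unhelpful message. Either spell it out, e.g. `# wireguard_ipv4_address: required, per host; the address assigned on the interface and advertised in peer.cfg`, or add an `assert: { that: wireguard_ipv4_address is defined }` as the first task of the role. `client/defaults/main.yml` carries the same comment and needs the same treatment.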
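Review bot: `Store public key to backbones` adds this host's peer file to every other backbone's `peers/` directory but nothing ever removes one, and `wireguard.makefile` assembles `$(wildcard peers/*)`, so a host dropped from the inventory keeps its public key authorised on every backbone until someone deletes the file by hand. Add a task that removes entries in `peers/` not belonging to a current member of `wireguard_backbones` or `wireguard_clients` (a `find` registered into a `file: state: absent` loop), or manage the directory as a whole. The same delegated copy is repeated in `client/tasks/main.yml` and, as a `template`, in `special_client/tasks/main.yml`; it belongs once in the shared `wireguard/application` role. The copy also has no `notify`, so the receiving backbone is reassembled only by the forced play in `playbooks/wireguard.yml`; a comment on the task saying so would stop the next reader from "fixing" it.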
diff --git a/roles/wireguard/backbone/templates/peer.cfg b/roles/wireguard/backbone/templates/peer.cfg
new file mode 120000
index 0000000..3b90ba4
--- /dev/null
+++ b/roles/wireguard/backbone/templates/peer.cfg
@@ -0,0 +1 @@
+../../application/templates/peer.cfg
\ No newline at end of file
diff --git a/roles/wireguard/client/defaults/main.yml b/roles/wireguard/client/defaults/main.yml
new file mode 100644
index 0000000..b8e3691
--- /dev/null
+++ b/roles/wireguard/client/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+
+# wireguard_ipv4_address
+
+keepalive_timeout: 25
+
+allowed_ips:
+ - "{{ global_wireguard_ipv4_range }}"
diff --git a/roles/wireguard/client/meta/main.yml b/roles/wireguard/client/meta/main.yml
new file mode 100644
index 0000000..1391b87
--- /dev/null
+++ b/roles/wireguard/client/meta/main.yml
@@ -0,0 +1,6 @@
+---
+
+allow_duplicates: no
+
+dependencies:
+ - role: wireguard/application
\ No newline at end of file
diff --git a/roles/wireguard/client/tasks/main.yml b/roles/wireguard/client/tasks/main.yml
new file mode 100644
index 0000000..9f81a2e
--- /dev/null
+++ b/roles/wireguard/client/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+
+- name: Add config of backbones
+ copy:
+ content: |
+ {{ lookup('file', global_wireguard_peers_directory + '/' + item) }}
+ PersistentKeepalive = {{ keepalive_timeout }}
+ dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ item }}"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o=r"
+ when: "item != inventory_hostname"
+ loop: "{{ groups['wireguard_backbones'] }}"
+ notify: reassemble wireguard config
+
+- name: Store public key to backbones
+ copy:
+ src: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}"
+ dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}"
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o=r"
+ delegate_to: "{{ item }}"
+ when: "item != inventory_hostname"
+ loop: "{{ groups['wireguard_backbones'] }}"
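Review bot: `Add config of backbones` evaluates `lookup('file', global_wireguard_peers_directory + '/' + item)` for every backbone, so the client play hard-fails at templating time, with a lookup error rather than a useful message, whenever a backbone has not yet been through `wireguard/application` on this controller (a `--limit` run or a freshly added backbone). Guard it with a preceding `assert` over `lookup('fileglob', global_wireguard_peers_directory + '/*')`, or at least a comment on the task: `# requires the backbone play to have run first: it produces the peer files read here`. The `when: "item != inventory_hostname"` is copied from the backbone role and can only be true for a host that is in both groups; if that is not meant to be supported, drop it and say so.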
diff --git a/roles/wireguard/client/templates/peer.cfg b/roles/wireguard/client/templates/peer.cfg new file mode 120000 index 0000000..3b90ba4 --- /dev/null +++ b/roles/wireguard/client/templates/peer.cfg @@ -0,0 +1 @@ +../../application/templates/peer.cfg \ No newline at end of file diff --git a/roles/wireguard/client/vars/main.yml b/roles/wireguard/client/vars/main.yml new file mode 100644 index 0000000..57cb2fd --- /dev/null +++ b/roles/wireguard/client/vars/main.yml @@ -0,0 +1,3 @@ +--- + +wireguard_public_address: "127.1" diff --git a/roles/wireguard/handlers/handlers/main.yml b/roles/wireguard/handlers/handlers/main.yml new file mode 100644 index 0000000..0f180f4 --- /dev/null +++ b/roles/wireguard/handlers/handlers/main.yml @@ -0,0 +1,13 @@ +--- + +- name: reassemble wireguard config + make: + chdir: "{{ global_wireguard_configuration_environment_directory }}" + target: "{{ global_wireguard_configuration_link_name }}/wireguard.cfg" + notify: + - reload wireguard interface + +- name: reload wireguard interface + systemd: + name: wireguard + state: restarted diff --git a/roles/wireguard/special_client/tasks/main.yml b/roles/wireguard/special_client/tasks/main.yml index b8216a6..d5410d3 100644 --- a/roles/wireguard/special_client/tasks/main.yml +++ b/roles/wireguard/special_client/tasks/main.yml @@ -13,3 +13,14 @@ /bin/sh -c "< {{ client_public_key | quote }} /usr/bin/wg pubkey > {{ wireguard_client_private_key | quote }}" when: wireguard_private_key.changed delegate_to: 127.0.0.1 + +- name: Store public key to backbones + template: + src: "peer.cfg" + dest: "{{ global_wireguard_configuration_environment_directory }}/peers/{{ inventory_hostname }}" + owner: root + group: root + mode: "u=rw,g=r,o=r" + delegate_to: "{{ item }}" + when: "item != inventory_hostname" + loop: "{{ groups['wireguard_backbones'] }}"
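Review bot: `reload wireguard interface` restarts the unit, which runs `down.sh` and `up.sh` and drops every established tunnel on each peer change, even though the assembled file is a plain `wg` configuration that can be applied in place. Consider a separate non-disruptive handler for config-only changes, e.g. `command: wg syncconf {{ wireguard_interface_name | quote }} {{ global_wireguard_configuration_directory }}/wireguard.cfg`, notified by `reassemble wireguard config`, and keep the restart for the `Add control scripts` and unit-file changes. If the unit file changed in the same run, the restart presumably relies on the `reload systemd` handler from `misc/handlers` running first; that ordering is not visible here and would be safer as `daemon_reload: yes` on this handler.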
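Review bot: The new `Store public key to backbones` task in `special_client/tasks/main.yml` uses `template: src: "peer.cfg"`, but the patch adds no `templates/peer.cfg` to this role, unlike `backbone` and `client`, which get a symlink to the one in `application`; unless it exists already, the task will fail to find the template, so add the same symlink or document where it comes from. The template is rendered with this role's variables, so `wireguard_public_address` and `wireguard_ipv4_address` must be defined for the special client as well, which is worth an `assert` or a comment above the task. The enclosing task list starts before this hunk.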