From 199932a2fae8c36fc79321ba7a180786f70024ca Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Thu, 8 Jul 2021 00:33:13 +0200
Subject: [PATCH] fallback to wg-quick because of the clusterfuck of configuration types between the OSs
---
 host_vars/azerty/vpn.yml | 1 +
 host_vars/hellman/vpn.yml | 1 +
 host_vars/hindley/vpn.yml | 1 +
 host_vars/rossum/vpn.yml | 1 +
 host_vars/vm1/networking.yml | 2 +-
 host_vars/vm1/vpn.yml | 1 +
 host_vars/vm2/networking.yml | 2 +-
 host_vars/vm2/vpn.yml | 1 +
 host_vars/vm3/networking.yml | 2 +-
 host_vars/vm3/vpn.yml | 1 +
 host_vars/vm4/networking.yml | 7 +++--
 host_vars/vm4/vpn.yml | 1 +
 roles/networking/handlers/main.yml | 2 +-
 roles/networking/tasks/main.yml | 13 ++-------
 roles/networking/templates/interface.conf.j2 | 30 --------------------
 roles/networking/templates/interfaces.j2 | 27 ++++++++++++++++--
 roles/vpn/handlers/main.yml | 10 +++++--
 roles/vpn/tasks/main.yml | 15 ++++++++--
 roles/vpn/templates/wiregard.conf.j2 | 1 +
 19 files changed, 63 insertions(+), 56 deletions(-)
 delete mode 100644 roles/networking/templates/interface.conf.j2
diff --git a/host_vars/azerty/vpn.yml b/host_vars/azerty/vpn.yml
index aa53cf4..4ddc172 100644
--- a/host_vars/azerty/vpn.yml
+++ b/host_vars/azerty/vpn.yml
@@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
 wg0:
+ ip: "{{ interfaces.wg0.ipv4 }}"
 private_key: "{{ vpn_vault_azerty_key }}"
 public_key: "o9rdoSdnp4twbNbZAMl0wY4sFQh647qqRv6V8HJwMQY="
 keepalive: true
diff --git a/host_vars/hellman/vpn.yml b/host_vars/hellman/vpn.yml
index d0d41b8..309a087 100644
--- a/host_vars/hellman/vpn.yml
+++ b/host_vars/hellman/vpn.yml
@@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
 wg0:
+ ip: "{{ interfaces.wg0.ipv4 }}"
 private_key: "{{ vpn_vault_hellman_key }}"
 public_key: "+qV1RHAgSigOkrxUKqpGR83bydmlIHrEiw+A7zjbRk4="
 keepalive: true
diff --git a/host_vars/hindley/vpn.yml b/host_vars/hindley/vpn.yml
index ba6a557..e4472e7 100644
--- a/host_vars/hindley/vpn.yml
+++ b/host_vars/hindley/vpn.yml
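Review bot: `ip` is set to the bare address `{{ interfaces.wg0.ipv4 }}`, and roles/vpn/templates/wiregard.conf.j2 in this same commit hands it to wg-quick as `Address =`; wg-quick passes that to `ip address add`, which, as far as I can tell, installs a prefix-less IPv4 address as a /32, so the on-link route for the VPN subnet that the old ifupdown stanza (`address {{ ipv4 }}/{{ netmaskv4 }}`) used to install is no longer present and reachability then rests entirely on the AllowedIPs routes. Where the interface defines `netmaskv4` (host_vars/vm4/networking.yml does), the CIDR form keeps the previous behaviour: `ip: "{{ interfaces.wg0.ipv4 }}/{{ interfaces.wg0.netmaskv4 }}"`. The same applies to the hellman, hindley, rossum and vm1–vm4 vpn.yml hunks.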
@@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
 wg0:
+ ip: "{{ interfaces.wg0.ipv4 }}"
 private_key: "{{ vpn_vault_hindley_key }}"
 public_key: "Ce48/ZdvpI2S82bIivhiWHQsyidzTAtxCnEYojY3xEA="
 keepalive: false
diff --git a/host_vars/rossum/vpn.yml b/host_vars/rossum/vpn.yml
index 2591773..e5fd30c 100644
--- a/host_vars/rossum/vpn.yml
+++ b/host_vars/rossum/vpn.yml
@@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
 wg0:
+ ip: "{{ interfaces.wg0.ipv4 }}"
 private_key: "{{ vpn_vault_rossum_key }}"
 public_key: "YNEp3V5wsDLxDR29WhzECOCdOxiOuxuAqUUwS3gJWT4="
 keepalive: true
diff --git a/host_vars/vm1/networking.yml b/host_vars/vm1/networking.yml
index 48f3977..acc7024 100644
--- a/host_vars/vm1/networking.yml
+++ b/host_vars/vm1/networking.yml
@@ -1,7 +1,7 @@
 ---
 interfaces:
 enp0s3:
- ipv4: 10.0.2.14
+ ipv4: 10.0.2.5
 netmaskv4: 24
 type: static
 routes:
diff --git a/host_vars/vm1/vpn.yml b/host_vars/vm1/vpn.yml
index c121d20..121dd03 100644
--- a/host_vars/vm1/vpn.yml
+++ b/host_vars/vm1/vpn.yml
@@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
 wg0:
+ ip: "{{ interfaces.wg0.ipv4 }}"
 private_key: "{{ vpn_vault_vm1_key }}"
 public_key: "uccS/p19vinH/S2GpVarDTYah4oRiSIABue8uEqKzRs="
 keepalive: true
diff --git a/host_vars/vm2/networking.yml b/host_vars/vm2/networking.yml
index 2e66036..362308a 100644
--- a/host_vars/vm2/networking.yml
+++ b/host_vars/vm2/networking.yml
@@ -1,7 +1,7 @@
 ---
 interfaces:
 enp0s3:
- ipv4: 10.0.2.16
+ ipv4: 10.0.2.6
 netmaskv4: 24
 type: static
 routes:
diff --git a/host_vars/vm2/vpn.yml b/host_vars/vm2/vpn.yml
index 4c60a77..a3022a6 100644
--- a/host_vars/vm2/vpn.yml
+++ b/host_vars/vm2/vpn.yml
@@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
 wg0:
+ ip: "{{ interfaces.wg0.ipv4 }}"
 private_key: "{{ vpn_vault_vm2_key }}"
 public_key: "pxsYnL8N3VVVLlkXA8NOkqWsrSMrgdL1vj/VnZfKdRo="
 keepalive: true
diff --git a/host_vars/vm3/networking.yml b/host_vars/vm3/networking.yml
index 9920737..970d82b 100644
--- a/host_vars/vm3/networking.yml
+++ b/host_vars/vm3/networking.yml
@@ -1,7 +1,7 @@
 ---
 interfaces:
 enp0s3:
- ipv4: 10.0.2.17
+ ipv4: 10.0.2.7
 netmaskv4: 24
 type: static
 routes:
diff --git a/host_vars/vm3/vpn.yml b/host_vars/vm3/vpn.yml
index 0195cd3..4f0556c 100644
--- a/host_vars/vm3/vpn.yml
+++ b/host_vars/vm3/vpn.yml
@@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
 wg0:
+ ip: "{{ interfaces.wg0.ipv4 }}"
 private_key: "{{ vpn_vault_vm3_key }}"
 public_key: "Cj3HAjXXr9DcmJoOkQkHvLWujZm8h6tBt2d54g0pqEg="
 keepalive: true
diff --git a/host_vars/vm4/networking.yml b/host_vars/vm4/networking.yml
index 174c3ed..620374b 100644
--- a/host_vars/vm4/networking.yml
+++ b/host_vars/vm4/networking.yml
@@ -1,11 +1,12 @@
 ---
 interfaces:
 enp0s3:
- ipv4: 10.0.2.32
+ ipv4: 10.0.2.8
 netmaskv4: 24
 type: static
- routes:
- - {subnet: 0.0.0.0, netmask: 0, gateway: 10.0.2.1}
+ gateway: 10.0.2.1
+# routes:
+# - {subnet: 0.0.0.0, netmask: 0, gateway: 10.0.2.1}
 wg0:
 ipv4: "{{ intranet.subnets.test.subnets.vm4.ipv4 }}"
 netmaskv4: "{{ intranet.netmaskv4 }}"
diff --git a/host_vars/vm4/vpn.yml b/host_vars/vm4/vpn.yml
index 1dafb73..e8ff96f 100644
--- a/host_vars/vm4/vpn.yml
+++ b/host_vars/vm4/vpn.yml
@@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
 wg0:
+ ip: "{{ interfaces.wg0.ipv4 }}"
 private_key: "{{ vpn_vault_vm4_key }}"
 public_key: "5M84IO6uobYkMPupCI9h9y3iJXVIXAyDY8wkrMPcaRw="
 keepalive: true
diff --git a/roles/networking/handlers/main.yml b/roles/networking/handlers/main.yml
index 179f5f0..2bf721b 100644
--- a/roles/networking/handlers/main.yml
+++ b/roles/networking/handlers/main.yml
@@ -1,4 +1,4 @@
 ---
-- name: Reload network interfaces
+- name: Reload network interfaces debian
 become: true
 command: /sbin/ifreload -a
diff --git a/roles/networking/tasks/main.yml b/roles/networking/tasks/main.yml
index 759a074..00a2c12 100644
--- a/roles/networking/tasks/main.yml
+++ b/roles/networking/tasks/main.yml
@@ -45,15 +45,6 @@
 owner: root
 group: root
 mode: '644'
- notify: Reload network interfaces
+ notify: Reload network interfaces debian
+ when: ("raspbian_buster" not in group_names) and ("ubuntu" not in group_names)
-- name: Create interface config files
- ansible.builtin.template:
- src: "interface.conf.j2"
- dest: "/etc/network/interfaces.d/{{ item.key }}.conf"
- owner: root
- group: root
- mode: '640'
- notify: Reload network interfaces
- when: (item.value.type == "wireguard") or ("raspbian_buster" not in group_names)
- loop: "{{ lookup('dict', interfaces) }}"
diff --git a/roles/networking/templates/interface.conf.j2 b/roles/networking/templates/interface.conf.j2
deleted file mode 100644
index 0aa1e0d..0000000
--- a/roles/networking/templates/interface.conf.j2
+++ /dev/null
@@ -1,30 +0,0 @@
-{{ ansible_managed | comment }}
-
-auto {{ item.key }}
-{% if item.value.type == 'wireguard' %}
-iface {{ item.key }} inet static
-{% elif item.value.type == 'dhcp' %}
-iface {{ item.key }} inet dhcp
-{% elif item.value.type == 'static' %}
-iface {{ item.key }} inet static
-{% endif %}
-{% if item.value.type == 'wireguard' %}
- pre-up ip link add $IFACE type wireguard
- pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
-{% endif %}
-{% if 'routes' in item.value %}
-{% for route in item.value.routes %}
- post-up ip route add {{ route.subnet }}/{{ route.netmask }} via {{ route.gateway }}
-{% endfor %}
-{% endif %}
-{% if 'ipv4' in item.value %}
- address {{ item.value.ipv4 }}/{{ item.value.netmaskv4 }}
-{% endif %}
-{% if 'routes' in item.value %}
-{% for route in item.value.routes %}
- post-down ip route del {{ route.subnet }}/{{ route.netmask }} via {{ route.gateway }}
-{% endfor %}
-{% endif %}
-{% if item.value.type == 'wireguard' %}
- post-down ip link del $IFACE
-{% endif %}
diff --git a/roles/networking/templates/interfaces.j2 b/roles/networking/templates/interfaces.j2
index 5aa1e36..69bc40e 100644
--- a/roles/networking/templates/interfaces.j2
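Review bot: Removing the "Create interface config files" task is not paired with any cleanup, so the `/etc/network/interfaces.d/{{ item.key }}.conf` files it wrote on earlier runs stay on the hosts. On hosts that receive the new interfaces.j2 they become inert because the `source` line is gone, but raspbian_buster and ubuntu hosts are now skipped by the added `when`, and if their existing `/etc/network/interfaces` still sources that directory, a stale wg0.conf with its `pre-up ip link add` / `wg setconf` lines would compete with the `wg-quick@wg0` unit this commit enables — I have not verified what those hosts currently have, so treat that as a risk to confirm. A removal task placed right after the template task makes the migration deterministic on every host; the template task itself starts above the hunk.

```yaml
# … unchanged: "Create interfaces file" template task …
- name: Remove legacy per-interface config files
  ansible.builtin.file:
    path: "/etc/network/interfaces.d/{{ item.key }}.conf"
    state: absent
  loop: "{{ lookup('dict', interfaces) }}"
  loop_control:
    label: "{{ item.key }}"
```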
+++ b/roles/networking/templates/interfaces.j2
@@ -1,7 +1,30 @@
 {{ ansible_managed | comment }}
-source /etc/network/interfaces.d/*
-
 # The loopback network interface
 auto lo
 iface lo inet loopback
+
+{% for item in lookup('dict', interfaces) %}
+{% if item.value.type not in ['wireguard', ] %}
+auto {{ item.key }}
+{% if item.value.type == 'dhcp' %}
+iface {{ item.key }} inet dhcp
+{% elif item.value.type == 'static' %}
+iface {{ item.key }} inet static
+{% endif %}
+{% if 'routes' in item.value %}{# route up #}
+{% for route in item.value.routes %}
+ post-up ip route add {{ route.subnet }}/{{ route.netmask }} via {{ route.gateway }}
+{% endfor %}
+{% endif %}{# end route up #}
+{% if 'ipv4' in item.value %}
+ address {{ item.value.ipv4 }}/{{ item.value.netmaskv4 }}
+{% endif %}
+{% if 'routes' in item.value %}{# route dw #}
+{% for route in item.value.routes %}
+ post-down ip route del {{ route.subnet }}/{{ route.netmask }} via {{ route.gateway }}
+{% endfor %}
+{% endif %}{# end route dw #}
+
+{% endif %}{# end (not in [wireguard, ]) #}
+{% endfor %}
diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml
index 179f5f0..dc9f10c 100644
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@@ -1,4 +1,8 @@
 ---
-- name: Reload network interfaces
- become: true
- command: /sbin/ifreload -a
+- name: Restart wireguard for interface
+ systemd:
+ name: "wg-quick@{{ item.key }}"
+ state: restarted
+ loop:
+ - "{{ lookup('dict', vpn_interfaces) }}"
+ no_log: true
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index a9b4161..00d417e 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -3,7 +3,7 @@
 apt_repository:
 repo: deb http://deb.debian.org/debian buster-backports main
 state: present
- when: "'debian_buster' in group_names or 'proxmox_buster' in group_names"
+ when: ('debian_buster' in group_names) or ('proxmox_buster' in group_names)
 - name: Install wireguard dependencies for proxmox
 apt:
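Review bot: The rewritten per-interface block renders only `ipv4`/`netmaskv4` and `routes`, but host_vars/vm4/networking.yml in this same commit replaces vm4's default-route entry with a `gateway: 10.0.2.1` key, which nothing in this template reads — so after the next run vm4 gets its address and no default route. Either keep the `routes:` entry on vm4 or let the static branch emit it, next to the `address` line: `{% if 'gateway' in item.value %}` / `    gateway {{ item.value.gateway }}` / `{% endif %}`. The loop body is fully inside the hunk; wireguard interfaces are deliberately skipped here.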
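Review bot: `loop:` is given a one-element list whose single element is the templated `lookup('dict', vpn_interfaces)` result; unlike `with_items`, `loop` does not flatten nested lists, so as far as I can tell `item` is the whole list of interfaces and `item.key` in `name: "wg-quick@{{ item.key }}"` is undefined. The same shape already exists in roles/vpn/tasks/main.yml, so if that task runs cleanly in your setup this reading is wrong, but `loop: "{{ lookup('dict', vpn_interfaces) }}"` is the unambiguous form either way. `systemd:` is also the only short module name in the patch while the tasks use `ansible.builtin.template`; `ansible.builtin.systemd:` keeps them consistent. `no_log: true` is warranted here since every loop item carries `private_key`.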
@@ -15,7 +15,7 @@
 register: apt_result
 retries: 3
 until: apt_result is succeeded
- when: "'proxmox_buster' in group_names"
+ when: ('proxmox_buster' in group_names)
 - name: Install wireguard
 apt:
@@ -35,7 +35,16 @@
 owner: root
 group: root
 mode: '600'
- notify: Reload network interfaces
+ notify: Restart wireguard for interface
+ loop:
+ - "{{ lookup('dict', vpn_interfaces) }}"
+ no_log: true
+
+- name: Enable interface
+ systemd:
+ name: "wg-quick@{{ item.key }}"
+ state: started
+ enabled: yes
 loop:
 - "{{ lookup('dict', vpn_interfaces) }}"
 no_log: true
diff --git a/roles/vpn/templates/wiregard.conf.j2 b/roles/vpn/templates/wiregard.conf.j2
index 9d442a2..25890c7 100644
--- a/roles/vpn/templates/wiregard.conf.j2
+++ b/roles/vpn/templates/wiregard.conf.j2
@@ -1,6 +1,7 @@
 {{ ansible_managed | comment }}
 [Interface]
+Address = {{ item.value.ip }}
 PrivateKey = {{ item.value.private_key }}
 ListenPort = {{ vpn_port }}
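Review bot: `enabled: yes` on the new "Enable interface" task is the only YAML 1.1 truthy spelling in the patch — the rest of these files write `become: true` / `keepalive: true` — so `enabled: true` keeps one boolean form and satisfies yamllint's truthy rule. The `loop:` / `no_log: true` lines the new task inherits from the old tail are still needed on it, since each loop item carries `private_key` and would otherwise be printed in the task output; the same nested-list `loop:` shape is worth checking here as in the handler. The config file above keeps `mode: '600'`, which is the right permission for a file holding the private key.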