fallback to wg-quick because of the clusterfuck of configuration types between the OSs

3 years ago · 199932a2fa
parent 82bd1cfb32
commit 199932a2fa
19 changed files with 63 additions and 56 deletions
--- a/host_vars/azerty/vpn.yml
+++ b/host_vars/azerty/vpn.yml
@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
  wg0:
    ip: "{{ interfaces.wg0.ipv4 }}"
    private_key: "{{ vpn_vault_azerty_key }}"
    public_key: "o9rdoSdnp4twbNbZAMl0wY4sFQh647qqRv6V8HJwMQY="
    keepalive: true
--- a/host_vars/hellman/vpn.yml
+++ b/host_vars/hellman/vpn.yml
@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
  wg0:
    ip: "{{ interfaces.wg0.ipv4 }}"
    private_key: "{{ vpn_vault_hellman_key }}"
    public_key: "+qV1RHAgSigOkrxUKqpGR83bydmlIHrEiw+A7zjbRk4="
    keepalive: true
--- a/host_vars/hindley/vpn.yml
+++ b/host_vars/hindley/vpn.yml
@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
  wg0:
    ip: "{{ interfaces.wg0.ipv4 }}"
    private_key: "{{ vpn_vault_hindley_key }}"
    public_key: "Ce48/ZdvpI2S82bIivhiWHQsyidzTAtxCnEYojY3xEA="
    keepalive: false
--- a/host_vars/rossum/vpn.yml
+++ b/host_vars/rossum/vpn.yml
@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
  wg0:
    ip: "{{ interfaces.wg0.ipv4 }}"
    private_key: "{{ vpn_vault_rossum_key }}"
    public_key: "YNEp3V5wsDLxDR29WhzECOCdOxiOuxuAqUUwS3gJWT4="
    keepalive: true
--- a/host_vars/vm1/networking.yml
+++ b/host_vars/vm1/networking.yml
@ -1,7 +1,7 @@
 ---
 interfaces:
  enp0s3:
-    ipv4: 10.0.2.14
+    ipv4: 10.0.2.5
    netmaskv4: 24
    type: static
    routes:
--- a/host_vars/vm1/vpn.yml
+++ b/host_vars/vm1/vpn.yml
@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
  wg0:
    ip: "{{ interfaces.wg0.ipv4 }}"
    private_key: "{{ vpn_vault_vm1_key }}"
    public_key: "uccS/p19vinH/S2GpVarDTYah4oRiSIABue8uEqKzRs="
    keepalive: true
--- a/host_vars/vm2/networking.yml
+++ b/host_vars/vm2/networking.yml
@ -1,7 +1,7 @@
 ---
 interfaces:
  enp0s3:
-    ipv4: 10.0.2.16
+    ipv4: 10.0.2.6
    netmaskv4: 24
    type: static
    routes:
--- a/host_vars/vm2/vpn.yml
+++ b/host_vars/vm2/vpn.yml
@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
  wg0:
    ip: "{{ interfaces.wg0.ipv4 }}"
    private_key: "{{ vpn_vault_vm2_key }}"
    public_key: "pxsYnL8N3VVVLlkXA8NOkqWsrSMrgdL1vj/VnZfKdRo="
    keepalive: true
--- a/host_vars/vm3/networking.yml
+++ b/host_vars/vm3/networking.yml
@ -1,7 +1,7 @@
 ---
 interfaces:
  enp0s3:
-    ipv4: 10.0.2.17
+    ipv4: 10.0.2.7
    netmaskv4: 24
    type: static
    routes:
--- a/host_vars/vm3/vpn.yml
+++ b/host_vars/vm3/vpn.yml
@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
  wg0:
    ip: "{{ interfaces.wg0.ipv4 }}"
    private_key: "{{ vpn_vault_vm3_key }}"
    public_key: "Cj3HAjXXr9DcmJoOkQkHvLWujZm8h6tBt2d54g0pqEg="
    keepalive: true
--- a/host_vars/vm4/networking.yml
+++ b/host_vars/vm4/networking.yml
@ -1,11 +1,12 @@
 ---
 interfaces:
  enp0s3:
-    ipv4: 10.0.2.32
+    ipv4: 10.0.2.8
    netmaskv4: 24
    type: static
-    routes:
+    gateway: 10.0.2.1
-      - {subnet: 0.0.0.0, netmask: 0, gateway: 10.0.2.1}
+#    routes:
 #      - {subnet: 0.0.0.0, netmask: 0, gateway: 10.0.2.1}
  wg0:
    ipv4: "{{ intranet.subnets.test.subnets.vm4.ipv4 }}"
    netmaskv4: "{{ intranet.netmaskv4 }}"
--- a/host_vars/vm4/vpn.yml
+++ b/host_vars/vm4/vpn.yml
@ -1,6 +1,7 @@
 ---
 vpn_interfaces:
  wg0:
    ip: "{{ interfaces.wg0.ipv4 }}"
    private_key: "{{ vpn_vault_vm4_key }}"
    public_key: "5M84IO6uobYkMPupCI9h9y3iJXVIXAyDY8wkrMPcaRw="
    keepalive: true
--- a/roles/networking/handlers/main.yml
+++ b/roles/networking/handlers/main.yml
@ -1,4 +1,4 @@
 ---
- name: Reload network interfaces
+- name: Reload network interfaces debian
  become: true
  command: /sbin/ifreload -a
--- a/roles/networking/tasks/main.yml
+++ b/roles/networking/tasks/main.yml
@ -45,15 +45,6 @@
    owner: root
    group: root
    mode: '644'
-  notify: Reload network interfaces
+  notify: Reload network interfaces debian
  when: ("raspbian_buster" not in group_names) and ("ubuntu" not in group_names)
 - name: Create interface config files
  ansible.builtin.template:
    src: "interface.conf.j2"
    dest: "/etc/network/interfaces.d/{{ item.key }}.conf"
    owner: root
    group: root
    mode: '640'
  notify: Reload network interfaces
  when: (item.value.type == "wireguard") or ("raspbian_buster" not in group_names)
  loop: "{{ lookup('dict', interfaces) }}"
--- a/roles/networking/templates/interface.conf.j2
+++ b/roles/networking/templates/interface.conf.j2
@ -1,30 +0,0 @@
 {{ ansible_managed | comment }}
 auto {{ item.key }}
 {% if item.value.type == 'wireguard' %}
 iface {{ item.key }} inet static
 {% elif item.value.type == 'dhcp' %}
 iface {{ item.key }} inet dhcp
 {% elif item.value.type == 'static' %}
 iface {{ item.key }} inet static
 {% endif %}
 {% if item.value.type == 'wireguard' %}
 	pre-up ip link add $IFACE type wireguard
 	pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
 {% endif %}
 {% if 'routes' in item.value %}
 {% for route in item.value.routes %}
 	post-up ip route add {{ route.subnet }}/{{ route.netmask }} via {{ route.gateway }}
 {% endfor %}
 {% endif %}
 {% if 'ipv4' in item.value %}
 	address {{ item.value.ipv4 }}/{{ item.value.netmaskv4 }}
 {% endif %}
 {% if 'routes' in item.value %}
 {% for route in item.value.routes %}
 	post-down ip route del {{ route.subnet }}/{{ route.netmask }} via {{ route.gateway }}
 {% endfor %}
 {% endif %}
 {% if item.value.type == 'wireguard' %}
 	post-down ip link del $IFACE
 {% endif %}
--- a/roles/networking/templates/interfaces.j2
+++ b/roles/networking/templates/interfaces.j2
@ -1,7 +1,30 @@
 {{ ansible_managed | comment }}
 source /etc/network/interfaces.d/*
 # The loopback network interface
 auto lo
 iface lo inet loopback
 {% for item in lookup('dict', interfaces) %}
 {% if item.value.type not in ['wireguard', ] %}
 auto {{ item.key }}
 {% if item.value.type == 'dhcp' %}
 iface {{ item.key }} inet dhcp
 {% elif item.value.type == 'static' %}
 iface {{ item.key }} inet static
 {% endif %}
 {% if 'routes' in item.value %}{# route up #}
 {% for route in item.value.routes %}
    post-up ip route add {{ route.subnet }}/{{ route.netmask }} via {{ route.gateway }}
 {% endfor %}
 {% endif %}{# end route up #}
 {% if 'ipv4' in item.value %}
    address {{ item.value.ipv4 }}/{{ item.value.netmaskv4 }}
 {% endif %}
 {% if 'routes' in item.value %}{# route dw #}
 {% for route in item.value.routes %}
    post-down ip route del {{ route.subnet }}/{{ route.netmask }} via {{ route.gateway }}
 {% endfor %}
 {% endif %}{# end route dw #}
 {% endif %}{# end (not in [wireguard, ]) #}
 {% endfor %}
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@ -1,4 +1,8 @@
 ---
- name: Reload network interfaces
+- name: Restart wireguard for interface
-  become: true
+  systemd:
-  command: /sbin/ifreload -a
+    name: "wg-quick@{{ item.key }}"
    state: restarted
  loop:
    - "{{ lookup('dict', vpn_interfaces) }}"
  no_log: true
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@ -3,7 +3,7 @@
  apt_repository:
    repo: deb http://deb.debian.org/debian buster-backports main
    state: present
-  when: "'debian_buster' in group_names or 'proxmox_buster' in group_names"
+  when: ('debian_buster' in group_names) or ('proxmox_buster' in group_names)
 - name: Install wireguard dependencies for proxmox
  apt:
@ -15,7 +15,7 @@
  register: apt_result
  retries: 3
  until: apt_result is succeeded
-  when: "'proxmox_buster' in group_names"
+  when: ('proxmox_buster' in group_names)
 - name: Install wireguard
  apt:
@ -35,7 +35,16 @@
    owner: root
    group: root
    mode: '600'
-  notify: Reload network interfaces
+  notify: Restart wireguard for interface
  loop:
    - "{{ lookup('dict', vpn_interfaces) }}"
  no_log: true
 - name: Enable interface
  systemd:
    name: "wg-quick@{{ item.key }}"
    state: started
    enabled: yes
  loop:
    - "{{ lookup('dict', vpn_interfaces) }}"
  no_log: true
--- a/roles/vpn/templates/wiregard.conf.j2
+++ b/roles/vpn/templates/wiregard.conf.j2
@ -1,6 +1,7 @@
 {{ ansible_managed | comment }}
 [Interface]
 Address = {{ item.value.ip }}
 PrivateKey = {{ item.value.private_key }}
 ListenPort = {{ vpn_port }}