working role (I hope) using debian network/interface config instead of wg-quick

This commit is contained in:
histausse 2021-07-05 02:32:59 +02:00
parent 962c42870f
commit 4e962888f6
Signed by: histausse
GPG key ID: 67486F107F62E9E9
16 changed files with 104 additions and 27 deletions


@ -1,4 +1,4 @@
# Ansible configuration, copy from the AURORE config.
# Ansible configuration
[defaults]
@ -12,7 +12,7 @@ inventory = ./hosts
roles_path = ./roles
# Custom header in templates
ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S by {uid}
ansible_managed = Ansible managed
# Do not use cows (with cowsay)
nocows = 1


@ -1,8 +1,15 @@
---
interfaces:
enp0s3:
ipv4: 10.0.2.14
netmaskv4: 24
type: static
routes:
- {subnet: 0.0.0.0, netmask: 0, gateway: 10.0.2.1}
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm1.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false
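Review bot: `netmask: 0` and `netmaskv4: 24` hold CIDR prefix lengths, not dotted netmasks — the interface template renders them as `{{ route.subnet }}/{{ route.netmask }}` and `{{ item.value.ipv4 }}/{{ item.value.netmaskv4 }}` — so the key names will mislead whoever adds the next host; the same applies to the vm2, vm3 and vm4 interface files in this commit. Renaming is an interface change across the template and every host file, so at minimum a comment above `interfaces:` such as `# netmask / netmaskv4 are CIDR prefix lengths (e.g. 24), not dotted masks` should document it. The `ipv4_forwarding`/`ipv6_forwarding` flags are set per host here; if the role ships no defaults for them (not visible in this commit), a host that omits them fails the `when: not ipv6_forwarding` guards in the tasks file rather than defaulting to forwarding off.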


@ -1,7 +1,6 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm1_key }}"
public_key: "uccS/p19vinH/S2GpVarDTYah4oRiSIABue8uEqKzRs="
keepalive: true


@ -1,8 +1,15 @@
---
interfaces:
enp0s3:
ipv4: 10.0.2.16
netmaskv4: 24
type: static
routes:
- {subnet: 0.0.0.0, netmask: 0, gateway: 10.0.2.1}
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm2.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false


@ -1,7 +1,6 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm2_key }}"
public_key: "pxsYnL8N3VVVLlkXA8NOkqWsrSMrgdL1vj/VnZfKdRo="
keepalive: true


@ -1,8 +1,15 @@
---
interfaces:
enp0s3:
ipv4: 10.0.2.17
netmaskv4: 24
type: static
routes:
- {subnet: 0.0.0.0, netmask: 0, gateway: 10.0.2.1}
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm3.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false


@ -1,7 +1,6 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm3_key }}"
public_key: "Cj3HAjXXr9DcmJoOkQkHvLWujZm8h6tBt2d54g0pqEg="
keepalive: true


@ -1,8 +1,15 @@
---
interfaces:
enp0s3:
ipv4: 10.0.2.32
netmaskv4: 24
type: static
routes:
- {subnet: 0.0.0.0, netmask: 0, gateway: 10.0.2.1}
wg0:
ipv4: "{{ intranet.subnets.test.subnets.vm4.ipv4 }}"
netmaskv4: "{{ intranet.netmaskv4 }}"
type: wireguard
ipv4_forwarding: false
ipv6_forwarding: false


@ -1,7 +1,6 @@
---
vpn_interfaces:
wg0:
ip: "{{ interfaces.wg0.ipv4 }}"
private_key: "{{ vpn_vault_vm4_key }}"
public_key: "5M84IO6uobYkMPupCI9h9y3iJXVIXAyDY8wkrMPcaRw="
keepalive: true


@ -0,0 +1,4 @@
---
- name: Reload network interfaces
become: true
command: /sbin/ifreload -a
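Review bot: This `Reload network interfaces` handler is defined a second time, byte-for-byte, in the wireguard role's handlers file later in this commit; handler names are global within a play, so one definition shadows the other and each role silently depends on whichever copy was loaded last. Keep the handler in the role that owns the interface templates and declare the dependency from the wireguard role's `meta/main.yml` (`dependencies: [<interfaces-role-name>]`), or give the two handlers distinct names. Note also that `ifreload -a` reconfigures every managed interface, not only the one whose config changed, so a template change on one stanza can bounce unrelated interfaces.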


@ -1,4 +1,15 @@
---
- name: Install wireguard
apt:
name:
- ifupdown2
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Enable ipv4 forwarding
ansible.posix.sysctl:
name: net.ipv4.ip_forward
@ -26,3 +37,22 @@
value: '0'
sysctl_set: true
when: not ipv6_forwarding
- name: Create interface config files
ansible.builtin.template:
src: "interfaces.j2"
dest: "/etc/network/interfaces"
owner: root
group: root
mode: '644'
notify: Reload network interfaces
- name: Create interface config files
ansible.builtin.template:
src: "interface.conf.j2"
dest: "/etc/network/interfaces.d/{{ item.key }}.conf"
owner: root
group: root
mode: '640'
notify: Reload network interfaces
loop: "{{ lookup('dict', interfaces) }}"
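Review bot: The task at the top of this hunk is named `Install wireguard` but installs `ifupdown2`, and the two template tasks both carry the name `Create interface config files`, so play output cannot tell them apart; `Install ifupdown2`, `Create /etc/network/interfaces` and `Create per-interface config files` would. `state: latest` upgrades the package on every run, and for a package that replaces the host's network stack an unscheduled upgrade is not a side effect you want from a config change — `state: present` is the usual choice. The loop here uses the scalar form `loop: "{{ lookup('dict', interfaces) }}"` while the wireguard role's tasks in this commit wrap the same lookup in a one-element list; pick one form for both roles. Writing the modes with a leading zero (`mode: '0644'`, `mode: '0640'`) makes the octal intent explicit to readers.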


@ -0,0 +1,30 @@
{{ ansible_managed | comment }}
auto {{ item.key }}
{% if item.value.type == 'wireguard' %}
iface {{ item.key }} inet static
{% elif item.value.type == 'dhcp' %}
iface {{ item.key }} inet dhcp
{% elif item.value.type == 'static' %}
iface {{ item.key }} inet static
{% endif %}
{% if item.value.type == 'wireguard' %}
pre-up ip link add $IFACE type wireguard
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
{% endif %}
{% if 'routes' in item.value %}
{% for route in item.value.routes %}
post-up ip route add {{ route.subnet }}/{{ route.netmask }} via {{ route.gateway }}
{% endfor %}
{% endif %}
{% if 'ipv4' in item.value %}
address {{ item.value.ipv4 }}/{{ item.value.netmaskv4 }}
{% endif %}
{% if 'routes' in item.value %}
{% for route in item.value.routes %}
post-down ip route del {{ route.subnet }}/{{ route.netmask }} via {{ route.gateway }}
{% endfor %}
{% endif %}
{% if item.value.type == 'wireguard' %}
post-down ip link del $IFACE
{% endif %}
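Review bot: `pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf` feeds the rendered wireguard config straight to `wg setconf`, but that template still emits `Address = {{ item.value.ip }}` (visible in the last hunk of this commit); `Address` is a wg-quick-only key that `wg setconf` does not accept, so the pre-up is expected to fail until that line is removed — and since the address is now set by the `address` stanza rendered here, the `Address =` line in the wireguard template can simply be dropped. `pre-up ip link add $IFACE type wireguard` fails when the link already exists, which is the state after an earlier `ifup` that failed part-way or when `ifreload` re-runs the stanza; `pre-up ip link show $IFACE >/dev/null 2>&1 || ip link add $IFACE type wireguard` makes it idempotent. When `item.value.type` is none of `wireguard`, `dhcp` or `static` the template emits `auto {{ item.key }}` with no `iface` line, which is easier to catch with an `assert` on the allowed types in the task than in the rendered file.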


@ -0,0 +1,3 @@
{{ ansible_managed | comment }}
source /etc/network/interfaces.d/*
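Review bot: This template replaces the stock `/etc/network/interfaces`, and none of the interface files in this commit define the loopback interface; unless ifupdown2 brings `lo` up implicitly (worth confirming), hosts lose `127.0.0.1` after the first `ifreload`. Either add `auto lo` / `iface lo inet loopback` here or state in a comment that `lo` is left to ifupdown2, so the omission reads as intentional. `source /etc/network/interfaces.d/*` also sources editor backups and any stray file in that directory; `source /etc/network/interfaces.d/*.conf` matches exactly what the role writes.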


@ -1,9 +1,4 @@
---
# This is so uggly
- name: Restart wireguard for interface
systemd:
name: "wg-quick@{{ item.key }}"
state: restarted
loop:
- "{{ lookup('dict', vpn_interfaces) }}"
no_log: false
- name: Reload network interfaces
become: true
command: /sbin/ifreload -a


@ -21,29 +21,21 @@
apt:
name:
- wireguard
- ifupdown2
state: latest
update_cache: true
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Create config files
- name: Create wireguard config files
ansible.builtin.template:
src: "wiregard.conf"
src: "wiregard.conf.j2"
dest: "/etc/wireguard/{{ item.key }}.conf"
owner: root
group: root
mode: '600'
notify: Restart wireguard for interface
notify: Reload network interfaces
loop:
- "{{ lookup('dict', vpn_interfaces) }}"
no_log: true
- name: Enable interface
systemd:
name: "wg-quick@{{ item.key }}"
state: started
enabled: yes
loop:
- "{{ lookup('dict', vpn_interfaces) }}"
no_log: false
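Review bot: Dropping the `Enable interface` task stops managing the `wg-quick@{{ item.key }}` units but does nothing to disable them on hosts already provisioned by the previous version, where wg-quick would still try to create the same interface at boot alongside the new ifupdown stanza; add a task over the same loop that sets those units to `state: stopped`, `enabled: false` (tolerating a missing unit) before the new config is applied. With `notify: Reload network interfaces`, a changed wireguard config (rotated key, new peer) only takes effect if `ifreload` re-runs the stanza's `pre-up wg setconf`; if ifupdown2 only re-applies interfaces whose own stanza changed, the new peer set is never loaded, and the handler should additionally run `wg syncconf {{ item.key }} /etc/wireguard/{{ item.key }}.conf` per interface. `state: latest` on the install task upgrades wireguard on every run; `state: present` avoids unscheduled upgrades. Keeping `no_log: true` on the template task is right, since the rendered file contains the private key.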


@ -1,7 +1,6 @@
{{ ansible_managed | comment }}
[Interface]
Address = {{ item.value.ip }}
PrivateKey = {{ item.value.private_key }}
ListenPort = {{ vpn_port }}