diff --git a/roles/ifupdown2/defaults/main.yml b/roles/ifupdown2/defaults/main.yml
index a419f07..745da82 100644
--- a/roles/ifupdown2/defaults/main.yml
+++ b/roles/ifupdown2/defaults/main.yml
@@ -1,3 +1,5 @@
 ---
 ifupdown2__interfaces: {}
+ifupdown2__wireguard: {}
+ifupdown2__wireguard_keepalive: 0
 ...
diff --git a/roles/ifupdown2/tasks/main.yml b/roles/ifupdown2/tasks/main.yml
index aa07c7f..7fbd1a4 100644
--- a/roles/ifupdown2/tasks/main.yml
+++ b/roles/ifupdown2/tasks/main.yml
@@ -1,4 +1,33 @@
 ---
+- name: Ensure that interfaces names don't overlap
+ assert:
+ that: "not (ifupdown2__interfaces.keys()
+ | intersect(ifupdown2__wireguard.keys()))"
+ msg: "Static and wireguard interfaces names must not overlap"
+
+- name: Install wireguard
+ apt:
+ name: wireguard
+ when: ifupdown2__wireguard
+
+- name: Configure wireguard
+ template:
+ src: wireguard.conf.j2
+ dest: "/etc/wireguard/{{ item.key }}.conf"
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=
+ #no_log: true
+ loop: "{{ ifupdown2__wireguard | dict2items }}"
+ register: results_wireguard
+
+- name: Synchronise wireguard config if necessary
+ command: "wg syncconf {{ item.0.key }} /etc/wireguard/{{ item.0.key }}.conf"
+ when: "item.0.key in ansible_interfaces and item.1.changed"
+ loop: "{{ ifupdown2__wireguard
+ | dict2items
+ | zip(results_wireguard.results) }}"
+
 - name: Gather package facts
 package_facts:
 manager: apt
diff --git a/roles/ifupdown2/templates/interfaces.j2 b/roles/ifupdown2/templates/interfaces.j2
index a1e8f8a..06f5cba 100644
--- a/roles/ifupdown2/templates/interfaces.j2
+++ b/roles/ifupdown2/templates/interfaces.j2
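Review bot: `no_log` is commented out on the `Configure wireguard` task although its loop item carries `private_key` (the value wireguard.conf.j2 renders), so a verbose run, a failed item or `--diff` prints the key into the job output and whatever collects it; restore `no_log: true` on that task, and be aware that `register: results_wireguard` keeps the same items in play variables. The dict key is also used as a path component in `dest: "/etc/wireguard/{{ item.key }}.conf"` and as an argument to `wg syncconf`, so the new assert could additionally constrain each name to an interface-name pattern, e.g. `that: "ifupdown2__wireguard.keys() | reject('match', '^[A-Za-z0-9_.-]{1,15}$') | list | length == 0"` (constructed pattern; adjust to the names the role accepts). Since the file holds the private key, `mode: u=rw,g=,o=` is the tighter choice; nothing visible here needs group read.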
@@ -1,14 +1,32 @@
 {{ ansible_managed | comment }}
+{% macro iface_common(iface) %}
+{% for address in iface.addresses | default([]) %}
+address {{ address | ipaddr }}
+{% endfor %}
+{% for gateway in iface.gateways | default([]) %}
+gateway {{ gateway | ipaddr }}
+{% endfor %}
+{% if iface.forward | default(false) %}
+ip-forward yes
+ip6-forward yes
+{% endif %}
+{% if iface.goto_table is defined %}
+pre-up ip rule add iif $IFACE table {{ iface.goto_table }}
+pre-up ip rule add iif $IFACE blackhole
+post-down ip rule del iif $IFACE table {{ iface.goto_table }}
+post-down ip rule del iif $IFACE blackhole
+{% endif %}
+{% if iface.ipv6_addrgen is defined %}
+ipv6-addrgen {{ iface.ipv6_addrgen
+ | ternary("yes", "no") }}
+{% endif %}
+{% endmacro %}
+
 {% for name, iface in ifupdown2__interfaces.items() %}
 auto {{ name }}
 iface {{ name }}
-{% for address in iface.addresses | default([]) %}
- address {{ address | ipaddr }}
-{% endfor %}
-{% for gateway in iface.gateways | default([]) %}
- gateway {{ gateway | ipaddr }}
-{% endfor %}
+ {{ iface_common(iface) | indent(4) }}
 {% if iface.bridge_ports is defined %}
 bridge-ports {{ iface.bridge_ports | join(" ") }}
 {% endif %}
@@ -29,13 +47,17 @@ iface {{ name }}
 bridge-pvid 0
 post-up bridge vlan del dev {{ name }} vid 1 self
 {% endif %}
-{% if iface.forward | default(false) %}
- ip-forward yes
- ip6-forward yes
-{% endif %}
-{% if iface.ipv6_addrgen is defined %}
- ipv6-addrgen {{ iface.ipv6_addrgen
- | ternary("yes", "no") }}
-{% endif %}
+
+{% endfor %}
+
+{% for name, iface in ifupdown2__wireguard.items() %}
+auto {{ name }}
+iface {{ name }}
+ link-type wireguard
+ {{ iface_common(iface) | indent(4) }}
+ pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
+{% for address in iface.peer_allowed_addresses | default([]) %}
+ post-up ip route add {{ address }} dev $IFACE
+{% endfor %}
 {% endfor %}
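Review bot: The two `pre-up ip rule add iif $IFACE ...` lines in `iface_common` carry no explicit priority, so their order is left to the kernel's automatic `pref` assignment, which as far as I can tell places each new rule ahead of the previously added one — the `blackhole` rule would then be evaluated before the `table {{ iface.goto_table }}` lookup and every packet arriving on the interface would be dropped. Give both rules fixed priorities so the lookup is tried first and the blackhole only catches what the table does not route, e.g. `pre-up ip rule add iif $IFACE table {{ iface.goto_table }} pref 1000` followed by `pre-up ip rule add iif $IFACE blackhole pref 1001` (constructed values), and put the same `pref` on the two `post-down ... del` lines so the intended rules are the ones removed. These rules are IPv4 only while the macro also emits IPv6 addresses and `ip6-forward`; if the policy routing is meant for both families the same pair is needed with `ip -6 rule`. The `for` loop over `ifupdown2__interfaces` begins in this hunk and closes in the next one.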
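Review bot: `post-up ip route add {{ address }} dev $IFACE` in the new wireguard stanza substitutes each `peer_allowed_addresses` entry unfiltered, whereas the same template passes addresses and gateways through `| ipaddr`; using `{{ address | ipaddr }}` here makes a malformed entry fail at render time instead of producing an `interfaces` file whose `post-up` hook fails on every `ifup`. An entry of `0.0.0.0/0` or `::/0` (the usual full-tunnel allowed-IPs) is also likely to make `ip route add` fail with `File exists` on a host that already has a default route, so that case needs a metric or a dedicated routing table rather than a plain `route add`. The `for` loop over `ifupdown2__interfaces` that this hunk closes begins outside it.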
diff --git a/roles/ifupdown2/templates/wireguard.conf.j2 b/roles/ifupdown2/templates/wireguard.conf.j2
new file mode 100644
index 0000000..2ec0ea0
--- /dev/null
+++ b/roles/ifupdown2/templates/wireguard.conf.j2
@@ -0,0 +1,16 @@
+{{ ansible_managed | comment }}
+
+[Interface]
+PrivateKey = {{ item.value.private_key }}
+{% if "listen_port" in item.value %}
+ListenPort = {{ item.value.listen_port }}
+{% endif %}
+
+[Peer]
+PublicKey = {{ item.value.peer_public_key }}
+AllowedIPs = {{ item.value.peer_allowed_addresses | join(", ") }}
+PersistentKeepalive = {{ item.value.peer_keepalive
+ | default(ifupdown2__wireguard_keepalive) }}
+{% if "peer_endpoint" in item.value %}
+Endpoint = {{ item.value.peer_endpoint }}
+{% endif %}
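Review bot: `item.value.peer_allowed_addresses` and `item.value.peer_public_key` are read without a default, while interfaces.j2 treats `peer_allowed_addresses` as optional via `| default([])`; an entry missing the key therefore fails midway through the `Configure wireguard` loop, after earlier files have been written, instead of in the up-front assert. Adding `default([])` here would only render a bare `AllowedIPs = ` line of doubtful value, so the better fix is to extend the assert in tasks/main.yml to require `private_key`, `peer_public_key` and `peer_allowed_addresses` for every entry, so the role stops before touching `/etc/wireguard`. The rendered file holds the private key in clear text; keep `private_key` in vault-encrypted vars rather than plain inventory so the secret is not committed unprotected.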