sonny/arch-setup
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add media vpn setup

Browse source
This commit is contained in:
Sonny Bakker 2024-08-03 21:03:07 +02:00
parent cf061d3779
commit 7c4dd0d3c2
25 changed files with 257 additions and 66 deletions
Download patch file Download diff file Expand all files Collapse all files

0
files/desktop/wireguard/desktop.key → files/desktop/wireguard/default/desktop.key
View file

0
files/desktop/wireguard/desktop.pub → files/desktop/wireguard/default/desktop.pub
View file

0
files/desktop/wireguard/preshared.psk → files/desktop/wireguard/default/preshared.psk
View file

7
files/desktop/wireguard/media/desktop.key Normal file
View file

@ -0,0 +1,7 @@
$ANSIBLE_VAULT;1.1;AES256
62383364643761623739623632633261343735343465336235386336333234656631363432623535
6562623634363937356137616131396264633161363461340a343432363362346664646161656563
35623334326238326135646261666330666531633831656564396139666261623937626338386632
3233333039623039640a383931633539363238326164643365316236326435643537303866373835
66393465663364303134376566623736636664353031336537663036636462613766343739336331
6438643538326533313433616438386165626537373162393430

1
files/desktop/wireguard/media/desktop.pub Normal file
View file

@ -0,0 +1 @@
YDH5lZcxUHM4AU2ZxQrFqjDIV2Z7PSUQKMcYXLExV0E=

7
files/desktop/wireguard/media/preshared.psk Normal file
View file

@ -0,0 +1,7 @@
$ANSIBLE_VAULT;1.1;AES256
34303432393930626266313563613636343439623631633163656532363631313039386231623936
3336636666626237316532346230303961323263613161320a383436636634376162353863386161
36663064366461333335613633316630633335666335613464333863656536623230383262623733
3065363835666231630a616362333233643637613762313437626366363365313831363661313336
66373966656534646462653833343935623466613662333932666666366430663061366261396330
3064636536643933613738356461313135363033633366396130

0
files/laptop/wireguard/laptop.key → files/laptop/wireguard/default/laptop.key
View file

0
files/laptop/wireguard/laptop.pub → files/laptop/wireguard/default/laptop.pub
View file

0
files/laptop/wireguard/preshared.psk → files/laptop/wireguard/default/preshared.psk
View file

7
files/laptop/wireguard/media/laptop.key Normal file
View file

@ -0,0 +1,7 @@
$ANSIBLE_VAULT;1.1;AES256
64663539393065396333623165623833636539633932306437363365656532343565643866616532
6562373233633237623761376234336331373637393431380a386261306438393837633037383464
64623965376138313665393239346138383230383565626264393635303835396537663865313237
6431313635333030390a646466303961663932353830366235643762393039396531316465333837
61613264356263616332633334386532303761353536663033373639626634396164623335626566
3632373266313435646338343738656663356635623138623939

1
files/laptop/wireguard/media/laptop.pub Normal file
View file

@ -0,0 +1 @@
hI4rqlv2afs4RJkt5xR+dYxQODSd6lR0OqWJRlnQdjM=

7
files/laptop/wireguard/media/preshared.psk Normal file
View file

@ -0,0 +1,7 @@
$ANSIBLE_VAULT;1.1;AES256
63643763346434313734663761386539393032613366626230373862643431613963633664353264
6466616235653963643861643439633537656439363735330a366439356537386662353431643163
33363830646433336366353363623835373639383663633837313030393162643931353331633133
6534363438303261320a333364313534336465616336386337383935353631646361623866326232
64373139636633393236303335396138326638333635663839663734346463303739646431353437
3838653361383663633632363862306565643531353066623336

1
playbook.yml
View file

@ -28,5 +28,4 @@
vars_files: vars_files:
- 'vars/main.yml' - 'vars/main.yml'
- 'vars/gpg.yml' - 'vars/gpg.yml'
- 'vars/vpn.yml'
- 'vars/mpd.yml' - 'vars/mpd.yml'

41
tasks/network.yml
View file

@ -12,8 +12,10 @@
mode: '0644' mode: '0644'
state: directory state: directory
loop: loop:
- '{{ vpn_private_key_path }}' - '{{ vpn_default.private_key_path }}'
- '{{ vpn_public_key_path }}' - '{{ vpn_default.public_key_path }}'
- '{{ vpn_media.private_key_path }}'
- '{{ vpn_media.public_key_path }}'
- name: copy wireguard credentials - name: copy wireguard credentials
become: true become: true
@ -25,12 +27,20 @@
mode: '0640' mode: '0640'
loop: loop:
- { - {
dest: '{{ vpn_public_key_path }}', dest: '{{ vpn_default.public_key_path }}',
src: 'files/{{ platform }}/wireguard/{{ platform }}.pub', src: 'files/{{ platform }}/wireguard/default/{{ platform }}.pub',
} }
- { - {
dest: '{{ vpn_private_key_path }}', dest: '{{ vpn_default.private_key_path }}',
src: 'files/{{ platform }}/wireguard/{{ platform }}.key', src: 'files/{{ platform }}/wireguard/default/{{ platform }}.key',
}
- {
dest: '{{ vpn_media.public_key_path }}',
src: 'files/{{ platform }}/wireguard/media/{{ platform }}.pub',
}
- {
dest: '{{ vpn_media.private_key_path }}',
src: 'files/{{ platform }}/wireguard/media/{{ platform }}.key',
} }
- name: copy wireguard preshared keys - name: copy wireguard preshared keys
@ -41,7 +51,7 @@
owner: root owner: root
group: systemd-network group: systemd-network
mode: '0640' mode: '0640'
loop: '{{ vpn_peers }}' loop: '{{ vpn_default.peers + vpn_media.peers }}'
- block: - block:
- name: setup desktop network configuration - name: setup desktop network configuration
@ -65,6 +75,15 @@
src: 'templates/desktop/network/wg0.netdev.j2', src: 'templates/desktop/network/wg0.netdev.j2',
dest: '/etc/systemd/network/40-wg0.netdev', dest: '/etc/systemd/network/40-wg0.netdev',
} }
- {
src: 'templates/desktop/network/wg1.network.j2',
dest: '/etc/systemd/network/40-wg1.network',
}
- {
src: 'templates/desktop/network/wg1.netdev.j2',
dest: '/etc/systemd/network/40-wg1.netdev',
}
- name: remove leftover configuration files - name: remove leftover configuration files
become: true become: true
file: file:
@ -101,6 +120,14 @@
src: 'templates/laptop/network/wg0.netdev.j2', src: 'templates/laptop/network/wg0.netdev.j2',
dest: '/etc/systemd/network/40-wg0.netdev', dest: '/etc/systemd/network/40-wg0.netdev',
} }
- {
src: 'templates/laptop/network/wg1.network.j2',
dest: '/etc/systemd/network/40-wg1.network',
}
- {
src: 'templates/laptop/network/wg1.netdev.j2',
dest: '/etc/systemd/network/40-wg1.netdev',
}
- name: remove leftover configuration files - name: remove leftover configuration files
become: true become: true

10
templates/desktop/network/wg0.netdev.j2
View file

@ -1,13 +1,15 @@
# {{ ansible_managed }}
[NetDev] [NetDev]
Name={{ vpn_interface }} Name={{ vpn_default.interface }}
Kind=wireguard Kind=wireguard
Description=WireGuard tunnel {{ vpn_interface }} Description=WireGuard tunnel {{ vpn_default.interface }}
[WireGuard] [WireGuard]
# PrivateKeyFile option does not seem to work, perhaps a bug? # PrivateKeyFile option does not seem to work, perhaps a bug?
PrivateKey={{ vpn_private_key }} PrivateKey={{ vpn_default.private_key }}
{% for peer in vpn_peers %} {% for peer in vpn_default.peers %}
[WireGuardPeer] [WireGuardPeer]
PublicKey={{ peer.public_key }} PublicKey={{ peer.public_key }}
# PresharedKeyFile option does not seem to work, perhaps a bug? # PresharedKeyFile option does not seem to work, perhaps a bug?

6
templates/desktop/network/wg0.network.j2
View file

@ -1,5 +1,7 @@
# {{ ansible_managed }}
[Match] [Match]
Name={{ vpn_interface }} Name={{ vpn_default.interface }}
[Network] [Network]
Address={{ vpn_ip }}/{{ vpn_subnet }} Address={{ vpn_default.ip }}/{{ vpn_default.subnet }}

24
templates/desktop/network/wg1.netdev.j2 Normal file
View file

@ -0,0 +1,24 @@
# {{ ansible_managed }}
[NetDev]
Name={{ vpn_media.interface }}
Kind=wireguard
Description=WireGuard tunnel {{ vpn_media.interface }}
[WireGuard]
# PrivateKeyFile option does not seem to work, perhaps a bug?
PrivateKey={{ vpn_media.private_key }}
{% for peer in vpn_media.peers %}
[WireGuardPeer]
PublicKey={{ peer.public_key }}
# PresharedKeyFile option does not seem to work, perhaps a bug?
PresharedKey={{ peer.preshared_key }}
AllowedIPs={{ peer.allowd_ips }}
{% if peer.endpoint %}
Endpoint={{ peer.endpoint }}
{% endif %}
{% if not loop.last %}
{% endif %}
{% endfor %}

7
templates/desktop/network/wg1.network.j2 Normal file
View file

@ -0,0 +1,7 @@
# {{ ansible_managed }}
[Match]
Name={{ vpn_media.interface }}
[Network]
Address={{ vpn_media.ip }}/{{ vpn_media.subnet }}

10
templates/laptop/network/wg0.netdev.j2
View file

@ -1,13 +1,15 @@
# {{ ansible_managed }}
[NetDev] [NetDev]
Name={{ vpn_interface }} Name={{ vpn_default.interface }}
Kind=wireguard Kind=wireguard
Description=WireGuard tunnel {{ vpn_interface }} Description=WireGuard tunnel {{ vpn_default.interface }}
[WireGuard] [WireGuard]
# PrivateKeyFile option does not seem to work, perhaps a bug? # PrivateKeyFile option does not seem to work, perhaps a bug?
PrivateKey={{ vpn_private_key }} PrivateKey={{ vpn_default.private_key }}
{% for peer in vpn_peers %} {% for peer in vpn_default.peers %}
[WireGuardPeer] [WireGuardPeer]
PublicKey={{ peer.public_key }} PublicKey={{ peer.public_key }}
# PresharedKeyFile option does not seem to work, perhaps a bug? # PresharedKeyFile option does not seem to work, perhaps a bug?

6
templates/laptop/network/wg0.network.j2
View file

@ -1,5 +1,7 @@
# {{ ansible_managed }}
[Match] [Match]
Name={{ vpn_interface }} Name={{ vpn_default.interface }}
[Network] [Network]
Address={{ vpn_ip }}/{{ vpn_subnet }} Address={{ vpn_default.ip }}/{{ vpn_default.subnet }}

24
templates/laptop/network/wg1.netdev.j2 Normal file
View file

@ -0,0 +1,24 @@
# {{ ansible_managed }}
[NetDev]
Name={{ vpn_media.interface }}
Kind=wireguard
Description=WireGuard tunnel {{ vpn_media.interface }}
[WireGuard]
# PrivateKeyFile option does not seem to work, perhaps a bug?
PrivateKey={{ vpn_media.private_key }}
{% for peer in vpn_media.peers %}
[WireGuardPeer]
PublicKey={{ peer.public_key }}
# PresharedKeyFile option does not seem to work, perhaps a bug?
PresharedKey={{ peer.preshared_key }}
AllowedIPs={{ peer.allowd_ips }}
{% if peer.endpoint %}
Endpoint={{ peer.endpoint }}
{% endif %}
{% if not loop.last %}
{% endif %}
{% endfor %}

7
templates/laptop/network/wg1.network.j2 Normal file
View file

@ -0,0 +1,7 @@
# {{ ansible_managed }}
[Match]
Name={{ vpn_media.interface }}
[Network]
Address={{ vpn_media.ip }}/{{ vpn_media.subnet }}

81
vars/desktop.yml
View file

@ -1,27 +1,64 @@
platform_packages: [] platform_packages: []
vpn_ip: '10.0.0.3' vpn_default:
vpn_subnet: '24' ip: '10.0.0.3'
subnet: '24'
interface: 'wg0'
vpn_public_key_path: '/etc/wireguard/keys/public/desktop.pub' public_key_path: '/etc/wireguard/keys/public/default/desktop.pub'
vpn_private_key_path: '/etc/wireguard/keys/private/desktop.key' private_key_path: '/etc/wireguard/keys/private/default/desktop.key'
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
65386334366166306164363464633364383935313739373730373139663139373964336665636264
3563663038313039363230623266393164646164373739620a623536633631643231633938613461
63366239333230663531306333383962353937353736663336343434663633303232386531353832
6434633935333538650a613065306239333031656362356165326136333131356135383436326561
62303035386634636333353664373231633434656538303866386262353139363439363435346637
6637363334623133376134306165626564343864633032613763
vpn_private_key: !vault | peers:
$ANSIBLE_VAULT;1.1;AES256 - {
65386334366166306164363464633364383935313739373730373139663139373964336665636264 name: 'zeus',
3563663038313039363230623266393164646164373739620a623536633631643231633938613461 allowd_ips: '10.0.0.1/32',
63366239333230663531306333383962353937353736663336343434663633303232386531353832 endpoint: 'fudiggity.nl:51902',
6434633935333538650a613065306239333031656362356165326136333131356135383436326561 public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo=',
62303035386634636333353664373231633434656538303866386262353139363439363435346637 preshared_key_path: '/etc/wireguard/keys/private/default/preshared-zeus.psk',
6637363334623133376134306165626564343864633032613763 preshared_key_source_path: 'files/desktop/wireguard/default/preshared.psk',
preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n363333633336613939306632323163396239303739366135393232396134393266623939613534326238393638333137383235313039623264343932303038330a633934373638363966306533346235326234663464313963356238623064666430303030643533666536393662316237333463336462376366343335363131350a333135366239633765633136316133653535336661666461666365636233656165666635663037386666323931643265623233366133623237663734623661623661316436396465343866363266393565653237636136626536353630383263",
}
vpn_peers: vpn_media:
- { ip: '10.0.1.3'
name: 'zeus', subnet: '24'
allowd_ips: '10.0.0.1/32', interface: 'wg1'
endpoint: 'fudiggity.nl:51902',
public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo=', public_key_path: '/etc/wireguard/keys/public/media/desktop.pub'
preshared_key_path: '/etc/wireguard/keys/private/preshared-zeus.psk', private_key_path: '/etc/wireguard/keys/private/media/desktop.key'
preshared_key_source_path: 'files/desktop/wireguard/preshared.psk',
preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n363333633336613939306632323163396239303739366135393232396134393266623939613534326238393638333137383235313039623264343932303038330a633934373638363966306533346235326234663464313963356238623064666430303030643533666536393662316237333463336462376366343335363131350a333135366239633765633136316133653535336661666461666365636233656165666635663037386666323931643265623233366133623237663734623661623661316436396465343866363266393565653237636136626536353630383263", private_key: !vault |
} $ANSIBLE_VAULT;1.1;AES256
62396362373339306463343330346431613538383236663666386135383864303835616161336662
6633313937313261313033323361383866313639643733650a363730393538623463313362343133
34643530303832393530666239636263353435353031316166366638666132323034313662653334
3238313161363632380a356464626364656465616231346463366632386635353861303934653036
34363436616334386463353463303537346234346666366631333634393733613164636466633137
3265386536663664626236343062336662373638656435303966
peers:
- {
name: 'zeus-media',
allowd_ips: '10.0.1.1/32',
endpoint: 'fudiggity.nl:51903',
public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg=',
preshared_key_path: '/etc/wireguard/keys/private/media/preshared-zeus.psk',
preshared_key_source_path: 'files/laptop/wireguard/media/preshared.psk',
preshared_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
30613935653234316531633935306432343432343266346236383330393030346337313765346333
6366303237376564346131623662323066316435613737610a303439333438656663626334313134
32623138656664336462643835386435326536313734333535336534656565393934356438313062
3561656264663365390a303239613536393539636464656466373531623664633637663937333438
65663837353931373436613964633139396531653834386364383666336361376435383965643061
6233633761343562386534316336613062626236313833643066,
}

74
vars/laptop.yml
View file

@ -5,28 +5,58 @@ platform_packages:
- nvidia-utils - nvidia-utils
- lib32-nvidia-utils - lib32-nvidia-utils
vpn_ip: '10.0.0.2' vpn_default:
vpn_subnet: '24' ip: '10.0.0.2'
subnet: '24'
interface: 'wg0'
vpn_public_key_path: '/etc/wireguard/keys/public/laptop.pub' public_key_path: '/etc/wireguard/keys/public/default/laptop.pub'
vpn_private_key_path: '/etc/wireguard/keys/private/laptop.key' private_key_path: '/etc/wireguard/keys/private/default/laptop.key'
vpn_private_key: !vault | private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
36393066313764386361376662376266623331313765373666616334356362656332653838346330 36393066313764386361376662376266623331313765373666616334356362656332653838346330
3435643261333262653139636537326164356164373566310a633233623031336437303236636266 3435643261333262653139636537326164356164373566310a633233623031336437303236636266
61616165376631353433353463313532643564343664346335363835306430386364303635343432 61616165376631353433353463313532643564343664346335363835306430386364303635343432
3864343464666566310a363563613039333465336164323833316436393236666433333163666137 3864343464666566310a363563613039333465336164323833316436393236666433333163666137
33656632343262373463306438333764393031623666393161356539636663346331613539396637 33656632343262373463306438333764393031623666393161356539636663346331613539396637
3631363333623539636561366436613861363932323966666238 3631363333623539636561366436613861363932323966666238
vpn_peers: peers:
- { - {
name: 'zeus', name: 'zeus',
allowd_ips: '10.0.0.1/32', allowd_ips: '10.0.0.1/32',
endpoint: 'fudiggity.nl:51902', endpoint: 'fudiggity.nl:51902',
public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo=', public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo=',
preshared_key_path: '/etc/wireguard/keys/private/preshared-zeus.psk', preshared_key_path: '/etc/wireguard/keys/private/default/preshared-zeus.psk',
preshared_key_source_path: 'files/laptop/wireguard/preshared.psk', preshared_key_source_path: 'files/laptop/wireguard/default/preshared.psk',
preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n376463366339376639373237363632363836653266353534343331333831646366373430333163383838313835613565646466653139666337626237313737300a333761383466626637336164363235643861643865653536663433373762343637303334613862373663626663616138333964386333373633643431326233370a386664366238633533356235613332373630353731306233623364623239353564313631373061393535336532393439343432373435336538666334666335633737633030386438616566376131646662316464333765636331343262663437", preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n376463366339376639373237363632363836653266353534343331333831646366373430333163383838313835613565646466653139666337626237313737300a333761383466626637336164363235643861643865653536663433373762343637303334613862373663626663616138333964386333373633643431326233370a386664366238633533356235613332373630353731306233623364623239353564313631373061393535336532393439343432373435336538666334666335633737633030386438616566376131646662316464333765636331343262663437",
} }
vpn_media:
ip: '10.0.1.2'
subnet: '24'
interface: 'wg1'
public_key_path: '/etc/wireguard/keys/public/media/laptop.pub'
private_key_path: '/etc/wireguard/keys/private/media/laptop.key'
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
38343933313031343230346232633837346332656163303561323038643935343638333231633032
3035633565326130363666393631616333653638386564360a373863366364353632383031316561
35306566623237613565653465316566336439613064653934316536333062366163383435313366
6130633630376639330a366230386435643736353664623435316334666639653836393531623463
30336435613761616132656138303263396263336564323865356538353661366439333538343961
6164353934636536333433326332383830353034343437646563
peers:
- {
name: 'zeus-media',
allowd_ips: '10.0.1.1/32',
endpoint: 'fudiggity.nl:51903',
public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg=',
preshared_key_path: '/etc/wireguard/keys/private/media/preshared-zeus.psk',
preshared_key_source_path: 'files/laptop/wireguard/media/preshared.psk',
preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n666536333463333939313365343734313533633132396662336665643462336164373034666265623061373463396462333162323666323565636265663861310a623766653463613036663530653763376638643566323439636236656239663064646135323337333365653039343836303935316335383831643764663366360a656639303535666430643838343465356530633162383336663633346433346465376236366265656335636438323133643064356462313166323633623634323836363032626463376239373330356533336537633139643461316235366534"
}

2
vars/vpn.yml
View file

@ -1,2 +0,0 @@
vpn_interface: 'wg0'
vpn_protocol: 'udp'