Use systemd file option wherever applicable

tasks/network.yml

@@ -3,21 +3,26 @@
 # using `wg set wg0 peer izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4= endpoint <NEW-IP>:<PORT>`
 # for example.
 
-- name: Create wireguard directories
+- name: Create Wireguard directories
   become: true
   ansible.builtin.file:
-    path: '{{ item | dirname }}'
+    path: '{{ item }}'
     owner: root
     group: systemd-network
-    mode: '0644'
+    mode: '0750'
     state: directory
+    recurse: true
   loop:
-    - '{{ vpn_default.private_key_path }}'
+    - '{{ vpn_config_dir }}'
-    - '{{ vpn_default.public_key_path }}'
+    - '{{ vpn_default.private_key_path | dirname }}'
-    - '{{ vpn_media.private_key_path }}'
+    - '{{ vpn_default.public_key_path | dirname }}'
-    - '{{ vpn_media.public_key_path }}'
+    - '{{ vpn_media.private_key_path | dirname }}'
+    - '{{ vpn_media.public_key_path | dirname }}'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
 
-- name: Copy wireguard credentials
+- name: Copy Wireguard credentials
   become: true
   ansible.builtin.copy:
     src: '{{ item.src }}'
@@ -37,8 +42,11 @@
 
     - dest: '{{ vpn_media.private_key_path }}'
       src: 'files/{{ platform }}/wireguard/media/{{ platform }}.key'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
 
-- name: Copy wireguard preshared keys
+- name: Copy Wireguard preshared keys
   become: true
   ansible.builtin.copy:
     src: '{{ item.preshared_key_source_path }}'
@@ -47,6 +55,9 @@
     group: systemd-network
     mode: '0640'
   loop: '{{ vpn_default.peers + vpn_media.peers }}'
+  notify:
+    - restart systemd-networkd
+    - restart systemd-resolved
 
 - name: Desktop configuration
   notify:

tasks/platform.yml

@@ -1,22 +1,22 @@
-- name: detect platform
+- name: Detect platform
-  command: laptop-detect
+  ansible.builtin.command: laptop-detect
   register: is_laptop
   failed_when: is_laptop.rc == 2
 
-- name: set platform (desktop)
+- name: Set platform (desktop)
-  set_fact:
+  ansible.builtin.set_fact:
     platform: 'desktop'
   when: is_laptop.rc == 1
 
-- name: set platform (laptop)
+- name: Set platform (laptop)
-  set_fact:
+  ansible.builtin.set_fact:
     platform: 'laptop'
   when: is_laptop.rc == 0
 
-- name: load desktop specific vars
+- name: Load desktop specific vars
-  include_vars: 'vars/desktop.yml'
+  ansible.builtin.include_vars: 'vars/desktop.yml'
   when: platform == "desktop"
 
-- name: load laptop specific vars
+- name: Load laptop specific vars
-  include_vars: 'vars/laptop.yml'
+  ansible.builtin.include_vars: 'vars/laptop.yml'
   when: platform == "laptop"

templates/desktop/network/wg0.netdev.j2

@@ -6,14 +6,12 @@ Kind=wireguard
 Description=WireGuard tunnel {{ vpn_default.interface }}
 
 [WireGuard]
-# PrivateKeyFile option does not seem to work, perhaps a bug?
+PrivateKeyFile={{ vpn_default.private_key_path }}
-PrivateKey={{ vpn_default.private_key }}
 
 {% for peer in vpn_default.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
-# PresharedKeyFile option does not seem to work, perhaps a bug?
+PresharedKeyFile={{ peer.preshared_key_path }}
-PresharedKey={{ peer.preshared_key }}
 AllowedIPs={{ peer.allowd_ips }}
 {% if peer.endpoint %}
 Endpoint={{ peer.endpoint }}

templates/desktop/network/wg1.netdev.j2

@@ -6,14 +6,12 @@ Kind=wireguard
 Description=WireGuard tunnel {{ vpn_media.interface }}
 
 [WireGuard]
-# PrivateKeyFile option does not seem to work, perhaps a bug?
+PrivateKeyFile={{ vpn_media.private_key_path }}
-PrivateKey={{ vpn_media.private_key }}
 
 {% for peer in vpn_media.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
-# PresharedKeyFile option does not seem to work, perhaps a bug?
+PresharedKeyFile={{ peer.preshared_key_path }}
-PresharedKey={{ peer.preshared_key }}
 AllowedIPs={{ peer.allowd_ips }}
 {% if peer.endpoint %}
 Endpoint={{ peer.endpoint }}

templates/laptop/network/wg0.netdev.j2

@@ -6,14 +6,12 @@ Kind=wireguard
 Description=WireGuard tunnel {{ vpn_default.interface }}
 
 [WireGuard]
-# PrivateKeyFile option does not seem to work, perhaps a bug?
+PrivateKeyFile={{ vpn_default.private_key_path }}
-PrivateKey={{ vpn_default.private_key }}
 
 {% for peer in vpn_default.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
-# PresharedKeyFile option does not seem to work, perhaps a bug?
+PresharedKeyFile={{ peer.preshared_key_path }}
-PresharedKey={{ peer.preshared_key }}
 AllowedIPs={{ peer.allowd_ips }}
 {% if peer.endpoint %}
 Endpoint={{ peer.endpoint }}

templates/laptop/network/wg1.netdev.j2

@@ -6,14 +6,12 @@ Kind=wireguard
 Description=WireGuard tunnel {{ vpn_media.interface }}
 
 [WireGuard]
-# PrivateKeyFile option does not seem to work, perhaps a bug?
+PrivateKeyFile={{ vpn_media.private_key_path }}
-PrivateKey={{ vpn_media.private_key }}
 
 {% for peer in vpn_media.peers %}
 [WireGuardPeer]
 PublicKey={{ peer.public_key }}
-# PresharedKeyFile option does not seem to work, perhaps a bug?
+PresharedKeyFile={{ peer.preshared_key_path }}
-PresharedKey={{ peer.preshared_key }}
 AllowedIPs={{ peer.allowd_ips }}
 {% if peer.endpoint %}
 Endpoint={{ peer.endpoint }}

vars/desktop.yml

@@ -1,24 +1,18 @@
 platform_packages: []
 
 modprobe_templates:
-  - {
+  - src: 'templates/desktop/modprobe/99-amdgpu.conf.j2'
-    src: 'templates/desktop/modprobe/99-amdgpu.conf.j2',
     dest: '/etc/modprobe.d/99-amdgpu.conf'
-  }
 
 mkinitcpio_templates:
-  - {
+  - src: 'templates/desktop/mkinitcpio/1-modules.conf.j2'
-      src: 'templates/desktop/mkinitcpio/1-modules.conf.j2',
     dest: '/etc/mkinitcpio.conf.d/1-amdgpu.conf'
-  }
+
-  - {
+  - src: 'templates/desktop/mkinitcpio/linux.preset.j2'
-      src: 'templates/desktop/mkinitcpio/linux.preset.j2',
     dest: '/etc/mkinitcpio.d/linux.preset'
-  }
+
-  - {
+  - src: 'templates/desktop/mkinitcpio/linux-lts.preset.j2'
-      src: 'templates/desktop/mkinitcpio/linux-lts.preset.j2',
     dest: '/etc/mkinitcpio.d/linux-lts.preset'
-  }
 
 boot_configuration:
   disk: /dev/sdc
@@ -29,53 +23,31 @@ vpn_default:
   subnet: '24'
   interface: 'wg0'
 
-  public_key_path: '/etc/wireguard/keys/public/default/desktop.pub'
+  public_key_path: '{{ vpn_config_dir }}/keys/public/default/desktop.pub'
-  private_key_path: '/etc/wireguard/keys/private/default/desktop.key'
+  private_key_path: '{{ vpn_config_dir }}/keys/private/default/desktop.key'
-  
+  private_key_source_path: 'files/desktop/wireguard/default/desktop.key'
-  private_key: !vault |
-    $ANSIBLE_VAULT;1.1;AES256
-    65386334366166306164363464633364383935313739373730373139663139373964336665636264
-    3563663038313039363230623266393164646164373739620a623536633631643231633938613461
-    63366239333230663531306333383962353937353736663336343434663633303232386531353832
-    6434633935333538650a613065306239333031656362356165326136333131356135383436326561
-    62303035386634636333353664373231633434656538303866386262353139363439363435346637
-    6637363334623133376134306165626564343864633032613763
 
   peers:
-    - {
+    - name: 'zeus'
-        name: 'zeus',
+      allowd_ips: '10.0.0.1/32'
-        allowd_ips: '10.0.0.1/32',
+      endpoint: 'fudiggity.nl:51902'
-        endpoint: 'fudiggity.nl:51902',
+      public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo='
-        public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo=',
+      preshared_key_path: '{{ vpn_config_dir }}/keys/private/default/preshared-zeus.psk'
-        preshared_key_path: '/etc/wireguard/keys/private/default/preshared-zeus.psk',
+      preshared_key_source_path: 'files/desktop/wireguard/default/preshared.psk'
-        preshared_key_source_path: 'files/desktop/wireguard/default/preshared.psk',
-        preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n363333633336613939306632323163396239303739366135393232396134393266623939613534326238393638333137383235313039623264343932303038330a633934373638363966306533346235326234663464313963356238623064666430303030643533666536393662316237333463336462376366343335363131350a333135366239633765633136316133653535336661666461666365636233656165666635663037386666323931643265623233366133623237663734623661623661316436396465343866363266393565653237636136626536353630383263",
-      }
 
 vpn_media:
   ip: '10.0.1.3'
   subnet: '24'
   interface: 'wg1'
 
-  public_key_path: '/etc/wireguard/keys/public/media/desktop.pub'
+  public_key_path: '{{ vpn_config_dir }}/keys/public/media/desktop.pub'
-  private_key_path: '/etc/wireguard/keys/private/media/desktop.key'
+  private_key_path: '{{ vpn_config_dir }}/keys/private/media/desktop.key'
-
+  private_key_source_path: 'files/desktop/wireguard/media/desktop.key'
-  private_key: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          62396362373339306463343330346431613538383236663666386135383864303835616161336662
-          6633313937313261313033323361383866313639643733650a363730393538623463313362343133
-          34643530303832393530666239636263353435353031316166366638666132323034313662653334
-          3238313161363632380a356464626364656465616231346463366632386635353861303934653036
-          34363436616334386463353463303537346234346666366631333634393733613164636466633137
-          3265386536663664626236343062336662373638656435303966
 
   peers:
-    - {
+    - name: 'zeus-media'
-        name: 'zeus-media',
+      allowd_ips: '10.0.1.1/32'
-        allowd_ips: '10.0.1.1/32',
+      endpoint: 'fudiggity.nl:51903'
-        endpoint: 'fudiggity.nl:51903',
+      public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg='
-        public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg=',
+      preshared_key_path: '{{ vpn_config_dir }}/keys/private/media/preshared-zeus.psk'
-        preshared_key_path: '/etc/wireguard/keys/private/media/preshared-zeus.psk',
+      preshared_key_source_path: 'files/desktop/wireguard/media/preshared.psk'
-        preshared_key_source_path: 'files/laptop/wireguard/media/preshared.psk',
-        preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n306139356532343165316339353064323434323432663462363833303930303463373137653463336366303237376564346131623662323066316435613737610a303439333438656663626334313134326231386566643364626438353864353265363137343335353365346565653939343564383130623561656264663365390a303239613536393539636464656466373531623664633637663937333438656638373539313734366139646331393965316538343863643836663363613764353839656430616233633761343562386534316336613062626236313833643066",
-      }

vars/laptop.yml

@@ -10,75 +10,46 @@ boot_configuration:
   partition: 1
 
 mkinitcpio_templates:
-  - {
+  - src: 'templates/laptop/mkinitcpio/1-modules.conf.j2'
-      src: 'templates/laptop/mkinitcpio/1-modules.conf.j2',
     dest: '/etc/mkinitcpio.conf.d/1-modules.conf'
-  }
+
-  - {
+  - src: 'templates/laptop/mkinitcpio/2-hooks.conf.j2'
-      src: 'templates/laptop/mkinitcpio/2-hooks.conf.j2',
     dest: '/etc/mkinitcpio.conf.d/2-hooks.conf'
-  }
+
-  - {
+  - src: 'templates/laptop/mkinitcpio/linux.preset.j2'
-      src: 'templates/laptop/mkinitcpio/linux.preset.j2',
     dest: '/etc/mkinitcpio.d/linux.preset'
-  }
+
-  - {
+  - src: 'templates/laptop/mkinitcpio/linux-lts.preset.j2'
-      src: 'templates/laptop/mkinitcpio/linux-lts.preset.j2',
     dest: '/etc/mkinitcpio.d/linux-lts.preset'
-  }
 
 vpn_default:
   ip: '10.0.0.2'
   subnet: '24'
   interface: 'wg0'
 
-  public_key_path: '/etc/wireguard/keys/public/default/laptop.pub'
+  public_key_path: '{{ vpn_config_dir }}/keys/public/default/laptop.pub'
-  private_key_path: '/etc/wireguard/keys/private/default/laptop.key'
+  private_key_path: '{{ vpn_config_dir }}/keys/private/default/laptop.key'
-
-  private_key: !vault |
-    $ANSIBLE_VAULT;1.1;AES256
-    36393066313764386361376662376266623331313765373666616334356362656332653838346330
-    3435643261333262653139636537326164356164373566310a633233623031336437303236636266
-    61616165376631353433353463313532643564343664346335363835306430386364303635343432
-    3864343464666566310a363563613039333465336164323833316436393236666433333163666137
-    33656632343262373463306438333764393031623666393161356539636663346331613539396637
-    3631363333623539636561366436613861363932323966666238
 
   peers:
-    - {
+    - name: 'zeus'
-        name: 'zeus',
+      allowd_ips: '10.0.0.1/32'
-        allowd_ips: '10.0.0.1/32',
+      endpoint: 'fudiggity.nl:51902'
-        endpoint: 'fudiggity.nl:51902',
+      public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo='
-        public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo=',
+      preshared_key_path: '{{ vpn_config_dir }}/keys/private/default/preshared-zeus.psk'
-        preshared_key_path: '/etc/wireguard/keys/private/default/preshared-zeus.psk',
+      preshared_key_source_path: 'files/laptop/wireguard/default/preshared.psk'
-        preshared_key_source_path: 'files/laptop/wireguard/default/preshared.psk',
-        preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n376463366339376639373237363632363836653266353534343331333831646366373430333163383838313835613565646466653139666337626237313737300a333761383466626637336164363235643861643865653536663433373762343637303334613862373663626663616138333964386333373633643431326233370a386664366238633533356235613332373630353731306233623364623239353564313631373061393535336532393439343432373435336538666334666335633737633030386438616566376131646662316464333765636331343262663437",
-      }
 
 vpn_media:
   ip: '10.0.1.2'
   subnet: '24'
   interface: 'wg1'
 
-  public_key_path: '/etc/wireguard/keys/public/media/laptop.pub'
+  public_key_path: '{{ vpn_config_dir }}/keys/public/media/laptop.pub'
-  private_key_path: '/etc/wireguard/keys/private/media/laptop.key'
+  private_key_path: '{{ vpn_config_dir }}/keys/private/media/laptop.key'
-
-  private_key: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          38343933313031343230346232633837346332656163303561323038643935343638333231633032
-          3035633565326130363666393631616333653638386564360a373863366364353632383031316561
-          35306566623237613565653465316566336439613064653934316536333062366163383435313366
-          6130633630376639330a366230386435643736353664623435316334666639653836393531623463
-          30336435613761616132656138303263396263336564323865356538353661366439333538343961
-          6164353934636536333433326332383830353034343437646563
 
   peers:
-    - {
+    - name: 'zeus-media'
-        name: 'zeus-media',
+      allowd_ips: '10.0.1.1/32'
-        allowd_ips: '10.0.1.1/32',
+      endpoint: 'fudiggity.nl:51903'
-        endpoint: 'fudiggity.nl:51903',
+      public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg='
-        public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg=',
+      preshared_key_path: '{{ vpn_config_dir }}/keys/private/media/preshared-zeus.psk'
-        preshared_key_path: '/etc/wireguard/keys/private/media/preshared-zeus.psk',
+      preshared_key_source_path: 'files/laptop/wireguard/media/preshared.psk'
-        preshared_key_source_path: 'files/laptop/wireguard/media/preshared.psk',
-        preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n666536333463333939313365343734313533633132396662336665643462336164373034666265623061373463396462333162323666323565636265663861310a623766653463613036663530653763376638643566323439636236656239663064646135323337333365653039343836303935316335383831643764663366360a656639303535666430643838343465356530633162383336663633346433346465376236366265656335636438323133643064356462313166323633623634323836363032626463376239373330356533336537633139643461316235366534"
-      }

vars/main.yml

@@ -43,3 +43,5 @@ modprobe_templates: []
 mkinitcpio_templates: []
 
 boot_configuration:
+
+vpn_config_dir: '/etc/wireguard'