Add wireguard configuration

templates/desktop/network/vmbr0.netdev.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+[NetDev]
+Name=vmbr0
+Kind=bridge

templates/desktop/network/vmbr0.network.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+[Match]
+Name=vmbr0
+
+[Network]
+Address=10.4.0.1/24
+DHCP=yes
+IPForward=yes
+ConfigureWithoutCarrier=yes

templates/desktop/network/wg0.netdev.j2

@@ -0,0 +1,24 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+[NetDev]
+Name={{ vpn_interface }}
+Kind=wireguard
+Description=WireGuard tunnel {{ vpn_interface }}
+
+[WireGuard]
+# PrivateKeyFile option does not seem to work, perhaps a bug?
+PrivateKey={{ vpn_private_key }}
+
+{% for peer in vpn_peers %}
+[WireGuardPeer]
+PublicKey={{ peer.public_key }}
+# PresharedKeyFile option does not seem to work, perhaps a bug?
+PresharedKey={{ peer.preshared_key }}
+AllowedIPs={{ peer.allowd_ips }}
+{% if peer.endpoint %}
+Endpoint={{ peer.endpoint }}
+{% endif %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}

templates/desktop/network/wg0.network.j2

@@ -0,0 +1,7 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+[Match]
+Name={{ vpn_interface }}
+
+[Network]
+Address={{ vpn_ip }}/{{ vpn_subnet }}

templates/desktop/nftables.j2

@@ -25,10 +25,10 @@ table inet filter {
     tcp dport ssh accept
 
     # syncthing
-    ip saddr 10.8.1.1 tcp dport 22000 accept
+    ip saddr 10.0.0.1 tcp dport 22000 accept
 
     # allow remote pulse audio
-    ip saddr 10.8.1.1 tcp dport 4713 accept
+    ip saddr 10.0.0.1 tcp dport 4713 accept
 
     # allow dhcp requests for bridget connections
     iifname "vmbr0" udp dport { 53, 67 } accept

templates/desktop/pulse-script.j2

@@ -2,4 +2,4 @@
 #
 # {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
 
-/usr/bin/pactl load-module module-native-protocol-tcp auth-anonymous=1 listen=10.8.1.10
+/usr/bin/pactl load-module module-native-protocol-tcp auth-anonymous=1 listen={{ vpn_ip }}

templates/desktop/syncthing.j2

@@ -71,7 +71,7 @@
         <maxRequestKiB>0</maxRequestKiB>
     </device>
     <device id="PGSOVGQ-VOHWV77-F7DFFQO-JZKTWWG-Z2XU2DE-N4ATK5U-F7MXKKM-TFSROQJ" name="Zeus" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy="">
-        <address>tcp://10.8.0.1:22000</address>
+        <address>tcp://10.0.0.1:22000</address>
         <paused>false</paused>
         <autoAcceptFolders>false</autoAcceptFolders>
         <maxSendKbps>0</maxSendKbps>

templates/laptop/openvpn.j2

@@ -1,102 +0,0 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
-#
-##############################################
-# Sample client-side OpenVPN 2.0 config file #
-# for connecting to multi-client server.     #
-#                                            #
-# This configuration can be used by multiple #
-# clients, however each client should have   #
-# its own cert and key files.                #
-#                                            #
-# On Windows, you might want to rename this  #
-# file so it has a .ovpn extension           #
-##############################################
-
-# Specify that we are a client and that we
-# will be pulling certain config file directives
-# from the server.
-client
-
-# Use the same setting as you are using on
-# the server.
-# On most systems, the VPN will not function
-# unless you partially or fully disable
-# the firewall for the TUN/TAP interface.
-dev {{ vpn_interface }}
-
-# Use unprivileged ip command
-#iproute /usr/local/sbin/unpriv-ip
-
-# Are we connecting to a TCP or
-# UDP server?  Use the same setting as
-# on the server.
-proto {{ vpn_protocol }}
-
-# The hostname/IP and port of the server.
-# You can have multiple remote entries
-# to load balance between the servers.
-remote {{ vpn_ip }}
-port {{ vpn_port }}
-
-# Keep trying indefinitely to resolve the
-# host name of the OpenVPN server.  Very useful
-# on machines which are not permanently connected
-# to the internet such as laptops.
-resolv-retry infinite
-
-# Ping every 30s - Inactivity restart 120s
-keepalive 30 120
-
-# Don't ping until connected to remote
-ping-timer-rem
-
-# Most clients don't need to bind to
-# a specific local port number.
-nobind
-
-# Try to preserve some state across restarts.
-persist-key
-persist-tun
-
-# SSL/TLS parms.
-# See the server config file for more
-# description.  It's best to use
-# a separate .crt/.key file pair
-# for each client.  A single ca
-# file can be used for all clients.
-ca /etc/openvpn/client/zeus/ca.crt
-cert  /etc/openvpn/client/zeus/laptop.crt
-key  /etc/openvpn/client/zeus/laptop.key
-
-# Verify server certificate by checking that the
-# certicate has the correct key usage set.
-# This is an important precaution to protect against
-# a potential attack discussed here:
-#  http://openvpn.net/howto.html#mitm
-#
-# To use this feature, you will need to generate
-# your server certificates with the keyUsage set to
-#   digitalSignature, keyEncipherment
-# and the extendedKeyUsage to
-#   serverAuth
-# EasyRSA can do this for you.
-remote-cert-tls server
-
-# If a tls-auth key is used on the server
-# then every client must also have the key.
-tls-auth ta.key 1
-auth SHA512
-
-# Select a cryptographic cipher.
-# If the cipher option is used on the server
-# then you must also specify it here.
-cipher AES-256-CBC
-
-# Enable compression on the VPN link.
-# Don't enable this unless it is also
-# enabled in the server config file.
-# Disabled as advised on https://openvpn.net/security-advisories/
-#compress lz4
-
-# Set log file verbosity.
-verb {{ vpn_verbosity }}