From 10b34cffaf96b043e27e8221d53e32e6d9a7bf66 Mon Sep 17 00:00:00 2001 From: Sonny Bakker Date: Sat, 1 Mar 2025 21:01:48 +0100 Subject: [PATCH 1/5] Fix ansible lint errors --- playbook.yml | 58 +++++++++++++++++++++++++++++++++++----------------- 1 file changed, 39 insertions(+), 19 deletions(-) diff --git a/playbook.yml b/playbook.yml index 7b0b51d..01a2109 100644 --- a/playbook.yml +++ b/playbook.yml 
@@ -1,46 +1,66 @@ -- hosts: localhost +- name: Arch Linux provisioning + hosts: localhost pre_tasks: - - name: install shared packages + - name: Install shared packages become: true - pacman: + community.general.pacman: name: '{{ packages }}' - - name: detecting platform - import_tasks: 'tasks/platform.yml' - - name: install platform specific packages + + - name: Detect platform + ansible.builtin.import_tasks: 'tasks/platform.yml' + + - name: Install platform specific packages become: true - pacman: + community.general.pacman: name: '{{ platform_packages }}' when: platform_packages | length > 0 roles: - common tasks: - - import_tasks: 'tasks/setup.yml' + - name: Generic provisioning + ansible.builtin.import_tasks: 'tasks/setup.yml' - - import_tasks: 'tasks/setup-desktop.yml' + - name: Desktop provisioning + ansible.builtin.import_tasks: 'tasks/setup-desktop.yml' when: platform == 'desktop' tags: laptop - - import_tasks: 'tasks/setup-laptop.yml' + - name: Laptop provisioning + ansible.builtin.import_tasks: 'tasks/setup-laptop.yml' when: platform == 'laptop' tags: laptop - - import_tasks: 'tasks/network.yml' - - import_tasks: 'tasks/systemd.yml' + - name: Network provisioning + ansible.builtin.import_tasks: 'tasks/network.yml' - - import_tasks: 'tasks/git.yml' + - name: Systemd provisioning + ansible.builtin.import_tasks: 'tasks/systemd.yml' + + - name: Git provisioning + ansible.builtin.import_tasks: 'tasks/git.yml' tags: git - - import_tasks: 'tasks/mpv.yml' + - name: MPV provisioning + ansible.builtin.import_tasks: 'tasks/mpv.yml' tags: mpv - - import_tasks: 'tasks/mpd.yml' + - name: MPD provisioning + ansible.builtin.import_tasks: 'tasks/mpd.yml' tags: mpd - - import_tasks: 'tasks/syncthing.yml' - - import_tasks: 'tasks/timer.yml' + - name: Syncthing provisioning + ansible.builtin.import_tasks: 'tasks/syncthing.yml' + + - name: Systemd timer provisioning + ansible.builtin.import_tasks: 'tasks/timer.yml' + handlers: - - import_tasks: 'handlers.yml' - - 
import_tasks: 'roles/common/handlers/user.yml' + + - name: Import default handlers + ansible.builtin.import_tasks: 'handlers.yml' + + - name: Import common role handlers + ansible.builtin.import_tasks: 'roles/common/handlers/user.yml' vars_files: - 'vars/main.yml' - 'vars/gpg.yml' From ee384fe64451b2c5816eeabcb4dfdcb6eb793f11 Mon Sep 17 00:00:00 2001 From: Sonny Bakker Date: Sat, 1 Mar 2025 21:08:26 +0100 Subject: [PATCH 2/5] Fix network task linter errors --- tasks/network.yml | 163 +++++++++++++++++++++------------------------- 1 file changed, 73 insertions(+), 90 deletions(-) diff --git a/tasks/network.yml b/tasks/network.yml index c03e12e..1faca5c 100644 --- a/tasks/network.yml +++ b/tasks/network.yml @@ -3,9 +3,9 @@ # using `wg set wg0 peer izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4= endpoint :` # for example. -- name: create wireguard directories +- name: Create wireguard directories become: true - file: + ansible.builtin.file: path: '{{ item | dirname }}' owner: root group: systemd-network 
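Review bot: The `Desktop provisioning` import keeps the context line `tags: laptop` on the new side, so `--tags laptop` selects the desktop setup (gated only by `when: platform == 'desktop'`) and there is no `desktop` tag to select it on its own; this reads like a copy of the laptop entry below and should be `tags: desktop`. `Install shared packages` runs before `Detect platform` in `pre_tasks`, which is only safe while `packages` never depends on `platform`; a one-line comment above `pre_tasks` stating that ordering assumption would save the next reader from checking `vars/main.yml`.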
@@ -17,35 +17,30 @@ - '{{ vpn_media.private_key_path }}' - '{{ vpn_media.public_key_path }}' -- name: copy wireguard credentials +- name: Copy wireguard credentials become: true - copy: + ansible.builtin.copy: src: '{{ item.src }}' dest: '{{ item.dest }}' owner: root group: systemd-network mode: '0640' loop: - - { - dest: '{{ vpn_default.public_key_path }}', - src: 'files/{{ platform }}/wireguard/default/{{ platform }}.pub', - } - - { - dest: '{{ vpn_default.private_key_path }}', - src: 'files/{{ platform }}/wireguard/default/{{ platform }}.key', - } - - { - dest: '{{ vpn_media.public_key_path }}', - src: 'files/{{ platform }}/wireguard/media/{{ platform }}.pub', - } - - { - dest: '{{ vpn_media.private_key_path }}', - src: 'files/{{ platform }}/wireguard/media/{{ platform }}.key', - } + - dest: '{{ vpn_default.public_key_path }}' + src: 'files/{{ platform }}/wireguard/default/{{ platform }}.pub' -- name: copy wireguard preshared keys + - dest: '{{ vpn_default.private_key_path }}' + src: 'files/{{ platform }}/wireguard/default/{{ platform }}.key' + + - dest: '{{ vpn_media.public_key_path }}' + src: 'files/{{ platform }}/wireguard/media/{{ platform }}.pub' + + - dest: '{{ vpn_media.private_key_path }}' + src: 'files/{{ platform }}/wireguard/media/{{ platform }}.key' + +- name: Copy wireguard preshared keys become: true - copy: + ansible.builtin.copy: src: '{{ item.preshared_key_source_path }}' dest: '{{ item.preshared_key_path }}' owner: root 
@@ -53,100 +48,88 @@ mode: '0640' loop: '{{ vpn_default.peers + vpn_media.peers }}' -- block: - - name: setup desktop network configuration - become: true - template: - src: '{{ item.src }}' - dest: '{{ item.dest }}' - owner: root - group: systemd-network - mode: '0640' - loop: - - { - src: 'templates/desktop/network/enp.network.j2', - dest: '/etc/systemd/network/20-wired.network', - } - - { - src: 'templates/desktop/network/wg0.network.j2', - dest: '/etc/systemd/network/40-wg0.network', - } - - { - src: 'templates/desktop/network/wg0.netdev.j2', - dest: '/etc/systemd/network/40-wg0.netdev', - } - - { - src: 'templates/desktop/network/wg1.network.j2', - dest: '/etc/systemd/network/40-wg1.network', - } - - { - src: 'templates/desktop/network/wg1.netdev.j2', - dest: '/etc/systemd/network/40-wg1.netdev', - } - - - name: remove leftover configuration files - become: true - file: - path: '{{ item }}' - state: absent - loop: - - '/etc/systemd/network/30-vmbr0.network' - - '/etc/systemd/network/30-vmbr0.netdev' - +- name: Desktop configuration notify: - restart systemd-networkd - restart systemd-resolved when: platform == "desktop" - -- block: - - name: setup laptop network configuration + block: + - name: Setup network configuration become: true - template: + ansible.builtin.template: src: '{{ item.src }}' dest: '{{ item.dest }}' owner: root group: systemd-network mode: '0640' loop: - - { - src: 'templates/laptop/network/wireless.network.j2', - dest: '/etc/systemd/network/20-wireless.network', - } - - { - src: 'templates/laptop/network/wg0.network.j2', - dest: '/etc/systemd/network/40-wg0.network', - } - - { - src: 'templates/laptop/network/wg0.netdev.j2', - dest: '/etc/systemd/network/40-wg0.netdev', - } - - { - src: 'templates/laptop/network/wg1.network.j2', - dest: '/etc/systemd/network/40-wg1.network', - } - - { - src: 'templates/laptop/network/wg1.netdev.j2', - dest: '/etc/systemd/network/40-wg1.netdev', - } + - src: 'templates/desktop/network/enp.network.j2' + 
dest: '/etc/systemd/network/20-wired.network' - - name: remove leftover configuration files + - src: 'templates/desktop/network/wg0.network.j2' + dest: '/etc/systemd/network/40-wg0.network' + + - src: 'templates/desktop/network/wg0.netdev.j2' + dest: '/etc/systemd/network/40-wg0.netdev' + + - src: 'templates/desktop/network/wg1.network.j2' + dest: '/etc/systemd/network/40-wg1.network' + + - src: 'templates/desktop/network/wg1.netdev.j2' + dest: '/etc/systemd/network/40-wg1.netdev' + + - name: Remove leftover configuration files become: true - file: + ansible.builtin.file: path: '{{ item }}' state: absent loop: - '/etc/systemd/network/30-vmbr0.network' - '/etc/systemd/network/30-vmbr0.netdev' +- name: Laptop configuration notify: - restart systemd-networkd - restart systemd-resolved - restart iwd when: platform == "laptop" + block: + - name: Setup network configuration + become: true + ansible.builtin.template: + src: '{{ item.src }}' + dest: '{{ item.dest }}' + owner: root + group: systemd-network + mode: '0640' + loop: + - src: 'templates/laptop/network/wireless.network.j2' + dest: '/etc/systemd/network/20-wireless.network' -- name: copy firewall template + - src: 'templates/laptop/network/wg0.network.j2' + dest: '/etc/systemd/network/40-wg0.network' + + - src: 'templates/laptop/network/wg0.netdev.j2' + dest: '/etc/systemd/network/40-wg0.netdev' + + - src: 'templates/laptop/network/wg1.network.j2' + dest: '/etc/systemd/network/40-wg1.network' + + - src: 'templates/laptop/network/wg1.netdev.j2' + dest: '/etc/systemd/network/40-wg1.netdev' + + - name: Remove leftover configuration files + become: true + ansible.builtin.file: + path: '{{ item }}' + state: absent + loop: + - '/etc/systemd/network/30-vmbr0.network' + - '/etc/systemd/network/30-vmbr0.netdev' + +- name: Copy firewall template become: true - template: + ansible.builtin.template: src: 'templates/{{ platform }}/nftables.j2' dest: '/etc/nftables.conf' owner: root 
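Review bot: The `Desktop configuration` and `Laptop configuration` blocks are now identical except for the `desktop`/`laptop` path segment, the first template's name, and the extra `restart iwd` handler, so every future template change has to be made twice; the `Copy firewall template` task below already resolves `templates/{{ platform }}/nftables.j2`, and the same pattern plus per-platform template and handler lists in `vars/desktop.yml` / `vars/laptop.yml` would collapse both blocks into one without the `when:` gate. The `when: platform == "desktop"` / `"laptop"` conditions use double quotes while the rest of the file single-quotes strings; `when: platform == 'desktop'` keeps the file consistent. Proposed shape, with `network_templates` and `network_handlers` being new per-platform vars (constructed names):
```yaml
- name: Network configuration
  notify: '{{ network_handlers }}'
  block:
    - name: Setup network configuration
      become: true
      ansible.builtin.template:
        src: 'templates/{{ platform }}/network/{{ item.src }}'
        dest: '/etc/systemd/network/{{ item.dest }}'
        owner: root
        group: systemd-network
        mode: '0640'
      loop: '{{ network_templates }}'
    # … unchanged: Remove leftover configuration files task …
```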
From eab191b54ebd6041f7969c46bc9d62c2525d093f Mon Sep 17 00:00:00 2001 From: Sonny Bakker Date: Sat, 1 Mar 2025 21:45:59 +0100 Subject: [PATCH 3/5] Ask vault password by default --- ansible.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible.cfg b/ansible.cfg index 4c41b64..5ec08e7 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,5 +1,6 @@ [defaults] roles_path = ./roles +ask_vault_pass = true [privilege_escalation] become_ask_pass = True From a44c76344b417b91647e424d7ea06be735eae3b3 Mon Sep 17 00:00:00 2001 From: Sonny Bakker Date: Sat, 1 Mar 2025 21:46:16 +0100 Subject: [PATCH 4/5] Add more tags --- playbook.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/playbook.yml b/playbook.yml index 01a2109..ea30c97 100644 --- a/playbook.yml +++ b/playbook.yml @@ -8,6 +8,7 @@ - name: Detect platform ansible.builtin.import_tasks: 'tasks/platform.yml' + tags: platform_vars - name: Install platform specific packages become: true @@ -19,6 +20,7 @@ tasks: - name: Generic provisioning ansible.builtin.import_tasks: 'tasks/setup.yml' + tags: setup - name: Desktop provisioning ansible.builtin.import_tasks: 'tasks/setup-desktop.yml' @@ -32,9 +34,11 @@ - name: Network provisioning ansible.builtin.import_tasks: 'tasks/network.yml' + tags: network - name: Systemd provisioning ansible.builtin.import_tasks: 'tasks/systemd.yml' + tags: systemd - name: Git provisioning ansible.builtin.import_tasks: 'tasks/git.yml' @@ -50,12 +54,13 @@ - name: Syncthing provisioning ansible.builtin.import_tasks: 'tasks/syncthing.yml' + tags: syncthing - name: Systemd timer provisioning ansible.builtin.import_tasks: 'tasks/timer.yml' + tags: timers handlers: - - name: Import default handlers ansible.builtin.import_tasks: 'handlers.yml' From b2c395b3b7f164d5511567345dc67453571283b2 Mon Sep 17 00:00:00 2001 
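Review bot: Tagging the `Detect platform` import with `platform_vars` means a run limited to another tag, for example `--tags network`, skips `tasks/platform.yml` entirely, so `platform` and the variables it loads from `vars/desktop.yml` / `vars/laptop.yml` (`vpn_default`, `vpn_media`, `platform_packages`) are undefined when the selected tasks reach them; the same applies to the `setup`, `systemd`, `syncthing` and `timers` tags added in the later hunks of this patch. Tags on a static `import_tasks` are inherited by every imported task, so the detection import should carry `tags: always` (or `tags: [platform_vars, always]`) so it runs regardless of tag selection.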
From: Sonny Bakker Date: Sun, 2 Mar 2025 16:05:07 +0100 Subject: [PATCH 5/5] Use systemd file option wherever applicable --- tasks/network.yml | 29 ++++++--- tasks/platform.yml | 20 +++--- templates/desktop/network/wg0.netdev.j2 | 6 +- templates/desktop/network/wg1.netdev.j2 | 6 +- templates/laptop/network/wg0.netdev.j2 | 6 +- templates/laptop/network/wg1.netdev.j2 | 6 +- vars/desktop.yml | 82 ++++++++---------------- vars/laptop.yml | 83 ++++++++----------------- vars/main.yml | 2 + 9 files changed, 94 insertions(+), 146 deletions(-) diff --git a/tasks/network.yml b/tasks/network.yml index 1faca5c..feec18b 100644 --- a/tasks/network.yml +++ b/tasks/network.yml @@ -3,21 +3,26 @@ # using `wg set wg0 peer izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4= endpoint :` # for example. -- name: Create wireguard directories +- name: Create Wireguard directories become: true ansible.builtin.file: - path: '{{ item | dirname }}' + path: '{{ item }}' owner: root group: systemd-network - mode: '0644' + mode: '0750' state: directory + recurse: true loop: - - '{{ vpn_default.private_key_path }}' - - '{{ vpn_default.public_key_path }}' - - '{{ vpn_media.private_key_path }}' - - '{{ vpn_media.public_key_path }}' + - '{{ vpn_config_dir }}' + - '{{ vpn_default.private_key_path | dirname }}' + - '{{ vpn_default.public_key_path | dirname }}' + - '{{ vpn_media.private_key_path | dirname }}' + - '{{ vpn_media.public_key_path | dirname }}' + notify: + - restart systemd-networkd + - restart systemd-resolved -- name: Copy wireguard credentials +- name: Copy Wireguard credentials become: true ansible.builtin.copy: src: '{{ item.src }}' @@ -37,8 +42,11 @@ - dest: '{{ vpn_media.private_key_path }}' src: 'files/{{ platform }}/wireguard/media/{{ platform }}.key' + notify: + - restart systemd-networkd + - restart systemd-resolved -- name: Copy wireguard preshared keys +- name: Copy Wireguard preshared keys become: true ansible.builtin.copy: src: '{{ item.preshared_key_source_path }}' 
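Review bot: `recurse: true` on `Create Wireguard directories` applies `mode: '0750'` and the owner/group to everything already below each listed directory, not only to the directories, so on every run after the first it rewrites the key files that the two copy tasks below install with `mode: '0640'`, and those tasks then change them back; the play never converges, and with the `notify` now on all three tasks it restarts systemd-networkd and systemd-resolved on every run. The loop already names each directory explicitly and `state: directory` creates missing parents, so dropping the `recurse: true` line keeps the intended directory permissions without touching the files. Whether the public-key directories need `systemd-network` ownership at all is a separate question; the `.netdev` templates in this series reference only the private and preshared key paths.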
@@ -47,6 +55,9 @@ group: systemd-network mode: '0640' loop: '{{ vpn_default.peers + vpn_media.peers }}' + notify: + - restart systemd-networkd + - restart systemd-resolved - name: Desktop configuration notify: diff --git a/tasks/platform.yml b/tasks/platform.yml index 287b9c7..66e96cd 100644 --- a/tasks/platform.yml +++ b/tasks/platform.yml @@ -1,22 +1,22 @@ -- name: detect platform - command: laptop-detect +- name: Detect platform + ansible.builtin.command: laptop-detect register: is_laptop failed_when: is_laptop.rc == 2 -- name: set platform (desktop) - set_fact: +- name: Set platform (desktop) + ansible.builtin.set_fact: platform: 'desktop' when: is_laptop.rc == 1 -- name: set platform (laptop) - set_fact: +- name: Set platform (laptop) + ansible.builtin.set_fact: platform: 'laptop' when: is_laptop.rc == 0 -- name: load desktop specific vars - include_vars: 'vars/desktop.yml' +- name: Load desktop specific vars + ansible.builtin.include_vars: 'vars/desktop.yml' when: platform == "desktop" -- name: load laptop specific vars - include_vars: 'vars/laptop.yml' +- name: Load laptop specific vars + ansible.builtin.include_vars: 'vars/laptop.yml' when: platform == "laptop" diff --git a/templates/desktop/network/wg0.netdev.j2 b/templates/desktop/network/wg0.netdev.j2 index 788c88f..6f1c0dd 100644 --- a/templates/desktop/network/wg0.netdev.j2 +++ b/templates/desktop/network/wg0.netdev.j2 @@ -6,14 +6,12 @@ Kind=wireguard Description=WireGuard tunnel {{ vpn_default.interface }} [WireGuard] -# PrivateKeyFile option does not seem to work, perhaps a bug? -PrivateKey={{ vpn_default.private_key }} +PrivateKeyFile={{ vpn_default.private_key_path }} {% for peer in vpn_default.peers %} [WireGuardPeer] PublicKey={{ peer.public_key }} -# PresharedKeyFile option does not seem to work, perhaps a bug? -PresharedKey={{ peer.preshared_key }} +PresharedKeyFile={{ peer.preshared_key_path }} AllowedIPs={{ peer.allowd_ips }} {% if peer.endpoint %} Endpoint={{ peer.endpoint }} 
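Review bot: The `Detect platform` command task has no `changed_when`, so `laptop-detect`, which only inspects the host, is reported as changed on every run; add `changed_when: false` next to `register: is_laptop`. With `failed_when: is_laptop.rc == 2` replacing the default failure condition, any exit code other than 0, 1 or 2 sets neither `set_fact` and leaves `platform` undefined until the later `when: platform == ...` tasks fail; `failed_when: is_laptop.rc not in [0, 1]` reports the problem at the detection step instead.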
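Review bot: `templates/desktop/network/wg0.netdev.j2` and `templates/laptop/network/wg0.netdev.j2` carry identical blob ids on both sides of this series (`788c88f..6f1c0dd`), as do the two `wg1.netdev.j2` files (`1917cb6..104804f`), so this same two-line edit had to be repeated in four files; the only reason for the copies is the desktop/laptop split of the template paths in `tasks/network.yml`. Moving the key material out of the rendered `.netdev` files into `PrivateKeyFile=` / `PresharedKeyFile=` is the right direction: the rendered unit no longer has to be treated as a secret, and the referenced files are installed `root:systemd-network` with `mode: '0640'` by the copy tasks, which is what networkd needs to read them. The key `allowd_ips` is spelled that way consistently in the vars files and templates; renaming it to `allowed_ips` would have to change both sides in one commit.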
diff --git a/templates/desktop/network/wg1.netdev.j2 b/templates/desktop/network/wg1.netdev.j2 index 1917cb6..104804f 100644 --- a/templates/desktop/network/wg1.netdev.j2 +++ b/templates/desktop/network/wg1.netdev.j2 @@ -6,14 +6,12 @@ Kind=wireguard Description=WireGuard tunnel {{ vpn_media.interface }} [WireGuard] -# PrivateKeyFile option does not seem to work, perhaps a bug? -PrivateKey={{ vpn_media.private_key }} +PrivateKeyFile={{ vpn_media.private_key_path }} {% for peer in vpn_media.peers %} [WireGuardPeer] PublicKey={{ peer.public_key }} -# PresharedKeyFile option does not seem to work, perhaps a bug? -PresharedKey={{ peer.preshared_key }} +PresharedKeyFile={{ peer.preshared_key_path }} AllowedIPs={{ peer.allowd_ips }} {% if peer.endpoint %} Endpoint={{ peer.endpoint }} diff --git a/templates/laptop/network/wg0.netdev.j2 b/templates/laptop/network/wg0.netdev.j2 index 788c88f..6f1c0dd 100644 --- a/templates/laptop/network/wg0.netdev.j2 +++ b/templates/laptop/network/wg0.netdev.j2 @@ -6,14 +6,12 @@ Kind=wireguard Description=WireGuard tunnel {{ vpn_default.interface }} [WireGuard] -# PrivateKeyFile option does not seem to work, perhaps a bug? -PrivateKey={{ vpn_default.private_key }} +PrivateKeyFile={{ vpn_default.private_key_path }} {% for peer in vpn_default.peers %} [WireGuardPeer] PublicKey={{ peer.public_key }} -# PresharedKeyFile option does not seem to work, perhaps a bug? -PresharedKey={{ peer.preshared_key }} +PresharedKeyFile={{ peer.preshared_key_path }} AllowedIPs={{ peer.allowd_ips }} {% if peer.endpoint %} Endpoint={{ peer.endpoint }} diff --git a/templates/laptop/network/wg1.netdev.j2 b/templates/laptop/network/wg1.netdev.j2 index 1917cb6..104804f 100644 --- a/templates/laptop/network/wg1.netdev.j2 +++ b/templates/laptop/network/wg1.netdev.j2 
@@ -6,14 +6,12 @@ Kind=wireguard Description=WireGuard tunnel {{ vpn_media.interface }} [WireGuard] -# PrivateKeyFile option does not seem to work, perhaps a bug? -PrivateKey={{ vpn_media.private_key }} +PrivateKeyFile={{ vpn_media.private_key_path }} {% for peer in vpn_media.peers %} [WireGuardPeer] PublicKey={{ peer.public_key }} -# PresharedKeyFile option does not seem to work, perhaps a bug? -PresharedKey={{ peer.preshared_key }} +PresharedKeyFile={{ peer.preshared_key_path }} AllowedIPs={{ peer.allowd_ips }} {% if peer.endpoint %} Endpoint={{ peer.endpoint }} diff --git a/vars/desktop.yml b/vars/desktop.yml index fc9fc0f..3f39782 100644 --- a/vars/desktop.yml +++ b/vars/desktop.yml @@ -1,24 +1,18 @@ platform_packages: [] modprobe_templates: - - { - src: 'templates/desktop/modprobe/99-amdgpu.conf.j2', + - src: 'templates/desktop/modprobe/99-amdgpu.conf.j2' dest: '/etc/modprobe.d/99-amdgpu.conf' - } mkinitcpio_templates: - - { - src: 'templates/desktop/mkinitcpio/1-modules.conf.j2', - dest: '/etc/mkinitcpio.conf.d/1-amdgpu.conf' - } - - { - src: 'templates/desktop/mkinitcpio/linux.preset.j2', - dest: '/etc/mkinitcpio.d/linux.preset' - } - - { - src: 'templates/desktop/mkinitcpio/linux-lts.preset.j2', - dest: '/etc/mkinitcpio.d/linux-lts.preset' - } + - src: 'templates/desktop/mkinitcpio/1-modules.conf.j2' + dest: '/etc/mkinitcpio.conf.d/1-amdgpu.conf' + + - src: 'templates/desktop/mkinitcpio/linux.preset.j2' + dest: '/etc/mkinitcpio.d/linux.preset' + + - src: 'templates/desktop/mkinitcpio/linux-lts.preset.j2' + dest: '/etc/mkinitcpio.d/linux-lts.preset' boot_configuration: disk: /dev/sdc 
@@ -29,53 +23,31 @@ vpn_default: subnet: '24' interface: 'wg0' - public_key_path: '/etc/wireguard/keys/public/default/desktop.pub' - private_key_path: '/etc/wireguard/keys/private/default/desktop.key' - - private_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 65386334366166306164363464633364383935313739373730373139663139373964336665636264 - 3563663038313039363230623266393164646164373739620a623536633631643231633938613461 - 63366239333230663531306333383962353937353736663336343434663633303232386531353832 - 6434633935333538650a613065306239333031656362356165326136333131356135383436326561 - 62303035386634636333353664373231633434656538303866386262353139363439363435346637 - 6637363334623133376134306165626564343864633032613763 + public_key_path: '{{ vpn_config_dir }}/keys/public/default/desktop.pub' + private_key_path: '{{ vpn_config_dir }}/keys/private/default/desktop.key' + private_key_source_path: 'files/desktop/wireguard/default/desktop.key' peers: - - { - name: 'zeus', - allowd_ips: '10.0.0.1/32', - endpoint: 'fudiggity.nl:51902', - public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo=', - preshared_key_path: '/etc/wireguard/keys/private/default/preshared-zeus.psk', - preshared_key_source_path: 'files/desktop/wireguard/default/preshared.psk', - preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n363333633336613939306632323163396239303739366135393232396134393266623939613534326238393638333137383235313039623264343932303038330a633934373638363966306533346235326234663464313963356238623064666430303030643533666536393662316237333463336462376366343335363131350a333135366239633765633136316133653535336661666461666365636233656165666635663037386666323931643265623233366133623237663734623661623661316436396465343866363266393565653237636136626536353630383263", - } + - name: 'zeus' + allowd_ips: '10.0.0.1/32' + endpoint: 'fudiggity.nl:51902' + public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo=' + preshared_key_path: '{{ vpn_config_dir }}/keys/private/default/preshared-zeus.psk' + 
preshared_key_source_path: 'files/desktop/wireguard/default/preshared.psk' vpn_media: ip: '10.0.1.3' subnet: '24' interface: 'wg1' - public_key_path: '/etc/wireguard/keys/public/media/desktop.pub' - private_key_path: '/etc/wireguard/keys/private/media/desktop.key' - - private_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 62396362373339306463343330346431613538383236663666386135383864303835616161336662 - 6633313937313261313033323361383866313639643733650a363730393538623463313362343133 - 34643530303832393530666239636263353435353031316166366638666132323034313662653334 - 3238313161363632380a356464626364656465616231346463366632386635353861303934653036 - 34363436616334386463353463303537346234346666366631333634393733613164636466633137 - 3265386536663664626236343062336662373638656435303966 + public_key_path: '{{ vpn_config_dir }}/keys/public/media/desktop.pub' + private_key_path: '{{ vpn_config_dir }}/keys/private/media/desktop.key' + private_key_source_path: 'files/desktop/wireguard/media/desktop.key' peers: - - { - name: 'zeus-media', - allowd_ips: '10.0.1.1/32', - endpoint: 'fudiggity.nl:51903', - public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg=', - preshared_key_path: '/etc/wireguard/keys/private/media/preshared-zeus.psk', - preshared_key_source_path: 'files/laptop/wireguard/media/preshared.psk', - preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n306139356532343165316339353064323434323432663462363833303930303463373137653463336366303237376564346131623662323066316435613737610a303439333438656663626334313134326231386566643364626438353864353265363137343335353365346565653939343564383130623561656264663365390a303239613536393539636464656466373531623664633637663937333438656638373539313734366139646331393965316538343863643836663363613764353839656430616233633761343562386534316336613062626236313833643066", - } + - name: 'zeus-media' + allowd_ips: '10.0.1.1/32' + endpoint: 'fudiggity.nl:51903' + public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg=' + preshared_key_path: 
'{{ vpn_config_dir }}/keys/private/media/preshared-zeus.psk' + preshared_key_source_path: 'files/desktop/wireguard/media/preshared.psk' diff --git a/vars/laptop.yml b/vars/laptop.yml index 0b8c907..f2e5dbc 100644 --- a/vars/laptop.yml +++ b/vars/laptop.yml 
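Review bot: Once the vault-encrypted `private_key` and `preshared_key` values are deleted here (and in the `vars/laptop.yml` hunk), the WireGuard private keys and PSKs exist under Ansible's control only as the `files/desktop/wireguard/...` sources named by `private_key_source_path` and `preshared_key_source_path`, and the patch does not show whether those files are themselves vault-encrypted. If they are plain text, secrets that were encrypted at rest in the repository are now committed in cleartext; `ansible.builtin.copy` decrypts vault-encrypted source files transparently (its `decrypt` option defaults to true), so encrypting them with `ansible-vault encrypt` keeps the existing copy tasks unchanged and fits the `ask_vault_pass = true` default added in the third patch. `private_key_source_path` is added here but nothing in the series reads it — `tasks/network.yml` still hardcodes `src: 'files/{{ platform }}/wireguard/default/{{ platform }}.key'` — and `vars/laptop.yml` does not define it; either make the copy task use it or drop the key.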
@@ -10,75 +10,46 @@ boot_configuration: partition: 1 mkinitcpio_templates: - - { - src: 'templates/laptop/mkinitcpio/1-modules.conf.j2', - dest: '/etc/mkinitcpio.conf.d/1-modules.conf' - } - - { - src: 'templates/laptop/mkinitcpio/2-hooks.conf.j2', - dest: '/etc/mkinitcpio.conf.d/2-hooks.conf' - } - - { - src: 'templates/laptop/mkinitcpio/linux.preset.j2', - dest: '/etc/mkinitcpio.d/linux.preset' - } - - { - src: 'templates/laptop/mkinitcpio/linux-lts.preset.j2', - dest: '/etc/mkinitcpio.d/linux-lts.preset' - } + - src: 'templates/laptop/mkinitcpio/1-modules.conf.j2' + dest: '/etc/mkinitcpio.conf.d/1-modules.conf' + + - src: 'templates/laptop/mkinitcpio/2-hooks.conf.j2' + dest: '/etc/mkinitcpio.conf.d/2-hooks.conf' + + - src: 'templates/laptop/mkinitcpio/linux.preset.j2' + dest: '/etc/mkinitcpio.d/linux.preset' + + - src: 'templates/laptop/mkinitcpio/linux-lts.preset.j2' + dest: '/etc/mkinitcpio.d/linux-lts.preset' vpn_default: ip: '10.0.0.2' subnet: '24' interface: 'wg0' - public_key_path: '/etc/wireguard/keys/public/default/laptop.pub' - private_key_path: '/etc/wireguard/keys/private/default/laptop.key' - - private_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 36393066313764386361376662376266623331313765373666616334356362656332653838346330 - 3435643261333262653139636537326164356164373566310a633233623031336437303236636266 - 61616165376631353433353463313532643564343664346335363835306430386364303635343432 - 3864343464666566310a363563613039333465336164323833316436393236666433333163666137 - 33656632343262373463306438333764393031623666393161356539636663346331613539396637 - 3631363333623539636561366436613861363932323966666238 + public_key_path: '{{ vpn_config_dir }}/keys/public/default/laptop.pub' + private_key_path: '{{ vpn_config_dir }}/keys/private/default/laptop.key' peers: - - { - name: 'zeus', - allowd_ips: '10.0.0.1/32', - endpoint: 'fudiggity.nl:51902', - public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo=', - preshared_key_path: 
'/etc/wireguard/keys/private/default/preshared-zeus.psk', - preshared_key_source_path: 'files/laptop/wireguard/default/preshared.psk', - preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n376463366339376639373237363632363836653266353534343331333831646366373430333163383838313835613565646466653139666337626237313737300a333761383466626637336164363235643861643865653536663433373762343637303334613862373663626663616138333964386333373633643431326233370a386664366238633533356235613332373630353731306233623364623239353564313631373061393535336532393439343432373435336538666334666335633737633030386438616566376131646662316464333765636331343262663437", - } + - name: 'zeus' + allowd_ips: '10.0.0.1/32' + endpoint: 'fudiggity.nl:51902' + public_key: 'CeybSMpJiicXmndIuhe89Bay3z3PEdYNyAwIFsacBEo=' + preshared_key_path: '{{ vpn_config_dir }}/keys/private/default/preshared-zeus.psk' + preshared_key_source_path: 'files/laptop/wireguard/default/preshared.psk' vpn_media: ip: '10.0.1.2' subnet: '24' interface: 'wg1' - public_key_path: '/etc/wireguard/keys/public/media/laptop.pub' - private_key_path: '/etc/wireguard/keys/private/media/laptop.key' - - private_key: !vault | - $ANSIBLE_VAULT;1.1;AES256 - 38343933313031343230346232633837346332656163303561323038643935343638333231633032 - 3035633565326130363666393631616333653638386564360a373863366364353632383031316561 - 35306566623237613565653465316566336439613064653934316536333062366163383435313366 - 6130633630376639330a366230386435643736353664623435316334666639653836393531623463 - 30336435613761616132656138303263396263336564323865356538353661366439333538343961 - 6164353934636536333433326332383830353034343437646563 + public_key_path: '{{ vpn_config_dir }}/keys/public/media/laptop.pub' + private_key_path: '{{ vpn_config_dir }}/keys/private/media/laptop.key' peers: - - { - name: 'zeus-media', - allowd_ips: '10.0.1.1/32', - endpoint: 'fudiggity.nl:51903', - public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg=', - preshared_key_path: 
'/etc/wireguard/keys/private/media/preshared-zeus.psk', - preshared_key_source_path: 'files/laptop/wireguard/media/preshared.psk', - preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n666536333463333939313365343734313533633132396662336665643462336164373034666265623061373463396462333162323666323565636265663861310a623766653463613036663530653763376638643566323439636236656239663064646135323337333365653039343836303935316335383831643764663366360a656639303535666430643838343465356530633162383336663633346433346465376236366265656335636438323133643064356462313166323633623634323836363032626463376239373330356533336537633139643461316235366534" - } + - name: 'zeus-media' + allowd_ips: '10.0.1.1/32' + endpoint: 'fudiggity.nl:51903' + public_key: 'EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg=' + preshared_key_path: '{{ vpn_config_dir }}/keys/private/media/preshared-zeus.psk' + preshared_key_source_path: 'files/laptop/wireguard/media/preshared.psk' diff --git a/vars/main.yml b/vars/main.yml index cd8d787..5c35e2f 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -43,3 +43,5 @@ modprobe_templates: [] mkinitcpio_templates: [] boot_configuration: + +vpn_config_dir: '/etc/wireguard'