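---
# WireGuard task list: key material, systemd-networkd interface definitions
# per platform, and the nftables ruleset.
#
# Note that Wireguard does DNS resolution only once, when the tunnel is set
# up. When a peer's IP changes, the endpoint has to be pushed to the running
# interface out of band, for example with
# `wg set wg0 peer izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4= endpoint <host>:<port>`
# (`<host>:<port>` is a placeholder for the peer's new address).

- name: Create Wireguard directories
  become: true
  ansible.builtin.file:
    path: '{{ item }}'
    owner: root
    group: systemd-network
    # Directories only; `recurse: true` is deliberately not used here. With
    # recursion the 0750 mode is applied to the key files already inside these
    # directories, which the copy tasks below then set back to 0640 -- every
    # run reported a change and restarted networkd/resolved for nothing.
    mode: '0750'
    state: directory
  loop:
    - '{{ vpn_config_dir }}'
    - '{{ vpn_default.private_key_path | dirname }}'
    - '{{ vpn_default.public_key_path | dirname }}'
    - '{{ vpn_media.private_key_path | dirname }}'
    - '{{ vpn_media.public_key_path | dirname }}'
  notify:
    - restart systemd-networkd
    - restart systemd-resolved

# Key pairs come from the repository's files/ tree.
# NOTE(review): the .key sources are private keys committed next to the
# playbook; presumably they are vault-encrypted or the repository is private --
# confirm before publishing the tree.
- name: Copy Wireguard credentials
  become: true
  ansible.builtin.copy:
    src: '{{ item.src }}'
    dest: '{{ item.dest }}'
    owner: root
    # 0640 root:systemd-network: readable by networkd, not by other users.
    group: systemd-network
    mode: '0640'
  loop:
    - dest: '{{ vpn_default.public_key_path }}'
      src: 'files/{{ platform }}/wireguard/default/{{ platform }}.pub'
    - dest: '{{ vpn_default.private_key_path }}'
      src: 'files/{{ platform }}/wireguard/default/{{ platform }}.key'
    - dest: '{{ vpn_media.public_key_path }}'
      src: 'files/{{ platform }}/wireguard/media/{{ platform }}.pub'
    - dest: '{{ vpn_media.private_key_path }}'
      src: 'files/{{ platform }}/wireguard/media/{{ platform }}.key'
  notify:
    - restart systemd-networkd
    - restart systemd-resolved

# Every peer of both tunnels is expected to carry a
# `preshared_key_source_path` / `preshared_key_path` pair; a peer without them
# fails this task rather than silently skipping the PSK.
- name: Copy Wireguard preshared keys
  become: true
  ansible.builtin.copy:
    src: '{{ item.preshared_key_source_path }}'
    dest: '{{ item.preshared_key_path }}'
    owner: root
    group: systemd-network
    mode: '0640'
  loop: '{{ vpn_default.peers + vpn_media.peers }}'
  notify:
    - restart systemd-networkd
    - restart systemd-resolved

# Block-level `notify`/`when` apply to every task inside the block.
- name: Desktop configuration
  notify:
    - restart systemd-networkd
    - restart systemd-resolved
  when: platform == "desktop"
  block:
    - name: Setup network configuration
      become: true
      ansible.builtin.template:
        src: '{{ item.src }}'
        dest: '{{ item.dest }}'
        owner: root
        group: systemd-network
        mode: '0640'
      loop:
        - src: 'templates/desktop/network/enp.network.j2'
          dest: '/etc/systemd/network/20-wired.network'
        - src: 'templates/desktop/network/wg0.network.j2'
          dest: '/etc/systemd/network/40-wg0.network'
        - src: 'templates/desktop/network/wg0.netdev.j2'
          dest: '/etc/systemd/network/40-wg0.netdev'
        - src: 'templates/desktop/network/wg1.network.j2'
          dest: '/etc/systemd/network/40-wg1.network'
        - src: 'templates/desktop/network/wg1.netdev.j2'
          dest: '/etc/systemd/network/40-wg1.netdev'

    # Presumably a bridge from an earlier layout; removed so networkd does not
    # keep configuring it alongside the files above.
    - name: Remove leftover configuration files
      become: true
      ansible.builtin.file:
        path: '{{ item }}'
        state: absent
      loop:
        - '/etc/systemd/network/30-vmbr0.network'
        - '/etc/systemd/network/30-vmbr0.netdev'

# Same layout as the desktop block, with a wireless uplink instead of the
# wired one; iwd is restarted as well because the wireless unit changes.
- name: Laptop configuration
  notify:
    - restart systemd-networkd
    - restart systemd-resolved
    - restart iwd
  when: platform == "laptop"
  block:
    - name: Setup network configuration
      become: true
      ansible.builtin.template:
        src: '{{ item.src }}'
        dest: '{{ item.dest }}'
        owner: root
        group: systemd-network
        mode: '0640'
      loop:
        - src: 'templates/laptop/network/wireless.network.j2'
          dest: '/etc/systemd/network/20-wireless.network'
        - src: 'templates/laptop/network/wg0.network.j2'
          dest: '/etc/systemd/network/40-wg0.network'
        - src: 'templates/laptop/network/wg0.netdev.j2'
          dest: '/etc/systemd/network/40-wg0.netdev'
        - src: 'templates/laptop/network/wg1.network.j2'
          dest: '/etc/systemd/network/40-wg1.network'
        - src: 'templates/laptop/network/wg1.netdev.j2'
          dest: '/etc/systemd/network/40-wg1.netdev'

    - name: Remove leftover configuration files
      become: true
      ansible.builtin.file:
        path: '{{ item }}'
        state: absent
      loop:
        - '/etc/systemd/network/30-vmbr0.network'
        - '/etc/systemd/network/30-vmbr0.netdev'

# The ruleset is root-only (0600): it encodes the allowed peers and ports and
# should not be readable by unprivileged local users.
- name: Copy firewall template
  become: true
  ansible.builtin.template:
    src: 'templates/{{ platform }}/nftables.j2'
    dest: '/etc/nftables.conf'
    owner: root
    group: root
    mode: '0600'
  notify: restart nftables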