diff --git a/files/wireguard/mobile.key b/files/wireguard/default/mobile.key
similarity index 100%
rename from files/wireguard/mobile.key
rename to files/wireguard/default/mobile.key
diff --git a/files/wireguard/mobile.pub b/files/wireguard/default/mobile.pub
similarity index 100%
rename from files/wireguard/mobile.pub
rename to files/wireguard/default/mobile.pub
diff --git a/files/wireguard/preshared-desktop.psk b/files/wireguard/default/preshared-desktop.psk
similarity index 100%
rename from files/wireguard/preshared-desktop.psk
rename to files/wireguard/default/preshared-desktop.psk
diff --git a/files/wireguard/preshared-laptop.psk b/files/wireguard/default/preshared-laptop.psk
similarity index 100%
rename from files/wireguard/preshared-laptop.psk
rename to files/wireguard/default/preshared-laptop.psk
diff --git a/files/wireguard/preshared-mobile.psk b/files/wireguard/default/preshared-mobile.psk
similarity index 100%
rename from files/wireguard/preshared-mobile.psk
rename to files/wireguard/default/preshared-mobile.psk
diff --git a/files/wireguard/server.key b/files/wireguard/default/server.key
similarity index 100%
rename from files/wireguard/server.key
rename to files/wireguard/default/server.key
diff --git a/files/wireguard/server.pub b/files/wireguard/default/server.pub
similarity index 100%
rename from files/wireguard/server.pub
rename to files/wireguard/default/server.pub
diff --git a/files/wireguard/media/mobile-1.key b/files/wireguard/media/mobile-1.key
new file mode 100644
index 0000000..9e686a3
--- /dev/null
+++ b/files/wireguard/media/mobile-1.key
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+36663166623362373139313130376432363431636130316637653064386239626638663038666137
+3736393932356630633438646239656566663132353866390a316431366232303662633063626563
+31656363636232623335373661386439353936316336663366633234316466313661613062313534
+3038303838393133340a353066306137643435353737666637363263383934353935653866636337
+66343231323262306338613035346437383133386639333066656434343838386561313636353466
+3361613932386137356435396438663364326532303533613761
diff --git a/files/wireguard/media/mobile-1.pub b/files/wireguard/media/mobile-1.pub
new file mode 100644
index 0000000..8245f2d
--- /dev/null
+++ b/files/wireguard/media/mobile-1.pub
@@ -0,0 +1 @@
+6fj8FXvzT0IUlZLJjQ/+FhwwRDsJeQsUFHqKQcyXdwQ=
diff --git a/files/wireguard/media/mobile-2.key b/files/wireguard/media/mobile-2.key
new file mode 100644
index 0000000..c1389db
--- /dev/null
+++ b/files/wireguard/media/mobile-2.key
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+66333736396437633630373463646634616463373238316237386365386365366361303763373136
+6135316639303235393630313561383835363436346165610a643935653532353563303631373132
+61393763353036313731353639343835303465383365333865393733613630646162316561386139
+3634323363323330660a616664333463386461303531303531306533336166346339303236376539
+31373230376162623039373062323031336430623231313830313366363839376132316630366563
+6562373164323937363137646330623935356236353366656363
diff --git a/files/wireguard/media/mobile-2.pub b/files/wireguard/media/mobile-2.pub
new file mode 100644
index 0000000..2006fd4
--- /dev/null
+++ b/files/wireguard/media/mobile-2.pub
@@ -0,0 +1 @@
+w/pswNrAYFdEUoaLk3zSqOu4gg2s41BBCN02E//ai1c=
diff --git a/files/wireguard/media/preshared-desktop.psk b/files/wireguard/media/preshared-desktop.psk
new file mode 100644
index 0000000..7c70d3a
--- /dev/null
+++ b/files/wireguard/media/preshared-desktop.psk
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+33656266346661336633613131643631353238383261646533623137326264373661356366383938
+3133326334363561623535353738656164343331396163340a666237326461636634346237366437
+32646132306630353365326436666165616263306334343131346230343363313334636436303836
+3034613961303261640a646534616464373038313537366261613661613865353936616266613335
+30643333336633343435623336383134623231346165333831376239303764343834323961386434
+6533346661633136353037363865393764643634353933643735
diff --git a/files/wireguard/media/preshared-laptop.psk b/files/wireguard/media/preshared-laptop.psk
new file mode 100644
index 0000000..5fbe636
--- /dev/null
+++ b/files/wireguard/media/preshared-laptop.psk
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+35626139616466633233316431393132653238383534366561303832323531636332623530373431
+6461303662336533633333386635323261393936323534350a653461653831636365303861366562
+32393031666632633364366465333931663332623464353430393539633739326135303636373762
+3264643738336630650a306664393939313838313663396264366263663866633366646264326330
+31656438346166316232663832326462383163626330633937393532383665343861323831313665
+3732643931316538303737363639616665323639353436376432
diff --git a/files/wireguard/media/preshared-mobile-1.psk b/files/wireguard/media/preshared-mobile-1.psk
new file mode 100644
index 0000000..fa7150d
--- /dev/null
+++ b/files/wireguard/media/preshared-mobile-1.psk
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+66356363663464643764623762353539313835376230306639333037303233353830656562393664
+3334353835393064653262303736303732343139613664360a393764303166656137646538646234
+65326361646162386531326530613866373135356233626233363463626463373466363434623932
+3466373536353139340a386435383966366563366466653435656265336432333865653434343633
+63646365343838386163336337373437393236353136626232313334633432393934376361613838
+6334376636336132346333636139333634346161343837396631
diff --git a/files/wireguard/media/preshared-mobile-2.psk b/files/wireguard/media/preshared-mobile-2.psk
new file mode 100644
index 0000000..2397ca7
--- /dev/null
+++ b/files/wireguard/media/preshared-mobile-2.psk
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+61373431643838303539366639656632383037613066353166376339393733666436613633616638
+3635623366623238353832383530323336383735333761610a303061353238333532386638336238
+36633730313334356236363735613264656131393238633537396461383462643937346630663765
+3239383863383862350a333330323932636363313931613561393932653130666138656263363263
+65663835396663643938373966386137663263613962633636383132383039326365383630336531
+6630343438366530646139373662306336353434363435333635
diff --git a/files/wireguard/media/preshared-tv.psk b/files/wireguard/media/preshared-tv.psk
new file mode 100644
index 0000000..6c052d6
--- /dev/null
+++ b/files/wireguard/media/preshared-tv.psk
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+66363364313233366362616232653334653739613565663831346163333863613435656534303532
+3566393437343036323366666261356465346331396334300a653530613937643265633039376464
+66363530353864653932646231343430626136613432326439373164356537393639363430313432
+3564653461303766620a663339376264363633616434303539643237343833343438643266346437
+66363738613735326662383739323531323531326161356430613134666631656562336537393632
+3962653263353334383964306230363334343064326631393237
diff --git a/files/wireguard/media/server.key b/files/wireguard/media/server.key
new file mode 100644
index 0000000..938e76b
--- /dev/null
+++ b/files/wireguard/media/server.key
@@ -0,0 +1,7 @@ +$ANSIBLE_VAULT;1.1;AES256 +30396636366461333265336336313865386431613366346531373830666531653236666232366530 +6164323239653235313965393062306264353232373165630a653165626434336135306231303034 +38656230666361666336313634396562346438323863303835303832646133666266613537663833 +3030383039653364640a643631653331353063393766653866333933373339626338366133363564 +37373632333332326165323862373666386230316630323135326438326533326664396334643837 +6432323032626435373531353434646238343966396634646138 diff --git a/files/wireguard/media/server.pub b/files/wireguard/media/server.pub new file mode 100644 index 0000000..a7c9a71 --- /dev/null +++ b/files/wireguard/media/server.pub @@ -0,0 +1 @@ +EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg= diff --git a/files/wireguard/media/tv.key b/files/wireguard/media/tv.key new file mode 100644 index 0000000..c3beeca --- /dev/null +++ b/files/wireguard/media/tv.key @@ -0,0 +1,7 @@ +$ANSIBLE_VAULT;1.1;AES256 +31346135623233396339393930373564643931306234636565633534356365626637616434396631 +3137306535336138386263343436663033363234643238610a663862306631323964333966613236 +36343565396264376436656635363862613333326138356638343966643532363964313630643763 +6635343464623837300a333036623835376133616236306637623235636432643236626635316334 +33353630646565363563303230386337613030396333383433346165643933343135623730303039 +6333396361373863353865323834383737656330396463383739 diff --git a/files/wireguard/media/tv.pub b/files/wireguard/media/tv.pub new file mode 100644 index 0000000..9dd4f5e --- /dev/null +++ b/files/wireguard/media/tv.pub @@ -0,0 +1 @@ +5+yz9C9PhaLhsvAZ1e3mDsTQpMZVrPZnSQa6ERJIKU0= diff --git a/handlers.yml b/handlers.yml new file mode 100644 index 0000000..568c3b8 --- /dev/null +++ b/handlers.yml @@ -0,0 +1,6 @@ +- name: restart systemd-networkd + become: true + systemd: + name: systemd-networkd + state: restarted + enabled: true diff --git a/playbook.yml b/playbook.yml index 31110d5..7a6bc58 100644 --- a/playbook.yml 
+++ b/playbook.yml @@ -9,17 +9,22 @@ tasks: - import_tasks: 'tasks/setup.yml' - import_tasks: 'tasks/network.yml' + - import_tasks: 'tasks/wireguard.yml' + - import_tasks: 'tasks/wireguard_media.yml' - import_tasks: 'tasks/docker.yml' - import_tasks: 'tasks/radicale.yml' - import_tasks: 'tasks/syncthing.yml' - import_tasks: 'tasks/transmission.yml' - import_tasks: 'tasks/mpd.yml' - import_tasks: 'tasks/nginx.yml' + handlers: + - import_tasks: 'handlers.yml' vars_files: - 'vars/main.yml' - 'vars/nginx.yml' - 'vars/network.yml' - 'vars/vpn.yml' + - 'vars/vpn_media.yml' - 'vars/transmission.yml' - 'vars/syncthing.yml' - 'vars/mpd.yml' diff --git a/tasks/network.yml b/tasks/network.yml index f4e7844..5065d02 100644 --- a/tasks/network.yml +++ b/tasks/network.yml @@ -1,24 +1,3 @@ -- name: load private key into var - set_fact: - vpn_server_key: '{{ lookup("file", "files/wireguard/server.key" ) }}' - -- name: load public key into var - set_fact: - vpn_server_public_key: '{{ lookup("file", "files/wireguard/server.pub" ) }}' - -# this should eventually be replaced with using the -# PrivateKeyFile/PresharedKeyFile options -- name: load preshared keys into variables - set_fact: - vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"preshared_key": lookup("file", item.value.preshared_key_source_path )})})}}' - with_dict: '{{ vpn_peers }}' - -- name: load mobile private_key - set_fact: - vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"private_key": lookup("file", item.value.private_key_source_path )})})}}' - with_dict: '{{ vpn_peers }}' - when: item.key == "mobile" - - name: copy network configuration files become: true template: 
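Review bot: Moving the networkd restart into `handlers.yml` changes when it runs: the old inline `restart systemd-networkd` task fired right after the key copy, while a handler runs only at the end of the play, so `tasks/docker.yml` through `tasks/nginx.yml` now execute before `wg0`/`wg1` are (re)configured on a fresh host. If any of those later steps bind to or firewall on the tunnel addresses (not visible here), they will see the pre-restart state on the first run. Insert `- meta: flush_handlers` directly after the two wireguard imports if that ordering matters, which keeps the handler de-duplication while restoring the old sequencing.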
@@ -33,11 +12,7 @@ src: 'templates/network/link1.network.j2', dest: '/etc/systemd/network/link1.network', } - - { src: 'templates/network/wg0.netdev.j2', dest: '/etc/systemd/network/wg0.netdev' } - - { - src: 'templates/network/wg0.network.j2', - dest: '/etc/systemd/network/wg0.network', - } + notify: restart systemd-networkd - name: copy interface restart timer/service become: true @@ -56,6 +31,7 @@ src: 'templates/interface_restart.service.j2', dest: '/etc/systemd/system/interface-restart.service', } + notify: restart systemd-networkd - name: enable interface restart timer become: true 
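Review bot: `copy interface restart timer/service` now notifies `restart systemd-networkd`, but a changed unit under `/etc/systemd/system/` is only picked up after `systemctl daemon-reload`, and the handler defined in `handlers.yml` restarts networkd without `daemon_reload: true`. Unless the following `enable interface restart timer` task (its body is cut off here) reloads the manager, edits to `interface-restart.service`/`.timer` will not take effect until an unrelated reload or reboot. Either add `daemon_reload: true` to that handler or give the unit-file task its own `reload systemd` handler with `systemd: daemon_reload: true`.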
@@ -71,63 +47,4 @@ dest: '/etc/hosts' mode: '0644' owner: root - -- name: copy mobile configuration - template: - src: 'mobile.wireguard.j2' - dest: '/tmp/mobile.wireguard.conf' - mode: '0600' - when: copy_mobile_conf - -- name: create wireguard directories - become: true - file: - path: '{{ item | dirname }}' - owner: root - group: systemd-network - mode: '0640' - state: directory - loop: - - '{{ vpn_server_key_path }}' - - '{{ vpn_server_public_key_path }}' - -- name: copy wireguard credentials - become: true - copy: - src: '{{ item.src }}' - dest: '{{ item.dest }}' - owner: root - group: systemd-network - mode: '0640' - loop: - - { src: 'files/wireguard/server.pub', dest: '{{ vpn_server_public_key_path }}' } - - { src: 'files/wireguard/server.key', dest: '{{ vpn_server_key_path }}' } - -- name: copy mobile wireguard credentials - become: true - copy: - src: '{{ item.src }}' - dest: '{{ item.dest }}' - owner: root - group: systemd-network - mode: '0640' - loop: - - { src: 'files/wireguard/mobile.pub', dest: '{{ vpn_server_public_key_path }}' } - - { src: 'files/wireguard/mobile.key', dest: '{{ vpn_server_key_path }}' } - -- name: copy wireguard preshared keys - become: true - copy: - src: '{{ item.value.preshared_key_source_path }}' - dest: '{{ item.value.preshared_key_path }}' - owner: root - group: systemd-network - mode: '0640' - with_dict: '{{ vpn_peers }}' - -- name: restart systemd-networkd - become: true - systemd: - name: systemd-networkd - state: restarted - enabled: true + notify: restart systemd-networkd diff --git a/tasks/nginx.yml b/tasks/nginx.yml index d7ea8bf..f271187 100644 --- a/tasks/nginx.yml +++ b/tasks/nginx.yml @@ -41,3 +41,5 @@ src: '/etc/nginx/sites-available/newsreader', dest: '/etc/nginx/sites-enabled/newsreader', } + +# TODO: provision certbot configuration diff --git a/tasks/setup.yml b/tasks/setup.yml index 8e4c4d9..99983c9 100644 --- a/tasks/setup.yml +++ b/tasks/setup.yml 
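Review bot: The trailing `+ notify: restart systemd-networkd` attaches to the task whose context lines are `dest: '/etc/hosts'`, `mode: '0644'`, `owner: root`, so every change to the hosts file now restarts networkd even though networkd does not consume `/etc/hosts`. That is a needless disruption of all managed links on a hosts-only change; drop the notify from this task and keep it only on the tasks that write `.network`/`.netdev` files. If the notify was meant to replace the wireguard restart that used to live at the end of this file, `tasks/wireguard.yml` already carries its own `notify` on the template task.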
@@ -17,3 +17,6 @@ group: root mode: '0644' notify: reload ssh + +# TODO: provision default grub menu entry for now +# linux-image-6.1.0-17 kernel seems to break networking diff --git a/tasks/wireguard.yml b/tasks/wireguard.yml new file mode 100644 index 0000000..d8b9b51 --- /dev/null +++ b/tasks/wireguard.yml 
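Review bot: The new TODO plans to pin the default GRUB entry to a kernel older than `linux-image-6.1.0-17` because that image breaks networking; a pinned kernel stops receiving security fixes, so the comment should name the condition for removing the pin rather than only the reason for adding it. Suggest `# TODO: pin default grub entry to the previous kernel until the networking regression in linux-image-6.1.0-17 is fixed; re-test on every kernel update and drop the pin` so the workaround does not silently outlive the bug.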
@@ -0,0 +1,90 @@ +- name: load private key into var + set_fact: + vpn_server_key: '{{ lookup("file", "files/wireguard/default/server.key" ) }}' + +- name: load public key into var + set_fact: + vpn_server_public_key: '{{ lookup("file", "files/wireguard/default/server.pub" ) }}' + +# this should eventually be replaced with using the +# PrivateKeyFile/PresharedKeyFile options +- name: load preshared keys into variables + set_fact: + vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"preshared_key": lookup("file", item.value.preshared_key_source_path )})})}}' + with_dict: '{{ vpn_peers }}' + +- name: load mobile private_key + set_fact: + vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"private_key": lookup("file", item.value.private_key_source_path )})})}}' + with_dict: '{{ vpn_peers }}' + when: item.key == "mobile" + +- name: copy wireguard configuration files + become: true + template: + src: '{{ item.src }}' + dest: '{{ item.dest }}' + owner: root + group: systemd-network + mode: '0640' + loop: + - { src: 'templates/network/wireguard/default/wg0.netdev.j2', dest: '/etc/systemd/network/wg0.netdev' } + - { + src: 'templates/network/wireguard/default/wg0.network.j2', + dest: '/etc/systemd/network/wg0.network', + } + notify: restart systemd-networkd + +- name: copy mobile configuration + template: + src: 'templates/network/wireguard/default/mobile.wireguard.j2' + dest: '/tmp/mobile.wireguard.conf' + mode: '0600' + when: copy_vpn_configurations + +- name: create wireguard directories + become: true + file: + path: '{{ item | dirname }}' + owner: root + group: systemd-network + mode: '0640' + state: directory + loop: + - '{{ vpn_server_key_path }}' + - '{{ vpn_server_public_key_path }}' + +- name: copy wireguard credentials + become: true + copy: + src: '{{ item.src }}' + dest: '{{ item.dest }}' + owner: root + group: systemd-network + mode: '0640' + loop: + - { src: 'files/wireguard/default/server.pub', dest: '{{ 
vpn_server_public_key_path }}' } + - { src: 'files/wireguard/default/server.key', dest: '{{ vpn_server_key_path }}' } + +- name: copy mobile wireguard credentials + become: true + copy: + src: '{{ item.src }}' + dest: '{{ item.dest }}' + owner: root + group: systemd-network + mode: '0640' + loop: + - { src: 'files/wireguard/default/mobile.pub', dest: '{{ vpn_server_public_key_path|dirname }}/mobile.pub' } + - { src: 'files/wireguard/default/mobile.key', dest: '{{ vpn_server_key_path|dirname }}/mobile.key' } + +- name: copy wireguard preshared keys + become: true + copy: + src: '{{ item.value.preshared_key_source_path }}' + dest: '{{ item.value.preshared_key_path }}' + owner: root + group: systemd-network + mode: '0640' + with_dict: '{{ vpn_peers }}' + diff --git a/tasks/wireguard_media.yml b/tasks/wireguard_media.yml new file mode 100644 index 0000000..7a7cd39 --- /dev/null +++ b/tasks/wireguard_media.yml 
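Review bot: None of the tasks that handle decrypted key material — the three `set_fact` lookups at the top of the file, the `template` that writes `/tmp/mobile.wireguard.conf`, and the `copy` tasks for the `.key`/`.psk` files — carries `no_log: true`, so a `-v` or `--diff` run can print the vault-decrypted private keys and PSKs to the console and any log collector; add `no_log: true` to each of them. `create wireguard directories` also sets `mode: '0640'` on a directory, which lacks the execute bit, so the unprivileged `systemd-network` user cannot traverse `/etc/wireguard/keys/private` once the commented `PrivateKeyFile=`/`PresharedKeyFile=` switch happens; `mode: '0750'` is the directory mode that matches the `0640` files. Finally, `copy mobile wireguard credentials` places the mobile peer's private key under the server's key directory, which the server never needs (it only has to appear in the rendered client config); keeping every peer's private key on the server turns a server compromise into a compromise of all peer identities, and the "generate on device" approach noted for laptop/desktop in `vars/vpn_media.yml` is the pattern to converge on.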
@@ -0,0 +1,97 @@ +- name: load media private key into var + set_fact: + vpn_media_server_key: '{{ lookup("file", "files/wireguard/media/server.key" ) }}' + +- name: load media public key into var + set_fact: + vpn_media_server_public_key: '{{ lookup("file", "files/wireguard/media/server.pub" ) }}' + +# this should eventually be replaced with using the +# PrivateKeyFile/PresharedKeyFile options +- name: load preshared media keys into variables + set_fact: + vpn_media_peers: '{{ vpn_media_peers | combine({item.key: item.value|combine({"preshared_key": lookup("file", item.value.preshared_key_source_path )})})}}' + with_dict: '{{ vpn_media_peers }}' + +- name: load external media private_keys + set_fact: + vpn_media_peers: '{{ vpn_media_peers | combine({item.key: item.value|combine({"private_key": lookup("file", item.value.private_key_source_path )})})}}' + with_dict: '{{ vpn_media_peers }}' + when: item.key in ['mobile_peer_1', 'mobile_peer_2', 'tv'] + +- name: copy wireguard media configuration files + become: true + template: + src: '{{ item.src }}' + dest: '{{ item.dest }}' + owner: root + group: systemd-network + mode: '0640' + loop: + - { src: 'templates/network/wireguard/media/wg1.netdev.j2', dest: '/etc/systemd/network/wg1.netdev' } + - { + src: 'templates/network/wireguard/media/wg1.network.j2', + dest: '/etc/systemd/network/wg1.network', + } + notify: restart systemd-networkd + +- name: copy external media configurations + template: + src: '{{ item.src }}' + dest: '{{ item.dest }}' + mode: '0600' + loop: + - { src: 'templates/network/wireguard/media/mobile_1.wireguard.j2', dest: '/tmp/mobile_1.wireguard.conf' } + - { src: 'templates/network/wireguard/media/mobile_2.wireguard.j2', dest: '/tmp/mobile_2.wireguard.conf' } + - { src: 'templates/network/wireguard/media/tv.wireguard.j2', dest: '/tmp/tv.wireguard.conf' } + when: copy_vpn_media_configurations + +- name: create wireguard media directories + become: true + file: + path: '{{ item | dirname }}' + owner: 
root + group: systemd-network + mode: '0640' + state: directory + loop: + - '{{ vpn_media_server_key_path }}' + - '{{ vpn_media_server_public_key_path }}' + +- name: copy wireguard media credentials + become: true + copy: + src: '{{ item.src }}' + dest: '{{ item.dest }}' + owner: root + group: systemd-network + mode: '0640' + loop: + - { src: 'files/wireguard/media/server.pub', dest: '{{ vpn_media_server_public_key_path }}' } + - { src: 'files/wireguard/media/server.key', dest: '{{ vpn_media_server_key_path }}' } + +- name: copy mobile media wireguard credentials + become: true + copy: + src: '{{ item.src }}' + dest: '{{ item.dest }}' + owner: root + group: systemd-network + mode: '0640' + loop: + - { src: 'files/wireguard/media/mobile-1.pub', dest: '{{ vpn_media_server_public_key_path|dirname }}/mobile_1.pub' } + - { src: 'files/wireguard/media/mobile-1.key', dest: '{{ vpn_media_server_key_path|dirname }}/mobile_1.key' } + - { src: 'files/wireguard/media/mobile-2.pub', dest: '{{ vpn_media_server_public_key_path|dirname }}/mobile_2.pub' } + - { src: 'files/wireguard/media/mobile-2.key', dest: '{{ vpn_media_server_key_path|dirname }}/mobile_2.key' } + - { src: 'files/wireguard/media/tv.pub', dest: '{{ vpn_media_server_public_key_path|dirname }}/tv.pub' } + - { src: 'files/wireguard/media/tv.key', dest: '{{ vpn_media_server_key_path|dirname }}/tv.key' } + +- name: copy wireguard media preshared keys + become: true + copy: + src: '{{ item.value.preshared_key_source_path }}' + dest: '{{ item.value.preshared_key_path }}' + owner: root + group: systemd-network + mode: '0640' + with_dict: '{{ vpn_media_peers }}' diff --git a/templates/mobile.wireguard.j2 b/templates/network/wireguard/default/mobile.wireguard.j2 similarity index 64% rename from templates/mobile.wireguard.j2 rename to templates/network/wireguard/default/mobile.wireguard.j2 index f8c9a43..a0fd7b9 100644 --- a/templates/mobile.wireguard.j2 +++ b/templates/network/wireguard/default/mobile.wireguard.j2 
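Review bot: `copy external media configurations` renders three client configs, each containing a peer private key and PSK, to fixed names under `/tmp` on the managed host (`template` writes to the remote unless delegated) and nothing removes them afterwards. Since those files are meant to leave the server anyway, render them on the controller with `delegate_to: localhost` into a non-world-readable directory, and add `no_log: true` so the rendered secrets are not echoed in verbose or `--diff` output. The `when: item.key in ['mobile_peer_1', 'mobile_peer_2', 'tv']` guard in `load external media private_keys` duplicates knowledge held in `vars/vpn_media.yml`; `when: "'private_key_source_path' in item.value"` keeps the two from drifting when a peer is added. `create wireguard media directories` likewise sets `mode: '0640'` on a directory, which lacks the execute bit the `systemd-network` user needs to traverse it; use `0750`.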
@@ -1,4 +1,4 @@ -# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} +# {{ ansible_managed }} [Interface] Address={{ vpn_peers.mobile.ip }}/24 @@ -8,4 +8,4 @@ PrivateKey={{ vpn_peers.mobile.private_key }} PublicKey={{ vpn_server_public_key }} PresharedKey={{ vpn_peers.mobile.preshared_key }} AllowedIPs={{ vpn_listen_address }}/32 -Endpoint={{ wan_ip_address }}:{{ vpn_port }} +Endpoint={{ domain_name }}:{{ vpn_port }} diff --git a/templates/network/wg0.netdev.j2 b/templates/network/wireguard/default/wg0.netdev.j2 similarity index 82% rename from templates/network/wg0.netdev.j2 rename to templates/network/wireguard/default/wg0.netdev.j2 index 4d454de..24021fb 100644 --- a/templates/network/wg0.netdev.j2 +++ b/templates/network/wireguard/default/wg0.netdev.j2 @@ -1,4 +1,4 @@ -# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} +# {{ ansible_managed }} [NetDev] Name={{ vpn_interface }} diff --git a/templates/network/wg0.network.j2 b/templates/network/wireguard/default/wg0.network.j2 similarity index 53% rename from templates/network/wg0.network.j2 rename to templates/network/wireguard/default/wg0.network.j2 index cdee26f..0532830 100644 --- a/templates/network/wg0.network.j2 +++ b/templates/network/wireguard/default/wg0.network.j2 @@ -1,4 +1,4 @@ -# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} +# {{ ansible_managed }} [Match] Name={{ vpn_interface }} diff --git a/templates/network/wireguard/media/mobile_1.wireguard.j2 b/templates/network/wireguard/media/mobile_1.wireguard.j2 new file mode 100644 index 0000000..027949f --- /dev/null +++ b/templates/network/wireguard/media/mobile_1.wireguard.j2 
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+[Interface]
+Address={{ vpn_media_peers.mobile_peer_1.ip }}/24
+PrivateKey={{ vpn_media_peers.mobile_peer_1.private_key }}
+
+[Peer]
+PublicKey={{ vpn_media_server_public_key }}
+PresharedKey={{ vpn_media_peers.mobile_peer_1.preshared_key }}
+AllowedIPs={{ vpn_media_listen_address }}/32
+Endpoint={{ domain_name }}:{{ vpn_media_port }}
diff --git a/templates/network/wireguard/media/mobile_2.wireguard.j2 b/templates/network/wireguard/media/mobile_2.wireguard.j2
new file mode 100644
index 0000000..a8a9c3b
--- /dev/null
+++ b/templates/network/wireguard/media/mobile_2.wireguard.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+[Interface]
+Address={{ vpn_media_peers.mobile_peer_2.ip }}/24
+PrivateKey={{ vpn_media_peers.mobile_peer_2.private_key }}
+
+[Peer]
+PublicKey={{ vpn_media_server_public_key }}
+PresharedKey={{ vpn_media_peers.mobile_peer_2.preshared_key }}
+AllowedIPs={{ vpn_media_listen_address }}/32
+Endpoint={{ domain_name }}:{{ vpn_media_port }}
diff --git a/templates/network/wireguard/media/tv.wireguard.j2 b/templates/network/wireguard/media/tv.wireguard.j2
new file mode 100644
index 0000000..a9ed256
--- /dev/null
+++ b/templates/network/wireguard/media/tv.wireguard.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+[Interface]
+Address={{ vpn_media_peers.tv.ip }}/24
+PrivateKey={{ vpn_media_peers.tv.private_key }}
+
+[Peer]
+PublicKey={{ vpn_media_server_public_key }}
+PresharedKey={{ vpn_media_peers.tv.preshared_key }}
+AllowedIPs={{ vpn_media_listen_address }}/32
+Endpoint={{ domain_name }}:{{ vpn_media_port }}
diff --git a/templates/network/wireguard/media/wg1.netdev.j2 b/templates/network/wireguard/media/wg1.netdev.j2
new file mode 100644
index 0000000..9323295
--- /dev/null
+++ b/templates/network/wireguard/media/wg1.netdev.j2
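Review bot: `mobile_1.wireguard.j2`, `mobile_2.wireguard.j2` and `tv.wireguard.j2` are identical except for the `vpn_media_peers.<name>` key, so any later change (adding `PersistentKeepalive=` for NATed peers, say) has to be made three times and is easy to miss once. One template that receives the peer name removes the duplication; the rendering task then loops over the peer names with `vars: { peer_name: '{{ item }}' }` and `dest: '/tmp/{{ item }}.wireguard.conf'`. The parameterised template would be:
```jinja
# {{ ansible_managed }}
{% set peer = vpn_media_peers[peer_name] %}

[Interface]
Address={{ peer.ip }}/24
PrivateKey={{ peer.private_key }}

[Peer]
PublicKey={{ vpn_media_server_public_key }}
PresharedKey={{ peer.preshared_key }}
AllowedIPs={{ vpn_media_listen_address }}/32
Endpoint={{ domain_name }}:{{ vpn_media_port }}
```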
@@ -0,0 +1,20 @@ +# {{ ansible_managed }} + +[NetDev] +Name={{ vpn_media_interface }} +Kind=wireguard +Description=WireGuard tunnel wg1 + +[WireGuard] +ListenPort={{ vpn_media_port }} +PrivateKey={{ vpn_media_server_key }} + +{% for peer, properties in vpn_media_peers.items() %} +[WireGuardPeer] +PublicKey={{ properties.public_key }} +PresharedKey={{ properties.preshared_key }} +AllowedIPs={{ properties.ip }}/32 +{% if not loop.last %} + +{% endif %} +{% endfor %} diff --git a/templates/network/wireguard/media/wg1.network.j2 b/templates/network/wireguard/media/wg1.network.j2 new file mode 100644 index 0000000..8038f9d --- /dev/null +++ b/templates/network/wireguard/media/wg1.network.j2 @@ -0,0 +1,7 @@ +# {{ ansible_managed }} + +[Match] +Name={{ vpn_media_interface }} + +[Network] +Address={{ vpn_media_listen_address }}/{{ vpn_media_subnet }} diff --git a/templates/nftables.j2 b/templates/nftables.j2 index f234d92..9ed9be6 100644 --- a/templates/nftables.j2 +++ b/templates/nftables.j2 @@ -25,6 +25,7 @@ table ip filter { iifname "{{ network_interface }}" tcp dport {{ transmission_port }} accept comment "Transmission" iifname "{{ network_interface }}" udp dport {{ vpn_port }} accept comment "Wireguard" + iifname "{{ network_interface }}" udp dport {{ vpn_media_port }} accept comment "Wireguard media" iifname "{{ vpn_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "HTTP/HTTPS" iifname "{{ vpn_interface }}" tcp dport {{ transmission_web_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Transmission Web" diff --git a/vars/network.yml b/vars/network.yml index 30725fa..df16f92 100644 --- a/vars/network.yml +++ b/vars/network.yml @@ -2,7 +2,7 @@ network_interface: 'link1' network_mac: '70:85:c2:5a:ce:91' lan_ip_address: '192.168.2.1' -wan_ip_address: '37.251.96.245' +domain_name: 'fudiggity.nl' http_port: 80 https_port: 443 
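Review bot: The `[WireGuardPeer]` loop renders `PublicKey={{ properties.public_key }}` for every entry of `vpn_media_peers`, and `vars/vpn_media.yml` in this same commit carries `public_key: 'foobar'` for `laptop` and `desktop`; that is not a valid base64 Curve25519 key, so networkd will, as far as I can tell, log a parse error and drop those peer sections, leaving `wg1` up without them and with noise in the journal on every reload. Until real keys exist, skip placeholders in the loop, e.g. `{% for peer, properties in vpn_media_peers.items() if properties.public_key is match('^[A-Za-z0-9+/]{43}=$') %}`, or omit the two peers from the vars file.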
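Review bot: The new rule only opens `udp dport {{ vpn_media_port }}` on `{{ network_interface }}`; nothing in this hunk says what traffic arriving on `{{ vpn_media_interface }}` may reach, and `vpn_media_source_range`/`vpn_media_destination_range` from `vars/vpn_media.yml` are defined but never used here, whereas the existing `wg0` rules are explicitly scoped with `ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }}`. Depending on the chain's default policy (outside this hunk), media peers therefore get either nothing or everything the host exposes on its `wg1` address, including services meant only for the `wg0` tunnel. Add accept rules for the media services scoped to `iifname "{{ vpn_media_interface }}" ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }}`, and check the forward chain so `10.0.1.0/24` cannot route into `10.0.0.0/24` or the LAN.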
diff --git a/vars/vpn.yml b/vars/vpn.yml index 17dfa09..900a641 100644 --- a/vars/vpn.yml +++ b/vars/vpn.yml @@ -1,6 +1,5 @@ vpn_listen_address: '10.0.0.1' vpn_subnet: '24' -vpn_local_ip: '192.168.178.185' vpn_port: '51902' vpn_interface: 'wg0' @@ -10,22 +9,22 @@ vpn_destination_range: '10.0.0.1/32' vpn_server_public_key_path: '/etc/wireguard/keys/public/server.pub' vpn_server_key_path: '/etc/wireguard/keys/private/server.key' -copy_mobile_conf: false +copy_vpn_configurations: false vpn_peers: laptop: ip: '10.0.0.2' public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw=' preshared_key_path: '/etc/wireguard/keys/private/preshared-laptop.psk' - preshared_key_source_path: 'files/wireguard/preshared-laptop.psk' + preshared_key_source_path: 'files/wireguard/default/preshared-laptop.psk' desktop: ip: '10.0.0.3' public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4=' preshared_key_path: '/etc/wireguard/keys/private/preshared-desktop.psk' - preshared_key_source_path: 'files/wireguard/preshared-desktop.psk' + preshared_key_source_path: 'files/wireguard/default/preshared-desktop.psk' mobile: ip: '10.0.0.4' public_key: '4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY=' preshared_key_path: '/etc/wireguard/keys/private/preshared-mobile.psk' - preshared_key_source_path: 'files/wireguard/preshared-mobile.psk' - private_key_source_path: 'files/wireguard/mobile.key' + preshared_key_source_path: 'files/wireguard/default/preshared-mobile.psk' + private_key_source_path: 'files/wireguard/default/mobile.key' diff --git a/vars/vpn_media.yml b/vars/vpn_media.yml new file mode 100644 index 0000000..688695f --- /dev/null +++ b/vars/vpn_media.yml 
@@ -0,0 +1,42 @@ +vpn_media_listen_address: '10.0.1.1' +vpn_media_subnet: '24' +vpn_media_port: '51903' +vpn_media_interface: 'wg1' + +vpn_media_source_range: '10.0.1.0/24' +vpn_media_destination_range: '10.0.1.1/32' + +vpn_media_server_public_key_path: '/etc/wireguard/keys/public/media_server.pub' +vpn_media_server_key_path: '/etc/wireguard/keys/private/media_server.key' + +copy_vpn_media_configurations: false + +vpn_media_peers: + laptop: + ip: '10.0.1.2' + public_key: 'foobar' # TODO: generate on lapop (and provision) + preshared_key_path: '/etc/wireguard/keys/private/preshared-media-laptop.psk' + preshared_key_source_path: 'files/wireguard/media/preshared-laptop.psk' + desktop: + ip: '10.0.1.3' + public_key: 'foobar' # TODO: generate on desktop (and provision) + preshared_key_path: '/etc/wireguard/keys/private/preshared-media-desktop.psk' + preshared_key_source_path: 'files/wireguard/media/preshared-desktop.psk' + mobile_peer_1: + ip: '10.0.1.4' + public_key: '6fj8FXvzT0IUlZLJjQ/+FhwwRDsJeQsUFHqKQcyXdwQ=' + preshared_key_path: '/etc/wireguard/keys/private/preshared-media-mobile-1.psk' + preshared_key_source_path: 'files/wireguard/media/preshared-mobile-1.psk' + private_key_source_path: 'files/wireguard/media/mobile-1.key' + mobile_peer_2: + ip: '10.0.1.5' + public_key: 'w/pswNrAYFdEUoaLk3zSqOu4gg2s41BBCN02E//ai1c=' + preshared_key_path: '/etc/wireguard/keys/private/preshared-media-mobile-2.psk' + preshared_key_source_path: 'files/wireguard/media/preshared-mobile-2.psk' + private_key_source_path: 'files/wireguard/media/mobile-2.key' + tv: + ip: '10.0.1.6' + public_key: '5+yz9C9PhaLhsvAZ1e3mDsTQpMZVrPZnSQa6ERJIKU0=' + preshared_key_path: '/etc/wireguard/keys/private/preshared-media-tv.psk' + preshared_key_source_path: 'files/wireguard/media/preshared-tv.psk' + private_key_source_path: 'files/wireguard/media/tv.key'
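Review bot: `public_key: 'foobar'` for `laptop` and `desktop` is rendered verbatim into `wg1.netdev` by the peer loop and is not a valid WireGuard key, so those `[WireGuardPeer]` sections will not be accepted by networkd; leave the two peers out of `vpn_media_peers` (or guard the template loop) until keys generated on each device are provisioned, as the TODO already intends. The `public_key` values for `mobile_peer_1`, `mobile_peer_2` and `tv` duplicate the committed `files/wireguard/media/*.pub` files and will drift after a key rotation; `public_key: "{{ lookup('file', 'files/wireguard/media/mobile-1.pub') }}"` makes the `.pub` file the single source. Typo in the laptop comment: `lapop` → `laptop`.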