Add media vpn setup

files/wireguard/media/mobile-1.key

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+36663166623362373139313130376432363431636130316637653064386239626638663038666137
+3736393932356630633438646239656566663132353866390a316431366232303662633063626563
+31656363636232623335373661386439353936316336663366633234316466313661613062313534
+3038303838393133340a353066306137643435353737666637363263383934353935653866636337
+66343231323262306338613035346437383133386639333066656434343838386561313636353466
+3361613932386137356435396438663364326532303533613761

files/wireguard/media/mobile-1.pub

@@ -0,0 +1 @@
+6fj8FXvzT0IUlZLJjQ/+FhwwRDsJeQsUFHqKQcyXdwQ=

files/wireguard/media/mobile-2.key

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+66333736396437633630373463646634616463373238316237386365386365366361303763373136
+6135316639303235393630313561383835363436346165610a643935653532353563303631373132
+61393763353036313731353639343835303465383365333865393733613630646162316561386139
+3634323363323330660a616664333463386461303531303531306533336166346339303236376539
+31373230376162623039373062323031336430623231313830313366363839376132316630366563
+6562373164323937363137646330623935356236353366656363

files/wireguard/media/mobile-2.pub

@@ -0,0 +1 @@
+w/pswNrAYFdEUoaLk3zSqOu4gg2s41BBCN02E//ai1c=

files/wireguard/media/preshared-desktop.psk

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+33656266346661336633613131643631353238383261646533623137326264373661356366383938
+3133326334363561623535353738656164343331396163340a666237326461636634346237366437
+32646132306630353365326436666165616263306334343131346230343363313334636436303836
+3034613961303261640a646534616464373038313537366261613661613865353936616266613335
+30643333336633343435623336383134623231346165333831376239303764343834323961386434
+6533346661633136353037363865393764643634353933643735

files/wireguard/media/preshared-laptop.psk

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+35626139616466633233316431393132653238383534366561303832323531636332623530373431
+6461303662336533633333386635323261393936323534350a653461653831636365303861366562
+32393031666632633364366465333931663332623464353430393539633739326135303636373762
+3264643738336630650a306664393939313838313663396264366263663866633366646264326330
+31656438346166316232663832326462383163626330633937393532383665343861323831313665
+3732643931316538303737363639616665323639353436376432

files/wireguard/media/preshared-mobile-1.psk

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+66356363663464643764623762353539313835376230306639333037303233353830656562393664
+3334353835393064653262303736303732343139613664360a393764303166656137646538646234
+65326361646162386531326530613866373135356233626233363463626463373466363434623932
+3466373536353139340a386435383966366563366466653435656265336432333865653434343633
+63646365343838386163336337373437393236353136626232313334633432393934376361613838
+6334376636336132346333636139333634346161343837396631

files/wireguard/media/preshared-mobile-2.psk

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+61373431643838303539366639656632383037613066353166376339393733666436613633616638
+3635623366623238353832383530323336383735333761610a303061353238333532386638336238
+36633730313334356236363735613264656131393238633537396461383462643937346630663765
+3239383863383862350a333330323932636363313931613561393932653130666138656263363263
+65663835396663643938373966386137663263613962633636383132383039326365383630336531
+6630343438366530646139373662306336353434363435333635

files/wireguard/media/preshared-tv.psk

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+66363364313233366362616232653334653739613565663831346163333863613435656534303532
+3566393437343036323366666261356465346331396334300a653530613937643265633039376464
+66363530353864653932646231343430626136613432326439373164356537393639363430313432
+3564653461303766620a663339376264363633616434303539643237343833343438643266346437
+66363738613735326662383739323531323531326161356430613134666631656562336537393632
+3962653263353334383964306230363334343064326631393237

files/wireguard/media/server.key

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+30396636366461333265336336313865386431613366346531373830666531653236666232366530
+6164323239653235313965393062306264353232373165630a653165626434336135306231303034
+38656230666361666336313634396562346438323863303835303832646133666266613537663833
+3030383039653364640a643631653331353063393766653866333933373339626338366133363564
+37373632333332326165323862373666386230316630323135326438326533326664396334643837
+6432323032626435373531353434646238343966396634646138

files/wireguard/media/server.pub

@@ -0,0 +1 @@
+EugKeo63C5N5kz9ShMHtYswO9Qh6mE00MtfLSFmqqjg=

files/wireguard/media/tv.key

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+31346135623233396339393930373564643931306234636565633534356365626637616434396631
+3137306535336138386263343436663033363234643238610a663862306631323964333966613236
+36343565396264376436656635363862613333326138356638343966643532363964313630643763
+6635343464623837300a333036623835376133616236306637623235636432643236626635316334
+33353630646565363563303230386337613030396333383433346165643933343135623730303039
+6333396361373863353865323834383737656330396463383739

files/wireguard/media/tv.pub

@@ -0,0 +1 @@
+5+yz9C9PhaLhsvAZ1e3mDsTQpMZVrPZnSQa6ERJIKU0=

handlers.yml

@@ -0,0 +1,6 @@
+- name: restart systemd-networkd
+  become: true
+  systemd:
+    name: systemd-networkd
+    state: restarted
+    enabled: true

playbook.yml

@@ -9,17 +9,22 @@
   tasks:
     - import_tasks: 'tasks/setup.yml'
     - import_tasks: 'tasks/network.yml'
+    - import_tasks: 'tasks/wireguard.yml'
+    - import_tasks: 'tasks/wireguard_media.yml'
     - import_tasks: 'tasks/docker.yml'
     - import_tasks: 'tasks/radicale.yml'
     - import_tasks: 'tasks/syncthing.yml'
     - import_tasks: 'tasks/transmission.yml'
     - import_tasks: 'tasks/mpd.yml'
     - import_tasks: 'tasks/nginx.yml'
+  handlers:
+    - import_tasks: 'handlers.yml'
   vars_files:
     - 'vars/main.yml'
     - 'vars/nginx.yml'
     - 'vars/network.yml'
     - 'vars/vpn.yml'
+    - 'vars/vpn_media.yml'
     - 'vars/transmission.yml'
     - 'vars/syncthing.yml'
     - 'vars/mpd.yml'

tasks/network.yml

@@ -1,24 +1,3 @@
-- name: load private key into var
-  set_fact:
-    vpn_server_key: '{{ lookup("file", "files/wireguard/server.key" ) }}'
-
-- name: load public key into var
-  set_fact:
-    vpn_server_public_key: '{{ lookup("file", "files/wireguard/server.pub" ) }}'
-
-# this should eventually be replaced with using the
-# PrivateKeyFile/PresharedKeyFile options
-- name: load preshared keys into variables
-  set_fact:
-    vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"preshared_key": lookup("file", item.value.preshared_key_source_path )})})}}'
-  with_dict: '{{ vpn_peers }}'
-
-- name: load mobile private_key
-  set_fact:
-    vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"private_key": lookup("file", item.value.private_key_source_path )})})}}'
-  with_dict: '{{ vpn_peers }}'
-  when: item.key == "mobile"
-
 - name: copy network configuration files
   become: true
   template:
@@ -33,11 +12,7 @@
         src: 'templates/network/link1.network.j2',
         dest: '/etc/systemd/network/link1.network',
       }
-    - { src: 'templates/network/wg0.netdev.j2', dest: '/etc/systemd/network/wg0.netdev' }
+  notify: restart systemd-networkd
-    - {
-        src: 'templates/network/wg0.network.j2',
-        dest: '/etc/systemd/network/wg0.network',
-      }
 
 - name: copy interface restart timer/service
   become: true
@@ -56,6 +31,7 @@
         src: 'templates/interface_restart.service.j2',
         dest: '/etc/systemd/system/interface-restart.service',
       }
+  notify: restart systemd-networkd
 
 - name: enable interface restart timer
   become: true
@@ -71,63 +47,4 @@
     dest: '/etc/hosts'
     mode: '0644'
     owner: root
-
+  notify: restart systemd-networkd
-- name: copy mobile configuration
-  template:
-    src: 'mobile.wireguard.j2'
-    dest: '/tmp/mobile.wireguard.conf'
-    mode: '0600'
-  when: copy_mobile_conf
-
-- name: create wireguard directories
-  become: true
-  file:
-    path: '{{ item | dirname }}'
-    owner: root
-    group: systemd-network
-    mode: '0640'
-    state: directory
-  loop:
-    - '{{ vpn_server_key_path }}'
-    - '{{ vpn_server_public_key_path }}'
-
-- name: copy wireguard credentials
-  become: true
-  copy:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
-    owner: root
-    group: systemd-network
-    mode: '0640'
-  loop:
-    - { src: 'files/wireguard/server.pub', dest: '{{ vpn_server_public_key_path }}' }
-    - { src: 'files/wireguard/server.key', dest: '{{ vpn_server_key_path }}' }
-
-- name: copy mobile wireguard credentials
-  become: true
-  copy:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
-    owner: root
-    group: systemd-network
-    mode: '0640'
-  loop:
-    - { src: 'files/wireguard/mobile.pub', dest: '{{ vpn_server_public_key_path }}' }
-    - { src: 'files/wireguard/mobile.key', dest: '{{ vpn_server_key_path }}' }
-
-- name: copy wireguard preshared keys
-  become: true
-  copy:
-    src: '{{ item.value.preshared_key_source_path }}'
-    dest: '{{ item.value.preshared_key_path }}'
-    owner: root
-    group: systemd-network
-    mode: '0640'
-  with_dict: '{{ vpn_peers }}'
-
-- name: restart systemd-networkd
-  become: true
-  systemd:
-    name: systemd-networkd
-    state: restarted
-    enabled: true

tasks/nginx.yml

@@ -41,3 +41,5 @@
         src: '/etc/nginx/sites-available/newsreader',
         dest: '/etc/nginx/sites-enabled/newsreader',
       }
+
+# TODO: provision certbot configuration

tasks/setup.yml

@@ -17,3 +17,6 @@
     group: root
     mode: '0644'
   notify: reload ssh
+
+# TODO: provision default grub menu entry for now
+# linux-image-6.1.0-17 kernel seems to break networking

tasks/wireguard.yml

@@ -0,0 +1,90 @@
+- name: load private key into var
+  set_fact:
+    vpn_server_key: '{{ lookup("file", "files/wireguard/default/server.key" ) }}'
+
+- name: load public key into var
+  set_fact:
+    vpn_server_public_key: '{{ lookup("file", "files/wireguard/default/server.pub" ) }}'
+
+# this should eventually be replaced with using the
+# PrivateKeyFile/PresharedKeyFile options
+- name: load preshared keys into variables
+  set_fact:
+    vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"preshared_key": lookup("file", item.value.preshared_key_source_path )})})}}'
+  with_dict: '{{ vpn_peers }}'
+
+- name: load mobile private_key
+  set_fact:
+    vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"private_key": lookup("file", item.value.private_key_source_path )})})}}'
+  with_dict: '{{ vpn_peers }}'
+  when: item.key == "mobile"
+
+- name: copy wireguard configuration files
+  become: true
+  template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop:
+    - { src: 'templates/network/wireguard/default/wg0.netdev.j2', dest: '/etc/systemd/network/wg0.netdev' }
+    - {
+        src: 'templates/network/wireguard/default/wg0.network.j2',
+        dest: '/etc/systemd/network/wg0.network',
+      }
+  notify: restart systemd-networkd
+
+- name: copy mobile configuration
+  template:
+    src: 'templates/network/wireguard/default/mobile.wireguard.j2'
+    dest: '/tmp/mobile.wireguard.conf'
+    mode: '0600'
+  when: copy_vpn_configurations
+
+- name: create wireguard directories
+  become: true
+  file:
+    path: '{{ item | dirname }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+    state: directory
+  loop:
+    - '{{ vpn_server_key_path }}'
+    - '{{ vpn_server_public_key_path }}'
+
+- name: copy wireguard credentials
+  become: true
+  copy:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop:
+    - { src: 'files/wireguard/default/server.pub', dest: '{{ vpn_server_public_key_path }}' }
+    - { src: 'files/wireguard/default/server.key', dest: '{{ vpn_server_key_path }}' }
+
+- name: copy mobile wireguard credentials
+  become: true
+  copy:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop:
+    - { src: 'files/wireguard/default/mobile.pub', dest: '{{ vpn_server_public_key_path|dirname }}/mobile.pub' }
+    - { src: 'files/wireguard/default/mobile.key', dest: '{{ vpn_server_key_path|dirname }}/mobile.key' }
+
+- name: copy wireguard preshared keys
+  become: true
+  copy:
+    src: '{{ item.value.preshared_key_source_path }}'
+    dest: '{{ item.value.preshared_key_path }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  with_dict: '{{ vpn_peers }}'
+

tasks/wireguard_media.yml

@@ -0,0 +1,97 @@
+- name: load media private key into var
+  set_fact:
+    vpn_media_server_key: '{{ lookup("file", "files/wireguard/media/server.key" ) }}'
+
+- name: load media public key into var
+  set_fact:
+    vpn_media_server_public_key: '{{ lookup("file", "files/wireguard/media/server.pub" ) }}'
+
+# this should eventually be replaced with using the
+# PrivateKeyFile/PresharedKeyFile options
+- name: load preshared media keys into variables
+  set_fact:
+    vpn_media_peers: '{{ vpn_media_peers | combine({item.key: item.value|combine({"preshared_key": lookup("file", item.value.preshared_key_source_path )})})}}'
+  with_dict: '{{ vpn_media_peers }}'
+
+- name: load external media private_keys
+  set_fact:
+    vpn_media_peers: '{{ vpn_media_peers | combine({item.key: item.value|combine({"private_key": lookup("file", item.value.private_key_source_path )})})}}'
+  with_dict: '{{ vpn_media_peers }}'
+  when: item.key in ['mobile_peer_1', 'mobile_peer_2', 'tv']
+
+- name: copy wireguard media configuration files
+  become: true
+  template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop:
+    - { src: 'templates/network/wireguard/media/wg1.netdev.j2', dest: '/etc/systemd/network/wg1.netdev' }
+    - {
+        src: 'templates/network/wireguard/media/wg1.network.j2',
+        dest: '/etc/systemd/network/wg1.network',
+      }
+  notify: restart systemd-networkd
+
+- name: copy external media configurations
+  template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    mode: '0600'
+  loop:
+    - { src: 'templates/network/wireguard/media/mobile_1.wireguard.j2', dest: '/tmp/mobile_1.wireguard.conf' }
+    - { src: 'templates/network/wireguard/media/mobile_2.wireguard.j2', dest: '/tmp/mobile_2.wireguard.conf' }
+    - { src: 'templates/network/wireguard/media/tv.wireguard.j2', dest: '/tmp/tv.wireguard.conf' }
+  when: copy_vpn_media_configurations
+
+- name: create wireguard media directories
+  become: true
+  file:
+    path: '{{ item | dirname }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+    state: directory
+  loop:
+    - '{{ vpn_media_server_key_path }}'
+    - '{{ vpn_media_server_public_key_path }}'
+
+- name: copy wireguard media credentials
+  become: true
+  copy:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop:
+    - { src: 'files/wireguard/media/server.pub', dest: '{{ vpn_media_server_public_key_path }}' }
+    - { src: 'files/wireguard/media/server.key', dest: '{{ vpn_media_server_key_path }}' }
+
+- name: copy mobile media wireguard credentials
+  become: true
+  copy:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop:
+    - { src: 'files/wireguard/media/mobile-1.pub', dest: '{{ vpn_media_server_public_key_path|dirname }}/mobile_1.pub' }
+    - { src: 'files/wireguard/media/mobile-1.key', dest: '{{ vpn_media_server_key_path|dirname }}/mobile_1.key' }
+    - { src: 'files/wireguard/media/mobile-2.pub', dest: '{{ vpn_media_server_public_key_path|dirname }}/mobile_2.pub' }
+    - { src: 'files/wireguard/media/mobile-2.key', dest: '{{ vpn_media_server_key_path|dirname }}/mobile_2.key' }
+    - { src: 'files/wireguard/media/tv.pub', dest: '{{ vpn_media_server_public_key_path|dirname }}/tv.pub' }
+    - { src: 'files/wireguard/media/tv.key', dest: '{{ vpn_media_server_key_path|dirname }}/tv.key' }
+
+- name: copy wireguard media preshared keys
+  become: true
+  copy:
+    src: '{{ item.value.preshared_key_source_path }}'
+    dest: '{{ item.value.preshared_key_path }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  with_dict: '{{ vpn_media_peers }}'

templates/network/wireguard/default/mobile.wireguard.j2

@@ -1,4 +1,4 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+# {{ ansible_managed }}
 
 [Interface]
 Address={{ vpn_peers.mobile.ip }}/24
@@ -8,4 +8,4 @@ PrivateKey={{ vpn_peers.mobile.private_key }}
 PublicKey={{ vpn_server_public_key }}
 PresharedKey={{ vpn_peers.mobile.preshared_key }}
 AllowedIPs={{ vpn_listen_address }}/32
-Endpoint={{ wan_ip_address }}:{{ vpn_port }}
+Endpoint={{ domain_name }}:{{ vpn_port }}

templates/network/wireguard/default/wg0.netdev.j2

@@ -1,4 +1,4 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+# {{ ansible_managed }}
 
 [NetDev]
 Name={{ vpn_interface }}

templates/network/wireguard/default/wg0.network.j2

@@ -1,4 +1,4 @@
-# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+# {{ ansible_managed }}
 
 [Match]
 Name={{ vpn_interface }}

templates/network/wireguard/media/mobile_1.wireguard.j2

@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+[Interface]
+Address={{ vpn_media_peers.mobile_peer_1.ip }}/24
+PrivateKey={{ vpn_media_peers.mobile_peer_1.private_key }}
+
+[Peer]
+PublicKey={{ vpn_media_server_public_key }}
+PresharedKey={{ vpn_media_peers.mobile_peer_1.preshared_key }}
+AllowedIPs={{ vpn_media_listen_address }}/32
+Endpoint={{ domain_name }}:{{ vpn_media_port }}

templates/network/wireguard/media/mobile_2.wireguard.j2

@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+[Interface]
+Address={{ vpn_media_peers.mobile_peer_2.ip }}/24
+PrivateKey={{ vpn_media_peers.mobile_peer_2.private_key }}
+
+[Peer]
+PublicKey={{ vpn_media_server_public_key }}
+PresharedKey={{ vpn_media_peers.mobile_peer_2.preshared_key }}
+AllowedIPs={{ vpn_media_listen_address }}/32
+Endpoint={{ domain_name }}:{{ vpn_media_port }}

templates/network/wireguard/media/tv.wireguard.j2

@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+[Interface]
+Address={{ vpn_media_peers.tv.ip }}/24
+PrivateKey={{ vpn_media_peers.tv.private_key }}
+
+[Peer]
+PublicKey={{ vpn_media_server_public_key }}
+PresharedKey={{ vpn_media_peers.tv.preshared_key }}
+AllowedIPs={{ vpn_media_listen_address }}/32
+Endpoint={{ domain_name }}:{{ vpn_media_port }}

templates/network/wireguard/media/wg1.netdev.j2

@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+
+[NetDev]
+Name={{ vpn_media_interface }}
+Kind=wireguard
+Description=WireGuard tunnel wg1
+
+[WireGuard]
+ListenPort={{ vpn_media_port }}
+PrivateKey={{ vpn_media_server_key }}
+
+{% for peer, properties in vpn_media_peers.items() %}
+[WireGuardPeer]
+PublicKey={{ properties.public_key }}
+PresharedKey={{ properties.preshared_key }}
+AllowedIPs={{ properties.ip }}/32
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}

templates/network/wireguard/media/wg1.network.j2

@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ vpn_media_interface }}
+
+[Network]
+Address={{ vpn_media_listen_address }}/{{ vpn_media_subnet }}

templates/nftables.j2

@@ -25,6 +25,7 @@ table ip filter {
     iifname "{{ network_interface }}" tcp dport {{ transmission_port }} accept comment "Transmission"
 
     iifname "{{ network_interface }}" udp dport {{ vpn_port }} accept comment "Wireguard"
+    iifname "{{ network_interface }}" udp dport {{ vpn_media_port }} accept comment "Wireguard media"
 
     iifname "{{ vpn_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "HTTP/HTTPS"
     iifname "{{ vpn_interface }}" tcp dport {{ transmission_web_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Transmission Web"

vars/network.yml

@@ -2,7 +2,7 @@ network_interface: 'link1'
 network_mac: '70:85:c2:5a:ce:91'
 
 lan_ip_address: '192.168.2.1'
-wan_ip_address: '37.251.96.245'
+domain_name: 'fudiggity.nl'
 
 http_port: 80
 https_port: 443

vars/vpn.yml

@@ -1,6 +1,5 @@
 vpn_listen_address: '10.0.0.1'
 vpn_subnet: '24'
-vpn_local_ip: '192.168.178.185'
 vpn_port: '51902'
 vpn_interface: 'wg0'
 
@@ -10,22 +9,22 @@ vpn_destination_range: '10.0.0.1/32'
 vpn_server_public_key_path: '/etc/wireguard/keys/public/server.pub'
 vpn_server_key_path: '/etc/wireguard/keys/private/server.key'
 
-copy_mobile_conf: false
+copy_vpn_configurations: false
 
 vpn_peers:
   laptop:
     ip: '10.0.0.2'
     public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw='
     preshared_key_path: '/etc/wireguard/keys/private/preshared-laptop.psk'
-    preshared_key_source_path: 'files/wireguard/preshared-laptop.psk'
+    preshared_key_source_path: 'files/wireguard/default/preshared-laptop.psk'
   desktop:
     ip: '10.0.0.3'
     public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4='
     preshared_key_path: '/etc/wireguard/keys/private/preshared-desktop.psk'
-    preshared_key_source_path: 'files/wireguard/preshared-desktop.psk'
+    preshared_key_source_path: 'files/wireguard/default/preshared-desktop.psk'
   mobile:
     ip: '10.0.0.4'
     public_key: '4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY='
     preshared_key_path: '/etc/wireguard/keys/private/preshared-mobile.psk'
-    preshared_key_source_path: 'files/wireguard/preshared-mobile.psk'
+    preshared_key_source_path: 'files/wireguard/default/preshared-mobile.psk'
-    private_key_source_path: 'files/wireguard/mobile.key'
+    private_key_source_path: 'files/wireguard/default/mobile.key'

vars/vpn_media.yml

@@ -0,0 +1,42 @@
+vpn_media_listen_address: '10.0.1.1'
+vpn_media_subnet: '24'
+vpn_media_port: '51903'
+vpn_media_interface: 'wg1'
+
+vpn_media_source_range: '10.0.1.0/24'
+vpn_media_destination_range: '10.0.1.1/32'
+
+vpn_media_server_public_key_path: '/etc/wireguard/keys/public/media_server.pub'
+vpn_media_server_key_path: '/etc/wireguard/keys/private/media_server.key'
+
+copy_vpn_media_configurations: false
+
+vpn_media_peers:
+  laptop:
+    ip: '10.0.1.2'
+    public_key: 'foobar' # TODO: generate on lapop (and provision)
+    preshared_key_path: '/etc/wireguard/keys/private/preshared-media-laptop.psk'
+    preshared_key_source_path: 'files/wireguard/media/preshared-laptop.psk'
+  desktop:
+    ip: '10.0.1.3'
+    public_key: 'foobar' # TODO: generate on desktop (and provision)
+    preshared_key_path: '/etc/wireguard/keys/private/preshared-media-desktop.psk'
+    preshared_key_source_path: 'files/wireguard/media/preshared-desktop.psk'
+  mobile_peer_1:
+    ip: '10.0.1.4'
+    public_key: '6fj8FXvzT0IUlZLJjQ/+FhwwRDsJeQsUFHqKQcyXdwQ='
+    preshared_key_path: '/etc/wireguard/keys/private/preshared-media-mobile-1.psk'
+    preshared_key_source_path: 'files/wireguard/media/preshared-mobile-1.psk'
+    private_key_source_path: 'files/wireguard/media/mobile-1.key'
+  mobile_peer_2:
+    ip: '10.0.1.5'
+    public_key: 'w/pswNrAYFdEUoaLk3zSqOu4gg2s41BBCN02E//ai1c='
+    preshared_key_path: '/etc/wireguard/keys/private/preshared-media-mobile-2.psk'
+    preshared_key_source_path: 'files/wireguard/media/preshared-mobile-2.psk'
+    private_key_source_path: 'files/wireguard/media/mobile-2.key'
+  tv:
+    ip: '10.0.1.6'
+    public_key: '5+yz9C9PhaLhsvAZ1e3mDsTQpMZVrPZnSQa6ERJIKU0='
+    preshared_key_path: '/etc/wireguard/keys/private/preshared-media-tv.psk'
+    preshared_key_source_path: 'files/wireguard/media/preshared-tv.psk'
+    private_key_source_path: 'files/wireguard/media/tv.key'