Add mobile configuration & load keys from paths

2021-12-31 19:16:00 +01:00 · 2021-12-31 19:16:00 +01:00 · 56331232e6
commit 56331232e6
parent 16a979b04b
13 changed files with 106 additions and 183 deletions
--- a/files/wireguard/mobile.key
+++ b/files/wireguard/mobile.key
@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+38623135656135643331396434326663353731356164326664646236383031643330363965303862
+3362643138666138386431616565646132306166396566310a313436336563643830353661323934
+33363166363735356539303635663632313630326338306433326437616335656364363038373738
+3866366666636131300a636265313164646232663135616638663430373933626365383536643763
+65376530323763643534636631333335373431326636663339333037393262303433636137623030
+6432663135386535333632303631633761623534316566306633
--- a/files/wireguard/mobile.pub
+++ b/files/wireguard/mobile.pub
@ -0,0 +1 @@
+4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY=
--- a/files/wireguard/preshared-desktop.psk
+++ b/files/wireguard/preshared-desktop.psk
--- a/files/wireguard/preshared-laptop.psk
+++ b/files/wireguard/preshared-laptop.psk
--- a/files/wireguard/preshared-mobile.psk
+++ b/files/wireguard/preshared-mobile.psk
@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+63616561393263613761376535646565646165303439323633353637656537373132373137646139
+3165366266366235643735343566363062326438613261330a333837393331313537393238633630
+64393231363232393935353535633562353439356433663539333831353530343831643235636136
+3866653465393437300a623363653161366466646239623836363561376165653238343261636565
+32633231333338653738356431636433613537303435333034326461633861633361373564616538
+3462653862383062626530636465353230386261316661616634
--- a/tasks/network.yml
+++ b/tasks/network.yml
@ -1,3 +1,24 @@
+- name: load private key into var
+  set_fact:
+    vpn_server_key: '{{ lookup("file", "files/wireguard/server.key" ) }}'
+
+- name: load public key into var
+  set_fact:
+    vpn_server_public_key: '{{ lookup("file", "files/wireguard/server.pub" ) }}'
+
+# this should eventually be replaced with using the
+# PrivateKeyFile/PresharedKeyFile options
+- name: load preshared keys into variables
+  set_fact:
+    vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"preshared_key": lookup("file", item.value.preshared_key_source_path )})})}}'
+  with_dict: '{{ vpn_peers }}'
+
+- name: load mobile private_key
+  set_fact:
+    vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"private_key": lookup("file", item.value.private_key_source_path )})})}}'
+  with_dict: '{{ vpn_peers }}'
+  when: item.key == "mobile"
+
 - name: copy network configuration files
  become: true
  template:
@ -7,10 +28,7 @@
    group: systemd-network
    mode: '0640'
  loop:
-    - {
-        src: 'templates/network/br0.netdev.j2',
-        dest: '/etc/systemd/network/br0.netdev',
-      }
+    - { src: 'templates/network/br0.netdev.j2', dest: '/etc/systemd/network/br0.netdev' }
    - {
        src: 'templates/network/br0.network.j2',
        dest: '/etc/systemd/network/br0.network',
@ -19,15 +37,19 @@
        src: 'templates/network/enp5s0.network.j2',
        dest: '/etc/systemd/network/enp5s0.network',
      }
-    - {
-        src: 'templates/network/wg0.netdev.j2',
-        dest: '/etc/systemd/network/wg0.netdev',
-      }
+    - { src: 'templates/network/wg0.netdev.j2', dest: '/etc/systemd/network/wg0.netdev' }
    - {
        src: 'templates/network/wg0.network.j2',
        dest: '/etc/systemd/network/wg0.network',
      }

+- name: copy mobile configuration
+  template:
+    src: 'mobile.wireguard.j2'
+    dest: '/tmp/mobile.wireguard.conf'
+    mode: '0600'
+  when: copy_mobile_conf
+
 - name: create wireguard directories
  become: true
  file:
@ -49,24 +71,30 @@
    group: systemd-network
    mode: '0640'
  loop:
-    - {
-        src: 'files/wireguard/server.pub',
-        dest: '{{ vpn_server_public_key_path }}',
-      }
-    - {
-        src: 'files/wireguard/server.key',
-        dest: '{{ vpn_server_key_path }}',
-      }
+    - { src: 'files/wireguard/server.pub', dest: '{{ vpn_server_public_key_path }}' }
+    - { src: 'files/wireguard/server.key', dest: '{{ vpn_server_key_path }}' }
+
+- name: copy mobile wireguard credentials
+  become: true
+  copy:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: root
+    group: systemd-network
+    mode: '0640'
+  loop:
+    - { src: 'files/wireguard/mobile.pub', dest: '{{ vpn_server_public_key_path }}' }
+    - { src: 'files/wireguard/mobile.key', dest: '{{ vpn_server_key_path }}' }

 - name: copy wireguard preshared keys
  become: true
  copy:
-    src: '{{ item.preshared_key_source_path }}'
-    dest: '{{ item.preshared_key_path }}'
+    src: '{{ item.value.preshared_key_source_path }}'
+    dest: '{{ item.value.preshared_key_path }}'
    owner: root
    group: systemd-network
    mode: '0640'
-  loop: '{{ vpn_peers }}'
+  with_dict: '{{ vpn_peers }}'

 - name: restart systemd-networkd
  become: true
--- a/tasks/nginx.yml
+++ b/tasks/nginx.yml
@ -7,26 +7,15 @@
    group: root
    mode: '0644'
  loop:
-    - {
-        src: 'templates/nginx/default.j2',
-        dest: '/etc/nginx/sites-available/default',
-      }
-    - {
-        src: 'templates/nginx/gitlab.j2',
-        dest: '/etc/nginx/sites-available/gitlab',
-      }
-    - {
-        src: 'templates/nginx/sentry.j2',
-        dest: '/etc/nginx/sites-available/sentry',
-      }
-    - {
-        src: 'templates/nginx/vpn.j2',
-        dest: '/etc/nginx/sites-available/vpn',
-      }
+    - { src: 'templates/nginx/default.j2', dest: '/etc/nginx/sites-available/default' }
+    - { src: 'templates/nginx/gitlab.j2', dest: '/etc/nginx/sites-available/gitlab' }
+    - { src: 'templates/nginx/sentry.j2', dest: '/etc/nginx/sites-available/sentry' }
+    - { src: 'templates/nginx/vpn.j2', dest: '/etc/nginx/sites-available/vpn' }
    - {
        src: 'templates/nginx/newsreader.j2',
        dest: '/etc/nginx/sites-available/newsreader',
      }
+  notify: restart nginx

 - name: create configuration links
  become: true
@ -47,12 +36,8 @@
        src: '/etc/nginx/sites-available/sentry',
        dest: '/etc/nginx/sites-enabled/sentry',
      }
-    - {
-        src: '/etc/nginx/sites-available/vpn',
-        dest: '/etc/nginx/sites-enabled/vpn',
-      }
+    - { src: '/etc/nginx/sites-available/vpn', dest: '/etc/nginx/sites-enabled/vpn' }
    - {
        src: '/etc/nginx/sites-available/newsreader',
        dest: '/etc/nginx/sites-enabled/newsreader',
      }
-  notify: restart nginx
--- a/tasks/openvpn.yml
+++ b/tasks/openvpn.yml
@ -1,112 +0,0 @@
- name: create openvpn server directory
-  become: true
-  file:
-    path: '{{ item.path }}'
-    state: directory
-    mode: '{{ item.mode }}'
-    owner: root
-    group: root
-  loop:
-    - {
-        path: '/etc/openvpn/server',
-        mode: '0744',
-      }
-    - {
-        path: '/etc/openvpn/client',
-        mode: '0744'
-      }
-    - {
-        path: '/etc/openvpn/easy-rsa',
-        mode: '0744',
-      }
-    - {
-        path: '/etc/openvpn/easy-rsa/keys',
-        mode: '0700',
-      }
-
- name: copy openvpn credentials
-  become: true
-  copy:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
-    mode: '{{ item.mode }}'
-    owner: root
-    group: root
-  loop:
-    - {
-        src: 'files/openvpn/ca.crt',
-        dest: '/etc/openvpn/easy-rsa/keys/ca.crt',
-        mode: '0644'
-      }
-    - {
-        src: 'files/openvpn/server.crt',
-        dest: '/etc/openvpn/easy-rsa/keys/server.crt',
-        mode: '0644'
-      }
-    - {
-        src: 'files/openvpn/server.csr',
-        dest: '/etc/openvpn/easy-rsa/keys/server.csr',
-        mode: '0644'
-      }
-    - {
-        src: 'files/openvpn/server.key',
-        dest: '/etc/openvpn/easy-rsa/keys/server.key',
-        mode: '0600'
-      }
-    - {
-        src: 'files/openvpn/dh2048.pem',
-        dest: '/etc/openvpn/easy-rsa/keys/dh2048.pem',
-        mode: '0644'
-      }
-    - {
-        src: 'files/openvpn/ta.key',
-        dest: '/etc/openvpn/easy-rsa/keys/ta.key',
-        mode: '0600'
-      }
-
- name: copy openvpn configuration files
-  become: true
-  template:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
-    owner: root
-    group: root
-  loop:
-    - {
-        src: 'templates/openvpn/server-lan.j2',
-        dest: '/etc/openvpn/server/server-lan.conf',
-      }
-    - {
-        src: 'templates/openvpn/server-mobile.j2',
-        dest: '/etc/openvpn/server/server-mobile.conf',
-      }
-
- name: link openvpn configuration files
-  become: true
-  file:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
-    state: link
-  loop:
-    - {
-        src: '/etc/openvpn/server/server-lan.conf',
-        dest: '/etc/openvpn/server-lan.conf',
-      }
-    - {
-        src: '/etc/openvpn/server/server-mobile.conf',
-        dest: '/etc/openvpn/server-mobile.conf',
-      }
-
- name: restart openvpn lan server
-  become: true
-  systemd:
-    name: openvpn@server-lan
-    state: restarted
-    enabled: true
-
- name: restart openvpn mobile server
-  become: true
-  systemd:
-    name: openvpn@server-mobile
-    state: restarted
-    enabled: true
--- a/templates/mobile.wireguard.j2
+++ b/templates/mobile.wireguard.j2
@ -0,0 +1,11 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+[Interface]
+Address={{ vpn_peers.mobile.ip }}/24
+PrivateKey={{ vpn_peers.mobile.private_key }}
+
+[Peer]
+PublicKey={{ vpn_server_public_key }}
+PresharedKey={{ vpn_peers.mobile.preshared_key }}
+AllowedIPs={{ vpn_listen_address }}/32
+Endpoint={{ wan_ip_address }}:{{ vpn_port }}
--- a/templates/mpd.j2
+++ b/templates/mpd.j2
@ -93,11 +93,11 @@ input {
 # blocks. Setting this block is optional, though the server will only attempt
 # autodetection for one sound card.
 #
-{% for peer in vpn_peers %}
+{% for peer, properties in vpn_peers.items() %}
 audio_output {
 	type		"pulse"
-	name		"Pulse remote {{ peer.name }}"
-	server		"{{ peer.ip }}"
+	name		"Pulse remote {{ peer }}"
+	server		"{{ properties.ip }}"
 }
 {% endfor %}

--- a/templates/network/wg0.netdev.j2
+++ b/templates/network/wg0.netdev.j2
@ -9,11 +9,11 @@ Description=WireGuard tunnel wg0
 ListenPort={{ vpn_port }}
 PrivateKey={{ vpn_server_key }}

-{% for peer in vpn_peers %}
+{% for peer, properties in vpn_peers.items() %}
 [WireGuardPeer]
-PublicKey={{ peer.public_key }}
-PresharedKey={{ peer.preshared_key }}
-AllowedIPs={{ peer.ip }}/32
+PublicKey={{ properties.public_key }}
+PresharedKey={{ properties.preshared_key }}
+AllowedIPs={{ properties.ip }}/32
 {% if not loop.last %}

 {% endif %}
--- a/vars/network.yml
+++ b/vars/network.yml
@ -1,7 +1,9 @@
 bridge_interface: 'br0'
 bridge_source_interface: 'enp5s0'
 bridge_mac: '70:85:c2:5a:ce:91'
+
 lan_ip_address: '192.168.178.185'
+wan_ip_address: '178.85.119.159'

 http_port: 80
 https_port: 443
--- a/vars/vpn.yml
+++ b/vars/vpn.yml
@ -9,29 +9,23 @@ vpn_destination_range: '10.0.0.1/32'

 vpn_server_public_key_path: '/etc/wireguard/keys/public/server.pub'
 vpn_server_key_path: '/etc/wireguard/keys/private/server.key'
-vpn_server_key:  !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          36316631633737623637633465336534323661346562326361616561326262373930376539633264
-          6438653132356266353037666466373833643633343338380a373964646339663965306332393361
-          63393630653931336430333639326364666131346437666638383738323537656632346131616436
-          3137656634316632340a326139373963626364653934303830653466356533636664396161643734
-          30383661393361336561666366663637333166323732326664376431363463346132656335306436
-          3163386561623765396236316263616631323134626537383839
+
+copy_mobile_conf: false

 vpn_peers:
-  - {
-      name: 'desktop',
-      ip: '10.0.0.3',
-      public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4=',
-      preshared_key_path: '/etc/wireguard/keys/private/preshared-desktop.key',
-      preshared_key_source_path: 'files/wireguard/preshared-desktop.key',
-      preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n613030653137313136613864613432613261303064373562313863353736656562343333333639323736656634663861373236353934653335643630633061340a643063633439383435316230633164666161386530373839393934643137313735353031306264663237626665356561356261306230376365643830633532370a343037393832386332323962626434303034393561373664306630623465306138646661386562306131343633323134393437393235636563346435383366373566333038396233383437656562613066383232333466623130333635303136"
-    }
-  - {
-      name: 'laptop',
-      ip: '10.0.0.2',
-      public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw=',
-      preshared_key_path: '/etc/wireguard/keys/private/preshared-laptop.key',
-      preshared_key_source_path: 'files/wireguard/preshared-laptop.key',
-      preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n336435613338343639663239376633313631363439663837633832656331323039653638343366316630346137336665646461633437643066653164623537390a633862383165613032626434633063333564636662376635353638313435356530303430356336336533343137313061343637363465663436363465663664390a643832643133656330666661646535343034303235623464383532313431363035636530643966333532376236623239393363666266316363303061376565343263396433613339383661393130326562323766643135313365613766663063"
-    }
+  laptop:
+    ip: '10.0.0.2'
+    public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw='
+    preshared_key_path: '/etc/wireguard/keys/private/preshared-laptop.psk'
+    preshared_key_source_path: 'files/wireguard/preshared-laptop.psk'
+  desktop:
+    ip: '10.0.0.3'
+    public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4='
+    preshared_key_path: '/etc/wireguard/keys/private/preshared-desktop.psk'
+    preshared_key_source_path: 'files/wireguard/preshared-desktop.psk'
+  mobile:
+    ip: '10.0.0.4'
+    public_key: '4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY='
+    preshared_key_path: '/etc/wireguard/keys/private/preshared-mobile.psk'
+    preshared_key_source_path: 'files/wireguard/preshared-mobile.psk'
+    private_key_source_path: 'files/wireguard/mobile.key'
				`@ -0,0 +1 @@`
				`4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY=`