diff --git a/files/wireguard/mobile.key b/files/wireguard/mobile.key
new file mode 100644
index 0000000..f9bed9a
--- /dev/null
+++ b/files/wireguard/mobile.key
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+38623135656135643331396434326663353731356164326664646236383031643330363965303862
+3362643138666138386431616565646132306166396566310a313436336563643830353661323934
+33363166363735356539303635663632313630326338306433326437616335656364363038373738
+3866366666636131300a636265313164646232663135616638663430373933626365383536643763
+65376530323763643534636631333335373431326636663339333037393262303433636137623030
+6432663135386535333632303631633761623534316566306633
diff --git a/files/wireguard/mobile.pub b/files/wireguard/mobile.pub
new file mode 100644
index 0000000..de18c84
--- /dev/null
+++ b/files/wireguard/mobile.pub
@@ -0,0 +1 @@
+4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY=
diff --git a/files/wireguard/preshared-desktop.key b/files/wireguard/preshared-desktop.psk
similarity index 100%
rename from files/wireguard/preshared-desktop.key
rename to files/wireguard/preshared-desktop.psk
diff --git a/files/wireguard/preshared-laptop.key b/files/wireguard/preshared-laptop.psk
similarity index 100%
rename from files/wireguard/preshared-laptop.key
rename to files/wireguard/preshared-laptop.psk
diff --git a/files/wireguard/preshared-mobile.psk b/files/wireguard/preshared-mobile.psk
new file mode 100644
index 0000000..ca8651c
--- /dev/null
+++ b/files/wireguard/preshared-mobile.psk
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+63616561393263613761376535646565646165303439323633353637656537373132373137646139
+3165366266366235643735343566363062326438613261330a333837393331313537393238633630
+64393231363232393935353535633562353439356433663539333831353530343831643235636136
+3866653465393437300a623363653161366466646239623836363561376165653238343261636565
+32633231333338653738356431636433613537303435333034326461633861633361373564616538
+3462653862383062626530636465353230386261316661616634
diff --git a/tasks/network.yml b/tasks/network.yml
index f4d4add..eea805d 100644
--- a/tasks/network.yml
+++ b/tasks/network.yml
@@ -1,3 +1,24 @@
+- name: load private key into var
+ set_fact:
+ vpn_server_key: '{{ lookup("file", "files/wireguard/server.key" ) }}'
+
+- name: load public key into var
+ set_fact:
+ vpn_server_public_key: '{{ lookup("file", "files/wireguard/server.pub" ) }}'
+
+# this should eventually be replaced with using the
+# PrivateKeyFile/PresharedKeyFile options
+- name: load preshared keys into variables
+ set_fact:
+ vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"preshared_key": lookup("file", item.value.preshared_key_source_path )})})}}'
+ with_dict: '{{ vpn_peers }}'
+
+- name: load mobile private_key
+ set_fact:
+ vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"private_key": lookup("file", item.value.private_key_source_path )})})}}'
+ with_dict: '{{ vpn_peers }}'
+ when: item.key == "mobile"
+
 - name: copy network configuration files
 become: true
 template:
@@ -7,10 +28,7 @@
 group: systemd-network
 mode: '0640'
 loop:
- - {
- src: 'templates/network/br0.netdev.j2',
- dest: '/etc/systemd/network/br0.netdev',
- }
+ - { src: 'templates/network/br0.netdev.j2', dest: '/etc/systemd/network/br0.netdev' }
 - {
 src: 'templates/network/br0.network.j2',
 dest: '/etc/systemd/network/br0.network',
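Review bot: The four new `set_fact` tasks load the server private key, every peer PSK and the mobile private key into variables, but none of them sets `no_log: true`, so the decrypted key material is echoed in the task result (visible with `-v`, in the loop item output and in any callback or log collector) and, if fact caching is enabled, persisted to the cache. Add `no_log: true` to each of the four tasks. The mobile special case is also hard-wired as `when: item.key == "mobile"`; `when: item.value.private_key_source_path is defined` keeps the loop data-driven, so a second client with a managed key needs no change here. The existing comment already points at `PrivateKeyFile`/`PresharedKeyFile`, which would additionally keep the secrets out of the rendered `wg0.netdev`.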
@@ -19,15 +37,19 @@
 src: 'templates/network/enp5s0.network.j2',
 dest: '/etc/systemd/network/enp5s0.network',
 }
- - {
- src: 'templates/network/wg0.netdev.j2',
- dest: '/etc/systemd/network/wg0.netdev',
- }
+ - { src: 'templates/network/wg0.netdev.j2', dest: '/etc/systemd/network/wg0.netdev' }
 - {
 src: 'templates/network/wg0.network.j2',
 dest: '/etc/systemd/network/wg0.network',
 }
+- name: copy mobile configuration
+ template:
+ src: 'mobile.wireguard.j2'
+ dest: '/tmp/mobile.wireguard.conf'
+ mode: '0600'
+ when: copy_mobile_conf
+
 - name: create wireguard directories
 become: true
 file:
@@ -49,24 +71,30 @@
 group: systemd-network
 mode: '0640'
 loop:
- - {
- src: 'files/wireguard/server.pub',
- dest: '{{ vpn_server_public_key_path }}',
- }
- - {
- src: 'files/wireguard/server.key',
- dest: '{{ vpn_server_key_path }}',
- }
+ - { src: 'files/wireguard/server.pub', dest: '{{ vpn_server_public_key_path }}' }
+ - { src: 'files/wireguard/server.key', dest: '{{ vpn_server_key_path }}' }
+
+- name: copy mobile wireguard credentials
+ become: true
+ copy:
+ src: '{{ item.src }}'
+ dest: '{{ item.dest }}'
+ owner: root
+ group: systemd-network
+ mode: '0640'
+ loop:
+ - { src: 'files/wireguard/mobile.pub', dest: '{{ vpn_server_public_key_path }}' }
+ - { src: 'files/wireguard/mobile.key', dest: '{{ vpn_server_key_path }}' }
 - name: copy wireguard preshared keys
 become: true
 copy:
- src: '{{ item.preshared_key_source_path }}'
- dest: '{{ item.preshared_key_path }}'
+ src: '{{ item.value.preshared_key_source_path }}'
+ dest: '{{ item.value.preshared_key_path }}'
 owner: root
 group: systemd-network
 mode: '0640'
- loop: '{{ vpn_peers }}'
+ with_dict: '{{ vpn_peers }}'
 - name: restart systemd-networkd
 become: true
diff --git a/tasks/nginx.yml b/tasks/nginx.yml
index 0849351..d7ea8bf 100644
--- a/tasks/nginx.yml
+++ b/tasks/nginx.yml
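Review bot: `dest: '/tmp/mobile.wireguard.conf'` renders the phone's private key and PSK in cleartext to a predictable name in the shared `/tmp` of the remote host, without `become`, so the file belongs to whatever account Ansible connects as and nothing in the play removes it afterwards. Since the file only has to reach the phone, render it on the controller instead — add `delegate_to: localhost` and point `dest` at a non-shared directory — or, if it must be produced on the server, write it into a directory the play creates with `0700` and delete it once it has been transferred. The `ansible_date_time` stamp in the template header also makes this task report `changed` on every run, which buries real changes in the summary.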
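Review bot: The new `copy mobile wireguard credentials` task writes `files/wireguard/mobile.pub` and `mobile.key` to `{{ vpn_server_public_key_path }}` and `{{ vpn_server_key_path }}` — the same destinations the task just above uses for `server.pub` and `server.key` — so every run replaces the server's on-disk keypair with the mobile peer's. It goes unnoticed because `wg0.netdev` is rendered from `vpn_server_key`, which the first hunk reads from the controller's `server.key`, not from this path. As far as this diff shows the server never needs a peer's private key (only `vpn_peers.mobile.public_key` is used), so the cleanest fix is to drop this task; if the mobile key must live on the host, give it its own paths, e.g. `dest: '/etc/wireguard/keys/private/mobile.key'` with `mode: '0600'` and `group: root`, since nothing visible reads it as `systemd-network`.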
@@ -7,26 +7,15 @@
 group: root
 mode: '0644'
 loop:
- - {
- src: 'templates/nginx/default.j2',
- dest: '/etc/nginx/sites-available/default',
- }
- - {
- src: 'templates/nginx/gitlab.j2',
- dest: '/etc/nginx/sites-available/gitlab',
- }
- - {
- src: 'templates/nginx/sentry.j2',
- dest: '/etc/nginx/sites-available/sentry',
- }
- - {
- src: 'templates/nginx/vpn.j2',
- dest: '/etc/nginx/sites-available/vpn',
- }
+ - { src: 'templates/nginx/default.j2', dest: '/etc/nginx/sites-available/default' }
+ - { src: 'templates/nginx/gitlab.j2', dest: '/etc/nginx/sites-available/gitlab' }
+ - { src: 'templates/nginx/sentry.j2', dest: '/etc/nginx/sites-available/sentry' }
+ - { src: 'templates/nginx/vpn.j2', dest: '/etc/nginx/sites-available/vpn' }
 - {
 src: 'templates/nginx/newsreader.j2',
 dest: '/etc/nginx/sites-available/newsreader',
 }
+ notify: restart nginx
 - name: create configuration links
 become: true
@@ -47,12 +36,8 @@
 src: '/etc/nginx/sites-available/sentry',
 dest: '/etc/nginx/sites-enabled/sentry',
 }
- - {
- src: '/etc/nginx/sites-available/vpn',
- dest: '/etc/nginx/sites-enabled/vpn',
- }
+ - { src: '/etc/nginx/sites-available/vpn', dest: '/etc/nginx/sites-enabled/vpn' }
 - {
 src: '/etc/nginx/sites-available/newsreader',
 dest: '/etc/nginx/sites-enabled/newsreader',
 }
- notify: restart nginx
diff --git a/tasks/openvpn.yml b/tasks/openvpn.yml
deleted file mode 100644
index 53e5323..0000000
--- a/tasks/openvpn.yml
+++ /dev/null
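Review bot: Moving `notify: restart nginx` from the `create configuration links` task to the template task (the second hunk removes it, the first adds it) means a run in which only a `sites-enabled` link changes — a site enabled for the first time on a host whose `sites-available` file already matched, or a link recreated after removal — no longer restarts nginx, so the new server block is not served until something else fires the handler. Keep `notify: restart nginx` on both tasks; Ansible de-duplicates handler notifications, so it still runs once. Separately, the template task has no `validate:`, and because `nginx -t` cannot check a single site fragment the safer pattern is a `nginx -t` step in the handler before the restart, so a bad template does not take every site down. The task headers for both hunks begin outside the visible lines.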
@@ -1,112 +0,0 @@
-- name: create openvpn server directory
- become: true
- file:
- path: '{{ item.path }}'
- state: directory
- mode: '{{ item.mode }}'
- owner: root
- group: root
- loop:
- - {
- path: '/etc/openvpn/server',
- mode: '0744',
- }
- - {
- path: '/etc/openvpn/client',
- mode: '0744'
- }
- - {
- path: '/etc/openvpn/easy-rsa',
- mode: '0744',
- }
- - {
- path: '/etc/openvpn/easy-rsa/keys',
- mode: '0700',
- }
-
-- name: copy openvpn credentials
- become: true
- copy:
- src: '{{ item.src }}'
- dest: '{{ item.dest }}'
- mode: '{{ item.mode }}'
- owner: root
- group: root
- loop:
- - {
- src: 'files/openvpn/ca.crt',
- dest: '/etc/openvpn/easy-rsa/keys/ca.crt',
- mode: '0644'
- }
- - {
- src: 'files/openvpn/server.crt',
- dest: '/etc/openvpn/easy-rsa/keys/server.crt',
- mode: '0644'
- }
- - {
- src: 'files/openvpn/server.csr',
- dest: '/etc/openvpn/easy-rsa/keys/server.csr',
- mode: '0644'
- }
- - {
- src: 'files/openvpn/server.key',
- dest: '/etc/openvpn/easy-rsa/keys/server.key',
- mode: '0600'
- }
- - {
- src: 'files/openvpn/dh2048.pem',
- dest: '/etc/openvpn/easy-rsa/keys/dh2048.pem',
- mode: '0644'
- }
- - {
- src: 'files/openvpn/ta.key',
- dest: '/etc/openvpn/easy-rsa/keys/ta.key',
- mode: '0600'
- }
-
-- name: copy openvpn configuration files
- become: true
- template:
- src: '{{ item.src }}'
- dest: '{{ item.dest }}'
- owner: root
- group: root
- loop:
- - {
- src: 'templates/openvpn/server-lan.j2',
- dest: '/etc/openvpn/server/server-lan.conf',
- }
- - {
- src: 'templates/openvpn/server-mobile.j2',
- dest: '/etc/openvpn/server/server-mobile.conf',
- }
-
-- name: link openvpn configuration files
- become: true
- file:
- src: '{{ item.src }}'
- dest: '{{ item.dest }}'
- state: link
- loop:
- - {
- src: '/etc/openvpn/server/server-lan.conf',
- dest: '/etc/openvpn/server-lan.conf',
- }
- - {
- src: '/etc/openvpn/server/server-mobile.conf',
- dest: '/etc/openvpn/server-mobile.conf',
- }
-
-- name: restart openvpn lan server
- become: true
- systemd:
- name: openvpn@server-lan
- state: restarted
- enabled: true
-
-- name: restart openvpn mobile server
- become: true
- systemd:
- name: openvpn@server-mobile
- state: restarted
- enabled: true
diff --git a/templates/mobile.wireguard.j2 b/templates/mobile.wireguard.j2
new file mode 100644
index 0000000..f8c9a43
--- /dev/null
+++ b/templates/mobile.wireguard.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+[Interface]
+Address={{ vpn_peers.mobile.ip }}/24
+PrivateKey={{ vpn_peers.mobile.private_key }}
+
+[Peer]
+PublicKey={{ vpn_server_public_key }}
+PresharedKey={{ vpn_peers.mobile.preshared_key }}
+AllowedIPs={{ vpn_listen_address }}/32
+Endpoint={{ wan_ip_address }}:{{ vpn_port }}
diff --git a/templates/mpd.j2 b/templates/mpd.j2
index 900b38f..30f09e1 100644
--- a/templates/mpd.j2
+++ b/templates/mpd.j2
@@ -93,11 +93,11 @@ input {
 # blocks. Setting this block is optional, though the server will only attempt
 # autodetection for one sound card.
 #
-{% for peer in vpn_peers %}
+{% for peer, properties in vpn_peers.items() %}
 audio_output {
 type "pulse"
- name "Pulse remote {{ peer.name }}"
- server "{{ peer.ip }}"
+ name "Pulse remote {{ peer }}"
+ server "{{ properties.ip }}"
 }
 {% endfor %}
diff --git a/templates/network/wg0.netdev.j2 b/templates/network/wg0.netdev.j2
index 1997052..4d454de 100644
--- a/templates/network/wg0.netdev.j2
+++ b/templates/network/wg0.netdev.j2
@@ -9,11 +9,11 @@ Description=WireGuard tunnel wg0
 ListenPort={{ vpn_port }}
 PrivateKey={{ vpn_server_key }}
-{% for peer in vpn_peers %}
+{% for peer, properties in vpn_peers.items() %}
 [WireGuardPeer]
-PublicKey={{ peer.public_key }}
-PresharedKey={{ peer.preshared_key }}
-AllowedIPs={{ peer.ip }}/32
+PublicKey={{ properties.public_key }}
+PresharedKey={{ properties.preshared_key }}
+AllowedIPs={{ properties.ip }}/32
 {% if not loop.last %}
 {% endif %}
diff --git a/vars/network.yml b/vars/network.yml
index aea1db1..99d252f 100644
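Review bot: The `[Peer]` section of `mobile.wireguard.j2` has no `PersistentKeepalive`, while the `mpd.j2` hunk in this same commit has the server open a PulseAudio connection to every peer's `properties.ip`, now including `10.0.0.4`; a phone behind NAT is unreachable for such server-initiated traffic once its mapping times out, so add `PersistentKeepalive=25` after `Endpoint`. `AllowedIPs={{ vpn_listen_address }}/32` routes only the server's own tunnel address through WireGuard, so the laptop and desktop peers in `vpn_peers` are not reachable from the phone; if that is intended, say so in the template, e.g. `# only the server itself is routed through the tunnel; widen AllowedIPs for peer-to-peer or LAN access`. The rendered file carries the phone's private key and PSK in cleartext, so the header comment should also mark it as a secret to delete after import.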
--- a/vars/network.yml
+++ b/vars/network.yml
@@ -1,7 +1,9 @@
 bridge_interface: 'br0'
 bridge_source_interface: 'enp5s0'
 bridge_mac: '70:85:c2:5a:ce:91'
+
 lan_ip_address: '192.168.178.185'
+wan_ip_address: '178.85.119.159'
 http_port: 80
 https_port: 443
diff --git a/vars/vpn.yml b/vars/vpn.yml
index 7d7779e..17dfa09 100644
--- a/vars/vpn.yml
+++ b/vars/vpn.yml
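Review bot: `wan_ip_address: '178.85.119.159'` bakes a literal public address into the phone's `Endpoint`, so an ISP-side renumbering silently breaks the mobile tunnel with no symptom on the server. Prefer a DNS name you control (WireGuard resolves `Endpoint` hostnames when the interface comes up) or at least document next to the value where it comes from and how it is refreshed, e.g. `# public address of the uplink, used as the mobile Endpoint; update when it changes`. Committing the address in cleartext also ties this repository to a specific host on the internet, which should be a conscious choice rather than a side effect.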
@@ -9,29 +9,23 @@
 vpn_destination_range: '10.0.0.1/32'
 vpn_server_public_key_path: '/etc/wireguard/keys/public/server.pub'
 vpn_server_key_path: '/etc/wireguard/keys/private/server.key'
-vpn_server_key: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 36316631633737623637633465336534323661346562326361616561326262373930376539633264
- 6438653132356266353037666466373833643633343338380a373964646339663965306332393361
- 63393630653931336430333639326364666131346437666638383738323537656632346131616436
- 3137656634316632340a326139373963626364653934303830653466356533636664396161643734
- 30383661393361336561666366663637333166323732326664376431363463346132656335306436
- 3163386561623765396236316263616631323134626537383839
+
+copy_mobile_conf: false
 vpn_peers:
- - {
- name: 'desktop',
- ip: '10.0.0.3',
- public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4=',
- preshared_key_path: '/etc/wireguard/keys/private/preshared-desktop.key',
- preshared_key_source_path: 'files/wireguard/preshared-desktop.key',
- preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n613030653137313136613864613432613261303064373562313863353736656562343333333639323736656634663861373236353934653335643630633061340a643063633439383435316230633164666161386530373839393934643137313735353031306264663237626665356561356261306230376365643830633532370a343037393832386332323962626434303034393561373664306630623465306138646661386562306131343633323134393437393235636563346435383366373566333038396233383437656562613066383232333466623130333635303136"
- }
- - {
- name: 'laptop',
- ip: '10.0.0.2',
- public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw=',
- preshared_key_path: '/etc/wireguard/keys/private/preshared-laptop.key',
- preshared_key_source_path: 'files/wireguard/preshared-laptop.key',
- preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n336435613338343639663239376633313631363439663837633832656331323039653638343366316630346137336665646461633437643066653164623537390a633862383165613032626434633063333564636662376635353638313435356530303430356336336533343137313061343637363465663436363465663664390a643832643133656330666661646535343034303235623464383532313431363035636530643966333532376236623239393363666266316363303061376565343263396433613339383661393130326562323766643135313365613766663063"
- }
+ laptop:
+ ip: '10.0.0.2'
+ public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw='
+ preshared_key_path: '/etc/wireguard/keys/private/preshared-laptop.psk'
+ preshared_key_source_path: 'files/wireguard/preshared-laptop.psk'
+ desktop:
+ ip: '10.0.0.3'
+ public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4='
+ preshared_key_path: '/etc/wireguard/keys/private/preshared-desktop.psk'
+ preshared_key_source_path: 'files/wireguard/preshared-desktop.psk'
+ mobile:
+ ip: '10.0.0.4'
+ public_key: '4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY='
+ preshared_key_path: '/etc/wireguard/keys/private/preshared-mobile.psk'
+ preshared_key_source_path: 'files/wireguard/preshared-mobile.psk'
+ private_key_source_path: 'files/wireguard/mobile.key'