diff --git a/tasks/wireguard_media.yml b/tasks/wireguard_media.yml
index ae525ed..8ad3968 100644
--- a/tasks/wireguard_media.yml
+++ b/tasks/wireguard_media.yml
@@ -1,97 +1,88 @@
-- name: load media private key into var
- set_fact:
- vpn_media_server_key: '{{ lookup("file", "files/wireguard/media/server.key" ) }}'
-
-- name: load media public key into var
- set_fact:
- vpn_media_server_public_key: '{{ lookup("file", "files/wireguard/media/server.pub" ) }}'
-
-# this should eventually be replaced with using the
-# PrivateKeyFile/PresharedKeyFile options
-- name: load preshared media keys into variables
- set_fact:
- vpn_media_peers: '{{ vpn_media_peers | combine({item.key: item.value|combine({"preshared_key": lookup("file", item.value.preshared_key_source_path )})})}}'
- with_dict: '{{ vpn_media_peers }}'
-
-- name: load external media private_keys
- set_fact:
- vpn_media_peers: '{{ vpn_media_peers | combine({item.key: item.value|combine({"private_key": lookup("file", item.value.private_key_source_path )})})}}'
- with_dict: '{{ vpn_media_peers }}'
- when: item.key in ['mobile_peer_1', 'mobile_peer_2', 'tv']
-
-- name: copy wireguard media configuration files
+- name: Copy Wireguard media configuration files
 become: true
- template:
+ ansible.builtin.template:
 src: '{{ item.src }}'
 dest: '{{ item.dest }}'
 owner: root
 group: systemd-network
 mode: '0640'
 loop:
- - { src: 'templates/network/wireguard/media/wg1.netdev.j2', dest: '/etc/systemd/network/wg1.netdev' }
- - {
- src: 'templates/network/wireguard/media/wg1.network.j2',
- dest: '/etc/systemd/network/wg1.network',
- }
+ - src: 'templates/network/wireguard/media/wg1.netdev.j2'
+ dest: '/etc/systemd/network/wg1.netdev'
+ - src: 'templates/network/wireguard/media/wg1.network.j2'
+ dest: '/etc/systemd/network/wg1.network'
 notify: restart systemd-networkd
-- name: copy external media configurations
- template:
- src: '{{ item.src }}'
- dest: '{{ item.dest }}'
- mode: '0600'
- loop:
- - { src: 'templates/network/wireguard/media/mobile_1.wireguard.j2', dest: '/tmp/mobile_1.conf' }
- - { src: 'templates/network/wireguard/media/mobile_2.wireguard.j2', dest: '/tmp/mobile_2.conf' }
- - { src: 'templates/network/wireguard/media/tv.wireguard.j2', dest: '/tmp/tv.conf' }
- when: copy_vpn_media_configurations
-
-- name: create wireguard media directories
+- name: Create Wireguard media directories
 become: true
- file:
- path: '{{ item | dirname }}'
+ ansible.builtin.file:
+ path: '{{ item }}'
 owner: root
 group: systemd-network
 mode: '0640'
 state: directory
+ recurse: true
 loop:
- - '{{ vpn_media_server_key_path }}'
- - '{{ vpn_media_server_public_key_path }}'
+ - '{{ vpn_media_key_directory }}'
-- name: copy wireguard media credentials
+- name: Copy Wireguard server media credentials
 become: true
- copy:
+ ansible.builtin.copy:
 src: '{{ item.src }}'
 dest: '{{ item.dest }}'
 owner: root
 group: systemd-network
 mode: '0640'
 loop:
- - { src: 'files/wireguard/media/server.pub', dest: '{{ vpn_media_server_public_key_path }}' }
- - { src: 'files/wireguard/media/server.key', dest: '{{ vpn_media_server_key_path }}' }
+ - src: 'files/wireguard/media/server.pub'
+ dest: '{{ vpn_media_server_public_key_path }}'
+ - src: 'files/wireguard/media/server.key'
+ dest: '{{ vpn_media_server_key_path }}'
-- name: copy mobile media wireguard credentials
+- name: Copy Wireguard mobile media credentials
 become: true
- copy:
+ ansible.builtin.copy:
 src: '{{ item.src }}'
 dest: '{{ item.dest }}'
 owner: root
 group: systemd-network
 mode: '0640'
 loop:
- - { src: 'files/wireguard/media/mobile-1.pub', dest: '{{ vpn_media_server_public_key_path|dirname }}/mobile_1.pub' }
- - { src: 'files/wireguard/media/mobile-1.key', dest: '{{ vpn_media_server_key_path|dirname }}/mobile_1.key' }
- - { src: 'files/wireguard/media/mobile-2.pub', dest: '{{ vpn_media_server_public_key_path|dirname }}/mobile_2.pub' }
- - { src: 'files/wireguard/media/mobile-2.key', dest: '{{ vpn_media_server_key_path|dirname }}/mobile_2.key' }
- - { src: 'files/wireguard/media/tv.pub', dest: '{{ vpn_media_server_public_key_path|dirname }}/tv.pub' }
- - { src: 'files/wireguard/media/tv.key', dest: '{{ vpn_media_server_key_path|dirname }}/tv.key' }
+ - src: 'files/wireguard/media/mobile-1.pub'
+ dest: '{{ vpn_media_key_directory }}/public/mobile_1.pub'
+ - src: 'files/wireguard/media/mobile-1.key'
+ dest: '{{ vpn_media_key_directory }}/private/mobile_1.key'
+ - src: 'files/wireguard/media/mobile-2.pub'
+ dest: '{{ vpn_media_key_directory }}/public/mobile_2.pub'
+ - src: 'files/wireguard/media/mobile-2.key'
+ dest: '{{ vpn_media_key_directory }}/private/mobile_2.key'
+ - src: 'files/wireguard/media/tv.pub'
+ dest: '{{ vpn_media_key_directory }}/public/tv.pub'
+ - src: 'files/wireguard/media/tv.key'
+ dest: '{{ vpn_media_key_directory }}/private/tv.key'
-- name: copy wireguard media preshared keys
+- name: Copy wireguard media preshared keys
 become: true
- copy:
+ ansible.builtin.copy:
 src: '{{ item.value.preshared_key_source_path }}'
 dest: '{{ item.value.preshared_key_path }}'
 owner: root
 group: systemd-network
 mode: '0640'
 with_dict: '{{ vpn_media_peers }}'
+
+- name: Copy Wireguard external media configurations
+ become: true
+ ansible.builtin.template:
+ src: '{{ item.src }}'
+ dest: '{{ item.dest }}'
+ mode: '0600'
+ owner: '{{ ansible_user_id }}'
+ loop:
+ - src: 'templates/network/wireguard/media/mobile_1.wireguard.j2'
+ dest: '/tmp/mobile_1.conf'
+ - src: 'templates/network/wireguard/media/mobile_2.wireguard.j2'
+ dest: '/tmp/mobile_2.conf'
+ - src: 'templates/network/wireguard/media/tv.wireguard.j2'
+ dest: '/tmp/tv.conf'
+ when: copy_vpn_media_configurations
diff --git a/templates/network/wireguard/media/mobile_1.wireguard.j2 b/templates/network/wireguard/media/mobile_1.wireguard.j2
index 027949f..f0bbc55 100644
--- a/templates/network/wireguard/media/mobile_1.wireguard.j2
+++ b/templates/network/wireguard/media/mobile_1.wireguard.j2
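Review bot: The `Create Wireguard media directories` task now creates only `vpn_media_key_directory`, but every `dest:` in the two credential copy tasks that follow points into its `public/` and `private/` subdirectories, and `ansible.builtin.copy` does not create missing parent directories, so a fresh host fails at `Copy Wireguard server media credentials`. The same task combines `mode: '0640'` with the new `recurse: true`, which strips the execute bit from every directory it touches; as far as I can tell systemd-networkd opens `PrivateKeyFile`/`PresharedKeyFile` as the systemd-network user through the group bits, so the directories need `0750` and only the key files should be `0640`. Listing the two subdirectories in the loop with a directory mode and dropping `recurse` (the copy tasks already set owner, group and mode on each file) fixes both. Separately, `Copy Wireguard mobile media credentials` still places the peers' private keys on the server even though, in this diff, every consumer of them reads from the controller via `lookup('file', ...)`; if nothing else on the host needs them, removing that task removes secrets the server has no use for.
```yaml
- name: Create Wireguard media directories
  become: true
  ansible.builtin.file:
    path: '{{ item }}'
    # … unchanged: owner, group, state …
    mode: '0750'
  loop:
    - '{{ vpn_media_key_directory }}'
    - '{{ vpn_media_key_directory }}/public'
    - '{{ vpn_media_key_directory }}/private'
```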
@@ -2,10 +2,10 @@ [Interface]
 Address={{ vpn_media_peers.mobile_peer_1.ip }}/24
-PrivateKey={{ vpn_media_peers.mobile_peer_1.private_key }}
+PrivateKey={{ lookup('file', vpn_media_peers.mobile_peer_1.private_key_source_path) }}
 [Peer]
-PublicKey={{ vpn_media_server_public_key }}
-PresharedKey={{ vpn_media_peers.mobile_peer_1.preshared_key }}
+PublicKey={{ lookup('file', vpn_media_server_public_key_source_path) }}
+PresharedKey={{ lookup('file', vpn_media_peers.mobile_peer_1.preshared_key_source_path) }}
 AllowedIPs={{ vpn_media_listen_address }}/32
 Endpoint={{ domain_name }}:{{ vpn_media_port }}
diff --git a/templates/network/wireguard/media/mobile_2.wireguard.j2 b/templates/network/wireguard/media/mobile_2.wireguard.j2
index a8a9c3b..4550c5c 100644
--- a/templates/network/wireguard/media/mobile_2.wireguard.j2
+++ b/templates/network/wireguard/media/mobile_2.wireguard.j2
@@ -2,10 +2,10 @@ [Interface]
 Address={{ vpn_media_peers.mobile_peer_2.ip }}/24
-PrivateKey={{ vpn_media_peers.mobile_peer_2.private_key }}
+PrivateKey={{ lookup('file', vpn_media_peers.mobile_peer_2.private_key_source_path) }}
 [Peer]
-PublicKey={{ vpn_media_server_public_key }}
-PresharedKey={{ vpn_media_peers.mobile_peer_2.preshared_key }}
+PublicKey={{ lookup('file', vpn_media_server_public_key_source_path) }}
+PresharedKey={{ lookup('file', vpn_media_peers.mobile_peer_2.preshared_key_source_path) }}
 AllowedIPs={{ vpn_media_listen_address }}/32
 Endpoint={{ domain_name }}:{{ vpn_media_port }}
diff --git a/templates/network/wireguard/media/tv.wireguard.j2 b/templates/network/wireguard/media/tv.wireguard.j2
index a9ed256..0b08b87 100644
--- a/templates/network/wireguard/media/tv.wireguard.j2
+++ b/templates/network/wireguard/media/tv.wireguard.j2
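Review bot: The mobile_1 template, the mobile_2 hunk on this same line and the tv hunk that follows are now identical apart from the peer name, which each of the new `lookup('file', ...)` lines hard-codes again (`vpn_media_peers.mobile_peer_1`, `.mobile_peer_2`, `.tv`). One template indexed by a loop variable, e.g. `Address={{ vpn_media_peers[peer].ip }}/24` and `PrivateKey={{ lookup('file', vpn_media_peers[peer].private_key_source_path) }}`, with the `Copy Wireguard external media configurations` task passing `peer` through `vars:` per loop item, would stop the three copies drifting. The rendered file now carries the peer's private key and the preshared key in plaintext, so the `mode: '0600'` on the destination is doing real work; a one-line comment on that task, `# rendered config embeds the peer private key and PSK; keep mode 0600`, would make that explicit.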
@@ -2,10 +2,10 @@ [Interface]
 Address={{ vpn_media_peers.tv.ip }}/24
-PrivateKey={{ vpn_media_peers.tv.private_key }}
+PrivateKey={{ lookup('file', vpn_media_peers.tv.private_key_source_path) }}
 [Peer]
-PublicKey={{ vpn_media_server_public_key }}
-PresharedKey={{ vpn_media_peers.tv.preshared_key }}
+PublicKey={{ lookup('file', vpn_media_server_public_key_source_path) }}
+PresharedKey={{ lookup("file", vpn_media_peers.tv.preshared_key_source_path) }}
 AllowedIPs={{ vpn_media_listen_address }}/32
 Endpoint={{ domain_name }}:{{ vpn_media_port }}
diff --git a/templates/network/wireguard/media/wg1.netdev.j2 b/templates/network/wireguard/media/wg1.netdev.j2
index 9323295..8e5a55f 100644
--- a/templates/network/wireguard/media/wg1.netdev.j2
+++ b/templates/network/wireguard/media/wg1.netdev.j2
@@ -7,12 +7,12 @@ Description=WireGuard tunnel wg1
 [WireGuard]
 ListenPort={{ vpn_media_port }}
-PrivateKey={{ vpn_media_server_key }}
+PrivateKeyFile={{ vpn_media_server_key_path }}
 {% for peer, properties in vpn_media_peers.items() %}
 [WireGuardPeer]
 PublicKey={{ properties.public_key }}
-PresharedKey={{ properties.preshared_key }}
+PresharedKeyFile={{ properties.preshared_key_path }}
 AllowedIPs={{ properties.ip }}/32
 {% if not loop.last %}
diff --git a/vars/vpn_media.yml b/vars/vpn_media.yml
index 5c16a0e..ccbeba6 100644
--- a/vars/vpn_media.yml
+++ b/vars/vpn_media.yml
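Review bot: The new `PresharedKey=` line in the tv template quotes the lookup with double quotes while the two other lookups in this hunk and all lookups in the mobile_1 and mobile_2 templates use single quotes; `PresharedKey={{ lookup('file', vpn_media_peers.tv.preshared_key_source_path) }}` keeps the three templates identical apart from the peer name. It makes no difference to Jinja, but a gratuitous difference here is exactly what hides a real divergence in a later diff.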
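Review bot: `PresharedKeyFile={{ properties.preshared_key_path }}` is rendered for every peer in the loop, so a future peer entry without `preshared_key_path` yields an empty `PresharedKeyFile=` in the netdev rather than a failed play. Every peer in vars/vpn_media.yml defines it today, but `PresharedKeyFile={{ properties.preshared_key_path | mandatory }}` turns that silent omission into a template error at deploy time. Since the key material has moved out of this file, a short template comment such as `{# key files must be root:systemd-network 0640 in a directory the systemd-network user can traverse #}` above `PrivateKeyFile=` would record the ownership contract the copy tasks are expected to keep. The `{% endfor %}` that closes this loop lies outside the hunk.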
@@ -6,40 +6,42 @@ vpn_media_interface: 'wg1'
 vpn_media_source_range: '10.0.1.0/24'
 vpn_media_destination_range: '10.0.1.1/32'
-vpn_media_server_public_key_path: '/etc/wireguard/keys/public/media_server.pub'
-vpn_media_server_key_path: '/etc/wireguard/keys/private/media_server.key'
+vpn_media_key_directory: '/etc/wireguard/keys'
+
+vpn_media_server_public_key_path: '{{ vpn_media_key_directory }}/public/media_server.pub'
+vpn_media_server_public_key_source_path: 'files/wireguard/media/server.pub'
+vpn_media_server_key_path: '{{ vpn_media_key_directory }}/private/media_server.key'
 copy_vpn_media_configurations: false
-# TODO: move keys in /etc/wireguard/keys to seperate folders
 # TODO: use simliar task layout as in arch-setup repo
 vpn_media_peers:
 laptop:
 ip: '10.0.1.2'
 public_key: 'hI4rqlv2afs4RJkt5xR+dYxQODSd6lR0OqWJRlnQdjM='
- preshared_key_path: '/etc/wireguard/keys/private/preshared-media-laptop.psk'
+ preshared_key_path: '{{ vpn_media_key_directory }}/private/preshared-media-laptop.psk'
 preshared_key_source_path: 'files/wireguard/media/preshared-laptop.psk'
 desktop:
 ip: '10.0.1.3'
 public_key: 'YDH5lZcxUHM4AU2ZxQrFqjDIV2Z7PSUQKMcYXLExV0E='
- preshared_key_path: '/etc/wireguard/keys/private/preshared-media-desktop.psk'
+ preshared_key_path: '{{ vpn_media_key_directory }}/private/preshared-media-desktop.psk'
 preshared_key_source_path: 'files/wireguard/media/preshared-desktop.psk'
 mobile_peer_1:
 ip: '10.0.1.4'
 public_key: '6fj8FXvzT0IUlZLJjQ/+FhwwRDsJeQsUFHqKQcyXdwQ='
- preshared_key_path: '/etc/wireguard/keys/private/preshared-media-mobile-1.psk'
+ preshared_key_path: '{{ vpn_media_key_directory }}/private/preshared-media-mobile-1.psk'
 preshared_key_source_path: 'files/wireguard/media/preshared-mobile-1.psk'
 private_key_source_path: 'files/wireguard/media/mobile-1.key'
 mobile_peer_2:
 ip: '10.0.1.5'
 public_key: 'w/pswNrAYFdEUoaLk3zSqOu4gg2s41BBCN02E//ai1c='
- preshared_key_path: '/etc/wireguard/keys/private/preshared-media-mobile-2.psk'
+ preshared_key_path: '{{ vpn_media_key_directory }}/private/preshared-media-mobile-2.psk'
 preshared_key_source_path: 'files/wireguard/media/preshared-mobile-2.psk'
 private_key_source_path: 'files/wireguard/media/mobile-2.key'
 tv:
 ip: '10.0.1.6'
 public_key: '5+yz9C9PhaLhsvAZ1e3mDsTQpMZVrPZnSQa6ERJIKU0='
- preshared_key_path: '/etc/wireguard/keys/private/preshared-media-tv.psk'
+ preshared_key_path: '{{ vpn_media_key_directory }}/private/preshared-media-tv.psk'
 preshared_key_source_path: 'files/wireguard/media/preshared-tv.psk'
 private_key_source_path: 'files/wireguard/media/tv.key'
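Review bot: `vpn_media_server_public_key_source_path` is introduced here as `files/wireguard/media/server.pub`, but the `Copy Wireguard server media credentials` task in tasks/wireguard_media.yml still spells that same path as a literal `src:`, and no `vpn_media_server_key_source_path` is defined for the private key even though the task copies `files/wireguard/media/server.key` right next to it. Using `src: '{{ vpn_media_server_public_key_source_path }}'` in the task and adding the private-key counterpart keeps one definition per path, so a renamed key file cannot be copied from one place and looked up from another. A comment above `vpn_media_key_directory`, `# subdirectories public/ and private/ below this path are assumed by the copy tasks`, would document the layout that the new `{{ vpn_media_key_directory }}/private/...` values rely on.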