From a777228013e6dd7108b36bd93289fa13b322df14 Mon Sep 17 00:00:00 2001
From: sonny
Date: Sat, 1 Mar 2025 14:21:36 +0100
Subject: [PATCH] Refactor default wireguard setup
- Replaced set_fact based setup with lookup plugin
- Replaced inline definition of credentials with alternative systemd file directives
---
 tasks/wireguard.yml | 33 +++++--------------
 .../wireguard/default/mobile.wireguard.j2 | 6 ++--
 .../network/wireguard/default/wg0.netdev.j2 | 4 +--
 vars/vpn.yml | 11 ++++---
 4 files changed, 19 insertions(+), 35 deletions(-)
diff --git a/tasks/wireguard.yml b/tasks/wireguard.yml
index 0efcc47..577bdaf 100644
--- a/tasks/wireguard.yml
+++ b/tasks/wireguard.yml
@@ -1,24 +1,3 @@
-- name: Load private key into var
- ansible.builtin.set_fact:
- vpn_server_key: '{{ lookup("file", "files/wireguard/default/server.key") }}'
-
-- name: Load public key into var
- ansible.builtin.set_fact:
- vpn_server_public_key: '{{ lookup("file", "files/wireguard/default/server.pub") }}'
-
-# this should eventually be replaced with using the
-# PrivateKeyFile/PresharedKeyFile options
-- name: Load preshared keys into variables
- ansible.builtin.set_fact:
- vpn_peers: '{{ vpn_peers | combine({item.key: item.value | combine({"preshared_key": lookup("file", item.value.preshared_key_source_path)})}) }}'
- with_dict: '{{ vpn_peers }}'
-
-- name: Load mobile private_key
- ansible.builtin.set_fact:
- vpn_peers: '{{ vpn_peers | combine({item.key: item.value | combine({"private_key": lookup("file", item.value.private_key_source_path)})}) }}'
- with_dict: '{{ vpn_peers }}'
- when: item.key == "mobile"
-
 - name: Copy wireguard configuration files
 become: true
 ansible.builtin.template:
@@ -50,10 +29,11 @@
 mode: '0640'
 state: directory
 loop:
+ - '{{ vpn_key_directory }}'
 - '{{ vpn_server_key_path }}'
 - '{{ vpn_server_public_key_path }}'
 
-- name: Copy wireguard credentials
+- name: Copy Wireguard server credentials
 become: true
 ansible.builtin.copy:
 src: '{{ item.src }}'
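Review bot: The new loop entry `- '{{ vpn_key_directory }}'` is created by a task whose visible context sets `mode: '0640'` together with `state: directory`, and 0640 on a directory has no search (x) bit, so a member of the systemd-network group cannot open any file beneath it and the root:systemd-network 0640 key files installed later are reachable only because systemd-networkd happens to run with CAP_DAC_OVERRIDE. Change the directory task to `mode: '0750'` and leave the files at 0640, so the permissions you set are the ones that actually grant access. The loop now mixes the directory itself with two file paths, which suggests the `path:` expression above the hunk applies `dirname` to each item; if so this entry creates `/etc/wireguard` rather than `/etc/wireguard/keys`, which may or may not be what was intended. The task's `path:` and `owner:` lines are outside the hunk.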
@@ -66,8 +46,9 @@
 dest: '{{ vpn_server_public_key_path }}'
 - src: 'files/wireguard/default/server.key'
 dest: '{{ vpn_server_key_path }}'
+ notify: restart systemd-networkd
 
-- name: Copy mobile wireguard credentials
+- name: Copy Wireguard mobile credentials
 become: true
 ansible.builtin.copy:
 src: '{{ item.src }}'
@@ -77,9 +58,10 @@
 mode: '0640'
 loop:
 - src: 'files/wireguard/default/mobile.pub'
- dest: '{{ vpn_server_public_key_path | dirname }}/mobile.pub'
+ dest: '{{ vpn_key_directory }}/public/mobile.pub'
 - src: 'files/wireguard/default/mobile.key'
- dest: '{{ vpn_server_key_path | dirname }}/mobile.key'
+ dest: '{{ vpn_key_directory }}/private/mobile.key'
+ notify: restart systemd-networkd
 
 - name: Copy wireguard preshared keys
 become: true
@@ -90,3 +72,4 @@
 group: systemd-network
 mode: '0640'
 with_dict: '{{ vpn_peers }}'
+ notify: restart systemd-networkd
diff --git a/templates/network/wireguard/default/mobile.wireguard.j2 b/templates/network/wireguard/default/mobile.wireguard.j2
index a0fd7b9..b5d1041 100644
--- a/templates/network/wireguard/default/mobile.wireguard.j2
+++ b/templates/network/wireguard/default/mobile.wireguard.j2
@@ -2,10 +2,10 @@
 
 [Interface]
 Address={{ vpn_peers.mobile.ip }}/24
-PrivateKey={{ vpn_peers.mobile.private_key }}
+PrivateKey={{ lookup("file", vpn_peers.mobile.private_key_source_path) }}
 
 [Peer]
-PublicKey={{ vpn_server_public_key }}
-PresharedKey={{ vpn_peers.mobile.preshared_key }}
+PublicKey={{ lookup("file", vpn_server_public_key_path) }}
+PresharedKey={{ lookup("file", vpn_peers.mobile.preshared_key_path) }}
 AllowedIPs={{ vpn_listen_address }}/32
 Endpoint={{ domain_name }}:{{ vpn_port }}
diff --git a/templates/network/wireguard/default/wg0.netdev.j2 b/templates/network/wireguard/default/wg0.netdev.j2
index 24021fb..39b0ec4 100644
--- a/templates/network/wireguard/default/wg0.netdev.j2
+++ b/templates/network/wireguard/default/wg0.netdev.j2
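Review bot: `src: 'files/wireguard/default/server.key'` in this hunk's context is the server's WireGuard private key kept as a plain file in the repository, and the refactor leaves it that way; encrypt it (and `mobile.key` and the `.psk` files) with `ansible-vault encrypt`, since `ansible.builtin.copy` decrypts a vault-encrypted `src` transparently (`decrypt: true` is the default) and no task change is needed. The added `notify: restart systemd-networkd` names a handler that is not in this diff, and a full restart bounces every networkd-managed link, not only wg0. That is defensible here because `networkctl reload` does not re-apply a modified netdev (per networkctl(1); confirm for the systemd version in use), but the reason belongs next to the directive, e.g. `# restart, not reload: a modified .netdev is not re-applied by networkctl reload`.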
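Review bot: This hunk installs the mobile peer's private key on the server at `{{ vpn_key_directory }}/private/mobile.key` and now restarts networkd whenever it changes, yet nothing in this patch reads it there: the server's `wg0.netdev` template references only `properties.public_key` and `preshared_key_path`, and `mobile.wireguard.j2` takes the private key from the controller via `lookup("file", vpn_peers.mobile.private_key_source_path)`. A client's private key has no role on the server and turns a server compromise into the ability to impersonate that client, so unless a task outside this diff consumes it, drop the `mobile.key` entry (and its `notify`) from this loop. If it must stay, keep it out of the systemd-network-readable key directory, since networkd has no reason to read it; `mobile.pub` is likewise unused by the netdev because the peer's public key is inlined in `vars/vpn.yml`.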
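Review bot: `lookup("file", ...)` reads on the controller, but two of the three new lookups name paths on the managed host: `vpn_server_public_key_path` expands to `{{ vpn_key_directory }}/public/server.pub` and `vpn_peers.mobile.preshared_key_path` to `.../private/preshared-mobile.psk`, i.e. the destinations of the copy tasks, whereas the private key correctly uses `private_key_source_path`. Unless the play targets localhost the file lookup fails on the missing file (it errors by default), and the code being replaced read `files/wireguard/default/server.pub` and `preshared_key_source_path`. Use the controller-side paths: `PublicKey={{ lookup("file", "files/wireguard/default/server.pub") }}` and `PresharedKey={{ lookup("file", vpn_peers.mobile.preshared_key_source_path) }}`. Since the rendered file holds the mobile private key and PSK, also confirm that the `Copy wireguard configuration files` template task (outside this diff) writes it with `mode: '0600'`.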
@@ -7,12 +7,12 @@ Description=WireGuard tunnel wg0
 
 [WireGuard]
 ListenPort={{ vpn_port }}
-PrivateKey={{ vpn_server_key }}
+PrivateKeyFile={{ vpn_server_key_path }}
 
 {% for peer, properties in vpn_peers.items() %}
 [WireGuardPeer]
 PublicKey={{ properties.public_key }}
-PresharedKey={{ properties.preshared_key }}
+PresharedKeyFile={{ properties.preshared_key_path }}
 AllowedIPs={{ properties.ip }}/32
 
 {% if not loop.last %}
diff --git a/vars/vpn.yml b/vars/vpn.yml
index 900a641..e5ad24f 100644
--- a/vars/vpn.yml
+++ b/vars/vpn.yml
@@ -6,8 +6,9 @@
 vpn_interface: 'wg0'
 vpn_source_range: '10.0.0.0/24'
 vpn_destination_range: '10.0.0.1/32'
-vpn_server_public_key_path: '/etc/wireguard/keys/public/server.pub'
-vpn_server_key_path: '/etc/wireguard/keys/private/server.key'
+vpn_key_directory: '/etc/wireguard/keys'
+vpn_server_public_key_path: '{{ vpn_key_directory }}/public/server.pub'
+vpn_server_key_path: '{{ vpn_key_directory }}/private/server.key'
 
 copy_vpn_configurations: false
 
@@ -15,16 +16,16 @@ vpn_peers:
 laptop:
 ip: '10.0.0.2'
 public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw='
- preshared_key_path: '/etc/wireguard/keys/private/preshared-laptop.psk'
+ preshared_key_path: '{{ vpn_key_directory }}/private/preshared-laptop.psk'
 preshared_key_source_path: 'files/wireguard/default/preshared-laptop.psk'
 desktop:
 ip: '10.0.0.3'
 public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4='
- preshared_key_path: '/etc/wireguard/keys/private/preshared-desktop.psk'
+ preshared_key_path: '{{ vpn_key_directory }}/private/preshared-desktop.psk'
 preshared_key_source_path: 'files/wireguard/default/preshared-desktop.psk'
 mobile:
 ip: '10.0.0.4'
 public_key: '4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY='
- preshared_key_path: '/etc/wireguard/keys/private/preshared-mobile.psk'
+ preshared_key_path: '{{ vpn_key_directory }}/private/preshared-mobile.psk'
 preshared_key_source_path: 'files/wireguard/default/preshared-mobile.psk'
 private_key_source_path: 'files/wireguard/default/mobile.key'
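Review bot: `vpn_server_public_key_path` and `vpn_server_key_path` now derive from `vpn_key_directory`, but their controller-side sources `files/wireguard/default/server.pub` and `files/wireguard/default/server.key` stay as string literals inside tasks/wireguard.yml, while the peers already model the same split with `preshared_key_source_path`. Add the counterparts here, `vpn_server_key_source_path: 'files/wireguard/default/server.key'` and `vpn_server_public_key_source_path: 'files/wireguard/default/server.pub'`, and use them in the copy tasks and the mobile template, so a host-side path is never mistaken for a controller-side one. This is a consistency point only; the values themselves are unchanged.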
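Review bot: Each peer now carries two near-identical names, `preshared_key_path` (the destination under `vpn_key_directory` on the managed host, consumed by `PresharedKeyFile=` in wg0.netdev) and `preshared_key_source_path` (the file under `files/` on the controller, consumed by copy and by the file lookup), and nothing in this file says which is which. A comment above `vpn_peers:` would prevent the mix-up, e.g. `# *_path: location on the managed host (referenced from wg0.netdev); *_source_path: file on the controller under files/ (used by copy and lookup("file"))`. The inline `public_key` values are public material and are fine to keep in vars; only the `*_source_path` files hold secrets and should be vault-encrypted.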