diff --git a/.ansible/roles/ykn.role_wireguard b/.ansible/roles/ykn.role_wireguard
new file mode 120000
index 0000000..256fa7b
--- /dev/null
+++ b/.ansible/roles/ykn.role_wireguard
@@ -0,0 +1 @@
+/home/alegall/git/ykn/ansible/role_wireguard
\ No newline at end of file
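Review bot: The symlink target on line 7 is an absolute path under one developer's home directory (`/home/alegall/git/ykn/ansible/role_wireguard`), so the link dangles on every other checkout and in CI, and it commits a local username and directory layout into the repository. If the intent is to make this repository (which appears to be the role itself, judging by the README) resolvable under the `ykn.role_wireguard` name, a relative target such as `../..` works from any clone; otherwise the `.ansible/roles/` entry belongs in `.gitignore` rather than in the tree.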
diff --git a/README.md b/README.md
index 919ee3f..044fde9 100644
--- a/README.md
+++ b/README.md
@@ -1,89 +1,3 @@
# role_wireguard
-Rôle de déploiement de wireguard.
-
-## Variables
-
-### wireguard_module_host
-
-Variable permettant de déployer le module (dkms) de wireguard sur l'hôte qui héberge le conteneur.
-
-*Valeur par défaut: aucune*
-
-### wireguard_restart_services
-
-Redémarrer les services si la configuration a été modifiée.
-
-*Valeur par défaut: `true`*
-
-### wireguard_interfaces
-
-Configuration des interfaces de wireguard (`/etc/wireguard/wgX.conf`).
-
-*Valeur par défaut: aucune*
-
-## Exemples
-
-Dans les exemples ci-dessous, j'utilise aussi le rôle *nftables* afin d'installer et configurer le pare-feu logiciel éponyme.
-
-### host_vars/infra-wgclient-2316.nyx.ykn.local.yml
-
-```yaml
----
-
-# BEGIN role_ifupdown
-ifupdown_interfaces:
- - interface: eth0
- ipv4:
- inet: static
- address: 192.168.1.51
- mask: 24
- gateway: 192.168.1.254
- dns: 192.168.1.254
- ipv6:
- inet: auto
-# END role_ifupdown
-
-# BEGIN role_nftables
-nftables_rules:
- - filename: wireguard
- rules:
- - ip saddr 10.5.89.1 udp dport 51820 accept
-# END role_nftables
-
-# BEGIN role_wireguard
-wireguard_end_ip: "{{ (ifupdown_interfaces | first).ipv4.address | split('.') | last }}"
-wireguard_module_host: neree.gaia.ykn.local
-wireguard_interfaces:
- - addresses:
- - 192.168.100.{{ wireguard_end_ip }}/24
- - fd00:a100::b{{ wireguard_end_ip }}/64
- privkey: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 31316231366435626664353933356139396430363366363633666434323135663366666435356462
- 6431636238336163326330376437343639613137386265390a323433386134323538653330643062
- 38353336323263313466623865393865306662396432363063383532653932346332306363346233
- 3165383635326264630a313661386236633137376432653333623533393765333565376336623933
- 6638
- peers:
- - name: hyperion.erebos.ykn.local
- pubkey: gGd7wgu7Npe6rhEkG6qQ8SQ7KRVihAeBsyJ2qV+MslA=
- endpoint: "[10.5.89.1]:1194"
- allowed_ips:
- - 0.0.0.0/0
- - ::/0
- persistent_keepalive: 25
-# END role_wireguard
-```
-
-### playbook.yml
-
-```yaml
----
-
-- name: Déployer wireguard
- hosts: infra-wgclient-2316.nyx.ykn.local
- roles:
- - name: nftables
- - name: wireguard
-```
+Deploy wireguard interface file.
diff --git a/defaults/main.yml b/defaults/main.yml
index 4640a2d..19511e7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,20 +1,22 @@
---
# defaults file for wireguard
-wireguard_module_host: ""
-wireguard_restart_services: true
+# Server mode enabled
+wireguard_server: false
-wireguard_interfaces: []
-# Exemple:
-# - listen_port:
-# privkey:
-# addresses:
-# - 10.10.10.1/24
-# peers:
-# - name:
-# pubkey:
-# endpoint:
-# allowed_ips:
-# - 0.0.0.0/0
-# - ::/0
-# persistent_keepalive:
+# Interface options
+wireguard_interface_name: wg0
+wireguard_interface_listen_port: 1194
+wireguard_interface_addresses: []
+
+# Peers
+wireguard_interfaces:
+# Example:
+ # - name: qbittorrent-stack on pumbaa
+ # allowed_ips: 192.168.26.101/24
+ # endpoint: ""
+ # persistent_keepalive: 25
+ # publickey: ""
+
+# Define is store secrets in OpenBao
+wireguard_openbao_mount: ""
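Review bot: `wireguard_interfaces:` on line 134 is a bare key (it parses as `null`), and nothing in the role reads it any more — tasks/main.yml and the template iterate `wireguard_peers`, which this file never defines, so a host that sets no peers fails on an undefined variable; the default should read `wireguard_peers: []`. The commented example is also misleading: `allowed_ips` goes through `join(', ')` in the template, so it must be a list, and a `/24` for a single peer widens WireGuard's cryptokey-routing check to the whole subnet where `/32` (or `/128`) is the safe default, e.g. `# allowed_ips:` / `#   - 192.168.26.101/32`. Likewise `endpoint: ""` renders as an empty `Endpoint =` line because the template only tests `is defined`; drop the key from the example or document that it must be omitted for peers without a fixed endpoint. `wireguard_interface_privatekey`, which the template falls back to when no OpenBao mount is set, has no default or comment here, so its role (and that it must come from a vault, never plain inventory) should be stated. The comment on line 142 reads better as `# OpenBao KV v2 mount point; empty disables storing keys in OpenBao`.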
diff --git a/handlers/main.yml b/handlers/main.yml
index 213edf6..75f6dce 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,23 +1,10 @@
---
# handlers file for wireguard
-- name: Activer les services
+- name: Enable and restart service
ansible.builtin.systemd:
+ name: wg-quick@{{ wireguard_interface_name }}.service
+ daemon_reload: true
enabled: true
- name: wg-quick@wg{{ item }}.service
- become: true
- loop: "{{ deploy.results | selectattr('changed', 'equalto', true) | map(attribute='index') }}"
- loop_control:
- index_var: index
- label: wg{{ index }}
-
-- name: Redémarrer les services
- ansible.builtin.systemd:
state: restarted
- name: wg-quick@wg{{ item }}.service
- when: wireguard_restart_services
become: true
- loop: "{{ deploy.results | selectattr('changed', 'equalto', true) | map(attribute='index') }}"
- loop_control:
- index_var: index
- label: wg{{ index }}
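Review bot: The merged handler now restarts `wg-quick@{{ wireguard_interface_name }}` unconditionally whenever the template changes, which tears down every active tunnel on the host even when only a peer was added; the removed `wireguard_restart_services` guard gave operators a way to defer that. If the restart is meant to be always-on, the README should say so; otherwise restore the guard with `when: wireguard_restart_services` on the handler. A less disruptive option for peer-only changes is `wg syncconf` fed by `wg-quick strip`, which applies peer updates without dropping the interface, though that is a larger change than this hunk.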
diff --git a/meta/main.yml b/meta/main.yml
index 7334127..5afa998 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,15 +1,15 @@
galaxy_info:
namespace: ykn
author: pulsar89.5
- description: Rôle de déploiement de wireguard
+ description: Deploy wireguard interface file
license: GPL-3.0-or-later
- min_ansible_version: '2.1'
+ min_ansible_version: 2.20.4
platforms:
- - name: Debian
+ - name: Fedora
versions:
- - all
+ - "43"
dependencies: []
diff --git a/tasks/container.yml b/tasks/container.yml
deleted file mode 100644
index 3a61bdd..0000000
--- a/tasks/container.yml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-# tasks file for wireguard
-
-- name: Tâches de gestion du module du noyau
- block:
- - name: Charger le module du noyau
- community.general.modprobe:
- name: wireguard
- state: present
- rescue:
- - name: Installer le module du noyau sur l'hôte
- ansible.builtin.apt:
- update_cache: true
- name: wireguard-dkms
- become: true
- delegate_to: "{{ wireguard_module_host | default(omit, true) }}"
-
-- name: Installer l'outil de configuration
- ansible.builtin.apt:
- update_cache: true
- name: wireguard-tools
- become: true
diff --git a/tasks/keys.yml b/tasks/keys.yml
new file mode 100644
index 0000000..8f2fa1f
--- /dev/null
+++ b/tasks/keys.yml
@@ -0,0 +1,40 @@
+---
+# tasks file for wireguard
+
+- name: Create and store keys in OpenBao
+ block:
+ - name: Get keys from OpenBao
+ community.hashi_vault.vault_kv2_get:
+ engine_mount_point: "{{ wireguard_openbao_mount }}"
+ path: "{{ inventory_hostname }}/{{ ansible_role_name }}/{{ peer }}"
+ when: wireguard_openbao_mount | length > 0
+ delegate_to: 127.0.0.1
+ rescue:
+ - name: Generate peers privatekey # noqa: no-changed-when
+ ansible.builtin.command:
+ argv:
+ - wg
+ - genkey
+ register: peer_privatekey
+
+ - name: Generate peers publickey # noqa: no-changed-when
+ ansible.builtin.command:
+ argv:
+ - wg
+ - pubkey
+ stdin: "{{ peer_privatekey.stdout }}"
+ register: peer_publickey
+
+ - name: Write keys to OpenBao
+ community.hashi_vault.vault_kv2_write:
+ engine_mount_point: "{{ wireguard_openbao_mount }}"
+ path: "{{ inventory_hostname }}/{{ ansible_role_name }}/{{ peer }}"
+ data:
+ privatekey: "{{ peer_privatekey.stdout }}"
+ publickey: "{{ peer_publickey.stdout }}"
+ read_before_write: true
+ when:
+ - wireguard_openbao_mount | length > 0
+ - peer_privatekey.stdout | default('') | length > 0
+ - peer_publickey.stdout | default('') | length > 0
+ delegate_to: 127.0.0.1
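Review bot: The private key returned by `wg genkey` on lines 240-245 is registered and then written on lines 255-262 without `no_log: true`, so it appears in verbose output, callback plugins and any log aggregation of the play; both tasks (and the `wg pubkey` task, whose `stdin` is the private key) should carry `no_log: true`. The rescue block also fires on any failure of the read on lines 233-238 — an expired token, a permission error, a transient network fault — and then generates a fresh key pair and writes it to the same path; `read_before_write: true` only skips an identical write, it does not protect an existing secret, so a failed read would silently rotate a server or peer key and break every configured tunnel. Adding `cas: 0` to the `vault_kv2_write` call makes the write succeed only when the secret does not yet exist, so a failed read can never overwrite live keys. Note that `wg genkey` runs on the target host while the read/write are delegated to the controller, so peer private keys transit the server's memory and the controller; that may be intended for centrally provisioned peers but deserves a comment at the top of the file.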
diff --git a/tasks/main.yml b/tasks/main.yml
index 0a690fb..aa1a197 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,33 +1,34 @@
---
# tasks file for wireguard
-- name: Installer le paquet
- ansible.builtin.apt:
- update_cache: true
- name: wireguard
- when: wireguard_module_host | length == 0
+- name: Install packages
+ ansible.builtin.dnf:
+ name: wireguard-tools
become: true
-- name: Importer les tâches spécifique aux conteneurs
- ansible.builtin.import_tasks:
- file: container.yml
- when: wireguard_module_host | length > 0
+- name: Include tasks to generate keys for server
+ ansible.builtin.include_tasks:
+ file: keys.yml
+ when: wireguard_server
+ vars:
+ peer: "{{ inventory_hostname }}"
-- name: Déployer la configuration des interfaces
+- name: Include tasks to generate keys for peers
+ ansible.builtin.include_tasks:
+ file: keys.yml
+ when: wireguard_server
+ loop: "{{ wireguard_peers }}"
+ loop_control:
+ label: "{{ peer }}"
+ vars:
+ peer: "{{ item.name }}"
+
+- name: Deploy interface
ansible.builtin.template:
src: wgN.j2
- dest: /etc/wireguard/{{ interface }}.conf
+ dest: /etc/wireguard/{{ wireguard_interface_name }}.conf
owner: root
group: root
mode: u=rw,g=r,o=r
- loop: "{{ wireguard_interfaces }}"
- loop_control:
- index_var: index
- label: "{{ interface }}"
- vars:
- interface: wg{{ index }}
become: true
- register: deploy
- notify:
- - Activer les services
- - Redémarrer les services
+ notify: Enable and restart service
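Review bot: `/etc/wireguard/{{ wireguard_interface_name }}.conf` is deployed on line 312 with `mode: u=rw,g=r,o=r`, yet the rendered file now carries the interface's `PrivateKey` (from OpenBao or `wireguard_interface_privatekey`); a world-readable key file is exactly what wg-quick warns about at startup, and `mode: u=rw,g=,o=` (0600) is the correct permission for it. The loop on line 299 references `wireguard_peers`, which defaults/main.yml does not define (it defines a bare `wireguard_interfaces:` instead), so a host with no peers fails on an undefined variable unless the default is renamed or the loop uses `wireguard_peers | default([])`. Both key-generation includes are gated on `wireguard_server`, so a non-server host never gets a key from this role and must supply `wireguard_interface_privatekey` itself; a comment such as `# Only the server generates keys; peers supply wireguard_interface_privatekey` would make that contract visible.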
diff --git a/templates/wgN.j2 b/templates/wgN.j2
index fa1b6d8..b354915 100644
--- a/templates/wgN.j2
+++ b/templates/wgN.j2
@@ -1,22 +1,36 @@
# {{ ansible_managed }}
-[Interface]
-{% if item.listen_port is defined %}
-ListenPort = {{ item.listen_port }}
-{% endif %}
-PrivateKey = {{ item.privkey }}
-Address = {{ item.addresses | join(', ') }}
+{%- if wireguard_openbao_mount | length > 0 %}
+{%- set openbao_path = [inventory_hostname, ansible_role_name, inventory_hostname] | join('/') %}
+{%- set privatekey = lookup('community.hashi_vault.vault_kv2_get', openbao_path)['data']['data']['privatekey'] %}
+{%- else %}
+{%- set privatekey = wireguard_interface_privatekey %}
+{%- endif %}
+
+[Interface]
+Address = {{ wireguard_interface_addresses | join(', ') }}
+ListenPort = {{ wireguard_interface_listen_port }}
+PrivateKey = {{ privatekey }}
+
+{% for peer in wireguard_peers -%}
+{% if wireguard_openbao_mount | length > 0 -%}
+{% set openbao_path = [inventory_hostname, ansible_role_name, peer.name] | join('/') -%}
+{% set publickey = lookup('community.hashi_vault.vault_kv2_get', openbao_path)['data']['data']['publickey'] -%}
+{% else -%}
+{% set publickey = peer.publickey -%}
+{% endif -%}
-{% for peer in item.peers %}
[Peer]
# {{ peer.name }}
-PublicKey = {{ peer.pubkey }}
+AllowedIPs = {{ peer.allowed_ips | join(', ') }}
{% if peer.endpoint is defined %}
Endpoint = {{ peer.endpoint }}
{% endif %}
-AllowedIPs = {{ peer.allowed_ips | join(', ') }}
{% if peer.persistent_keepalive is defined %}
PersistentKeepalive = {{ peer.persistent_keepalive }}
{% endif %}
+PublicKey = {{ publickey }}
+{% if not loop.last %}
+{% endif %}
{% endfor %}
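Review bot: The two `vault_kv2_get` lookups on lines 339 and 352 pass only the path and therefore read from the lookup's default mount (`secret`), whereas keys.yml writes under `engine_mount_point: "{{ wireguard_openbao_mount }}"`; unless that variable happens to equal the default, the template either fails or reads a different secret than the one just written. Pass the mount explicitly in both places: `lookup('community.hashi_vault.vault_kv2_get', openbao_path, engine_mount_point=wireguard_openbao_mount)`. The server's own key is looked up under `<inventory_hostname>/<role>/<inventory_hostname>`, which matches what keys.yml writes, but a non-server host rendering this template with an OpenBao mount set would look under its own hostname rather than the server's path where its key was stored — possibly intended if peers are not Ansible-managed, but the path convention should be documented in a comment at the top of the template. `Endpoint` is emitted whenever `peer.endpoint` is defined, so the `endpoint: ""` shown in the defaults example renders as an empty `Endpoint =` that wg-quick rejects; `{% if peer.endpoint | default('') | length > 0 %}` avoids that.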