feat: Move from Debian to Fedora

2026-04-21 01:32:58 +02:00
parent 3b900d7b9c
commit 25cf191476
9 changed files with 112 additions and 175 deletions
--- a/.ansible/roles/ykn.role_wireguard
+++ b/.ansible/roles/ykn.role_wireguard
@@ -0,0 +1 @@
+/home/alegall/git/ykn/ansible/role_wireguard
--- a/README.md
+++ b/README.md
@@ -1,89 +1,3 @@
 # role_wireguard

-Rôle de déploiement de wireguard.
-
-## Variables
-
-### wireguard_module_host
-
-Variable permettant de déployer le module (dkms) de wireguard sur l'hôte qui héberge le conteneur.
-
-*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
-
-### wireguard_restart_services
-
-Redémarrer les services si la configuration a été modifiée.
-
-*<span style="text-decoration: underline">Valeur par défaut:</span> `true`*
-
-### wireguard_interfaces
-
-Configuration des interfaces de wireguard (`/etc/wireguard/wgX.conf`).
-
-*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
-
-## Exemples
-
-Dans les exemples ci-dessous, j'utilise aussi le rôle *nftables* afin d'installer et configurer le pare-feu logiciel éponyme.
-
-### host_vars/infra-wgclient-2316.nyx.ykn.local.yml
-
-```yaml
---
-
-# BEGIN role_ifupdown
-ifupdown_interfaces:
-  - interface: eth0
-    ipv4:
-      inet: static
-      address: 192.168.1.51
-      mask: 24
-      gateway: 192.168.1.254
-      dns: 192.168.1.254
-    ipv6:
-      inet: auto
-# END role_ifupdown
-
-# BEGIN role_nftables
-nftables_rules:
-  - filename: wireguard
-    rules:
-      - ip saddr 10.5.89.1 udp dport 51820 accept
-# END role_nftables
-
-# BEGIN role_wireguard
-wireguard_end_ip: "{{ (ifupdown_interfaces | first).ipv4.address | split('.') | last }}"
-wireguard_module_host: neree.gaia.ykn.local
-wireguard_interfaces:
-  - addresses:
-      - 192.168.100.{{ wireguard_end_ip }}/24
-      - fd00:a100::b{{ wireguard_end_ip }}/64
-    privkey: !vault |
-      $ANSIBLE_VAULT;1.1;AES256
-      31316231366435626664353933356139396430363366363633666434323135663366666435356462
-      6431636238336163326330376437343639613137386265390a323433386134323538653330643062
-      38353336323263313466623865393865306662396432363063383532653932346332306363346233
-      3165383635326264630a313661386236633137376432653333623533393765333565376336623933
-      6638
-    peers:
-      - name: hyperion.erebos.ykn.local
-        pubkey: gGd7wgu7Npe6rhEkG6qQ8SQ7KRVihAeBsyJ2qV+MslA=
-        endpoint: "[10.5.89.1]:1194"
-        allowed_ips:
-          - 0.0.0.0/0
-          - ::/0
-        persistent_keepalive: 25
-# END role_wireguard
-```
-
-### playbook.yml
-
-```yaml
---
-
- name: Déployer wireguard
-  hosts: infra-wgclient-2316.nyx.ykn.local
-  roles:
-    - name: nftables
-    - name: wireguard
-```
+Deploy wireguard interface file.
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,20 +1,22 @@
 ---
 # defaults file for wireguard

-wireguard_module_host: ""
-wireguard_restart_services: true
+# Server mode enabled
+wireguard_server: false

-wireguard_interfaces: []
-# Exemple:
-#  - listen_port:
-#    privkey:
-#    addresses:
-#      - 10.10.10.1/24
-#    peers:
-#      - name:
-#        pubkey:
-#        endpoint:
-#        allowed_ips:
-#          - 0.0.0.0/0
-#          - ::/0
-#        persistent_keepalive:
+# Interface options
+wireguard_interface_name: wg0
+wireguard_interface_listen_port: 1194
+wireguard_interface_addresses: []
+
+# Peers
+wireguard_interfaces:
+# Example:
+  # - name: qbittorrent-stack on pumbaa
+  #   allowed_ips: 192.168.26.101/24
+  #   endpoint: ""
+  #   persistent_keepalive: 25
+  #   publickey: ""
+
+# Define is store secrets in OpenBao
+wireguard_openbao_mount: ""
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,23 +1,10 @@
 ---
 # handlers file for wireguard

- name: Activer les services
+- name: Enable and restart service
  ansible.builtin.systemd:
+    name: wg-quick@{{ wireguard_interface_name }}.service
+    daemon_reload: true
    enabled: true
-    name: wg-quick@wg{{ item }}.service
-  become: true
-  loop: "{{ deploy.results | selectattr('changed', 'equalto', true) | map(attribute='index') }}"
-  loop_control:
-    index_var: index
-    label: wg{{ index }}
-
- name: Redémarrer les services
-  ansible.builtin.systemd:
    state: restarted
-    name: wg-quick@wg{{ item }}.service
-  when: wireguard_restart_services
  become: true
-  loop: "{{ deploy.results | selectattr('changed', 'equalto', true) | map(attribute='index') }}"
-  loop_control:
-    index_var: index
-    label: wg{{ index }}
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,15 +1,15 @@
 galaxy_info:
  namespace: ykn
  author: pulsar89.5
-  description: Rôle de déploiement de wireguard
+  description: Deploy wireguard interface file

  license: GPL-3.0-or-later

-  min_ansible_version: '2.1'
+  min_ansible_version: 2.20.4

  platforms:
-    - name: Debian
+    - name: Fedora
      versions:
-        - all
+        - "43"

 dependencies: []
--- a/tasks/container.yml
+++ b/tasks/container.yml
@@ -1,22 +0,0 @@
---
-# tasks file for wireguard
-
- name: Tâches de gestion du module du noyau
-  block:
-    - name: Charger le module du noyau
-      community.general.modprobe:
-        name: wireguard
-        state: present
-  rescue:
-    - name: Installer le module du noyau sur l'hôte
-      ansible.builtin.apt:
-        update_cache: true
-        name: wireguard-dkms
-  become: true
-  delegate_to: "{{ wireguard_module_host | default(omit, true) }}"
-
- name: Installer l'outil de configuration
-  ansible.builtin.apt:
-    update_cache: true
-    name: wireguard-tools
-  become: true
--- a/tasks/keys.yml
+++ b/tasks/keys.yml
@@ -0,0 +1,40 @@
+---
+# tasks file for wireguard
+
+- name: Create and store keys in OpenBao
+  block:
+    - name: Get keys from OpenBao
+      community.hashi_vault.vault_kv2_get:
+        engine_mount_point: "{{ wireguard_openbao_mount }}"
+        path: "{{ inventory_hostname }}/{{ ansible_role_name }}/{{ peer }}"
+      when: wireguard_openbao_mount | length > 0
+      delegate_to: 127.0.0.1
+  rescue:
+    - name: Generate peers privatekey # noqa: no-changed-when
+      ansible.builtin.command:
+        argv:
+          - wg
+          - genkey
+      register: peer_privatekey
+
+    - name: Generate peers publickey # noqa: no-changed-when
+      ansible.builtin.command:
+        argv:
+          - wg
+          - pubkey
+        stdin: "{{ peer_privatekey.stdout }}"
+      register: peer_publickey
+
+    - name: Write keys to OpenBao
+      community.hashi_vault.vault_kv2_write:
+        engine_mount_point: "{{ wireguard_openbao_mount }}"
+        path: "{{ inventory_hostname }}/{{ ansible_role_name }}/{{ peer }}"
+        data:
+          privatekey: "{{ peer_privatekey.stdout }}"
+          publickey: "{{ peer_publickey.stdout }}"
+        read_before_write: true
+      when:
+        - wireguard_openbao_mount | length > 0
+        - peer_privatekey.stdout | default('') | length > 0
+        - peer_publickey.stdout | default('') | length > 0
+      delegate_to: 127.0.0.1
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,33 +1,34 @@
 ---
 # tasks file for wireguard

- name: Installer le paquet
-  ansible.builtin.apt:
-    update_cache: true
-    name: wireguard
-  when: wireguard_module_host | length == 0
+- name: Install packages
+  ansible.builtin.dnf:
+    name: wireguard-tools
  become: true

- name: Importer les tâches spécifique aux conteneurs
-  ansible.builtin.import_tasks:
-    file: container.yml
-  when: wireguard_module_host | length > 0
+- name: Include tasks to generate keys for server
+  ansible.builtin.include_tasks:
+    file: keys.yml
+  when: wireguard_server
+  vars:
+    peer: "{{ inventory_hostname }}"

- name: Déployer la configuration des interfaces
+- name: Include tasks to generate keys for peers
+  ansible.builtin.include_tasks:
+    file: keys.yml
+  when: wireguard_server
+  loop: "{{ wireguard_peers }}"
+  loop_control:
+    label: "{{ peer }}"
+  vars:
+    peer: "{{ item.name }}"
+
+- name: Deploy interface
  ansible.builtin.template:
    src: wgN.j2
-    dest: /etc/wireguard/{{ interface }}.conf
+    dest: /etc/wireguard/{{ wireguard_interface_name }}.conf
    owner: root
    group: root
    mode: u=rw,g=r,o=r
-  loop: "{{ wireguard_interfaces }}"
-  loop_control:
-    index_var: index
-    label: "{{ interface }}"
-  vars:
-    interface: wg{{ index }}
  become: true
-  register: deploy
-  notify:
-    - Activer les services
-    - Redémarrer les services
+  notify: Enable and restart service
--- a/templates/wgN.j2
+++ b/templates/wgN.j2
@@ -1,22 +1,36 @@
 # {{ ansible_managed }}

-[Interface]
-{% if item.listen_port is defined %}
-ListenPort = {{ item.listen_port }}
-{% endif %}
-PrivateKey = {{ item.privkey }}
-Address = {{ item.addresses | join(', ') }}
+{%- if wireguard_openbao_mount | length > 0 %}
+{%- set openbao_path = [inventory_hostname, ansible_role_name, inventory_hostname] | join('/') %}
+{%- set privatekey = lookup('community.hashi_vault.vault_kv2_get', openbao_path)['data']['data']['privatekey'] %}
+{%- else %}
+{%- set privatekey = wireguard_interface_privatekey %}
+{%- endif %}
+
+[Interface]
+Address = {{ wireguard_interface_addresses | join(', ') }}
+ListenPort = {{ wireguard_interface_listen_port }}
+PrivateKey = {{ privatekey }}
+
+{% for peer in wireguard_peers -%}
+{% if wireguard_openbao_mount | length > 0 -%}
+{% set openbao_path = [inventory_hostname, ansible_role_name, peer.name] | join('/') -%}
+{% set publickey = lookup('community.hashi_vault.vault_kv2_get', openbao_path)['data']['data']['publickey'] -%}
+{% else -%}
+{% set publickey = peer.publickey -%}
+{% endif -%}

-{% for peer in item.peers %}
 [Peer]
 # {{ peer.name }}
-PublicKey = {{ peer.pubkey }}
+AllowedIPs = {{ peer.allowed_ips | join(', ') }}
 {% if peer.endpoint is defined %}
 Endpoint = {{ peer.endpoint }}
 {% endif %}
-AllowedIPs = {{ peer.allowed_ips | join(', ') }}
 {% if peer.persistent_keepalive is defined %}
 PersistentKeepalive = {{ peer.persistent_keepalive }}
 {% endif %}
+PublicKey = {{ publickey }}
+{% if not loop.last %}

+{% endif %}
 {% endfor %}
				`@@ -0,0 +1 @@`
				`/home/alegall/git/ykn/ansible/role_wireguard`