feat: Move from Debian to Fedora

2026-04-21 01:32:58 +02:00
parent 3b900d7b9c
commit 77254a7f59
9 changed files with 112 additions and 175 deletions
--- a/.ansible/roles/ykn.role_wireguard
+++ b/.ansible/roles/ykn.role_wireguard
@@ -0,0 +1 @@
 /home/alegall/git/ykn/ansible/role_wireguard
--- a/README.md
+++ b/README.md
@@ -1,89 +1,3 @@
 # role_wireguard
-Rôle de déploiement de wireguard.
+Deploy wireguard interface file.
 ## Variables
 ### wireguard_module_host
 Variable permettant de déployer le module (dkms) de wireguard sur l'hôte qui héberge le conteneur.
 *<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
 ### wireguard_restart_services
 Redémarrer les services si la configuration a été modifiée.
 *<span style="text-decoration: underline">Valeur par défaut:</span> `true`*
 ### wireguard_interfaces
 Configuration des interfaces de wireguard (`/etc/wireguard/wgX.conf`).
 *<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
 ## Exemples
 Dans les exemples ci-dessous, j'utilise aussi le rôle *nftables* afin d'installer et configurer le pare-feu logiciel éponyme.
 ### host_vars/infra-wgclient-2316.nyx.ykn.local.yml
 ```yaml
 ---
 # BEGIN role_ifupdown
 ifupdown_interfaces:
  - interface: eth0
    ipv4:
      inet: static
      address: 192.168.1.51
      mask: 24
      gateway: 192.168.1.254
      dns: 192.168.1.254
    ipv6:
      inet: auto
 # END role_ifupdown
 # BEGIN role_nftables
 nftables_rules:
  - filename: wireguard
    rules:
      - ip saddr 10.5.89.1 udp dport 51820 accept
 # END role_nftables
 # BEGIN role_wireguard
 wireguard_end_ip: "{{ (ifupdown_interfaces | first).ipv4.address | split('.') | last }}"
 wireguard_module_host: neree.gaia.ykn.local
 wireguard_interfaces:
  - addresses:
      - 192.168.100.{{ wireguard_end_ip }}/24
      - fd00:a100::b{{ wireguard_end_ip }}/64
    privkey: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      31316231366435626664353933356139396430363366363633666434323135663366666435356462
      6431636238336163326330376437343639613137386265390a323433386134323538653330643062
      38353336323263313466623865393865306662396432363063383532653932346332306363346233
      3165383635326264630a313661386236633137376432653333623533393765333565376336623933
      6638
    peers:
      - name: hyperion.erebos.ykn.local
        pubkey: gGd7wgu7Npe6rhEkG6qQ8SQ7KRVihAeBsyJ2qV+MslA=
        endpoint: "[10.5.89.1]:1194"
        allowed_ips:
          - 0.0.0.0/0
          - ::/0
        persistent_keepalive: 25
 # END role_wireguard
 ```
 ### playbook.yml
 ```yaml
 ---
 - name: Déployer wireguard
  hosts: infra-wgclient-2316.nyx.ykn.local
  roles:
    - name: nftables
    - name: wireguard
 ```
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,20 +1,22 @@
 ---
 # defaults file for wireguard
-wireguard_module_host: ""
+# Server mode enabled
-wireguard_restart_services: true
+wireguard_server: true
-wireguard_interfaces: []
+# Interface options
-# Exemple:
+wireguard_interface_name: wg0
-#  - listen_port:
+wireguard_interface_listen_port: 1194
-#    privkey:
+wireguard_interface_addresses: []
-#    addresses:
+
-#      - 10.10.10.1/24
+# Peers
-#    peers:
+wireguard_interfaces:
-#      - name:
+# Example:
-#        pubkey:
+  # - name: qbittorrent-stack on pumbaa
-#        endpoint:
+  #   allowed_ips: 192.168.26.101/24
-#        allowed_ips:
+  #   endpoint: ""
-#          - 0.0.0.0/0
+  #   persistent_keepalive: 25
-#          - ::/0
+  #   publickey: ""
-#        persistent_keepalive:
+
 # Define is store secrets in OpenBao
 wireguard_openbao_mount: ""
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,23 +1,10 @@
 ---
 # handlers file for wireguard
- name: Activer les services
+- name: Enable and restart service
  ansible.builtin.systemd:
    name: wg-quick@{{ wireguard_interface_name }}.service
    daemon_reload: true
    enabled: true
    name: wg-quick@wg{{ item }}.service
  become: true
  loop: "{{ deploy.results | selectattr('changed', 'equalto', true) | map(attribute='index') }}"
  loop_control:
    index_var: index
    label: wg{{ index }}
 - name: Redémarrer les services
  ansible.builtin.systemd:
    state: restarted
    name: wg-quick@wg{{ item }}.service
  when: wireguard_restart_services
  become: true
  loop: "{{ deploy.results | selectattr('changed', 'equalto', true) | map(attribute='index') }}"
  loop_control:
    index_var: index
    label: wg{{ index }}
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,15 +1,15 @@
 galaxy_info:
  namespace: ykn
  author: pulsar89.5
-  description: Rôle de déploiement de wireguard
+  description: Deploy wireguard interface file
  license: GPL-3.0-or-later
-  min_ansible_version: '2.1'
+  min_ansible_version: 2.20.4
  platforms:
-    - name: Debian
+    - name: Fedora
      versions:
-        - all
+        - "43"
 dependencies: []
--- a/tasks/container.yml
+++ b/tasks/container.yml
@@ -1,22 +0,0 @@
 ---
 # tasks file for wireguard
 - name: Tâches de gestion du module du noyau
  block:
    - name: Charger le module du noyau
      community.general.modprobe:
        name: wireguard
        state: present
  rescue:
    - name: Installer le module du noyau sur l'hôte
      ansible.builtin.apt:
        update_cache: true
        name: wireguard-dkms
  become: true
  delegate_to: "{{ wireguard_module_host | default(omit, true) }}"
 - name: Installer l'outil de configuration
  ansible.builtin.apt:
    update_cache: true
    name: wireguard-tools
  become: true
--- a/tasks/keys.yml
+++ b/tasks/keys.yml
@@ -0,0 +1,40 @@
 ---
 # tasks file for wireguard
 - name: Create and store keys in OpenBao
  block:
    - name: Get keys from OpenBao
      community.hashi_vault.vault_kv2_get:
        engine_mount_point: "{{ wireguard_openbao_mount }}"
        path: "{{ inventory_hostname }}/{{ ansible_role_name }}/{{ peer }}"
      when: wireguard_openbao_mount | length > 0
      delegate_to: 127.0.0.1
  rescue:
    - name: Generate peers privatekey # noqa: no-changed-when
      ansible.builtin.command:
        argv:
          - wg
          - genkey
      register: peer_privatekey
    - name: Generate peers publickey # noqa: no-changed-when
      ansible.builtin.command:
        argv:
          - wg
          - pubkey
        stdin: "{{ peer_privatekey.stdout }}"
      register: peer_publickey
    - name: Write keys to OpenBao
      community.hashi_vault.vault_kv2_write:
        engine_mount_point: "{{ wireguard_openbao_mount }}"
        path: "{{ inventory_hostname }}/{{ ansible_role_name }}/{{ peer }}"
        data:
          privatekey: "{{ peer_privatekey.stdout }}"
          publickey: "{{ peer_publickey.stdout }}"
        read_before_write: true
      when:
        - wireguard_openbao_mount | length > 0
        - peer_privatekey.stdout | default('') | length > 0
        - peer_publickey.stdout | default('') | length > 0
      delegate_to: 127.0.0.1
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,33 +1,34 @@
 ---
 # tasks file for wireguard
- name: Installer le paquet
+- name: Install packages
-  ansible.builtin.apt:
+  ansible.builtin.dnf:
-    update_cache: true
+    name: wireguard-tools
    name: wireguard
  when: wireguard_module_host | length == 0
  become: true
- name: Importer les tâches spécifique aux conteneurs
+- name: Include tasks to generate keys for server
-  ansible.builtin.import_tasks:
+  ansible.builtin.include_tasks:
-    file: container.yml
+    file: keys.yml
-  when: wireguard_module_host | length > 0
+  when: wireguard_server
  vars:
    peer: "{{ inventory_hostname }}"
- name: Déployer la configuration des interfaces
+- name: Include tasks to generate keys for peers
  ansible.builtin.include_tasks:
    file: keys.yml
  when: wireguard_server
  loop: "{{ wireguard_peers }}"
  loop_control:
    label: "{{ peer }}"
  vars:
    peer: "{{ item.name }}"
 - name: Deploy interface
  ansible.builtin.template:
    src: wgN.j2
-    dest: /etc/wireguard/{{ interface }}.conf
+    dest: /etc/wireguard/{{ wireguard_interface_name }}.conf
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  loop: "{{ wireguard_interfaces }}"
  loop_control:
    index_var: index
    label: "{{ interface }}"
  vars:
    interface: wg{{ index }}
  become: true
-  register: deploy
+  notify: Enable and restart service
  notify:
    - Activer les services
    - Redémarrer les services
--- a/templates/wgN.j2
+++ b/templates/wgN.j2
@@ -1,22 +1,36 @@
 # {{ ansible_managed }}
-[Interface]
+{%- if wireguard_openbao_mount | length > 0 %}
-{% if item.listen_port is defined %}
+{%- set openbao_path = [inventory_hostname, ansible_role_name, inventory_hostname] | join('/') %}
-ListenPort = {{ item.listen_port }}
+{%- set privatekey = lookup('community.hashi_vault.vault_kv2_get', openbao_path)['data']['data']['privatekey'] %}
-{% endif %}
+{%- else %}
-PrivateKey = {{ item.privkey }}
+{%- set privatekey = wireguard_interface_privatekey %}
-Address = {{ item.addresses | join(', ') }}
+{%- endif %}
 [Interface]
 Address = {{ wireguard_interface_addresses | join(', ') }}
 ListenPort = {{ wireguard_interface_listen_port }}
 PrivateKey = {{ privatekey }}
 {% for peer in wireguard_peers -%}
 {% if wireguard_openbao_mount | length > 0 -%}
 {% set openbao_path = [inventory_hostname, ansible_role_name, peer.name] | join('/') -%}
 {% set publickey = lookup('community.hashi_vault.vault_kv2_get', openbao_path)['data']['data']['publickey'] -%}
 {% else -%}
 {% set publickey = peer.publickey -%}
 {% endif -%}
 {% for peer in item.peers %}
 [Peer]
 # {{ peer.name }}
-PublicKey = {{ peer.pubkey }}
+AllowedIPs = {{ peer.allowed_ips | join(', ') }}
 {% if peer.endpoint is defined %}
 Endpoint = {{ peer.endpoint }}
 {% endif %}
 AllowedIPs = {{ peer.allowed_ips | join(', ') }}
 {% if peer.persistent_keepalive is defined %}
 PersistentKeepalive = {{ peer.persistent_keepalive }}
 {% endif %}
 PublicKey = {{ publickey }}
 {% if not loop.last %}
 {% endif %}
 {% endfor %}
		`@@ -0,0 +1 @@`
							`/home/alegall/git/ykn/ansible/role_wireguard`