diff --git a/plays/vpn/main.yml b/plays/vpn/main.yml
index 6a0f9d0..de9b93b 100644
--- a/plays/vpn/main.yml
+++ b/plays/vpn/main.yml
@@ -4,12 +4,8 @@
 roles:
 - role: "base"
 tags: "vpn:base"
-
-# - name: "vpn : bifrost"
-# hosts: "bifrost"
-# roles:
-# - role: "gateway"
-# tags: "vpn:gateway"
+ - role: "wireguard"
+ tags: "vpn:wireguard"
 - name: "vpn : asgard"
 hosts: "asgard"
diff --git a/plays/vpn/roles/bridge/files/br0/pre-down-br0-inet.nft b/plays/vpn/roles/bridge/files/pre-down-br0-inet.nft
similarity index 100%
rename from plays/vpn/roles/bridge/files/br0/pre-down-br0-inet.nft
rename to plays/vpn/roles/bridge/files/pre-down-br0-inet.nft
diff --git a/plays/vpn/roles/bridge/files/br0/pre-down-br0-ipv4.nft b/plays/vpn/roles/bridge/files/pre-down-br0-ipv4.nft
similarity index 100%
rename from plays/vpn/roles/bridge/files/br0/pre-down-br0-ipv4.nft
rename to plays/vpn/roles/bridge/files/pre-down-br0-ipv4.nft
diff --git a/plays/vpn/roles/bridge/meta/argument_specs.yml b/plays/vpn/roles/bridge/meta/argument_specs.yml
index 3ca15e0..acb440b 100644
--- a/plays/vpn/roles/bridge/meta/argument_specs.yml
+++ b/plays/vpn/roles/bridge/meta/argument_specs.yml
@@ -8,44 +8,22 @@ argument_specs:
 local_network:
 type: "str"
 required: false
-vpn_bridge_routing_table:
-type: "int"
-required: true
 vpn_bridge_dnat:
 type: "list"
 elements: "dict"
 required: true
-vpn_bridge_br0_address:
+vpn_bridge_address:
 type: "str"
 required: true
-vpn_bridge_br0_broadcast:
+vpn_bridge_broadcast:
 type: "str"
 required: true
-vpn_bridge_br0_netmask:
+vpn_bridge_netmask:
 type: "str"
 required: true
-vpn_bridge_role:
+vpn_wireguard_role:
 type: "str"
 required: true
-vpn_bridge_wg0_port:
+vpn_wireguard_routing_table:
 type: "int"
 required: true
-vpn_bridge_wg0_interface_private_key:
-type: "str"
-required: true
-vpn_bridge_wg0_preshared_key:
-type: "str"
-required: true
-vpn_bridge_wg0_subnet:
-type: "str"
-required: true
-vpn_bridge_wg0_clients:
-type: "list"
-elem: "dict"
-required: "{{ vpn_bridge_role == 'server' }}"
-vpn_bridge_wg0_server_public_key:
-type: "str"
-required: "{{ vpn_bridge_role == 'client' }}"
-vpn_bridge_wg0_server_address:
-type: "str"
-required: "{{ vpn_bridge_role == 'client' }}"
diff --git a/plays/vpn/roles/bridge/tasks/include/br0.yml b/plays/vpn/roles/bridge/tasks/include/br0.yml
deleted file mode 100644
index 9ce22be..0000000
--- a/plays/vpn/roles/bridge/tasks/include/br0.yml
+++ /dev/null
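Review bot: `vpn_wireguard_routing_table` is declared `required: true`, yet the bridge role only reads it inside the `vpn_wireguard_role == "client"` branches of br0.j2, so a server-side host must invent a value it never uses; the options this hunk deletes already show the conditional form, so `required: "{{ vpn_wireguard_role == 'client' }}"` would be consistent. The reverse gap is `local_network`, left at `required: false` in the context lines while br0.j2 interpolates it unconditionally in the same client branch — with Ansible's default error_on_undefined_vars that surfaces as a template failure rather than a spec-validation message, so `required: "{{ vpn_wireguard_role == 'client' }}"` fits there too. Since both templates branch only on `"server"`/`"client"` and silently emit neither for anything else, `vpn_wireguard_role` should also carry `choices: ["server", "client"]`. The `argument_specs:`/`main:`/`options:` header of this file lies before the hunk.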
@@ -1,51 +0,0 @@
-- name: "br0 : post-up nftables inet script"
- ansible.builtin.template:
- src: "./br0/post-up-br0-inet.nft.j2"
- dest: "/usr/local/sbin/post-up-br0-inet.nft"
- mode: 0755
- register: vpn_bridge_post_up_br0_inet_nft
-
-- name: "br0 : post-up nftables ipv4 script"
- ansible.builtin.template:
- src: "./br0/post-up-br0-ipv4.nft.j2"
- dest: "/usr/local/sbin/post-up-br0-ipv4.nft"
- mode: 0755
- register: vpn_bridge_post_up_br0_ipv4_nft
-
-- name: "br0 : configure interface"
- ansible.builtin.template:
- src: "./br0/br0.j2"
- dest: "/etc/network/interfaces.d/br0"
- mode: 0644
- validate: >
- bash -c
- 'if ! diff %s /etc/network/interfaces.d/br0 && ip link show dev br0 ;
- then
- ifdown br0 ;
- fi'
- register: vpn_bridge_br0_intf
-
-- name: "br0 : restart interface"
- ansible.builtin.shell: |
- if ip link show dev br0
- then
- ifdown br0 && ifup br0
- else
- ifup br0
- fi
- when:
- vpn_bridge_post_up_br0_inet_nft.changed or
- vpn_bridge_post_up_br0_ipv4_nft.changed or
- vpn_bridge_br0_intf.changed
-
-- name: "br0 : pre-down nftables inet script"
- ansible.builtin.copy:
- src: "./br0/pre-down-br0-inet.nft"
- dest: "/usr/local/sbin/pre-down-br0-inet.nft"
- mode: 0755
-
-- name: "br0 : pre-down nftables ipv4 script"
- ansible.builtin.copy:
- src: "./br0/pre-down-br0-ipv4.nft"
- dest: "/usr/local/sbin/pre-down-br0-ipv4.nft"
- mode: 0755
diff --git a/plays/vpn/roles/bridge/tasks/main.yml b/plays/vpn/roles/bridge/tasks/main.yml
index 9ad34c7..898b6d4 100644
--- a/plays/vpn/roles/bridge/tasks/main.yml
+++ b/plays/vpn/roles/bridge/tasks/main.yml
@@ -1,6 +1,51 @@
-- name: "play:vpn : role:bridge : tasks:br0"
- ansible.builtin.import_tasks: "include/br0.yml"
- tags: "vpn:bridge:br0"
-- name: "play:vpn : role:bridge : tasks:wg0"
- ansible.builtin.import_tasks: "include/wg0.yml"
- tags: "vpn:bridge:wg0"
+- name: "post-up nftables inet script"
+ ansible.builtin.template:
+ src: "./post-up-br0-inet.nft.j2"
+ dest: "/usr/local/sbin/post-up-br0-inet.nft"
+ mode: 0755
+ register: vpn_bridge_post_up_br0_inet_nft
+
+- name: "post-up nftables ipv4 script"
+ ansible.builtin.template:
+ src: "./post-up-br0-ipv4.nft.j2"
+ dest: "/usr/local/sbin/post-up-br0-ipv4.nft"
+ mode: 0755
+ register: vpn_bridge_post_up_br0_ipv4_nft
+
+- name: "configure interface"
+ ansible.builtin.template:
+ src: "./br0.j2"
+ dest: "/etc/network/interfaces.d/br0"
+ mode: 0644
+ validate: >
+ bash -c
+ 'if ! diff %s /etc/network/interfaces.d/br0 && ip link show dev br0 ;
+ then
+ ifdown br0 ;
+ fi'
+ register: vpn_bridge_intf
+
+- name: "restart interface"
+ ansible.builtin.shell: |
+ if ip link show dev br0
+ then
+ ifdown br0 && ifup br0
+ else
+ ifup br0
+ fi
+ when:
+ vpn_bridge_post_up_br0_inet_nft.changed or
+ vpn_bridge_post_up_br0_ipv4_nft.changed or
+ vpn_bridge_intf.changed
+
+- name: "pre-down nftables inet script"
+ ansible.builtin.copy:
+ src: "./pre-down-br0-inet.nft"
+ dest: "/usr/local/sbin/pre-down-br0-inet.nft"
+ mode: 0755
+
+- name: "pre-down nftables ipv4 script"
+ ansible.builtin.copy:
+ src: "./pre-down-br0-ipv4.nft"
+ dest: "/usr/local/sbin/pre-down-br0-ipv4.nft"
+ mode: 0755
diff --git a/plays/vpn/roles/bridge/templates/br0/br0.j2 b/plays/vpn/roles/bridge/templates/br0.j2
similarity index 62%
rename from plays/vpn/roles/bridge/templates/br0/br0.j2
rename to plays/vpn/roles/bridge/templates/br0.j2
index 853228f..542933f 100644
--- a/plays/vpn/roles/bridge/templates/br0/br0.j2
+++ b/plays/vpn/roles/bridge/templates/br0.j2
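Review bot: The `validate:` on "configure interface" is not a validation at all — the `if` statement exits 0 whether or not its branch runs, so the rendered file is never rejected — and it is being used for a side effect, taking `br0` down while the old /etc/network/interfaces.d/br0 is still in place, presumably so ifdown runs the pre-down hooks of the config that brought the interface up rather than the new one. That is a reasonable trick but nothing says so, and a reader will see a check that cannot fail; it also means that if the template's copy step fails after validate ran, the host is left with `br0` down until the next run. Please document the intent above the task, e.g. `# validate is abused on purpose: ifdown br0 with the still-installed config (old pre-down hooks) before the new file lands; the command always exits 0 and never rejects the render`. The same pattern is carried over unchanged into plays/vpn/roles/wireguard/tasks/main.yml and deserves the same comment there.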
@@ -4,14 +4,14 @@ iface br0 inet static
 post-up /usr/local/sbin/post-up-$IFACE-inet.nft
 post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
-{% if vpn_bridge_role == "client" %}
- post-up ip rule add dev $IFACE table {{ vpn_bridge_routing_table }}
+{% if vpn_wireguard_role == "client" %}
+ post-up ip rule add dev $IFACE table {{ vpn_wireguard_routing_table }}
 post-up ip rule add dev $IFACE to {{ local_network }} table main priority 1
 {% endif %}
-{% if vpn_bridge_role == "client" %}
+{% if vpn_wireguard_role == "client" %}
 pre-down ip rule del dev $IFACE to {{ local_network }} table main priority 1
- pre-down ip rule del dev $IFACE table {{ vpn_bridge_routing_table }}
+ pre-down ip rule del dev $IFACE table {{ vpn_wireguard_routing_table }}
 {% endif %}
 pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
 pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
@@ -21,6 +21,6 @@ iface br0 inet static
 bridge_fd 0
 bridge_ports none
- address {{ vpn_bridge_br0_address }}
- broadcast {{ vpn_bridge_br0_broadcast }}
- netmask {{ vpn_bridge_br0_netmask }}
+ address {{ vpn_bridge_address }}
+ broadcast {{ vpn_bridge_broadcast }}
+ netmask {{ vpn_bridge_netmask }}
diff --git a/plays/vpn/roles/bridge/templates/br0/post-up-br0-inet.nft.j2 b/plays/vpn/roles/bridge/templates/post-up-br0-inet.nft.j2
similarity index 100%
rename from plays/vpn/roles/bridge/templates/br0/post-up-br0-inet.nft.j2
rename to plays/vpn/roles/bridge/templates/post-up-br0-inet.nft.j2
diff --git a/plays/vpn/roles/bridge/templates/br0/post-up-br0-ipv4.nft.j2 b/plays/vpn/roles/bridge/templates/post-up-br0-ipv4.nft.j2
similarity index 100%
rename from plays/vpn/roles/bridge/templates/br0/post-up-br0-ipv4.nft.j2
rename to plays/vpn/roles/bridge/templates/post-up-br0-ipv4.nft.j2
diff --git a/plays/vpn/roles/bridge/templates/wg0/wg0.conf.j2 b/plays/vpn/roles/bridge/templates/wg0/wg0.conf.j2
deleted file mode 100644
index 3acc71c..0000000
--- a/plays/vpn/roles/bridge/templates/wg0/wg0.conf.j2
+++ /dev/null
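Review bot: Both conditional blocks in br0.j2 now key on `vpn_wireguard_role` and `vpn_wireguard_routing_table`, variables namespaced to the separate wireguard role, so the bridge role can no longer render on a host that does not also define them (its argument_specs make them required) and the policy-routing setup is split across two roles with nothing in either file saying so. If that coupling is intended, a header note in the template would save the next reader a search, e.g. `{# client-only ip rules: table number and role come from the wireguard role's vpn_wireguard_* vars; the default route in that table is installed by wg0.j2 #}`. As a matter of style, the two back-to-back `{% if vpn_wireguard_role == "client" %}` blocks (post-up rules, then pre-down rules) could be a single block. The `iface br0 inet static` stanza this hunk sits in starts before the hunk.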
@@ -1,23 +0,0 @@
-[Interface]
-PrivateKey = {{ vpn_bridge_wg0_interface_private_key }}
-{% if vpn_bridge_role == "server" %}
-ListenPort = {{ vpn_bridge_wg0_port }}
-{% endif %}
-
-{% if vpn_bridge_role == "server" %}
-{% for client in vpn_bridge_wg0_clients %}
-[Peer]
-PublicKey = {{ client.public_key }}
-PresharedKey = {{ vpn_bridge_wg0_preshared_key }}
-AllowedIPs = {{ vpn_bridge_wg0_subnet }},{{ client.subnet }}
-
-{% endfor %}
-{% elif vpn_bridge_role == "client" %}
-[Peer]
-PublicKey = {{ vpn_bridge_wg0_server_public_key }}
-PresharedKey = {{ vpn_bridge_wg0_preshared_key }}
-Endpoint = {{ vpn_bridge_wg0_server_address }}:{{ vpn_bridge_wg0_port }}
-AllowedIPs = 0.0.0.0/0
-PersistentKeepalive = 15
-
-{% endif %}
diff --git a/plays/vpn/roles/bridge/files/wg0/pre-down-wg0-inet.nft b/plays/vpn/roles/wireguard/files/pre-down-wg0-inet.nft
similarity index 100%
rename from plays/vpn/roles/bridge/files/wg0/pre-down-wg0-inet.nft
rename to plays/vpn/roles/wireguard/files/pre-down-wg0-inet.nft
diff --git a/plays/vpn/roles/bridge/files/wg0/pre-down-wg0-ipv4.nft b/plays/vpn/roles/wireguard/files/pre-down-wg0-ipv4.nft
similarity index 100%
rename from plays/vpn/roles/bridge/files/wg0/pre-down-wg0-ipv4.nft
rename to plays/vpn/roles/wireguard/files/pre-down-wg0-ipv4.nft
diff --git a/plays/vpn/roles/wireguard/meta/argument_specs.yml b/plays/vpn/roles/wireguard/meta/argument_specs.yml
new file mode 100644
index 0000000..2a33d94
--- /dev/null
+++ b/plays/vpn/roles/wireguard/meta/argument_specs.yml
@@ -0,0 +1,41 @@
+argument_specs:
+ main:
+ options:
+ ansible_default_ipv4:
+ interface:
+ type: "str"
+ required: true
+ vpn_wireguard_routing_table:
+ type: "int"
+ required: true
+ vpn_wireguard_role:
+ type: "str"
+ required: true
+ vpn_wireguard_address:
+ type: "str"
+ required: true
+ vpn_wireguard_netmask:
+ type: "str"
+ required: true
+ vpn_wireguard_port:
+ type: "int"
+ required: true
+ vpn_wireguard_interface_private_key:
+ type: "str"
+ required: true
+ vpn_wireguard_preshared_key:
+ type: "str"
+ required: true
+ vpn_wireguard_subnet:
+ type: "str"
+ required: false
+ vpn_wireguard_clients:
+ type: "list"
+ elem: "dict"
+ required: "{{ vpn_wireguard_role == 'server' }}"
+ vpn_wireguard_server_public_key:
+ type: "str"
+ required: "{{ vpn_wireguard_role == 'client' }}"
+ vpn_wireguard_server_address:
+ type: "str"
+ required: "{{ vpn_wireguard_role == 'client' }}"
diff --git a/plays/vpn/roles/bridge/tasks/include/wg0.yml b/plays/vpn/roles/wireguard/tasks/main.yml
similarity index 50%
rename from plays/vpn/roles/bridge/tasks/include/wg0.yml
rename to plays/vpn/roles/wireguard/tasks/main.yml
index 479c35e..6364c57 100644
--- a/plays/vpn/roles/bridge/tasks/include/wg0.yml
+++ b/plays/vpn/roles/wireguard/tasks/main.yml
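Review bot: `vpn_wireguard_clients` is declared with `elem: "dict"`, which is not the attribute the spec format uses — the bridge spec in this same commit writes `elements: "dict"` for `vpn_bridge_dnat` — so the list items are not type-checked as dicts; change the line to `elements: "dict"`. The `ansible_default_ipv4:` entry nests `interface:` directly under the option name, where the format expects attributes such as `type`/`required`; describing a sub-key needs `type: "dict"` with an `options:` map holding `interface`, though validating a gathered fact through argument_specs is unusual and an assert in tasks may be the clearer place for it. Because both templates only ever branch on `"server"`/`"client"`, `vpn_wireguard_role` should carry `choices: ["server", "client"]` so a typo fails at validation instead of rendering a peer-less wg0.conf. The two key-material options, `vpn_wireguard_interface_private_key` and `vpn_wireguard_preshared_key`, would also benefit from `no_log: true` so a validation failure does not echo their values — the module argument-spec validator honours that attribute, and I believe the role validator shares it, but confirm before relying on it.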
@@ -1,27 +1,27 @@
-- name: "wg0 : configure wireguard"
+- name: "configure wireguard"
 ansible.builtin.template:
- src: "./wg0/wg0.conf.j2"
+ src: "./wg0.conf.j2"
 dest: "/etc/wireguard/wg0.conf"
 mode: 0600
- register: vpn_bridge_wg0_conf
+ register: vpn_wireguard_conf
-- name: "wg0 : post-up nftables inet script"
+- name: "post-up nftables inet script"
 ansible.builtin.template:
- src: "./wg0/post-up-wg0-inet.nft.j2"
+ src: "./post-up-wg0-inet.nft.j2"
 dest: "/usr/local/sbin/post-up-wg0-inet.nft"
 mode: 0755
- register: vpn_bridge_post_up_wg0_inet_nft
+ register: vpn_wireguard_post_up_wg0_inet_nft
-- name: "wg0 : post-up nftables ipv4 script"
+- name: "post-up nftables ipv4 script"
 ansible.builtin.template:
- src: "./wg0/post-up-wg0-ipv4.nft.j2"
+ src: "./post-up-wg0-ipv4.nft.j2"
 dest: "/usr/local/sbin/post-up-wg0-ipv4.nft"
 mode: 0755
- register: vpn_bridge_post_up_wg0_ipv4_nft
+ register: vpn_wireguard_post_up_wg0_ipv4_nft
-- name: "wg0 : configure interface"
+- name: "configure interface"
 ansible.builtin.template:
- src: "./wg0/wg0.j2"
+ src: "./wg0.j2"
 dest: "/etc/network/interfaces.d/wg0"
 mode: 0644
 validate: >
@@ -30,9 +30,9 @@
 then
 ifdown wg0 ;
 fi'
- register: vpn_bridge_wg0_intf
+ register: vpn_wireguard_intf
-- name: "wg0 : restart interface"
+- name: "restart interface"
 ansible.builtin.shell: |
 if ip link show dev wg0
 then
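Review bot: The "configure wireguard" task renders `PrivateKey` and `PresharedKey` into /etc/wireguard/wg0.conf but carries no `no_log: true`, so a run with `--diff` or a verbose failure prints the key material to the console and to any logging callback, and the registered `vpn_wireguard_conf` result (only used for `.changed`) holds the rendered content on failure. Add `no_log: true` next to `mode: 0600` on that task; the other template tasks in this hunk only carry nftables rules and do not need it. The "restart interface" task at the end of the second hunk continues past the hunk.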
@@ -41,19 +41,19 @@
 ifup wg0
 fi
 when:
- vpn_bridge_wg0_conf.changed or
- vpn_bridge_post_up_wg0_inet_nft.changed or
- vpn_bridge_post_up_wg0_ipv4_nft.changed or
- vpn_bridge_wg0_intf.changed
+ vpn_wireguard_conf.changed or
+ vpn_wireguard_post_up_wg0_inet_nft.changed or
+ vpn_wireguard_post_up_wg0_ipv4_nft.changed or
+ vpn_wireguard_intf.changed
-- name: "wg0 : pre-down nftables inet script"
+- name: "pre-down nftables inet script"
 ansible.builtin.copy:
- src: "./wg0/pre-down-wg0-inet.nft"
+ src: "./pre-down-wg0-inet.nft"
 dest: "/usr/local/sbin/pre-down-wg0-inet.nft"
 mode: 0755
-- name: "wg0 : pre-down nftables ipv4 script"
+- name: "pre-down nftables ipv4 script"
 ansible.builtin.copy:
- src: "./wg0/pre-down-wg0-ipv4.nft"
+ src: "./pre-down-wg0-ipv4.nft"
 dest: "/usr/local/sbin/pre-down-wg0-ipv4.nft"
 mode: 0755
diff --git a/plays/vpn/roles/bridge/templates/wg0/post-up-wg0-inet.nft.j2 b/plays/vpn/roles/wireguard/templates/post-up-wg0-inet.nft.j2
similarity index 100%
rename from plays/vpn/roles/bridge/templates/wg0/post-up-wg0-inet.nft.j2
rename to plays/vpn/roles/wireguard/templates/post-up-wg0-inet.nft.j2
diff --git a/plays/vpn/roles/bridge/templates/wg0/post-up-wg0-ipv4.nft.j2 b/plays/vpn/roles/wireguard/templates/post-up-wg0-ipv4.nft.j2
similarity index 85%
rename from plays/vpn/roles/bridge/templates/wg0/post-up-wg0-ipv4.nft.j2
rename to plays/vpn/roles/wireguard/templates/post-up-wg0-ipv4.nft.j2
index fc375d0..a682238 100644
--- a/plays/vpn/roles/bridge/templates/wg0/post-up-wg0-ipv4.nft.j2
+++ b/plays/vpn/roles/wireguard/templates/post-up-wg0-ipv4.nft.j2
@@ -2,7 +2,7 @@ table ip wg0_ipv4 {
-{% if vpn_bridge_role == "server" %}
+{% if vpn_wireguard_role == "server" %}
 chain postrouting {
 type nat hook postrouting priority 100;
 iif wg0 oif {{ ansible_default_ipv4.interface }} masquerade;
diff --git a/plays/vpn/roles/wireguard/templates/wg0.conf.j2 b/plays/vpn/roles/wireguard/templates/wg0.conf.j2
new file mode 100644
index 0000000..d612bce
--- /dev/null
+++ b/plays/vpn/roles/wireguard/templates/wg0.conf.j2
@@ -0,0 +1,27 @@
+[Interface]
+PrivateKey = {{ vpn_wireguard_interface_private_key }}
+{% if vpn_wireguard_role == "server" %}
+ListenPort = {{ vpn_wireguard_port }}
+{% endif %}
+
+{% if vpn_wireguard_role == "server" %}
+{% for client in vpn_wireguard_clients %}
+[Peer]
+PublicKey = {{ client.public_key }}
+PresharedKey = {{ vpn_wireguard_preshared_key }}
+{% if vpn_wireguard_subnet is defined %}
+AllowedIPs = {{ vpn_wireguard_subnet }},{{ client.subnet }}
+{% else %}
+AllowedIPs = {{ client.subnet }}
+{% endif %}
+
+{% endfor %}
+{% elif vpn_wireguard_role == "client" %}
+[Peer]
+PublicKey = {{ vpn_wireguard_server_public_key }}
+PresharedKey = {{ vpn_wireguard_preshared_key }}
+Endpoint = {{ vpn_wireguard_server_address }}:{{ vpn_wireguard_port }}
+AllowedIPs = 0.0.0.0/0
+PersistentKeepalive = 15
+
+{% endif %}
diff --git a/plays/vpn/roles/bridge/templates/wg0/wg0.j2 b/plays/vpn/roles/wireguard/templates/wg0.j2
similarity index 53%
rename from plays/vpn/roles/bridge/templates/wg0/wg0.j2
rename to plays/vpn/roles/wireguard/templates/wg0.j2
index 8d6d500..a28f7ab 100644
--- a/plays/vpn/roles/bridge/templates/wg0/wg0.j2
+++ b/plays/vpn/roles/wireguard/templates/wg0.j2
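Review bot: In the server branch every `[Peer]` is given `AllowedIPs = {{ vpn_wireguard_subnet }},{{ client.subnet }}`, i.e. the same `vpn_wireguard_subnet` prefix on each peer. WireGuard's cryptokey routing binds a prefix to exactly one peer — to my reading of wg(8), assigning an allowed IP to a later peer removes it from the earlier one — so with two or more clients only the last peer in the loop keeps that prefix and all traffic for it is steered to that single client. Unless `vpn_wireguard_subnet` is meant to hold a per-peer value, each peer's `AllowedIPs` should be only `{{ client.subnet }}` (plus that peer's own tunnel address), which would also remove the `{% if vpn_wireguard_subnet is defined %}` branch; please confirm what the variable is meant to carry before changing it. Minor style: `{% if vpn_wireguard_role == "server" %}` is opened twice in succession (once for `ListenPort`, again for the peer loop) and could be one block.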
@@ -6,23 +6,23 @@ iface wg0 inet static
 post-up /usr/local/sbin/post-up-$IFACE-inet.nft
 post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
-{% if vpn_bridge_role == "client" %}
- post-up ip route add default dev $IFACE table {{ vpn_bridge_routing_table }}
-{% elif vpn_bridge_role == "server" %}
-{% for client in vpn_bridge_wg0_clients %}
+{% if vpn_wireguard_role == "client" %}
+ post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
+{% elif vpn_wireguard_role == "server" %}
+{% for client in vpn_wireguard_clients %}
 post-up ip route add {{ client.subnet }} dev $IFACE
 {% endfor %}
 {% endif %}
-{% if vpn_bridge_role == "server" %}
-{% for client in vpn_bridge_wg0_clients %}
+{% if vpn_wireguard_role == "server" %}
+{% for client in vpn_wireguard_clients %}
 pre-down ip route del {{ client.subnet }} dev $IFACE
 {% endfor %}
-{% elif vpn_bridge_role == "client" %}
- pre-down ip route del default dev $IFACE table {{ vpn_bridge_routing_table }}
+{% elif vpn_wireguard_role == "client" %}
+ pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
 {% endif %}
 pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
 pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
- address {{ vpn_bridge_wg0_address }}
- netmask {{ vpn_bridge_wg0_netmask }}
+ address {{ vpn_wireguard_address }}
+ netmask {{ vpn_wireguard_netmask }}