Move wireguard to new config system

system/base/utils/tasks/main.yml

@@ -3,6 +3,7 @@
   ansible.builtin.apt:
     name:
       - "acl"
+      - "gettext-base"
       - "git"
       - "htop"
       - "man"

vpn/bridge/templates/ifupdown.d/00-interface

@@ -16,7 +16,7 @@ case ${PHASE} in
         /usr/sbin/ip link add ${IFACE} type bridge
         /usr/sbin/ip link set dev ${IFACE} type bridge forward_delay 0
 
-        /usr/sbin/sysctl -q -w net.ipv6.conf.br0.autoconf=0
+        /usr/sbin/sysctl -q -w net.ipv6.conf.${IFACE}.autoconf=0
 
         /usr/sbin/ip -4 address add {{ vpn_bridge_inet_address }}/{{ vpn_bridge_inet_prefixlen }} dev ${IFACE}
         /usr/sbin/ip -6 address add {{ vpn_bridge_inet6_address }}/{{ vpn_bridge_inet6_prefixlen }} dev ${IFACE} nodad

vpn/bridge/templates/ifupdown.d/20-routes

@@ -14,11 +14,11 @@ fi
 case ${PHASE} in
     "pre-up")
 {% if vpn_bridge_routing_table is defined %}
-        /usr/sbin/ip -4 rule add dev $IFACE table {{ vpn_bridge_routing_table }}
+        /usr/sbin/ip -4 rule add dev ${IFACE} table {{ vpn_bridge_routing_table }}
-        /usr/sbin/ip -6 rule add dev $IFACE table {{ vpn_bridge_routing_table }}
+        /usr/sbin/ip -6 rule add dev ${IFACE} table {{ vpn_bridge_routing_table }}
 
-        /usr/sbin/ip -4 rule add dev $IFACE to {{ local_inet_network }} table main priority 1
+        /usr/sbin/ip -4 rule add dev ${IFACE} to {{ local_inet_network }} table main priority 1
-        /usr/sbin/ip -6 rule add dev $IFACE to {{ local_inet6_network }} table main priority 1
+        /usr/sbin/ip -6 rule add dev ${IFACE} to {{ local_inet6_network }} table main priority 1
 {% endif %}
         ;;
     "post-up")
@@ -27,11 +27,11 @@ case ${PHASE} in
         ;;
     "post-down")
 {% if vpn_bridge_routing_table is defined %}
-        /usr/sbin/ip -6 rule del dev $IFACE to {{ local_inet6_network }} table main priority 1
+        /usr/sbin/ip -6 rule del dev ${IFACE} to {{ local_inet6_network }} table main priority 1
-        /usr/sbin/ip -4 rule del dev $IFACE to {{ local_inet_network }} table main priority 1
+        /usr/sbin/ip -4 rule del dev ${IFACE} to {{ local_inet_network }} table main priority 1
 
-        /usr/sbin/ip -6 rule del dev $IFACE table {{ vpn_bridge_routing_table }}
+        /usr/sbin/ip -6 rule del dev ${IFACE} table {{ vpn_bridge_routing_table }}
-        /usr/sbin/ip -4 rule del dev $IFACE table {{ vpn_bridge_routing_table }}
+        /usr/sbin/ip -4 rule del dev ${IFACE} table {{ vpn_bridge_routing_table }}
 {% endif %}
         ;;
 esac

vpn/wireguard/tasks/main.yml

@@ -3,33 +3,55 @@
   ansible.builtin.apt:
     name: "wireguard"
 
-- name: "configure wireguard"
+- name: "create interface directory hierarchy"
-  ansible.builtin.template:
+  ansible.builtin.file:
-    src: "./{{ vpn_wireguard_role }}/IFACE.conf"
+    path: "{{ system_etc_root_directory }}/network/interfaces/{{ item }}"
-    dest: "/etc/wireguard/{{ vpn_wireguard_iface }}.conf"
+    state: "directory"
-    mode: 0600
-  register: vpn_wireguard_conf
-
-- name: "post-up nftables inet script"
-  ansible.builtin.template:
-    src: "./post-up-IFACE-inet.nft"
-    dest: "/usr/local/sbin/post-up-{{ vpn_wireguard_iface }}-inet.nft"
     mode: 0755
-  register: vpn_wireguard_post_up_iface_inet_nft
+  loop:
+    - "{{ vpn_wireguard_iface }}"
+    - "{{ vpn_wireguard_iface }}/ifup.d"
+    - "{{ vpn_wireguard_iface }}/ifdown.d"
+    - "{{ vpn_wireguard_iface }}/nftables"
+    - "{{ vpn_wireguard_iface }}/wireguard"
+
+- name: "wireguard configuration"
+  ansible.builtin.template:
+    src: "./wireguard/wireguard-{{ vpn_wireguard_role }}.conf"
+    dest: "\
+      {{ system_etc_root_directory }}/network/interfaces/\
+      {{ vpn_wireguard_iface }}/wireguard/wireguard-{{ vpn_wireguard_role }}.conf"
+    mode: 0600
+  register: vpn_wireguard_configuration
+
+- name: "nftables up script"
+  ansible.builtin.template:
+    src: "./nftables/up.nft"
+    dest: "\
+      {{ system_etc_root_directory }}/network/interfaces/\
+      {{ vpn_wireguard_iface }}/nftables/up.nft"
+    mode: 0644
+  register: vpn_wireguard_nftables_up
+
+- name: "interface up scripts"
+  ansible.builtin.template:
+    src: "./ifupdown.d/{{ item }}"
+    dest: "\
+      {{ system_etc_root_directory }}/network/interfaces/\
+      {{ vpn_wireguard_iface }}/ifup.d/{{ item }}"
+    mode: 0755
+  loop:
+    - "00-interface"
+    - "10-nftables"
+    - "20-routes-{{ vpn_wireguard_role }}"
+  register: vpn_wireguard_interface_up
 
 - name: "configure interface"
   ansible.builtin.template:
-    src: "./{{ vpn_wireguard_role }}/IFACE"
+    src: "./interface"
     dest: "/etc/network/interfaces.d/{{ vpn_wireguard_iface }}"
     mode: 0644
-    validate: >
+  register: vpn_wireguard_interface_file
-      bash -c
-      'if ! diff %s /etc/network/interfaces.d/{{ vpn_wireguard_iface }} &&
-          ip link show dev {{ vpn_wireguard_iface }} ;
-       then
-           ifdown {{ vpn_wireguard_iface }} ;
-       fi'
-  register: vpn_wireguard_intf
 
 - name: "restart interface"
   ansible.builtin.shell: |
@@ -40,12 +62,27 @@
         ifup {{ vpn_wireguard_iface }}
     fi
   when:
-    vpn_wireguard_conf.changed or
+    vpn_wireguard_configuration.changed or
-    vpn_wireguard_post_up_iface_inet_nft.changed or
+    vpn_wireguard_nftables_up.changed or
-    vpn_wireguard_intf.changed
+    vpn_wireguard_interface_up.changed or
+    vpn_wireguard_interface_file.changed
 
-- name: "pre-down nftables inet script"
+- name: "nftables down script"
   ansible.builtin.template:
-    src: "./pre-down-IFACE-inet.nft"
+    src: "./nftables/down.nft"
-    dest: "/usr/local/sbin/pre-down-{{ vpn_wireguard_iface }}-inet.nft"
+    dest: "\
+      {{ system_etc_root_directory }}/network/interfaces/\
+      {{ vpn_wireguard_iface }}/nftables/down.nft"
+    mode: 0644
+
+- name: "interface down scripts"
+  ansible.builtin.template:
+    src: "./ifupdown.d/{{ item }}"
+    dest: "\
+      {{ system_etc_root_directory }}/network/interfaces/\
+      {{ vpn_wireguard_iface }}/ifdown.d/{{ item }}"
     mode: 0755
+  loop:
+    - "00-interface"
+    - "10-nftables"
+    - "20-routes-{{ vpn_wireguard_role }}"

vpn/wireguard/templates/client/IFACE

@@ -1,21 +0,0 @@
-auto {{ vpn_wireguard_iface }}
-iface {{ vpn_wireguard_iface }} inet6 static
-    pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
-    pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
-
-    post-up /usr/local/sbin/post-up-$IFACE-inet.nft
-    post-up ip -6 route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
-
-    pre-down ip -6 route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
-    pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
-
-    mtu {{ vpn_wireguard_mtu }}
-
-    address {{ vpn_wireguard_inet6_address }}/{{ vpn_wireguard_inet6_prefixlen }}
-
-iface {{ vpn_wireguard_iface }} inet static
-    post-up ip route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
-
-    pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
-
-    address {{ vpn_wireguard_inet_address }}/{{ vpn_wireguard_inet_prefixlen }}

vpn/wireguard/templates/ifupdown.d/00-interface

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+if [ ${MODE} == "start" ]
+then
+    set -ue
+elif [ ${MODE} == "stop" ]
+then
+    set -u
+else
+    echo "$(basename ${0}): mode must be one of either 'start' or 'stop'" 1>&2
+    exit 1
+fi
+
+case ${PHASE} in
+    "pre-up")
+        /usr/sbin/ip link add ${IFACE} type wireguard
+        /usr/sbin/ip link set dev ${IFACE} mtu {{ vpn_wireguard_mtu }}
+
+        /usr/sbin/sysctl -q -w net.ipv6.conf.${IFACE}.autoconf=0
+
+        /usr/bin/wg setconf ${IFACE} {{ system_etc_root_directory }}/network/interfaces/${IFACE}/wireguard/wireguard-{{ vpn_wireguard_role }}.conf
+
+        /usr/sbin/ip -4 address add {{ vpn_wireguard_inet_address }}/{{ vpn_wireguard_inet_prefixlen }} dev ${IFACE}
+        /usr/sbin/ip -6 address add {{ vpn_wireguard_inet6_address }}/{{ vpn_wireguard_inet6_prefixlen }} dev ${IFACE}
+        ;;
+    "post-up")
+        ;;
+    "pre-down")
+        ;;
+    "post-down")
+        /usr/sbin/ip -6 address flush dev ${IFACE}
+        /usr/sbin/ip -4 address flush dev ${IFACE}
+
+        /usr/sbin/ip link delete dev ${IFACE}
+        ;;
+esac

vpn/wireguard/templates/ifupdown.d/10-nftables

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+if [ ${MODE} == "start" ]
+then
+    set -ue
+elif [ ${MODE} == "stop" ]
+then
+    set -u
+else
+    echo "$(basename ${0}): mode must be one of either 'start' or 'stop'" 1>&2
+    exit 1
+fi
+
+IFDIR={{ system_etc_root_directory }}/network/interfaces/${IFACE}
+
+case ${PHASE} in
+    "pre-up")
+        /usr/bin/envsubst '${IFACE}' < ${IFDIR}/nftables/up.nft | /usr/sbin/nft -f /dev/stdin
+        ;;
+    "post-up")
+        ;;
+    "pre-down")
+        ;;
+    "post-down")
+        /usr/bin/envsubst '${IFACE}' < ${IFDIR}/nftables/down.nft | /usr/sbin/nft -f /dev/stdin
+        ;;
+esac

vpn/wireguard/templates/ifupdown.d/20-routes-client

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+if [ ${MODE} == "start" ]
+then
+    set -ue
+elif [ ${MODE} == "stop" ]
+then
+    set -u
+else
+    echo "$(basename ${0}): mode must be one of either 'start' or 'stop'" 1>&2
+    exit 1
+fi
+
+case ${PHASE} in
+    "pre-up")
+        ;;
+    "post-up")
+        /usr/sbin/ip -4 route add default dev ${IFACE} table {{ vpn_wireguard_routing_table }}
+        /usr/sbin/ip -6 route add default dev ${IFACE} table {{ vpn_wireguard_routing_table }}
+        ;;
+    "pre-down")
+        /usr/sbin/ip -6 route del default dev ${IFACE} table {{ vpn_wireguard_routing_table }}
+        /usr/sbin/ip -4 route del default dev ${IFACE} table {{ vpn_wireguard_routing_table }}
+        ;;
+    "post-down")
+        ;;
+esac

vpn/wireguard/templates/ifupdown.d/20-routes-server

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+if [ ${MODE} == "start" ]
+then
+    set -ue
+elif [ ${MODE} == "stop" ]
+then
+    set -u
+else
+    echo "$(basename ${0}): mode must be one of either 'start' or 'stop'" 1>&2
+    exit 1
+fi
+
+case ${PHASE} in
+    "pre-up")
+{% if vpn_wireguard_routing_table is defined %}
+        /usr/sbin/ip -4 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
+        /usr/sbin/ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
+{% endif %}
+        ;;
+    "post-up")
+{% for client in vpn_wireguard_clients %}
+{% if 'inet_subnet' in client %}
+        /usr/sbin/ip -4 route add {{ client.inet_subnet }} dev ${IFACE}
+{% endif %}
+{% if 'inet6_subnet' in client %}
+        /usr/sbin/ip -6 route add {{ client.inet6_subnet }} dev ${IFACE}
+{% endif %}
+{% endfor %}
+        ;;
+    "pre-down")
+{% for client in vpn_wireguard_clients %}
+{% if 'inet6_subnet' in client %}
+        /usr/sbin/ip -6 route del {{ client.inet6_subnet }} dev ${IFACE}
+{% endif %}
+{% if 'inet_subnet' in client %}
+        /usr/sbin/ip -4 route del {{ client.inet_subnet }} dev ${IFACE}
+{% endif %}
+{% endfor %}
+        ;;
+    "post-down")
+{% if vpn_wireguard_routing_table is defined %}
+        /usr/sbin/ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
+        /usr/sbin/ip -4 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
+{% endif %}
+        ;;
+esac

vpn/wireguard/templates/interface

@@ -0,0 +1,2 @@
+auto {{ vpn_wireguard_iface }}
+iface {{ vpn_wireguard_iface }} inet6 manual

vpn/wireguard/templates/nftables/down.nft

@@ -0,0 +1,4 @@
+#!/usr/bin/env -S nft -f
+
+flush table inet ${IFACE}_inet
+delete table inet ${IFACE}_inet

vpn/wireguard/templates/nftables/up.nft

@@ -0,0 +1,19 @@
+#!/usr/bin/env -S nft -f
+
+table inet ${IFACE}_inet {
+        chain forward {
+                type filter hook forward priority 0;
+                iif ${IFACE} tcp flags syn tcp option maxseg size set rt mtu;
+                oif ${IFACE} tcp flags syn tcp option maxseg size set rt mtu;
+        }
+{% if vpn_wireguard_role == "server" %}
+
+        chain postrouting {
+                type nat hook postrouting priority 100;
+                iif ${IFACE} oif { {{ [
+                        ansible_default_ipv4.interface | default(ansible_default_ipv6.interface),
+                        ansible_default_ipv6.interface | default(ansible_default_ipv4.interface)
+                    ] | unique | join(", ") }} } masquerade;
+        }
+{% endif %}
+}

vpn/wireguard/templates/post-up-IFACE-inet.nft

@@ -1,16 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-table inet {{ vpn_wireguard_iface }}_inet {
-        chain forward {
-                type filter hook forward priority 0;
-                iif {{ vpn_wireguard_iface }} tcp flags syn tcp option maxseg size set rt mtu;
-                oif {{ vpn_wireguard_iface }} tcp flags syn tcp option maxseg size set rt mtu;
-        }
-{% if vpn_wireguard_role == "server" %}
-
-        chain postrouting {
-                type nat hook postrouting priority 100;
-                iif {{ vpn_wireguard_iface }} oif { {{ [ansible_default_ipv4.interface, ansible_default_ipv6.interface] | unique | join(", ") }} } masquerade;
-        }
-{% endif %}
-}

vpn/wireguard/templates/pre-down-IFACE-inet.nft

@@ -1,4 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-flush table inet {{ vpn_wireguard_iface }}_inet
-delete table inet {{ vpn_wireguard_iface }}_inet

vpn/wireguard/templates/server/IFACE

@@ -1,49 +0,0 @@
-auto {{ vpn_wireguard_iface }}
-iface {{ vpn_wireguard_iface }} inet6 static
-    pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
-    pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
-
-    post-up /usr/local/sbin/post-up-$IFACE-inet.nft
-{% if vpn_wireguard_routing_table is defined %}
-    post-up ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
-{% endif %}
-{% for client in vpn_wireguard_clients %}
-{% if 'inet6_subnet' in client %}
-    post-up ip route add {{ client.inet6_subnet }} dev $IFACE
-{% endif %}
-{% endfor %}
-
-{% for client in vpn_wireguard_clients %}
-{% if 'inet6_subnet' in client %}
-    pre-down ip route del {{ client.inet6_subnet }} dev $IFACE
-{% endif %}
-{% endfor %}
-{% if vpn_wireguard_routing_table is defined %}
-    pre-down ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
-{% endif %}
-    pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
-
-    mtu {{ vpn_wireguard_mtu }}
-
-    address {{ vpn_wireguard_inet6_address }}/{{ vpn_wireguard_inet6_prefixlen }}
-
-iface {{ vpn_wireguard_iface }} inet static
-{% if vpn_wireguard_routing_table is defined %}
-    post-up ip rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
-{% endif %}
-{% for client in vpn_wireguard_clients %}
-{% if 'inet_subnet' in client %}
-    post-up ip route add {{ client.inet_subnet }} dev $IFACE
-{% endif %}
-{% endfor %}
-
-{% for client in vpn_wireguard_clients %}
-{% if 'inet_subnet' in client %}
-    pre-down ip route del {{ client.inet_subnet }} dev $IFACE
-{% endif %}
-{% endfor %}
-{% if vpn_wireguard_routing_table is defined %}
-    pre-down ip rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
-{% endif %}
-
-    address {{ vpn_wireguard_inet_address }}/{{ vpn_wireguard_inet_prefixlen }}