diff --git a/.gitattributes b/.gitattributes
index 90dd4e1..505af13 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,2 @@
 cargo_credentials.toml filter=git-crypt diff=git-crypt
+**/wireguard_configs/** filter=git-crypt diff=git-crypt
diff --git a/ansible/environments/laptop/host_vars/odofreebsd b/ansible/environments/laptop/host_vars/odofreebsd
index 90dafca..2e2ac18 100644
--- a/ansible/environments/laptop/host_vars/odofreebsd
+++ b/ansible/environments/laptop/host_vars/odofreebsd
@@ -50,3 +50,6 @@ efi_dev: /dev/gpt/EFI
 sound_default_unit: 5
 sway_conf_files:
 - launch_gpg
+wireguard_directory: odo
+enabled_wireguard:
+ - wgh
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index 258d15c..d7bf5e9 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -33,6 +33,7 @@ - kubernetes - google_cloud_sdk - ansible + - wireguard - hosts: nat_dhcp:homeserver_nat_dhcp vars:
diff --git a/ansible/roles/wireguard/files/wireguard_configs/odo/wgf.conf b/ansible/roles/wireguard/files/wireguard_configs/odo/wgf.conf
new file mode 100644
index 0000000..51001a1
Binary files /dev/null and b/ansible/roles/wireguard/files/wireguard_configs/odo/wgf.conf differ
diff --git a/ansible/roles/wireguard/files/wireguard_configs/odo/wgh.conf b/ansible/roles/wireguard/files/wireguard_configs/odo/wgh.conf
new file mode 100644
index 0000000..13893b8
Binary files /dev/null and b/ansible/roles/wireguard/files/wireguard_configs/odo/wgh.conf differ
diff --git a/ansible/roles/wireguard/tasks/common.yaml b/ansible/roles/wireguard/tasks/common.yaml
new file mode 100644
index 0000000..fef1101
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/common.yaml
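Review bot: The new `**/wireguard_configs/**` attribute is the only thing keeping the two new `.conf` files (which presumably carry the interface private keys) out of the clear history, and it is purely path-based: the same files placed anywhere outside a directory literally named `wireguard_configs` would be committed unencrypted. The files already appear as `Binary files ... differ`, which is consistent with the clean filter having run, but `git-crypt status` on this commit is the authoritative check before pushing. A comment above the line would make the constraint visible to the next person adding a host, e.g. `# tunnel configs hold private keys: keep them under a wireguard_configs/ tree or they are committed in clear`.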
@@ -0,0 +1,15 @@
+- import_tasks: tasks/freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+ when: 'os_flavor == "linux"'
+
+- include_tasks:
+ file: tasks/peruser.yaml
+ apply:
+ become: yes
+ become_user: "{{ initialize_user }}"
+ when: users is defined
+ loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+ loop_control:
+ loop_var: initialize_user
diff --git a/ansible/roles/wireguard/tasks/freebsd.yaml b/ansible/roles/wireguard/tasks/freebsd.yaml
new file mode 100644
index 0000000..8ff24c4
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/freebsd.yaml
@@ -0,0 +1,45 @@
+- name: Install packages
+ package:
+ name:
+ - wireguard
+ state: present
+
+- name: Configure wireguard
+ copy:
+ src: "{{ item }}"
+ dest: /usr/local/etc/wireguard/
+ mode: 0440
+ owner: root
+ group: wheel
+ with_fileglob: "files/wireguard_configs/{{ wireguard_directory }}/*.conf"
+
+- name: Enable gateway
+ when: wireguard_gateway is defined and wireguard_gateway == true
+ community.general.sysrc:
+ name: "{{ item }}"
+ value: "YES"
+ path: /etc/rc.conf.d/routing
+ loop:
+ - gateway_enable
+ - ipv6_gateway_enable
+
+- name: Enable wireguard service
+ when: enabled_wireguard is defined
+ community.general.sysrc:
+ name: wireguard_enable
+ value: "YES"
+ path: /etc/rc.conf.d/wireguard
+
+- name: Disable wireguard service
+ when: enabled_wireguard is not defined
+ community.general.sysrc:
+ name: wireguard_enable
+ value: "NO"
+ path: /etc/rc.conf.d/wireguard
+
+- name: Set enabled wireguard list
+ when: enabled_wireguard is defined
+ community.general.sysrc:
+ name: wireguard_interfaces
+ value: "{{ enabled_wireguard|join(' ') }}"
+ path: /etc/rc.conf.d/wireguard
diff --git a/ansible/roles/wireguard/tasks/linux.yaml b/ansible/roles/wireguard/tasks/linux.yaml
new file mode 100644
index 0000000..d3ba5b9
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/linux.yaml
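Review bot: The `when: users is defined` guard on the `include_tasks` may not protect its `loop` expression, because Ansible evaluates `loop` before the per-item `when`; on a host with no `users` variable the `dict2items` filter would then fail on an undefined value rather than skipping. Defaulting inside the expression keeps the guard effective: start the loop with `users | default({}) | dict2items | ...` and the rest of the json_query unchanged. The two `become: yes` values under `apply` are also YAML 1.1 truthy forms; `become: true` is the canonical spelling and what ansible-lint expects.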
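Review bot: `Enable gateway` has no counterpart for the absent/false case, unlike the `Enable wireguard service`/`Disable wireguard service` pair, so a host that stops being a gateway keeps `gateway_enable` and `ipv6_gateway_enable` at `YES` in `/etc/rc.conf.d/routing` and keeps forwarding packets between interfaces after the tunnel is gone. If no other role manages those two keys, a mirrored task with `value: "NO"` makes the role converge both ways, and the `default(false) | bool` form it uses would also replace `wireguard_gateway is defined and wireguard_gateway == true`. Separately, `Configure wireguard` copies the configs with no `notify`, so a changed config (for example a rotated key) is written to `/usr/local/etc/wireguard/` but not applied to an already-running interface until something restarts it; a handler or a comment stating that a reboot is expected would close that gap.
```yaml
# … unchanged: Install packages, Configure wireguard, Enable gateway …

- name: Disable gateway
  when: not (wireguard_gateway | default(false) | bool)
  community.general.sysrc:
    name: "{{ item }}"
    value: "NO"
    path: /etc/rc.conf.d/routing
  loop:
    - gateway_enable
    - ipv6_gateway_enable

# … unchanged: wireguard_enable / wireguard_interfaces tasks …
```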
@@ -0,0 +1,24 @@
+- name: Install packages
+ package:
+ name:
+ - wireguard-tools
+ - qrencode # For generating qr codes to send to phone with `qrencode -t ansiutf8 -r `
+ - systemd-resolvconf # For wg-quick to regenerate resolv.conf
+ state: present
+
+- name: Configure wireguard
+ copy:
+ src: "{{ item }}"
+ dest: /etc/wireguard/
+ mode: 0440
+ owner: root
+ group: root
+ with_fileglob: "files/wireguard_configs/{{ wireguard_directory }}/*.conf"
+
+- name: Enable Wireguard
+ when: enabled_wireguard is defined
+ systemd:
+ enabled: yes
+ name: "wg-quick@{{ item }}"
+ daemon_reload: yes
+ loop: "{{ enabled_wireguard }}"
diff --git a/ansible/roles/wireguard/tasks/main.yaml b/ansible/roles/wireguard/tasks/main.yaml
new file mode 100644
index 0000000..8a66fbe
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+ when: wireguard_directory is defined
diff --git a/ansible/roles/wireguard/tasks/peruser.yaml b/ansible/roles/wireguard/tasks/peruser.yaml
new file mode 100644
index 0000000..111e886
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/peruser.yaml
@@ -0,0 +1,29 @@
+- include_role:
+ name: per_user
+
+# - name: Create directories
+# file:
+# name: "{{ account_homedir.stdout }}/{{ item }}"
+# state: directory
+# mode: 0700
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - ".config/foo"
+
+# - name: Copy files
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+# mode: 0600
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - src: foo.conf
+# dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+ when: 'os_flavor == "linux"'
diff --git a/ansible/roles/wireguard/tasks/peruser_freebsd.yaml b/ansible/roles/wireguard/tasks/peruser_freebsd.yaml
new file mode 100644
index 0000000..e69de29
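Review bot: `Enable Wireguard` only enables `wg-quick@<name>` units for the names currently in `enabled_wireguard`; nothing disables a unit whose name was dropped from the list, and `Configure wireguard` never removes stale files from `/etc/wireguard/`, so a retired tunnel keeps coming up at boot with its old config and keys. The freebsd.yaml file in this same change does converge the service flag and the interface list both ways, so the two platforms drift apart here. If bringing the tunnel up during the run is intended, `state: started` is also missing next to `enabled: yes`; either way `enabled: yes` and `daemon_reload: yes` should be written `true`. `systemd-resolvconf` looks like a distribution-specific package name — presumably a single target distro; a comment saying which would save the next reader a lookup.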
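Review bot: Apart from `include_role: per_user`, this task file does nothing: it imports `peruser_freebsd.yaml` and `peruser_linux.yaml`, both empty in this change (blob `e69de29`), and the rest is a commented-out template referencing `account_homedir`, `account_name` and `group_name` that no live task uses. common.yaml still runs this include once per initialized user with `become_user`, so the scaffolding costs a role include per user per run for no effect. Either drop the per-user chain until there is per-user work, or replace the template with a one-line `# TODO: per-user wireguard setup (none yet); per_user role kept so account facts are available` so the intent is explicit. If the template is revived, its `0700`/`0600` modes are the right defaults for anything holding key material.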
diff --git a/ansible/roles/wireguard/tasks/peruser_linux.yaml b/ansible/roles/wireguard/tasks/peruser_linux.yaml
new file mode 100644
index 0000000..e69de29