From 83f8b2509bf31cb448c71e77bb38c5a5889b199c Mon Sep 17 00:00:00 2001 From: Tom Alexander Date: Sat, 3 Dec 2022 17:16:37 -0500 Subject: [PATCH 1/3] Start a wireguard role. --- .gitattributes | 1 + ansible/playbook.yaml | 63 ++++++++++--------- ansible/roles/wireguard/tasks/common.yaml | 15 +++++ ansible/roles/wireguard/tasks/freebsd.yaml | 53 ++++++++++++++++ ansible/roles/wireguard/tasks/linux.yaml | 24 +++++++ ansible/roles/wireguard/tasks/main.yaml | 2 + ansible/roles/wireguard/tasks/peruser.yaml | 29 +++++++++ .../wireguard/tasks/peruser_freebsd.yaml | 0 .../roles/wireguard/tasks/peruser_linux.yaml | 0 9 files changed, 156 insertions(+), 31 deletions(-) create mode 100644 ansible/roles/wireguard/tasks/common.yaml create mode 100644 ansible/roles/wireguard/tasks/freebsd.yaml create mode 100644 ansible/roles/wireguard/tasks/linux.yaml create mode 100644 ansible/roles/wireguard/tasks/main.yaml create mode 100644 ansible/roles/wireguard/tasks/peruser.yaml create mode 100644 ansible/roles/wireguard/tasks/peruser_freebsd.yaml create mode 100644 ansible/roles/wireguard/tasks/peruser_linux.yaml diff --git a/.gitattributes b/.gitattributes index 90dd4e1..6ae4113 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1 +1,2 @@ cargo_credentials.toml filter=git-crypt diff=git-crypt +wireguard_configs/ filter=git-crypt diff=git-crypt diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml index 258d15c..5d55635 100644 --- a/ansible/playbook.yaml +++ b/ansible/playbook.yaml 
@@ -2,37 +2,38 @@ vars: ansible_become: True roles:
- - sudo
- - users
- - package_manager
- - zrepl
- - zsh
- - network
- - sshd
- - base
- - firewall
- - cpu
- - ntp
- - build
- - graphics
- - gpg
- - fonts
- - alacritty
- - sway
- - emacs
- - firefox
- - devfs
- - ssh_client
- - sshfs
- - jail
- - fuse
- - autofs
- - exfat
- - bhyve
- - media
- - kubernetes
- - google_cloud_sdk
- - ansible
+ # - sudo
+ # - users
+ # - package_manager
+ # - zrepl
+ # - zsh
+ # - network
+ # - sshd
+ # - base
+ # - firewall
+ # - cpu
+ # - ntp
+ # - build
+ # - graphics
+ # - gpg
+ # - fonts
+ # - alacritty
+ # - sway
+ # - emacs
+ # - firefox
+ # - devfs
+ # - ssh_client
+ # - sshfs
+ # - jail
+ # - fuse
+ # - autofs
+ # - exfat
+ # - bhyve
+ # - media
+ # - kubernetes
+ # - google_cloud_sdk
+ # - ansible
+ - wireguard - hosts: nat_dhcp:homeserver_nat_dhcp vars:
diff --git a/ansible/roles/wireguard/tasks/common.yaml b/ansible/roles/wireguard/tasks/common.yaml
new file mode 100644
index 0000000..fef1101
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/common.yaml
@@ -0,0 +1,15 @@
+- import_tasks: tasks/freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+ when: 'os_flavor == "linux"'
+
+- include_tasks:
+ file: tasks/peruser.yaml
+ apply:
+ become: yes
+ become_user: "{{ initialize_user }}"
+ when: users is defined
+ loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+ loop_control:
+ loop_var: initialize_user
diff --git a/ansible/roles/wireguard/tasks/freebsd.yaml b/ansible/roles/wireguard/tasks/freebsd.yaml
new file mode 100644
index 0000000..6a6688f
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/freebsd.yaml
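Review bot: The `when: users is defined` guard on the include_tasks block in common.yaml does not protect the `loop:` line next to it, because Ansible renders the loop expression first and then evaluates `when` once per item, so a host with no `users` variable fails with an undefined-variable error instead of skipping the task. Default the loop source instead, e.g. `loop: "{{ (users | default({})) | dict2items | community.general.json_query(...) }}"` with the existing JMESPath filter kept, after which the `when` is redundant. The same loop-before-when pattern is in the `Enable Wireguard` task of freebsd.yaml and linux.yaml (`loop: "{{ enabled_wireguard }}"` guarded by `when: enabled_wireguard is defined`), where `enabled_wireguard | default([])` does the same job. `become: yes` is better written as `become: true`.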
@@ -0,0 +1,53 @@
+- name: Install packages
+ package:
+ name:
+ - wireguard
+ state: present
+
+- name: Configure wireguard
+ copy:
+ src: "{{ item }}"
+ dest: /usr/local/etc/wireguard/
+ mode: 0440
+ owner: root
+ group: root
+ with_fileglob: "files/wireguard_configs/{{ wireguard_directory }}/*.conf"
+
+- name: Enable Wireguard
+ when: enabled_wireguard is defined
+ systemd:
+ enabled: yes
+ name: "wg-quick@{{ item }}"
+ daemon_reload: yes
+ loop: "{{ enabled_wireguard }}"
+
+- name: Enable gateway
+ when: wireguard_gateway is defined and wireguard_gateway == true
+ community.general.sysrc:
+ name: "{{ item }}"
+ value: "YES"
+ path: /etc/rc.conf.d/routing
+ loop:
+ - gateway_enable
+ - ipv6_gateway_enable
+
+- name: Enable wireguard service
+ when: enabled_wireguard is defined
+ community.general.sysrc:
+ name: wireguard_enable
+ value: "YES"
+ path: /etc/rc.conf.d/wireguard
+
+- name: Disable wireguard service
+ when: enabled_wireguard is not defined
+ community.general.sysrc:
+ name: wireguard_enable
+ value: "NO"
+ path: /etc/rc.conf.d/wireguard
+
+- name: Set enabled wireguard list
+ when: enabled_wireguard is defined
+ community.general.sysrc:
+ name: wireguard_interfaces
+ value: "{{ enabled_wireguard|join(' ') }}"
+ path: /etc/rc.conf.d/wireguard
diff --git a/ansible/roles/wireguard/tasks/linux.yaml b/ansible/roles/wireguard/tasks/linux.yaml
new file mode 100644
index 0000000..d3ba5b9
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/linux.yaml
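Review bot: `Enable gateway` only ever writes `gateway_enable` and `ipv6_gateway_enable` as YES; there is no counterpart writing NO when `wireguard_gateway` is false or undefined, unlike the `Enable`/`Disable wireguard service` pair further down, so a host that once carried the flag keeps IPv4 and IPv6 forwarding on after the variable is removed. A mirror task keeps the role convergent; if another role (jail or bhyve, say) also manages these rc.conf keys, scope its condition so the two do not fight. While here, quote the mode (`mode: "0440"`) so YAML does not parse it as an octal integer, and `wireguard_gateway == true` is more robust as `wireguard_gateway | default(false) | bool`.
```yaml
# … unchanged: Install packages, Configure wireguard, Enable gateway …

- name: Disable gateway
  when: wireguard_gateway is not defined or not (wireguard_gateway | bool)
  community.general.sysrc:
    name: "{{ item }}"
    value: "NO"
    path: /etc/rc.conf.d/routing
  loop:
    - gateway_enable
    - ipv6_gateway_enable

# … unchanged: wireguard_enable / wireguard_interfaces tasks …
```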
@@ -0,0 +1,24 @@
+- name: Install packages
+ package:
+ name:
+ - wireguard-tools
+ - qrencode # For generating qr codes to send to phone with `qrencode -t ansiutf8 -r `
+ - systemd-resolvconf # For wg-quick to regenerate resolv.conf
+ state: present
+
+- name: Configure wireguard
+ copy:
+ src: "{{ item }}"
+ dest: /etc/wireguard/
+ mode: 0440
+ owner: root
+ group: root
+ with_fileglob: "files/wireguard_configs/{{ wireguard_directory }}/*.conf"
+
+- name: Enable Wireguard
+ when: enabled_wireguard is defined
+ systemd:
+ enabled: yes
+ name: "wg-quick@{{ item }}"
+ daemon_reload: yes
+ loop: "{{ enabled_wireguard }}"
diff --git a/ansible/roles/wireguard/tasks/main.yaml b/ansible/roles/wireguard/tasks/main.yaml
new file mode 100644
index 0000000..8a66fbe
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+ when: wireguard_directory is defined
diff --git a/ansible/roles/wireguard/tasks/peruser.yaml b/ansible/roles/wireguard/tasks/peruser.yaml
new file mode 100644
index 0000000..111e886
--- /dev/null
+++ b/ansible/roles/wireguard/tasks/peruser.yaml
@@ -0,0 +1,29 @@
+- include_role:
+ name: per_user
+
+# - name: Create directories
+# file:
+# name: "{{ account_homedir.stdout }}/{{ item }}"
+# state: directory
+# mode: 0700
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - ".config/foo"
+
+# - name: Copy files
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+# mode: 0600
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - src: foo.conf
+# dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+ when: 'os_flavor == "linux"'
diff --git a/ansible/roles/wireguard/tasks/peruser_freebsd.yaml b/ansible/roles/wireguard/tasks/peruser_freebsd.yaml
new file mode 100644
index 0000000..e69de29
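Review bot: `Enable Wireguard` in linux.yaml sets `enabled: yes` on `wg-quick@{{ item }}` but never starts it, and `Configure wireguard` has no `notify`, so a freshly provisioned host has no tunnel until its next reboot and an updated .conf (a rotated key or a changed peer set) is copied but never applied to the running interface. Add `state: started` to the systemd task and give the copy task `notify: Restart wireguard`, backed by a handler in the role's handlers directory (not part of this diff) that runs `systemd` with `state: restarted` and `name: "wg-quick@{{ item }}"` looped over `enabled_wireguard`; a restart briefly drops the tunnel, which is fine for a laptop role but deserves a comment. As in freebsd.yaml, `mode: 0440` should be quoted as `"0440"` and the `yes` values written as `true`.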
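Review bot: peruser.yaml appears to be scaffolding with no effect yet: it includes the per_user role and then imports peruser_freebsd.yaml and peruser_linux.yaml, both empty files in this commit, while common.yaml runs all of this once per initialized user under `become_user`. Until a real per-user task exists, dropping the include_tasks block from common.yaml (or this file together with the two empty imports) avoids privilege switches that do nothing, and the commented-out `Create directories`/`Copy files` template tasks would read better as a single comment naming the per-user configuration that is intended to land here.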
diff --git a/ansible/roles/wireguard/tasks/peruser_linux.yaml b/ansible/roles/wireguard/tasks/peruser_linux.yaml
new file mode 100644
index 0000000..e69de29
From b5ffd1e44d5f5adfe5ac96d79fee24ea14101b3e Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sat, 3 Dec 2022 17:20:38 -0500
Subject: [PATCH 2/3] Add wireguard configs for odo.
---
 .gitattributes | 2 +- ansible/environments/laptop/host_vars/odofreebsd | 3 +++ .../files/wireguard_configs/odo/wgf.conf | Bin 0 -> 281 bytes .../files/wireguard_configs/odo/wgh.conf | Bin 0 -> 337 bytes ansible/roles/wireguard/tasks/freebsd.yaml | 8 -------- 5 files changed, 4 insertions(+), 9 deletions(-) create mode 100644 ansible/roles/wireguard/files/wireguard_configs/odo/wgf.conf create mode 100644 ansible/roles/wireguard/files/wireguard_configs/odo/wgh.conf
diff --git a/.gitattributes b/.gitattributes
index 6ae4113..505af13 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,2 @@ cargo_credentials.toml filter=git-crypt diff=git-crypt
-wireguard_configs/ filter=git-crypt diff=git-crypt
+**/wireguard_configs/** filter=git-crypt diff=git-crypt
diff --git a/ansible/environments/laptop/host_vars/odofreebsd b/ansible/environments/laptop/host_vars/odofreebsd
index 90dafca..2e2ac18 100644
--- a/ansible/environments/laptop/host_vars/odofreebsd
+++ b/ansible/environments/laptop/host_vars/odofreebsd
@@ -50,3 +50,6 @@ efi_dev: /dev/gpt/EFI sound_default_unit: 5 sway_conf_files: - launch_gpg
+wireguard_directory: odo
+enabled_wireguard:
+ - wgh
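Review bot: `enabled_wireguard` for odofreebsd lists only `wgh`, yet the copy task in freebsd.yaml (and linux.yaml) installs every `*.conf` under `wireguard_configs/odo/` via `with_fileglob`, so `wgf.conf`, which as a wg-quick config presumably carries its interface's PrivateKey, also lands in `/usr/local/etc/wireguard/` on this host although no tunnel there uses it. Keeping unused key material off a host is cheap: loop the copy over `enabled_wireguard` with `src: "wireguard_configs/{{ wireguard_directory }}/{{ item }}.conf"` and a matching per-file `dest`, or keep only the configs a host actually uses in its directory. The `**/wireguard_configs/**` git-crypt pattern is the right replacement for the earlier trailing-slash form, which would not have applied the filter to the files inside that directory.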
diff --git a/ansible/roles/wireguard/files/wireguard_configs/odo/wgf.conf b/ansible/roles/wireguard/files/wireguard_configs/odo/wgf.conf new file mode 100644 index 0000000000000000000000000000000000000000..51001a1208d94cb5d55f74bd954e944aaddc3d76 GIT binary patch literal 281 zcmV+!0p|VyM@dveQdv+`0CP)PQAoMs;e_{$iA->_-?il?^iEE5_l=u;)j;ds`mNO{ z>*f?Aml+w{zhJeOrM)P*wKyQQYGjg3+-SbZ2D_gb32b1n!>rNE&;LHfvoHlNZj(() zzqk7~W})5F)mcI>dHe!i2JMA}y^KQN-aAqSV=>Qi>Gksu-}zL2A-@6WD>E8r?-$6@ zgPb081xngV1>OqUzyi-0S09rZ*}S4g=|~De7L0c>*g4~NqkrDZC}wgBxvk9+s?qz^ z*yr(xo%U@mr|ph9&ZoeI@=z8f@y!^Y;^+9LJ)E=in2Vx{^2a$pj}Xt*TCj-;W%dZv!G6py7#R`;1 literal 0 HcmV?d00001 diff --git a/ansible/roles/wireguard/files/wireguard_configs/odo/wgh.conf b/ansible/roles/wireguard/files/wireguard_configs/odo/wgh.conf new file mode 100644 index 0000000000000000000000000000000000000000..13893b8319dd2d4875aaf33b3ccf2488ebf5027e GIT binary patch literal 337 zcmV-X0j~Z4M@dveQdv+`0ESYaAccBT1=Ema(Q4Aayb?`Ecw%B8k5wOiVK)E_zWn%A!ly#c`M;vj7Q1apF%9va5o*h^cyx=aG|iwF`qF z*61Q8ycqfq5MB@2@5JtnLHXwDNf%>X1D6ul?PP05DQh}$GcuIZ(1SdezS%P{9}MGq zD(;dXA0dPno83hvO47m=?yKiLe9CXESB?qR=U*e&e*satwY%2uGr;Pe5liB{K607< zb%47Qk%q5mpTfbs@`-%qN#YY=BCX*xuF%WP9e4{#A~W0fFX)6o*l`Y5T=+>< j?fBV~3%!tJkBaVX4U8{5>n1jeqxcbl*m&0;R0-8CX7!>W literal 0 HcmV?d00001 diff --git a/ansible/roles/wireguard/tasks/freebsd.yaml b/ansible/roles/wireguard/tasks/freebsd.yaml index 6a6688f..6b8b3fe 100644 --- a/ansible/roles/wireguard/tasks/freebsd.yaml +++ b/ansible/roles/wireguard/tasks/freebsd.yaml @@ -13,14 +13,6 @@ group: root with_fileglob: "files/wireguard_configs/{{ wireguard_directory }}/*.conf" -- name: Enable Wireguard - when: enabled_wireguard is defined - systemd: - enabled: yes - name: "wg-quick@{{ item }}" - daemon_reload: yes - loop: "{{ enabled_wireguard }}" - - name: Enable gateway when: wireguard_gateway is defined and wireguard_gateway == true community.general.sysrc: From e32c2b1f6b9ea29fb9a1db553b7e53240ed0eeac Mon Sep 17 00:00:00 2001 
From: Tom Alexander
Date: Sat, 3 Dec 2022 17:22:53 -0500
Subject: [PATCH 3/3] cleanup
---
 ansible/playbook.yaml | 62 +++++++++++----------- ansible/roles/wireguard/tasks/freebsd.yaml | 2 +- 2 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index 5d55635..d7bf5e9 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -2,37 +2,37 @@ vars: ansible_become: True roles:
- # - sudo
- # - users
- # - package_manager
- # - zrepl
- # - zsh
- # - network
- # - sshd
- # - base
- # - firewall
- # - cpu
- # - ntp
- # - build
- # - graphics
- # - gpg
- # - fonts
- # - alacritty
- # - sway
- # - emacs
- # - firefox
- # - devfs
- # - ssh_client
- # - sshfs
- # - jail
- # - fuse
- # - autofs
- # - exfat
- # - bhyve
- # - media
- # - kubernetes
- # - google_cloud_sdk
- # - ansible
+ - sudo
+ - users
+ - package_manager
+ - zrepl
+ - zsh
+ - network
+ - sshd
+ - base
+ - firewall
+ - cpu
+ - ntp
+ - build
+ - graphics
+ - gpg
+ - fonts
+ - alacritty
+ - sway
+ - emacs
+ - firefox
+ - devfs
+ - ssh_client
+ - sshfs
+ - jail
+ - fuse
+ - autofs
+ - exfat
+ - bhyve
+ - media
+ - kubernetes
+ - google_cloud_sdk
+ - ansible
+ - wireguard - hosts: nat_dhcp:homeserver_nat_dhcp
diff --git a/ansible/roles/wireguard/tasks/freebsd.yaml b/ansible/roles/wireguard/tasks/freebsd.yaml
index 6b8b3fe..8ff24c4 100644
--- a/ansible/roles/wireguard/tasks/freebsd.yaml
+++ b/ansible/roles/wireguard/tasks/freebsd.yaml
@@ -10,7 +10,7 @@ dest: /usr/local/etc/wireguard/ mode: 0440 owner: root
- group: root
+ group: wheel
with_fileglob: "files/wireguard_configs/{{ wireguard_directory }}/*.conf" - name: Enable gateway