From 9e61abbbf3f55017d8b4a7dc4068859d5687355e Mon Sep 17 00:00:00 2001 
From: Kevin Veen-Birkenbach
Date: Tue, 18 Apr 2023 18:24:55 +0200
Subject: [PATCH] Optimized wireguard roles
---
 playbook.yml | 25 ++++++++-------
 .../README.md} | 2 +-
 .../meta/main.yml | 2 ++
 .../tasks/main.yml | 0
 .../README.md | 0
 .../files/set-mtu.service | 0
 .../handlers/main.yml | 6 ++++
 .../meta/main.yml | 2 ++
 .../tasks/main.yml | 11 +++++++
 .../templates/set-mtu.sh.j2 | 0
 .../README.md | 0
 .../files/wireguard-ip.conf | 0
 .../handlers/main.yml | 3 ++
 .../tasks/main.yml | 24 ++++++++------
 .../handlers/main.yml | 16 ----------
 roles/pc_application-wireguard/tasks/main.yml | 32 -------------------
 .../meta/main.yml | 2 --
 17 files changed, 54 insertions(+), 71 deletions(-)
 rename roles/{server_native-wireguard-behind-firewall/readme.md => client_application-wireguard-behind-firewall/README.md} (74%)
 create mode 100644 roles/client_application-wireguard-behind-firewall/meta/main.yml
 rename roles/{server_native-wireguard-behind-firewall => client_application-wireguard-behind-firewall}/tasks/main.yml (100%)
 rename roles/{pc_application-wireguard => client_application-wireguard}/README.md (100%)
 rename roles/{pc_application-wireguard => client_application-wireguard}/files/set-mtu.service (100%)
 create mode 100644 roles/client_application-wireguard/handlers/main.yml
 create mode 100644 roles/client_application-wireguard/meta/main.yml
 create mode 100644 roles/client_application-wireguard/tasks/main.yml
 rename roles/{pc_application-wireguard => client_application-wireguard}/templates/set-mtu.sh.j2 (100%)
 rename roles/{server_native-wireguard => independent-application-wireguard}/README.md (100%)
 rename roles/{pc_application-wireguard => independent-application-wireguard}/files/wireguard-ip.conf (100%)
 rename roles/{server_native-wireguard => independent-application-wireguard}/handlers/main.yml (57%)
 rename roles/{server_native-wireguard => independent-application-wireguard}/tasks/main.yml (52%)
 delete mode 100644 roles/pc_application-wireguard/handlers/main.yml
delete mode 100644 roles/pc_application-wireguard/tasks/main.yml delete mode 100644 roles/server_native-wireguard-behind-firewall/meta/main.yml diff --git a/playbook.yml b/playbook.yml index 369012fe..c263bc38 100644 --- a/playbook.yml +++ b/playbook.yml @@ -14,16 +14,25 @@ - server_native-disc-space-check - server_native-free-disc-space - server_native-btrfs-health-check -- name: setup standard wireguard hosts - hosts: wireguard + +# Wireguard Rollen +- name: setup standard wireguard + hosts: wireguard_server become: true roles: - - server_native-wireguard -- name: setup wireguard hosts behind firewall\nat + - independent-application-wireguard + +- name: setup wireguard client behind firewall\nat hosts: wireguard_behind_firewall become: true roles: - - server_native-wireguard-behind-firewall + - client_application-wireguard-behind-firewall + +- name: setup wireguard client + hosts: wireguard_client + become: true + roles: + - client_application-wireguard # Native Webserver Roles - name: setup homepages @@ -185,12 +194,6 @@ - pc_collection-administrator-base - pc_driver-non-free -- name: pc_application-wireguard - hosts: application_wireguard - become: true - roles: - - pc_application-wireguard - - name: pc_collection-office hosts: collection_officetools become: true diff --git a/roles/server_native-wireguard-behind-firewall/readme.md b/roles/client_application-wireguard-behind-firewall/README.md similarity index 74% rename from roles/server_native-wireguard-behind-firewall/readme.md rename to roles/client_application-wireguard-behind-firewall/README.md index 78bb5cf9..5a45a737 100644 --- a/roles/server_native-wireguard-behind-firewall/readme.md +++ b/roles/client_application-wireguard-behind-firewall/README.md @@ -1,4 +1,4 @@ -# server_native-wireguard-behind-nat +# client-wireguard-behind-nat # see - https://gist.github.com/insdavm/b1034635ab23b8839bf957aa406b5e39 
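Review bot: The play name on the new line `- name: setup wireguard client behind firewall\nat` is a plain scalar, so the `\nat` is kept literally and the play is reported as `...firewall\nat` in playbook output; the old line had the same defect and the rename was the moment to fix it, e.g. `- name: setup wireguard client behind firewall/NAT`. The new comment `# Wireguard Rollen` is German while the file's other section comments (`# Native Webserver Roles`) are English; `# Wireguard roles` keeps them consistent. The first play's target group changes from `wireguard` to `wireguard_server` and a new `wireguard_client` group is introduced, but nothing in this commit touches an inventory, so hosts still listed under `wireguard` would silently stop receiving the role — worth confirming the inventory was renamed alongside.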
diff --git a/roles/client_application-wireguard-behind-firewall/meta/main.yml b/roles/client_application-wireguard-behind-firewall/meta/main.yml
new file mode 100644
index 00000000..ceb632fc
--- /dev/null
+++ b/roles/client_application-wireguard-behind-firewall/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- client_application-wireguard
diff --git a/roles/server_native-wireguard-behind-firewall/tasks/main.yml b/roles/client_application-wireguard-behind-firewall/tasks/main.yml
similarity index 100%
rename from roles/server_native-wireguard-behind-firewall/tasks/main.yml
rename to roles/client_application-wireguard-behind-firewall/tasks/main.yml
diff --git a/roles/pc_application-wireguard/README.md b/roles/client_application-wireguard/README.md
similarity index 100%
rename from roles/pc_application-wireguard/README.md
rename to roles/client_application-wireguard/README.md
diff --git a/roles/pc_application-wireguard/files/set-mtu.service b/roles/client_application-wireguard/files/set-mtu.service
similarity index 100%
rename from roles/pc_application-wireguard/files/set-mtu.service
rename to roles/client_application-wireguard/files/set-mtu.service
diff --git a/roles/client_application-wireguard/handlers/main.yml b/roles/client_application-wireguard/handlers/main.yml
new file mode 100644
index 00000000..d6b27b95
--- /dev/null
+++ b/roles/client_application-wireguard/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: "restart set-mtu.service"
+ systemd:
+ name: set-mtu.service
+ state: restarted
+ enabled: yes
+ daemon_reload: yes
\ No newline at end of file
diff --git a/roles/client_application-wireguard/meta/main.yml b/roles/client_application-wireguard/meta/main.yml
new file mode 100644
index 00000000..8f894353
--- /dev/null
+++ b/roles/client_application-wireguard/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- independent-application-wireguard
\ No newline at end of file
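Review bot: In the new handler `restart set-mtu.service`, `enabled: yes` and `daemon_reload: yes` use YAML 1.1 truthy words; Ansible accepts them, but yamllint's `truthy` rule flags them and `enabled: true` / `daemon_reload: true` is the canonical form. This handlers file and the new `client_application-wireguard/meta/main.yml` both end with `\ No newline at end of file`; a trailing newline keeps later diffs clean. The two new meta files establish a chain `client_application-wireguard-behind-firewall` → `client_application-wireguard` → `independent-application-wireguard` that is documented nowhere in this commit; a one-line note in the client roles' READMEs saying they pull in the base role would save the next reader a lookup.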
diff --git a/roles/client_application-wireguard/tasks/main.yml b/roles/client_application-wireguard/tasks/main.yml
new file mode 100644
index 00000000..1e0b7cc7
--- /dev/null
+++ b/roles/client_application-wireguard/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: create set-mtu.service
+ copy:
+ src: set-mtu.service
+ dest: /etc/systemd/system/set-mtu.service
+ notify: restart set-mtu.service
+
+- name: create set-mtu.sh
+ template:
+ src: set-mtu.sh.j2
+ dest: /usr/local/bin/set-mtu.sh
+ notify: restart set-mtu.service
diff --git a/roles/pc_application-wireguard/templates/set-mtu.sh.j2 b/roles/client_application-wireguard/templates/set-mtu.sh.j2
similarity index 100%
rename from roles/pc_application-wireguard/templates/set-mtu.sh.j2
rename to roles/client_application-wireguard/templates/set-mtu.sh.j2
diff --git a/roles/server_native-wireguard/README.md b/roles/independent-application-wireguard/README.md
similarity index 100%
rename from roles/server_native-wireguard/README.md
rename to roles/independent-application-wireguard/README.md
diff --git a/roles/pc_application-wireguard/files/wireguard-ip.conf b/roles/independent-application-wireguard/files/wireguard-ip.conf
similarity index 100%
rename from roles/pc_application-wireguard/files/wireguard-ip.conf
rename to roles/independent-application-wireguard/files/wireguard-ip.conf
diff --git a/roles/server_native-wireguard/handlers/main.yml b/roles/independent-application-wireguard/handlers/main.yml
similarity index 57%
rename from roles/server_native-wireguard/handlers/main.yml
rename to roles/independent-application-wireguard/handlers/main.yml
index 6127fc1c..8dfccf37 100644
--- a/roles/server_native-wireguard/handlers/main.yml
+++ b/roles/independent-application-wireguard/handlers/main.yml
@@ -4,3 +4,6 @@
 state: restarted
 enabled: yes
 daemon_reload: yes
+
+- name: "reload sysctl configuration"
+ shell: "sysctl --load='/etc/sysctl.d/wireguard-ip.conf'"
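Review bot: Neither task in the new `client_application-wireguard/tasks/main.yml` sets `owner`, `group` or `mode`, so `/usr/local/bin/set-mtu.sh` and the unit file get whatever the target's umask yields on first creation; in particular the script will usually not be executable, so unless `set-mtu.service` invokes it through an interpreter (the unit file is not shown here) the `restart set-mtu.service` handler will fail on a fresh host. Explicit permissions also match what the sibling `independent-application-wireguard` tasks already do for `wg0.conf`: add `owner: root`, `group: root`, `mode: "0755"` under `template:` for the script and the same with `mode: "0644"` under `copy:` for the unit. Since the script runs as a system service, root ownership without group/world write is the safer default regardless of the exec bit.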
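Review bot: The new handler `reload sysctl configuration` uses `shell:` for a fixed command that needs no shell features (`shell: "sysctl --load='/etc/sysctl.d/wireguard-ip.conf'"`); `command: sysctl --load=/etc/sysctl.d/wireguard-ip.conf` runs the same thing without spawning a shell, satisfies ansible-lint's command-instead-of-shell rule and drops the nested quoting. Loading the specific drop-in instead of the old `sysctl -p` (which reads only `/etc/sysctl.conf`) is the right direction. The handler list this hunk extends begins above the hunk — only the tail of the preceding `systemd:` block is visible.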
diff --git a/roles/server_native-wireguard/tasks/main.yml b/roles/independent-application-wireguard/tasks/main.yml similarity index 52% rename from roles/server_native-wireguard/tasks/main.yml rename to roles/independent-application-wireguard/tasks/main.yml index 3c653cf8..9fcbe6d7 100644 --- a/roles/server_native-wireguard/tasks/main.yml +++ b/roles/independent-application-wireguard/tasks/main.yml @@ -1,21 +1,27 @@ - name: install wireguard for Arch - pacman: name=wireguard-tools state=present + pacman: + name: wireguard-tools + state: present when: ansible_os_family == "Archlinux" - name: install wireguard for Ubuntu - apt: name=wireguard state=present + apt: + name: wireguard + state: present when: ansible_os_family == "Debian" +- name: create wireguard-ip.conf + copy: + src: "wireguard-ip.conf" + dest: /etc/sysctl.d/wireguard-ip.conf + owner: root + group: root + notify: reload sysctl configuration + - name: create /etc/wireguard/wg0.conf copy: src: "{{ inventory_dir }}/files/{{ inventory_hostname }}/etc/wireguard/wg0.conf" dest: /etc/wireguard/wg0.conf owner: root group: root - notify: restart wireguard - -- name: enable ipv4-forwarding - shell: sysctl net.ipv4.ip_forward=1 - -- name: enable ipv6-forwarding - shell: sysctl net.ipv6.conf.all.forwarding=1 + notify: restart wireguard \ No newline at end of file diff --git a/roles/pc_application-wireguard/handlers/main.yml b/roles/pc_application-wireguard/handlers/main.yml deleted file mode 100644 index 7a05661b..00000000 --- a/roles/pc_application-wireguard/handlers/main.yml +++ /dev/null @@ -1,16 +0,0 @@ -- name: "restart set-mtu.service" - systemd: - name: set-mtu.service - state: restarted - enabled: yes - daemon_reload: yes - -- name: "restart wireguard" - systemd: - name: wg-quick@wg0.service - state: restarted - enabled: yes - daemon_reload: yes - -- name: "reload sysctl configuration" - shell: "sysctl -p" \ No newline at end of file 
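Review bot: The `create /etc/wireguard/wg0.conf` task, carried as context in this hunk with its `notify: restart wireguard` re-added, copies the interface configuration — which holds the WireGuard private key — with `owner: root` and `group: root` but no `mode:`, so a freshly created file gets the target's umask default (typically world-readable 0644); add `mode: "0600"` so only root can read the key. The new `create wireguard-ip.conf` task is unconditional in this role, and because `client_application-wireguard/meta/main.yml` in this same commit declares a dependency on `independent-application-wireguard`, every client host now receives that sysctl drop-in too. Its contents are not shown, but it replaces the removed `sysctl net.ipv4.ip_forward=1` / `net.ipv6.conf.all.forwarding=1` tasks, so if it enables forwarding, client hosts become routers as a side effect — worth guarding the copy with a `when:` on a role variable so clients can opt out, and documenting that in the role README. The renamed tasks file also now ends with `\ No newline at end of file`, which the old file did not.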
diff --git a/roles/pc_application-wireguard/tasks/main.yml b/roles/pc_application-wireguard/tasks/main.yml
deleted file mode 100644
index 80f02c5b..00000000
--- a/roles/pc_application-wireguard/tasks/main.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-- name: install wireguard
- pacman:
- name: wireguard-tools
- state: present
-
-- name: create set-mtu.service
- copy:
- src: set-mtu.service
- dest: /etc/systemd/system/set-mtu.service
- notify: restart set-mtu.service
-
-- name: create set-mtu.sh
- template:
- src: set-mtu.sh.j2
- dest: /usr/local/bin/set-mtu.sh
- notify: restart set-mtu.service
-
-- name: create wireguard-ip.conf
- copy:
- src: "wireguard-ip.conf"
- dest: /etc/sysctl.d/wireguard-ip.conf
- owner: root
- group: root
- notify: reload sysctl configuration
-
-- name: create /etc/wireguard/wg0.conf
- copy:
- src: "{{ inventory_dir }}/files/{{ inventory_hostname }}/etc/wireguard/wg0.conf"
- dest: /etc/wireguard/wg0.conf
- owner: root
- group: root
- notify: restart wireguard
diff --git a/roles/server_native-wireguard-behind-firewall/meta/main.yml b/roles/server_native-wireguard-behind-firewall/meta/main.yml
deleted file mode 100644
index e59f3444..00000000
--- a/roles/server_native-wireguard-behind-firewall/meta/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dependencies:
-- server_native-wireguard