From 1cbe132db47aaadbbc8c5a91d3d9367d19abab2c Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Thu, 4 Jan 2024 13:19:01 +0100
Subject: Add playbook for setting up wireguard

---
 playbooks.d/vpn-wireguard/description.txt | 1 +
 playbooks.d/vpn-wireguard/etc/defaults | 1 +
 playbooks.d/vpn-wireguard/playbook.bash | 84 +++++++++++++++++++++++++++++++
 playbooks.d/vpn-wireguard/share/interface | 4 ++
 playbooks.d/vpn-wireguard/share/peer | 4 ++
 5 files changed, 94 insertions(+)
 create mode 100644 playbooks.d/vpn-wireguard/description.txt
 create mode 100644 playbooks.d/vpn-wireguard/etc/defaults
 create mode 100644 playbooks.d/vpn-wireguard/playbook.bash
 create mode 100644 playbooks.d/vpn-wireguard/share/interface
 create mode 100644 playbooks.d/vpn-wireguard/share/peer

(limited to 'playbooks.d')

diff --git a/playbooks.d/vpn-wireguard/description.txt b/playbooks.d/vpn-wireguard/description.txt
new file mode 100644
index 0000000..da242c7
--- /dev/null
+++ b/playbooks.d/vpn-wireguard/description.txt
@@ -0,0 +1 @@
+A meshed VPN through Wireguard
diff --git a/playbooks.d/vpn-wireguard/etc/defaults b/playbooks.d/vpn-wireguard/etc/defaults
new file mode 100644
index 0000000..178e2fd
--- /dev/null
+++ b/playbooks.d/vpn-wireguard/etc/defaults
@@ -0,0 +1 @@
+pkg.wireguard=wireguard
diff --git a/playbooks.d/vpn-wireguard/playbook.bash b/playbooks.d/vpn-wireguard/playbook.bash
new file mode 100644
index 0000000..ae2167d
--- /dev/null
+++ b/playbooks.d/vpn-wireguard/playbook.bash
@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+
+# shellcheck disable=SC2034
+
+BASHTARD_PLAYBOOK_VARS[$BASHTARD_PLAYBOOK.ip]="required"
+
+playbook_add() {
+ local data
+
+ data="$(playbook_path "data")"
+
+ pkg install wireguard
+
+ # If there's no data directory yet, make it with a proper gitignore to ensure
+ # the private key is not included
+ if [[ ! -d "$data" ]]
+ then
+ mkdir -pv -- "$data"
+ cat <<-EOF >> "$data/.gitignore"
+ privkey
+ EOF
+ fi
+
+ # Generate the private key for this machine
+ ( umask 077 && wg genkey > "$data/privkey" )
+
+ # Generate the peerfile for this machine
+ file_template "peer" \
+ endpoint="$(config "$BASHTARD_PLAYBOOK.endpoint")" \
+ ip="$(config "$BASHTARD_PLAYBOOK.ip")" \
+ port="$(config "$BASHTARD_PLAYBOOK.port" "52345")" \
+ pubkey="$(wg pubkey < "$data/privkey")" \
+ > "$data/${BASHTARD_PLATFORM[fqdn]}"
+
+ # Run the sync stage to make sure all the configuration files are written as
+ # desired
+ playbook_sync
+
+ # TODO: Enable the wireguard interface
+ systemctl enable --now wg-quick@wg$(config "$BASTHARD_PLAYBOOK.interface_id" "0").service
+}
+
+playbook_sync() {
+ local data
+ local wgconf
+
+ data="$(playbook_path "data")"
+ wgconf="$(config "fs.etcdir")/wireguard/wg$(config "$BASHTARD_PLAYBOOK.interface_id" "0").conf"
+
+ # Create the wireguard config directory
+ mkdir -pv "$(config "fs.etcdir")/wireguard"
+
+ # Write the Interface section
+ file_template "interface" \
+ ip="$(config "$BASHTARD_PLAYBOOK.ip")" \
+ port="$(config "$BASHTARD_PLAYBOOK.port" "52345")" \
+ privkey="$(cat "$data/privkey")" \
+ > "$wgconf"
+
+ info "$BASHTARD_PLAYBOOK" "Generating wireguard configuration at $wgconf"
+
+ # Include peerfiles for all other machines
+ for path in "$data"/*
+ do
+ local peer="$(basename "$path")"
+
+ [[ "$peer" == "privkey" ]] && continue
+ [[ "$peer" == "${BASHTARD_PLATFORM[fqdn]}" ]] && continue
+
+ # Append all peers, but prepend them with newlines so the resulting file
+ # looks a little nicer
+ printf "\n" >> 
"$wgconf"
+ cat "$path" >> "$wgconf"
+ done
+
+ # TODO: Refresh the wireguard interface
+ systemctl reload wg-quick@wg$(config "$BASTHARD_PLAYBOOK.interface_id" "0").service
+}
+
+playbook_del() {
+ systemctl disable --now wg-quick@wg$(config "$BASTHARD_PLAYBOOK.interface_id" "0").service
+ rm -f -- "$(config "fs.etcdir")/wireguard/wg$(config "$BASHTARD_PLAYBOOK.interface_id" "0").conf"
+ pkg uninstall wireguard
+}
diff --git a/playbooks.d/vpn-wireguard/share/interface b/playbooks.d/vpn-wireguard/share/interface
new file mode 100644
index 0000000..b45cb16
--- /dev/null
+++ b/playbooks.d/vpn-wireguard/share/interface
@@ -0,0 +1,4 @@
+[Interface]
+Address = ${ip}
+ListenPort = ${port}
+PrivateKey = ${privkey}
diff --git a/playbooks.d/vpn-wireguard/share/peer b/playbooks.d/vpn-wireguard/share/peer
new file mode 100644
index 0000000..ef4eb7c
--- /dev/null
+++ b/playbooks.d/vpn-wireguard/share/peer
@@ -0,0 +1,4 @@
+[Peer]
+AllowedIPs = ${ip}
+Endpoint = ${endpoint}:${port}
+PublicKey = ${pubkey}
-- 
cgit v1.1
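Review bot: In playbook_sync the `file_template "interface" … > "$wgconf"` redirection creates the file that carries `PrivateKey` under the caller's default umask, so unlike `$data/privkey` (which is written inside a `umask 077` subshell) the wg config is typically group/world-readable; wrap that write the same way, `( umask 077 && file_template "interface" … > "$wgconf" )`. All three `systemctl` lines (playbook_add, playbook_sync, playbook_del) read `$BASTHARD_PLAYBOOK.interface_id`, a typo for `BASHTARD`, so a non-default `interface_id` selects the wrong unit while `wgconf` uses the correct key, and the expansion would fail outright if the runner sets `-u`; `wg$(config "$BASHTARD_PLAYBOOK.interface_id" "0").service` fixes it. `wg genkey > "$data/privkey"` in playbook_add also runs unconditionally, so re-running the playbook silently replaces the key and invalidates the pubkey every other peer already holds; `[[ -f "$data/privkey" ]] || ( umask 077 && wg genkey > "$data/privkey" )` keeps it idempotent. Passing the key as `privkey="$(cat "$data/privkey")"` puts it on file_template's argv, where it is visible in process listings and `set -x` traces; feeding it via stdin or a file would avoid that.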
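Review bot: `AllowedIPs = ${ip}` uses the same `ip` value that share/interface places in `Address`; if that value carries a prefix length (as an interface address usually does), every peer block in the merged config claims the whole subnet and only the last peer ends up routable. The peer template should carry a host route instead, e.g. `AllowedIPs = ${ip}/32` with a prefix-less `ip`, or playbook_add should strip the prefix before rendering the peerfile; which one fits depends on how `$BASHTARD_PLAYBOOK.ip` is meant to be configured, which this patch does not state.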