From 0f5590ce6fb626aec38e92910507cc5f2f7b5c8a Mon Sep 17 00:00:00 2001 From: kbcz1989 Date: Mon, 14 Oct 2024 13:50:03 +0200 Subject: [PATCH 01/12] netplan: add tasks for managing netplan --- tasks/main.yml | 31 +++++++++++++++++++++++++++---- tasks/setup-ubuntu.yml | 9 +++++++++ 2 files changed, 36 insertions(+), 4 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 35dd31db..dd4930d7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -87,7 +87,7 @@ - name: Register if config/private key already exists on target host ansible.builtin.stat: - path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" + path: "{{ wireguard_use_netplan | ternary('/etc/netplan/70-wireguard.yaml', wireguard_remote_directory + '/' + wireguard_interface + '.conf') }}" register: wireguard__register_config_file tags: - wg-generate-keys @@ -120,7 +120,7 @@ block: - name: Read WireGuard config file ansible.builtin.slurp: - src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" + src: "{{ wireguard_use_netplan | ternary('/etc/netplan/70-wireguard.yaml', wireguard_remote_directory + '/' + wireguard_interface + '.conf') }}" register: wireguard__register_config no_log: '{{ ansible_verbosity < 3 }}' tags: @@ -128,7 +128,11 @@ - name: Set private key fact ansible.builtin.set_fact: - wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}" + wireguard_private_key: >- + {{ wireguard__register_config['content'] | b64decode | + regex_findall(wireguard_use_netplan | + ternary('key:\s*(.*)$', 'PrivateKey\s*=\s*(.*)$'), multiline=True) | + first }} no_log: '{{ ansible_verbosity < 3 }}' tags: - wg-config @@ -157,6 +161,7 @@ mode: 0700 tags: - wg-config + when: not wireguard_use_netplan - name: Generate WireGuard configuration file ansible.builtin.template: 
@@ -169,9 +174,25 @@ no_log: '{{ ansible_verbosity < 3 }}' tags: - wg-config + when: not wireguard_use_netplan notify: - reconfigure wireguard +- name: Generate WireGuard configuration file for netplan + ansible.builtin.template: + src: etc/netplan/wireguard.yaml.j2 + dest: "/etc/netplan/70-wireguard.yaml" + owner: root + group: root + mode: "0600" + backup: "{{ wireguard_conf_backup }}" + no_log: '{{ ansible_verbosity < 3 }}' + tags: + - wg-config + when: wireguard_use_netplan + notify: + - reconfigure netplan + - name: Ensure legacy reload-module-on-update is absent ansible.builtin.file: dest: "{{ wireguard_remote_directory }}/.reload-module-on-update" @@ -184,4 +205,6 @@ name: "wg-quick@{{ wireguard_interface }}" state: "{{ wireguard_service_state }}" enabled: "{{ wireguard_service_enabled }}" - when: not ansible_os_family == 'Darwin' + when: + - not ansible_os_family == 'Darwin' + - not wireguard_use_netplan diff --git a/tasks/setup-ubuntu.yml b/tasks/setup-ubuntu.yml index 57a40676..c639a35a 100644 --- a/tasks/setup-ubuntu.yml +++ b/tasks/setup-ubuntu.yml @@ -2,6 +2,15 @@ # Copyright (C) 2018-2023 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later +- name: Check if Netplan is supported + ansible.builtin.assert: + that: + - ansible_distribution == "Ubuntu" + - ansible_distribution_version is version('17.10', '>=') + fail_msg: "Netplan is only supported on Ubuntu 17.10 and later versions" + success_msg: "Netplan is supported on this system" + when: wireguard_use_netplan + - name: (Ubuntu) Update APT package cache ansible.builtin.apt: update_cache: "{{ wireguard_ubuntu_update_cache }}" From 7a4f00b9489c0d6487c710656ee9fa10fe34be21 Mon Sep 17 00:00:00 2001 From: kbcz1989 Date: Mon, 14 Oct 2024 13:50:20 +0200 Subject: [PATCH 02/12] netplan: add handlers for managing netplan --- handlers/main.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/handlers/main.yml b/handlers/main.yml index afb49601..159b8cb9 100644 --- a/handlers/main.yml 
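Review bot: Adding `- not wireguard_use_netplan` to the `when` of the `wg-quick@{{ wireguard_interface }}` service task only skips it, so a host that previously ran the wg-quick setup and is now switched to netplan would presumably keep its old unit enabled and running next to the networkd-managed tunnel for the same interface. Instead of skipping, keep the task and derive its arguments from the flag, e.g. `state: "{{ 'stopped' if wireguard_use_netplan else wireguard_service_state }}"` and `enabled: "{{ false if wireguard_use_netplan else wireguard_service_enabled }}"`, so the legacy unit is stopped and disabled on the switch. This relies on the wg-quick template unit being installed, which I take to be the case since the role installs the WireGuard tooling; the task's `name:` and module lines lie outside the hunk.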
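Review bot: The `Check if Netplan is supported` assert lives in tasks/setup-ubuntu.yml, so it presumably runs only on hosts that include that file; a non-Ubuntu host with `wireguard_use_netplan: true` would never hit the assert yet still take the netplan branch in tasks/main.yml, rendering a netplan file and notifying `reconfigure netplan` on a system that may not have netplan at all. Consider placing the assert where every host passes through (tasks/main.yml before the config tasks), or additionally gating the netplan tasks in main.yml on `ansible_distribution == 'Ubuntu'`. The include logic that decides which setup file runs is not visible in this diff.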
+++ b/handlers/main.yml @@ -33,3 +33,23 @@ - not ansible_os_family == 'Darwin' - wireguard_service_enabled == "yes" listen: "reconfigure wireguard" + +- name: Generating Netplan Configuration + ansible.builtin.command: netplan generate + listen: reconfigure netplan + notify: netplan apply config + become: true + +- name: Applying Netplan Configuration + ansible.builtin.command: netplan apply + listen: netplan apply config + notify: restart systemd-networkd + become: true + +- name: Restart systemd-networkd + ansible.builtin.systemd: + name: systemd-networkd + state: restarted + listen: restart systemd-networkd + become: true + when: wireguard_interface_restart From 6d1d83d85c36b61ed931ed6c528e600dc2cf8522 Mon Sep 17 00:00:00 2001 From: kbcz1989 Date: Mon, 14 Oct 2024 13:50:37 +0200 Subject: [PATCH 03/12] netplan: add default variables --- defaults/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 4557b7b2..00cb9a37 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -133,3 +133,9 @@ wireguard_centos7_standard_reboot_timeout: "600" # The default of "standard" will install the kernel module # with kmod-wireguard from ELRepo. wireguard_rockylinux8_installation_method: "standard" + +######################################### +# Settings for netplan +######################################### +# Set to "true" if you want to use netplan to configure WireGuard. +wireguard_use_netplan: false From 95c478defdf6045d7509d64155dc397175f62322 Mon Sep 17 00:00:00 2001 From: kbcz1989 Date: Mon, 14 Oct 2024 13:52:22 +0200 Subject: [PATCH 04/12] netplan: add template --- templates/etc/netplan/wireguard.yaml.j2 | 100 ++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 templates/etc/netplan/wireguard.yaml.j2 diff --git a/templates/etc/netplan/wireguard.yaml.j2 b/templates/etc/netplan/wireguard.yaml.j2 new file mode 100644 index 00000000..07c00bee --- /dev/null 
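Review bot: The `Restart systemd-networkd` handler chained after `netplan apply` restarts the whole network daemon rather than the WireGuard tunnel alone, which can re-initialise every networkd-managed link on the host and briefly drop the connection Ansible is using. As far as I know `netplan apply` already (re)configures the networkd-rendered links itself, so the extra restart looks redundant; if it is needed for a specific case, a comment above the handler should say which, e.g. `# netplan apply alone does not pick up <case>; a full networkd restart is required`. Otherwise consider dropping the `notify: restart systemd-networkd` chain and the third handler, leaving `wireguard_interface_restart` to gate `netplan apply` only.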
+++ b/templates/etc/netplan/wireguard.yaml.j2 
@@ -0,0 +1,100 @@ +# {{ ansible_managed }} +network: + version: 2 + renderer: networkd + tunnels: + wg0: + mode: wireguard + # {{ inventory_hostname }} +{% if wireguard_address is defined %} + addresses: + - {{ wireguard_address }} +{% endif %} +{% if wireguard_addresses is defined %} + addresses: +{% for wg_addr in wireguard_addresses %} + - {{ wg_addr }} +{% endfor %} +{% endif %} + key: {{ wireguard_private_key }} + port: {{ wireguard_port }} +{% if wireguard_mtu is defined %} + mtu: {{ wireguard_mtu }} +{% endif %} +{% if wireguard_fwmark is defined %} + mark: {{ wireguard_fwmark }} +{% endif %} +{% if wireguard_table is defined %} + routing-table: {{ wireguard_table }} +{% endif %} + peers: +{% for host in ansible_play_hosts %} +{% if host != inventory_hostname %} + - # Name = {{ host }} + keys: + public: {{ hostvars[host].wireguard__fact_public_key }} +{% if hostvars[host].wireguard_preshared_key is defined %} + shared: {{ hostvars[host].wireguard_preshared_key }} +{% endif %} +{% if hostvars[host].wireguard_allowed_ips is defined %} + allowed-ips: + - {{ hostvars[host].wireguard_allowed_ips }} +{% else %} +{% if wireguard_address is defined %} + allowed-ips: + - {{ hostvars[host].wireguard_address.split('/')[0] }}/32 +{% endif %} +{% if wireguard_addresses is defined %} + allowed-ips: +{% for wg_addr in hostvars[host].wireguard_addresses %} +{% if (wg_addr | ansible.utils.ipv4) %} + - {{ wg_addr.split('/')[0] }}/32 +{% elif (wg_addr | ansible.utils.ipv6) %} + - {{ wg_addr.split('/')[0] }}/128 +{% endif %} +{% endfor %} +{% endif %} +{% endif %} +{% if hostvars[host].wireguard_persistent_keepalive is defined %} + keepalive: {{ hostvars[host].wireguard_persistent_keepalive }} +{% endif %} +{% if (hostvars[host].wireguard_dc is defined and wireguard_dc is defined and wireguard_dc['name'] != hostvars[host].wireguard_dc['name']) %} + endpoint: {{ hostvars[host].wireguard_dc['endpoint'] }}:{{ hostvars[host].wireguard_dc['port'] }} +{% elif 
hostvars[host].wireguard_port is defined %} +{% if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %} + endpoint: {{ hostvars[host].wireguard_endpoint }}:{{ hostvars[host].wireguard_port }} +{% else %} + endpoint: {{ host }}:{{ hostvars[host].wireguard_port }} +{% endif %} +{% elif hostvars[host].wireguard_endpoint is defined %} +{% if hostvars[host].wireguard_endpoint != "" %} + endpoint: {{ hostvars[host].wireguard_endpoint }}:{{ wireguard_port }} +{% else %} + # No endpoint defined for this peer +{% endif %} +{% else %} + endpoint: {{ host }}:{{ wireguard_port }} +{% endif %} +{% endif %} +{% endfor %} +{% if wireguard_unmanaged_peers is defined %} + # Peers not managed by Ansible from "wireguard_unmanaged_peers" variable +{% for peer in wireguard_unmanaged_peers.keys() %} + - # Name = {{ peer }} + keys: + public: {{ wireguard_unmanaged_peers[peer].public_key }} +{% if wireguard_unmanaged_peers[peer].preshared_key is defined %} + shared: {{ wireguard_unmanaged_peers[peer].preshared_key }} +{% endif %} +{% if wireguard_unmanaged_peers[peer].allowed_ips is defined %} + allowed-ips: + - {{ wireguard_unmanaged_peers[peer].allowed_ips }} +{% endif %} +{% if wireguard_unmanaged_peers[peer].endpoint is defined %} + endpoint: {{ wireguard_unmanaged_peers[peer].endpoint }} +{% endif %} +{% if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %} + keepalive: {{ wireguard_unmanaged_peers[peer].persistent_keepalive }} +{% endif %} +{% endfor %} +{% endif %} From 552781609d241eb96f7fede81c6e8d751ea83f99 Mon Sep 17 00:00:00 2001 From: kbcz1989 Date: Tue, 15 Oct 2024 10:12:44 +0200 Subject: [PATCH 05/12] netplan: proper var name, more conditions, linting --- defaults/main.yml | 15 +++++++++------ handlers/main.yml | 10 +++++++++- tasks/main.yml | 40 +++++++++++++++++++++++++++++----------- tasks/setup-ubuntu.yml | 2 +- 4 files changed, 48 insertions(+), 19 deletions(-) 
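Review bot: When both `wireguard_address` and `wireguard_addresses` are defined the template emits the `addresses:` key twice under the tunnel (one block per `{% if %}`), and the peer section does the same with `allowed-ips:`; duplicate mapping keys are rejected by strict YAML parsers and silently last-wins on others, so one of the two address sets is lost. Rendering a single `addresses:` list that takes the scalar first and then the list items avoids this, see below; the same restructuring applies to the peer `allowed-ips` branch. Separately, the `endpoint:` values are written as plain scalars, so an IPv6 endpoint given in the usual `[addr]` form makes YAML read a flow sequence; quoting the templated value, `endpoint: "{{ host }}:{{ wireguard_port }}"` (and likewise for the other endpoint lines), is the safer default for templated scalars here. The whole file is within the hunk.
```jinja
{% if wireguard_address is defined or wireguard_addresses is defined %}
      addresses:
{% if wireguard_address is defined %}
        - "{{ wireguard_address }}"
{% endif %}
{% for wg_addr in wireguard_addresses | default([]) %}
        - "{{ wg_addr }}"
{% endfor %}
{% endif %}
{# … unchanged: key, port, mtu, mark, routing-table, peers … #}
```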
diff --git a/defaults/main.yml b/defaults/main.yml index 00cb9a37..f7fcf9a5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -93,6 +93,15 @@ wireguard_ubuntu_update_cache: "{{ wireguard_update_cache }}" # Set package cache valid time wireguard_ubuntu_cache_valid_time: "3600" +# Set to "true" if you want to use netplan to configure WireGuard. +wireguard_ubuntu_use_netplan: false + +# Netplan directory to store WireGuard configuration on the remote hosts +wireguard_ubuntu_netplan_remote_directory: "/etc/netplan" + +# Netplan configuration file priority +wireguard_ubuntu_netplan_conf_priority: "70" + ####################################### # Settings only relevant for CentOS 7 ####################################### @@ -133,9 +142,3 @@ wireguard_centos7_standard_reboot_timeout: "600" # The default of "standard" will install the kernel module # with kmod-wireguard from ELRepo. wireguard_rockylinux8_installation_method: "standard" - -######################################### -# Settings for netplan -######################################### -# Set to "true" if you want to use netplan to configure WireGuard. -wireguard_use_netplan: false diff --git a/handlers/main.yml b/handlers/main.yml index 159b8cb9..cb5a3c27 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -38,13 +38,19 @@ ansible.builtin.command: netplan generate listen: reconfigure netplan notify: netplan apply config + changed_when: true become: true + when: + - wireguard_ubuntu_use_netplan - name: Applying Netplan Configuration ansible.builtin.command: netplan apply listen: netplan apply config notify: restart systemd-networkd + changed_when: true become: true + when: + - wireguard_ubuntu_use_netplan - name: Restart systemd-networkd ansible.builtin.systemd: @@ -52,4 +58,6 @@ state: restarted listen: restart systemd-networkd become: true - when: wireguard_interface_restart + when: + - wireguard_ubuntu_use_netplan + - wireguard_interface_restart 
diff --git a/tasks/main.yml b/tasks/main.yml index dd4930d7..e41e6363 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -87,7 +87,14 @@ - name: Register if config/private key already exists on target host ansible.builtin.stat: - path: "{{ wireguard_use_netplan | ternary('/etc/netplan/70-wireguard.yaml', wireguard_remote_directory + '/' + wireguard_interface + '.conf') }}" + path: >- + {{ wireguard_ubuntu_use_netplan | ternary( + wireguard_ubuntu_netplan_remote_directory + '/' + + wireguard_ubuntu_netplan_conf_priority | string + '-' + + wireguard_interface + '.yaml', + wireguard_remote_directory + '/' + + wireguard_interface + '.conf' + ) }} register: wireguard__register_config_file tags: - wg-generate-keys @@ -103,6 +110,7 @@ register: wireguard__register_private_key changed_when: false no_log: '{{ ansible_verbosity < 3 }}' + check_mode: false tags: - wg-generate-keys @@ -120,7 +128,14 @@ block: - name: Read WireGuard config file ansible.builtin.slurp: - src: "{{ wireguard_use_netplan | ternary('/etc/netplan/70-wireguard.yaml', wireguard_remote_directory + '/' + wireguard_interface + '.conf') }}" + src: >- + {{ wireguard_ubuntu_use_netplan | ternary( + wireguard_ubuntu_netplan_remote_directory + '/' + + wireguard_ubuntu_netplan_conf_priority | string + '-' + + wireguard_interface + '.yaml', + wireguard_remote_directory + '/' + + wireguard_interface + '.conf' + ) }} register: wireguard__register_config no_log: '{{ ansible_verbosity < 3 }}' tags: @@ -130,7 +145,7 @@ ansible.builtin.set_fact: wireguard_private_key: >- {{ wireguard__register_config['content'] | b64decode | - regex_findall(wireguard_use_netplan | + regex_findall(wireguard_ubuntu_use_netplan | ternary('key:\s*(.*)$', 'PrivateKey\s*=\s*(.*)$'), multiline=True) | first }} no_log: '{{ ansible_verbosity < 3 }}' @@ -161,7 +176,7 @@ mode: 0700 tags: - wg-config - when: not wireguard_use_netplan + when: not wireguard_ubuntu_use_netplan - name: Generate WireGuard configuration file ansible.builtin.template: 
@@ -174,22 +189,25 @@ no_log: '{{ ansible_verbosity < 3 }}' tags: - wg-config - when: not wireguard_use_netplan + when: not wireguard_ubuntu_use_netplan notify: - reconfigure wireguard - name: Generate WireGuard configuration file for netplan ansible.builtin.template: src: etc/netplan/wireguard.yaml.j2 - dest: "/etc/netplan/70-wireguard.yaml" - owner: root - group: root - mode: "0600" + dest: >- + {{- wireguard_ubuntu_netplan_remote_directory + '/' + + wireguard_ubuntu_netplan_conf_priority | string + '-' + + wireguard_interface + '.yaml' -}} + owner: "{{ wireguard_conf_owner }}" + group: "{{ wireguard_conf_group }}" + mode: "{{ wireguard_conf_mode }}" backup: "{{ wireguard_conf_backup }}" no_log: '{{ ansible_verbosity < 3 }}' tags: - wg-config - when: wireguard_use_netplan + when: wireguard_ubuntu_use_netplan notify: - reconfigure netplan @@ -207,4 +225,4 @@ enabled: "{{ wireguard_service_enabled }}" when: - not ansible_os_family == 'Darwin' - - not wireguard_use_netplan + - not wireguard_ubuntu_use_netplan diff --git a/tasks/setup-ubuntu.yml b/tasks/setup-ubuntu.yml index c639a35a..436a34c0 100644 --- a/tasks/setup-ubuntu.yml +++ b/tasks/setup-ubuntu.yml @@ -9,7 +9,7 @@ - ansible_distribution_version is version('17.10', '>=') fail_msg: "Netplan is only supported on Ubuntu 17.10 and later versions" success_msg: "Netplan is supported on this system" - when: wireguard_use_netplan + when: wireguard_ubuntu_use_netplan - name: (Ubuntu) Update APT package cache ansible.builtin.apt: From a84886f7db73564fb5c68741480deb44e6f13403 Mon Sep 17 00:00:00 2001 From: kbcz1989 Date: Tue, 15 Oct 2024 10:26:16 +0200 Subject: [PATCH 06/12] netplan: rename netplan template file --- tasks/main.yml | 2 +- templates/etc/netplan/{wireguard.yaml.j2 => wg0.yaml.j2} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename templates/etc/netplan/{wireguard.yaml.j2 => wg0.yaml.j2} (100%) diff --git a/tasks/main.yml b/tasks/main.yml index e41e6363..f034edb0 100644 --- a/tasks/main.yml 
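Review bot: The netplan file rendered by this task carries the interface private key (`key: {{ wireguard_private_key }}` in the template), and replacing the fixed `mode: "0600"` with `mode: "{{ wireguard_conf_mode }}"` makes its permissions depend on a default that is not part of this diff. If that default is already owner-only this is fine, but it deserves a comment on `wireguard_ubuntu_use_netplan` in defaults/main.yml, e.g. `# The rendered netplan file holds the private key; keep wireguard_conf_mode owner-only.`, since netplan files are commonly treated as ordinary world-readable configuration. I believe recent netplan releases also warn about netplan files readable by others, so a loosened mode would additionally surface as noise from `netplan generate`. The same `mode` line stays in effect after the later commit in this series merges this task into the generic template task.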
+++ b/tasks/main.yml @@ -195,7 +195,7 @@ - name: Generate WireGuard configuration file for netplan ansible.builtin.template: - src: etc/netplan/wireguard.yaml.j2 + src: etc/netplan/wg0.yaml.j2 dest: >- {{- wireguard_ubuntu_netplan_remote_directory + '/' + wireguard_ubuntu_netplan_conf_priority | string + '-' + diff --git a/templates/etc/netplan/wireguard.yaml.j2 b/templates/etc/netplan/wg0.yaml.j2 similarity index 100% rename from templates/etc/netplan/wireguard.yaml.j2 rename to templates/etc/netplan/wg0.yaml.j2 From c87beda5c2f67bc4b6ab13c193d653651ec24468 Mon Sep 17 00:00:00 2001 From: kbcz1989 Date: Sun, 3 Nov 2024 10:33:59 +0100 Subject: [PATCH 07/12] netplan: simplify logic --- defaults/main.yml | 21 ++++++--- tasks/main.yml | 43 +++---------------- .../etc/netplan/{wg0.yaml.j2 => wg.yaml.j2} | 0 3 files changed, 19 insertions(+), 45 deletions(-) rename templates/etc/netplan/{wg0.yaml.j2 => wg.yaml.j2} (100%) diff --git a/defaults/main.yml b/defaults/main.yml index f7fcf9a5..1f942f7e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,14 @@ ####################################### # Directory to store WireGuard configuration on the remote hosts -wireguard_remote_directory: "{{ '/etc/wireguard' if not ansible_os_family == 'Darwin' else '/opt/local/etc/wireguard' }}" +wireguard_remote_directory: >- + {%- if wireguard_ubuntu_use_netplan -%} + /etc/netplan + {%- elif ansible_os_family == 'Darwin' -%} + /opt/local/etc/wireguard + {%- else -%} + /etc/wireguard + {%- endif %} # The default port WireGuard will listen if not specified otherwise. wireguard_port: "51820" 
@@ -18,6 +25,12 @@ wireguard_interface: "wg0" # The default owner of the wg.conf file wireguard_conf_owner: root +# By default a WireGuard configuration file in "wireguard_remote_directory" +# directory will be created that is called like the value of "wireguard_interface" +# plus ".conf". If "wireguard_ubuntu_use_netplan" is set to "true" this should +# be changed to "70-{{ wireguard_interface }}.yaml" e.g. +wireguard_conf_filename: "{{ wireguard_interface }}.conf" + # The default group of the wg.conf file wireguard_conf_group: "{{ 'root' if not ansible_os_family == 'Darwin' else 'wheel' }}" @@ -96,12 +109,6 @@ wireguard_ubuntu_cache_valid_time: "3600" # Set to "true" if you want to use netplan to configure WireGuard. wireguard_ubuntu_use_netplan: false -# Netplan directory to store WireGuard configuration on the remote hosts -wireguard_ubuntu_netplan_remote_directory: "/etc/netplan" - -# Netplan configuration file priority -wireguard_ubuntu_netplan_conf_priority: "70" - ####################################### # Settings only relevant for CentOS 7 ####################################### diff --git a/tasks/main.yml b/tasks/main.yml index f034edb0..0abf0b33 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -87,14 +87,7 @@ - name: Register if config/private key already exists on target host ansible.builtin.stat: - path: >- - {{ wireguard_ubuntu_use_netplan | ternary( - wireguard_ubuntu_netplan_remote_directory + '/' + - wireguard_ubuntu_netplan_conf_priority | string + '-' + - wireguard_interface + '.yaml', - wireguard_remote_directory + '/' + - wireguard_interface + '.conf' - ) }} + path: "{{ wireguard_remote_directory }}/{{ wireguard_conf_filename }}" register: wireguard__register_config_file tags: - wg-generate-keys 
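Review bot: Enabling `wireguard_ubuntu_use_netplan` without also overriding `wireguard_conf_filename` writes the netplan YAML to `/etc/netplan/wg0.conf`, and netplan only loads `*.yaml` files from that directory, so `netplan generate` runs cleanly while no tunnel is ever configured; the comment above the variable documents this as something the user "should" do rather than letting the default handle it. Deriving the default from the flag avoids the silent no-op: `wireguard_conf_filename: "{{ wireguard_interface }}{{ '.yaml' if wireguard_ubuntu_use_netplan else '.conf' }}"` (a numeric prefix can still be added by overriding). Alternatively extend the assert in tasks/setup-ubuntu.yml with `- wireguard_conf_filename.endswith('.yaml')` under the netplan condition. The molecule scenario added later in this series sets `wireguard_conf_filename: "70-wg0.yaml"` by hand, which is consistent with this gap.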
@@ -128,14 +121,7 @@ block: - name: Read WireGuard config file ansible.builtin.slurp: - src: >- - {{ wireguard_ubuntu_use_netplan | ternary( - wireguard_ubuntu_netplan_remote_directory + '/' + - wireguard_ubuntu_netplan_conf_priority | string + '-' + - wireguard_interface + '.yaml', - wireguard_remote_directory + '/' + - wireguard_interface + '.conf' - ) }} + src: "{{ wireguard_remote_directory }}/{{ wireguard_conf_filename }}" register: wireguard__register_config no_log: '{{ ansible_verbosity < 3 }}' tags: @@ -180,8 +166,8 @@ - name: Generate WireGuard configuration file ansible.builtin.template: - src: etc/wireguard/wg.conf.j2 - dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" + src: "etc/{{ 'wireguard/wg.conf.j2' if not wireguard_ubuntu_use_netplan else 'netplan/wg.yaml.j2' }}" + dest: "{{ wireguard_remote_directory }}/{{ wireguard_conf_filename }}" owner: "{{ wireguard_conf_owner }}" group: "{{ wireguard_conf_group }}" mode: "{{ wireguard_conf_mode }}" @@ -189,27 +175,8 @@ no_log: '{{ ansible_verbosity < 3 }}' tags: - wg-config - when: not wireguard_ubuntu_use_netplan - notify: - - reconfigure wireguard - -- name: Generate WireGuard configuration file for netplan - ansible.builtin.template: - src: etc/netplan/wg0.yaml.j2 - dest: >- - {{- wireguard_ubuntu_netplan_remote_directory + '/' + - wireguard_ubuntu_netplan_conf_priority | string + '-' + - wireguard_interface + '.yaml' -}} - owner: "{{ wireguard_conf_owner }}" - group: "{{ wireguard_conf_group }}" - mode: "{{ wireguard_conf_mode }}" - backup: "{{ wireguard_conf_backup }}" - no_log: '{{ ansible_verbosity < 3 }}' - tags: - - wg-config - when: wireguard_ubuntu_use_netplan notify: - - reconfigure netplan + - "reconfigure {{ 'wireguard' if not wireguard_ubuntu_use_netplan else 'netplan' }}" - name: Ensure legacy reload-module-on-update is absent ansible.builtin.file: 
diff --git a/templates/etc/netplan/wg0.yaml.j2 b/templates/etc/netplan/wg.yaml.j2 similarity index 100% rename from templates/etc/netplan/wg0.yaml.j2 rename to templates/etc/netplan/wg.yaml.j2 From dd24ad0bec58154ef2de21010eeb8fe1af1373cd Mon Sep 17 00:00:00 2001 From: kbcz1989 Date: Sun, 3 Nov 2024 10:34:23 +0100 Subject: [PATCH 08/12] netplan: update docs --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 7e652500..8cb86f4f 100644 --- a/README.md +++ b/README.md @@ -141,6 +141,7 @@ These variables can be changed in `group_vars/` e.g.: # Directory to store WireGuard configuration on the remote hosts wireguard_remote_directory: "/etc/wireguard" # On Linux # wireguard_remote_directory: "/opt/local/etc/wireguard" # On MacOS +# wireguard_remote_directory: "/etc/netplan" # On Ubuntu if wireguard_ubuntu_use_netplan is true # The default port WireGuard will listen if not specified otherwise. wireguard_port: "51820" @@ -233,6 +234,9 @@ wireguard_ubuntu_update_cache: "{{ wireguard_update_cache }}" # Set package cache valid time wireguard_ubuntu_cache_valid_time: "3600" +# Set to "true" if netplan should be used to configure WireGuard interfaces +wireguard_ubuntu_use_netplan: false + ####################################### # Settings only relevant for CentOS 7 ####################################### From 1c4d62a17ed886ea271b0fdbc6e4c68f44c8d46f Mon Sep 17 00:00:00 2001 From: kbcz1989 Date: Sun, 3 Nov 2024 10:48:01 +0100 Subject: [PATCH 09/12] netplan: molecule tests --- molecule/netplan/converge.yml | 13 +++++ molecule/netplan/molecule.yml | 89 +++++++++++++++++++++++++++++++++++ molecule/netplan/prepare.yml | 14 ++++++ molecule/netplan/verify.yml | 33 +++++++++++++ 4 files changed, 149 insertions(+) create mode 100644 molecule/netplan/converge.yml create mode 100644 molecule/netplan/molecule.yml create mode 100644 molecule/netplan/prepare.yml create mode 100644 molecule/netplan/verify.yml 
diff --git a/molecule/netplan/converge.yml b/molecule/netplan/converge.yml new file mode 100644 index 00000000..65ebfab8 --- /dev/null +++ b/molecule/netplan/converge.yml @@ -0,0 +1,13 @@ +--- +# Copyright (C) 2020-2023 Robert Wimmer +# SPDX-License-Identifier: GPL-3.0-or-later + +- name: Setup WireGuard + hosts: all + remote_user: vagrant + become: true + gather_facts: true + tasks: + - name: Include WireGuard role + ansible.builtin.include_role: + name: githubixx.ansible_role_wireguard diff --git a/molecule/netplan/molecule.yml b/molecule/netplan/molecule.yml new file mode 100644 index 00000000..70b4774c --- /dev/null +++ b/molecule/netplan/molecule.yml 
@@ -0,0 +1,89 @@ +--- +# Copyright (C) 2020-2023 Robert Wimmer +# Copyright (C) 2020 Pierre Ozoux +# SPDX-License-Identifier: GPL-3.0-or-later + +dependency: + name: galaxy + +driver: + name: vagrant + provider: + name: libvirt + type: libvirt + +platforms: + - name: test-wg-ubuntu2004 + box: alvistack/ubuntu-20.04 + memory: 1536 + cpus: 2 + interfaces: + - auto_config: true + network_name: private_network + type: static + ip: 172.16.10.10 + groups: + - vpn + - ubuntu + - name: test-wg-ubuntu2204 + box: alvistack/ubuntu-22.04 + memory: 1536 + cpus: 2 + interfaces: + - auto_config: true + network_name: private_network + type: static + ip: 172.16.10.20 + groups: + - vpn + - ubuntu + - name: test-wg-ubuntu2404 + box: alvistack/ubuntu-24.04 + memory: 1536 + cpus: 2 + interfaces: + - auto_config: true + network_name: private_network + type: static + ip: 172.16.10.30 + groups: + - vpn + - ubuntu + +provisioner: + name: ansible + connection_options: + ansible_ssh_user: vagrant + ansible_become: true + log: true + lint: + name: ansible-lint + inventory: + host_vars: + test-wg-ubuntu2004: + wireguard_address: "10.10.10.10/24" + wireguard_port: 51820 + wireguard_persistent_keepalive: "30" + wireguard_endpoint: "172.16.10.10" + test-wg-ubuntu2204: + wireguard_address: "10.10.10.20/24" + wireguard_port: 51820 + wireguard_persistent_keepalive: "30" + wireguard_endpoint: "172.16.10.20" + wireguard_conf_backup: true + test-wg-ubuntu2404: + wireguard_address: "10.10.10.30/24" + wireguard_port: 51820 + wireguard_persistent_keepalive: "30" + wireguard_endpoint: "172.16.10.30" + wireguard_ubuntu_use_netplan: true + wireguard_conf_filename: "70-wg0.yaml" + +scenario: + name: netplan + test_sequence: + - prepare + - converge + +verifier: + name: ansible diff --git a/molecule/netplan/prepare.yml b/molecule/netplan/prepare.yml new file mode 100644 index 00000000..93ff46c7 --- /dev/null +++ b/molecule/netplan/prepare.yml 
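Review bot: `test_sequence` lists only `prepare` and `converge`, so the `verify.yml` playbook added in the same commit never runs as part of `molecule test` for this scenario; the peer-count assertion is effectively dead unless someone invokes `molecule verify` by hand. Adding `- verify` (and, given the new handler chain, arguably `- idempotence`) to the sequence makes the check part of the run. Also, `wireguard_port: 51820` is given as an integer here while defaults/main.yml keeps it as the string `"51820"`; quoting it keeps the host_vars consistent with the role's own convention.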
@@ -0,0 +1,14 @@ +--- +# Copyright (C) 2024 Robert Wimmer +# SPDX-License-Identifier: GPL-3.0-or-later + +- name: Prepare Ubuntu hosts + hosts: ubuntu + remote_user: vagrant + become: true + gather_facts: true + tasks: + - name: Update APT package cache + ansible.builtin.apt: + update_cache: true + cache_valid_time: 3600 diff --git a/molecule/netplan/verify.yml b/molecule/netplan/verify.yml new file mode 100644 index 00000000..066d4404 --- /dev/null +++ b/molecule/netplan/verify.yml @@ -0,0 +1,33 @@ +--- +# Copyright (C) 2023 Robert Wimmer +# SPDX-License-Identifier: GPL-3.0-or-later + +- name: Verify setup + hosts: all + vars: + hosts_count: "{{ groups['vpn'] | length }}" + tasks: + - name: Count WireGuard interfaces + ansible.builtin.shell: | + set -o errexit + set -o pipefail + set -o nounset + wg | grep "peer: " | wc -l + exit 0 + args: + executable: "/bin/bash" + register: wireguard__interfaces_count + changed_when: false + + - name: Print WireGuard interface count + ansible.builtin.debug: + var: wireguard__interfaces_count.stdout + + - name: Print hosts count in vpn group + ansible.builtin.debug: + var: hosts_count + + - name: There should be as much WireGuard interfaces as hosts in vpn group minus one + ansible.builtin.assert: + that: + - "hosts_count|int -1 == wireguard__interfaces_count.stdout|int" From 592c4fe02393950edad335487778c3225a41ab31 Mon Sep 17 00:00:00 2001 From: kbcz1989 Date: Sun, 3 Nov 2024 11:22:47 +0100 Subject: [PATCH 10/12] netplan: avoid syncconf check if using netplan --- README.md | 3 +++ handlers/main.yml | 1 + tasks/main.yml | 1 + 3 files changed, 5 insertions(+) diff --git a/README.md b/README.md index 8cb86f4f..cedb46e2 100644 --- a/README.md +++ b/README.md 
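Review bot: In the `Count WireGuard interfaces` shell step, `set -o errexit` together with `set -o pipefail` makes the trailing `exit 0` unreachable whenever `grep` finds no `peer: ` line, because the pipeline then exits non-zero and aborts the script, so a host with zero peers fails inside the shell task instead of reaching the assert with a readable count. If the intent is to always produce a number, `wg | grep -c "peer: " || true` does that in one line and the `exit 0` can go; the task name also says "interfaces" while the command counts peers, so `Count WireGuard peers` would be more accurate. The `hosts_count|int -1 == ...` assertion then receives a meaningful value either way.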
@@ -198,6 +198,9 @@ wireguard_service_state: "started" # If you have a more dynamic routing setup then setting this to "true" might be # the safest way to go. Also if you want to avoid the possibility creating some # hard to detect side effects this option should be considered. +# If using netplan to configure WireGuard interfaces this option should be set +# to "true" if netplan configuration should be applied, otherwise it will +# just be generated. wireguard_interface_restart: false # Normally the role automatically creates a private key the very first time diff --git a/handlers/main.yml b/handlers/main.yml index cb5a3c27..ce155480 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -51,6 +51,7 @@ become: true when: - wireguard_ubuntu_use_netplan + - wireguard_interface_restart - name: Restart systemd-networkd ansible.builtin.systemd: diff --git a/tasks/main.yml b/tasks/main.yml index 0abf0b33..0bc2723a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -50,6 +50,7 @@ - name: Make sure wg syncconf option is available when: - not wireguard_interface_restart + - not wireguard_ubuntu_use_netplan tags: - wg-config block: From 73241b45ae241ded8b3e4afb5a7f818a6f868231 Mon Sep 17 00:00:00 2001 From: kbcz1989 Date: Sun, 3 Nov 2024 12:18:34 +0100 Subject: [PATCH 11/12] netplan: implement changes from commit fa7b0db --- templates/etc/netplan/wg.yaml.j2 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/templates/etc/netplan/wg.yaml.j2 b/templates/etc/netplan/wg.yaml.j2 index 07c00bee..4ba8afb1 100644 --- a/templates/etc/netplan/wg.yaml.j2 +++ b/templates/etc/netplan/wg.yaml.j2 @@ -17,7 +17,9 @@ network: {% endfor %} {% endif %} key: {{ wireguard_private_key }} +{% if wireguard_endpoint is not defined or wireguard_endpoint != "" %} port: {{ wireguard_port }} +{% endif %} {% if wireguard_mtu is defined %} mtu: {{ wireguard_mtu }} {% endif %} 
@@ -29,7 +31,7 @@ network: {% endif %} peers: {% for host in ansible_play_hosts %} -{% if host != inventory_hostname %} +{% if host != inventory_hostname and ((hostvars[host].wireguard_endpoint is not defined or hostvars[host].wireguard_endpoint != "") or (wireguard_endpoint is not defined or wireguard_endpoint != "")) %} - # Name = {{ host }} keys: public: {{ hostvars[host].wireguard__fact_public_key }} @@ -55,7 +57,7 @@ network: {% endfor %} {% endif %} {% endif %} -{% if hostvars[host].wireguard_persistent_keepalive is defined %} +{% if hostvars[host].wireguard_persistent_keepalive is defined and (hostvars[host].wireguard_endpoint is not defined or hostvars[host].wireguard_endpoint != "") %} keepalive: {{ hostvars[host].wireguard_persistent_keepalive }} {% endif %} {% if (hostvars[host].wireguard_dc is defined and wireguard_dc is defined and wireguard_dc['name'] != hostvars[host].wireguard_dc['name']) %} From 452aa5b03083f3d50a90615be7ddd628c0480759 Mon Sep 17 00:00:00 2001 From: kbcz1989 Date: Wed, 6 Nov 2024 11:41:24 +0100 Subject: [PATCH 12/12] netplan: final changes --- README.md | 11 ++++++++--- molecule/netplan/molecule.yml | 1 + templates/etc/netplan/wg.yaml.j2 | 2 +- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index cedb46e2..3d823eea 100644 --- a/README.md +++ b/README.md 
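Review bot: The rewritten peer condition at `@@ -29,7 +31,7 @@` and the keepalive condition at `@@ -55,7 +57,7 @@` repeat the same `wireguard_endpoint is not defined or wireguard_endpoint != ""` test inline, producing two very long lines that are hard to read and easy to get out of sync. Computing the two flags once per loop iteration with `{% set %}` and reusing them keeps the semantics identical and makes the intent ("this peer has a reachable endpoint") visible, see below. The `{% if %}` blocks opened in these hunks close outside them.
```jinja
{% for host in ansible_play_hosts %}
{% set peer_has_endpoint = hostvars[host].wireguard_endpoint is not defined or hostvars[host].wireguard_endpoint != "" %}
{% set local_has_endpoint = wireguard_endpoint is not defined or wireguard_endpoint != "" %}
{% if host != inventory_hostname and (peer_has_endpoint or local_has_endpoint) %}
{# … unchanged: peer name, keys, allowed-ips … #}
{% if hostvars[host].wireguard_persistent_keepalive is defined and peer_has_endpoint %}
```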
@@ -139,9 +139,14 @@ These variables can be changed in `group_vars/` e.g.: ```yaml # Directory to store WireGuard configuration on the remote hosts -wireguard_remote_directory: "/etc/wireguard" # On Linux -# wireguard_remote_directory: "/opt/local/etc/wireguard" # On MacOS -# wireguard_remote_directory: "/etc/netplan" # On Ubuntu if wireguard_ubuntu_use_netplan is true +wireguard_remote_directory: >- + {%- if wireguard_ubuntu_use_netplan -%} + /etc/netplan + {%- elif ansible_os_family == 'Darwin' -%} + /opt/local/etc/wireguard + {%- else -%} + /etc/wireguard + {%- endif %} # The default port WireGuard will listen if not specified otherwise. wireguard_port: "51820" diff --git a/molecule/netplan/molecule.yml b/molecule/netplan/molecule.yml index 70b4774c..f288ab33 100644 --- a/molecule/netplan/molecule.yml +++ b/molecule/netplan/molecule.yml @@ -78,6 +78,7 @@ provisioner: wireguard_endpoint: "172.16.10.30" wireguard_ubuntu_use_netplan: true wireguard_conf_filename: "70-wg0.yaml" + wireguard_interface_restart: true scenario: name: netplan diff --git a/templates/etc/netplan/wg.yaml.j2 b/templates/etc/netplan/wg.yaml.j2 index 4ba8afb1..e5b5be68 100644 --- a/templates/etc/netplan/wg.yaml.j2 +++ b/templates/etc/netplan/wg.yaml.j2 @@ -3,7 +3,7 @@ network: version: 2 renderer: networkd tunnels: - wg0: + {{ wireguard_interface }}: mode: wireguard # {{ inventory_hostname }} {% if wireguard_address is defined %}