sbaildon · sbaildon · May 16, 2020 · May 13, 2020 · May 15, 2020 · May 16, 2020
diff --git a/playbooks/network.yml b/playbooks/network.yml
@@ -12,50 +12,26 @@
       enabled: yes
       state: started
 
-  - name: "Create new zone"
-    firewalld:
-      zone: "{{ security.firewalld.zone_name }}"
-      permanent: yes
-      state: present
-    register: new_zone
-
-  - name: "Reload firewalld config to enable new zone"
-    systemd:
-      name: firewalld
-      state: reloaded
-    when: new_zone.changed
-
-  - name: "Assign new zone to interface"
-    firewalld:
-      zone: "{{ security.firewalld.zone_name }}"
-      interface: eth0
-      permanent: yes
-      state: enabled
-
   - name: "Allow https traffic"
     firewalld:
-      zone: "{{ security.firewalld.zone_name }}"
       service: https
       permanent: yes
       state: enabled
 
   - name: "Allow http traffic"
     firewalld:
-      zone: "{{ security.firewalld.zone_name }}"
       service: http
       permanent: yes
       state: enabled
 
   - name: "Allow ssh traffic"
     firewalld:
-      zone: "{{ security.firewalld.zone_name }}"
       service: ssh
       permanent: yes
       state: enabled
 
   - name: "Allow custom ssh traffic"
     firewalld:
-      zone: "{{ security.firewalld.zone_name }}"
       port: "{{ security.ssh.custom_port }}/tcp"
       permanent: yes
       state: enabled

diff --git a/playbooks/software.yml b/playbooks/software.yml
@@ -29,19 +29,6 @@
       dnf:
         name: docker-ce
 
-  - name: "Install wireguard"
-    block:
-    - name: "Add wireguard repository"
-      yum_repository:
-        name: "wireguard"
-        description: "Copr repo for wireguard owned by jdoss"
-        baseurl: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/epel-7-$basearch/"
-        gpgcheck: yes
-        gpgkey: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/pubkey.gpg"
-    - name: "Install wireguard packages"
-      dnf:
-        name: ['wireguard-dkms', 'wireguard-tools']
-
   - name: "Install docker-py"
     pip:
       name: docker-py

diff --git a/playbooks/wireguard.yml b/playbooks/wireguard.yml
@@ -2,97 +2,122 @@
 - hosts: vps
 
   tasks:
-  - name: "Install dependencies"
+  - name: "Install wireguard"
     dnf:
-      name: ["kernel-devel", "kernel-headers", "python3-firewall"]
-    register: deps
+      name: wireguard-tools
 
-  - name: "reboot"
-    reboot:
-    when: deps.changed
+  - name: "Create wireguard directory"
+    file:
+      path: /etc/wireguard
+      state: directory
+      mode: 0755
+
+  - name: "Generate private key"
+    shell:
+      chdir: "/etc/wireguard/"
+      cmd: "wg genkey | tee private_key"
+      creates: "/etc/wireguard/private_key"
+    register: wireguard_genkey
+
+  - name: "Set private key mode"
+    file:
+      state: file
+      mode: 0600
+      path: "/etc/wireguard/private_key"
+    when: wireguard_genkey.changed
+
+  - name: "Read private key"
+    slurp:
+      src: "/etc/wireguard/private_key"
+    register: slurped_private_key
+
+  - set_fact:
+      private_key: "{{ slurped_private_key.content | b64decode }}"
 
-  - name: "wait for reboot"
-    wait_for:
-      host: "{{ vps.ip_address }}"
-    when: deps.changed
+  - name: "Generate public key"
+    shell:
+      chdir: "/etc/wireguard/"
+      cmd: "cat /etc/wireguard/private_key | wg pubkey | tee public_key"
+      creates: "/etc/wireguard/public_key"
+    register: public_key
 
   - debug:
-      msg: "Maybe you'll need to install kernel first, then wg, then reboot"
+      msg: "Public key {{ public_key.stdout }}"
+    when: public_key.changed
+
+  - name: "Deploy network interface file"
+    copy:
+      src: "../resources/wireguard/wg0.network"
+      dest: "/etc/systemd/network/wg0.network"
+      mode: 0600
+      owner: "systemd-network"
+      group: "systemd-network"
+
+  - name: "Deploy netdev file"
+    template:
+      src: "../resources/wireguard/wg0.netdev.j2"
+      dest: "/etc/systemd/network/wg0.netdev"
+      mode: 0600
+      owner: "systemd-network"
+      group: "systemd-network"
 
   - name: "Enable net.ipv4.ip_forward"
     sysctl:
       name: net.ipv4.ip_forward
-      value: 1
+      value: "1"
       reload: yes
       state: present
 
   - name: "Enable ipv6 forwarding"
     sysctl:
       name: net.ipv6.conf.all.forwarding
-      value: 1
+      value: "1"
       reload: yes
       state: present
 
-  - name: "Enable masquerading"
+  - name: "Enable public masquerading"
     firewalld:
-      zone: "{{ security.firewalld.zone_name }}"
-      masquerade: yes
+      zone: "public"
+      masquerade: "yes"
       permanent: true
       state: enabled
+      immediate: yes
 
-  - name: "Create wireguard directory"
-    file:
-      path: /etc/wireguard
-      state: directory
-
-  - name: "Generate private keys"
-    shell: wg genkey
-    register: wireguard_genkey
-    changed_when: false
-
-  - set_fact:
-      private_key: "{{ wireguard_genkey.stdout }}"
-
-  - name: "Generate public keys"
-    shell: "echo {{ private_key }} | wg pubkey"
-    register: wireguard_pubkey
-    changed_when: false
-
-  - set_fact:
-      public_key: "{{ wireguard_pubkey.stdout }}"
-
-  - debug:
-      msg: "Public key {{ public_key }}"
-
-  - name: "Configure wireguard"
-    template:
-      src: ../templates/wg0.conf.j2
-      dest: /etc/wireguard/wg0.conf
-      owner: root
-      group: root
-      mode: 600
-
-  - name: "Start wireguard"
-    systemd:
-      name: "wg-quick@wg0"
-      enabled: yes
-      state: restarted
-
-  - name: "Set wireguard interface as trusted"
+  - name: "Assign wireguard interface to internal"
     firewalld:
-      zone: "trusted"
+      zone: "internal"
       interface: wg0
       permanent: true
       state: enabled
 
-  - name: "Allow inital setup wireguard traffic"
+  - name: "Enable internal masquerading"
     firewalld:
-      zone: "{{ security.firewalld.zone_name }}"
-      port: "51820/udp"
+      zone: "internal"
+      masquerade: "yes"
       permanent: true
       state: enabled
+      immediate: yes
+
+  - name: "Add wireguard service to firewalld"
+    copy:
+      src: "../resources/wireguard/wireguard.xml"
+      dest: "/etc/firewalld/services/wireguard.xml"
+      mode: 0600
 
   - name: "Enable firewalld changes"
     systemd:
       name: firewalld
       state: restarted
+
+  - name: "Allow wireguard traffic"
+    firewalld:
+      zone: "public"
+      service: "wireguard"
+      permanent: true
+      state: enabled
+      immediate: yes
+
+  - name: "Restart network"
+    systemd:
+      name: systemd-networkd
+      state: restarted
diff --git a/resources/wireguard/wg0.netdev.j2 b/resources/wireguard/wg0.netdev.j2
@@ -0,0 +1,20 @@
+[NetDev]
+Name=wg0
+Kind=wireguard
+Description=WireGuard tunnel wg0
+
+[WireGuard]
+ListenPort=51820
+PrivateKey={{ private_key }}
+
+[WireGuardPeer]
+PublicKey=plRZD8jv0TX9QOhg2oVHpKvRs+s+1cr13hnE5L/4ySo=
+AllowedIPs=10.192.122.2/32
+
+[WireGuardPeer]
+PublicKey=3h8diHNeLoDBncp8mmCgIpVJHFpiZE+so7lkq7sH83o=
+AllowedIPs=10.192.122.3/32
+
+[WireGuardPeer]
+PublicKey=49UyaJmKfU2grabI5GXb94JrLt5eIJL0fjER5JyNrjI=
+AllowedIPs=10.192.122.4/32
diff --git a/resources/wireguard/wg0.network b/resources/wireguard/wg0.network
@@ -0,0 +1,5 @@
+[Match]
+Name=wg0
+
+[Network]
+Address=10.192.122.1/24
diff --git a/resources/wireguard/wireguard.xml b/resources/wireguard/wireguard.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>wireguard</short>
+  <description>WireGuard aims to provide a VPN that is both simple and highly effective.</description>
+  <port protocol="udp" port="51820"/>
+</service>