authorDmitry Ilvokhin <d@ilvokhin.com>2024-05-19 19:26:01 +0100
committerDmitry Ilvokhin <d@ilvokhin.com>2024-05-19 19:26:01 +0100
commit5ec7c4b1b31bb3cea080005b0245d09e05048e11 (patch)
treed43a4d3a38a017493384c9fdb595f1ed980a7fb3
parentb4a12dbbf4a4759bf24975ca9bfc5096c90ae8b6 (diff)
downloadinfra-5ec7c4b1b31bb3cea080005b0245d09e05048e11.tar.gz
infra-5ec7c4b1b31bb3cea080005b0245d09e05048e11.tar.bz2
infra-5ec7c4b1b31bb3cea080005b0245d09e05048e11.zip
Migrate away from networkd for wireguard
Migrate because of a networkd bug [1] that has remained unfixed for some time. [1]: https://github.com/systemd/systemd/issues/25547
-rw-r--r--roles/wgnet/handlers/main.yml6
-rw-r--r--roles/wgnet/tasks/main.yml23
-rw-r--r--roles/wgnet/templates/wg0.conf.j214
3 files changed, 32 insertions, 11 deletions
diff --git a/roles/wgnet/handlers/main.yml b/roles/wgnet/handlers/main.yml
index 21c5377..e5a3add 100644
--- a/roles/wgnet/handlers/main.yml
+++ b/roles/wgnet/handlers/main.yml
@@ -1,2 +1,4 @@
-- name: Reload network
- ansible.builtin.command: networkctl reload
+- name: Reload wgnet
+ ansible.builtin.service:
+ name: wg-quick@wg0
+ state: reloaded
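Review bot: `state: reloaded` on `wg-quick@wg0` only works if the installed unit defines an `ExecReload`; recent wireguard-tools ship one that runs `wg syncconf`, but on older packages without it the handler will fail instead of re-applying the config, so this is worth checking against the target distro. Even where the reload exists, `wg syncconf` (as I understand it) resyncs the private key, peers and `ListenPort` but does not re-apply a changed `Address`, so an edit to that line in the template would not take effect until a restart. Either switch to `state: restarted` and accept the brief tunnel drop, or record the limitation in the handler, e.g. `# reload = wg syncconf: applies key/peer/port changes only; Address changes need a restart`.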
diff --git a/roles/wgnet/tasks/main.yml b/roles/wgnet/tasks/main.yml
index 8e5a632..c776a84 100644
--- a/roles/wgnet/tasks/main.yml
+++ b/roles/wgnet/tasks/main.yml
@@ -10,12 +10,17 @@
- name: Configure WireGuard for wgnet
ansible.builtin.template:
- src: "{{ item.src }}"
- dest: "/etc/systemd/network/{{ item.dest }}"
- owner: systemd-network
- group: systemd-network
- mode: u+rw,g+r,o+r
- loop:
- - { src: templates/wg0.netdev.j2, dest: wg0.netdev }
- - { src: templates/wg0.network.j2, dest: wg0.network }
- notify: Reload network
+ src: templates/wg0.conf.j2
+ dest: /etc/wireguard/wg0.conf
+ owner: root
+ group: root
+ # Config containes private key for this host, so permissions are
+ # restricted.
+ mode: u+rw,g-rw,o-rw
+ notify: Reload wgnet
+
+- name: Enable WireGuard service for wgnet
+ ansible.builtin.service:
+ name: wg-quick@wg0
+ enabled: yes
+ state: started
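Review bot: Nothing in this hunk removes the `wg0.netdev`/`wg0.network` files the previous version placed under `/etc/systemd/network/`, so on a host that already ran the old role networkd will keep creating `wg0` and `wg-quick` will presumably fail to add an interface that already exists; add a task that deletes those files (and, if present, the networkd-created `wg0` link) before the service is started. `mode: u+rw,g-rw,o-rw` is a relative symbolic mode that leaves any pre-existing execute bits in place — an absolute `mode: "0600"` states the intent directly, and "containes" in the comment above it is a typo. Because the rendered file holds the private key, the template task should also carry `no_log: true` (or at least `diff: false`) so a `--diff` run does not print the key to the console or log, and `enabled: yes` should be `enabled: true` per yamllint's truthy rule.

```yaml
- name: Remove networkd WireGuard config left by the previous setup
  ansible.builtin.file:
    path: "/etc/systemd/network/{{ item }}"
    state: absent
  loop:
    - wg0.netdev
    - wg0.network
  # NOTE: an already-created networkd wg0 link is not torn down by
  # removing these files; delete it (networkctl delete wg0) before
  # wg-quick is started on previously provisioned hosts.

# … unchanged: Configure WireGuard for wgnet / Enable WireGuard service …
```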
diff --git a/roles/wgnet/templates/wg0.conf.j2 b/roles/wgnet/templates/wg0.conf.j2
new file mode 100644
index 0000000..f79b2b4
--- /dev/null
+++ b/roles/wgnet/templates/wg0.conf.j2
@@ -0,0 +1,14 @@
+[Interface]
+PrivateKey = {{ wireguard_private_key }}
+Address = 10.0.0.1/24
+ListenPort = 51820
+
+# flame
+[Peer]
+PublicKey = YUuBBTKHXsD6tTzcAVWXakZffWKlGS5fAdx7zWSXtlI=
+AllowedIPs = 10.0.0.2/32
+
+# water
+[Peer]
+PublicKey = X0Gw37N+AUkZjiyZ9buZ8c2ZzFr+niX3FZjxlyqQq0Q=
+AllowedIPs = 10.0.0.3/32
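Review bot: The template has no managed-file header, so an operator who edits `/etc/wireguard/wg0.conf` by hand gets no warning that the next play run overwrites it; add `# {{ ansible_managed }}` as the first line. `PrivateKey` is expanded from `wireguard_private_key`, whose definition is outside this diff — it should be an Ansible Vault-encrypted variable rather than plaintext in group_vars, and a one-line comment above it saying so would help the next maintainer. The two peers (`flame`, `water`) are hard-coded here, where a `wireguard_peers` list in vars rendered with a `{% for %}` loop would let peers be added without touching the template; and if a post-quantum margin is wanted a per-peer `PresharedKey` is the supported option, though that is a hardening choice rather than a defect in this change.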