authorDmitry Ilvokhin <d@ilvokhin.com>2024-05-19 17:02:45 +0100
committerDmitry Ilvokhin <d@ilvokhin.com>2024-05-19 17:02:45 +0100
commitb4a12dbbf4a4759bf24975ca9bfc5096c90ae8b6 (patch)
tree48bc7a65415aa039c22575cf3c3919b5a4cea0f5
parent588e86b33df631382027862ed06bfd11e989e01b (diff)
Wireguard overlay network setup
Need to migrate away from networkd, because it currently can't add new WireGuard peers to an existing interface out of the box without hacks [1].

[1]: https://github.com/systemd/systemd/issues/25547
-rw-r--r--host_vars/gate2.ilvokhin.com/secrets.yml9
-rw-r--r--host_vars/gate2.ilvokhin.com/wireguard.yml8
-rw-r--r--hosts.yml5
-rw-r--r--master.yml1
-rw-r--r--roles/wgnet/handlers/main.yml2
-rw-r--r--roles/wgnet/meta/main.yml2
-rw-r--r--roles/wgnet/tasks/main.yml21
-rw-r--r--roles/wgnet/templates/wg0.netdev.j218
-rw-r--r--roles/wgnet/templates/wg0.network.j26
-rw-r--r--vpn.yml4
10 files changed, 76 insertions, 0 deletions
diff --git a/host_vars/gate2.ilvokhin.com/secrets.yml b/host_vars/gate2.ilvokhin.com/secrets.yml
new file mode 100644
index 0000000..c0efb29
--- /dev/null
+++ b/host_vars/gate2.ilvokhin.com/secrets.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+32303163313431383761636563313936326637363265396637333664306535336136316138623465
+3837613738346235373166386461353563326264356333360a666530316133613434303831343537
+38656136313130663535636531396131613435656134666537653335663632343466663630376332
+3336393838633166330a323234666136333737633434613036366434646666303033303031613266
+31343933313134383366663639333331323366343139353861376362653030333236633733343462
+38316232366432646463376332326239376662623866363238303464343864313937363230356661
+36613035633736663435373563313832383435336535633930643261333930623032333264343437
+65613663376364313063
diff --git a/host_vars/gate2.ilvokhin.com/wireguard.yml b/host_vars/gate2.ilvokhin.com/wireguard.yml
new file mode 100644
index 0000000..8ff01a9
--- /dev/null
+++ b/host_vars/gate2.ilvokhin.com/wireguard.yml
@@ -0,0 +1,8 @@
+wireguard_public_key: v+ChgF+9IMFK5aN/ngthtZ38Jp7Rr1WVeS2mhQnQ4UE=
+wgnet_ip: 10.0.0.1
+
+# Reserved for flame.
+# wgnet_ip: 10.0.0.2
+
+# Reserved for water.
+# wgnet_ip: 10.0.0.3
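Review bot: The `# Reserved for flame.` / `# Reserved for water.` entries keep other hosts' addresses as commented-out values inside gate2's host_vars, while the same addresses and the peers' public keys are hard-coded in roles/wgnet/templates/wg0.netdev.j2, so the two can drift with nothing to catch it. A single mapping in group_vars/vpn (peer name → public key and wgnet_ip) that the netdev template loops over would make one place authoritative and let flame and water reuse it when they join the `vpn` group. `wireguard_public_key` is not referenced anywhere else in this change; if the `wireguard` role dependency consumes it, a comment such as `# Consumed by the wireguard role; the matching private key is in secrets.yml` would make that visible.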
diff --git a/hosts.yml b/hosts.yml
index 9a25a20..1ee35af 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -5,3 +5,8 @@ web:
mail:
hosts:
mail.ilvokhin.com:
+
+vpn:
+ hosts:
+ # TODO: This is a temporary hostname.
+ gate2.ilvokhin.com:
diff --git a/master.yml b/master.yml
index 542c7d8..99aa520 100644
--- a/master.yml
+++ b/master.yml
@@ -1,3 +1,4 @@
- ansible.builtin.import_playbook: essential.yml
- ansible.builtin.import_playbook: web.yml
- ansible.builtin.import_playbook: mail.yml
+- ansible.builtin.import_playbook: vpn.yml
diff --git a/roles/wgnet/handlers/main.yml b/roles/wgnet/handlers/main.yml
new file mode 100644
index 0000000..21c5377
--- /dev/null
+++ b/roles/wgnet/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: Reload network
+ ansible.builtin.command: networkctl reload
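Review bot: `networkctl reload` re-reads .network files and creates netdevs for new .netdev files, but per the networkctl documentation it does not update a netdev that already exists, so once wg0 is up, adding a peer to wg0.netdev and re-running the role will fire this handler while the kernel interface keeps its old peer list — this appears to be the networkd limitation the commit message cites. Until the planned migration, the handler could recreate the interface, e.g. `networkctl delete wg0` followed by `networkctl reload`, at the cost of a brief drop for established tunnels; at minimum a comment `# Reload does not apply changes to an already-created wg0 netdev; delete it first` would keep the next operator from being surprised. As a bare `command` task the handler also always reports changed, which is tolerable for a handler but worth a `changed_when` if it is ever reused as a task.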
diff --git a/roles/wgnet/meta/main.yml b/roles/wgnet/meta/main.yml
new file mode 100644
index 0000000..45ed5d7
--- /dev/null
+++ b/roles/wgnet/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - role: wireguard
diff --git a/roles/wgnet/tasks/main.yml b/roles/wgnet/tasks/main.yml
new file mode 100644
index 0000000..8e5a632
--- /dev/null
+++ b/roles/wgnet/tasks/main.yml
@@ -0,0 +1,21 @@
+- name: Configure IPv4 and IPv6 packet forwarding
+ ansible.builtin.sysctl:
+ name: '{{ item }}'
+ value: '1'
+ sysctl_set: true
+ loop:
+ - net.ipv4.ip_forward
+ - net.ipv4.conf.all.forwarding
+ - net.ipv6.conf.all.forwarding
+
+- name: Configure WireGuard for wgnet
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "/etc/systemd/network/{{ item.dest }}"
+ owner: systemd-network
+ group: systemd-network
+ mode: u+rw,g+r,o+r
+ loop:
+ - { src: templates/wg0.netdev.j2, dest: wg0.netdev }
+ - { src: templates/wg0.network.j2, dest: wg0.network }
+ notify: Reload network
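Review bot: The template task's `mode: u+rw,g+r,o+r` installs wg0.netdev world-readable, and that file carries the rendered WireGuard private key (`PrivateKey={{ wireguard_private_key }}` in the netdev template), so any local user or compromised service on gate2 can read the tunnel's identity. systemd-networkd's documentation asks that a .netdev containing `PrivateKey=` be owned root:systemd-network with mode 0640; change the task to `owner: root`, `group: systemd-network`, `mode: "0640"` (the `+` symbolic form is also additive and would leave any pre-existing bits in place). The same task should carry `no_log: true`, because a `--diff` run would otherwise print the key into the playbook output. The forwarding loop above enables routing for every interface on the host; nothing in this change restricts what is forwarded, which `IPMasquerade=ipv4` in wg0.network then turns into general NAT for the peers.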
diff --git a/roles/wgnet/templates/wg0.netdev.j2 b/roles/wgnet/templates/wg0.netdev.j2
new file mode 100644
index 0000000..d258010
--- /dev/null
+++ b/roles/wgnet/templates/wg0.netdev.j2
@@ -0,0 +1,18 @@
+[NetDev]
+Name=wg0
+Kind=wireguard
+Description="Wireguard Overlay Network"
+
+[WireGuard]
+ListenPort=51820
+PrivateKey={{ wireguard_private_key }}
+
+# flame
+[WireGuardPeer]
+PublicKey=YUuBBTKHXsD6tTzcAVWXakZffWKlGS5fAdx7zWSXtlI=
+AllowedIPs=10.0.0.2/32
+
+# water
+[WireGuardPeer]
+PublicKey=X0Gw37N+AUkZjiyZ9buZ8c2ZzFr+niX3FZjxlyqQq0Q=
+AllowedIPs=10.0.0.3/32
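Review bot: `PrivateKey={{ wireguard_private_key }}` renders the key into the same file as the peer list, so the whole .netdev has to be handled as a secret and every peer edit touches a secret-bearing file. networkd supports `PrivateKeyFile=/etc/systemd/network/wg0.key` in the `[WireGuard]` section instead; deploying that file with a separate `copy` task (root:systemd-network, 0640, `no_log: true`) lets wg0.netdev itself stay non-sensitive and reviewable. The peer public keys and `AllowedIPs` are hard-coded here while the matching 10.0.0.2/.3 reservations live as comments in host_vars/gate2.ilvokhin.com/wireguard.yml; a header comment `# Peer list is authoritative here; keep host_vars/*/wireguard.yml reservations in sync` would at least flag the duplication. No `Endpoint=` is set for either peer, which works only if flame and water always initiate to gate2's `ListenPort=51820` — presumably the intent, but worth stating in the template header, along with the fact that UDP/51820 must be allowed inbound on gate2.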
diff --git a/roles/wgnet/templates/wg0.network.j2 b/roles/wgnet/templates/wg0.network.j2
new file mode 100644
index 0000000..2f578e5
--- /dev/null
+++ b/roles/wgnet/templates/wg0.network.j2
@@ -0,0 +1,6 @@
+[Match]
+Name=wg0
+
+[Network]
+Address={{ wgnet_ip }}/24
+IPMasquerade=ipv4
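Review bot: `IPMasquerade=ipv4`, combined with the global forwarding sysctls set in roles/wgnet/tasks/main.yml, makes gate2 a NAT gateway for whatever the peers send it, and nothing in this change filters forwarded traffic, so flame and water (or anyone holding their keys) can reach gate2's other networks and the Internet through the tunnel. If the goal is only host-to-host reachability on 10.0.0.0/24, drop `IPMasquerade=ipv4` and the forwarding sysctls; if gateway use is intended, add a forward-chain policy (nftables/iptables) limiting wg0 traffic to the intended destinations and say so here, e.g. `# gate2 NATs peer traffic to its uplink; forward policy is enforced by the firewall role`. On most systemd versions masquerading also enables IPv4 forwarding on the interface itself, so the sysctl task is partly redundant for wg0 — worth confirming against the deployed systemd version.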
diff --git a/vpn.yml b/vpn.yml
new file mode 100644
index 0000000..bba7ac9
--- /dev/null
+++ b/vpn.yml
@@ -0,0 +1,4 @@
+- name: Setup VPN machines
+ hosts: vpn
+ roles:
+ - { role: wgnet }