From 7d113fcddd341f1e4b04ceb2785087d50b8e1556 Mon Sep 17 00:00:00 2001
From: Dmitry Ilvokhin <d@ilvokhin.com>
Date: Sun, 24 Aug 2025 13:31:38 +0100
Subject: Add wireguard configuration to dotfiles role

This is a simple role that works only for one host. There are multiple
complications that I should keep in mind in the future.

* There is should be a way to install dotfiles on boxes without GPG key
  there. So, files with secrets in them should be gated.
* Wireguard configuration should be per host. Each host should have it
  is own private key.
---
 misc/dotfiles/wireguard/onion-dns-down.sh |  7 +++++++
 misc/dotfiles/wireguard/onion-dns-up.sh   | 18 ++++++++++++++++
 misc/dotfiles/wireguard/wgtor0.conf       | 22 +++++++++++++++++++
 misc/dotfiles/wireguard/wgvpn0.conf       | 17 +++++++++++++++
 roles/dotfiles/tasks/main.yml             | 23 ++++++++++++++++++++
 roles/wgconfig/defaults/main.yml          |  3 +++
 roles/wgconfig/tasks/main.yml             | 35 +++++++++++++++++++++++++++++++
 7 files changed, 125 insertions(+)
 create mode 100755 misc/dotfiles/wireguard/onion-dns-down.sh
 create mode 100755 misc/dotfiles/wireguard/onion-dns-up.sh
 create mode 100644 misc/dotfiles/wireguard/wgtor0.conf
 create mode 100644 misc/dotfiles/wireguard/wgvpn0.conf
 create mode 100644 roles/wgconfig/defaults/main.yml
 create mode 100644 roles/wgconfig/tasks/main.yml

diff --git a/misc/dotfiles/wireguard/onion-dns-down.sh b/misc/dotfiles/wireguard/onion-dns-down.sh
new file mode 100755
index 0000000..b271700
--- /dev/null
+++ b/misc/dotfiles/wireguard/onion-dns-down.sh
@@ -0,0 +1,7 @@
+#! /usr/bin/env sh
+
+iface=$1
+
+/usr/sbin/scutil <<EOF
+remove State:/Network/Service/$iface/DNS
+EOF
diff --git a/misc/dotfiles/wireguard/onion-dns-up.sh b/misc/dotfiles/wireguard/onion-dns-up.sh
new file mode 100755
index 0000000..d8f69b9
--- /dev/null
+++ b/misc/dotfiles/wireguard/onion-dns-up.sh
@@ -0,0 +1,18 @@
+#! /usr/bin/env sh
+
+# macOS as usual has it is own way to do DNS. Even when we set DNS in
+# WireGuard config, onion addresses will not be resolved anyway. Moreover,
+# nslookup (and probably other standard cli utilities will work properly), but
+# Firefox at the same time will not.
+# The only workaround I found it to set `SupplementalMatchDomains` manually
+# with `scutil`. This trick worked for OpenVPN for long time as well.
+
+iface=$1
+dns=$2
+
+scutil <<EOF
+d.init
+d.add ServerAddresses * $dns
+d.add SupplementalMatchDomains * onion
+set State:/Network/Service/$iface/DNS
+EOF
diff --git a/misc/dotfiles/wireguard/wgtor0.conf b/misc/dotfiles/wireguard/wgtor0.conf
new file mode 100644
index 0000000..3f217c3
--- /dev/null
+++ b/misc/dotfiles/wireguard/wgtor0.conf
@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+66653962643936356331393865643262303630343363346232636461666633383938366562346135
+3334336566326662393835393061313034353337613039340a386633333537626466373034343933
+37336666326364353438353666663138306531636334386434633238356233343439616538336635
+3762666439353563350a373331663732313665626566613965326365626638396361323038333436
+66303766303261633966646634656161346464616538356530666461346665316366613938383330
+63336436343934316236303335306331313638343930623061343536666139653330363133346330
+32633665346136653664383464373365663063613832373263626366646633373037363263643830
+38636238303030373134343631643930626537356135363831663864373339303739616639363838
+64306633613439366462393935646535376331396537616164656263363862396131313538366330
+30383732323565366166303831373061356239326262306361373837663032623631643564313639
+39333064623534313336366161633435343062653136333539383764366366653639353534343335
+64343331356632643061313263336362323836343738393332333832353465343237356365326635
+62333661373365623463343931633530613466356330303833613035613933323830616664393937
+36613330326265383035623536303865393733663733316636633731373533636132633031613339
+63333666343331353833643263343731306234313435373331353235353131383563633935653339
+35373865303962383837373862346630663633653638323533323037613539663364306635393365
+39613931653338646163333461326534663535306334626134316563646438666536643136376635
+39346338646563376462313564643137373030666330663863633835663165376462646234333239
+66616630326262623734613232666132366337656565306638346132323166383165633961313033
+34393437623336323565386531613737353739303064393764613366363136363035343039396463
+6531
diff --git a/misc/dotfiles/wireguard/wgvpn0.conf b/misc/dotfiles/wireguard/wgvpn0.conf
new file mode 100644
index 0000000..97691b7
--- /dev/null
+++ b/misc/dotfiles/wireguard/wgvpn0.conf
@@ -0,0 +1,17 @@
+$ANSIBLE_VAULT;1.1;AES256
+61366266653839616332383237343332373262313963343564636431336533303034346434636233
+3037376439386635323531333838366564303565663535390a383763623731323633396433326237
+37326438303662313337313239626461303464316566623639376330303338383934306238666331
+6564393861316231370a636432343934343830393439303739636630626137326463636634613463
+66333461383964656235383363626365373066663962393137343364643537396433366634336439
+61303832373039633636666364393432333863613462313539313063666263336363623833396233
+66366133613563613036383636333334343830373464396662353637323630336232653431326465
+66356630353336373731306130643438653736366331343139643765643633366439633566656534
+63343235663032366531663561356161646537623665613535656132356139366461643361646436
+32336530323435623938623561363966616638333637653862313161616139373235316334373233
+30646265393337326565326161386461356663663064353130356136363266653163363164636234
+33396334323264303264303563346439326530646531356463346562383235303538643066656366
+31326533373466346430303461323237623031643730313566333561333162636632656332313637
+61333038336466356561353237306430313032616639383539663731343031663731636333326631
+34663831353832386638666131313737636631303237663761376434313935613438376532666261
+32633835386431663238
diff --git a/roles/dotfiles/tasks/main.yml b/roles/dotfiles/tasks/main.yml
index 424588d..73c9a90 100644
--- a/roles/dotfiles/tasks/main.yml
+++ b/roles/dotfiles/tasks/main.yml
@@ -74,6 +74,29 @@
         sshconfig_jumphost: '{{ dotfiles_jumphost }}'
       when: has_ssh.rc == 0
 
+- name: Configure wireguard if installed
+  tags: wireguard
+  block:
+    - name: Check if wireguard is installed
+      ansible.builtin.command: wg --version
+      changed_when: false
+      failed_when: false
+      register: has_wireguard
+
+    - name: Get actual hostname
+      ansible.builtin.command: hostname
+      changed_when: false
+      failed_when: false
+      register: hostname
+
+    - ansible.builtin.include_role:
+        name: wgconfig
+      vars:
+        wgconfig_user: '{{ dotfiles_user }}'
+        wgconfig_group: '{{ dotfiles_group }}'
+        wgconfig_homedir: '{{ dotfiles_homedir }}'
+      when: has_wireguard.rc == 0 and hostname.stdout == "silver"
+
 - name: Configure git if installed
   tags: git
   block:
diff --git a/roles/wgconfig/defaults/main.yml b/roles/wgconfig/defaults/main.yml
new file mode 100644
index 0000000..0d5634b
--- /dev/null
+++ b/roles/wgconfig/defaults/main.yml
@@ -0,0 +1,3 @@
+wgconfig_user: d
+wgconfig_group: d
+wgconfig_homedir: /home/{{ wgconfig_user }}
diff --git a/roles/wgconfig/tasks/main.yml b/roles/wgconfig/tasks/main.yml
new file mode 100644
index 0000000..9ece687
--- /dev/null
+++ b/roles/wgconfig/tasks/main.yml
@@ -0,0 +1,35 @@
+- name: Setup wireguard config directory
+  ansible.builtin.file:
+    path: '{{ wgconfig_homedir }}/.wireguard'
+    state: directory
+    owner: '{{ wgconfig_user }}'
+    group: '{{ wgconfig_group }}'
+    mode: u+rw,g-rw,o-rw
+  tags:
+    - dotfiles
+
+- name: Copy wireguard config files to home directory
+  ansible.builtin.copy:
+    src: misc/dotfiles/wireguard/{{ item }}
+    dest: '{{ wgconfig_homedir }}/.wireguard/{{ item }}'
+    owner: '{{ wgconfig_user }}'
+    group: '{{ wgconfig_group }}'
+    mode: u+rw,g-rw,o-rw
+  loop:
+    - wgvpn0.conf
+    - wgtor0.conf
+  tags:
+    - dotfiles
+
+- name: Copy wireguard scripts to home directory
+  ansible.builtin.copy:
+    src: misc/dotfiles/wireguard/{{ item }}
+    dest: '{{ wgconfig_homedir }}/.wireguard/{{ item }}'
+    owner: '{{ wgconfig_user }}'
+    group: '{{ wgconfig_group }}'
+    mode: u+rwx,g-rw,o-rw
+  loop:
+    - onion-dns-up.sh
+    - onion-dns-down.sh
+  tags:
+    - dotfiles
-- 
cgit v1.2.3-70-g09d2