add wireguard credentials

Makefile

@@ -8,8 +8,6 @@ help: ## Print the help message
 		sort | \
 		column -s ':' -t
 
-include wg.mk
-
 .PHONY: check
 check: ## Check you have all dependencies
 	@command -v graph-easy >/dev/null || { echo "Install perl-graph-easy" && exit 1 ;}
@@ -17,10 +15,6 @@ check: ## Check you have all dependencies
 	@command -v lowdown >/dev/null || { echo "Install lowdown" && exit 1 ;}
 	@echo "All dependencies installed"
 
-%/:
-	mkdir $@
-	echo '*' > $@.gitignore
-
 ########## Network Map ##########
 
 graph_program != type graph-easy > /dev/null && printf graph-easy || printf dot 

ansible/hosts.yaml

@@ -5,9 +5,12 @@ all:
     libc_locale: en_GB.UTF-8 UTF-8
     var_locale: LANG=en_GB.UTF-8
 
-wireguard:
+ungrouped:
   hosts:
-    192.168.0.93:
+    nimbus:
+cloud:
+  hosts:
+    nimbus:
 arch:
   hosts:
-    10.0.0.1:
+    nimbus:

ansible/playbooks/files/wireguard/server_head

@@ -1,26 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-33343563633965306633313265643038646236633465353133386365346663336163646430333962
-6165663662663065623232383636336236376363623762640a633139343330646532333631396639
-39323432323636626166636561383539353161646636666131623833396138666531616366633032
-3064646331643732660a613562343637393134323830643263393464363332663664623761636636
-38343638623539636134633735313161353233333936396638653066346163613335353266343334
-39313062633261393038636131313665653631333039633533363236636131323337633031386436
-38366435386334303366636231643565383931373936313365363165666464636236376262363336
-31363664336535343363646231306237383739326239356232343761623937666533663131323266
-30323138663666666538353063623566333961326233646533323831363433653764323566333564
-37633865313966336164336433306663343435653062396533633037333430366266376465613039
-35373762306363393534373861633839353736373463346638613838636466383762336562386434
-37666133666662633331313863636161343031666438363638356538623164343764353431373566
-35653662326134366366323835623265663530323132313138393566653063376163366132326232
-62653337383336396466386631393739633164646433373231656664376463306333643663393061
-32303535323336313364343131333633633261313761326566643733646564313432396165316532
-62303539653763343963343865626135633738666331366334353530393961623337363035333662
-38396533376166363164623531396238356632336534386636363364646263623334336666343834
-37396235346431393033303834323163646561643162646135383162623034343366613431366563
-66386330323933363035393330326539336134616364303037633230663664373335663739343361
-36653533333139336331393239626335623337663133393538343361303431636661316666383733
-64343234306336353163323235633031343138643661333863373965623666336331636339653862
-61616431366439643063313336336530383164313639646130383362643339386264333264376236
-63333531616561636638376635623738623933363933663439373137396334623361656233616236
-64386638653336616366653836663762306334363065356162353431633332633537623362643363
-3265

ansible/playbooks/wireguard.yml

@@ -1,6 +1,6 @@
 ---
 - name: Install Wireguard on Server
-  hosts: wireguard
+  hosts: nimbus
   become: true
 
   tasks:
@@ -12,8 +12,12 @@
 
     - name: Copy keys to server
       ansible.builtin.copy:
-        src: wireguard/wg0.conf
+        src: wireguard/
-        dest: /etc/wireguard/wg0.conf
+        dest: /etc/wireguard/server_public_key
+
+    - name: Remember the public key
+      ansible.builtin.command: cat /etc/wireguard/server_public_key
+      register: wireguard_public_key
 
     - name: Get server public IP
       ansible.builtin.command: dig +short myip.opendns.com @resolver1.opendns.com
@@ -30,3 +34,73 @@
         name: wg-quick@wg0
         enabled: yes
 
+- name: Install Wireguard on Host
+  hosts: localhost
+  become: true
+
+  tasks:
+    - name: Install wireguard tools
+      ansible.builtin.package:
+        name:
+          - wireguard-tools
+
+    - name: Create private key
+      ansible.builtin.shell:
+        chdir: /etc/wireguard/
+        creates: /etc/wireguard/dmz_public_key
+        cmd: "wg genkey | tee dmz_private_key | wg pubkey > dmz_public_key"
+
+    - name: Remember the public key
+      ansible.builtin.command: cat /etc/wireguard/dmz_public_key
+      register: client_public_key
+
+- name: Generate Server Config
+  hosts: nimbus
+  become: true
+
+  tasks:
+
+    - name: Create wg0 configuration
+      ansible.builtin.shell:
+        chdir: /etc/wireguard/
+        creates: /etc/wireguard/wg0.conf
+        cmd: |
+          echo "
+          [Interface]
+          Address = 10.0.0.1/24
+          SaveConfig = true
+          PrivateKey = $(cat server_private_key)
+          ListenPort = 51900
+          
+          PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+          PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+          
+          [Peer]
+          PublicKey = {{ hostvars['localhost']['client_public_key']['stdout'] }}
+          AllowedIPs = 10.0.0.2/32
+          " > /etc/wireguard/wg0.conf
+
+
+- name: Generate Client Config
+  hosts: localhost
+  become: true
+
+  tasks:
+
+    - name: Create wg0 client configuration
+      ansible.builtin.shell:
+        chdir: /etc/wireguard/
+        creates: /etc/wireguard/wg0-client.conf
+        cmd: |
+          echo "
+          [Interface]
+          Address = 10.0.0.2/32
+          PrivateKey = $(cat dmz_private_key)
+          DNS = 9.9.9.9
+
+          [Peer]
+          PublicKey = {{ hostvars['nimbus']['wireguard_public_key']['stdout'] }}
+          Endpoint = space.xecut.me:51900
+          AllowedIPs = 10.0.0.1/32
+          " > /etc/wireguard/wg0-client.conf
+

network.rec

@@ -5,6 +5,10 @@ name: ISP Router
 location: kralizec
 ISP: Orion
 
+name: ISP Router
+location: krov
+ISP: Yettel
+
 %rec: host
 %doc: These are the real machines, most of which run VMs or containters.
 %key: name
@@ -13,10 +17,8 @@ name: moxx
 location: kralizec
 local_access: 192.168.1.200:8006
 
-name: nimbus
+name: Serverko
-location: xecut
+location: krov
-description: raspberry pi
-os: Arch Linux Aarm
 
 %rec: lxc
 %doc: A container, usually on a Proxmox host.
@@ -88,3 +90,4 @@ host: Serverko
 
 name: tor12
 host: nginx
+

wg.mk

@@ -1,54 +0,0 @@
-public_key = $(shell cat /etc/wireguard/dmz_public_key)
-name := $(shell git config list | grep user.nam | cut -d= -f2)
-
-
-# Local keys
-
-wireguard/dmz_private_key: | /bin/wg wireguard/
-	wg genkey > $@
-	chmod 700 $@
-
-wireguard/dmz_public_key: wireguard/dmz_private_key | /bin/wg
-	$| pubkey < $< > $@
-
-##############################
-
-wgkeys.rec: wireguard/dmz_public_key
-	$(info Adding wireguard key as '$(name)')
-	recins --verbose $@ -t $(basename $@) -f name -v '$(name)' -f pubkey -v '$(shell cat $<)'
-	git add $@
-	git commit -m"add wireguard key for $(name)"
-	$(info Remember to git push)
-
-wireguard/dmz.conf: wireguard/dmz_bare.conf | wireguard/dmz_private_key
-	sed 's#PRIVATE_KEY#$(shell cat $|)#' $< > $@
-
-wireguard/dmz_bare.conf: wgkeys.rec | xecut/nimbus/dmz.conf
-	recsel $< -t $(basename $<) -e 'name = "$(name)"' | recfmt -f $| > $@
-
-###### Wireguard configuration #####
-
-wireguard/wg_peers.txt: wgkeys.rec | xecut/nimbus/wg_peer.fmt
-	recsel $< -t $(basename $<) | recfmt -f $| > $@
-
-ignored += ansible/playbooks/files/wireguard/wg0.conf
-
-ansible/playbooks/files/wireguard/wg0.conf: wireguard/wg_peers.txt | ansible/playbooks/files/wireguard/server_head
-	cd ansible && ansible-vault view playbooks/files/wireguard/server_head > playbooks/files/wireguard/wg0.conf
-	cat $< >> $@
-	cd ansible && ansible-vault encrypt playbooks/files/wireguard/wg0.conf
-
-
-##### Installing Wireguard Client #####
-
-.PHONY: wg-create
-wg-create: wireguard/dmz.conf ## Set up wireguard keys (do this before installing)
-
-.PHONY: wg-install
-wg-install: /etc/wireguard/dmz.conf ## Install wireguard keys (use sudo)
-/etc/wireguard/dmz.conf: wireguard/dmz.conf | /bin/wg
-	cp $< $@
-
-.PHONY: wg-setup
-wg-setup: ansible/playbooks/files/wireguard/wg0.conf ## Renew the wireguard config
-	make -C ansible wireguard

wgkeys.rec

@@ -1,12 +0,0 @@
-%rec: wgkeys
-%key: id
-%type: name,pubkey line
-%type: id int
-%auto: id
-%mandatory: name
-+ pubkey
-
-id: 2
-name: Malin Freeborn
-pubkey: loNnXRalD0ZyOLadSWm31rqOuRfEbgtX9O4/z7eSIho=
-

xecut/nimbus/dmz.conf

@@ -1,12 +0,0 @@
-# Client configuration for wireguard to nimbus at xecut.
-
-[Interface]
-Address = 10.0.0.2/32
-PrivateKey = PRIVATE_KEY
-DNS = 9.9.9.9
-
-[Peer]
-PublicKey = GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=
-Endpoint = space.xecut.me:51900
-AllowedIPs = 10.0.0.{{id}}/24
-

xecut/nimbus/wg_peer.fmt

@@ -1,4 +0,0 @@
-[Peer]
-PublicKey = {{pubkey}}
-AllowedIPs = 10.0.0.{{id}}/32
-

xecut/nimbus/wireguard_client.conf

@@ -1,14 +0,0 @@
-
-[Interface]
-Address = 10.0.0.1/24
-SaveConfig = true
-PrivateKey = PRIVATE_KEY
-ListenPort = 51900
-
-PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
-
-[Peer]
-PublicKey = GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=
-AllowedIPs = 10.0.0.2/32
-