Refactor lmn_vpn role

- Separate `lmn_vpn` from `lmn_teacherlaptop`. - Implement a check for the availability of the wireguard-server during the wg-config rollout. - Enhance variable support with a standardized naming schema: - VPN selection via `vpn` variable (`none`, `wg`). - Wireguard configuration (endpoint, allowed IPs, ip_cdr, dns, searchpath). - Run wg-config role in separate play with serial 1 to avoid conflicts, when the role attempts to determine the next free Wireguard IP on the server when role try to Add a check to verify if the radius certificate is revoked. - Ensure required packages and services are only installed and configured if the `vpn` variable is set. - Provide documentation for `lmn_vpn` module.
2025-03-20 21:13:20 +01:00 · 2025-03-20 21:13:20 +01:00 · f1cb7486a5
commit f1cb7486a5
parent a68aaeb81c
11 changed files with 676 additions and 580 deletions
--- a/roles/lmn_teacherlaptop/tasks/main.yml
+++ b/roles/lmn_teacherlaptop/tasks/main.yml
@ -3,7 +3,6 @@
  ansible.builtin.apt:
    name:
      - plasma-discover
-      - wireguard
      - nextcloud-desktop
      - dolphin-nextcloud
        # - krb5-auth-dialog
@ -18,24 +17,6 @@
    - lmn-packagekit.rules
    - lmn-networkmanager.rules

- name: Copy mountserver script to /usr/local/bin
-  ansible.builtin.copy:
-    src: mountserver
-    dest: /usr/local/bin/
-    mode: "0755"
-
- name: Copy NetworkManager dispatcher-script (10-lmn-mount.sh)
-  ansible.builtin.copy:
-    src: 10-lmn-mount.sh
-    dest: /etc/NetworkManager/dispatcher.d/
-    mode: "0755"
-
- name: Create link to dispatcher-script (10-lmn-mount.sh)
-  ansible.builtin.file:
-    src: ../10-lmn-mount.sh
-    dest: /etc/NetworkManager/dispatcher.d/pre-down.d/10-lmn-mount.sh
-    state: link
-
 - name: Deploy sudo configurations (apt for role-teacher)
  ansible.builtin.copy:
    dest: /etc/sudoers.d/90-lmn-teacherlaptop
@ -45,10 +26,3 @@
    content: |
      %role-teacher ALL=(root) NOPASSWD: /usr/bin/apt
      %role-teacher ALL=(root) NOPASSWD: /usr/sbin/cryptsetup
-      %role-teacher ALL=(root) NOPASSWD: /usr/local/bin/mountserver
-
- name: Configure Wireguard
-  ansible.builtin.include_tasks: wg_config.yml
-  tags:
-    - never
-    - wgconfig
--- a/roles/lmn_teacherlaptop/tasks/wg_config.yml
+++ b/roles/lmn_teacherlaptop/tasks/wg_config.yml
@ -1,109 +0,0 @@
---
-
- name: Set facts wg_clientname
-  ansible.builtin.set_fact:
-    wg_clientname: "{{ ansible_hostname }}"
-
- name: Get Wiregard-Privatekey from server
-  ansible.builtin.shell:
-    cmd: grep PrivateKey /etc/wireguard/wg0.conf | sed -En 's/.*=\s*(.+)/\1/p'
-  register: wg_serverprivkey
-  delegate_to: wireguard_server
-
- name: Create public key (Server)
-  ansible.builtin.command:
-    cmd: "wg pubkey"
-  args:
-    stdin: "{{ wg_serverprivkey.stdout }}"
-  register: wg_serverpubkey
-
- name: Set facts wg_publickey (Server)
-  ansible.builtin.set_fact:
-    wg_serverpublickey: "{{ wg_serverpubkey.stdout }}"
-
- name: Check if Wiregard-Config exists on server
-  ansible.builtin.command:
-    cmd: "grep -A 3 '# BEGIN ANSIBLE MANAGED BLOCK {{ wg_clientname }}' /etc/wireguard/wg0.conf"
-  failed_when: False
-  register: wg_serverconfig
-  delegate_to: wireguard_server
-
- name: Set facts wg_ip
-  ansible.builtin.set_fact:
-    wg_ip: "{{ wg_serverconfig.stdout | regex_search('AllowedIPs = ([0-9.]+)/32', '\\1', multiline=True) | first }}"
-  when:  wg_serverconfig.rc == 0 and wg_ip is not defined
-
- name: Check if Wireguard exists on client
-  ansible.builtin.stat:
-    path: /etc/NetworkManager/system-connections/wg0.nmconnection
-  register: wg_clientconfig
-
- name: Search IP address in NetworkManager config
-  ansible.builtin.command:
-    cmd: cat /etc/NetworkManager/system-connections/wg0.nmconnection
-  register: wg_address
-  when: wg_clientconfig.stat.exists
-
- name: Set facts wg_ip
-  ansible.builtin.set_fact:
-    wg_ip: "{{ wg_address.stdout | regex_search('address1=([0-9.]+)/.*', '\\1', multiline=True) | first }}"
-  when: wg_address.rc is defined and wg_address.rc == 0 and wg_ip is not defined
-
- name: Set facts wg_privatekey
-  ansible.builtin.set_fact:
-    wg_privatekey: "{{ wg_address.stdout | regex_search('private-key=(.*)$', '\\1', multiline=True) | first }}"
-  when: wg_address.rc is defined and wg_address.rc == 0 and wg_privatekey is not defined
-
- name: Search maximum AllowedIP
-  ansible.builtin.shell:
-    cmd: grep AllowedIPs /etc/wireguard/wg0.conf | sed -En 's/.*=\s*([0-9.]+)\/32.*/\1/p' | sort -t . -k 3,3n -k 4,4n | tail -n 1
-  register: wg_ipmax
-  delegate_to: wireguard_server
-  when: wg_ip is not defined
-
- name: Set facts wg_ip
-  ansible.builtin.set_fact:
-    wg_ip: "{{ wg_ipmax.stdout | ipmath(1) }}"
-  when: wg_ipmax.rc is defined and wg_ipmax.rc == 0 and wg_ipmax.stdout and wg_ip is not defined
-
- name: Create private key
-  ansible.builtin.command:
-    cmd: "wg genkey"
-  register: wg_genkey
-  when: wg_privatekey is not defined
-
- name: Set facts wg_privatekey
-  ansible.builtin.set_fact:
-    wg_privatekey: "{{ wg_genkey.stdout }}"
-  when: wg_genkey.stdout is defined
-
- name: Create Wireguard-Config
-  ansible.builtin.template:
-    src: wg0.nmconnection.j2
-    dest: /etc/NetworkManager/system-connections/wg0.nmconnection
-    mode: 0600
-   
- name: Create public key
-  ansible.builtin.command:
-    cmd: "wg pubkey"
-  args:
-    stdin: "{{ wg_privatekey }}"
-  register: wg_pubkey
-
- name: Set facts wg_publickey
-  ansible.builtin.set_fact:
-    wg_publickey: "{{ wg_pubkey.stdout }}"
-
- name: Print WG IP
-  debug:
-    msg: "{{ wg_publickey }} -- {{ wg_pubkey.stdout }}"
-
- name: Set Wireguard Serverconfig
-  ansible.builtin.blockinfile:
-    marker: "# {mark} ANSIBLE MANAGED BLOCK {{ wg_clientname }}"
-    path: /etc/wireguard/wg0.conf
-    block: |
-      [Peer]
-      PublicKey = {{ wg_publickey }}
-      AllowedIPs = {{ wg_ip }}/32
-  delegate_to: wireguard_server
--- a/roles/lmn_vpn/defaults/main.yml
+++ b/roles/lmn_vpn/defaults/main.yml
@ -0,0 +1,9 @@
+---
+vpn: none
+ 
+# Wireguad config
+wg_endpoint: "203.0.113.1:51820"
+wg_allowed_ips: "10.0.0.0/16;"
+wg_ip_cdr: 24
+wg_dns: "9.9.9.9"
+wg_dns_search: "example.com"
--- a/roles/lmn_teacherlaptop/files/10-lmn-mount.sh
+++ b/roles/lmn_teacherlaptop/files/10-lmn-mount.sh
--- a/roles/lmn_teacherlaptop/files/mountserver
+++ b/roles/lmn_teacherlaptop/files/mountserver
--- a/roles/lmn_vpn/tasks/main.yml
+++ b/roles/lmn_vpn/tasks/main.yml
@ -0,0 +1,31 @@
+---
+- name: Copy mountserver script to /usr/local/bin
+  ansible.builtin.copy:
+    src: mountserver
+    dest: /usr/local/bin/
+    mode: "0755"
+
+- name: Copy NetworkManager dispatcher-script (10-lmn-mount.sh)
+  ansible.builtin.copy:
+    src: 10-lmn-mount.sh
+    dest: /etc/NetworkManager/dispatcher.d/
+    mode: "0755"
+
+- name: Create link to dispatcher-script (10-lmn-mount.sh)
+  ansible.builtin.file:
+    src: ../10-lmn-mount.sh
+    dest: /etc/NetworkManager/dispatcher.d/pre-down.d/10-lmn-mount.sh
+    state: link
+
+- name: Deploy sudo configurations (apt for role-teacher)
+  ansible.builtin.copy:
+    dest: /etc/sudoers.d/90-lmn-vpn
+    owner: root
+    group: root
+    mode: '0700'
+    content: |
+      %role-teacher ALL=(root) NOPASSWD: /usr/local/bin/mountserver
+
+- name: Configure Wireguard
+  ansible.builtin.include_tasks: wg_config.yml
+  when: vpn is defined and vpn == "wg"
--- a/roles/lmn_vpn/tasks/wg_config.yml
+++ b/roles/lmn_vpn/tasks/wg_config.yml
@ -0,0 +1,138 @@
+---
+- name: Install wireguard packages
+  ansible.builtin.apt:
+    name:
+      - wireguard
+
+- name: Check if wg_server is reachable
+  ansible.builtin.command: echo "Test if wg_server is reachable"
+  delegate_to: wireguard_server
+  register: result
+  changed_when: false
+
+- name: Inform that wg_server is unreachable
+  ansible.builtin.debug:
+    msg: |
+      Couldn't access wg_server. Possible reasons
+      * server not reachable
+      * no matching ssh-key
+  changed_when: true
+  when: result.unreachable is defined and result.unreachable
+
+- name: Configure WG Server
+  when: result.unreachable is not defined or not result.unreachable
+  block:
+    - name: Set facts wg_clientname
+      ansible.builtin.set_fact:
+        wg_clientname: "{{ ansible_hostname }}"
+
+    - name: Get Wiregard-Privatekey from server
+      ansible.builtin.shell:
+        cmd: grep PrivateKey /etc/wireguard/wg0.conf | sed -En 's/.*=\s*(.+)/\1/p'
+      register: wg_serverprivkey
+      changed_when: false
+      delegate_to: wireguard_server
+
+    - name: Create public key (Server)
+      ansible.builtin.command:
+        cmd: "wg pubkey"
+      args:
+        stdin: "{{ wg_serverprivkey.stdout }}"
+      changed_when: false
+      register: wg_serverpubkey
+
+    - name: Set facts wg_publickey (Server)
+      ansible.builtin.set_fact:
+        wg_serverpublickey: "{{ wg_serverpubkey.stdout }}"
+
+    - name: Check if Wiregard-Config exists on server
+      ansible.builtin.command:
+        cmd: "grep -A 3 '# BEGIN ANSIBLE MANAGED BLOCK {{ wg_clientname }}' /etc/wireguard/wg0.conf"
+      register: wg_serverconfig
+      failed_when: false
+      changed_when: false
+      delegate_to: wireguard_server
+
+    - name: Set facts wg_ip
+      ansible.builtin.set_fact:
+        wg_ip: "{{ wg_serverconfig.stdout | regex_search('AllowedIPs = ([0-9.]+)/32', '\\1', multiline=True) | first }}"
+      when: wg_serverconfig.rc == 0 and wg_ip is not defined
+
+    - name: Check if Wireguard exists on client
+      ansible.builtin.stat:
+        path: /etc/NetworkManager/system-connections/wg0.nmconnection
+      register: wg_clientconfig
+
+    - name: Search IP address in NetworkManager config
+      ansible.builtin.command:
+        cmd: cat /etc/NetworkManager/system-connections/wg0.nmconnection
+      register: wg_address
+      changed_when: false
+      when: wg_clientconfig.stat.exists
+
+    - name: Set facts wg_ip
+      ansible.builtin.set_fact:
+        wg_ip: "{{ wg_address.stdout | regex_search('address1=([0-9.]+)/.*', '\\1', multiline=True) | first }}"
+      when: wg_address.rc is defined and wg_address.rc == 0 and wg_ip is not defined
+
+    - name: Set facts wg_privatekey
+      ansible.builtin.set_fact:
+        wg_privatekey: "{{ wg_address.stdout | regex_search('private-key=(.*)$', '\\1', multiline=True) | first }}"
+      when: wg_address.rc is defined and wg_address.rc == 0 and wg_privatekey is not defined
+
+    - name: Search maximum AllowedIP
+      ansible.builtin.shell:
+        cmd: grep AllowedIPs /etc/wireguard/wg0.conf | sed -En 's/.*=\s*([0-9.]+)\/32.*/\1/p' | sort -t . -k 3,3n -k 4,4n | tail -n 1
+      register: wg_ipmax
+      changed_when: false
+      delegate_to: wireguard_server
+      when: wg_ip is not defined
+
+    - name: Set facts wg_ip
+      ansible.builtin.set_fact:
+        wg_ip: "{{ wg_ipmax.stdout | ansible.utils.ipmath(1) }}"
+      when: wg_ipmax.rc is defined and wg_ipmax.rc == 0 and wg_ipmax.stdout and wg_ip is not defined
+
+    - name: Create private key
+      ansible.builtin.command:
+        cmd: "wg genkey"
+      register: wg_genkey
+      changed_when: false
+      when: wg_privatekey is not defined
+
+    - name: Set facts wg_privatekey
+      ansible.builtin.set_fact:
+        wg_privatekey: "{{ wg_genkey.stdout }}"
+      when: wg_genkey.stdout is defined
+
+    - name: Create Wireguard-Config
+      ansible.builtin.template:
+        src: wg0.nmconnection.j2
+        dest: /etc/NetworkManager/system-connections/wg0.nmconnection
+        mode: '0600'
+
+    - name: Create public key
+      ansible.builtin.command:
+        cmd: "wg pubkey"
+      args:
+        stdin: "{{ wg_privatekey }}"
+      register: wg_pubkey
+      changed_when: false
+
+    - name: Set facts wg_publickey
+      ansible.builtin.set_fact:
+        wg_publickey: "{{ wg_pubkey.stdout }}"
+
+    - name: Print WG IP
+      ansible.builtin.debug:
+        msg: "{{ wg_publickey }} -- {{ wg_pubkey.stdout }}"
+
+    - name: Set Wireguard Serverconfig
+      ansible.builtin.blockinfile:
+        marker: "# {mark} ANSIBLE MANAGED BLOCK {{ wg_clientname }}"
+        path: /etc/wireguard/wg0.conf
+        block: |
+          [Peer]
+          PublicKey = {{ wg_publickey }}
+          AllowedIPs = {{ wg_ip }}/32
+      delegate_to: wireguard_server
--- a/roles/lmn_teacherlaptop/templates/wg0.nmconnection.j2
+++ b/roles/lmn_teacherlaptop/templates/wg0.nmconnection.j2