
9f30a90364ac268c963259eb8289efcbf6dee1a3 — Thorben Günther a month ago 1f2402a
wireguard(_*): Read keys from vault

References: https://todo.xenrox.net/~xenrox/infrastructure/7
M playbooks/avalon.yml => playbooks/avalon.yml +2 -2
@@ 43,8 43,8 @@
    - { role: navidrome }
    # - { role: screego } # docker
    - { role: syncthing }
    # - { role: wireguard } # file secret
    # - { role: wireguard_vpn_server } # file secret
    - { role: wireguard }
    - { role: wireguard_vpn_server }
    # - { role: uptime_kuma } # docker
    - { role: gotify_server }
    - { role: gotify_app }

M roles/wireguard/templates/wg0.netdev.j2 => roles/wireguard/templates/wg0.netdev.j2 +3 -3
@@ 5,12 5,12 @@ Description=WireGuard tunnel wg0

[WireGuard]
ListenPort=51820
PrivateKey={{ lookup('file', '/home/xenrox/decrypted/wireguard/' ~ inventory_hostname ~ '.key') }}
PrivateKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard/' ~ inventory_hostname ~ '.key:content') | trim }}

{% for host in groups['wireguard'] if host != inventory_hostname %}
[WireGuardPeer]
PublicKey={{ lookup('file', '/home/xenrox/decrypted/wireguard/' ~ host ~ '.pub') }}
PresharedKey={{ lookup('file', '/home/xenrox/decrypted/wireguard/' ~ inventory_hostname ~ '_' ~ host ~ '.psk') }}
PublicKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard/' ~ host ~ '.pub:content') | trim }}
PresharedKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard/' ~ inventory_hostname ~ '_' ~ host ~ '.psk:content') | trim }}
AllowedIPs={{ hostvars[host]['wireguard_address'] }}/32
Endpoint={{ host }}:51820

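Review bot: The rendered wg0.netdev now carries PrivateKey and PresharedKey values pulled from Vault at template time, so any `--diff` or verbose run of the task that renders this template will print the key material; that task is outside this hunk, and if it does not already do so it should set `no_log: true` and `diff: false`, and keep `mode: "0640"` with the systemd-network group on the written file. The same applies to wg1.conf.j2 and wg1.netdev.j2 further down in this commit. `| trim` reproduces the trailing-newline stripping the previous `lookup('file', …)` did, so the rendered values should be byte-identical — presumably that was the intent, worth confirming on one host. A short header comment would help the next maintainer, e.g. `{# keys are read from Vault kv at ansible/data/wireguard/<name>.{key,pub,psk}, field "content" #}`.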

M roles/wireguard_vpn_client/templates/wg1.conf.j2 => roles/wireguard_vpn_client/templates/wg1.conf.j2 +3 -3
@@ 1,10 1,10 @@
[Interface]
Address = 10.200.200.2/24
PrivateKey = {{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/localhost.key') }}
PrivateKey = {{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/localhost.key:content') | trim }}
DNS = 10.200.200.1

[Peer]
PublicKey = {{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/xenrox.net.pub') }}
PresharedKey = {{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/localhost.psk') }}
PublicKey = {{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/xenrox.net.pub:content') | trim }}
PresharedKey = {{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/localhost.psk:content') | trim }}
Endpoint = xenrox.net:51821
AllowedIPs = 0.0.0.0/0, ::/0

M roles/wireguard_vpn_server/templates/wg1.netdev.j2 => roles/wireguard_vpn_server/templates/wg1.netdev.j2 +3 -3
@@ 5,12 5,12 @@ Description=WireGuard VPN wg1

[WireGuard]
ListenPort=51821
PrivateKey={{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/xenrox.net.key') }}
PrivateKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/xenrox.net.key:content') | trim }}

{% for client in wireguard_clients %}
[WireGuardPeer]
PublicKey={{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/' ~ client.name ~ '.pub') }}
PresharedKey={{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/' ~ client.name ~ '.psk') }}
PublicKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/' ~ client.name ~ '.pub:content') | trim }}
PresharedKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/' ~ client.name ~ '.psk:content') | trim }}
AllowedIPs={{ client.address }}/32

{% endfor %}

M terraform_vault/secrets.tf => terraform_vault/secrets.tf +24 -0
@@ 5,9 5,33 @@ resource "vault_generic_secret" "ansible_secrets" {
  data_json = file("/home/xenrox/decrypted/vault/${each.key}")
}

# keycloak users

resource "vault_generic_secret" "users" {
  for_each = fileset("/home/xenrox/decrypted/vault/users", "*.json")

  path      = trimsuffix("ansible/users/${each.key}", ".json")
  data_json = file("/home/xenrox/decrypted/vault/users/${each.key}")
}

# wireguard keys

resource "vault_generic_secret" "wireguard" {
  for_each = fileset("/home/xenrox/decrypted/wireguard", "*")

  path = "ansible/wireguard/${each.key}"
  data_json = jsonencode({
    content = file("/home/xenrox/decrypted/wireguard/${each.key}")
  })
}

# wireguard VPN keys
#
resource "vault_generic_secret" "wireguard_vpn" {
  for_each = fileset("/home/xenrox/decrypted/wireguard_vpn", "*")

  path = "ansible/wireguard_vpn/${each.key}"
  data_json = jsonencode({
    content = file("/home/xenrox/decrypted/wireguard_vpn/${each.key}")
  })
}
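Review bot: `fileset("/home/xenrox/decrypted/wireguard", "*")` (and the `wireguard_vpn` counterpart) publishes every regular file in the directory as a Vault secret, so a stray editor backup or note would be uploaded alongside the keys; the `users` resource above narrows its glob to `*.json`, and these could be narrowed to the expected suffixes the same way, e.g. `for_each = setunion(fileset(local.wg_dir, "*.key"), fileset(local.wg_dir, "*.psk"), fileset(local.wg_dir, "*.pub"))`, or at least a comment stating the directory must hold only key material. Because `vault_generic_secret` keeps `data_json` in Terraform state, the state file now contains the WireGuard private keys and preshared keys in clear text; that was already true for `ansible_secrets`, but it is worth a comment here reminding that the state backend must be protected like the Vault itself. Style: `path = ` in both new resources is not aligned with `data_json` as it is in the earlier resources (`terraform fmt` would write `path      = "ansible/wireguard/${each.key}"`), and the lone `#` line under `# wireguard VPN keys` breaks the comment/blank-line pattern used for the other resources.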