~xenrox/ansible: wireguard(_*): Read keys from vault

5 files changed, 35 insertions(+), 11 deletions(-)

M playbooks/avalon.yml
M roles/wireguard/templates/wg0.netdev.j2
M roles/wireguard_vpn_client/templates/wg1.conf.j2
M roles/wireguard_vpn_server/templates/wg1.netdev.j2
M terraform_vault/secrets.tf

M playbooks/avalon.yml => playbooks/avalon.yml +2 -2

@@ 43,8 43,8 @@
     - { role: navidrome }
     # - { role: screego } # docker
     - { role: syncthing }
-    # - { role: wireguard } # file secret
-    # - { role: wireguard_vpn_server } # file secret
+    - { role: wireguard }
+    - { role: wireguard_vpn_server }
     # - { role: uptime_kuma } # docker
     - { role: gotify_server }
     - { role: gotify_app }

M roles/wireguard/templates/wg0.netdev.j2 => roles/wireguard/templates/wg0.netdev.j2 +3 -3

@@ 5,12 5,12 @@ Description=WireGuard tunnel wg0
 
 [WireGuard]
 ListenPort=51820
-PrivateKey={{ lookup('file', '/home/xenrox/decrypted/wireguard/' ~ inventory_hostname ~ '.key') }}
+PrivateKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard/' ~ inventory_hostname ~ '.key:content') | trim }}
 
 {% for host in groups['wireguard'] if host != inventory_hostname %}
 [WireGuardPeer]
-PublicKey={{ lookup('file', '/home/xenrox/decrypted/wireguard/' ~ host ~ '.pub') }}
-PresharedKey={{ lookup('file', '/home/xenrox/decrypted/wireguard/' ~ inventory_hostname ~ '_' ~ host ~ '.psk') }}
+PublicKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard/' ~ host ~ '.pub:content') | trim }}
+PresharedKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard/' ~ inventory_hostname ~ '_' ~ host ~ '.psk:content') | trim }}
 AllowedIPs={{ hostvars[host]['wireguard_address'] }}/32
 Endpoint={{ host }}:51820

M roles/wireguard_vpn_client/templates/wg1.conf.j2 => roles/wireguard_vpn_client/templates/wg1.conf.j2 +3 -3

@@ 1,10 1,10 @@
 [Interface]
 Address = 10.200.200.2/24
-PrivateKey = {{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/localhost.key') }}
+PrivateKey = {{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/localhost.key:content') | trim }}
 DNS = 10.200.200.1
 
 [Peer]
-PublicKey = {{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/xenrox.net.pub') }}
-PresharedKey = {{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/localhost.psk') }}
+PublicKey = {{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/xenrox.net.pub:content') | trim }}
+PresharedKey = {{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/localhost.psk:content') | trim }}
 Endpoint = xenrox.net:51821
 AllowedIPs = 0.0.0.0/0, ::/0

M roles/wireguard_vpn_server/templates/wg1.netdev.j2 => roles/wireguard_vpn_server/templates/wg1.netdev.j2 +3 -3

@@ 5,12 5,12 @@ Description=WireGuard VPN wg1
 
 [WireGuard]
 ListenPort=51821
-PrivateKey={{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/xenrox.net.key') }}
+PrivateKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/xenrox.net.key:content') | trim }}
 
 {% for client in wireguard_clients %}
 [WireGuardPeer]
-PublicKey={{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/' ~ client.name ~ '.pub') }}
-PresharedKey={{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/' ~ client.name ~ '.psk') }}
+PublicKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/' ~ client.name ~ '.pub:content') | trim }}
+PresharedKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/' ~ client.name ~ '.psk:content') | trim }}
 AllowedIPs={{ client.address }}/32
 
 {% endfor %}

M terraform_vault/secrets.tf => terraform_vault/secrets.tf +24 -0

@@ 5,9 5,33 @@ resource "vault_generic_secret" "ansible_secrets" {
   data_json = file("/home/xenrox/decrypted/vault/${each.key}")
 }
 
+# keycloak users
+
 resource "vault_generic_secret" "users" {
   for_each = fileset("/home/xenrox/decrypted/vault/users", "*.json")
 
   path      = trimsuffix("ansible/users/${each.key}", ".json")
   data_json = file("/home/xenrox/decrypted/vault/users/${each.key}")
 }
+
+# wireguard keys
+
+resource "vault_generic_secret" "wireguard" {
+  for_each = fileset("/home/xenrox/decrypted/wireguard", "*")
+
+  path = "ansible/wireguard/${each.key}"
+  data_json = jsonencode({
+    content = file("/home/xenrox/decrypted/wireguard/${each.key}")
+  })
+}
+
+# wireguard VPN keys
+#
+resource "vault_generic_secret" "wireguard_vpn" {
+  for_each = fileset("/home/xenrox/decrypted/wireguard_vpn", "*")
+
+  path = "ansible/wireguard_vpn/${each.key}"
+  data_json = jsonencode({
+    content = file("/home/xenrox/decrypted/wireguard_vpn/${each.key}")
+  })
+}