M playbooks/avalon.yml => playbooks/avalon.yml +2 -2
@@ 43,8 43,8 @@
- { role: navidrome }
# - { role: screego } # docker
- { role: syncthing }
- # - { role: wireguard } # file secret
- # - { role: wireguard_vpn_server } # file secret
+ - { role: wireguard }
+ - { role: wireguard_vpn_server }
# - { role: uptime_kuma } # docker
- { role: gotify_server }
- { role: gotify_app }
M roles/wireguard/templates/wg0.netdev.j2 => roles/wireguard/templates/wg0.netdev.j2 +3 -3
@@ 5,12 5,12 @@ Description=WireGuard tunnel wg0
[WireGuard]
ListenPort=51820
-PrivateKey={{ lookup('file', '/home/xenrox/decrypted/wireguard/' ~ inventory_hostname ~ '.key') }}
+PrivateKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard/' ~ inventory_hostname ~ '.key:content') | trim }}
{% for host in groups['wireguard'] if host != inventory_hostname %}
[WireGuardPeer]
-PublicKey={{ lookup('file', '/home/xenrox/decrypted/wireguard/' ~ host ~ '.pub') }}
-PresharedKey={{ lookup('file', '/home/xenrox/decrypted/wireguard/' ~ inventory_hostname ~ '_' ~ host ~ '.psk') }}
+PublicKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard/' ~ host ~ '.pub:content') | trim }}
+PresharedKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard/' ~ inventory_hostname ~ '_' ~ host ~ '.psk:content') | trim }}
AllowedIPs={{ hostvars[host]['wireguard_address'] }}/32
Endpoint={{ host }}:51820
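Review bot: The rendered `wg0.netdev` now carries the node's WireGuard `PrivateKey` and one `PresharedKey` per peer straight from Vault, so the task that templates this file (outside the hunk) must write it non-world-readable — systemd-networkd logs a warning and ignores a netdev file with a key it deems too permissive — e.g. `mode: "0640"`, `owner: root`, `group: systemd-network`; I cannot see that task here, so please confirm. Because the lookups run on the controller, a failed or unauthorized read of `ansible/data/wireguard/<host>.key` aborts the play rather than rendering an empty key, which is the right failure mode; the added `| trim` keeps a trailing newline in the stored `content` from breaking the key line. Consider a comment above the `[WireGuard]` section such as `# Keys come from Vault (ansible/data/wireguard); each value is stored under the "content" key` so the `:content` suffix is not a mystery to the next reader. The `{% for %}` loop's `{% endfor %}` falls outside the hunk.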
M roles/wireguard_vpn_client/templates/wg1.conf.j2 => roles/wireguard_vpn_client/templates/wg1.conf.j2 +3 -3
@@ 1,10 1,10 @@
[Interface]
Address = 10.200.200.2/24
-PrivateKey = {{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/localhost.key') }}
+PrivateKey = {{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/localhost.key:content') | trim }}
DNS = 10.200.200.1
[Peer]
-PublicKey = {{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/xenrox.net.pub') }}
-PresharedKey = {{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/localhost.psk') }}
+PublicKey = {{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/xenrox.net.pub:content') | trim }}
+PresharedKey = {{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/localhost.psk:content') | trim }}
Endpoint = xenrox.net:51821
AllowedIPs = 0.0.0.0/0, ::/0
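Review bot: The three `hashi_vault` lookups in this client template authenticate with whatever Vault address and token the Ansible controller exposes, so the policy behind that token should be scoped to read only `ansible/data/wireguard_vpn/localhost.key`, `ansible/data/wireguard_vpn/localhost.psk` and `ansible/data/wireguard_vpn/xenrox.net.pub` — not the whole `ansible/*` tree, which also holds the server key and every other client's key per the Terraform resources in this commit. I cannot see the Vault policy or the role's task file from here, so treat this as a check rather than a defect. As with the server templates, the `wg1.conf` written from this template contains `PrivateKey` and `PresharedKey` and should be installed with `mode: "0600"`, which wg-quick otherwise warns about. A short comment above `[Interface]` — `# PrivateKey/PresharedKey are fetched from Vault at render time; never commit rendered output` — would document the new contract.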
M roles/wireguard_vpn_server/templates/wg1.netdev.j2 => roles/wireguard_vpn_server/templates/wg1.netdev.j2 +3 -3
@@ 5,12 5,12 @@ Description=WireGuard VPN wg1
[WireGuard]
ListenPort=51821
-PrivateKey={{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/xenrox.net.key') }}
+PrivateKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/xenrox.net.key:content') | trim }}
{% for client in wireguard_clients %}
[WireGuardPeer]
-PublicKey={{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/' ~ client.name ~ '.pub') }}
-PresharedKey={{ lookup('file', '/home/xenrox/decrypted/wireguard_vpn/' ~ client.name ~ '.psk') }}
+PublicKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/' ~ client.name ~ '.pub:content') | trim }}
+PresharedKey={{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/wireguard_vpn/' ~ client.name ~ '.psk:content') | trim }}
AllowedIPs={{ client.address }}/32
{% endfor %}
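Review bot: With `PrivateKey` and every client's `PresharedKey` now inlined from Vault, the `template` task that renders `wg1.netdev` (outside the hunk) will echo the full file — keys included — to stdout when the playbook is run with `--diff` or `-vvv`, and Ansible's task result keeps the rendered content in its output; that task should set `no_log: true` or at least `diff: false` for this role. The same applies to the sibling `wg0.netdev` template. One more robustness point: `client.name` is concatenated into a Vault path unchanged, so a name containing `/` would read a different secret than intended — if `wireguard_clients` is operator-controlled only, a comment such as `{# client.name must be a bare filename; it is used as a Vault path segment #}` is enough.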
M terraform_vault/secrets.tf => terraform_vault/secrets.tf +24 -0
@@ 5,9 5,33 @@ resource "vault_generic_secret" "ansible_secrets" {
data_json = file("/home/xenrox/decrypted/vault/${each.key}")
}
+# keycloak users
+
resource "vault_generic_secret" "users" {
for_each = fileset("/home/xenrox/decrypted/vault/users", "*.json")
path = trimsuffix("ansible/users/${each.key}", ".json")
data_json = file("/home/xenrox/decrypted/vault/users/${each.key}")
}
+
+# wireguard keys
+
+resource "vault_generic_secret" "wireguard" {
+ for_each = fileset("/home/xenrox/decrypted/wireguard", "*")
+
+ path = "ansible/wireguard/${each.key}"
+ data_json = jsonencode({
+ content = file("/home/xenrox/decrypted/wireguard/${each.key}")
+ })
+}
+
+# wireguard VPN keys
+#
+resource "vault_generic_secret" "wireguard_vpn" {
+ for_each = fileset("/home/xenrox/decrypted/wireguard_vpn", "*")
+
+ path = "ansible/wireguard_vpn/${each.key}"
+ data_json = jsonencode({
+ content = file("/home/xenrox/decrypted/wireguard_vpn/${each.key}")
+ })
+}
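Review bot: The two new `vault_generic_secret` resources read every file under `/home/xenrox/decrypted/wireguard` and `/home/xenrox/decrypted/wireguard_vpn` via `file()` and store the contents in `data_json`, which Terraform persists in state — so the state backend now holds long-lived WireGuard private keys and PSKs in plaintext (the attribute is marked sensitive for display only). The existing `ansible_secrets` and `users` resources already put credentials in state, but this hunk widens it to network-layer keys; the backend configuration is not visible here, so please confirm it is an encrypted, access-controlled remote backend rather than a local `terraform.tfstate`. `fileset(..., "*")` also publishes any stray file that lands in those directories (editor backups, a `.bak`, a scratch note) as a secret; narrowing the glob to `fileset("/home/xenrox/decrypted/wireguard", "{*.key,*.pub,*.psk}")` limits uploads to the three extensions the templates actually read. The lone `#` line after `# wireguard VPN keys` looks like a typo for the blank line used after the other two section comments.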