From: Matt Birkholz Date: Sat, 22 Nov 2025 20:10:04 +0000 (-0700) Subject: Generate Core's wg0.conf, rather than provide an example. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=79b78cb7704a1809ca92245497f73c86798cad1e;p=Institute Generate Core's wg0.conf, rather than provide an example. --- diff --git a/README.org b/README.org index d7ae271..5bc4b20 100644 --- a/README.org +++ b/README.org @@ -752,17 +752,12 @@ front_addr: 192.168.15.4 The example address is a private network address because the example configuration is intended to run in a test jig made up of VirtualBox -virtual machines and networks, and the VirtualBox user manual uses -~192.168.15.0~ in its example configuration of a "NAT Network" -(simulating Front's ISP's network). - -Finally, four host addresses are needed frequently in the Ansible -code. The first two are Core's and Gate's addresses on the private -Ethernet. The other two are Gate's and the campus Wi-Fi's addresses -on the wild Ethernet. The following code block chooses host 1 for -Core and host 2 for Gate on the private Ethernet. On the wild -Ethernet, host 1 is Gate and host 2 is the access point (or wired -IoT appliance). +virtual machines and networks. + +Finally, five host addresses are needed frequently in the Ansible +code. Each is made available in both CIDR and IPv4 address formats. +Again this is site-independent, non-private boilerplate referenced +with ~address-vars~ in the =default/main.yml= files. #+CAPTION: [[file:private/vars.yml][=private/vars.yml=]] #+BEGIN_SRC conf :tangle private/vars.yml @@ -772,6 +767,8 @@ gate_wild_addr_cidr: "{{ wild_net_cidr | ansible.utils.ipaddr('1') }}" front_wg_addr_cidr: "{{ public_wg_net_cidr | ansible.utils.ipaddr('1') }}" +core_wg_addr_cidr: + "{{ public_wg_net_cidr | ansible.utils.ipaddr('2') }}" core_addr: "{{ core_addr_cidr | ansible.utils.ipaddr('address') }}" gate_addr: "{{ gate_addr_cidr | ansible.utils.ipaddr('address') }}" 
@@ -779,6 +776,8 @@ gate_wild_addr: "{{ gate_wild_addr_cidr | ansible.utils.ipaddr('address') }}" front_wg_addr: "{{ front_wg_addr_cidr | ansible.utils.ipaddr('address') }}" +core_wg_addr: + "{{ core_wg_addr_cidr | ansible.utils.ipaddr('address') }}" #+END_SRC @@ -3655,27 +3654,8 @@ with a route to the campus networks. As described in [[*Configure Public WireGu WireGuard™ Subnet]] for Front, Core is expected to forward packets from/to the private networks. -The following example [[=private/core-wg0.conf=][=private/core-wg0.conf=]] configuration recognizes -Front by its public key, ~S+6HaT~, looking for it at the institute's -public IP address and a special port. - -#+NAME: =private/core-wg0.conf= -#+CAPTION: [[file:private/core-wg0.conf][=private/core-wg0.conf=]] -#+BEGIN_SRC conf :tangle private/core-wg0.conf :tangle-mode u=rw,g=,o= -[Interface] -Address = 10.177.87.2 -PostUp = wg set %i private-key /etc/wireguard/private-key - -# Front -[Peer] -EndPoint = 192.168.15.4:39608 -PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4= -AllowedIPs = 10.177.87.1 -AllowedIPs = 10.177.87.0/24 -#+END_SRC - -The following tasks install WireGuard™, configure it with -[[=private/core-wg0.conf=][=private/core-wg0.conf=]], and enable the service. +The following tasks install WireGuard™, configure it and enable the +service. #+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]] #+BEGIN_SRC conf :tangle roles_t/core/tasks/main.yml @@ -3694,6 +3674,17 @@ The following tasks install WireGuard™, configure it with - name: Configure WireGuard™. become: yes copy: + content: | + [Interface] + Address = {{ core_wg_addr }} + PostUp = wg set %i private-key /etc/wireguard/private-key + + # Front + [Peer] + EndPoint = {{ front_addr }}:{{ public_wg_port }} + PublicKey = {{ front_wg_pubkey }} + AllowedIPs = {{ front_wg_addr }} + AllowedIPs = {{ public_wg_net_cidr }} src: ../private/core-wg0.conf dest: /etc/wireguard/wg0.conf mode: u=r,g=,o= 
diff --git a/private/core-wg0.conf b/private/core-wg0.conf deleted file mode 100644 index 09519c4..0000000 --- a/private/core-wg0.conf +++ /dev/null @@ -1,10 +0,0 @@ -[Interface] -Address = 10.177.87.2 -PostUp = wg set %i private-key /etc/wireguard/private-key - -# Front -[Peer] -EndPoint = 192.168.15.4:39608 -PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4= -AllowedIPs = 10.177.87.1 -AllowedIPs = 10.177.87.0/24 diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml index 0db4f9c..b1b7849 100644 --- a/roles_t/core/tasks/main.yml +++ b/roles_t/core/tasks/main.yml @@ -653,6 +653,17 @@ - name: Configure WireGuard™. become: yes copy: + content: | + [Interface] + Address = {{ core_wg_addr }} + PostUp = wg set %i private-key /etc/wireguard/private-key + + # Front + [Peer] + EndPoint = {{ front_addr }}:{{ public_wg_port }} + PublicKey = {{ front_wg_pubkey }} + AllowedIPs = {{ front_wg_addr }} + AllowedIPs = {{ public_wg_net_cidr }} src: ../private/core-wg0.conf dest: /etc/wireguard/wg0.conf mode: u=r,g=,o=
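Review bot: the count "five host addresses" in the rewritten README paragraph (hunk @@ -752,17 +752,12) does not follow from what the patch shows: the deleted text enumerated four (Core and Gate on the private Ethernet, Gate and the access point on the wild Ethernet), the context lines of the next hunk show `front_wg_addr_cidr` already present, and this commit adds `core_wg_addr_cidr`, which makes six unless one of the four was dropped elsewhere. Recount, and consider keeping the enumeration the old paragraph had, since "made available in both CIDR and IPv4 address formats" no longer tells the reader which host number each device gets (Front host 1 and Core host 2 on the WireGuard subnet are only visible in the `ipaddr('1')` / `ipaddr('2')` filters).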
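Review bot: the replacement sentence in README.org (hunk @@ -3655,27 +3654,8) drops the one piece of documentation the deleted example carried, namely that Core recognizes Front by its public key and reaches it at the institute's public address on the WireGuard port; say that the generated `wg0.conf` takes these from `front_wg_pubkey`, `front_addr` and `public_wg_port` so a reader knows which variables to set. Minor: "install WireGuard™, configure it and enable the service" wants a comma before "and", matching the series punctuation of the sentence it replaces.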
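Review bot: the `copy:` task in README.org (hunk @@ -3694,6 +3674,17) now carries both the added `content:` block and the unchanged context line `src: ../private/core-wg0.conf`; `ansible.builtin.copy` treats `src` and `content` as mutually exclusive, so the task will fail before writing `/etc/wireguard/wg0.conf`, and the `src` path is in any case deleted by this same commit. Remove the `src:` line. Two smaller points in the new block: the documented key is `Endpoint` (the `EndPoint` spelling is carried over from the old example and worth normalizing while the block is being rewritten), and `AllowedIPs = {{ front_wg_addr }}` is already covered by `AllowedIPs = {{ public_wg_net_cidr }}`, since `front_wg_addr_cidr` is derived from that same network.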
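Review bot: the tangled task in roles_t/core/tasks/main.yml (hunk @@ -653,6 +653,17) has the same defect as its source block: `content:` is added while the context line `src: ../private/core-wg0.conf` remains, and `copy` rejects `src` together with `content`. Since this file is tangled output, drop the `src:` line in the README.org source block and re-tangle rather than editing here, so the two stay in sync.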