wireguard

This commit is contained in:
Elizabeth Hunt 2024-03-24 22:51:07 -04:00
parent c4fd626c78
commit 5c566ef8d0
12 changed files with 192 additions and 15 deletions

View File

@ -2,3 +2,4 @@
- [ ] read email for service accounts dmarc.report, postmaster email users, give access to infra users - [ ] read email for service accounts dmarc.report, postmaster email users, give access to infra users
- [ ] allow infra users to ssh into any machine in infra, regular users into their tilde account on himmel - [ ] allow infra users to ssh into any machine in infra, regular users into their tilde account on himmel
- [ ] allow ufw and setup wireguard on himmel - [ ] allow ufw and setup wireguard on himmel
- [ ] internal vpn for infra, figure out routing

View File

@ -1,5 +1,8 @@
--- ---
- name: Wireguard Endpoint
ansible.builtin.import_playbook: playbooks/deploy-wireguard-endpoint.yml
- name: Common configurations - name: Common configurations
ansible.builtin.import_playbook: playbooks/deploy-common.yml ansible.builtin.import_playbook: playbooks/deploy-common.yml
@ -17,3 +20,6 @@
- name: Gitea - name: Gitea
ansible.builtin.import_playbook: playbooks/deploy-gitea.yml ansible.builtin.import_playbook: playbooks/deploy-gitea.yml
- name: Wireguard Mesh
ansible.builtin.import_playbook: playbooks/deploy-wireguard-mesh.yml

9
docs/INFRA_PLAYBOOK.md Normal file
View File

@ -0,0 +1,9 @@
Registering a new internal machine <hostname>:
1. Register <hostname>.pub.infra.hatecomputers.club A record -> public ipv4
2. Register <hostname>.int.infra.hatecomputers.club A record -> internal ipv4 in 10.155.0.0/16 subnet
3. Put it on the internal VPN. i.e. add <hostname>.pub... in the wireguard-mesh after allowing ssh to root and everything
4. Run the wireguard-mesh playbook
5. Update the inventory record in wireguard-mesh to <hostname>.int...
6. Now run the deploy-common playbook to allow ssh only internally, debugging as necessary if needed ; it should just work :))
7. Add your new roles!

View File

@ -1,10 +1,10 @@
--- ---
host_domains: host_domains:
fern.hatecomputers.club: fern.infra.hatecomputers.club:
# - fern.hatecomputers.club - fern.hatecomputers.club
- auth.hatecomputers.club - auth.hatecomputers.club
- mail.hatecomputers.club - mail.hatecomputers.club
himmel.hatecomputers.club: himmel.infra.hatecomputers.club:
# - himmel.hatecomputers.club - himmel.hatecomputers.club
- git.hatecomputers.club - git.hatecomputers.club

View File

@ -0,0 +1,4 @@
---
wireguard_listen_port: 51830
wireguard_subnet: 10.155.0.0/16

View File

@ -1,24 +1,31 @@
[docker] [docker]
fern.hatecomputers.club ansible_user=root ansible_connection=ssh fern.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
himmel.hatecomputers.club ansible_user=root ansible_connection=ssh himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
[host_domains] [host_domains]
fern.hatecomputers.club ansible_user=root ansible_connection=ssh fern.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
himmel.hatecomputers.club ansible_user=root ansible_connection=ssh himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
[nginx] [nginx]
fern.hatecomputers.club ansible_user=root ansible_connection=ssh fern.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
himmel.hatecomputers.club ansible_user=root ansible_connection=ssh himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
[certbot] [certbot]
fern.hatecomputers.club ansible_user=root ansible_connection=ssh fern.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
himmel.hatecomputers.club ansible_user=root ansible_connection=ssh himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
[kanidm] [kanidm]
fern.hatecomputers.club ansible_user=root ansible_connection=ssh fern.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
[mail] [mail]
fern.hatecomputers.club ansible_user=root ansible_connection=ssh fern.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
[gitea] [gitea]
himmel.hatecomputers.club ansible_user=root ansible_connection=ssh himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
[wireguard-mesh]
himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
fern.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh
[wireguard-endpoint]
himmel.int.infra.hatecomputers.club ansible_user=root ansible_connection=ssh

View File

@ -0,0 +1,6 @@
---
- name: Wireguard-endpoint setup
hosts: wireguard-endpoint
roles:
- wireguard-endpoint

View File

@ -0,0 +1,6 @@
---
- name: Wireguard-mesh setup
hosts: wireguard-mesh
roles:
- wireguard-mesh

View File

@ -0,0 +1 @@
wireguard.cfg

View File

@ -0,0 +1,40 @@
---
- name: Install wireguard
ansible.builtin.apt:
name:
- wireguard
state: latest
- name: Copy config
ansible.builtin.copy:
src: wireguard.cfg
dest: /etc/wireguard/hatecomputers.conf
owner: root
group: root
mode: 0600
- name: Enable and persist ip forwarding
ansible.builtin.sysctl:
name: net.ipv4.ip_forward
value: "1"
state: present
sysctl_set: true
reload: true
- name: Allow wireguard endpoint ufw
ansible.builtin.ufw:
rule: allow
port: '51820'
proto: 'udp'
- name: Start wireguard and enable on boot
ansible.builtin.systemd:
name: wg-quick@hatecomputers
enabled: true
state: started
- name: Hotreload wireguard
ansible.builtin.shell: >
bash -c
"wg syncconf inframesh <(wg-quick strip inframesh)"

View File

@ -0,0 +1,80 @@
---
- name: Install wireguard
ansible.builtin.apt:
name:
- wireguard
- ufw
state: present
- name: Get node ips from dns records
ansible.builtin.shell: "dig +short {{ item }} | tail -n1"
register: wireguard_node_ip
with_items: "{{ groups['wireguard-mesh'] }}"
- name: Massage node ips
ansible.builtin.set_fact: >
wireguard_node_ips={{ wireguard_node_ips|default({})
| combine( {item.item: item.stdout} ) }}
with_items: "{{ wireguard_node_ip.results }}"
- name: Allow wireguard endpoint ufw
ansible.builtin.ufw:
rule: allow
port: "{{ wireguard_listen_port }}"
proto: 'udp'
- name: Generate Wireguard keypair
ansible.builtin.shell: >
wg genkey | tee /etc/wireguard/privatekey
| wg pubkey | tee /etc/wireguard/publickey
args:
creates: /etc/wireguard/privatekey
- name: Register private key
ansible.builtin.shell: cat /etc/wireguard/privatekey
register: wireguard_private_key
changed_when: false
- name: Register public key
ansible.builtin.shell: cat /etc/wireguard/publickey
register: wireguard_public_key
changed_when: false
- name: Generate Preshared keyskeypair
ansible.builtin.shell: "wg genpsk > /etc/wireguard/psk-{{ item }}"
args:
creates: "/etc/wireguard/psk-{{ item }}"
when: inventory_hostname < item
with_items: "{{ groups['wireguard-mesh'] }}"
- name: Register preshared key
ansible.builtin.shell: "cat /etc/wireguard/psk-{{ item }}"
register: wireguard_preshared_key
changed_when: false
when: inventory_hostname < item
with_items: "{{ groups['wireguard-mesh'] }}"
- name: Massage preshared keys
ansible.builtin.set_fact: >
wireguard_preshared_keys={{ wireguard_preshared_keys|default({})
| combine( {item.item: item.stdout} ) }}
when: item.skipped is not defined
with_items: "{{ wireguard_preshared_key.results }}"
- name: Build config
ansible.builtin.template:
src: inframesh.conf.j2
dest: /etc/wireguard/inframesh.conf
owner: root
mode: 0640
- name: Enable wireguard
ansible.builtin.systemd:
name: wg-quick@inframesh
enabled: true
- name: Hotreload wireguard
ansible.builtin.shell: >
bash -c
"wg syncconf inframesh <(wg-quick strip inframesh)"

View File

@ -0,0 +1,17 @@
[Interface]
Address={{ wireguard_node_ips[inventory_hostname] }}/32
SaveConfig=true
ListenPort={{ wireguard_listen_port }}
PrivateKey={{ wireguard_private_key.stdout }}
{% for peer in groups['wireguard-mesh'] %}
{% if peer != inventory_hostname %}
[Peer]
PublicKey={{ hostvars[peer].wireguard_public_key.stdout }}
PresharedKey={{ wireguard_preshared_keys[peer] if inventory_hostname < peer else hostvars[peer].wireguard_preshared_keys[inventory_hostname] }}
AllowedIPs={{ wireguard_node_ips[peer] }}/32
Endpoint={{ peer | replace('.int.', '.pub.') }}:{{ wireguard_listen_port }}
{% endif %}
{% endfor %}