wireguard
This commit is contained in:
		
							parent
							
								
									c4fd626c78
								
							
						
					
					
						commit
						5c566ef8d0
					
				
							
								
								
									
										1
									
								
								TODO.md
								
								
								
								
							
							
						
						
									
										1
									
								
								TODO.md
								
								
								
								
							| 
						 | 
				
			
			@ -2,3 +2,4 @@
 | 
			
		|||
- [ ] read email for service accounts dmarc.report, postmaster email users, give access to infra users
 | 
			
		||||
- [ ] allow infra users to ssh into any machine in infra, regular users into their tilde account on himmel
 | 
			
		||||
- [ ] allow ufw and setup wireguard on himmel
 | 
			
		||||
- [ ] internal vpn for infra, figure out routing
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -1,5 +1,8 @@
 | 
			
		|||
---
 | 
			
		||||
 | 
			
		||||
- name: Wireguard Endpoint
 | 
			
		||||
  ansible.builtin.import_playbook: playbooks/deploy-wireguard-endpoint.yml
 | 
			
		||||
 | 
			
		||||
- name: Common configurations
 | 
			
		||||
  ansible.builtin.import_playbook: playbooks/deploy-common.yml
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			@ -17,3 +20,6 @@
 | 
			
		|||
 | 
			
		||||
- name: Gitea
 | 
			
		||||
  ansible.builtin.import_playbook: playbooks/deploy-gitea.yml
 | 
			
		||||
 | 
			
		||||
- name: Wireguard Mesh
 | 
			
		||||
  ansible.builtin.import_playbook: playbooks/deploy-wireguard-mesh.yml
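Review bot: Importing `playbooks/deploy-wireguard-mesh.yml` after `playbooks/deploy-common.yml` looks inverted relative to the registration notes added in this same commit, which run the mesh playbook first and only then deploy-common to restrict SSH to the internal address; on a fresh host a full site run would apply that SSH restriction before the `inframesh` interface exists and could lock the controller out. If the order is deliberate because new hosts are bootstrapped by hand before a full run, a comment on the mesh import would make that explicit, e.g. `# mesh last: new hosts are bootstrapped manually (see registration notes) before a full site run`. Otherwise move the Wireguard Mesh import ahead of Common configurations. The enclosing playbook continues between the two hunks shown.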
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -0,0 +1,9 @@
 | 
			
		|||
Registering a new internal machine <hostname>:
 | 
			
		||||
 | 
			
		||||
1. Register <hostname>.pub.infra.hatecomputers.club A record -> public ipv4
 | 
			
		||||
2. Register <hostname>.int.infra.hatecomputers.club A record -> internal ipv4 in 10.155.0.0/16 subnet
 | 
			
		||||
3. Put it on the internal VPN. i.e. add <hostname>.pub... in the wireguard-mesh after allowing ssh to root and everything
 | 
			
		||||
4. Run the wireguard-mesh playbook
 | 
			
		||||
5. Update the inventory record in wireguard-mesh to <hostname>.int...
 | 
			
		||||
6. Now run the deploy-common playbook to allow ssh only internally, debugging as necessary if needed ; it should just work :))
 | 
			
		||||
7. Add your new roles!
 | 
			
		||||
| 
						 | 
				
			
			@ -1,10 +1,10 @@
 | 
			
		|||
---
 | 
			
		||||
 | 
			
		||||
host_domains:
 | 
			
		||||
  fern.hatecomputers.club:
 | 
			
		||||
    # - fern.hatecomputers.club
 | 
			
		||||
  fern.infra.hatecomputers.club:
 | 
			
		||||
    - fern.hatecomputers.club
 | 
			
		||||
    - auth.hatecomputers.club
 | 
			
		||||
    - mail.hatecomputers.club
 | 
			
		||||
  himmel.hatecomputers.club:
 | 
			
		||||
    # - himmel.hatecomputers.club
 | 
			
		||||
  himmel.infra.hatecomputers.club:
 | 
			
		||||
    - himmel.hatecomputers.club
 | 
			
		||||
    - git.hatecomputers.club
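Review bot: `fern.hatecomputers.club:` and `himmel.hatecomputers.club:` now carry only a commented-out entry, so YAML parses each value as `null` rather than an empty list, and whatever iterates `host_domains` (the nginx/certbot roles, not visible here) will see a null where it presumably expects a sequence. If the keys are meant to stay with no domains, write `fern.hatecomputers.club: []` and `himmel.hatecomputers.club: []`; if they are no longer needed, remove them rather than leaving bare keys.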
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -0,0 +1,4 @@
 | 
			
		|||
---
 | 
			
		||||
 | 
			
		||||
wireguard_listen_port: 51830
 | 
			
		||||
wireguard_subnet: 10.155.0.0/16
 | 
			
		||||
							
								
								
									
										29
									
								
								inventory
								
								
								
								
							
							
						
						
									
										29
									
								
								inventory
								
								
								
								
							| 
						 | 
				
			
			@ -1,24 +1,31 @@
 | 
			
		|||
[docker]
 | 
			
		||||
fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
fern.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
himmel.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
 | 
			
		||||
[host_domains]
 | 
			
		||||
fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
fern.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
himmel.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
 | 
			
		||||
[nginx]
 | 
			
		||||
fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
fern.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
himmel.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
 | 
			
		||||
[certbot]
 | 
			
		||||
fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
fern.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
himmel.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
 | 
			
		||||
[kanidm]
 | 
			
		||||
fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
fern.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
 | 
			
		||||
[mail]
 | 
			
		||||
fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
fern.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
 | 
			
		||||
[gitea]
 | 
			
		||||
himmel.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
himmel.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
 | 
			
		||||
[wireguard-mesh]
 | 
			
		||||
himmel.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
fern.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
 | 
			
		||||
 | 
			
		||||
[wireguard-endpoint]
 | 
			
		||||
himmel.int.infra.hatecomputers.club  ansible_user=root ansible_connection=ssh
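Review bot: Each machine is now listed twice in the docker, host_domains, nginx, certbot, kanidm, mail and gitea groups (once as `fern.hatecomputers.club`, once as `fern.int.infra.hatecomputers.club`, likewise for himmel), and Ansible treats those as two separate hosts, so every role runs twice per box, once over the public address and once over the VPN, and facts registered on one entry are not visible under the other. Since the mesh template reads `hostvars[peer]` keyed by the `.int.` names, keep a single entry per machine, e.g. only the `.int.infra` lines in those groups once the mesh is up, as the registration notes describe, or use one inventory name with `ansible_host=` pointing at the address you want. Every entry also runs as `ansible_user=root`; if that is temporary until the TODO item on infra users lands, a comment saying so would help the next reader.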
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -0,0 +1,6 @@
 | 
			
		|||
---
 | 
			
		||||
 | 
			
		||||
- name: Wireguard-endpoint setup
 | 
			
		||||
  hosts: wireguard-endpoint
 | 
			
		||||
  roles:
 | 
			
		||||
    - wireguard-endpoint
 | 
			
		||||
| 
						 | 
				
			
			@ -0,0 +1,6 @@
 | 
			
		|||
---
 | 
			
		||||
 | 
			
		||||
- name: Wireguard-mesh setup
 | 
			
		||||
  hosts: wireguard-mesh
 | 
			
		||||
  roles:
 | 
			
		||||
    - wireguard-mesh
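Review bot: The wireguard-mesh role's template reads `hostvars[peer].wireguard_public_key` and `hostvars[peer].wireguard_preshared_keys` for every other host in the group, so this play is only correct when it runs against the whole `wireguard-mesh` group in a single run; `--limit`, `serial`, or a key-registration failure on one node leaves those hostvars undefined and the surviving hosts template a broken or partial peer list. Worth stating on the play and failing fast, e.g. `# must run against the whole group: peer keys are read from hostvars` followed by `any_errors_fatal: true`.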
 | 
			
		||||
| 
						 | 
				
			
			@ -0,0 +1 @@
 | 
			
		|||
wireguard.cfg
 | 
			
		||||
| 
						 | 
				
			
			@ -0,0 +1,40 @@
 | 
			
		|||
---
 | 
			
		||||
 | 
			
		||||
- name: Install wireguard
 | 
			
		||||
  ansible.builtin.apt:
 | 
			
		||||
    name:
 | 
			
		||||
      - wireguard
 | 
			
		||||
    state: latest
 | 
			
		||||
 | 
			
		||||
- name: Copy config
 | 
			
		||||
  ansible.builtin.copy:
 | 
			
		||||
    src: wireguard.cfg
 | 
			
		||||
    dest: /etc/wireguard/hatecomputers.conf
 | 
			
		||||
    owner: root
 | 
			
		||||
    group: root
 | 
			
		||||
    mode: 0600
 | 
			
		||||
 | 
			
		||||
- name: Enable and persist ip forwarding
 | 
			
		||||
  ansible.builtin.sysctl:
 | 
			
		||||
    name: net.ipv4.ip_forward
 | 
			
		||||
    value: "1"
 | 
			
		||||
    state: present
 | 
			
		||||
    sysctl_set: true
 | 
			
		||||
    reload: true
 | 
			
		||||
 | 
			
		||||
- name: Allow wireguard endpoint ufw
 | 
			
		||||
  ansible.builtin.ufw:
 | 
			
		||||
    rule: allow
 | 
			
		||||
    port: '51820'
 | 
			
		||||
    proto: 'udp'
 | 
			
		||||
 | 
			
		||||
- name: Start wireguard and enable on boot
 | 
			
		||||
  ansible.builtin.systemd:
 | 
			
		||||
    name: wg-quick@hatecomputers
 | 
			
		||||
    enabled: true
 | 
			
		||||
    state: started
 | 
			
		||||
 | 
			
		||||
- name: Hotreload wireguard
 | 
			
		||||
  ansible.builtin.shell: >
 | 
			
		||||
    bash -c
 | 
			
		||||
    "wg syncconf inframesh <(wg-quick strip inframesh)"
 | 
			
		||||
| 
						 | 
				
			
			@ -0,0 +1,80 @@
 | 
			
		|||
---
 | 
			
		||||
 | 
			
		||||
- name: Install wireguard
 | 
			
		||||
  ansible.builtin.apt:
 | 
			
		||||
    name:
 | 
			
		||||
      - wireguard
 | 
			
		||||
      - ufw
 | 
			
		||||
    state: present
 | 
			
		||||
 | 
			
		||||
- name: Get node ips from dns records
 | 
			
		||||
  ansible.builtin.shell: "dig +short {{ item }} | tail -n1"
 | 
			
		||||
  register: wireguard_node_ip
 | 
			
		||||
  with_items: "{{ groups['wireguard-mesh'] }}"
 | 
			
		||||
 | 
			
		||||
- name: Massage node ips
 | 
			
		||||
  ansible.builtin.set_fact: >
 | 
			
		||||
    wireguard_node_ips={{ wireguard_node_ips|default({})
 | 
			
		||||
    | combine( {item.item: item.stdout} ) }}
 | 
			
		||||
  with_items: "{{ wireguard_node_ip.results }}"
 | 
			
		||||
 | 
			
		||||
- name: Allow wireguard endpoint ufw
 | 
			
		||||
  ansible.builtin.ufw:
 | 
			
		||||
    rule: allow
 | 
			
		||||
    port: "{{ wireguard_listen_port }}"
 | 
			
		||||
    proto: 'udp'
 | 
			
		||||
 | 
			
		||||
- name: Generate Wireguard keypair
 | 
			
		||||
  ansible.builtin.shell: >
 | 
			
		||||
    wg genkey | tee /etc/wireguard/privatekey
 | 
			
		||||
    | wg pubkey | tee /etc/wireguard/publickey
 | 
			
		||||
  args:
 | 
			
		||||
    creates: /etc/wireguard/privatekey
 | 
			
		||||
 | 
			
		||||
- name: Register private key
 | 
			
		||||
  ansible.builtin.shell: cat /etc/wireguard/privatekey
 | 
			
		||||
  register: wireguard_private_key
 | 
			
		||||
  changed_when: false
 | 
			
		||||
 | 
			
		||||
- name: Register public key
 | 
			
		||||
  ansible.builtin.shell: cat /etc/wireguard/publickey
 | 
			
		||||
  register: wireguard_public_key
 | 
			
		||||
  changed_when: false
 | 
			
		||||
 | 
			
		||||
- name: Generate Preshared keyskeypair
 | 
			
		||||
  ansible.builtin.shell: "wg genpsk > /etc/wireguard/psk-{{ item }}"
 | 
			
		||||
  args:
 | 
			
		||||
    creates: "/etc/wireguard/psk-{{ item }}"
 | 
			
		||||
  when: inventory_hostname < item
 | 
			
		||||
  with_items: "{{ groups['wireguard-mesh'] }}"
 | 
			
		||||
 | 
			
		||||
- name: Register preshared key
 | 
			
		||||
  ansible.builtin.shell: "cat /etc/wireguard/psk-{{ item }}"
 | 
			
		||||
  register: wireguard_preshared_key
 | 
			
		||||
  changed_when: false
 | 
			
		||||
  when: inventory_hostname < item
 | 
			
		||||
  with_items: "{{ groups['wireguard-mesh'] }}"
 | 
			
		||||
 | 
			
		||||
- name: Massage preshared keys
 | 
			
		||||
  ansible.builtin.set_fact: >
 | 
			
		||||
    wireguard_preshared_keys={{ wireguard_preshared_keys|default({})
 | 
			
		||||
    | combine( {item.item: item.stdout} ) }}
 | 
			
		||||
  when: item.skipped is not defined
 | 
			
		||||
  with_items: "{{ wireguard_preshared_key.results }}"
 | 
			
		||||
 | 
			
		||||
- name: Build config
 | 
			
		||||
  ansible.builtin.template:
 | 
			
		||||
    src: inframesh.conf.j2
 | 
			
		||||
    dest: /etc/wireguard/inframesh.conf
 | 
			
		||||
    owner: root
 | 
			
		||||
    mode: 0640
 | 
			
		||||
 | 
			
		||||
- name: Enable wireguard
 | 
			
		||||
  ansible.builtin.systemd:
 | 
			
		||||
    name: wg-quick@inframesh
 | 
			
		||||
    enabled: true
 | 
			
		||||
 | 
			
		||||
- name: Hotreload wireguard
 | 
			
		||||
  ansible.builtin.shell: >
 | 
			
		||||
    bash -c
 | 
			
		||||
    "wg syncconf inframesh <(wg-quick strip inframesh)"
 | 
			
		||||
| 
						 | 
				
			
			@ -0,0 +1,17 @@
 | 
			
		|||
[Interface]
 | 
			
		||||
Address={{ wireguard_node_ips[inventory_hostname] }}/32
 | 
			
		||||
SaveConfig=true
 | 
			
		||||
ListenPort={{ wireguard_listen_port }}
 | 
			
		||||
PrivateKey={{ wireguard_private_key.stdout }}
 | 
			
		||||
 | 
			
		||||
{% for peer in groups['wireguard-mesh'] %}
 | 
			
		||||
{% if peer != inventory_hostname %}
 | 
			
		||||
 | 
			
		||||
[Peer]
 | 
			
		||||
PublicKey={{ hostvars[peer].wireguard_public_key.stdout }}
 | 
			
		||||
PresharedKey={{ wireguard_preshared_keys[peer] if inventory_hostname < peer else hostvars[peer].wireguard_preshared_keys[inventory_hostname] }}
 | 
			
		||||
AllowedIPs={{ wireguard_node_ips[peer] }}/32
 | 
			
		||||
Endpoint={{ peer | replace('.int.', '.pub.') }}:{{ wireguard_listen_port }}
 | 
			
		||||
 | 
			
		||||
{% endif %}
 | 
			
		||||
{% endfor %}
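Review bot: `SaveConfig=true` makes wg-quick rewrite `/etc/wireguard/inframesh.conf` from the running interface state every time the interface goes down, which clobbers the file that the `Build config` task templates, makes that task report a change on every run, and persists any peer that was added at runtime by hand or by a process with root; with Ansible owning the file it should be `SaveConfig=false` or omitted. `Address=` and `AllowedIPs=` come from `wireguard_node_ips`, the result of a run-time `dig` against the public `.int.infra` A records, so an empty or unexpected answer silently produces `Address=/32`; a comment at the top of the template such as `{# Address/AllowedIPs are resolved from the .int.infra A records at play time; they must exist before this role runs #}` would make that dependency visible. `AllowedIPs` as a single `/32` per peer keeps this a host-to-host mesh, which is the conservative choice and worth noting since `net.ipv4.ip_forward` is enabled by the endpoint role on the same host.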
 | 
			
		||||