basic done
parent
aa317319ea
commit
9f0338371f
|
@ -1,5 +1,7 @@
|
||||||
# -*- mode: ruby -*-
|
# -*- mode: ruby -*-
|
||||||
# vi: set ft=ruby :
|
# vi: set ft=ruby :
|
||||||
|
#
|
||||||
|
n_peer_nodes = 2
|
||||||
|
|
||||||
Vagrant.configure("2") do |config|
|
Vagrant.configure("2") do |config|
|
||||||
config.vm.box = "generic/ubuntu2004"
|
config.vm.box = "generic/ubuntu2004"
|
||||||
|
@ -25,11 +27,14 @@ Vagrant.configure("2") do |config|
|
||||||
ansible.playbook = "playbooks/server_init.yml"
|
ansible.playbook = "playbooks/server_init.yml"
|
||||||
ansible.become = true
|
ansible.become = true
|
||||||
ansible.host_key_checking = false
|
ansible.host_key_checking = false
|
||||||
ansible.verbose = "v"
|
ansible.verbose = "vv"
|
||||||
|
ansible.extra_vars = {
|
||||||
|
"n_peer_nodes" => n_peer_nodes
|
||||||
|
}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
(1..3).each do |i|
|
(1..n_peer_nodes).each do |i|
|
||||||
config.vm.define "kp-client#{i}" do |client|
|
config.vm.define "kp-client#{i}" do |client|
|
||||||
client.vm.hostname = "kp-client#{i}"
|
client.vm.hostname = "kp-client#{i}"
|
||||||
client.vm.network :private_network, ip: "192.168.123.1#{i}", :libvirt_network_mage => "kp_wg_network"
|
client.vm.network :private_network, ip: "192.168.123.1#{i}", :libvirt_network_mage => "kp_wg_network"
|
||||||
|
@ -41,6 +46,14 @@ Vagrant.configure("2") do |config|
|
||||||
libvirt.nested = true
|
libvirt.nested = true
|
||||||
libvirt.cpus = 1
|
libvirt.cpus = 1
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Ansible provisioning
|
||||||
|
client.vm.provision "server_init", type:'ansible' do |ansible|
|
||||||
|
ansible.playbook = "playbooks/peer_init.yml"
|
||||||
|
ansible.become = true
|
||||||
|
ansible.host_key_checking = false
|
||||||
|
ansible.verbose = "vv"
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
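Review bot: The peer provisioner added as `client.vm.provision "server_init", type:'ansible'` is named after the server playbook although it runs `playbooks/peer_init.yml`; rename it `client.vm.provision "peer_init", type:'ansible' do |ansible|` so `vagrant provision --provision-with` and the log lines identify the right step. Raising both provisioners to `ansible.verbose = "vv"` is also worth a second look: from `-v` upward Ansible prints each task's result, and the playbooks in this commit `register` the output of `cat /etc/wireguard/private.key` and `set_fact` the peer private keys, so those WireGuard private keys land in the `vagrant up` console output unless the tasks carry `no_log: true`. Lower verbosity alone does not fix that, so either mark the key-handling tasks `no_log` or keep `"vv"` out of the committed default. The `ansible.host_key_checking = false` copied into the peer block is reasonable for disposable libvirt VMs but deserves a one-line comment, e.g. `# lab only: VMs are rebuilt each run, so SSH host keys change`.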
@ -0,0 +1,33 @@
|
||||||
|
---
|
||||||
|
- hosts: all
|
||||||
|
become: yes
|
||||||
|
tasks:
|
||||||
|
- name: Install wireguard and ufw
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name:
|
||||||
|
- wireguard
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Get the machine hostname
|
||||||
|
ansible.builtin.shell: hostname
|
||||||
|
register: hostname_stdout
|
||||||
|
|
||||||
|
- name: Gather the root node public ip, and its privatekey
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
root_node_public_ip: "{{ lookup('file', './keys/root_node_public_ip.txt') }}"
|
||||||
|
root_node_public_key: "{{ lookup('file', './keys/root_node_public_key.txt') }}"
|
||||||
|
peer_id: " {{ hostname_stdout.stdout | regex_replace('^.*?(\\d+)$', '\\1') }}"
|
||||||
|
|
||||||
|
- name: Set privateky location
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
private_keyfile_location: "./keys/peer{{ peer_id | trim }}_private_key.txt"
|
||||||
|
|
||||||
|
- name: Read privatekey
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
peer_node_private_key: "{{ lookup('file', private_keyfile_location) }}"
|
||||||
|
|
||||||
|
|
||||||
|
- name: Install the peer wireguard template to the server
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "./templates/peer_wg0.conf"
|
||||||
|
dest: "/etc/wireguard/wg0.conf"
|
|
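Review bot: The `Install the peer wireguard template` task renders the peer's WireGuard private key into `/etc/wireguard/wg0.conf` without a `mode`, so the file takes the default permissions (typically 0644) and the key is readable by every local user; add `mode: "0600"`, `owner: root` and `group: root` under `dest`, mirroring the "permissions to the config are not too open" step the server playbook already has. The `Read privatekey` set_fact should carry `no_log: true`, otherwise Ansible echoes `peer_node_private_key` in verbose output. `peer_id` is built with a leading space in `" {{ hostname_stdout.stdout | regex_replace(...) }}"`, which every consumer then has to `trim` or `int` away; drop the space. The `hostname` shell task can also go: facts are gathered by default, so `peer_id: "{{ ansible_hostname | regex_replace('^.*?(\\d+)$', '\\1') }}"` gives the same value without a shell call that reports `changed` on every run. Unless a later commit adds it, nothing in this 33-line playbook enables or starts `wg-quick@wg0` on the peer the way the server playbook does.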
@ -1,6 +1,9 @@
|
||||||
---
|
---
|
||||||
- hosts: all
|
- hosts: all
|
||||||
become: yes
|
become: yes
|
||||||
|
vars:
|
||||||
|
peer_node_privkeys: []
|
||||||
|
peer_node_pubkeys: []
|
||||||
tasks:
|
tasks:
|
||||||
- name: Install wireguard and ufw
|
- name: Install wireguard and ufw
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
|
@ -12,13 +15,45 @@
|
||||||
- name: Generate a wireguard server privatekey
|
- name: Generate a wireguard server privatekey
|
||||||
ansible.builtin.shell: "wg genkey > /etc/wireguard/private.key"
|
ansible.builtin.shell: "wg genkey > /etc/wireguard/private.key"
|
||||||
|
|
||||||
|
- name: Read privatekey from the wireguard folder and generate public key
|
||||||
|
ansible.builtin.shell: "cat /etc/wireguard/private.key | wg pubkey"
|
||||||
|
register: root_node_public_key_stdout
|
||||||
|
|
||||||
- name: Read privatekey from the wireguard folder
|
- name: Read privatekey from the wireguard folder
|
||||||
ansible.builtin.shell: "cat /etc/wireguard/private.key"
|
ansible.builtin.shell: "cat /etc/wireguard/private.key"
|
||||||
register: server_private_key_stdout
|
register: root_node_private_key_stdout
|
||||||
|
|
||||||
|
- name: Create keys directory
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "/tmp/keys"
|
||||||
|
state: directory
|
||||||
|
|
||||||
- name: Set the file content to a variable
|
- name: Set the file content to a variable
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
server_private_key: "{{ server_private_key_stdout.stdout }}"
|
root_node_public_key: "{{ root_node_public_key_stdout.stdout }}"
|
||||||
|
root_node_private_key: "{{ root_node_private_key_stdout.stdout }}"
|
||||||
|
|
||||||
|
- name: Generate privatekeys for the peer nodes
|
||||||
|
ansible.builtin.shell: "wg genkey > /tmp/keys/peer{{ item }}_private_key.txt"
|
||||||
|
loop: "{{ range(1, n_peer_nodes + 1) | list }}"
|
||||||
|
|
||||||
|
- name: Generate pubkeys for the peer nodes
|
||||||
|
ansible.builtin.shell: "cat /tmp/keys/peer{{ item }}_private_key.txt | wg pubkey > /tmp/keys/peer{{ item }}_public_key.txt"
|
||||||
|
loop: "{{ range(1, n_peer_nodes + 1) | list }}"
|
||||||
|
|
||||||
|
- name: Copy generated private keys to temporal keys location
|
||||||
|
ansible.builtin.fetch:
|
||||||
|
src: "/tmp/keys/peer{{ item }}_private_key.txt"
|
||||||
|
dest: "./keys/peer{{ item }}_private_key.txt"
|
||||||
|
flat: yes
|
||||||
|
loop: "{{ range(1, n_peer_nodes + 1) | list }}"
|
||||||
|
|
||||||
|
- name: Copy generated public keys to temporal keys location
|
||||||
|
ansible.builtin.fetch:
|
||||||
|
src: "/tmp/keys/peer{{ item }}_public_key.txt"
|
||||||
|
dest: "./keys/peer{{ item }}_public_key.txt"
|
||||||
|
flat: yes
|
||||||
|
loop: "{{ range(1, n_peer_nodes + 1) | list }}"
|
||||||
|
|
||||||
- name: Get the default public interface
|
- name: Get the default public interface
|
||||||
ansible.builtin.shell: "ip route list | grep default | awk '{print $5}'"
|
ansible.builtin.shell: "ip route list | grep default | awk '{print $5}'"
|
||||||
|
@ -28,6 +63,14 @@
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
server_public_interface: "{{ server_public_interface_stdout.stdout }}"
|
server_public_interface: "{{ server_public_interface_stdout.stdout }}"
|
||||||
|
|
||||||
|
- name: Temporal remap of the interface to eth1
|
||||||
|
ansible.builtin.set_fact:
|
||||||
|
server_public_interface: "eth1"
|
||||||
|
|
||||||
|
- name: show the eth1 interface address
|
||||||
|
ansible.builtin.debug:
|
||||||
|
msg: "{{ ansible_eth1.ipv4.address }}"
|
||||||
|
|
||||||
- name: Protect the privatekey by allowing only the root user to read
|
- name: Protect the privatekey by allowing only the root user to read
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "/etc/wireguard/private.key"
|
path: "/etc/wireguard/private.key"
|
||||||
|
@ -46,7 +89,7 @@
|
||||||
|
|
||||||
- name: Install the server wireguard template to the server
|
- name: Install the server wireguard template to the server
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: "server_wg0.conf"
|
src: "./templates/server_wg0.conf"
|
||||||
dest: "/etc/wireguard/wg0.conf"
|
dest: "/etc/wireguard/wg0.conf"
|
||||||
|
|
||||||
- name: Ensure that the permissions to the config are not too open
|
- name: Ensure that the permissions to the config are not too open
|
||||||
|
@ -81,3 +124,17 @@
|
||||||
name: wg-quick@wg0.service
|
name: wg-quick@wg0.service
|
||||||
enabled: yes
|
enabled: yes
|
||||||
state: started
|
state: started
|
||||||
|
|
||||||
|
- name: Store the public to temportal directory so that the clients will be able to read it
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: "{{ root_node_public_key }}"
|
||||||
|
dest: "./keys/root_node_public_key.txt"
|
||||||
|
become: false
|
||||||
|
delegate_to: localhost
|
||||||
|
|
||||||
|
- name: Store the public ip of the node to temportal directory so that the clients will be able to read it
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: "{{ ansible_eth1.ipv4.address }}"
|
||||||
|
dest: "./keys/root_node_public_ip.txt"
|
||||||
|
become: false
|
||||||
|
delegate_to: localhost
|
||||||
|
|
|
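Review bot: Generating every peer's private key on the root node (`wg genkey > /tmp/keys/peer{{ item }}_private_key.txt`) and fetching it to the controller means the server, its `/tmp/keys` directory (created with no `mode`, and the redirect inherits the shell umask, typically leaving 0644 files) and the controller's `./keys/` all hold the peers' private keys in clear. The usual WireGuard layout is for each peer to run `wg genkey` locally in peer_init and only publish its public key; if the centralised flow is kept for the lab, at least lock the directory down, set the umask, avoid regenerating on re-runs, mark the tasks `no_log`, and remove `/tmp/keys` once fetched, as sketched below. `./keys/` also needs to be excluded from version control, which cannot be confirmed from this diff. Separately, `Temporal remap of the interface to eth1` unconditionally overwrites `server_public_interface`, so the `ip route list | grep default | awk` task above it is now dead; either remove it or comment why eth1 is forced, e.g. `# libvirt private_network is eth1; the default route is the NAT interface`. The `cat /etc/wireguard/private.key` task and the set_fact that stores `root_node_private_key` should be `no_log: true` for the same reason.
```yaml
    - name: Create keys directory
      ansible.builtin.file:
        path: "/tmp/keys"
        state: directory
        owner: root
        group: root
        mode: "0700"

    - name: Generate privatekeys for the peer nodes
      ansible.builtin.shell: "umask 077 && wg genkey > /tmp/keys/peer{{ item }}_private_key.txt"
      args:
        creates: "/tmp/keys/peer{{ item }}_private_key.txt"
      loop: "{{ range(1, n_peer_nodes + 1) | list }}"
      no_log: true

    # … unchanged: pubkey generation and the two fetch tasks …

    - name: Remove the temporary key material from the root node
      ansible.builtin.file:
        path: "/tmp/keys"
        state: absent
```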
@ -0,0 +1,10 @@
|
||||||
|
{% set peer_id_int = peer_id | int %}
|
||||||
|
{% set peer_ip = peer_id_int + 1 %}
|
||||||
|
[Interface]
|
||||||
|
PrivateKey = {{ peer_node_private_key }}
|
||||||
|
Address = 10.6.0.{{ peer_ip }}/24
|
||||||
|
|
||||||
|
[Peer]
|
||||||
|
PublicKey = {{ root_node_public_key }}
|
||||||
|
AllowedIPs = 10.6.0.0/24
|
||||||
|
Endpoint = {{ root_node_public_ip }}:51820
|
|
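Review bot: The address arithmetic at the top, `{% set peer_ip = peer_id_int + 1 %}`, silently reserves 10.6.0.1 for the root node and is the only place that offset is defined, so it deserves a comment such as `{# peer N gets 10.6.0.(N+1); .1 is the root node's address in server_wg0.conf #}`. Because `peer_id` arrives from peer_init with a leading space, the `| int` on the first line is what makes it usable; a note to that effect, or fixing the source, avoids surprise when someone reuses the variable. The rendered file embeds `peer_node_private_key`, so whichever task writes it must create it 0600; a header comment `{# contains the peer private key: install with mode 0600 #}` keeps that requirement next to the secret.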
@ -1,5 +1,5 @@
|
||||||
[Interface]
|
[Interface]
|
||||||
PrivateKey = {{ server_private_key }}
|
PrivateKey = {{ root_node_private_key }}
|
||||||
Address = 10.6.0.1/24
|
Address = 10.6.0.1/24
|
||||||
ListenPort = 51820
|
ListenPort = 51820
|
||||||
SaveConfig = true
|
SaveConfig = true
|