basic done

main
Gasper Spagnolo 2023-03-09 18:24:52 +01:00
parent aa317319ea
commit 9f0338371f
5 changed files with 121 additions and 8 deletions

vg/Vagrantfile vendored

@ -1,5 +1,7 @@
# -*- mode: ruby -*- # -*- mode: ruby -*-
# vi: set ft=ruby : # vi: set ft=ruby :
#
n_peer_nodes = 2
Vagrant.configure("2") do |config| Vagrant.configure("2") do |config|
config.vm.box = "generic/ubuntu2004" config.vm.box = "generic/ubuntu2004"
@ -25,11 +27,14 @@ Vagrant.configure("2") do |config|
ansible.playbook = "playbooks/server_init.yml" ansible.playbook = "playbooks/server_init.yml"
ansible.become = true ansible.become = true
ansible.host_key_checking = false ansible.host_key_checking = false
ansible.verbose = "v" ansible.verbose = "vv"
ansible.extra_vars = {
"n_peer_nodes" => n_peer_nodes
}
end end
end end
(1..3).each do |i| (1..n_peer_nodes).each do |i|
config.vm.define "kp-client#{i}" do |client| config.vm.define "kp-client#{i}" do |client|
client.vm.hostname = "kp-client#{i}" client.vm.hostname = "kp-client#{i}"
client.vm.network :private_network, ip: "192.168.123.1#{i}", :libvirt_network_mage => "kp_wg_network" client.vm.network :private_network, ip: "192.168.123.1#{i}", :libvirt_network_mage => "kp_wg_network"
@ -41,6 +46,14 @@ Vagrant.configure("2") do |config|
libvirt.nested = true libvirt.nested = true
libvirt.cpus = 1 libvirt.cpus = 1
end end
# Ansible provisioning
client.vm.provision "server_init", type:'ansible' do |ansible|
ansible.playbook = "playbooks/peer_init.yml"
ansible.become = true
ansible.host_key_checking = false
ansible.verbose = "vv"
end
end end
end end
end end
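Review bot: The peer provisioner added in the third hunk is registered as `server_init` (`client.vm.provision "server_init", type:'ansible'`) even though it runs `playbooks/peer_init.yml`; naming it `client.vm.provision "peer_init", type:'ansible' do |ansible|` keeps `vagrant provision --provision-with` and the log output unambiguous. That play reads `./keys/root_node_public_key.txt` and the per-peer private keys that `server_init.yml` fetches to the host, so it only succeeds if the root node is provisioned first; if the libvirt provider brings the machines up in parallel that ordering is not guaranteed, which deserves a comment next to the `(1..n_peer_nodes).each` loop. The `ansible.verbose = "vv"` change in the second hunk now applies to plays whose `set_fact` tasks hold WireGuard private keys, so those tasks need `no_log: true` before this verbosity level is left on.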


@ -0,0 +1,33 @@
---
- hosts: all
become: yes
tasks:
- name: Install wireguard and ufw
ansible.builtin.apt:
name:
- wireguard
state: present
- name: Get the machine hostname
ansible.builtin.shell: hostname
register: hostname_stdout
- name: Gather the root node public ip, and its privatekey
ansible.builtin.set_fact:
root_node_public_ip: "{{ lookup('file', './keys/root_node_public_ip.txt') }}"
root_node_public_key: "{{ lookup('file', './keys/root_node_public_key.txt') }}"
peer_id: " {{ hostname_stdout.stdout | regex_replace('^.*?(\\d+)$', '\\1') }}"
- name: Set privateky location
ansible.builtin.set_fact:
private_keyfile_location: "./keys/peer{{ peer_id | trim }}_private_key.txt"
- name: Read privatekey
ansible.builtin.set_fact:
peer_node_private_key: "{{ lookup('file', private_keyfile_location) }}"
- name: Install the peer wireguard template to the server
ansible.builtin.template:
src: "./templates/peer_wg0.conf"
dest: "/etc/wireguard/wg0.conf"
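Review bot: The template task at the end of the play writes the peer's private key into `/etc/wireguard/wg0.conf` without a `mode`, so the file gets default-umask permissions and is readable by every local user; as far as this section shows there is no follow-up permissions task like the one in `server_init.yml`, so the task should carry `mode: "0600"`. The `set_fact` that loads the key via `lookup('file', private_keyfile_location)` should also carry `no_log: true`, since the Vagrantfile in this commit runs the play with `ansible.verbose = "vv"` and `set_fact` results are echoed at that level. The leading space inside `peer_id: " {{ ... }}"` is what later forces the `| trim`; dropping it (`peer_id: "{{ hostname_stdout.stdout | regex_replace('^.*?(\\d+)$', '\\1') }}"`) removes the workaround. The `hostname` shell task can be replaced by the gathered `ansible_hostname` fact, and the task named "Install wireguard and ufw" installs only wireguard here.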


@ -1,6 +1,9 @@
--- ---
- hosts: all - hosts: all
become: yes become: yes
vars:
peer_node_privkeys: []
peer_node_pubkeys: []
tasks: tasks:
- name: Install wireguard and ufw - name: Install wireguard and ufw
ansible.builtin.apt: ansible.builtin.apt:
@ -12,13 +15,45 @@
- name: Generate a wireguard server privatekey - name: Generate a wireguard server privatekey
ansible.builtin.shell: "wg genkey > /etc/wireguard/private.key" ansible.builtin.shell: "wg genkey > /etc/wireguard/private.key"
- name: Read privatekey from the wireguard folder and generate public key
ansible.builtin.shell: "cat /etc/wireguard/private.key | wg pubkey"
register: root_node_public_key_stdout
- name: Read privatekey from the wireguard folder - name: Read privatekey from the wireguard folder
ansible.builtin.shell: "cat /etc/wireguard/private.key" ansible.builtin.shell: "cat /etc/wireguard/private.key"
register: server_private_key_stdout register: root_node_private_key_stdout
- name: Create keys directory
ansible.builtin.file:
path: "/tmp/keys"
state: directory
- name: Set the file content to a variable - name: Set the file content to a variable
ansible.builtin.set_fact: ansible.builtin.set_fact:
server_private_key: "{{ server_private_key_stdout.stdout }}" root_node_public_key: "{{ root_node_public_key_stdout.stdout }}"
root_node_private_key: "{{ root_node_private_key_stdout.stdout }}"
- name: Generate privatekeys for the peer nodes
ansible.builtin.shell: "wg genkey > /tmp/keys/peer{{ item }}_private_key.txt"
loop: "{{ range(1, n_peer_nodes + 1) | list }}"
- name: Generate pubkeys for the peer nodes
ansible.builtin.shell: "cat /tmp/keys/peer{{ item }}_private_key.txt | wg pubkey > /tmp/keys/peer{{ item }}_public_key.txt"
loop: "{{ range(1, n_peer_nodes + 1) | list }}"
- name: Copy generated private keys to temporal keys location
ansible.builtin.fetch:
src: "/tmp/keys/peer{{ item }}_private_key.txt"
dest: "./keys/peer{{ item }}_private_key.txt"
flat: yes
loop: "{{ range(1, n_peer_nodes + 1) | list }}"
- name: Copy generated public keys to temporal keys location
ansible.builtin.fetch:
src: "/tmp/keys/peer{{ item }}_public_key.txt"
dest: "./keys/peer{{ item }}_public_key.txt"
flat: yes
loop: "{{ range(1, n_peer_nodes + 1) | list }}"
- name: Get the default public interface - name: Get the default public interface
ansible.builtin.shell: "ip route list | grep default | awk '{print $5}'" ansible.builtin.shell: "ip route list | grep default | awk '{print $5}'"
@ -28,6 +63,14 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
server_public_interface: "{{ server_public_interface_stdout.stdout }}" server_public_interface: "{{ server_public_interface_stdout.stdout }}"
- name: Temporal remap of the interface to eth1
ansible.builtin.set_fact:
server_public_interface: "eth1"
- name: show the eth1 interface address
ansible.builtin.debug:
msg: "{{ ansible_eth1.ipv4.address }}"
- name: Protect the privatekey by allowing only the root user to read - name: Protect the privatekey by allowing only the root user to read
ansible.builtin.file: ansible.builtin.file:
path: "/etc/wireguard/private.key" path: "/etc/wireguard/private.key"
@ -46,7 +89,7 @@
- name: Install the server wireguard template to the server - name: Install the server wireguard template to the server
ansible.builtin.template: ansible.builtin.template:
src: "server_wg0.conf" src: "./templates/server_wg0.conf"
dest: "/etc/wireguard/wg0.conf" dest: "/etc/wireguard/wg0.conf"
- name: Ensure that the permissions to the config are not too open - name: Ensure that the permissions to the config are not too open
@ -81,3 +124,17 @@
name: wg-quick@wg0.service name: wg-quick@wg0.service
enabled: yes enabled: yes
state: started state: started
- name: Store the public to temportal directory so that the clients will be able to read it
ansible.builtin.copy:
content: "{{ root_node_public_key }}"
dest: "./keys/root_node_public_key.txt"
become: false
delegate_to: localhost
- name: Store the public ip of the node to temportal directory so that the clients will be able to read it
ansible.builtin.copy:
content: "{{ ansible_eth1.ipv4.address }}"
dest: "./keys/root_node_public_ip.txt"
become: false
delegate_to: localhost
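Review bot: The peer private keys generated in the second hunk are written with `wg genkey > /tmp/keys/peer{{ item }}_private_key.txt` into a directory created without a `mode`, so the directory and the key files get default-umask permissions on the server and remain there after the `fetch`; the `Create keys directory` task should set `mode: "0700"` and the directory should be removed (`state: absent`) once the keys are fetched. The same shell tasks have no `creates:` guard, so a second `vagrant provision` regenerates every peer key while peers already hold configs built from the previous ones; `args: creates: "/tmp/keys/peer{{ item }}_private_key.txt"` on the genkey task (and the matching public-key path on the pubkey task) keeps the play idempotent. The `set_fact` storing `root_node_private_key` and the two fetch tasks should carry `no_log: true` now that the Vagrantfile runs with `ansible.verbose = "vv"`. The `Temporal remap of the interface to eth1` task in the third hunk overrides the value computed by the preceding `ip route` tasks, leaving them dead; if the remap is meant to stay, drop the earlier tasks, otherwise a TODO stating when it can be removed would help.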


@ -0,0 +1,10 @@
{% set peer_id_int = peer_id | int %}
{% set peer_ip = peer_id_int + 1 %}
[Interface]
PrivateKey = {{ peer_node_private_key }}
Address = 10.6.0.{{ peer_ip }}/24
[Peer]
PublicKey = {{ root_node_public_key }}
AllowedIPs = 10.6.0.0/24
Endpoint = {{ root_node_public_ip }}:51820
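Review bot: The two `{% set %}` lines at the top of the template each leave an empty line in the rendered `/etc/wireguard/wg0.conf`; writing them as `{%- set peer_id_int = peer_id | int -%}` and `{%- set peer_ip = peer_id_int + 1 -%}` strips that whitespace. Deriving the address as `peer_id + 1` keeps peers off the server's `10.6.0.1`, but nothing bounds `peer_id`, so a comment stating the supported range (`n_peer_nodes` at most 253 for the /24) would document the limit. Since this file embeds the private key, its on-disk permissions depend entirely on the template task in `peer_init.yml` setting a restrictive mode.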


@ -1,5 +1,5 @@
[Interface] [Interface]
PrivateKey = {{ server_private_key }} PrivateKey = {{ root_node_private_key }}
Address = 10.6.0.1/24 Address = 10.6.0.1/24
ListenPort = 51820 ListenPort = 51820
SaveConfig = true SaveConfig = true