basic done
parent
aa317319ea
commit
9f0338371f
|
@ -1,5 +1,7 @@
|
|||
# -*- mode: ruby -*-
|
||||
# vi: set ft=ruby :
|
||||
#
|
||||
n_peer_nodes = 2
|
||||
|
||||
Vagrant.configure("2") do |config|
|
||||
config.vm.box = "generic/ubuntu2004"
|
||||
|
@ -25,11 +27,14 @@ Vagrant.configure("2") do |config|
|
|||
ansible.playbook = "playbooks/server_init.yml"
|
||||
ansible.become = true
|
||||
ansible.host_key_checking = false
|
||||
ansible.verbose = "v"
|
||||
ansible.verbose = "vv"
|
||||
ansible.extra_vars = {
|
||||
"n_peer_nodes" => n_peer_nodes
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
(1..3).each do |i|
|
||||
(1..n_peer_nodes).each do |i|
|
||||
config.vm.define "kp-client#{i}" do |client|
|
||||
client.vm.hostname = "kp-client#{i}"
|
||||
client.vm.network :private_network, ip: "192.168.123.1#{i}", :libvirt_network_mage => "kp_wg_network"
|
||||
|
@ -41,6 +46,14 @@ Vagrant.configure("2") do |config|
|
|||
libvirt.nested = true
|
||||
libvirt.cpus = 1
|
||||
end
|
||||
|
||||
# Ansible provisioning
|
||||
client.vm.provision "server_init", type:'ansible' do |ansible|
|
||||
ansible.playbook = "playbooks/peer_init.yml"
|
||||
ansible.become = true
|
||||
ansible.host_key_checking = false
|
||||
ansible.verbose = "vv"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
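Review bot: The new client provisioning block is registered under the name `"server_init"` while it runs `playbooks/peer_init.yml`; `client.vm.provision "peer_init", type: 'ansible' do |ansible|` keeps the provisioner name aligned with the playbook it runs and avoids confusion in `vagrant provision --provision-with` output. Raising `ansible.verbose` to `"vv"` for both the existing server play and this new client play makes Ansible print every registered result and `set_fact` value, and both playbooks place WireGuard private keys into facts, so either keep `"v"` or mark those tasks `no_log: true` on the playbook side. `ansible.host_key_checking = false` is the usual choice for throwaway local VMs whose host keys change on every `vagrant destroy`; a one-line comment saying so would help a later reader who sees it copied into a non-local inventory.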
@ -0,0 +1,33 @@
|
|||
---
|
||||
- hosts: all
|
||||
become: yes
|
||||
tasks:
|
||||
- name: Install wireguard and ufw
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- wireguard
|
||||
state: present
|
||||
|
||||
- name: Get the machine hostname
|
||||
ansible.builtin.shell: hostname
|
||||
register: hostname_stdout
|
||||
|
||||
- name: Gather the root node public ip, and its privatekey
|
||||
ansible.builtin.set_fact:
|
||||
root_node_public_ip: "{{ lookup('file', './keys/root_node_public_ip.txt') }}"
|
||||
root_node_public_key: "{{ lookup('file', './keys/root_node_public_key.txt') }}"
|
||||
peer_id: " {{ hostname_stdout.stdout | regex_replace('^.*?(\\d+)$', '\\1') }}"
|
||||
|
||||
- name: Set privateky location
|
||||
ansible.builtin.set_fact:
|
||||
private_keyfile_location: "./keys/peer{{ peer_id | trim }}_private_key.txt"
|
||||
|
||||
- name: Read privatekey
|
||||
ansible.builtin.set_fact:
|
||||
peer_node_private_key: "{{ lookup('file', private_keyfile_location) }}"
|
||||
|
||||
|
||||
- name: Install the peer wireguard template to the server
|
||||
ansible.builtin.template:
|
||||
src: "./templates/peer_wg0.conf"
|
||||
dest: "/etc/wireguard/wg0.conf"
|
|
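Review bot: The `Install the peer wireguard template to the server` task writes `PrivateKey` into `/etc/wireguard/wg0.conf` without a `mode`, so the file is created with the template module's default permissions; the server playbook has a separate `Ensure that the permissions to the config are not too open` task, but this new playbook has no counterpart. Add `mode: "0600"` under `dest:` so the private key is root-readable only from the moment the file exists. The `Read privatekey` `set_fact` and the template task both echo the key in task output at the `-vv` verbosity the Vagrantfile now configures, so both should carry `no_log: true`. The leading space in `peer_id: " {{ hostname_stdout.stdout | regex_replace('^.*?(\\d+)$', '\\1') }}"` is what forces the later `| trim`; dropping it removes that need, and the `ansible_hostname` fact would replace the `shell: hostname` task without spawning a shell.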
@ -1,6 +1,9 @@
|
|||
---
|
||||
- hosts: all
|
||||
become: yes
|
||||
vars:
|
||||
peer_node_privkeys: []
|
||||
peer_node_pubkeys: []
|
||||
tasks:
|
||||
- name: Install wireguard and ufw
|
||||
ansible.builtin.apt:
|
||||
|
@ -12,13 +15,45 @@
|
|||
- name: Generate a wireguard server privatekey
|
||||
ansible.builtin.shell: "wg genkey > /etc/wireguard/private.key"
|
||||
|
||||
- name: Read privatekey from the wireguard folder and generate public key
|
||||
ansible.builtin.shell: "cat /etc/wireguard/private.key | wg pubkey"
|
||||
register: root_node_public_key_stdout
|
||||
|
||||
- name: Read privatekey from the wireguard folder
|
||||
ansible.builtin.shell: "cat /etc/wireguard/private.key"
|
||||
register: server_private_key_stdout
|
||||
register: root_node_private_key_stdout
|
||||
|
||||
- name: Create keys directory
|
||||
ansible.builtin.file:
|
||||
path: "/tmp/keys"
|
||||
state: directory
|
||||
|
||||
- name: Set the file content to a variable
|
||||
ansible.builtin.set_fact:
|
||||
server_private_key: "{{ server_private_key_stdout.stdout }}"
|
||||
root_node_public_key: "{{ root_node_public_key_stdout.stdout }}"
|
||||
root_node_private_key: "{{ root_node_private_key_stdout.stdout }}"
|
||||
|
||||
- name: Generate privatekeys for the peer nodes
|
||||
ansible.builtin.shell: "wg genkey > /tmp/keys/peer{{ item }}_private_key.txt"
|
||||
loop: "{{ range(1, n_peer_nodes + 1) | list }}"
|
||||
|
||||
- name: Generate pubkeys for the peer nodes
|
||||
ansible.builtin.shell: "cat /tmp/keys/peer{{ item }}_private_key.txt | wg pubkey > /tmp/keys/peer{{ item }}_public_key.txt"
|
||||
loop: "{{ range(1, n_peer_nodes + 1) | list }}"
|
||||
|
||||
- name: Copy generated private keys to temporal keys location
|
||||
ansible.builtin.fetch:
|
||||
src: "/tmp/keys/peer{{ item }}_private_key.txt"
|
||||
dest: "./keys/peer{{ item }}_private_key.txt"
|
||||
flat: yes
|
||||
loop: "{{ range(1, n_peer_nodes + 1) | list }}"
|
||||
|
||||
- name: Copy generated public keys to temporal keys location
|
||||
ansible.builtin.fetch:
|
||||
src: "/tmp/keys/peer{{ item }}_public_key.txt"
|
||||
dest: "./keys/peer{{ item }}_public_key.txt"
|
||||
flat: yes
|
||||
loop: "{{ range(1, n_peer_nodes + 1) | list }}"
|
||||
|
||||
- name: Get the default public interface
|
||||
ansible.builtin.shell: "ip route list | grep default | awk '{print $5}'"
|
||||
|
@ -28,6 +63,14 @@
|
|||
ansible.builtin.set_fact:
|
||||
server_public_interface: "{{ server_public_interface_stdout.stdout }}"
|
||||
|
||||
- name: Temporal remap of the interface to eth1
|
||||
ansible.builtin.set_fact:
|
||||
server_public_interface: "eth1"
|
||||
|
||||
- name: show the eth1 interface address
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ ansible_eth1.ipv4.address }}"
|
||||
|
||||
- name: Protect the privatekey by allowing only the root user to read
|
||||
ansible.builtin.file:
|
||||
path: "/etc/wireguard/private.key"
|
||||
|
@ -46,7 +89,7 @@
|
|||
|
||||
- name: Install the server wireguard template to the server
|
||||
ansible.builtin.template:
|
||||
src: "server_wg0.conf"
|
||||
src: "./templates/server_wg0.conf"
|
||||
dest: "/etc/wireguard/wg0.conf"
|
||||
|
||||
- name: Ensure that the permissions to the config are not too open
|
||||
|
@ -81,3 +124,17 @@
|
|||
name: wg-quick@wg0.service
|
||||
enabled: yes
|
||||
state: started
|
||||
|
||||
- name: Store the public to temportal directory so that the clients will be able to read it
|
||||
ansible.builtin.copy:
|
||||
content: "{{ root_node_public_key }}"
|
||||
dest: "./keys/root_node_public_key.txt"
|
||||
become: false
|
||||
delegate_to: localhost
|
||||
|
||||
- name: Store the public ip of the node to temportal directory so that the clients will be able to read it
|
||||
ansible.builtin.copy:
|
||||
content: "{{ ansible_eth1.ipv4.address }}"
|
||||
dest: "./keys/root_node_public_ip.txt"
|
||||
become: false
|
||||
delegate_to: localhost
|
||||
|
|
|
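Review bot: The peer private keys written by `wg genkey > /tmp/keys/peer{{ item }}_private_key.txt` land in a `/tmp/keys` directory that the `Create keys directory` task creates without a `mode`, and the files get the shell's default umask, so any local user on the root node can read every peer's private key; the playbook never removes the directory after the `fetch` tasks either. The two `wg genkey` shell tasks are also not idempotent: each re-run of `vagrant provision` silently rotates the peer keys while already-provisioned clients keep the old ones, which breaks the tunnel without any error. The `cat /etc/wireguard/private.key` task and the `set_fact` that stores `root_node_private_key` print the key in task output at the `-vv` verbosity the Vagrantfile now sets unless they carry `no_log: true`; the same applies to the `peer_node_private_key` fact in peer_init.yml. A minimal fix touching only the affected tasks is below.
```yaml
- name: Read privatekey from the wireguard folder
  ansible.builtin.shell: "cat /etc/wireguard/private.key"
  register: root_node_private_key_stdout
  no_log: true

- name: Create keys directory
  ansible.builtin.file:
    path: "/tmp/keys"
    state: directory
    mode: "0700"

- name: Set the file content to a variable
  ansible.builtin.set_fact:
    root_node_public_key: "{{ root_node_public_key_stdout.stdout }}"
    root_node_private_key: "{{ root_node_private_key_stdout.stdout }}"
  no_log: true

- name: Generate privatekeys for the peer nodes
  ansible.builtin.shell: "umask 077 && wg genkey > /tmp/keys/peer{{ item }}_private_key.txt"
  args:
    creates: "/tmp/keys/peer{{ item }}_private_key.txt"
  loop: "{{ range(1, n_peer_nodes + 1) | list }}"

# … unchanged: pubkey generation, fetch tasks, interface detection, service and copy tasks …
```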
@ -0,0 +1,10 @@
|
|||
{% set peer_id_int = peer_id | int %}
|
||||
{% set peer_ip = peer_id_int + 1 %}
|
||||
[Interface]
|
||||
PrivateKey = {{ peer_node_private_key }}
|
||||
Address = 10.6.0.{{ peer_ip }}/24
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ root_node_public_key }}
|
||||
AllowedIPs = 10.6.0.0/24
|
||||
Endpoint = {{ root_node_public_ip }}:51820
|
|
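Review bot: `{% set peer_id_int = peer_id | int %}` silently yields 0 when `peer_id` does not hold a number (the `regex_replace` in peer_init.yml leaves the whole hostname in place when its pattern does not match), so `peer_ip` becomes 1 and the peer is rendered with `Address = 10.6.0.1/24`, the same address as the root node. With the current Vagrantfile every hostname ends in a digit, so this is latent, but the derivation should fail rather than collide: either assert in peer_init.yml before templating that `peer_id | trim` matches `^[0-9]+$`, or pass the peer index explicitly through `ansible.extra_vars` as the server play already does for `n_peer_nodes`. The template also sets no `PersistentKeepalive`, which peers behind NAT usually need; whether that applies here depends on the network layout, which this page does not show.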
@ -1,5 +1,5 @@
|
|||
[Interface]
|
||||
PrivateKey = {{ server_private_key }}
|
||||
PrivateKey = {{ root_node_private_key }}
|
||||
Address = 10.6.0.1/24
|
||||
ListenPort = 51820
|
||||
SaveConfig = true
|