Add wireguard
All checks were successful
continuous-integration/drone/push Build is passing

This commit is contained in:
Kasper Juul Hermansen 2022-02-24 13:57:19 +01:00
parent 5f301ce32a
commit 1663a469c2
Signed by: kjuulh
GPG Key ID: 0F95C140730F2F23
11 changed files with 264 additions and 19 deletions

View File

@ -2,6 +2,14 @@
k3s_version: v1.22.3+k3s1
ansible_user: root
systemd_dir: /etc/systemd/system
systemd_network_dir: /etc/systemd/network
master_ip: "{{ hostvars[groups['serverctl_master_hosts'][0]]['ansible_host'] | default(groups['serverctl_master_hosts'][0]) }}"
extra_server_args: ""
extra_agent_args: ""
ansible_become_method: su
ufw_enabled: true
wireguard_mask_bits: 24
wireguard_port: 51871

View File

@ -0,0 +1,18 @@
[serverctl_master_hosts]
[serverctl_node_hosts]
[serverctl_mesh_nodes]
65.21.50.146 ansible_host=65.21.50.146 wireguard_ip=192.168.0.1
65.21.251.3 ansible_host=65.21.251.3 wireguard_ip=192.168.0.2
65.21.255.102 ansible_host=65.21.255.102 wireguard_ip=192.168.0.3
95.216.162.16 ansible_host=95.216.162.16 wireguard_ip=192.168.0.4
[serverctl_mesh_nodes:vars]
pipelining=true
ansible_ssh_user=root
ansible_ssh_port=22
[serverctl_cluster:children]
serverctl_master_hosts
serverctl_node_hosts

View File

@ -0,0 +1,7 @@
---
- hosts: serverctl_mesh_nodes
gather_facts: yes
tasks:
- name: ping
command: "ping -c3 {{ hostvars[item].wireguard_ip}}"
with_items: "{{groups['all']}}"

View File

@ -0,0 +1,7 @@
---
- name: systemd network restart
service:
name: systemd-networkd
state: restarted
enabled: yes
become: yes

View File

@ -0,0 +1,128 @@
---
- name: update packages
apt:
update_cache: yes
cache_valid_time: 3600
become: yes
- name: install ufw
apt:
name: ufw
state: present
become: yes
when: ufw_enabled
- name: Allow SSH in UFW
ufw:
rule: allow
port: "{{ ansible_ssh_port }}"
proto: tcp
become: yes
when: ufw_enabled
- name: Set ufw logging
ufw:
logging: "on"
become: yes
when: ufw_enabled
- name: inter-node Wireguard UFW connectivity
ufw:
rule: allow
src: "{{ hostvars[item].wireguard_ip }}"
with_items: "{{ groups['all'] }}"
become: yes
when: ufw_enabled and item != inventory_hostname
- name: Reject everything and enable UFW
ufw:
state: enabled
policy: reject
log: yes
become: yes
when: ufw_enabled
- name: enable and persist ip forwarding
sysctl:
name: net.ipv4.ip_forward
value: "1"
state: present
sysctl_set: yes
reload: yes
- name: install wireguard
apt:
name: wireguard
state: present
become: yes
- name: generate wireguard keypair
shell: wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
args:
creates: /etc/wireguard/privatekey
become: yes
- name: register private key
shell: cat /etc/wireguard/privatekey
register: wireguard_private_key
changed_when: false
become: yes
- name: register public key
shell: cat /etc/wireguard/publickey
register: wireguard_public_key
changed_when: false
become: yes
- name: generate preshared keypair
shell: "wg genpsk > /etc/wireguard/psk-{{item}}"
args:
creates: "/etc/wireguard/psk-{{item}}"
when: inventory_hostname < item
with_items: "{{groups['serverctl_mesh_nodes']}}"
become: yes
- name: register preshared key
shell: "cat /etc/wireguard/psk-{{item}}"
register: wireguard_preshared_key
changed_when: false
when: inventory_hostname < item
with_items: "{{groups['serverctl_mesh_nodes']}}"
become: yes
- name: message preshared keys
set_fact: "wireguard_preshared_keys={{wireguard_preshared_keys|default({}) | combine({item.item: item.stdout})}}"
when: item.skipped is not defined
with_items: "{{wireguard_preshared_key.results}}"
become: yes
- name: Setup wgserverctl0 device
template:
src: 'systemd.netdev'
dest: '{{systemd_network_dir}}/99-wg0.netdev'
owner: root
group: systemd-network
mode: 0640
become: yes
notify: systemd network restart
- name: Setup wgserverctl0 network
template:
src: 'systemd.network'
dest: "{{systemd_network_dir}}/99-wg0.network"
owner: root
group: systemd-network
mode: 0640
become: yes
notify: systemd network restart
#- name: Start and enalbe wireguard on book
# systemd:
# name: wg-quick@wgserverctl0
# enabled: yes
# state: started
#- debug: msg="{{item.1}} - {{ (wireguard_base_ipv4|ipaddr(item.0 + 1)) }}"
# with_indexed_items: "{{groups.serverctl_mesh_nodes}}"

View File

@ -0,0 +1,20 @@
[NetDev]
Name=wg0
Kind=wireguard
Description=WireGuard tunnel wg0
[WireGuard]
ListenPort={{ wireguard_port }}
PrivateKey={{ wireguard_private_key.stdout }}
{% for peer in groups['serverctl_mesh_nodes'] %}
{% if peer != inventory_hostname %}
[WireGuardPeer]
PublicKey={{ hostvars[peer].wireguard_public_key.stdout }}
PresharedKey={{ wireguard_preshared_keys[peer] if inventory_hostname < peer else hostvars[peer].wireguard_preshared_keys[inventory_hostname] }}
AllowedIPs={{ hostvars[peer].wireguard_ip }}/32
Endpoint={{ hostvars[peer].ansible_host }}:{{ wireguard_port }}
PersistentKeepalive=25
{% endif %}
{% endfor %}

View File

@ -0,0 +1,5 @@
[Match]
Name=wg0
[Network]
Address={{ wireguard_ip }}/{{ wireguard_mask_bits }}

View File

@ -9,6 +9,13 @@
become: yes
roles:
- role: "./k3s/master"
- hosts: serverctl_mesh_nodes
become: yes
gather_facts: yes
roles:
- role: './wireguard/mesh'
#- hosts: serverctl_node_hosts
# become: yes
# roles:

View File

@ -1,4 +1,3 @@
variable "serverctl_master_count" {
default = 0
}
@ -7,6 +6,9 @@ variable "serverctl_node_count" {
default = 0
}
variable "serverctl_mesh_count" {
default = 4
}
resource "hcloud_placement_group" "serverctl_master" {
name = "serverctl_master_group"
@ -72,11 +74,44 @@ resource "hcloud_server" "serverctl_node" {
}
}
resource "hcloud_placement_group" "serverctl_mesh" {
name = "serverctl_mesh_group"
type = "spread"
}
resource "hcloud_server" "serverctl_mesh" {
count = var.serverctl_mesh_count
name = "serverctl-mesh-${count.index}"
image = "debian-11"
server_type = "cx11"
ssh_keys = [
var.hcloud_serverctl_ssh_key_id
]
placement_group_id = hcloud_placement_group.serverctl_mesh.id
lifecycle {
create_before_destroy = true
}
provisioner "remote-exec" {
inline = ["sudo apt update", "sudo apt install python3 -y", "echo Done!"]
connection {
host = self.ipv4_address
type = "ssh"
user = "root"
private_key = file(var.pvt_key)
}
}
}
resource "local_file" "hosts_cfg" {
content = templatefile("${path.module}/templates/hosts.tpl",
content = templatefile("${path.module}/templates/hosts.tftpl",
{
serverctl_masters = hcloud_server.serverctl_master.*.ipv4_address
serverctl_nodes = hcloud_server.serverctl_node.*.ipv4_address
serverctl_mesh_nodes = hcloud_server.serverctl_mesh.*.ipv4_address
}
)
filename = "ansible/inventory/hosts.cfg"

View File

@ -0,0 +1,23 @@
[serverctl_master_hosts]
%{ for ip in serverctl_masters ~}
${ip}
%{ endfor ~}
[serverctl_node_hosts]
%{ for ip in serverctl_nodes ~}
${ip}
%{ endfor ~}
[serverctl_mesh_nodes]
%{ for ip in serverctl_mesh_nodes ~}
${ip} ansible_host=${ip} wireguard_ip=${cidrhost("192.168.0.0/24", index(serverctl_mesh_nodes, ip) + 1)}
%{ endfor ~}
[serverctl_mesh_nodes:vars]
pipelining=true
ansible_ssh_user=root
ansible_ssh_port=22
[serverctl_cluster:children]
serverctl_master_hosts
serverctl_node_hosts

View File

@ -1,13 +0,0 @@
[serverctl_master_hosts]
%{ for ip in serverctl_masters ~}
${ip}
%{ endfor ~}
[serverctl_node_hosts]
%{ for ip in serverctl_nodes ~}
${ip}
%{ endfor ~}
[serverctl_cluster:children]
serverctl_master_hosts
serverctl_node_hosts