Add homeserver to infra

2022-02-24 21:36:07 +01:00
parent 9eaca5ae11
commit 5c9f96be8e
13 changed files with 171 additions and 86 deletions
--- a/infrastructure/create-resources/ansible/roles/wireguard/mesh/tasks/main.yml
+++ b/infrastructure/create-resources/ansible/roles/wireguard/mesh/tasks/main.yml
@@ -1,93 +1,54 @@
 ---
- name: update packages
-  apt:
-    update_cache: yes
-    cache_valid_time: 3600
-  become: yes
-
- name: install ufw
-  apt:
-    name: ufw
-    state: present
-  become: yes
-  when: ufw_enabled
-
- name: Allow SSH in UFW
-  ufw:
-    rule: allow
-    port: "{{ ansible_ssh_port }}"
-    proto: tcp
-  become: yes
-  when: ufw_enabled
-
- name: Set ufw logging
-  ufw:
-    logging: "on"
-  become: yes
-  when: ufw_enabled
-
- name: inter-node Wireguard UFW connectivity
-  ufw:
-    rule: allow
-    src: "{{ hostvars[item].wireguard_ip }}"
-  with_items: "{{ groups['all'] }}"
-  become: yes
-  when: ufw_enabled and item != inventory_hostname
-
- name: Reject everything and enable UFW
-  ufw:
-    state: enabled
-    policy: reject
-    log: yes
-  become: yes
-  when: ufw_enabled
-
- name: enable and persist ip forwarding
-  sysctl:
-    name: net.ipv4.ip_forward
-    value: "1"
-    state: present
-    sysctl_set: yes
-    reload: yes
+- name: Print distro
+  ansible.builtin.debug:
+    msg: Current distro {{ansible_distribution}}

 - name: install wireguard
  apt:
    name: wireguard
    state: present
  become: yes
+  when: ansible_distribution == 'Debian' or ansible_distribution == "Ubuntu"
+
+- name: install wireguard
+  pacman:
+    name: wireguard-tools
+    state: present
+  become: yes
+  when: ansible_distribution == "Archlinux"

 - name: generate wireguard keypair
-  shell: wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
+  shell: wg genkey | tee /etc/wireguard/serverctl-privatekey | wg pubkey | tee /etc/wireguard/serverctl-publickey
  args:
-    creates: /etc/wireguard/privatekey
+    creates: /etc/wireguard/serverctl-privatekey
  become: yes

 - name: register private key
-  shell: cat /etc/wireguard/privatekey
+  shell: cat /etc/wireguard/serverctl-privatekey
  register: wireguard_private_key
  changed_when: false
  become: yes

 - name: register public key
-  shell: cat /etc/wireguard/publickey
+  shell: cat /etc/wireguard/serverctl-publickey
  register: wireguard_public_key
  changed_when: false
  become: yes

 - name: generate preshared keypair
-  shell: "wg genpsk > /etc/wireguard/psk-{{item}}"
+  shell: "wg genpsk > /etc/wireguard/serverctl-psk-{{item}}"
  args:
-    creates: "/etc/wireguard/psk-{{item}}"
+    creates: "/etc/wireguard/serverctl-psk-{{item}}"
  when: inventory_hostname < item
-  with_items: "{{groups['serverctl_cluster']}}"
+  with_items: "{{groups['serverctl_super_cluster']}}"
  become: yes

 - name: register preshared key
-  shell: "cat /etc/wireguard/psk-{{item}}"
+  shell: "cat /etc/wireguard/serverctl-psk-{{item}}"
  register: wireguard_preshared_key
  changed_when: false
  when: inventory_hostname < item
-  with_items: "{{groups['serverctl_cluster']}}"
+  with_items: "{{groups['serverctl_super_cluster']}}"
  become: yes

 - name: message preshared keys
@@ -96,10 +57,15 @@
  with_items: "{{wireguard_preshared_key.results}}"
  become: yes

+#- name: print hostvars
+#  ansible.builtin.debug:
+#    msg: "{{hostvars[item]}}"
+#  with_items: "{{groups['serverctl_super_cluster']}}"
+
 - name: Setup wg0 device
  template:
    src: 'systemd.netdev'
-    dest: '{{systemd_network_dir}}/99-wg0.netdev'
+    dest: '{{systemd_network_dir}}/99-serverctl-wg0.netdev'
    owner: root
    group: systemd-network
    mode: 0640
@@ -109,7 +75,7 @@
 - name: Setup wg0 network
  template:
    src: 'systemd.network'
-    dest: "{{systemd_network_dir}}/99-wg0.network"
+    dest: "{{systemd_network_dir}}/99-serverctl-wg0.network"
    owner: root
    group: systemd-network
    mode: 0640
--- a/infrastructure/create-resources/ansible/roles/wireguard/mesh/templates/systemd.netdev
+++ b/infrastructure/create-resources/ansible/roles/wireguard/mesh/templates/systemd.netdev
@@ -1,20 +1,22 @@
 [NetDev]
-Name=wg0
+Name=serverctl-wg0
 Kind=wireguard
-Description=WireGuard tunnel wg0
+Description=WireGuard tunnel serverctl-wg0

 [WireGuard]
 ListenPort={{ wireguard_port }}
 PrivateKey={{ wireguard_private_key.stdout }}

-{% for peer in groups['serverctl_cluster'] %}
+{% for peer in groups['serverctl_super_cluster'] %}
 {% if peer != inventory_hostname %}

 [WireGuardPeer]
 PublicKey={{ hostvars[peer].wireguard_public_key.stdout }}
 PresharedKey={{ wireguard_preshared_keys[peer] if inventory_hostname < peer else hostvars[peer].wireguard_preshared_keys[inventory_hostname] }}
 AllowedIPs={{ hostvars[peer].wireguard_ip }}/32
+{% if not hostvars[peer].client_server %}
 Endpoint={{ hostvars[peer].ansible_host }}:{{ wireguard_port }}
 PersistentKeepalive=25
 {% endif %}
+{% endif %}
 {% endfor %}
--- a/infrastructure/create-resources/ansible/roles/wireguard/mesh/templates/systemd.network
+++ b/infrastructure/create-resources/ansible/roles/wireguard/mesh/templates/systemd.network
@@ -1,5 +1,5 @@
 [Match]
-Name=wg0
+Name=serverctl-wg0

 [Network]
 Address={{ wireguard_ip }}/{{ wireguard_mask_bits }}