From a4f9aa2d9830e9fdc3504a6d2842359ee4ab38f0 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Thu, 21 May 2020 15:27:09 +0200
Subject: [PATCH] Set up wireguard in dev cluster

---
 ansible/lxvm | 6 +--
 ansible/roles/consul/templates/consul.json.j2 | 6 +--
 ansible/roles/consul/templates/resolv.conf.j2 | 2 +-
 ansible/roles/network/handlers/main.yml | 5 ++
 ansible/roles/network/tasks/main.yml | 46 +++++++++++++++++++
 ansible/roles/network/templates/rules.v4.j2 | 4 +-
 .../roles/network/templates/wireguard.conf.j2 | 12 +++++
 ansible/roles/nomad/templates/nomad.hcl.j2 | 8 ++--
 ansible/roles/storage/tasks/main.yml | 4 +-
 9 files changed, 78 insertions(+), 15 deletions(-)
 create mode 100644 ansible/roles/network/handlers/main.yml
 create mode 100644 ansible/roles/network/templates/wireguard.conf.j2

diff --git a/ansible/lxvm b/ansible/lxvm
index 8d31f55..f5e517c 100644
--- a/ansible/lxvm
+++ b/ansible/lxvm
@@ -1,5 +1,5 @@
 [cluster_nodes]
 #ubuntu1 ansible_host=192.168.42.10
-debian1 ansible_host=192.168.42.20 ansible_user=root public_ip=192.168.42.20 private_ip=192.168.42.20 interface=enp1s0 dns_server=208.67.222.222
-debian2 ansible_host=192.168.42.21 ansible_user=root public_ip=192.168.42.21 private_ip=192.168.42.21 interface=enp1s0 dns_server=208.67.222.222
-debian3 ansible_host=192.168.42.22 ansible_user=root public_ip=192.168.42.22 private_ip=192.168.42.22 interface=enp1s0 dns_server=208.67.222.222
+debian1 ansible_host=192.168.42.20 ansible_user=root public_ip=192.168.42.20 dns_server=208.67.222.222 vpn_ip=10.68.70.11 public_vpn_port=51820
+debian2 ansible_host=192.168.42.21 ansible_user=root public_ip=192.168.42.21 dns_server=208.67.222.222 vpn_ip=10.68.70.12 public_vpn_port=51820
+debian3 ansible_host=192.168.42.22 ansible_user=root public_ip=192.168.42.22 dns_server=208.67.222.222 vpn_ip=10.68.70.13 public_vpn_port=51820
diff --git a/ansible/roles/consul/templates/consul.json.j2 b/ansible/roles/consul/templates/consul.json.j2
index b6c86aa..4a36dc2 100644
--- a/ansible/roles/consul/templates/consul.json.j2
+++ b/ansible/roles/consul/templates/consul.json.j2
@@ -1,14 +1,14 @@
 {
 "data_dir": "/var/lib/consul",
 "bind_addr": "0.0.0.0",
- "advertise_addr": "{{ public_ip }}",
+ "advertise_addr": "{{ vpn_ip }}",
 "addresses": {
 "dns": "0.0.0.0",
 "http": "0.0.0.0"
 },
 "retry_join": [
- {% for selected_host in groups['cluster_nodes']|reject("sameas", ansible_fqdn) %}{# @FIXME: Reject doesn't work #}
- "{{ hostvars[selected_host]['private_ip'] }}" {{ "," if not loop.last else "" }}
+ {% for selected_host in groups['cluster_nodes']|difference([inventory_hostname]) %}{# @FIXME: Reject doesn't work #}
+ "{{ hostvars[selected_host]['vpn_ip'] }}" {{ "," if not loop.last else "" }}
 {% endfor %}
 ],
 "bootstrap_expect": 3,
diff --git a/ansible/roles/consul/templates/resolv.conf.j2 b/ansible/roles/consul/templates/resolv.conf.j2
index 2404034..4da20b9 100644
--- a/ansible/roles/consul/templates/resolv.conf.j2
+++ b/ansible/roles/consul/templates/resolv.conf.j2
@@ -1,2 +1,2 @@
-nameserver {{ private_ip }}
+nameserver {{ vpn_ip }}
 nameserver {{ dns_server }}
diff --git a/ansible/roles/network/handlers/main.yml b/ansible/roles/network/handlers/main.yml
new file mode 100644
index 0000000..30bdf2b
--- /dev/null
+++ b/ansible/roles/network/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload wireguard
+ service:
+ name: wg-quick@wgdeuxfleurs
+ state: restarted
diff --git a/ansible/roles/network/tasks/main.yml b/ansible/roles/network/tasks/main.yml
index 1443e0c..e8e059a 100644
--- a/ansible/roles/network/tasks/main.yml
+++ b/ansible/roles/network/tasks/main.yml
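Review bot: The `{# @FIXME: Reject doesn't work #}` comment on the `{% for ... %}` line is stale now that the loop uses `difference([inventory_hostname])` instead of `reject("sameas", ansible_fqdn)`; drop it, or reword it to `{# difference() rather than reject(): the latter did not exclude the local host #}` so the next reader knows why the filter looks unusual. Separately, only `advertise_addr` moves to the VPN in this hunk: `bind_addr` stays `0.0.0.0`, so gossip and RPC still listen on the public interface and rely on the firewall alone to keep them off it; `"bind_addr": "{{ vpn_ip }}"` would make the tunnel the only cluster-communication path, while `addresses.dns`/`addresses.http` can stay as they are for local clients. The same advertise-only pattern appears in the nomad.hcl.j2 hunk below, where `advertise` moves to `vpn_ip` but the `addresses` block is not visible in the hunk, so I cannot tell what it binds to.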
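Review bot: Listing `nameserver {{ vpn_ip }}` first ties every lookup on the host to the tunnel being up: while `wg-quick@wgdeuxfleurs` is down or restarting, the resolver times out on the first entry before falling back to `{{ dns_server }}`. Since the consul DNS listener in consul.json.j2 stays on `0.0.0.0`, `nameserver 127.0.0.1` reaches the same agent without depending on the interface; if the intent is specifically to make the VPN address authoritative, a one-line comment above the entry saying so would help.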
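Review bot: `state: restarted` on `wg-quick@wgdeuxfleurs` tears the interface down and recreates it, which drops every established tunnel, and with it the routes consul, nomad and the gluster mount now depend on, each time a key or peer changes on any node. Recent wireguard-tools ship the wg-quick unit with an `ExecReload` that applies the stripped config via `wg syncconf` without touching the interface; if the backports package provides it, `state: reloaded` is the non-disruptive choice for peer/key updates, with `restarted` kept only for interface-level changes such as `Address` that syncconf does not reapply. Whichever is chosen, a comment on the handler stating the trade-off would save the next person from switching it back blindly.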
@@ -9,3 +9,49 @@
 name: net.ipv4.ip_forward
 value: "1"
 sysctl_set: yes
+
+# Wireguard configuration
+- name: "Enable backports repository"
+ apt_repository:
+ repo: deb http://deb.debian.org/debian buster-backports main
+ state: present
+
+- name: "Install wireguard"
+ apt:
+ name:
+ - wireguard
+ - wireguard-tools
+ - "linux-headers-{{ ansible_kernel }}"
+ state: present
+
+- name: "Create wireguard configuration direcetory"
+ file: path=/etc/wireguard/ state=directory
+
+- name: "Check if wireguard private key exists"
+ stat: path=/etc/wireguard/privkey
+ register: wireguard_privkey
+
+- name: "Create wireguard private key"
+ shell: wg genkey > /etc/wireguard/privkey
+ when: wireguard_privkey.stat.exists == false
+ notify:
+ - reload wireguard
+
+- name: "Secure wireguard private key"
+ file: path=/etc/wireguard/privkey mode=0600
+
+- name: "Retrieve wireguard private key"
+ shell: cat /etc/wireguard/privkey
+ register: wireguard_privkey
+
+- name: "Retrieve wireguard public key"
+ shell: wg pubkey < /etc/wireguard/privkey
+ register: wireguard_pubkey
+
+- name: "Deploy wireguard configuration"
+ template: src=wireguard.conf.j2 dest=/etc/wireguard/wgdeuxfleurs.conf mode=0600
+ notify:
+ - reload wireguard
+
+- name: "Enable Wireguard systemd service at boot"
+ service: name=wg-quick@wgdeuxfleurs state=started enabled=yes daemon_reload=yes
diff --git a/ansible/roles/network/templates/rules.v4.j2 b/ansible/roles/network/templates/rules.v4.j2
index a446139..ef2cf64 100644
--- a/ansible/roles/network/templates/rules.v4.j2
+++ b/ansible/roles/network/templates/rules.v4.j2
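Review bot: `Retrieve wireguard private key` registers the key's plaintext into `wireguard_privkey`, so it is printed under `-v`, passed to every callback plugin and kept in hostvars for the rest of the play; that task, and the `Deploy wireguard configuration` task whose `--diff` output would contain the rendered `PrivateKey` line, need `no_log: true`. Key generation also leaves a window: `wg genkey > /etc/wireguard/privkey` creates the file under the shell's default umask and only the later `Secure wireguard private key` task narrows it to 0600, so `umask 077 && wg genkey > /etc/wireguard/privkey` should create it restricted from the start. Smaller points in the same hunk: `register: wireguard_privkey` first holds the `stat` result and is then overwritten by the `cat` result, which reads confusingly; the two read-only `shell` tasks report changed on every run without `changed_when: false`; `when: wireguard_privkey.stat.exists == false` is spelled `when: not wireguard_privkey.stat.exists` in Ansible style; and the directory task name has a typo (`direcetory`). The sysctl task whose `name`/`value`/`sysctl_set` lines open the hunk starts outside it.
```yaml
# … unchanged: backports repository, package install, directory creation …
- name: "Check if wireguard private key exists"
  stat: path=/etc/wireguard/privkey
  register: wireguard_privkey_stat

- name: "Create wireguard private key"
  # umask first so the key is never readable by others, even before the chmod task below
  shell: umask 077 && wg genkey > /etc/wireguard/privkey
  when: not wireguard_privkey_stat.stat.exists
  notify:
    - reload wireguard

# … unchanged: chmod 0600 of the key file …

- name: "Retrieve wireguard private key"
  shell: cat /etc/wireguard/privkey
  register: wireguard_privkey
  changed_when: false
  no_log: true  # keeps the key out of task output, callbacks and logs

- name: "Retrieve wireguard public key"
  shell: wg pubkey < /etc/wireguard/privkey
  register: wireguard_pubkey
  changed_when: false

- name: "Deploy wireguard configuration"
  template: src=wireguard.conf.j2 dest=/etc/wireguard/wgdeuxfleurs.conf mode=0600
  no_log: true  # the rendered file contains PrivateKey; hides --diff output
  notify:
    - reload wireguard

# … unchanged: enable wg-quick service …
```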
@@ -10,8 +10,8 @@
 -A INPUT -s 192.168.1.254 -j ACCEPT
 -A INPUT -s 82.253.205.190 -j ACCEPT
 {% for selected_host in groups['cluster_nodes'] %}
--A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -j ACCEPT
--A INPUT -s {{ hostvars[selected_host]['private_ip'] }} -j ACCEPT
+-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -p udp --dport 51820 -j ACCEPT
+-A INPUT -s {{ hostvars[selected_host]['vpn_ip'] }} -j ACCEPT
 {% endfor %}
 
 # Local
diff --git a/ansible/roles/network/templates/wireguard.conf.j2 b/ansible/roles/network/templates/wireguard.conf.j2
new file mode 100644
index 0000000..907d546
--- /dev/null
+++ b/ansible/roles/network/templates/wireguard.conf.j2
@@ -0,0 +1,12 @@
+[Interface]
+Address = {{ vpn_ip }}
+PrivateKey = {{ wireguard_privkey.stdout }}
+ListenPort = 51820
+
+{% for selected_host in groups['cluster_nodes']|difference([inventory_hostname]) %}
+[Peer]
+PublicKey = {{ hostvars[selected_host].wireguard_pubkey.stdout }}
+Endpoint = {{ hostvars[selected_host].public_ip }}:{{ hostvars[selected_host].public_vpn_port }}
+AllowedIPs = {{ hostvars[selected_host].vpn_ip }}/32
+PersistentKeepalive = 25
+{% endfor %}
diff --git a/ansible/roles/nomad/templates/nomad.hcl.j2 b/ansible/roles/nomad/templates/nomad.hcl.j2
index b0be6a8..8d62d9b 100644
--- a/ansible/roles/nomad/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad/templates/nomad.hcl.j2
@@ -5,9 +5,9 @@ addresses {
 }
 
 advertise {
- http = "{{ public_ip }}"
- rpc = "{{ public_ip }}"
- serf = "{{ public_ip }}"
+ http = "{{ vpn_ip }}"
+ rpc = "{{ vpn_ip }}"
+ serf = "{{ vpn_ip }}"
 }
 
 data_dir = "/var/lib/nomad"
@@ -25,10 +25,10 @@ client {
 enabled = true
 #cpu_total_compute = 4000
 servers = ["127.0.0.1:4648"]
- network_interface = "{{ interface }}"
 options {
 docker.privileged.enabled = "true"
 docker.volumes.enabled = "true"
 }
+ network_interface = "wgdeuxfleurs"
 }
diff --git a/ansible/roles/storage/tasks/main.yml b/ansible/roles/storage/tasks/main.yml
index a1f2d8f..1bb8d16 100644
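Review bot: The new `-A INPUT -s {{ hostvars[selected_host]['vpn_ip'] }} -j ACCEPT` rule matches on source address only, so a packet arriving on the physical interface with a forged 10.68.70.x source is accepted by it as well, unless rp_filter or an earlier rule not visible here drops it; pinning the rule to the tunnel with `-A INPUT -i wgdeuxfleurs -s {{ hostvars[selected_host]['vpn_ip'] }} -j ACCEPT` makes the trust follow the authenticated interface rather than the address. The `--dport 51820` literal duplicates `ListenPort = 51820` in wireguard.conf.j2; a single variable for the local listen port would keep the firewall and the tunnel from diverging. The rule set continues outside the hunk.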
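Review bot: Rendering `hostvars[selected_host].wireguard_pubkey.stdout` for every peer requires that all cluster_nodes have already run the `Retrieve wireguard public key` task in this play; that holds for a full run under the default linear strategy, but a run restricted with `--limit` to a subset of hosts fails on an undefined attribute for the others. Storing the public key as a fact (`set_fact` with `cacheable: true`, given a fact cache) or reading it from a per-host file kept in the repository would decouple the template from play ordering. `ListenPort = 51820` is also hard-coded while the inventory carries a per-host `public_vpn_port`; if the two are meant to be equal, `ListenPort = {{ public_vpn_port }}` keeps them in one place, and if they may differ (NAT) a comment saying so would prevent someone "fixing" it. A `# Managed by Ansible (roles/network/templates/wireguard.conf.j2); local edits are overwritten` header would help whoever finds the file on the host.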
--- a/ansible/roles/storage/tasks/main.yml
+++ b/ansible/roles/storage/tasks/main.yml
@@ -48,7 +48,7 @@
 nfs.export-volumes: "off"
 cluster.lookup-optimize: "on"
- cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['private_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}"
+ cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['vpn_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}"
 run_once: true
 
 - name: "Create mountpoint"
@@ -61,7 +61,7 @@
 tags: gluster-fstab
 mount:
 path: /mnt/glusterfs
- src: "{{ private_ip }}:/donnees"
+ src: "{{ vpn_ip }}:/donnees"
 fstype: glusterfs
 opts: "defaults,_netdev,noauto,x-systemd.automount"
 state: present
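Review bot: Changing `src` to `{{ vpn_ip }}:/donnees` makes the glusterfs mount depend on `wg-quick@wgdeuxfleurs` being up, but the `opts` string only carries `_netdev` and `x-systemd.automount`, which order the mount after network-online rather than after the tunnel unit; adding `x-systemd.requires=wg-quick@wgdeuxfleurs.service` to `opts` gives the generated mount unit an explicit Requires=/After= on the tunnel, so an early access to /mnt/glusterfs at boot does not fail before the interface exists. In the first hunk the `cluster:` list now names peers by `vpn_ip`, but on an existing cluster the peers already probed under their `private_ip` addresses will most likely not be re-probed by this task alone, so the change looks safe for a fresh cluster and probably needs a manual peer migration otherwise; a short comment above `cluster:` recording that would help. Both hunks sit inside tasks whose first lines are outside the hunk.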