Set up wireguard in dev cluster

This commit is contained in:
Alex 2020-05-21 15:27:09 +02:00
parent 1a16fc7f9e
commit a4f9aa2d98
9 changed files with 78 additions and 15 deletions

View file

@ -1,5 +1,5 @@
[cluster_nodes] [cluster_nodes]
#ubuntu1 ansible_host=192.168.42.10 #ubuntu1 ansible_host=192.168.42.10
debian1 ansible_host=192.168.42.20 ansible_user=root public_ip=192.168.42.20 private_ip=192.168.42.20 interface=enp1s0 dns_server=208.67.222.222 debian1 ansible_host=192.168.42.20 ansible_user=root public_ip=192.168.42.20 dns_server=208.67.222.222 vpn_ip=10.68.70.11 public_vpn_port=51820
debian2 ansible_host=192.168.42.21 ansible_user=root public_ip=192.168.42.21 private_ip=192.168.42.21 interface=enp1s0 dns_server=208.67.222.222 debian2 ansible_host=192.168.42.21 ansible_user=root public_ip=192.168.42.21 dns_server=208.67.222.222 vpn_ip=10.68.70.12 public_vpn_port=51820
debian3 ansible_host=192.168.42.22 ansible_user=root public_ip=192.168.42.22 private_ip=192.168.42.22 interface=enp1s0 dns_server=208.67.222.222 debian3 ansible_host=192.168.42.22 ansible_user=root public_ip=192.168.42.22 dns_server=208.67.222.222 vpn_ip=10.68.70.13 public_vpn_port=51820

View file

@ -1,14 +1,14 @@
{ {
"data_dir": "/var/lib/consul", "data_dir": "/var/lib/consul",
"bind_addr": "0.0.0.0", "bind_addr": "0.0.0.0",
"advertise_addr": "{{ public_ip }}", "advertise_addr": "{{ vpn_ip }}",
"addresses": { "addresses": {
"dns": "0.0.0.0", "dns": "0.0.0.0",
"http": "0.0.0.0" "http": "0.0.0.0"
}, },
"retry_join": [ "retry_join": [
{% for selected_host in groups['cluster_nodes']|reject("sameas", ansible_fqdn) %}{# @FIXME: Reject doesn't work #} {% for selected_host in groups['cluster_nodes']|difference([inventory_hostname]) %}{# @FIXME: Reject doesn't work #}
"{{ hostvars[selected_host]['private_ip'] }}" {{ "," if not loop.last else "" }} "{{ hostvars[selected_host]['vpn_ip'] }}" {{ "," if not loop.last else "" }}
{% endfor %} {% endfor %}
], ],
"bootstrap_expect": 3, "bootstrap_expect": 3,

View file

@ -1,2 +1,2 @@
nameserver {{ private_ip }} nameserver {{ vpn_ip }}
nameserver {{ dns_server }} nameserver {{ dns_server }}

View file

@ -0,0 +1,5 @@
---
- name: reload wireguard
service:
name: wg-quick@wgdeuxfleurs
state: restarted

View file

@ -9,3 +9,49 @@
name: net.ipv4.ip_forward name: net.ipv4.ip_forward
value: "1" value: "1"
sysctl_set: yes sysctl_set: yes
# Wireguard configuration
- name: "Enable backports repository"
apt_repository:
repo: deb http://deb.debian.org/debian buster-backports main
state: present
- name: "Install wireguard"
apt:
name:
- wireguard
- wireguard-tools
- "linux-headers-{{ ansible_kernel }}"
state: present
- name: "Create wireguard configuration direcetory"
file: path=/etc/wireguard/ state=directory
- name: "Check if wireguard private key exists"
stat: path=/etc/wireguard/privkey
register: wireguard_privkey
- name: "Create wireguard private key"
shell: wg genkey > /etc/wireguard/privkey
when: wireguard_privkey.stat.exists == false
notify:
- reload wireguard
- name: "Secure wireguard private key"
file: path=/etc/wireguard/privkey mode=0600
- name: "Retrieve wireguard private key"
shell: cat /etc/wireguard/privkey
register: wireguard_privkey
- name: "Retrieve wireguard public key"
shell: wg pubkey < /etc/wireguard/privkey
register: wireguard_pubkey
- name: "Deploy wireguard configuration"
template: src=wireguard.conf.j2 dest=/etc/wireguard/wgdeuxfleurs.conf mode=0600
notify:
- reload wireguard
- name: "Enable Wireguard systemd service at boot"
service: name=wg-quick@wgdeuxfleurs state=started enabled=yes daemon_reload=yes

View file

@ -10,8 +10,8 @@
-A INPUT -s 192.168.1.254 -j ACCEPT -A INPUT -s 192.168.1.254 -j ACCEPT
-A INPUT -s 82.253.205.190 -j ACCEPT -A INPUT -s 82.253.205.190 -j ACCEPT
{% for selected_host in groups['cluster_nodes'] %} {% for selected_host in groups['cluster_nodes'] %}
-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -j ACCEPT -A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -p udp --dport 51820 -j ACCEPT
-A INPUT -s {{ hostvars[selected_host]['private_ip'] }} -j ACCEPT -A INPUT -s {{ hostvars[selected_host]['vpn_ip'] }} -j ACCEPT
{% endfor %} {% endfor %}
# Local # Local

View file

@ -0,0 +1,12 @@
[Interface]
Address = {{ vpn_ip }}
PrivateKey = {{ wireguard_privkey.stdout }}
ListenPort = 51820
{% for selected_host in groups['cluster_nodes']|difference([inventory_hostname]) %}
[Peer]
PublicKey = {{ hostvars[selected_host].wireguard_pubkey.stdout }}
Endpoint = {{ hostvars[selected_host].public_ip }}:{{ hostvars[selected_host].public_vpn_port }}
AllowedIPs = {{ hostvars[selected_host].vpn_ip }}/32
PersistentKeepalive = 25
{% endfor %}

View file

@ -5,9 +5,9 @@ addresses {
} }
advertise { advertise {
http = "{{ public_ip }}" http = "{{ vpn_ip }}"
rpc = "{{ public_ip }}" rpc = "{{ vpn_ip }}"
serf = "{{ public_ip }}" serf = "{{ vpn_ip }}"
} }
data_dir = "/var/lib/nomad" data_dir = "/var/lib/nomad"
@ -25,10 +25,10 @@ client {
enabled = true enabled = true
#cpu_total_compute = 4000 #cpu_total_compute = 4000
servers = ["127.0.0.1:4648"] servers = ["127.0.0.1:4648"]
network_interface = "{{ interface }}"
options { options {
docker.privileged.enabled = "true" docker.privileged.enabled = "true"
docker.volumes.enabled = "true" docker.volumes.enabled = "true"
} }
network_interface = "wgdeuxfleurs"
} }

View file

@ -48,7 +48,7 @@
nfs.export-volumes: "off" nfs.export-volumes: "off"
cluster.lookup-optimize: "on" cluster.lookup-optimize: "on"
cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['private_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}" cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['vpn_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}"
run_once: true run_once: true
- name: "Create mountpoint" - name: "Create mountpoint"
@ -61,7 +61,7 @@
tags: gluster-fstab tags: gluster-fstab
mount: mount:
path: /mnt/glusterfs path: /mnt/glusterfs
src: "{{ private_ip }}:/donnees" src: "{{ vpn_ip }}:/donnees"
fstype: glusterfs fstype: glusterfs
opts: "defaults,_netdev,noauto,x-systemd.automount" opts: "defaults,_netdev,noauto,x-systemd.automount"
state: present state: present