Set up wireguard in dev cluster
This commit is contained in:
parent
1a16fc7f9e
commit
a4f9aa2d98
9 changed files with 78 additions and 15 deletions
|
@ -1,5 +1,5 @@
|
||||||
[cluster_nodes]
|
[cluster_nodes]
|
||||||
#ubuntu1 ansible_host=192.168.42.10
|
#ubuntu1 ansible_host=192.168.42.10
|
||||||
debian1 ansible_host=192.168.42.20 ansible_user=root public_ip=192.168.42.20 private_ip=192.168.42.20 interface=enp1s0 dns_server=208.67.222.222
|
debian1 ansible_host=192.168.42.20 ansible_user=root public_ip=192.168.42.20 dns_server=208.67.222.222 vpn_ip=10.68.70.11 public_vpn_port=51820
|
||||||
debian2 ansible_host=192.168.42.21 ansible_user=root public_ip=192.168.42.21 private_ip=192.168.42.21 interface=enp1s0 dns_server=208.67.222.222
|
debian2 ansible_host=192.168.42.21 ansible_user=root public_ip=192.168.42.21 dns_server=208.67.222.222 vpn_ip=10.68.70.12 public_vpn_port=51820
|
||||||
debian3 ansible_host=192.168.42.22 ansible_user=root public_ip=192.168.42.22 private_ip=192.168.42.22 interface=enp1s0 dns_server=208.67.222.222
|
debian3 ansible_host=192.168.42.22 ansible_user=root public_ip=192.168.42.22 dns_server=208.67.222.222 vpn_ip=10.68.70.13 public_vpn_port=51820
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
{
|
{
|
||||||
"data_dir": "/var/lib/consul",
|
"data_dir": "/var/lib/consul",
|
||||||
"bind_addr": "0.0.0.0",
|
"bind_addr": "0.0.0.0",
|
||||||
"advertise_addr": "{{ public_ip }}",
|
"advertise_addr": "{{ vpn_ip }}",
|
||||||
"addresses": {
|
"addresses": {
|
||||||
"dns": "0.0.0.0",
|
"dns": "0.0.0.0",
|
||||||
"http": "0.0.0.0"
|
"http": "0.0.0.0"
|
||||||
},
|
},
|
||||||
"retry_join": [
|
"retry_join": [
|
||||||
{% for selected_host in groups['cluster_nodes']|reject("sameas", ansible_fqdn) %}{# @FIXME: Reject doesn't work #}
|
{% for selected_host in groups['cluster_nodes']|difference([inventory_hostname]) %}{# @FIXME: Reject doesn't work #}
|
||||||
"{{ hostvars[selected_host]['private_ip'] }}" {{ "," if not loop.last else "" }}
|
"{{ hostvars[selected_host]['vpn_ip'] }}" {{ "," if not loop.last else "" }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
],
|
],
|
||||||
"bootstrap_expect": 3,
|
"bootstrap_expect": 3,
|
||||||
|
|
|
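Review bot: `"bind_addr": "0.0.0.0"` is kept on the new side while `"advertise_addr"` moves to `{{ vpn_ip }}`, so Consul's serf and RPC listeners still accept connections on the public interface and are protected only by the iptables rules; binding with `"bind_addr": "{{ vpn_ip }}"` keeps cluster traffic on the tunnel, provided the `wg-quick@wgdeuxfleurs` unit is ordered before Consul so the address exists at start-up (the `addresses` block for dns/http can stay `0.0.0.0` if local clients need it). The `{# @FIXME: Reject doesn't work #}` comment is now stale, since the new loop uses `difference([inventory_hostname])` rather than `reject`; either drop it or reword it to `{# reject("sameas", ...) did not exclude the local host; difference() does #}`. The file's trailing keys lie outside the hunk.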
@ -1,2 +1,2 @@
|
||||||
nameserver {{ private_ip }}
|
nameserver {{ vpn_ip }}
|
||||||
nameserver {{ dns_server }}
|
nameserver {{ dns_server }}
|
||||||
|
|
5
ansible/roles/network/handlers/main.yml
Normal file
5
ansible/roles/network/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: reload wireguard
|
||||||
|
service:
|
||||||
|
name: wg-quick@wgdeuxfleurs
|
||||||
|
state: restarted
|
|
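Review bot: the handler is named `reload wireguard` but does `state: restarted` on `wg-quick@wgdeuxfleurs`, which tears the tunnel down and rebuilds it, briefly interrupting the Consul, Nomad and GlusterFS traffic that this commit moves onto the VPN addresses. Either rename it `restart wireguard` so the notifying tasks say what actually happens, or make it a genuine reload with `shell: wg syncconf wgdeuxfleurs <(wg-quick strip wgdeuxfleurs)` under `args: {executable: /bin/bash}` (process substitution needs bash) and keep a restart only for the private-key creation path.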
@ -9,3 +9,49 @@
|
||||||
name: net.ipv4.ip_forward
|
name: net.ipv4.ip_forward
|
||||||
value: "1"
|
value: "1"
|
||||||
sysctl_set: yes
|
sysctl_set: yes
|
||||||
|
|
||||||
|
# Wireguard configuration
|
||||||
|
- name: "Enable backports repository"
|
||||||
|
apt_repository:
|
||||||
|
repo: deb http://deb.debian.org/debian buster-backports main
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: "Install wireguard"
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- wireguard
|
||||||
|
- wireguard-tools
|
||||||
|
- "linux-headers-{{ ansible_kernel }}"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: "Create wireguard configuration direcetory"
|
||||||
|
file: path=/etc/wireguard/ state=directory
|
||||||
|
|
||||||
|
- name: "Check if wireguard private key exists"
|
||||||
|
stat: path=/etc/wireguard/privkey
|
||||||
|
register: wireguard_privkey
|
||||||
|
|
||||||
|
- name: "Create wireguard private key"
|
||||||
|
shell: wg genkey > /etc/wireguard/privkey
|
||||||
|
when: wireguard_privkey.stat.exists == false
|
||||||
|
notify:
|
||||||
|
- reload wireguard
|
||||||
|
|
||||||
|
- name: "Secure wireguard private key"
|
||||||
|
file: path=/etc/wireguard/privkey mode=0600
|
||||||
|
|
||||||
|
- name: "Retrieve wireguard private key"
|
||||||
|
shell: cat /etc/wireguard/privkey
|
||||||
|
register: wireguard_privkey
|
||||||
|
|
||||||
|
- name: "Retrieve wireguard public key"
|
||||||
|
shell: wg pubkey < /etc/wireguard/privkey
|
||||||
|
register: wireguard_pubkey
|
||||||
|
|
||||||
|
- name: "Deploy wireguard configuration"
|
||||||
|
template: src=wireguard.conf.j2 dest=/etc/wireguard/wgdeuxfleurs.conf mode=0600
|
||||||
|
notify:
|
||||||
|
- reload wireguard
|
||||||
|
|
||||||
|
- name: "Enable Wireguard systemd service at boot"
|
||||||
|
service: name=wg-quick@wgdeuxfleurs state=started enabled=yes daemon_reload=yes
|
||||||
|
|
|
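Review bot: `shell: wg genkey > /etc/wireguard/privkey` in "Create wireguard private key" writes the key under the shell's default umask, so it is typically 0644 until the separate "Secure wireguard private key" task applies `mode=0600`; a play that stops in between leaves the key readable by every local user, which `umask 077` in the same command avoids. "Retrieve wireguard private key" registers the key's plaintext in a plain `shell` task, so it appears in verbose output and reports `changed` on every run; `no_log: true` and `changed_when: false` fix both (the pubkey task also wants `changed_when: false`, and reusing `register: wireguard_privkey` for both the stat result and the key text is confusing). `when: wireguard_privkey.stat.exists == false` reads better as `when: not wireguard_privkey.stat.exists`, or disappears entirely if `creates:` is used as below. The sysctl task whose tail opens the hunk starts outside it.
```yaml
- name: "Create wireguard private key"
  # umask 077 so the key is never world-readable, even if the mode=0600 task below never runs
  shell: umask 077 && wg genkey > /etc/wireguard/privkey
  args:
    creates: /etc/wireguard/privkey
  notify:
    - reload wireguard

# … unchanged: "Secure wireguard private key" …

- name: "Retrieve wireguard private key"
  shell: cat /etc/wireguard/privkey
  register: wireguard_privkey
  changed_when: false
  no_log: true  # key material must not reach logs or verbose output

- name: "Retrieve wireguard public key"
  shell: wg pubkey < /etc/wireguard/privkey
  register: wireguard_pubkey
  changed_when: false
```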
@ -10,8 +10,8 @@
|
||||||
-A INPUT -s 192.168.1.254 -j ACCEPT
|
-A INPUT -s 192.168.1.254 -j ACCEPT
|
||||||
-A INPUT -s 82.253.205.190 -j ACCEPT
|
-A INPUT -s 82.253.205.190 -j ACCEPT
|
||||||
{% for selected_host in groups['cluster_nodes'] %}
|
{% for selected_host in groups['cluster_nodes'] %}
|
||||||
-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -j ACCEPT
|
-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -p udp --dport 51820 -j ACCEPT
|
||||||
-A INPUT -s {{ hostvars[selected_host]['private_ip'] }} -j ACCEPT
|
-A INPUT -s {{ hostvars[selected_host]['vpn_ip'] }} -j ACCEPT
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
# Local
|
# Local
|
||||||
|
|
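Review bot: `--dport 51820` on the new INPUT rule hard-codes the port that the same commit adds to the inventory as `public_vpn_port` and to `wireguard.conf.j2` as `ListenPort = 51820`, so the three can drift apart silently. Because this rule filters traffic arriving on the local host, the local variable is the right one: `-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -p udp --dport {{ public_vpn_port }} -j ACCEPT`, with `ListenPort = {{ public_vpn_port }}` in the WireGuard template. Narrowing the per-node public-IP allow from all traffic to UDP/51820 is a real tightening, provided nothing that previously relied on it (inter-node SSH, if any) is still needed outside the tunnel — I cannot tell from this hunk. The surrounding rules of the template lie outside the hunk.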
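--- /dev/null
+++ b/ansible/roles/network/templates/wireguard.conf.j2
@@ -0,0 +1,12 @@
+[Interface]
+Address = {{ vpn_ip }}
+PrivateKey = {{ wireguard_privkey.stdout }}
+ListenPort = 51820
+
+{% for selected_host in groups['cluster_nodes']|difference([inventory_hostname]) %}
+[Peer]
+PublicKey = {{ hostvars[selected_host].wireguard_pubkey.stdout }}
+Endpoint = {{ hostvars[selected_host].public_ip }}:{{ hostvars[selected_host].public_vpn_port }}
+AllowedIPs = {{ hostvars[selected_host].vpn_ip }}/32
+PersistentKeepalive = 25
+{% endfor %}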
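Review bot: `PublicKey = {{ hostvars[selected_host].wireguard_pubkey.stdout }}` presumes that the "Retrieve wireguard public key" task has already run on every other member of `cluster_nodes` in the same play; a run with `--limit` to one host, or a host freshly added to the inventory, hits an undefined `wireguard_pubkey` and the template task aborts instead of rendering a partial peer list. Guarding the loop body with `{% if hostvars[selected_host].wireguard_pubkey is defined %}` makes that failure mode explicit, or the keys can be gathered in a dedicated earlier play over all hosts. `Address = {{ vpn_ip }}` carries no prefix length, which wg-quick treats as /32 — fine with the per-peer `AllowedIPs … /32` routes, but worth a comment in the template so the next reader does not add `/24` and change the routing.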
@ -5,9 +5,9 @@ addresses {
|
||||||
}
|
}
|
||||||
|
|
||||||
advertise {
|
advertise {
|
||||||
http = "{{ public_ip }}"
|
http = "{{ vpn_ip }}"
|
||||||
rpc = "{{ public_ip }}"
|
rpc = "{{ vpn_ip }}"
|
||||||
serf = "{{ public_ip }}"
|
serf = "{{ vpn_ip }}"
|
||||||
}
|
}
|
||||||
|
|
||||||
data_dir = "/var/lib/nomad"
|
data_dir = "/var/lib/nomad"
|
||||||
|
@ -25,10 +25,10 @@ client {
|
||||||
enabled = true
|
enabled = true
|
||||||
#cpu_total_compute = 4000
|
#cpu_total_compute = 4000
|
||||||
servers = ["127.0.0.1:4648"]
|
servers = ["127.0.0.1:4648"]
|
||||||
network_interface = "{{ interface }}"
|
|
||||||
options {
|
options {
|
||||||
docker.privileged.enabled = "true"
|
docker.privileged.enabled = "true"
|
||||||
docker.volumes.enabled = "true"
|
docker.volumes.enabled = "true"
|
||||||
}
|
}
|
||||||
|
network_interface = "wgdeuxfleurs"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
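Review bot: `network_interface = "wgdeuxfleurs"` is a literal that has to match both the `wg-quick@wgdeuxfleurs` unit name and the `dest=/etc/wireguard/wgdeuxfleurs.conf` path used elsewhere in this commit; if any of the three is renamed, Nomad would presumably fingerprint a missing interface with no error at template time. A single group variable, e.g. `wireguard_interface: wgdeuxfleurs`, rendered here as `network_interface = "{{ wireguard_interface }}"` and reused by the service and template tasks, keeps them in lock-step. The `client` block starts and ends outside the hunk.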
@ -48,7 +48,7 @@
|
||||||
nfs.export-volumes: "off"
|
nfs.export-volumes: "off"
|
||||||
cluster.lookup-optimize: "on"
|
cluster.lookup-optimize: "on"
|
||||||
|
|
||||||
cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['private_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}"
|
cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['vpn_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}"
|
||||||
run_once: true
|
run_once: true
|
||||||
|
|
||||||
- name: "Create mountpoint"
|
- name: "Create mountpoint"
|
||||||
|
@ -61,7 +61,7 @@
|
||||||
tags: gluster-fstab
|
tags: gluster-fstab
|
||||||
mount:
|
mount:
|
||||||
path: /mnt/glusterfs
|
path: /mnt/glusterfs
|
||||||
src: "{{ private_ip }}:/donnees"
|
src: "{{ vpn_ip }}:/donnees"
|
||||||
fstype: glusterfs
|
fstype: glusterfs
|
||||||
opts: "defaults,_netdev,noauto,x-systemd.automount"
|
opts: "defaults,_netdev,noauto,x-systemd.automount"
|
||||||
state: present
|
state: present
|
||||||
|
|