Set up wireguard in dev cluster
This commit is contained in:
parent
1a16fc7f9e
commit
a4f9aa2d98
9 changed files with 78 additions and 15 deletions
|
@ -1,5 +1,5 @@
|
|||
[cluster_nodes]
|
||||
#ubuntu1 ansible_host=192.168.42.10
|
||||
debian1 ansible_host=192.168.42.20 ansible_user=root public_ip=192.168.42.20 private_ip=192.168.42.20 interface=enp1s0 dns_server=208.67.222.222
|
||||
debian2 ansible_host=192.168.42.21 ansible_user=root public_ip=192.168.42.21 private_ip=192.168.42.21 interface=enp1s0 dns_server=208.67.222.222
|
||||
debian3 ansible_host=192.168.42.22 ansible_user=root public_ip=192.168.42.22 private_ip=192.168.42.22 interface=enp1s0 dns_server=208.67.222.222
|
||||
debian1 ansible_host=192.168.42.20 ansible_user=root public_ip=192.168.42.20 dns_server=208.67.222.222 vpn_ip=10.68.70.11 public_vpn_port=51820
|
||||
debian2 ansible_host=192.168.42.21 ansible_user=root public_ip=192.168.42.21 dns_server=208.67.222.222 vpn_ip=10.68.70.12 public_vpn_port=51820
|
||||
debian3 ansible_host=192.168.42.22 ansible_user=root public_ip=192.168.42.22 dns_server=208.67.222.222 vpn_ip=10.68.70.13 public_vpn_port=51820
|
||||
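Review bot: The three host lines now repeat `dns_server=208.67.222.222` and `public_vpn_port=51820` verbatim, so a change to either has to be made three times and a single missed line would give one node a different port than its peers expect. Moving the shared values into a `[cluster_nodes:vars]` block, `dns_server=208.67.222.222` and `public_vpn_port=51820`, and leaving only `ansible_host`, `public_ip` and `vpn_ip` per host keeps the inventory single-sourced. The `interface` and `private_ip` variables are dropped here; anything still referencing them outside this commit would fail with an undefined variable, which I cannot verify from the hunks shown.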
|
|
|
@ -1,14 +1,14 @@
|
|||
{
|
||||
"data_dir": "/var/lib/consul",
|
||||
"bind_addr": "0.0.0.0",
|
||||
"advertise_addr": "{{ public_ip }}",
|
||||
"advertise_addr": "{{ vpn_ip }}",
|
||||
"addresses": {
|
||||
"dns": "0.0.0.0",
|
||||
"http": "0.0.0.0"
|
||||
},
|
||||
"retry_join": [
|
||||
{% for selected_host in groups['cluster_nodes']|reject("sameas", ansible_fqdn) %}{# @FIXME: Reject doesn't work #}
|
||||
"{{ hostvars[selected_host]['private_ip'] }}" {{ "," if not loop.last else "" }}
|
||||
{% for selected_host in groups['cluster_nodes']|difference([inventory_hostname]) %}{# @FIXME: Reject doesn't work #}
|
||||
"{{ hostvars[selected_host]['vpn_ip'] }}" {{ "," if not loop.last else "" }}
|
||||
{% endfor %}
|
||||
],
|
||||
"bootstrap_expect": 3,
|
||||
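Review bot: The replacement loop line keeps the `{# @FIXME: Reject doesn't work #}` comment even though `reject("sameas", ansible_fqdn)` has been replaced by `difference([inventory_hostname])`, so the comment now describes a problem that no longer exists; drop it, or turn it into `{# difference() excludes this node; group entries are inventory names, not FQDNs #}`. Presumably the original `reject` failed because the group holds inventory hostnames while `ansible_fqdn` is the gathered FQDN, which is what the new filter sidesteps; worth stating if that is the case.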
|
|
|
@ -1,2 +1,2 @@
|
|||
nameserver {{ private_ip }}
|
||||
nameserver {{ vpn_ip }}
|
||||
nameserver {{ dns_server }}
|
||||
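Review bot: The first resolver is now the node's `vpn_ip`, which only exists once `wg-quick@wgdeuxfleurs` has created the interface, so resolution before the tunnel is up (early boot, or a failed wg-quick start) presumably hangs on the first entry before falling through to `dns_server`. Since Consul's DNS listener is bound to `0.0.0.0` in the consul template, `nameserver 127.0.0.1` would reach the same local Consul agent without depending on the tunnel; confirm the resolv.conf and the Consul agent are deployed to the same hosts before switching.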
|
|
5
ansible/roles/network/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: reload wireguard
|
||||
service:
|
||||
name: wg-quick@wgdeuxfleurs
|
||||
state: restarted
|
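Review bot: The handler is named `reload wireguard` but performs `state: restarted`, which tears down and re-creates the `wgdeuxfleurs` interface; Consul, Nomad and GlusterFS traffic in this commit all ride on the tunnel's `vpn_ip`, so every notify briefly drops them. Either rename it to `restart wireguard` so callers know the cost, or document it with `# restart, not reload: wg-quick has no reload; this briefly drops all tunnel traffic`.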
|
@ -9,3 +9,49 @@
|
|||
name: net.ipv4.ip_forward
|
||||
value: "1"
|
||||
sysctl_set: yes
|
||||
|
||||
# Wireguard configuration
|
||||
- name: "Enable backports repository"
|
||||
apt_repository:
|
||||
repo: deb http://deb.debian.org/debian buster-backports main
|
||||
state: present
|
||||
|
||||
- name: "Install wireguard"
|
||||
apt:
|
||||
name:
|
||||
- wireguard
|
||||
- wireguard-tools
|
||||
- "linux-headers-{{ ansible_kernel }}"
|
||||
state: present
|
||||
|
||||
- name: "Create wireguard configuration direcetory"
|
||||
file: path=/etc/wireguard/ state=directory
|
||||
|
||||
- name: "Check if wireguard private key exists"
|
||||
stat: path=/etc/wireguard/privkey
|
||||
register: wireguard_privkey
|
||||
|
||||
- name: "Create wireguard private key"
|
||||
shell: wg genkey > /etc/wireguard/privkey
|
||||
when: wireguard_privkey.stat.exists == false
|
||||
notify:
|
||||
- reload wireguard
|
||||
|
||||
- name: "Secure wireguard private key"
|
||||
file: path=/etc/wireguard/privkey mode=0600
|
||||
|
||||
- name: "Retrieve wireguard private key"
|
||||
shell: cat /etc/wireguard/privkey
|
||||
register: wireguard_privkey
|
||||
|
||||
- name: "Retrieve wireguard public key"
|
||||
shell: wg pubkey < /etc/wireguard/privkey
|
||||
register: wireguard_pubkey
|
||||
|
||||
- name: "Deploy wireguard configuration"
|
||||
template: src=wireguard.conf.j2 dest=/etc/wireguard/wgdeuxfleurs.conf mode=0600
|
||||
notify:
|
||||
- reload wireguard
|
||||
|
||||
- name: "Enable Wireguard systemd service at boot"
|
||||
service: name=wg-quick@wgdeuxfleurs state=started enabled=yes daemon_reload=yes
|
||||
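Review bot: The "Retrieve wireguard private key" task registers the output of `cat /etc/wireguard/privkey` without `no_log: true`, so the private key is printed in the play output and captured by any callback or log plugin; add `no_log: true` to that task. The "Create wireguard private key" task writes the key with `wg genkey > /etc/wireguard/privkey` under the default umask and only the later "Secure" task narrows it to 0600, leaving a window in which the key is readable by other users; prefix the command with `umask 077`. The same variable name `wireguard_privkey` is registered twice (the `stat` result, then the `cat` output), so the stat result is silently overwritten, which is harmless today but confusing; rename the stat register. `when: wireguard_privkey.stat.exists == false` reads more idiomatically as `when: not ...stat.exists`, and "direcetory" in the directory task name is a typo.
```yaml
- name: "Check if wireguard private key exists"
  stat: path=/etc/wireguard/privkey
  register: wireguard_privkey_stat

- name: "Create wireguard private key"
  # umask 077 so the file is never group/world-readable, even before the mode task runs
  shell: umask 077 && wg genkey > /etc/wireguard/privkey
  when: not wireguard_privkey_stat.stat.exists
  notify:
    - reload wireguard

# … unchanged: "Secure wireguard private key" task …

- name: "Retrieve wireguard private key"
  shell: cat /etc/wireguard/privkey
  register: wireguard_privkey
  # the key must not appear in play output or callback logs
  no_log: true
```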
|
|
|
@ -10,8 +10,8 @@
|
|||
-A INPUT -s 192.168.1.254 -j ACCEPT
|
||||
-A INPUT -s 82.253.205.190 -j ACCEPT
|
||||
{% for selected_host in groups['cluster_nodes'] %}
|
||||
-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -j ACCEPT
|
||||
-A INPUT -s {{ hostvars[selected_host]['private_ip'] }} -j ACCEPT
|
||||
-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -p udp --dport 51820 -j ACCEPT
|
||||
-A INPUT -s {{ hostvars[selected_host]['vpn_ip'] }} -j ACCEPT
|
||||
{% endfor %}
|
||||
|
||||
# Local
|
||||
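Review bot: The new `-A INPUT -s {{ hostvars[selected_host]['vpn_ip'] }} -j ACCEPT` rule matches on source address alone, so a packet arriving on the physical NIC with a spoofed 10.68.70.x source is accepted as if it came through the tunnel; bind the rule to the tunnel interface, `-A INPUT -i wgdeuxfleurs -s {{ hostvars[selected_host]['vpn_ip'] }} -j ACCEPT`, since WireGuard only delivers authenticated peer traffic on that interface. The UDP rule hardcodes `--dport 51820` while the inventory defines `public_vpn_port` per host; `--dport {{ public_vpn_port }}` keeps the firewall in step with the listener. The enclosing template continues outside the hunk.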
|
|
12
ansible/roles/network/templates/wireguard.conf.j2
Normal file
|
@ -0,0 +1,12 @@
|
|||
[Interface]
|
||||
Address = {{ vpn_ip }}
|
||||
PrivateKey = {{ wireguard_privkey.stdout }}
|
||||
ListenPort = 51820
|
||||
|
||||
{% for selected_host in groups['cluster_nodes']|difference([inventory_hostname]) %}
|
||||
[Peer]
|
||||
PublicKey = {{ hostvars[selected_host].wireguard_pubkey.stdout }}
|
||||
Endpoint = {{ hostvars[selected_host].public_ip }}:{{ hostvars[selected_host].public_vpn_port }}
|
||||
AllowedIPs = {{ hostvars[selected_host].vpn_ip }}/32
|
||||
PersistentKeepalive = 25
|
||||
{% endfor %}
|
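Review bot: `ListenPort = 51820` is hardcoded while each peer's `Endpoint` uses `hostvars[selected_host].public_vpn_port` from the inventory, so a host whose inventory port differs would advertise one port and listen on another; use `ListenPort = {{ public_vpn_port }}`. `hostvars[selected_host].wireguard_pubkey.stdout` is only populated after the "Retrieve wireguard public key" task has run on that host in the same play, so a run limited to a subset of nodes presumably fails on an undefined variable when rendering; a comment such as `{# requires the pubkey task to have run on every cluster_nodes host in this play #}` would make that dependency visible. `Address = {{ vpn_ip }}` carries no prefix length, which wg-quick appears to accept as a /32; stating `/32` explicitly would remove the ambiguity.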
|
@ -5,9 +5,9 @@ addresses {
|
|||
}
|
||||
|
||||
advertise {
|
||||
http = "{{ public_ip }}"
|
||||
rpc = "{{ public_ip }}"
|
||||
serf = "{{ public_ip }}"
|
||||
http = "{{ vpn_ip }}"
|
||||
rpc = "{{ vpn_ip }}"
|
||||
serf = "{{ vpn_ip }}"
|
||||
}
|
||||
|
||||
data_dir = "/var/lib/nomad"
|
||||
|
@ -25,10 +25,10 @@ client {
|
|||
enabled = true
|
||||
#cpu_total_compute = 4000
|
||||
servers = ["127.0.0.1:4648"]
|
||||
network_interface = "{{ interface }}"
|
||||
options {
|
||||
docker.privileged.enabled = "true"
|
||||
docker.volumes.enabled = "true"
|
||||
}
|
||||
network_interface = "wgdeuxfleurs"
|
||||
}
|
||||
|
||||
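Review bot: `network_interface = "wgdeuxfleurs"` hardcodes the tunnel name that also appears in the handler, the service task, the config file path and the firewall template, so renaming the interface means touching five places; a role variable such as `wireguard_interface` rendered as `network_interface = "{{ wireguard_interface }}"` would keep them in step. The earlier hunk in this file switches the `advertise` block to `vpn_ip`, which together with this line makes Nomad entirely dependent on the tunnel being up; that is presumably intended but worth a comment in the template.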
|
|
|
@ -48,7 +48,7 @@
|
|||
nfs.export-volumes: "off"
|
||||
cluster.lookup-optimize: "on"
|
||||
|
||||
cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['private_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}"
|
||||
cluster: "{% for selected_host in groups['cluster_nodes'] %}{{ hostvars[selected_host]['vpn_ip'] }}{{ ',' if not loop.last else '' }}{% endfor %}"
|
||||
run_once: true
|
||||
|
||||
- name: "Create mountpoint"
|
||||
|
@ -61,7 +61,7 @@
|
|||
tags: gluster-fstab
|
||||
mount:
|
||||
path: /mnt/glusterfs
|
||||
src: "{{ private_ip }}:/donnees"
|
||||
src: "{{ vpn_ip }}:/donnees"
|
||||
fstype: glusterfs
|
||||
opts: "defaults,_netdev,noauto,x-systemd.automount"
|
||||
state: present
|
||||
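Review bot: `src: "{{ vpn_ip }}:/donnees"` makes the GlusterFS mount depend on the WireGuard tunnel, but the `_netdev,x-systemd.automount` options only order the mount after the network target, not after `wg-quick@wgdeuxfleurs` has created the `vpn_ip`; adding `x-systemd.requires=wg-quick@wgdeuxfleurs.service` to `opts` presumably makes that ordering explicit. The same dependency applies to the `cluster:` peer list in the previous hunk, which is built from each node's `vpn_ip`. The enclosing task list continues outside the hunk.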
|
|