authorChristian Pointner <equinox@spreadspace.org>2020-08-20 23:09:01 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-08-20 23:09:01 +0200
commit3f9f881fafa3994a8a0dc3b738eca077c4f4d054 (patch)
treed3fc6aefddf3e920a103d8063163677565142620
parents2-thetys: use zfs on recording disk (diff)
add role wireguard/p2p
-rw-r--r--dan/ele-gwhetzner.yml1
-rw-r--r--dan/host_vars/ele-gwhetzner.yml28
-rw-r--r--inventory/host_vars/ele-gwhetzner.yml14
-rw-r--r--inventory/host_vars/s2-thetys.yml17
-rw-r--r--roles/wireguard/gateway/templates/systemd-iptables.service.j2 (renamed from roles/wireguard/gateway/tasks/systemd-iptables.service.j2)0
-rw-r--r--roles/wireguard/p2p/defaults/main.yml18
-rw-r--r--roles/wireguard/p2p/handlers/main.yml6
-rw-r--r--roles/wireguard/p2p/tasks/main.yml20
-rw-r--r--roles/wireguard/p2p/tasks/systemd-iptables.service.j242
-rw-r--r--roles/wireguard/p2p/templates/systemd.netdev.j226
-rw-r--r--roles/wireguard/p2p/templates/systemd.network.j27
-rw-r--r--spreadspace/host_vars/s2-thetys.yml10
-rw-r--r--spreadspace/s2-thetys.yml2
13 files changed, 179 insertions, 12 deletions
diff --git a/dan/ele-gwhetzner.yml b/dan/ele-gwhetzner.yml
index 26069582..04824a34 100644
--- a/dan/ele-gwhetzner.yml
+++ b/dan/ele-gwhetzner.yml
@@ -9,3 +9,4 @@
- role: apt-repo/spreadspace
- role: wireguard/base
- role: wireguard/gateway
+ - role: wireguard/p2p
diff --git a/dan/host_vars/ele-gwhetzner.yml b/dan/host_vars/ele-gwhetzner.yml
index a2b6d67a..8b579bb0 100644
--- a/dan/host_vars/ele-gwhetzner.yml
+++ b/dan/host_vars/ele-gwhetzner.yml
@@ -1,13 +1,17 @@
$ANSIBLE_VAULT;1.2;AES256;dan
-63613763393832643163353733663563356666323338356338323465626566383934623265316335
-3931633335623561653232363531303533353363393030300a353732336235323137643937313939
-62396430653465366139623464633632366331623738376262323932316632633431393561633464
-3863383033633766630a373737373937646563653632613035303261376163376365396237623538
-36643138353435656265303639663035326330626534326264306263353663656231653362626235
-61613337303863336664303266303831366135376264336239353565633739636136356263636539
-32666637613536613036316636656134666261333561313230613136313939396636303064633731
-35386232386235666264326239353736303163643264313737613436356265366366613031393439
-36643038353862323361613138363165323431656132396638346539643932623663303366333365
-62353865356537333263393566623762666563333131323664346462306532613263323263643837
-61643265666366393237626266316439356331333438646462643730353137333433623031306631
-38326131363565326232
+36343835316464333566383362316662323461393339643462653138303565333663373938663836
+3764643539303864386532636539343461613063383865380a356237663837663931326266376131
+62306631366466393736323764396539653661666363326335626439326430613537656363333163
+6332336333346664310a613066373039336531346131656563353265646562366261393532333664
+31323731663838633731653961333934326636313866336235613838643732313632616339643837
+34386533363835333632633634336262633665353663393662303165336639373136616161616266
+61656566656136613238383963376239666264373230313337303131353861633461323732373130
+38623537333163393662616537356435383462363265613736313161393466336566646431373531
+32643430323730326536306464396261393564323366643065663865633666303862326236393338
+37663864646434353634373762313236613130653733643763646265366232376639653164303935
+37646139316166633136626265316130326363323436623035633731656665373965366362613965
+61353038636462393666666438306239656563316537373262633362303937346336333830313137
+64613639323631326662386638343734356362366466623930633837353666663933353666333538
+62653038316330616637633365316536643666666537303764306134326561343036303631383830
+36666539386239633361323337303061626261313039323334636237336331633463383037626462
+30396361316663636531
diff --git a/inventory/host_vars/ele-gwhetzner.yml b/inventory/host_vars/ele-gwhetzner.yml
index 2c970fda..7d2d032a 100644
--- a/inventory/host_vars/ele-gwhetzner.yml
+++ b/inventory/host_vars/ele-gwhetzner.yml
@@ -77,3 +77,17 @@ wireguard_gateway_tunnels:
allowed_ips:
- 192.168.254.6/32
- 192.168.20.0/24
+
+
+wireguard_p2p_interface:
+ name: wg-thetys
+ description: external management interface for thetys
+ priv_key: "{{ vault_wireguard_p2p_interface.priv_key }}"
+ listen_port: 51920
+ addresses:
+ - 192.168.123.1/30
+
+wireguard_p2p_peer:
+ pub_key: "RDNeaG06AUkEZqEr/v3zTidroGfTBTsXluOx2ArITyE="
+ allowed_ips:
+ - 192.168.123.2/32
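Review bot: `listen_port: 51920` opens a new UDP listener on the gateway's public address (the s2-thetys inventory in this commit dials `178.63.180.138:51920`), but nothing in the commit adds an INPUT rule for it; whether one is required depends on the host's INPUT policy, which is not visible here and should be checked before relying on the tunnel. WireGuard drops packets from unknown keys without replying, so the exposure is limited, but the port, the peer's endpoint and the firewall now have to agree across two inventories. A comment next to the port, e.g. `listen_port: 51920  # UDP; must match the endpoint in s2-thetys host_vars and be allowed by the gateway firewall`, would make that coupling visible.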
diff --git a/inventory/host_vars/s2-thetys.yml b/inventory/host_vars/s2-thetys.yml
index 6ab3eba1..b9a0fdb6 100644
--- a/inventory/host_vars/s2-thetys.yml
+++ b/inventory/host_vars/s2-thetys.yml
@@ -63,3 +63,20 @@ rtmp_streamer_inst_name: feed
rtmp_streamer_nginx_image_version: 2020-04-29.7
rtmp_streamer_decklink_card: "DeckLink Mini Recorder"
rtmp_streamer_recording_enabled: yes
+
+
+wireguard_p2p_interface:
+ name: wg-mgmt
+ description: external management interface
+ priv_key: "{{ vault_wireguard_p2p_interface.priv_key }}"
+ addresses:
+ - 192.168.123.2/30
+
+wireguard_p2p_peer:
+ pub_key: "r/pFU+OOHmSZUJPSA15emuCQhC/MvLnmfx5o5MPl7yo="
+ keepalive_interval: 10
+ endpoint:
+ host: 178.63.180.138
+ port: 51920
+ allowed_ips:
+ - 192.168.123.1/32
diff --git a/roles/wireguard/gateway/tasks/systemd-iptables.service.j2 b/roles/wireguard/gateway/templates/systemd-iptables.service.j2
index 11cf4b8a..11cf4b8a 100644
--- a/roles/wireguard/gateway/tasks/systemd-iptables.service.j2
+++ b/roles/wireguard/gateway/templates/systemd-iptables.service.j2
diff --git a/roles/wireguard/p2p/defaults/main.yml b/roles/wireguard/p2p/defaults/main.yml
new file mode 100644
index 00000000..9d93b810
--- /dev/null
+++ b/roles/wireguard/p2p/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+# wireguard_p2p_interface:
+# name: p2p
+# description: some wireguard tunnel
+# priv_key: secret
+# listen_port: 1234
+# addresses:
+# - 192.168.123.254/24
+
+# wireguard_p2p_peer:
+# pub_key: public_key_of_peer
+# keepalive_interval: 10
+# endpoint:
+# host: 5.6.7.8
+# port: 1234
+# allowed_ips:
+# - 192.168.255.3/32
+# - 192.168.123.0/24
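Review bot: The example `# priv_key: secret` documents a plaintext private key in defaults, while both inventories added by this commit pull it from vault (`vault_wireguard_p2p_interface.priv_key`); the example should show the vault pattern so the next user does not paste a key into host_vars. Suggest `# priv_key: "{{ vault_wireguard_p2p_interface.priv_key }}"  # keep in ansible-vault; it is written verbatim into the .netdev`. Since this file contains only comments, every key shown here is effectively mandatory and an omitted `pub_key` or `allowed_ips` fails at template render time rather than with a role-level message; a one-line comment stating which keys are required (and that `listen_port`, `endpoint` and `keepalive_interval` are optional) would help.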
diff --git a/roles/wireguard/p2p/handlers/main.yml b/roles/wireguard/p2p/handlers/main.yml
new file mode 100644
index 00000000..625032dc
--- /dev/null
+++ b/roles/wireguard/p2p/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart systemd-networkd
+ systemd:
+ daemon_reload: yes
+ name: systemd-networkd
+ state: restarted
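Review bot: The handler restarts systemd-networkd outright, which re-applies every networkd-managed link on the host rather than just the new WireGuard interface; on s2-thetys (a streaming/recording host per its inventory) that means a connectivity blip whenever the tunnel config changes. If the hosts run a systemd that has `networkctl reload` (not verifiable from here), `command: networkctl reload` is the gentler equivalent for .netdev/.network edits. `daemon_reload: yes` only re-reads unit files and has no effect on network configuration, so it can be dropped either way.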
diff --git a/roles/wireguard/p2p/tasks/main.yml b/roles/wireguard/p2p/tasks/main.yml
new file mode 100644
index 00000000..78cfaf43
--- /dev/null
+++ b/roles/wireguard/p2p/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: install wireguard interfaces (netdev)
+ template:
+ src: systemd.netdev.j2
+ dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.netdev"
+ mode: 0640
+ group: systemd-network
+ notify: restart systemd-networkd
+
+- name: install wireguard interfaces (network)
+ template:
+ src: systemd.network.j2
+ dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.network"
+ notify: restart systemd-networkd
+
+- name: enable systemd-networkd
+ systemd:
+ name: systemd-networkd
+ enabled: yes
+ state: started
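Review bot: The .netdev task correctly restricts the file that carries `PrivateKey=` to `0640` / group `systemd-network`, but it does not pin the owner, so a pre-existing file with a different owner would keep it; add `owner: root` next to `group: systemd-network`. The .network task sets no mode at all and inherits the umask, which is acceptable because it holds only addresses, but an explicit `mode: 0644` makes the contrast with the key-bearing file deliberate rather than accidental. Ansible also reads unquoted `0640` as an octal int; quoting it as `mode: "0640"` avoids the YAML typing trap the rest of the repo may or may not be relying on.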
diff --git a/roles/wireguard/p2p/tasks/systemd-iptables.service.j2 b/roles/wireguard/p2p/tasks/systemd-iptables.service.j2
new file mode 100644
index 00000000..11cf4b8a
--- /dev/null
+++ b/roles/wireguard/p2p/tasks/systemd-iptables.service.j2
@@ -0,0 +1,42 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
+
+
+[Service]
+Type=oneshot
+
+{% if 'ip_snat' in item.value %}
+ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1
+{% for addr in item.value.addresses %}
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+{% if 'ip_snat' in item.value %}
+{% for addr in item.value.addresses %}
+ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+RemainAfterExit=yes
+
+
+[Install]
+WantedBy=multi-user.target
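Review bot: This template is never referenced — tasks/main.yml in the same commit installs only the .netdev and .network files — and it lives under `tasks/` instead of `templates/`, the exact layout mistake this commit fixes in the gateway role in the rename hunk above. Its variables (`item.value.addresses`, `item.value.ip_snat`, `item.value.port_forwardings`) belong to the gateway role's per-tunnel loop and do not exist in this role, which defines only `wireguard_p2p_interface` and `wireguard_p2p_peer`, so it cannot render as written. Either delete the file, or move it to `templates/`, rewrite it against the p2p variables and add the install/enable task; a point-to-point management link arguably needs no NAT at all. If it is kept, note that the DNAT rules match on `-d` only, so consider adding `-i <external interface>` so forwarded ports are not also reachable from the tunnel side.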
diff --git a/roles/wireguard/p2p/templates/systemd.netdev.j2 b/roles/wireguard/p2p/templates/systemd.netdev.j2
new file mode 100644
index 00000000..04abfa1d
--- /dev/null
+++ b/roles/wireguard/p2p/templates/systemd.netdev.j2
@@ -0,0 +1,26 @@
+[NetDev]
+Name={{ wireguard_p2p_interface.name }}
+Kind=wireguard
+{% if 'description' in wireguard_p2p_interface %}
+Description={{ wireguard_p2p_interface.description }}
+{% endif %}
+
+
+[WireGuard]
+PrivateKey={{ wireguard_p2p_interface.priv_key }}
+{% if 'listen_port' in wireguard_p2p_interface %}
+ListenPort={{ wireguard_p2p_interface.listen_port }}
+{% endif %}
+
+
+[WireGuardPeer]
+PublicKey={{ wireguard_p2p_peer.pub_key }}
+{% for ip in wireguard_p2p_peer.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
+{% if 'endpoint' in wireguard_p2p_peer %}
+Endpoint={{ wireguard_p2p_peer.endpoint.host }}:{{ wireguard_p2p_peer.endpoint.port | default(51820) }}
+{% endif %}
+{% if 'keepalive_interval' in wireguard_p2p_peer %}
+PersistentKeepalive={{ wireguard_p2p_peer.keepalive_interval }}
+{% endif %}
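Review bot: `Endpoint={{ wireguard_p2p_peer.endpoint.host }}:{{ ... }}` produces an invalid value for an IPv6 literal endpoint, which networkd requires in brackets; `Endpoint={{ wireguard_p2p_peer.endpoint.host | ipwrap }}:{{ wireguard_p2p_peer.endpoint.port | default(51820) }}` handles both families, and the `ipaddr` filter family is already used by the gateway template in this repo. The default port `51820` is hard-coded here while the commit's inventories use `51920`; if the role should have a single default it belongs in defaults/main.yml rather than buried in the template. A header comment such as `{# managed by ansible role wireguard/p2p; PrivateKey is inline, keep this file 0640 root:systemd-network #}` would tell an operator why the file's mode matters.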
diff --git a/roles/wireguard/p2p/templates/systemd.network.j2 b/roles/wireguard/p2p/templates/systemd.network.j2
new file mode 100644
index 00000000..3d1e2431
--- /dev/null
+++ b/roles/wireguard/p2p/templates/systemd.network.j2
@@ -0,0 +1,7 @@
+[Match]
+Name={{ wireguard_p2p_interface.name }}
+
+[Network]
+{% for addr in wireguard_p2p_interface.addresses %}
+Address={{ addr }}
+{% endfor %}
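Review bot: The .network file emits only `Address=` lines, so the kernel gets a connected route for each interface prefix and nothing else; unlike wg-quick, systemd-networkd does not install routes for a peer's AllowedIPs. For the two inventories in this commit that is fine, because each peer's `allowed_ips` (`192.168.123.x/32`) lies inside the interface's /30, but the example in defaults (`192.168.255.3/32` with interface `192.168.123.254/24`) would be unreachable through the tunnel. Emitting a `[Route]` / `Destination={{ ip }}` stanza inside a `{% for ip in wireguard_p2p_peer.allowed_ips %}` loop closes that gap; for entries already covered by the interface prefix it only adds a redundant host route.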
diff --git a/spreadspace/host_vars/s2-thetys.yml b/spreadspace/host_vars/s2-thetys.yml
new file mode 100644
index 00000000..bf5235d1
--- /dev/null
+++ b/spreadspace/host_vars/s2-thetys.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;spreadspace
+61666533323633643162623235616235356437623831636262356531346132343733386236623539
+3464383863633638616664363230653362646666616237630a383333663031633936646134633234
+35613439333966613531343133356561656232613539306532613130666261373935376631656531
+6462663166666363610a353830393235643030386466333633626130323438623063393465653530
+62626662386234303730646338316364306561623435623435666366343366313062363131383335
+33643766383962636565623933323730623664613264346637316662376138316234323136383339
+63353930616532363738616537613862646463373932636435323965393333356232653665326233
+65376163373633376631636363633531636561363261633662376361383332316362333036303031
+3734
diff --git a/spreadspace/s2-thetys.yml b/spreadspace/s2-thetys.yml
index 71239000..44a05609 100644
--- a/spreadspace/s2-thetys.yml
+++ b/spreadspace/s2-thetys.yml
@@ -8,6 +8,8 @@
- role: core/zsh
- role: core/cpu-microcode
- role: apt-repo/spreadspace
+ - role: wireguard/base
+ - role: wireguard/p2p
- role: zfs/base
- role: streaming/blackmagic/desktopvideo
- role: kubernetes/base