-rw-r--r--chaos-at-home/ch-mimas.yml2
-rw-r--r--chaos-at-home/ch-pan.yml2
-rw-r--r--inventory/host_vars/ch-mimas.yml23
-rw-r--r--inventory/host_vars/ch-pan.yml23
-rw-r--r--inventory/host_vars/ch-router.yml19
-rw-r--r--roles/network/wireguard/p2p/defaults/main.yml9
-rw-r--r--roles/network/wireguard/p2p/tasks/main.yml16
-rw-r--r--roles/network/wireguard/p2p/templates/systemd.netdev.j24
-rw-r--r--roles/network/wireguard/p2p/templates/systemd.network.j26
9 files changed, 91 insertions, 13 deletions
diff --git a/chaos-at-home/ch-mimas.yml b/chaos-at-home/ch-mimas.yml
index 178f9093..8aee418f 100644
--- a/chaos-at-home/ch-mimas.yml
+++ b/chaos-at-home/ch-mimas.yml
@@ -19,6 +19,8 @@
roles:
- role: storage/zfs/pools
- role: storage/zfs/sanoid
+ - role: network/wireguard/base
+ - role: network/wireguard/p2p
- role: network/bind
- role: acmetool/base
- role: apt-repo/spreadspace
diff --git a/chaos-at-home/ch-pan.yml b/chaos-at-home/ch-pan.yml
index 93871234..6edd32fc 100644
--- a/chaos-at-home/ch-pan.yml
+++ b/chaos-at-home/ch-pan.yml
@@ -11,6 +11,8 @@
- name: Payload Setup
hosts: ch-pan
roles:
+ - role: network/wireguard/base
+ - role: network/wireguard/p2p
- role: network/bind
- role: dyndns/server
- role: acmetool/base
diff --git a/inventory/host_vars/ch-mimas.yml b/inventory/host_vars/ch-mimas.yml
index 2bafafe1..32db8f65 100644
--- a/inventory/host_vars/ch-mimas.yml
+++ b/inventory/host_vars/ch-mimas.yml
@@ -47,6 +47,29 @@ zfs_sanoid_modules:
process_children_only: yes
+wireguard_p2p_interface:
+ name: remote0
+ description: connection to chaos-at-home internal services
+ listen_port: 51820
+ addresses:
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}"
+ static_routes:
+ - dest: "{{ network_zones.svc.prefix }}"
+ gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+ - dest: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
+ gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+
+wireguard_p2p_peers:
+ - pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI="
+ endpoint:
+ host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+ port: 51820
+ allowed_ips:
+ - "{{ network_zones.remote.prefix }}"
+ - "{{ network_zones.svc.prefix }}"
+ - "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
+
+
bind_option_empty_zones_enable: no
bind_option_allow_transfer: []
bind_option_allow_recursion:
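Review bot: The `wireguard_p2p_interface` and `wireguard_p2p_peers` blocks added here are byte-identical to the ones added to `inventory/host_vars/ch-pan.yml` in the next file; the only host-specific input is `inventory_hostname`, which is resolved per host anyway. If the inventory has a group that covers both remote hosts, moving the two variables to that group's vars would keep the route list, the router's peer `pub_key` and the `allowed_ips` set in one place, so a later change cannot drift between the two hosts. The same applies to the repeated router-gateway expression, which appears three times per file.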
diff --git a/inventory/host_vars/ch-pan.yml b/inventory/host_vars/ch-pan.yml
index 9f18ed93..5beabb31 100644
--- a/inventory/host_vars/ch-pan.yml
+++ b/inventory/host_vars/ch-pan.yml
@@ -41,6 +41,29 @@ sshd_allowusers_host: "{{ admin_users_host + ['dyndns'] }}"
ntp_variant: systemd-timesyncd
+wireguard_p2p_interface:
+ name: remote0
+ description: connection to chaos-at-home internal services
+ listen_port: 51820
+ addresses:
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}"
+ static_routes:
+ - dest: "{{ network_zones.svc.prefix }}"
+ gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+ - dest: "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
+ gw: "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+
+wireguard_p2p_peers:
+ - pub_key: "9pUDet+les5aI9UnHHVgyw95hNBxlAX8DBCxTjigpEI="
+ endpoint:
+ host: "{{ network_zones.magenta.prefix | ansible.utils.ipaddr(network_zones.magenta.offsets['ch-router']) | ansible.utils.ipaddr('address') }}"
+ port: 51820
+ allowed_ips:
+ - "{{ network_zones.remote.prefix }}"
+ - "{{ network_zones.svc.prefix }}"
+ - "{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/32"
+
+
nginx_server_names_hash_bucket_size: 64
acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
diff --git a/inventory/host_vars/ch-router.yml b/inventory/host_vars/ch-router.yml
index 794ae485..ce4ed984 100644
--- a/inventory/host_vars/ch-router.yml
+++ b/inventory/host_vars/ch-router.yml
@@ -163,8 +163,9 @@ openwrt_mixin:
define prefix_mgmt = {{ network_zones.mgmt.prefix }}
define prefix_openvpn = 192.168.8.0/24
define prefix_remote = 192.168.51.0/24
+ define prefix_svc = {{ network_zones.svc.prefix }}
define prefixes_internal = { {{ network_zones.svc.prefix }}, {{ network_zones.lan.prefix }} }
-
+ define ip_prometheus_legacy = {{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}
table inet global {
## INPUT
@@ -213,8 +214,8 @@ openwrt_mixin:
iif $nic_internal ip saddr $prefixes_internal oif $nic_magenta accept
iif $nic_internal ip saddr $prefixes_internal oifname $nic_openvpn ip daddr $prefix_openvpn accept
iifname $nic_openvpn ip saddr $prefix_openvpn oif $nic_internal ip daddr $prefixes_internal accept
- iif $nic_internal ip saddr $prefixes_internal oifname $nic_remote ip daddr $prefix_remote accept
- iifname $nic_remote ip saddr $prefix_remote oif $nic_internal ip daddr $prefixes_internal accept ## TODO: review allowed connections
+ iif $nic_internal ip saddr { $prefix_svc, $ip_prometheus_legacy } oifname $nic_remote ip daddr $prefix_remote accept
+ iifname $nic_remote ip saddr $prefix_remote oif $nic_internal ip daddr { $prefix_svc, $ip_prometheus_legacy } accept
{% for name, svc in network_services.items() %}
iif $nic_magenta oif $nic_internal ip daddr {{ svc.addr }} tcp dport { {{ svc.ports | join(', ') }} } accept comment "Service: {{ name }}"
{% endfor %}
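Review bot: The remote-to-internal forward rule is now limited to `$prefix_svc` and `$ip_prometheus_legacy` as destinations, but it still accepts every protocol and port from the whole `$prefix_remote` range, and the `## TODO: review allowed connections` marker on the old line was dropped without the review it asked for. The `network_services` loop right below shows the pattern already used in this ruleset for port-scoped accepts; the remote peers presumably need only a handful of TCP ports on the svc prefix and the Prometheus host, so a `tcp dport { … }` set on this rule would make the WireGuard link least-privilege on the router side as well. If that is deferred, keep the marker on the new line: `accept ## TODO: restrict to the ports the remote hosts actually need`.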
@@ -362,24 +363,24 @@ openwrt_uci:
- "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets[inventory_hostname]) }}"
nohostroute: 1
- - name: wireguard_remote 'ch-pan'
+ - name: wireguard_remote 'pan'
options:
- public_key: "" ## TODO
+ public_key: "sd/OqiO0hktuJ3FvIBnM8RJpqG0lkN7wWJjdKbU1TSw="
# preshared_key: ""
endpoint_host: "{{ hostvars['ch-pan'].network.primary.address | ansible.utils.ipaddr('address') }}"
endpoint_port: 51820
allowed_ips:
- - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-pan']) }}"
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-pan']) | ansible.utils.ipaddr('address') }}"
persistent_keepalive: 60
- - name: wireguard_remote 'ch-mimas'
+ - name: wireguard_remote 'mimas'
options:
- public_key: "" ## TODO
+ public_key: "ZpvJ3Myn/FSJTqsEkNB5AQaVAuTqfFFCAqLomkeZV3g="
# preshared_key: ""
endpoint_host: "{{ hostvars['ch-mimas'].external_ip }}"
endpoint_port: 51820
allowed_ips:
- - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-mimas']) }}"
+ - "{{ network_zones.remote.prefix | ansible.utils.ipaddr(network_zones.remote.offsets['ch-mimas']) | ansible.utils.ipaddr('address') }}"
persistent_keepalive: 60
sqm:
diff --git a/roles/network/wireguard/p2p/defaults/main.yml b/roles/network/wireguard/p2p/defaults/main.yml
index cb8d6f18..68000a83 100644
--- a/roles/network/wireguard/p2p/defaults/main.yml
+++ b/roles/network/wireguard/p2p/defaults/main.yml
@@ -5,7 +5,10 @@
# priv_key: secret
# listen_port: 1234
# addresses:
-# - 192.168.123.254/24
+# - 192.168.255.254/24
+# static_routes:
+# - dest: 192.168.123.0/24
+# gw: 192.168.255.3
# wireguard_p2p_peers:
# - pub_key: public_key_of_peer
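Review bot: The example in this defaults file still presents `priv_key` as a regular field, while the role's tasks now generate a key on the host when it is absent; the example should say so, since that is the mode the two new hosts use. Suggested comment on the `# priv_key: secret` line in this hunk: `# priv_key: secret   ## optional: when omitted the role generates one and stores it in /etc/systemd/network/<name>.privkey`. A one-line note that the generated key's public half has to be read from the host to configure the peers would complete the picture.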
@@ -14,5 +17,5 @@
# host: 5.6.7.8
# port: 1234
# allowed_ips:
-# - 192.168.255.3/32
-# - 192.168.123.0/24
+# - 192.168.255.3/32
+# - 192.168.123.0/24
diff --git a/roles/network/wireguard/p2p/tasks/main.yml b/roles/network/wireguard/p2p/tasks/main.yml
index 78cfaf43..c1c21263 100644
--- a/roles/network/wireguard/p2p/tasks/main.yml
+++ b/roles/network/wireguard/p2p/tasks/main.yml
@@ -1,4 +1,18 @@
---
+- name: autogenerate wireguard private key file
+ when: "'priv_key' not in wireguard_p2p_interface"
+ block:
+ - name: generate private key
+ shell:
+ cmd: "umask 0027; wg genkey > '/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey'"
+ creates: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey"
+
+ - name: make sure systemd-netword can read the private key file
+ file:
+ path: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey"
+ mode: 0640
+ group: systemd-network
+
- name: install wireguard interfaces (netdev)
template:
src: systemd.netdev.j2
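Review bot: The `generate private key` task can leave an empty `.privkey` behind: the shell opens the redirect target before `wg genkey` runs, so if the command fails (binary missing, for example) the empty file exists, and on every later run `creates:` skips generation and systemd-networkd is handed an empty key. Write to a temporary sibling and move it into place only on success, e.g. `cmd: "umask 0027; wg genkey > '<privkey path>.tmp' && mv '<privkey path>.tmp' '<privkey path>'"`, where `<privkey path>` stands for the existing `/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey` expression. Two smaller points in the same block: the task name says `systemd-netword` (should be `systemd-networkd`), and `mode: 0640` is only correct under a YAML 1.1 loader — quote it as `mode: "0640"` so a 1.2 loader or yamllint does not read it as decimal 640. Since the router side still needs the public key by hand, a follow-up task that runs `wg pubkey < <privkey path>` with `register:` and prints it would save the operator a login on each host.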
@@ -13,7 +27,7 @@
dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.network"
notify: restart systemd-networkd
-- name: enable systemd-networkd
+- name: make sure systemd-networkd is enabled
systemd:
name: systemd-networkd
enabled: yes
diff --git a/roles/network/wireguard/p2p/templates/systemd.netdev.j2 b/roles/network/wireguard/p2p/templates/systemd.netdev.j2
index 336fdfb2..3e73f474 100644
--- a/roles/network/wireguard/p2p/templates/systemd.netdev.j2
+++ b/roles/network/wireguard/p2p/templates/systemd.netdev.j2
@@ -7,7 +7,11 @@ Description={{ wireguard_p2p_interface.description }}
[WireGuard]
+{% if 'priv_key' in wireguard_p2p_interface %}
PrivateKey={{ wireguard_p2p_interface.priv_key }}
+{% else %}
+PrivateKeyFile=/etc/systemd/network/{{ wireguard_p2p_interface.name }}.privkey
+{% endif %}
{% if 'listen_port' in wireguard_p2p_interface %}
ListenPort={{ wireguard_p2p_interface.listen_port }}
{% endif %}
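Review bot: With the inline `PrivateKey=` branch kept, a configured `priv_key` still lands in the rendered `.netdev` file, so that file needs the same `0640` and `systemd-network` group treatment the new `.privkey` file gets from the tasks; the `install wireguard interfaces (netdev)` template task starts outside this hunk and I cannot see whether it sets `mode` and `group`. A comment on the `{% else %}` branch, `{# key file is generated by the role's "autogenerate wireguard private key file" block #}`, would tell a reader where the referenced path comes from.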
diff --git a/roles/network/wireguard/p2p/templates/systemd.network.j2 b/roles/network/wireguard/p2p/templates/systemd.network.j2
index 3d1e2431..e40e610b 100644
--- a/roles/network/wireguard/p2p/templates/systemd.network.j2
+++ b/roles/network/wireguard/p2p/templates/systemd.network.j2
@@ -5,3 +5,9 @@ Name={{ wireguard_p2p_interface.name }}
{% for addr in wireguard_p2p_interface.addresses %}
Address={{ addr }}
{% endfor %}
+{% for route in wireguard_p2p_interface.static_routes | default([]) %}
+
+[Route]
+Destination={{ route.dest }}
+Gateway={{ route.gw }}
+{% endfor %}