From 3f9f881fafa3994a8a0dc3b738eca077c4f4d054 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 20 Aug 2020 23:09:01 +0200
Subject: add role wireguard p2p

---
 dan/ele-gwhetzner.yml | 1 +
 dan/host_vars/ele-gwhetzner.yml | 28 ++++++++-------
 inventory/host_vars/ele-gwhetzner.yml | 14 ++++++++
 inventory/host_vars/s2-thetys.yml | 17 +++++++++
 .../gateway/tasks/systemd-iptables.service.j2 | 42 ----------------------
 .../gateway/templates/systemd-iptables.service.j2 | 42 ++++++++++++++++++++++
 roles/wireguard/p2p/defaults/main.yml | 18 ++++++++++
 roles/wireguard/p2p/handlers/main.yml | 6 ++++
 roles/wireguard/p2p/tasks/main.yml | 20 +++++++++++
 .../p2p/tasks/systemd-iptables.service.j2 | 42 ++++++++++++++++++++++
 roles/wireguard/p2p/templates/systemd.netdev.j2 | 26 ++++++++++++++
 roles/wireguard/p2p/templates/systemd.network.j2 | 7 ++++
 spreadspace/host_vars/s2-thetys.yml | 10 ++++++
 spreadspace/s2-thetys.yml | 2 ++
 14 files changed, 221 insertions(+), 54 deletions(-)
 delete mode 100644 roles/wireguard/gateway/tasks/systemd-iptables.service.j2
 create mode 100644 roles/wireguard/gateway/templates/systemd-iptables.service.j2
 create mode 100644 roles/wireguard/p2p/defaults/main.yml
 create mode 100644 roles/wireguard/p2p/handlers/main.yml
 create mode 100644 roles/wireguard/p2p/tasks/main.yml
 create mode 100644 roles/wireguard/p2p/tasks/systemd-iptables.service.j2
 create mode 100644 roles/wireguard/p2p/templates/systemd.netdev.j2
 create mode 100644 roles/wireguard/p2p/templates/systemd.network.j2
 create mode 100644 spreadspace/host_vars/s2-thetys.yml

diff --git a/dan/ele-gwhetzner.yml b/dan/ele-gwhetzner.yml
index 26069582..04824a34 100644
--- a/dan/ele-gwhetzner.yml
+++ b/dan/ele-gwhetzner.yml
@@ -9,3 +9,4 @@
 - role: apt-repo/spreadspace
 - role: wireguard/base
 - role: wireguard/gateway
+ - role: wireguard/p2p
diff --git a/dan/host_vars/ele-gwhetzner.yml b/dan/host_vars/ele-gwhetzner.yml
index a2b6d67a..8b579bb0 100644
--- a/dan/host_vars/ele-gwhetzner.yml
+++ b/dan/host_vars/ele-gwhetzner.yml 
@@ -1,13 +1,17 @@
 $ANSIBLE_VAULT;1.2;AES256;dan
-63613763393832643163353733663563356666323338356338323465626566383934623265316335
-3931633335623561653232363531303533353363393030300a353732336235323137643937313939
-62396430653465366139623464633632366331623738376262323932316632633431393561633464
-3863383033633766630a373737373937646563653632613035303261376163376365396237623538
-36643138353435656265303639663035326330626534326264306263353663656231653362626235
-61613337303863336664303266303831366135376264336239353565633739636136356263636539
-32666637613536613036316636656134666261333561313230613136313939396636303064633731
-35386232386235666264326239353736303163643264313737613436356265366366613031393439
-36643038353862323361613138363165323431656132396638346539643932623663303366333365
-62353865356537333263393566623762666563333131323664346462306532613263323263643837
-61643265666366393237626266316439356331333438646462643730353137333433623031306631
-38326131363565326232
+36343835316464333566383362316662323461393339643462653138303565333663373938663836
+3764643539303864386532636539343461613063383865380a356237663837663931326266376131
+62306631366466393736323764396539653661666363326335626439326430613537656363333163
+6332336333346664310a613066373039336531346131656563353265646562366261393532333664
+31323731663838633731653961333934326636313866336235613838643732313632616339643837
+34386533363835333632633634336262633665353663393662303165336639373136616161616266
+61656566656136613238383963376239666264373230313337303131353861633461323732373130
+38623537333163393662616537356435383462363265613736313161393466336566646431373531
+32643430323730326536306464396261393564323366643065663865633666303862326236393338
+37663864646434353634373762313236613130653733643763646265366232376639653164303935
+37646139316166633136626265316130326363323436623035633731656665373965366362613965
+61353038636462393666666438306239656563316537373262633362303937346336333830313137
+64613639323631326662386638343734356362366466623930633837353666663933353666333538
+62653038316330616637633365316536643666666537303764306134326561343036303631383830
+36666539386239633361323337303061626261313039323334636237336331633463383037626462
+30396361316663636531
diff --git a/inventory/host_vars/ele-gwhetzner.yml b/inventory/host_vars/ele-gwhetzner.yml
index 2c970fda..7d2d032a 100644
--- a/inventory/host_vars/ele-gwhetzner.yml
+++ b/inventory/host_vars/ele-gwhetzner.yml
@@ -77,3 +77,17 @@ wireguard_gateway_tunnels:
 allowed_ips:
 - 192.168.254.6/32
 - 192.168.20.0/24
+
+
+wireguard_p2p_interface:
+ name: wg-thetys
+ description: external management interface for thetys
+ priv_key: "{{ vault_wireguard_p2p_interface.priv_key }}"
+ listen_port: 51920
+ addresses:
+ - 192.168.123.1/30
+
+wireguard_p2p_peer:
+ pub_key: "RDNeaG06AUkEZqEr/v3zTidroGfTBTsXluOx2ArITyE="
+ allowed_ips:
+ - 192.168.123.2/32
diff --git a/inventory/host_vars/s2-thetys.yml b/inventory/host_vars/s2-thetys.yml
index 6ab3eba1..b9a0fdb6 100644
--- a/inventory/host_vars/s2-thetys.yml
+++ b/inventory/host_vars/s2-thetys.yml
@@ -63,3 +63,20 @@ rtmp_streamer_inst_name: feed
 rtmp_streamer_nginx_image_version: 2020-04-29.7
 rtmp_streamer_decklink_card: "DeckLink Mini Recorder"
 rtmp_streamer_recording_enabled: yes
+
+
+wireguard_p2p_interface:
+ name: wg-mgmt
+ description: external management interface
+ priv_key: "{{ vault_wireguard_p2p_interface.priv_key }}"
+ addresses:
+ - 192.168.123.2/30
+
+wireguard_p2p_peer:
+ pub_key: "r/pFU+OOHmSZUJPSA15emuCQhC/MvLnmfx5o5MPl7yo="
+ keepalive_interval: 10
+ endpoint:
+ host: 178.63.180.138
+ port: 51920
+ allowed_ips:
+ - 192.168.123.1/32
diff --git a/roles/wireguard/gateway/tasks/systemd-iptables.service.j2 b/roles/wireguard/gateway/tasks/systemd-iptables.service.j2
deleted file mode 100644
index 11cf4b8a..00000000
--- a/roles/wireguard/gateway/tasks/systemd-iptables.service.j2
+++ /dev/null
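Review bot: The wg-mgmt peer added to inventory/host_vars/s2-thetys.yml carries a public key, a fixed endpoint and a /32 allowed_ips entry, but no preshared key, and nothing in the new p2p role installs a filter on the tunnel interface, so every service thetys binds to 0.0.0.0 is presumably reachable from the gateway over 192.168.123.2 once the link is up. Since the variable is described as an "external management interface", I would state that exposure explicitly next to it, e.g. `description: external management interface  # unfiltered: all local listeners reachable from ele-gwhetzner`, so the next reader does not assume the role restricts it. The literal endpoint `host: 178.63.180.138` also deserves a comment naming the host it belongs to (presumably ele-gwhetzner's public address) so it is not silently left behind when that address changes. If a PSK is added later it should come from the vault like `priv_key` does.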
@@ -1,42 +0,0 @@ -[Unit] -Wants=network-online.target -After=network-online.target - - -[Service] -Type=oneshot - -{% if 'ip_snat' in item.value %} -ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1 -{% for addr in item.value.addresses %} -ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }} -{% endfor %} -{% endif %} -{% for forward in item.value.port_forwardings | default([]) %} -{% for port in forward.tcp_ports | default([]) %} -ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }} -{% endfor %} -{% for port in forward.udp_ports | default([]) %} -ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }} -{% endfor %} -{% endfor %} - -{% if 'ip_snat' in item.value %} -{% for addr in item.value.addresses %} -ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }} -{% endfor %} -{% endif %} -{% for forward in item.value.port_forwardings | default([]) %} -{% for port in forward.tcp_ports | default([]) %} -ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }} -{% endfor %} -{% for port in forward.udp_ports | default([]) %} -ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }} -{% endfor %} -{% endfor %} - -RemainAfterExit=yes - - -[Install] -WantedBy=multi-user.target diff --git a/roles/wireguard/gateway/templates/systemd-iptables.service.j2 b/roles/wireguard/gateway/templates/systemd-iptables.service.j2 new file mode 100644 index 00000000..11cf4b8a --- /dev/null 
+++ b/roles/wireguard/gateway/templates/systemd-iptables.service.j2
@@ -0,0 +1,42 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
+
+
+[Service]
+Type=oneshot
+
+{% if 'ip_snat' in item.value %}
+ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1
+{% for addr in item.value.addresses %}
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+{% if 'ip_snat' in item.value %}
+{% for addr in item.value.addresses %}
+ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+RemainAfterExit=yes
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/wireguard/p2p/defaults/main.yml b/roles/wireguard/p2p/defaults/main.yml
new file mode 100644
index 00000000..9d93b810
--- /dev/null
+++ b/roles/wireguard/p2p/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+# wireguard_p2p_interface:
+# name: p2p
+# description: some wireguard tunnel
+# priv_key: secret
+# listen_port: 1234
+# addresses:
+# - 192.168.123.254/24
+
+# wireguard_p2p_peer:
+# pub_key: public_key_of_peer
+# keepalive_interval: 10
+# endpoint:
+# host: 5.6.7.8
+# port: 1234
+# allowed_ips:
+# - 192.168.255.3/32
+# - 192.168.123.0/24
diff --git a/roles/wireguard/p2p/handlers/main.yml b/roles/wireguard/p2p/handlers/main.yml
new file mode 100644
index 00000000..625032dc
--- /dev/null
+++ b/roles/wireguard/p2p/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart systemd-networkd
+ systemd:
+ daemon_reload: yes
+ name: systemd-networkd
+ state: restarted
diff --git a/roles/wireguard/p2p/tasks/main.yml b/roles/wireguard/p2p/tasks/main.yml
new file mode 100644
index 00000000..78cfaf43
--- /dev/null
+++ b/roles/wireguard/p2p/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: install wireguard interfaces (netdev)
+ template:
+ src: systemd.netdev.j2
+ dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.netdev"
+ mode: 0640
+ group: systemd-network
+ notify: restart systemd-networkd
+
+- name: install wireguard interfaces (network)
+ template:
+ src: systemd.network.j2
+ dest: "/etc/systemd/network/{{ wireguard_p2p_interface.name }}.network"
+ notify: restart systemd-networkd
+
+- name: enable systemd-networkd
+ systemd:
+ name: systemd-networkd
+ enabled: yes
+ state: started
diff --git a/roles/wireguard/p2p/tasks/systemd-iptables.service.j2 b/roles/wireguard/p2p/tasks/systemd-iptables.service.j2
new file mode 100644
index 00000000..11cf4b8a
--- /dev/null
+++ b/roles/wireguard/p2p/tasks/systemd-iptables.service.j2
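Review bot: The commented example in roles/wireguard/p2p/defaults/main.yml shows the private key as an inline literal, `priv_key: secret`, while both inventories added in this commit pull it from the vault; the example should model the vaulted form so nobody copies a plaintext key into host_vars: `#   priv_key: "{{ vault_wireguard_p2p_interface.priv_key }}"`. A one-line header stating that `wireguard_p2p_interface` and `wireguard_p2p_peer` are mandatory (the file defines no defaults for either) would also make the role's contract explicit.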
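Review bot: In roles/wireguard/p2p/tasks/main.yml the netdev task that writes the WireGuard private key to disk sets `mode: 0640` as an unquoted octal; Ansible accepts the resulting integer, but quoting it, `mode: "0640"`, removes the YAML retyping hazard and matches the usual Ansible guidance. The role also consumes `wireguard_p2p_interface` and `wireguard_p2p_peer` without checking they are defined (defaults/main.yml only documents them), so a host that includes the role without setting them fails inside the template with an undefined-variable error; an `assert` on both at the top of the task list would fail earlier and more clearly. Separately, the `restart systemd-networkd` handler reconfigures every networkd-managed link, which on ele-gwhetzner presumably includes the existing gateway tunnels; `networkctl reload` would be gentler where the installed systemd supports it.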
@@ -0,0 +1,42 @@
+[Unit]
+Wants=network-online.target
+After=network-online.target
+
+
+[Service]
+Type=oneshot
+
+{% if 'ip_snat' in item.value %}
+ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1
+{% for addr in item.value.addresses %}
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+{% if 'ip_snat' in item.value %}
+{% for addr in item.value.addresses %}
+ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
+{% endfor %}
+{% endif %}
+{% for forward in item.value.port_forwardings | default([]) %}
+{% for port in forward.tcp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+
+RemainAfterExit=yes
+
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/wireguard/p2p/templates/systemd.netdev.j2 b/roles/wireguard/p2p/templates/systemd.netdev.j2
new file mode 100644
index 00000000..04abfa1d
--- /dev/null
+++ b/roles/wireguard/p2p/templates/systemd.netdev.j2
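Review bot: roles/wireguard/p2p/tasks/systemd-iptables.service.j2 is a byte-identical copy of the gateway role's iptables unit (same blob 11cf4b8a), lands under tasks/ rather than templates/, and nothing in the new tasks/main.yml references it, so in this commit it is dead code; it also renders `item.value.*`, a loop variable the p2p role never defines, so it would fail the moment someone wires it up. I would drop it from the p2p role, or move it to templates/ and re-key it on `wireguard_p2p_interface` before it is used. If it is kept, note that ExecStart turns on `net.ipv4.ip_forward=1` with no matching FORWARD-chain filter and ExecStop never turns it off, so forwarding between all interfaces stays enabled after the unit stops; a comment on that line, `# forwarding is left enabled on stop; filter FORWARD elsewhere`, would at least make the intent visible.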
@@ -0,0 +1,26 @@
+[NetDev]
+Name={{ wireguard_p2p_interface.name }}
+Kind=wireguard
+{% if 'description' in wireguard_p2p_interface %}
+Description={{ wireguard_p2p_interface.description }}
+{% endif %}
+
+
+[WireGuard]
+PrivateKey={{ wireguard_p2p_interface.priv_key }}
+{% if 'listen_port' in wireguard_p2p_interface %}
+ListenPort={{ wireguard_p2p_interface.listen_port }}
+{% endif %}
+
+
+[WireGuardPeer]
+PublicKey={{ wireguard_p2p_peer.pub_key }}
+{% for ip in wireguard_p2p_peer.allowed_ips %}
+AllowedIPs={{ ip }}
+{% endfor %}
+{% if 'endpoint' in wireguard_p2p_peer %}
+Endpoint={{ wireguard_p2p_peer.endpoint.host }}:{{ wireguard_p2p_peer.endpoint.port | default(51820) }}
+{% endif %}
+{% if 'keepalive_interval' in wireguard_p2p_peer %}
+PersistentKeepalive={{ wireguard_p2p_peer.keepalive_interval }}
+{% endif %}
diff --git a/roles/wireguard/p2p/templates/systemd.network.j2 b/roles/wireguard/p2p/templates/systemd.network.j2
new file mode 100644
index 00000000..3d1e2431
--- /dev/null
+++ b/roles/wireguard/p2p/templates/systemd.network.j2
@@ -0,0 +1,7 @@
+[Match]
+Name={{ wireguard_p2p_interface.name }}
+
+[Network]
+{% for addr in wireguard_p2p_interface.addresses %}
+Address={{ addr }}
+{% endfor %}
diff --git a/spreadspace/host_vars/s2-thetys.yml b/spreadspace/host_vars/s2-thetys.yml
new file mode 100644
index 00000000..bf5235d1
--- /dev/null
+++ b/spreadspace/host_vars/s2-thetys.yml
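Review bot: The [WireGuardPeer] section in systemd.netdev.j2 renders no `PresharedKey=`, so the management link rests on the Curve25519 handshake alone; an optional PSK is cheap to support and worth having on a link used for administration: `{% if 'psk' in wireguard_p2p_peer %}` / `PresharedKey={{ wireguard_p2p_peer.psk }}` / `{% endif %}`, with the value pulled from the vault like `priv_key`. The private key is written inline into the .netdev file, which is acceptable only because the task installs it as 0640 root:systemd-network; a header comment in the template stating that requirement would keep the two files from drifting apart. `Endpoint=` falls back to port 51820 while the inventory in this commit listens on 51920, which is consistent today but easy to trip over, so a short comment on the default would help.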
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.2;AES256;spreadspace
+61666533323633643162623235616235356437623831636262356531346132343733386236623539
+3464383863633638616664363230653362646666616237630a383333663031633936646134633234
+35613439333966613531343133356561656232613539306532613130666261373935376631656531
+6462663166666363610a353830393235643030386466333633626130323438623063393465653530
+62626662386234303730646338316364306561623435623435666366343366313062363131383335
+33643766383962636565623933323730623664613264346637316662376138316234323136383339
+63353930616532363738616537613862646463373932636435323965393333356232653665326233
+65376163373633376631636363633531636561363261633662376361383332316362333036303031
+3734
diff --git a/spreadspace/s2-thetys.yml b/spreadspace/s2-thetys.yml
index 71239000..44a05609 100644
--- a/spreadspace/s2-thetys.yml
+++ b/spreadspace/s2-thetys.yml
@@ -8,6 +8,8 @@
 - role: core/zsh
 - role: core/cpu-microcode
 - role: apt-repo/spreadspace
+ - role: wireguard/base
+ - role: wireguard/p2p
 - role: zfs/base
 - role: streaming/blackmagic/desktopvideo
 - role: kubernetes/base
-- cgit v1.2.3