From 4d1b0469173c74ec57786876d808a1de733d3006 Mon Sep 17 00:00:00 2001 From: josiah Date: Sun, 15 Nov 2020 13:36:59 -0600 Subject: [PATCH] Prepare for wg migration from hatchery to larva. - add 192.168/16 routing info to wg.0 - remove old -hatchery.conf - remove dumb stuff in readme, meta - add tag to main play --- ansible/cloud_wg.yml | 2 +- ansible/roles/wg_vpn/README.md | 3 +- ansible/roles/wg_vpn/meta/main.yml | 53 ------------------- ansible/roles/wg_vpn/tasks/main.yml | 11 +++- .../roles/wg_vpn/templates/wg0-hatchery.conf | 8 --- ansible/roles/wg_vpn/templates/wg0-larva.conf | 11 ++++ ansible/roles/wg_vpn/templates/wg0.conf | 9 +++- 7 files changed, 29 insertions(+), 68 deletions(-) delete mode 100644 ansible/roles/wg_vpn/meta/main.yml delete mode 100644 ansible/roles/wg_vpn/templates/wg0-hatchery.conf create mode 100644 ansible/roles/wg_vpn/templates/wg0-larva.conf diff --git a/ansible/cloud_wg.yml b/ansible/cloud_wg.yml index 680b462..be0d758 100644 --- a/ansible/cloud_wg.yml +++ b/ansible/cloud_wg.yml @@ -5,4 +5,4 @@ tasks: - debug: msg="Deploying wg to cloud server" roles: - - { name: wg_vpn } + - { name: wg_vpn, tags: ['wg_vpn'] } diff --git a/ansible/roles/wg_vpn/README.md b/ansible/roles/wg_vpn/README.md index 5daf2fe..f641a36 100644 --- a/ansible/roles/wg_vpn/README.md +++ b/ansible/roles/wg_vpn/README.md @@ -10,8 +10,7 @@ this playbook doesn't handle /creating the machines/. they have to be online and Role Variables -------------- - -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +nothing lol usage ----- diff --git a/ansible/roles/wg_vpn/meta/main.yml b/ansible/roles/wg_vpn/meta/main.yml deleted file mode 100644 index 3a212a9..0000000 
--- a/ansible/roles/wg_vpn/meta/main.yml +++ /dev/null @@ -1,53 +0,0 @@ -galaxy_info: - author: your name - description: your description - company: your company (optional) - - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker - - # Choose a valid license ID from https://spdx.org - some suggested licenses: - # - BSD-3-Clause (default) - # - MIT - # - GPL-2.0-or-later - # - GPL-3.0-only - # - Apache-2.0 - # - CC-BY-4.0 - license: license (GPL-2.0-or-later, MIT, etc) - - min_ansible_version: 2.4 - - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. - -dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. - \ No newline at end of file diff --git a/ansible/roles/wg_vpn/tasks/main.yml b/ansible/roles/wg_vpn/tasks/main.yml index 53a9b4c..182bc31 100644 --- a/ansible/roles/wg_vpn/tasks/main.yml +++ b/ansible/roles/wg_vpn/tasks/main.yml 
@@ -7,12 +7,18 @@ echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable +- name: Install linux headers + apt: + name: "linux-headers-{{ ansible_kernel }}" + - name: install wireguard apt: name: - wireguard - build-essential - dkms + - wireguard-dkms + - wireguard-tools update_cache: yes state: latest
@@ -57,8 +63,9 @@ - clients - client_pvl -- name: Create hatchery file in /etc/wireguard/. - template: src=wg0-hatchery.conf dest=/etc/wireguard/ owner=root mode=0600 +- name: Create larva file in /etc/wireguard/. + template: src=wg0-larva.conf dest=/etc/wireguard/ owner=root mode=0600 tags: - clients - client_hatchery +
diff --git a/ansible/roles/wg_vpn/templates/wg0-hatchery.conf b/ansible/roles/wg_vpn/templates/wg0-hatchery.conf
deleted file mode 100644
index 686e978..0000000
--- a/ansible/roles/wg_vpn/templates/wg0-hatchery.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[Interface]
-PrivateKey = {{ wireguard_clients[3]['privkey'] }}
-Address = {{ wireguard_vpn_network | ipsubnet(32, wireguard_clients[3]['offset']) }}
-
-[Peer]
-PublicKey = {{ wireguard_server_pubkey }}
-Endpoint = vpn.awful.club:51820
-AllowedIPs = 0.0.0.0/0
diff --git a/ansible/roles/wg_vpn/templates/wg0-larva.conf b/ansible/roles/wg_vpn/templates/wg0-larva.conf
new file mode 100644
index 0000000..92c2f67
--- /dev/null
+++ b/ansible/roles/wg_vpn/templates/wg0-larva.conf
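Review bot: The new `Install linux headers` task runs without `update_cache: yes`, although the shell step visible just above it in the context lines has only just written a new apt source to `/etc/apt/sources.list.d/unstable.list` and its pin file; the first task that touches the package index after that should refresh it, so add `update_cache: yes` next to `name: "linux-headers-{{ ansible_kernel }}"` rather than relying on the later wireguard task to do it. `linux-headers-{{ ansible_kernel }}` also only resolves while the running kernel is still the version the configured repos ship; after a Debian kernel ABI bump the old headers package can disappear and the `wireguard-dkms` build will fail until the host reboots onto the new kernel, which deserves a comment such as `# headers must match the running kernel for the DKMS build; reboot after kernel upgrades`. The existing `state: latest` now also covers `wireguard-dkms`, an out-of-tree kernel module pulled in under the unstable pin, so every run may rebuild and replace a kernel module from a non-stable source; `state: present` is the more predictable choice for that package. The shell task that configures the unstable repo starts outside the hunk.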
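Review bot: The task was renamed to `Create larva file in /etc/wireguard/.` and now renders `wg0-larva.conf`, but its tag list still says `client_hatchery`, so a `--tags client_hatchery` run now silently deploys larva's config and there is no tag that selects larva by name; change the tag to `- client_larva`. Separately, this task writes a peer config containing larva's private key onto whatever host the role targets, and as far as `cloud_wg.yml` in this commit shows that host is the cloud server, so the client's private key is materialised on the server as well as on the client — one more place it can be read from if the server is compromised. If that is not intentional, render client configs with `delegate_to: localhost` (or on larva itself) instead of on the server. The task above this one, whose `client_pvl` tags are visible in the context lines, starts outside the hunk.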
@@ -0,0 +1,11 @@
+[Interface]
+PrivateKey = {{ wireguard_clients[3]['privkey'] }}
+Address = {{ wireguard_vpn_network | ipsubnet(32, wireguard_clients[3]['offset']) }}
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ wireguard_server_pubkey }}
+Endpoint = vpn.awful.club:51820
+AllowedIPs = 10.200.219.0/24
diff --git a/ansible/roles/wg_vpn/templates/wg0.conf b/ansible/roles/wg_vpn/templates/wg0.conf
index 83090e3..453cde4 100644
--- a/ansible/roles/wg_vpn/templates/wg0.conf
+++ b/ansible/roles/wg_vpn/templates/wg0.conf
@@ -28,6 +28,11 @@ PublicKey = {{ client.pubkey }} this will produce an offset of the start of the network with a /32 CIDR prefix which in this case will be the desired 10.0.0.15/32. #}
-AllowedIPs = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }}
-
+{% if client.name == 'larva' %}
+AllowedIPs = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }}, 192.168.0.0/16
+
+{% else %}
+AllowedIPs = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }}
+
+{% endif %}
 {% endfor %}
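Review bot: The `PostUp` line accepts every forwarded packet in both directions through `%i`, so once the server template in this same commit routes `192.168.0.0/16` to this peer, every other peer on the tunnel gets unrestricted access to larva's entire LAN and anything on the LAN that routes via larva gets into the tunnel as well. Restrict the FORWARD rules to the tunnel→LAN direction and let replies back through conntrack: `iptables -A FORWARD -i %i -o eth0 -j ACCEPT; iptables -A FORWARD -i eth0 -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, with the matching `-D` rules in `PostDown`, and add a destination match for the actual LAN prefix if it is narrower than the /16. `AllowedIPs = 10.200.219.0/24` is a hard-coded literal while `Address` is derived from `wireguard_vpn_network`; `AllowedIPs = {{ wireguard_vpn_network }}` keeps the two from drifting apart. Forwarding also needs `net.ipv4.ip_forward=1` on larva and, if larva sits behind NAT, a `PersistentKeepalive` so the server can reach it — neither appears in this commit, so confirm they are handled elsewhere.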
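Review bot: The site-to-site route is keyed on the literal peer name `'larva'` and the literal `192.168.0.0/16` inside the server template, so the next peer that needs a routed subnet requires another template edit and the subnet lives far from the peer definition it belongs to; a per-client field removes the `{% if %}`/`{% else %}` duplication too: `AllowedIPs = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }}{% if client.routes is defined %}, {{ client.routes | join(', ') }}{% endif %}`. Keep in mind that on the server `AllowedIPs` is both the route and the cryptokey-routing ACL: the /16 lets larva originate traffic from any 192.168.x.y source, and wg-quick will install a `192.168.0.0/16` route over wg0 on the cloud server, which would black-hole the server's own traffic if its provider network uses that range — worth checking, and worth narrowing to the real LAN prefix either way. The `{% for client in ... %}` loop this hunk sits in begins outside the hunk.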