organize folders and MVP wireguard mesh

wireguard/README.md

@@ -0,0 +1,77 @@
+# Wireguard
+
+## Ansible
+
+```bash
+ansible-playbook -i ansible/inventory.yaml wireguard/keys.yaml
+ansible-playbook -i ansible/inventory.yaml wireguard/wireguard.yaml
+ansible-playbook -i ansible/inventory.yaml wireguard/peers.yaml
+```
+
+## CLI Setup
+
+```bash
+# Peer 1
+wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
+
+ip link add dev wg0 type wireguard
+
+ip address add dev wg0 10.10.10.1/24
+
+wg set wg0 \
+    listen-port 51821 \
+    private-key /etc/wireguard/privatekey
+
+wg set wg0 \
+    peer CQxNsdPgfzjvOszjn/UZHFdAY3k+D9J+vI8qKUjCYV0= \
+    allowed-ips '10.10.10.0/24' \
+    endpoint 10.1.200.253:51821
+
+ip link set up dev wg0
+touch /etc/wireguard/wg0.conf
+wg-quick save wg0
+
+# Peer 2
+wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
+
+ip link add dev wg0 type wireguard
+
+ip address add dev wg0 10.10.10.2/24
+
+wg set wg0 \
+    listen-port 51821 \
+    private-key /etc/wireguard/privatekey \
+    peer kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw= \
+    allowed-ips '10.10.10.0/24' \
+    endpoint 10.1.203.197:51821
+
+ip link set up dev wg0
+touch /etc/wireguard/wg0.conf
+wg-quick save wg0
+
+# Peer 3
+wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
+
+ip link add dev wg0 type wireguard
+
+ip address add dev wg0 10.10.10.3/24
+
+wg set wg0 \
+    listen-port 51821 \
+    private-key /etc/wireguard/privatekey \
+    peer kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw= \
+    allowed-ips '10.10.10.0/24' \
+    endpoint 10.1.203.197:51821
+
+wg set wg0 \
+    peer 9/dBUlO9TGf0H9M3xwPiuIuz6Q/u7fSJVZaUxqAiqi8= \
+    allowed-ips '10.10.10.0/24' \
+    endpoint 10.1.2.10:51821
+
+ip link set up dev wg0
+touch /etc/wireguard/wg0.conf
+wg-quick save wg0
+
+# teardown
+ip link delete wg0
+```

wireguard/interface.yaml

@@ -0,0 +1,38 @@
+- name: Configure Wireguard Network Link
+  hosts: 
+    - colors
+    - kubernetes
+    - localhost
+    - truenas
+  become: true
+  become_user: root
+  become_method: sudo
+  vars_files:
+    - vars.yaml
+  tasks:
+  - name: Delete wg0 link
+    shell: ip link del wg0
+    ignore_errors: yes
+  - name: Add wg0 link
+    shell: ip link add dev wg0 type wireguard
+    ignore_errors: yes
+  - name: Add wg0 addresses
+    shell: "ip address add dev wg0 {{ ip[inventory_hostname].address }}/64"
+    ignore_errors: yes
+  - name: wg set port/key
+    shell: >
+      wg set wg0
+      listen-port {{ wireguard.listen_port }}
+      private-key /etc/wireguard/privatekey
+  - name: Set link up
+    shell: ip link set up dev wg0
+  - name: Touch wg0.conf
+    ansible.builtin.file:
+      path: /etc/wireguard/wg0.conf
+      state: touch
+  - name: save wg config
+    shell: wg-quick save wg0
+  - name: Enable wg-quick@wg0
+    ansible.builtin.systemd_service:
+      name: wg-quick@wg0
+      enabled: true

wireguard/keys.yaml

@@ -0,0 +1,26 @@
+- name: Update nginx stream configuration
+  hosts:
+    - colors
+    - kubernetes
+    - localhost
+  become: true
+  become_user: root
+  become_method: sudo
+  tasks:
+  - name: Ensure wireguard directory exists
+    ansible.builtin.file:
+      path: /etc/wireguard
+      state: directory
+      mode: '0700'
+  - name: Check if privatekey exists
+    stat: path=/etc/wireguard/privatekey
+    register: key
+  - name: Generate pubkey and privatekey
+    shell: wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
+    when: not key.stat.exists
+  - name: cat pubkey
+    command: cat /etc/wireguard/publickey
+    register: pubkey
+  - name: Print publickey to console
+    debug:
+      msg: "{{pubkey.stdout}}"

wireguard/peers.yaml

@@ -0,0 +1,30 @@
+- name: Add wireguard peers to each server
+  hosts: 
+    - colors
+    - kubernetes
+    - localhost
+    - truenas
+  become: true
+  become_user: root
+  become_method: sudo
+  vars_files:
+    - vars.yaml
+  tasks:
+  - name: wg set peers
+    shell: >
+      wg set wg0
+      peer {{ item.public_key }}
+      allowed-ips '{{ ip[item.name].address }}'
+      {% if item.endpoint %}
+      endpoint '{{ item.endpoint }}'
+      {% endif %}
+    loop: "{{ peers }}"
+  - name: save wg config
+    shell: wg-quick save wg0
+  - name: Add IP address of all hosts to /etc/hosts
+    lineinfile:
+      dest: /etc/hosts
+      regexp: '.*{{ item.value.address }}$'
+      line: "{{ item.value.address }} {{ item.value.hostname }}"
+      state: present
+    loop: "{{ ip | dict2items }}"

wireguard/vars.yaml

@@ -0,0 +1,47 @@
+wireguard:
+  listen_port: 51821
+  allowed_ips: fd00:fd41:d0f1:1010::0/64
+peers:
+  - name: yellow
+    public_key: kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw=
+    endpoint: yellow.reeselink.com:51821
+  - name: orange
+    public_key: CQxNsdPgfzjvOszjn/UZHFdAY3k+D9J+vI8qKUjCYV0=
+    endpoint: orange.reeselink.com:51821
+  - name: node1
+    public_key: 1K3CszRSSnUSWpgL7q57+LTgOEbIt8TonSK1gV/JnXE=
+    endpoint: node1.reeselink.com:51821
+  - name: node2
+    public_key: /7IGSgTEPh+lGYtkMUME2+0XlZEz1ILLd8J0oIxgnjA=
+    endpoint: node2.reeselink.com:51821
+  - name: node3
+    public_key: BwLY8W9nUCpF2xpLlvbkPkwQDV1Kqe+afCINXjEhQnY=
+    endpoint: node3.reeselink.com:51821
+  - name: driveripper
+    public_key: 9/dBUlO9TGf0H9M3xwPiuIuz6Q/u7fSJVZaUxqAiqi8=
+    endpoint: driveripper.reeselink.com:51821
+  - name: localhost
+    public_key: kZVVQ9gIoUb5Uo9DnlCduyLzuH7puc+hGQwvPRV4QQM=
+    endpoint: ""
+ip:
+  yellow: 
+    address: fd00:fd41:d0f1:1010::1
+    hostname: yellow
+  orange:
+    address: fd00:fd41:d0f1:1010::2
+    hostname: orange
+  node1:
+    address: fd00:fd41:d0f1:1010::3
+    hostname: node1
+  node2:
+    address: fd00:fd41:d0f1:1010::4
+    hostname: node2
+  node3:
+    address: fd00:fd41:d0f1:1010::5
+    hostname: node3
+  driveripper:
+    address: fd00:fd41:d0f1:1010::6
+    hostname: driveripper
+  localhost:
+    address: fd00:fd41:d0f1:1010::7
+    hostname: reesework

wireguard/wireguard.yaml

@@ -1,76 +0,0 @@
-- name: Update nginx stream configuration
-  hosts: colors
-  become: true
-  become_user: root
-  become_method: sudo
-  vars_files:
-    - vars.yaml
-  tasks:
-  - name: Remove http.d dir before repopulating
-    file:
-      path: /etc/nginx/http.d/
-      state: absent
-  - name: Remove stream.d dir before repopulating
-    file:
-      path: /etc/nginx/stream.d/
-      state: absent
-  - name: Create stream.d dir
-    ansible.builtin.file:
-      path: /etc/nginx/stream.d
-      state: directory
-      mode: '0755'
-  - name: Create http.d dir
-    ansible.builtin.file:
-      path: /etc/nginx/http.d
-      state: directory
-      mode: '0755'
-  - name: Copy nginx.conf
-    template:
-      src: nginx.conf
-      dest: /etc/nginx/nginx.conf
-      owner: root
-      group: root
-      mode: '0644'
-  - name: Copy .htpasswd
-    template:
-      src: ../secrets/.htpasswd
-      dest: /etc/nginx/.htpasswd
-      owner: nginx
-      group: nginx
-      mode: '0600'
-  - name: Copy stream configurations
-    template:
-      src: "{{ item }}"
-      dest: /etc/nginx/stream.d/{{ item | basename }}
-      owner: root
-      group: root
-      mode: '0644'
-    with_fileglob:
-    - stream.d/*
-  - name: Template all http configurations
-    template:
-      src: https.conf
-      dest: /etc/nginx/http.d/{{ item.external.domain }}.conf
-      owner: root
-      group: root
-      mode: '0644'
-    loop: "{{ http }}"
-  - name: Test nginx configuration
-    ansible.builtin.shell: /usr/sbin/nginx -t
-  - name: Stop nginx service
-    ansible.builtin.systemd_service:
-      state: stopped
-      name: nginx
-  - name: Remove old socket files
-    file:
-      path: /var/lib/nginx/tmp/nginx_http.sock
-      state: absent
-  - name: Remove old socket files
-    file:
-      path: /var/lib/nginx/tmp/nginx_https.sock
-      state: absent
-  - name: Reload nginx service
-    ansible.builtin.systemd_service:
-      state: started
-      name: nginx
-      enabled: true