kube transfer to single-node host

mesh/README.md

@@ -1,4 +1,7 @@
-# Wireguard
+# Service Mesh
+
+This will be handled by wireguard. The goal is to establish encrypted communication between
+hosts for iscsi/nfs/http services.
 
 ## Install Wireguard
 
@@ -17,7 +20,7 @@ ansible-playbook -i ansible/inventory.yaml mesh/peers.yaml
 Collect DNS records from vars.yaml
 
 ```bash
-cat wireguard/vars.yaml | \
+cat mesh/vars.yaml | \
     yq -r '.ip | map([.hostname + "-wg.reeselink.com", .address]).[].[]' > dns/duconet-wg.txt
 ```
 

mesh/interface.yaml

@@ -2,39 +2,40 @@
   hosts: 
     - colors
     - kubernetes
-    - truenas
-    - nextcloud-aio
-    - unifi-external
+    - managed
   become: true
   become_user: root
   become_method: sudo
   vars_files:
     - vars.yaml
   tasks:
-  - name: Check if duconet-wg exists
-    shell: ip link show duconet-wg
+  - name: Check if {{ wireguard.interface }} exists
+    shell: ip link show {{ wireguard.interface }}
     register: link_check
     ignore_errors: yes
-  - name: Add duconet-wg link
-    shell: ip link add dev duconet-wg type wireguard
-    when: link_check.rc != 0
-  - name: Add duconet-wg addresses
-    shell: "ip address add dev duconet-wg {{ ip[inventory_hostname].address }}/64"
+  - name: Add {{ wireguard.interface }} link
+    shell: ip link add dev {{ wireguard.interface }} type wireguard
     when: link_check.rc != 0
+  - name: Add {{ wireguard.interface }} ipv6 addresses
+    shell: "ip address add dev {{ wireguard.interface }} {{ ip[inventory_hostname].address_ipv6 }}/64"
+    ignore_errors: yes
+  - name: Add {{ wireguard.interface }} ipv4 addresses
+    shell: "ip address add dev {{ wireguard.interface }} {{ ip[inventory_hostname].address_ipv4 }}/24"
+    ignore_errors: yes
   - name: wg set port/key
     shell: >
-      wg set duconet-wg
+      wg set {{ wireguard.interface }}
       listen-port {{ wireguard.listen_port }}
       private-key /etc/wireguard/privatekey
   - name: Set link up
-    shell: ip link set up dev duconet-wg
-  - name: Touch duconet-wg.conf
+    shell: ip link set up dev {{ wireguard.interface }}
+  - name: Touch {{ wireguard.interface }}.conf
     ansible.builtin.file:
-      path: /etc/wireguard/duconet-wg.conf
+      path: /etc/wireguard/{{ wireguard.interface }}.conf
       state: touch
   - name: save wg config
-    shell: wg-quick save duconet-wg
-  - name: Enable wg-quick@duconet-wg
+    shell: wg-quick save {{ wireguard.interface }}
+  - name: Enable wg-quick@{{ wireguard.interface }}
     ansible.builtin.systemd_service:
-      name: wg-quick@duconet-wg
+      name: wg-quick@{{ wireguard.interface }}
       enabled: true

mesh/keys.yaml

@@ -2,9 +2,7 @@
   hosts:
     - colors
     - kubernetes
-    - truenas
-    - nextcloud-aio
-    - unifi-external
+    - managed
   become: true
   become_user: root
   become_method: sudo

mesh/peers.yaml

@@ -2,9 +2,7 @@
   hosts: 
     - colors
     - kubernetes
-    - truenas
-    - nextcloud-aio
-    - unifi-external
+    - managed
   become: true
   become_user: root
   become_method: sudo
@@ -12,17 +10,25 @@
     - vars.yaml
   tasks:
   - name: delete unused peers
-    shell: wg set duconet-wg peer {{ item }} remove
+    shell: wg set {{ wireguard.interface }} peer {{ item }} remove
     loop:
       - "CQxNsdPgfzjvOszjn/UZHFdAY3k+D9J+vI8qKUjCYV0="
   - name: wg set peers
     shell: >
-      wg set duconet-wg
+      wg set {{ wireguard.interface }}
       peer {{ item.public_key }}
-      allowed-ips '{{ ip[item.name].address }}'
+      allowed-ips '{{ ip[item.name].address_ipv6 }},{{ ip[item.name].address_ipv4 }}'
+      persistent-keepalive 5
       {% if item.endpoint %}
       endpoint '{{ item.endpoint }}'
       {% endif %}
     loop: "{{ peers }}"
+  - name: wg delete peers
+    shell: >
+      wg set {{ wireguard.interface }}
+      peer {{ item }} remove
+    loop:
+    - 9/dBUlO9TGf0H9M3xwPiuIuz6Q/u7fSJVZaUxqAiqi8=
+    ignore_errors: yes
   - name: save wg config
-    shell: wg-quick save duconet-wg
+    shell: wg-quick save {{ wireguard.interface }}

mesh/vars.yaml

@@ -1,6 +1,5 @@
 wireguard:
   listen_port: 51821
-  allowed_ips: fd00:fd41:d0f1:1010::0/64
   interface: duconet-wg
 peers:
   - name: yellow
@@ -24,25 +23,39 @@ peers:
   - name: nextcloud-aio
     public_key: G4L1WGm9nIwaw2p6oZqT4W7+ekoziCePrjI8AFwXHTw=
     endpoint: nextcloud-aio.reeselink.com:51821
+  - name: pivpn
+    public_key: mhrhD+orgevCKJyf28KMvzHGy+0LAmNomAN1XcwjrUI=
+    endpoint: pivpn.reeselink.com:51821
 ip:
   yellow: 
-    address: fd00:fd41:d0f1:1010::1
+    address_ipv6: fd00:fd41:d0f1:1010::1
+    address_ipv4: 10.180.238.1
     hostname: yellow
   node1:
-    address: fd00:fd41:d0f1:1010::3
+    address_ipv6: fd00:fd41:d0f1:1010::3
+    address_ipv4: 10.180.238.3
     hostname: node1
   node2:
-    address: fd00:fd41:d0f1:1010::4
+    address_ipv6: fd00:fd41:d0f1:1010::4
+    address_ipv4: 10.180.238.4
     hostname: node2
   node3:
-    address: fd00:fd41:d0f1:1010::5
+    address_ipv6: fd00:fd41:d0f1:1010::5
+    address_ipv4: 10.180.238.5
     hostname: node3
   driveripper:
-    address: fd00:fd41:d0f1:1010::6
+    address_ipv6: fd00:fd41:d0f1:1010::6
+    address_ipv4: 10.180.238.6
     hostname: driveripper
   unifi-external:
-    address: fd00:fd41:d0f1:1010::7
+    address_ipv6: fd00:fd41:d0f1:1010::7
+    address_ipv4: 10.180.238.7
     hostname: unifi-external
   nextcloud-aio:
-    address: fd00:fd41:d0f1:1010::8
+    address_ipv6: fd00:fd41:d0f1:1010::8
+    address_ipv4: 10.180.238.8
     hostname: nextcloud-aio
+  pivpn:
+    address_ipv6: fd00:fd41:d0f1:1010::9
+    address_ipv4: 10.180.238.9
+    hostname: pivpn