switch to duconet-wg service mesh

wireguard/README.md

@@ -1,5 +1,9 @@
 # Wireguard
 
+## Install Wireguard
+
+<https://www.wireguard.com/install/>
+
 ## Ansible
 
 ```bash
@@ -8,70 +12,113 @@ ansible-playbook -i ansible/inventory.yaml wireguard/wireguard.yaml
 ansible-playbook -i ansible/inventory.yaml wireguard/peers.yaml
 ```
 
+## DNS Records
+
+Collect DNS records from vars.yaml
+
+```bash
+cat wireguard/vars.yaml | \
+    yq -r '.ip | map([.hostname + "-wg.reeselink.com", .address]).[].[]' > dns/duconet-wg.txt
+```
+
 ## CLI Setup
 
 ```bash
 # Peer 1
 wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
 
-ip link add dev wg0 type wireguard
+ip link add dev duconet-wg type wireguard
 
-ip address add dev wg0 10.10.10.1/24
+ip address add dev duconet-wg fd00:fd41:d0f1:1010::0/64
 
-wg set wg0 \
+wg set duconet-wg \
     listen-port 51821 \
     private-key /etc/wireguard/privatekey
 
-wg set wg0 \
+wg set duconet-wg \
     peer CQxNsdPgfzjvOszjn/UZHFdAY3k+D9J+vI8qKUjCYV0= \
     allowed-ips '10.10.10.0/24' \
     endpoint 10.1.200.253:51821
 
-ip link set up dev wg0
-touch /etc/wireguard/wg0.conf
-wg-quick save wg0
+ip link set up dev duconet-wg
+touch /etc/wireguard/duconet-wg.conf
+wg-quick save duconet-wg
 
 # Peer 2
 wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
 
-ip link add dev wg0 type wireguard
+ip link add dev duconet-wg type wireguard
 
-ip address add dev wg0 10.10.10.2/24
+ip address add dev duconet-wg 10.10.10.2/24
 
-wg set wg0 \
+wg set duconet-wg \
     listen-port 51821 \
     private-key /etc/wireguard/privatekey \
     peer kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw= \
     allowed-ips '10.10.10.0/24' \
     endpoint 10.1.203.197:51821
 
-ip link set up dev wg0
-touch /etc/wireguard/wg0.conf
-wg-quick save wg0
+ip link set up dev duconet-wg
+touch /etc/wireguard/duconet-wg.conf
+wg-quick save duconet-wg
 
 # Peer 3
 wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
 
-ip link add dev wg0 type wireguard
+ip link add dev duconet-wg type wireguard
 
-ip address add dev wg0 10.10.10.3/24
+ip address add dev duconet-wg 10.10.10.3/24
 
-wg set wg0 \
+wg set duconet-wg \
     listen-port 51821 \
     private-key /etc/wireguard/privatekey \
     peer kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw= \
     allowed-ips '10.10.10.0/24' \
     endpoint 10.1.203.197:51821
 
-wg set wg0 \
+wg set duconet-wg \
     peer 9/dBUlO9TGf0H9M3xwPiuIuz6Q/u7fSJVZaUxqAiqi8= \
     allowed-ips '10.10.10.0/24' \
     endpoint 10.1.2.10:51821
 
-ip link set up dev wg0
-touch /etc/wireguard/wg0.conf
-wg-quick save wg0
-
-# teardown
-ip link delete wg0
+ip link set up dev duconet-wg
+touch /etc/wireguard/duconet-wg.conf
+wg-quick save duconet-wg
+```
+
+## Teardown
+
+```bash
+# teardown
+ip link delete duconet-wg
+systemctl disable wg-quick@duconet-wg
+```
+
+## Truenas
+
+Because truenas's /etc/wireguard is ephemeral we need to create scripts to save and load
+our wireguard config at shutdown/boot.
+
+Select these scripts in system settings -> advanced -> init/shutdown scripts
+
+Startup Script:
+
+/mnt/enc1/truenas/wireguard/duconet-save.sh
+
+```bash
+#!/bin/bash
+
+cp -a /mnt/enc1/truenas/wireguard/* /etc/wireguard/
+wg-quick up duconet-wg
+```
+
+Shutdown Script:
+
+/mnt/enc1/truenas/wireguard/duconet-load.sh
+
+```bash
+#!/bin/bash
+
+wg-quick save duconet-wg
+cp -a /etc/wireguard/* /mnt/enc1/truenas/wireguard/
 ```

wireguard/interface.yaml

@@ -2,37 +2,39 @@
   hosts: 
     - colors
     - kubernetes
-    - localhost
     - truenas
+    - nextcloud-aio
+    - unifi-external
   become: true
   become_user: root
   become_method: sudo
   vars_files:
     - vars.yaml
   tasks:
-  - name: Delete wg0 link
-    shell: ip link del wg0
-    ignore_errors: yes
-  - name: Add wg0 link
-    shell: ip link add dev wg0 type wireguard
-    ignore_errors: yes
-  - name: Add wg0 addresses
-    shell: "ip address add dev wg0 {{ ip[inventory_hostname].address }}/64"
+  - name: Check if duconet-wg exists
+    shell: ip link show duconet-wg
+    register: link_check
     ignore_errors: yes
+  - name: Add duconet-wg link
+    shell: ip link add dev duconet-wg type wireguard
+    when: link_check.rc != 0
+  - name: Add duconet-wg addresses
+    shell: "ip address add dev duconet-wg {{ ip[inventory_hostname].address }}/64"
+    when: link_check.rc != 0
   - name: wg set port/key
     shell: >
-      wg set wg0
+      wg set duconet-wg
       listen-port {{ wireguard.listen_port }}
       private-key /etc/wireguard/privatekey
   - name: Set link up
-    shell: ip link set up dev wg0
-  - name: Touch wg0.conf
+    shell: ip link set up dev duconet-wg
+  - name: Touch duconet-wg.conf
     ansible.builtin.file:
-      path: /etc/wireguard/wg0.conf
+      path: /etc/wireguard/duconet-wg.conf
       state: touch
   - name: save wg config
-    shell: wg-quick save wg0
-  - name: Enable wg-quick@wg0
+    shell: wg-quick save duconet-wg
+  - name: Enable wg-quick@duconet-wg
     ansible.builtin.systemd_service:
-      name: wg-quick@wg0
+      name: wg-quick@duconet-wg
       enabled: true

wireguard/keys.yaml

@@ -2,7 +2,9 @@
   hosts:
     - colors
     - kubernetes
-    - localhost
+    - truenas
+    - nextcloud-aio
+    - unifi-external
   become: true
   become_user: root
   become_method: sudo
@@ -17,7 +19,7 @@
     register: key
   - name: Generate pubkey and privatekey
     shell: wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
-    when: not key.stat.exists
+    when: not key.stat.exists or key.stat.size == 0
   - name: cat pubkey
     command: cat /etc/wireguard/publickey
     register: pubkey

wireguard/peers.yaml

@@ -2,8 +2,9 @@
   hosts: 
     - colors
     - kubernetes
-    - localhost
     - truenas
+    - nextcloud-aio
+    - unifi-external
   become: true
   become_user: root
   become_method: sudo
@@ -12,7 +13,7 @@
   tasks:
   - name: wg set peers
     shell: >
-      wg set wg0
+      wg set duconet-wg
       peer {{ item.public_key }}
       allowed-ips '{{ ip[item.name].address }}'
       {% if item.endpoint %}
@@ -20,11 +21,4 @@
       {% endif %}
     loop: "{{ peers }}"
   - name: save wg config
-    shell: wg-quick save wg0
-  - name: Add IP address of all hosts to /etc/hosts
-    lineinfile:
-      dest: /etc/hosts
-      regexp: '.*{{ item.value.address }}$'
-      line: "{{ item.value.address }} {{ item.value.hostname }}"
-      state: present
-    loop: "{{ ip | dict2items }}"
+    shell: wg-quick save duconet-wg

wireguard/vars.yaml

@@ -1,6 +1,7 @@
 wireguard:
   listen_port: 51821
   allowed_ips: fd00:fd41:d0f1:1010::0/64
+  interface: duconet-wg
 peers:
   - name: yellow
     public_key: kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw=
@@ -18,11 +19,14 @@ peers:
     public_key: BwLY8W9nUCpF2xpLlvbkPkwQDV1Kqe+afCINXjEhQnY=
     endpoint: node3.reeselink.com:51821
   - name: driveripper
-    public_key: 9/dBUlO9TGf0H9M3xwPiuIuz6Q/u7fSJVZaUxqAiqi8=
+    public_key: o7alrWFIMHZyeMNJDotj7Aa8ggAZ3xxcMehVnjCJjmA=
     endpoint: driveripper.reeselink.com:51821
-  - name: localhost
-    public_key: kZVVQ9gIoUb5Uo9DnlCduyLzuH7puc+hGQwvPRV4QQM=
-    endpoint: ""
+  - name: unifi-external
+    public_key: UdbGYnVoxv9J7iv98EJ5hRfjlvPvHENsUqNJQADRHQI=
+    endpoint: unifi-external.reeselink.com:51821
+  - name: nextcloud-aio
+    public_key: G4L1WGm9nIwaw2p6oZqT4W7+ekoziCePrjI8AFwXHTw=
+    endpoint: nextcloud-aio.reeselink.com:51821
 ip:
   yellow: 
     address: fd00:fd41:d0f1:1010::1
@@ -42,6 +46,9 @@ ip:
   driveripper:
     address: fd00:fd41:d0f1:1010::6
     hostname: driveripper
-  localhost:
+  unifi-external:
     address: fd00:fd41:d0f1:1010::7
-    hostname: reesework
+    hostname: unifi-external
+  nextcloud-aio:
+    address: fd00:fd41:d0f1:1010::8
+    hostname: nextcloud-aio