switch to duconet-wg service mesh

README.md

@@ -8,12 +8,13 @@ A project to store homelab stuff.
   - [Table of Contents](#table-of-contents)
   - [Platforms](#platforms)
     - [Reverse Proxy](#reverse-proxy)
-    - [Storage](#storage)
+    - [Service Mesh](#service-mesh)
+    - [Data Storage](#data-storage)
   - [Components](#components)
     - [CoreDNS](#coredns)
     - [Metal LB](#metal-lb)
     - [Nginx Ingress](#nginx-ingress)
-    - [Storage](#storage-1)
+    - [Storage](#storage)
   - [Apps](#apps)
     - [Dashboard](#dashboard)
     - [Nextcloud](#nextcloud)
@@ -64,9 +65,15 @@ be installed on bare metal machine(s) via ansible to ensure max performance and
 Each machine that acts as a reverse proxy will add its public ipv4 and ipv6 address(es) to
 the public domains used for external and internal access (*.reeseapps.com).
 
-### Storage
+### Service Mesh
 
-All servers will use ISCSI 
+All devices will be connected via wireguard and will talk over the wireguard connection. See
+the wireguard folder for more details. It's advisable to create DNS records internally pointing
+to the wireguard-assigned IP addresses.
+
+### Data Storage
+
+All servers will use ISCSI.
 
 ## Components
 
@@ -85,7 +92,7 @@ helm repo update
 helm upgrade --install \
     --namespace=coredns \
     --create-namespace \
-    --values coredns-values.yaml \
+    --values coredns/coredns-values.yaml \
     coredns \
     coredns/coredns
 ```
@@ -328,7 +335,7 @@ helm repo update
 # enc0 storage (iscsi)
 helm upgrade \
 --install \
---values truenas-iscsi-enc0.yaml \
+--values democratic-csi/truenas-iscsi-enc0.yaml \
 --namespace democratic-csi \
 --create-namespace \
 --set driver.config.httpConnection.apiKey=$(cat secrets/truenas-api-key) \
@@ -337,7 +344,7 @@ zfs-iscsi-enc0 democratic-csi/democratic-csi
 # enc1 storage (iscsi)
 helm upgrade \
 --install \
---values truenas-iscsi-enc1.yaml \
+--values democratic-csi/truenas-iscsi-enc1.yaml \
 --namespace democratic-csi \
 --create-namespace \
 --set driver.config.httpConnection.apiKey=$(cat secrets/truenas-api-key) \
@@ -346,7 +353,7 @@ zfs-iscsi-enc1 democratic-csi/democratic-csi
 # enc1 storage (nfs)
 helm upgrade \
 --install \
---values truenas-nfs-enc1.yaml \
+--values democratic-csi/truenas-nfs-enc1.yaml \
 --namespace democratic-csi \
 --create-namespace \
 --set driver.config.httpConnection.apiKey=$(cat secrets/truenas-api-key) \
@@ -576,7 +583,7 @@ helm repo update
 helm upgrade --install \
     gitea \
     gitea-charts/gitea \
-    --values gitea-values.yaml \
+    --values gitea/gitea-values.yaml \
     --namespace gitea \
     --create-namespace
 ```

ansible/inventory.yaml

@@ -12,12 +12,13 @@ colors:
     orange:
     yellow:
 
-apt:
+nextcloud-aio:
+  hosts:
+    nextcloud-aio:
+
+unifi-external:
   hosts:
     unifi-external:
-    nextcloud-aio:
-    replicator:
-    dns:
 
 hardware: 
   hosts:

coredns/coredns-values.yaml

@@ -120,7 +120,7 @@ servers:
   - name: prometheus
     parameters: 0.0.0.0:9153
   - name: forward
-    parameters: . /etc/resolv.conf
+    parameters: . 10.1.0.1
   - name: cache
     parameters: 30
   - name: loop

democratic-csi/truenas-nfs-enc1.yaml

@@ -45,7 +45,8 @@ driver:
       shareHost: democratic-csi-server.reeselink.com
       shareAlldirs: false
       shareAllowedHosts: []
-      shareAllowedNetworks: []
+      shareAllowedNetworks:
+        - "fd00:fd41:d0f1:1010::0/64"
       shareMaprootUser: root
       shareMaprootGroup: root
       shareMapallUser: ""

dns/README.md

@@ -0,0 +1,90 @@
+# Network Management
+
+- [Network Management](#network-management)
+  - [DNS Caching](#dns-caching)
+  - [Route53](#route53)
+  - [Reeselink Addresses](#reeselink-addresses)
+  - [Reeseapps Addresses](#reeseapps-addresses)
+  - [Duconet WG Addresses](#duconet-wg-addresses)
+
+## DNS Caching
+
+Use unifi to cache important DNS records. The following are critical:
+
+- `driveripper-wg.reeselink.com` `Host (AAAA)` `fd00:fd41:d0f1:1010::6`
+- `democratic-csi-server.reeselink.com` `Host (A)` `fd00:fd41:d0f1:1010::6`
+- `driveripper.reeseapps.com` `Host (A)` `10.1.200.253`
+- `driveripper.reeseapps.com` `Host (A)` `10.1.203.197`
+- `driveripper.reeseapps.com` `Host (AAAA)` `2600:1700:1e6c:a81f:153e:9c35:8ff3:fa3`
+- `driveripper.reeseapps.com` `Host (AAAA)` `2600:1700:1e6c:a81f:793d:7abf:e94d:9bc4`
+
+## Route53
+
+```bash
+aws route53 list-hosted-zones
+
+# reeselink
+aws route53 change-resource-record-sets --hosted-zone-id Z0092652G7L97DSINN18 --change-batch file://
+
+# reeseapps
+aws route53 change-resource-record-sets --hosted-zone-id Z012820733346FJ0U4FUF --change-batch file://
+```
+
+## Reeselink Addresses
+
+These are convenience dns records so you don't have to remember every ip address. IPV6 and IPV4.
+
+```bash
+aws route53 change-resource-record-sets --hosted-zone-id Z0092652G7L97DSINN18 --change-batch file://dns/reeselink.json
+```
+
+You can extract these addresses into a text file with:
+
+```bash
+# IPV6
+cat dns/reeselink.json | \
+    jq -c -r '[ .Changes.[] |
+        select( .ResourceRecordSet.Type | . == "AAAA") ]
+        | .[]
+        | .ResourceRecordSet
+        | .Name,.ResourceRecords.[].Value' > dns/ipv6.txt
+
+# IPV4
+cat dns/reeselink.json | \
+    jq -c -r '[ .Changes.[] | 
+        select( .ResourceRecordSet.Type | . == "A") ] 
+        | .[]
+        | .ResourceRecordSet
+        | .Name,.ResourceRecords.[].Value' > dns/ipv4.txt
+```
+
+## Reeseapps Addresses
+
+```bash
+aws route53 change-resource-record-sets --hosted-zone-id Z012820733346FJ0U4FUF --change-batch file://dns/reeseapps.json
+```
+
+## Duconet WG Addresses
+
+After generating new addresses from wireguard's vars.yaml. Use find and replace regex
+with the following:
+
+```regex
+(.*.reeselink.com)\n(.*)$
+```
+
+```regex
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "$1",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "$2"
+                    }
+                ]
+            }
+        },
+```

dns/duconet-wg.txt

@@ -0,0 +1,104 @@
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "yellow-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::1"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "orange-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::2"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "node1-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::3"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "node2-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::4"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "node3-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::5"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "driveripper-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::6"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "unifi-external-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::7"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "nextcloud-aio-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::8"
+                    }
+                ]
+            }
+        },

dns/ipv6.txt

@@ -20,3 +20,19 @@ unifi-external.reeselink.com
 2600:1700:1e6c:a81f:5054:ff:fea0:200c
 e3s1plus.reeselink.com
 2600:1700:1e6c:a81f:19a4:37de:9672:1f76
+yellow-wg.reeselink.com
+fd00:fd41:d0f1:1010::1
+orange-wg.reeselink.com
+fd00:fd41:d0f1:1010::2
+node1-wg.reeselink.com
+fd00:fd41:d0f1:1010::3
+node2-wg.reeselink.com
+fd00:fd41:d0f1:1010::4
+node3-wg.reeselink.com
+fd00:fd41:d0f1:1010::5
+driveripper-wg.reeselink.com
+fd00:fd41:d0f1:1010::6
+unifi-external-wg.reeselink.com
+fd00:fd41:d0f1:1010::7
+nextcloud-aio-wg.reeselink.com
+fd00:fd41:d0f1:1010::8

dns/reeselink.json

@@ -299,6 +299,110 @@
                     }
                 ]
             }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "yellow-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::1"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "orange-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::2"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "node1-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::3"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "node2-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::4"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "node3-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::5"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "driveripper-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::6"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "unifi-external-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::7"
+                    }
+                ]
+            }
+        },
+        {
+            "Action": "UPSERT",
+            "ResourceRecordSet": {
+                "Name": "nextcloud-aio-wg.reeselink.com",
+                "Type": "AAAA",
+                "TTL": 300,
+                "ResourceRecords": [
+                    {
+                        "Value": "fd00:fd41:d0f1:1010::8"
+                    }
+                ]
+            }
         }
     ]
 }

gitea/gitea-values.yaml

@@ -60,7 +60,7 @@ service:
       metallb.universe.tf/allow-shared-ip: "production"
 
 redis-cluster:
-  enabled: true
+  enabled: false
   image:
     tag: 7.2
 

hosts/update_hosts.yaml

@@ -1,13 +0,0 @@
-- name: Update /etc/hosts
-  hosts: kubernetes
-  become: true
-  become_user: root
-  become_method: sudo
-  tasks:
-  - name: Copy /etc/hosts
-    ansible.builtin.copy:
-      src: ./hosts
-      dest: /etc/hosts
-      owner: root
-      group: root
-      mode: '0644'

k3s/hosts/README.md

@@ -5,5 +5,5 @@ Updates /etc/hosts on each kubernetes node with the correct IP for democratic-cs
 ## Update Hosts
 
 ```bash
-ansible-playbook -i ansible/inventory.yaml nodes/update_hosts.yaml
+ansible-playbook -i ansible/inventory.yaml k3s/hosts/update_hosts.yaml
 ```

k3s/hosts/hosts

@@ -1,3 +1,4 @@
 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
 ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
-172.20.0.1  democratic-csi-server.reeselink.com
+# 172.20.0.1  democratic-csi-server.reeselink.com
+fd00:fd41:d0f1:1010::6 democratic-csi-server.reeselink.com

k3s/hosts/update_hosts.yaml

@@ -0,0 +1,20 @@
+- name: Update /etc/hosts
+  hosts: kubernetes
+  become: true
+  become_user: root
+  become_method: sudo
+  tasks:
+  - name: Copy /etc/hosts
+    ansible.builtin.copy:
+      src: ./hosts
+      dest: /etc/hosts
+      owner: root
+      group: root
+      mode: '0644'
+  # - name: Add IP address of all hosts to /etc/hosts
+  #   lineinfile:
+  #     dest: /etc/hosts
+  #     regexp: '.*{{ item.value.address }}$'
+  #     line: "{{ item.value.address }} {{ item.value.hostname }}"
+  #     state: present
+  #   loop: "{{ ip | dict2items }}"

network/README.md

@@ -1,52 +0,0 @@
-# Network Management
-
-- [Network Management](#network-management)
-  - [Route53](#route53)
-  - [Reeselink Addresses](#reeselink-addresses)
-  - [Reeseapps Addresses](#reeseapps-addresses)
-
-## Route53
-
-```bash
-aws route53 list-hosted-zones
-
-# reeselink
-aws route53 change-resource-record-sets --hosted-zone-id Z0092652G7L97DSINN18 --change-batch file://
-
-# reeseapps
-aws route53 change-resource-record-sets --hosted-zone-id Z012820733346FJ0U4FUF --change-batch file://
-```
-
-## Reeselink Addresses
-
-These are convenience dns records so you don't have to remember every ip address. IPV6 and IPV4.
-
-```bash
-aws route53 change-resource-record-sets --hosted-zone-id Z0092652G7L97DSINN18 --change-batch file://network/reeselink.json
-```
-
-You can extract these addresses into a text file with:
-
-```bash
-# IPV6
-cat network/reeselink.json | \
-    jq -c -r '[ .Changes.[] |
-        select( .ResourceRecordSet.Type | . == "AAAA") ]
-        | .[]
-        | .ResourceRecordSet
-        | .Name,.ResourceRecords.[].Value' > network/ipv6.txt
-
-# IPV4
-cat network/reeselink.json | \
-    jq -c -r '[ .Changes.[] | 
-        select( .ResourceRecordSet.Type | . == "A") ] 
-        | .[]
-        | .ResourceRecordSet
-        | .Name,.ResourceRecords.[].Value' > network/ipv4.txt
-```
-
-## Reeseapps Addresses
-
-```bash
-aws route53 change-resource-record-sets --hosted-zone-id Z012820733346FJ0U4FUF --change-batch file://network/reeseapps.json
-```

nextcloud/README.md

@@ -45,8 +45,12 @@ node.session.auth.password = <password>
 ```
 
 ```bash
+# Discover targets
 iscsiadm -m discovery -t st -p driveripper.reeselink.com
-iscsiadm -m node --login
+# Login to the nextcloud-data target
+iscsiadm -m node -T iqn.2023-01.driveripper.reeselink.com:nextcloud-aio-data -l
+# Automatically login on startup
+iscsiadm -m node -T iqn.2023-01.driveripper.reeselink.com:nextcloud-aio-data -o update -n node.startup -v automatic
 ```
 
 ## Setup

wireguard/README.md

@@ -1,5 +1,9 @@
 # Wireguard
 
+## Install Wireguard
+
+<https://www.wireguard.com/install/>
+
 ## Ansible
 
 ```bash
@@ -8,70 +12,113 @@ ansible-playbook -i ansible/inventory.yaml wireguard/wireguard.yaml
 ansible-playbook -i ansible/inventory.yaml wireguard/peers.yaml
 ```
 
+## DNS Records
+
+Collect DNS records from vars.yaml
+
+```bash
+cat wireguard/vars.yaml | \
+    yq -r '.ip | map([.hostname + "-wg.reeselink.com", .address]).[].[]' > dns/duconet-wg.txt
+```
+
 ## CLI Setup
 
 ```bash
 # Peer 1
 wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
 
-ip link add dev wg0 type wireguard
+ip link add dev duconet-wg type wireguard
 
-ip address add dev wg0 10.10.10.1/24
+ip address add dev duconet-wg fd00:fd41:d0f1:1010::0/64
 
-wg set wg0 \
+wg set duconet-wg \
     listen-port 51821 \
     private-key /etc/wireguard/privatekey
 
-wg set wg0 \
+wg set duconet-wg \
     peer CQxNsdPgfzjvOszjn/UZHFdAY3k+D9J+vI8qKUjCYV0= \
     allowed-ips '10.10.10.0/24' \
     endpoint 10.1.200.253:51821
 
-ip link set up dev wg0
+ip link set up dev duconet-wg
-touch /etc/wireguard/wg0.conf
+touch /etc/wireguard/duconet-wg.conf
-wg-quick save wg0
+wg-quick save duconet-wg
 
 # Peer 2
 wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
 
-ip link add dev wg0 type wireguard
+ip link add dev duconet-wg type wireguard
 
-ip address add dev wg0 10.10.10.2/24
+ip address add dev duconet-wg 10.10.10.2/24
 
-wg set wg0 \
+wg set duconet-wg \
     listen-port 51821 \
     private-key /etc/wireguard/privatekey \
     peer kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw= \
     allowed-ips '10.10.10.0/24' \
     endpoint 10.1.203.197:51821
 
-ip link set up dev wg0
+ip link set up dev duconet-wg
-touch /etc/wireguard/wg0.conf
+touch /etc/wireguard/duconet-wg.conf
-wg-quick save wg0
+wg-quick save duconet-wg
 
 # Peer 3
 wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
 
-ip link add dev wg0 type wireguard
+ip link add dev duconet-wg type wireguard
 
-ip address add dev wg0 10.10.10.3/24
+ip address add dev duconet-wg 10.10.10.3/24
 
-wg set wg0 \
+wg set duconet-wg \
     listen-port 51821 \
     private-key /etc/wireguard/privatekey \
     peer kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw= \
     allowed-ips '10.10.10.0/24' \
     endpoint 10.1.203.197:51821
 
-wg set wg0 \
+wg set duconet-wg \
     peer 9/dBUlO9TGf0H9M3xwPiuIuz6Q/u7fSJVZaUxqAiqi8= \
     allowed-ips '10.10.10.0/24' \
     endpoint 10.1.2.10:51821
 
-ip link set up dev wg0
+ip link set up dev duconet-wg
-touch /etc/wireguard/wg0.conf
+touch /etc/wireguard/duconet-wg.conf
-wg-quick save wg0
+wg-quick save duconet-wg
-
+```
-# teardown
+
-ip link delete wg0
+## Teardown
+
+```bash
+# teardown
+ip link delete duconet-wg
+systemctl disable wg-quick@duconet-wg
+```
+
+## Truenas
+
+Because truenas's /etc/wireguard is ephemeral we need to create scripts to save and load
+our wireguard config at shutdown/boot.
+
+Select these scripts in system settings -> advanced -> init/shutdown scripts
+
+Startup Script:
+
+/mnt/enc1/truenas/wireguard/duconet-save.sh
+
+```bash
+#!/bin/bash
+
+cp -a /mnt/enc1/truenas/wireguard/* /etc/wireguard/
+wg-quick up duconet-wg
+```
+
+Shutdown Script:
+
+/mnt/enc1/truenas/wireguard/duconet-load.sh
+
+```bash
+#!/bin/bash
+
+wg-quick save duconet-wg
+cp -a /etc/wireguard/* /mnt/enc1/truenas/wireguard/
 ```

wireguard/interface.yaml

@@ -2,37 +2,39 @@
   hosts: 
     - colors
     - kubernetes
-    - localhost
     - truenas
+    - nextcloud-aio
+    - unifi-external
   become: true
   become_user: root
   become_method: sudo
   vars_files:
     - vars.yaml
   tasks:
-  - name: Delete wg0 link
+  - name: Check if duconet-wg exists
-    shell: ip link del wg0
+    shell: ip link show duconet-wg
-    ignore_errors: yes
+    register: link_check
-  - name: Add wg0 link
-    shell: ip link add dev wg0 type wireguard
-    ignore_errors: yes
-  - name: Add wg0 addresses
-    shell: "ip address add dev wg0 {{ ip[inventory_hostname].address }}/64"
     ignore_errors: yes
+  - name: Add duconet-wg link
+    shell: ip link add dev duconet-wg type wireguard
+    when: link_check.rc != 0
+  - name: Add duconet-wg addresses
+    shell: "ip address add dev duconet-wg {{ ip[inventory_hostname].address }}/64"
+    when: link_check.rc != 0
   - name: wg set port/key
     shell: >
-      wg set wg0
+      wg set duconet-wg
       listen-port {{ wireguard.listen_port }}
       private-key /etc/wireguard/privatekey
   - name: Set link up
-    shell: ip link set up dev wg0
+    shell: ip link set up dev duconet-wg
-  - name: Touch wg0.conf
+  - name: Touch duconet-wg.conf
     ansible.builtin.file:
-      path: /etc/wireguard/wg0.conf
+      path: /etc/wireguard/duconet-wg.conf
       state: touch
   - name: save wg config
-    shell: wg-quick save wg0
+    shell: wg-quick save duconet-wg
-  - name: Enable wg-quick@wg0
+  - name: Enable wg-quick@duconet-wg
     ansible.builtin.systemd_service:
-      name: wg-quick@wg0
+      name: wg-quick@duconet-wg
       enabled: true

wireguard/keys.yaml

@@ -2,7 +2,9 @@
   hosts:
     - colors
     - kubernetes
-    - localhost
+    - truenas
+    - nextcloud-aio
+    - unifi-external
   become: true
   become_user: root
   become_method: sudo
@@ -17,7 +19,7 @@
     register: key
   - name: Generate pubkey and privatekey
     shell: wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
-    when: not key.stat.exists
+    when: not key.stat.exists or key.stat.size == 0
   - name: cat pubkey
     command: cat /etc/wireguard/publickey
     register: pubkey

wireguard/peers.yaml

@@ -2,8 +2,9 @@
   hosts: 
     - colors
     - kubernetes
-    - localhost
     - truenas
+    - nextcloud-aio
+    - unifi-external
   become: true
   become_user: root
   become_method: sudo
@@ -12,7 +13,7 @@
   tasks:
   - name: wg set peers
     shell: >
-      wg set wg0
+      wg set duconet-wg
       peer {{ item.public_key }}
       allowed-ips '{{ ip[item.name].address }}'
       {% if item.endpoint %}
@@ -20,11 +21,4 @@
       {% endif %}
     loop: "{{ peers }}"
   - name: save wg config
-    shell: wg-quick save wg0
+    shell: wg-quick save duconet-wg
-  - name: Add IP address of all hosts to /etc/hosts
-    lineinfile:
-      dest: /etc/hosts
-      regexp: '.*{{ item.value.address }}$'
-      line: "{{ item.value.address }} {{ item.value.hostname }}"
-      state: present
-    loop: "{{ ip | dict2items }}"

wireguard/vars.yaml

@@ -1,6 +1,7 @@
 wireguard:
   listen_port: 51821
   allowed_ips: fd00:fd41:d0f1:1010::0/64
+  interface: duconet-wg
 peers:
   - name: yellow
     public_key: kzbHUGzYk6Uyan/NFYY5mh3pxf2IX/WzWZtImeyp6Sw=
@@ -18,11 +19,14 @@ peers:
     public_key: BwLY8W9nUCpF2xpLlvbkPkwQDV1Kqe+afCINXjEhQnY=
     endpoint: node3.reeselink.com:51821
   - name: driveripper
-    public_key: 9/dBUlO9TGf0H9M3xwPiuIuz6Q/u7fSJVZaUxqAiqi8=
+    public_key: o7alrWFIMHZyeMNJDotj7Aa8ggAZ3xxcMehVnjCJjmA=
     endpoint: driveripper.reeselink.com:51821
-  - name: localhost
+  - name: unifi-external
-    public_key: kZVVQ9gIoUb5Uo9DnlCduyLzuH7puc+hGQwvPRV4QQM=
+    public_key: UdbGYnVoxv9J7iv98EJ5hRfjlvPvHENsUqNJQADRHQI=
-    endpoint: ""
+    endpoint: unifi-external.reeselink.com:51821
+  - name: nextcloud-aio
+    public_key: G4L1WGm9nIwaw2p6oZqT4W7+ekoziCePrjI8AFwXHTw=
+    endpoint: nextcloud-aio.reeselink.com:51821
 ip:
   yellow: 
     address: fd00:fd41:d0f1:1010::1
@@ -42,6 +46,9 @@ ip:
   driveripper:
     address: fd00:fd41:d0f1:1010::6
     hostname: driveripper
-  localhost:
+  unifi-external:
     address: fd00:fd41:d0f1:1010::7
-    hostname: reesework
+    hostname: unifi-external
+  nextcloud-aio:
+    address: fd00:fd41:d0f1:1010::8
+    hostname: nextcloud-aio