Merge remote-tracking branch 'upstream/master'
This commit is contained in:
Frédéric Bourqui
commit
afe872e138
20
CHANGELOG.md
20
CHANGELOG.md
|
|
@ -1,6 +1,26 @@
|
|||
Changelog
|
||||
---------
|
||||
|
||||
**3.2.2**
|
||||
|
||||
- remove unneeded `with_inventory_hostnames` loops (thanks to pierreozoux for initial PR)
|
||||
|
||||
**3.2.1**
|
||||
|
||||
- remove unecessary files (contribution by pierreozoux)
|
||||
|
||||
**3.2.0**
|
||||
|
||||
- add support for RHEL/CentOS (contribution by ahanselka)
|
||||
|
||||
**3.1.0**
|
||||
|
||||
- pass package list directly to some modules by using the new and prefered syntax instead `loop` or `with_items` (contribution by ahanselka)
|
||||
|
||||
**3.0.1**
|
||||
|
||||
- fix address in README
|
||||
|
||||
**3.0.0**
|
||||
|
||||
- support for Debian added (contribution by ties)
|
||||
|
|
|
|||
|
|
@ -100,7 +100,7 @@ wireguard_postdown: "..."
|
|||
wireguard_save_config: "true"
|
||||
```
|
||||
|
||||
`wireguard_address` is required as already mentioned. It's the IP of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs a unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries, for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.3.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s).
|
||||
`wireguard_address` is required as already mentioned. It's the IP of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs a unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s).
|
||||
|
||||
Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already) mentioned I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.
|
||||
|
||||
|
|
|
|||
|
|
@ -11,6 +11,9 @@ galaxy_info:
|
|||
- name: Debian
|
||||
versions:
|
||||
- stretch
|
||||
- name: EL
|
||||
versions:
|
||||
- 7
|
||||
galaxy_tags:
|
||||
- networking
|
||||
- security
|
||||
|
|
|
|||
|
|
@ -6,9 +6,10 @@
|
|||
|
||||
- name: Install WireGuard
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
name: "{{ packages }}"
|
||||
state: present
|
||||
with_items:
|
||||
vars:
|
||||
packages:
|
||||
- wireguard-dkms
|
||||
- wireguard-tools
|
||||
tags:
|
||||
|
|
@ -66,8 +67,6 @@
|
|||
- name: Generate WireGuard private key
|
||||
shell: "wg genkey"
|
||||
register: wg_private_key_result
|
||||
with_inventory_hostnames:
|
||||
- vpn
|
||||
when: not private_key_file_stat.stat.exists
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
|
|
@ -75,7 +74,7 @@
|
|||
|
||||
- name: Set private key fact
|
||||
set_fact:
|
||||
wg_private_key: "{{ wg_private_key_result.results[0].stdout }}"
|
||||
wg_private_key: "{{ wg_private_key_result.stdout }}"
|
||||
when: not private_key_file_stat.stat.exists
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
|
|
@ -84,14 +83,12 @@
|
|||
shell: "echo '{{ wg_private_key }}' | wg pubkey"
|
||||
register: wg_public_key_result
|
||||
when: not private_key_file_stat.stat.exists
|
||||
with_inventory_hostnames:
|
||||
- vpn
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
|
||||
- name: Set public key fact
|
||||
set_fact:
|
||||
wg_public_key: "{{ wg_public_key_result.results[0].stdout }}"
|
||||
wg_public_key: "{{ wg_public_key_result.stdout }}"
|
||||
when: not private_key_file_stat.stat.exists
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
|
|
|
|||
|
|
@ -1,10 +1,11 @@
|
|||
---
|
||||
- name: Install required packages
|
||||
pacman:
|
||||
name: "{{ item }}"
|
||||
name: "{{ packages }}"
|
||||
state: present
|
||||
become: yes
|
||||
with_items:
|
||||
- linux-headers
|
||||
vars:
|
||||
packages:
|
||||
- linux-headers
|
||||
tags:
|
||||
- wg-install
|
||||
|
|
|
|||
|
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
|
||||
- name: Add WireGuard repository
|
||||
get_url:
|
||||
url: https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
|
||||
dest: /etc/yum.repos.d/wireguard.repo
|
||||
|
||||
- name: Install EPEL repository
|
||||
yum:
|
||||
name: epel-release
|
||||
update_cache: yes
|
||||
|
|
@ -8,9 +8,10 @@
|
|||
|
||||
- name: Install required packages
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
name: "{{ packages }}"
|
||||
state: present
|
||||
with_items:
|
||||
vars:
|
||||
packages:
|
||||
- software-properties-common
|
||||
- linux-headers-{{ ansible_kernel }}
|
||||
tags:
|
||||
|
|
|
|||
|
|
@ -1,2 +0,0 @@
|
|||
localhost
|
||||
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
---
|
||||
- hosts: localhost
|
||||
remote_user: root
|
||||
roles:
|
||||
- .
|
||||
|
|
@ -1 +0,0 @@
|
|||
---
|
||||
Reference in New Issue