From e527d3fd8a442493197f750542e6748ac76fc09a Mon Sep 17 00:00:00 2001
From: KemoNine
Date: Tue, 4 Aug 2020 05:37:36 +0000
Subject: [PATCH] Initial ansible attempts

---
 ansible/README.md            | 7 +++++++
 ansible/deploy-controller.sh | 6 ++++++
 ansible/inventory-wireguard  | 31 +++++++++++++++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 ansible/README.md
 create mode 100644 ansible/deploy-controller.sh
 create mode 100644 ansible/inventory-wireguard

diff --git a/ansible/README.md b/ansible/README.md
new file mode 100644
index 0000000..fb984f9
--- /dev/null
+++ b/ansible/README.md
@@ -0,0 +1,7 @@
+# Ansible
+
+Some basic Ansible 'stuff' for managing PiFrames.
+
+This is very much WIP and nothing in this directory should **NOT** be used unless you plan on submitting patches / fixes / etc.
+
+For now the goal of this code is to get a basic WireGuard deployment going for the PiFrameFleet area of the project.
diff --git a/ansible/deploy-controller.sh b/ansible/deploy-controller.sh
new file mode 100644
index 0000000..38c1078
--- /dev/null
+++ b/ansible/deploy-controller.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/
+# https://github.com/githubixx/ansible-role-wireguard
+
+TAGS_SKIP=wg_install ansible -i inventory-wireguard -m include_role -a name=githubixx.ansible_role_wireguard wg --limit controller --check
diff --git a/ansible/inventory-wireguard b/ansible/inventory-wireguard
new file mode 100644
index 0000000..1253b19
--- /dev/null
+++ b/ansible/inventory-wireguard
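Review bot: `TAGS_SKIP=wg_install` on the last line of deploy-controller.sh is set as a shell environment variable, but to my knowledge Ansible does not read a variable by that name — `TAGS_SKIP` is the config-setting name, whose environment form is `ANSIBLE_SKIP_TAGS` — so as written the `wg_install` tag is most likely not skipped and the role's install steps still run. Passing the option on the command line is the unambiguous form: `ansible -i inventory-wireguard -m include_role -a name=githubixx.ansible_role_wireguard wg --limit controller --skip-tags wg_install --check`. The inventory path is relative, so the script only works when invoked from inside `ansible/`; a `cd "$(dirname "$0")"` before the command (and `set -euo pipefail` after the shebang) would make that requirement explicit and fail loudly instead of running against no inventory. `--check` keeps this a dry run, consistent with the README's WIP status, which is worth stating in a comment so nobody assumes the script deploys anything yet.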
@@ -0,0 +1,31 @@
+---
+wg:
+  hosts:
+    frame1:
+      ansible_host: 10.5.5.100
+      wireguard_address: 192.168.254.11/32
+    frame2:
+      ansible_host: 10.5.5.101
+      wireguard_address: 192.168.254.11/32
+    controller:
+      ansible_connection: local
+      wireguard_address: 192.168.254.1/32
+      wireguard_endpoint: ""
+      wireguard_postup:
+        - ip route add 192.168.254.0/24 via 192.168.254.1 dev wg0
+        - iptables -t nat -A PREROUTING -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
+        - iptables -A FORWARD -i wg0 -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
+        - iptables -A FORWARD -i wg0 -s 192.168.254.0/24 -d 0.0.0.0/0 -j DROP
+        - iptables -A INPUT -i wg0 -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
+        - iptables -A INPUT -i wg0 -s 192.168.254.0/24 -d 0.0.0.0/0 -j DROP
+      wireguard_postdown:
+        - ip route del 192.168.254.0/24 via 192.168.254.1 dev wg0
+        - iptables -D -t nat -A PREROUTING -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
+        - iptables -D -A FORWARD -i wg0 -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
+        - iptables -D -A FORWARD -i wg0 -s 192.168.254.0/24 -d 0.0.0.0/0 -j DROP
+        - iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
+        - iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 0.0.0.0/0 -j DROP
+  vars:
+    wireguard_allowed_ips: "172.16.8.10/24"
+    wireguard_endpoint: piframefleet.domain.tld
+    wireguard_persistent_keepalive: 30
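Review bot: Every iptables entry under `controller.wireguard_postdown` combines `-D` with `-A` (`iptables -D -t nat -A PREROUTING …`, `iptables -D -A FORWARD …`), which iptables rejects as two conflicting commands, so the teardown hooks fail and the ACCEPT/DROP rules appended by `wireguard_postup` presumably stay in the chains after the interface goes down and get appended again on every restart; each teardown line should be the matching postup line with `-A` replaced by `-D`, as in the fence below. `frame2` also reuses `wireguard_address: 192.168.254.11/32`, the same tunnel address as `frame1`, which looks like a copy-paste slip — presumably `wireguard_address: 192.168.254.12/32` was intended, since two peers with one address cannot both be reached. The group-level `wireguard_allowed_ips: "172.16.8.10/24"` does not overlap the 192.168.254.0/24 range that the routes and filter rules are written for, so it is worth confirming it is deliberate rather than a leftover from the linked example.

```yaml
      wireguard_postdown:
        - ip route del 192.168.254.0/24 via 192.168.254.1 dev wg0
        - iptables -t nat -D PREROUTING -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
        - iptables -D FORWARD -i wg0 -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
        - iptables -D FORWARD -i wg0 -s 192.168.254.0/24 -d 0.0.0.0/0 -j DROP
        - iptables -D INPUT -i wg0 -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT
        - iptables -D INPUT -i wg0 -s 192.168.254.0/24 -d 0.0.0.0/0 -j DROP
# … unchanged: hosts/frame entries, postup list and vars …
```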