| author | alex <alex@pdp7.net> | 2025-12-20 22:07:20 +0100 |
|---|---|---|
| committer | alexpdp7 <alex@corcoles.net> | 2025-12-20 21:08:30 +0000 |
| commit | 5a24fd7d873ec37ec85e6a74f8caabdf18e02f79 (patch) | |
| tree | aa6dfe0d570a3ff5400d2be7a708780b075d089d /personal_infra | |
| parent | ca18caa3dd75790cf5c90868520172edef577b38 (diff) | |
Replace tinc with wireguard
Closes #693
Diffstat (limited to 'personal_infra')
| -rw-r--r-- | personal_infra/playbooks/setup_wireguard.yaml | 48 | ||||
| -rw-r--r-- | personal_infra/puppet/modules/tinc/manifests/init.pp | 4 |
2 files changed, 50 insertions, 2 deletions
diff --git a/personal_infra/playbooks/setup_wireguard.yaml b/personal_infra/playbooks/setup_wireguard.yaml
new file mode 100644
index 00000000..20b26f6f
--- /dev/null
+++ b/personal_infra/playbooks/setup_wireguard.yaml
@@ -0,0 +1,48 @@
+---
+- hosts: tinc
+  tasks:
+  - name: install wireguard
+    package:
+      name: wireguard-tools
+  - name: install iptables
+    package:
+      name: iptables
+  - name: generate keypair
+    shell:
+      cmd: umask 0077 && wg genkey | tee privatekey | wg pubkey > publickey
+      chdir: /etc/wireguard
+      creates: /etc/wireguard/publickey
+  - name: fetch public keys
+    fetch:
+      src: /etc/wireguard/publickey
+      dest: /tmp/wireguard-publickeys
+  - name: slurp private keys
+    slurp:
+      src: /etc/wireguard/privatekey
+    register: privatekey
+  - name: configure
+    copy:
+      content: |
+        [Interface]
+        Address = {{ network.self_internal_ip }}/24
+        SaveConfig = true
+        PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+        PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+        ListenPort = 51820
+        PrivateKey = {{ privatekey['content'] | b64decode }}
+
+        {% for host in groups['tinc'] %}
+        {% if host != inventory_hostname %}
+        [Peer]
+        PublicKey = {{ lookup('file', '/tmp/wireguard-publickeys/{}/etc/wireguard/publickey'.format(host)) }}
+        AllowedIPs = {{ hostvars[host].network.self_internal_network }}
+        Endpoint = {{ hostvars[host].network.public_hostname }}:51820
+
+        {% endif %}
+        {% endfor %}
+      dest: /etc/wireguard/wg0.conf
+  - name: enable wireguard
+    service:
+      name: wg-quick@wg0
+      state: restarted
+      enabled: yes
diff --git a/personal_infra/puppet/modules/tinc/manifests/init.pp b/personal_infra/puppet/modules/tinc/manifests/init.pp
index ed5b5d9a..ee92d6df 100644
--- a/personal_infra/puppet/modules/tinc/manifests/init.pp
+++ b/personal_infra/puppet/modules/tinc/manifests/init.pp
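Review bot: The `configure` task writes the decoded `PrivateKey` into `/etc/wireguard/wg0.conf` through `copy:` without a `mode:`, so the file gets the default mode and the private key can end up readable by every local user even though `generate keypair` deliberately created it under `umask 0077`; add `mode: "0600"` (plus `owner: root` and `group: root`) to the `copy` task. The `slurp private keys` task also places the base64 key in its registered result, which Ansible prints in verbose runs unless the task carries `no_log: true`. Separately, `SaveConfig = true` tells wg-quick to rewrite wg0.conf on interface shutdown, so each playbook run will see a changed file and restart the tunnel, and any runtime changes are silently overwritten; with an Ansible-managed config this line is usually dropped. The `-o eth0` in PostUp/PostDown is hard-coded while the addresses come from `network.*` host vars, so either a per-host interface variable alongside `network.self_internal_ip` or a comment stating the eth0 assumption would help.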
@@ -42,8 +42,8 @@ cat /etc/ansible/tinc/public_${location['address']}.pem >>/etc/tinc/${tinc_name} } service {"tinc@${tinc_name}": - ensure => running, - enable => true, + ensure => stopped, + enable => false, } if($facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '9') { |
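Review bot: Switching the service to `ensure => stopped` / `enable => false` leaves the rest of the tinc class in effect, so the files written under /etc/tinc just above this hunk (and presumably the package) stay on every node while the commit message says tinc is replaced. If this is a deliberate transition step, record it on the service resource, e.g. `# tinc is kept installed but stopped until wireguard (setup_wireguard.yaml) is verified on all hosts; remove this module afterwards`; otherwise the whole class should go rather than only the service being stopped. The enclosing class starts and ends outside the hunk.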
