-rw-r--r-- | inventory.ini.sample | 4 | ||||
-rw-r--r-- | roles/configure_iptables/templates/ip6tables.rules | 26 | ||||
-rw-r--r-- | roles/configure_iptables/templates/iptables.rules | 9 | ||||
-rw-r--r-- | roles/install_babeld/templates/babeld.conf.j2 | 12 | ||||
-rw-r--r-- | roles/install_wireguard_backbone/tasks/fastd_tasks.yml | 12 | ||||
-rw-r--r-- | roles/install_wireguard_backbone/tasks/main.yml | 8 | ||||
-rw-r--r-- | roles/install_wireguard_backbone/tasks/mullvad_uplink_tasks.yml | 29 | ||||
-rw-r--r-- | roles/install_wireguard_backbone/tasks/uplink_tasks.yml (renamed from roles/install_wireguard_backbone/tasks/ffrl_uplink_tasks.yml) | 0 | ||||
-rw-r--r-- | setup_fastd.yml | 28 |
9 files changed, 27 insertions, 101 deletions
diff --git a/inventory.ini.sample b/inventory.ini.sample
index d976da5..c54a6b3 100644
--- a/inventory.ini.sample
+++ b/inventory.ini.sample
@@ -10,6 +10,10 @@ ff-uplink2
 [ffrl_uplink]
 ff-uplink1
+[uplink:children]
+mullvad_uplink
+ffrl_uplink
+
 [all:vars]
 hetzner_webservice_username=<hetzner_webservice_username>
 hetzner_webservice_password=<hetzner_webservice_password>
diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules
index 78d76c7..dd2d1f2 100644
--- a/roles/configure_iptables/templates/ip6tables.rules
+++ b/roles/configure_iptables/templates/ip6tables.rules
@@ -11,19 +11,11 @@
 {% endif %}
 {% if 'fastd' in group_names %}
-{% for peer in groups['ffrl_uplink'] %}
--A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
-{% endfor %}
-{% for peer in groups['mullvad_uplink'] %}
--A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
-{% endfor %}
-{% endif %}
-{% if 'mullvad_uplink' in group_names %}
-{% for peer in groups['fastd'] %}
+{% for peer in groups['uplink'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
 {% endif %}
-{% if 'ffrl_uplink' in group_names %}
+{% if 'uplink' in group_names %}
 {% for peer in groups['fastd'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} ! -s fe80::/64 ! -d fe80::/64 -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
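Review bot: `{% for peer in groups['uplink'] %}` makes rendering this firewall template on every fastd host depend on an `uplink` group being present in the inventory, and `[uplink:children]` is added in this commit only to inventory.ini.sample, so a real inventory that is not updated fails with an undefined `groups['uplink']` on the fastd side, while on the uplink side `'uplink' in group_names` is simply false and the MARK and ACCEPT rules for the fastd peers are never emitted. The same new dependency appears in the INPUT hunk of ip6tables.rules, in the iptables.rules and babeld.conf.j2 hunks, in the four fastd_tasks.yml hunks and in main.yml. I would keep the hard failure rather than soften it with `| default([])`, because an empty loop here silently leaves the backbone without its rules, but the requirement should be stated where the next operator will see it, e.g. a template header `{# backbone peers come from the 'uplink' group (children: mullvad_uplink, ffrl_uplink); see inventory.ini.sample #}` plus a matching line in the sample inventory.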
@@ -56,22 +48,12 @@ COMMIT
 {% endif %}
 # wireguard_backbone
 {% if 'fastd' in group_names %}
-{% for peer in groups['ffrl_uplink'] %}
--A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
--A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
-{% endfor %}
-{% for peer in groups['mullvad_uplink'] %}
--A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
--A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
-{% endfor %}
-{% endif %}
-{% if 'mullvad_uplink' in group_names %}
-{% for peer in groups['fastd'] %}
+{% for peer in groups['uplink'] %}
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
 {% endfor %}
 {% endif %}
-{% if 'ffrl_uplink' in group_names %}
+{% if 'uplink' in group_names %}
 {% for peer in groups['fastd'] %}
 -A INPUT -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -p udp --dport 6696 -j ACCEPT
 -A INPUT -p udp --dport {{ hostvars[peer]['wireguard_bb_port'] }} -j ACCEPT
diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules
index 5b5410d..d832362 100644
--- a/roles/configure_iptables/templates/iptables.rules
+++ b/roles/configure_iptables/templates/iptables.rules
@@ -11,16 +11,11 @@
 {% endif %}
 {% if 'fastd' in group_names %}
-{% for peer in groups['ffrl_uplink'] %}
+{% for peer in groups['uplink'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
 {% endif %}
-{% if 'mullvad_uplink' in group_names %}
-{% for peer in groups['fastd'] %}
--A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
-{% endfor %}
-{% endif %}
-{% if 'ffrl_uplink' in group_names %}
+{% if 'uplink' in group_names %}
 {% for peer in groups['fastd'] %}
 -A PREROUTING -i bb{{ hostvars[peer]['wireguard_bb_name'] }} -j MARK --set-xmark 0x1/0xffffffff
 {% endfor %}
diff --git a/roles/install_babeld/templates/babeld.conf.j2 b/roles/install_babeld/templates/babeld.conf.j2
index 7b436da..47a4d3e 100644
--- a/roles/install_babeld/templates/babeld.conf.j2
+++ b/roles/install_babeld/templates/babeld.conf.j2
@@ -6,19 +6,11 @@ ipv6-subtrees true # You must provide at least one interface for babeld to operate on.
 {% if 'fastd' in group_names %}
-{% for peer in groups['ffrl_uplink'] %}
-interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
-{% endfor %}
-{% for peer in groups['mullvad_uplink'] %}
-interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
-{% endfor %}
-{% endif %}
-{% if 'mullvad_uplink' in group_names %}
-{% for peer in groups['fastd'] %}
+{% for peer in groups['uplink'] %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
 {% endif %}
-{% if 'ffrl_uplink' in group_names %}
+{% if 'uplink' in group_names %}
 {% for peer in groups['fastd'] %}
 interface bb{{ hostvars[peer]['wireguard_bb_name'] }}
 {% endfor %}
diff --git a/roles/install_wireguard_backbone/tasks/fastd_tasks.yml b/roles/install_wireguard_backbone/tasks/fastd_tasks.yml
index 36a61d7..d1d9974 100644
--- a/roles/install_wireguard_backbone/tasks/fastd_tasks.yml
+++ b/roles/install_wireguard_backbone/tasks/fastd_tasks.yml
@@ -5,8 +5,7 @@
 dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
 mode: 0400
 with_items:
- - "{{ groups['mullvad_uplink'] }}"
- - "{{ groups['ffrl_uplink'] }}"
+ - "{{ groups['uplink'] }}"
 - name: create wireguard up scripts for peers
 template:
@@ -14,8 +13,7 @@
 dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
 mode: 0744
 with_items:
- - "{{ groups['mullvad_uplink'] }}"
- - "{{ groups['ffrl_uplink'] }}"
+ - "{{ groups['uplink'] }}"
 - name: create wireguard down scripts for peers
 template:
@@ -23,8 +21,7 @@
 dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
 mode: 0744
 with_items:
- - "{{ groups['mullvad_uplink'] }}"
- - "{{ groups['ffrl_uplink'] }}"
+ - "{{ groups['uplink'] }}"
 - name: start and enable wireguard mesh
 systemd:
@@ -33,5 +30,4 @@
 state: started
 daemon_reload: yes
 with_items:
- - "{{ groups['mullvad_uplink'] }}"
- - "{{ groups['ffrl_uplink'] }}"
+ - "{{ groups['uplink'] }}"
diff --git a/roles/install_wireguard_backbone/tasks/main.yml b/roles/install_wireguard_backbone/tasks/main.yml
index 8f9ca5a..9ccfe05 100644
--- a/roles/install_wireguard_backbone/tasks/main.yml
+++ b/roles/install_wireguard_backbone/tasks/main.yml
@@ -7,9 +7,5 @@
 - include_tasks: fastd_tasks.yml
 when: "'fastd' in group_names"
-- include_tasks: mullvad_uplink_tasks.yml
- when: "'mullvad_uplink' in group_names"
-
-- include_tasks: ffrl_uplink_tasks.yml
- when: "'ffrl_uplink' in group_names"
-
+- include_tasks: uplink_tasks.yml
+ when: "'uplink' in group_names"
diff --git a/roles/install_wireguard_backbone/tasks/mullvad_uplink_tasks.yml b/roles/install_wireguard_backbone/tasks/mullvad_uplink_tasks.yml
deleted file mode 100644
index d894758..0000000
--- a/roles/install_wireguard_backbone/tasks/mullvad_uplink_tasks.yml
+++ /dev/null
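Review bot: `with_items:` now carries a one-element list whose single item is itself the list `"{{ groups['uplink'] }}"`, a leftover of the two-group version that only works because with_items flattens one level. The sibling uplink_tasks.yml (the kept ffrl_uplink_tasks.yml, same blob d894758 as the deleted mullvad file) writes the equivalent as `with_items: "{{ groups['fastd'] }}"`; using that form here, `with_items: "{{ groups['uplink'] }}"`, in this hunk and in the three that follow (up scripts, down scripts, systemd) keeps the two task files parallel and removes the nested-list indirection.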
@@ -1,29 +0,0 @@
----
-- name: create wireguard config for peers
- template:
- src: wg.conf.j2
- dest: /etc/wireguard/wgbb{{ hostvars[item]['wireguard_bb_name'] }}.conf
- mode: 0400
- with_items: "{{ groups['fastd'] }}"
-
-- name: create wireguard up scripts for peers
- template:
- src: up.sh.j2
- dest: /etc/wireguard/upbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
- mode: 0744
- with_items: "{{ groups['fastd'] }}"
-
-- name: create wireguard down scripts for peers
- template:
- src: down.sh.j2
- dest: /etc/wireguard/downbb{{ hostvars[item]['wireguard_bb_name'] }}.sh
- mode: 0744
- with_items: "{{ groups['fastd'] }}"
-
-- name: start and enable wireguard mesh
- systemd:
- name: wgbackbone@{{ hostvars[item]['wireguard_bb_name'] }}.service
- enabled: yes
- state: started
- daemon_reload: yes
- with_items: "{{ groups['fastd'] }}"
diff --git a/roles/install_wireguard_backbone/tasks/ffrl_uplink_tasks.yml b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml
index d894758..d894758 100644
--- a/roles/install_wireguard_backbone/tasks/ffrl_uplink_tasks.yml
+++ b/roles/install_wireguard_backbone/tasks/uplink_tasks.yml
diff --git a/setup_fastd.yml b/setup_fastd.yml
index a47f63f..23a23d1 100644
--- a/setup_fastd.yml
+++ b/setup_fastd.yml
@@ -19,15 +19,15 @@
 - install_radvd
 - install_bind
 - install_wireguard
- #- install_wireguard_mesh
+ - install_wireguard_mesh
 - install_wireguard_backbone
 - install_babeld
 - install_fastd
 #- install_monitoring
 - update_ssh_keys
 - install_admin_packages
-- name: install openvpn uplink
- hosts: mullvad_uplink
+- name: basic uplink config
+ hosts: uplink
 user: root
 roles:
 - configure_journald
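Review bot: `#- install_wireguard_mesh` becomes `- install_wireguard_mesh` in the setup_fastd.yml hunk, which turns on a previously disabled role for every fastd host and has nothing to do with the uplink-group consolidation the rest of the commit performs. If that is intended it deserves its own commit, or at least a sentence in the message saying why the mesh role is now wanted on fastd hosts; if it was switched on during local testing it should be reverted before merge. Nothing in the diff shows what install_wireguard_mesh does, so I cannot judge its effect beyond noting that it changes what every fastd host runs.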
@@ -42,26 +42,16 @@
 - install_wireguard
 - install_wireguard_backbone
 - install_babeld
- - install_openvpn
+ #- install_monitoring
 - update_ssh_keys
 - install_admin_packages
+- name: install openvpn uplink
+ hosts: mullvad_uplink
+ user: root
+ roles:
+ - install_openvpn
 - name: setup ffrl
 hosts: ffrl_uplink
 user: root
 roles:
- - configure_journald
- - configure_sysctl
- - configure_iptables
- - configure_static_routes
- - install_cronie
- #- install_php
- #- install_nginx
- - install_ntp
- - install_haveged
- - install_wireguard
- - install_wireguard_backbone
- - install_babeld
 - setup_ffrl_tunnel
- #- install_monitoring
- - update_ssh_keys
- - install_admin_packages
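Review bot: `+ #- install_monitoring` adds a commented-out role entry to the `basic uplink config` play, i.e. dead configuration copied from the fastd play rather than a decision taken for the uplink hosts. Either drop the line or keep it with a short note on why monitoring is not yet deployed on uplinks, e.g. `#- install_monitoring  # not yet deployed on uplinks`. The same pattern already exists in the fastd play, so if it stays it should at least be consistent across both.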