infra-ansible

ansible script to ship alpine/ssh/wireguard

git clone https://9o.is/git/infra-ansible.git

commit a01c4a9095e27adfe82a91b8fe5bc508ba1461cc
parent 1734a0364217ee7b69ac0606ed5d3b6286dc9805
Author: Jul <jul@9o.is>
Date:   Tue, 21 May 2024 17:31:44 +0800

set up server01 local testing environment

Diffstat:
Mhost/ansible.cfg | 2+-
Ahost/env/000_cross_env_vars | 3+++
Ahost/env/prod/group_vars/all/000_cross_env_vars | 2++
Ahost/env/prod/group_vars/all/env_specific | 12++++++++++++
Ahost/env/prod/host_vars/server01.qh.is | 20++++++++++++++++++++
Rhost/inventory.ini -> host/env/prod/hosts | 0
Ahost/env/test/group_vars/all/000_cross_env_vars | 2++
Ahost/env/test/group_vars/all/env_specific | 12++++++++++++
Ahost/env/test/host_vars/server01.local | 20++++++++++++++++++++
Ahost/env/test/hosts | 2++
Dhost/group_vars/all | 13-------------
Dhost/host_vars/server01.qh.is | 20--------------------
Mhost/roles/openssh/tasks/user.yml | 2+-
Mhost/roles/wireguard/handlers/main.yml | 2+-
Mhost/roles/wireguard/tasks/client.yml | 46++++++++++++++++++++--------------------------
Mhost/roles/wireguard/tasks/main.yml | 5-----
Mhost/roles/wireguard/tasks/server.yml | 5+++++
17 files changed, 101 insertions(+), 67 deletions(-)

diff --git a/host/ansible.cfg b/host/ansible.cfg
@@ -1,5 +1,5 @@
 [defaults]
-inventory = inventory.ini
+inventory = ./env/test
 vault_password_file = contrib/vault-password.sh
 [diff]
diff --git a/host/env/000_cross_env_vars b/host/env/000_cross_env_vars
@@ -0,0 +1,3 @@
+wireguard_port: 62620
+ssh_authorized_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4zNrHVit/S7gU3qW2IbSP8jtUpGSP3tb+z/PBSXD66 jul@9o.is
+
diff --git a/host/env/prod/group_vars/all/000_cross_env_vars b/host/env/prod/group_vars/all/000_cross_env_vars
@@ -0,0 +1 @@
+../../../000_cross_env_vars
+\ No newline at end of file
diff --git a/host/env/prod/group_vars/all/env_specific b/host/env/prod/group_vars/all/env_specific
@@ -0,0 +1,12 @@
+wg_client_iface: wg0
+wg_client_ip: 10.0.0.1
+wg_client_public_key: ZlBc9LbWP4CBm/9aIbZ2dwPZQbkYdvi7TZimAo5czWk=
+wg_client_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36613738326461313533666264313364393138653062393165303061363832623661616162616437
+ 3862356239656230363034626665303639316131373761640a363866373862376535313533373966
+ 37656432366437316135366635313639663433323663363934303263646431383065386335643038
+ 6562656233336532360a343666306138356231373063353066303030663462616630323237646535
+ 31336539323665653562333265323939396365306366343763616631383133653037613130613434
+ 6231663264373733353832346338623136636532363333626162
+
diff --git a/host/env/prod/host_vars/server01.qh.is b/host/env/prod/host_vars/server01.qh.is
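Review bot: `inventory = ./env/test` makes the local test environment the default for every playbook run, and nothing in the hunk records that production now requires an explicit `-i env/prod`. Defaulting to test is the safer direction, but a maintainer reading ansible.cfg cannot tell that from the line itself; add `; default inventory is the local test env, production runs must pass -i env/prod explicitly` above it. The `[diff]` section that follows is unchanged.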
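Review bot: The production tunnel addresses are swapped relative to the files this commit deletes: host/group_vars/all had `wg_client_ip: 10.0.0.2` and host/host_vars/server01.qh.is had `wg_server_ip: 10.0.0.1`, while this hunk sets `wg_client_ip: 10.0.0.1` and the new host/env/prod/host_vars/server01.qh.is sets `wg_server_ip: 10.0.0.2`. A commit described as setting up a local test environment should not renumber both ends of the live production peer; if the swap is intended, state it in the commit message, otherwise keep the old values. As far as the client.yml hunks show, the /etc/hosts tasks match on `search_string: '{{ wg_server_ip }}'`, so an entry for the old server address would not be replaced but left next to the new one.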
@@ -0,0 +1,20 @@
+static_interface: ens3
+static_ip: 89.147.110.9
+static_subnet: 255.255.255.0
+static_gateway: 89.147.110.1
+static_mtu: 576
+static_nameservers:
+ - 93.95.224.28
+ - 93.95.224.29
+
+wg_server_ip: 10.0.0.2
+wg_server_public_key: DcQpBGdChVTyLMR/UUfPNHa8sQz9J5I+3BSIJ7f3qhw=
+wg_server_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31626538636263303764343161633635636439323630336631336230366430323562633530393934
+ 6435336263616664383930656362633365613463373965620a663833313234643762626130376662
+ 65663965303864363162306265373437346337643734353363656130613435303236663834376533
+ 3132326665323861620a356439353663383237383630366461303233343062626564623231323134
+ 36303534316462316537356166363462613434393631373332313931393362646634336362656638
+ 3465306231393835613662643230346637643639383938633435
+
diff --git a/host/inventory.ini b/host/env/prod/hosts
diff --git a/host/env/test/group_vars/all/000_cross_env_vars b/host/env/test/group_vars/all/000_cross_env_vars
@@ -0,0 +1 @@
+../../../000_cross_env_vars
+\ No newline at end of file
diff --git a/host/env/test/group_vars/all/env_specific b/host/env/test/group_vars/all/env_specific
@@ -0,0 +1,12 @@
+wg_client_iface: wg1
+wg_client_ip: 10.0.1.1
+wg_client_public_key: iPeRMgySCZVvggZXwQZfFFhWUci/gf0Nucn6b92KJm4=
+wg_client_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 32633934376532326533326234336138636461316334656237323961643137396239316564663332
+ 6337363735323436633461393564373333393636643130390a666266393631373937626365376131
+ 32316130323338626364333231303131313131323032393261373833623131633831343232323936
+ 3966336430343030320a353039633133633536616131646131396532626362333534313830346339
+ 63613832373866303030626431636565323034383333303139336564626435383065613537316662
+ 3532613138343633303234623135633061346539663539336534
+
diff --git a/host/env/test/host_vars/server01.local b/host/env/test/host_vars/server01.local
@@ -0,0 +1,20 @@
+static_interface: enX0
+static_ip: 10.137.0.5
+static_subnet: 255.255.255.255
+static_gateway: 10.137.0.39
+static_mtu: 1500
+static_nameservers:
+ - 10.139.1.1
+ - 10.139.1.2
+
+wg_server_ip: 10.0.1.2
+wg_server_public_key: w2ihUZo9B25oTGPgrRyOg/XnOmIH2BktSB3UWV0a2GQ=
+wg_server_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65333939613964373839363935313561356537303738323736303335643861316562346164623665
+ 3031663162663033386366316265633636363164356161360a616437616632393963643734303338
+ 31316434316431356361616639343339623138616336356331626430383235623238636331656564
+ 6432623361343863340a616130653136663065313862373631373731653331393763313435393765
+ 32326533623666646439633462376663646466616436613635616434663738366535623038343562
+ 6462653265326630343561343831323562613435376639303263
+
diff --git a/host/env/test/hosts b/host/env/test/hosts
@@ -0,0 +1,2 @@
+[servers]
+server01.local
diff --git a/host/group_vars/all b/host/group_vars/all
@@ -1,13 +0,0 @@
-wireguard_port: 62620
-
-wg_client_ip: 10.0.0.2
-wg_client_public_key: ZlBc9LbWP4CBm/9aIbZ2dwPZQbkYdvi7TZimAo5czWk=
-wg_client_private_key: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 36613738326461313533666264313364393138653062393165303061363832623661616162616437
- 3862356239656230363034626665303639316131373761640a363866373862376535313533373966
- 37656432366437316135366635313639663433323663363934303263646431383065386335643038
- 6562656233336532360a343666306138356231373063353066303030663462616630323237646535
- 31336539323665653562333265323939396365306366343763616631383133653037613130613434
- 6231663264373733353832346338623136636532363333626162
-
diff --git a/host/host_vars/server01.qh.is b/host/host_vars/server01.qh.is
@@ -1,20 +0,0 @@
-static_interface: ens3
-static_ip: 89.147.110.9
-static_subnet: 255.255.255.0
-static_gateway: 89.147.110.1
-static_mtu: 576
-static_nameservers:
- - 93.95.224.28
- - 93.95.224.29
-
-wg_server_ip: 10.0.0.1
-wg_server_public_key: DcQpBGdChVTyLMR/UUfPNHa8sQz9J5I+3BSIJ7f3qhw=
-wg_server_private_key: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 31626538636263303764343161633635636439323630336631336230366430323562633530393934
- 6435336263616664383930656362633365613463373965620a663833313234643762626130376662
- 65663965303864363162306265373437346337643734353363656130613435303236663834376533
- 3132326665323861620a356439353663383237383630366461303233343062626564623231323134
- 36303534316462316537356166363462613434393631373332313931393362646634336362656638
- 3465306231393835613662643230346637643639383938633435
-
diff --git a/host/roles/openssh/tasks/user.yml b/host/roles/openssh/tasks/user.yml
@@ -34,5 +34,5 @@
 group: user
 mode: '0644'
 content: |
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4zNrHVit/S7gU3qW2IbSP8jtUpGSP3tb+z/PBSXD66 jul@9o.is
+ {{ ssh_authorized_key }}
diff --git a/host/roles/wireguard/handlers/main.yml b/host/roles/wireguard/handlers/main.yml
@@ -7,7 +7,7 @@
 - name: restart client wireguard
 delegate_to: localhost
 service:
- name: wg-quick@wg0
+ name: wg-quick@{{ wg_client_iface }}
 state: restarted
 - name: restart nftables
diff --git a/host/roles/wireguard/tasks/client.yml b/host/roles/wireguard/tasks/client.yml
@@ -21,7 +21,7 @@
 - name: edit client interface
 delegate_to: localhost
 ini_file:
- path: /etc/wireguard/wg0.conf
+ path: '/etc/wireguard/{{ wg_client_iface }}.conf'
 owner: root
 group: root
 mode: '0600'
@@ -39,7 +39,7 @@
 delegate_to: localhost
 delegate_facts: true
 ini_file:
- path: /etc/wireguard/wg0.conf
+ path: '/etc/wireguard/{{ wg_client_iface }}.conf'
 owner: root
 group: root
 mode: '0600'
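Review bot: `{{ ssh_authorized_key }}` is written into the authorized_keys content with no check that the variable actually holds a public key, so an environment that sets it to an empty or malformed value produces a key file with one blank line and locks the user out of SSH on the next run. An undefined variable fails the task under Ansible's defaults, but an empty value does not; add a guard before the task, e.g. `- assert:` / `that: ssh_authorized_key is match('^(sk-)?(ssh|ecdsa)-')` / `fail_msg: 'ssh_authorized_key must hold a public key'`. The enclosing task starts before the hunk, so its `name:` is not visible here.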
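Review bot: In the handlers hunk `name: wg-quick@{{ wg_client_iface }}` is left as a plain scalar while the same template is quoted in the client.yml hunks below (`path: '/etc/wireguard/{{ wg_client_iface }}.conf'`). The value parses as intended today because it starts with a letter, but quoting templated scalars is the convention the rest of this commit follows; change it to `name: 'wg-quick@{{ wg_client_iface }}'`.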
@@ -68,7 +68,18 @@
 #!/bin/sh
 rm -rf /etc/wireguard
 ln -s /rw/config/wireguard /etc/wireguard
- systemctl start wg-quick@wg0
+
+- name: autostart wireguard {{ wg_client_iface }}
+ delegate_to: localhost
+ copy:
+ dest: '/rw/config/rc.local.d/wireguard-{{ wg_client_iface }}.rc'
+ owner: root
+ group: root
+ mode: '0755'
+ content: |
+ #!/bin/sh
+ while [ ! -e /etc/wireguard/{{ wg_client_iface }}.conf ]; do sleep 1; done
+ systemctl start wg-quick@{{ wg_client_iface }}
 - name: resolve {{ ansible_nodename }} to {{ wg_server_ip }}
 delegate_to: localhost
@@ -77,31 +88,14 @@
 path: /etc/hosts
 search_string: '{{ wg_server_ip }}'
 line: '{{ wg_server_ip }} {{ ansible_nodename }}'
- owner: root
- group: root
- mode: '0644'
+ insertbefore: '### START default local hosts'
 - name: persist /etc/hosts for qubes
 delegate_to: localhost
 delegate_facts: true
- block:
- - name: add {{ wg_server_ip }} to /rw/config/hosts
- lineinfile:
- path: /rw/config/hosts
- create: true
- search_string: '{{ wg_server_ip }}'
- line: '{{ wg_server_ip }} {{ ansible_nodename }}'
- owner: root
- group: root
- mode: '0644'
- - name: create rc.local script
- copy:
- dest: /rw/config/rc.local.d/hosts.rc
- owner: root
- group: root
- mode: '0755'
- content: |
- #!/bin/sh
- cat /rw/config/hosts >> /etc/hosts
-
+ lineinfile:
+ path: /rw/config/hosts
+ search_string: '{{ wg_server_ip }}'
+ line: '{{ wg_server_ip }} {{ ansible_nodename }}'
+ insertbefore: '### START default local hosts'
diff --git a/host/roles/wireguard/tasks/main.yml b/host/roles/wireguard/tasks/main.yml
@@ -1,9 +1,4 @@
 ---
-- name: install wireguard
- package:
- name: wireguard
- state: present
-
 - name: configure wireguard client
 include_tasks: client.yml
diff --git a/host/roles/wireguard/tasks/server.yml b/host/roles/wireguard/tasks/server.yml
@@ -1,4 +1,9 @@
 ---
+- name: install wireguard
+ package:
+ name: wireguard
+ state: present
+
 - name: create server wireguard directory
 file:
 path: /etc/wireguard
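Review bot: The `while [ ! -e /etc/wireguard/{{ wg_client_iface }}.conf ]; do sleep 1; done` loop in the new rc script has no upper bound, so if the config never appears (the script that links /rw/config/wireguard has not run, or the interface was dropped from the environment) the script sleeps forever, and presumably blocks whatever runs the rc.local.d scripts in sequence. Bound the wait and fail visibly: `i=0; while [ ! -e /etc/wireguard/{{ wg_client_iface }}.conf ] && [ "$i" -lt 60 ]; do sleep 1; i=$((i+1)); done` followed by `[ -e /etc/wireguard/{{ wg_client_iface }}.conf ] || exit 1`. The removed `systemctl start wg-quick@wg0` leaves the first script, whose `#!/bin/sh` is the hunk's first context line, responsible only for the symlink; the task owning that script starts before the hunk, so the ordering between the two rc files cannot be confirmed from here.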
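Review bot: The rewritten `lineinfile` on `/rw/config/hosts` drops the `create: true` that the removed block carried, so on a VM where that file does not exist yet the task fails instead of creating it; keep `create: true` under `path: /rw/config/hosts`. The hunk also deletes the `hosts.rc` script that appended /rw/config/hosts to /etc/hosts at boot without adding a replacement, so persistence across reboots now depends on something outside this diff honouring the `### START default local hosts` marker; add a comment above the task such as `# /rw/config/hosts is merged into /etc/hosts by <name the mechanism>; keep the marker below in sync with it`. Separately, `search_string` is a literal substring match, so `10.0.0.2` would also hit a line for `10.0.0.20`; in both tasks replace `search_string: '{{ wg_server_ip }}'` with `regexp: '^{{ wg_server_ip | regex_escape }}\s'`. The /etc/hosts task that the first lines belong to starts before the hunk.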