Optimise wireguard

2023-09-18 12:06:24 +02:00 · 2023-09-18 12:06:24 +02:00 · 45dc5a151f
commit 45dc5a151f
parent 6bcf35137f
6 changed files with 5 additions and 179 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -4,14 +4,7 @@ cloud_update: false
 cloud_name: cloud
 cloud_home: "/opt/{{ cloud_name }}"
 cloud_type: "cloud"
 cloud_env: production
 cloud_env_path: "{{ cloud_home }}/{{ cloud_env }}"
 cloud_host_group: server
 cloud_control_version: 1.0.0
 cloud_control_name: cloud-control
 cloud_git_branch_main: main
 cloud_stage: prod
 cloud_tzdata: Europe/Berlin
 cloud_apps: /opt
@ -85,9 +78,9 @@ fail2ban_activate_modules:
  - nginx
 ## WIREGUARD
-wireguard_enabled: True
+wireguard_gateway_enabled: True
 wireguard_is_gateway: False
-wireguard_allow_adjacent_client_traffic: False
+wireguard_allow_adjacent_client_traffic: True
 wireguard_keepalive: 25
 wireguard_gateway_interface: eth0
--- a/tasks/cloud_control.yml
+++ b/tasks/cloud_control.yml
@ -1,8 +0,0 @@
 ---
 - name: setup Cloud Control script
  template:
    src: "templates{{ cloud_control_path }}/cloud-control.j2"
    dest: "{{ cloud_control_path }}/{{ cloud_control_name }}"
    owner: root
    group: root
    mode: 0754
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -30,8 +30,6 @@
 - name: Setup and configure fail2ban service
  import_tasks: fail2ban.yml
 - name: Setup and configure cloud control script
  import_tasks: cloud_control.yml
 - name: Setup mount points
  import_tasks: mount.yml
@ -61,4 +59,4 @@
 - name: Setup wireguard vpn
  import_tasks: wireguard.yml
-  when: wireguard_enabled
+  when: wireguard_gateway_enabled
--- a/templates/etc/wireguard/wireguard-client.conf.j2
+++ b/templates/etc/wireguard/wireguard-client.conf.j2
@ -1,11 +1,11 @@
 [Interface]
-Address = {{ wireguard_gateway_net_prefix }}.{{ wireguard_clients[wireguard_client_host].index }}/32
+Address = {{ wireguard_gateway_net_prefix }}.{{ wireguard_clients[wireguard_client_host].index }}/{{ wireguard_gateway_net_cidr }}
 PrivateKey = {{ wireguard_clients[wireguard_client_host].private_key }}
 DNS = {{ cloud_internal_dns }}
 [Peer]
 PublicKey = {{ wireguard_gateway_public_key }}
 Endpoint = {{ wireguard_gateway_host }}:{{ wireguard_gateway_port }}
-AllowedIPs = {{ wireguard_gateway_net_prefix }}.1/{% if wireguard_allow_adjacent_client_traffic %}{{ wireguard_gateway_net_cidr }}{% else %}32{% endif %}
+AllowedIPs = {{ wireguard_gateway_net_prefix }}{% if wireguard_allow_adjacent_client_traffic %}.0/{{ wireguard_gateway_net_cidr }}{% else %}.1/32{% endif %}
 PersistentKeepalive = {{ wireguard_keepalive }}
--- a/templates/usr/local/bin/cloud-control.j2
+++ b/templates/usr/local/bin/cloud-control.j2
@ -1,155 +0,0 @@
 #!/bin/bash
 set -e
 ### VARIABLE ###################################################################
 environment_folder={{ cloud_env_path }}
 environment="{{ cloud_env }}"
 host_type="{{ cloud_host_group }}"
 script_name=$(basename $0)
 cloud_name="{{ cloud_name }}"
 cloud_type="{{ cloud_type }}"
 version="{{ cloud_control_version }}"
 branch_main="{{ cloud_git_branch_main }}"
 ################################################################################
 ### FUNCTION ###################################################################
 to_working_directory() {
    if [ ! -d $environment_folder/.git ] || [ ! -d $environment_folder ]; then
        echo "Environment '$environment' in '$environment_folder' not available or folder not a git repository! Abort."
        exit 1
    fi
    cd $environment_folder/$environment
 }
 help() {
    echo "$script_name, version $version by L.Hahn"
    echo ""
    echo "  $cloud_name script for cloud control"
    echo "  You can checkout environment (branches), rollout configurations,"
    echo "  run ansible and restore entire configurations."
    echo ""
    echo "Usage: $script_name [command] [options]"
    echo ""
    echo "commands:"
    echo "  - help                    print this help"
    echo "  - maintenance             setup local server into maintenance mode; no automatic ansible call"
    echo "  - environment"
    echo "      download <branch>     checkout <branch> from remote repository"
    echo "      update                load latest remote changes for current branch"
    echo "      reset                 stash changes and reset current branch from remote repository with latest changes"
    echo "      restore               checkout latest $branch_main branch from remote repository"
    echo "  - update                  get latest roles according to environment requirements.yml"
    echo "  - play                 play current loaded ansible playbooks"
    echo "  - reset                   perform 1. environment restore, 2. update, 3. execute"
    echo ""
    echo ""
    echo "example:"
    echo "~# $script_name environment update"
    echo "  this will download changes from the currently active remote branch"
 }
 environment() {
    to_working_directory
    current_branch=$(git branch | grep "^\*" | cut -d " " -f 2)
    current_upstream=$(git rev-parse $current_branch@{upstream})
    env_option=$1
    case $env_option in
        "update")
            echo "### Updating branch '$current_branch' in $environment_folder ###"
            git pull
            ;;
        "reset")
            echo "### Resetting branch '$current_branch' in $environment_folder ###"
            git reset --hard $current_branch
            git pull
            ;;
        "restore")
            echo "### Restoring branch '$branch_main' in $environment_folder ###"
            git reset --hard HEAD
            git clean -f
            git checkout $branch_main
            git pull
            ;;
        "download")
            if [ $# -lt 2 ]; then
                echo "Missing branch name for environment downloading"
                exit 1
            fi
            echo "### Stashing branch '$current_branch' & downloading branch '$2' in $environment_folder ###"
            git stash
            git checkout -b $2 origin/$2
            git pull
            ;;
        *)
            echo "Unknown environments option '$env_option', abort!"
            exit 1
            ;;
    esac
 }
 maintenance() {
    to_working_directory
    echo "maint"
 }
 update() {
    to_working_directory
    ansible-galaxy install -f -p roles/ -r requirements.yml
 }
 play() {
    to_working_directory
    ansible-playbook $cloud_type"-"$host_type".yml"
 }
 ################################################################################
 ### MAIN #######################################################################
 if [ $# -eq 0 ]; then
    help
    exit 1
 fi
 script_command=$1
 case $script_command in
    "help")
        help
        ;;
    "maintenance")
        maintenance
        ;;
    "environment")
        if [ $# -lt 2 ]; then
            echo "ERROR! environment command needs options! None provided."
            echo "Call '~# $script_name help' for more information."
            exit 1
        fi
        environment $2 $3
        ;;
    "update")
        update
        ;;
    "play")
        play
        ;;
    "reset")
        echo "#=== restore environment ===#"
        environment restore
        echo ""
        echo "#=== update roles ===#"
        update
        echo ""
        echo "#=== play playbook ===#"
        play
        echo ""
        ;;
    *)
        echo "Unknown command '$script_command', abort!"
        echo "Call '~# $script_name help' for more information."
        ;;
 esac
 ################################################################################
--- a/vars/main.yml
+++ b/vars/main.yml
@ -3,5 +3,3 @@ sshd_path: "/etc/ssh"
 sshd_conf: "{{ sshd_path }}/sshd_config"
 fail2ban_path: "/etc/fail2ban"
 fail2ban_jail_conf: "{{ fail2ban_path }}/jail.local"
 cloud_control_path: "/usr/local/bin"