Optimise wireguard

2023-09-18 12:06:24 +02:00 · 2023-09-18 12:06:24 +02:00 · 45dc5a151f
commit 45dc5a151f
parent 6bcf35137f
6 changed files with 5 additions and 179 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -4,14 +4,7 @@ cloud_update: false
 cloud_name: cloud
 cloud_home: "/opt/{{ cloud_name }}"
 cloud_type: "cloud"
-cloud_env: production
-cloud_env_path: "{{ cloud_home }}/{{ cloud_env }}"
-cloud_host_group: server
-cloud_control_version: 1.0.0
-cloud_control_name: cloud-control
-cloud_git_branch_main: main
 cloud_stage: prod
-
 cloud_tzdata: Europe/Berlin

 cloud_apps: /opt
@ -85,9 +78,9 @@ fail2ban_activate_modules:
  - nginx

 ## WIREGUARD
-wireguard_enabled: True
+wireguard_gateway_enabled: True
 wireguard_is_gateway: False
-wireguard_allow_adjacent_client_traffic: False
+wireguard_allow_adjacent_client_traffic: True
 wireguard_keepalive: 25

 wireguard_gateway_interface: eth0
--- a/tasks/cloud_control.yml
+++ b/tasks/cloud_control.yml
@ -1,8 +0,0 @@
---
- name: setup Cloud Control script
-  template:
-    src: "templates{{ cloud_control_path }}/cloud-control.j2"
-    dest: "{{ cloud_control_path }}/{{ cloud_control_name }}"
-    owner: root
-    group: root
-    mode: 0754
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -30,8 +30,6 @@
 - name: Setup and configure fail2ban service
  import_tasks: fail2ban.yml

- name: Setup and configure cloud control script
-  import_tasks: cloud_control.yml

 - name: Setup mount points
  import_tasks: mount.yml
@ -61,4 +59,4 @@

 - name: Setup wireguard vpn
  import_tasks: wireguard.yml
-  when: wireguard_enabled
+  when: wireguard_gateway_enabled
--- a/templates/etc/wireguard/wireguard-client.conf.j2
+++ b/templates/etc/wireguard/wireguard-client.conf.j2
@ -1,11 +1,11 @@
 [Interface]
-Address = {{ wireguard_gateway_net_prefix }}.{{ wireguard_clients[wireguard_client_host].index }}/32
+Address = {{ wireguard_gateway_net_prefix }}.{{ wireguard_clients[wireguard_client_host].index }}/{{ wireguard_gateway_net_cidr }}
 PrivateKey = {{ wireguard_clients[wireguard_client_host].private_key }}
 DNS = {{ cloud_internal_dns }}

 [Peer]
 PublicKey = {{ wireguard_gateway_public_key }}
 Endpoint = {{ wireguard_gateway_host }}:{{ wireguard_gateway_port }}
-AllowedIPs = {{ wireguard_gateway_net_prefix }}.1/{% if wireguard_allow_adjacent_client_traffic %}{{ wireguard_gateway_net_cidr }}{% else %}32{% endif %}
+AllowedIPs = {{ wireguard_gateway_net_prefix }}{% if wireguard_allow_adjacent_client_traffic %}.0/{{ wireguard_gateway_net_cidr }}{% else %}.1/32{% endif %}

 PersistentKeepalive = {{ wireguard_keepalive }}
--- a/templates/usr/local/bin/cloud-control.j2
+++ b/templates/usr/local/bin/cloud-control.j2
@ -1,155 +0,0 @@
-#!/bin/bash
-set -e
-
-
-### VARIABLE ###################################################################
-environment_folder={{ cloud_env_path }}
-environment="{{ cloud_env }}"
-host_type="{{ cloud_host_group }}"
-script_name=$(basename $0)
-cloud_name="{{ cloud_name }}"
-cloud_type="{{ cloud_type }}"
-version="{{ cloud_control_version }}"
-branch_main="{{ cloud_git_branch_main }}"
-################################################################################
-
-
-
-### FUNCTION ###################################################################
-to_working_directory() {
-    if [ ! -d $environment_folder/.git ] || [ ! -d $environment_folder ]; then
-        echo "Environment '$environment' in '$environment_folder' not available or folder not a git repository! Abort."
-        exit 1
-    fi
-    cd $environment_folder/$environment
-}
-
-help() {
-    echo "$script_name, version $version by L.Hahn"
-    echo ""
-    echo "  $cloud_name script for cloud control"
-    echo "  You can checkout environment (branches), rollout configurations,"
-    echo "  run ansible and restore entire configurations."
-    echo ""
-    echo "Usage: $script_name [command] [options]"
-    echo ""
-    echo "commands:"
-    echo "  - help                    print this help"
-    echo "  - maintenance             setup local server into maintenance mode; no automatic ansible call"
-    echo "  - environment"
-    echo "      download <branch>     checkout <branch> from remote repository"
-    echo "      update                load latest remote changes for current branch"
-    echo "      reset                 stash changes and reset current branch from remote repository with latest changes"
-    echo "      restore               checkout latest $branch_main branch from remote repository"
-    echo "  - update                  get latest roles according to environment requirements.yml"
-    echo "  - play                 play current loaded ansible playbooks"
-    echo "  - reset                   perform 1. environment restore, 2. update, 3. execute"
-    echo ""
-    echo ""
-    echo "example:"
-    echo "~# $script_name environment update"
-    echo "  this will download changes from the currently active remote branch"
-}
-
-environment() {
-    to_working_directory
-    current_branch=$(git branch | grep "^\*" | cut -d " " -f 2)
-    current_upstream=$(git rev-parse $current_branch@{upstream})
-
-    env_option=$1
-    case $env_option in
-        "update")
-            echo "### Updating branch '$current_branch' in $environment_folder ###"
-            git pull
-            ;;
-        "reset")
-            echo "### Resetting branch '$current_branch' in $environment_folder ###"
-            git reset --hard $current_branch
-            git pull
-            ;;
-        "restore")
-            echo "### Restoring branch '$branch_main' in $environment_folder ###"
-            git reset --hard HEAD
-            git clean -f
-            git checkout $branch_main
-            git pull
-            ;;
-        "download")
-            if [ $# -lt 2 ]; then
-                echo "Missing branch name for environment downloading"
-                exit 1
-            fi
-            echo "### Stashing branch '$current_branch' & downloading branch '$2' in $environment_folder ###"
-            git stash
-            git checkout -b $2 origin/$2
-            git pull
-            ;;
-        *)
-            echo "Unknown environments option '$env_option', abort!"
-            exit 1
-            ;;
-    esac
-}
-
-maintenance() {
-    to_working_directory
-    echo "maint"
-}
-
-update() {
-    to_working_directory
-    ansible-galaxy install -f -p roles/ -r requirements.yml
-}
-
-play() {
-    to_working_directory
-    ansible-playbook $cloud_type"-"$host_type".yml"
-}
-################################################################################
-
-
-### MAIN #######################################################################
-if [ $# -eq 0 ]; then
-    help
-    exit 1
-fi
-script_command=$1
-
-case $script_command in
-    "help")
-        help
-        ;;
-    "maintenance")
-        maintenance
-        ;;
-    "environment")
-        if [ $# -lt 2 ]; then
-            echo "ERROR! environment command needs options! None provided."
-            echo "Call '~# $script_name help' for more information."
-            exit 1
-        fi
-        environment $2 $3
-        ;;
-    "update")
-        update
-        ;;
-    "play")
-        play
-        ;;
-    "reset")
-        echo "#=== restore environment ===#"
-        environment restore
-        echo ""
-        echo "#=== update roles ===#"
-        update
-        echo ""
-        echo "#=== play playbook ===#"
-        play
-        echo ""
-        ;;
-    *)
-        echo "Unknown command '$script_command', abort!"
-        echo "Call '~# $script_name help' for more information."
-        ;;
-esac
-################################################################################
--- a/vars/main.yml
+++ b/vars/main.yml
@ -3,5 +3,3 @@ sshd_path: "/etc/ssh"
 sshd_conf: "{{ sshd_path }}/sshd_config"
 fail2ban_path: "/etc/fail2ban"
 fail2ban_jail_conf: "{{ fail2ban_path }}/jail.local"
-
-cloud_control_path: "/usr/local/bin"