From f6b1c20983ac9319199764437565af7a9fee091f Mon Sep 17 00:00:00 2001
From: lhahn
Date: Mon, 18 Sep 2023 12:06:24 +0200
Subject: [PATCH] Optimise wireguard

---
 defaults/main.yml | 11 +-
 tasks/cloud_control.yml | 8 -
 tasks/main.yml | 2 -
 .../etc/wireguard/wireguard-client.conf.j2 | 4 +-
 templates/usr/local/bin/cloud-control.j2 | 155 ------------------
 vars/main.yml | 2 -
 6 files changed, 4 insertions(+), 178 deletions(-)
 delete mode 100755 tasks/cloud_control.yml
 delete mode 100755 templates/usr/local/bin/cloud-control.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index c5cccfc..5e840d9 100755
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,14 +4,7 @@ cloud_update: false
 cloud_name: cloud
 cloud_home: "/opt/{{ cloud_name }}"
 cloud_type: "cloud"
-cloud_env: production
-cloud_env_path: "{{ cloud_home }}/{{ cloud_env }}"
-cloud_host_group: server
-cloud_control_version: 1.0.0
-cloud_control_name: cloud-control
-cloud_git_branch_main: main
 cloud_stage: prod
-
 cloud_tzdata: Europe/Berlin
 cloud_apps: /opt
 
@@ -61,7 +54,7 @@ users:
 ssh_key: "ssh-rsa ABCDEF"
 
 ## SSH
-ssh_port: 22
+ssh_port: 1802
 ssh_configs:
 - Protocol 2
 - "Port {{ cloud_ssh_port }}"
@@ -87,7 +80,7 @@ fail2ban_activate_modules:
 
 ## WIREGUARD
 wireguard_enabled: True
 wireguard_is_gateway: False
-wireguard_allow_adjacent_client_traffic: False
+wireguard_allow_adjacent_client_traffic: True
 wireguard_keepalive: 25
 wireguard_gateway_interface: eth0
diff --git a/tasks/cloud_control.yml b/tasks/cloud_control.yml
deleted file mode 100755
index 8bd2795..0000000
--- a/tasks/cloud_control.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: setup Cloud Control script
- template:
- src: "templates{{ cloud_control_path }}/cloud-control.j2"
- dest: "{{ cloud_control_path }}/{{ cloud_control_name }}"
- owner: root
- group: root
- mode: 0754
diff --git a/tasks/main.yml b/tasks/main.yml
index 91abfd5..efdc2f4 100755
--- a/tasks/main.yml
+++ b/tasks/main.yml
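Review bot: The new default `ssh_port: 1802` is not the value the sshd configuration reads — the `Port` entry two lines below in the same hunk still interpolates `cloud_ssh_port`, so unless `cloud_ssh_port` is derived from `ssh_port` somewhere outside this hunk the listener stays wherever `cloud_ssh_port` points while anything keyed to `ssh_port` moves to 1802. Either make both lines use the same variable, `- "Port {{ ssh_port }}"`, or state the dependency above the key: `# ssh_port must agree with cloud_ssh_port used in ssh_configs`. Moving the SSH port in a role's defaults also applies to every host that consumes the role; if the fail2ban sshd jail's port is not derived from this variable (its configuration is not visible here), bans would presumably keep targeting port 22 while sshd listens on 1802, which is worth noting next to the key as well.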
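Review bot: Flipping `wireguard_allow_adjacent_client_traffic` to `True` as a role default widens tunnel reachability for every client that consumes the role: combined with the client template's AllowedIPs logic in this patch, each peer then routes the whole `wireguard_gateway_net_prefix` subnet through the gateway instead of only the gateway's address, so client-to-client traffic becomes reachable to the extent the gateway forwards it. A role default should stay the restrictive choice and be switched on per host or group where lateral client traffic is actually wanted; at minimum put the consequence above the key: `# True routes the whole tunnel net via the gateway (clients reach each other); False limits AllowedIPs to the gateway address`. The value is also written in the capitalised `True`/`False` form, as are `wireguard_enabled` and `wireguard_is_gateway` in the context lines; lowercase `true`/`false` is the form yamllint's truthy rule accepts.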
@@ -30,8 +30,6 @@
 - name: Setup and configure fail2ban service
 import_tasks: fail2ban.yml
 
-- name: Setup and configure cloud control script
- import_tasks: cloud_control.yml
 
 - name: Setup mount points
 import_tasks: mount.yml
diff --git a/templates/etc/wireguard/wireguard-client.conf.j2 b/templates/etc/wireguard/wireguard-client.conf.j2
index f5a6e3e..9bcef77 100644
--- a/templates/etc/wireguard/wireguard-client.conf.j2
+++ b/templates/etc/wireguard/wireguard-client.conf.j2
@@ -1,11 +1,11 @@
 [Interface]
-Address = {{ wireguard_gateway_net_prefix }}.{{ wireguard_clients[wireguard_client_host].index }}/32
+Address = {{ wireguard_gateway_net_prefix }}.{{ wireguard_clients[wireguard_client_host].index }}/{{ wireguard_gateway_net_cidr }}
 PrivateKey = {{ wireguard_clients[wireguard_client_host].private_key }}
 DNS = {{ cloud_internal_dns }}
 
 [Peer]
 PublicKey = {{ wireguard_gateway_public_key }}
 Endpoint = {{ wireguard_gateway_host }}:{{ wireguard_gateway_port }}
-AllowedIPs = {{ wireguard_gateway_net_prefix }}.1/{% if wireguard_allow_adjacent_client_traffic %}{{ wireguard_gateway_net_cidr }}{% else %}32{% endif %}
+AllowedIPs = {{ wireguard_gateway_net_prefix }}{% if wireguard_allow_adjacent_client_traffic %}.0/{{ wireguard_gateway_net_cidr }}{% else %}.1/32{% endif %}
 PersistentKeepalive = {{ wireguard_keepalive }}
diff --git a/templates/usr/local/bin/cloud-control.j2 b/templates/usr/local/bin/cloud-control.j2
deleted file mode 100755
index 6179181..0000000
--- a/templates/usr/local/bin/cloud-control.j2
+++ /dev/null
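Review bot: The Address prefix on the new second line is now unconditionally `/{{ wireguard_gateway_net_cidr }}`, while AllowedIPs further down still collapses to `.1/32` when `wireguard_allow_adjacent_client_traffic` is false; in that mode the interface gets a connected route for the whole tunnel net but the peer only accepts the gateway's address, so packets to other clients are pulled onto the wg interface and dropped by the cryptokey routing check instead of following the normal routing table. Tying the prefix to the same switch keeps both lines consistent: `Address = {{ wireguard_gateway_net_prefix }}.{{ wireguard_clients[wireguard_client_host].index }}/{% if wireguard_allow_adjacent_client_traffic %}{{ wireguard_gateway_net_cidr }}{% else %}32{% endif %}`. The new `.0/{{ wireguard_gateway_net_cidr }}` form only names a network address when the cidr is 24 or larger, since the prefix already supplies three octets, and how the tooling treats host bits set in that value is not visible here; a template comment such as `{# wireguard_gateway_net_cidr is assumed to be >= 24: the prefix covers the first three octets #}` would record that assumption where the template is read.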
@@ -1,155 +0,0 @@ -#!/bin/bash -set -e - - -### VARIABLE ################################################################### -environment_folder={{ cloud_env_path }} -environment="{{ cloud_env }}" -host_type="{{ cloud_host_group }}" -script_name=$(basename $0) -cloud_name="{{ cloud_name }}" -cloud_type="{{ cloud_type }}" -version="{{ cloud_control_version }}" -branch_main="{{ cloud_git_branch_main }}" -################################################################################ - - - -### FUNCTION ################################################################### -to_working_directory() { - if [ ! -d $environment_folder/.git ] || [ ! -d $environment_folder ]; then - echo "Environment '$environment' in '$environment_folder' not available or folder not a git repository! Abort." - exit 1 - fi - cd $environment_folder/$environment -} - -help() { - echo "$script_name, version $version by L.Hahn" - echo "" - echo " $cloud_name script for cloud control" - echo " You can checkout environment (branches), rollout configurations," - echo " run ansible and restore entire configurations." - echo "" - echo "Usage: $script_name [command] [options]" - echo "" - echo "commands:" - echo " - help print this help" - echo " - maintenance setup local server into maintenance mode; no automatic ansible call" - echo " - environment" - echo " download checkout from remote repository" - echo " update load latest remote changes for current branch" - echo " reset stash changes and reset current branch from remote repository with latest changes" - echo " restore checkout latest $branch_main branch from remote repository" - echo " - update get latest roles according to environment requirements.yml" - echo " - play play current loaded ansible playbooks" - echo " - reset perform 1. environment restore, 2. update, 3. 
execute" - echo "" - echo "" - echo "example:" - echo "~# $script_name environment update" - echo " this will download changes from the currently active remote branch" -} - -environment() { - to_working_directory - current_branch=$(git branch | grep "^\*" | cut -d " " -f 2) - current_upstream=$(git rev-parse $current_branch@{upstream}) - - env_option=$1 - case $env_option in - "update") - echo "### Updating branch '$current_branch' in $environment_folder ###" - git pull - ;; - "reset") - echo "### Resetting branch '$current_branch' in $environment_folder ###" - git reset --hard $current_branch - git pull - ;; - "restore") - echo "### Restoring branch '$branch_main' in $environment_folder ###" - git reset --hard HEAD - git clean -f - git checkout $branch_main - git pull - ;; - "download") - if [ $# -lt 2 ]; then - echo "Missing branch name for environment downloading" - exit 1 - fi - echo "### Stashing branch '$current_branch' & downloading branch '$2' in $environment_folder ###" - git stash - git checkout -b $2 origin/$2 - git pull - ;; - *) - echo "Unknown environments option '$env_option', abort!" - exit 1 - ;; - esac -} - -maintenance() { - to_working_directory - echo "maint" -} - -update() { - to_working_directory - ansible-galaxy install -f -p roles/ -r requirements.yml -} - -play() { - to_working_directory - ansible-playbook $cloud_type"-"$host_type".yml" -} -################################################################################ - - -### MAIN ####################################################################### -if [ $# -eq 0 ]; then - help - exit 1 -fi -script_command=$1 - -case $script_command in - "help") - help - ;; - "maintenance") - maintenance - ;; - "environment") - if [ $# -lt 2 ]; then - echo "ERROR! environment command needs options! None provided." - echo "Call '~# $script_name help' for more information." 
- exit 1
- fi
- environment $2 $3
- ;;
- "update")
- update
- ;;
- "play")
- play
- ;;
- "reset")
- echo "#=== restore environment ===#"
- environment restore
- echo ""
- echo "#=== update roles ===#"
- update
- echo ""
- echo "#=== play playbook ===#"
- play
- echo ""
- ;;
- *)
- echo "Unknown command '$script_command', abort!"
- echo "Call '~# $script_name help' for more information."
- ;;
-esac
-################################################################################
\ No newline at end of file
diff --git a/vars/main.yml b/vars/main.yml
index 9598da3..93fc966 100755
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -3,5 +3,3 @@ sshd_path: "/etc/ssh"
 sshd_conf: "{{ sshd_path }}/sshd_config"
 fail2ban_path: "/etc/fail2ban"
 fail2ban_jail_conf: "{{ fail2ban_path }}/jail.local"
-
-cloud_control_path: "/usr/local/bin"