mirror of
https://git.fsfe.org/fsfe-system-hackers/innernet-playbook.git
synced 2024-11-28 09:33:12 +01:00
update README
This commit is contained in:
parent
75c2682bef
commit
1eb595bec2
92
README.md
92
README.md
@ -16,8 +16,15 @@ There is a need for some of our servers to connect to other IPv6-only hosts. Sin
|
|||||||
|
|
||||||
![An overview](fsfe-innernet.png)
|
![An overview](fsfe-innernet.png)
|
||||||
|
|
||||||
|
You can learn more about innernet by looking at its [source code](./innernet-src) or reading this informative [blog post](https://blog.tonari.no/introducing-innernet) of its creator.
|
||||||
|
|
||||||
# Preparation
|
# Preparation
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
* A somewhat recent version of `ansible`
|
||||||
|
* `git`
|
||||||
|
|
||||||
## Clone the repo
|
## Clone the repo
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
@ -25,39 +32,47 @@ git clone --recurse-submodules git@git.fsfe.org:fsfe-system-hackers/innernet-pla
|
|||||||
cd innernet-playbook
|
cd innernet-playbook
|
||||||
```
|
```
|
||||||
|
|
||||||
## Build binaries from submodule at `./innernet-src`
|
# Deployment
|
||||||
|
|
||||||
Since [innernet](https://github.com/tonarino/innernet) is new software, it is not yet included in the Debian repositories. Thus, before running the playbook we need to build the `innernet` and `innernet-server` binaries. At the moment, we are using `1.5.1`, but you can choose any other available version by setting the environment variable accordingly. Please also note that you need [`cargo-deb`](https://github.com/kornelski/cargo-deb) installed to successfully compile the Debian packages.
|
In the scope of this playbook and its roles, we have three different categories of computers:
|
||||||
|
|
||||||
```bash
|
1. The innernet server, being the central connector of all innernet peers
|
||||||
./build-debs.sh
|
2. Automatically managed machines that are innernet peers, mostly VMs
|
||||||
```
|
3. Manually managed peers, for example admins and other humans
|
||||||
|
|
||||||
You can learn more about innernet by looking at its [source code](./innernet-src) or reading this informative [blog post](https://blog.tonari.no/introducing-innernet) of its creator.
|
## Configure server and all clients
|
||||||
|
|
||||||
## Preparing `ansible`
|
Run the whole playbook to configure everything. For the innernet server and
|
||||||
|
automatically managed machines, all will be handled. For the manually managed
|
||||||
To ensure this playbook works on different machines, [pipenv](https://pipenv.pypa.io/en/latest/) is used to pin the version of `ansible`. So, to use the same version of Ansible that this playbook was tested with, simply run:
|
peers, you will be given an invitation file.
|
||||||
|
|
||||||
```bash
|
|
||||||
pipenv install --dev # for developing or
|
|
||||||
pipenv install # for simply running this playbook
|
|
||||||
pipenv shell
|
|
||||||
```
|
|
||||||
|
|
||||||
Now, you should be in a shell that is running the correct version of the `ansible` and `ansible-playbook` executable.
|
|
||||||
|
|
||||||
## Execution
|
|
||||||
|
|
||||||
### Run the playbook
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ansible-playbook deploy.yml
|
ansible-playbook deploy.yml
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Add a new machine
|
||||||
|
|
||||||
|
In order to add e.g. a virtual machine to the networks, run these steps:
|
||||||
|
|
||||||
|
1. In the inventory, add the `innernet_client` group to the host
|
||||||
|
2. Run the playbook with `ansible-playbook -l newserver.org deploy.yml`
|
||||||
|
|
||||||
|
This will configure both the necessary parts on the server and the new machine.
|
||||||
|
|
||||||
|
## Add a new manually managed peer
|
||||||
|
|
||||||
|
In order to add a new human or otherwise manually managed innernet peer, run
|
||||||
|
these steps:
|
||||||
|
|
||||||
|
1. In `all.yml`, add a new entry for `manual_peers`
|
||||||
|
2. Run the playbook with `ansible-playbook -l innernet_server deploy.yml`
|
||||||
|
3. Install innernet and import the invitation file on the new peer's computer
|
||||||
|
(see below). They are in `roles/client/files/` then.
|
||||||
|
|
||||||
### Distribute the invitation files
|
### Distribute the invitation files
|
||||||
|
|
||||||
Some invitation files are for humans, so you need to send these files to them securely. I suggest using someting like `wormohle`.
|
Some invitation files are for humans, so you need to send these files to them
|
||||||
|
securely. We suggest using someting like `wormohle`.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudo apt install magic-wormhole
|
sudo apt install magic-wormhole
|
||||||
@ -65,8 +80,35 @@ cd roles/client/files
|
|||||||
wormhole send <name_of_peer>.toml
|
wormhole send <name_of_peer>.toml
|
||||||
```
|
```
|
||||||
|
|
||||||
### Associations
|
# Update
|
||||||
|
|
||||||
Please be aware that the `admins` CIDR [is associated](https://github.com/tonarino/innernet#adding-associations-between-cidrs) with all other CIDRs (i.e. `humans > others` and `machines`).
|
Since [innernet](https://github.com/tonarino/innernet) is new software, it is
|
||||||
|
not yet included in the Debian repositories. Thus, before running the playbook
|
||||||
|
we need to build the `innernet` and `innernet-server` binaries.
|
||||||
|
|
||||||
## Development
|
In order to switch to a newer version of innernet, run the following steps:
|
||||||
|
|
||||||
|
1. Check out the desired tag in the `innernet-src` submodule
|
||||||
|
2. Run the build script: `./build-debs.sh`
|
||||||
|
3. Run the playbook with `ansible-playbook -t update deploy.yml`
|
||||||
|
|
||||||
|
# Associations
|
||||||
|
|
||||||
|
The different CIDRs can have [associations](https://github.com/tonarino/innernet#adding-associations-between-cidrs), e.g. so that admins can access
|
||||||
|
machines, although they are not in the same subnet.
|
||||||
|
|
||||||
|
These have to be configure by an admin!
|
||||||
|
|
||||||
|
Currently, the `admins` CIDR is associated with all other CIDRs (i.e. `humans` >
|
||||||
|
`others` and `machines`).
|
||||||
|
|
||||||
|
# Ansible tags
|
||||||
|
|
||||||
|
Some tags allow you to specify just certain operations. Here are the currently
|
||||||
|
available ones:
|
||||||
|
|
||||||
|
* `cidr`: configure CIDRs
|
||||||
|
* `update`: update the innernet binaries
|
||||||
|
* `firewall`: configure firewall settings
|
||||||
|
* `listen_port`: edit/set the listen port between server and clients
|
||||||
|
* `uninstall`: delete innernet configuration and packages from systems
|
||||||
|
Loading…
Reference in New Issue
Block a user