enhance update of listen-port on clients

The server cannot change its port. Therefore we set two different ports.
We also remove the redundant firewall tag
This commit is contained in:
max.mehl 2022-03-04 12:36:00 +01:00
parent 3d0f79110d
commit bfec9af6f0
No known key found for this signature in database
GPG Key ID: 2704E4AB371E2E92
4 changed files with 12 additions and 15 deletions


@ -109,6 +109,5 @@ available ones:
* `cidr`: configure CIDRs * `cidr`: configure CIDRs
* `update`: update the innernet binaries * `update`: update the innernet binaries
* `firewall`: configure firewall settings
* `listen_port`: edit/set the listen port between server and clients * `listen_port`: edit/set the listen port between server and clients
* `uninstall`: delete innernet configuration and packages from systems * `uninstall`: delete innernet configuration and packages from systems


@ -5,7 +5,8 @@ network_name: "fsfe"
# 65,536 usable IP addresses # 65,536 usable IP addresses
network_cidr: "10.200.0.0/16" network_cidr: "10.200.0.0/16"
# wiregaurd listening port # wiregaurd listening port
network_listen_port: "51820" network_listen_port_clients: "51820"
network_listen_port_server: "51820"
cidrs: cidrs:
## humans ## humans
## 10.200.16.1 to 10.200.31.254 ## 10.200.16.1 to 10.200.31.254
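Review bot: The comment `# wiregaurd listening port` now sits above two variables but does not say why the client and server ports are kept apart, and both are set to "51820" here even though the commit message says they are meant to be two different ports. I would replace it with `# WireGuard listening ports: the server cannot change its port after setup, clients can, so the two are configured separately` so a reader knows which value is safe to edit. If the two values are genuinely expected to stay equal, say that instead.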


@ -100,24 +100,22 @@
when: when:
- innernet_client not in existing_peers.stdout_lines - innernet_client not in existing_peers.stdout_lines
- name: Set listen port - name: Set listen port on client
tags: [listen_port] tags: [listen_port]
ini_file: shell: |
path: "/etc/innernet/{{ network_name }}.conf" innernet set-listen-port {{ network_name }} \
section: interface -l {{ network_listen_port_clients }} \
option: listen-port --yes
value: "{{ network_listen_port }}"
mode: 600
backup: yes
- name: Allow UDP traffic on WireGuard port - name: Allow UDP traffic on WireGuard port
tags: [listen_port, firewall] tags: [listen_port]
ufw: ufw:
to_port: "{{ network_listen_port }}" to_port: "{{ network_listen_port_clients }}"
rule: allow rule: allow
proto: udp proto: udp
- name: Restart and enable innernet daemon - name: Restart and enable innernet daemon
tags: [update, listen_port]
systemd: systemd:
name: "innernet@{{ network_name }}" name: "innernet@{{ network_name }}"
state: restarted state: restarted
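Review bot: The new `shell` task runs `innernet set-listen-port` unconditionally and will report `changed` on every run, so this step is no longer idempotent the way the replaced `ini_file` task was; it should read the currently configured port first and use a `when` or `changed_when` so the command is only executed, and only reported as changed, when the port actually moves. The interpolated values are also placed into the shell line unquoted, so I would write `innernet set-listen-port {{ network_name | quote }} -l {{ network_listen_port_clients | quote }} --yes` to keep an unexpected variable value from being interpreted by the shell. Separately, dropping `tags: [update, listen_port]` from the restart task (here and at the second hunk of the server playbook) means a run with `--tags update` no longer restarts the daemon after the binaries are replaced, which looks unintended unless a handler outside this hunk covers it; for `listen_port` it may be fine if `set-listen-port` applies the port live, but that is not visible here. The restart task continues past the end of the hunk.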


@ -101,7 +101,6 @@
- item.key not in existing_peers.stdout_lines - item.key not in existing_peers.stdout_lines
- name: Enable firewall and allow SSH - name: Enable firewall and allow SSH
tags: [listen_port, firewall]
ufw: ufw:
state: enabled state: enabled
default: deny default: deny
@ -109,12 +108,12 @@
rule: allow rule: allow
- name: Allow UDP traffic on WireGuard port - name: Allow UDP traffic on WireGuard port
tags: [listen_port, firewall]
ufw: ufw:
to_port: "{{ network_listen_port }}" to_port: "{{ network_listen_port_server }}"
rule: allow rule: allow
- name: Restart and enable innernet-server daemon - name: Restart and enable innernet-server daemon
tags: [update, listen_port]
systemd: systemd:
name: "innernet-server@{{ network_name }}" name: "innernet-server@{{ network_name }}"
state: restarted state: restarted
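Review bot: The ufw rule in the second hunk now opens `network_listen_port_server`, but nothing in this commit ties that variable to the port innernet-server actually listens on; per the commit message the server port cannot be changed, so if the variable drifts from the value chosen at server setup the firewall opens the wrong port while the real one stays blocked. I would add a comment above the task, `# must match the port innernet-server was created with; the server port cannot be changed afterwards`, or, if the playbook has access to the server's own configuration, derive the port from it instead of a separate variable. The first hunk also drops the tags from `Enable firewall and allow SSH`, so that task now runs only in an untagged full play; that is consistent with removing the `firewall` tag but worth stating in the README entry. The restart task may continue past the end of the hunk.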