mirror of
https://git.fsfe.org/fsfe-system-hackers/innernet-playbook.git
synced 2024-11-25 08:03:11 +01:00
73 lines
2.6 KiB
Markdown
73 lines
2.6 KiB
Markdown
<!-- markdown-toc start - Don't edit this section. Run M-x markdown-toc-refresh-toc -->
|
|
|
|
**Table of Contents**
|
|
|
|
- [Motivation](#motivation)
|
|
- [Install](#install)
|
|
- [Clone the repo](#clone-the-repo)
|
|
- [Build packages from submodule at `./innernet-src`](#build-binaries-from-submodule-at-innernet-src)
|
|
- [Run the playbook](#run-the-playbook)
|
|
|
|
<!-- markdown-toc end -->
|
|
|
|
# Motivation
|
|
|
|
There is a need for some of our servers to connect to other IPv6-only hosts. Since this is not always possible without introducing major painpoints elsewhere, we simply create an internal WireGuard network so that the machines in question can communicate securely using IPv4.
|
|
|
|
![An overview](fsfe-innernet.png)
|
|
|
|
# Preparation
|
|
|
|
## Clone the repo
|
|
|
|
```bash
|
|
git clone --recurse-submodules git@git.fsfe.org:fsfe-system-hackers/innernet-playbook.git
|
|
cd innernet-playbook
|
|
```
|
|
|
|
## Build binaries from submodule at `./innernet-src`
|
|
|
|
Since [innernet](https://github.com/tonarino/innernet) is new software, it is not yet included in the Debian repositories. Thus, before running the playbook we need to build the `innernet` and `innernet-server` binaries. At the moment, we are using `1.5.1`, but you can choose any other available version by setting the environment variable accordingly. Please also note that you need [`cargo-deb`](https://github.com/kornelski/cargo-deb) installed to successfully compile the Debian packages.
|
|
|
|
```bash
|
|
./build-debs.sh
|
|
```
|
|
|
|
You can learn more about innernet by looking at its [source code](./innernet-src) or reading this informative [blog post](https://blog.tonari.no/introducing-innernet) of its creator.
|
|
|
|
## Preparing `ansible`
|
|
|
|
To ensure this playbook works on different machines, [pipenv](https://pipenv.pypa.io/en/latest/) is used to pin the version of `ansible`. So, to use the same version of Ansible that this playbook was tested with, simply run:
|
|
|
|
```bash
|
|
pipenv install --dev # for developing or
|
|
pipenv install # for simply running this playbook
|
|
pipenv shell
|
|
```
|
|
|
|
Now, you should be in a shell that is running the correct version of the `ansible` and `ansible-playbook` executable.
|
|
|
|
## Execution
|
|
|
|
### Run the playbook
|
|
|
|
```bash
|
|
ansible-playbook deploy.yml
|
|
```
|
|
|
|
### Distribute the invitation files
|
|
|
|
Some invitation files are for humans, so you need to send these files to them securely. I suggest using someting like `wormohle`.
|
|
|
|
```bash
|
|
sudo apt install magic-wormhole
|
|
cd roles/client/files
|
|
wormhole send <name_of_peer>.toml
|
|
```
|
|
|
|
### Associations
|
|
|
|
Please be aware that the `admins` CIDR [is associated](https://github.com/tonarino/innernet#adding-associations-between-cidrs) with all other CIDRs (i.e. `humans > others` and `machines`).
|
|
|
|
## Development
|