extern/innernet-playbook
1
0
Fork 1
mirror of https://git.fsfe.org/fsfe-system-hackers/innernet-playbook.git synced 2024-11-22 14:43:10 +01:00
Code Issues Packages Projects Releases Wiki Activity
4bc1adb811
innernet-playbook/roles/server/tasks/main.yml
max.mehl bfec9af6f0
enhance update of listen-port on clients 
The server cannot change its port. Therefore we set two different ports.
We also remove the redundant firewall tag
2022-03-04 12:48:44 +01:00

122 lines
3.4 KiB
YAML
Raw Blame History

# SPDX-FileCopyrightText: 2021 Free Software Foundation Europe <https://fsfe.org>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Gather which packages are installed on the server
tags: [update, uninstall]
package_facts:
manager: auto
- name: Make sure needed packages for innernet and wireguard are installed
apt:
package:
- python3-pexpect
- rsync
- sqlite3
- wireguard
- wireguard-tools
- ufw
- name: Remove existing innernet configuration
tags: [never, uninstall]
expect:
command: "innernet-server uninstall {{ network_name }}"
responses:
(?i)delete: "yes"
when: "'innernet-server' in ansible_facts.packages"
- name: Remove innernet package on server
tags: [never, uninstall]
apt:
name: innernet-server
state: absent
purge: yes
when: "'innernet-server' in ansible_facts.packages"
- name: Install innernet package on server
tags: [update]
block:
- name: Copy innernet-server package to server
tags: [update]
synchronize:
src: "innernet-server.deb"
dest: "/tmp/innernet-server.deb"
- name: Install innernet-server package
tags: [update]
apt:
deb: "/tmp/innernet-server.deb"
update_cache: true
install_recommends: true
# If 1. innernet-server not installed or 2. `update` tag executed
when: "'innernet-server' not in ansible_facts.packages or 'update' in ansible_run_tags"
- name: Check if innernet network is initialised
stat:
path: "/etc/innernet-server/{{ network_name }}.conf"
register: conf_file
- name: Create base network if not existent yet
shell: |
innernet-server new \
--network-name "{{ network_name }}" \
--network-cidr "{{ network_cidr }}" \
--external-endpoint "[{{ hostvars[inventory_hostname]['ansible_default_ipv6']['address'] }}]:{{ network_listen_port }}" \
--listen-port {{ network_listen_port }}
when: not conf_file.stat.exists
- name: Get existing CIDRs from innernet-server database
tags: [cidr]
shell: 'sqlite3 /var/lib/innernet-server/{{ network_name }}.db "select name from cidrs;"'
register: existing_cidrs
- name: Create new CIDRs
tags: [cidr]
shell: |
innernet-server add-cidr "{{ network_name }}" \
--name "{{ item.key }}" \
--parent "{{ item.value.parent }}" \
--cidr "{{ item.value.cidr }}" \
--yes
loop: "{{ cidrs | dict2items }}"
when:
- item.key not in existing_cidrs.stdout_lines
# Configure manually defined peers (mostly humans)
- name: Get existing peers from innernet-server database
shell: 'sqlite3 /var/lib/innernet-server/{{ network_name }}.db "select name from peers;"'
register: existing_peers
run_once: true
- name: Add manually defined peers
include_tasks: add_peer.yml
vars:
peer_name: "{{ item.key }}"
peer_cidr: "{{ item.value.cidr }}"
peer_admin: "{{ item.value.admin | default('false') }}"
manual: true
loop: "{{ manual_peers | dict2items }}"
when:
- item.key not in existing_peers.stdout_lines
- name: Enable firewall and allow SSH
ufw:
state: enabled
default: deny
to_port: 22
rule: allow
- name: Allow UDP traffic on WireGuard port
ufw:
to_port: "{{ network_listen_port_server }}"
rule: allow
- name: Restart and enable innernet-server daemon
tags: [update, listen_port]
systemd:
name: "innernet-server@{{ network_name }}"
state: restarted
enabled: yes
daemon_reload: yes
Reference in New Issue View Git Blame Copy Permalink