mirror of
https://git.fsfe.org/fsfe-system-hackers/innernet-playbook.git
synced 2024-11-22 22:53:08 +01:00
123 lines
3.4 KiB
YAML
123 lines
3.4 KiB
YAML
# SPDX-FileCopyrightText: 2021 Free Software Foundation Europe <https://fsfe.org>
|
|
#
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
---
|
|
- name: Gather which packages are installed on the server
|
|
tags: [update, uninstall]
|
|
package_facts:
|
|
manager: auto
|
|
|
|
- name: Make sure needed packages for innernet and wireguard are installed
|
|
apt:
|
|
package:
|
|
- python3-pexpect
|
|
- rsync
|
|
- sqlite3
|
|
- wireguard
|
|
- wireguard-tools
|
|
- ufw
|
|
|
|
- name: Remove existing innernet configuration
|
|
tags: [never, uninstall]
|
|
expect:
|
|
command: "innernet-server uninstall {{ network_name }}"
|
|
responses:
|
|
(?i)delete: "yes"
|
|
when: "'innernet-server' in ansible_facts.packages"
|
|
|
|
- name: Remove innernet package on server
|
|
tags: [never, uninstall]
|
|
apt:
|
|
name: innernet-server
|
|
state: absent
|
|
purge: yes
|
|
when: "'innernet-server' in ansible_facts.packages"
|
|
|
|
- name: Install innernet package on server
|
|
tags: [update]
|
|
block:
|
|
- name: Copy innernet-server package to server
|
|
tags: [update]
|
|
synchronize:
|
|
src: "innernet-server.deb"
|
|
dest: "/tmp/innernet-server.deb"
|
|
|
|
- name: Install innernet-server package
|
|
tags: [update]
|
|
apt:
|
|
deb: "/tmp/innernet-server.deb"
|
|
update_cache: true
|
|
install_recommends: true
|
|
# If 1. innernet-server not installed or 2. `update` tag executed
|
|
when: "'innernet-server' not in ansible_facts.packages or 'update' in ansible_run_tags"
|
|
|
|
- name: Check if innernet network is initialised
|
|
stat:
|
|
path: "/etc/innernet-server/{{ network_name }}.conf"
|
|
register: conf_file
|
|
|
|
- name: Create base network if not existent yet
|
|
shell: |
|
|
innernet-server new \
|
|
--network-name "{{ network_name }}" \
|
|
--network-cidr "{{ network_cidr }}" \
|
|
--external-endpoint "[{{ hostvars[inventory_hostname]['ansible_default_ipv6']['address'] }}]:{{ network_listen_port }}" \
|
|
--listen-port {{ network_listen_port }}
|
|
when: not conf_file.stat.exists
|
|
|
|
- name: Get existing CIDRs from innernet-server database
|
|
tags: [cidr]
|
|
shell: 'sqlite3 /var/lib/innernet-server/{{ network_name }}.db "select name from cidrs;"'
|
|
register: existing_cidrs
|
|
|
|
- name: Create new CIDRs
|
|
tags: [cidr]
|
|
shell: |
|
|
innernet-server add-cidr "{{ network_name }}" \
|
|
--name "{{ item.key }}" \
|
|
--parent "{{ item.value.parent }}" \
|
|
--cidr "{{ item.value.cidr }}" \
|
|
--yes
|
|
loop: "{{ cidrs | dict2items }}"
|
|
when:
|
|
- item.key not in existing_cidrs.stdout_lines
|
|
|
|
# Configure manually defined peers (mostly humans)
|
|
- name: Get existing peers from innernet-server database
|
|
shell: 'sqlite3 /var/lib/innernet-server/{{ network_name }}.db "select name from peers;"'
|
|
register: existing_peers
|
|
run_once: true
|
|
|
|
- name: Add manually defined peers
|
|
include_tasks: add_peer.yml
|
|
vars:
|
|
peer_name: "{{ item.key }}"
|
|
peer_cidr: "{{ item.value.cidr }}"
|
|
peer_admin: "{{ item.value.admin | default('false') }}"
|
|
manual: true
|
|
loop: "{{ manual_peers | dict2items }}"
|
|
when:
|
|
- item.key not in existing_peers.stdout_lines
|
|
|
|
- name: Enable firewall and allow SSH
|
|
tags: [listen_port, firewall]
|
|
ufw:
|
|
state: enabled
|
|
default: deny
|
|
to_port: 22
|
|
rule: allow
|
|
|
|
- name: Allow UDP traffic on WireGuard port
|
|
tags: [listen_port, firewall]
|
|
ufw:
|
|
to_port: "{{ network_listen_port }}"
|
|
rule: allow
|
|
|
|
- name: Restart and enable innernet-server daemon
|
|
systemd:
|
|
name: "innernet-server@{{ network_name }}"
|
|
state: restarted
|
|
enabled: yes
|
|
daemon_reload: yes
|