
# SPDX-FileCopyrightText: 2021 Free Software Foundation Europe <https://fsfe.org>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Package facts are collected first because the uninstall and install tasks
# further down decide what to do based on `ansible_facts.packages`; the tags
# make sure this task also runs under `--tags update` / `--tags uninstall`.
- name: Gather which packages are installed on the server
  tags:
    - update
    - uninstall
  package_facts:
    manager: auto

# Dependencies of this role: python3-pexpect for the `expect` module, rsync for
# `synchronize`, sqlite3 for the database queries below, ufw for the firewall
# tasks, wireguard/wireguard-tools for the tunnel itself.
- name: Make sure needed packages for innernet and wireguard are installed
  apt:
    name:
      - python3-pexpect
      - rsync
      - sqlite3
      - wireguard
      - wireguard-tools
      - ufw
    state: present
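# Uninstall path. The `never` tag keeps these tasks out of ordinary runs; they
# only execute with `--tags uninstall`, and only if the package is present.
- name: Remove existing innernet configuration
  tags: [never, uninstall]
  expect:
    command: "innernet-server uninstall {{ network_name }}"
    responses:
      # answers the confirmation prompt innernet-server prints before deleting
      (?i)delete: "yes"
  when: "'innernet-server' in ansible_facts.packages"

- name: Remove innernet package on server
  tags: [never, uninstall]
  apt:
    name: innernet-server
    state: absent
    # canonical boolean; the YAML 1.1 `yes` is parser-dependent
    purge: true
  when: "'innernet-server' in ansible_facts.packages"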
# Install / upgrade path. The `when` on the block covers both tasks inside it:
# run when innernet-server is not installed yet, or whenever the `update` tag
# is requested explicitly.
- name: Install innernet package on server
  tags: [update]
  when: "'innernet-server' not in ansible_facts.packages or 'update' in ansible_run_tags"
  block:
    # NOTE(review): the package is staged in world-writable /tmp before apt
    # reads it; a root-owned staging directory would be safer — confirm the
    # ownership/permissions rsync gives the copied file on the target.
    - name: Copy innernet-server package to server
      tags: [update]
      synchronize:
        src: innernet-server.deb
        dest: /tmp/innernet-server.deb

    - name: Install innernet-server package
      tags: [update]
      apt:
        deb: /tmp/innernet-server.deb
        update_cache: true
        install_recommends: true
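# The network is considered initialised once its server config file exists.
- name: Check if innernet network is initialised
  stat:
    path: "/etc/innernet-server/{{ network_name }}.conf"
  register: conf_file

# Run the binary directly (argv, no /bin/sh) so that inventory-supplied values
# such as network_name, network_cidr and the endpoint reach innernet-server as
# single arguments and are never interpreted by a shell.
- name: Create base network if not existent yet
  command:
    argv:
      - innernet-server
      - new
      - --network-name
      - "{{ network_name }}"
      - --network-cidr
      - "{{ network_cidr }}"
      - --external-endpoint
      # NOTE(review): this requires an IPv6 default address on the host; a host
      # without one fails here — confirm that is intended for this deployment.
      - "[{{ hostvars[inventory_hostname]['ansible_default_ipv6']['address'] }}]:{{ network_listen_port }}"
      - --listen-port
      - "{{ network_listen_port }}"
  when: not conf_file.stat.exists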
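# Read the CIDR names already in the database so add-cidr only runs for new
# entries. Executed without a shell so `network_name` is passed as one
# argument rather than being re-parsed by /bin/sh.
- name: Get existing CIDRs from innernet-server database
  tags: [cidr]
  command:
    argv:
      - sqlite3
      - "/var/lib/innernet-server/{{ network_name }}.db"
      - "select name from cidrs;"
  register: existing_cidrs
  # read-only query; must never report a change
  changed_when: false

# One add-cidr call per entry of the `cidrs` dict (key = CIDR name,
# value = {parent, cidr}); entries already present are skipped.
- name: Create new CIDRs
  tags: [cidr]
  command:
    argv:
      - innernet-server
      - add-cidr
      - "{{ network_name }}"
      - --name
      - "{{ item.key }}"
      - --parent
      - "{{ item.value.parent }}"
      - --cidr
      - "{{ item.value.cidr }}"
      - --yes
  loop: "{{ cidrs | dict2items }}"
  when: item.key not in existing_cidrs.stdout_lines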
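# Configure manually defined peers (mostly humans)
# Read the peer names already in the database so add_peer.yml only runs for
# new entries. Executed without a shell so `network_name` is passed as one
# argument rather than being re-parsed by /bin/sh.
- name: Get existing peers from innernet-server database
  command:
    argv:
      - sqlite3
      - "/var/lib/innernet-server/{{ network_name }}.db"
      - "select name from peers;"
  register: existing_peers
  # NOTE(review): run_once registers the result of a single host only; fine
  # while the server group has one member — confirm if that ever changes.
  run_once: true
  # read-only query; must never report a change
  changed_when: false

# One include per entry of the `manual_peers` dict (key = peer name,
# value = {cidr, admin}); entries already present are skipped.
- name: Add manually defined peers
  include_tasks: add_peer.yml
  vars:
    peer_name: "{{ item.key }}"
    peer_cidr: "{{ item.value.cidr }}"
    # unset `admin` is passed as the string 'false'; how add_peer.yml
    # interprets it is defined there, not here
    peer_admin: "{{ item.value.admin | default('false') }}"
    manual: true
  loop: "{{ manual_peers | dict2items }}"
  when: item.key not in existing_peers.stdout_lines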
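# Enable ufw with a default-deny inbound policy and allow SSH in the same task.
# NOTE(review): this relies on the ufw module applying the allow rule before it
# enables the firewall, otherwise the control connection could be cut — confirm
# with the module version in use.
- name: Enable firewall and allow SSH
  tags: [listen_port, firewall]
  ufw:
    state: enabled
    default: deny
    rule: allow
    to_port: "22"
    # SSH is TCP only; without `proto` ufw would also open UDP/22
    proto: tcp

# WireGuard only speaks UDP; without `proto` the rule would also open TCP on
# the listen port, which the task name does not promise.
- name: Allow UDP traffic on WireGuard port
  tags: [listen_port, firewall]
  ufw:
    rule: allow
    to_port: "{{ network_listen_port }}"
    proto: udp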
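# Unconditional restart: every run restarts the daemon and reports `changed`.
# NOTE(review): a handler notified by the install/config tasks would avoid
# needless restarts — left as-is to keep the role's behaviour.
- name: Restart and enable innernet-server daemon
  systemd:
    name: "innernet-server@{{ network_name }}"
    state: restarted
    # canonical booleans; the YAML 1.1 `yes` is parser-dependent
    enabled: true
    daemon_reload: true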