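# SPDX-FileCopyrightText: 2021 Free Software Foundation Europe
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Tasks that turn a host into a peer of the innernet (WireGuard) network.
#
# Variables read here (defined elsewhere in the role/inventory, not validated):
#   network_name              - innernet network name; also names the server
#                               database, the client config and the systemd unit
#   network_listen_port       - UDP port WireGuard listens on (also opened in ufw)
#   machine_cidr.name         - innernet CIDR the new peer is placed in
#   machine_cidr.admin        - passed verbatim to `innernet-server add-peer --admin`
#   groups['innernet_server'] - inventory group containing the innernet server
#   ansible_host              - used to derive the peer name

- name: Get innernet-server hostname from inventory groups
  set_fact:
    # Assuming that we only have one innernet server, we take the first
    # occurrence
    innernet_server: "{{ groups['innernet_server'][0] }}"
  run_once: true

- name: Convert hostname to innernet peer name
  tags: [peers]
  # We want the mere host name before the domain, so e.g.
  # * server1.fsfe.org -> server1
  # * cont1.noris.fsfeurope.org -> cont1-noris
  # Replacements are applied in this order: every '.' becomes '-', then the
  # known domain suffixes are stripped. A filter chain replaces the former
  # set_fact loop, which only worked because set_fact outranks task vars.
  set_fact:
    innernet_client: >-
      {{ ansible_host
      | replace('.', '-')
      | replace('-fsfeurope-org', '')
      | replace('-fsfe-org', '')
      | replace('-fsfe-be', '') }}

- name: Get existing peers from innernet-server database
  tags: [peers]
  # Read-only query; argv passes network_name as one argument instead of
  # interpolating it into a shell command line.
  command:
    argv:
      - sqlite3
      - "/var/lib/innernet-server/{{ network_name }}.db"
      - "select name from peers;"
  register: existing_peers
  changed_when: false
  delegate_to: "{{ innernet_server }}"

- name: Gather which packages are installed on the client
  tags: [update]
  package_facts:
    manager: auto

- name: Make sure needed packages for innernet and wireguard are installed
  apt:
    package:
      - python3-pexpect
      - rsync
      - wireguard
      - wireguard-tools
      - ufw

- name: Remove existing innernet
  tags: [never, uninstall]
  expect:
    command: "innernet uninstall {{ network_name }}"
    responses:
      (?i)delete: "yes"

- name: Install innernet package on client
  tags: [update]
  block:
    - name: Copy innernet package to client
      # NOTE(review): the package is taken from the role's files directory and
      # staged in world-writable /tmp without an integrity check; a root-owned
      # staging path or a checksum on the .deb would be stricter.
      synchronize:
        src: "innernet.deb"
        dest: "/tmp/innernet.deb"

    - name: Install innernet client package
      apt:
        deb: "/tmp/innernet.deb"
        update_cache: true
        install_recommends: true
  # Run if 1. innernet is not installed yet or 2. the `update` tag was given
  when: "'innernet' not in ansible_facts.packages or 'update' in ansible_run_tags"

- name: Make client a new innernet peer
  tags: [peers]
  block:
    - name: Add client as innernet peer
      # argv keeps each templated value a single argument; nothing is shell-parsed
      command:
        argv:
          - innernet-server
          - add-peer
          - "{{ network_name }}"
          - "--name"
          - "{{ innernet_client }}"
          - "--cidr"
          - "{{ machine_cidr.name }}"
          - "--admin"
          - "{{ machine_cidr.admin }}"
          - "--save-config"
          - "/root/{{ innernet_client }}.toml"
          - "--invite-expires"
          - "14d"
          - "--auto-ip"
          - "--yes"
      delegate_to: "{{ innernet_server }}"

    - name: Copy peer invitation file from server to controller
      fetch:
        src: "/root/{{ innernet_client }}.toml"
        dest: "{{ playbook_dir }}/roles/client/files/{{ innernet_client }}.toml"
        flat: true
        fail_on_missing: true
      delegate_to: "{{ innernet_server }}"

    - name: Copy peer invitation file from controller to client
      copy:
        src: "{{ innernet_client }}.toml"
        dest: "/root/{{ innernet_client }}.toml"
        # The invitation is credential material; keep it readable by root only.
        mode: "0600"

    - name: Install peer invitation on client
      command:
        argv:
          - innernet
          - install
          - "/root/{{ innernet_client }}.toml"
          - "--default-name"
          - "--delete-invite"

    - name: Delete peer invitation file from client
      file:
        state: absent
        path: "/root/{{ innernet_client }}.toml"

    - name: Delete peer invitation file from server
      file:
        state: absent
        path: "/root/{{ innernet_client }}.toml"
      delegate_to: "{{ innernet_server }}"

    - name: Delete peer invitation file from controller
      # The fetched invitation is consumed above; removing it from the role's
      # files directory keeps it out of version control.
      file:
        state: absent
        path: "{{ playbook_dir }}/roles/client/files/{{ innernet_client }}.toml"
      delegate_to: localhost
      become: false
  when:
    - innernet_client not in existing_peers.stdout_lines

- name: Set listen port
  tags: [listen_port]
  ini_file:
    path: "/etc/innernet/{{ network_name }}.conf"
    section: interface
    option: listen-port
    value: "{{ network_listen_port }}"
    # Quoted: an unquoted 600 is read as decimal 600 (octal 1130), not 0600.
    mode: "0600"
    backup: true

- name: Allow UDP traffic on WireGuard port
  tags: [listen_port, firewall]
  ufw:
    to_port: "{{ network_listen_port }}"
    rule: allow
    proto: udp

- name: Restart and enable innernet daemon
  systemd:
    name: "innernet@{{ network_name }}"
    state: restarted
    enabled: true
    daemon_reload: true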