# SPDX-FileCopyrightText: 2021 Free Software Foundation Europe <https://fsfe.org>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
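---
# Client role: registers this host as a peer of the innernet server taken
# from the `innernet_server` inventory group, installs the innernet package
# and the generated invitation, then pins the WireGuard listen port and
# opens it in ufw.
#
# Variables expected from inventory/role vars (not defined here):
# network_name, network_listen_port, cidrs, machine_cidr, and the
# `innernet_server` inventory group.

- name: Get innernet-server hostname from inventory groups
  set_fact:
    # Assuming that we only have one innernet server, we take the first
    # occurrence
    innernet_server: "{{ groups['innernet_server'][0] }}"
  # run_once: later tasks on every client reference innernet_server, so the
  # fact is presumably applied to all hosts in the play — verify if a client
  # reports it undefined
  run_once: true

- name: Convert hostname to innernet peer name
  tags: [peers]
  # We want the mere host name before the domain, so e.g.
  # * server1.fsfe.org -> server1
  # * cont1.noris.fsfeurope.org -> cont1-noris
  # Each loop item applies one replacement to the result of the previous
  # one; the task var only seeds the first iteration (set_fact results take
  # precedence over task vars on the following iterations).
  set_fact:
    innernet_client: "{{ innernet_client | replace(item.0, item.1) }}"
  vars:
    innernet_client: "{{ ansible_host }}"
  loop:
    - ['.', '-']
    - ['-fsfeurope-org', '']
    - ['-fsfe-org', '']
    - ['-fsfe-be', '']

- name: Get existing peers from innernet-server database
  tags: [peers]
  # Read-only lookup. The argv form hands the templated database path and
  # the SQL to sqlite3 as literal arguments instead of through a shell, so
  # an unexpected network_name cannot alter the command line.
  command:
    argv:
      - sqlite3
      - "/var/lib/innernet-server/{{ network_name }}.db"
      - "select name from peers;"
  register: existing_peers
  # A SELECT never changes the server; keep the play's change report honest
  changed_when: false
  delegate_to: "{{ innernet_server }}"

- name: Gather which packages are installed on the client
  tags: [update]
  package_facts:
    manager: auto

- name: Make sure needed packages for innernet and wireguard are installed
  apt:
    package:
      - python3-pexpect
      - rsync
      - wireguard
      - wireguard-tools
      - ufw

- name: Remove existing innernet
  # `never` keeps this out of normal runs; it only executes when the
  # `uninstall` tag is requested explicitly
  tags: [never, uninstall]
  expect:
    command: "innernet uninstall {{ network_name }}"
    responses:
      "(?i)delete": "yes"

- name: Install innernet package on client
  tags: [update]
  block:
    - name: Copy innernet package to client
      synchronize:
        src: "innernet.deb"
        dest: "/tmp/innernet.deb"
    - name: Install innernet client package
      apt:
        deb: "/tmp/innernet.deb"
        update_cache: true
        install_recommends: true
  # If 1. innernet not installed or 2. `update` tag executed
  when: "'innernet' not in ansible_facts.packages or 'update' in ansible_run_tags"

- name: Make client a new innernet peer
  tags: [peers]
  block:
    - name: Add client as innernet peer
      # argv form: every templated value is a single literal argument, no
      # shell quoting or word splitting involved
      command:
        argv:
          - innernet-server
          - add-peer
          - "{{ network_name }}"
          - --name
          - "{{ innernet_client }}"
          - --cidr
          - "{{ cidrs[machine_cidr]['cidr'] }}"
          - --admin
          - "false"
          - --save-config
          - "/root/{{ innernet_client }}.toml"
          - --invite-expires
          - "14d"
          - --auto-ip
          - --yes
      delegate_to: "{{ innernet_server }}"
    - name: Copy peer invitation file from server to controller
      fetch:
        src: "/root/{{ innernet_client }}.toml"
        dest: "{{ playbook_dir }}/roles/client/files/{{ innernet_client }}.toml"
        flat: true
        fail_on_missing: true
      delegate_to: "{{ innernet_server }}"
    - name: Copy peer invitation file from controller to client
      copy:
        src: "{{ innernet_client }}.toml"
        dest: "/root/{{ innernet_client }}.toml"
        # The invitation is a credential; keep it readable by root only
        # while it sits on disk
        mode: "0600"
    - name: Install peer invitation on client
      command:
        argv:
          - innernet
          - install
          - "/root/{{ innernet_client }}.toml"
          - --default-name
          - --delete-invite
    - name: Delete peer invitation file from client
      file:
        state: absent
        path: "/root/{{ innernet_client }}.toml"
    - name: Delete peer invitation file from server
      file:
        state: absent
        path: "/root/{{ innernet_client }}.toml"
      delegate_to: "{{ innernet_server }}"
    - name: Delete peer invitation file from controller
      # The fetched copy is only needed for the copy step above; do not leave
      # it in the role's files/ directory, where it could end up in version
      # control alongside the playbook
      file:
        state: absent
        path: "{{ playbook_dir }}/roles/client/files/{{ innernet_client }}.toml"
      delegate_to: localhost
      # Deleting a file in the playbook directory needs no privilege escalation
      become: false
  when:
    - innernet_client not in existing_peers.stdout_lines

- name: Set listen port
  tags: [listen_port]
  ini_file:
    path: "/etc/innernet/{{ network_name }}.conf"
    section: interface
    option: listen-port
    value: "{{ network_listen_port }}"
    # Quoted octal: an unquoted 600 reaches the module as the decimal
    # integer 600 (0o1130) and sets the wrong permission bits
    mode: "0600"
    backup: true

- name: Allow UDP traffic on WireGuard port
  tags: [listen_port, firewall]
  ufw:
    to_port: "{{ network_listen_port }}"
    rule: allow
    proto: udp

- name: Restart and enable innernet daemon
  systemd:
    name: "innernet@{{ network_name }}"
    state: restarted
    enabled: true
    daemon_reload: true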