A playbook that sets up an internal WireGuard network using innernet (as declaratively as possible)
| Path | Last commit | Date |
| --- | --- | --- |
| group_vars | major overhaul of server/client setup, avoiding loops and allowing for targetting one host | 2022-03-03 12:30:28 +01:00 |
| innernet-src@9a59ac3094 | checkout v1.5.1 in innernet submodule | 2021-11-15 18:45:05 +01:00 |
| inventory@39f680b674 | bump inventory | 2022-02-24 15:40:27 +01:00 |
| roles | major overhaul of server/client setup, avoiding loops and allowing for targetting one host | 2022-03-03 12:30:28 +01:00 |
| .drone.yml | add seaborg IP to testing | 2022-02-16 17:25:31 +01:00 |
| .gitignore | add all client files to .gitignore | 2021-12-15 18:38:44 +01:00 |
| .gitmodules | add correct upstream as innernet-src | 2021-11-15 11:38:49 +01:00 |
| ansible.cfg | adding ansible scaffolding | 2021-11-05 15:20:44 +01:00 |
| build-debs.sh | fix typo in build script | 2021-12-15 18:36:55 +01:00 |
| deploy.yml | major overhaul of server/client setup, avoiding loops and allowing for targetting one host | 2022-03-03 12:30:28 +01:00 |
| Dockerfile | change the way in which the .deb packages are built | 2021-12-02 17:42:02 +01:00 |
| fsfe-innernet.png | change picture background | 2021-11-16 10:04:48 +01:00 |
| open_the_vault.sh | adding ansible scaffolding | 2021-11-05 15:20:44 +01:00 |
| README.md | add note on associations in README.md | 2021-12-02 17:46:05 +01:00 |
| shell.nix | added shell.nix | 2022-01-21 17:18:44 +01:00 |
| vault_passphrase.gpg | adding ansible scaffolding | 2021-11-05 15:20:44 +01:00 |
| vault_passphrase.gpg.license | adding ansible scaffolding | 2021-11-05 15:20:44 +01:00 |

Motivation

Some of our servers need to connect to other IPv6-only hosts. Since this is not always possible without introducing major pain points elsewhere, we simply create an internal WireGuard network so that the machines in question can communicate securely over IPv4.

An overview

Preparation

Clone the repo

git clone --recurse-submodules git@git.fsfe.org:fsfe-system-hackers/innernet-playbook.git
cd innernet-playbook

Build binaries from submodule at ./innernet-src

Since innernet is new software, it is not yet included in the Debian repositories. Thus, before running the playbook we need to build the innernet and innernet-server binaries. At the moment we are using 1.5.1, but you can choose any other available version by setting the environment variable accordingly. Please also note that you need cargo-deb installed to successfully compile the Debian packages.

./build-debs.sh

You can learn more about innernet by looking at its source code or reading this informative blog post of its creator.

Preparing ansible

To ensure this playbook works on different machines, pipenv is used to pin the version of ansible. So, to use the same version of Ansible that this playbook was tested with, simply run:

pipenv install --dev # for developing or
pipenv install       # for simply running this playbook
pipenv shell

Now you should be in a shell that runs the correct version of the ansible and ansible-playbook executables.

Execution

Run the playbook

ansible-playbook deploy.yml

Distribute the invitation files

Some invitation files are for humans, so you need to send these files to them securely. I suggest using something like magic-wormhole.

sudo apt install magic-wormhole
cd roles/client/files
wormhole send <name_of_peer>.toml

Associations

Please be aware that the admins CIDR is associated with all other CIDRs (i.e. humans > others and machines).

Development