fix(wireguard): resolve docker forward drop and firewalld interface binding issues

2026-06-21 20:20:36 +03:00 · 2026-06-21 20:20:36 +03:00 · 8dae045682
commit 8dae045682
parent 3524a85008
7 changed files with 162 additions and 0 deletions
--- a/ansible/prod/group_vars/all/vars.yml
+++ b/ansible/prod/group_vars/all/vars.yml
@ -24,6 +24,14 @@ storagebox_managed_directories:
    mode: "0777"
 iklim_password: "{{ vault_iklim_password }}"
 # WireGuard — prod (runs on iklim-db-01; routes developer traffic to 10.20.20.0/24)
 wireguard_enable_routing: true
 wireguard_routed_subnet: "10.20.20.0/24"
 wireguard_clients:
  - name: murat-inspiron-15-3525
    public_key: "8nYHZvSwxCr2uwOYohLG3DlC85NbVNhKnPxYtOEKvE0="
    allowed_ips: 10.8.0.2/32
 act_runner_labels: "prod-runner:docker://catthehacker/ubuntu:act-22.04,ubuntu-24.04,{{ inventory_hostname }}"
 swarm_manager_ip: "10.20.10.11"
 mongodb_replset_name: "rs0"
--- a/ansible/prod/prod-db-wireguard.yml
+++ b/ansible/prod/prod-db-wireguard.yml
@ -0,0 +1,25 @@
 ---
 # WireGuard setup — iklim-db-01 (prod VPN gateway for developer DB access)
 #
 # Full setup (WireGuard + db_stack firewall rules on all DB nodes):
 #   ansible-playbook prod-db-wireguard.yml --vault-password-file=../.vault_pass
 #
 # WireGuard only (re-deploy config or update peers):
 #   ansible-playbook prod-db-wireguard.yml --vault-password-file=../.vault_pass --tags wireguard
 #
 # DB node firewall rules only:
 #   ansible-playbook prod-db-wireguard.yml --vault-password-file=../.vault_pass --tags db_stack
 - name: DB-01 — WireGuard (Prod Developer Access)
  hosts: iklim-db-01
  become: yes
  roles:
    - role: wireguard
      tags: [wireguard]
 - name: DB Nodes — Firewalld DB/etcd Port Rules
  hosts: iklim-db-*
  become: yes
  roles:
    - role: db_stack
      tags: [db_stack]
--- a/ansible/prod/roles/db_stack/tasks/db_node.yml
+++ b/ansible/prod/roles/db_stack/tasks/db_node.yml
@ -41,3 +41,21 @@
    mode: '0400'
    owner: "{{ storagebox_uid }}"
    group: "{{ storagebox_gid }}"
 # Allow DB and etcd ports from within the DB subnet so that:
 # - db-02/03 accept WireGuard-masqueraded traffic (src = 10.20.20.11 after NAT on db-01)
 # - db-01 handles intra-subnet Patroni/etcd coordination and masquerade return traffic
 # WireGuard client direct access to db-01 (src 10.8.0.0/24) is handled by the wireguard role.
 - name: Allow DB and etcd ports from DB subnet in firewalld
  ansible.posix.firewalld:
    rich_rule: >-
      rule family="ipv4" source address="10.20.20.0/24"
      port port="{{ item }}" protocol="tcp" accept
    zone: drop
    state: enabled
    permanent: true
    immediate: true
  loop:
    - "5432"
    - "27017"
    - "2379"
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
@ -30,6 +30,7 @@
      - python3-passlib
      - htop
      - btop
      - tmux
    state: present
 - name: Set timezone
--- a/ansible/roles/wireguard/defaults/main.yml
+++ b/ansible/roles/wireguard/defaults/main.yml
@ -11,3 +11,7 @@ wireguard_db_mongo_proxy_port: 27017
 # Her client için: name, public_key, allowed_ips
 # group_vars/all/vars.yml içinde tanımlanır
 wireguard_clients: []
 # IP forwarding + firewalld policy — prod db-01 enables this
 wireguard_enable_routing: false
 wireguard_routed_subnet: ""   # prod: "10.20.20.0/24"
--- a/ansible/roles/wireguard/tasks/main.yml
+++ b/ansible/roles/wireguard/tasks/main.yml
@ -82,3 +82,86 @@
 - name: Print server public key (client config için gerekli)
  ansible.builtin.debug:
    msg: "WireGuard server public key: {{ wg_server_public_key }}"
 - name: Enable IP forwarding (persistent)
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_file: /etc/sysctl.d/99-wireguard.conf
    state: present
    reload: yes
  when: wireguard_enable_routing
 - name: Bind WireGuard interface to drop zone permanently
  ansible.builtin.command: firewall-cmd --permanent --zone=drop --add-interface={{ wireguard_interface }}
  register: _wg_zone
  failed_when: _wg_zone.rc != 0 and 'ALREADY_ENABLED' not in _wg_zone.stderr
  changed_when: _wg_zone.rc == 0
 - name: Bind routed interface to drop zone permanently
  ansible.builtin.command: firewall-cmd --permanent --zone=drop --add-interface={{ wireguard_routed_interface | default('eth1') }}
  register: _eth1_zone
  failed_when: _eth1_zone.rc != 0 and 'ALREADY_ENABLED' not in _eth1_zone.stderr
  changed_when: _eth1_zone.rc == 0
  when: wireguard_enable_routing and wireguard_routed_subnet != ""
 - name: Create firewalld policy for WireGuard routing
  ansible.builtin.command: firewall-cmd --permanent --new-policy=wg-to-db
  register: _policy_create
  failed_when: _policy_create.rc != 0 and 'NAME_CONFLICT' not in _policy_create.stderr and 'already exists' not in _policy_create.stderr
  changed_when: _policy_create.rc == 0
  when: wireguard_enable_routing
 - name: Set policy ingress zone
  ansible.builtin.command: firewall-cmd --permanent --policy=wg-to-db --add-ingress-zone=drop
  register: _ingress
  failed_when: _ingress.rc != 0 and 'already' not in _ingress.stderr | lower
  changed_when: _ingress.rc == 0
  when: wireguard_enable_routing
 - name: Set policy egress zone
  ansible.builtin.command: firewall-cmd --permanent --policy=wg-to-db --add-egress-zone=drop
  register: _egress
  failed_when: _egress.rc != 0 and 'already' not in _egress.stderr | lower
  changed_when: _egress.rc == 0
  when: wireguard_enable_routing
 - name: Add forward rule to policy (WG subnet to DB subnet only)
  ansible.builtin.command: >
    firewall-cmd --permanent --policy=wg-to-db
    --add-rich-rule='rule family="ipv4" source address="{{ wireguard_subnet }}"
    destination address="{{ wireguard_routed_subnet }}" accept'
  register: _fwd_rule
  failed_when: _fwd_rule.rc != 0 and 'already' not in _fwd_rule.stderr | lower
  changed_when: _fwd_rule.rc == 0
  when: wireguard_enable_routing and wireguard_routed_subnet != ""
 - name: Enable masquerade on policy
  ansible.builtin.command: firewall-cmd --permanent --policy=wg-to-db --add-masquerade
  register: _masq
  failed_when: _masq.rc != 0 and 'already' not in _masq.stderr | lower
  changed_when: _masq.rc == 0
  when: wireguard_enable_routing
 - name: Add direct firewalld rule to allow wg0 to eth1 forwarding in iptables (Docker fix)
  ansible.builtin.command: >
    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i {{ wireguard_interface }} -o {{ wireguard_routed_interface | default('eth1') }} -j ACCEPT
  register: _fw_dir_fwd
  failed_when: _fw_dir_fwd.rc != 0 and 'ALREADY_ENABLED' not in _fw_dir_fwd.stderr
  changed_when: _fw_dir_fwd.rc == 0
  when: wireguard_enable_routing and wireguard_routed_subnet != ""
  notify: restart wireguard
 - name: Add direct firewalld rule to allow eth1 to wg0 forwarding in iptables (Docker fix)
  ansible.builtin.command: >
    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i {{ wireguard_routed_interface | default('eth1') }} -o {{ wireguard_interface }} -j ACCEPT
  register: _fw_dir_rev
  failed_when: _fw_dir_rev.rc != 0 and 'ALREADY_ENABLED' not in _fw_dir_rev.stderr
  changed_when: _fw_dir_rev.rc == 0
  when: wireguard_enable_routing and wireguard_routed_subnet != ""
  notify: restart wireguard
 - name: Reload firewalld to activate routing policy
  ansible.builtin.command: firewall-cmd --reload
  changed_when: false
  when: wireguard_enable_routing
--- a/terraform/hetzner/prod/firewall.tf
+++ b/terraform/hetzner/prod/firewall.tf
@ -279,3 +279,26 @@ resource "hcloud_firewall" "db" {
    role        = "db"
  }
 }
 resource "hcloud_firewall" "db_wireguard" {
  name = "${local.name_prefix}-firewall-db-wireguard"
  rule {
    direction   = "in"
    protocol    = "udp"
    port        = "51820"
    source_ips  = ["0.0.0.0/0", "::/0"]
    description = "WireGuard VPN — public (auth via cryptographic key, db-01 only)"
  }
  labels = {
    environment = local.environment
    role        = "db"
    purpose     = "wireguard"
  }
 }
 resource "hcloud_firewall_attachment" "db_wireguard" {
  firewall_id = hcloud_firewall.db_wireguard.id
  server_ids  = [hcloud_server.db["iklim-db-01"].id]
 }