Murat ÖZDEMİR
ed51b6eedd
- Add new Ansible role `wireguard` to set up WireGuard VPN server on DB node with key generation, firewalld rules, and client peer config. - Introduce `pg-proxy` and `mongo-proxy` socat containers in db_stack to expose PostgreSQL (15432) and MongoDB (17017) on host ports, restricted to WireGuard subnet via firewalld. - Update test environment group_vars with WireGuard client entry for `murat-inspiron-15-3525`. - Modify act_runner config: set `docker_host` to unix socket, remove explicit socket mount from options, and change runner label image to `catthehacker/ubuntu:act-22.04`. - Open UDP port 51820 in Hetzner firewall for WireGuard inbound. - Adjust test-db-post-stack playbook to include wireguard role (tagged). - Update roadmap document with APISIX init step order.
85 lines
2.3 KiB
YAML
85 lines
2.3 KiB
YAML
---
|
|
- name: Install WireGuard
|
|
ansible.builtin.dnf:
|
|
name: wireguard-tools
|
|
state: present
|
|
|
|
- name: Ensure /etc/wireguard directory exists
|
|
ansible.builtin.file:
|
|
path: /etc/wireguard
|
|
state: directory
|
|
mode: "0700"
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Check if WireGuard private key exists
|
|
ansible.builtin.stat:
|
|
path: /etc/wireguard/private.key
|
|
register: wg_key_stat
|
|
|
|
- name: Generate WireGuard keypair
|
|
ansible.builtin.shell: |
|
|
wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
|
|
chmod 600 /etc/wireguard/private.key
|
|
chmod 644 /etc/wireguard/public.key
|
|
when: not wg_key_stat.stat.exists
|
|
|
|
- name: Read WireGuard private key
|
|
ansible.builtin.slurp:
|
|
src: /etc/wireguard/private.key
|
|
register: wg_private_key_raw
|
|
|
|
- name: Read WireGuard public key
|
|
ansible.builtin.slurp:
|
|
src: /etc/wireguard/public.key
|
|
register: wg_public_key_raw
|
|
|
|
- name: Set WireGuard key facts
|
|
ansible.builtin.set_fact:
|
|
wg_server_private_key: "{{ wg_private_key_raw.content | b64decode | trim }}"
|
|
wg_server_public_key: "{{ wg_public_key_raw.content | b64decode | trim }}"
|
|
|
|
- name: Deploy wg0.conf
|
|
ansible.builtin.template:
|
|
src: wg0.conf.j2
|
|
dest: "/etc/wireguard/{{ wireguard_interface }}.conf"
|
|
mode: "0600"
|
|
owner: root
|
|
group: root
|
|
notify: restart wireguard
|
|
|
|
- name: Enable and start WireGuard
|
|
ansible.builtin.systemd:
|
|
name: "wg-quick@{{ wireguard_interface }}"
|
|
enabled: true
|
|
state: started
|
|
daemon_reload: true
|
|
|
|
- name: Allow WireGuard UDP port from admin CIDRs
|
|
ansible.posix.firewalld:
|
|
rich_rule: >-
|
|
rule family="ipv4" source address="{{ item }}"
|
|
port port="{{ wireguard_port }}" protocol="udp" accept
|
|
zone: drop
|
|
state: enabled
|
|
permanent: true
|
|
immediate: true
|
|
loop: "{{ admin_allowed_cidrs.split(' ') }}"
|
|
|
|
- name: Allow DB proxy ports from WireGuard subnet only
|
|
ansible.posix.firewalld:
|
|
rich_rule: >-
|
|
rule family="ipv4" source address="{{ wireguard_subnet }}"
|
|
port port="{{ item }}" protocol="tcp" accept
|
|
zone: drop
|
|
state: enabled
|
|
permanent: true
|
|
immediate: true
|
|
loop:
|
|
- "{{ wireguard_db_pg_proxy_port }}"
|
|
- "{{ wireguard_db_mongo_proxy_port }}"
|
|
|
|
- name: Print server public key (client config için gerekli)
|
|
ansible.builtin.debug:
|
|
msg: "WireGuard server public key: {{ wg_server_public_key }}"
|