[CODE] add tasks
This commit is contained in:
parent
54cffa0cdc
commit
1900ac0301
2
.gitignore
vendored
Normal file
2
.gitignore
vendored
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
templates/tmp/
|
||||||
|
files/tmp/
|
12
README.md
12
README.md
|
@ -13,7 +13,17 @@ none
|
||||||
Role Variables
|
Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
TODO
|
Central configuration:
|
||||||
|
* `tinc_vpn_id`: name of the vpn to be created (default: `vpn0`)
|
||||||
|
* `tinc_central_host`: hostname of the always-on server (default: `hetzner-01`)
|
||||||
|
* `tinc_vpn_net`: local vpn network (IPv4, CIDR notation)
|
||||||
|
* `tinc_remote_nets`: list of remote networks, that should be forwarded to localhost (TODO: currently only one entry supported)
|
||||||
|
* `net_cidr`: IPv4 network range (CIDR notation)
|
||||||
|
* `gateway`: VPN network IP address of the gateway
|
||||||
|
|
||||||
|
Configuration for each host:
|
||||||
|
* `tinc_client_ip`: own IP address in the tinc-local network
|
||||||
|
* `tinc_public_addr`: public domain or IP address of the central server
|
||||||
|
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
|
|
|
@ -1,2 +1,10 @@
|
||||||
---
|
---
|
||||||
# defaults file for tinc
|
# defaults file for tinc
|
||||||
|
tinc_base_dir: /etc/tinc
|
||||||
|
tinc_tmp_pubkey: "tmp/rsa_key-{{ ansible_hostname }}.pub"
|
||||||
|
|
||||||
|
# ID of the vpn to create
|
||||||
|
tinc_vpn_id: vpn0
|
||||||
|
|
||||||
|
# hostname of the always-on server
|
||||||
|
tinc_central_host: hetzner-01
|
||||||
|
|
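Review bot: `tinc_tmp_pubkey` has no comment saying what it is, although it is the only default whose value is a controller-side path rather than a target-side setting; I would put `# controller-side path, relative to the role's templates/ directory, of the public key fetched from the node (consumed by the include in hostfile.j2)` above it. `tinc_base_dir` likewise deserves `# overridden by set_fact for macOS targets in the task files`, since a reader of this file alone would not expect the default to be replaced at runtime. The default `hetzner-01` for `tinc_central_host` is a site-specific hostname; if the role is meant to be reusable the comment should say the value is expected to be overridden, and the same literal is hard-coded in the tinc-up/tinc-down templates of this commit.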
13
tasks/distribute.yml
Normal file
13
tasks/distribute.yml
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
# Tinc VPN Hostfile Distribution
|
||||||
|
|
||||||
|
- name: Distribute - Set different base dir for macOS
|
||||||
|
set_fact:
|
||||||
|
tinc_base_dir: /usr/local/etc/tinc
|
||||||
|
when: (override_os_family is defined) | ternary(override_os_family,ansible_os_family) == "Darwin"
|
||||||
|
|
||||||
|
- name: Distribute - Copy hostfiles to targets
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
src: "{{ role_path }}/files/tmp/"
|
||||||
|
dest: "{{ tinc_base_dir }}/{{ tinc_vpn_id }}/hosts/"
|
|
@ -1,2 +1,93 @@
|
||||||
---
|
---
|
||||||
# tasks file for tinc
|
# Tinc VPN Setup and Configuration
|
||||||
|
|
||||||
|
- name: Main - Set different base dir for macOS
|
||||||
|
set_fact:
|
||||||
|
tinc_base_dir: /usr/local/etc/tinc
|
||||||
|
when: (override_os_family is defined) | ternary(override_os_family,ansible_os_family) == "Darwin"
|
||||||
|
|
||||||
|
- name: Main - Install tinc
|
||||||
|
include_tasks: "{{ item }}"
|
||||||
|
with_first_found:
|
||||||
|
- "setup-{{ ansible_distribution }}.yml"
|
||||||
|
- "setup-{{ (override_os_family is defined) | ternary(override_os_family,ansible_os_family) }}.yml"
|
||||||
|
|
||||||
|
|
||||||
|
- name: Main - Create tinc directories
|
||||||
|
become: yes
|
||||||
|
file:
|
||||||
|
path: "{{ tinc_base_dir }}/{{ tinc_vpn_id }}/hosts"
|
||||||
|
state: directory
|
||||||
|
mode: '0755'
|
||||||
|
|
||||||
|
- name: Main - Create new host keypair
|
||||||
|
become: yes
|
||||||
|
shell: |
|
||||||
|
export PATH=/usr/local/sbin:/usr/local/bin:$PATH
|
||||||
|
tincd -n {{ tinc_vpn_id }} -K4096
|
||||||
|
args:
|
||||||
|
chdir: "{{ tinc_base_dir }}/{{ tinc_vpn_id }}"
|
||||||
|
creates: rsa_key.priv
|
||||||
|
|
||||||
|
- name: Main - Create config
|
||||||
|
become: yes
|
||||||
|
template:
|
||||||
|
src: "{{ role_path }}/templates/tinc.conf.j2"
|
||||||
|
dest: "{{ tinc_base_dir }}/{{ tinc_vpn_id }}/tinc.conf"
|
||||||
|
|
||||||
|
- name: Main - Fetch public key
|
||||||
|
become: yes
|
||||||
|
fetch:
|
||||||
|
src: "{{ tinc_base_dir }}/{{ tinc_vpn_id }}/rsa_key.pub"
|
||||||
|
dest: "{{ role_path }}/templates/tmp/rsa_key-{{ ansible_hostname }}.pub"
|
||||||
|
flat: yes
|
||||||
|
|
||||||
|
- name: Main - Create own hostfile
|
||||||
|
become: yes
|
||||||
|
template:
|
||||||
|
src: "{{ role_path }}/templates/hostfile.j2"
|
||||||
|
dest: "{{ tinc_base_dir }}/{{ tinc_vpn_id }}/hosts/{{ ansible_hostname }}"
|
||||||
|
|
||||||
|
|
||||||
|
- name: Main - Create tinc-up script
|
||||||
|
become: yes
|
||||||
|
template:
|
||||||
|
src: "{{ role_path }}/templates/tinc-up.j2"
|
||||||
|
dest: "{{ tinc_base_dir }}/{{ tinc_vpn_id }}/tinc-up"
|
||||||
|
mode: '0755'
|
||||||
|
|
||||||
|
- name: Main - Create tinc-down script
|
||||||
|
become: yes
|
||||||
|
template:
|
||||||
|
src: "{{ role_path }}/templates/tinc-down.j2"
|
||||||
|
dest: "{{ tinc_base_dir }}/{{ tinc_vpn_id }}/tinc-down"
|
||||||
|
mode: '0755'
|
||||||
|
|
||||||
|
|
||||||
|
- name: Tinc - Fetch all hostfiles
|
||||||
|
become: yes
|
||||||
|
fetch:
|
||||||
|
src: "{{ tinc_base_dir }}/{{ tinc_vpn_id }}/hosts/{{ ansible_hostname }}"
|
||||||
|
dest: "{{ role_path }}/files/tmp/{{ ansible_hostname }}"
|
||||||
|
flat: yes
|
||||||
|
|
||||||
|
|
||||||
|
- name: "Main - Enable {{ tinc_vpn_id }}"
|
||||||
|
become: yes
|
||||||
|
block:
|
||||||
|
- name: "Main - Enable {{ tinc_vpn_id }} in tinc config"
|
||||||
|
lineinfile:
|
||||||
|
name: "{{ tinc_base_dir }}/nets.boot"
|
||||||
|
line: "{{ tinc_vpn_id }}"
|
||||||
|
create: yes
|
||||||
|
- name: "Main - Enable and restart tinc service"
|
||||||
|
systemd:
|
||||||
|
name: tinc
|
||||||
|
state: restarted
|
||||||
|
enabled: yes
|
||||||
|
- name: "Main - Enable and restart tinc@{{ tinc_vpn_id }} service"
|
||||||
|
systemd:
|
||||||
|
name: "tinc@{{ tinc_vpn_id }}"
|
||||||
|
state: restarted
|
||||||
|
enabled: yes
|
||||||
|
when: inventory_hostname != 'localhost'
|
||||||
|
|
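Review bot: `Main - Create new host keypair` interpolates `tinc_vpn_id` straight into a `shell` command, so a value containing shell metacharacters would be executed rather than passed to `tincd`; pass it through the quote filter, `tincd -n {{ tinc_vpn_id | quote }} -K4096`, or use `command` with an `environment:` for PATH, since nothing here needs a shell. Separately, the final block gates the two `systemd` tasks on `inventory_hostname != 'localhost'` while the rest of this file detects macOS through `override_os_family`/`ansible_os_family`; a non-local Darwin host would reach `systemd` and fail, so the same OS-family test used for the `set_fact` above would be the consistent condition. The task names are also inconsistent: one task is prefixed `Tinc -` while every other one is `Main -`.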
10
tasks/setup-Darwin.yml
Normal file
10
tasks/setup-Darwin.yml
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
# Tinc/Setup: Install tinc application - macOS Version
|
||||||
|
|
||||||
|
- name: Setup - Install
|
||||||
|
package:
|
||||||
|
name: "{{ packages }}"
|
||||||
|
state: present
|
||||||
|
vars:
|
||||||
|
packages:
|
||||||
|
- tinc
|
11
tasks/setup-Debian.yml
Normal file
11
tasks/setup-Debian.yml
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
# Tinc/Setup: Install tinc application - Debian Version
|
||||||
|
|
||||||
|
- name: Setup - Install
|
||||||
|
become: yes
|
||||||
|
apt:
|
||||||
|
name: "{{ packages }}"
|
||||||
|
state: present
|
||||||
|
vars:
|
||||||
|
packages:
|
||||||
|
- tinc
|
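--- a/templates/hostfile.j2
+++ b/templates/hostfile.j2
@@ -0,0 +1,9 @@
+{% if tinc_public_addr is defined %}
+Address = {{ tinc_public_addr }}
+{% endif %}
+Subnet = {{ tinc_client_ip }}/32
+{% if tinc_client_ip == tinc_remote_nets[0].gateway %}
+Subnet = {{ tinc_remote_nets[0].net_cidr }}
+{% endif %}
+
+{% include tinc_tmp_pubkey %}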
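Review bot: `Subnet = {{ tinc_client_ip }}/32` appends `/32` to the raw variable, whereas tinc-up.j2 in this same commit passes the same variable through `ipaddr('address')` before use; if `tinc_client_ip` is ever given with a prefix length, as that filter suggests, this line renders an invalid `Subnet`, so use `Subnet = {{ tinc_client_ip | ipaddr('address') }}/32` here too. The gateway comparison on the next line has the same problem and would read `{% if tinc_client_ip | ipaddr('address') == tinc_remote_nets[0].gateway %}`. Since the last line splices in a file fetched from the node, a comment above it, `{# public key fetched from the node by the 'Fetch public key' task #}`, would tell readers where the key comes from.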
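--- a/templates/tinc-down.j2
+++ b/templates/tinc-down.j2
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+{% if ansible_hostname == 'hetzner-01' %}
+/sbin/ifconfig $INTERFACE down
+/usr/sbin/ip rule del to {{ tinc_remote_nets[0].net_cidr }} table 5
+
+{% elif ansible_hostname == 'RaspiBeyerstedt' %}
+/sbin/ifconfig $INTERFACE down
+/bin/ip route del {{ tinc_remote_nets[0].net_cidr }} dev eth0
+
+{% elif ansible_hostname == 'Magrathea' %}
+/sbin/ifconfig $INTERFACE down
+/sbin/route -n delete -net {{ tinc_remote_nets[0].net_cidr }} {{ tinc_remote_nets[0].gateway }}
+
+{% endif %}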
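Review bot: The RaspiBeyerstedt branch removes the route but not the NAT rule that tinc-up.j2 adds, so after `tinc-down` the host still masquerades `tinc_vpn_net` out of eth0 and keeps `ip_forward` enabled; add `iptables -t nat -D POSTROUTING -o eth0 -s {{ tinc_vpn_net }} -j MASQUERADE` next to the `ip route del`, and reset `ip_forward` only if this host is not expected to forward for other reasons, which is not visible here. The branches are selected by literal hostnames (`hetzner-01`, `RaspiBeyerstedt`, `Magrathea`) while tinc.conf.j2 in the same commit uses `tinc_central_host`; at least the first branch could test `ansible_hostname == tinc_central_host` so the role follows its own variable. A header comment, `# Runs when tincd brings the VPN interface down; $INTERFACE is set by tincd`, would document the contract the script relies on.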
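--- a/templates/tinc-up.j2
+++ b/templates/tinc-up.j2
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+{% if ansible_hostname == 'hetzner-01' %}
+/sbin/ifconfig $INTERFACE {{ tinc_client_ip | ipaddr('address') }} netmask 255.255.255.0
+
+/usr/sbin/ip rule add to {{ tinc_remote_nets[0].net_cidr }} table 5
+/usr/sbin/ip route add {{ tinc_remote_nets[0].net_cidr }} via {{ tinc_remote_nets[0].gateway }} dev {{ tinc_vpn_id }} table 5
+
+{% elif ansible_hostname == 'RaspiBeyerstedt' %}
+/sbin/ifconfig $INTERFACE {{ tinc_client_ip | ipaddr('address') }} netmask 255.255.255.0
+
+/bin/bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
+/bin/ip route add {{ tinc_remote_nets[0].net_cidr }} dev eth0
+
+iptables -t nat -A POSTROUTING -o eth0 -s {{ tinc_vpn_net }} -j MASQUERADE
+
+{% elif ansible_hostname == 'Magrathea' %}
+# only a single endpoint works, because tun interface is p2p
+/sbin/ifconfig tun0 inet {{ tinc_client_ip | ipaddr('address') }} {{ tinc_remote_nets[0].gateway }} up netmast 255.255.255.0
+
+/sbin/route -n add -net {{ tinc_remote_nets[0].net_cidr }} {{ tinc_remote_nets[0].gateway }}
+
+{% endif %}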
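Review bot: The Magrathea branch spells the netmask keyword as `netmast`, so the `ifconfig tun0 inet ... up netmast 255.255.255.0` line fails and leaves the interface unconfigured; it should read `... up netmask 255.255.255.0`, and like the other branches it could use `$INTERFACE` instead of the hard-coded `tun0`. The RaspiBeyerstedt branch appends the MASQUERADE rule with `iptables -A` on every tinc start and nothing in tinc-down.j2 deletes it, so the nat table accumulates duplicate rules across restarts; guard it with `iptables -t nat -C POSTROUTING -o eth0 -s {{ tinc_vpn_net }} -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o eth0 -s {{ tinc_vpn_net }} -j MASQUERADE`. Note also that `ip_forward` is enabled host-wide, not just for this interface, which turns the Raspberry Pi into a router for anything that can reach it, and that the branches key on literal hostnames while the rest of the role carries the central host in `tinc_central_host`.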
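--- a/templates/tinc.conf.j2
+++ b/templates/tinc.conf.j2
@@ -0,0 +1,8 @@
+Name = {{ ansible_hostname }}
+{% if (override_os_family is defined) | ternary(override_os_family,ansible_os_family) != 'Darwin' %}
+Device = /dev/net/tun
+{% endif %}
+{% if ansible_hostname != tinc_central_host %}
+ConnectTo = {{ tinc_central_host }}
+{% endif %}
+AddressFamily = any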
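Review bot: The generated tinc.conf does not set `StrictSubnets`, so any node holding a valid hostfile can announce arbitrary `Subnet` entries at runtime and the other nodes will route to it, including the `tinc_remote_nets` range that this role reserves for the gateway in hostfile.j2. Because the role already distributes every node's `Subnet` lines through the hostfiles, adding `StrictSubnets = yes` after `AddressFamily = any` makes each node honour only those static entries. That is a behaviour change for rolling out a new subnet, so it should be mentioned in the README's central configuration section.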