Add wild_net_cidr to Core's AllowedIPs in the client configurations.

author Matt Birkholz <matt@birchwood-abbey.net>

Sat, 28 Jun 2025 01:17:49 +0000 (19:17 -0600)

committer Matt Birkholz <matt@birchwood-abbey.net>

Sat, 28 Jun 2025 01:17:49 +0000 (19:17 -0600)
author Matt Birkholz <matt@birchwood-abbey.net>
Sat, 28 Jun 2025 01:17:49 +0000 (19:17 -0600)
committer Matt Birkholz <matt@birchwood-abbey.net>
Sat, 28 Jun 2025 01:17:49 +0000 (19:17 -0600)
diff --git a/README.org b/README.org

index 35166aeccef3785bbdf7011493834f806bfee7f9..e276961afc42fadb80942b224a105acd5b168edc 100644 (file)
--- a/README.org
+++ b/README.org
@@ -2035,6 +2035,7 @@ PostUp = resolvectl domain %i small.private
  PublicKey = lGhC51IBgZtlq4H2bsYFuKvPtV0VAEwUvVIn5fW7D0c=
  AllowedIPs = 10.177.87.2
  AllowedIPs = 192.168.56.0/24
+AllowedIPs = 192.168.57.0/24
  AllowedIPs = 10.84.139.0/24
  
  # dick
@@ -2059,12 +2060,13 @@ PostUp = wg set %i private-key /etc/wireguard/private-key
  PostUp = resolvectl dns %i 192.168.56.1
  PostUp = resolvectl domain %i small.private
  
-# Front
  [Peer]
  PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
+EndPoint = 192.168.15.5:39608
  AllowedIPs = 10.177.87.1
-AllowedIPs = 10.177.87.0/24
  AllowedIPs = 192.168.56.0/24
+AllowedIPs = 192.168.57.0/24
+AllowedIPs = 10.177.87.0/24
  AllowedIPs = 10.84.139.0/24
  #+END_SRC
  
@@ -4692,7 +4694,7 @@ command after Gate is configured or new gate is "in position"
  #+BEGIN_SRC conf :tangle roles_t/gate/tasks/main.yml :noweb no-export
  
  - name: Install UFW.
-  become:
+  become: yes
    apt: pkg=ufw
  
  - name: Configure UFW policy.
@@ -4884,15 +4886,19 @@ The configuration used on ~thing~, the IoT appliance, looks like this:
  #+BEGIN_SRC conf
  [Interface]
  Address = 10.84.139.2
-PrivateKey = KIwQT5eGOl9w1qOa5I+2xx5kJH3z4xdpmirS/eGdsXY=
+PrivateKey = wg set %i private-key /etc/wireguard/private-key
+DNS = 192.168.56.1
+Domain = small.private
  
  # Gate
  [Peer]
  PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
+EndPoint = 192.168.57.1:51820
  AllowedIPs = 10.84.139.1
-AllowedIPs = 10.84.139.0/24
  AllowedIPs = 192.168.56.0/24
+AllowedIPs = 192.168.57.0/24
  AllowedIPs = 10.177.87.0/24
+AllowedIPs = 10.84.139.0/24
  #+END_SRC
  
  And the configuration used on Dick's notebook when it is on campus
@@ -4910,9 +4916,10 @@ PostUp = resolvectl domain wg0 small.private
  [Peer]
  PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
  AllowedIPs = 10.84.139.1
-AllowedIPs = 10.84.139.0/24
  AllowedIPs = 192.168.56.0/24
+AllowedIPs = 192.168.57.0/24
  AllowedIPs = 10.177.87.0/24
+AllowedIPs = 10.84.139.0/24
  #+END_SRC
  
  The following tasks install WireGuard™, configure it with
@@ -5535,9 +5542,10 @@ sub mysystem (@) {
  
  mysystem "ansible-playbook playbooks/check-inst-vars.yml >/dev/null";
  
-our ($domain_name, $domain_priv, $private_net_cidr,
+our ($domain_name, $domain_priv,
       $front_addr, $front_wg_pubkey,
       $public_wg_net_cidr, $public_wg_port,
+     $private_net_cidr, $wild_net_cidr,
       $gate_wild_addr, $gate_wg_pubkey,
       $campus_wg_net_cidr, $campus_wg_port,
       $core_addr, $core_wg_pubkey);
@@ -5557,15 +5565,16 @@ The playbook that updates [[file:private/vars.pl][=private/vars.pl=]]:
        content: |
          $domain_name = "{{ domain_name }}";
          $domain_priv = "{{ domain_priv }}";
-        $private_net_cidr = "{{ private_net_cidr }}";
  
          $front_addr = "{{ front_addr }}";
          $front_wg_pubkey = "{{ front_wg_pubkey }}";
  
          $public_wg_net_cidr = "{{ public_wg_net_cidr }}";
-
          $public_wg_port = "{{ public_wg_port }}";
  
+        $private_net_cidr = "{{ private_net_cidr }}";
+        $wild_net_cidr = "{{ wild_net_cidr }}";
+
          $gate_wild_addr = "{{ gate_wild_addr }}";
          $gate_wg_pubkey = "{{ gate_wg_pubkey }}";
  
@@ -6451,6 +6460,7 @@ PostUp = resolvectl domain %i $domain_priv
  PublicKey = $core_wg_pubkey
  AllowedIPs = $core_wg_addr
  AllowedIPs = $private_net_cidr
+AllowedIPs = $wild_net_cidr
  AllowedIPs = $campus_wg_net_cidr\n";
  
    write_wg_server ("private/front-wg0.conf", \@member_peers,
@@ -6507,7 +6517,7 @@ sub write_wg_client ($$$$$$) {
    my $O = new IO::File;
    my $DNS = ($type eq "android"
              ? "
-DNS=$core_addr\nDomain=$domain_priv"
+DNS = $core_addr\nDomain = $domain_priv"
              : "
  PostUp = resolvectl dns %i $core_addr
  PostUp = resolvectl domain %i $domain_priv");
@@ -6521,6 +6531,7 @@ PublicKey = $pubkey
  EndPoint = $endpt
  AllowedIPs = $server_addr
  AllowedIPs = $private_net_cidr
+AllowedIPs = $wild_net_cidr
  AllowedIPs = $public_wg_net_cidr
  AllowedIPs = $campus_wg_net_cidr\n";
    close $O or die "Could not close $file.tmp: $!\n";
diff --git a/inst b/inst

index 4774363bb5614ef3783a2d4d49b0b354fa0e61f3..172f501cc01c8fe169ad8a6bac6c823cfa3d5d88 100755 (executable)
--- a/inst
+++ b/inst
@@ -58,9 +58,10 @@ sub mysystem (@) {
  
  mysystem "ansible-playbook playbooks/check-inst-vars.yml >/dev/null";
  
-our ($domain_name, $domain_priv, $private_net_cidr,
+our ($domain_name, $domain_priv,
       $front_addr, $front_wg_pubkey,
       $public_wg_net_cidr, $public_wg_port,
+     $private_net_cidr, $wild_net_cidr,
       $gate_wild_addr, $gate_wg_pubkey,
       $campus_wg_net_cidr, $campus_wg_port,
       $core_addr, $core_wg_pubkey);
@@ -428,6 +429,7 @@ PostUp = resolvectl domain %i $domain_priv
  PublicKey = $core_wg_pubkey
  AllowedIPs = $core_wg_addr
  AllowedIPs = $private_net_cidr
+AllowedIPs = $wild_net_cidr
  AllowedIPs = $campus_wg_net_cidr\n";
  
    write_wg_server ("private/front-wg0.conf", \@member_peers,
@@ -484,7 +486,7 @@ sub write_wg_client ($$$$$$) {
    my $O = new IO::File;
    my $DNS = ($type eq "android"
              ? "
-DNS=$core_addr\nDomain=$domain_priv"
+DNS = $core_addr\nDomain = $domain_priv"
              : "
  PostUp = resolvectl dns %i $core_addr
  PostUp = resolvectl domain %i $domain_priv");
@@ -498,6 +500,7 @@ PublicKey = $pubkey
  EndPoint = $endpt
  AllowedIPs = $server_addr
  AllowedIPs = $private_net_cidr
+AllowedIPs = $wild_net_cidr
  AllowedIPs = $public_wg_net_cidr
  AllowedIPs = $campus_wg_net_cidr\n";
    close $O or die "Could not close $file.tmp: $!\n";
diff --git a/playbooks/check-inst-vars.yml b/playbooks/check-inst-vars.yml

index 81a29ecb6b98c9f1e8ef6c78a3da2434f8a1395e..99198624fd3efb173da04850dd3cb52c4310919f 100644 (file)
--- a/playbooks/check-inst-vars.yml
+++ b/playbooks/check-inst-vars.yml
@@ -7,15 +7,16 @@
        content: |
          $domain_name = "{{ domain_name }}";
          $domain_priv = "{{ domain_priv }}";
-        $private_net_cidr = "{{ private_net_cidr }}";
  
          $front_addr = "{{ front_addr }}";
          $front_wg_pubkey = "{{ front_wg_pubkey }}";
  
          $public_wg_net_cidr = "{{ public_wg_net_cidr }}";
-
          $public_wg_port = "{{ public_wg_port }}";
  
+        $private_net_cidr = "{{ private_net_cidr }}";
+        $wild_net_cidr = "{{ wild_net_cidr }}";
+
          $gate_wild_addr = "{{ gate_wild_addr }}";
          $gate_wg_pubkey = "{{ gate_wg_pubkey }}";
  
diff --git a/roles_t/gate/tasks/main.yml b/roles_t/gate/tasks/main.yml

index 5f062add13a9d2a65e153a283377f99317dee3ec..2a5788166bf95db2ca9565e7f6fd56a5a713f58b 100644 (file)
--- a/roles_t/gate/tasks/main.yml
+++ b/roles_t/gate/tasks/main.yml
@@ -60,7 +60,7 @@
    notify: Apply netplan.
  
  - name: Install UFW.
-  become:
+  become: yes
    apt: pkg=ufw
  
  - name: Configure UFW policy.
author	Matt Birkholz <matt@birchwood-abbey.net>
	Sat, 28 Jun 2025 01:17:49 +0000 (19:17 -0600)
committer	Matt Birkholz <matt@birchwood-abbey.net>
	Sat, 28 Jun 2025 01:17:49 +0000 (19:17 -0600)
README.org		patch \| blob \| history
inst		patch \| blob \| history
playbooks/check-inst-vars.yml		patch \| blob \| history
roles_t/gate/tasks/main.yml		patch \| blob \| history