service. Core has an interface on this VPN and is expected to forward
packets between it and the institute's other private networks.
+The following tasks install WireGuard™, configure it with
+[[=private/front-wg0.conf=][=private/front-wg0.conf=]] (or [[file:private/front-wg0-empty.conf][=private/front-wg0-empty.conf=]] if it does
+not exist), and enable the service.
+
+#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml
+
+- name: Enable IP forwarding.
+ become: yes
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: "1"
+ state: present
+
+- name: Install WireGuard™.
+ become: yes
+ apt: pkg=wireguard
+
+- name: Configure WireGuard™.
+ become: yes
+ vars:
+ srcs:
+ - ../private/front-wg0.conf
+ - ../private/front-wg0-empty.conf
+ copy:
+ src: "{{ lookup('first_found', srcs) }}"
+ dest: /etc/wireguard/wg0.conf
+ mode: u=r,g=,o=
+ owner: root
+ group: root
+ notify: Restart WireGuard™.
+ tags: accounts
+
+- name: Start WireGuard™.
+ become: yes
+ systemd:
+ service: wg-quick@wg0
+ state: started
+ tags: actualizer
+
+- name: Enable WireGuard™.
+ become: yes
+ systemd:
+ service: wg-quick@wg0
+ enabled: yes
+#+END_SRC
+
+#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml
+
+- name: Restart WireGuard™.
+ become: yes
+ systemd:
+ service: wg-quick@wg0
+ state: restarted
+ tags: actualizer
+#+END_SRC
+
+The "empty" WireGuard™ configuration file (below) is used until the
+~./inst client~ command adds the first client, and generates an actual
+[[=private/front-wg0.conf=][=private/front-wg0.conf=]].
+
+#+NAME: =private/front-wg0-empty.conf=
+#+CAPTION: [[file:private/front-wg0-empty.conf][=private/front-wg0-empty.conf=]]
+#+BEGIN_SRC conf :tangle private/front-wg0-empty.conf :tangle-mode u=rw,g=,o=
+[Interface]
+Address = 10.177.87.1/24
+ListenPort = 39608
+PostUp = wg set %i private-key /etc/wireguard/private-key
+PostUp = resolvectl dns %i 192.168.56.1
+PostUp = resolvectl domain %i small.private
+#+END_SRC
+
+*** Example =private/front-wg0.conf=
+
The example [[=private/front-wg0.conf=][=private/front-wg0.conf=]] below recognizes Core by its
public key and routes the institute's private networks to it. It also
recognizes Dick's notebook and his (replacement) phone, assigning them
host numbers 4 and 6 on the VPN.
+This is just an example. The actual file is edited by the ~./inst
+client~ command and so is not tangled from the following block.
+
#+NAME: =private/front-wg0.conf=
-#+CAPTION: [[file:private/front-wg0.conf][=private/front-wg0.conf=]]
-#+BEGIN_SRC conf :tangle private/front-wg0.conf :tangle-mode u=rw,g=,o=
+#+CAPTION: =private/front-wg0.conf=
+#+BEGIN_SRC conf
[Interface]
Address = 10.177.87.1/24
ListenPort = 39608
AllowedIPs = 10.84.139.0/24
#+END_SRC
-The following tasks install WireGuard™, configure it with
-[[=private/front-wg0.conf=][=private/front-wg0.conf=]], and enable the service.
-
-#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml
-
-- name: Enable IP forwarding.
- become: yes
- sysctl:
- name: net.ipv4.ip_forward
- value: "1"
- state: present
-
-- name: Install WireGuard™.
- become: yes
- apt: pkg=wireguard
-
-- name: Configure WireGuard™.
- become: yes
- copy:
- src: ../private/front-wg0.conf
- dest: /etc/wireguard/wg0.conf
- mode: u=r,g=,o=
- owner: root
- group: root
- notify: Restart WireGuard™.
-
-- name: Start WireGuard™.
- become: yes
- systemd:
- service: wg-quick@wg0
- state: started
- tags: actualizer
-
-- name: Enable WireGuard™.
- become: yes
- systemd:
- service: wg-quick@wg0
- enabled: yes
-#+END_SRC
-
-#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml
-
-- name: Restart WireGuard™.
- become: yes
- systemd:
- service: wg-quick@wg0
- state: restarted
- tags: actualizer
-#+END_SRC
-
** Configure Kamailio
Front uses Kamailio to provide a SIP service on the public VPN so that
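Review bot: the new "empty" configuration's `PostUp = wg set %i private-key /etc/wireguard/private-key` line makes `wg-quick@wg0` depend on a key file that nothing in this hunk creates, so on a freshly provisioned Front the "Start WireGuard™." task will fail unless `/etc/wireguard/private-key` is generated or copied elsewhere; either add a task before "Configure WireGuard™." that creates it (a `command: wg genkey ...` guarded with `creates: /etc/wireguard/private-key` and mode `u=r,g=,o=`), or state in the prose where the key comes from. Two smaller points: the `first_found` lookup fails the task rather than skipping it when neither `../private/front-wg0.conf` nor `../private/front-wg0-empty.conf` exists, which is fine given the empty file is tangled but worth a sentence; and the example block should say why it no longer carries `:tangle private/front-wg0.conf` so that a reader who still has an old tangled copy knows the `./inst client` output is now authoritative.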
additional route Gate needs is to the public VPN via Core. The rest
(private Ethernet and campus VPN) are directly connected.
-The following example [[=private/gate-wg0.conf=][=private/gate-wg0.conf=]] configuration recognizes
-a wired IoT appliance, Dick's notebook and his replacement phone,
-assigning them the host numbers 3, 4 and 6 respectively.
+The following tasks install WireGuard™, configure it with
+[[=private/gate-wg0.conf=][=private/gate-wg0.conf=]] (or =private/gate-wg0-empty.conf= if it does
+not exist), and enable the service.
+
+#+CAPTION: [[file:roles_t/gate/tasks/main.yml][=roles_t/gate/tasks/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/gate/tasks/main.yml
+
+- name: Enable IP forwarding.
+ become: yes
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: "1"
+ state: present
+
+- name: Install WireGuard™.
+ become: yes
+ apt: pkg=wireguard
+
+- name: Configure WireGuard™.
+ become: yes
+ vars:
+ srcs:
+ - ../private/gate-wg0.conf
+ - ../private/gate-wg0-empty.conf
+ copy:
+ src: "{{ lookup('first_found', srcs) }}"
+ dest: /etc/wireguard/wg0.conf
+ mode: u=r,g=,o=
+ owner: root
+ group: root
+ notify: Restart WireGuard™.
+ tags: accounts
+
+- name: Start WireGuard™.
+ become: yes
+ systemd:
+ service: wg-quick@wg0
+ state: started
+ tags: actualizer
+
+- name: Enable WireGuard™.
+ become: yes
+ systemd:
+ service: wg-quick@wg0
+ enabled: yes
+#+END_SRC
+
+#+CAPTION: [[file:roles_t/gate/handlers/main.yml][=roles_t/gate/handlers/main.yml=]]
+#+BEGIN_SRC conf :tangle roles_t/gate/handlers/main.yml
+
+- name: Restart WireGuard™.
+ become: yes
+ systemd:
+ service: wg-quick@wg0
+ state: restarted
+ tags: actualizer
+#+END_SRC
+
+The "empty" WireGuard™ configuration file (below) is used until the
+~./inst client~ command adds the first client, and generates an actual
+[[=private/gate-wg0.conf=][=private/gate-wg0.conf=]].
+
+#+NAME: =private/gate-wg0-empty.conf=
+#+CAPTION: [[file:private/gate-wg0.empty.conf][=private/gate-wg0.empty.conf=]]
+#+BEGIN_SRC conf :tangle private/gate-wg0-empty.conf :tangle-mode u=rw,g=,o=
+[Interface]
+Address = 10.84.139.1/24
+ListenPort = 51820
+PostUp = wg set %i private-key /etc/wireguard/private-key
+#+END_SRC
+
+*** Example =private/gate-wg0.conf=
+
+The example [[=private/gate-wg0.conf=][=private/gate-wg0.conf=]] below recognizes a wired IoT
+appliance, Dick's notebook and his replacement phone, assigning them
+the host numbers 3, 4 and 6 respectively.
+
+This is just an example. The actual file is edited by the ~./inst
+client~ command and so should not be tangled from the following block.
#+NAME: =private/gate-wg0.conf=
-#+CAPTION: [[file:private/gate-wg0.conf][=private/gate-wg0.conf=]]
-#+BEGIN_SRC conf :tangle private/gate-wg0.conf :tangle-mode u=rw,g=,o=
+#+CAPTION: =private/gate-wg0.conf=
+#+BEGIN_SRC conf
[Interface]
Address = 10.84.139.1/24
ListenPort = 51820
AllowedIPs = 10.84.139.0/24
#+END_SRC
-The following tasks install WireGuard™, configure it with
-[[=private/gate-wg0.conf=][=private/gate-wg0.conf=]], and enable the service.
-
-#+CAPTION: [[file:roles_t/gate/tasks/main.yml][=roles_t/gate/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/gate/tasks/main.yml
-
-- name: Enable IP forwarding.
- become: yes
- sysctl:
- name: net.ipv4.ip_forward
- value: "1"
- state: present
-
-- name: Install WireGuard™.
- become: yes
- apt: pkg=wireguard
-
-- name: Configure WireGuard™.
- become: yes
- copy:
- src: ../private/gate-wg0.conf
- dest: /etc/wireguard/wg0.conf
- mode: u=r,g=,o=
- owner: root
- group: root
- notify: Restart WireGuard™.
-
-- name: Start WireGuard™.
- become: yes
- systemd:
- service: wg-quick@wg0
- state: started
- tags: actualizer
-
-- name: Enable WireGuard™.
- become: yes
- systemd:
- service: wg-quick@wg0
- enabled: yes
-#+END_SRC
-
-#+CAPTION: [[file:roles_t/gate/handlers/main.yml][=roles_t/gate/handlers/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/gate/handlers/main.yml
-
-- name: Restart WireGuard™.
- become: yes
- systemd:
- service: wg-quick@wg0
- state: restarted
- tags: actualizer
-#+END_SRC
-
* The Campus Role
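Review bot: the caption on the new empty configuration links to `file:private/gate-wg0.empty.conf` while the block tangles to `private/gate-wg0-empty.conf`, so the Org link points at a file that is never produced; change the caption to `[[file:private/gate-wg0-empty.conf][=private/gate-wg0-empty.conf=]]` to match the front role's caption. Also, "This is just an example ... should not be tangled" runs straight into `#+NAME: =private/gate-wg0.conf=` with no blank line, unlike the front section, and the wording differs ("is not tangled" there, "should not be tangled" here); make both read the same. The `/etc/wireguard/private-key` dependency introduced by the `PostUp` line applies here exactly as in the front role: no task in this hunk creates the key file.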