From 04bfba2ee71d8db9305a4b4cd8118ffcf2bdd6c3 Mon Sep 17 00:00:00 2001
From: Matt Birkholz
Date: Fri, 27 Jun 2025 19:17:49 -0600
Subject: [PATCH] Add wild_net_cidr to Core's AllowedIPs in the client configurations. Fixed the "Install UFW." task's incomplete "become" key. Added missing EndPoints. Hid an example PrivateKey.
---
README.org | 31 +++++++++++++++++++++----------
inst | 7 +++++--
playbooks/check-inst-vars.yml | 5 +++--
roles_t/gate/tasks/main.yml | 2 +-
4 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/README.org b/README.org
index 35166ae..e276961 100644
--- a/README.org
+++ b/README.org
@@ -2035,6 +2035,7 @@ PostUp = resolvectl domain %i small.private
PublicKey = lGhC51IBgZtlq4H2bsYFuKvPtV0VAEwUvVIn5fW7D0c=
AllowedIPs = 10.177.87.2
AllowedIPs = 192.168.56.0/24
+AllowedIPs = 192.168.57.0/24
AllowedIPs = 10.84.139.0/24
# dick
@@ -2059,12 +2060,13 @@ PostUp = wg set %i private-key /etc/wireguard/private-key
PostUp = resolvectl dns %i 192.168.56.1
PostUp = resolvectl domain %i small.private
-# Front
[Peer]
PublicKey = S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
+EndPoint = 192.168.15.5:39608
AllowedIPs = 10.177.87.1
-AllowedIPs = 10.177.87.0/24
AllowedIPs = 192.168.56.0/24
+AllowedIPs = 192.168.57.0/24
+AllowedIPs = 10.177.87.0/24
AllowedIPs = 10.84.139.0/24
#+END_SRC
@@ -4692,7 +4694,7 @@ command after Gate is configured or new gate is "in position"
#+BEGIN_SRC conf :tangle roles_t/gate/tasks/main.yml :noweb no-export
- name: Install UFW.
- become:
+ become: yes
apt: pkg=ufw
- name: Configure UFW policy.
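Review bot: The peer key added at README.org:2059 is spelled `EndPoint`, whereas wg(8) documents the key as `Endpoint`; the same spelling is added in the thing example at 4884 and already exists in write_wg_client's `EndPoint = $endpt`. As far as I can tell wg and wg-quick match key names case-insensitively, so this parses, but the examples are also read by people and possibly by other tooling, so the canonical `Endpoint = 192.168.15.5:39608` would be the safer form in the examples and the generator alike.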
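Review bot: `become: yes` in the UFW task at README.org:4692 (tangled to roles_t/gate/tasks/main.yml:60) fixes the empty key, but the YAML 1.2 boolean `become: true` is what ansible-lint's truthy rule expects. The adjacent tasks are outside the hunk, so use whichever form the rest of the role already uses rather than introducing a third spelling.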
@@ -4884,15 +4886,19 @@ The configuration used on ~thing~, the IoT appliance, looks like this:
#+BEGIN_SRC conf
[Interface]
Address = 10.84.139.2
-PrivateKey = KIwQT5eGOl9w1qOa5I+2xx5kJH3z4xdpmirS/eGdsXY=
+PrivateKey = wg set %i private-key /etc/wireguard/private-key
+DNS = 192.168.56.1
+Domain = small.private
# Gate
[Peer]
PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
+EndPoint = 192.168.57.1:51820
AllowedIPs = 10.84.139.1
-AllowedIPs = 10.84.139.0/24
AllowedIPs = 192.168.56.0/24
+AllowedIPs = 192.168.57.0/24
AllowedIPs = 10.177.87.0/24
+AllowedIPs = 10.84.139.0/24
#+END_SRC
And the configuration used on Dick's notebook when it is on campus
@@ -4910,9 +4916,10 @@ PostUp = resolvectl domain wg0 small.private
[Peer]
PublicKey = y3cjFnvQbylmH4lGTujpqc8rusIElmJ4Gu9hh6iR7QI=
AllowedIPs = 10.84.139.1
-AllowedIPs = 10.84.139.0/24
AllowedIPs = 192.168.56.0/24
+AllowedIPs = 192.168.57.0/24
AllowedIPs = 10.177.87.0/24
+AllowedIPs = 10.84.139.0/24
#+END_SRC
The following tasks install WireGuard™, configure it with
@@ -5535,9 +5542,10 @@ sub mysystem (@) {
mysystem "ansible-playbook playbooks/check-inst-vars.yml >/dev/null";
-our ($domain_name, $domain_priv, $private_net_cidr,
+our ($domain_name, $domain_priv,
$front_addr, $front_wg_pubkey, $public_wg_net_cidr, $public_wg_port,
+$private_net_cidr, $wild_net_cidr, $gate_wild_addr,
$gate_wg_pubkey, $campus_wg_net_cidr, $campus_wg_port, $core_addr, $core_wg_pubkey);
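Review bot: `PrivateKey = wg set %i private-key /etc/wireguard/private-key` in the thing example at README.org:4884 is not a key value, so anyone copying the block gets a rejected config rather than a hidden secret. The Dick example at 2059 hides its key with a `PostUp = wg set %i private-key /etc/wireguard/private-key` line, which is presumably what this line was meant to be; but this block uses the `DNS =`/`Domain =` layout that write_wg_client emits for the android type, where a PostUp hook may not be available, so a labelled placeholder such as `PrivateKey = <thing's private key>` is probably the better replacement. Separately, deleting the old value from the file does not remove it from the repository history; if that key was ever in use rather than a sample, the pair should be rotated on thing and Gate's peer entry updated.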
@@ -5557,15 +5565,16 @@ The playbook that updates [[file:private/vars.pl][=private/vars.pl=]]:
content: |
$domain_name = "{{ domain_name }}";
$domain_priv = "{{ domain_priv }}";
- $private_net_cidr = "{{ private_net_cidr }}";
$front_addr = "{{ front_addr }}";
$front_wg_pubkey = "{{ front_wg_pubkey }}";
$public_wg_net_cidr = "{{ public_wg_net_cidr }}";
- $public_wg_port = "{{ public_wg_port }}";
+ $private_net_cidr = "{{ private_net_cidr }}";
+ $wild_net_cidr = "{{ wild_net_cidr }}";
+ $gate_wild_addr = "{{ gate_wild_addr }}";
$gate_wg_pubkey = "{{ gate_wg_pubkey }}";
@@ -6451,6 +6460,7 @@ PostUp = resolvectl domain %i $domain_priv
PublicKey = $core_wg_pubkey
AllowedIPs = $core_wg_addr
AllowedIPs = $private_net_cidr
+AllowedIPs = $wild_net_cidr
AllowedIPs = $campus_wg_net_cidr\n";
write_wg_server ("private/front-wg0.conf", \@member_peers,
@@ -6507,7 +6517,7 @@ sub write_wg_client ($$$$$$) {
my $O = new IO::File;
my $DNS = ($type eq "android" ? "
-DNS=$core_addr\nDomain=$domain_priv"
+DNS = $core_addr\nDomain = $domain_priv"
: "
PostUp = resolvectl dns %i $core_addr
PostUp = resolvectl domain %i $domain_priv");
@@ -6521,6 +6531,7 @@ PublicKey = $pubkey
EndPoint = $endpt
AllowedIPs = $server_addr
AllowedIPs = $private_net_cidr
+AllowedIPs = $wild_net_cidr
AllowedIPs = $public_wg_net_cidr
AllowedIPs = $campus_wg_net_cidr\n";
close $O or die "Could not close $file.tmp: $!\n";
diff --git a/inst b/inst
index 4774363..172f501 100755
--- a/inst
+++ b/inst
@@ -58,9 +58,10 @@ sub mysystem (@) {
mysystem "ansible-playbook playbooks/check-inst-vars.yml >/dev/null";
-our ($domain_name, $domain_priv, $private_net_cidr,
+our ($domain_name, $domain_priv,
$front_addr, $front_wg_pubkey, $public_wg_net_cidr, $public_wg_port,
+$private_net_cidr, $wild_net_cidr, $gate_wild_addr,
$gate_wg_pubkey, $campus_wg_net_cidr, $campus_wg_port, $core_addr, $core_wg_pubkey);
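Review bot: The playbook hunk at README.org:5557 removes `$public_wg_port = "{{ public_wg_port }}";` from the generated private/vars.pl, while the `our (...)` lists rewritten at 5535 and inst:58 still declare `$public_wg_port`. Unless the assignment survives elsewhere in the playbook (the tail of this hunk is not visible here), any place inst interpolates that variable now sees undef, which produces at most an "uninitialized value" warning and an empty field in the written config rather than a hard failure. If the removal is intended because the variable is unused, drop it from both `our` lists as well; if not, restore the line `$public_wg_port = "{{ public_wg_port }}";`. The identical change appears in the playbooks/check-inst-vars.yml hunk at line 7 below.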
@@ -428,6 +429,7 @@ PostUp = resolvectl domain %i $domain_priv
PublicKey = $core_wg_pubkey
AllowedIPs = $core_wg_addr
AllowedIPs = $private_net_cidr
+AllowedIPs = $wild_net_cidr
AllowedIPs = $campus_wg_net_cidr\n";
write_wg_server ("private/front-wg0.conf", \@member_peers,
@@ -484,7 +486,7 @@ sub write_wg_client ($$$$$$) {
my $O = new IO::File;
my $DNS = ($type eq "android" ? "
-DNS=$core_addr\nDomain=$domain_priv"
+DNS = $core_addr\nDomain = $domain_priv"
: "
PostUp = resolvectl dns %i $core_addr
PostUp = resolvectl domain %i $domain_priv");
@@ -498,6 +500,7 @@ PublicKey = $pubkey
EndPoint = $endpt
AllowedIPs = $server_addr
AllowedIPs = $private_net_cidr
+AllowedIPs = $wild_net_cidr
AllowedIPs = $public_wg_net_cidr
AllowedIPs = $campus_wg_net_cidr\n";
close $O or die "Could not close $file.tmp: $!\n";
diff --git a/playbooks/check-inst-vars.yml b/playbooks/check-inst-vars.yml
index 81a29ec..9919862 100644
--- a/playbooks/check-inst-vars.yml
+++ b/playbooks/check-inst-vars.yml
@@ -7,15 +7,16 @@
content: |
$domain_name = "{{ domain_name }}";
$domain_priv = "{{ domain_priv }}";
- $private_net_cidr = "{{ private_net_cidr }}";
$front_addr = "{{ front_addr }}";
$front_wg_pubkey = "{{ front_wg_pubkey }}";
$public_wg_net_cidr = "{{ public_wg_net_cidr }}";
- $public_wg_port = "{{ public_wg_port }}";
+ $private_net_cidr = "{{ private_net_cidr }}";
+ $wild_net_cidr = "{{ wild_net_cidr }}";
+ $gate_wild_addr = "{{ gate_wild_addr }}";
$gate_wg_pubkey = "{{ gate_wg_pubkey }}";
diff --git a/roles_t/gate/tasks/main.yml b/roles_t/gate/tasks/main.yml
index 5f062ad..2a57881 100644
--- a/roles_t/gate/tasks/main.yml
+++ b/roles_t/gate/tasks/main.yml
@@ -60,7 +60,7 @@
notify: Apply netplan.
- name: Install UFW.
- become:
+ become: yes
apt: pkg=ufw
- name: Configure UFW policy.
-- 2.25.1