feat: add support for wireguard vpn #80
Open
iambaboucarr wants to merge 14 commits into
- Added validation tasks to ensure each VPN peer has required fields (name, public_key, allowed_ips) and that allowed_ips are unique.
- Updated comments and documentation for clarity regarding VPN access restrictions.
- Adjusted firewall rules and monitoring configurations to support the new setup.

- Modified .gitignore to allow specific files in group_vars and host_vars directories.
- Updated hosts.template to reflect changes in configuration file paths.
- Added vars.yml for WireGuard VPN peers configuration, including key generation instructions.

- Modified the pg_hba.conf entry for VPN users to use 'hostssl' instead of 'host', enforcing SSL connections for added security.
- Updated documentation to reflect the change in access requirements, emphasizing the need for SSL even with VPN encryption.

- Added conditional logic to Apache2 and Nginx instance templates to enable Glowroot monitoring only when not locked down by WireGuard settings.
- Updated tasks to re-render instance configurations for both Apache2 and Nginx without Glowroot proxy blocks based on the defined conditions.

…erver-side
- Introduced `wireguard_auto_generate_keys` and `wireguard_auto_generate_psk` options to allow server-side key generation for clients, simplifying peer configuration.
- Updated validation tasks to ensure peers have required fields based on the key generation mode.
- Enhanced documentation to clarify the new configuration options and their implications for client setup.
- Added tasks for generating client keys and managing orphaned key files, improving overall management of WireGuard peers.

- Introduced a dedicated LXD container for the WireGuard hub, improving isolation and management of VPN services.
- Updated playbook to include tasks for provisioning the hub container, managing UDP port forwarding, and generating peer configurations.
- Enhanced peer setup tasks to pull configurations from the hub, ensuring secure and consistent VPN access for app containers.
- Refactored existing tasks to streamline the WireGuard role, removing deprecated server setup tasks and improving overall clarity and maintainability.
…atures
- Introduced `playbooks/wireguard.yml` for standalone WireGuard mesh setup, allowing for easier debugging and management.
- Added `playbooks/wireguard-lockdown.yml` to restrict access to Grafana, Prometheus, Munin, Glowroot, and PostgreSQL to the VPN subnet.
- Updated `dhis2.yml` to auto-import the new playbooks, streamlining the deployment process.
- Refactored instance configuration templates to conditionally remove Glowroot proxy blocks based on lockdown settings.
- Adjusted role defaults and tasks to improve clarity and maintainability, including disabling legacy monitoring lockdown behavior.
- Enhanced `wireguard.yml` to accurately capture the deployment mode from the wireguard hub host's hostvars, ensuring correct behavior in LXD environments.
- Added a new task in `hub.yml` to wait for LXD connection readiness, improving reliability during the deployment process.
- Introduced a wait task in `lxd_container.yml` for cloud-init completion, preventing race conditions that could lead to installation failures.
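The peer validation the commit messages describe (every peer needs `name`, `public_key` and `allowed_ips`; `public_key` is not required when `wireguard_auto_generate_keys` is on; `allowed_ips` must be unique across peers) can be expressed as a small standalone check. The block below is an added Python example, not code from this PR or from the project's Ansible role: the sample peer list and dummy keys are constructed, and the extra check that a `public_key` decodes to 32 bytes of base64 (the size of a WireGuard Curve25519 key) is an assumption beyond what the PR states. In the playbook these rules run as Ansible validation tasks against `vars.yml`; here they run on a plain list of dicts so the failure cases can be exercised offline.

```python
import base64
import ipaddress

# Constructed sample data (not from the project). The keys are dummy 32-byte
# values encoded the way WireGuard expects (44-character base64).
DUMMY_KEY_A = base64.b64encode(bytes([1] * 32)).decode()
DUMMY_KEY_B = base64.b64encode(bytes([2] * 32)).decode()

SAMPLE_PEERS = [
    {"name": "laptop", "public_key": DUMMY_KEY_A, "allowed_ips": "10.8.0.2/32"},
    {"name": "pgadmin-workstation", "public_key": DUMMY_KEY_B, "allowed_ips": "10.8.0.3/32"},
]


def _key_error(key):
    """Return an error string if key is not a 32-byte base64 value, else None.

    Assumption: WireGuard public keys are 32 raw bytes, base64-encoded.
    """
    try:
        raw = base64.b64decode(key, validate=True)
    except (ValueError, TypeError):
        return "public_key is not valid base64"
    if len(raw) != 32:
        return f"public_key decodes to {len(raw)} bytes, expected 32"
    return None


def validate_peers(peers, auto_generate_keys=False):
    """Return a list of error strings; an empty list means the peer list is valid.

    auto_generate_keys mirrors the role's wireguard_auto_generate_keys switch:
    when True the hub generates the client keypair, so public_key is optional.
    """
    errors = []
    seen_names = set()
    seen_ips = {}  # normalised CIDR -> name of the peer that claimed it first
    for idx, peer in enumerate(peers):
        name = peer.get("name")
        label = name or f"peer[{idx}]"

        if not name:
            errors.append(f"{label}: missing required field 'name'")
        elif name in seen_names:
            errors.append(f"{label}: duplicate peer name")
        else:
            seen_names.add(name)

        key = peer.get("public_key")
        if auto_generate_keys:
            pass  # server-side key generation: public_key is not required
        elif not key:
            errors.append(f"{label}: missing required field 'public_key'")
        else:
            key_err = _key_error(key)
            if key_err:
                errors.append(f"{label}: {key_err}")

        allowed = peer.get("allowed_ips")
        if not allowed:
            errors.append(f"{label}: missing required field 'allowed_ips'")
            continue
        if isinstance(allowed, str):
            allowed = [a.strip() for a in allowed.split(",") if a.strip()]
        for cidr in allowed:
            try:
                # Normalise so "10.8.0.2" and "10.8.0.2/32" compare equal.
                net = str(ipaddress.ip_network(cidr, strict=False))
            except ValueError:
                errors.append(f"{label}: allowed_ips entry {cidr!r} is not a valid CIDR")
                continue
            owner = seen_ips.get(net)
            if owner is not None and owner != label:
                # Two peers claiming the same AllowedIPs would make the hub
                # route one client's traffic to the other, so reject it.
                errors.append(f"{label}: allowed_ips {net} already assigned to {owner}")
            else:
                seen_ips.setdefault(net, label)
    return errors


if __name__ == "__main__":
    for err in validate_peers(SAMPLE_PEERS) or ["peer list is valid"]:
        print(err)
```

Running the module on `SAMPLE_PEERS` prints `peer list is valid`; adding a third peer that reuses `10.8.0.2` produces a single `already assigned to laptop` error, and omitting `public_key` is only accepted when `auto_generate_keys=True`.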
This PR adds support for WireGuard VPN.
Screenshots attached to the PR:

- WireGuard local client
- Glowroot local access (via WireGuard)
- Grafana local access (via WireGuard)
- DB access via local PgAdmin client (via WireGuard)