wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-08-10 23:03:03 +02:00
Code Issues Projects Releases Wiki Activity

Move to netaddr filter

Browse source
This commit is contained in:
Jack Ivanov 2019-05-14 18:11:13 +02:00
parent f7d0451275
commit 630f1224e2
5 changed files with 23 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
config.cfg
View file

@ -40,20 +40,8 @@ wireguard_port: 51820
wireguard_PersistentKeepalive: 0
# WireGuard network configuration
_wireguard_network_ipv4:
subnet: 10.19.49.0
prefix: 24
gateway: 10.19.49.1
clients_range: 10.19.49
clients_start: 2
_wireguard_network_ipv6:
subnet: 'fd9d:bc11:4021::'
prefix: 48
gateway: 'fd9d:bc11:4021::1'
clients_range: 'fd9d:bc11:4021::'
clients_start: 2
wireguard_network_ipv4: "{{ _wireguard_network_ipv4['subnet'] }}/{{ _wireguard_network_ipv4['prefix'] }}"
wireguard_network_ipv6: "{{ _wireguard_network_ipv6['subnet'] }}/{{ _wireguard_network_ipv6['prefix'] }}"
wireguard_network_ipv4: 10.19.49.0/24
wireguard_network_ipv6: fd9d:bc11:4021::/48
# Reduce the MTU of the VPN tunnel
# Some cloud and internet providers use a smaller MTU (Maximum Transmission
@ -101,16 +89,8 @@ dns_servers:
- 2606:4700:4700::1001
# Randomly generated IP address for the local dns resolver
local_service_ip: >-
10.
{{- 255 | random(start=20, seed=algo_server_name + ansible_fqdn + 'second') }}.
{{- 255 | random(seed=algo_server_name + ansible_fqdn + 'third') }}.
{{- 255 | random(seed=algo_server_name + ansible_fqdn + 'fourth') }}
local_service_ipv6: >-
FD{{ 99 | random(seed=algo_server_name + ansible_fqdn + 'first') }}:
{{- 9999 | random(seed=algo_server_name + ansible_fqdn + 'second') }}:
{{- 9999 | random(seed=algo_server_name + ansible_fqdn + 'third') }}:
{{- 9999 | random(seed=algo_server_name + ansible_fqdn + 'fourth') }}::1
local_service_ip: "{{ '172.16.0.1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
local_service_ipv6: "{{ 'fd00::1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
# Your Algo server will automatically install security updates. Some updates
# require a reboot to take effect but your Algo server will not reboot itself

14
main.yml
View file

@ -2,11 +2,19 @@
- hosts: localhost
become: false
tasks:
- name: Verify Ansible meets Drupal VM's version requirements.
- name: Ensure the requirements installed
debug:
msg: "{{ '' | ipaddr }}"
ignore_errors: true
no_log: true
register: ipaddr
- name: Verify Ansible meets Algo VPN requirements.
assert:
that: "ansible_version.full is version('2.7.10', '==')"
that:
- ansible_version.full is version('2.7.10', '==')
- not ipaddr.failed
msg: >
Ansible version is {{ ansible_version.full }}.
You must update the requirements to use this version of Algo.
Try to run python -m pip install -U -r requirements.txt

1
requirements.txt
View file

@ -1 +1,2 @@
ansible==2.7.10
netaddr

8
roles/wireguard/defaults/main.yml
View file

@ -10,5 +10,9 @@ wireguard_dns_servers: >-
{% else %}
{% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
{% endif %}
wireguard_client_ip: "{{ _wireguard_network_ipv4['clients_range'] }}.{{ _wireguard_network_ipv4['clients_start'] + index|int + 1 }}/{{ _wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ _wireguard_network_ipv6['clients_range'] }}{{ _wireguard_network_ipv6['clients_start'] + index|int + 1 }}/{{ _wireguard_network_ipv6['prefix'] }}{% endif %}"
wireguard_server_ip: "{{ _wireguard_network_ipv4['gateway'] }}/{{ _wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ _wireguard_network_ipv6['gateway'] }}/{{ _wireguard_network_ipv6['prefix'] }}{% endif %}"
wireguard_client_ip: >-
{{ wireguard_network_ipv4 | ipaddr(index|int+2) }}
{{ ',' + wireguard_network_ipv6 | ipaddr(index|int+2) if ipv6_support else '' }}
wireguard_server_ip: >-
{{ wireguard_network_ipv4 | ipaddr('1') }}
{{ ',' + wireguard_network_ipv6 | ipaddr('1') if ipv6_support else '' }}

3
roles/wireguard/templates/server.conf.j2
View file

@ -11,7 +11,6 @@ SaveConfig = false
[Peer]
# {{ u }}
PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + u) }}
AllowedIPs = {{ _wireguard_network_ipv4['clients_range'] }}.{{ _wireguard_network_ipv4['clients_start'] + index }}/32{% if ipv6_support %},{{ _wireguard_network_ipv6['clients_range'] }}{{ _wireguard_network_ipv6['clients_start'] + index }}/128{% endif %}
AllowedIPs = {{ wireguard_network_ipv4 | ipaddr(index|int+1) }}{{ ',' + wireguard_network_ipv6 | ipaddr(index) if ipv6_support else '' }}
{% endif %}
{% endfor %}