moving vpn to direct configuration

2020-12-26 14:42:53 +01:00 · 2020-12-26 14:42:53 +01:00 · 93e5d39c7b
commit 93e5d39c7b
parent 18d4c99571
6 changed files with 64 additions and 7 deletions
--- a/doc/uncloud-manual-2020-08-01.org
+++ b/doc/uncloud-manual-2020-08-01.org
@ -120,8 +120,7 @@ ALTER ROLE
    #+BEGIN_SRC sh
 psql postgresql://uncloud@2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/uncloud?sslmode
 =require
-    #+END_SRC
-
+g    #+END_SRC

 ** Bootstrap
   - Login via a user so that the user object gets created
@ -145,6 +144,25 @@ psql postgresql://uncloud@2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/unc
   python manage.py import-vat-rates
   #+END_SRC

+** Worker nodes
+   Nodes that realise services (VMHosts, VPNHosts, etc.) need to be
+   accessible from the main node and also need access to the database.
+
+   Workers usually should have an "uncloud" user account, even though
+   strictly speaking the username can be any.
+
+*** WireGuardVPN Server
+    - Allow write access to /etc/wireguard for uncloud user
+    - Allow sudo access to "ip" and "wg"
+
+   #+BEGIN_SRC sh
+   chown uncloud /etc/wireguard/
+   [14:30] vpn-2a0ae5c1200:/etc/sudoers.d# cat uncloud
+   app ALL=(ALL) NOPASSWD:/sbin/ip
+   app ALL=(ALL) NOPASSWD:/usr/bin/wg
+   #+END_SRC
+
+
 * Testing / CLI Access
  Access via the commandline (CLI) can be done using curl or
  httpie. In our examples we will use httpie.
--- a/uncloud/models.py
+++ b/uncloud/models.py
@ -170,3 +170,11 @@ class UncloudTask(models.Model):
    """

    task_id = models.UUIDField(primary_key=True)
+
+# class UncloudRequestLog(models.Model):
+#     """
+#     Class to store requests and logs
+#     """
+
+
+#     log = models.CharField(max_length=256)
--- a/uncloud_net/models.py
+++ b/uncloud_net/models.py
@ -48,6 +48,9 @@ class WireGuardVPNPool(models.Model):

    @property
    def ip_network(self):
+        """
+        Return the IP network based on our address and mask
+        """
        return ipaddress.ip_network(f"{self.network}/{self.network_mask}")

    def __str__(self):
--- a/uncloud_net/services.py
+++ b/uncloud_net/services.py
@ -22,7 +22,6 @@ def create_wireguard_vpn(owner, public_key, network_mask):
        free_lease.delete()

    except WireGuardVPNFreeLeases.DoesNotExist:
-
        # First object
        if count == 0:
            vpn = WireGuardVPN.objects.create(owner=owner,
@ -42,6 +41,11 @@ def create_wireguard_vpn(owner, public_key, network_mask):
                                                   wireguard_public_key=public_key)


+    config = pool.wireguard_config
+    server = pool.vpn_server_hostname
+    wg_name = pool.wg_name
+
+    configure_wireguard_server_on_host.apply_async((wg_name, config),
+                                                   queue=server)

-    configure_wireguard_server(pool)
    return vpn
--- a/uncloud_net/tasks.py
+++ b/uncloud_net/tasks.py
@ -8,6 +8,7 @@ import subprocess
 import logging
 import uuid

+
 log = logging.getLogger(__name__)

@shared_task
@ -15,7 +16,30 @@ def whereami():
    print(os.uname())
    return os.uname()

-def configure_wireguard_server(wireguardvpnpool):
+@shared_task
+def configure_wireguard_server_on_host(wg_name, config):
+    """
+    - Create wireguard config (DB query -> string)
+    - Submit config to cdist worker
+    - Change config locally on worker / commit / shared
+    """
+
+    # Write config
+    fname = f"/etc/wireguard/{{wg_name}}.conf"
+    with open(fname, "w") as fd:
+        fd.write(config)
+
+    # Ensure the device exists
+    subprocess.run(f"ip link show {{wg_name}} || sudo ip link add {{wg_name}} type wireguard",
+                   shell=True, check=True)
+
+    # Ensure the config is correct
+    subprocess.run(f"sudo wg setconf {{wg_name}} {{fname}}",
+                   shell=True, check=True)
+
+
+
+def configure_wireguard_server_via_cdist(wireguardvpnpool):
    """
    - Create wireguard config (DB query -> string)
    - Submit config to cdist worker
@ -37,7 +61,7 @@ def cdist_configure_wireguard_server(config, server):
    """
    Create config and configure server.

-    To be executed on the cdist workers.
+    To be executed on the cdist worker.
    """

    dirname= "/home/app/.cdist/type/__ungleich_wireguard/files/"
--- a/uncloud_pay/tasks.py
+++ b/uncloud_pay/tasks.py
@ -6,6 +6,6 @@ from uncloud.models import UncloudTask

@shared_task(bind=True)
 def check_balance(self):
-    UncloudTask.objects.create(task_id=self.id)
+    UncloudTask.objects.create(task_id=self.request.id)
    print("for each user res is 50")
    return 50