moving vpn to direct configuration

This commit is contained in:
Nico Schottelius 2020-12-26 14:42:53 +01:00
parent 18d4c99571
commit 93e5d39c7b
6 changed files with 64 additions and 7 deletions


@ -120,8 +120,7 @@ ALTER ROLE
#+BEGIN_SRC sh #+BEGIN_SRC sh
psql postgresql://uncloud@2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/uncloud?sslmode psql postgresql://uncloud@2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/uncloud?sslmode
=require =require
#+END_SRC g #+END_SRC
** Bootstrap ** Bootstrap
- Login via a user so that the user object gets created - Login via a user so that the user object gets created
@ -145,6 +144,25 @@ psql postgresql://uncloud@2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/unc
python manage.py import-vat-rates python manage.py import-vat-rates
#+END_SRC #+END_SRC
** Worker nodes
Nodes that realise services (VMHosts, VPNHosts, etc.) need to be
accessible from the main node and also need access to the database.
Workers usually should have an "uncloud" user account, even though
strictly speaking the username can be any.
*** WireGuardVPN Server
- Allow write access to /etc/wireguard for uncloud user
- Allow sudo access to "ip" and "wg"
#+BEGIN_SRC sh
chown uncloud /etc/wireguard/
[14:30] vpn-2a0ae5c1200:/etc/sudoers.d# cat uncloud
app ALL=(ALL) NOPASSWD:/sbin/ip
app ALL=(ALL) NOPASSWD:/usr/bin/wg
#+END_SRC
* Testing / CLI Access * Testing / CLI Access
Access via the commandline (CLI) can be done using curl or Access via the commandline (CLI) can be done using curl or
httpie. In our examples we will use httpie. httpie. In our examples we will use httpie.


@ -170,3 +170,11 @@ class UncloudTask(models.Model):
""" """
task_id = models.UUIDField(primary_key=True) task_id = models.UUIDField(primary_key=True)
# class UncloudRequestLog(models.Model):
# """
# Class to store requests and logs
# """
# log = models.CharField(max_length=256)
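Review bot: The added UncloudRequestLog block at the end of the hunk is commented-out code, not a model, so it is never migrated or loaded and will silently rot next to the live UncloudTask definition. If the request log is planned work, a one-line marker such as `# TODO: add UncloudRequestLog model (log field, max_length=256)` carries the intent without dead code; otherwise the five lines should be dropped. The UncloudTask class begins outside the hunk.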


@ -48,6 +48,9 @@ class WireGuardVPNPool(models.Model):
@property @property
def ip_network(self): def ip_network(self):
"""
Return the IP network based on our address and mask
"""
return ipaddress.ip_network(f"{self.network}/{self.network_mask}") return ipaddress.ip_network(f"{self.network}/{self.network_mask}")
def __str__(self): def __str__(self):


@ -22,7 +22,6 @@ def create_wireguard_vpn(owner, public_key, network_mask):
free_lease.delete() free_lease.delete()
except WireGuardVPNFreeLeases.DoesNotExist: except WireGuardVPNFreeLeases.DoesNotExist:
# First object # First object
if count == 0: if count == 0:
vpn = WireGuardVPN.objects.create(owner=owner, vpn = WireGuardVPN.objects.create(owner=owner,
@ -42,6 +41,11 @@ def create_wireguard_vpn(owner, public_key, network_mask):
wireguard_public_key=public_key) wireguard_public_key=public_key)
config = pool.wireguard_config
server = pool.vpn_server_hostname
wg_name = pool.wg_name
configure_wireguard_server_on_host.apply_async((wg_name, config),
queue=server)
configure_wireguard_server(pool)
return vpn return vpn
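Review bot: The new call `configure_wireguard_server(pool)` on the line before `return vpn` names a function that the tasks.py hunk of this same commit renames to `configure_wireguard_server_via_cdist`; unless `configure_wireguard_server` is still defined or imported somewhere outside these hunks, the first VPN creation fails with NameError. If the intent is the new on-host task, the call would be `configure_wireguard_server_on_host.apply_async((pool.wg_name, pool.wireguard_config), queue=pool.vpn_server_hostname)`; if cdist is still intended, `configure_wireguard_server_via_cdist(pool)`. Either way the call happens after `WireGuardVPN.objects.create(...)`, so a failure here leaves the VPN row created but the server unconfigured, which is worth a comment or a try/except that logs which object needs reconciliation. create_wireguard_vpn's body begins outside the hunk.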


@ -8,6 +8,7 @@ import subprocess
import logging import logging
import uuid import uuid
log = logging.getLogger(__name__) log = logging.getLogger(__name__)
@shared_task @shared_task
@ -15,7 +16,30 @@ def whereami():
print(os.uname()) print(os.uname())
return os.uname() return os.uname()
def configure_wireguard_server(wireguardvpnpool): @shared_task
def configure_wireguard_server_on_host(wg_name, config):
"""
- Create wireguard config (DB query -> string)
- Submit config to cdist worker
- Change config locally on worker / commit / shared
"""
# Write config
fname = f"/etc/wireguard/{{wg_name}}.conf"
with open(fname, "w") as fd:
fd.write(config)
# Ensure the device exists
subprocess.run(f"ip link show {{wg_name}} || sudo ip link add {{wg_name}} type wireguard",
shell=True, check=True)
# Ensure the config is correct
subprocess.run(f"sudo wg setconf {{wg_name}} {{fname}}",
shell=True, check=True)
def configure_wireguard_server_via_cdist(wireguardvpnpool):
""" """
- Create wireguard config (DB query -> string) - Create wireguard config (DB query -> string)
- Submit config to cdist worker - Submit config to cdist worker
@ -37,7 +61,7 @@ def cdist_configure_wireguard_server(config, server):
""" """
Create config and configure server. Create config and configure server.
To be executed on the cdist workers. To be executed on the cdist worker.
""" """
dirname= "/home/app/.cdist/type/__ungleich_wireguard/files/" dirname= "/home/app/.cdist/type/__ungleich_wireguard/files/"
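Review bot: In configure_wireguard_server_on_host the f-strings use doubled braces (`{{wg_name}}`, `{{fname}}`), which an f-string emits as literal braces, so the config is written to the literal path `/etc/wireguard/{wg_name}.conf` and the `ip`/`wg` commands operate on a device literally named `{wg_name}`. The same lines build commands with `shell=True` from the interpolated name; passing argv lists with the default `shell=False` removes the shell from the path entirely, so an unusual `wg_name` value can no longer be interpreted as shell syntax, and the `||` conditional becomes an explicit returncode check as below. The docstring is copied from the cdist variant and should describe what this task does, e.g. `"""Write *config* to /etc/wireguard/<wg_name>.conf on this worker and apply it with wg setconf."""`. If the written config contains the interface's private key (not visible here), consider creating the file with mode 0o600 via `os.open` rather than the default umask.
```python
@shared_task
def configure_wireguard_server_on_host(wg_name, config):
    """Write *config* to /etc/wireguard/<wg_name>.conf on this worker and apply it with wg setconf."""
    # Write config
    fname = f"/etc/wireguard/{wg_name}.conf"
    with open(fname, "w") as fd:
        fd.write(config)
    # Ensure the device exists; argv lists keep wg_name a single argument, never shell text
    if subprocess.run(["ip", "link", "show", wg_name], check=False).returncode != 0:
        subprocess.run(["sudo", "ip", "link", "add", wg_name, "type", "wireguard"],
                       check=True)
    # Ensure the config is correct
    subprocess.run(["sudo", "wg", "setconf", wg_name, fname], check=True)
```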


@ -6,6 +6,6 @@ from uncloud.models import UncloudTask
@shared_task(bind=True) @shared_task(bind=True)
def check_balance(self): def check_balance(self):
UncloudTask.objects.create(task_id=self.id) UncloudTask.objects.create(task_id=self.request.id)
print("for each user res is 50") print("for each user res is 50")
return 50 return 50