# Network

Our infrastructure may have machines across multiple locations. We need to ensure that all machines can communicate with each other, even if they are behind a NAT. To allow such a configuration, we will be using a VPN, more precisely WireGuard. This also has the advantage of encrypting all traffic going between nodes.

To ease the installation process, the installation is handled by [Jawher Moussa's ansible playbook](https://github.com/jawher/automation-wireguard).

## Configuration

When adding a new host to the inventory, the following entry needs to be added:

```yaml
all:
  hosts:
    <hostname>:            # the host's inventory name
      wireguard_ip: [...]  # the host's unique address inside the WireGuard subnet
```

The `wireguard_ip` is the unique IP address the host will use to communicate with the other hosts. It is also recommended to change the `wireguard_port` in `inventory/*/group_vars/all.yml` to a random port for added obfuscation. Lastly, you can modify the `wireguard_mask_bits` to change the size of the subnet, but it is recommended to keep it at 8 for 254 IPs.

### UFW

For added security, UFW can be installed, but it isn't enabled by default with these playbooks. To enable it, set the `enable_ufw` variable to `true` in `inventory/*/group_vars/all.yml`. You will need to read more about the playbook's documentation [here](https://github.com/jawher/automation-wireguard).

## Installation

To install WireGuard on all hosts, run the following commands:

```bash
# Select the desired environment (the directory name under inventory/)
export ENV=<environment>

# Install WireGuard
make wg
```
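Before running `make wg`, it is worth checking that the inventory is consistent: every host has a `wireguard_ip`, no two hosts share one, all addresses fall inside the tunnel subnet, and `wireguard_port` has actually been moved off the well-known default. The script below is an added example, not part of this page or of the playbook it references. It takes the inventory and `group_vars/all.yml` as the dictionaries `yaml.safe_load()` would return (the sample data is constructed, with made-up host names and addresses), assumes `wireguard_mask_bits` is the prefix length of the tunnel subnet, and treats 51820 as WireGuard's default port.

```python
"""Sanity-check WireGuard addressing in an Ansible inventory before running `make wg`."""
import ipaddress

# Constructed sample data: the shape yaml.safe_load() returns for
# inventory/<env>/hosts.yml and inventory/<env>/group_vars/all.yml.
# Host names and addresses are invented for this example.
SAMPLE_INVENTORY = {
    "all": {
        "hosts": {
            "node-a": {"wireguard_ip": "10.8.0.1"},
            "node-b": {"wireguard_ip": "10.8.0.2"},
            "node-c": {"wireguard_ip": "10.8.0.2"},   # duplicate of node-b: flagged
            "node-d": {"wireguard_ip": "10.9.0.4"},   # outside the /24 tunnel subnet: flagged
            "node-e": {},                             # no wireguard_ip at all: flagged
        }
    }
}
SAMPLE_GROUP_VARS = {"wireguard_port": 51820, "wireguard_mask_bits": 24}

WIREGUARD_DEFAULT_PORT = 51820  # the port WireGuard listens on unless told otherwise


def validate_wireguard_inventory(inventory, group_vars):
    """Return a list of human-readable problems; an empty list means the inventory is consistent."""
    problems = []
    hosts = inventory.get("all", {}).get("hosts", {}) or {}
    mask_bits = int(group_vars.get("wireguard_mask_bits", 24))

    seen = {}        # address -> first host that claimed it
    network = None   # tunnel subnet, derived from the first valid address and mask_bits
    for name, host_vars in sorted(hosts.items()):
        raw = (host_vars or {}).get("wireguard_ip")
        if raw is None:
            problems.append(f"{name}: missing wireguard_ip")
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            problems.append(f"{name}: '{raw}' is not a valid IP address")
            continue

        if network is None:
            # The first valid host anchors the subnet; every other host must sit inside it.
            network = ipaddress.ip_network(f"{addr}/{mask_bits}", strict=False)
        elif addr not in network:
            problems.append(f"{name}: {addr} is outside the tunnel subnet {network}")

        if addr in seen:
            problems.append(f"{name}: wireguard_ip {addr} already used by {seen[addr]}")
        else:
            seen[addr] = name

    # A default port is trivially fingerprinted; the page recommends picking a random one.
    port = int(group_vars.get("wireguard_port", WIREGUARD_DEFAULT_PORT))
    if port == WIREGUARD_DEFAULT_PORT:
        problems.append(f"wireguard_port is the well-known default {WIREGUARD_DEFAULT_PORT}; pick a random port")
    elif not 1024 <= port <= 65535:
        problems.append(f"wireguard_port {port} is outside the usable range 1024-65535")

    return problems


if __name__ == "__main__":
    for problem in validate_wireguard_inventory(SAMPLE_INVENTORY, SAMPLE_GROUP_VARS):
        print("PROBLEM:", problem)
```

Run against the sample data it reports four problems (the duplicate address, the host outside the subnet, the host with no address, and the default port); run against a real inventory, load the two YAML files with `yaml.safe_load()` and pass the resulting dictionaries in. Checking this before the playbook runs is cheaper than debugging two peers that silently fight over the same tunnel address.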