Network
Our infrastructure may have machines across multiple locations. We need to ensure that all machines can communicate with each other, even when they are behind NAT. To allow such a configuration we use a VPN, more precisely WireGuard, which also has the advantage of encrypting all traffic between nodes.
Installation is handled by Jawher Moussa's Ansible playbook, which keeps the setup process simple.
Configuration
When adding a new host to the inventory, the following entry needs to be added:
all:
  hosts:
    <hostname>:
      wireguard_ip: <wireguard_ip>
      [...]
The wireguard_ip is the unique IP address the host will use to communicate with the other hosts; it must not collide with any other host's address in the inventory.
It is also recommended to change the wireguard_port in inventory/*/group_vars/all.yml to a random port for added obfuscation. Note that a non-default port only hides the service from casual scanning; the actual protection comes from WireGuard's key-based authentication and encryption.
Lastly, you can modify the wireguard_mask_bits to change the size of the subnet, but it is recommended to keep it at 8 for 254 IPs.
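The address rules above (unique wireguard_ip per host, all hosts inside one subnet, a port other than WireGuard's default) are easy to get wrong in a growing inventory. The following Python check is an added example and not part of the page or of the playbook; it works on the parsed form of the inventory (a dict, constructed inline here with made-up hostnames and addresses, standing in for inventory/<env>/hosts.yml and group_vars/all.yml) and assumes that wireguard_mask_bits counts host bits, as the page's "8 for 254 IPs" suggests, so the prefix length is 32 - wireguard_mask_bits.

```python
"""Sanity-check WireGuard address assignments in an Ansible inventory.

Added example, not part of the playbook. It flags the mistakes that silently
break or weaken the mesh: duplicate or out-of-subnet addresses, the network or
broadcast address used as a host address, and an invalid or default port.
Assumption: wireguard_mask_bits counts host bits ("8 for 254 IPs"), so the
prefix length is 32 - wireguard_mask_bits.
"""
import ipaddress

# Constructed sample: the parsed form of inventory/<env>/hosts.yml and
# inventory/<env>/group_vars/all.yml. Hostnames and addresses are made up.
SAMPLE_HOSTS = {
    "node-a": {"wireguard_ip": "10.8.0.1"},
    "node-b": {"wireguard_ip": "10.8.0.2"},
    "node-c": {"wireguard_ip": "10.8.0.2"},    # duplicate of node-b
    "node-d": {"wireguard_ip": "10.9.0.5"},    # outside node-a's /24
    "node-e": {"wireguard_ip": "10.8.0.255"},  # broadcast address of the /24
}
SAMPLE_GROUP_VARS = {"wireguard_port": 51820, "wireguard_mask_bits": 8}

WIREGUARD_DEFAULT_PORT = 51820  # WireGuard's conventional default UDP port


def wireguard_subnet(reference_ip, mask_bits):
    """Subnet implied by one host's address and the host-bit count (assumption above)."""
    prefix = 32 - int(mask_bits)
    return ipaddress.ip_network(f"{reference_ip}/{prefix}", strict=False)


def check_inventory(hosts, group_vars):
    """Return a list of problem descriptions; an empty list means the inventory is consistent."""
    problems = []
    mask_bits = group_vars.get("wireguard_mask_bits", 8)
    port = group_vars.get("wireguard_port")

    # Port: must be a real UDP port, and the page recommends moving off the default.
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"wireguard_port {port!r} is not a valid UDP port")
    elif port == WIREGUARD_DEFAULT_PORT:
        problems.append(f"wireguard_port is the WireGuard default {port}; pick a random port")

    # Parse every host's wireguard_ip, reporting missing or malformed values.
    addrs = {}
    for name, host_vars in hosts.items():
        raw = host_vars.get("wireguard_ip")
        if raw is None:
            problems.append(f"{name}: missing wireguard_ip")
            continue
        try:
            addrs[name] = ipaddress.ip_address(raw)
        except ValueError:
            problems.append(f"{name}: wireguard_ip {raw!r} is not an IP address")
    if not addrs:
        return problems

    # The first host's address anchors the subnet every other host must live in.
    first_name = next(iter(addrs))
    net = wireguard_subnet(addrs[first_name], mask_bits)

    seen = {}
    for name, ip in addrs.items():
        if ip in seen:
            problems.append(f"{name}: wireguard_ip {ip} duplicates {seen[ip]}")
        else:
            seen[ip] = name
        if ip not in net:
            problems.append(f"{name}: wireguard_ip {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: wireguard_ip {ip} is the network or broadcast address of {net}")
    return problems


if __name__ == "__main__":
    for problem in check_inventory(SAMPLE_HOSTS, SAMPLE_GROUP_VARS):
        print("PROBLEM:", problem)
```

Run it before `make wg` whenever a host is added; the constructed sample deliberately contains a duplicate address, an address outside the subnet, a broadcast address and the default port, so it reports four problems, while a clean two-host inventory on a non-default port reports none.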
UFW
For added security, UFW can be installed, but it is not enabled by default with these playbooks. To enable it, set the enable_ufw variable to true in inventory/*/group_vars/all.yml.
See the playbook's documentation for the details of what the firewall rules cover.
Installation
To install Wireguard on all hosts, run the following commands:
# Select the desired environment
export ENV=<environment>
# Install Wireguard
make wg