Support multi-peer site connections and unify node access structure, enhance tproxy configuration flexibility:

- Merge hubs and sites into node_map for unified access
- Refactor xray tproxy to use node_map and xray_xxx variables
- Update tproxy-config.json template references accordingly
- Add vpn-keys entries for us-proxy, ca-proxy and icp-huawei
- Support list format for wireguard_peer to allow multiple peer connections
This commit is contained in:
Haitao Pan 2025-05-14 17:50:37 +08:00
parent 3f092026af
commit a1aa9fc5fd
5 changed files with 173 additions and 129 deletions


@ -20,10 +20,21 @@
| list | first }}
features: "{{ overlay_data.features }}"
- name: 标准化 wireguard_peer 为列表
set_fact:
wireguard_peers: >-
{{ [current_node.wireguard_peer] if current_node.wireguard_peer is string else current_node.wireguard_peer }}
- name: 提取对端 peer 节点列表
set_fact:
peer_node_list: "{{ (overlay_data.sites + overlay_data.hubs) | selectattr('name', 'equalto', current_node.wireguard_peer) | list }}"
peer_key_list: "{{ overlay_keys['keys'] | selectattr('name', 'equalto', current_node.wireguard_peer) | list }}"
peer_node_list: >-
{{ (overlay_data.sites + overlay_data.hubs)
| selectattr('name', 'in', wireguard_peers)
| list }}
peer_key_list: >-
{{ overlay_keys['keys']
| selectattr('name', 'in', wireguard_peers)
| list }}
- name: 校验 wireguard_peer 是否匹配成功
fail:
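Review bot: A name in `wireguard_peers` that matches no entry in `overlay_data.sites + overlay_data.hubs` or in `overlay_keys['keys']` is silently dropped by the `selectattr('name', 'in', wireguard_peers)` filters that build `peer_node_list` and `peer_key_list`, so a site that lists two peers with one mistyped name would get WireGuard config for only the surviving peer and no error. The validation task that starts at `fail:` continues outside the hunk; it should compare counts rather than only non-emptiness, e.g. `when: (peer_node_list | length) != (wireguard_peers | length) or (peer_key_list | length) != (wireguard_peers | length)`. The normalisation step also evaluates `current_node.wireguard_peer is string` before anything guards against the key being absent, so a node without `wireguard_peer` fails with an undefined-variable error rather than reaching the validation message; `{{ [current_node.wireguard_peer] if current_node.wireguard_peer is string else (current_node.wireguard_peer | default([])) }}` would not help the `is string` test either, so consider a preceding `assert` that `current_node.wireguard_peer is defined`.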


@ -13,16 +13,28 @@
sites_map: "{{ dict(overlay_config.sites | map(attribute='name') | zip(overlay_config.sites)) }}"
when: overlay_config.sites is defined
- name: Convert all nodes (hubs + sites) to one dict as node_map
set_fact:
node_map: >-
{{ dict((overlay_config.hubs + overlay_config.sites)
| map(attribute='name')
| zip(overlay_config.hubs + overlay_config.sites)) }}
- name: 显示主机名
debug:
var: overlay_config
when: debug | default(false)
var: node_map
when: debug | default(true)
- name: Show value for this node
debug:
msg: "{{ node_map[inventory_hostname] }}"
when: debug | default(true)
- set_fact:
xray_uuid: "{{ hubs_map[inventory_hostname].xray.uuid }}"
xray_remote_domain: "{{ hubs_map[inventory_hostname].xray.remote_domain }}"
xray_cert_path: "{{ hubs_map[inventory_hostname].xray.cert_path }}"
xray_key_path: "{{ hubs_map[inventory_hostname].xray.key_path }}"
xray_uuid: "{{ node_map[inventory_hostname].xray.uuid }}"
xray_remote_domain: "{{ node_map[inventory_hostname].xray.remote_domain }}"
xray_cert_path: "{{ node_map[inventory_hostname].xray.cert_path }}"
xray_key_path: "{{ node_map[inventory_hostname].xray.key_path }}"
- name: Install Xray using official script
shell: |
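Review bot: The two debug tasks at `var: node_map` and `msg: "{{ node_map[inventory_hostname] }}"` now run unless `debug` is explicitly set to false (`default(true)`), and `node_map` carries every node's `xray.uuid`, which the tproxy-config template in this commit renders as the VLESS client `"id"`; that credential is therefore printed to the play output and any log collector by default. Keep `when: debug | default(false)` on both debug tasks and add `no_log: true` to the `set_fact` task that copies `node_map[inventory_hostname].xray.uuid` into `xray_uuid`. Separately, the `node_map` expression concatenates `overlay_config.hubs + overlay_config.sites` unconditionally while the preceding `sites_map` task is guarded by `when: overlay_config.sites is defined`; `(overlay_config.hubs | default([])) + (overlay_config.sites | default([]))` keeps the task from failing when only one of the two keys exists, and it is worth a comment that `dict(...)` silently keeps the last entry when a hub and a site share a name.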


@ -11,8 +11,8 @@
"port": 51830,
"protocol": "dokodemo-door",
"settings": {
"address": "{{ hubs_map[inventory_hostname].xray.relay_address }}",
"port": {{ hubs_map[inventory_hostname].xray.relay_port }},
"address": "{{ xray_remote_domain }}",
"port": 51820,
"network": "udp"
}
}
@ -23,11 +23,11 @@
"settings": {
"vnext": [
{
"address": "{{ hubs_map[inventory_hostname].xray.relay_address }}",
"address": "{{ xray_remote_domain }}",
"port": 1443,
"users": [
{
"id": "{{ hubs_map[inventory_hostname].xray.uuid }}",
"id": "{{ xray_uuid }}",
"encryption": "none",
"flow": "xtls-rprx-vision"
}
@ -39,7 +39,7 @@
"network": "tcp",
"security": "tls",
"tlsSettings": {
"serverName": "{{ hubs_map[inventory_hostname].xray.remote_domain }}",
"serverName": "{{ xray_remote_domain }}",
"allowInsecure": false,
"fingerprint": "chrome"
}
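Review bot: The dokodemo-door inbound now hard-codes `"port": 51820,` where the previous template read `relay_port` from the node's xray mapping, and the vars file in this same commit still defines `relay_address` and `relay_port: '51820'` on every site, so those keys have become dead configuration and a site that needs a different relay port can no longer express it. Prefer keeping the value data-driven, e.g. `"port": {{ xray_relay_port | default(51820) }},` with `xray_relay_port` set next to the other `xray_*` facts from `node_map[inventory_hostname].xray.relay_port`, or remove `relay_address`/`relay_port` from the vars so there is a single source of truth. The `"address"` switch from `relay_address` to `xray_remote_domain` is behaviour-preserving only because both carry the same value in the vars shown; that coupling deserves a comment in the template. The enclosing inbound and outbound objects continue outside the hunks.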


@ -1,30 +1,4 @@
keys:
- name: master-1
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
35363663306235633966383634393535366462633039383137316163653166643832376264653965
3163363463663535363734343135643061653834353134610a393465636431346635643231613632
66393139656238333637353132663937633632396230313438656135353066383234353139343666
6230626332326437310a626639363063613062616239623734333131633865393063343030353133
32323465393434343634646238636531646230356365343264656364333132316636353338353133
6261663131646237316635306438613938396639383439653665
public_key: <master_public_key>
- name: slave-1
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
64393432666564616632613366663264326338643931653966653961643362306562643537663636
6434343630366165623261623363376333306339333164360a353037383261616335623561386538
64633762323939656633313433306330333533373434323664393965373038623431653539633561
3461626530613863640a353931346639653961303136303763303432653532636438636532613936
64313264643465303663646135383537623930626137656264323433373536326530613131363134
6334613964626261323838616534623639616133303564653063
public_key: <slave_public_key>
- name: site_c
private_key: <site_c_private_key>
public_key: <site_c_public_key>
- name: cn-hub
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
@ -44,8 +18,23 @@ keys:
3833613132373666303563623863373735396566666239316536
- name: global-hub
private_key: <hub2_private_key>
public_key: <hub2_public_key>
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
63343838666530633031313536616535313936373634396165376132333661616534663937626632
3530646463663462383130323930356239636438643035380a343433303064383531663332303839
32613733323263623836346266383363336361323036383536313031386435386534646661616463
6631346431316334620a643831313033326261333365623037306565663131373664343930623665
31346564363635323765336465646466663631376538626237386165326464326632323438663038
3937363832363731353834633663646538666232336239353936
public_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
34666430316566393939656436323231623935316331373264383830653934323261656136373666
3630356330396362323763383832376538633163636331650a376339326661363431353532303831
37336134303235633334643036326564313163626433613261333062336238316333363165386263
3666386330343261340a333662636630356635373938623335656462633039353565383133613935
35643661363334313733346430633432353736343463613264393433623135613833376435333661
3462643164356563346166656237613334616130386532393565
- name: deepflow-demo
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
@ -82,3 +71,75 @@ keys:
32643065663739303161626261393062613764346662633365336162613134633131383062646133
6437313463376164386465663365386436633466363633383366
- name: tky-proxy
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
39303737303631303963613131373734373338663232366534303832646664326365353730313665
3664643734336466613839663239613433373837633064300a373634343034323739646565326464
32343237303731656666323332656138643533323338626631626630316435623564616330333237
6339626537376163360a376663653533663332353163303363386564373233666230323735343863
66363730653134343037363739353464663834373134656639303932646635336664303537376665
3961393930616464343632363039333465633364626433363761
public_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
61366364303934343039356565643939613032373932356264393739343832366231653335373132
3732346666336566396133343836393961336533323530310a636131316266653132346663306461
39613036396330376235623765313166303163393264373436316236366234666532343866383235
3230366539313162310a323130663530653339623366613336616433666136336463306237326461
36363536376230313135336463386566393964613238353134663432353762626166303938323266
3963383862363236643361346165373538323332363764633131
- name: us-proxy
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
34373039646561366365363831636438633462633536343834356263396331333864396161363630
6631373964666239663064633936333135653663306464320a316463363362313336373437383937
38663665323531346536363030333637663631623765373466386664623332616432613334623933
6362353736396662300a343430633865363637313732383065613836363231623862616535383033
38333861393761633437316435306263356131353133376532323661366465616130616332366436
3430663134636430613139333238343265613764616234383362
public_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
62316266633037313333333966646331613830633733616438666533303735613763376632336562
3864333538333535323862333230663664306561386534340a343038356565643530323061323034
35353663643465616633346363626430623435396263646339373137303830303031326462653966
3266313038373466300a643833373063363862643533393838613266666363326363383034653366
34633063616361653762323130363832353132613531326131323336353339616166396464303337
6338353132333964376163333537363337316438313266623933
- name: ca-proxy
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
39303965663333646238656661376238653732363366653264353234396635313464316563613761
3937323936393363373265653864313034343462626633360a303036643838366465623965623365
35646332626232356661343966623637613037666336376562323864306630396536646230623664
6431636530326362320a383965356336313563336261633030666534613936653037393737356637
30323935393662333533373561303661366437626264383837376562323466323531616165643233
3233643237303764346130323139613537666132646532643864
public_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
61343962366534343435356236663132656636313634393563663164323630646363666264626434
3439316233626333656362623332613433313130396430610a633839393561326438636533666162
63663330313934353462663334643365323766376337363835633439653064386237373531323637
6338333364366239350a313636636438653736336563383665366661343066373761333431343933
36303062643639613632383565383534306438363461336634343662646435666231343565616333
6239326436633462346466393862336332383665313134393738
- name: icp-huawei
private_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
34356563313165386632656365393865356631663936656337316136343437363538393463363639
3562343736663335643230626335346265336365613835370a373361633064356264623932393232
63386433643761373634333232393136316333353165336463323736366363313662333863656462
3136323033626666340a623730346234396664343863656335303263376562613230373363343938
36633838303966303434336165393838346531383362316161366431393765373765396137316466
3866643163393061613732623938613035396536333837353363
public_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
63383631656563313335646566356237333737653232656439336230633037346566626663653333
6533663536666464616537376236383734313231393762640a643962666334326261386462653233
39386632343965346161623761393034313532633236613430663261366530363638653430383864
3535323031663634320a366134323832323034373430383264353066333666323932663230336333
65643263363538653033326236623434366631366339313964646263316536643237643535313663
3062623634613961636532636438393830613132656266306539


@ -1,5 +1,5 @@
# 基础网络参数
wg_network: 172.16.0.0/16
wg_network: 172.30.0.0/16
bridge_network: 10.253.0.0/16
vxlan_id: 100
hub_port: 51820
@ -50,32 +50,39 @@ hubs:
remote_domain: "cn-proxy.onwalk.net"
wireguard_peer:
- master-1
- slave-1
- agent-1
- agent-1
uuid: ""
remote_domain: "global-proxy.onwalk.net"
cert_path: "/etc/ssl/onwalk.net.pem"
key_path: "/etc/ssl/onwalk.net.key"
- slave-1
- agent-1
- agent-1
sites:
- name: tky-proxy
interface: eth0
wg_ip: 172.30.0.1
br_ip: 10.253.253.1
local_ip: 172.30.0.1
interface: ens5
public_ip: 52.196.108.28
wg_ip: 172.31.0.2
br_ip: 10.253.254.2
local_ip: 172.31.0.2
remote_ip: 172.31.0.1
wireguard_peer:
- global-hub
allowed_ips: "172.30.0.0/16,172.31.0.0/16"
xray:
uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
remote_domain: "global-proxy.onwalk.net"
cert_path: "/etc/ssl/onwalk.net.pem"
key_path: "/etc/ssl/onwalk.net.key"
relay_address: "global-proxy.onwalk.net"
relay_port: '51820'
remote_domain: "global-proxy.onwalk.net"
- name: us-proxy
interface: eth0
wg_ip: 172.30.0.1
br_ip: 10.253.253.1
local_ip: 172.30.0.1
interface: enX0
public_ip: 54.183.32.0
wg_ip: 172.31.0.3
br_ip: 10.253.254.3
local_ip: 172.31.0.3
remote_ip: 172.31.0.1
wireguard_peer:
- global-hub
allowed_ips: "172.30.0.0/16,172.31.0.0/16"
xray:
uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
remote_domain: "global-proxy.onwalk.net"
@ -83,77 +90,20 @@ hubs:
key_path: "/etc/ssl/onwalk.net.key"
- name: ca-proxy
interface: eth0
wg_ip: 172.30.0.1
br_ip: 10.253.253.1
local_ip: 172.30.0.1
interface: ens5
wg_ip: 172.31.0.4
br_ip: 10.253.254.4
local_ip: 172.31.0.4
remote_ip: 172.31.0.1
wireguard_peer:
- global-hub
allowed_ips: "172.30.0.0/16,172.31.0.0/16"
xray:
uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
remote_domain: "global-proxy.onwalk.net"
cert_path: "/etc/ssl/onwalk.net.pem"
key_path: "/etc/ssl/onwalk.net.key"
# 各个站点定义
sites:
- name: tky-proxy
interface: ens5
public_ip: 1.15.155.245
allowed_ips: "172.16.0.0/16"
wireguard_peer: hub-1
br_ip: 10.253.253.2
wg_ip: 172.16.0.10
local_ip: 172.16.0.10
remote_ip: 172.16.0.11
vless:
enabled: false
uuid: "11111111-1111-1111-1111-111111111111"
transport: ws
tls: true
path: /wg
- name: master-1
interface: ens5
public_ip: 1.15.155.245
allowed_ips: "172.16.0.0/16"
wireguard_peer: hub-1
br_ip: 10.253.253.2
wg_ip: 172.16.0.10
local_ip: 172.16.0.10
remote_ip: 172.16.0.11
vless:
enabled: false
uuid: "11111111-1111-1111-1111-111111111111"
transport: ws
tls: true
path: /wg
- name: slave-1
interface: ens5
public_ip: 1.15.155.245
wireguard_peer: hub-1
allowed_ips: "172.16.0.0/16"
br_ip: 10.253.253.3
wg_ip: 172.16.0.11
local_ip: 172.16.0.11
remote_ip: 172.16.0.10
vless:
enabled: false # 此节点不通过 VLESS直接访问 Hub
- name: site_c
public_ip: 1.15.155.245
wg_ip: 10.100.1.2
br_ip: 172.16.1.2
hub: hub2
public_ip: c.example.com
vless:
enabled: true
endpoint: vless-c.example.com
uuid: "33333333-3333-3333-3333-333333333333"
transport: ws
tls: true
path: /xray
- name: deepflow-demo
interface: wlp0s20f3
public_ip: 172.30.0.10
@ -163,13 +113,6 @@ sites:
remote_ip: 172.30.0.1
wireguard_peer: cn-hub
allowed_ips: "172.30.0.0/16"
vless:
enabled: true
endpoint: vless-c.example.com
uuid: "33333333-3333-3333-3333-333333333333"
transport: ws
tls: true
path: /xray
- name: icp-aliyun
interface: eth0
@ -187,3 +130,20 @@ sites:
relay_address: "cn-proxy.onwalk.net"
relay_port: '51820'
remote_domain: "cn-proxy.onwalk.net"
- name: icp-huawei
interface: eth0
public_ip: 139.9.139.22
wg_ip: 172.30.0.12
br_ip: 10.253.253.12
local_ip: 172.30.0.12
remote_ip: 172.30.0.1
wireguard_peer: cn-hub
allowed_ips: "172.30.0.0/16"
xray:
uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
cert_path: "/etc/ssl/onwalk.net.pem"
key_path: "/etc/ssl/onwalk.net.key"
relay_address: "cn-proxy.onwalk.net"
relay_port: '51820'
remote_domain: "cn-proxy.onwalk.net"
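Review bot: The same xray `uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"` is assigned to tky-proxy, us-proxy, ca-proxy and icp-huawei, and that UUID is the VLESS client credential the tproxy-config template renders as `"id"`; one shared value means a single compromised or decommissioned site cannot be revoked without rotating every site, and the hub cannot distinguish which site is connecting. Give each site its own UUID, and since the WireGuard private keys in vpn-keys are stored as `!vault` scalars, keep these client ids vaulted as well rather than in plaintext here. The cn-hub block at the top of this section also appears to list `- agent-1` twice under `wireguard_peer`; which side of the change the duplicate sits on is not recoverable from the rendering, but if it is on the new side one entry should be dropped, since the `selectattr('name', 'in', ...)` lookup elsewhere in this commit does not deduplicate.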