Support multi-peer site connections and unify node access structure, enhance tproxy configuration flexibility:

- Merge hubs and sites into node_map for unified access - Refactor xray tproxy to use node_map and xray_xxx variables - Update tproxy-config.json template references accordingly - add vpn-keys entries including us-proxy, ca-proxy, icp-huawei - Support list format for wireguard_peer to allow multiple peer connections
2025-05-14 17:50:37 +08:00 · 2025-05-14 17:50:37 +08:00 · a1aa9fc5fd
commit a1aa9fc5fd
parent 3f092026af
5 changed files with 173 additions and 129 deletions
--- a/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/tasks/main.yml
+++ b/ansible/playbooks/roles/vhosts/vpn-overlay/wireguard/site/tasks/main.yml
@ -20,10 +20,21 @@
         | list | first }}
    features: "{{ overlay_data.features }}"

+- name: 标准化 wireguard_peer 为列表
+  set_fact:
+    wireguard_peers: >-
+      {{ [current_node.wireguard_peer] if current_node.wireguard_peer is string else current_node.wireguard_peer }}
+
 - name: 提取对端 peer 节点列表
  set_fact:
-    peer_node_list: "{{ (overlay_data.sites + overlay_data.hubs) | selectattr('name', 'equalto', current_node.wireguard_peer) | list }}"
-    peer_key_list: "{{ overlay_keys['keys'] | selectattr('name', 'equalto', current_node.wireguard_peer) | list }}"
+    peer_node_list: >-
+      {{ (overlay_data.sites + overlay_data.hubs)
+         | selectattr('name', 'in', wireguard_peers)
+         | list }}
+    peer_key_list: >-
+      {{ overlay_keys['keys']
+         | selectattr('name', 'in', wireguard_peers)
+         | list }}

 - name: 校验 wireguard_peer 是否匹配成功
  fail:
--- a/ansible/playbooks/roles/vhosts/vpn-overlay/xray/tproxy/tasks/main.yml
+++ b/ansible/playbooks/roles/vhosts/vpn-overlay/xray/tproxy/tasks/main.yml
@ -13,16 +13,28 @@
    sites_map: "{{ dict(overlay_config.sites | map(attribute='name') | zip(overlay_config.sites)) }}"
  when: overlay_config.sites is defined

+- name: Convert all nodes (hubs + sites) to one dict as node_map
+  set_fact:
+    node_map: >-
+      {{ dict((overlay_config.hubs + overlay_config.sites)
+               | map(attribute='name')
+               | zip(overlay_config.hubs + overlay_config.sites)) }}
+
 - name: 显示主机名
  debug:
-    var: overlay_config
-  when: debug | default(false)
+    var: node_map
+  when: debug | default(true)
+
+- name: Show value for this node
+  debug:
+    msg: "{{ node_map[inventory_hostname] }}"
+  when: debug | default(true)

 - set_fact:
-    xray_uuid: "{{ hubs_map[inventory_hostname].xray.uuid }}"
-    xray_remote_domain: "{{ hubs_map[inventory_hostname].xray.remote_domain }}"
-    xray_cert_path: "{{ hubs_map[inventory_hostname].xray.cert_path }}"
-    xray_key_path: "{{ hubs_map[inventory_hostname].xray.key_path }}"
+    xray_uuid: "{{ node_map[inventory_hostname].xray.uuid }}"
+    xray_remote_domain: "{{ node_map[inventory_hostname].xray.remote_domain }}"
+    xray_cert_path: "{{ node_map[inventory_hostname].xray.cert_path }}"
+    xray_key_path: "{{ node_map[inventory_hostname].xray.key_path }}"

 - name: Install Xray using official script
  shell: |
--- a/ansible/playbooks/roles/vhosts/vpn-overlay/xray/tproxy/templates/tproxy-config.json.j2
+++ b/ansible/playbooks/roles/vhosts/vpn-overlay/xray/tproxy/templates/tproxy-config.json.j2
@ -11,8 +11,8 @@
      "port": 51830,
      "protocol": "dokodemo-door",
      "settings": {
-        "address": "{{ hubs_map[inventory_hostname].xray.relay_address }}",
-        "port": {{ hubs_map[inventory_hostname].xray.relay_port }},
+        "address": "{{ xray_remote_domain }}",
+        "port": 51820,
        "network": "udp"
      }
    }
@ -23,11 +23,11 @@
      "settings": {
        "vnext": [
          {
-            "address": "{{ hubs_map[inventory_hostname].xray.relay_address }}",
+            "address": "{{ xray_remote_domain }}",
            "port": 1443,
            "users": [
              {
-                "id": "{{ hubs_map[inventory_hostname].xray.uuid }}",
+                "id": "{{ xray_uuid }}",
                "encryption": "none",
                "flow": "xtls-rprx-vision"
              }
@ -39,7 +39,7 @@
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
-          "serverName": "{{ hubs_map[inventory_hostname].xray.remote_domain }}",
+          "serverName": "{{ xray_remote_domain }}",
          "allowInsecure": false,
          "fingerprint": "chrome"
        }
--- a/config/sit/vpn-keys.yaml
+++ b/config/sit/vpn-keys.yaml
@ -1,30 +1,4 @@
 keys:
-  - name: master-1
-    private_key: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          35363663306235633966383634393535366462633039383137316163653166643832376264653965
-          3163363463663535363734343135643061653834353134610a393465636431346635643231613632
-          66393139656238333637353132663937633632396230313438656135353066383234353139343666
-          6230626332326437310a626639363063613062616239623734333131633865393063343030353133
-          32323465393434343634646238636531646230356365343264656364333132316636353338353133
-          6261663131646237316635306438613938396639383439653665
-    public_key: <master_public_key>
-
-  - name: slave-1
-    private_key: !vault |
-          $ANSIBLE_VAULT;1.1;AES256
-          64393432666564616632613366663264326338643931653966653961643362306562643537663636
-          6434343630366165623261623363376333306339333164360a353037383261616335623561386538
-          64633762323939656633313433306330333533373434323664393965373038623431653539633561
-          3461626530613863640a353931346639653961303136303763303432653532636438636532613936
-          64313264643465303663646135383537623930626137656264323433373536326530613131363134
-          6334613964626261323838616534623639616133303564653063
-    public_key: <slave_public_key>
-
-  - name: site_c
-    private_key: <site_c_private_key>
-    public_key: <site_c_public_key>
-
  - name: cn-hub
    private_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
@ -44,8 +18,23 @@ keys:
          3833613132373666303563623863373735396566666239316536

  - name: global-hub
-    private_key: <hub2_private_key>
-    public_key: <hub2_public_key>
+    private_key: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              63343838666530633031313536616535313936373634396165376132333661616534663937626632
+              3530646463663462383130323930356239636438643035380a343433303064383531663332303839
+              32613733323263623836346266383363336361323036383536313031386435386534646661616463
+              6631346431316334620a643831313033326261333365623037306565663131373664343930623665
+              31346564363635323765336465646466663631376538626237386165326464326632323438663038
+              3937363832363731353834633663646538666232336239353936
+    public_key: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              34666430316566393939656436323231623935316331373264383830653934323261656136373666
+              3630356330396362323763383832376538633163636331650a376339326661363431353532303831
+              37336134303235633334643036326564313163626433613261333062336238316333363165386263
+              3666386330343261340a333662636630356635373938623335656462633039353565383133613935
+              35643661363334313733346430633432353736343463613264393433623135613833376435333661
+              3462643164356563346166656237613334616130386532393565
+
  - name: deepflow-demo
    private_key: !vault |
              $ANSIBLE_VAULT;1.1;AES256
@ -82,3 +71,75 @@ keys:
              32643065663739303161626261393062613764346662633365336162613134633131383062646133
              6437313463376164386465663365386436633466363633383366

+  - name: tky-proxy
+    private_key: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              39303737303631303963613131373734373338663232366534303832646664326365353730313665
+              3664643734336466613839663239613433373837633064300a373634343034323739646565326464
+              32343237303731656666323332656138643533323338626631626630316435623564616330333237
+              6339626537376163360a376663653533663332353163303363386564373233666230323735343863
+              66363730653134343037363739353464663834373134656639303932646635336664303537376665
+              3961393930616464343632363039333465633364626433363761
+    public_key: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              61366364303934343039356565643939613032373932356264393739343832366231653335373132
+              3732346666336566396133343836393961336533323530310a636131316266653132346663306461
+              39613036396330376235623765313166303163393264373436316236366234666532343866383235
+              3230366539313162310a323130663530653339623366613336616433666136336463306237326461
+              36363536376230313135336463386566393964613238353134663432353762626166303938323266
+              3963383862363236643361346165373538323332363764633131
+
+  - name: us-proxy
+    private_key: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              34373039646561366365363831636438633462633536343834356263396331333864396161363630
+              6631373964666239663064633936333135653663306464320a316463363362313336373437383937
+              38663665323531346536363030333637663631623765373466386664623332616432613334623933
+              6362353736396662300a343430633865363637313732383065613836363231623862616535383033
+              38333861393761633437316435306263356131353133376532323661366465616130616332366436
+              3430663134636430613139333238343265613764616234383362
+    public_key: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              62316266633037313333333966646331613830633733616438666533303735613763376632336562
+              3864333538333535323862333230663664306561386534340a343038356565643530323061323034
+              35353663643465616633346363626430623435396263646339373137303830303031326462653966
+              3266313038373466300a643833373063363862643533393838613266666363326363383034653366
+              34633063616361653762323130363832353132613531326131323336353339616166396464303337
+              6338353132333964376163333537363337316438313266623933
+
+  - name: ca-proxy
+    private_key: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              39303965663333646238656661376238653732363366653264353234396635313464316563613761
+              3937323936393363373265653864313034343462626633360a303036643838366465623965623365
+              35646332626232356661343966623637613037666336376562323864306630396536646230623664
+              6431636530326362320a383965356336313563336261633030666534613936653037393737356637
+              30323935393662333533373561303661366437626264383837376562323466323531616165643233
+              3233643237303764346130323139613537666132646532643864
+    public_key: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              61343962366534343435356236663132656636313634393563663164323630646363666264626434
+              3439316233626333656362623332613433313130396430610a633839393561326438636533666162
+              63663330313934353462663334643365323766376337363835633439653064386237373531323637
+              6338333364366239350a313636636438653736336563383665366661343066373761333431343933
+              36303062643639613632383565383534306438363461336634343662646435666231343565616333
+              6239326436633462346466393862336332383665313134393738
+
+  - name: icp-huawei
+    private_key: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              34356563313165386632656365393865356631663936656337316136343437363538393463363639
+              3562343736663335643230626335346265336365613835370a373361633064356264623932393232
+              63386433643761373634333232393136316333353165336463323736366363313662333863656462
+              3136323033626666340a623730346234396664343863656335303263376562613230373363343938
+              36633838303966303434336165393838346531383362316161366431393765373765396137316466
+              3866643163393061613732623938613035396536333837353363
+    public_key: !vault |
+              $ANSIBLE_VAULT;1.1;AES256
+              63383631656563313335646566356237333737653232656439336230633037346566626663653333
+              6533663536666464616537376236383734313231393762640a643962666334326261386462653233
+              39386632343965346161623761393034313532633236613430663261366530363638653430383864
+              3535323031663634320a366134323832323034373430383264353066333666323932663230336333
+              65643263363538653033326236623434366631366339313964646263316536643237643535313663
+              3062623634613961636532636438393830613132656266306539
+
--- a/config/sit/vpn-overlay.yaml
+++ b/config/sit/vpn-overlay.yaml
@ -1,5 +1,5 @@
 # 基础网络参数
-wg_network: 172.16.0.0/16
+wg_network: 172.30.0.0/16
 bridge_network: 10.253.0.0/16
 vxlan_id: 100
 hub_port: 51820
@ -50,32 +50,39 @@ hubs:
      remote_domain: "cn-proxy.onwalk.net"
    wireguard_peer:
      - master-1
-      - slave-1 
-      - agent-1 
-      - agent-1 
-    uuid: ""
-    remote_domain: "global-proxy.onwalk.net"
-    cert_path: "/etc/ssl/onwalk.net.pem"
-    key_path: "/etc/ssl/onwalk.net.key"
+      - slave-1
+      - agent-1
+      - agent-1

+sites:
  - name: tky-proxy
-    interface: eth0
-    wg_ip: 172.30.0.1
-    br_ip: 10.253.253.1
-    local_ip: 172.30.0.1
+    interface: ens5
+    public_ip: 52.196.108.28
+    wg_ip: 172.31.0.2
+    br_ip: 10.253.254.2
+    local_ip: 172.31.0.2
    remote_ip: 172.31.0.1
+    wireguard_peer:
+      - global-hub
+    allowed_ips: "172.30.0.0/16,172.31.0.0/16"
    xray:
      uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
-      remote_domain: "global-proxy.onwalk.net"
      cert_path: "/etc/ssl/onwalk.net.pem"
      key_path: "/etc/ssl/onwalk.net.key"
+      relay_address: "global-proxy.onwalk.net"
+      relay_port: '51820'
+      remote_domain: "global-proxy.onwalk.net"

  - name: us-proxy
-    interface: eth0
-    wg_ip: 172.30.0.1
-    br_ip: 10.253.253.1
-    local_ip: 172.30.0.1
+    interface: enX0
+    public_ip: 54.183.32.0
+    wg_ip: 172.31.0.3
+    br_ip: 10.253.254.3
+    local_ip: 172.31.0.3
    remote_ip: 172.31.0.1
+    wireguard_peer:
+      - global-hub
+    allowed_ips: "172.30.0.0/16,172.31.0.0/16"
    xray:
      uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
      remote_domain: "global-proxy.onwalk.net"
@ -83,77 +90,20 @@ hubs:
      key_path: "/etc/ssl/onwalk.net.key"

  - name: ca-proxy
-    interface: eth0
-    wg_ip: 172.30.0.1
-    br_ip: 10.253.253.1
-    local_ip: 172.30.0.1
+    interface: ens5
+    wg_ip: 172.31.0.4
+    br_ip: 10.253.254.4
+    local_ip: 172.31.0.4
    remote_ip: 172.31.0.1
+    wireguard_peer:
+    - global-hub
+    allowed_ips: "172.30.0.0/16,172.31.0.0/16"
    xray:
      uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
      remote_domain: "global-proxy.onwalk.net"
      cert_path: "/etc/ssl/onwalk.net.pem"
      key_path: "/etc/ssl/onwalk.net.key"

-# 各个站点定义
-sites:
-  - name: tky-proxy
-    interface: ens5
-    public_ip: 1.15.155.245
-    allowed_ips: "172.16.0.0/16"
-    wireguard_peer: hub-1
-    br_ip: 10.253.253.2
-    wg_ip: 172.16.0.10
-    local_ip: 172.16.0.10
-    remote_ip: 172.16.0.11
-    vless:
-      enabled: false
-      uuid: "11111111-1111-1111-1111-111111111111"
-      transport: ws
-      tls: true
-      path: /wg
-
-  - name: master-1
-    interface: ens5
-    public_ip: 1.15.155.245
-    allowed_ips: "172.16.0.0/16"
-    wireguard_peer: hub-1
-    br_ip: 10.253.253.2
-    wg_ip: 172.16.0.10
-    local_ip: 172.16.0.10
-    remote_ip: 172.16.0.11
-    vless:
-      enabled: false
-      uuid: "11111111-1111-1111-1111-111111111111"
-      transport: ws
-      tls: true
-      path: /wg
-
-  - name: slave-1
-    interface: ens5
-    public_ip: 1.15.155.245
-    wireguard_peer: hub-1
-    allowed_ips: "172.16.0.0/16"
-    br_ip: 10.253.253.3
-    wg_ip: 172.16.0.11
-    local_ip: 172.16.0.11
-    remote_ip: 172.16.0.10
-    vless:
-      enabled: false  # 此节点不通过 VLESS，直接访问 Hub
-
-  - name: site_c
-    public_ip: 1.15.155.245
-    wg_ip: 10.100.1.2
-    br_ip: 172.16.1.2
-    hub: hub2
-    public_ip: c.example.com
-    vless:
-      enabled: true
-      endpoint: vless-c.example.com
-      uuid: "33333333-3333-3333-3333-333333333333"
-      transport: ws
-      tls: true
-      path: /xray
-
  - name: deepflow-demo
    interface: wlp0s20f3
    public_ip: 172.30.0.10
@ -163,13 +113,6 @@ sites:
    remote_ip: 172.30.0.1
    wireguard_peer: cn-hub
    allowed_ips: "172.30.0.0/16"
-    vless:
-      enabled: true
-      endpoint: vless-c.example.com
-      uuid: "33333333-3333-3333-3333-333333333333"
-      transport: ws
-      tls: true
-      path: /xray

  - name: icp-aliyun
    interface: eth0
@ -187,3 +130,20 @@ sites:
      relay_address: "cn-proxy.onwalk.net"
      relay_port: '51820'
      remote_domain: "cn-proxy.onwalk.net"
+
+  - name: icp-huawei
+    interface: eth0
+    public_ip: 139.9.139.22
+    wg_ip: 172.30.0.12
+    br_ip: 10.253.253.12
+    local_ip: 172.30.0.12
+    remote_ip: 172.30.0.1
+    wireguard_peer: cn-hub
+    allowed_ips: "172.30.0.0/16"
+    xray:
+      uuid: "18d270a9-533d-4b13-b3f1-e7f55540a9b2"
+      cert_path: "/etc/ssl/onwalk.net.pem"
+      key_path: "/etc/ssl/onwalk.net.key"
+      relay_address: "cn-proxy.onwalk.net"
+      relay_port: '51820'
+      remote_domain: "cn-proxy.onwalk.net"