playbooks/vpn-wireguard-over-vless.yml


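---
# Three plays against the same host group, in order:
#   1. roll out the WireGuard-over-VLESS VPN role,
#   2. refresh the xworkmate-bridge runtime config,
#   3. validate the private path between the two peers over the tunnel.
# The third play only runs its checks outside check mode (every task is
# guarded with `when: not ansible_check_mode`).
- name: Deploy bidirectional WireGuard over VLESS for XWorkmate bridge distribution
  hosts: xworkmate_bridge_distributed
  become: true
  gather_facts: true
  roles:
    - role: roles/vhosts/xworkmate_bridge_distributed_vpn/

- name: Refresh xworkmate-bridge distributed runtime config
  hosts: xworkmate_bridge_distributed
  become: true
  gather_facts: true
  roles:
    - role: roles/vhosts/xworkmate_bridge/
      tags: [xworkmate_bridge]

- name: Validate XWorkmate bridge private distributed path
  hosts: xworkmate_bridge_distributed
  become: true
  gather_facts: false
  tasks:
    # `xworkmate_bridge_distributed_vpn_nodes` is expected to map each
    # inventory hostname to a node entry with at least `peer` and `wg_ip`
    # (the two keys read below); a missing entry fails the lookup here.
    - name: Resolve current distributed VPN node
      ansible.builtin.set_fact:
        xworkmate_bridge_distributed_current_node: "{{ xworkmate_bridge_distributed_vpn_nodes[inventory_hostname] }}"

    - name: Resolve peer distributed VPN node
      ansible.builtin.set_fact:
        xworkmate_bridge_distributed_peer_node: "{{ xworkmate_bridge_distributed_vpn_nodes[xworkmate_bridge_distributed_current_node.peer] }}"

    # Plain reachability check of the peer's WireGuard address; a failed
    # ping fails the play, which is the intended signal.
    - name: Verify peer WireGuard address is reachable
      ansible.builtin.command:
        cmd: "ping -c 3 -W 2 {{ xworkmate_bridge_distributed_peer_node.wg_ip }}"
      changed_when: false
      when: not ansible_check_mode

    # The token is read from the unit's quoted `Environment="BRIDGE_AUTH_TOKEN=..."`
    # line. `no_log` keeps it out of play output and callback logs, but the
    # registered value stays in scope for the rest of the play -- never echo it
    # with debug or include it in a fail_msg.
    - name: Read local bridge auth token for private peer validation
      ansible.builtin.shell: |
        set -euo pipefail
        systemctl cat xworkmate-bridge.service |
        sed -n 's/^Environment="BRIDGE_AUTH_TOKEN=\(.*\)"$/\1/p' |
        head -n 1
      args:
        executable: /bin/bash
      register: xworkmate_bridge_private_validation_token
      changed_when: false
      no_log: true
      when: not ansible_check_mode

    # Fail early with a readable reason if the sed pattern matched nothing
    # (e.g. an unquoted Environment= line). Otherwise the next task sends
    # "Bearer " with an empty token and fails behind no_log, which hides the
    # response and makes the cause hard to see. The message deliberately
    # does not include the token value.
    - name: Assert a bridge auth token was found in the unit file
      ansible.builtin.assert:
        that:
          - xworkmate_bridge_private_validation_token.stdout | length > 0
        fail_msg: "BRIDGE_AUTH_TOKEN not found in xworkmate-bridge.service (expected a quoted Environment= line)"
        quiet: true
      when: not ansible_check_mode

    # Plain HTTP is used here because the request targets the peer's
    # WireGuard address, i.e. it travels inside the tunnel. `no_log` is
    # required: the Authorization header carries the bearer token.
    - name: Verify peer bridge API through WireGuard private endpoint
      ansible.builtin.uri:
        url: "http://{{ xworkmate_bridge_distributed_peer_node.wg_ip }}:{{ xworkmate_bridge_distributed_vpn_forwarder_port }}/api/ping"
        headers:
          Authorization: "Bearer {{ xworkmate_bridge_private_validation_token.stdout }}"
        return_content: true
      register: xworkmate_bridge_private_peer_ping
      changed_when: false
      no_log: true
      when: not ansible_check_mode

    # uri already fails on a non-200 by default; the status check is kept as
    # an explicit, readable assertion next to the body check.
    - name: Assert peer bridge private ping succeeded
      ansible.builtin.assert:
        that:
          - xworkmate_bridge_private_peer_ping.status == 200
          - xworkmate_bridge_private_peer_ping.json.status | default('') == 'ok'
        fail_msg: "Peer bridge /api/ping over the WireGuard path did not return status 200 with body status 'ok'"
      when: not ansible_check_mode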