Строки в настройке WireGuard имеют ошибку в правах.
Как их изменить и на какой файл?
Скрипт всей сети:
terraform {
required_providers {
yandex = {
source = "yandex-cloud/yandex"
}
}
}
provider "yandex" {
token = var.token
cloud_id = var.cloud_id
folder_id = var.folder_id
}
resource "yandex_vpc_network" "network_internet" {
name = "INTERNET"
}
resource "yandex_vpc_subnet" "subnet_internet" {
zone = "ru-central1-b"
network_id = yandex_vpc_network.network_internet.id
v4_cidr_blocks = ["192.168.100.0/24"]
}
resource "yandex_compute_instance" "web1" {
name = "web1"
hostname = "web1"
platform_id = "standard-v3"
zone = "ru-central1-b"
resources {
cores = 2
memory = 1
core_fraction = 50
}
boot_disk {
initialize_params {
image_id = "fd85bjns7h0brudf99vt"
size = 10
type = "network-hdd"
}
}
network_interface {
subnet_id = yandex_vpc_subnet.subnet_internet.id
ip_address = "192.168.100.10"
nat = true
}
metadata = {
ssh-keys = "altlinux:${file("~/.ssh/id_rsa.pub")}"
}
timeouts {
create = "10m"
}
}
resource "yandex_compute_instance" "web2" {
name = "web2"
hostname = "web2"
platform_id = "standard-v3"
zone = "ru-central1-b"
resources {
cores = 2
memory = 1
core_fraction = 50
}
boot_disk {
initialize_params {
image_id = "fd85bjns7h0brudf99vt"
size = 10
type = "network-hdd"
}
}
network_interface {
subnet_id = yandex_vpc_subnet.subnet_internet.id
ip_address = "192.168.100.20"
nat = true
}
metadata = {
ssh-keys = "altlinux:${file("~/.ssh/id_rsa.pub")}"
}
timeouts {
create = "10m"
}
}
resource "yandex_compute_instance" "webadm" {
name = "webadm"
hostname = "webadm"
platform_id = "standard-v3"
zone = "ru-central1-b"
resources {
cores = 2
memory = 1
core_fraction = 50
}
boot_disk {
initialize_params {
image_id = "fd85bjns7h0brudf99vt"
size = 10
type = "network-hdd"
}
}
network_interface {
subnet_id = yandex_vpc_subnet.subnet_internet.id
ip_address = "192.168.100.30"
nat = true
}
metadata = {
ssh-keys = "altlinux:${file("~/.ssh/id_rsa.pub")}"
}
timeouts {
create = "10m"
}
}
resource "yandex_lb_network_load_balancer" "lb-web" {
name = "lb-web"
listener {
name = "http"
port = 80
external_address_spec {
ip_version = "ipv4"
}
}
listener {
name = "https"
port = 443
external_address_spec {
ip_version = "ipv4"
}
}
attached_target_group {
target_group_id = yandex_lb_target_group.lb-group.id
healthcheck {
name = "http"
http_options {
port = 80
path = "/"
}
}
}
}
resource "yandex_lb_target_group" "lb-group" {
name = "lb-group"
target {
subnet_id = yandex_vpc_subnet.subnet_internet.id
address = yandex_compute_instance.web1.network_interface.0.ip_address
}
target {
subnet_id = yandex_vpc_subnet.subnet_internet.id
address = yandex_compute_instance.web2.network_interface.0.ip_address
}
target {
subnet_id = yandex_vpc_subnet.subnet_internet.id
address = yandex_compute_instance.webadm.network_interface.0.ip_address
}
}
output "lb_ip" {
value = yandex_lb_network_load_balancer.lb-web
}
output "webadm_ip" {
value = yandex_compute_instance.webadm.network_interface.0.ip_address
}
resource "null_resource" "vpn_setup" {
depends_on = [
yandex_compute_instance.webadm,
yandex_compute_instance.web1,
yandex_compute_instance.web2
]
provisioner "remote-exec" {
inline = [
"sudo su",
"apt-get update",
"apt-get install -y wireguard-tools-wg-quick",
"umask 0777 && wg genkey | tee /etc/wireguard/server.key | wg pubkey > /etc/wireguard/server.pub",
"umask 0777 && wg genkey | tee /etc/wireguard/client.key | wg pubkey > /etc/wireguard/client.pub",
"bash -c 'echo -e \"[Interface]\\nAddress = 10.0.0.1/24\\nPrivateKey = $(cat /etc/wireguard/server.key)\\nListenPort = 51820\\n\\n[Peer]\\nPublicKey = $(cat /etc/wireguard/client.pub)\\nAllowedIPs = 10.0.0.2/32\" > /etc/wireguard/wg0.conf'",
"bash -c 'echo -e \"[Interface]\\nAddress = 10.0.0.2/24\\nPrivateKey = $(cat /etc/wireguard/client.key)\\n\\n[Peer]\\nPublicKey = $(cat /etc/wireguard/server.pub)\\nEndpoint = $(yandex_compute_instance.webadm.network_interface.0.nat_ip_address):51820\\nAllowedIPs = 0.0.0.0/0\" > /etc/wireguard/wg0.conf'",
"systemctl enable wg-quick@wg0",
"systemctl start wg-quick@wg0",
"ssh -o StrictHostKeyChecking=no altlinux@192.168.100.10 'sudo apt-get update && sudo apt-get install -y wireguard'",
"ssh -o StrictHostKeyChecking=no altlinux@192.168.100.10 'sudo bash -c \"echo -e \\\"[Interface]\\nAddress = 10.0.0.2/24\\nPrivateKey = $(sudo cat /etc/wireguard/client.key)\\n\\n[Peer]\\nPublicKey = $(sudo cat /etc/wireguard/server.pub)\\nEndpoint = $(yandex_compute_instance.webadm.network_interface.0.nat_ip_address):51820\\nAllowedIPs = 0.0.0.0/0\\\" > /etc/wireguard/wg0.conf'\"",
"ssh -o StrictHostKeyChecking=no altlinux@192.168.100.20 'sudo apt-get update && sudo apt-get install -y wireguard'",
"ssh -o StrictHostKeyChecking=no altlinux@192.168.100.20 'sudo bash -c \"echo -e \\\"[Interface]\\nAddress = 10.0.0.3/24\\nPrivateKey = $(sudo cat /etc/wireguard/client.key)\\n\\n[Peer]\\nPublicKey = $(sudo cat /etc/wireguard/server.pub)\\nEndpoint = $(yandex_compute_instance.webadm.network_interface.0.nat_ip_address):51820\\nAllowedIPs = 0.0.0.0/0\\\" > /etc/wireguard/wg0.conf'\"",
"ssh -o StrictHostKeyChecking=no altlinux@192.168.100.10 'sudo systemctl enable wg-quick@wg0'",
"ssh -o StrictHostKeyChecking=no altlinux@192.168.100.10 'sudo systemctl start wg-quick@wg0'",
"ssh -o StrictHostKeyChecking=no altlinux@192.168.100.20 'sudo systemctl enable wg-quick@wg0'",
"ssh -o StrictHostKeyChecking=no altlinux@192.168.100.20 'sudo systemctl start wg-quick@wg0'"
]
connection {
type = "ssh"
host = yandex_compute_instance.webadm.network_interface.0.nat_ip_address
user = "altlinux"
private_key = file("~/.ssh/id_rsa")
}
}
}
если прописываю su в самом начале - скрипт не может найти сам wireguard:
xec): Building Dependency Tree... 60%
null_resource.vpn_setup (remote-exec): Building Dependency Tree... Done
null_resource.vpn_setup (remote-exec): E: Couldn't find package wireguard
null_resource.vpn_setup (remote-exec): /tmp/terraform_1874103965.sh: line 4: wg: command not found
null_resource.vpn_setup (remote-exec): /tmp/terraform_1874103965.sh: line 4: /etc/wireguard/server.pub: No such file or directory
null_resource.vpn_setup (remote-exec): tee: /etc/wireguard/server.key: No such file or directory
null_resource.vpn_setup (remote-exec): /tmp/terraform_1874103965.sh: line 5: wg: command not found
null_resource.vpn_setup (remote-exec): /tmp/terraform_1874103965.sh: line 5: /etc/wireguard/client.pub: No such file or directory
null_resource.vpn_setup (remote-exec): tee: /etc/wireguard/client.key: No such file or directory
null_resource.vpn_setup (remote-exec): cat: /etc/wireguard/server.key: No such file or directory
null_resource.vpn_setup (remote-exec): cat: /etc/wireguard/client.pub: No such file or directory
null_resource.vpn_setup (remote-exec): bash: /etc/wireguard/wg0.conf: No such file or directory
null_resource.vpn_setup (remote-exec): cat: /etc/wireguard/client.key: No such file or directory
null_resource.vpn_setup (remote-exec): cat: /etc/wireguard/server.pub: No such file or directory
null_resource.vpn_setup (remote-exec): bash: yandex_compute_instance.webadm.network_interface.0.nat_ip_address: command not found
null_resource.vpn_setup (remote-exec): bash: /etc/wireguard/wg0.conf: No such file or directory
null_resource.vpn_setup (remote-exec): Failed to enable unit: Unit file wg-quick@wg0.service does not exist.
null_resource.vpn_setup (remote-exec): Failed to start wg-quick@wg0.service: Unit wg-quick@wg0.service not found.
null_resource.vpn_setup (remote-exec): Warning: Identity file /home/altlinux/.ssh/id_rsa not accessible: No such file or directory.
null_resource.vpn_setup (remote-exec): The authenticity of host '51.250.93.167 (51.250.93.167)' can't be established.
null_resource.vpn_setup (remote-exec): ED25519 key fingerprint is SHA256:t0AP6DOyzLsh20ldJAjL4X0eyPskQhLy71v/el5VsW8.
null_resource.vpn_setup (remote-exec): Are you sure you want to continue connecting (yes/no)?
null_resource.vpn_setup: Still creating... [40s elapsed]
