~comcloudway/ansible-ccw.icu: containers/wireguard: new role

8 files changed, 103 insertions(+), 1 deletions(-)

M .gitignore
A roles/containers/wireguard/defaults/main.yml
A roles/containers/wireguard/tasks/config.yml
A roles/containers/wireguard/tasks/main.yml
A roles/containers/wireguard/tasks/network.yml
A roles/containers/wireguard/tasks/setup.yml
A roles/containers/wireguard/templates/52_vpn.nft.template
M run.yml

M .gitignore => .gitignore +2 -0

@@ 1,2 1,4 @@
 hosts.yml
 group_vars/all/secret.yml
+output/
+!output/README.org

A roles/containers/wireguard/defaults/main.yml => roles/containers/wireguard/defaults/main.yml +10 -0

@@ 0,0 1,10 @@
+---
+wireguard_domain: "vpn.ccw.icu"
+wireguard_project_dir: "vpn"
+wireguard_port: "51820"
+wireguard_peers:
+  - default
+wireguard_timezone: "Europe/London"
+wireguard_bridge_subnet: "149.102.148.89/21"
+wireguard_bridge_gateway: "149.102.144.1"
+wireguard_bridge_parent: "eth0"

A roles/containers/wireguard/tasks/config.yml => roles/containers/wireguard/tasks/config.yml +16 -0

@@ 0,0 1,16 @@
+---
+- name: Wait for peer config to be generated
+  ansible.builtin.wait_for:
+    path: "{{ container_dir }}\
+        /{{ wireguard_project_dir }}\
+        /config\
+        /peer_{{ item }}/peer_{{ item }}.conf"
+  loop: "{{ wireguard_peers }}"
+- name: Fetch peer config
+  ansible.builtin.fetch:
+    dest: ./output
+    src: "{{ container_dir }}\
+        /{{ wireguard_project_dir }}\
+        /config\
+        /peer_{{ item }}/peer_{{ item }}.conf"
+  loop: "{{ wireguard_peers }}"

A roles/containers/wireguard/tasks/main.yml => roles/containers/wireguard/tasks/main.yml +4 -0

@@ 0,0 1,4 @@
+---
+- include_tasks: setup.yml
+- include_tasks: network.yml
+- include_tasks: config.yml

A roles/containers/wireguard/tasks/network.yml => roles/containers/wireguard/tasks/network.yml +14 -0

@@ 0,0 1,14 @@
+---
+- name: Make sure the nftables vpn rule exists
+  become: true
+  template:
+    src: ../templates/52_vpn.nft.template
+    dest: /etc/nftables.d/52_vpn.nft
+  register: firewall
+
+- name: Restart nftables
+  become: true
+  service:
+    name: nftables
+    state: restarted
+  when: firewall.changed

A roles/containers/wireguard/tasks/setup.yml => roles/containers/wireguard/tasks/setup.yml +38 -0

@@ 0,0 1,38 @@
+---
+- name: Ensure wireguard-dir "{{ wireguard_project_dir }}" exists
+  file:
+    path: "{{ container_dir }}/{{ wireguard_project_dir }}"
+    state: directory
+    recurse: true
+
+- name: Setup wireguard
+  docker_container:
+    name: wireguard
+    image: linuxserver/wireguard:1.0.20210914-alpine
+    restart_policy: unless-stopped
+    env:
+      PUID: "1000"
+      PGID: "1000"
+      TZ: "{{ wireguard_timezone }}"
+      SERVERURL: "{{ wireguard_domain }}"
+      SERVERPORT: "{{ wireguard_port }}"
+      PEERS: "{{ wireguard_peers | join(',') }}"
+      INTERNAL_SUBNET: "10.0.0.0"
+      ALLOWEDIPS: "0.0.0.0/0, ::/0"
+      PEERDNS: "1.1.1.1"
+    ports:
+      - "{{ wireguard_port }}:{{ wireguard_port }}/udp"
+    volumes:
+      - "{{ container_dir }}\
+        /{{ wireguard_project_dir }}\
+        /config\
+        :/config"
+    mounts:
+      - source: /lib/modules
+        target: /lib/modules
+        type: bind
+    capabilities:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      net.ipv4.conf.all.src_valid_mark: 1

A roles/containers/wireguard/templates/52_vpn.nft.template => roles/containers/wireguard/templates/52_vpn.nft.template +8 -0

@@ 0,0 1,8 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+	chain input {
+        # allow wireguard vpn
+		udp dport {{ wireguard_port }} accept comment "Allow wireguard"
+	}
+}

M run.yml => run.yml +11 -1

@@ 1,10 1,14 @@
 ---
 ############################################
 # SETUP BASE SYSTEM
+# overwrites the ssh user set in the hosts.yml,
+# because the non-root user has yet to be created
 ############################################
 - name: setup base system
   hosts: all
-  become: true
+  remote_user: root
+  vars:
+    ansible_ssh_user: root
   roles:
     - role: system
       tags: system


@@ 48,3 52,9 @@
   roles:
     - role: containers/uptime-kuma
       tags: status
+# Setup Wireguard
+- name: setup Wireguard
+  hosts: all
+  roles:
+    - role: containers/wireguard
+      tags: vpn