From d2ae0212552bab8eb1dcc680f4df6cd37fff46d1 Mon Sep 17 00:00:00 2001 From: Jakob Meier Date: Sat, 22 Jul 2023 20:30:55 +0200 Subject: [PATCH] containers/wireguard: new role Initial wireguard support, that outputs the config files in ./output/... --- .gitignore | 2 + roles/containers/wireguard/defaults/main.yml | 10 +++++ roles/containers/wireguard/tasks/config.yml | 16 ++++++++ roles/containers/wireguard/tasks/main.yml | 4 ++ roles/containers/wireguard/tasks/network.yml | 14 +++++++ roles/containers/wireguard/tasks/setup.yml | 38 +++++++++++++++++++ .../wireguard/templates/52_vpn.nft.template | 8 ++++ run.yml | 12 +++++- 8 files changed, 103 insertions(+), 1 deletion(-) create mode 100644 roles/containers/wireguard/defaults/main.yml create mode 100644 roles/containers/wireguard/tasks/config.yml create mode 100644 roles/containers/wireguard/tasks/main.yml create mode 100644 roles/containers/wireguard/tasks/network.yml create mode 100644 roles/containers/wireguard/tasks/setup.yml create mode 100644 roles/containers/wireguard/templates/52_vpn.nft.template diff --git a/.gitignore b/.gitignore index f7f37f6..9ccc9a7 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ hosts.yml group_vars/all/secret.yml +output/ +!output/README.org diff --git a/roles/containers/wireguard/defaults/main.yml b/roles/containers/wireguard/defaults/main.yml new file mode 100644 index 0000000..22445c4 --- /dev/null +++ b/roles/containers/wireguard/defaults/main.yml @@ -0,0 +1,10 @@ +--- +wireguard_domain: "vpn.ccw.icu" +wireguard_project_dir: "vpn" +wireguard_port: "51820" +wireguard_peers: + - default +wireguard_timezone: "Europe/London" +wireguard_bridge_subnet: "149.102.148.89/21" +wireguard_bridge_gateway: "149.102.144.1" +wireguard_bridge_parent: "eth0" diff --git a/roles/containers/wireguard/tasks/config.yml b/roles/containers/wireguard/tasks/config.yml new file mode 100644 index 0000000..26b0dd7 --- /dev/null +++ b/roles/containers/wireguard/tasks/config.yml 
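Review bot: `wireguard_bridge_subnet`, `wireguard_bridge_gateway` and `wireguard_bridge_parent` in defaults/main.yml are not referenced by any task or template in this patch, so they are dead defaults that still pin a concrete public address range into the role. Either drop the three keys until the bridge network is implemented, or keep them with a comment such as `# reserved for a future macvlan/bridge network; unused by setup.yml today`. Deployment-specific values like `wireguard_domain` and the subnet belong in inventory or group_vars (which this repo already gitignores) rather than in role defaults, so a role default should be a neutral placeholder.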
@@ -0,0 +1,16 @@ +--- +- name: Wait for peer config to be generated + ansible.builtin.wait_for: + path: "{{ container_dir }}\ + /{{ wireguard_project_dir }}\ + /config\ + /peer_{{ item }}/peer_{{ item }}.conf" + loop: "{{ wireguard_peers }}" +- name: Fetch peer config + ansible.builtin.fetch: + dest: ./output + src: "{{ container_dir }}\ + /{{ wireguard_project_dir }}\ + /config\ + /peer_{{ item }}/peer_{{ item }}.conf" + loop: "{{ wireguard_peers }}" diff --git a/roles/containers/wireguard/tasks/main.yml b/roles/containers/wireguard/tasks/main.yml new file mode 100644 index 0000000..28f9a66 --- /dev/null +++ b/roles/containers/wireguard/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- include_tasks: setup.yml +- include_tasks: network.yml +- include_tasks: config.yml diff --git a/roles/containers/wireguard/tasks/network.yml b/roles/containers/wireguard/tasks/network.yml new file mode 100644 index 0000000..222fa15 --- /dev/null +++ b/roles/containers/wireguard/tasks/network.yml @@ -0,0 +1,14 @@ +--- +- name: Make sure the nftables vpn rule exists + become: true + template: + src: ../templates/52_vpn.nft.template + dest: /etc/nftables.d/52_vpn.nft + register: firewall + +- name: Restart nftables + become: true + service: + name: nftables + state: restarted + when: firewall.changed diff --git a/roles/containers/wireguard/tasks/setup.yml b/roles/containers/wireguard/tasks/setup.yml new file mode 100644 index 0000000..ea0f777 --- /dev/null +++ b/roles/containers/wireguard/tasks/setup.yml 
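Review bot: The four-line backslash-continued peer config path is written out twice in config.yml (and its `/config` prefix a third time as the volume in setup.yml), so a typo in one copy silently makes `wait_for` and `fetch` disagree. Add one default, `wireguard_config_dir: "{{ container_dir }}/{{ wireguard_project_dir }}/config"`, and reduce both tasks to `path: "{{ wireguard_config_dir }}/peer_{{ item }}/peer_{{ item }}.conf"` (and `src:` likewise). The fetched peer file carries that peer's private key, so a comment on the fetch task should say so, e.g. `# peer conf includes the peer private key; ./output/ is gitignored in this commit, keep it that way`.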
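Review bot: main.yml uses bare `include_tasks` while config.yml uses the fully qualified `ansible.builtin.wait_for` and `ansible.builtin.fetch`; network.yml (`template`, `service`) and setup.yml (`file`, `docker_container`) are also unqualified. Pick one convention for the role, preferably FQCN throughout, e.g. `- ansible.builtin.include_tasks: setup.yml`, and `community.docker.docker_container` in setup.yml. Giving the three includes a `name:` would also make the role's three phases show up in play output.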
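Review bot: `state: restarted` on nftables stops and flushes the ruleset before loading it again, so every change to 52_vpn.nft leaves the host briefly without any firewall rules, and a template rendering that nft rejects leaves it that way. Validate the file before it is installed with `validate: "nft -c -f %s"` on the template task, and use `state: reloaded` where the nftables unit supports it so the ruleset is replaced atomically. Firing the restart from a handler instead of `register: firewall` plus `when: firewall.changed` would match the usual role layout and collapse several rule changes into one reload.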
@@ -0,0 +1,38 @@ +--- +- name: Ensure wireguard-dir "{{ wireguard_project_dir }}" exists + file: + path: "{{ container_dir }}/{{ wireguard_project_dir }}" + state: directory + recurse: true + +- name: Setup wireguard + docker_container: + name: wireguard + image: linuxserver/wireguard:1.0.20210914-alpine + restart_policy: unless-stopped + env: + PUID: "1000" + PGID: "1000" + TZ: "{{ wireguard_timezone }}" + SERVERURL: "{{ wireguard_domain }}" + SERVERPORT: "{{ wireguard_port }}" + PEERS: "{{ wireguard_peers | join(',') }}" + INTERNAL_SUBNET: "10.0.0.0" + ALLOWEDIPS: "0.0.0.0/0, ::/0" + PEERDNS: "1.1.1.1" + ports: + - "{{ wireguard_port }}:{{ wireguard_port }}/udp" + volumes: + - "{{ container_dir }}\ + /{{ wireguard_project_dir }}\ + /config\ + :/config" + mounts: + - source: /lib/modules + target: /lib/modules + type: bind + capabilities: + - NET_ADMIN + - SYS_MODULE + sysctls: + net.ipv4.conf.all.src_valid_mark: 1 diff --git a/roles/containers/wireguard/templates/52_vpn.nft.template b/roles/containers/wireguard/templates/52_vpn.nft.template new file mode 100644 index 0000000..3549e1f --- /dev/null +++ b/roles/containers/wireguard/templates/52_vpn.nft.template @@ -0,0 +1,8 @@ +#!/usr/sbin/nft -f + +table inet filter { + chain input { + # allow wireguard vpn + udp dport {{ wireguard_port }} accept comment "Allow wireguard" + } +} diff --git a/run.yml b/run.yml index 4fbe879..7a55ca2 100644 --- a/run.yml +++ b/run.yml @@ -1,10 +1,14 @@ --- ############################################ # SETUP BASE SYSTEM +# overwrites the ssh user set in the hosts.yml, +# because the non-root user has yet to be created ############################################ - name: setup base system hosts: all - become: true + remote_user: root + vars: + ansible_ssh_user: root roles: - role: system tags: system @@ -48,3 +52,9 @@ roles: - role: containers/uptime-kuma tags: status +# Setup Wireguard +- name: setup Wireguard + hosts: all + roles: + - role: containers/wireguard + tags: vpn -- 2.38.5
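Review bot: `SYS_MODULE` together with the `/lib/modules` bind mount lets the container load arbitrary kernel modules, which is equivalent to host root; on a host whose kernel already ships the wireguard module (mainline since 5.6) neither is needed and both can be dropped, leaving only `NET_ADMIN`. If they must stay for older kernels, a comment above `capabilities:` should state that reason so the next reader does not remove them blindly. Separately, `recurse: true` on the directory task re-walks the whole config tree every run without setting any owner or mode; `state: directory` already creates missing parents, so the line can go.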
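Review bot: The template adds a rule to `table inet filter` / `chain input` without a `type filter hook input priority ...` line, so it only loads if an earlier include already declares that chain, and the `52_` prefix is the only hint of that ordering. A leading comment would make the dependency explicit, e.g. `# appends to the base input chain defined in a lower-numbered /etc/nftables.d/ file; the chain must already exist`. The `{{ wireguard_port }}` substitution is unquoted in nft syntax, which is correct for a numeric port but worth a note that the default is a quoted string in defaults/main.yml.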
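Review bot: `ansible_ssh_user` is the old alias of `ansible_user`; it still works but the current name is `ansible_user`, and play-level `vars` override the inventory value, so `vars:` / `  ansible_user: root` alone is enough and `remote_user: root` becomes redundant. The comment above the play explains the root login is only for bootstrapping before the non-root user exists, which is the right place for that rationale; consider also stating that the other plays are expected to use the hosts.yml user so nobody re-adds root there. The `setup base system` play's roles list continues outside the hunk.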