
commit bd994074ad65c8e8a073cd16d312fbc257d42532
parent bd9dad250283236058b4ad308d77d90cd88b0dc7
Author: Jul <jul@9o.is>
Date:   Tue, 14 May 2024 05:15:40 +0800

install wireguard on server

Diffstat:
Mhost/group_vars/all | 11+++++++++++
Mhost/inventory.yml | 9+++++++++
Mhost/readme.md | 4++--
Mhost/roles/firewall/templates/iptables-custom-rules.j2 | 3++-
Ahost/roles/wireguard/handlers/main.yml | 12++++++++++++
Ahost/roles/wireguard/tasks/client.yml | 77+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ahost/roles/wireguard/tasks/main.yml | 12++++++++++++
Ahost/roles/wireguard/tasks/server.yml | 42++++++++++++++++++++++++++++++++++++++++++
Mhost/site.yml | 17++++++++++++-----
9 files changed, 179 insertions(+), 8 deletions(-)

diff --git a/host/group_vars/all b/host/group_vars/all
@@ -1,3 +1,14 @@
openssh_port: 57123
+wireguard_port: 62620
k0s_version: v1.30.0+k0s.0
+wg_client_public_key: ZlBc9LbWP4CBm/9aIbZ2dwPZQbkYdvi7TZimAo5czWk=
+wg_client_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36613738326461313533666264313364393138653062393165303061363832623661616162616437
+ 3862356239656230363034626665303639316131373761640a363866373862376535313533373966
+ 37656432366437316135366635313639663433323663363934303263646431383065386335643038
+ 6562656233336532360a343666306138356231373063353066303030663462616630323237646535
+ 31336539323665653562333265323939396365306366343763616631383133653037613130613434
+ 6231663264373733353832346338623136636532363333626162
+
diff --git a/host/inventory.yml b/host/inventory.yml
@@ -9,4 +9,13 @@ servers:
static_gateway: 89.147.110.1
static_nameservers: 93.95.224.28 93.95.224.29
static_mtu: 576
+ wg_server_public_key: DcQpBGdChVTyLMR/UUfPNHa8sQz9J5I+3BSIJ7f3qhw=
+ wg_server_private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31626538636263303764343161633635636439323630336631336230366430323562633530393934
+ 6435336263616664383930656362633365613463373965620a663833313234643762626130376662
+ 65663965303864363162306265373437346337643734353363656130613435303236663834376533
+ 3132326665323861620a356439353663383237383630366461303233343062626564623231323134
+ 36303534316462316537356166363462613434393631373332313931393362646634336362656638
+ 3465306231393835613662643230346637643639383938633435
diff --git a/host/readme.md b/host/readme.md
@@ -1,7 +1,7 @@
### Installation
```
-ansible-playbook site.yml --tags init --user root
-ansible-playbook site.yml --tags kubes
+ansible-playbook site.yml --tags raw-setup --user root
+ansible-playbook site.yml --user root
```
diff --git a/host/roles/firewall/templates/iptables-custom-rules.j2 b/host/roles/firewall/templates/iptables-custom-rules.j2
@@ -61,8 +61,9 @@ $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-# Allowed ports ssh
+# Allowed service ports
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port {{ openssh_port }} -m conntrack --ctstate NEW -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p udp --destination-port {{ wireguard_port }} -m conntrack --ctstate NEW -j ACCEPT
# Do not log smb/windows sharing packets - too much logging
$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 137:139 -j REJECT
diff --git a/host/roles/wireguard/handlers/main.yml b/host/roles/wireguard/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: restart server wireguard
+ shell: |
+ wg-quick down wg0
+ wg-quick up wg0
+
+- name: restart client wireguard
+ delegate_to: localhost
+ shell: |
+ wg-quick down wg0
+ wg-quick up wg0
+
diff --git a/host/roles/wireguard/tasks/client.yml b/host/roles/wireguard/tasks/client.yml
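Review bot: The new UDP accept on `${PUB_IF}` opens the listen port, but nothing in this hunk accepts traffic arriving on the tunnel interface itself; if the INPUT policy elsewhere in the template is DROP and there is no `-i wg0` rule, peers can complete the handshake but reach nothing behind it. The rest of the template is outside the hunk, so confirm whether such a rule already exists before adding one such as `$IPT -A INPUT -i wg0 -s 10.0.0.0/24 -j ACCEPT` under the same "Allowed service ports" heading. Scoping it to the tunnel subnet keeps the accept as narrow as the peer `AllowedIPs` the role configures.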
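Review bot: Both handlers tear wg0 fully down before bringing it up, so every key or peer change drops the live tunnel and any session riding on it, and on the first run `wg-quick down wg0` fails noisily because the interface does not exist yet (the task still passes since only the last command's exit status counts). A change-safe form is `wg-quick up wg0 2>/dev/null || wg-quick strip wg0 | wg syncconf wg0 /dev/stdin`, which creates the interface when absent and otherwise applies the new keys and peers in place; `syncconf` does not reapply `Address`, which is fixed in this role anyway. The client handler runs `wg-quick` on the control node as the invoking user, so it needs root there independently of `--user root`, which only affects the remote connection.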
@@ -0,0 +1,77 @@
+---
+- name: create client wireguard directory
+ delegate_to: localhost
+ file:
+ path: /rw/config/wireguard
+ owner: root
+ group: root
+ mode: '0700'
+ state: directory
+
+- name: link /etc/wireguard
+ delegate_to: localhost
+ block:
+ - name: remove /etc/wireguard
+ file:
+ dest: /etc/wireguard
+ state: absent
+ - name: link /etc/wireguard
+ file:
+ src: /rw/config/wireguard
+ dest: /etc/wireguard
+ owner: root
+ group: root
+ state: link
+
+- name: edit client interface
+ delegate_to: localhost
+ ini_file:
+ path: /etc/wireguard/wg0.conf
+ owner: root
+ group: root
+ mode: '0600'
+ section: Interface
+ option: '{{ item.option }}'
+ value: '{{ item.value }}'
+ with_items:
+ - option: PrivateKey
+ value: '{{ wg_client_private_key }}'
+ - option: Address
+ value: 10.0.0.2/24
+ notify: restart client wireguard
+
+- name: add server peer to client config
+ delegate_to: localhost
+ delegate_facts: true
+ ini_file:
+ path: /etc/wireguard/wg0.conf
+ owner: root
+ group: root
+ mode: '0600'
+ section: Peer
+ option: '{{ item.option }}'
+ value: '{{ item.value }}'
+ with_items:
+ - option: PublicKey
+ value: '{{ wg_server_public_key }}'
+ - option: AllowedIPs
+ value: 10.0.0.0/24
+ - option: Endpoint
+ value: '{{ ansible_nodename }}:{{ wireguard_port }}'
+ - option: PersistentKeepalive
+ value: 25
+ notify: restart client wireguard
+
+- name: autostart wireguard
+ delegate_to: localhost
+ copy:
+ dest: /rw/config/rc.local.d/wireguard.rc
+ owner: root
+ group: root
+ mode: '0755'
+ content: |
+ #!/bin/sh
+ rm -rf /etc/wireguard
+ ln -s /rw/config/wireguard /etc/wireguard
+ wg-quick up wg0
+
diff --git a/host/roles/wireguard/tasks/main.yml b/host/roles/wireguard/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+- name: install wireguard
+ package:
+ name: wireguard
+ state: present
+
+- name: configure wireguard client
+ include_tasks: client.yml
+
+- name: configure wireguard server
+ include_tasks: server.yml
+
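Review bot: Every task here is delegated to localhost, yet the role runs once per host in `servers`, so each host rewrites the same `/etc/wireguard/wg0.conf` on the control node with the fixed address `10.0.0.2/24` and a single `[Peer]` section; with more than one server the last host processed silently overwrites the others' peer entries (only one host is visible in the inventory hunk, so this may be acceptable today but deserves a comment). The delegated tasks also write under `/etc` and `/rw/config`, and the `remove /etc/wireguard` step deletes whatever is already there, which only works when the playbook itself runs as root on the control node — `--user root` in the readme affects the remote side only — so either `become: true` on these tasks or a documented precondition is needed. `delegate_facts: true` on the peer task appears to be a no-op for `ini_file` and is absent from the sibling delegated tasks; drop it for consistency. The `Endpoint` value uses the server's `ansible_nodename`, which must resolve from the control node for the tunnel to come up; a short comment stating that assumption would help.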
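Review bot: The install task runs on the managed host only, while `client.yml` and the client handler run `wg-quick` on the control node through `delegate_to: localhost`, where nothing installs it; the role silently assumes the tools are already present locally. A comment such as `# wg-quick must already be installed on the control node; client.yml is delegated there` would make that explicit, or a delegated install task could be added. The repository describes the targets as Alpine, whose userspace tools ship as `wireguard-tools` rather than `wireguard`, so confirm the package name resolves on the target before relying on this task.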
diff --git a/host/roles/wireguard/tasks/server.yml b/host/roles/wireguard/tasks/server.yml
@@ -0,0 +1,42 @@
+---
+- name: create server wireguard directory
+ file:
+ path: /etc/wireguard
+ owner: root
+ group: root
+ mode: '0700'
+ state: directory
+
+- name: configure server interface
+ ini_file:
+ path: /etc/wireguard/wg0.conf
+ owner: root
+ group: root
+ mode: '0600'
+ section: Interface
+ option: '{{ item.option }}'
+ value: '{{ item.value }}'
+ with_items:
+ - option: PrivateKey
+ value: '{{ wg_server_private_key }}'
+ - option: Address
+ value: 10.0.0.1/24
+ - option: ListenPort
+ value: '{{ wireguard_port }}'
+ notify: restart server wireguard
+
+- name: add client peer to server config
+ ini_file:
+ path: /etc/wireguard/wg0.conf
+ owner: root
+ group: root
+ mode: '0600'
+ section: Peer
+ option: '{{ item.option }}'
+ value: '{{ item.value }}'
+ with_items:
+ - option: PublicKey
+ value: '{{ wg_client_public_key }}'
+ - option: AllowedIPs
+ value: 10.0.0.2/32
+ notify: restart server wireguard
diff --git a/host/site.yml b/host/site.yml
@@ -2,17 +2,24 @@
- name: Raw Setup
hosts: servers
gather_facts: false
- tags: init
+ tags: raw-setup
roles:
- raw-setup
- name: Setup
hosts: servers
- tags: init
roles:
- - setup
- - firewall
- - openssh
+ - role: setup
+ tags: setup
+
+ - role: openssh
+ tags: openssh
+
+ - role: wireguard
+ tags: wireguard
+
+ - role: firewall
+ tags: firewall
- name: Kubernetes
hosts: servers
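Review bot: Nothing in this file or in the handlers enables wg0 at boot on the server: the interface only comes up through the `restart server wireguard` handler when the config changes, so after a reboot the tunnel stays down until the playbook runs again (the client gets an rc.local hook in `client.yml`, the server gets none). Add an enabling step after the peer task, e.g. a `service:` task with `enabled: true` for the distribution's wg-quick service or OpenRC script for wg0 — the exact service name depends on the target and is not visible here, so confirm it before adding. The `AllowedIPs: 10.0.0.2/32` peer entry is appropriately narrow; keep it per-peer if more clients are added rather than widening it to the /24 the client side uses.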