infra-ansible
ansible script to ship alpine/ssh/wireguard
commit e6fcd3c05687ba7cfee6d2fe4cec4f15c295885e parent 03cedf9e0c2f6a652d041a53b55201689b2ec4aa Author: Jul <jul@9o.is> Date: Sat, 1 Jun 2024 17:30:59 +0800 group local tasks into ansible blocks Diffstat:
| M | host/roles/alpine/tasks/build.yml | | | 152 | ++++++++++++++++++++++++++++++++++++++----------------------------------------- |
| M | host/roles/setup/tasks/wireguard_client.yml | | | 200 | +++++++++++++++++++++++++++++++++++++------------------------------------------ |
2 files changed, 167 insertions(+), 185 deletions(-)
diff --git a/host/roles/alpine/tasks/build.yml b/host/roles/alpine/tasks/build.yml 
@@ -1,81 +1,75 @@ - --- -- name: create iso directory +- name: build alpine locally delegate_to: localhost - file: - path: '{{ alpine_output }}/iso' - mode: '0700' - state: directory - -- name: add Containerfile - delegate_to: localhost - template: - src: Containerfile.j2 - dest: '{{ alpine_output }}/Containerfile' - mode: '0600' - -- name: add entrypoint.sh - delegate_to: localhost - template: - src: entrypoint.sh.j2 - dest: '{{ alpine_output }}/entrypoint.sh' - mode: '0755' - -- name: add mkimg.x.sh - delegate_to: localhost - template: - src: mkimg.x.sh.j2 - dest: '{{ alpine_output }}/mkimg.x.sh' - mode: '0755' - -- name: add genapkovl-mkimgoverlay.sh - delegate_to: localhost - template: - src: genapkovl-mkimgoverlay.sh.j2 - dest: '{{ alpine_output }}/genapkovl-mkimgoverlay.sh' - mode: '0755' - -- name: build alpine-builder - delegate_to: localhost - podman_image: - name: alpine-builder - path: '{{ alpine_output }}' - force: true - register: alpine_builder - -- name: check alpine iso - delegate_to: localhost - stat: - path: '{{ alpine_iso }}' - register: iso_file - -- name: build alpine iso - delegate_to: localhost - containers.podman.podman_container: - name: 'alpine-builder-{{ inventory_hostname }}' - image: alpine-builder - rm: true - detach: false - volume: - - '{{ alpine_iso_dir }}:/iso' - when: not iso_file.stat.exists or alpine_builder.changed - register: iso_build - -- name: fix ownership of iso directory - become: true - delegate_to: localhost - file: - path: '{{ alpine_iso_dir }}' - state: directory - recurse: true - owner: user - group: user - -- name: show next steps - debug: - msg: - - 'ISO is ready for manual installation.' 
- - '1) Mount iso {{ playbook_dir }}/{{ alpine_iso }}' - - '2) Run setup-disk' - when: not debian_preinstalled and iso_build.changed - + block: + - name: create iso directory + file: + path: '{{ alpine_output }}/iso' + mode: '0700' + state: directory + + - name: add Containerfile + template: + src: Containerfile.j2 + dest: '{{ alpine_output }}/Containerfile' + mode: '0600' + + - name: add entrypoint.sh + template: + src: entrypoint.sh.j2 + dest: '{{ alpine_output }}/entrypoint.sh' + mode: '0755' + + - name: add mkimg.x.sh + template: + src: mkimg.x.sh.j2 + dest: '{{ alpine_output }}/mkimg.x.sh' + mode: '0755' + + - name: add genapkovl-mkimgoverlay.sh + template: + src: genapkovl-mkimgoverlay.sh.j2 + dest: '{{ alpine_output }}/genapkovl-mkimgoverlay.sh' + mode: '0755' + + - name: build alpine-builder + podman_image: + name: alpine-builder + path: '{{ alpine_output }}' + force: true + register: alpine_builder + + - name: check alpine iso + become: true + stat: + path: '{{ alpine_iso }}' + register: iso_file + + - name: build alpine iso + containers.podman.podman_container: + name: 'alpine-builder-{{ inventory_hostname }}' + image: alpine-builder + rm: true + detach: false + volume: + - '{{ alpine_iso_dir }}:/iso' + when: not iso_file.stat.exists or alpine_builder.changed + register: iso_build + + - name: fix ownership of iso directory + become: true + file: + path: '{{ alpine_iso_dir }}' + state: directory + recurse: true + owner: user + group: user + + - name: show next steps + debug: + msg: + - 'ISO is ready for manual installation.' + - '1) Mount iso {{ playbook_dir }}/{{ alpine_iso }}' + - '2) Run setup-disk' + when: not debian_preinstalled and iso_build.changed + diff --git a/host/roles/setup/tasks/wireguard_client.yml b/host/roles/setup/tasks/wireguard_client.yml 
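Review bot: `check alpine iso` gains `become: true` in the new block while every other task is only re-indented under the block-level `delegate_to: localhost`, so this regroup also changes which user runs the stat, and the commit message does not mention it. If the path is unreadable without root (the later `fix ownership of iso directory` task suggests the iso dir is root-owned after the podman run), say so above the task, e.g. `# become: iso dir is root-owned until 'fix ownership of iso directory' runs`; otherwise drop the escalation to keep the commit a pure regrouping. The hard-coded `owner: user` / `group: user` in that ownership task is pre-existing, but it assumes the controller account is literally named `user` and is worth a comment or a variable.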
@@ -1,109 +1,97 @@ --- -- name: create client wireguard directory +- name: set up local wireguard client become: true delegate_to: localhost - file: - path: /rw/config/wireguard - owner: root - group: root - mode: '0700' - state: directory - -- name: link /etc/wireguard - become: true - delegate_to: localhost - file: - src: /rw/config/wireguard - dest: /etc/wireguard - owner: root - group: root - force: true - state: link - -- name: edit client interface - become: true - delegate_to: localhost - ini_file: - path: '/etc/wireguard/{{ wg_client_iface }}.conf' - owner: root - group: root - mode: '0600' - section: Interface - option: '{{ item.option }}' - value: '{{ item.value }}' - with_items: - - option: PrivateKey - value: '{{ wg_client_private_key }}' - - option: Address - value: '{{ wg_client_ip }}/32' - notify: restart client wireguard - -- name: add server peer to client config - become: true - delegate_to: localhost - delegate_facts: true - ini_file: - path: '/etc/wireguard/{{ wg_client_iface }}.conf' - owner: root - group: root - mode: '0600' - section: Peer - option: '{{ item.option }}' - value: '{{ item.value }}' - with_items: - - option: PublicKey - value: '{{ wg_server_public_key }}' - - option: AllowedIPs - value: '{{ wg_server_ip }}/32' - - option: Endpoint - value: '{{ ansible_default_ipv4.address }}:{{ wireguard_port }} # {{ ansible_nodename }}' - - option: PersistentKeepalive - value: 25 - notify: restart client wireguard - -- name: autostart wireguard - become: true - delegate_to: localhost - copy: - dest: /rw/config/rc.local.d/wireguard.rc - owner: root - group: root - mode: '0755' - content: | - #!/bin/sh - rm -rf /etc/wireguard - ln -s /rw/config/wireguard /etc/wireguard - -- name: autostart wireguard {{ wg_client_iface }} - become: true - delegate_to: localhost - copy: - dest: '/rw/config/rc.local.d/wireguard-{{ wg_client_iface }}.rc' - owner: root - group: root - mode: '0755' - content: | - #!/bin/sh - while [ ! 
-e /etc/wireguard/{{ wg_client_iface }}.conf ]; do sleep 1; done - systemctl start wg-quick@{{ wg_client_iface }} - -- name: resolve {{ ansible_nodename }} to {{ wg_server_ip }} - become: true - delegate_to: localhost - delegate_facts: true - lineinfile: - path: /etc/hosts - search_string: '{{ wg_server_ip }}' - line: '{{ wg_server_ip }} {{ ansible_nodename }}' - insertbefore: '### START default local hosts' - -- name: persist /etc/hosts for qubes - become: true - delegate_to: localhost - delegate_facts: true - lineinfile: - path: /rw/config/hosts - search_string: '{{ wg_server_ip }}' - line: '{{ wg_server_ip }} {{ ansible_nodename }}' - insertbefore: '### START default local hosts' - + block: + - name: create wireguard directory + file: + path: /rw/config/wireguard + owner: root + group: root + mode: '0700' + state: directory + + - name: link /etc/wireguard + file: + src: /rw/config/wireguard + dest: /etc/wireguard + owner: root + group: root + force: true + state: link + + - name: edit client interface + ini_file: + path: '/etc/wireguard/{{ wg_client_iface }}.conf' + owner: root + group: root + mode: '0600' + section: Interface + option: '{{ item.option }}' + value: '{{ item.value }}' + with_items: + - option: PrivateKey + value: '{{ wg_client_private_key }}' + - option: Address + value: '{{ wg_client_ip }}/32' + notify: restart client wireguard + + - name: add server peer to client config + delegate_facts: true + ini_file: + path: '/etc/wireguard/{{ wg_client_iface }}.conf' + owner: root + group: root + mode: '0600' + section: Peer + option: '{{ item.option }}' + value: '{{ item.value }}' + with_items: + - option: PublicKey + value: '{{ wg_server_public_key }}' + - option: AllowedIPs + value: '{{ wg_server_ip }}/32' + - option: Endpoint + value: '{{ ansible_default_ipv4.address }}:{{ wireguard_port }} # {{ ansible_nodename }}' + - option: PersistentKeepalive + value: 25 + notify: restart client wireguard + + - name: autostart wireguard + copy: + dest: 
/rw/config/rc.local.d/wireguard.rc + owner: root + group: root + mode: '0755' + content: | + #!/bin/sh + rm -rf /etc/wireguard + ln -s /rw/config/wireguard /etc/wireguard + + - name: autostart wireguard {{ wg_client_iface }} + copy: + dest: '/rw/config/rc.local.d/wireguard-{{ wg_client_iface }}.rc' + owner: root + group: root + mode: '0755' + content: | + #!/bin/sh + while [ ! -e /etc/wireguard/{{ wg_client_iface }}.conf ]; do sleep 1; done + systemctl start wg-quick@{{ wg_client_iface }} + + - name: resolve {{ ansible_nodename }} to {{ wg_server_ip }} + delegate_facts: true + lineinfile: + path: /etc/hosts + search_string: '{{ wg_server_ip }}' + line: '{{ wg_server_ip }} {{ ansible_nodename }}' + insertbefore: '### START default local hosts' + + - name: persist /etc/hosts for qubes + delegate_facts: true + lineinfile: + path: /rw/config/hosts + search_string: '{{ wg_server_ip }}' + line: '{{ wg_server_ip }} {{ ansible_nodename }}' + insertbefore: '### START default local hosts' +
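Review bot: `edit client interface` loops over `wg_client_private_key` without `no_log: true`, so the private key is echoed in the per-item task result and in any configured Ansible log or callback; the block regroup is a good moment to add it, since the task now runs under block-level `become: true` and `delegate_to: localhost`. Add `no_log: true` beside `notify: restart client wireguard` on that task; `add server peer to client config` writes only public data and can stay visible. `delegate_facts: true` is still set on the `ini_file` and `lineinfile` tasks, where, as far as I can tell, it has no effect (it only governs where returned facts are stored), so it can go the same way as the per-task `delegate_to` lines the commit removed.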