Merge branch 'wg-fix' of jowj/adc into master

ansible/all.yml

@@ -12,3 +12,10 @@
     - debug: msg="Deploying wg."
   roles:
     - { name: wg_vpn }
+
+- name: cloud wg config
+  hosts: vpn
+  tasks:
+    - debug: msg="Deploying wg to cloud server"
+  roles:
+    - { name: wg_vpn }

ansible/client_matrix.yml

@@ -0,0 +1,8 @@
+---
+
+- name: generate ios client config
+  hosts: dev #localhost
+  tasks:
+    - debug: msg="generate phone config"
+  roles:
+    - { name: wg_vpn }

ansible/cloud_wg.yml

@@ -0,0 +1,8 @@
+---
+
+- name: cloud wg config
+  hosts: vpn
+  tasks:
+    - debug: msg="Deploying wg to cloud server"
+  roles:
+    - { name: wg_vpn }

ansible/group_vars/all/main.yml

@@ -5,3 +5,31 @@ gather_facts: True
 source_os: arch
 become: yes
 create_user: josiah
+
+
+# all of this is stolen from mrled, because fuck this is way better than what i was doing.
+# Wireguard docs
+# TODO: lookup plugin to generate the pubkey from the privkey
+# TODO: set all these as hostvars, use hostvars['HOSTNAME'].wireguard_privkey etc
+#       (should be ok even for e.g. glitch, which doesn't get provisioned from Ansible)
+# To generate the keys:
+# - wg genkey | tee privatekey | wg pubkey > publickey
+# - save the privkey in the vault and the pubkey here
+# - Delete the privatekey and publickey files
+wireguard_vpn_network: 10.200.219.0/24
+wireguard_server_privkey: "{{ vault_wireguard_server_privkey }}"
+wireguard_server_pubkey: e49UyNg/kqPETyT9K6nqIYjtTwlR8hY8Brm/P66xnmo=
+wireguard_server_offset: 1
+wireguard_clients:
+  - name: matrix
+    offset: 10
+    privkey: "{{ vault_wireguard_client_privkey_matrix }}"
+    pubkey: lNoFqmeHfSDb/VB0mutpFzb4cZELOjSVOYQCLEfQIRU=
+  - name: pvl
+    offset: 11
+    privkey: "{{ vault_wireguard_client_privkey_pvl }}"
+    pubkey: l/j+UXtrxTqqTTjxjgheQ3B2QppZWs07na4GypZw9GM=
+  - name: ling8
+    offset: 12
+    privkey: "{{ vault_wireguard_client_privkey_ling8 }}"
+    pubkey: YqGQE6yUz6rjBFRWgZyj5mPEaGavxrmO/cclO5o+VBQ=

ansible/group_vars/all/vault.yml

@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+37626464343231323066306337616434313033366530356236336163353031396135333731306538
+3337343633343338383034636236393230396439346565390a343838643861363239326339613633
+33643363666233323631356661633164333538326566623736396138363063393366343261343932
+3165316631643363630a303830393962303732383439623938303364313937633338383333323564
+35646335313963373864646334336364386633326431393361393265306233343265303434613266
+33656636386432396431393034343738643366613163306530363562636564313863373138633738
+61376663303835333137653262393064396366316163373034646135633131336264343533313936
+64346163323930363266383863666139336337646232383135383635633064663334376532663439
+30306565643938323730373064353038306536646431623332623832326461663836656231346161
+34373563333363323364393135343234323334313462356234383563333566646339633935323037
+36663761366566633965336234323364376633343732396636363934613934666533343435616236
+31623934383462376637323637333039633536633336373662623430663337656461613437626330
+61626665643532393139383039393961316435626662313630343139386636343165303063616363
+30353261386639613563313233643538333134363235336263343634643833643538623065653264
+65396136373937663864326434656438323830393063313332623733383433333033613936393039
+64656537636161373033653231663631363661323361636637663234393634623738646263323035
+32323639653137643136313432396161346633343334616234393161366161323761626633636238
+39623161396235633138653736666164656465663733616238623136633934656162313936386666
+62396265323938633530383161643634303236346562336133663366333330623930313133653164
+64663638386261653763393338396637396539613366643637343361343838616561633033323037
+38373437613561303763383464626365333233303962363139373434306334393630

ansible/hosts.yml

@@ -9,6 +9,7 @@ all:
     dev:
       hosts:
         localhost:
+          ansible_connection: local
     onprem_clients:
       hosts:
         hydra-ling:

ansible/readme.org

@@ -0,0 +1,9 @@
+* setup from scratch:
+~ansible-playbook -i hosts.yml all.yml --ask-vault-pass --ask-become-pass~
+
+
+* wg
+
+** clients
+you probably want to deploy clients individually most of the time. to do that, provide a tag, like:
+~ansible-playbook -i hosts.yml client_matrix.yml --ask-vault-pass --ask-become-pass --tags matrix_client~

ansible/roles/droplets/tasks/serverbuild.yml

@@ -4,7 +4,7 @@
   vars:
     create_user: josiah
     copy_local_key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/digitalocean.pub') }}"
-    sys_packages: [ 'curl', 'vim', 'git', 'fail2ban' ]
+    sys_packages: [ 'curl', 'vim', 'git', 'fail2ban', 'mosh' ]
 
   tasks:
     - name: Make sure we have a 'sudo' group

ansible/roles/home-net/vars/main.yml

@@ -1 +1 @@
-sys_packages: [ 'curl', 'vim', 'git', '', 'emacs', 'build-essential' ]
+sys_packages: [ 'curl', 'vim', 'git', '', 'emacs', 'build-essential', 'mosh' ]

ansible/roles/wg_vpn/README.md

@@ -15,19 +15,15 @@ A description of the settable variables for this role should go here, including
 
 
 shit i'm still fixing
-----------------
+----------------------
 - its not actually working yet
   - mobile device seems like it connects
   - but i can't browse around.
 - arch tasks suck because ansible + pacman is bad.
+- 
 
-
-Example Playbook
-----------------
-
-I don't know what to put here because i don't understand how roles work lmao
-	`ansible-playbook -i ../hosts.yml tasks/main.yml -v`
-		 
+misc
+----
 useful for generating mobile device configs: qrencode -t ansiutf8 < /etc/wireguard/mobile.conf
 
 License

ansible/roles/wg_vpn/defaults/main.yml

@@ -1,2 +1,5 @@
 ---
-# defaults file for wg_vpn
+
+wireguard_server_listen_port: 51820
+
+wireguard_server_lan_interface: enp3s0

ansible/roles/wg_vpn/handlers/main.yml

@@ -1,2 +1,5 @@
 ---
-# handlers file for wg_vpn
+# handlers file for wg_vpn
+
+- name: restart wireguard
+  service: name=wg-quick@wg0.service state=restarted

ansible/roles/wg_vpn/tasks/main.yml

@@ -2,65 +2,39 @@
 # tasks file for wg_vpn
 # playbook to go from a "base configured" server to a wg vpn peer
 
-- name: "generating config on relay server"
-  debug:
-    msg: "config on relay is starting"
-    verbosity: 1
-- name: generate config on relay server
-  include: pretasks_debian.yml
-  become: yes
+- name: add unstable to repos
+  shell: |
+    echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
+    printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
 
-- name: "generating config on local mac"
-  debug:
-    msg: "config on mac is starting"
-    verbosity: 1
-  when: source_os == 'macos'
-- name: generate config on local mac
-  include: pretasks_mac.yml
-  delegate_to: localhost
-  when: source_os == 'macos'
+- name: install wireguard
+  apt:
+    name:
+      - wireguard
+      - build-essential
+      - dkms
+    update_cache: yes
+    state: latest
 
-- name: "generating config on local arch"
-  debug:
-    msg: "config on arch is starting"
-    verbosity: 1
-  when: source_os == 'arch'
-- name: generate config on local arch
-  include: pretasks_arch.yml
-  delegate_to: localhost
-  when: source_os == 'arch'
+    
+- name: Enable IP forwarding
+  sysctl: name={{ item }} value=1 state=present
+  with_items:
+    - net.ipv4.ip_forward
+    - net.ipv6.conf.all.forwarding
 
-- name: generate config for IOS on local machine
-  include: pretasks_ios.yml
-  delegate_to: localhost
+- name: Create wireguard config directory
+  file: state=directory path=/etc/wireguard owner=root group=root mode=0700
 
-- name: "completing config on server"
-  debug:
-    msg: "config on relay is resuming"
-    verbosity: 1
-- name: complete config, wg up on relay server
-  include: posttasks_debian.yml
-  become: yes
-  
-- name: complete config, wg up on local mac
-  include: posttasks_mac.yml
-  delegate_to: localhost
-  when: source_os == 'macos'
+- name: Install wireguard configuration
+  template: src=wg0.conf dest=/etc/wireguard/wg0.conf owner=root group=root mode=0600
+  notify: restart wireguard
 
-- name: "generating config on local arch"
-  debug:
-    msg: "config on arch is completing"
-    verbosity: 1
-  when: source_os == 'arch'
-- name: complete config on local arch
-  include: posttasks_arch.yml
-  delegate_to: localhost
-  when: source_os == 'arch'
+- name: Start wireguard
+  service: name=wg-quick@wg0.service enabled=yes state=started
 
-- name: "generating config for iOS"
-  debug:
-    msg: "config for IOS is completing"
-    verbosity: 1
-- name: complete config for IOS on local machine
-  include: posttasks_ios.yml
-  delegate_to: localhost      
+- name: Create matrix.conf file in ~/wireguard/.
+  template: src=ios.conf dest=/etc/wireguard/ owner=root mode=0600
+  tags:
+    - clients
+    - client_matrix

ansible/roles/wg_vpn/tasks/posttasks_arch.yml

@@ -1,19 +0,0 @@
-- name: (local) fill out the rest of the wg0.conf file
-  blockinfile:
-    path: /etc/wireguard/wg0.conf
-    block: |
-      Address = 10.200.219.2/32, fd86:ea04:1115::2/128
-      DNS = 1.1.1.1
-
-      [Peer]
-      PublicKey = {{ server_publickey.stdout }}
-      Endpoint = vpn.awful.club:51820
-      AllowedIPs = 0.0.0.0/0
-  delegate_to: localhost
-  become: yes
-
-- name: (local) bring wg up on local
-  shell: wg-quick up wg0
-  delegate_to: localhost
-  become: yes
-  ignore_errors: True

ansible/roles/wg_vpn/tasks/posttasks_debian.yml

@@ -1,19 +0,0 @@
-- name: fill out the rest of the wg0.conf file
-  blockinfile:
-    path: /etc/wireguard/wg0.conf
-    block: |
-      Address = 10.200.219.1/24
-      Address = fd86:ea04:1115::1/64          
-      ListenPort = 51820
-      SaveConfig = true
-      [Peer]
-      # name = pvl
-      PublicKey = {{ client_publickey.stdout }}
-      AllowedIPs = 10.200.219.19/32, fd86:ea04:1115::19/128
-      [Peer]
-      # name = matrix
-      PublicKey = {{ ios_publickey.stdout }}
-      AllowedIPs = 10.200.219.10/32, fd86:ea04:1115::10/128
-
-- name: bring wg up on the relay node
-  shell: wg-quick up /etc/wireguard/wg0.conf

ansible/roles/wg_vpn/tasks/posttasks_ios.yml

@@ -1,11 +0,0 @@
-- name: (local) fill out the rest of the wg0.conf file
-  blockinfile:
-    path: ~/wireguard/ios.conf
-    block: |
-      Address = 10.200.219.10/32, fd86:ea04:1115::10/128
-      DNS = 1.1.1.1
-          
-      [Peer]
-      PublicKey = {{ server_publickey.stdout }}
-      Endpoint = vpn.awful.club:51820
-      AllowedIPs = 0.0.0.0/0, ::/0

ansible/roles/wg_vpn/tasks/posttasks_mac.yml

@@ -1,15 +0,0 @@
-- name: (local) fill out the rest of the wg0.conf file
-  blockinfile:
-    path: ~/wireguard/wg0.conf
-    block: |
-      Address = 10.200.219.19/32, fd86:ea04:1115::19/128
-      DNS = 1.1.1.1
-      
-      [Peer]
-      PublicKey = {{ server_publickey.stdout }}
-      Endpoint = vpn.awful.club:51820
-      AllowedIPs = 0.0.0.0/0, ::/0
-
-# - name: (local) bring wg up on local
-#   shell: wg-quick up wg0
- 

ansible/roles/wg_vpn/tasks/pretasks_arch.yml

@@ -1,36 +0,0 @@
----
-# tasks file for wg_vpn
-# this is useful for running plays /from/ an arch machine that will join the wg net.
-
-# install wg, generate keys, files on local machine
-- name: (local) install wg (i use) arch (btw)
-  pacman:
-    update_cache: yes
-    name: wireguard-tools, wireguard-arch, wireguard-dkms
-    state: present
-  delegate_to: localhost
-  become: yes
-  # ansible has a hard time parsing the pacman files
-  # ignore errors once you verify shit is installed / patched.
-  ignore_errors: True
-  
-- name: (local) ensure /etc/wireguard/ exists
-  file:
-    path: /etc/wireguard/
-    state: directory
-  delegate_to: localhost
-
-- name: (local) Generate keys
-  shell: |
-    printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
-    wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
-  vars:
-    umask: "077"
-  delegate_to: localhost
-  become: yes
-              
-- name: (local) register publickey for later use
-  shell: cat /etc/wireguard/publickey
-  register: client_publickey        
-  delegate_to: localhost
-  become: yes

ansible/roles/wg_vpn/tasks/pretasks_debian.yml

@@ -1,47 +0,0 @@
-- name: add unstable to repos
-  shell: |
-    echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
-    printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
-- name: Update aptitude
-  apt: update_cache=yes
-- name: install wireguard
-  apt: name=wireguard state=latest
-- name: install linux headers (necessary on older cloud kernels (fuck u digitalocean))
-  # the kernel version is hard coded because this is what DO currently uses
-  # and that's what i use
-  apt: name=linux-headers-4.19.0-6-cloud-amd64
-- name: install misc other things the internet says i need
-  apt: name=build-essential
-- name: install misc other things the internet says i need      
-  apt: name=dkms
-- name: needed for handling dns requests
-  apt: name=openresolv      
-- name: enable kernel relay/forwarding
-  shell: |
-    echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
-    echo "net.ipv4.conf.all.proxy_arp = 1" >> /etc/sysctl.conf
-    sudo sysctl -p /etc/sysctl.conf
-    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-    iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
-    iptables -t nat -A POSTROUTING -s 10.200.219.0/24 -o eth0 -j MASQUERADE
-- name: ensure /etc/wireguard/ exists
-  file:
-    path: /etc/wireguard/
-    state: directory
-    
-- name: Generate keys
-  shell: |
-    printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
-     wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
-  vars:
-    umask: "077"
-- name: register publickey for later use
-  shell: cat /etc/wireguard/publickey
-  register: server_publickey
-
-# do this to avoid idiot "hey you can't start, u already started!!!" erros.
-# fucker.
-- name: register publickey for later use
-  shell: wg-quick down /etc/wireguard/wg0.conf
-  ignore_errors: True

ansible/roles/wg_vpn/tasks/pretasks_ios.yml

@@ -1,15 +0,0 @@
-- name: make wg dir since macs are now weird about /etc/anything
-  file:
-    path: ~/wireguard/
-    state: directory
-
-- name: Generate keys
-  shell: |
-    printf "[Interface]\nPrivateKey = " > ~/wireguard/ios.conf
-    wg genkey | tee -a ~/wireguard/ios.conf | wg pubkey > ~/wireguard/ios_publickey
-  vars:
-    umask: "077"      
-
-- name: register publickey for later use
-  shell: cat ~/wireguard/ios_publickey
-  register: ios_publickey        

ansible/roles/wg_vpn/tasks/pretasks_mac.yml

@@ -1,21 +0,0 @@
-- name: Update brew
-  homebrew: update_homebrew=yes
-
-- name: install wireguard
-  homebrew: name=wireguard-tools state=latest
-
-- name: make wg dir since macs are now weird about /etc/anything
-  file:
-    path: ~/wireguard/
-    state: directory
-
-- name: Generate keys
-  shell: |
-    printf "[Interface]\nPrivateKey = " > ~/wireguard/wg0.conf
-    wg genkey | tee -a ~/wireguard/wg0.conf | wg pubkey > ~/wireguard/publickey
-  vars:
-    umask: "077"      
-
-- name: register publickey for later use
-  shell: cat ~/wireguard/publickey
-  register: client_publickey        

ansible/roles/wg_vpn/templates/ios.conf

@@ -0,0 +1,9 @@
+[Interface]
+PrivateKey = {{ wireguard_clients[0]['privkey'] }}
+Address = {{ wireguard_vpn_network | ipsubnet(32, wireguard_clients[0]['offset']) }}
+DNS = 1.1.1.1
+
+[Peer]
+PublicKey = {{ wireguard_server_pubkey }}
+Endpoint = vpn.awful.club:51820
+AllowedIPs = 0.0.0.0/0

ansible/roles/wg_vpn/templates/ios_example.conf

@@ -0,0 +1,9 @@
+[Interface]
+PrivateKey = <ios private key>
+Address = 10.200.219.10/32
+DNS = 1.1.1.1
+
+[Peer]
+PublicKey = e49UyNg/kqPETyT9K6nqIYjtTwlR8hY8Brm/P66xnmo=
+Endpoint = vpn.awful.club:51820
+AllowedIPs = 0.0.0.0/0

ansible/roles/wg_vpn/templates/wg0.conf

@@ -0,0 +1,33 @@
+[Interface]
+PrivateKey = {{ wireguard_server_privkey }}
+{#
+    We want the Address field here to be an IP address
+    with the whole network in CIDR notation, like 10.0.0.1/24.
+
+    If wireguard_vpn_network is a CIDR network like 10.0.0.0/24,
+    and wireguard_server_offset is an integer like 1,
+    this will produce an offset of the start of the network + CIDR prefix,
+    which in this case will be the desired 10.0.0.1/24.
+#}
+Address = {{ wireguard_vpn_network | ipaddr(wireguard_server_offset) }}
+ListenPort = {{ wireguard_server_listen_port }}
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+{% for client in wireguard_clients %}
+[Peer]
+# {{ client.name }}
+PublicKey = {{ client.pubkey }}
+{#
+    We want the Address field here to be an IP address
+    withOUT the whole network in CIDR notation, like 10.0.0.15/32.
+
+    If wireguard_vpn_network is a CIDR network like 10.0.0.0/24,
+    and client.offset is an integer like 15,
+    this will produce an offset of the start of the network with a /32 CIDR prefix
+    which in this case will be the desired 10.0.0.15/32.
+#}
+AllowedIPs = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }}
+
+{% endfor %}

ansible/roles/wg_vpn/vars/main.yml

@@ -1,2 +1,2 @@
 ---
-# vars file for wg_vpn
+# vars file for wg_vpn