From 15b78abf218a41f87f3730cda7512527806486ce Mon Sep 17 00:00:00 2001
From: josiah
Date: Sun, 15 Nov 2020 13:37:58 -0600
Subject: [PATCH] Move to wg portal setup on larva.
- add parent play for configuring the rpi
- add dedicated rpi.yml to configure the base
- copy over templates, handlers from the wg play
- import the rpi.yml in main.yml
---
 ansible/group_vars/all/main.yml | 2 +-
 .../host_vars/larva.home.jowj.net/main.yml | 1 +
 ansible/roles/home-net/handlers/main.yml | 5 ++++
 ansible/roles/home-net/tasks/main.yml | 6 ++++
 ansible/roles/home-net/tasks/rpi.yml | 30 +++++++++++++++++++
 ansible/roles/home-net/templates/main.yml | 11 +++++++
 ansible/roles/home-net/templates/wg0.conf | 11 +++++++
 ansible/wg_homeportal.yml | 8 +++++
 8 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/home-net/handlers/main.yml
 create mode 100644 ansible/roles/home-net/tasks/rpi.yml
 create mode 100644 ansible/roles/home-net/templates/main.yml
 create mode 100644 ansible/roles/home-net/templates/wg0.conf
 create mode 100644 ansible/wg_homeportal.yml
diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml
index aa16b54..584f279 100644
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@@ -40,7 +40,7 @@ wireguard_clients:
     offset: 12
     privkey: "{{ vault_wireguard_client_privkey_ling8 }}"
     pubkey: YqGQE6yUz6rjBFRWgZyj5mPEaGavxrmO/cclO5o+VBQ=
-  - name: hatchery
+  - name: larva
     offset: 13
     privkey: "{{ vault_wireguard_client_privkey_hatchery }}"
     pubkey: kguQg0CvB7N1fJDO8i0Nj4C1cUKUsawfHyArwiaGxis=
diff --git a/ansible/host_vars/larva.home.jowj.net/main.yml b/ansible/host_vars/larva.home.jowj.net/main.yml
index dde047a..fd72b3a 100644
--- a/ansible/host_vars/larva.home.jowj.net/main.yml
+++ b/ansible/host_vars/larva.home.jowj.net/main.yml
@@ -1,3 +1,4 @@
 ansible_python_interpreter: /usr/bin/python3
 interactive: yes
 acmedns_base_lego_arch: arm64
+base_rpi: true
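Review bot: The renamed `- name: larva` entry still takes its private key from `vault_wireguard_client_privkey_hatchery` and keeps hatchery's public key, so larva now holds the peer identity hatchery had; if hatchery still carries the same key pair, the server cannot tell the two hosts apart and only the most recent handshake keeps the peer slot. Generate a key pair for larva and reference it as `privkey: "{{ vault_wireguard_client_privkey_larva }}"` with its own `pubkey`, or add a comment recording that the hatchery key was deliberately moved and retired on hatchery. The wireguard_clients list continues outside the hunk.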
diff --git a/ansible/roles/home-net/handlers/main.yml b/ansible/roles/home-net/handlers/main.yml
new file mode 100644
index 0000000..94cb9dd
--- /dev/null
+++ b/ansible/roles/home-net/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+# handlers file for wg_vpn
+
+- name: restart wireguard
+  service: name=wg-quick@wg0.service state=restarted
diff --git a/ansible/roles/home-net/tasks/main.yml b/ansible/roles/home-net/tasks/main.yml
index de60e27..aaa8368 100644
--- a/ansible/roles/home-net/tasks/main.yml
+++ b/ansible/roles/home-net/tasks/main.yml
@@ -1,3 +1,9 @@
+---
+
+- name: Import raspberry pi tasks
+  import_tasks: rpi.yml
+  when: base_rpi
+
 - name: Make sure we have a 'sudo' group
   group:
     name: sudo
diff --git a/ansible/roles/home-net/tasks/rpi.yml b/ansible/roles/home-net/tasks/rpi.yml
new file mode 100644
index 0000000..19b2f39
--- /dev/null
+++ b/ansible/roles/home-net/tasks/rpi.yml
@@ -0,0 +1,30 @@
+---
+
+- name: install wireguard
+  apt:
+    name:
+      - wireguard
+      - wireguard-dkms
+      - wireguard-tools
+    update_cache: yes
+    state: latest
+
+- name: Enable IP forwarding
+  sysctl: name={{ item }} value=1 state=present
+  with_items:
+    - net.ipv4.ip_forward
+    - net.ipv6.conf.all.forwarding
+
+- name: Configure firewall (Ubuntu)
+  ufw: rule=allow port=51820 proto=udp
+  when: ansible_distribution == "Ubuntu"
+
+- name: Create wireguard config directory
+  file: state=directory path=/etc/wireguard owner=root group=root mode=0700
+
+- name: Install wireguard configuration
+  template: src=wg0.conf dest=/etc/wireguard/wg0.conf owner=root group=root mode=0600
+  notify: restart wireguard
+
+- name: Start wireguard
+  service: name=wg-quick@wg0.service enabled=yes state=started
diff --git a/ansible/roles/home-net/templates/main.yml b/ansible/roles/home-net/templates/main.yml
new file mode 100644
index 0000000..92c2f67
--- /dev/null
+++ b/ansible/roles/home-net/templates/main.yml
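Review bot: The handler in `handlers/main.yml` is written in key=value shorthand (`service: name=wg-quick@wg0.service state=restarted`), and the same shorthand is used for `sysctl`, `ufw`, `file`, `template` and `service` in `tasks/rpi.yml` and for `debug` in `wg_homeportal.yml`; native block YAML is what ansible-lint expects and, once converted, forces values such as `mode=0700` to be written as the quoted strings `"0700"` rather than octal-looking scalars. For this handler that is `service:` / `  name: wg-quick@wg0.service` / `  state: restarted`. The header comment `# handlers file for wg_vpn` was carried over from the other role; `# handlers file for home-net` describes where it now lives.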
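Review bot: `when: base_rpi` raises an undefined-variable error on every host that does not set `base_rpi`, and in this commit only `host_vars/larva.home.jowj.net/main.yml` defines it, so the role now fails for the other home-net hosts before reaching the existing tasks. Either guard it as `when: base_rpi | default(false)` or declare `base_rpi: false` in the role's defaults (not part of this commit) so the conditional is always defined. The `Make sure we have a 'sudo' group` task and the rest of the file continue outside the hunk.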
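Review bot: `state: latest` together with `update_cache: yes` in the `install wireguard` task upgrades the WireGuard packages on every run, so a play meant only to converge config can pull a new dkms module build onto the portal host at an unplanned time; `state: present` keeps the task idempotent and leaves upgrades to a deliberate step. The `Configure firewall (Ubuntu)` task opens inbound UDP 51820 even though the rendered wg0.conf sets no `ListenPort` and only dials out to `vpn.awful.club:51820`, so the allow rule is not needed for this host, and being gated on `ansible_distribution == "Ubuntu"` it is presumably skipped on a Raspberry Pi OS image anyway — drop it or add a comment saying why it stays. Because the rendered file carries the private key, consider `no_log: true` on the `Install wireguard configuration` task so a `--diff` run does not print the key into the job output.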
@@ -0,0 +1,11 @@
+[Interface]
+PrivateKey = {{ wireguard_clients[3]['privkey'] }}
+Address = {{ wireguard_vpn_network | ipsubnet(32, wireguard_clients[3]['offset']) }}
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ wireguard_server_pubkey }}
+Endpoint = vpn.awful.club:51820
+AllowedIPs = 10.200.219.0/24
diff --git a/ansible/roles/home-net/templates/wg0.conf b/ansible/roles/home-net/templates/wg0.conf
new file mode 100644
index 0000000..92c2f67
--- /dev/null
+++ b/ansible/roles/home-net/templates/wg0.conf
@@ -0,0 +1,11 @@
+[Interface]
+PrivateKey = {{ wireguard_clients[3]['privkey'] }}
+Address = {{ wireguard_vpn_network | ipsubnet(32, wireguard_clients[3]['offset']) }}
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ wireguard_server_pubkey }}
+Endpoint = vpn.awful.club:51820
+AllowedIPs = 10.200.219.0/24
diff --git a/ansible/wg_homeportal.yml b/ansible/wg_homeportal.yml
new file mode 100644
index 0000000..ced4453
--- /dev/null
+++ b/ansible/wg_homeportal.yml
@@ -0,0 +1,8 @@
+---
+
+- name: setup on prem portal wg host.
+  hosts: larva.home.jowj.net
+  tasks:
+    - debug: msg="Deploying wg portal"
+  roles:
+    - { name: home-net, tags: ['home-net'] }
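Review bot: `templates/main.yml` is a byte-for-byte copy of `templates/wg0.conf` (both carry blob id 92c2f67 in their index lines), holds an INI-style WireGuard interface definition rather than YAML, and is referenced by nothing in this commit — `tasks/rpi.yml` only templates `src=wg0.conf`. It looks like a leftover of the copy the commit message describes; remove the file so a second copy of the private-key template cannot drift from the one actually deployed.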
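Review bot: `wireguard_clients[3]` ties this host's `PrivateKey` and `Address` to a list position rather than to the host; the group_vars hunk in this commit shows larva as the entry after ling8, so the index presumably matches today, but inserting or reordering a client silently renders another host's private key into larva's wg0.conf and the only symptom is a failed handshake. Select the entry by name instead, e.g. `{% set me = wireguard_clients | selectattr('name', 'equalto', inventory_hostname_short) | first %}` followed by `PrivateKey = {{ me.privkey }}` and `Address = {{ wireguard_vpn_network | ipsubnet(32, me.offset) }}`, which lines up because the play targets `larva.home.jowj.net` and the list entry is `larva`. The `[Peer]` section sets no `PersistentKeepalive`; if larva sits behind home NAT, the server's mapping to it expires and traffic from other peers into the home network through this portal stalls until larva next sends something — `PersistentKeepalive = 25` is the usual fix. The `PostUp` rules accept all traffic between `%i` and anything reachable via `eth0`; if the intent is narrower than full access for every peer in `10.200.219.0/24`, add `-s`/`-d` restrictions to the FORWARD rules.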
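Review bot: The `debug: msg="Deploying wg portal"` task sits under `tasks:`, and Ansible runs `roles:` before `tasks:`, so the message prints after the home-net role has already finished rather than announcing it; move it under `pre_tasks:` if it is meant as a banner, or drop it. The role entry `- { name: home-net, tags: ['home-net'] }` uses flow style where the rest of the play is block style; `- role: home-net` / `  tags: [home-net]` reads consistently with the other plays.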