parent
485842e739
commit
2452a0aa5b
@ -0,0 +1,9 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
62306462666461356361643838636461396665633234363731396465643663373731343438363062
|
||||
6166323433353631366639663933653439333961353539610a343234383436666463326161613538
|
||||
32396161616537363261643965616439333637346535643136643732623939346538623534336236
|
||||
3339643664633834630a323464376464343832636265623362353337316139333164613237323964
|
||||
38616264346536623633623337613363646262313637313431323666393537623665626262643963
|
||||
30316162303330396663636537633766333065386435376462653661653666323734363564323466
|
||||
33303738363731376363663935383439616363383238346537326363343330386361613363623662
|
||||
65663634363636633937
|
@ -0,0 +1,17 @@
|
||||
all:
|
||||
children:
|
||||
dockerhosts:
|
||||
hosts:
|
||||
awful-1.awful.club:
|
||||
vpn:
|
||||
hosts:
|
||||
vpn.awful.club:
|
||||
dev:
|
||||
hosts:
|
||||
localhost:
|
||||
onprem:
|
||||
hosts:
|
||||
hatchery:
|
||||
hydra-ling:
|
||||
lurker-ling:
|
||||
ling-bane:
|
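Review bot: `localhost:` listed as an explicit inventory host under `dev` is, as far as I can tell, contacted over SSH like any other host, because an inventoried `localhost` does not get Ansible's implicit local connection; if the intent is to run plays on the control machine, give it `ansible_connection: local` as a host var. None of the groups carry `remote_user` or other group vars here, which is why every play in this commit repeats `remote_user: josiah`; a `vars:` block under `dockerhosts` and `vpn` would keep that in one place.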
@ -0,0 +1,25 @@
|
||||
- name: Deploy Arke
|
||||
hosts: dockerhosts
|
||||
remote_user: josiah
|
||||
tasks:
|
||||
- name: Get hostname for troubleshooting
|
||||
command: hostname
|
||||
register: hostname
|
||||
- debug: msg="{{ hostname.stdout }}"
|
||||
- name: Pull latest version from github
|
||||
shell: cd /home/josiah/arke/ && git pull
|
||||
- name: Build from the latest version
|
||||
shell: cd ~/arke/ && docker build -t arke -f dockerfile .
|
||||
|
||||
- name: Check if there are any existing arke containers running
|
||||
shell: docker ps | grep 'arke' | awk '{print $1}'
|
||||
register: result
|
||||
- name: and kill it
|
||||
# this has to be a shell because command: isn't interactive
|
||||
shell: docker ps | grep 'arke' | awk '{print $1}' | xargs docker kill
|
||||
when: result.stdout != ""
|
||||
- name: Remove any existing containers using the arke name, its mine and i must have it
|
||||
# this has to be a shell because command: isn't interactive
|
||||
shell: docker container rm arke
|
||||
- name: Run the newly built docker container
|
||||
command: docker run -d --name arke --mount source=towervol,target=/shared/ arke:latest
|
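Review bot: `shell: docker container rm arke` under "Remove any existing containers using the arke name" has no `ignore_errors` or `when`, so on a host where no container named arke exists the play aborts before the new container is started; the second copy of this play later in the commit adds `ignore_errors: True` to the same task, and this one should match (or, better, use `docker_container: name=arke state=absent`, which is idempotent). The kill step greps `docker ps` for the substring `'arke'`, which matches any container whose name, image or command contains it, not just this service; `docker ps -q --filter name=^arke$` scopes it to the container this play manages. `shell: cd /home/josiah/arke/ && git pull` is not idempotent and has no fallback when the checkout is missing, unlike the later copy; the `git` module with `repo`/`dest` covers both cases.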
@ -0,0 +1,105 @@
|
||||
- name: setup mojo repo
|
||||
hosts: prod
|
||||
tasks:
|
||||
- name: print hostname
|
||||
command: hostname
|
||||
register: hostname
|
||||
- debug: msg="{{ hostname.stdout }}"
|
||||
- name: try to update directory
|
||||
shell: cd /home/josiah/mojojojo-bot && git pull
|
||||
register: result
|
||||
ignore_errors: True
|
||||
- name: if the folder doesn't exist, clone from remote
|
||||
shell: cd /home/josiah/ && git clone http://git.awful.club/hosted/mojojojo-bot.git
|
||||
when: result is failed
|
||||
|
||||
- name: Deploy mojo webclient
|
||||
hosts: prod
|
||||
vars_files:
|
||||
- mojo-vars-vault.yml
|
||||
tasks:
|
||||
- name: Build from the latest version
|
||||
shell: cd /home/josiah/mojojojo-bot/mojo-web && docker build -t mojo-web -f dockerfile .
|
||||
- name: Check if there are any existing mojo-web containers running and kill them
|
||||
# this has to be a shell because command: isn't interactive
|
||||
shell: docker ps | grep 'mojo-web' | awk '{print $1}' | xargs docker kill
|
||||
ignore_errors: True
|
||||
- name: Run the newly built docker container
|
||||
command: docker container run -e "SLACK_BOT_TOKEN={{ VAULT_SLACK_BOT_TOKEN }}" --restart "always" -d --mount type="bind",source="/mnt/volume_sfo2_znc",target=/shared/ mojo-web
|
||||
|
||||
- name: Deploy mojo rtmclient
|
||||
hosts: prod
|
||||
vars_files:
|
||||
- mojo-vars-vault.yml
|
||||
tasks:
|
||||
- name: Build from the latest version
|
||||
shell: cd /home/josiah/mojojojo-bot/mojo-rtm && docker build -t mojo-rtm -f dockerfile .
|
||||
- name: Check if there are any existing mojo-rtm containers running and kill them
|
||||
# this has to be a shell because command: isn't interactive
|
||||
shell: docker ps | grep 'mojo-rtm' | awk '{print $1}' | xargs docker kill
|
||||
ignore_errors: True
|
||||
- name: Run the newly built docker container
|
||||
command: docker container run -e "SLACK_BOT_TOKEN={{ VAULT_SLACK_BOT_TOKEN }}" --restart "always" -d --mount type="bind",source="/mnt/volume_sfo2_znc",target=/shared/ mojo-rtm
|
||||
|
||||
- name: deploy znc server
|
||||
hosts: dockerhosts
|
||||
remote_user: josiah
|
||||
tasks:
|
||||
- name: update or create the directory
|
||||
shell: cd /home/josiah/znc-docker/ && git pull
|
||||
register: result
|
||||
ignore_errors: True
|
||||
|
||||
# if the folder doesn't exist, clone source.
|
||||
- shell: cd /home/josiah && git clone https://github.com/jowj/znc-docker.git
|
||||
when: result is failed
|
||||
- name: build from latest version
|
||||
shell: cd ~/znc-docker/full && docker build -t znc -f Dockerfile .
|
||||
- name: Check if there are any existing ZNC containers running and kill it
|
||||
shell: docker ps | grep 'znc' | awk '{print $1}'
|
||||
register: result
|
||||
- name: if there are running containers, remove them
|
||||
shell: docker ps | grep 'znc' | awk '{print $1}' | xargs docker kill
|
||||
when: result.stdout != ""
|
||||
- name: discover if any containers with ZNC in name
|
||||
# this has to be a shell because command: isn't interactive
|
||||
shell: docker container ls | grep 'znc'
|
||||
register: result
|
||||
ignore_errors: True
|
||||
- name: remove any existing containers with ZNC in name
|
||||
shell: docker container rm znc
|
||||
when: result is succeeded
|
||||
- name: run the container (assumes the volume is already set up)
|
||||
command: docker run --restart "always" -d -p 5000:5000 --mount type="bind",source="/mnt/volume_sfo2_znc/",target=/znc-data znc
|
||||
|
||||
- name: Deploy Arke
|
||||
hosts: dockerhosts
|
||||
remote_user: josiah
|
||||
tasks:
|
||||
- name: Get hostname for troubleshooting
|
||||
command: hostname
|
||||
register: hostname
|
||||
- debug: msg="{{ hostname.stdout }}"
|
||||
- name: update the directory, or log to register if dir doesn't exist'
|
||||
shell: cd /home/josiah/arke/ && git pull
|
||||
register: result
|
||||
ignore_errors: True
|
||||
- name: If last step failed, clone the repo.
|
||||
shell: cd /home/josiah/ && git clone https://github.com/jowj/arke.git
|
||||
when: result is failed
|
||||
- name: Build from the latest version
|
||||
shell: cd ~/arke/ && docker build -t arke -f dockerfile .
|
||||
|
||||
- name: Check if there are any existing arke containers running
|
||||
shell: docker ps | grep 'arke' | awk '{print $1}'
|
||||
register: result
|
||||
- name: and kill it
|
||||
# this has to be a shell because command: isn't interactive
|
||||
shell: docker ps | grep 'arke' | awk '{print $1}' | xargs docker kill
|
||||
when: result.stdout != ""
|
||||
- name: Remove any existing containers using the arke name, its mine and i must have it
|
||||
# this has to be a shell because command: isn't interactive
|
||||
shell: docker container rm arke
|
||||
ignore_errors: True
|
||||
- name: Run the newly built docker container
|
||||
command: docker run -d --name arke --mount type="bind",source="/mnt/volume_sfo2_znc",target=/shared/ arke:latest
|
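Review bot: The vaulted Slack token is interpolated into the command line of both `docker container run` tasks (`-e "SLACK_BOT_TOKEN={{ VAULT_SLACK_BOT_TOKEN }}"`), so the rendered command — token included — is printed in Ansible's task output and logs and is visible in the host's process list while it runs; add `no_log: true` to those two tasks and prefer passing the value via `--env-file` or the `docker_container` module's `env` rather than the argv. The mojojojo-bot source is cloned over plain `http://git.awful.club/hosted/mojojojo-bot.git` and then built and run with that token, so a modified fetch would not be noticed; use `https://` or ssh for the clone. Both issues are repeated verbatim in the second copy of this playbook later in the commit (the one reading `vault-vars-mojo.yml`). Separately, the `docker ps | grep 'znc'` and `grep 'arke'` kill steps are substring matches across all containers; `docker ps -q --filter name=^znc$` limits them to the intended container.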
@ -0,0 +1,55 @@
|
||||
- hosts: vpn
|
||||
remote_user: root
|
||||
gather_facts: false
|
||||
vars:
|
||||
create_user: josiah
|
||||
copy_local_key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/digitalocean.pub') }}"
|
||||
sys_packages: [ 'curl', 'vim', 'git', 'fail2ban' ]
|
||||
|
||||
tasks:
|
||||
- name: Make sure we have a 'sudo' group
|
||||
group:
|
||||
name: sudo
|
||||
state: present
|
||||
|
||||
- name: Allow sudo group to have passwordless sudo
|
||||
lineinfile:
|
||||
path: /etc/sudoers
|
||||
state: present
|
||||
regexp: '^%sudo'
|
||||
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
|
||||
- name: Create a new regular user with sudo privileges
|
||||
user:
|
||||
name: "{{ create_user }}"
|
||||
state: present
|
||||
groups: sudo
|
||||
append: true
|
||||
create_home: true
|
||||
shell: /bin/bash
|
||||
|
||||
- name: Set authorized key for remote user
|
||||
authorized_key:
|
||||
user: "{{ create_user }}"
|
||||
state: present
|
||||
key: "{{ copy_local_key }}"
|
||||
|
||||
|
||||
- name: Disable password authentication for root
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
state: present
|
||||
regexp: '^#?PermitRootLogin'
|
||||
line: 'PermitRootLogin no'
|
||||
|
||||
- name: Update apt
|
||||
apt: update_cache=yes
|
||||
|
||||
- name: Install required system packages
|
||||
apt: name={{ sys_packages }} state=latest
|
||||
|
||||
- name: Restart sshd
|
||||
service:
|
||||
name: sshd.service
|
||||
state: restarted
|
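Review bot: The task named "Disable password authentication for root" writes `PermitRootLogin no`, which disables all root SSH logins including key-based ones, while this play connects with `remote_user: root` and restarts sshd at the end — so a second run of the play is locked out. If only password logins should be blocked, use `line: 'PermitRootLogin prohibit-password'` and a separate lineinfile for `PasswordAuthentication no`; otherwise later runs need `remote_user: "{{ create_user }}"` with `become`. `'%sudo ALL=(ALL) NOPASSWD: ALL'` makes the new user's SSH key equivalent to root; if that is deliberate, a comment on the task saying so would help, and `state: latest` on the package install means each run can change versions. On Debian/Ubuntu the SSH unit is usually `ssh` rather than `sshd.service`, so the restart task's `name` may need checking against the target.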
@ -0,0 +1,38 @@
|
||||
- hosts: onprem
|
||||
remote_user: josiah
|
||||
gather_facts: false
|
||||
become: yes
|
||||
vars:
|
||||
create_user: josiah
|
||||
sys_packages: [ 'curl', 'vim', 'git', '', 'emacs', 'build-essential' ]
|
||||
|
||||
tasks:
|
||||
- name: Install aptitude using apt
|
||||
apt: name=aptitude state=latest update_cache=yes force_apt_get=yes
|
||||
|
||||
- name: Install required system packages for docker install
|
||||
apt: name={{ item }} state=latest update_cache=yes
|
||||
loop: [ 'apt-transport-https', 'ca-certificates', 'software-properties-common' ]
|
||||
|
||||
- name: Add Docker GPG apt Key
|
||||
apt_key:
|
||||
url: https://download.docker.com/linux/debian/gpg
|
||||
state: present
|
||||
|
||||
- name: Add Docker Repository
|
||||
apt_repository:
|
||||
repo: deb https://download.docker.com/linux/ubuntu bionic stable
|
||||
state: present
|
||||
|
||||
- name: Update apt
|
||||
apt: update_cache=yes
|
||||
|
||||
- name: Install required system packages
|
||||
apt: name={{ sys_packages }} state=latest
|
||||
|
||||
- name: add 'josiah' to docker group
|
||||
user:
|
||||
name='josiah'
|
||||
groups=docker
|
||||
append=yes
|
||||
|
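Review bot: The Docker key is fetched from the `linux/debian/gpg` URL but the repository added is `deb https://download.docker.com/linux/ubuntu bionic stable`; whichever distribution the `onprem` hosts actually run, one of these lines points at the other distro's channel, so they should agree, and `apt_key` should be given the key's published fingerprint via `id:` so a substituted key is rejected rather than trusted. `sys_packages` contains an empty string (`'git', '', 'emacs'`), which apt will either reject or silently skip depending on version — drop it. `become: yes` and `append=yes` should be `true` for consistency with the rest of the commit, and the final `user:` block mixes block form with `key=value` lines that YAML folds into a single scalar; write it as `name: josiah`, `groups: docker`, `append: true`.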
@ -0,0 +1,42 @@
|
||||
- name: setup mojo repo
|
||||
hosts: prod
|
||||
tasks:
|
||||
- name: print hostname
|
||||
command: hostname
|
||||
register: hostname
|
||||
- debug: msg="{{ hostname.stdout }}"
|
||||
- name: try to update directory
|
||||
shell: cd /home/josiah/mojojojo-bot && git pull
|
||||
register: result
|
||||
ignore_errors: True
|
||||
- name: if the folder doesn't exist, clone from remote
|
||||
shell: cd /home/josiah/ && git clone http://git.awful.club/hosted/mojojojo-bot.git
|
||||
when: result is failed
|
||||
|
||||
- name: Deploy mojo webclient
|
||||
hosts: prod
|
||||
vars_files:
|
||||
- vault-vars-mojo.yml
|
||||
tasks:
|
||||
- name: Build from the latest version
|
||||
shell: cd /home/josiah/mojojojo-bot/mojo-web && docker build -t mojo-web -f dockerfile .
|
||||
- name: Check if there are any existing mojo-web containers running and kill them
|
||||
# this has to be a shell because command: isn't interactive
|
||||
shell: docker ps | grep 'mojo-web' | awk '{print $1}' | xargs docker kill
|
||||
ignore_errors: True
|
||||
- name: Run the newly built docker container
|
||||
command: docker container run -e "SLACK_BOT_TOKEN={{ VAULT_SLACK_BOT_TOKEN }}" --restart "always" -d --mount type="bind",source="/mnt/volume_sfo2_znc",target=/shared/ mojo-web
|
||||
|
||||
- name: Deploy mojo rtmclient
|
||||
hosts: prod
|
||||
vars_files:
|
||||
- vault-vars-mojo.yml
|
||||
tasks:
|
||||
- name: Build from the latest version
|
||||
shell: cd /home/josiah/mojojojo-bot/mojo-rtm && docker build -t mojo-rtm -f dockerfile .
|
||||
- name: Check if there are any existing mojo-rtm containers running and kill them
|
||||
# this has to be a shell because command: isn't interactive
|
||||
shell: docker ps | grep 'mojo-rtm' | awk '{print $1}' | xargs docker kill
|
||||
ignore_errors: True
|
||||
- name: Run the newly built docker container
|
||||
command: docker container run -e "SLACK_BOT_TOKEN={{ VAULT_SLACK_BOT_TOKEN }}" --restart "always" -d --mount type="bind",source="/mnt/volume_sfo2_znc",target=/shared/ mojo-rtm
|
@ -0,0 +1,18 @@
|
||||
- name: Copy splunk modules to corp deploy server
|
||||
hosts: corp
|
||||
# vars_files:
|
||||
# - mojo-vars-vault.yml
|
||||
remote_user: josiah_ledbetter
|
||||
tasks:
|
||||
- name: Copy item to remote server
|
||||
copy:
|
||||
# make sure the permissions of the file you are copying are readable by ansible user
|
||||
src: /Users/josiah_ledbetter/Documents/projects/splunk/configs/filething/
|
||||
# src must not end in "/" or it will only copy files inside dir instead of entire dir
|
||||
dest: /opt/splunk/temp/
|
||||
owner: splunk
|
||||
group: splunk
|
||||
# these below affect the entire task, and should not go under the command's indention level. This took WAY too longer to figure out.
|
||||
become: "true"
|
||||
become_method: sudo
|
||||
become_user: root
|
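Review bot: The comment `src must not end in "/" or it will only copy files inside dir instead of entire dir` contradicts the value directly above it, `src: /Users/josiah_ledbetter/Documents/projects/splunk/configs/filething/`, which does end in `/`; either remove the trailing slash or rewrite the comment to say that copying only the contents is intended. `become: "true"` is a quoted string where every other play in this commit uses a bare boolean; Ansible coerces it, but `become: true` is the documented form. The `src` is an absolute path on one workstation, so the play only runs from that machine; a `{{ playbook_dir }}`-relative path or a variable would make it portable.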
@ -0,0 +1,8 @@
|
||||
all:
|
||||
children:
|
||||
corp:
|
||||
hosts:
|
||||
AUS01GMSPLUNK01:
|
||||
vdc:
|
||||
hosts:
|
||||
v1-cs-sec-splunk01:
|
@ -0,0 +1,41 @@
|
||||
Role Name
|
||||
=========
|
||||
|
||||
Playbook to bootstrap wg vpn for my personal use
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
this playbook doesn't handle /creating the machines/. they have to be online and accessible either in my home network or in my cloud setup.
|
||||
|
||||
Role Variables
|
||||
--------------
|
||||
|
||||
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
|
||||
|
||||
|
||||
shit i'm still fixing
|
||||
----------------
|
||||
- its not actually working yet
|
||||
- mobile device seems like it connects
|
||||
- but i can't browse around.
|
||||
- arch tasks suck because ansible + pacman is bad.
|
||||
|
||||
|
||||
Example Playbook
|
||||
----------------
|
||||
|
||||
I don't know what to put here because i don't understand how roles work lmao
|
||||
`ansible-playbook -i ../hosts.yml tasks/main.yml -v`
|
||||
|
||||
useful for generating mobile device configs: qrencode -t ansiutf8 < /etc/wireguard/mobile.conf
|
||||
|
||||
License
|
||||
-------
|
||||
|
||||
BSD
|
||||
|
||||
Author Information
|
||||
------------------
|
||||
|
||||
email: me@jowj.net
|
@ -0,0 +1,2 @@
|
||||
---
|
||||
# defaults file for wg_vpn
|
@ -0,0 +1,2 @@
|
||||
---
|
||||
# handlers file for wg_vpn
|
@ -0,0 +1,53 @@
|
||||
galaxy_info:
|
||||
author: your name
|
||||
description: your description
|
||||
company: your company (optional)
|
||||
|
||||
# If the issue tracker for your role is not on github, uncomment the
|
||||
# next line and provide a value
|
||||
# issue_tracker_url: http://example.com/issue/tracker
|
||||
|
||||
# Choose a valid license ID from https://spdx.org - some suggested licenses:
|
||||
# - BSD-3-Clause (default)
|
||||
# - MIT
|
||||
# - GPL-2.0-or-later
|
||||
# - GPL-3.0-only
|
||||
# - Apache-2.0
|
||||
# - CC-BY-4.0
|
||||
license: license (GPL-2.0-or-later, MIT, etc)
|
||||
|
||||
min_ansible_version: 2.4
|
||||
|
||||
# If this a Container Enabled role, provide the minimum Ansible Container version.
|
||||
# min_ansible_container_version:
|
||||
|
||||
#
|
||||
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||
# To view available platforms and versions (or releases), visit:
|
||||
# https://galaxy.ansible.com/api/v1/platforms/
|
||||
#
|
||||
# platforms:
|
||||
# - name: Fedora
|
||||
# versions:
|
||||
# - all
|
||||
# - 25
|
||||
# - name: SomePlatform
|
||||
# versions:
|
||||
# - all
|
||||
# - 1.0
|
||||
# - 7
|
||||
# - 99.99
|
||||
|
||||
galaxy_tags: []
|
||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||
# remove the '[]' above, if you add tags to this list.
|
||||
#
|
||||
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
|
||||
# Maximum 20 tags per role.
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||
# if you add dependencies to this list.
|
||||
|
@ -0,0 +1,73 @@
|
||||
---
|
||||
# tasks file for wg_vpn
|
||||
# playbook to go from a "base configured" server to a wg vpn peer
|
||||
- hosts: onprem
|
||||
remote_user: josiah
|
||||
gather_facts: True
|
||||
vars:
|
||||
source_os: arch
|
||||
|
||||
tasks:
|
||||
- name: "generating config on relay server"
|
||||
debug:
|
||||
msg: "config on relay is starting"
|
||||
verbosity: 1
|
||||
- name: generate config on relay server
|
||||
include: pretasks_debian.yml
|
||||
become: yes
|
||||
|
||||
- name: "generating config on local mac"
|
||||
debug:
|
||||
msg: "config on mac is starting"
|
||||
verbosity: 1
|
||||
when: source_os == 'macos'
|
||||
- name: generate config on local mac
|
||||
include: pretasks_mac.yml
|
||||
delegate_to: localhost
|
||||
when: source_os == 'macos'
|
||||
|
||||
- name: "generating config on local arch"
|
||||
debug:
|
||||
msg: "config on arch is starting"
|
||||
verbosity: 1
|
||||
when: source_os == 'arch'
|
||||
- name: generate config on local arch
|
||||
include: pretasks_arch.yml
|
||||
delegate_to: localhost
|
||||
when: source_os == 'arch'
|
||||
|
||||
- name: generate config for IOS on local machine
|
||||
include: pretasks_ios.yml
|
||||
delegate_to: localhost
|
||||
|
||||
- name: "completing config on server"
|
||||
debug:
|
||||
msg: "config on relay is resuming"
|
||||
verbosity: 1
|
||||
- name: complete config, wg up on relay server
|
||||
include: posttasks_debian.yml
|
||||
become: yes
|
||||
|
||||
- name: complete config, wg up on local mac
|
||||
include: posttasks_mac.yml
|
||||
delegate_to: localhost
|
||||
when: source_os == 'macos'
|
||||
|
||||
- name: "generating config on local arch"
|
||||
debug:
|
||||
msg: "config on arch is completing"
|
||||
verbosity: 1
|
||||
when: source_os == 'arch'
|
||||
- name: complete config on local arch
|
||||
include: posttasks_arch.yml
|
||||
delegate_to: localhost
|
||||
when: source_os == 'arch'
|
||||
|
||||
- name: "generating config for iOS"
|
||||
debug:
|
||||
msg: "config for IOS is completing"
|
||||
verbosity: 1
|
||||
- name: complete config for IOS on local machine
|
||||
include: posttasks_ios.yml
|
||||
delegate_to: localhost
|
||||
|
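Review bot: This `tasks/main.yml` is written as a play (`- hosts: onprem`, `remote_user`, `vars`, `tasks:`), but the test playbook in this commit applies it as a role (`roles: - wg_vpn`); a role's tasks file must be a flat task list, so loading it that way should fail on the `hosts` attribute, and it also targets `onprem` where that playbook and the README target `vpn`. Either keep the play header in a playbook that includes the role and reduce this file to the task list, with `source_os` moved to the (currently empty) `defaults/main.yml`, or stop applying it as a role. `include:` has been deprecated since Ansible 2.4 in favour of `include_tasks:`/`import_tasks:`, and `become: yes`/`gather_facts: True` should be `true`. The debug task before the arch completion step reuses the name `generating config on local arch`; `completing config on local arch` would match its message.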
@ -0,0 +1,19 @@
|
||||
- name: (local) fill out the rest of the wg0.conf file
|
||||
blockinfile:
|
||||
path: /etc/wireguard/wg0.conf
|
||||
block: |
|
||||
Address = 10.200.219.2/32, fd86:ea04:1115::2/128
|
||||
DNS = 1.1.1.1
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ server_publickey.stdout }}
|
||||
Endpoint = vpn.awful.club:51820
|
||||
AllowedIPs = 0.0.0.0/0
|
||||
delegate_to: localhost
|
||||
become: yes
|
||||
|
||||
- name: (local) bring wg up on local
|
||||
shell: wg-quick up wg0
|
||||
delegate_to: localhost
|
||||
become: yes
|
||||
ignore_errors: True
|
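Review bot: The client block written here sets `AllowedIPs = 0.0.0.0/0` without `::/0`, while the interface is given an IPv6 address (`fd86:ea04:1115::2/128`) and the mac and iOS variants in this commit use `AllowedIPs = 0.0.0.0/0, ::/0`; with only the v4 route, IPv6 traffic from the arch machine leaves via the normal interface instead of the tunnel. Change the line to `AllowedIPs = 0.0.0.0/0, ::/0` to match the other clients, or drop the v6 address if split tunnelling is intended. `wg-quick up wg0` with `ignore_errors: True` hides a failed bring-up on re-runs where the interface already exists; a preceding `wg-quick down wg0` task with `ignore_errors`, as the debian pretasks do, keeps the play re-runnable without masking real failures.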
@ -0,0 +1,19 @@
|
||||
- name: fill out the rest of the wg0.conf file
|
||||
blockinfile:
|
||||
path: /etc/wireguard/wg0.conf
|
||||
block: |
|
||||
Address = 10.200.219.1/24
|
||||
Address = fd86:ea04:1115::1/64
|
||||
ListenPort = 51820
|
||||
SaveConfig = true
|
||||
[Peer]
|
||||
# name = pvl
|
||||
PublicKey = {{ client_publickey.stdout }}
|
||||
AllowedIPs = 10.200.219.19/32, fd86:ea04:1115::19/128
|
||||
[Peer]
|
||||
# name = matrix
|
||||
PublicKey = {{ ios_publickey.stdout }}
|
||||
AllowedIPs = 10.200.219.10/32, fd86:ea04:1115::10/128
|
||||
|
||||
- name: bring wg up on the relay node
|
||||
shell: wg-quick up /etc/wireguard/wg0.conf
|
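Review bot: The relay peer entry for `client_publickey` allows `10.200.219.19/32, fd86:ea04:1115::19/128`, but the arch client config in this commit assigns itself `10.200.219.2/32, fd86:ea04:1115::2/128` (only the mac client uses .19); when the arch pretasks produced `client_publickey`, the relay will drop that peer's packets and the test playbook's ping of 10.200.219.2 cannot succeed. The peer's AllowedIPs and the client's Address should come from one variable rather than being hard-coded in two files. `SaveConfig = true` makes wg-quick rewrite `wg0.conf` on `down`, which discards the blockinfile markers and leaves the next run appending a second block; drop it if the file is managed by Ansible.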
@ -0,0 +1,11 @@
|
||||
- name: (local) fill out the rest of the wg0.conf file
|
||||
blockinfile:
|
||||
path: ~/wireguard/ios.conf
|
||||
block: |
|
||||
Address = 10.200.219.10/32, fd86:ea04:1115::10/128
|
||||
DNS = 1.1.1.1
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ server_publickey.stdout }}
|
||||
Endpoint = vpn.awful.club:51820
|
||||
AllowedIPs = 0.0.0.0/0, ::/0
|
@ -0,0 +1,15 @@
|
||||
- name: (local) fill out the rest of the wg0.conf file
|
||||
blockinfile:
|
||||
path: ~/wireguard/wg0.conf
|
||||
block: |
|
||||
Address = 10.200.219.19/32, fd86:ea04:1115::19/128
|
||||
DNS = 1.1.1.1
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ server_publickey.stdout }}
|
||||
Endpoint = vpn.awful.club:51820
|
||||
AllowedIPs = 0.0.0.0/0, ::/0
|
||||
|
||||
# - name: (local) bring wg up on local
|
||||
# shell: wg-quick up wg0
|
||||
|
@ -0,0 +1,36 @@
|
||||
---
|
||||
# tasks file for wg_vpn
|
||||
# this is useful for running plays /from/ an arch machine that will join the wg net.
|
||||
|
||||
# install wg, generate keys, files on local machine
|
||||
- name: (local) install wg (i use) arch (btw)
|
||||
pacman:
|
||||
update_cache: yes
|
||||
name: wireguard-tools, wireguard-arch, wireguard-dkms
|
||||
state: present
|
||||
delegate_to: localhost
|
||||
become: yes
|
||||
# ansible has a hard time parsing the pacman files
|
||||
# ignore errors once you verify shit is installed / patched.
|
||||
ignore_errors: True
|
||||
|
||||
- name: (local) ensure /etc/wireguard/ exists
|
||||
file:
|
||||
path: /etc/wireguard/
|
||||
state: directory
|
||||
delegate_to: localhost
|
||||
|
||||
- name: (local) Generate keys
|
||||
shell: |
|
||||
printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
|
||||
wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
|
||||
vars:
|
||||
umask: "077"
|
||||
delegate_to: localhost
|
||||
become: yes
|
||||
|
||||
- name: (local) register publickey for later use
|
||||
shell: cat /etc/wireguard/publickey
|
||||
register: client_publickey
|
||||
delegate_to: localhost
|
||||
become: yes
|
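Review bot: `vars: umask: "077"` on the "Generate keys" task has no effect — `umask` is not a parameter the `shell` module reads and a task variable does not change the process umask — so `wg0.conf`, which holds the private key, and `publickey` are created under the default umask and can end up world-readable. Put `umask 077` as the first line of the `shell: |` block instead, or follow up with `file: path=/etc/wireguard/wg0.conf mode="0600"`. The same dead `vars: umask` appears in the debian, ios and mac pretasks files in this commit. The key generation also runs unconditionally, so every play run rotates the private key and rewrites the config, invalidating the relay's peer entry; `args: creates: /etc/wireguard/publickey` on the shell task would make it idempotent.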
@ -0,0 +1,47 @@
|
||||
- name: add unstable to repos
|
||||
shell: |
|
||||
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
|
||||
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
|
||||
- name: Update aptitude
|
||||
apt: update_cache=yes
|
||||
- name: install wireguard
|
||||
apt: name=wireguard state=latest
|
||||
- name: install linux headers (necessary on older cloud kernels (fuck u digitalocean))
|
||||
# the kernel version is hard coded because this is what DO currently uses
|
||||
# and that's what i use
|
||||
apt: name=linux-headers-4.19.0-6-cloud-amd64
|
||||
- name: install misc other things the internet says i need
|
||||
apt: name=build-essential
|
||||
- name: install misc other things the internet says i need
|
||||
apt: name=dkms
|
||||
- name: needed for handling dns requests
|
||||
apt: name=openresolv
|
||||
- name: enable kernel relay/forwarding
|
||||
shell: |
|
||||
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
|
||||
echo "net.ipv4.conf.all.proxy_arp = 1" >> /etc/sysctl.conf
|
||||
sudo sysctl -p /etc/sysctl.conf
|
||||
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
|
||||
iptables -t nat -A POSTROUTING -s 10.200.219.0/24 -o eth0 -j MASQUERADE
|
||||
- name: ensure /etc/wireguard/ exists
|
||||
file:
|
||||
path: /etc/wireguard/
|
||||
state: directory
|
||||
|
||||
- name: Generate keys
|
||||
shell: |
|
||||
printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
|
||||
wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
|
||||
vars:
|
||||
umask: "077"
|
||||
- name: register publickey for later use
|
||||
shell: cat /etc/wireguard/publickey
|
||||
register: server_publickey
|
||||
|
||||
# do this to avoid idiot "hey you can't start, u already started!!!" erros.
|
||||
# fucker.
|
||||
- name: register publickey for later use
|
||||
shell: wg-quick down /etc/wireguard/wg0.conf
|
||||
ignore_errors: True
|
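Review bot: The "enable kernel relay/forwarding" task appends to `/etc/sysctl.conf` and runs `iptables -A ...` on every play run, so each run adds duplicate sysctl lines and duplicate firewall rules, and the iptables rules are never persisted, so they are gone after a reboot; the `sysctl` module (`sysctl: name=net.ipv4.ip_forward value=1 sysctl_set=yes`) and the `iptables` module are idempotent and make the resulting ruleset reviewable. The MASQUERADE rule hard-codes `eth0`; since the including play gathers facts, `{{ ansible_default_ipv4.interface }}` is presumably available. The last task is named `register publickey for later use` but runs `wg-quick down`; name it for what it does, e.g. `bring wg down so wg up is re-runnable`. `sudo sysctl -p` inside a task already running under `become` is redundant.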
@ -0,0 +1,15 @@
|
||||
- name: make wg dir since macs are now weird about /etc/anything
|
||||
file:
|
||||
path: ~/wireguard/
|
||||
state: directory
|
||||
|
||||
- name: Generate keys
|
||||
shell: |
|
||||
printf "[Interface]\nPrivateKey = " > ~/wireguard/ios.conf
|
||||
wg genkey | tee -a ~/wireguard/ios.conf | wg pubkey > ~/wireguard/ios_publickey
|
||||
vars:
|
||||
umask: "077"
|
||||
|
||||
- name: register publickey for later use
|
||||
shell: cat ~/wireguard/ios_publickey
|
||||
register: ios_publickey
|
@ -0,0 +1,21 @@
|
||||
- name: Update brew
|
||||
homebrew: update_homebrew=yes
|
||||
|
||||
- name: install wireguard
|
||||
homebrew: name=wireguard-tools state=latest
|
||||
|
||||
- name: make wg dir since macs are now weird about /etc/anything
|
||||
file:
|
||||
path: ~/wireguard/
|
||||
state: directory
|
||||
|
||||
- name: Generate keys
|
||||
shell: |
|
||||
printf "[Interface]\nPrivateKey = " > ~/wireguard/wg0.conf
|
||||
wg genkey | tee -a ~/wireguard/wg0.conf | wg pubkey > ~/wireguard/publickey
|
||||
vars:
|
||||
umask: "077"
|
||||
|
||||
- name: register publickey for later use
|
||||
shell: cat ~/wireguard/publickey
|
||||
register: client_publickey
|
@ -0,0 +1,2 @@
|
||||
localhost
|
||||
|
@ -0,0 +1,25 @@
|
||||
---
|
||||
- hosts: vpn
|
||||
roles:
|
||||
- wg_vpn
|
||||
|
||||
tasks:
|
||||
- name: Verify remote wg node has wg running
|
||||
shell: ping -c1 10.200.219.1
|
||||
register: remote_result
|
||||
- assert:
|
||||
that:
|
||||
- "'1 packets transmitted, 1 packets received' in remote_result.stdout"
|
||||
|
||||
- name: Verify remote wg node has wg running
|
||||
shell: ping -c1 10.200.219.2
|
||||
register: local_result
|
||||
- assert:
|
||||
that:
|
||||
- "'1 packets transmitted, 1 packets received' in local_result.stdout"
|
||||
- name: Verify that local node can talk to remote
|
||||
shell: ping -c1 10.200.219.1
|
||||
register: tunnel_result
|
||||
- assert:
|
||||
that:
|
||||
- "'1 packets transmitted, 1 packets received' in tunnel_result.stdout"
|
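Review bot: The assert strings `'1 packets transmitted, 1 packets received'` match the BSD/macOS ping summary; iputils ping, which the Debian relay targeted by `hosts: vpn` most likely uses, prints `1 packets transmitted, 1 received`, so these assertions fail there even when the tunnel works. Asserting on `remote_result.rc == 0` (with `failed_when: false` on the ping task) is portable across both. The first two tasks share the name `Verify remote wg node has wg running` although the second pings 10.200.219.2 (the client address), and the third re-pings 10.200.219.1 from the same host as the first, so it does not exercise the tunnel from the local side — it needs `delegate_to: localhost`. `shell: ping -c1 ...` uses no shell features and should be `command:`.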
@ -0,0 +1,2 @@
|
||||
---
|
||||
# vars file for wg_vpn
|
@ -0,0 +1,31 @@
|
||||
- name: deploy znc server
|
||||
hosts: dockerhosts
|
||||
remote_user: josiah
|
||||
tasks:
|
||||
- name: update or create the directory
|
||||
shell: cd /home/josiah/znc-docker/ && git pull
|
||||
register: result
|
||||
ignore_errors: True
|
||||
|
||||
# if the folder doesn't exist, clone source.
|
||||
- command: cd /home/josiah && git clone https://github.com/jowj/znc-docker.git
|
||||
when: result is failed
|
||||
- name: build from latest version
|
||||
shell: cd ~/znc-docker/full && docker build -t znc -f Dockerfile .
|
||||
- name: Check if there are any existing ZNC containers running and kill it
|
||||
shell: docker ps | grep 'znc' | awk '{print $1}'
|
||||
register: result
|
||||
- name: if there are running containers, remove them
|
||||
shell: docker ps | grep 'znc' | awk '{print $1}' | xargs docker kill
|
||||
when: result.stdout != ""
|
||||
- name: discover if any containers with ZNC in name
|
||||
# this has to be a shell because command: isn't interactive
|
||||
shell: docker container ls | grep 'znc'
|
||||
register: result
|
||||
ignore_errors: True
|
||||
- name: remove any existing containers with ZNC in name
|
||||
shell: docker container rm znc
|
||||
when: result is succeeded
|
||||
- name: run the container (assumes the volume is already set up)
|
||||
command: docker run -d -p 5000:5000 --mount type="bind",source="/mnt/volume_sfo2_znc/",target=/znc-data znc
|
||||
|
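Review bot: `command: cd /home/josiah && git clone https://github.com/jowj/znc-docker.git` does not do what it says: the `command` module does not go through a shell, so `cd`, `&&` and the URL are passed as literal arguments and the task fails (the other copy of this play in the commit uses `shell:` here). Use `command: git clone https://github.com/jowj/znc-docker.git` with `args: chdir: /home/josiah`, or the `git` module, which also replaces the pull/clone pair. The final `docker run` lacks `--restart "always"` unlike the other copy, so znc does not come back after a host reboot; if that is unintended, align the two. As in the other playbooks, `grep 'znc'` on `docker ps` is a substring match over all containers.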