diff --git a/ansible/all.yml b/ansible/all.yml
index a62ebe9..4fc5b94 100644
--- a/ansible/all.yml
+++ b/ansible/all.yml
@@ -12,3 +12,10 @@
 - debug: msg="Deploying wg."
 roles:
 - { name: wg_vpn }
+
+- name: cloud wg config
+ hosts: vpn
+ tasks:
+ - debug: msg="Deploying wg to cloud server"
+ roles:
+ - { name: wg_vpn }
diff --git a/ansible/anisble.cfg b/ansible/ansible.cfg
similarity index 100%
rename from ansible/anisble.cfg
rename to ansible/ansible.cfg
diff --git a/ansible/client_matrix.yml b/ansible/client_matrix.yml
new file mode 100644
index 0000000..283a0b0
--- /dev/null
+++ b/ansible/client_matrix.yml
@@ -0,0 +1,8 @@
+---
+
+- name: generate ios client config
+ hosts: dev #localhost
+ tasks:
+ - debug: msg="generate phone config"
+ roles:
+ - { name: wg_vpn }
diff --git a/ansible/cloud_wg.yml b/ansible/cloud_wg.yml
new file mode 100644
index 0000000..680b462
--- /dev/null
+++ b/ansible/cloud_wg.yml
@@ -0,0 +1,8 @@
+---
+
+- name: cloud wg config
+ hosts: vpn
+ tasks:
+ - debug: msg="Deploying wg to cloud server"
+ roles:
+ - { name: wg_vpn }
diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml
index e0a06dd..8f4783e 100644
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
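Review bot: The added `cloud wg config` play in `all.yml` is a line-for-line copy of the new `ansible/cloud_wg.yml` in this same commit, so the two will drift as soon as one is edited. `all.yml` can pull the other file in with a single `- import_playbook: cloud_wg.yml` instead of restating the play.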
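Review bot: `client_matrix.yml` runs the whole `wg_vpn` role against `dev` (localhost) whenever it is invoked without `--tags`, because tags only filter tasks when one is passed on the command line; the untagged tasks in this commit's `tasks/main.yml` add the Debian unstable repo, `apt`-install wireguard, enable forwarding and render `wg0.conf` — which embeds `wireguard_server_privkey` — into `/etc/wireguard/` on the operator's machine. If this play is only meant to produce a client config, have it call `import_role` with `name: wg_vpn` and `tasks_from:` a dedicated client task file rather than the full role, so the server tasks cannot run here by accident. The inline `#localhost` comment on `hosts:` parses, but yamllint expects two spaces before an inline `#`.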
@@ -5,3 +5,31 @@ gather_facts: True
 source_os: arch
 become: yes
 create_user: josiah
+
+
+# all of this is stolen from mrled, because fuck this is way better than what i was doing.
+# Wireguard docs
+# TODO: lookup plugin to generate the pubkey from the privkey
+# TODO: set all these as hostvars, use hostvars['HOSTNAME'].wireguard_privkey etc
+# (should be ok even for e.g. glitch, which doesn't get provisioned from Ansible)
+# To generate the keys:
+# - wg genkey | tee privatekey | wg pubkey > publickey
+# - save the privkey in the vault and the pubkey here
+# - Delete the privatekey and publickey files
+wireguard_vpn_network: 10.200.219.0/24
+wireguard_server_privkey: "{{ vault_wireguard_server_privkey }}"
+wireguard_server_pubkey: e49UyNg/kqPETyT9K6nqIYjtTwlR8hY8Brm/P66xnmo=
+wireguard_server_offset: 1
+wireguard_clients:
+ - name: matrix
+ offset: 10
+ privkey: "{{ vault_wireguard_client_privkey_matrix }}"
+ pubkey: lNoFqmeHfSDb/VB0mutpFzb4cZELOjSVOYQCLEfQIRU=
+ - name: pvl
+ offset: 11
+ privkey: "{{ vault_wireguard_client_privkey_pvl }}"
+ pubkey: l/j+UXtrxTqqTTjxjgheQ3B2QppZWs07na4GypZw9GM=
+ - name: ling8
+ offset: 12
+ privkey: "{{ vault_wireguard_client_privkey_ling8 }}"
+ pubkey: YqGQE6yUz6rjBFRWgZyj5mPEaGavxrmO/cclO5o+VBQ=
diff --git a/ansible/group_vars/all/vault.yml b/ansible/group_vars/all/vault.yml
new file mode 100644
index 0000000..b4e7b5f
--- /dev/null
+++ b/ansible/group_vars/all/vault.yml
@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+37626464343231323066306337616434313033366530356236336163353031396135333731306538
+3337343633343338383034636236393230396439346565390a343838643861363239326339613633
+33643363666233323631356661633164333538326566623736396138363063393366343261343932
+3165316631643363630a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
diff --git a/ansible/group_vars/all/mojo-vars-vault.yml b/ansible/group_vars/mojos/mojo-vars-vault.yml
similarity index 100%
rename from ansible/group_vars/all/mojo-vars-vault.yml
rename to ansible/group_vars/mojos/mojo-vars-vault.yml
diff --git a/ansible/hosts.yml b/ansible/hosts.yml
index 0ae563f..951bbf5 100644
--- a/ansible/hosts.yml
+++ b/ansible/hosts.yml
@@ -9,6 +9,7 @@ all:
 dev:
 hosts:
 localhost:
+ ansible_connection: local
 onprem_clients:
 hosts:
 hydra-ling:
diff --git a/ansible/readme.org b/ansible/readme.org
new file mode 100644
index 0000000..c8ea780
--- /dev/null
+++ b/ansible/readme.org
@@ -0,0 +1,9 @@
+* setup from scratch:
+~ansible-playbook -i hosts.yml all.yml --ask-vault-pass --ask-become-pass~
+
+
+* wg
+
+** clients
+you probably want to deploy clients individually most of the time. to do that, provide a tag, like:
+~ansible-playbook -i hosts.yml client_matrix.yml --ask-vault-pass --ask-become-pass --tags matrix_client~
diff --git a/ansible/roles/droplets/tasks/serverbuild.yml b/ansible/roles/droplets/tasks/serverbuild.yml
index 1f9615c..cc6c719 100644
--- a/ansible/roles/droplets/tasks/serverbuild.yml
+++ b/ansible/roles/droplets/tasks/serverbuild.yml
@@ -4,7 +4,7 @@
 vars:
 create_user: josiah
 copy_local_key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/digitalocean.pub') }}"
- sys_packages: [ 'curl', 'vim', 'git', 'fail2ban' ]
+ sys_packages: [ 'curl', 'vim', 'git', 'fail2ban', 'mosh' ]
 tasks:
 - name: Make sure we have a 'sudo' group
diff --git a/ansible/roles/home-net/vars/main.yml b/ansible/roles/home-net/vars/main.yml
index 0b7eb25..0ba8d59 100644
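Review bot: `mosh` added to `sys_packages` in `serverbuild.yml` needs inbound UDP 60000–61000 on the droplet, and nothing in this hunk (or elsewhere in the visible diff) opens that range; if the host firewall or the provider firewall only admits SSH, mosh sessions will fail to connect while plain SSH keeps working, which is confusing to debug. Either add the firewall rule in the same task file or record the requirement beside the package entry: `# mosh needs UDP 60000-61000 inbound`.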
--- a/ansible/roles/home-net/vars/main.yml
+++ b/ansible/roles/home-net/vars/main.yml
@@ -1 +1 @@
-sys_packages: [ 'curl', 'vim', 'git', '', 'emacs', 'build-essential' ]
+sys_packages: [ 'curl', 'vim', 'git', '', 'emacs', 'build-essential', 'mosh' ]
diff --git a/ansible/roles/wg_vpn/README.md b/ansible/roles/wg_vpn/README.md
index 1c08054..58d4497 100644
--- a/ansible/roles/wg_vpn/README.md
+++ b/ansible/roles/wg_vpn/README.md
@@ -15,19 +15,15 @@ A description of the settable variables for this role should go here, including
 shit i'm still fixing
-----------------
+----------------------
 - its not actually working yet
 - mobile device seems like it connects
 - but i can't browse around.
 - arch tasks suck because ansible + pacman is bad.
+-
-
-Example Playbook
-----------------
-
-I don't know what to put here because i don't understand how roles work lmao
- `ansible-playbook -i ../hosts.yml tasks/main.yml -v`
-
+misc
+----
 useful for generating mobile device configs:
 qrencode -t ansiutf8 < /etc/wireguard/mobile.conf
 License
diff --git a/ansible/roles/wg_vpn/defaults/main.yml b/ansible/roles/wg_vpn/defaults/main.yml
index 90d58e7..28764b6 100644
--- a/ansible/roles/wg_vpn/defaults/main.yml
+++ b/ansible/roles/wg_vpn/defaults/main.yml
@@ -1,2 +1,5 @@
 ---
-# defaults file for wg_vpn
\ No newline at end of file
+
+wireguard_server_listen_port: 51820
+
+wireguard_server_lan_interface: enp3s0
diff --git a/ansible/roles/wg_vpn/handlers/main.yml b/ansible/roles/wg_vpn/handlers/main.yml
index c5cf63f..94cb9dd 100644
--- a/ansible/roles/wg_vpn/handlers/main.yml
+++ b/ansible/roles/wg_vpn/handlers/main.yml
@@ -1,2 +1,5 @@
 ---
-# handlers file for wg_vpn
\ No newline at end of file
+# handlers file for wg_vpn
+
+- name: restart wireguard
+ service: name=wg-quick@wg0.service state=restarted
diff --git a/ansible/roles/wg_vpn/tasks/main.yml b/ansible/roles/wg_vpn/tasks/main.yml
index fbb728e..9706864 100644
--- a/ansible/roles/wg_vpn/tasks/main.yml
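Review bot: The new `sys_packages` line in `home-net/vars/main.yml` still carries the empty-string element `''` between `'git'` and `'emacs'`, so whatever consumes the list (presumably an `apt` task, not visible here) is handed an empty package name, which the module will at best ignore and at worst fail on. Drop it: `sys_packages: [ 'curl', 'vim', 'git', 'emacs', 'build-essential', 'mosh' ]`. This hunk is the whole one-line file.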
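Review bot: The `restart wireguard` handler bounces `wg-quick@wg0.service`, which tears down every peer session each time `wg0.conf` changes — adding one client in `wireguard_clients` disconnects all the others. If that matters, the handler can re-read the config in place with `shell: wg syncconf wg0 <(wg-quick strip wg0)` (the process substitution needs `args: { executable: /bin/bash }`), which applies peer changes without dropping established tunnels.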
+++ b/ansible/roles/wg_vpn/tasks/main.yml 
@@ -2,65 +2,39 @@
 # tasks file for wg_vpn
 # playbook to go from a "base configured" server to a wg vpn peer
-- name: "generating config on relay server"
- debug:
- msg: "config on relay is starting"
- verbosity: 1
-- name: generate config on relay server
- include: pretasks_debian.yml
- become: yes
+- name: add unstable to repos
+ shell: |
+ echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
+ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
-- name: "generating config on local mac"
- debug:
- msg: "config on mac is starting"
- verbosity: 1
- when: source_os == 'macos'
-- name: generate config on local mac
- include: pretasks_mac.yml
- delegate_to: localhost
- when: source_os == 'macos'
+- name: install wireguard
+ apt:
+ name:
+ - wireguard
+ - build-essential
+ - dkms
+ update_cache: yes
+ state: latest
-- name: "generating config on local arch"
- debug:
- msg: "config on arch is starting"
- verbosity: 1
- when: source_os == 'arch'
-- name: generate config on local arch
- include: pretasks_arch.yml
- delegate_to: localhost
- when: source_os == 'arch'
+
+- name: Enable IP forwarding
+ sysctl: name={{ item }} value=1 state=present
+ with_items:
+ - net.ipv4.ip_forward
+ - net.ipv6.conf.all.forwarding
-- name: generate config for IOS on local machine
- include: pretasks_ios.yml
- delegate_to: localhost
+- name: Create wireguard config directory
+ file: state=directory path=/etc/wireguard owner=root group=root mode=0700
-- name: "completing config on server"
- debug:
- msg: "config on relay is resuming"
- verbosity: 1
-- name: complete config, wg up on relay server
- include: posttasks_debian.yml
- become: yes
-
-- name: complete config, wg up on local mac
- include: posttasks_mac.yml
- delegate_to: localhost
- when: source_os == 'macos'
+- name: Install wireguard configuration
+ template: src=wg0.conf dest=/etc/wireguard/wg0.conf owner=root group=root mode=0600
+ notify: restart wireguard
-- name: "generating config on local arch"
- debug:
- msg: "config on arch is completing"
- verbosity: 1
- when: source_os == 'arch'
-- name: complete config on local arch
- include: posttasks_arch.yml
- delegate_to: localhost
- when: source_os == 'arch'
+- name: Start wireguard
+ service: name=wg-quick@wg0.service enabled=yes state=started
-- name: "generating config for iOS"
- debug:
- msg: "config for IOS is completing"
- verbosity: 1
-- name: complete config for IOS on local machine
- include: posttasks_ios.yml
- delegate_to: localhost
+- name: Create matrix.conf file in ~/wireguard/.
+ template: src=ios.conf dest=/etc/wireguard/ owner=root mode=0600
+ tags:
+ - clients
+ - client_matrix
diff --git a/ansible/roles/wg_vpn/tasks/posttasks_arch.yml b/ansible/roles/wg_vpn/tasks/posttasks_arch.yml
deleted file mode 100644
index ef06df4..0000000
--- a/ansible/roles/wg_vpn/tasks/posttasks_arch.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- name: (local) fill out the rest of the wg0.conf file
- blockinfile:
- path: /etc/wireguard/wg0.conf
- block: |
- Address = 10.200.219.2/32, fd86:ea04:1115::2/128
- DNS = 1.1.1.1
-
- [Peer]
- PublicKey = {{ server_publickey.stdout }}
- Endpoint = vpn.awful.club:51820
- AllowedIPs = 0.0.0.0/0
- delegate_to: localhost
- become: yes
-
-- name: (local) bring wg up on local
- shell: wg-quick up wg0
- delegate_to: localhost
- become: yes
- ignore_errors: True
diff --git a/ansible/roles/wg_vpn/tasks/posttasks_debian.yml b/ansible/roles/wg_vpn/tasks/posttasks_debian.yml
deleted file mode 100644
index 11b82be..0000000
--- a/ansible/roles/wg_vpn/tasks/posttasks_debian.yml
+++ /dev/null
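Review bot: The `Create matrix.conf` task renders `ios.conf`, which embeds `wireguard_clients[0]['privkey']`, into `/etc/wireguard/` on whatever host the role runs against; tags only filter when `--tags` is passed, so `cloud_wg.yml` and `all.yml` (hosts `vpn`) will write the matrix client's private key onto the relay server, and `client_matrix.yml` run untagged will configure a relay on localhost. The removed `posttasks_ios.yml` kept this step on the operator's machine with `delegate_to: localhost`; restoring that (or guarding the task with a `when:` on the target group) keeps client keys off the server, and the task name should match `dest` — it says `~/wireguard/` and `matrix.conf` but writes `/etc/wireguard/ios.conf`. The tag is `client_matrix`, while the new `ansible/readme.org` tells the user to pass `--tags matrix_client`, so the documented command matches no task and exits having done nothing. `Enable IP forwarding` also sets `net.ipv6.conf.all.forwarding`, but `wg0.conf` assigns no IPv6 address and installs only `iptables` (v4) rules, which leaves the host forwarding IPv6 with no filtering at all; drop that item until matching `ip6tables` rules exist. Finally `add unstable to repos` rewrites both files through `shell` on every run and `install wireguard` uses `state: latest`, so a `copy` with `content:` per file and `state: present` would make the role idempotent and reproducible.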
@@ -1,19 +0,0 @@
-- name: fill out the rest of the wg0.conf file
- blockinfile:
- path: /etc/wireguard/wg0.conf
- block: |
- Address = 10.200.219.1/24
- Address = fd86:ea04:1115::1/64
- ListenPort = 51820
- SaveConfig = true
- [Peer]
- # name = pvl
- PublicKey = {{ client_publickey.stdout }}
- AllowedIPs = 10.200.219.19/32, fd86:ea04:1115::19/128
- [Peer]
- # name = matrix
- PublicKey = {{ ios_publickey.stdout }}
- AllowedIPs = 10.200.219.10/32, fd86:ea04:1115::10/128
-
-- name: bring wg up on the relay node
- shell: wg-quick up /etc/wireguard/wg0.conf
diff --git a/ansible/roles/wg_vpn/tasks/posttasks_ios.yml b/ansible/roles/wg_vpn/tasks/posttasks_ios.yml
deleted file mode 100644
index 5e89c7f..0000000
--- a/ansible/roles/wg_vpn/tasks/posttasks_ios.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: (local) fill out the rest of the wg0.conf file
- blockinfile:
- path: ~/wireguard/ios.conf
- block: |
- Address = 10.200.219.10/32, fd86:ea04:1115::10/128
- DNS = 1.1.1.1
-
- [Peer]
- PublicKey = {{ server_publickey.stdout }}
- Endpoint = vpn.awful.club:51820
- AllowedIPs = 0.0.0.0/0, ::/0
diff --git a/ansible/roles/wg_vpn/tasks/posttasks_mac.yml b/ansible/roles/wg_vpn/tasks/posttasks_mac.yml
deleted file mode 100644
index a17d7fb..0000000
--- a/ansible/roles/wg_vpn/tasks/posttasks_mac.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: (local) fill out the rest of the wg0.conf file
- blockinfile:
- path: ~/wireguard/wg0.conf
- block: |
- Address = 10.200.219.19/32, fd86:ea04:1115::19/128
- DNS = 1.1.1.1
-
- [Peer]
- PublicKey = {{ server_publickey.stdout }}
- Endpoint = vpn.awful.club:51820
- AllowedIPs = 0.0.0.0/0, ::/0
-
-# - name: (local) bring wg up on local
-# shell: wg-quick up wg0
-
diff --git a/ansible/roles/wg_vpn/tasks/pretasks_arch.yml b/ansible/roles/wg_vpn/tasks/pretasks_arch.yml
deleted file mode 100644
index 51b9936..0000000
--- a/ansible/roles/wg_vpn/tasks/pretasks_arch.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-# tasks file for wg_vpn
-# this is useful for running plays /from/ an arch machine that will join the wg net.
-
-# install wg, generate keys, files on local machine
-- name: (local) install wg (i use) arch (btw)
- pacman:
- update_cache: yes
- name: wireguard-tools, wireguard-arch, wireguard-dkms
- state: present
- delegate_to: localhost
- become: yes
- # ansible has a hard time parsing the pacman files
- # ignore errors once you verify shit is installed / patched.
- ignore_errors: True
-
-- name: (local) ensure /etc/wireguard/ exists
- file:
- path: /etc/wireguard/
- state: directory
- delegate_to: localhost
-
-- name: (local) Generate keys
- shell: |
- printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
- wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
- vars:
- umask: "077"
- delegate_to: localhost
- become: yes
-
-- name: (local) register publickey for later use
- shell: cat /etc/wireguard/publickey
- register: client_publickey
- delegate_to: localhost
- become: yes
diff --git a/ansible/roles/wg_vpn/tasks/pretasks_debian.yml b/ansible/roles/wg_vpn/tasks/pretasks_debian.yml
deleted file mode 100644
index e39dd9c..0000000
--- a/ansible/roles/wg_vpn/tasks/pretasks_debian.yml
+++ /dev/null
@@ -1,47 +0,0 @@
-- name: add unstable to repos
- shell: |
- echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
- printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
-- name: Update aptitude
- apt: update_cache=yes
-- name: install wireguard
- apt: name=wireguard state=latest
-- name: install linux headers (necessary on older cloud kernels (fuck u digitalocean))
- # the kernel version is hard coded because this is what DO currently uses
- # and that's what i use
- apt: name=linux-headers-4.19.0-6-cloud-amd64
-- name: install misc other things the internet says i need
- apt: name=build-essential
-- name: install misc other things the internet says i need
- apt: name=dkms
-- name: needed for handling dns requests
- apt: name=openresolv
-- name: enable kernel relay/forwarding
- shell: |
- echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
- echo "net.ipv4.conf.all.proxy_arp = 1" >> /etc/sysctl.conf
- sudo sysctl -p /etc/sysctl.conf
- iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
- iptables -t nat -A POSTROUTING -s 10.200.219.0/24 -o eth0 -j MASQUERADE
-- name: ensure /etc/wireguard/ exists
- file:
- path: /etc/wireguard/
- state: directory
-
-- name: Generate keys
- shell: |
- printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
- wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
- vars:
- umask: "077"
-- name: register publickey for later use
- shell: cat /etc/wireguard/publickey
- register: server_publickey
-
-# do this to avoid idiot "hey you can't start, u already started!!!" erros.
-# fucker.
-- name: register publickey for later use
- shell: wg-quick down /etc/wireguard/wg0.conf
- ignore_errors: True
diff --git a/ansible/roles/wg_vpn/tasks/pretasks_ios.yml b/ansible/roles/wg_vpn/tasks/pretasks_ios.yml
deleted file mode 100644
index 8c6bcb8..0000000
--- a/ansible/roles/wg_vpn/tasks/pretasks_ios.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: make wg dir since macs are now weird about /etc/anything
- file:
- path: ~/wireguard/
- state: directory
-
-- name: Generate keys
- shell: |
- printf "[Interface]\nPrivateKey = " > ~/wireguard/ios.conf
- wg genkey | tee -a ~/wireguard/ios.conf | wg pubkey > ~/wireguard/ios_publickey
- vars:
- umask: "077"
-
-- name: register publickey for later use
- shell: cat ~/wireguard/ios_publickey
- register: ios_publickey
diff --git a/ansible/roles/wg_vpn/tasks/pretasks_mac.yml b/ansible/roles/wg_vpn/tasks/pretasks_mac.yml
deleted file mode 100644
index 82d6ded..0000000
--- a/ansible/roles/wg_vpn/tasks/pretasks_mac.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-- name: Update brew
- homebrew: update_homebrew=yes
-
-- name: install wireguard
- homebrew: name=wireguard-tools state=latest
-
-- name: make wg dir since macs are now weird about /etc/anything
- file:
- path: ~/wireguard/
- state: directory
-
-- name: Generate keys
- shell: |
- printf "[Interface]\nPrivateKey = " > ~/wireguard/wg0.conf
- wg genkey | tee -a ~/wireguard/wg0.conf | wg pubkey > ~/wireguard/publickey
- vars:
- umask: "077"
-
-- name: register publickey for later use
- shell: cat ~/wireguard/publickey
- register: client_publickey
diff --git a/ansible/roles/wg_vpn/templates/ios.conf b/ansible/roles/wg_vpn/templates/ios.conf
new file mode 100644
index 0000000..79fadf2
--- /dev/null
+++ b/ansible/roles/wg_vpn/templates/ios.conf
@@ -0,0 +1,9 @@
+[Interface]
+PrivateKey = {{ wireguard_clients[0]['privkey'] }}
+Address = {{ wireguard_vpn_network | ipsubnet(32, wireguard_clients[0]['offset']) }}
+DNS = 1.1.1.1
+
+[Peer]
+PublicKey = {{ wireguard_server_pubkey }}
+Endpoint = vpn.awful.club:51820
+AllowedIPs = 0.0.0.0/0
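Review bot: `ios.conf` hard-codes `wireguard_clients[0]`, so whichever client tag is used it always renders the `matrix` entry; the `pvl` and `ling8` entries added to `group_vars/all/main.yml` in this commit can never be produced through it. Selecting the client by name — e.g. `{% set c = wireguard_clients | selectattr('name', 'equalto', wireguard_client_name) | first %}` and then `c.privkey` / `c.offset` — with the task setting `wireguard_client_name` lets one template serve all three. `Endpoint = vpn.awful.club:51820` also repeats the port that `defaults/main.yml` now defines as `wireguard_server_listen_port`, so the two can drift; use `vpn.awful.club:{{ wireguard_server_listen_port }}`. `AllowedIPs = 0.0.0.0/0` sends only IPv4 through the tunnel, so on an IPv6-capable mobile network the phone's v6 traffic bypasses the VPN entirely, whereas the removed `posttasks_ios.yml` had `0.0.0.0/0, ::/0`; since the server assigns no v6 address, adding `::/0` back would blackhole v6 rather than leak it, which is likely the intended behaviour for a full-tunnel client.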
diff --git a/ansible/roles/wg_vpn/templates/ios_example.conf b/ansible/roles/wg_vpn/templates/ios_example.conf
new file mode 100644
index 0000000..e7e27db
--- /dev/null
+++ b/ansible/roles/wg_vpn/templates/ios_example.conf
@@ -0,0 +1,9 @@
+[Interface]
+PrivateKey =
+Address = 10.200.219.10/32
+DNS = 1.1.1.1
+
+[Peer]
+PublicKey = e49UyNg/kqPETyT9K6nqIYjtTwlR8hY8Brm/P66xnmo=
+Endpoint = vpn.awful.club:51820
+AllowedIPs = 0.0.0.0/0
diff --git a/ansible/roles/wg_vpn/templates/wg0.conf b/ansible/roles/wg_vpn/templates/wg0.conf
new file mode 100644
index 0000000..83090e3
--- /dev/null
+++ b/ansible/roles/wg_vpn/templates/wg0.conf
@@ -0,0 +1,33 @@
+[Interface]
+PrivateKey = {{ wireguard_server_privkey }}
+{#
+ We want the Address field here to be an IP address
+ with the whole network in CIDR notation, like 10.0.0.1/24.
+
+ If wireguard_vpn_network is a CIDR network like 10.0.0.0/24,
+ and wireguard_server_offset is an integer like 1,
+ this will produce an offset of the start of the network + CIDR prefix,
+ which in this case will be the desired 10.0.0.1/24.
+#}
+Address = {{ wireguard_vpn_network | ipaddr(wireguard_server_offset) }}
+ListenPort = {{ wireguard_server_listen_port }}
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+{% for client in wireguard_clients %}
+[Peer]
+# {{ client.name }}
+PublicKey = {{ client.pubkey }}
+{#
+ We want the Address field here to be an IP address
+ withOUT the whole network in CIDR notation, like 10.0.0.15/32.
+
+ If wireguard_vpn_network is a CIDR network like 10.0.0.0/24,
+ and client.offset is an integer like 15,
+ this will produce an offset of the start of the network with a /32 CIDR prefix
+ which in this case will be the desired 10.0.0.15/32.
+#}
+AllowedIPs = {{ wireguard_vpn_network | ipsubnet(32, client.offset) }}
+
+{% endfor %}
diff --git a/ansible/roles/wg_vpn/vars/main.yml b/ansible/roles/wg_vpn/vars/main.yml
index d9f42d1..78e1a71 100644
--- a/ansible/roles/wg_vpn/vars/main.yml
+++ b/ansible/roles/wg_vpn/vars/main.yml
@@ -1,2 +1,2 @@
 ---
-# vars file for wg_vpn
\ No newline at end of file
+# vars file for wg_vpn
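Review bot: `PostUp`/`PostDown` in `wg0.conf` hard-code `-o eth0` for the MASQUERADE rule, although `defaults/main.yml` in this same commit introduces `wireguard_server_lan_interface` (default `enp3s0`) and nothing in the diff reads it; on the droplet whose uplink is `eth0` the default is wrong, and on a host whose uplink is `enp3s0` the template is wrong. Use `-o {{ wireguard_server_lan_interface }}` in both lines and set the value per host or group in inventory. The `FORWARD -i %i` / `-o %i` accepts are unconditional, so every peer can reach every other peer and whatever sits behind the server's other interfaces; if the relay is only meant to provide egress, a `-s {{ wireguard_vpn_network }}` match plus a destination filter would bound that. The second Jinja comment still talks about the "Address field" although the rendered key is `AllowedIPs`; it should say `AllowedIPs` so the comment matches the line it explains.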