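# Debian unstable is added as a low-priority source only: with Pin-Priority 90
# (below 100) apt takes a package from it solely when no other configured source
# provides that package at all, so already-installed stable packages are not
# pulled up to unstable versions. copy is idempotent, unlike the shell redirects
# it replaces, so the play only reports "changed" when the files really change.
- name: add unstable to repos
  copy:
    dest: /etc/apt/sources.list.d/unstable.list
    content: "deb http://deb.debian.org/debian/ unstable main\n"
    mode: "0644"

- name: pin unstable below every other apt source
  copy:
    dest: /etc/apt/preferences.d/limit-unstable
    content: |
      Package: *
      Pin: release a=unstable
      Pin-Priority: 90
    mode: "0644"
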
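# Refresh the package index so the unstable source configured above is visible
# to the apt tasks that follow. Block-style module arguments and a real boolean
# replace the legacy key=value string form.
- name: Update aptitude
  apt:
    update_cache: true
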
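# state: latest means every run may upgrade wireguard; switch to present if a
# run should never change an already-installed package.
- name: install wireguard
  apt:
    name: wireguard
    state: latest
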
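# The header package must match the kernel that is actually running, so it is
# derived from the gathered ansible_kernel fact (uname -r) instead of a
# hard-coded version; this keeps working after a kernel upgrade or on a
# different image. Relies on fact gathering (enabled by default).
- name: install linux headers (necessary on older cloud kernels (fuck u digitalocean))
  apt:
    name: "linux-headers-{{ ansible_kernel }}"
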
# compiler toolchain, expressed with block-style module arguments
- name: install misc other things the internet says i need
  apt:
    name: build-essential

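# Renamed: the previous task carried the same name as the build-essential task,
# which made the two indistinguishable in play output.
- name: install dkms (misc other things the internet says i need)
  apt:
    name: dkms
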
# resolvconf implementation, expressed with block-style module arguments
- name: needed for handling dns requests
  apt:
    name: openresolv

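# The original shell task appended to /etc/sysctl.conf and ran iptables -A on
# every run, so each replay duplicated both the sysctl lines and the firewall
# rules. The sysctl and iptables modules below check for the existing entry or
# rule before adding it, so re-running the play is a no-op.
# The sysctl module writes to /etc/sysctl.conf by default and reloads it,
# matching the old `sysctl -p /etc/sysctl.conf`.
# NOTE(review): net.ipv4.conf.all.proxy_arp turns proxy ARP on for every
# interface, not just wg0 — confirm that breadth is intended.
- name: enable kernel relay/forwarding
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_set: true
    state: present
    reload: true
  loop:
    - { name: net.ipv4.ip_forward, value: "1" }
    - { name: net.ipv4.conf.all.proxy_arp, value: "1" }

# Rule order is preserved from the original script (rules are appended in task
# order). As in the original, nothing on this page persists the rules across a
# reboot, and the FORWARD chain policy is left untouched.
- name: accept return traffic for established connections
  iptables:
    chain: INPUT
    ctstate: [RELATED, ESTABLISHED]
    jump: ACCEPT

- name: forward return traffic for established connections
  iptables:
    chain: FORWARD
    ctstate: [RELATED, ESTABLISHED]
    jump: ACCEPT

- name: allow new connections between wireguard peers
  iptables:
    chain: FORWARD
    in_interface: wg0
    out_interface: wg0
    ctstate: NEW
    jump: ACCEPT

- name: masquerade tunnel traffic leaving via eth0
  iptables:
    table: nat
    chain: POSTROUTING
    source: "10.200.219.0/24"
    out_interface: eth0
    jump: MASQUERADE
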
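# This directory will hold wg0.conf, which contains the interface's private key
# (see the key-generation task below), so it is created root-only rather than
# with the default directory mode.
- name: ensure /etc/wireguard/ exists
  file:
    path: /etc/wireguard/
    state: directory
    owner: root
    group: root
    mode: "0700"
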
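# Two fixes over the original:
#  * `vars: umask: "077"` is not something the shell module honours, so wg0.conf
#    (which holds the private key) was created with the default umask. The
#    umask is now set inside the script, and the config is chmod'ed explicitly
#    in case the file already existed with a wider mode.
#  * `creates:` makes the task skip once a key pair exists; previously every
#    run generated a fresh key and truncated wg0.conf, invalidating any peer
#    that had the old public key.
- name: Generate keys
  shell: |
    umask 077
    printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
    wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
    chmod 0600 /etc/wireguard/wg0.conf
  args:
    creates: /etc/wireguard/publickey
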
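# Read-only lookup: command (no shell features needed) plus changed_when: false
# so the play no longer reports a change on every run. The registered variable
# keeps the same shape (server_publickey.stdout) for later tasks.
- name: register publickey for later use
  command: cat /etc/wireguard/publickey
  register: server_publickey
  changed_when: false
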
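# wg-quick refuses to start an interface that already exists, so tear wg0 down
# first; when the interface is not up this fails harmlessly, which is why errors
# are ignored. The task was previously mis-named as a copy of the
# "register publickey" task.
- name: bring wg0 down if it is already up
  command: wg-quick down /etc/wireguard/wg0.conf
  ignore_errors: true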