From 2518af19bb2b63d03cd16ef1271cf4544bb6d74e Mon Sep 17 00:00:00 2001
From: jowj
Date: Thu, 24 Oct 2019 17:02:09 -0500
Subject: [PATCH] Break out whole job into pre/post os specific tasks.
- this isn't complete yet - will have a lot of refactoring to do when i'm done.
---
.../wg_vpn/tasks/posttasks_arch.yml | 22 ++++++++
.../wg_vpn/tasks/posttasks_debian.yml | 21 ++++++++
.../wg_vpn/tasks/posttasks_mac.yml | 20 +++++++
.../wg_vpn/tasks/pretasks_arch.yml | 37 +++++++++++++
.../wg_vpn/tasks/pretasks_debian.yml | 53 +++++++++++++++++++
.../serverBuild/wg_vpn/tasks/pretasks_mac.yml | 25 +++++++++
6 files changed, 178 insertions(+)
create mode 100644 deployments/serverBuild/wg_vpn/tasks/posttasks_arch.yml
create mode 100644 deployments/serverBuild/wg_vpn/tasks/posttasks_debian.yml
create mode 100644 deployments/serverBuild/wg_vpn/tasks/posttasks_mac.yml
create mode 100644 deployments/serverBuild/wg_vpn/tasks/pretasks_arch.yml
create mode 100644 deployments/serverBuild/wg_vpn/tasks/pretasks_debian.yml
create mode 100644 deployments/serverBuild/wg_vpn/tasks/pretasks_mac.yml
diff --git a/deployments/serverBuild/wg_vpn/tasks/posttasks_arch.yml b/deployments/serverBuild/wg_vpn/tasks/posttasks_arch.yml
new file mode 100644
index 0000000..0bf62ed
--- /dev/null
+++ b/deployments/serverBuild/wg_vpn/tasks/posttasks_arch.yml
@@ -0,0 +1,22 @@
+- hosts: vpn
+ remote_user: josiah
+ gather_facts: false
+ become: yes
+
+ tasks:
+ - name: (local) fill out the rest of the wg0.conf file
+ blockinfile:
+ path: /etc/wireguard/wg0.conf
+ block: |
+ Address = 10.200.219.2/32, fd86:ea04:1115::2/128
+ DNS = 1.1.1.1
+
+ [Peer]
+ PublicKey = {{ server_publickey.stdout }}
+ Endpoint = vpn.awful.club:51820
+ AllowedIPs = 0.0.0.0/0
+ delegate_to: localhost
+
+ - name: (local) bring wg up on local
+ shell: wg-quick up wg0
+ delegate_to: localhost
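Review bot: The "bring wg up on local" task is not idempotent — `wg-quick up wg0` exits non-zero when the interface already exists, so the second run of this play fails at its last task. Switching to `command: wg-quick up wg0` with `args: creates: /sys/class/net/wg0` skips the step once the interface is present. The blockinfile task on the same file sets no `mode:`; since wg0.conf carries the private key written by the pretasks, adding `mode: "0600"` to that task keeps the completed config readable by root only (wg-quick also warns when the file is world accessible). Note that every task here is delegated to localhost under `become: yes`, so the play named for `vpn` actually runs privileged on the control machine.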
diff --git a/deployments/serverBuild/wg_vpn/tasks/posttasks_debian.yml b/deployments/serverBuild/wg_vpn/tasks/posttasks_debian.yml
new file mode 100644
index 0000000..38041b2
--- /dev/null
+++ b/deployments/serverBuild/wg_vpn/tasks/posttasks_debian.yml
@@ -0,0 +1,21 @@
+- hosts: vpn
+ remote_user: josiah
+ gather_facts: false
+ become: yes
+
+ tasks:
+ - name: fill out the rest of the wg0.conf file
+ blockinfile:
+ path: /etc/wireguard/wg0.conf
+ block: |
+ Address = 10.200.219.1/24
+ Address = fd86:ea04:1115::1/64
+ ListenPort = 51820
+ SaveConfig = true
+ [Peer]
+ # name = luggable-laptop
+ PublicKey = {{ arch_publickey.stdout }}
+ AllowedIPs = 10.200.219.2/32, fd86:ea04:1115::2/128
+
+ - name: bring wg up on the relay node
+ shell: wg-quick up /etc/wireguard/wg0.conf
diff --git a/deployments/serverBuild/wg_vpn/tasks/posttasks_mac.yml b/deployments/serverBuild/wg_vpn/tasks/posttasks_mac.yml
new file mode 100644
index 0000000..2aec5f7
--- /dev/null
+++ b/deployments/serverBuild/wg_vpn/tasks/posttasks_mac.yml
@@ -0,0 +1,20 @@
+- hosts: localhost
+ connection: local
+ gather_facts: false
+
+ tasks:
+ - name: (local) fill out the rest of the wg0.conf file
+ blockinfile:
+ path: ~/wireguard//wg0.conf
+ block: |
+ Address = 10.200.219.19/32, fd86:ea04:1115::19/128
+ DNS = 1.1.1.1
+
+ [Peer]
+ PublicKey = {{ server_publickey.stdout }}
+ Endpoint = vpn.awful.club:51820
+ AllowedIPs = 0.0.0.0/0
+
+ - name: (local) bring wg up on local
+ shell: wg-quick up wg0
+
diff --git a/deployments/serverBuild/wg_vpn/tasks/pretasks_arch.yml b/deployments/serverBuild/wg_vpn/tasks/pretasks_arch.yml
new file mode 100644
index 0000000..e7a654a
--- /dev/null
+++ b/deployments/serverBuild/wg_vpn/tasks/pretasks_arch.yml
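Review bot: `SaveConfig = true` conflicts with managing wg0.conf through blockinfile — when wg-quick brings the interface down it rewrites the file from runtime state and drops the BEGIN/END marker comments, so the next run of this task inserts a second copy of the block and the `[Interface]` keys end up duplicated. Either drop `SaveConfig = true` or generate the whole file with a template and stop editing it in place. `wg-quick up /etc/wireguard/wg0.conf` also fails on re-run once the interface exists and is not restored after a reboot; `systemd: name=wg-quick@wg0 state=started enabled=yes` covers both. Whether handshakes on the `ListenPort = 51820` configured here ever reach the relay depends on the host's INPUT policy, since the pretasks add no rule for UDP 51820 — worth making explicit rather than relying on the default.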
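Review bot: `{{ server_publickey.stdout }}` is a variable registered on host `vpn` in pretasks_debian, but this play runs with `hosts: localhost`, where that name is undefined; if the plays run in one ansible-playbook invocation it is reachable as `{{ hostvars['vpn'].server_publickey.stdout }}` (the exact inventory name is not visible here), otherwise it has to be passed in explicitly. `path: ~/wireguard//wg0.conf` has a doubled slash, and pretasks_mac targets `hosts: local` while this play targets `hosts: localhost` — the two should agree on one host name. As with the other posttasks files, the blockinfile task should set `mode: "0600"` since the file holds the private key.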
@@ -0,0 +1,37 @@
+---
+# tasks file for wg_vpn
+# this is useful for running plays /from/ an arch machine that will join the wg net.
+
+# install wg, generate keys, files on local machine
+- hosts: vpn
+ remote_user: josiah
+ gather_facts: false
+ become: yes
+
+ tasks:
+ - name: (local) install wg (i use) arch (btw)
+ pacman:
+ update_cache: yes
+ name: wireguard-tools, wireguard-arch
+ state: present
+ delegate_to: localhost
+
+ - name: (local) ensure /etc/wireguard/ exists
+ file:
+ path: /etc/wireguard/
+ state: directory
+ delegate_to: localhost
+
+ - name: (local) Generate keys
+ shell: |
+ printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
+ wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
+ vars:
+ umask: "077"
+ delegate_to: localhost
+
+ - name: (local) register publickey for later use
+ shell: cat /etc/wireguard/publickey
+ register: arch_publickey
+ delegate_to: localhost
+
diff --git a/deployments/serverBuild/wg_vpn/tasks/pretasks_debian.yml b/deployments/serverBuild/wg_vpn/tasks/pretasks_debian.yml
new file mode 100644
index 0000000..f1b997e
--- /dev/null
+++ b/deployments/serverBuild/wg_vpn/tasks/pretasks_debian.yml
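Review bot: `vars: umask: "077"` on the "Generate keys" task only defines a playbook variable named umask; the shell module does not read it, so `/etc/wireguard/wg0.conf` — which the script seeds with the private key — is created under the default umask and is typically readable by every local user. Make `umask 077` the first line of the script (or follow the task with a `file:` task setting `mode: "0600"` on wg0.conf and publickey); the same ineffective `vars: umask` appears in pretasks_debian and pretasks_mac. The task also generates a fresh key pair on every run, truncating wg0.conf and invalidating the public key already given to peers, so guard it with `args: creates: /etc/wireguard/publickey`. `name: wireguard-tools, wireguard-arch` relies on the pacman module splitting a comma string; a YAML list is the unambiguous form.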
@@ -0,0 +1,53 @@
+- hosts: vpn
+ remote_user: josiah
+ gather_facts: false
+ become: yes
+
+ tasks:
+ - name: add unstable to repos
+ shell: |
+ echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
+ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
+
+ - name: Update aptitude
+ apt: update_cache=yes
+
+ - name: install wireguard
+ apt: name=wireguard state=latest
+
+ - name: install linux headers (necessary on older cloud kernels (fuck u digitalocean))
+ # the kernel version is hard coded because this is what DO currently uses
+ # and that's what i use
+ apt: name=linux-headers-4.19.0-6-cloud-amd64
+ - name: install misc other things the internet says i need
+ apt: name=build-essential
+ - name: install misc other things the internet says i need
+ apt: name=dkms
+ - name: needed for handling dns requests
+ apt: name=openresolv
+
+ - name: enable kernel relay/forwarding
+ shell: |
+ echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
+ echo "net.ipv4.conf.all.proxy_arp = 1" >> /etc/sysctl.conf
+ sudo sysctl -p /etc/sysctl.conf
+ iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW -j ACCEPT
+ iptables -t nat -A POSTROUTING -s 10.200.219.0/24 -o eth0 -j MASQUERADE
+
+ - name: ensure /etc/wireguard/ exists
+ file:
+ path: /etc/wireguard/
+ state: directory
+
+ - name: Generate keys
+ shell: |
+ printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
+ wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
+ vars:
+ umask: "077"
+
+ - name: register publickey for later use
+ shell: cat /etc/wireguard/publickey
+ register: server_publickey
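Review bot: The "enable kernel relay/forwarding" task appends to /etc/sysctl.conf and to the iptables chains with `>>` and `-A` on every run, so each replay adds duplicate sysctl lines and duplicate rules, and the iptables rules are lost at reboot because nothing persists them (`sudo` inside the script is also redundant under `become: yes`). The `sysctl` and `iptables` modules make both steps idempotent; persistence across reboots still needs a separate mechanism such as netfilter-persistent, which this hunk does not set up. No rule accepts inbound UDP on the `ListenPort` 51820 that posttasks_debian configures, so the INPUT chain only works if its default policy is already ACCEPT — in which case the RELATED,ESTABLISHED rule is moot; an explicit accept for that port makes the intent visible and survives a policy change. The hard-coded `linux-headers-4.19.0-6-cloud-amd64` will silently stop matching the running kernel after an upgrade; the comment explains why, but the task name or comment should say what to do when it breaks.
```yaml
    - name: enable ip forwarding
      sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        sysctl_set: yes
        state: present
        reload: yes

    - name: accept wireguard handshakes on the listen port
      iptables:
        chain: INPUT
        protocol: udp
        destination_port: "51820"
        jump: ACCEPT
    # … unchanged in intent: the RELATED,ESTABLISHED, wg0 forward and MASQUERADE rules, each converted to an iptables module task the same way …
```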
diff --git a/deployments/serverBuild/wg_vpn/tasks/pretasks_mac.yml b/deployments/serverBuild/wg_vpn/tasks/pretasks_mac.yml
new file mode 100644
index 0000000..216a0ad
--- /dev/null
+++ b/deployments/serverBuild/wg_vpn/tasks/pretasks_mac.yml
@@ -0,0 +1,25 @@
+- hosts: local
+ gather_facts: false
+
+ tasks:
+ - name: Update brew
+ homebrew: update_homebrew=yes
+
+ - name: install wireguard
+ homebrew: name=wireguard-tools state=latest
+
+ - name: make wg dir since macs are now weird about /etc/anything
+ file:
+ path: ~/wireguard/
+ state: directory
+
+ - name: Generate keys
+ shell: |
+ printf "[Interface]\nPrivateKey = " > ~/wireguard/wg0.conf
+ wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
+ vars:
+ umask: "077"
+
+ - name: register publickey for later use
+ shell: cat ~/wireguard/publickey
+ register: macos_publickey
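Review bot: The second line of the "Generate keys" script still writes to `/etc/wireguard/wg0.conf` and `/etc/wireguard/publickey`, while the first line, the directory task above and the `cat ~/wireguard/publickey` task below all use `~/wireguard/` — so the private key never reaches the file posttasks_mac extends, and the register task fails on a missing file (the directory task's own name says /etc is not usable here, so tee is likely to fail too). The line should read `wg genkey | tee -a ~/wireguard/wg0.conf | wg pubkey > ~/wireguard/publickey`. `hosts: local` is not a default inventory group and differs from the `hosts: localhost` used in posttasks_mac; pick one for both plays. The private key file should be created with a restrictive mode, as noted for the arch pretasks.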