diff --git a/deployments/mediaServer/docker-compose.yml b/deployments/mediaServer/docker-compose.yml index a84f0ec..c6febd7 100644 --- a/deployments/mediaServer/docker-compose.yml +++ b/deployments/mediaServer/docker-compose.yml @@ -72,3 +72,17 @@ services: - "/Volumes/usenet/audio/:/music" - "/Volumes/usenet/movies/:/movies" - "/Volumes/usenet/itunes-synology/iTunes Media/Automatically Add to iTunes.localized/:/itunes" + lazylibrarian: + image: "thraxis/lazylibrarian-calibre" + ports: + - "5299:5299" + restart: unless-stopped + environment: + PUID: 1000 + PGID: 1000 + TZ: America/Chicago + volumes: + - "/Users/josiah/Documents/apps/lazylibrarian:/config" + - "/Users/josiah/Downloads/usenet-complete/:/downloads" + - "/Volumes/usenet/book-library/books/:/books" + - "/Volumes/usenet/book-library/audiobooks:/audiobooks" diff --git a/deployments/serverBuild/ipsec.conf b/deployments/serverBuild/ipsec.conf index f8faa02..3509e5f 100644 --- a/deployments/serverBuild/ipsec.conf +++ b/deployments/serverBuild/ipsec.conf @@ -1,27 +1,23 @@ - +# basic configuration config setup - charondebug="ike 1, knl 1, cfg 0" - uniqueids=no + charondebug="all" + uniqueids=yes + strictcrlpolicy=no -conn ikev2-vpn - auto=add - compress=no - type=tunnel - keyexchange=ikev2 - fragmentation=yes - forceencaps=yes - dpdaction=clear - dpddelay=300s - rekey=no - left=%any - leftid=@vpn.awful.club - leftcert=awful-server-cert.pem - leftsendcert=always - leftsubnet=0.0.0.0/0 - right=%any - rightid=%any - rightauth=eap-mschapv2 - rightsourceip=10.10.10.0/24 - rightdns=1.1.1.1,1.0.0.1 - rightsendcert=never - eap_identity=%identity +# connection to amsterdam datacenter +conn home-to-digitalocean + authby=secret + left=%defaultroute + leftid=165.22.156.25 + leftsubnet=10.138.0.0/16 + right=0.0.0.0 + rightsubnet=192.168.1.0/24 + ike=aes256-sha2_256-modp1024! + esp=aes256-sha2_256! + keyingtries=0 + ikelifetime=1h + lifetime=8h + dpddelay=30 + dpdtimeout=120 + dpdaction=restart + auto=start diff --git a/deployments/serverBuild/ipsec.secrets b/deployments/serverBuild/ipsec.secrets deleted file mode 100644 index 03549aa..0000000 --- a/deployments/serverBuild/ipsec.secrets +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA "awful-server-key.pem" - -jowj : EAP "fake-password" - -# get secrets from other files -include ipsec.*.secrets - diff --git a/deployments/serverBuild/vpnBuild.yml b/deployments/serverBuild/vpnBuild.yml index 5a97177..6abf3ac 100644 --- a/deployments/serverBuild/vpnBuild.yml +++ b/deployments/serverBuild/vpnBuild.yml @@ -6,6 +6,8 @@ become: yes vars: vpn_packages: [ 'strongswan','strongswan-pki','ufw' ] + remote_host: 165.22.156.25 + local_host: 0.0.0.0 tasks: - name: Update apt @@ -14,31 +16,23 @@ - name: Install required system packages apt: name={{ vpn_packages }} state=latest - - name: Build temp pki dir structure - cacerts - shell: mkdir -p ~/pki/cacerts - - name: Build temp pki dir structure - certs - shell: mkdir -p ~/pki/certs - - name: Build temp pki dir structure - private and set perms - shell: mkdir -p ~/pki/private && chmod 700 ~/pki + - name: set kernel params + shell: | + cat >> /etc/sysctl.conf << EOF + net.ipv4.ip_forward = 1 + net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.all.send_redirects = 0 + EOF - - name: Generate root key 4096 bit RSA - shell: ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/awful-ca-key.pem + - name: save kernel params + shell: sysctl -p /etc/sysctl.conf + + - name: Generate preshared key + shell: openssl rand -hex 32 + register: awful_psk - - name: Create root cert authority & sign with root key - become_method: sudo - shell: ipsec pki --self --ca --lifetime 3650 --in ~/pki/private/awful-ca-key.pem --type rsa --dn "CN=vpn.awful.club" --outform pem > ~/pki/cacerts/awful-ca-cert.pem - - - name: Generate cert for the VPN host - shell: ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/awful-server-key.pem - - - name: Create & sign VPN server cert with CA cert. - shell: ipsec pki --pub --in ~/pki/private/awful-server-key.pem --type rsa | ipsec pki --issue --lifetime 1825 --cacert ~/pki/cacerts/awful-ca-cert.pem --cakey ~/pki/private/awful-ca-key.pem --dn "CN=vpn.awful.club" --san "vpn.awful.club" --flag serverAuth --flag ikeIntermediate --outform pem > ~/pki/certs/awful-server-cert.pem - - - name: move temp pki dir structure to proper /etc/ipsec.d/ dir - shell: sudo cp -r ~/pki/* /etc/ipsec.d/ - - - name: make backup of default sswan conf file - shell: sudo mv /etc/ipsec.conf /etc/ipsec.conf.original + - debug: + msg: got this key {{ awful_psk }} - name: Copy my ipsec.conf file to the VPN host # this file does a lot. view more info in the readme.md @@ -48,81 +42,17 @@ owner: root group: root - - name: Copy my ipsec.secrets file to the VPN host - # this file does a lot. view more info in the readme.md - copy: - src: ipsec.secrets - dest: /etc/ipsec.secrets - owner: root - group: root + - name: remove existing ipsec.secerts + shell: rm /etc/ipsec.secrets - - name: restart strongswan - shell: systemctl restart strongswan - - - name: allow SSH connections - ufw: - rule: allow - name: OpenSSH - - - name: Deny everything and enable UFW - ufw: - state: enabled - policy: deny - - - name: rate limit ssh connections - ufw: - rule: limit - port: ssh - proto: tcp - - - name: Allow all access from RFC1918 networks to this host - ufw: - rule: allow - src: '{{ item }}' - loop: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - - - - name: Allow tcp ipsec ports - ufw: - rule: allow - port: 500 - port: 4500 - proto: tcp - - - name: Allow udp ipsec ports - ufw: - rule: allow - port: 4500 - port: 500 - proto: udp - - - name: copy local before.rules to vpn host - copy: - src: before.rules - dest: /etc/ufw/before.rules - owner: root - group: root + - name: create ipsec.secrets with psk info + shell: | + cat >> /etc/ipsec.secrets << EOF + {{ remote_host }} {{local_host}}: PSK "{{awful_psk.stdout}}" + EOF - - name: copy local sysctl.conf to vpn host - copy: - src: sysctl.conf - dest: /etc/ufw/sysctl.conf - owner: root - group: root + - name: update route rules + shell: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.138.0.0/16 -j MASQUERADE - - name: disable ufw to save config - ufw: - state: disabled - - - name: reload ufw to activate changes - ufw: - state: enabled - - - name: Copy ca-cert down to local machine - fetch: - src: /etc/ipsec.d/cacerts/awful-ca-cert.pem - dest: awful-ca-cert.pem - flat: yes + # - name: copy psk down to local machine + # local_action: copy_content={{ awful_psk }} dest=psk.txt