neuer Host carrot als interner vpn endpunkt

common/wireguard/tasks/main.yml

+---
+
+# Die Wireguard Keys müssen vorher erstellt werden 
+# wg genkey | tee privatekey | wg pubkey > publickey
+
+- include_tasks: ../functions/get_secret.yml
+  with_items:
+    - { path: /etc/wireguard/privatekey,  length: -1 }
+
+
+- name: "Install Wireguard Packages"
+  apt: 
+    state: present
+    name:
+      - iptables
+      - wireguard 
+      - wireguard-tools
+
+
+- name: "Create folders"
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+  with_items:
+    - "/etc/wireguard/"
+
+
+- name: "Enable IPv4 forwarding"
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: true
+    state: present
+    reload: true
+
+
+- name: "Create config files for wg0"
+  template:
+    src: "{{ inventory_hostname }}.conf"
+    dest: "/etc/wireguard/wg0.conf"
+
+
+# more info: https://www.ivpn.net/knowledgebase/linux/linux-autostart-wireguard-in-systemd/
+- name: "Enable systemd service for wg0"
+  ansible.builtin.systemd:
+    name: "wg-quick@wg0"
+    enabled: true
+    masked: no
+
+- name: "Reload systemd service"
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: "Start systemd service for wg0"
+  ansible.builtin.systemd:
+    name: "wg-quick@wg0"
+    state: started

common/wireguard/templates/carrot.conf

+[Interface]
+PrivateKey = {{ privatekey }}
+Address = 10.43.1.2
+ListenPort = 51821
+
+PostUp = iptables -t nat -I POSTROUTING -s 10.43.1.1 -o eth0 -j MASQUERADE
+# PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
+PreDown = iptables -t nat -D POSTROUTING -s 10.43.1.1 -o eth0 -j MASQUERADE
+# PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = Ir90KFkQqGIedB7ST7zIRGQyd7Ip11fn2rnuIHdF3m0=
+Endpoint =  {{ hostvars['webserver'].ext_ip4 }}:51821
+AllowedIPs = 10.43.1.1, 10.42.1.1, 10.44.0.0/24

functions @ e8a04941

-Subproject commit 900377e4f72486f6699ecf736f96adfbc04e92da
+Subproject commit e8a049414bca2b14b158444dac1b94c2ca90d9be

host_vars/carrot

+
+# Host spezifische Variablen
+
+motd_lines:
+  - "Carrot - Interner VPN Endpunkt @ warpzone"
+  - "Haupt-IP @ eth0: {{ansible_eth0.ipv4.address}}"
+
+debian_sources:
+  - "deb http://ftp2.de.debian.org/debian/ bullseye main contrib non-free"
+  - "deb http://ftp.debian.org/debian bullseye-updates main contrib non-free"
+  - "deb http://security.debian.org/ bullseye-security main contrib non-free"
+
+debian_keys_id:
+
+debian_keys_url:
+
+
+# Primäre IP Adressen des Hosts
+#ext_ip4: <keine>
+#ext_ip6: <keine>
+int_ip4: 192.168.0.202
+
+
+# Art des Hosts: physical, vm, lxc
+host_type: "lxc"
+
+
+administratorenteam:
+  - "void"
+  - "sandhome"
+  - "3d"
+  - "jabertwo"
+
+
+# Monitoring aktivieren
+alert:
+  load:
+    warn: 2
+    crit: 4
+  disks:
+    - { mountpoint: "/", warn: "5 GB", crit: "1 GB" }
+

hosts

 
 # Nameskonvention für Server: Pratchett Name/Charaktere
-# Nächste freie Namen: carrot, vimes 
+# Nächste freie Namen: vimes 
 
 [prod]
 
@@ -18,6 +18,11 @@ weatherwax   ansible_ssh_host=192.168.0.200
 # Wichtige Optionen: Nesting = Yes, keyctl = enabled
 ogg          ansible_ssh_host=192.168.0.201
 
+# Server für VPN Verbindung zum Webserver 
+# Container auf dem internen Proxmox Server 
+# Wichtige Optionen: Nesting = Yes, keyctl = enabled
+carrot       ansible_ssh_host=192.168.0.202
+
 # Externe Server Warpzone
 # Öffentlicher Root Server Warpzone bei Hetzner 
 tiffany     ansible_ssh_host=159.69.57.15

site.yml

@@ -29,6 +29,13 @@
     - { role: common/cronapt, tags: cronapt }
 
 
+- hosts: carrot
+  remote_user: root
+  roles:
+    - { role: common/cronapt, tags: cronapt }
+    - { role: common/wireguard, tags: wireguard }
+
+
 - hosts: ogg
   remote_user: root
   roles: