diff --git a/common/wireguard/tasks/main.yml b/common/wireguard/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5ab5d4e8bc91c351928bca908acdf0d8a0f6eb9d
--- /dev/null
+++ b/common/wireguard/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+
+# Die Wireguard Keys müssen vorher erstellt werden
+# wg genkey | tee privatekey | wg pubkey > publickey
+
+- include_tasks: ../functions/get_secret.yml
+ with_items:
+ - { path: /etc/wireguard/privatekey, length: -1 }
+
+
+- name: "Install Wireguard Packages"
+ apt:
+ state: present
+ name:
+ - iptables
+ - wireguard
+ - wireguard-tools
+
+
+- name: "Create folders"
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ with_items:
+ - "/etc/wireguard/"
+
+
+- name: "Enable IPv4 forwarding"
+ ansible.posix.sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: true
+ state: present
+ reload: true
+
+
+- name: "Create config files for wg0"
+ template:
+ src: "{{ inventory_hostname }}.conf"
+ dest: "/etc/wireguard/wg0.conf"
+
+
+# more info: https://www.ivpn.net/knowledgebase/linux/linux-autostart-wireguard-in-systemd/
+- name: "Enable systemd service for wg0"
+ ansible.builtin.systemd:
+ name: "wg-quick@wg0"
+ enabled: true
+ masked: no
+
+- name: "Reload systemd service"
+ ansible.builtin.systemd:
+ daemon_reload: true
+
+- name: "Start systemd service for wg0"
+ ansible.builtin.systemd:
+ name: "wg-quick@wg0"
+ state: started
diff --git a/common/wireguard/templates/carrot.conf b/common/wireguard/templates/carrot.conf
new file mode 100644
index 0000000000000000000000000000000000000000..c6b1745923f2bac898d13fa7bcaedc44be08c413
--- /dev/null
+++ b/common/wireguard/templates/carrot.conf
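Review bot: The "Create config files for wg0" template task writes /etc/wireguard/wg0.conf, which contains the rendered `PrivateKey`, without a `mode`, and the "Create folders" task sets owner/group on /etc/wireguard/ but likewise no `mode`; both therefore take whatever the remote umask yields, so the private key can end up readable by every local user (wg-quick warns about a world-accessible config but still starts). Add `mode: "0600"` to the template task and `mode: "0700"` to the directory task so the permissions are enforced on every run rather than inherited. While touching the systemd task, `masked: no` should be written `masked: false`, matching the `true` values used for `enabled` and `daemon_reload` in the same hunk and avoiding the YAML 1.1 truthy form.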
@@ -0,0 +1,14 @@
+[Interface]
+PrivateKey = {{ privatekey }}
+Address = 10.43.1.2
+ListenPort = 51821
+
+PostUp = iptables -t nat -I POSTROUTING -s 10.43.1.1 -o eth0 -j MASQUERADE
+# PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
+PreDown = iptables -t nat -D POSTROUTING -s 10.43.1.1 -o eth0 -j MASQUERADE
+# PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = Ir90KFkQqGIedB7ST7zIRGQyd7Ip11fn2rnuIHdF3m0=
+Endpoint = {{ hostvars['webserver'].ext_ip4 }}:51821
+AllowedIPs = 10.43.1.1, 10.42.1.1, 10.44.0.0/24
diff --git a/functions b/functions
index 900377e4f72486f6699ecf736f96adfbc04e92da..e8a049414bca2b14b158444dac1b94c2ca90d9be 160000
--- a/functions
+++ b/functions
@@ -1 +1 @@
-Subproject commit 900377e4f72486f6699ecf736f96adfbc04e92da
+Subproject commit e8a049414bca2b14b158444dac1b94c2ca90d9be
diff --git a/host_vars/carrot b/host_vars/carrot
new file mode 100644
index 0000000000000000000000000000000000000000..04f184723a9552487c7518d0e766806e9c3682b3
--- /dev/null
+++ b/host_vars/carrot
@@ -0,0 +1,42 @@
+
+# Host spezifische Variablen
+
+motd_lines:
+ - "Carrot - Interner VPN Endpunkt @ warpzone"
+ - "Haupt-IP @ eth0: {{ansible_eth0.ipv4.address}}"
+
+debian_sources:
+ - "deb http://ftp2.de.debian.org/debian/ bullseye main contrib non-free"
+ - "deb http://ftp.debian.org/debian bullseye-updates main contrib non-free"
+ - "deb http://security.debian.org/ bullseye-security main contrib non-free"
+
+debian_keys_id:
+
+debian_keys_url:
+
+
+# Primäre IP Adressen des Hosts
+#ext_ip4: <keine>
+#ext_ip6: <keine>
+int_ip4: 192.168.0.202
+
+
+# Art des Hosts: physical, vm, lxc
+host_type: "lxc"
+
+
+administratorenteam:
+ - "void"
+ - "sandhome"
+ - "3d"
+ - "jabertwo"
+
+
+# Monitoring aktivieren
+alert:
+ load:
+ warn: 2
+ crit: 4
+ disks:
+ - { mountpoint: "/", warn: "5 GB", crit: "1 GB" }
+
diff --git a/hosts b/hosts
index 856150182f621b4a72332a9131a2079a49efdb6b..4915b1655557f6a93dc51daee545603d816587dd 100644
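Review bot: The [Peer] section has no PersistentKeepalive, although carrot is the internal side of this tunnel (host_vars/carrot in the same commit leaves ext_ip4 unset and gives only a 192.168.0.202 address) and dials out to the webserver's public Endpoint; once the outbound NAT mapping times out, the webserver cannot reach 10.43.1.2 again until carrot happens to send traffic. Adding `PersistentKeepalive = 25` under [Peer] keeps the mapping open. Separately, PostUp/PreDown masquerade only packets sourced from 10.43.1.1, while AllowedIPs also admits 10.42.1.1 and 10.44.0.0/24; with ip_forward enabled by the role, packets from those sources are forwarded to eth0 with their tunnel addresses unchanged, which the internal network presumably has no route back for — if that is intended, a comment saying so would help, otherwise the `-s` match should cover the other ranges as well.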
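Review bot: `debian_keys_id:` and `debian_keys_url:` are bare keys in host_vars/carrot, which YAML reads as null rather than as empty lists; if the consuming role loops over them the task fails on a non-iterable value, and an emptiness test behaves differently from `[]`. Writing `debian_keys_id: []` and `debian_keys_url: []` makes the intent (no additional apt keys) explicit and parser-independent. The motd entry `{{ansible_eth0.ipv4.address}}` also omits the spaces inside the braces that the new role's template task uses (`{{ inventory_hostname }}`); `{{ ansible_eth0.ipv4.address }}` would keep the repository consistent.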
--- a/hosts +++ b/hosts @@ -1,6 +1,6 @@ # Nameskonvention für Server: Pratchett Name/Charaktere -# Nächste freie Namen: carrot, vimes +# Nächste freie Namen: vimes [prod] @@ -18,6 +18,11 @@ weatherwax ansible_ssh_host=192.168.0.200 # Wichtige Optionen: Nesting = Yes, keyctl = enabled ogg ansible_ssh_host=192.168.0.201 +# Server für VPN Verbindung zum Webserver +# Container auf dem internen Proxmox Server +# Wichtige Optionen: Nesting = Yes, keyctl = enabled +carrot ansible_ssh_host=192.168.0.202 + # Externe Server Warpzone # Öffentlicher Root Server Warpzone bei Hetzner tiffany ansible_ssh_host=159.69.57.15 diff --git a/site.yml b/site.yml index 766764d31b0205d387069c9dda87443ecde2b00d..44b2b3072ccd3ff49897b879da6f0dc9eb41c0d9 100644 --- a/site.yml +++ b/site.yml @@ -29,6 +29,13 @@ - { role: common/cronapt, tags: cronapt } +- hosts: carrot + remote_user: root + roles: + - { role: common/cronapt, tags: cronapt } + - { role: common/wireguard, tags: wireguard } + + - hosts: ogg remote_user: root roles: