vpn access portal

host_vars/webserver

@@ -9,6 +9,7 @@ debian_sources:
   - "deb http://ftp2.de.debian.org/debian/ buster main contrib non-free"
   - "deb http://security.debian.org/ buster/updates main contrib non-free"
   - "deb https://download.docker.com/linux/debian buster stable"
+  - "deb http://deb.debian.org/debian buster-backports main"
 
 debian_keys_id:
 

site.yml

@@ -163,38 +163,52 @@
     - { 
         role: webserver/docker_hackmd, tags: hackmd,
         servicename: "hackmd",
+        basedir: /srv/hackmd, 
         domain: "md.warpzone.ms"
       }
     - { 
         role: webserver/docker_keycloak, tags: keycloak,
         servicename: "keycloak",
+        basedir: /srv/keycloak, 
         domain: "keycloak.warpzone.ms"
       }
     - { 
-        role: webserver/docker_mail, tags: mail 
+        role: webserver/docker_mail, tags: mail, 
+        basedir: /srv/mail, 
       }
     - { 
         role: webserver/docker_matterbridge, tags: matterbridge,
+        basedir: /srv/matterbridge, 
         domain: "www.warpzone.ms" 
       }
     - { 
         role: webserver/docker_matrix, tags: matrix,
         servicename: "matrix",
+        basedir: /srv/matrix, 
         domain: "matrix.warpzone.ms"
       }
+    - { 
+        role: webserver/docker_vpnserver, tags: vpnserver,
+        servicename: "vpnserver",
+        basedir: /srv/vpnserver, 
+        domain: "vpn.warpzone.ms"
+      }
     - { 
         role: webserver/docker_warpapi, tags: warpapi,
         servicename: "warpapi",
+        basedir: /srv/warpapi, 
         domain: "api.warpzone.ms"
       }
     - { 
         role: webserver/docker_wordpress, tags: wordpress,
         servicename: "wordpress",
+        basedir: /srv/wordpress, 
         domain: "www.warpzone.ms"
       }
     - { 
         role: webserver/docker_workadventure, tags: workadventure,
         servicename: "workadventure",
+        basedir: /srv/workadventure, 
         domain: "workadventure.warpzone.ms"
       }
 

webserver/docker_vpnserver/tasks/main.yml

+---
+
+- include_tasks: ../functions/get_secret.yml
+  with_items:
+    - { path: "{{ basedir }}/wg_admin_pass",  length: 32 }
+    - { path: "{{ basedir }}/wg_private_key",  length: -1 } # 'wg genkey'
+
+
+- name: create folder struct for keycloak
+  file:
+    path: "{{ item }}"
+    state: "directory"
+  with_items:
+    - "{{ basedir }}"
+    - "{{ basedir }}/data"
+
+
+- name: "copy {{ servicename }} config files"
+  template:
+    src: "{{ item }}"
+    dest: "{{ basedir }}/{{ item }}"
+  with_items:
+    - docker-compose.yml
+  register: config
+
+
+- name: "stop {{ servicename }} docker"
+  docker_compose:
+    project_src: "{{ basedir }}"
+    state: absent
+  when: config.changed
+
+
+- name: "start {{ servicename }} docker"
+  docker_compose:
+    project_src: "{{ basedir }}"
+    state: present

webserver/docker_vpnserver/templates/docker-compose.yml

+version: "3"
+
+services:
+
+  app:
+    image: ghcr.io/freifunkmuc/wg-access-server:v0.8.2
+    restart: always
+    cap_add:
+      - NET_ADMIN
+    sysctls:
+      net.ipv6.conf.all.disable_ipv6: 0
+      net.ipv6.conf.all.forwarding: 1
+    volumes:
+      - "{{ basedir }}/data:/data"
+    #   - "{{ basedir }}/config.yaml:/config.yaml" # if you have a custom config file
+    ports:
+    #  - "8000:8000/tcp"
+      - "51820:51820/udp"
+    devices:
+      - "/dev/net/tun:/dev/net/tun"
+    environment:
+      - "WG_ADMIN_USERNAME=vpnadmin"
+      - "WG_ADMIN_PASSWORD={{ wg_admin_pass }}"
+      - "WG_WIREGUARD_PRIVATE_KEY={{ wg_private_key }}"
+      - "WG_VPN_CIDRV6=0" # to disable IPv6
+      - "WG_EXTERNAL_HOST={{ domain }}"
+      - "WG_DNS_ENABLED=true"
+      - "WG_DNS_UPSTREAM=10.0.0.1"
+      - "WG_LOG_LEVEL=info"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=8000
+    networks:
+      - default
+      - web
+
+
+networks:
+  web:
+    external: true