-rw-r--r-- | roles/common/tasks/main.yml | 16 | ||||
-rw-r--r-- | roles/papermc/vars/main.yml | 11 | ||||
-rw-r--r-- | roles/setup_security/files/doas.conf | 2 | ||||
-rw-r--r-- | roles/setup_security/tasks/main.yml | 65 | ||||
-rw-r--r-- | roles/setup_wireguard/tasks/main.yml | 22 | ||||
-rw-r--r-- | roles/setup_znc/tasks/main.yml | 27 | ||||
-rw-r--r-- | roles/setup_znc/vars/main.yml | 16 | ||||
-rw-r--r-- | roles/ssh/templates/generate_dns.j2 | 2 | ||||
-rw-r--r-- | roles/wireguard/tasks/generate.yml | 55 | ||||
-rw-r--r-- | roles/wireguard/tasks/main.yml | 9 | ||||
-rw-r--r-- | roles/wireguard/tasks/set_facts.yml | 13 | ||||
-rw-r--r-- | roles/wireguard/templates/dcontroller.conf.j2 | 19 | ||||
-rw-r--r-- | roles/wireguard/templates/host.conf.j2 | 15 | ||||
-rw-r--r-- | roles/wireguard/templates/hostname.tun0.j2 | 9 |
14 files changed, 146 insertions, 135 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index cc959d9..acbcb1c 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -3,6 +3,13 @@
 ---
+- name: Setup repositories for Alpine
+ shell: |
+ echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/main/" > /etc/apk/repositories
+ echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/community/" >> /etc/apk/repositories
+ echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/releases/" >> /etc/apk/repositories
+ when: "'alpine' in group_names"
+
 - name: Check installation of package "{{ item }}"
 package:
 name: "{{ item }}"
@@ -16,6 +23,8 @@
 - "{{ packages.figlet }}"
 - "{{ packages.neovim }}"
 - "{{ packages.pip }}"
+ - util-linux
+ - shadow
 ignore_errors: yes
@@ -23,7 +32,7 @@
 - name: Copy zshrc configuration file
 copy:
 src: zshrc
- dest: /etc/zshrc
+ dest: "{{ path_zshrc }}"
 owner: root
 group: "{{ group.root }}"
 mode: 0644
@@ -41,9 +50,12 @@
 name: "{{ inventory_hostname }}"
 - name: Retrieve all valid users for zsh
- shell: awk -F ":" '{ if($3 > 999 && $3 < 16000) { print $1 }}' /etc/passwd
+ shell: awk -F ":" '{ if($3 == 0 || $3 > 999 && $3 < 16000) { print $1 }}' /etc/passwd
 register: valid_users_shell
+- debug:
+ var: valid_users_shell.stdout
+
 - name: Change shell for all valid users to zsh
 user:
 name: "{{ item }}"
diff --git a/roles/papermc/vars/main.yml b/roles/papermc/vars/main.yml
new file mode 100644
index 0000000..9725e45
--- /dev/null
+++ b/roles/papermc/vars/main.yml
@@ -0,0 +1,11 @@
+
+# papermc ~~ tasks/main.yml
+
+---
+
+- name: Download latest java
+ package:
+ name: java
+ state: latest
+
+- name: Download latest papermc
diff --git a/roles/setup_security/files/doas.conf b/roles/setup_security/files/doas.conf
deleted file mode 100644
index cf3a9d0..0000000
--- a/roles/setup_security/files/doas.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-permit keepenv nopass puffy as root
-permit keepenv nopass root
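Review bot: The new "Setup repositories for Alpine" task overwrites /etc/apk/repositories through `shell` echo redirections, so it reports `changed` on every run, is invisible to `--check`/`--diff`, and a typo in a URL only surfaces when the next `apk` call fails. The same content written with `copy` and `content:` is idempotent and gets an explicit owner and mode. It also pins every Alpine host to the rolling `edge` branch; if that is deliberate a comment saying so would help, otherwise the branch belongs in a variable. The third entry, `.../edge/releases/`, does not look like an apk package index (those are `main`, `community`, `testing`) — confirm apk accepts it, since a bad line makes every later `apk` invocation error.
```yaml
- name: Setup repositories for Alpine
  copy:
    content: |
      https://mirror.ungleich.ch/mirror/packages/alpine/edge/main/
      https://mirror.ungleich.ch/mirror/packages/alpine/edge/community/
      https://mirror.ungleich.ch/mirror/packages/alpine/edge/releases/
    dest: /etc/apk/repositories
    owner: root
    mode: "0644"
  when: "'alpine' in group_names"
```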
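Review bot: Adding `$3 == 0` to the awk filter puts `root` into `valid_users_shell`, so the "Change shell for all valid users to zsh" task that follows (its body continues outside this hunk) now rewrites root's login shell as well. The package task earlier in this file runs with `ignore_errors: yes`, so a failed or missing zsh install is not fatal, and root would be left with a login shell that does not exist on disk — a lockout at the console and for anything that spawns root's shell. Guard the shell change on the binary actually being present, and add `when: zsh_path.rc == 0` to the `user` task; the awk precedence is correct (`&&` binds tighter than `||`) but parentheses around the range would make that obvious. The added `debug` prints the user list on every run; fine while the filter is being validated, worth dropping afterwards.
```yaml
- name: Locate zsh binary
  shell: command -v zsh
  register: zsh_path
  changed_when: false
  failed_when: false

# … unchanged: Retrieve all valid users for zsh …
```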
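Review bot: `roles/papermc/vars/main.yml` contains a task list, but Ansible loads a role's `vars/main.yml` as a mapping of variables; a top-level list there makes the role fail to load, and the file's own header comment says `tasks/main.yml`. The last entry, `- name: Download latest papermc`, has no module, which is a second error once the content is loaded as tasks. Move the content to `roles/papermc/tasks/main.yml`, finish or remove the trailing task, and prefer `state: present` over `state: latest`, which upgrades Java on every run. `name: java` is presumably a placeholder — it is not a package name on most distributions (e.g. `openjdk17-jre` on Alpine, `default-jre` on Debian); confirm against the targets.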
diff --git a/roles/setup_security/tasks/main.yml b/roles/setup_security/tasks/main.yml
deleted file mode 100644
index 36844c3..0000000
--- a/roles/setup_security/tasks/main.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-
-# =========================================================================== #
-# __ _ __
-# _________ / /__ ________ _______ _______(_) /___ __
-# / ___/ __ \/ / _ \ / ___/ _ \/ ___/ / / / ___/ / __/ / / /
-# / / / /_/ / / __/ (__ ) __/ /__/ /_/ / / / / /_/ /_/ /
-# /_/ \____/_/\___(_) /____/\___/\___/\__,_/_/ /_/\__/\__, /
-# /____/
-#
-# =========================================================================== #
----
-- name: Remove default user pi
- user:
- name: pi
- state: absent
- remove: yes
-
-- name: Remove default group pi
- group:
- name: pi
- state: absent
-
-- name: Apply syspatch for system type = {{ ansible_distribution }}
- syspatch:
- apply: true
- when: inventory_hostname in groups["openbsd"]
-
-- name: Add puffy account for system type = {{ ansible_distribution }}
- user:
- name: puffy
- group: wheel
- when: inventory_hostname in groups["openbsd"]
-
-- name: Copy doas.conf to /etc/doas.conf for system type = {{ ansible_distribution }}
- copy:
- src: "{{ role_path }}/files/doas.conf"
- dest: "/etc/doas.conf"
-
-- name: Copy ssh key for puffy account
- authorized_key:
- user: puffy
- state: present
- key: "{{ item }}"
- with_file:
- - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh"
-
-- name: Copy ssh key for root account
- authorized_key:
- user: root
- state: present
- key: "{{ item }}"
- with_file:
- - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh"
-
-- name: Disable password login in sshd_config
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: "PasswordAuthentication"
- line: "PasswordAuthentication no"
-
-- name: Restart sshd daemon
- service:
- name: sshd
- state: restarted
diff --git a/roles/setup_wireguard/tasks/main.yml b/roles/setup_wireguard/tasks/main.yml
deleted file mode 100644
index b77129b..0000000
--- a/roles/setup_wireguard/tasks/main.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-
-# =========================================================================== #
-# __ _ __
-# _________ / /__ _ __(_)_______ ____ ___ ______ __________/ /
-# / ___/ __ \/ / _ \ | | /| / / / ___/ _ \/ __ `/ / / / __ `/ ___/ __ /
-# / / / /_/ / / __/ | |/ |/ / / / / __/ /_/ / /_/ / /_/ / / / /_/ /
-# /_/ \____/_/\___(_) |__/|__/_/_/ \___/\__, /\__,_/\__,_/_/ \__,_/
-# /____/
-#
-# =========================================================================== #
----
-- name: Check installation for wireguard
- package:
- name: wireguard-go wireguard-tools
- state: present
-
-- name: Activate ipv4 forwarding for wg0 server
- shell: sysctl net.inet.ip.forwarding=1
-
-- name: Activate ipv6 forwarding for wg0 server
- shell: sysctl net.inet6.ip6.forwarding=1
diff --git a/roles/setup_znc/tasks/main.yml b/roles/setup_znc/tasks/main.yml
deleted file mode 100644
index 6ebbaa8..0000000
--- a/roles/setup_znc/tasks/main.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-
-# =========================================================================== #
-# __ _ __
-# _________ / /__ ____ _(_) /_
-# / ___/ __ \/ / _ \ / __ `/ / __/
-# / / / /_/ / / __/ / /_/ / / /_
-# /_/ \____/_/\___(_) \__, /_/\__/
-# /____/
-#
-# =========================================================================== #
----
-- name: Check installation of znc
- package:
- name: znc
- state: present
-
-- name: Add group "{{ znc_group }}"
- user:
- name: "{{ znc_group }}"
- state: present
-
-- name: Add user "{{ znc_user }}"
- user:
- name: "{{ znc_user }}"
- comment: "{{ znc_user_comment }}"
- group: "{{ znc_group }}"
diff --git a/roles/setup_znc/vars/main.yml b/roles/setup_znc/vars/main.yml
deleted file mode 100644
index 2db1770..0000000
--- a/roles/setup_znc/vars/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-# =========================================================================== #
-# _ __
-# _ ______ __________ ____ _(_) /_
-# | | / / __ `/ ___/ ___/ / __ `/ / __/
-# | |/ / /_/ / / (__ ) / /_/ / / /_
-# |___/\__,_/_/ /____(_) \__, /_/\__/
-# /____/
-#
-# =========================================================================== #
----
-znc_user: znc
-znc_user_comment: IRC bouncer
-znc_group: znc
-znc_directory_path: /srv/znc
diff --git a/roles/ssh/templates/generate_dns.j2 b/roles/ssh/templates/generate_dns.j2
index 58dc6d6..5d58ae9 100644
--- a/roles/ssh/templates/generate_dns.j2
+++ b/roles/ssh/templates/generate_dns.j2
@@ -10,7 +10,7 @@
 {##}
 # {{ h.ansible_host }}
-Match originalhost {{ h.ansible_host }} exec "systemctl is-active wg-quick@{{ _i.dcontroller }}.service"
+Match originalhost {{ h.ansible_host }} exec "ls /sys/class/net/{{ _i.dcontroller }} && ! ping -c 1 -W 5 {{ h.ip.out }}"
 HostName {{ h.ip.in }}
 Port {{ _port }}
diff --git a/roles/wireguard/tasks/generate.yml b/roles/wireguard/tasks/generate.yml
new file mode 100644
index 0000000..e3264ef
--- /dev/null
+++ b/roles/wireguard/tasks/generate.yml
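Review bot: The new `Match exec` condition turns a local service check into a network probe on every ssh invocation for this host: `ping -c 1 -W 5 {{ h.ip.out }}` can stall the connection for up to 5 s, and because the result is negated, a public address that merely filters ICMP (common on hardened hosts) is treated as down and every session is steered through the tunnel. `ls` on the sysfs entry also prints to stdout, which is noise for scp/rsync and ProxyCommand users, and is Linux-only like the old check. If the intent is "use the tunnel whenever it is up", `test -d /sys/class/net/{{ _i.dcontroller }}` alone is the equivalent of the former `systemctl is-active`; if reachability of the public address is really wanted, probing the ssh port tests what the connection needs, e.g. `exec "test -d /sys/class/net/{{ _i.dcontroller }} && ! nc -z -w 2 {{ h.ip.out }} {{ _port }}"` (assuming the same port listens on both addresses — confirm).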
@@ -0,0 +1,55 @@
+
+# wireguard ~~ tasks/generate.yml
+
+- stat:
+ path: "{{ wg_host_keys }}"
+ register: stat_host_keys
+ delegate_to: localhost
+
+- name: Generate domain keys
+ shell: |
+ umask 077
+ wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}"
+ args:
+ chdir: "{{ wg_dir }}"
+ when: not stat_host_keys.stat.exists or force is defined and force
+ delegate_to: localhost
+
+- name: Create wireguard dir on remote host
+ file:
+ path: /etc/wireguard
+ owner: root
+ state: directory
+ mode: "0700"
+ ignore_unreachable: true
+
+- name: Generate client configuration
+ template:
+ src: templates/host.conf.j2
+ dest: "{{ item.path }}"
+ mode: "0600"
+ when: ansible_host != _i.dcontroller
+ delegate_to: "{{ item.name }}"
+ loop:
+ - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
+ - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+ ignore_unreachable: true
+ failed_when: 1 == 2
+
+- name: Generate server configuration
+ template:
+ src: templates/dcontroller.conf.j2
+ dest: "{{ item.path }}"
+ mode: "0600"
+ when: ansible_host == _i.dcontroller
+ delegate_to: "{{ item.name }}"
+ loop:
+ - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
+ - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+
+- name: Generate server interface
+ template:
+ src: templates/hostname.tun0.j2
+ dest: /etc/hostname.tun0
+ when: ansible_host == _i.dcontroller
+
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..be9e57c
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,9 @@
+
+# wireguard ~~ tasks/main.yml
+
+---
+
+- include: set_facts.yml
+
+- include: generate.yml
+
diff --git a/roles/wireguard/tasks/set_facts.yml b/roles/wireguard/tasks/set_facts.yml
new file mode 100644
index 0000000..933ca9d
--- /dev/null
+++ b/roles/wireguard/tasks/set_facts.yml
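Review bot: `failed_when: 1 == 2` on the "Generate client configuration" task makes it succeed unconditionally, so a missing or empty `.keys` file (the `lookup("file", …)` in `host.conf.j2` raises), an unwritable `/etc/wireguard`, or a bad variable all leave the host without a tunnel config while the play reports OK; `ignore_unreachable: true` already covers the down-host case, so drop the `failed_when`, or if the aim was to tolerate only the remote write, limit it with `failed_when: false` guarded by `item.name != 'localhost'`. The private keys and rendered configs are written to `{{ wg_dir }}`, i.e. `{{ inventory_dir }}/files/wireguard`, in clear text; if the inventory tree is under version control that is one committed WireGuard private key per host, so vault-encrypt the `.keys` files or make sure the directory is ignored. The key-generation `shell` task also lacks `changed_when`, and `force` regenerates a host's key without re-rendering the controller config that references the old public key unless the controller is in the same run — presumably fine with the full play, but a `--limit` to one host breaks the pairing silently. A short comment on the keys-file layout (`line 0 = private, line 1 = public`) would spare readers of the templates from reverse-engineering the `tee … | wg pubkey >>` pipeline.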
@@ -0,0 +1,13 @@
+
+# wireguard ~~ tasks/set_facts.yml
+
+---
+
+- set_fact:
+ wg_dir: "{{ inventory_dir}}/files/wireguard"
+
+- set_fact:
+ wg_dcontroller_conf: "{{ wg_dir }}/{{ _i.dcontroller }}.conf"
+ wg_dcontroller_keys: "{{ wg_dir }}/{{ _i.dcontroller }}.keys"
+ wg_host_conf: "{{ wg_dir }}/{{ ansible_host }}.conf"
+ wg_host_keys: "{{ wg_dir }}/{{ ansible_host }}.keys"
diff --git a/roles/wireguard/templates/dcontroller.conf.j2 b/roles/wireguard/templates/dcontroller.conf.j2
new file mode 100644
index 0000000..c1fd887
--- /dev/null
+++ b/roles/wireguard/templates/dcontroller.conf.j2
@@ -0,0 +1,19 @@
+
+# wireguard client configuration ~~ /etc/wireguard/*.conf
+# managed by Ansible
+{% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %}
+
+[Interface]
+#Address = {{ ip.in }}, fd00::1/128
+ListenPort = 53
+PrivateKey = {{ dcontroller_keys[0] }}
+
+{% for host in groups["all"] if hostvars[host].ansible_host != _i.dcontroller %}
+{% set host = hostvars[host] %}
+{% set host_keys = lookup("file", wg_dir + "/" + host.ansible_host + ".keys").splitlines() %}
+# {{ host.ansible_host }}
+[Peer]
+PublicKey = {{ host_keys[1] }}
+AllowedIPs = {{ host.ip.in }}/32, fd00:10:10::{{ host.ip.in.split('.')[3] }}/128
+
+{% endfor %}
diff --git a/roles/wireguard/templates/host.conf.j2 b/roles/wireguard/templates/host.conf.j2
new file mode 100644
index 0000000..c25d937
--- /dev/null
+++ b/roles/wireguard/templates/host.conf.j2
@@ -0,0 +1,15 @@
+
+# wireguard client configuration ~~ /etc/wireguard/*.conf
+# managed by Ansible
+{% set host_keys = lookup("file", wg_host_keys).splitlines() %}
+{% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %}
+
+[Interface]
+Address = {{ ip.in }}
+PrivateKey = {{ host_keys[0] }}
+
+[Peer]
+PublicKey = {{ dcontroller_keys[1] }}
+Endpoint = {{ hostvars[_i.dcontroller].ip.out }}:53
+AllowedIPs = 0.0.0.0/0, ::/0
+PersistentKeepalive = 25
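Review bot: The peer loop walks `groups["all"]` and does `lookup("file", wg_dir + "/" + host.ansible_host + ".keys")` for every entry, so one inventory host whose keys were never generated (generation runs only for hosts in the play, and is skipped under `--limit`) aborts rendering of the whole controller config rather than just omitting that peer; loop over a dedicated wireguard group, or test for the file first and `continue` past missing ones. `ListenPort = 53` binds the DNS port on the controller and will collide with any resolver already listening there (unbound, dnsmasq) — document why 53 was chosen, and share it as a variable with `host.conf.j2`, which hard-codes `:53` independently. The header comment says "client configuration" for what is the server side, and `#Address` is commented out because the addresses are set in `hostname.tun0.j2`; a comment such as `# Address is assigned by /etc/hostname.tun0, not here` would stop the next reader re-adding it. No `PresharedKey` is set for any peer; WireGuard offers it as an extra symmetric layer and the key files are already generated per host, so adding one is cheap.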
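Review bot: `AllowedIPs = 0.0.0.0/0, ::/0` makes every client a full-tunnel peer: if the config is activated with `wg-quick`, the default route is replaced and all of the host's traffic depends on the controller being reachable at `{{ hostvars[_i.dcontroller].ip.out }}:53`, so a controller outage cuts the host off entirely (the reachability fallback added to `generate_dns.j2` in this same commit suggests that has already been felt). If only the mesh is needed, restrict it to the addresses the server side actually routes: `AllowedIPs = 10.10.0.0/24, fd00:10:10::/64`. If full tunnelling is intended, say so in the header comment and add a `PresharedKey` per peer to match whatever the server config ends up with. `Address = {{ ip.in }}` carries no prefix length (wg-quick treats it as /32) and no IPv6 address even though the server grants `fd00:10:10::N/128` to this peer — either add the v6 address here or drop it from the server's `AllowedIPs`.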
diff --git a/roles/wireguard/templates/hostname.tun0.j2 b/roles/wireguard/templates/hostname.tun0.j2
new file mode 100644
index 0000000..3903ccb
--- /dev/null
+++ b/roles/wireguard/templates/hostname.tun0.j2
@@ -0,0 +1,9 @@
+inet 10.10.0.1 255.255.255.0
+inet6 fd00:10:10::1
+!/usr/local/bin/wireguard-go -f tun0 &
+!/bin/sleep 2
+!/usr/local/bin/wg setconf tun0 /etc/wireguard/{{ _i.dcontroller }}.conf
+!/bin/sleep 2
+!/sbin/route add -inet 10.10.0.0/24 10.10.0.1
+!/bin/sleep 2
+!/sbin/route add -inet6 fd00:10:10::/64 fd00:10:10::1 |
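Review bot: The interface script hard-codes `10.10.0.1` and `fd00:10:10::1` while the peer templates derive addresses from `ip.in`, so the two will drift; render `{{ ip.in }}` here as well and build the v6 address the same way `dcontroller.conf.j2` does. Starting `wireguard-go -f tun0 &` and then relying on fixed `sleep 2` delays is a race — on a slow boot `wg setconf` runs before the device exists and the controller comes up with no peers and no error. If the controller runs OpenBSD 6.8 or later, the in-kernel `wg(4)` driver lets this become `hostname.wg0` with `wgkey`/`wgpeer` lines and no userspace daemon or sleeps at all (hedged: confirm the release); otherwise at least poll `wg show tun0` before `setconf` instead of sleeping. The `template` task that writes this file (in `generate.yml`) sets no `mode`; hostname.if(5) expects these files to be 0640 root:wheel, so add `mode: "0640"` there.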