aboutsummaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/common/tasks/main.yml16
-rw-r--r--roles/papermc/vars/main.yml11
-rw-r--r--roles/setup_security/files/doas.conf2
-rw-r--r--roles/setup_security/tasks/main.yml65
-rw-r--r--roles/setup_wireguard/tasks/main.yml22
-rw-r--r--roles/setup_znc/tasks/main.yml27
-rw-r--r--roles/setup_znc/vars/main.yml16
-rw-r--r--roles/ssh/templates/generate_dns.j22
-rw-r--r--roles/wireguard/tasks/generate.yml55
-rw-r--r--roles/wireguard/tasks/main.yml9
-rw-r--r--roles/wireguard/tasks/set_facts.yml13
-rw-r--r--roles/wireguard/templates/dcontroller.conf.j219
-rw-r--r--roles/wireguard/templates/host.conf.j215
-rw-r--r--roles/wireguard/templates/hostname.tun0.j29
14 files changed, 146 insertions, 135 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index cc959d9..acbcb1c 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -3,6 +3,13 @@
---
+- name: Setup repositories for Alpine
+ shell: |
+ echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/main/" > /etc/apk/repositories
+ echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/community/" >> /etc/apk/repositories
+ echo "https://mirror.ungleich.ch/mirror/packages/alpine/edge/releases/" >> /etc/apk/repositories
+ when: "'alpine' in group_names"
+
- name: Check installation of package "{{ item }}"
package:
name: "{{ item }}"
@@ -16,6 +23,8 @@
- "{{ packages.figlet }}"
- "{{ packages.neovim }}"
- "{{ packages.pip }}"
+ - util-linux
+ - shadow
ignore_errors: yes
@@ -23,7 +32,7 @@
- name: Copy zshrc configuration file
copy:
src: zshrc
- dest: /etc/zshrc
+ dest: "{{ path_zshrc }}"
owner: root
group: "{{ group.root }}"
mode: 0644
@@ -41,9 +50,12 @@
name: "{{ inventory_hostname }}"
- name: Retrieve all valid users for zsh
- shell: awk -F ":" '{ if($3 > 999 && $3 < 16000) { print $1 }}' /etc/passwd
+ shell: awk -F ":" '{ if($3 == 0 || $3 > 999 && $3 < 16000) { print $1 }}' /etc/passwd
register: valid_users_shell
+- debug:
+ var: valid_users_shell.stdout
+
- name: Change shell for all valid users to zsh
user:
name: "{{ item }}"
diff --git a/roles/papermc/vars/main.yml b/roles/papermc/vars/main.yml
new file mode 100644
index 0000000..9725e45
--- /dev/null
+++ b/roles/papermc/vars/main.yml
@@ -0,0 +1,11 @@
+
+# papermc ~~ tasks/main.yml
+
+---
+
+- name: Download latest java
+ package:
+ name: java
+ state: latest
+
+- name: Download latest papermc
diff --git a/roles/setup_security/files/doas.conf b/roles/setup_security/files/doas.conf
deleted file mode 100644
index cf3a9d0..0000000
--- a/roles/setup_security/files/doas.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-permit keepenv nopass puffy as root
-permit keepenv nopass root
diff --git a/roles/setup_security/tasks/main.yml b/roles/setup_security/tasks/main.yml
deleted file mode 100644
index 36844c3..0000000
--- a/roles/setup_security/tasks/main.yml
+++ /dev/null
@@ -1,65 +0,0 @@
-
-# =========================================================================== #
-# __ _ __
-# _________ / /__ ________ _______ _______(_) /___ __
-# / ___/ __ \/ / _ \ / ___/ _ \/ ___/ / / / ___/ / __/ / / /
-# / / / /_/ / / __/ (__ ) __/ /__/ /_/ / / / / /_/ /_/ /
-# /_/ \____/_/\___(_) /____/\___/\___/\__,_/_/ /_/\__/\__, /
-# /____/
-#
-# =========================================================================== #
-
----
-- name: Remove default user pi
- user:
- name: pi
- state: absent
- remove: yes
-
-- name: Remove default group pi
- group:
- name: pi
- state: absent
-
-- name: Apply syspatch for system type = {{ ansible_distribution }}
- syspatch:
- apply: true
- when: inventory_hostname in groups["openbsd"]
-
-- name: Add puffy account for system type = {{ ansible_distribution }}
- user:
- name: puffy
- group: wheel
- when: inventory_hostname in groups["openbsd"]
-
-- name: Copy doas.conf to /etc/doas.conf for system type = {{ ansible_distribution }}
- copy:
- src: "{{ role_path }}/files/doas.conf"
- dest: "/etc/doas.conf"
-
-- name: Copy ssh key for puffy account
- authorized_key:
- user: puffy
- state: present
- key: "{{ item }}"
- with_file:
- - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh"
-
-- name: Copy ssh key for root account
- authorized_key:
- user: root
- state: present
- key: "{{ item }}"
- with_file:
- - "{{ playbook_dir }}/files/pub_ssh/rgoncalves.pub.ssh"
-
-- name: Disable password login in sshd_config
- lineinfile:
- path: /etc/ssh/sshd_config
- regexp: "PasswordAuthentication"
- line: "PasswordAuthentication no"
-
-- name: Restart sshd daemon
- service:
- name: sshd
- state: restarted
diff --git a/roles/setup_wireguard/tasks/main.yml b/roles/setup_wireguard/tasks/main.yml
deleted file mode 100644
index b77129b..0000000
--- a/roles/setup_wireguard/tasks/main.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-
-# =========================================================================== #
-# __ _ __
-# _________ / /__ _ __(_)_______ ____ ___ ______ __________/ /
-# / ___/ __ \/ / _ \ | | /| / / / ___/ _ \/ __ `/ / / / __ `/ ___/ __ /
-# / / / /_/ / / __/ | |/ |/ / / / / __/ /_/ / /_/ / /_/ / / / /_/ /
-# /_/ \____/_/\___(_) |__/|__/_/_/ \___/\__, /\__,_/\__,_/_/ \__,_/
-# /____/
-#
-# =========================================================================== #
-
----
-- name: Check installation for wireguard
- package:
- name: wireguard-go wireguard-tools
- state: present
-
-- name: Activate ipv4 forwarding for wg0 server
- shell: sysctl net.inet.ip.forwarding=1
-
-- name: Activate ipv6 forwarding for wg0 server
- shell: sysctl net.inet6.ip6.forwarding=1
diff --git a/roles/setup_znc/tasks/main.yml b/roles/setup_znc/tasks/main.yml
deleted file mode 100644
index 6ebbaa8..0000000
--- a/roles/setup_znc/tasks/main.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-
-# =========================================================================== #
-# __ _ __
-# _________ / /__ ____ _(_) /_
-# / ___/ __ \/ / _ \ / __ `/ / __/
-# / / / /_/ / / __/ / /_/ / / /_
-# /_/ \____/_/\___(_) \__, /_/\__/
-# /____/
-#
-# =========================================================================== #
-
----
-- name: Check installation of znc
- package:
- name: znc
- state: present
-
-- name: Add group "{{ znc_group }}"
- user:
- name: "{{ znc_group }}"
- state: present
-
-- name: Add user "{{ znc_user }}"
- user:
- name: "{{ znc_user }}"
- comment: "{{ znc_user_comment }}"
- group: "{{ znc_group }}"
diff --git a/roles/setup_znc/vars/main.yml b/roles/setup_znc/vars/main.yml
deleted file mode 100644
index 2db1770..0000000
--- a/roles/setup_znc/vars/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-# =========================================================================== #
-# _ __
-# _ ______ __________ ____ _(_) /_
-# | | / / __ `/ ___/ ___/ / __ `/ / __/
-# | |/ / /_/ / / (__ ) / /_/ / / /_
-# |___/\__,_/_/ /____(_) \__, /_/\__/
-# /____/
-#
-# =========================================================================== #
-
----
-znc_user: znc
-znc_user_comment: IRC bouncer
-znc_group: znc
-znc_directory_path: /srv/znc
diff --git a/roles/ssh/templates/generate_dns.j2 b/roles/ssh/templates/generate_dns.j2
index 58dc6d6..5d58ae9 100644
--- a/roles/ssh/templates/generate_dns.j2
+++ b/roles/ssh/templates/generate_dns.j2
@@ -10,7 +10,7 @@
{##}
# {{ h.ansible_host }}
-Match originalhost {{ h.ansible_host }} exec "systemctl is-active wg-quick@{{ _i.dcontroller }}.service"
+Match originalhost {{ h.ansible_host }} exec "ls /sys/class/net/{{ _i.dcontroller }} && ! ping -c 1 -W 5 {{ h.ip.out }}"
HostName {{ h.ip.in }}
Port {{ _port }}
diff --git a/roles/wireguard/tasks/generate.yml b/roles/wireguard/tasks/generate.yml
new file mode 100644
index 0000000..e3264ef
--- /dev/null
+++ b/roles/wireguard/tasks/generate.yml
@@ -0,0 +1,55 @@
+
+# wireguard ~~ tasks/generate.yml
+
+- stat:
+ path: "{{ wg_host_keys }}"
+ register: stat_host_keys
+ delegate_to: localhost
+
+- name: Generate domain keys
+ shell: |
+ umask 077
+ wg genkey | tee "{{ wg_host_keys }}" | wg pubkey >> "{{ wg_host_keys }}"
+ args:
+ chdir: "{{ wg_dir }}"
+ when: not stat_host_keys.stat.exists or force is defined and force
+ delegate_to: localhost
+
+- name: Create wireguard dir on remote host
+ file:
+ path: /etc/wireguard
+ owner: root
+ state: directory
+ mode: "0700"
+ ignore_unreachable: true
+
+- name: Generate client configuration
+ template:
+ src: templates/host.conf.j2
+ dest: "{{ item.path }}"
+ mode: "0600"
+ when: ansible_host != _i.dcontroller
+ delegate_to: "{{ item.name }}"
+ loop:
+ - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
+ - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+ ignore_unreachable: true
+ failed_when: 1 == 2
+
+- name: Generate server configuration
+ template:
+ src: templates/dcontroller.conf.j2
+ dest: "{{ item.path }}"
+ mode: "0600"
+ when: ansible_host == _i.dcontroller
+ delegate_to: "{{ item.name }}"
+ loop:
+ - { name: "{{ ansible_host }}", path: /etc/wireguard/dcontroller.conf }
+ - { name: localhost, path: "{{ wg_dir }}/{{ ansible_host}}.conf" }
+
+- name: Generate server interface
+ template:
+ src: templates/hostname.tun0.j2
+ dest: /etc/hostname.tun0
+ when: ansible_host == _i.dcontroller
+
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..be9e57c
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,9 @@
+
+# wireguard ~~ tasks/main.yml
+
+---
+
+- include: set_facts.yml
+
+- include: generate.yml
+
diff --git a/roles/wireguard/tasks/set_facts.yml b/roles/wireguard/tasks/set_facts.yml
new file mode 100644
index 0000000..933ca9d
--- /dev/null
+++ b/roles/wireguard/tasks/set_facts.yml
@@ -0,0 +1,13 @@
+
+# wireguard ~~ tasks/set_facts.yml
+
+---
+
+- set_fact:
+ wg_dir: "{{ inventory_dir}}/files/wireguard"
+
+- set_fact:
+ wg_dcontroller_conf: "{{ wg_dir }}/{{ _i.dcontroller }}.conf"
+ wg_dcontroller_keys: "{{ wg_dir }}/{{ _i.dcontroller }}.keys"
+ wg_host_conf: "{{ wg_dir }}/{{ ansible_host }}.conf"
+ wg_host_keys: "{{ wg_dir }}/{{ ansible_host }}.keys"
diff --git a/roles/wireguard/templates/dcontroller.conf.j2 b/roles/wireguard/templates/dcontroller.conf.j2
new file mode 100644
index 0000000..c1fd887
--- /dev/null
+++ b/roles/wireguard/templates/dcontroller.conf.j2
@@ -0,0 +1,19 @@
+
+# wireguard client configuration ~~ /etc/wireguard/*.conf
+# managed by Ansible
+{% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %}
+
+[Interface]
+#Address = {{ ip.in }}, fd00::1/128
+ListenPort = 53
+PrivateKey = {{ dcontroller_keys[0] }}
+
+{% for host in groups["all"] if hostvars[host].ansible_host != _i.dcontroller %}
+{% set host = hostvars[host] %}
+{% set host_keys = lookup("file", wg_dir + "/" + host.ansible_host + ".keys").splitlines() %}
+# {{ host.ansible_host }}
+[Peer]
+PublicKey = {{ host_keys[1] }}
+AllowedIPs = {{ host.ip.in }}/32, fd00:10:10::{{ host.ip.in.split('.')[3] }}/128
+
+{% endfor %}
diff --git a/roles/wireguard/templates/host.conf.j2 b/roles/wireguard/templates/host.conf.j2
new file mode 100644
index 0000000..c25d937
--- /dev/null
+++ b/roles/wireguard/templates/host.conf.j2
@@ -0,0 +1,15 @@
+
+# wireguard client configuration ~~ /etc/wireguard/*.conf
+# managed by Ansible
+{% set host_keys = lookup("file", wg_host_keys).splitlines() %}
+{% set dcontroller_keys = lookup("file", wg_dcontroller_keys).splitlines() %}
+
+[Interface]
+Address = {{ ip.in }}
+PrivateKey = {{ host_keys[0] }}
+
+[Peer]
+PublicKey = {{ dcontroller_keys[1] }}
+Endpoint = {{ hostvars[_i.dcontroller].ip.out }}:53
+AllowedIPs = 0.0.0.0/0, ::/0
+PersistentKeepalive = 25
diff --git a/roles/wireguard/templates/hostname.tun0.j2 b/roles/wireguard/templates/hostname.tun0.j2
new file mode 100644
index 0000000..3903ccb
--- /dev/null
+++ b/roles/wireguard/templates/hostname.tun0.j2
@@ -0,0 +1,9 @@
+inet 10.10.0.1 255.255.255.0
+inet6 fd00:10:10::1
+!/usr/local/bin/wireguard-go -f tun0 &
+!/bin/sleep 2
+!/usr/local/bin/wg setconf tun0 /etc/wireguard/{{ _i.dcontroller }}.conf
+!/bin/sleep 2
+!/sbin/route add -inet 10.10.0.0/24 10.10.0.1
+!/bin/sleep 2
+!/sbin/route add -inet6 fd00:10:10::/64 fd00:10:10::1
remember that computers suck.