

No commits in common. "58a2a1526bec3e9efa37af82e27628f07ed6ed9f" and "70809c757366cca0e944a3a769b579bbf43475bc" have entirely different histories.

12 changed files with 2 additions and 156 deletions


@ -16,7 +16,6 @@ The following services are managed completely automatically:
- [Paperless-ngx](https://docs.paperless-ngx.com/)
- [Exim](https://www.exim.org/) mail (internal use only)
- [Caddy](https://caddyserver.com/) reverse proxy
- [WireGuard](https://www.wireguard.com/) VPN server.
## misc features


@ -26,18 +26,3 @@ form_secret: ""
# paperless secret key
paperless_secret: ""
wireguard_secret:
# server secret
# generate with `wg genkey`, available in the 'wireguard-tools' package
server_key: ""
# pipe the secret key (see secret_template in group_vars/) into `wg pubkey` to get this
server_pub_key: ""
# list of clients to generate configs for
peers:
# name of the client
- name: test_client
addr: "10.66.77.2"
priv_key: ""
pub_key: ""


@ -62,9 +62,6 @@ all:
haproxy:
hosts:
your_bastion_host:
wireguard:
hosts:
your_bastion_host:
sshd:
hosts:
your_bastion_host:


@ -61,11 +61,6 @@
proto: any
src: "{{ local_subnet }}"
- name: "wireguard"
port: "{{ wireguard.ip.port | default('51820') }}"
proto: udp
src: any
- name: Deny all ports by default
community.general.ufw:
state: enabled


@ -9,4 +9,5 @@ $TTL 604800
ns IN A {{ local_ip }}
@ IN NS localhost.
@ IN A {{ local_ip }}
@ IN AAAA ::1
{{ dyndns_domain }} IN A {{ local_ip }}
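Review bot: The owner name on the added record `{{ dyndns_domain }} IN A {{ local_ip }}` carries no trailing dot, so BIND reads it as relative to the zone's origin; if `dyndns_domain` is set to a fully-qualified name (its definition is outside this hunk) the record lands at `<dyndns_domain>.<origin>` instead of the intended name. Either pin the contract with a zone comment above the new line, such as `; dyndns_domain must be a label relative to this zone's origin (no trailing dot)`, or, if the variable is meant to hold an FQDN, render it as `{{ dyndns_domain }}. IN A {{ local_ip }}`. The zone's $ORIGIN and SOA are outside the hunk, so which of the two applies cannot be confirmed from here.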


@ -1,12 +1,6 @@
// vim:set ts=4 sw=4 et:
acl internals {
127.0.0.0/8;
{{ local_subnet }};
{% if wireguard is defined %}
{{ wireguard.ip.cidr }};
{% endif %}
};
acl internals { 127.0.0.0/8; {{ local_subnet }}; };
options {
directory "/var/named";
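Review bot: The replacement line `acl internals { 127.0.0.0/8; {{ local_subnet }}; };` collapses what was one prefix per line into a single line, which makes later additions noisier to diff and leaves nowhere for a per-entry comment; keeping the block layout (`acl internals {`, one indented `prefix;` per line, `};`) costs nothing and reads the same to named. Separately, the ACL now lists only 127.0.0.0/8 and `{{ local_subnet }}`, while the zone data in this same commit answers `::1` for the apex AAAA record, so if named also listens on the IPv6 loopback (the listen-on-v6 setting is outside this hunk) local queries arriving over `::1` would not match `internals`; adding `::1;` is worth considering if this ACL gates recursion or queries. The `options` block continues outside the hunk.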


@ -1,24 +0,0 @@
---
# these are defaults
# change these in group/host vars
# NOTE: copy the *entire* wireguard config if you wish to override it (all or nothing)
# also see group_vars/all/00-secret-template.yml
wireguard:
dns_servers:
- "{{ dns_forward }}"
interface: "wg0"
ip:
# address for the server
address: "10.66.77.1/32"
# cidr range in tunnel
cidr: "10.66.77.0/24"
server_public: "www.{{ domain }}"
# UDP port
port: 51820
# place to output client configs
client_folder: "/tmp/wireguard-clients"


@ -1,9 +0,0 @@
---
- name: Start wireguard
systemd:
name: "wg-quick@{{ wireguard.interface }}.service"
enabled: yes
daemon_reload: yes
state: restarted


@ -1,57 +0,0 @@
---
- name: Install wireguard packages
community.general.pacman:
name:
- wireguard-tools
# for encoding .conf as a qr code
- qrencode
notify:
- Start wireguard
- name: Enable IP forwarding
sysctl:
name: net.ipv4.ip_forward
value: 1
state: present
reload: yes
- name: Setup UFW rules to accept VPN traffic
community.general.ufw:
rule: allow
direction: in
src: "{{ wireguard.ip.cidr }}"
dest: any
- name: Deploy wireguard server config
template:
src: server.conf.j2
dest: "/etc/wireguard/{{ wireguard.interface }}.conf"
owner: root
group: root
mode: 0600
lstrip_blocks: true
no_log: true
notify:
- Start wireguard
- name: Create wireguard client config output folder
file:
path: "{{ wireguard.client_folder }}"
owner: root
group: root
mode: 0700
state: directory
- name: Create wireguard client configs
template:
src: client.conf.j2
dest: "{{ wireguard.client_folder }}/wg-{{ item.name }}.conf"
owner: root
group: root
mode: 0600
lstrip_blocks: true
no_log: true
with_items: "{{ wireguard_secret.peers }}"
notify:
- Start wireguard


@ -1,16 +0,0 @@
[Interface]
# device's address in the VPN
Address = {{ item.addr }}
# device privkey
PrivateKey = {{ item.priv_key }}
DNS = {{ wireguard.ip.address }}
[Peer]
# server stuff
PublicKey = {{ wireguard_secret.server_pub_key }}
Endpoint = {{ wireguard.ip.server_public }}:{{ wireguard.ip.port }}
# allow traffic for all subnets into the VPN
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25


@ -1,14 +0,0 @@
[Interface]
Address = {{ wireguard.ip.address }}
PrivateKey = {{ wireguard_secret.server_key }}
ListenPort = {{ wireguard.ip.port }}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ net_interface }} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ net_interface }} -j MASQUERADE
SaveConfig = false
{% for peer in wireguard_secret.peers %}
[Peer]
PublicKey = {{ peer.pub_key }}
AllowedIPs = {{ peer.addr }}
{% endfor %}


@ -70,11 +70,6 @@
- haproxy
when: '"haproxy" in group_names'
- role: wireguard
tags:
- wireguard
when: '"wireguard" in group_names'
- role: synapse
tags:
- synapse