Add mobile configuration & load keys from paths

sonny 2021-12-31 19:16:00 +01:00
parent 16a979b04b
commit 56331232e6
13 changed files with 106 additions and 183 deletions


@ -0,0 +1,7 @@
$ANSIBLE_VAULT;1.1;AES256
38623135656135643331396434326663353731356164326664646236383031643330363965303862
3362643138666138386431616565646132306166396566310a313436336563643830353661323934
33363166363735356539303635663632313630326338306433326437616335656364363038373738
3866366666636131300a636265313164646232663135616638663430373933626365383536643763
65376530323763643534636631333335373431326636663339333037393262303433636137623030
6432663135386535333632303631633761623534316566306633


@ -0,0 +1 @@
4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY=


@ -0,0 +1,7 @@
$ANSIBLE_VAULT;1.1;AES256
63616561393263613761376535646565646165303439323633353637656537373132373137646139
3165366266366235643735343566363062326438613261330a333837393331313537393238633630
64393231363232393935353535633562353439356433663539333831353530343831643235636136
3866653465393437300a623363653161366466646239623836363561376165653238343261636565
32633231333338653738356431636433613537303435333034326461633861633361373564616538
3462653862383062626530636465353230386261316661616634


@ -1,3 +1,24 @@
- name: load private key into var
set_fact:
vpn_server_key: '{{ lookup("file", "files/wireguard/server.key" ) }}'
- name: load public key into var
set_fact:
vpn_server_public_key: '{{ lookup("file", "files/wireguard/server.pub" ) }}'
# this should eventually be replaced with using the
# PrivateKeyFile/PresharedKeyFile options
- name: load preshared keys into variables
set_fact:
vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"preshared_key": lookup("file", item.value.preshared_key_source_path )})})}}'
with_dict: '{{ vpn_peers }}'
- name: load mobile private_key
set_fact:
vpn_peers: '{{ vpn_peers | combine({item.key: item.value|combine({"private_key": lookup("file", item.value.private_key_source_path )})})}}'
with_dict: '{{ vpn_peers }}'
when: item.key == "mobile"
- name: copy network configuration files - name: copy network configuration files
become: true become: true
template: template:
@ -7,10 +28,7 @@
group: systemd-network group: systemd-network
mode: '0640' mode: '0640'
loop: loop:
- { - { src: 'templates/network/br0.netdev.j2', dest: '/etc/systemd/network/br0.netdev' }
src: 'templates/network/br0.netdev.j2',
dest: '/etc/systemd/network/br0.netdev',
}
- { - {
src: 'templates/network/br0.network.j2', src: 'templates/network/br0.network.j2',
dest: '/etc/systemd/network/br0.network', dest: '/etc/systemd/network/br0.network',
@ -19,15 +37,19 @@
src: 'templates/network/enp5s0.network.j2', src: 'templates/network/enp5s0.network.j2',
dest: '/etc/systemd/network/enp5s0.network', dest: '/etc/systemd/network/enp5s0.network',
} }
- { - { src: 'templates/network/wg0.netdev.j2', dest: '/etc/systemd/network/wg0.netdev' }
src: 'templates/network/wg0.netdev.j2',
dest: '/etc/systemd/network/wg0.netdev',
}
- { - {
src: 'templates/network/wg0.network.j2', src: 'templates/network/wg0.network.j2',
dest: '/etc/systemd/network/wg0.network', dest: '/etc/systemd/network/wg0.network',
} }
- name: copy mobile configuration
template:
src: 'mobile.wireguard.j2'
dest: '/tmp/mobile.wireguard.conf'
mode: '0600'
when: copy_mobile_conf
- name: create wireguard directories - name: create wireguard directories
become: true become: true
file: file:
@ -49,24 +71,30 @@
group: systemd-network group: systemd-network
mode: '0640' mode: '0640'
loop: loop:
- { - { src: 'files/wireguard/server.pub', dest: '{{ vpn_server_public_key_path }}' }
src: 'files/wireguard/server.pub', - { src: 'files/wireguard/server.key', dest: '{{ vpn_server_key_path }}' }
dest: '{{ vpn_server_public_key_path }}',
} - name: copy mobile wireguard credentials
- { become: true
src: 'files/wireguard/server.key', copy:
dest: '{{ vpn_server_key_path }}', src: '{{ item.src }}'
} dest: '{{ item.dest }}'
owner: root
group: systemd-network
mode: '0640'
loop:
- { src: 'files/wireguard/mobile.pub', dest: '{{ vpn_server_public_key_path }}' }
- { src: 'files/wireguard/mobile.key', dest: '{{ vpn_server_key_path }}' }
- name: copy wireguard preshared keys - name: copy wireguard preshared keys
become: true become: true
copy: copy:
src: '{{ item.preshared_key_source_path }}' src: '{{ item.value.preshared_key_source_path }}'
dest: '{{ item.preshared_key_path }}' dest: '{{ item.value.preshared_key_path }}'
owner: root owner: root
group: systemd-network group: systemd-network
mode: '0640' mode: '0640'
loop: '{{ vpn_peers }}' with_dict: '{{ vpn_peers }}'
- name: restart systemd-networkd - name: restart systemd-networkd
become: true become: true
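Review bot: The new "copy mobile wireguard credentials" task writes `files/wireguard/mobile.pub` and `files/wireguard/mobile.key` to `{{ vpn_server_public_key_path }}` and `{{ vpn_server_key_path }}`, the same destinations the task just above uses for `server.pub` and `server.key`, so the server's on-disk key files end up holding the mobile peer's keys, and the mobile private key is placed on the server although only the rendered `/tmp/mobile.wireguard.conf` needs it. The mobile public key is already read from `vpn_peers.mobile.public_key`, so the simplest fix is to drop the `mobile.key` entry and give the public key its own destination following the existing layout, e.g. `- { src: 'files/wireguard/mobile.pub', dest: '/etc/wireguard/keys/public/mobile.pub' }` (constructed from the `server.pub` path pattern), or to remove the task entirely. The `set_fact` tasks that load `vpn_server_key`, the preshared keys and the mobile private key should also carry `no_log: true`, since with `-v` the looked-up key material is otherwise printed in the task output. The "copy wireguard credentials" task that the `server.pub`/`server.key` items belong to starts above this hunk.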


@ -7,26 +7,15 @@
group: root group: root
mode: '0644' mode: '0644'
loop: loop:
- { - { src: 'templates/nginx/default.j2', dest: '/etc/nginx/sites-available/default' }
src: 'templates/nginx/default.j2', - { src: 'templates/nginx/gitlab.j2', dest: '/etc/nginx/sites-available/gitlab' }
dest: '/etc/nginx/sites-available/default', - { src: 'templates/nginx/sentry.j2', dest: '/etc/nginx/sites-available/sentry' }
} - { src: 'templates/nginx/vpn.j2', dest: '/etc/nginx/sites-available/vpn' }
- {
src: 'templates/nginx/gitlab.j2',
dest: '/etc/nginx/sites-available/gitlab',
}
- {
src: 'templates/nginx/sentry.j2',
dest: '/etc/nginx/sites-available/sentry',
}
- {
src: 'templates/nginx/vpn.j2',
dest: '/etc/nginx/sites-available/vpn',
}
- { - {
src: 'templates/nginx/newsreader.j2', src: 'templates/nginx/newsreader.j2',
dest: '/etc/nginx/sites-available/newsreader', dest: '/etc/nginx/sites-available/newsreader',
} }
notify: restart nginx
- name: create configuration links - name: create configuration links
become: true become: true
@ -47,12 +36,8 @@
src: '/etc/nginx/sites-available/sentry', src: '/etc/nginx/sites-available/sentry',
dest: '/etc/nginx/sites-enabled/sentry', dest: '/etc/nginx/sites-enabled/sentry',
} }
- { - { src: '/etc/nginx/sites-available/vpn', dest: '/etc/nginx/sites-enabled/vpn' }
src: '/etc/nginx/sites-available/vpn',
dest: '/etc/nginx/sites-enabled/vpn',
}
- { - {
src: '/etc/nginx/sites-available/newsreader', src: '/etc/nginx/sites-available/newsreader',
dest: '/etc/nginx/sites-enabled/newsreader', dest: '/etc/nginx/sites-enabled/newsreader',
} }
notify: restart nginx
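Review bot: Both loops in this file now mix two layouts: the `default`, `gitlab`, `sentry` and `vpn` items are collapsed into one-line flow mappings while the `newsreader` item stays as a four-line flow mapping, and the same mix appears in the network-configuration and credentials loops of the wireguard tasks file. Block mappings read the same on every item and diff cleanly, e.g. `- src: 'templates/nginx/default.j2'` followed by `  dest: '/etc/nginx/sites-available/default'`. The added `notify: restart nginx` assumes a handler with exactly that name exists elsewhere in the role; it is not visible here, so confirm it before merging.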


@ -1,112 +0,0 @@
- name: create openvpn server directory
become: true
file:
path: '{{ item.path }}'
state: directory
mode: '{{ item.mode }}'
owner: root
group: root
loop:
- {
path: '/etc/openvpn/server',
mode: '0744',
}
- {
path: '/etc/openvpn/client',
mode: '0744'
}
- {
path: '/etc/openvpn/easy-rsa',
mode: '0744',
}
- {
path: '/etc/openvpn/easy-rsa/keys',
mode: '0700',
}
- name: copy openvpn credentials
become: true
copy:
src: '{{ item.src }}'
dest: '{{ item.dest }}'
mode: '{{ item.mode }}'
owner: root
group: root
loop:
- {
src: 'files/openvpn/ca.crt',
dest: '/etc/openvpn/easy-rsa/keys/ca.crt',
mode: '0644'
}
- {
src: 'files/openvpn/server.crt',
dest: '/etc/openvpn/easy-rsa/keys/server.crt',
mode: '0644'
}
- {
src: 'files/openvpn/server.csr',
dest: '/etc/openvpn/easy-rsa/keys/server.csr',
mode: '0644'
}
- {
src: 'files/openvpn/server.key',
dest: '/etc/openvpn/easy-rsa/keys/server.key',
mode: '0600'
}
- {
src: 'files/openvpn/dh2048.pem',
dest: '/etc/openvpn/easy-rsa/keys/dh2048.pem',
mode: '0644'
}
- {
src: 'files/openvpn/ta.key',
dest: '/etc/openvpn/easy-rsa/keys/ta.key',
mode: '0600'
}
- name: copy openvpn configuration files
become: true
template:
src: '{{ item.src }}'
dest: '{{ item.dest }}'
owner: root
group: root
loop:
- {
src: 'templates/openvpn/server-lan.j2',
dest: '/etc/openvpn/server/server-lan.conf',
}
- {
src: 'templates/openvpn/server-mobile.j2',
dest: '/etc/openvpn/server/server-mobile.conf',
}
- name: link openvpn configuration files
become: true
file:
src: '{{ item.src }}'
dest: '{{ item.dest }}'
state: link
loop:
- {
src: '/etc/openvpn/server/server-lan.conf',
dest: '/etc/openvpn/server-lan.conf',
}
- {
src: '/etc/openvpn/server/server-mobile.conf',
dest: '/etc/openvpn/server-mobile.conf',
}
- name: restart openvpn lan server
become: true
systemd:
name: openvpn@server-lan
state: restarted
enabled: true
- name: restart openvpn mobile server
become: true
systemd:
name: openvpn@server-mobile
state: restarted
enabled: true


@ -0,0 +1,11 @@
# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
[Interface]
Address={{ vpn_peers.mobile.ip }}/24
PrivateKey={{ vpn_peers.mobile.private_key }}
[Peer]
PublicKey={{ vpn_server_public_key }}
PresharedKey={{ vpn_peers.mobile.preshared_key }}
AllowedIPs={{ vpn_listen_address }}/32
Endpoint={{ wan_ip_address }}:{{ vpn_port }}
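Review bot: The header line renders `ansible_date_time.time` and `ansible_date_time.date`, so the template task reports "changed" and rewrites `/tmp/mobile.wireguard.conf`, a file containing the mobile private key and preshared key, on every run even when nothing else moved; keeping only `# {{ ansible_managed }}` makes the task idempotent. `AllowedIPs={{ vpn_listen_address }}/32` routes only the server's own VPN address through the tunnel; if the mobile peer is meant to reach the `laptop` and `desktop` peers at `10.0.0.2` and `10.0.0.3` as well, the subnet rather than a single `/32` would be needed, which cannot be decided from this file alone.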


@ -93,11 +93,11 @@ input {
# blocks. Setting this block is optional, though the server will only attempt # blocks. Setting this block is optional, though the server will only attempt
# autodetection for one sound card. # autodetection for one sound card.
# #
{% for peer in vpn_peers %} {% for peer, properties in vpn_peers.items() %}
audio_output { audio_output {
type "pulse" type "pulse"
name "Pulse remote {{ peer.name }}" name "Pulse remote {{ peer }}"
server "{{ peer.ip }}" server "{{ properties.ip }}"
} }
{% endfor %} {% endfor %}
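Review bot: Iterating over `vpn_peers.items()` now also emits an `audio_output` block for the new `mobile` peer (`server "10.0.0.4"`), whereas the old list held only the desktop and laptop entries. Whether the mobile device runs a PulseAudio server is not visible here; if it does not, this adds a dead output to the mpd configuration, and the loop should skip it, e.g. `{% for peer, properties in vpn_peers.items() if peer != "mobile" %}`, or better key off a per-peer flag in `vpn_peers` so the template does not hard-code a peer name.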


@ -9,11 +9,11 @@ Description=WireGuard tunnel wg0
ListenPort={{ vpn_port }} ListenPort={{ vpn_port }}
PrivateKey={{ vpn_server_key }} PrivateKey={{ vpn_server_key }}
{% for peer in vpn_peers %} {% for peer, properties in vpn_peers.items() %}
[WireGuardPeer] [WireGuardPeer]
PublicKey={{ peer.public_key }} PublicKey={{ properties.public_key }}
PresharedKey={{ peer.preshared_key }} PresharedKey={{ properties.preshared_key }}
AllowedIPs={{ peer.ip }}/32 AllowedIPs={{ properties.ip }}/32
{% if not loop.last %} {% if not loop.last %}
{% endif %} {% endif %}


@ -1,7 +1,9 @@
bridge_interface: 'br0' bridge_interface: 'br0'
bridge_source_interface: 'enp5s0' bridge_source_interface: 'enp5s0'
bridge_mac: '70:85:c2:5a:ce:91' bridge_mac: '70:85:c2:5a:ce:91'
lan_ip_address: '192.168.178.185' lan_ip_address: '192.168.178.185'
wan_ip_address: '178.85.119.159'
http_port: 80 http_port: 80
https_port: 443 https_port: 443


@ -9,29 +9,23 @@ vpn_destination_range: '10.0.0.1/32'
vpn_server_public_key_path: '/etc/wireguard/keys/public/server.pub' vpn_server_public_key_path: '/etc/wireguard/keys/public/server.pub'
vpn_server_key_path: '/etc/wireguard/keys/private/server.key' vpn_server_key_path: '/etc/wireguard/keys/private/server.key'
vpn_server_key: !vault |
$ANSIBLE_VAULT;1.1;AES256 copy_mobile_conf: false
36316631633737623637633465336534323661346562326361616561326262373930376539633264
6438653132356266353037666466373833643633343338380a373964646339663965306332393361
63393630653931336430333639326364666131346437666638383738323537656632346131616436
3137656634316632340a326139373963626364653934303830653466356533636664396161643734
30383661393361336561666366663637333166323732326664376431363463346132656335306436
3163386561623765396236316263616631323134626537383839
vpn_peers: vpn_peers:
- { laptop:
name: 'desktop', ip: '10.0.0.2'
ip: '10.0.0.3', public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw='
public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4=', preshared_key_path: '/etc/wireguard/keys/private/preshared-laptop.psk'
preshared_key_path: '/etc/wireguard/keys/private/preshared-desktop.key', preshared_key_source_path: 'files/wireguard/preshared-laptop.psk'
preshared_key_source_path: 'files/wireguard/preshared-desktop.key', desktop:
preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n613030653137313136613864613432613261303064373562313863353736656562343333333639323736656634663861373236353934653335643630633061340a643063633439383435316230633164666161386530373839393934643137313735353031306264663237626665356561356261306230376365643830633532370a343037393832386332323962626434303034393561373664306630623465306138646661386562306131343633323134393437393235636563346435383366373566333038396233383437656562613066383232333466623130333635303136" ip: '10.0.0.3'
} public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4='
- { preshared_key_path: '/etc/wireguard/keys/private/preshared-desktop.psk'
name: 'laptop', preshared_key_source_path: 'files/wireguard/preshared-desktop.psk'
ip: '10.0.0.2', mobile:
public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw=', ip: '10.0.0.4'
preshared_key_path: '/etc/wireguard/keys/private/preshared-laptop.key', public_key: '4aBHRiglCOE7qEDLqeFgQ5PMMsKczpPoL4bx4jyAEDY='
preshared_key_source_path: 'files/wireguard/preshared-laptop.key', preshared_key_path: '/etc/wireguard/keys/private/preshared-mobile.psk'
preshared_key: !vault "$ANSIBLE_VAULT;1.1;AES256\r\n336435613338343639663239376633313631363439663837633832656331323039653638343366316630346137336665646461633437643066653164623537390a633862383165613032626434633063333564636662376635353638313435356530303430356336336533343137313061343637363465663436363465663664390a643832643133656330666661646535343034303235623464383532313431363035636530643966333532376236623239393363666266316363303061376565343263396433613339383661393130326562323766643135313365613766663063" preshared_key_source_path: 'files/wireguard/preshared-mobile.psk'
} private_key_source_path: 'files/wireguard/mobile.key'