From 98afd559fcf70b332487425a7b247fb475c1ece6 Mon Sep 17 00:00:00 2001
From: sonny
Date: Wed, 5 Mar 2025 22:57:45 +0100
Subject: [PATCH 1/2] Fix vpn setup

---
 tasks/wireguard.yml | 6 +++---
 tasks/wireguard_media.yml | 6 +++---
 vars/main.yml | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/tasks/wireguard.yml b/tasks/wireguard.yml
index a187b69..dd39333 100644
--- a/tasks/wireguard.yml
+++ b/tasks/wireguard.yml
@@ -19,13 +19,13 @@
 path: '{{ item }}'
 owner: root
 group: systemd-network
- mode: '0640'
+ mode: '0750'
 state: directory
 recurse: true
 loop:
 - '{{ vpn_config_dir }}'
- - '{{ vpn_media_server_public_key_path | dirname }}'
- - '{{ vpn_media_server_key_path | dirname }}'
+ - '{{ vpn_server_public_key_path | dirname }}'
+ - '{{ vpn_server_key_path | dirname }}'
 - name: Copy Wireguard server credentials
 become: true
diff --git a/tasks/wireguard_media.yml b/tasks/wireguard_media.yml
index 24039ae..17d9b26 100644
--- a/tasks/wireguard_media.yml
+++ b/tasks/wireguard_media.yml
@@ -19,13 +19,13 @@
 path: '{{ item }}'
 owner: root
 group: systemd-network
- mode: '0640'
+ mode: '0750'
 state: directory
 recurse: true
 loop:
 - '{{ vpn_config_dir }}'
- - '{{ vpn_server_public_key_path | dirname }}'
- - '{{ vpn_server_private_key_path | dirname }}'
+ - '{{ vpn_media_server_public_key_path | dirname }}'
+ - '{{ vpn_media_server_key_path | dirname }}'
 - name: Copy Wireguard server media credentials
 become: true
diff --git a/vars/main.yml b/vars/main.yml
index 455a55f..c2275cf 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -12,4 +12,4 @@ packages:
 - certbot
 - unattended-upgrades
-vpn_config_dir: '/etc/wireguard/keys'
+vpn_config_dir: '/etc/wireguard'
From 8d8ae8f89233d3ae0b5f790a474f2d678bc42905 Mon Sep 17 00:00:00 2001
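Review bot: `mode: '0750'` combined with `recurse: true` applies that same octal mode to every regular file below the looped directories, so the WireGuard key files end up 0750 — group-readable, which systemd-networkd needs, but also marked executable — and with `vpn_config_dir` now set to `/etc/wireguard` in the vars/main.yml hunk the recursion covers the whole tree, which makes the two `| dirname` entries redundant if those paths live beneath it. The tasks/wireguard_media.yml hunk has the identical pattern. A symbolic mode keeps the traversal bit on directories only, `mode: 'u=rwX,g=rX,o='`, or `recurse` can be dropped here and the key-file modes set explicitly in the credentials task that follows (outside this hunk). Either way `o` must stay without read access, since these directories hold private keys.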
From: sonny
Date: Thu, 6 Mar 2025 02:49:11 +0100
Subject: [PATCH 2/2] DNS related changes

- Added hostname provisioning
- Added nsswitch.conf provisioning
- Added systemd-resolved provisioning
---
 playbook.yml | 4 +-
 tasks/mpd.yml | 1 +
 tasks/network.yml | 48 +++++++++++++------
 tasks/radicale.yml | 1 +
 tasks/setup.yml | 10 ++--
 tasks/syncthing.yml | 1 +
 templates/{ => network}/hosts.j2 | 6 ++-
 templates/network/resolved.j2 | 37 ++++++++++++++
 .../wireguard/default/mobile.wireguard.j2 | 1 +
 .../wireguard/media/mobile_1.wireguard.j2 | 1 +
 .../wireguard/media/mobile_2.wireguard.j2 | 1 +
 .../network/wireguard/media/tv.wireguard.j2 | 1 +
 templates/nftables.j2 | 8 ++++
 templates/nsswitch.j2 | 20 ++++++++
 vars/main.yml | 2 +
 vars/nginx.yml | 1 -
 vars/vpn.yml | 1 +
 vars/vpn_media.yml | 1 +
 18 files changed, 120 insertions(+), 25 deletions(-)
 rename templates/{ => network}/hosts.j2 (53%)
 create mode 100644 templates/network/resolved.j2
 create mode 100644 templates/nsswitch.j2

diff --git a/playbook.yml b/playbook.yml
index bf4b85d..68d4a1a 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -53,10 +53,10 @@
 ansible.builtin.import_tasks: 'handlers.yml'
 vars_files:
 - 'vars/main.yml'
- - 'vars/nginx.yml'
- - 'vars/network.yml'
 - 'vars/vpn.yml'
 - 'vars/vpn_media.yml'
+ - 'vars/network.yml'
+ - 'vars/nginx.yml'
 - 'vars/transmission.yml'
 - 'vars/syncthing.yml'
 - 'vars/mpd.yml'
diff --git a/tasks/mpd.yml b/tasks/mpd.yml
index 07f9d02..61c69ab 100644
--- a/tasks/mpd.yml
+++ b/tasks/mpd.yml
@@ -1,3 +1,4 @@
+# TODO: use docker setup
 - name: create mpd directories
 become: true
 file:
diff --git a/tasks/network.yml b/tasks/network.yml
index 166d982..4a60382 100644
--- a/tasks/network.yml
+++ b/tasks/network.yml
@@ -1,29 +1,49 @@
-- name: copy network configuration files
+- name: Copy network configuration files
 become: true
- template:
+ ansible.builtin.template:
 src: '{{ item.src }}'
 dest: '{{ item.dest }}'
 owner: root
 group: systemd-network
 mode: '0640'
 loop:
- - {
- src: 'templates/network/link1.link.j2',
- dest: '/etc/systemd/network/98-link1.link'
- }
- - {
- src: 'templates/network/link1.network.j2',
- dest: '/etc/systemd/network/98-link1.network',
- }
+ - src: 'templates/network/link1.link.j2'
+ dest: '/etc/systemd/network/98-link1.link'
+
+ - src: 'templates/network/link1.network.j2'
+ dest: '/etc/systemd/network/98-link1.network'
 notify:
 - restart systemd-networkd
 - regenerate initramfs # copies the files into the initramfs for when udev needs them
-- name: copy /etc/hosts template
+- name: Set hostname
 become: true
- template:
- src: 'hosts.j2'
+ ansible.builtin.hostname:
+ name: '{{ hostname }}'
+ use: systemd
+
+- name: Copy hosts file
+ become: true
+ ansible.builtin.template:
+ src: 'network/hosts.j2'
 dest: '/etc/hosts'
 mode: '0644'
 owner: root
- notify: restart systemd-networkd
+
+- name: Copy resolved.conf configuration
+ become: true
+ ansible.builtin.template:
+ src: 'network/resolved.j2'
+ dest: '/etc/systemd/resolved.conf'
+ mode: '0644'
+ owner: root
+
+- name: Copy firewall template
+ become: true
+ ansible.builtin.template:
+ src: 'templates/nftables.j2'
+ dest: '/etc/nftables.conf'
+ owner: root
+ group: root
+ mode: '0644'
+ notify: restart nftables
diff --git a/tasks/radicale.yml b/tasks/radicale.yml
index de50a16..dd28f6c 100644
--- a/tasks/radicale.yml
+++ b/tasks/radicale.yml
@@ -1,3 +1,4 @@
+# TODO: use docker setup
 # TODO: update collection path, see https://radicale.org/3.0.html#tutorials/running-as-a-service
 - name: add radicale user
diff --git a/tasks/setup.yml b/tasks/setup.yml
index dcbe180..547af4a 100644
--- a/tasks/setup.yml
+++ b/tasks/setup.yml
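Review bot: The new `Copy resolved.conf configuration` task has no `notify`, so a changed /etc/systemd/resolved.conf is not picked up by the running systemd-resolved during the play and the extra stub listeners it configures only appear after someone restarts the service by hand. Dropping `notify: restart systemd-networkd` from the hosts task is fine because /etc/hosts is read on each lookup, but resolved.conf is only read at service start. Add `notify: restart systemd-resolved` to the task, mirroring the `notify: restart nftables` on the firewall task below, with a matching handler in handlers.yml (not part of this diff; the handler name here is a placeholder to align with whatever that file uses).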
@@ -1,12 +1,10 @@
-- name: Copy firewall template
+- name: Copy nsswitch file
 become: true
 ansible.builtin.template:
- src: 'templates/nftables.j2'
- dest: '/etc/nftables.conf'
- owner: root
- group: root
+ src: 'nsswitch.j2'
+ dest: '/etc/nsswitch.conf'
 mode: '0644'
- notify: restart nftables
+ owner: root
 - name: Copy ssh template
 become: true
diff --git a/tasks/syncthing.yml b/tasks/syncthing.yml
index 40d48e1..615d823 100644
--- a/tasks/syncthing.yml
+++ b/tasks/syncthing.yml
@@ -1,3 +1,4 @@
+# TODO: use docker setup
 - name: create syncthing directory
 file:
 path: '{{ ansible_env.HOME }}/.config/syncthing'
diff --git a/templates/hosts.j2 b/templates/network/hosts.j2
similarity index 53%
rename from templates/hosts.j2
rename to templates/network/hosts.j2
index 70f3e67..3e3c6cd 100644
--- a/templates/hosts.j2
+++ b/templates/network/hosts.j2
@@ -1,8 +1,10 @@
 # {{ ansible_managed }}
 127.0.0.1 localhost
-127.0.1.1 zeus
-{{ lan_ip }} {{ domain_name }}
+127.0.1.1 {{ hostname }}
+{{ lan_ip }} {{ domain_name }} {{ hostname }}
+{{ vpn_listen_address }} {{ vpn_domain }}
+{{ vpn_media_listen_address }} {{ vpn_media_domain }}
 # The following lines are desirable for IPv6 capable hosts
 #::1 localhost ip6-localhost ip6-loopback
diff --git a/templates/network/resolved.j2 b/templates/network/resolved.j2
new file mode 100644
index 0000000..1d87caf
--- /dev/null
+++ b/templates/network/resolved.j2
@@ -0,0 +1,37 @@
+# {{ ansible_managed }}
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free
+# Software Foundation; either version 2.1 of the License, or (at your option)
+# any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file, or by creating "drop-ins" in
+# the resolved.conf.d/ subdirectory. The latter is generally recommended.
+# Defaults can be restored by simply deleting this file and all drop-ins.
+#
+# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
+#
+# See resolved.conf(5) for details.
+
+[Resolve]
+# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
+# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
+# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
+# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+#DNS=
+#FallbackDNS=
+#Domains=
+#DNSSEC=no
+#DNSOverTLS=no
+#MulticastDNS=yes
+#LLMNR=yes
+#Cache=yes
+#CacheFromLocalhost=no
+#DNSStubListener=yes
+DNSStubListenerExtra={{ vpn_listen_address }}
+DNSStubListenerExtra={{ vpn_media_listen_address }}
+#ReadEtcHosts=yes
+#ResolveUnicastSingleLabel=no
diff --git a/templates/network/wireguard/default/mobile.wireguard.j2 b/templates/network/wireguard/default/mobile.wireguard.j2
index 2f9773b..65ab6c1 100644
--- a/templates/network/wireguard/default/mobile.wireguard.j2
+++ b/templates/network/wireguard/default/mobile.wireguard.j2
@@ -2,6 +2,7 @@
 [Interface]
 Address={{ vpn_peers.mobile.ip }}/24
+DNS={{ vpn_listen_address }}
 PrivateKey={{ lookup("file", vpn_peers.mobile.private_key_source_path) }}
 [Peer]
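Review bot: The two `DNSStubListenerExtra=` lines turn this host into the resolver for both VPN subnets while every upstream setting stays at its commented default, so clients' queries are forwarded to whatever per-link DNS servers the host happens to have learned, in cleartext (`#DNSOverTLS=no`) and unvalidated (`#DNSSEC=no`). If the tunnels are meant to use a trusted upstream, pin it in this template, e.g. `DNS=<upstream-ip>#<upstream-hostname>` (placeholder values) together with `DNSOverTLS=yes`, using the `ip#name` form the commented examples already show. `#LLMNR=yes` and `#MulticastDNS=yes` likewise stay enabled on every link; unless the LAN relies on them, `LLMNR=no` and `MulticastDNS=no` is the usual hardening. The VPN names added to hosts.j2 reach clients only because the default `ReadEtcHosts=yes` is left in place, which deserves a one-line comment above the `DNSStubListenerExtra` lines since that dependency is not obvious.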
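Review bot: `DNS={{ vpn_listen_address }}` only works if the tunnel actually carries traffic to that address, i.e. the peer's `AllowedIPs` in the `[Peer]` section (outside this hunk) covers it; otherwise the client loses name resolution for as long as the tunnel is up, since it has replaced its resolver with one it cannot reach. The same line is added with `vpn_media_listen_address` to the three media templates in the following file sections, where the same check applies. A short comment would make the coupling explicit, e.g. `# resolver is the server's systemd-resolved stub listener; reachable only through the tunnel`.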
diff --git a/templates/network/wireguard/media/mobile_1.wireguard.j2 b/templates/network/wireguard/media/mobile_1.wireguard.j2
index f0bbc55..fc6459d 100644
--- a/templates/network/wireguard/media/mobile_1.wireguard.j2
+++ b/templates/network/wireguard/media/mobile_1.wireguard.j2
@@ -2,6 +2,7 @@
 [Interface]
 Address={{ vpn_media_peers.mobile_peer_1.ip }}/24
+DNS={{ vpn_media_listen_address }}
 PrivateKey={{ lookup('file', vpn_media_peers.mobile_peer_1.private_key_source_path) }}
 [Peer]
diff --git a/templates/network/wireguard/media/mobile_2.wireguard.j2 b/templates/network/wireguard/media/mobile_2.wireguard.j2
index 4550c5c..1c88376 100644
--- a/templates/network/wireguard/media/mobile_2.wireguard.j2
+++ b/templates/network/wireguard/media/mobile_2.wireguard.j2
@@ -2,6 +2,7 @@
 [Interface]
 Address={{ vpn_media_peers.mobile_peer_2.ip }}/24
+DNS={{ vpn_media_listen_address }}
 PrivateKey={{ lookup('file', vpn_media_peers.mobile_peer_2.private_key_source_path) }}
 [Peer]
diff --git a/templates/network/wireguard/media/tv.wireguard.j2 b/templates/network/wireguard/media/tv.wireguard.j2
index 3506780..104bd16 100644
--- a/templates/network/wireguard/media/tv.wireguard.j2
+++ b/templates/network/wireguard/media/tv.wireguard.j2
@@ -2,6 +2,7 @@
 [Interface]
 Address={{ vpn_media_peers.tv.ip }}/24
+DNS={{ vpn_media_listen_address }}
 PrivateKey={{ lookup('file', vpn_media_peers.tv.private_key_source_path) }}
 [Peer]
diff --git a/templates/nftables.j2 b/templates/nftables.j2
index 90151be..4014dad 100644
--- a/templates/nftables.j2
+++ b/templates/nftables.j2
@@ -27,6 +27,10 @@ table ip filter { iifname "{{ network_interface }}" udp dport {{ vpn_port }} accept comment "Wireguard" iifname "{{ network_interface }}" udp dport {{ vpn_media_port }} accept comment "Wireguard media" + # TODO: create combined rule + iifname "{{ vpn_interface }}" tcp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS TCP" + iifname "{{ vpn_interface }}" udp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS UDP" + iifname "{{ vpn_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "HTTP/HTTPS" iifname "{{ vpn_interface }}" tcp dport {{ transmission_web_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Transmission Web" iifname "{{ vpn_interface }}" tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Syncthing" 
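Review bot: The `# TODO: create combined rule` can be resolved in this commit: nftables matches both transports in one rule, `meta l4proto { tcp, udp } th dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS"`, which replaces the two `dport 53` lines here; the `vpn_media_interface` pair in the next hunk can be collapsed the same way. The new rules keep the `ip saddr`/`ip daddr` scoping of the surrounding VPN rules, so the stub listeners configured in resolved.j2 are reachable only from inside each tunnel, which is the right boundary. Since only the stub listener answers on port 53, consider narrowing `ip daddr` for these two rules to the listen address itself rather than the whole destination range.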
@@ -35,6 +39,10 @@ table ip filter { iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP stream" iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_mobile_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP mobile stream" + # TODO: create combined rule + iifname "{{ vpn_media_interface }}" tcp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS TCP" + iifname "{{ vpn_media_interface }}" udp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS UDP" + iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_http_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin HTTP" iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_service_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin service discovery" iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_client_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin client discovery" diff --git a/templates/nsswitch.j2 b/templates/nsswitch.j2 new file mode 100644 index 0000000..c02078d --- /dev/null +++ b/templates/nsswitch.j2 @@ -0,0 +1,20 @@ +# {{ ansible_managed }} +# +# If you have the `glibc-doc-reference' and `info' packages installed, try: +# `info libc "Name Service Switch"' for information about this file. +# See /usr/share/libc-bin/nsswitch.conf for an example of a configuration file. + +passwd: files +group: files +shadow: files +gshadow: files + +hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns +networks: files + +protocols: db files +services: db files +ethers: db files +rpc: db files + +netgroup: nis 
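Review bot: `passwd: files` and `group: files` omit the `systemd` NSS module that Debian's systemd package enables in the shipped nsswitch.conf, so user and group names of any service running with `DynamicUser=` can no longer be resolved, because those accounts exist only in nss-systemd; unless the host is known to run none, use `passwd: files systemd` and `group: files systemd` (and the same for `shadow`/`gshadow`). The `hosts:` line follows the order systemd documents for `resolve` and is fine. A comment at the top noting that the remaining entries (`db files`, `netgroup: nis`) mirror Debian's default would explain why they are present in a hand-maintained template.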
diff --git a/vars/main.yml b/vars/main.yml
index c2275cf..8ee9bb3 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -13,3 +13,5 @@ packages:
 - unattended-upgrades
 vpn_config_dir: '/etc/wireguard'
+
+hostname: 'fudiggity'
diff --git a/vars/nginx.yml b/vars/nginx.yml
index 273534f..6b1ed93 100644
--- a/vars/nginx.yml
+++ b/vars/nginx.yml
@@ -1,4 +1,3 @@
-domain_name: 'fudiggity.nl'
 forgejo_domain: 'forgejo.fudiggity.nl'
 woodpecker_domain: 'woodpecker.fudiggity.nl'
 glitchtip_domain: 'glitchtip.fudiggity.nl'
diff --git a/vars/vpn.yml b/vars/vpn.yml
index 2ac4ae4..c170ddf 100644
--- a/vars/vpn.yml
+++ b/vars/vpn.yml
@@ -1,4 +1,5 @@
 vpn_listen_address: '10.0.0.1'
+vpn_domain: 'vpn.{{ domain_name }}'
 vpn_subnet: '24'
 vpn_port: '51902'
 vpn_interface: 'wg0'
diff --git a/vars/vpn_media.yml b/vars/vpn_media.yml
index 6631508..03ce582 100644
--- a/vars/vpn_media.yml
+++ b/vars/vpn_media.yml
@@ -1,4 +1,5 @@
 vpn_media_listen_address: '10.0.1.1'
+vpn_media_domain: 'media-vpn.{{ domain_name }}'
 vpn_media_subnet: '24'
 vpn_media_port: '51903'
 vpn_media_interface: 'wg1'
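Review bot: `vpn_domain: 'vpn.{{ domain_name }}'` makes vars/vpn.yml depend on `domain_name`, while the only definition of that variable visible in this patch is the one the vars/nginx.yml hunk removes; unless another file loaded by the play (presumably vars/network.yml, which is not in this diff) still defines it, rendering `vpn_domain` in hosts.j2 fails at task time with an undefined-variable error. The same applies to `vpn_media_domain` in the vars/vpn_media.yml hunk. A short comment above each line, e.g. `# requires domain_name, defined in vars/network.yml`, would document the cross-file dependency.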