diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index bbf6792..acc340d 100644
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -5,6 +5,12 @@ server:
 ssh_port: 22
 work_dir: /mnt/test
 backup_dir: /mnt/btest
+ vpn:
+ subnet: 192.168.1.0/24
+ ip: 192.168.1.254
+ port: 22
+ peers: test
+
 acme:
 email: test@test.fr
 debug: true
diff --git a/playbook.yml b/playbook.yml
index 7bc28a2..9b29603 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -5,6 +5,7 @@
 roles:
 - { role: docker, tags: ["docker"] }
 - { role: ssh, tags: ["ssh"] }
+ - { role: wireguard, tags: ["wireguard"] }
 - { role: traefik, tags: ["traefik"] }
 - { role: whoami, tags: ["whoami"] }
 - { role: protonmail, tags: ["protonmail"] }
diff --git a/roles/iptables/templates/firewall.j2 b/roles/iptables/templates/firewall.j2
index bb32de5..bf1a25f 100755
--- a/roles/iptables/templates/firewall.j2
+++ b/roles/iptables/templates/firewall.j2
@@ -83,3 +83,6 @@
 /sbin/iptables -A OUTPUT -j ACCEPT -d 172.17.0.0/16
 /sbin/iptables -A INPUT -j ACCEPT -d 192.168.1.0/24
 /sbin/iptables -A OUTPUT -j ACCEPT -d 192.168.1.0/24
+
+# VPN
+/sbin/iptables -A INPUT -p udp --dport {{ server.vpn.port }} -j ACCEPT
diff --git a/roles/wireguard/tasks/base.yml b/roles/wireguard/tasks/base.yml
new file mode 100644
index 0000000..064a402
--- /dev/null
+++ b/roles/wireguard/tasks/base.yml
@@ -0,0 +1,22 @@
+---
+
+- name: Check wireguard directory exist
+ ansible.builtin.file:
+ path: wireguard
+ state: directory
+
+- name: Copy template conf
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "wireguard/{{ item.dest }}"
+ loop:
+ - { src: 'docker-compose.yml.j2', dest: 'docker-compose.yml' }
+ register: wireguard_copy_templates_results
+
+- name: Update and restart container
+ community.docker.docker_compose:
+ project_src: wireguard
+ state: present
+ pull: true
+ restarted: "{{ wireguard_copy_templates_results.changed }}"
+ become: true
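Review bot: The new `vpn` block in the sample carries no comments, so a reader cannot tell that `port` is the UDP listen port consumed by both the iptables template and the compose file, or what `peers` accepts (a count or a comma-separated list of peer names, if it is fed straight into the linuxserver image's PEERS variable as the compose template suggests). Add `# UDP port WireGuard listens on; opened by roles/iptables and published by the container` above `port:` and `# passed unchanged to the container's PEERS variable` above `peers:`. Using `22` here duplicates `ssh_port: 22`; the protocols differ so nothing conflicts, but a distinct sample value would stop readers assuming the two are related. A comment should also state that `subnet` is used both as the Docker network's IPAM range and as ALLOWEDIPS in the compose template, since a reader changing one value needs to know it affects both.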
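Review bot: The added rule dereferences `server.vpn.port` unconditionally, so every host that uses the iptables role now needs the new `vpn` block in its group_vars or the template render fails; either guard it with `{% if server.vpn is defined %}` before the rule and `{% endif %}` after it, or document in the sample that the key is mandatory. The two context lines above hardcode `192.168.1.0/24`, which is also the sample value of `server.vpn.subnet`; if they are meant to cover the VPN range they should reference the variable so changing the subnet does not silently leave them stale. Since the port is published by Docker, inbound packets are presumably DNATed in PREROUTING and pass through FORWARD/DOCKER-USER rather than INPUT, so it is worth verifying on the host which chain actually gates this traffic before relying on this line. The script this hunk extends starts outside the hunk, so the chain policies it sets are not visible here.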
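Review bot: `path: wireguard` and `project_src: wireguard` are relative to the remote login user's working directory, while the compose template mounts `{{ server.work_dir }}/wireguard/base`, so the project files and the WireGuard state end up in two different trees and a reader cannot tell whether that split is deliberate; if it is the repository's convention, say so with a comment such as `# compose project lives in the ansible user's home; runtime data goes under server.work_dir` above the first task, otherwise derive both from `server.work_dir`. The `ansible.builtin.file` and `ansible.builtin.template` tasks set no `mode`, so the directory and the rendered compose file inherit the remote umask; an explicit `mode: "0750"` and `mode: "0640"` would make the intended permissions visible. `community.docker.docker_compose` is the Compose v1 module, which newer releases of the collection deprecate in favour of `docker_compose_v2`; check which collection version the project pins before adding another user of it. The task name `Check wireguard directory exist` should read `Ensure wireguard directory exists`.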
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..29353b6
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+
+- ansible.builtin.import_tasks: network.yml
+ name: network
+
+- ansible.builtin.import_tasks: base.yml
+ name: base
+
diff --git a/roles/wireguard/tasks/network.yml b/roles/wireguard/tasks/network.yml
new file mode 100644
index 0000000..4151bf1
--- /dev/null
+++ b/roles/wireguard/tasks/network.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Create vpn network
+ community.docker.docker_network:
+ name: vpn
+ ipam_config:
+ - subnet: "{{ server.vpn.subnet }}"
+ state: present
+ become: true
\ No newline at end of file
diff --git a/roles/wireguard/templates/docker-compose.yml.j2 b/roles/wireguard/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..0200bb6
--- /dev/null
+++ b/roles/wireguard/templates/docker-compose.yml.j2
@@ -0,0 +1,34 @@
+version: '3'
+
+services:
+ wireguard:
+ image: lscr.io/linuxserver/wireguard:latest
+ container_name: wireguard
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Europe/Paris
+ - SERVERURL=vpn.mrdev023.fr
+ - SERVERPORT={{ server.vpn.port }}
+ - ALLOWEDIPS={{ server.vpn.subnet }}
+ - PEERDNS=8.8.8.8
+ - PEERS={{ server.vpn.peers }}
+ - LOG_CONFS=false
+ volumes:
+ - {{ server.work_dir }}/wireguard/base:/config
+ - /lib/modules:/lib/modules
+ ports:
+ - {{ server.vpn.port }}:{{ server.vpn.port }}/udp
+ networks:
+ vpn:
+ ipv4_address: {{ server.vpn.ip }}
+ sysctls:
+ - net.ipv4.conf.all.src_valid_mark=1
+ restart: unless-stopped
+
+networks:
+ vpn:
+ external: true
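Review bot: network.yml ends without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule flags and which makes the next edit to the file produce a noisy diff; add the newline. The network is created with only a subnet and takes Docker's defaults for everything else (driver, gateway, `internal`), which is fine but worth stating. A short comment above `ipam_config:` such as `# same range is handed to the container as ALLOWEDIPS; keep the two in sync` would explain why this value is shared with the compose template rather than chosen independently.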
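Review bot: `SYS_MODULE` together with the `/lib/modules:/lib/modules` mount lets the container load arbitrary kernel modules, which is effectively host-level privilege; on a host whose kernel already ships the wireguard module the image runs with just `NET_ADMIN`, so drop both unless this host genuinely needs the in-container module build, and leave a comment saying which case applies. `image: lscr.io/linuxserver/wireguard:latest` combined with `pull: true` in base.yml means every playbook run may silently deploy a different image; pin a version tag or a digest and bump it deliberately. `SERVERURL=vpn.mrdev023.fr` and `PEERDNS=8.8.8.8` are hardcoded while every neighbouring value comes from `server.vpn`, so move them into the same block, for example via a new key referenced as `SERVERURL={{ server.vpn.url }}` with a matching entry in the sample. The rendered `{{ server.vpn.port }}:{{ server.vpn.port }}/udp` and `ipv4_address: {{ server.vpn.ip }}` should be quoted so an empty or numeric-looking value cannot change type once Compose parses the rendered YAML.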