florian.richer/myserver-configuration
1
0
Fork 0
Code Activity

Add wireguard

Browse source
This commit is contained in:
Florian RICHER 2023-09-24 12:28:25 +02:00
parent 2a36002124
commit a259572a20
7 changed files with 83 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
group_vars/all.yml.sample
View file

@ -5,6 +5,12 @@ server:
ssh_port: 22 ssh_port: 22
work_dir: /mnt/test work_dir: /mnt/test
backup_dir: /mnt/btest backup_dir: /mnt/btest
vpn:
subnet: 192.168.1.0/24
ip: 192.168.1.254
port: 22
peers: test
acme: acme:
email: test@test.fr email: test@test.fr
debug: true debug: true

1
playbook.yml
View file

@ -5,6 +5,7 @@
roles: roles:
- { role: docker, tags: ["docker"] } - { role: docker, tags: ["docker"] }
- { role: ssh, tags: ["ssh"] } - { role: ssh, tags: ["ssh"] }
- { role: wireguard, tags: ["wireguard"] }
- { role: traefik, tags: ["traefik"] } - { role: traefik, tags: ["traefik"] }
- { role: whoami, tags: ["whoami"] } - { role: whoami, tags: ["whoami"] }
- { role: protonmail, tags: ["protonmail"] } - { role: protonmail, tags: ["protonmail"] }

3
roles/iptables/templates/firewall.j2
View file

@ -83,3 +83,6 @@
/sbin/iptables -A OUTPUT -j ACCEPT -d 172.17.0.0/16 /sbin/iptables -A OUTPUT -j ACCEPT -d 172.17.0.0/16
/sbin/iptables -A INPUT -j ACCEPT -d 192.168.1.0/24 /sbin/iptables -A INPUT -j ACCEPT -d 192.168.1.0/24
/sbin/iptables -A OUTPUT -j ACCEPT -d 192.168.1.0/24 /sbin/iptables -A OUTPUT -j ACCEPT -d 192.168.1.0/24
# VPN
/sbin/iptables -A INPUT -p udp --dport {{ server.vpn.port }} -j ACCEPT

22
roles/wireguard/tasks/base.yml Normal file
View file

@ -0,0 +1,22 @@
---
- name: Check wireguard directory exist
ansible.builtin.file:
path: wireguard
state: directory
- name: Copy template conf
ansible.builtin.template:
src: "{{ item.src }}"
dest: "wireguard/{{ item.dest }}"
loop:
- { src: 'docker-compose.yml.j2', dest: 'docker-compose.yml' }
register: wireguard_copy_templates_results
- name: Update and restart container
community.docker.docker_compose:
project_src: wireguard
state: present
pull: true
restarted: "{{ wireguard_copy_templates_results.changed }}"
become: true

8
roles/wireguard/tasks/main.yml Normal file
View file

@ -0,0 +1,8 @@
---
- ansible.builtin.import_tasks: network.yml
name: network
- ansible.builtin.import_tasks: base.yml
name: base

9
roles/wireguard/tasks/network.yml Normal file
View file

@ -0,0 +1,9 @@
---
- name: Create vpn network
community.docker.docker_network:
name: vpn
ipam_config:
- subnet: "{{ server.vpn.subnet }}"
state: present
become: true

34
roles/wireguard/templates/docker-compose.yml.j2 Normal file
View file

@ -0,0 +1,34 @@
version: '3'
services:
wireguard:
image: lscr.io/linuxserver/wireguard:latest
container_name: wireguard
cap_add:
- NET_ADMIN
- SYS_MODULE
environment:
- PUID=1000
- PGID=1000
- TZ=Europe/Paris
- SERVERURL=vpn.mrdev023.fr
- SERVERPORT={{ server.vpn.port }}
- ALLOWEDIPS={{ server.vpn.subnet }}
- PEERDNS=8.8.8.8
- PEERS={{ server.vpn.peers }}
- LOG_CONFS=false
volumes:
- {{ server.work_dir }}/wireguard/base:/config
- /lib/modules:/lib/modules
ports:
- {{ server.vpn.port }}:{{ server.vpn.port }}/udp
networks:
vpn:
ipv4_address: {{ server.vpn.ip }}
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
restart: unless-stopped
networks:
vpn:
external: true