Simple server installation done
parent
cab2d08327
commit
aa317319ea
|
@ -0,0 +1 @@
|
|||
.venv/*
|
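--- a/README.md
+++ b/README.md
@@ -0,0 +1,37 @@
+# Wireguard automated install with vagrant and asnible provision
+
+
+## Dependencies:
+System:
+
+```bash
+# apt install python3 python3-pip python3-venv
+```
+
+Python:
+
+```bash
+python3 -m venv .venv
+source ./.venv/bin/activate
+pip install -r requirements.txt
+```
+Ansible:
+
+```bash
+ansible-galaxy install -r requirements.yml
+```
+
+
+## Start
+```bash
+./virsh_network/start.sh
+cd vg && vagrant up --provider=libvirt --no-parallel
+```
+
+
+## Destroy the environment
+```bash
+vagrant destroy
+./virsh_network/destroy.sh
+```
+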
|
@ -0,0 +1 @@
|
|||
ansible==7.3.0
|
|
@ -0,0 +1,4 @@
|
|||
# ansible-galaxy collection list
|
||||
collections:
|
||||
- name: community.general
|
||||
version: '5.6.0'
|
|
@ -0,0 +1 @@
|
|||
.vagrant/*
|
|
@ -0,0 +1,46 @@
|
|||
# -*- mode: ruby -*-
|
||||
# vi: set ft=ruby :
|
||||
|
||||
Vagrant.configure("2") do |config|
|
||||
config.vm.box = "generic/ubuntu2004"
|
||||
|
||||
config.vm.provider :libvirt do |libvirt|
|
||||
libvirt.qemu_use_session = false
|
||||
end
|
||||
|
||||
config.vm.define "kp-root-node" do |rootNode|
|
||||
rootNode.vm.hostname = "kp-root-node"
|
||||
rootNode.vm.network :private_network, ip: "192.168.123.10", :libvirt_network_mage => "kp_wg_network"
|
||||
rootNode.vm.provider :kvm do | kvm, override |
|
||||
kvm.memory_size = '2048m'
|
||||
end
|
||||
rootNode.vm.provider :libvirt do |libvirt, override|
|
||||
libvirt.memory = 2048
|
||||
libvirt.nested = true
|
||||
libvirt.cpus = 2
|
||||
end
|
||||
|
||||
# Ansible provisioning
|
||||
rootNode.vm.provision "server_init", type:'ansible' do |ansible|
|
||||
ansible.playbook = "playbooks/server_init.yml"
|
||||
ansible.become = true
|
||||
ansible.host_key_checking = false
|
||||
ansible.verbose = "v"
|
||||
end
|
||||
end
|
||||
|
||||
(1..3).each do |i|
|
||||
config.vm.define "kp-client#{i}" do |client|
|
||||
client.vm.hostname = "kp-client#{i}"
|
||||
client.vm.network :private_network, ip: "192.168.123.1#{i}", :libvirt_network_mage => "kp_wg_network"
|
||||
client.vm.provider :kvm do | kvm, override |
|
||||
kvm.memory_size = '2048m'
|
||||
end
|
||||
client.vm.provider :libvirt do |libvirt, override|
|
||||
libvirt.memory = 1024
|
||||
libvirt.nested = true
|
||||
libvirt.cpus = 1
|
||||
end
|
||||
end
|
||||
end
|
||||
end
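Review bot: `:libvirt_network_mage` on both `private_network` lines (the kp-root-node one and the one inside the client loop) is not an option vagrant-libvirt recognises — the key is `libvirt__network_name` — so the entry is silently ignored and attachment to the virsh-defined `kp_wg_network` is left to vagrant-libvirt's fallback (matching an existing network by subnet, or creating its own), which may not be what was intended. Change both to the form `client.vm.network :private_network, ip: "192.168.123.1#{i}", libvirt__network_name: "kp_wg_network"` (and the same for rootNode). The `:kvm` provider blocks set `kvm.memory_size`, but the README only ever runs `--provider=libvirt`, and `override` is unused in every provider block; dropping the `:kvm` blocks and renaming the unused parameter to `_override` would make that explicit. `ansible.host_key_checking = false` turns off SSH host-key verification for the provisioner; that is reasonable for throwaway lab VMs, but a one-line comment such as `# lab-only: VMs are recreated on every `vagrant up`, so host keys are never stable` would record the intent before this is copied elsewhere.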
|
|
@ -0,0 +1,83 @@
|
|||
---
|
||||
- hosts: all
|
||||
become: yes
|
||||
tasks:
|
||||
- name: Install wireguard and ufw
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- wireguard
|
||||
- ufw
|
||||
state: present
|
||||
|
||||
- name: Generate a wireguard server privatekey
|
||||
ansible.builtin.shell: "wg genkey > /etc/wireguard/private.key"
|
||||
|
||||
- name: Read privatekey from the wireguard folder
|
||||
ansible.builtin.shell: "cat /etc/wireguard/private.key"
|
||||
register: server_private_key_stdout
|
||||
|
||||
- name: Set the file content to a variable
|
||||
ansible.builtin.set_fact:
|
||||
server_private_key: "{{ server_private_key_stdout.stdout }}"
|
||||
|
||||
- name: Get the default public interface
|
||||
ansible.builtin.shell: "ip route list | grep default | awk '{print $5}'"
|
||||
register: server_public_interface_stdout
|
||||
|
||||
- name: Set the stdout of the public interface to a variable
|
||||
ansible.builtin.set_fact:
|
||||
server_public_interface: "{{ server_public_interface_stdout.stdout }}"
|
||||
|
||||
- name: Protect the privatekey by allowing only the root user to read
|
||||
ansible.builtin.file:
|
||||
path: "/etc/wireguard/private.key"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '077'
|
||||
|
||||
- name: Generate a wireguard server pubkey
|
||||
ansible.builtin.shell: "cat /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key"
|
||||
|
||||
- name: Protect the privatekey by allowing only the root user to read
|
||||
ansible.builtin.file:
|
||||
path: "/etc/wireguard/public.key"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Install the server wireguard template to the server
|
||||
ansible.builtin.template:
|
||||
src: "server_wg0.conf"
|
||||
dest: "/etc/wireguard/wg0.conf"
|
||||
|
||||
- name: Ensure that the permissions to the config are not too open
|
||||
ansible.builtin.file:
|
||||
path: "/etc/wireguard/wg0.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: '077'
|
||||
|
||||
- name: Allow everything and enable UFW
|
||||
community.general.ufw:
|
||||
state: enabled
|
||||
policy: allow
|
||||
|
||||
- name: Set logging for the ufw
|
||||
community.general.ufw:
|
||||
logging: 'on'
|
||||
|
||||
- name: Allow all access to port 22
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: '22'
|
||||
|
||||
- name: Allow all access to wireguard port (udp)
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: '51820'
|
||||
proto: udp
|
||||
|
||||
- name: Start the wireguard service
|
||||
ansible.builtin.service:
|
||||
name: wg-quick@wg0.service
|
||||
enabled: yes
|
||||
state: started
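Review bot: `mode: '077'` on the private.key task and again on the wg0.conf task is octal 077 — no permission for the owner and rwx for group and world — the opposite of the intended lock-down, and wg0.conf contains the rendered private key. Both should read `mode: '0600'`, and the template task should carry `mode: '0600'` itself so the key is never written with default permissions and fixed up in a later task. The `wg genkey > /etc/wireguard/private.key` shell task has no `creates:`, so every playbook run rotates the server key (invalidating any peer that holds the old public key) and the file is first created under the default umask; `args: {creates: /etc/wireguard/private.key}` together with `umask 077 && wg genkey > /etc/wireguard/private.key` avoids both. The ufw task with `policy: allow` sets the default policy to allow, which makes the later port 22/51820 allow rules redundant and leaves every other port open; the baseline is presumably `policy: deny` with `direction: incoming`, after which the two explicit rules do the real work. The task named "Protect the privatekey ..." on the public.key block is a copy-paste of the earlier name and sets no `mode:` at all.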
|
|
@ -0,0 +1,10 @@
|
|||
[Interface]
|
||||
PrivateKey = {{ server_private_key }}
|
||||
Address = 10.6.0.1/24
|
||||
ListenPort = 51820
|
||||
SaveConfig = true
|
||||
|
||||
PostUp = ufw route allow in on wg0 out on {{ server_public_interface }}
|
||||
PostUp = iptables -t nat -I POSTROUTING -o {{ server_public_interface }} -j MASQUERADE
|
||||
PreDown = ufw route delete allow in on wg0 out on {{ server_public_interface }}
|
||||
PreDown = iptables -t nat -D POSTROUTING -o {{ server_public_interface }} -j MASQUERADE
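Review bot: `SaveConfig = true` tells wg-quick to rewrite /etc/wireguard/wg0.conf from the live interface on `wg-quick down`, which overwrites the file the `server_init.yml` template task manages and will likely make that task report a change on every later run; for an Ansible-owned config, drop the line or set `SaveConfig = false`. The template renders the private key inline (`PrivateKey = {{ server_private_key }}`), so the rendered file must be created with owner-only permissions by the template task rather than corrected afterwards. The `PostUp` `ufw route allow in on wg0 out on {{ server_public_interface }}` plus the MASQUERADE rule forwards all peer traffic out of the public interface; if peers are only meant to reach each other or a subset of destinations, this PostUp line is where that restriction belongs.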
|
|
@ -0,0 +1,8 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -eux
|
||||
|
||||
NETWORK_NAME="kp_wg_network"
|
||||
|
||||
sudo virsh net-destroy $NETWORK_NAME
|
||||
sudo virsh net-undefine $NETWORK_NAME
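Review bot: With `set -e`, `sudo virsh net-destroy $NETWORK_NAME` aborts the script when the network is already inactive, so `net-undefine` never runs and the definition lingers for the next `start.sh`; `sudo virsh net-destroy "$NETWORK_NAME" || true` keeps the teardown going. Quoting `"$NETWORK_NAME"` on both lines also matches the quoting already used on the `net-define` line of start.sh.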
|
|
@ -0,0 +1,14 @@
|
|||
<network>
|
||||
<name>kp_wg_network</name>
|
||||
<forward mode="nat">
|
||||
<nat>
|
||||
<port start='1024' end='65535'/>
|
||||
</nat>
|
||||
</forward>
|
||||
<bridge name="kp_wg_network" stp='on' delay='0'/>
|
||||
<ip address="192.168.123.1" netmask="255.255.255.0">
|
||||
<dhcp>
|
||||
<range start="192.168.123.2" end="192.168.123.254"/>
|
||||
</dhcp>
|
||||
</ip>
|
||||
</network>
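Review bot: The DHCP pool `192.168.123.2`–`192.168.123.254` includes the static addresses 192.168.123.10–13 that the Vagrantfile assigns to kp-root-node and the clients, so libvirt's dnsmasq can lease one of those to another guest and cause an address conflict. Either narrow the range to exclude them, e.g. `<range start="192.168.123.100" end="192.168.123.254"/>`, or pin the guests with `<host mac="..." ip="..."/>` reservations inside `<dhcp>`. The NAT port range and the bridge definition are fine as they stand.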
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -eux
|
||||
|
||||
NETWORK_NAME="kp_wg_network"
|
||||
|
||||
sudo virsh net-define "${NETWORK_NAME}.xml"
|
||||
sudo virsh net-start $NETWORK_NAME
|
||||
sudo virsh net-autostart $NETWORK_NAME
|
||||
|
||||
sudo virsh net-list --all
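Review bot: `sudo virsh net-define "${NETWORK_NAME}.xml"` resolves the XML relative to the caller's working directory, but the README invokes the script as `./virsh_network/start.sh` from the repository root; unless `kp_wg_network.xml` is kept at the root rather than alongside the script (the diff does not show its path), `net-define` fails and `set -e` stops the script. Resolving it relative to the script, `sudo virsh net-define "$(dirname "$0")/${NETWORK_NAME}.xml"`, works from any directory. `$NETWORK_NAME` on the `net-start` and `net-autostart` lines is unquoted while the `net-define` line quotes it; quoting all three is the consistent form.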
|