diff --git a/cloud.yml b/cloud.yml index 3a4e299f..671c7765 100644 --- a/cloud.yml +++ b/cloud.yml @@ -1,7 +1,7 @@ --- - name: Provision the server hosts: localhost - tags: algo + tags: always vars_files: - config.cfg diff --git a/input.yml b/input.yml index aeb53192..18534518 100644 --- a/input.yml +++ b/input.yml @@ -1,7 +1,7 @@ --- - name: Ask user for the input hosts: localhost - tags: algo + tags: always vars: defaults: server_name: algo diff --git a/roles/common/tasks/facts.yml b/roles/common/tasks/facts.yml index 8182cf20..29ee3f55 100644 --- a/roles/common/tasks/facts.yml +++ b/roles/common/tasks/facts.yml @@ -23,4 +23,8 @@ - set_fact: CA_password: "{{ CA_password.stdout }}" IP_subject_alt_name: "{{ IP_subject_alt_name }}" + +- name: Set IPv6 support as a fact + set_fact: ipv6_support: "{% if ansible_default_ipv6['gateway'] is defined %}true{% else %}false{% endif %}" + tags: always diff --git a/roles/dns_encryption/files/rc.dnscrypt-proxy.sh b/roles/dns_encryption/files/rc.dnscrypt-proxy.sh deleted file mode 100644 index da35d896..00000000 --- a/roles/dns_encryption/files/rc.dnscrypt-proxy.sh +++ /dev/null 
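Review bot: The new `ipv6_support` fact in roles/common/tasks/facts.yml is rendered by a Jinja if/else as the text `true`/`false`, not a boolean, so a bare `when: ipv6_support` works only because Ansible special-cases those two strings, while comparisons such as `ipv6_support == true` or a `| bool`-less use in a template will misbehave. The `is defined` test already yields a boolean that Ansible converts back to a native value, so the task can set it directly: `ipv6_support: "{{ ansible_default_ipv6['gateway'] is defined }}"`. The consumers of the fact are outside this diff, so confirm none of them depend on the lowercase string form before changing it.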
@@ -1,38 +0,0 @@ -#!/bin/sh - -# PROVIDE: dnscrypt-proxy -# REQUIRE: LOGIN -# BEFORE: securelevel -# KEYWORD: shutdown - -# Add the following lines to /etc/rc.conf to enable `dnscrypt-proxy': -# -# dnscrypt_proxy_enable="YES" -# dnscrypt_proxy_flags="" -# -# See rsync(1) for rsyncd_flags -# - -. /etc/rc.subr - -name="dnscrypt-proxy" -rcvar=dnscrypt_proxy_enable -load_rc_config "$name" -pidfile="/var/run/$name.pid" -start_cmd=dnscrypt_proxy_start -stop_postcmd=dnscrypt_proxy_stop - -: ${dnscrypt_proxy_enable="NO"} -: ${dnscrypt_proxy_flags="-config /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"} - -dnscrypt_proxy_start() { - echo "Starting dnscrypt-proxy..." - touch ${pidfile} - /usr/sbin/daemon -cS -T dnscrypt-proxy -p ${pidfile} /usr/dnscrypt-proxy/freebsd-amd64/dnscrypt-proxy ${dnscrypt_proxy_flags} -} - -dnscrypt_proxy_stop() { - [ -f ${pidfile} ] && rm ${pidfile} -} - -run_rc_command "$1" diff --git a/roles/dns_encryption/tasks/freebsd.yml b/roles/dns_encryption/tasks/freebsd.yml index 30e0186c..bdada6fe 100644 --- a/roles/dns_encryption/tasks/freebsd.yml +++ b/roles/dns_encryption/tasks/freebsd.yml 
@@ -1,51 +1,10 @@ --- -- name: FreeBSD | Ensure that the required directories exist - file: - path: "{{ item }}" - state: directory - with_items: - - "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/" - - /usr/dnscrypt-proxy/ - -- name: Required tools installed +- name: Install dnscrypt-proxy package: - name: gtar + name: dnscrypt-proxy2 -- name: FreeBSD | Retrive the latest versions - uri: - url: https://api.github.com/repos/jedisct1/dnscrypt-proxy/releases/latest - register: dnscrypt_proxy_latest - ignore_errors: true - -- name: FreeBSD | Set default dnscrypt-proxy assets - set_fact: - dnscrypt_proxy_latest: - json: - assets: - - name: "dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz" - browser_download_url: "https://github.com/jedisct1/dnscrypt-proxy/releases/download/{{ dnscrypt_proxy_version }}/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz" - when: dnscrypt_proxy_latest.failed - -- name: FreeBSD | Download the latest archive - get_url: - url: "{{ item['browser_download_url'] }}" - dest: "/tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz" - mode: '0755' - force: true - with_items: "{{ dnscrypt_proxy_latest['json']['assets'] }}" - no_log: true - when: '"freebsd_amd64" in item.name and not item.name.endswith("minisig")' - notify: restart dnscrypt-proxy - -- name: FreeBSD | Extract the latest archive - unarchive: - remote_src: true - src: /tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz - dest: /usr/dnscrypt-proxy - -- name: FreeBSD | Configure rc script - copy: - src: rc.dnscrypt-proxy.sh - dest: /usr/local/etc/rc.d/dnscrypt-proxy - mode: "0755" - notify: restart dnscrypt-proxy +- name: Enable mac_portacl + lineinfile: + path: /etc/rc.conf + line: 'dnscrypt_proxy_mac_portacl_enable="YES"' + when: listen_port|int == 53 diff --git a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 index 18a8bebb..aba1919e 100644 
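Review bot: The `Enable mac_portacl` task in roles/dns_encryption/tasks/freebsd.yml uses `lineinfile` with only `line:`, so an existing `dnscrypt_proxy_mac_portacl_enable="NO"` in /etc/rc.conf is left in place and a second, conflicting line is appended, and once `listen_port` is moved away from 53 the `YES` line is never removed. Anchor the edit on the key, `regexp: '^dnscrypt_proxy_mac_portacl_enable='`, and use `state: "{{ 'present' if listen_port|int == 53 else 'absent' }}"` instead of the `when:` so both directions converge. Because this knob is presumably what lets the packaged, unprivileged proxy bind a privileged port, a comment above the task would help the next reader: `# Let the non-root dnscrypt-proxy user bind port 53 via mac_portacl(4) rather than running the daemon as root`. Replacing the unverified GitHub tarball download with the `dnscrypt-proxy2` package is a clear improvement.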
--- a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 +++ b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 @@ -151,7 +151,7 @@ tls_disable_session_tickets = true ## People in China may need to use 114.114.114.114:53 here. ## Other popular options include 8.8.8.8 and 1.1.1.1. -fallback_resolver = '127.0.0.53:53' +fallback_resolver = '{% if ansible_distribution == "FreeBSD" %}{{ ansible_dns.nameservers.0 }}:53{% else %}127.0.0.53:53{% endif %}' ## Never try to use the system DNS settings; unconditionally use the diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index de3a9f1d..2a7a90b2 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -1,11 +1,5 @@ --- - block: - - name: Include WireGuard role - include_role: - name: wireguard - tags: wireguard - when: wireguard_enabled and ansible_distribution == 'Ubuntu' - - name: Ensure that the strongswan group exist group: name=strongswan state=present diff --git a/roles/wireguard/files/wireguard.sh b/roles/wireguard/files/wireguard.sh new file mode 100644 index 00000000..efcde0e3 --- /dev/null +++ b/roles/wireguard/files/wireguard.sh @@ -0,0 +1,40 @@ +#!/bin/sh + +# PROVIDE: wireguard +# REQUIRE: LOGIN +# BEFORE: securelevel +# KEYWORD: shutdown + +. /etc/rc.subr + +name="wg" +rcvar=wg_enable + +command="/usr/local/bin/wg-quick" +start_cmd=wg_up +stop_cmd=wg_down +status_cmd=wg_status +pidfile="/var/run/$name.pid" +load_rc_config "$name" + +: ${wg_enable="NO"} +: ${wg_interface="wg0"} + +wg_up() { + echo "Starting WireGuard..." + /usr/sbin/daemon -cS -p ${pidfile} ${command} up ${wg_interface} +} + +wg_down() { + echo "Stopping WireGuard..." + ${command} down ${wg_interface} +} + +wg_status () { + not_running () { + echo "WireGuard is not running on $wg_interface" && exit 1 + } + /usr/local/bin/wg show wg0 && echo "WireGuard is running on $wg_interface" || not_running +} + +run_rc_command "$1" 
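Review bot: On FreeBSD `fallback_resolver` is now whatever `ansible_dns.nameservers.0` held when facts were gathered; if the role, or an earlier run, has already pointed resolv.conf at the local dnscrypt-proxy listener, a re-run renders the proxy's own address as its plaintext fallback, and if the fact is empty or undefined the template fails to render. An IPv6 nameserver would also be emitted unbracketed as `addr:53`, which is likely not a valid host:port for the daemon. A dedicated variable with a known-good default keeps the bootstrap path deterministic, e.g. `{% if ansible_distribution == "FreeBSD" %}{{ dns_fallback_resolver | default("1.1.1.1") }}:53{% else %}127.0.0.53:53{% endif %}`, reusing one of the public options the surrounding comment already lists. Whatever is chosen, note in the template comment that this resolver is queried in the clear, so it should not be an arbitrary cloud-provider default.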
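Review bot: `wg_status` in roles/wireguard/files/wireguard.sh hard-codes `wg show wg0` while every other function honours `${wg_interface}`, so `service wireguard status` reports the wrong tunnel as soon as the interface is renamed in rc.conf; use `/usr/local/bin/wg show ${wg_interface}`. Separately, `wg_up` wraps `wg-quick up` in `daemon -cS`, which backgrounds it and sends its output to syslog, so a failing `wg-quick up` (bad config, missing key, port in use) still returns success to rc and the pidfile refers to a process that has already exited — as far as I can tell wg-quick configures the interface and exits rather than staying resident. Running it in the foreground, `${command} up ${wg_interface}`, surfaces the failure to the caller and makes the VPN's state visible to Ansible's service task instead of silently leaving the host without a tunnel.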
diff --git a/roles/wireguard/handlers/main.yml b/roles/wireguard/handlers/main.yml index 1063f5e6..d13ee31c 100644 --- a/roles/wireguard/handlers/main.yml +++ b/roles/wireguard/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart wireguard service: - name: "wg-quick@{{ wireguard_interface }}" + name: "{{ service_name }}" state: restarted diff --git a/roles/wireguard/tasks/freebsd.yml b/roles/wireguard/tasks/freebsd.yml new file mode 100644 index 00000000..63e7b48c --- /dev/null +++ b/roles/wireguard/tasks/freebsd.yml @@ -0,0 +1,16 @@ +--- +- name: BSD | WireGuard installed + package: + name: wireguard + state: present + +- set_fact: + service_name: wireguard + tags: always + +- name: BSD | Configure rc script + copy: + src: wireguard.sh + dest: /usr/local/etc/rc.d/wireguard + mode: "0755" + notify: restart wireguard diff --git a/roles/wireguard/tasks/keys.yml b/roles/wireguard/tasks/keys.yml index b38ab1fb..33434081 100644 --- a/roles/wireguard/tasks/keys.yml +++ b/roles/wireguard/tasks/keys.yml @@ -1,7 +1,7 @@ --- - name: Delete the lock files file: - dest: "/etc/wireguard/private_{{ item }}.lock" + dest: "{{ config_prefix|default('/') }}etc/wireguard/private_{{ item }}.lock" state: absent when: keys_clean_all|bool == True with_items: @@ -12,7 +12,7 @@ command: wg genkey register: wg_genkey args: - creates: "/etc/wireguard/private_{{ item }}.lock" + creates: "{{ config_prefix|default('/') }}etc/wireguard/private_{{ item }}.lock" with_items: - "{{ users }}" - "{{ IP_subject_alt_name }}" @@ -31,7 +31,7 @@ - name: Touch the lock file file: - dest: "/etc/wireguard/private_{{ item }}.lock" + dest: "{{ config_prefix|default('/') }}etc/wireguard/private_{{ item }}.lock" state: touch with_items: - "{{ users }}" diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 232d080c..3621754c 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml 
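Review bot: The `wg genkey` task in roles/wireguard/tasks/keys.yml registers the freshly generated private key in `wg_genkey`, and nothing in the visible context marks the task `no_log: true`, so a `-v` run or a failed item prints the server's and every client's private key to the controller output and any log shipping attached to it. If the task does not already carry it outside the shown lines, add `no_log: true` next to `register: wg_genkey`. The `config_prefix` path change is fine; note that the lock file is only touched after the key is written (third hunk), so a failure between the two presumably regenerates — i.e. rotates — that key on the next run, which deserves a comment above the task.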
@@ -1,27 +1,4 @@ --- -- name: WireGuard repository configured - apt_repository: - repo: ppa:wireguard/wireguard - state: present - register: result - until: result is succeeded - retries: 10 - delay: 3 - -- name: WireGuard installed - apt: - name: wireguard - state: present - update_cache: true - -- name: Configure unattended-upgrades - copy: - src: 50-wireguard-unattended-upgrades - dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades - owner: root - group: root - mode: 0644 - - name: Ensure the required directories exist file: dest: "{{ wireguard_config_path }}/{{ item }}" @@ -33,6 +10,16 @@ delegate_to: localhost become: false +- name: Include tasks for Ubuntu + include_tasks: ubuntu.yml + when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + tags: always + +- name: Include tasks for FreeBSD + include_tasks: freebsd.yml + when: ansible_distribution == 'FreeBSD' + tags: always + - name: Generate keys import_tasks: keys.yml tags: update-users @@ -40,16 +27,11 @@ - name: WireGuard configured template: src: server.conf.j2 - dest: "/etc/wireguard/{{ wireguard_interface }}.conf" + dest: "{{ config_prefix|default('/') }}etc/wireguard/{{ wireguard_interface }}.conf" mode: "0600" notify: restart wireguard tags: update-users -- name: WireGuard reload-module-on-update - file: - dest: /etc/wireguard/.reload-module-on-update - state: touch - - name: WireGuard users config generated template: src: client.conf.j2 @@ -62,7 +44,7 @@ - name: WireGuard enabled and started service: - name: "wg-quick@{{ wireguard_interface }}" + name: "{{ service_name }}" state: started enabled: true diff --git a/roles/wireguard/tasks/ubuntu.yml b/roles/wireguard/tasks/ubuntu.yml new file mode 100644 index 00000000..c75b8a7b --- /dev/null +++ b/roles/wireguard/tasks/ubuntu.yml 
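Review bot: The `Include tasks for Ubuntu` condition in roles/wireguard/tasks/main.yml now also matches `ansible_distribution == 'Debian'`, but ubuntu.yml (added in this commit) installs from `ppa:wireguard/wireguard`, a Launchpad PPA that only carries Ubuntu builds, so a Debian host would fail at the repository step or pull packages built for the wrong release; the include this replaces in roles/vpn was limited to Ubuntu. Unless Debian support is actually wired up with its own source, tighten it back to `when: ansible_distribution == 'Ubuntu'`, or if both are intended write `when: ansible_distribution in ['Debian', 'Ubuntu']` once a Debian path exists. The remaining hunks look right: the server config keeps `mode: "0600"` and the service name comes from the per-OS fact.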
@@ -0,0 +1,32 @@ +--- +- name: WireGuard repository configured + apt_repository: + repo: ppa:wireguard/wireguard + state: present + register: result + until: result is succeeded + retries: 10 + delay: 3 + +- name: WireGuard installed + apt: + name: wireguard + state: present + update_cache: true + +- name: WireGuard reload-module-on-update + file: + dest: /etc/wireguard/.reload-module-on-update + state: touch + +- name: Configure unattended-upgrades + copy: + src: 50-wireguard-unattended-upgrades + dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades + owner: root + group: root + mode: 0644 + +- set_fact: + service_name: "wg-quick@{{ wireguard_interface }}" + tags: always diff --git a/roles/wireguard/templates/client.conf.j2 b/roles/wireguard/templates/client.conf.j2 index f75f0f43..6432e0ad 100644 --- a/roles/wireguard/templates/client.conf.j2 +++ b/roles/wireguard/templates/client.conf.j2 @@ -9,3 +9,4 @@ DNS = {{ wireguard_dns_servers }} PublicKey = {{ lookup('file', wireguard_config_path + '/public/' + IP_subject_alt_name) }} AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = {{ IP_subject_alt_name }}:{{ wireguard_port }} +PersistentKeepalive = 25 diff --git a/roles/wireguard/templates/server.conf.j2 b/roles/wireguard/templates/server.conf.j2 index d9468de4..adda0bed 100644 --- a/roles/wireguard/templates/server.conf.j2 +++ b/roles/wireguard/templates/server.conf.j2 @@ -5,7 +5,6 @@ Address = {{ wireguard_network_ipv4['gateway'] }}/{{ wireguard_network_ipv4['pre ListenPort = {{ wireguard_port }} PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + IP_subject_alt_name) }} SaveConfig = false -Table = off {% for u in users %} diff --git a/server.yml b/server.yml index e7e4ad2a..4f8ad7cd 100644 --- a/server.yml +++ b/server.yml @@ -9,6 +9,7 @@ roles: - role: common + tags: common - role: dns_encryption when: dns_encryption tags: dns_encryption 
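Review bot: The `WireGuard reload-module-on-update` task in roles/wireguard/tasks/ubuntu.yml touches `/etc/wireguard/.reload-module-on-update` without saying what it does; presumably the marker tells the package's upgrade hook to reload the kernel module, which tears down every active tunnel, and together with the unattended-upgrades drop-in installed two tasks later that means clients can be disconnected without operator action. A one-line comment stating the trade-off would help, e.g. `# Marker: let the package hook reload the wireguard module after an unattended upgrade (drops live tunnels, but picks up security fixes immediately)`. The trailing `set_fact` would also read better with a `name:` like the other tasks in the file.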
@@ -18,6 +19,9 @@ - role: ssh_tunneling when: algo_ssh_tunneling tags: ssh_tunneling + - role: wireguard + when: wireguard_enabled + tags: wireguard - role: vpn tags: vpn