From 5511a2d50e99dd6439b5260e22aa24996538a3a4 Mon Sep 17 00:00:00 2001 From: shapiro125 Date: Thu, 9 Jan 2020 12:13:07 -0500 Subject: [PATCH] Initial commits --- config.cfg | 19 +- input.yml | 13 +- roles/adguard/defaults/main.yml | 15 ++ roles/adguard/files/AdGuardHome.yaml | 198 ++++++++++++++++++ roles/adguard/handlers/main.yml | 5 + roles/adguard/meta/main.yml | 25 +++ roles/adguard/tasks/adguard_home.yml | 69 ++++++ roles/adguard/tasks/main.yml | 3 + .../adguard/templates/adguard-home.service.j2 | 15 ++ roles/common/tasks/facts.yml | 2 +- roles/common/tasks/ubuntu.yml | 8 - roles/common/tasks/unattended-upgrades.yml | 2 +- .../common/templates/50unattended-upgrades.j2 | 128 +++++++---- roles/wireguard/defaults/main.yml | 8 +- roles/wireguard/tasks/ubuntu.yml | 48 +++-- roles/wireguard/templates/client.conf.j2 | 2 +- .../templates/wireguard-updater.sh.j2 | 13 ++ server.yml | 5 +- 18 files changed, 485 insertions(+), 93 deletions(-) create mode 100644 roles/adguard/defaults/main.yml create mode 100644 roles/adguard/files/AdGuardHome.yaml create mode 100644 roles/adguard/handlers/main.yml create mode 100644 roles/adguard/meta/main.yml create mode 100644 roles/adguard/tasks/adguard_home.yml create mode 100644 roles/adguard/tasks/main.yml create mode 100644 roles/adguard/templates/adguard-home.service.j2 create mode 100644 roles/wireguard/templates/wireguard-updater.sh.j2 diff --git a/config.cfg b/config.cfg index 547b364..57af849 100644 --- a/config.cfg +++ b/config.cfg @@ -5,9 +5,10 @@ # You can generate up to 250 users at one time. # Usernames with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123". users: - - phone - - laptop - - desktop + - phone-dns + - phone-full + - laptop-dns + - laptop-full ### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed. 
@@ -16,7 +17,7 @@ users: ssh_port: 4160 # Deploy StrongSwan to enable IPsec support -ipsec_enabled: true +ipsec_enabled: false # Deploy WireGuard # WireGuard will listen on 51820/UDP. You might need to change to another port @@ -46,7 +47,7 @@ adblock_lists: # Enable DNS encryption. # If 'false', 'dns_servers' should be specified below. # DNS encryption can not be disabled if DNS adblocking is enabled -dns_encryption: true +dns_encryption: false # Block traffic between connected clients. Change this to false to enable # connected clients to reach each other, as well as other computers on the @@ -66,7 +67,7 @@ block_netbios: true # which case a reboot will take place if necessary at the time specified (as # HH:MM) in the time zone of your Algo server. The default time zone is UTC. unattended_reboot: - enabled: false + enabled: true time: 06:00 ### Advanced users only below this line ### @@ -114,7 +115,7 @@ strongswan_network_ipv6: 'fd9d:bc11:4020::/48' # If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent. # This option will keep the "connection" open in the eyes of NAT. # See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence -wireguard_PersistentKeepalive: 0 +wireguard_PersistentKeepalive: 25 # WireGuard network configuration wireguard_network_ipv4: 10.19.49.0/24 @@ -165,8 +166,8 @@ cloud_providers: owner: "099720109477" gce: size: f1-micro - image: ubuntu-1904 - external_static_ip: false + image: debian-10 + external_static_ip: true lightsail: size: nano_1_0 image: ubuntu_18_04 diff --git a/input.yml b/input.yml index 8dd5ae7..86fe351 100644 --- a/input.yml +++ b/input.yml @@ -89,14 +89,6 @@ when: store_pki is undefined when: ipsec_enabled - - name: DNS adblocking prompt - pause: - prompt: | - Do you want to enable DNS ad blocking on this VPN server? - [y/N] - register: _dns_adblocking - when: dns_adblocking is undefined - - name: SSH tunneling prompt pause: prompt: | 
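Review bot: Flipping `dns_encryption: false` leaves the comment directly above it ("If 'false', 'dns_servers' should be specified below") pointing at a knob that the rewritten `wireguard_dns_servers` default in roles/wireguard/defaults/main.yml no longer reads, since that default now always hands clients the WireGuard server address. Either the flag is dead for the WireGuard path, or it still drives roles not shown in this patch; which one it is should be stated here so the next operator does not populate `dns_servers` expecting it to take effect. I would rewrite the comment to `# WireGuard clients are pointed at the AdGuard Home resolver on the VPN address; this flag no longer selects their upstream`.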
@@ -126,10 +118,7 @@ {%- elif _ondemand_wifi_exclude.user_input is defined and _ondemand_wifi_exclude.user_input|length > 0 -%} {{ _ondemand_wifi_exclude.user_input | b64encode }} {%- else %}{{ '_null' | b64encode }}{% endif %} - algo_dns_adblocking: >- - {% if dns_adblocking is defined %}{{ dns_adblocking | bool }} - {%- elif _dns_adblocking.user_input is defined %}{{ booleans_map[_dns_adblocking.user_input] | default(defaults['dns_adblocking']) }} - {%- else %}false{% endif %} + algo_dns_adblocking: false algo_ssh_tunneling: >- {% if ssh_tunneling is defined %}{{ ssh_tunneling | bool }} {%- elif _ssh_tunneling.user_input is defined %}{{ booleans_map[_ssh_tunneling.user_input] | default(defaults['ssh_tunneling']) }} diff --git a/roles/adguard/defaults/main.yml b/roles/adguard/defaults/main.yml new file mode 100644 index 0000000..f6d9b84 --- /dev/null +++ b/roles/adguard/defaults/main.yml @@ -0,0 +1,15 @@ +--- +adguard_home_version: '0.98.1' + +adguard_home_base_path: /opt/AdGuardHome +adguard_home_user: root + +adguard_home_path: "{{ adguard_home_base_path }}/AdGuardHome" +adguard_home_executable: "{{ adguard_home_path }}/AdGuardHome" +adguard_home_group: "{{ adguard_home_user }}" +adguard_home_host: "{{ ansible_default_ipv4.address }}" +adguard_home_arch: "{{ (ansible_architecture == 'x86_64') | ternary('amd64', 'arm') }}" +adguard_home_archive: "AdGuardHome_linux_{{ adguard_home_arch }}.tar.gz" +adguard_home_download_url: "https://static.adguard.com/adguardhome/release/AdGuardHome_linux_{{ adguard_home_arch }}.tar.gz" + +adguard_home_tmp_path: /tmp/ diff --git a/roles/adguard/files/AdGuardHome.yaml b/roles/adguard/files/AdGuardHome.yaml new file mode 100644 index 0000000..8f781cf --- /dev/null +++ b/roles/adguard/files/AdGuardHome.yaml 
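Review bot: `adguard_home_version` is declared but never reaches `adguard_home_download_url`, which points at the unversioned `release/` path, so the role fetches whatever AdGuard currently publishes and, with `adguard_home_user: root` and `adguard_home_checksum` defaulting to omit in the tasks, runs an unverified binary as root. For the resolver that every VPN client will trust, pin and verify the artifact: reference the version in the URL if the upstream layout allows it, and set `adguard_home_checksum: 'sha256:<digest>'` as a non-empty default so `get_url` fails closed when the download changes. A dedicated unprivileged account (`adguard_home_user: adguard`) would also give the later `setcap CAP_NET_BIND_SERVICE` task a purpose, since a capability on a root-run binary changes nothing. `adguard_home_tmp_path: /tmp/` stages the archive in a world-writable directory between the download and the unarchive step; a private directory under `adguard_home_base_path` avoids that window.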
@@ -0,0 +1,198 @@ +bind_host: 0.0.0.0 +bind_port: 80 +users: [] +language: "" +rlimit_nofile: 0 +web_session_ttl: 720 +dns: + bind_host: 0.0.0.0 + port: 53 + statistics_interval: 1 + querylog_enabled: true + querylog_interval: 1 + querylog_memsize: 0 + protection_enabled: true + blocking_mode: nxdomain + blocking_ipv4: "" + blocking_ipv6: "" + blocked_response_ttl: 10 + ratelimit: 20 + ratelimit_whitelist: [] + refuse_any: true + bootstrap_dns: + - 8.8.8.8:53 + - 8.8.4.4:53 + all_servers: false + edns_client_subnet: true + allowed_clients: [] + disallowed_clients: [] + blocked_hosts: [] + parental_block_host: family-block.dns.adguard.com + safebrowsing_block_host: standard-block.dns.adguard.com + cache_size: 4194304 + upstream_dns: + - https://dns.google/dns-query + - tls://8.8.8.8 + - tls://8.8.4.4 + - https://dns.cloudflare.com/dns-query + - tls://1.1.1.1 + - tls://1.0.0.1 + filtering_enabled: true + filters_update_interval: 24 + parental_sensitivity: 0 + parental_enabled: false + safesearch_enabled: false + safebrowsing_enabled: false + safebrowsing_cache_size: 1048576 + safesearch_cache_size: 1048576 + parental_cache_size: 1048576 + cache_time: 30 + rewrites: [] + blocked_services: [] +tls: + enabled: false + server_name: "" + force_https: false + port_https: 443 + port_dns_over_tls: 853 + allow_unencrypted_doh: false + certificate_chain: "" + private_key: "" + certificate_path: "" + private_key_path: "" +filters: +- enabled: true + url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt + name: AdGuard Simplified Domain Names filter + id: 1 +- enabled: true + url: https://adaway.org/hosts.txt + name: AdAway + id: 2 +- enabled: true + url: https://hosts-file.net/ad_servers.txt + name: hpHosts - Ad and Tracking servers only + id: 3 +- enabled: true + url: https://www.malwaredomainlist.com/hostslist/hosts.txt + name: MalwareDomainList.com Hosts List + id: 4 +- enabled: true + url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts + 
name: Steven Black Hosts + id: 5 +- enabled: true + url: http://sysctl.org/cameleon/hosts + name: Cameleon + id: 6 +- enabled: true + url: https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt + name: Disconnect Simple Tracking + id: 7 +- enabled: true + url: https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt + name: Disconnect Simple Ads + id: 8 +- enabled: true + url: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=0&mimetype=plaintext + name: Peter Lowe's list + id: 9 +- enabled: true + url: https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts + name: Minimal Hosts + id: 10 +- enabled: true + url: https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt + name: Anudeep ND + id: 11 +- enabled: true + url: https://someonewhocares.org/hosts/hosts + name: Dan Pollock's list + id: 12 +- enabled: true + url: https://www.squidblacklist.org/downloads/dg-ads.acl + name: Squid Blacklist + id: 13 +- enabled: true + url: https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt + name: Disconnect Simple Malvertising + id: 15 +- enabled: true + url: https://zerodot1.gitlab.io/CoinBlockerLists/hosts + name: Coinblocker + id: 16 +- enabled: true + url: https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master/Formats/GoodbyeAds-AdBlock-Filter.txt + name: Goodbye Ads + id: 1576635076 +- enabled: true + url: https://raw.githubusercontent.com/Strappazzon/filterlists/master/Filterlists/Tracking.txt + name: Strappazzon's Tracking list + id: 1576779870 +- enabled: true + url: https://raw.githubusercontent.com/rodeodomino/Scripts/master/Filters/AdGuardHome.txt + name: Personal filters + id: 1577993820 +user_rules: +- "" +dhcp: + enabled: false + interface_name: "" + gateway_ip: "" + subnet_mask: "" + range_start: "" + range_end: "" + lease_duration: 86400 + icmp_timeout_msec: 1000 +clients: +- name: Phone - Full + ids: + - 10.19.49.4 + - fd9d:bc11:4021::4 + 
use_global_settings: true + filtering_enabled: false + parental_enabled: false + safebrowsing_enabled: false + safesearch_enabled: false + use_global_blocked_services: true + blocked_services: [] + upstreams: [] +- name: Laptop - Full + ids: + - 10.19.49.5 + - fd9d:bc11:4021::5 + use_global_settings: true + filtering_enabled: false + parental_enabled: false + safebrowsing_enabled: false + safesearch_enabled: false + use_global_blocked_services: true + blocked_services: [] + upstreams: [] +- name: Phone - DNS Only + ids: + - 10.19.49.2 + - fd9d:bc11:4021::2 + use_global_settings: true + filtering_enabled: false + parental_enabled: false + safebrowsing_enabled: false + safesearch_enabled: false + use_global_blocked_services: true + blocked_services: [] + upstreams: [] +- name: Laptop - DNS Only + ids: + - 10.19.49.3 + - fd9d:bc11:4021::3 + use_global_settings: true + filtering_enabled: false + parental_enabled: false + safebrowsing_enabled: false + safesearch_enabled: false + use_global_blocked_services: true + blocked_services: [] + upstreams: [] +log_file: "" +verbose: false +schema_version: 6 diff --git a/roles/adguard/handlers/main.yml b/roles/adguard/handlers/main.yml new file mode 100644 index 0000000..0b7714f --- /dev/null +++ b/roles/adguard/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart adguard-home + service: + name: adguard-home + state: restarted diff --git a/roles/adguard/meta/main.yml b/roles/adguard/meta/main.yml new file mode 100644 index 0000000..d99dd64 --- /dev/null +++ b/roles/adguard/meta/main.yml 
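Review bot: The admin web UI is bound to `bind_host: 0.0.0.0` on `bind_port: 80` with `users: []`, and the resolver to `dns.bind_host: 0.0.0.0`, so on an internet-facing VPN server both an unauthenticated admin console and an open recursive resolver are reachable from every interface unless firewall rules outside this patch block them. Bind both to the VPN address instead, `bind_host: 10.19.49.1` and `dns.bind_host: 10.19.49.1` (plus the matching IPv6 server address when IPv6 is on), and create an admin account before the service is exposed rather than leaving the console to whoever reaches it first. Two privacy settings deserve a second look for a VPN resolver: `querylog_enabled: true` with `querylog_interval: 1` keeps a per-client record of every lookup on the gateway, and `edns_client_subnet: true` forwards the client's subnet to the upstream DoH/DoT providers. Since this file also carries the `certificate_chain`/`private_key` fields and any future password hashes, it should not be installed world-readable (the copy task in this patch uses `mode: 0644`).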
@@ -0,0 +1,25 @@ +--- +dependencies: [] + +galaxy_info: + min_ansible_version: 2.1 + author: WoodenDoors + description: "Ansible role to install the ad-blocking DNS-server Adguard Home (https://github.com/AdguardTeam/AdGuardHome)." + license: MIT + platforms: + - name: Debian + versions: + - jessie + - stretch + - name: Ubuntu + versions: + - xenial + - yakkety + - zesty + - artful + - bionic + galaxy_tags: + - adguard + - dns + - adblocking + - networking diff --git a/roles/adguard/tasks/adguard_home.yml b/roles/adguard/tasks/adguard_home.yml new file mode 100644 index 0000000..0e58cd5 --- /dev/null +++ b/roles/adguard/tasks/adguard_home.yml 
@@ -0,0 +1,69 @@ +--- +- name: ensure user exists + user: + name: "{{ adguard_home_user }}" + state: present + +- name: ensure base directory exists + file: + dest: "{{ adguard_home_base_path }}" + owner: "{{ adguard_home_user }}" + group: "{{ adguard_home_group }}" + recurse: yes + state: directory + +- name: check if adguard is already installed + stat: + path: "{{ adguard_home_executable }}" + register: adguard_home_executable_stat + +- name: check adguard version if it is already installed + command: "{{ adguard_home_executable }} --help" + register: adguard_home_version_exists_check + check_mode: no + changed_when: adguard_home_version_exists_check.stderr.find('version v' + adguard_home_version) == -1 + failed_when: adguard_home_version_exists_check.rc != 64 + when: adguard_home_executable_stat.stat.exists + +- name: download adguard-home archive + get_url: + url: "{{ adguard_home_download_url }}" + dest: "{{ adguard_home_tmp_path }}" + checksum: "{{ adguard_home_checksum | default(omit, true) }}" + when: > + (not adguard_home_executable_stat.stat.exists) + or (adguard_home_version_exists_check | changed) + +- name: unarchive adguard-home + unarchive: + copy: no + src: "{{ adguard_home_tmp_path }}/{{ adguard_home_archive }}" + dest: "{{ adguard_home_base_path }}" + owner: "{{ adguard_home_user }}" + group: "{{ adguard_home_group }}" + become: yes + become_user: "{{ adguard_home_user }}" + when: > + (not adguard_home_executable_stat.stat.exists) + or (adguard_home_version_exists_check | changed) + +- name: Restore AdGuard settings + copy: + src: AdGuardHome.yaml + dest: "{{ adguard_home_base_path }}/AdGuardHome.yaml" + owner: root + group: root + mode: 0644 + force: yes + +- name: Install AdGuardHome + command: "sudo {{ adguard_home_base_path }}/AdGuardHome -s install" + changed_when: false + +- name: Start AdGuardHome + command: "sudo {{ adguard_home_base_path }}/AdGuardHome -s start" + changed_when: false + +- name: Set AdGuardHome permissions + command: 
"sudo setcap CAP_NET_BIND_SERVICE=+eip {{ adguard_home_base_path }}/AdGuardHome" + changed_when: false diff --git a/roles/adguard/tasks/main.yml b/roles/adguard/tasks/main.yml new file mode 100644 index 0000000..0534a17 --- /dev/null +++ b/roles/adguard/tasks/main.yml @@ -0,0 +1,3 @@ +--- +- include: adguard_home.yml + tags: adguard_home diff --git a/roles/adguard/templates/adguard-home.service.j2 b/roles/adguard/templates/adguard-home.service.j2 new file mode 100644 index 0000000..8c4c317 --- /dev/null +++ b/roles/adguard/templates/adguard-home.service.j2 @@ -0,0 +1,15 @@ +[Unit] +Description=AdGuard Home +After=syslog.target +After=network.target + +[Service] +Type=simple +User={{ adguard_home_user }} +Group={{ adguard_home_group }} +WorkingDirectory={{ adguard_home_path }} +ExecStart={{ adguard_home_executable }} --host {{ adguard_home_host }} +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/common/tasks/facts.yml b/roles/common/tasks/facts.yml index 02e88ed..f910333 100644 --- a/roles/common/tasks/facts.yml +++ b/roles/common/tasks/facts.yml @@ -11,7 +11,7 @@ - name: Set IPv6 support as a fact set_fact: - ipv6_support: "{% if ansible_default_ipv6['gateway'] is defined %}true{% else %}false{% endif %}" + ipv6_support: true tags: always - name: Check size of MTU diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml index 97c8616..a37627c 100644 --- a/roles/common/tasks/ubuntu.yml +++ b/roles/common/tasks/ubuntu.yml @@ -45,13 +45,6 @@ - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' } - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' } -- name: Loopback for services configured - template: - src: 10-algo-lo100.network.j2 - dest: /etc/systemd/network/10-algo-lo100.network - notify: - - restart systemd-networkd - - name: systemd services enabled and started systemd: name: "{{ item }}" 
@@ -107,7 +100,6 @@ - name: Install headers apt: name: - - linux-headers-generic - "linux-headers-{{ ansible_kernel }}" state: present when: install_headers diff --git a/roles/common/tasks/unattended-upgrades.yml b/roles/common/tasks/unattended-upgrades.yml index da7c2fb..c0a4b97 100644 --- a/roles/common/tasks/unattended-upgrades.yml +++ b/roles/common/tasks/unattended-upgrades.yml @@ -15,7 +15,7 @@ - name: Periodic upgrades configured template: src: 10periodic.j2 - dest: /etc/apt/apt.conf.d/10periodic + dest: /etc/apt/apt.conf.d/20auto-upgrades owner: root group: root mode: 0644 diff --git a/roles/common/templates/50unattended-upgrades.j2 b/roles/common/templates/50unattended-upgrades.j2 index 87c4b07..2d9a510 100644 --- a/roles/common/templates/50unattended-upgrades.j2 +++ b/roles/common/templates/50unattended-upgrades.j2 
@@ -1,31 +1,67 @@ -// Automatically upgrade packages from these (origin:archive) pairs +// Unattended-Upgrade::Origins-Pattern controls which packages are +// upgraded. // -// Note that in Ubuntu security updates may pull in new dependencies -// from non-security sources (e.g. chromium). By allowing the release -// pocket these get automatically pulled in. -Unattended-Upgrade::Allowed-Origins { - "${distro_id}:${distro_codename}-security"; - // Extended Security Maintenance; doesn't necessarily exist for - // every release and this system may not have it installed, but if - // available, the policy for updates is such that unattended-upgrades - // should also install from here by default. - "${distro_id}ESM:${distro_codename}"; - "${distro_id}:${distro_codename}-updates"; - // "${distro_id}:${distro_codename}-proposed"; - // "${distro_id}:${distro_codename}-backports"; +// Lines below have the format format is "keyword=value,...". A +// package will be upgraded only if the values in its metadata match +// all the supplied keywords in a line. (In other words, omitted +// keywords are wild cards.) The keywords originate from the Release +// file, but several aliases are accepted. The accepted keywords are: +// a,archive,suite (eg, "stable") +// c,component (eg, "main", "contrib", "non-free") +// l,label (eg, "Debian", "Debian-Security") +// o,origin (eg, "Debian", "Unofficial Multimedia Packages") +// n,codename (eg, "jessie", "jessie-updates") +// site (eg, "http.debian.net") +// The available values on the system are printed by the command +// "apt-cache policy", and can be debugged by running +// "unattended-upgrades -d" and looking at the log file. +// +// Within lines unattended-upgrades allows 2 macros whose values are +// derived from /etc/debian_version: +// ${distro_id} Installed origin. 
+// ${distro_codename} Installed codename (eg, "buster") +Unattended-Upgrade::Origins-Pattern { + // Codename based matching: + // This will follow the migration of a release through different + // archives (e.g. from testing to stable and later oldstable). + // Software will be the latest available for the named release, + // but the Debian release itself will not be automatically upgraded. + "origin=Debian,codename=${distro_codename}-updates"; +// "origin=Debian,codename=${distro_codename}-proposed-updates"; + "origin=Debian,codename=${distro_codename},label=Debian"; + "origin=Debian,codename=${distro_codename},label=Debian-Security"; + + // Archive or Suite based matching: + // Note that this will silently match a different release after + // migration to the specified archive (e.g. testing becomes the + // new stable). +// "o=Debian,a=stable"; +// "o=Debian,a=stable-updates"; +// "o=Debian,a=proposed-updates"; +// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports"; }; -// List of packages to not update (regexp are supported) +// Python regular expressions, matching packages to exclude from upgrading Unattended-Upgrade::Package-Blacklist { -// "vim"; -// "libc6"; -// "libc6-dev"; -// "libc6-i686"; -}; + // The following matches all packages starting with linux- +// "linux-"; -// This option will controls whether the development release of Ubuntu will be -// upgraded automatically. -Unattended-Upgrade::DevRelease "false"; + // Use $ to explicitely define the end of a package name. Without + // the $, "libc6" would match all of them. 
+// "libc6$"; +// "libc6-dev$"; +// "libc6-i686$"; + + // Special characters need escaping +// "libstdc\+\+6$"; + + // The following matches packages like xen-system-amd64, xen-utils-4.1, + // xenstore-utils and libxenstore3.0 +// "(lib)?xen(store)?"; + + // For more information about Python regular expressions, see + // https://docs.python.org/3/howto/regex.html +}; // This option allows you to control if on a unclean dpkg exit // unattended-upgrades will automatically run 
@@ -39,37 +75,50 @@ Unattended-Upgrade::AutoFixInterruptedDpkg "true"; // is running is possible (with a small delay) Unattended-Upgrade::MinimalSteps "true"; -// Install all unattended-upgrades when the machine is shutting down -// instead of doing it in the background while the machine is running -// This will (obviously) make shutdown slower -//Unattended-Upgrade::InstallOnShutdown "true"; +// Install all updates when the machine is shutting down +// instead of doing it in the background while the machine is running. +// This will (obviously) make shutdown slower. +// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s. +// This allows more time for unattended-upgrades to shut down gracefully +// or even install a few packages in InstallOnShutdown mode, but is still a +// big step back from the 30 minutes allowed for InstallOnShutdown previously. +// Users enabling InstallOnShutdown mode are advised to increase +// InhibitDelayMaxSec even further, possibly to 30 minutes. +//Unattended-Upgrade::InstallOnShutdown "false"; // Send email to this address for problems or packages upgrades // If empty or unset then no email is sent, make sure that you // have a working mail setup on your system. A package that provides // 'mailx' must be installed. E.g. "user@example.com" -//Unattended-Upgrade::Mail "root"; +//Unattended-Upgrade::Mail ""; // Set this value to "true" to get emails only on errors. Default // is to always send a mail if Unattended-Upgrade::Mail is set -//Unattended-Upgrade::MailOnlyOnError "true"; +//Unattended-Upgrade::MailOnlyOnError "false"; // Remove unused automatically installed kernel-related packages // (kernel images, kernel headers and kernel version locked tools). 
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; -// Do automatic removal of new unused dependencies after the upgrade +// Do automatic removal of newly unused dependencies after the upgrade +Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; + +// Do automatic removal of unused packages after the upgrade // (equivalent to apt-get autoremove) Unattended-Upgrade::Remove-Unused-Dependencies "true"; -// Automatically reboot *WITHOUT CONFIRMATION* -// if the file /var/run/reboot-required is found after the upgrade -Unattended-Upgrade::Automatic-Reboot "{{ unattended_reboot.enabled|lower }}"; +// Automatically reboot *WITHOUT CONFIRMATION* if +// the file /var/run/reboot-required is found after the upgrade +Unattended-Upgrade::Automatic-Reboot "true"; + +// Automatically reboot even if there are users currently logged in +// when Unattended-Upgrade::Automatic-Reboot is set to true +//Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; // If automatic reboot is enabled and needed, reboot at the specific // time instead of immediately // Default: "now" -Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_reboot.time }}"; +Unattended-Upgrade::Automatic-Reboot-Time "02:00"; // Use apt bandwidth limit feature, this example limits the download // speed to 70kb/sec @@ -89,8 +138,9 @@ Unattended-Upgrade::SyslogEnable "true"; // (i.e. skip or gracefully stop updates on a metered connection) // Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true"; -// Keep the custom conffile when upgrading -Dpkg::Options { - "--force-confdef"; - "--force-confold"; -}; +// Verbose logging +// Unattended-Upgrade::Verbose "false"; + +// Print debugging information both in unattended-upgrades and +// in unattended-upgrade-shutdown +// Unattended-Upgrade::Debug "false"; diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml index 030511f..524c0b1 100644 --- a/roles/wireguard/defaults/main.yml +++ b/roles/wireguard/defaults/main.yml 
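Review bot: `Unattended-Upgrade::Automatic-Reboot "true"` and `Automatic-Reboot-Time "02:00"` are now literals, replacing `{{ unattended_reboot.enabled|lower }}` and `{{ unattended_reboot.time }}`, so the `unattended_reboot:` block that config.cfg sets to `enabled: true` / `time: 06:00` in this same patch no longer does anything and the gateway reboots at 02:00 whatever the operator chose. Keep the template parameterised: `Unattended-Upgrade::Automatic-Reboot "{{ unattended_reboot.enabled|lower }}";` and `Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_reboot.time }}";`. A forced reboot drops every VPN tunnel, and the WireGuard cron updater added elsewhere in this patch can reboot on its own, so there are now two uncoordinated reboot sources on the host; the config knob is the place to keep them aligned.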
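Review bot: The last hunk removes the `Dpkg::Options { "--force-confdef"; "--force-confold"; }` block without a replacement, so conffile handling during unattended runs now depends on unattended-upgrades setting those dpkg options itself. Current releases do apply confold/confdef internally, but this should be confirmed on the target image before merging, because a conffile prompt in a non-interactive run leaves the upgrade half-applied on a host that is also configured to reboot afterwards. If there is any doubt, keep the three-line block; it is harmless when redundant.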
@@ -7,14 +7,12 @@ wireguard_port_avoid: 53 wireguard_port_actual: 51820 keys_clean_all: false wireguard_dns_servers: >- - {% if algo_dns_adblocking|default(false)|bool or dns_encryption|default(false)|bool %} - {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }} - {% else %} - {% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %} - {% endif %} + {{ wireguard_network_ipv4 | ipaddr('1') }} + {{ ',' + wireguard_network_ipv6 | ipaddr('1') if ipv6_support else '' }} wireguard_client_ip: >- {{ wireguard_network_ipv4 | ipaddr(index|int+2) }} {{ ',' + wireguard_network_ipv6 | ipaddr(index|int+2) if ipv6_support else '' }} wireguard_server_ip: >- {{ wireguard_network_ipv4 | ipaddr('1') }} {{ ',' + wireguard_network_ipv6 | ipaddr('1') if ipv6_support else '' }} +dns_allowed_ips: "{{ wireguard_network_ipv4 | ipaddr(1) }}{{ ', ' + wireguard_network_ipv6 | ipaddr(1) if ipv6_support else '' }}" diff --git a/roles/wireguard/tasks/ubuntu.yml b/roles/wireguard/tasks/ubuntu.yml index 603c065..d755dc8 100644 --- a/roles/wireguard/tasks/ubuntu.yml +++ b/roles/wireguard/tasks/ubuntu.yml 
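Review bot: `dns_allowed_ips` is built with `ipaddr(1)`, which on `10.19.49.0/24` yields `10.19.49.1/24` (the same form `wireguard_server_ip` uses for its address line), so when client.conf.j2 places it in `AllowedIPs` the /24 admits the entire VPN subnet — every other peer — for the "dns" clients instead of just the resolver. Strip the prefix so only the single host is routed: `dns_allowed_ips: "{{ wireguard_network_ipv4 | ipaddr('1') | ipaddr('address') }}{{ ', ' + wireguard_network_ipv6 | ipaddr('1') | ipaddr('address') if ipv6_support else '' }}"` (WireGuard treats a bare address as /32 or /128). The rewritten `wireguard_dns_servers` carries the same `/24` into the client's `DNS =` line, and wg-quick hands that string to the resolver configuration, so either confirm on a client that `DNS = 10.19.49.1/24` is accepted or apply `ipaddr('address')` there as well. A one-line comment that this default deliberately ignores `dns_servers`/`dns_encryption` because the AdGuard role is now always imported would save the next reader the search.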
@@ -1,12 +1,28 @@ --- -- name: WireGuard repository configured +- name: Install wireguard repo (Debian) apt_repository: - repo: ppa:wireguard/wireguard - state: present - register: result - until: result is succeeded - retries: 10 - delay: 3 + filename: unstable + repo: 'deb http://deb.debian.org/debian/ unstable main' + update_cache: yes + when: ansible_distribution == 'Debian' + +- name: Configure wireguard repo (Debian) + blockinfile: + path: /etc/apt/preferences.d/limit-unstable + create: yes + block: |- + Package: * + Pin: release a=unstable + Pin-Priority: 90 + +- name: Configure wireguard repo (Debian) + blockinfile: + path: /etc/apt/preferences.d/wireguard + create: yes + block: |- + Package: /wireguard/ + Pin: release a=unstable + Pin-Priority: 500 - name: WireGuard installed apt: @@ -19,13 +35,19 @@ dest: /etc/wireguard/.reload-module-on-update state: touch -- name: Configure unattended-upgrades - copy: - src: 50-wireguard-unattended-upgrades - dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades +- name: Wireguard updater + template: + src: wireguard-updater.sh.j2 + dest: /usr/local/sbin/wireguard-updater.sh owner: root - group: root - mode: 0644 + group: "{{ root_group|default('root') }}" + mode: 0755 + +- name: Add Wireguard updater to cron + cron: + name: "Update Wireguard" + special_time: daily + job: "/usr/local/sbin/wireguard_update.sh >/dev/null 2>&1" - name: Set OS specific facts set_fact: diff --git a/roles/wireguard/templates/client.conf.j2 b/roles/wireguard/templates/client.conf.j2 index 409ec18..2b123cf 100644 --- a/roles/wireguard/templates/client.conf.j2 +++ b/roles/wireguard/templates/client.conf.j2 
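Review bot: `Install wireguard repo (Debian)` enables the whole `unstable` suite on a stable host, and the two pin tasks after it have no `when`, so on an Ubuntu host they still write preferences for a suite that does not exist there, while on Debian the `Package: /wireguard/` pin at priority 500 makes a security gateway track sid for wireguard and for whatever dependencies a sid build pulls in, with unattended upgrades following along. If the target release has a backports suite carrying wireguard, that is the lower-risk source; if unstable must stay, guard the pin tasks with `when: ansible_distribution == 'Debian'`, give them distinct names (both are currently `Configure wireguard repo (Debian)`), and narrow the regex to `Package: wireguard wireguard-dkms wireguard-tools` rather than a substring match. The repo URL is plain `http://`, which apt's signature verification covers, and `update_cache: yes` on every run makes the task report changed each time.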
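Review bot: The cron entry in `Add Wireguard updater to cron` runs `/usr/local/sbin/wireguard_update.sh`, but the template task just above installs the script as `/usr/local/sbin/wireguard-updater.sh`, so the daily job fails on a missing file and — because the `50-wireguard-unattended-upgrades` apt config is removed in the same hunk — WireGuard updates are now switched off entirely, with the failure hidden by `>/dev/null 2>&1`. Fix the path, `job: "/usr/local/sbin/wireguard-updater.sh"`, and drop the stderr redirect so cron mail or the journal surfaces a failing update job. The `.reload-module-on-update` marker touched earlier in this file presumably served the removed apt hook; confirm it still has a reader once the cron path is the only updater.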
@@ -8,6 +8,6 @@ DNS = {{ wireguard_dns_servers }} [Peer] PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + IP_subject_alt_name) }} PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + item.1) }} -AllowedIPs = 0.0.0.0/0,::/0 +AllowedIPs = {% if item.1 is search("dns") %}{{ dns_allowed_ips }}{% else %}0.0.0.0/0{{ ', ::/0' if ipv6_support else '' }}{% endif %}{{''}} Endpoint = {{ IP_subject_alt_name }}:{{ wireguard_port }} {{ 'PersistentKeepalive = ' + wireguard_PersistentKeepalive|string if wireguard_PersistentKeepalive > 0 else '' }} diff --git a/roles/wireguard/templates/wireguard-updater.sh.j2 b/roles/wireguard/templates/wireguard-updater.sh.j2 new file mode 100644 index 0000000..4737270 --- /dev/null +++ b/roles/wireguard/templates/wireguard-updater.sh.j2 @@ -0,0 +1,13 @@ +#!/bin/sh +VERSION_OLD="$(cat /sys/module/wireguard/version)" +sudo apt-get install wireguard +VERSION_NEW="$(cat /sys/module/wireguard/version)" +#Check if wireguard updated +if [ "$VERSION_OLD" = "$VERSION_NEW" ] +then + echo "No reboot needed" +else + echo "Rebooting" + sudo reboot +fi +exit 0 diff --git a/server.yml b/server.yml index 12d6175..191501e 100644 --- a/server.yml +++ b/server.yml @@ -43,10 +43,7 @@ tags: common - import_role: - name: dns - when: - - algo_dns_adblocking or - dns_encryption + name: adguard tags: dns - import_role:
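Review bot: `AllowedIPs` now branches on `item.1 is search("dns")`, a substring match on the username, so any user whose name merely contains `dns` (`dnsmith`, `admin-dns-test`) silently gets the split-tunnel, DNS-only peer with `0.0.0.0/0` removed, while a typo in the `-dns` suffix hands out a full tunnel instead; routing policy decided by a naming convention is also invisible to whoever edits `users:` in config.cfg. Anchor the match to the scheme this patch introduces, `{% if item.1 is search("-dns$") %}`, or better, make DNS-only an explicit per-user attribute rather than a name test. The full-tunnel branch appends `::/0` only when `ipv6_support` is set, which after the facts.yml change in this patch is always the case.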
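Review bot: wireguard-updater.sh runs `sudo apt-get install wireguard` from root's cron with no `apt-get update` beforehand and no `-y`/`DEBIAN_FRONTEND=noninteractive`, so it can only ever see what is already in the package cache and aborts on the non-interactive stdin as soon as confirmation is needed; the `sudo` prefixes are redundant under cron's root, and the unconditional `sudo reboot` fires at whatever minute cron picks instead of the reboot window the unattended-upgrades template defines. The before/after comparison of `/sys/module/wireguard/version` only detects a change if the package's postinst reloads the module (which the `.reload-module-on-update` marker touched in ubuntu.yml appears intended to trigger); when the module is not reloaded, or not loaded at all, both reads agree and the reboot branch is dead, while an actual reload makes the reboot unnecessary. Compare the installed package version instead, install non-interactively, and defer the reboot by setting the marker unattended-upgrades already honours, confirming on the target release that it reboots on that marker without an upgrade of its own:
```shell
#!/bin/sh
# Runs from root's cron: no sudo needed; fail loudly rather than silently.
set -eu
export DEBIAN_FRONTEND=noninteractive
VERSION_OLD="$(dpkg-query -W -f='${Version}' wireguard 2>/dev/null || echo none)"
apt-get update -q
apt-get install -y -q --only-upgrade wireguard
VERSION_NEW="$(dpkg-query -W -f='${Version}' wireguard 2>/dev/null || echo none)"
if [ "$VERSION_OLD" = "$VERSION_NEW" ]; then
  echo "No reboot needed"
else
  # Defer to the unattended-upgrades reboot window instead of rebooting now.
  echo "WireGuard updated ($VERSION_OLD -> $VERSION_NEW); scheduling reboot"
  touch /var/run/reboot-required
fi
```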