wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-08-17 02:03:03 +02:00
Code Issues Projects Releases Wiki Activity

WireGuard BSD

Browse source
This commit is contained in:
Jack Ivanov 2018-07-17 14:50:08 +03:00
parent 76a8fe35db
commit a84308ef3a
12 changed files with 115 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
cloud.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: Provision the server - name: Provision the server
hosts: localhost hosts: localhost
tags: algo tags: always
vars_files: vars_files:
- config.cfg - config.cfg

2
input.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: Ask user for the input - name: Ask user for the input
hosts: localhost hosts: localhost
tags: algo tags: always
vars: vars:
defaults: defaults:
server_name: algo server_name: algo

4
roles/common/tasks/facts.yml
View file

@ -23,4 +23,8 @@
- set_fact: - set_fact:
CA_password: "{{ CA_password.stdout }}" CA_password: "{{ CA_password.stdout }}"
IP_subject_alt_name: "{{ IP_subject_alt_name }}" IP_subject_alt_name: "{{ IP_subject_alt_name }}"
- name: Set IPv6 support as a fact
set_fact:
ipv6_support: "{% if ansible_default_ipv6['gateway'] is defined %}true{% else %}false{% endif %}" ipv6_support: "{% if ansible_default_ipv6['gateway'] is defined %}true{% else %}false{% endif %}"
tags: always

2
roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
View file

@ -151,7 +151,7 @@ tls_disable_session_tickets = true
## People in China may need to use 114.114.114.114:53 here. ## People in China may need to use 114.114.114.114:53 here.
## Other popular options include 8.8.8.8 and 1.1.1.1. ## Other popular options include 8.8.8.8 and 1.1.1.1.
fallback_resolver = '127.0.0.53:53' fallback_resolver = '{% if ansible_distribution == "FreeBSD" %}{{ ansible_dns.nameservers.0 }}:53{% else %}127.0.0.53:53{% endif %}'
## Never try to use the system DNS settings; unconditionally use the ## Never try to use the system DNS settings; unconditionally use the

6
roles/vpn/tasks/main.yml
View file

@ -1,11 +1,5 @@
--- ---
- block: - block:
- name: Include WireGuard role
include_role:
name: wireguard
tags: wireguard
when: wireguard_enabled and ansible_distribution == 'Ubuntu'
- name: Ensure that the strongswan group exist - name: Ensure that the strongswan group exist
group: name=strongswan state=present group: name=strongswan state=present

40
roles/wireguard/files/wireguard.sh Normal file
View file

@ -0,0 +1,40 @@
#!/bin/sh
# PROVIDE: wireguard
# REQUIRE: LOGIN
# BEFORE: securelevel
# KEYWORD: shutdown
. /etc/rc.subr
name="wg"
rcvar=wg_enable
command="/usr/local/bin/wg-quick"
start_cmd=wg_up
stop_cmd=wg_down
status_cmd=wg_status
pidfile="/var/run/$name.pid"
load_rc_config "$name"
: ${wg_enable="NO"}
: ${wg_interface="wg0"}
wg_up() {
echo "Starting WireGuard..."
/usr/sbin/daemon -cS -p ${pidfile} ${command} up ${wg_interface}
}
wg_down() {
echo "Stopping WireGuard..."
${command} down ${wg_interface}
}
wg_status () {
not_running () {
echo "WireGuard is not running on $wg_interface" && exit 1
}
/usr/local/bin/wg show wg0 && echo "WireGuard is running on $wg_interface" || not_running
}
run_rc_command "$1"

2
roles/wireguard/handlers/main.yml
View file

@ -1,5 +1,5 @@
--- ---
- name: restart wireguard - name: restart wireguard
service: service:
name: "wg-quick@{{ wireguard_interface }}" name: "{{ service_name }}"
state: restarted state: restarted

16
roles/wireguard/tasks/freebsd.yml Normal file
View file

@ -0,0 +1,16 @@
---
- name: BSD | WireGuard installed
package:
name: wireguard
state: present
- set_fact:
service_name: wireguard
tags: always
- name: BSD | Configure rc script
copy:
src: wireguard.sh
dest: /usr/local/etc/rc.d/wireguard
mode: "0755"
notify: restart wireguard

6
roles/wireguard/tasks/keys.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: Delete the lock files - name: Delete the lock files
file: file:
dest: "/etc/wireguard/private_{{ item }}.lock" dest: "{{ config_prefix|default('/') }}etc/wireguard/private_{{ item }}.lock"
state: absent state: absent
when: keys_clean_all|bool == True when: keys_clean_all|bool == True
with_items: with_items:
@ -12,7 +12,7 @@
command: wg genkey command: wg genkey
register: wg_genkey register: wg_genkey
args: args:
creates: "/etc/wireguard/private_{{ item }}.lock" creates: "{{ config_prefix|default('/') }}etc/wireguard/private_{{ item }}.lock"
with_items: with_items:
- "{{ users }}" - "{{ users }}"
- "{{ IP_subject_alt_name }}" - "{{ IP_subject_alt_name }}"
@ -31,7 +31,7 @@
- name: Touch the lock file - name: Touch the lock file
file: file:
dest: "/etc/wireguard/private_{{ item }}.lock" dest: "{{ config_prefix|default('/') }}etc/wireguard/private_{{ item }}.lock"
state: touch state: touch
with_items: with_items:
- "{{ users }}" - "{{ users }}"

42
roles/wireguard/tasks/main.yml
View file

@ -1,27 +1,4 @@
--- ---
- name: WireGuard repository configured
apt_repository:
repo: ppa:wireguard/wireguard
state: present
register: result
until: result is succeeded
retries: 10
delay: 3
- name: WireGuard installed
apt:
name: wireguard
state: present
update_cache: true
- name: Configure unattended-upgrades
copy:
src: 50-wireguard-unattended-upgrades
dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades
owner: root
group: root
mode: 0644
- name: Ensure the required directories exist - name: Ensure the required directories exist
file: file:
dest: "{{ wireguard_config_path }}/{{ item }}" dest: "{{ wireguard_config_path }}/{{ item }}"
@ -33,6 +10,16 @@
delegate_to: localhost delegate_to: localhost
become: false become: false
- name: Include tasks for Ubuntu
include_tasks: ubuntu.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
tags: always
- name: Include tasks for FreeBSD
include_tasks: freebsd.yml
when: ansible_distribution == 'FreeBSD'
tags: always
- name: Generate keys - name: Generate keys
import_tasks: keys.yml import_tasks: keys.yml
tags: update-users tags: update-users
@ -40,16 +27,11 @@
- name: WireGuard configured - name: WireGuard configured
template: template:
src: server.conf.j2 src: server.conf.j2
dest: "/etc/wireguard/{{ wireguard_interface }}.conf" dest: "{{ config_prefix|default('/') }}etc/wireguard/{{ wireguard_interface }}.conf"
mode: "0600" mode: "0600"
notify: restart wireguard notify: restart wireguard
tags: update-users tags: update-users
- name: WireGuard reload-module-on-update
file:
dest: /etc/wireguard/.reload-module-on-update
state: touch
- name: WireGuard users config generated - name: WireGuard users config generated
template: template:
src: client.conf.j2 src: client.conf.j2
@ -62,7 +44,7 @@
- name: WireGuard enabled and started - name: WireGuard enabled and started
service: service:
name: "wg-quick@{{ wireguard_interface }}" name: "{{ service_name }}"
state: started state: started
enabled: true enabled: true

32
roles/wireguard/tasks/ubuntu.yml Normal file
View file

@ -0,0 +1,32 @@
---
- name: WireGuard repository configured
apt_repository:
repo: ppa:wireguard/wireguard
state: present
register: result
until: result is succeeded
retries: 10
delay: 3
- name: WireGuard installed
apt:
name: wireguard
state: present
update_cache: true
- name: WireGuard reload-module-on-update
file:
dest: /etc/wireguard/.reload-module-on-update
state: touch
- name: Configure unattended-upgrades
copy:
src: 50-wireguard-unattended-upgrades
dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades
owner: root
group: root
mode: 0644
- set_fact:
service_name: "wg-quick@{{ wireguard_interface }}"
tags: always

4
server.yml
View file

@ -9,6 +9,7 @@
roles: roles:
- role: common - role: common
tags: common
- role: dns_encryption - role: dns_encryption
when: dns_encryption when: dns_encryption
tags: dns_encryption tags: dns_encryption
@ -18,6 +19,9 @@
- role: ssh_tunneling - role: ssh_tunneling
when: algo_ssh_tunneling when: algo_ssh_tunneling
tags: ssh_tunneling tags: ssh_tunneling
- role: wireguard
when: wireguard_enabled
tags: wireguard
- role: vpn - role: vpn
tags: vpn tags: vpn