
No commits in common. "main" and "nextcloud_aio" have entirely different histories.

19 changed files with 3 additions and 555 deletions


@ -54,8 +54,7 @@ fact_caching_timeout=86400
# (pathspec) Colon-separated paths in which Ansible will search for collections content. Collections must be in nested *subdirectories*, not directly in these directories. For example, if ``COLLECTIONS_PATHS`` includes ``'{{ ANSIBLE_HOME ~ "/collections" }}'``, and you want to add ``my.collection`` to that directory, it must be saved as ``'{{ ANSIBLE_HOME} ~ "/collections/ansible_collections/my/collection" }}'``. # (pathspec) Colon-separated paths in which Ansible will search for collections content. Collections must be in nested *subdirectories*, not directly in these directories. For example, if ``COLLECTIONS_PATHS`` includes ``'{{ ANSIBLE_HOME ~ "/collections" }}'``, and you want to add ``my.collection`` to that directory, it must be saved as ``'{{ ANSIBLE_HOME} ~ "/collections/ansible_collections/my/collection" }}'``.
collections_path=/Users/fabioisti/.ansible/collections:/usr/share/ansible/collections ;collections_path=/Users/fabioisti/.ansible/collections:/usr/share/ansible/collections
# (boolean) A boolean to enable or disable scanning the sys.path for installed collections. # (boolean) A boolean to enable or disable scanning the sys.path for installed collections.
;collections_scan_sys_path=True ;collections_scan_sys_path=True


@ -1,117 +0,0 @@
bind_allow_query:
- "any"
bind_listen:
ipv4:
- port: 53
addresses:
- "127.0.0.1"
- "146.48.108.51"
- port: 5353
addresses:
- "127.0.1.1"
bind_zones:
- name: 'sifi.isti.cnr.it'
# default: primary [primary, secondary, forward]
# type: primary
# create_forward_zones: true
# Skip creation of reverse zones
# create_reverse_zones: false
# fpr type: secondary
primaries:
- 146.48.108.51
networks:
- '146.48.108'
#ipv6_networks:
# - '2001:db9::/48'
name_servers:
- ns1.sifi.isti.cnr.it.
# hostmaster_email: admin
#
#allow_updates:
# - "10.0.1.2"
# - 'key "external-dns"'
#allow_transfers:
# - 'key "external-dns"'
hosts:
- name: ns1
ip: 146.48.108.51
- name: bigbrain
ip: 146.48.108.14
- name: wireguarder
ip: 146.48.108.13
#ipv6: '2001:db9::1'
#mail_servers:
# - name: mail001
# preference: 10
bind_logging:
enable: true
channels:
- channel: general
file: "data/general.log"
versions: 3
size: 10M
print_time: true # true | false
print_category: true
print_severity: true
severity: dynamic # critical | error | warning | notice | info | debug [level] | dynamic
- channel: query
file: "data/query.log"
versions: 5
size: 10M
print_time: "" # true | false
severity: info #
- channel: dnssec
file: "data/dnssec.log"
versions: 5
size: 10M
print_time: "" # true | false
severity: info #
- channel: notify
file: "data/notify.log"
versions: 5
size: 10M
print_time: "" # true | false
severity: info #
- channel: transfers
file: "data/transfers.log"
versions: 5
size: 10M
print_time: "" # true | false
severity: info #
- channel: slog
syslog: security # kern | user | mail | daemon | auth | syslog | lpr |
# news | uucp | cron | authpriv | ftp |
# local0 | local1 | local2 | local3 |
# local4 | local5 | local6 | local7
# file: "data/transfers.log"
#versions: 5
#size: 10M
print_time: "" # true | false
severity: info #
categories:
"xfer-out":
- transfers
- slog
"xfer-in":
- transfers
- slog
notify:
- notify
"lame-servers":
- general
config:
- general
default:
- general
security:
- general
- slog
dnssec:
- dnssec
queries:
- query


@ -1,79 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,12 +0,0 @@
---
wg_interface: wg0
wg_port: 51820
#wg_server_public_interface: eth0
wg_server_address: 192.168.99.1/32
#wg_server_private_key: "{{ wg_server_private_key }}"
wg_peers:
- name: fabio_test
publicKey: "dzODOKndtafZSf2GqvClFdxrpwyNJnZ/AsZkNl+ovEE="
allowedIP: "192.168.99.4/32"


@ -1,23 +0,0 @@
---
# SIFI
sifi:
children:
opn:
hosts:
sifi_opnsense.sifi.isti.cnr.it:
# ns1.sifi.isti.cnr.it:
# ansible_host: 146.48.108.51 #[WAN public ip]
# ansible_host: 10.20.30.111
wireguard_server:
hosts:
wireguarder.sifi.isti.cnr.it:
# ansible_host: 146.48.108.13
nameserver:
hosts:
ns1.sifi.isti.cnr.it:
ansible_host: 146.48.108.51
# dns1.internal.sifi.isti.cnr.it:
# ansible_host: 10.11.12.11
workers:
hosts:
worker1.internal.sifi.isti.cnr.it:


@ -1,6 +1,6 @@
- hosts: all - hosts: all
become: yes become: yes
#debugger: on_failed debugger: on_failed
tasks: tasks:
- name: Add the ansible group - name: Add the ansible group
group: group:
@ -32,23 +32,6 @@
mode: 0440 mode: 0440
- name: Init cache directory
ansible.builtin.file:
path: /var/cache/ansible
owner: ansible
group: ansible
state: directory
mode: u=rwx,g=rw,o=r
- name: Init etc directory
ansible.builtin.file:
path: /etc/ansible
owner: ansible
group: ansible
state: directory
mode: u=rwx,g=rw,o=r
# Inserts public keys of allowed externals users to log in as ansible # Inserts public keys of allowed externals users to log in as ansible
# e.g. fabio # e.g. fabio
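Review bot: Leaving `debugger: on_failed` active at play level in the first hunk means any failed task on a play that targets `hosts: all` with `become: yes` drops `ansible-playbook` into an interactive debugger prompt; the line reads as commented out on the old side and active on the new side, as far as the side-by-side rendering shows. An unattended or CI run will then block waiting for input, and the prompt exposes the failing task's arguments and variables to whoever holds the terminal. Keep the committed playbook at `#debugger: on_failed` and enable the debugger per run when it is needed, e.g. `ANSIBLE_ENABLE_TASK_DEBUGGER=True ansible-playbook ...`. The play's task list continues outside both hunks, so check that nothing else relies on the debugger being on.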


@ -1,19 +0,0 @@
---
- name: Configure Nameserver
hosts: nameserver
collections:
- bodsch.dns
tasks:
- name: Import role Bind
ansible.builtin.import_role:
name: bind
- name: Start a service
become: True
ansible.builtin.systemd:
name: named
state: restarted


@ -1,28 +0,0 @@
---
# Usese oxlorg.opnsense
# Check documentation @ https://ansible-opnsense.oxl.app/usage/2_basic.html#prerequisites
- name: Configure OPNSense
hosts: opn
connection: local #executes on controller
gather_facts: false
collections:
- oxlorg.opnsense
module_defaults:
oxlorg.opnsense.alias:
api_credential_file: '/Users/fabioisti/Keys/ns1.sifi.isti.cnr.it_fabio_apikey.txt'
firewall: "{{ ansible_host}}"
ssl_verify: true
ssl_ca_file: '/Users/fabioisti/git/SSE-LAB/ansible/inventories/group_vars/sifi/SIFI_CA.pem'
tasks:
- name : Check libs
script: /Users/fabioisti/test_httpx.py
args:
executable: python3
- name: Test
oxlorg.opnsense.alias:
name: 'ANSIBLE_TEST1'
content: ['1.1.1.1']


@ -1,24 +0,0 @@
# requirements.yml
---
roles:
# - name: bodsch.dns.bind
# version:
# - name: nginx
# src: git@github.com:myorg/ansible-role-nginx.git
# scm: git
# version: v2.0.0
collections:
- name: bodsch.dns
source: https://github.com/bodsch/ansible-collection-dns.git
type: git
version: 1.4.1
# - name: community.postgresql
# version: "3.2.0"
# - name: ansible.posix
# version: "1.5.4"
# - name: myorg.infrastructure
# source: https://hub.internal.com/api/galaxy/
# version: "1.0.0"


@ -1,5 +0,0 @@
---
- name: Restart WireGuard
ansible.builtin.systemd:
name: "wg-quick@{{ wg_interface }}"
state: restarted


@ -1,31 +0,0 @@
# wireguard_server.yml - Configure WireGuard VPN server
---
- name: Get Private Key [privatekey => var_privatekey]
shell: cat privatekey
register: wg_server_private_key
args:
chdir: /etc/wireguard
- name: Deploy WireGuard server configuration
ansible.builtin.template:
src: templates/wireguard_server.jinja
dest: "/etc/wireguard/{{ wg_interface }}.conf"
owner: root
group: root
mode: '0600'
notify: Restart WireGuard
- name: Enable and start WireGuard
ansible.builtin.systemd:
name: "wg-quick@{{ wg_interface }}"
state: started
enabled: true
- name: Open WireGuard port in firewall
community.general.ufw:
rule: allow
port: "{{ wg_port }}"
proto: udp
comment: "WireGuard VPN"
ignore_errors: true


@ -1,49 +0,0 @@
# generate_keys.yml - Generate WireGuard key pairs
---
- name: Create WireGuard directory
ansible.builtin.file:
path: /etc/wireguard
state: directory
mode: '0700'
- name: Check if private key already exists
ansible.builtin.stat:
path: /etc/wireguard/privatekey
register: privkey_file
- name: Generate private key
ansible.builtin.command: wg genkey
register: wg_private_key
when: not privkey_file.stat.exists
changed_when: true
- name: Save private key
ansible.builtin.copy:
content: "{{ wg_private_key.stdout }}"
dest: /etc/wireguard/privatekey
owner: root
group: root
mode: '0600'
when: not privkey_file.stat.exists
- name: Read private key
ansible.builtin.slurp:
src: /etc/wireguard/privatekey
register: private_key_content
- name: Generate public key from private key
ansible.builtin.shell: echo "{{ private_key_content.content | b64decode | trim }}" | wg pubkey
register: wg_public_key
changed_when: false
- name: Save public key
ansible.builtin.copy:
content: "{{ wg_public_key.stdout }}"
dest: /etc/wireguard/publickey
owner: root
group: root
mode: '0644'
- name: Display public key for reference
ansible.builtin.debug:
msg: "Public key for {{ inventory_hostname }}: {{ wg_public_key.stdout }}"


@ -1,25 +0,0 @@
# install_wireguard.yml - Install WireGuard on Linux hosts
---
- name: Install WireGuard on Debian/Ubuntu
ansible.builtin.apt:
name:
- wireguard
- wireguard-tools
state: present
update_cache: true
when: ansible_os_family == "Debian"
- name: Install WireGuard on RHEL/CentOS 8+
ansible.builtin.yum:
name:
- wireguard-tools
state: present
when: ansible_os_family == "RedHat"
- name: Enable IP forwarding
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: true
state: present
reload: true


@ -1,4 +0,0 @@
---
- include_tasks: install_wireguard.yaml
- include_tasks: generate_keys.yaml
- include_tasks: configure_server.yaml


@ -1,62 +0,0 @@
---
- name: Install Wireguard Server
apt:
pkg:
- wireguard
state: latest
update_cache: true
- name: Create directory for wg keys
ansible.builtin.file:
path: /etc/wireguard/keys
state: directory
mode: '0755'
- name: Creating server privatekey and publickey
shell: wg genkey | tee privatekey | wg pubkey > publickey
args:
chdir: /etc/wireguard/keys
- name: Get Private Key [privatekey => var_privatekey]
shell: cat privatekey
register: var_privatekey
args:
chdir: /etc/wireguard/keys
#- name: Add WireGuard interface
# command: ip link add dev wg0 type wireguard
- name: Updating configuration
template:
src: wireguard_server.jinja
dest: /etc/wireguard/wg0.conf
#- name: Activating link
# command: ip link set up dev wg0
- name: Starting wg service
systemd:
state: started
name: wg-quick@wg0
enabled: yes
- name: Getting public key
shell: cat publickey
register: var_publickey
args:
chdir: /etc/wireguard/keys
- name: Check server public IP
shell: curl https://ipinfo.io/ip
register: var_server_ip
- name: Printing public key
debug:
msg: "Server {{ ansible_hostname }} reachable @{{var_server_ip}}. Public key is {{ var_publickey }}"


@ -1,27 +0,0 @@
# templates/wireguard-server.conf.j2 - WireGuard server configuration
# Managed by Ansible - do not edit manually
[Interface]
Address = {{ wg_server_address }}
ListenPort = {{ wg_port }}
PrivateKey = {{ wg_server_private_key.stdout }}
# IP forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1
# IP masquerading
PreUp = iptables -t mangle -A PREROUTING -i {{wg_interface}} -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o {{wg_interface}} -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i {{wg_interface}} -j MARK --set-mark 0x30
PostDown = iptables -t nat -D POSTROUTING ! -o {{wg_interface}} -m mark --mark 0x30 -j MASQUERADE
{% for peer in wg_peers %}
# {{ peer.name }}
[Peer]
PublicKey = {{ peer.publicKey }}
AllowedIPs = {{ peer.allowedIP }}
{% if peer.persistent_keepalive is defined %}
PersistentKeepalive = {{ peer.persistent_keepalive }}
{% endif %}
{% endfor %}


@ -1,6 +0,0 @@
---
- name: Configure VPN Server
hosts: wireguard_server
become: true
roles:
- wireguard_server


@ -8,9 +8,6 @@ Playbooks run Roles against node groups.
Roles define set of Tasks. Roles define set of Tasks.
### Install both roles and collections
`ansible-galaxy install -r requirements.yml`
## Playbooks ## Playbooks
@ -19,8 +16,7 @@ Launch playbooks from present folder in order to use [default config file](ansib
**Site** playbook launches them all. **Site** playbook launches them all.
**Bootstrap** is to be run first on new installations. **Bootstrap** is to be run first on new installations.
**NameServer** configures a BIND DNS
**OPNSense** configure a OPNSense edge node
### Site ### Site
This playbook recalls all the following playbooks in the stated order. This playbook recalls all the following playbooks in the stated order.
@ -44,21 +40,6 @@ Creates sudoer user ansible, necessitates of sudoer user.
Use `ansible-playbook -i inventories playbooks/bootstrap.yml -l [TARGET_HOST] -e 'ansible_user=[REMOTE_USER]' -K` Use `ansible-playbook -i inventories playbooks/bootstrap.yml -l [TARGET_HOST] -e 'ansible_user=[REMOTE_USER]' -K`
### NameServer ###
Configures a BIND DNS. Uses collection bodsch.dns.
NB DNS configuration comes from variable file.
### OPNSense ###
Configures a OPNSense edge node features :
- BIND DNS
- FIREWALL
- Wireguard VPN
NB runs locally so python intepreter needs to be specified
E.g. `ansible-playbook -i inventories/sifi.yaml playbooks/opnsense.yaml --extra-vars="ansible_python_interpreter=$(which python)"
`
## Inventories ## Inventories
### Main Lab ### Main Lab
@ -73,10 +54,6 @@ Management of production services, beware!
Hosts are commented by default Hosts are commented by default
### Sifi
Macchine per il gruppo di lavoro Sistemi Fiscali
### Prox1_lab ### Prox1_lab
Prox mox laboratory Prox mox laboratory