Compare commits
26 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
3ab9170c8f
|
|||
|
875304f58b
|
|||
| 5bc955d5ef | |||
|
49f91ac87f
|
|||
|
3494008084
|
|||
| 7497629b6d | |||
| a830ad508c | |||
|
4db6fa5078
|
|||
|
78d0aa9e0a
|
|||
|
905b6c030f
|
|||
|
7548252912
|
|||
|
11fb74e01c
|
|||
|
b227be06d6
|
|||
|
5daa23e0d9
|
|||
|
26e1300bfd
|
|||
|
ee834c735d
|
|||
|
afca3b3f39
|
|||
|
004e59f708
|
|||
|
ccdb380b50
|
|||
|
29a2aa6da9
|
|||
|
17a45fe9d3
|
|||
|
38d7dda164
|
|||
|
26ff19a57b
|
|||
|
9bfb100e2c
|
|||
|
56546c3824
|
|||
|
d602a43fea
|
8
Makefile
8
Makefile
@@ -8,13 +8,21 @@ help: ## Print the help message
|
||||
sort | \
|
||||
column -s ':' -t
|
||||
|
||||
include wg.mk
|
||||
|
||||
.PHONY: check
|
||||
check: ## Check you have all dependencies
|
||||
@command -v graph-easy >/dev/null || { echo "Install perl-graph-easy" && exit 1 ;}
|
||||
@command -v ansible >/dev/null || { echo "Install ansible" && exit 1 ;}
|
||||
@command -v recsel >/dev/null || { echo "Install recutils" && exit 1 ;}
|
||||
@command -v wg >/dev/null || { echo "Install wireguard" && exit 1 ;}
|
||||
@command -v lowdown >/dev/null || { echo "Install lowdown" && exit 1 ;}
|
||||
@echo "All dependencies installed"
|
||||
|
||||
%/:
|
||||
mkdir $@
|
||||
echo '*' > $@.gitignore
|
||||
|
||||
########## Network Map ##########
|
||||
|
||||
graph_program != type graph-easy > /dev/null && printf graph-easy || printf dot
|
||||
|
||||
46
ansible/Makefile
Normal file
46
ansible/Makefile
Normal file
@@ -0,0 +1,46 @@
|
||||
hosts = $(wildcard host_vars/*.yml)
|
||||
|
||||
logs = $(patsubst host_vars/%.yml, logs/%.json, $(hosts) )
|
||||
|
||||
playbooks = $(wildcard playbooks/*.yml)
|
||||
plays = $(patsubst playbooks/%.yml, %, $(playbooks) )
|
||||
|
||||
defaults += $(wildcard logs/*)
|
||||
|
||||
###### Recipes ######
|
||||
|
||||
.PHONY: help
|
||||
help: ## Print the help message.
|
||||
@awk 'BEGIN {FS = ":.*?## "} /^[0-9a-zA-Z._-]+:.*?## / {printf "\033[36m%s\033[0m : %s\n", $$1, $$2}' $(MAKEFILE_LIST) | \
|
||||
column -s ':' -t
|
||||
|
||||
.PHONY: lint
|
||||
lint: $(playbooks) | .ansible/ ## Check syntax and lint all playbooks
|
||||
ansible-playbook --syntax-check $^
|
||||
ansible-lint $^
|
||||
|
||||
.PHONY: records
|
||||
records: $(logs) ## Current info on each host
|
||||
|
||||
$(logs): logs/%.json: | logs/
|
||||
ansible -m setup $(basename $(@F) ) > $@
|
||||
|
||||
-include logs/play.mk
|
||||
|
||||
make_play = printf '.PHONY: %s\n%s: %s \#\# %s\n\n' '$(notdir $(basename $1) )' '$(notdir $(basename $1) )' '$1' '$(shell grep -m1 -oP 'name: \K.*' $1)'
|
||||
|
||||
logs/play.mk: playbooks/*.yml
|
||||
@$(RM) $@
|
||||
@$(foreach book, $^, \
|
||||
$(call make_play, $(book), $@ ) >> $@ ; \
|
||||
printf '\t%s\n\n' 'ansible-playbook $(book)' >> $@ ; \
|
||||
)
|
||||
|
||||
%/:
|
||||
mkdir $@
|
||||
echo '*' > $@.gitignore
|
||||
|
||||
.PHONY: clean
|
||||
clean: ## Remove generated files.
|
||||
$(RM) $(defaults)
|
||||
|
||||
7
ansible/ansible.cfg
Normal file
7
ansible/ansible.cfg
Normal file
@@ -0,0 +1,7 @@
|
||||
[defaults]
|
||||
inventory = hosts.yaml
|
||||
local_tmp = .ansible
|
||||
cow_selection = random
|
||||
vault_password_file = pass.sh
|
||||
interpreter_python = auto_silent
|
||||
|
||||
9
ansible/host_vars/wireguard.yml
Normal file
9
ansible/host_vars/wireguard.yml
Normal file
@@ -0,0 +1,9 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
37363765623839666637633861353139353935323364343538356536653561373266336161353937
|
||||
3466653434666163313936393366613666393863616262320a643930663038326666653064613062
|
||||
62613661396538363539643938323033663932326362626335333438653865623038336136623030
|
||||
3735366564366431330a373061393766346631643434383364646431346231356466663737626435
|
||||
64303835343237383761633939643431333439643933636139666163393637363430633261633736
|
||||
34626631366163616439366534393031353063363138356638323634313430666330613833386661
|
||||
61346365313534353535633365626364303565363565353765353833363065343232633866633132
|
||||
63643930633266653765
|
||||
13
ansible/hosts.yaml
Normal file
13
ansible/hosts.yaml
Normal file
@@ -0,0 +1,13 @@
|
||||
all:
|
||||
vars:
|
||||
username: dmz
|
||||
locale: Europe/Belgrade
|
||||
libc_locale: en_GB.UTF-8 UTF-8
|
||||
var_locale: LANG=en_GB.UTF-8
|
||||
|
||||
wireguard:
|
||||
hosts:
|
||||
192.168.10.93:
|
||||
arch:
|
||||
hosts:
|
||||
10.0.0.1:
|
||||
3
ansible/pass.sh
Executable file
3
ansible/pass.sh
Executable file
@@ -0,0 +1,3 @@
|
||||
#!/bin/sh
|
||||
|
||||
pass dmz/xecut/dmz_ansible
|
||||
26
ansible/playbooks/files/wireguard/server_head
Normal file
26
ansible/playbooks/files/wireguard/server_head
Normal file
@@ -0,0 +1,26 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
33343563633965306633313265643038646236633465353133386365346663336163646430333962
|
||||
6165663662663065623232383636336236376363623762640a633139343330646532333631396639
|
||||
39323432323636626166636561383539353161646636666131623833396138666531616366633032
|
||||
3064646331643732660a613562343637393134323830643263393464363332663664623761636636
|
||||
38343638623539636134633735313161353233333936396638653066346163613335353266343334
|
||||
39313062633261393038636131313665653631333039633533363236636131323337633031386436
|
||||
38366435386334303366636231643565383931373936313365363165666464636236376262363336
|
||||
31363664336535343363646231306237383739326239356232343761623937666533663131323266
|
||||
30323138663666666538353063623566333961326233646533323831363433653764323566333564
|
||||
37633865313966336164336433306663343435653062396533633037333430366266376465613039
|
||||
35373762306363393534373861633839353736373463346638613838636466383762336562386434
|
||||
37666133666662633331313863636161343031666438363638356538623164343764353431373566
|
||||
35653662326134366366323835623265663530323132313138393566653063376163366132326232
|
||||
62653337383336396466386631393739633164646433373231656664376463306333643663393061
|
||||
32303535323336313364343131333633633261313761326566643733646564313432396165316532
|
||||
62303539653763343963343865626135633738666331366334353530393961623337363035333662
|
||||
38396533376166363164623531396238356632336534386636363364646263623334336666343834
|
||||
37396235346431393033303834323163646561643162646135383162623034343366613431366563
|
||||
66386330323933363035393330326539336134616364303037633230663664373335663739343361
|
||||
36653533333139336331393239626335623337663133393538343361303431636661316666383733
|
||||
64343234306336353163323235633031343138643661333863373965623666336331636339653862
|
||||
61616431366439643063313336336530383164313639646130383362643339386264333264376236
|
||||
63333531616561636638376635623738623933363933663439373137396334623361656233616236
|
||||
64386638653336616366653836663762306334363065356162353431633332633537623362643363
|
||||
3265
|
||||
7
ansible/playbooks/files/wireguard/server_private_key
Normal file
7
ansible/playbooks/files/wireguard/server_private_key
Normal file
@@ -0,0 +1,7 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
39653235613163636362653036663563383839313836643563323462616163353364323862313039
|
||||
6564656661323039393563636133303132626663366233390a343535383963353763383364376438
|
||||
36306435396461393132653161393238623562393465356166343764336661376434333335643863
|
||||
3865373732363761620a613236613963396638613831326332386530326239373062333933646239
|
||||
39313336383366636133646336653236303261346238306336663564373063383634313361356335
|
||||
6334353863363931643338663833333065343435333231623466
|
||||
1
ansible/playbooks/files/wireguard/server_public_key
Normal file
1
ansible/playbooks/files/wireguard/server_public_key
Normal file
@@ -0,0 +1 @@
|
||||
GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=
|
||||
38
ansible/playbooks/wireguard.yml
Normal file
38
ansible/playbooks/wireguard.yml
Normal file
@@ -0,0 +1,38 @@
|
||||
---
|
||||
- name: Install Wireguard on Server
|
||||
hosts: wireguard
|
||||
user: root
|
||||
|
||||
tasks:
|
||||
- name: Install wireguard tools and dig
|
||||
ansible.builtin.package:
|
||||
name:
|
||||
- wireguard-tools
|
||||
- bind
|
||||
|
||||
- name: Copy keys to server
|
||||
ansible.builtin.copy:
|
||||
src: wireguard/wg0.conf
|
||||
dest: /etc/wireguard/wg0.conf
|
||||
notify: Reload systemd daemon
|
||||
|
||||
- name: Get server public IP
|
||||
ansible.builtin.command: dig +short myip.opendns.com @resolver1.opendns.com
|
||||
register: wireguard_public_ip
|
||||
|
||||
- name: Allow ipv4 forwarding
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/sysctl.d/wg.conf
|
||||
line: net.ipv4.ip_forward=1
|
||||
create: yes
|
||||
|
||||
- name: Start the wireguard service
|
||||
ansible.builtin.service:
|
||||
name: wg-quick@wg0
|
||||
enabled: yes
|
||||
|
||||
handlers:
|
||||
- name: Reload systemd daemon
|
||||
ansible.builtin.command:
|
||||
cmd: systemctl daemon-reload
|
||||
|
||||
14
ansible/templates/wireguard/wg0.conf.j2
Normal file
14
ansible/templates/wireguard/wg0.conf.j2
Normal file
@@ -0,0 +1,14 @@
|
||||
|
||||
[Interface]
|
||||
Address = 10.0.0.1/24
|
||||
SaveConfig = true
|
||||
PrivateKey = {{ wg_private_key }}
|
||||
ListenPort = 51900
|
||||
|
||||
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ wg_public_key }}
|
||||
AllowedIPs = 10.0.0.2/32
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
# List of containers
|
||||
|
||||
## sumadijamoxx
|
||||
|
||||
ip is the same as a container ID
|
||||
example
|
||||
101 ssh12 -> 192.168.7.101
|
||||
|
||||
VMID Name
|
||||
101 ssh12
|
||||
102 nginxproxymanager12
|
||||
103 searxng12
|
||||
104 homepage12
|
||||
105 privatebin13
|
||||
106 librespeed-rust12
|
||||
107 tor13
|
||||
200 wireguard12
|
||||
|
||||
|
||||
##### Legend
|
||||
|
||||
12 -> debian 12
|
||||
13 -> debian 13
|
||||
|
||||
## Forwareded ports
|
||||
|
||||
192.168.7.243:443 -> 80
|
||||
192.168.7.101:22 -> 22
|
||||
|
||||
@@ -1,9 +0,0 @@
|
||||
---
|
||||
VMID: 102
|
||||
---
|
||||
|
||||
NgniX proxy manager built with [script](https://community-scripts.github.io/ProxmoxVE/scripts?id=nginxproxymanager)
|
||||
|
||||
Forwarded to port 80
|
||||
|
||||
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
VMID: 105
|
||||
---
|
||||
|
||||
PrivateBin instance built with [script](https://community-scripts.github.io/ProxmoxVE/scripts?id=privatebin)
|
||||
|
||||
Not yet public/forwarded
|
||||
@@ -1,3 +0,0 @@
|
||||
TP Link (hopefully openWRT in future)
|
||||
|
||||
Router is inside the existing network for further forwarding, contact coja (best on xmpp)
|
||||
@@ -1,8 +0,0 @@
|
||||
---
|
||||
VMID: 102
|
||||
---
|
||||
|
||||
SearXNG instance built with [script](https://community-scripts.github.io/ProxmoxVE/scripts?id=searxng)
|
||||
|
||||
|
||||
Not yet public/forwarded
|
||||
@@ -1,9 +0,0 @@
|
||||
---
|
||||
VMID: 101
|
||||
---
|
||||
|
||||
SSH port from this container should be forwarded to sumadija.dmz.rs
|
||||
SSH access to other containers is done through this one with ssh jump, passwords are disabled, so only keys verification is used.
|
||||
|
||||
[wiki page](https://wiki.dmz.rs/en/sysadmin/ssh)
|
||||
|
||||
@@ -1,9 +0,0 @@
|
||||
---
|
||||
VMID: 107
|
||||
---
|
||||
|
||||
In this container hosts the tor onion service, used for remote access to the proxmox, through tor. Credentatials are in the password manager
|
||||
|
||||
|
||||
ssh12 -> port 22
|
||||
smoxx -> 8006
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
VMID: 200
|
||||
---
|
||||
|
||||
Wireguard server for VPN access to sumadija network
|
||||
54
wg.mk
Normal file
54
wg.mk
Normal file
@@ -0,0 +1,54 @@
|
||||
public_key = $(shell cat /etc/wireguard/dmz_public_key)
|
||||
name := $(shell git config list | grep user.nam | cut -d= -f2)
|
||||
|
||||
|
||||
# Local keys
|
||||
|
||||
wireguard/dmz_private_key: | /bin/wg wireguard/
|
||||
wg genkey > $@
|
||||
chmod 700 $@
|
||||
|
||||
wireguard/dmz_public_key: wireguard/dmz_private_key | /bin/wg
|
||||
$| pubkey < $< > $@
|
||||
|
||||
##############################
|
||||
|
||||
wgkeys.rec: wireguard/dmz_public_key
|
||||
$(info Adding wireguard key as '$(name)')
|
||||
recins --verbose $@ -t $(basename $@) -f name -v '$(name)' -f pubkey -v '$(shell cat $<)'
|
||||
git add $@
|
||||
git commit -m"add wireguard key for $(name)"
|
||||
$(info Remember to git push)
|
||||
|
||||
wireguard/dmz.conf: wireguard/dmz_bare.conf | wireguard/dmz_private_key
|
||||
sed 's#PRIVATE_KEY#$(shell cat $|)#' $< > $@
|
||||
|
||||
wireguard/dmz_bare.conf: wgkeys.rec | xecut/nimbus/dmz.conf
|
||||
recsel $< -t $(basename $<) -e 'name = "$(name)"' | recfmt -f $| > $@
|
||||
|
||||
###### Wireguard configuration #####
|
||||
|
||||
wireguard/wg_peers.txt: wgkeys.rec | xecut/nimbus/wg_peer.fmt
|
||||
recsel $< -t $(basename $<) | recfmt -f $| > $@
|
||||
|
||||
ignored += ansible/playbooks/files/wireguard/wg0.conf
|
||||
|
||||
ansible/playbooks/files/wireguard/wg0.conf: wireguard/wg_peers.txt | ansible/playbooks/files/wireguard/server_head
|
||||
cd ansible && ansible-vault view playbooks/files/wireguard/server_head > playbooks/files/wireguard/wg0.conf
|
||||
cat $< >> $@
|
||||
cd ansible && ansible-vault encrypt playbooks/files/wireguard/wg0.conf
|
||||
|
||||
|
||||
##### Installing Wireguard Client #####
|
||||
|
||||
.PHONY: wg-create
|
||||
wg-create: wireguard/dmz.conf ## Set up wireguard keys (do this before installing)
|
||||
|
||||
.PHONY: wg-install
|
||||
wg-install: /etc/wireguard/dmz.conf ## Install wireguard keys (use sudo)
|
||||
/etc/wireguard/dmz.conf: wireguard/dmz.conf | /bin/wg
|
||||
cp $< $@
|
||||
|
||||
.PHONY: wg-setup
|
||||
wg-setup: ansible/playbooks/files/wireguard/wg0.conf ## Renew the wireguard config
|
||||
make -C ansible wireguard
|
||||
19
wgkeys.rec
Normal file
19
wgkeys.rec
Normal file
@@ -0,0 +1,19 @@
|
||||
%rec: wgkeys
|
||||
%key: id
|
||||
%type: name,pubkey line
|
||||
%type: id int
|
||||
%auto: id
|
||||
%mandatory: name
|
||||
+ pubkey
|
||||
|
||||
id: 2
|
||||
name: Malin Freeborn
|
||||
pubkey: loNnXRalD0ZyOLadSWm31rqOuRfEbgtX9O4/z7eSIho=
|
||||
|
||||
id: 3
|
||||
name: coja
|
||||
pubkey: snfw8r1hIAtTABGd7K9xIZ9RH62qMEK4fRqVm4EbniQ=
|
||||
|
||||
id: 4
|
||||
name: netstat
|
||||
pubkey: Z8bk25hHo6oadOX7KtoLUDXGW9r+thMiR320aiGmQAQ=
|
||||
11
xecut/nimbus/dmz.conf
Normal file
11
xecut/nimbus/dmz.conf
Normal file
@@ -0,0 +1,11 @@
|
||||
# Client configuration for wireguard to nimbus at xecut.
|
||||
|
||||
[Interface]
|
||||
Address = 10.0.0.{{id}}/32
|
||||
PrivateKey = PRIVATE_KEY
|
||||
|
||||
[Peer]
|
||||
PublicKey = GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=
|
||||
Endpoint = space.xecut.me:51900
|
||||
AllowedIPs = 10.0.0.1/24
|
||||
|
||||
4
xecut/nimbus/wg_peer.fmt
Normal file
4
xecut/nimbus/wg_peer.fmt
Normal file
@@ -0,0 +1,4 @@
|
||||
[Peer]
|
||||
PublicKey = {{pubkey}}
|
||||
AllowedIPs = 10.0.0.{{id}}/32
|
||||
|
||||
14
xecut/nimbus/wireguard_client.conf
Normal file
14
xecut/nimbus/wireguard_client.conf
Normal file
@@ -0,0 +1,14 @@
|
||||
|
||||
[Interface]
|
||||
Address = 10.0.0.1/24
|
||||
SaveConfig = true
|
||||
PrivateKey = PRIVATE_KEY
|
||||
ListenPort = 51900
|
||||
|
||||
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
||||
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
||||
|
||||
[Peer]
|
||||
PublicKey = GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=
|
||||
AllowedIPs = 10.0.0.2/32
|
||||
|
||||
Reference in New Issue
Block a user