diff --git a/Readme_Stefan.txt b/Readme_Stefan.txt
new file mode 100644
index 0000000..8c561f1
--- /dev/null
+++ b/Readme_Stefan.txt
@@ -0,0 +1,98 @@ + _____ _ +| ___| __ ___ | |__ ___ +| |_ | '__/ _ \| '_ \ / _ \ +| _|| | | (_) | | | | __/ +|_| |_| \___/|_| |_|\___| + +__ __ _ _ _ _ _ +\ \ / /__(_) |__ _ __ __ _ ___| |__ | |_ ___ _ __ | | + \ \ /\ / / _ \ | '_ \| '_ \ / _` |/ __| '_ \| __/ _ \ '_ \| | + \ V V / __/ | | | | | | | (_| | (__| | | | || __/ | | |_| + \_/\_/ \___|_|_| |_|_| |_|\__,_|\___|_| |_|\__\___|_| |_(_) + + + +Lieber Iljas, + +Dein Weihnachtsgeschenk dieses Jahr ist mit Arbeit verbunden - Arbeit +Deinerseits wohlgemerkt ;-) + +Um es zu genießen mußt Du zuerst: +- dem mächtigen amazon Konzern noch weiter in die Hände spielen und Dir +einen aws Account einrichten +- auf Deinem nagelneuen AWS Account unter Sicherheit/IAM einen Benutzer +hinzufügen mit Zugriffstyp "Programmgesteuerter Zugriff" +- die dabei generierten Tokens Dir merken und z.B. in Deine .bashrc +eintragen als Umgebungsvariablen `AWS_ACCESS_KEY_ID` und `AWS_SECRET_ACCESS_KEY` +- Dir ansible installieren - und da Du wahrscheinlich verstehen willst was +passiert, ist das ansible lernen die eigentliche Arbeit ;-) +- das ansible-Playbook anschauen und ausführen, dass Stefan erstellt hat und +das unter wg-aws geclont ist +- Dir auf Deinen Geräten wireguard als VPN Software installieren +- die Konfigurationen, die das ansible Playbook erstellt hat auf Deinen +Geräten importieren (als Datei oder qrcode) +- Dich über Deinen neuen mini-Cloud-VPN-Server freuen auf dem Du auch sonst +alles machen kannst was Du magst +- mit der Inbetriebnahme den unten stehenden Gutschein bei uns einlösen +;-) - leider bietet aws nämlich kein Prepaid an ... 
+ + _ _ _ ___ +__ _____ _ __ | | (_)_ __ __| | __ _ ( _ ) +\ \ / / _ \| '_ \ | | | | '_ \ / _` |/ _` | / _ \/\ + \ V / (_) | | | | | |___| | | | | (_| | (_| | | (_> < + \_/ \___/|_| |_| |_____|_|_| |_|\__,_|\__,_| \___/\/ + + ____ _ __ +/ ___|| |_ ___ / _| __ _ _ __ +\___ \| __/ _ \ |_ / _` | '_ \ + ___) | || __/ _| (_| | | | | +|____/ \__\___|_| \__,_|_| |_| + + + + + + +========================= X8 ================================ X8 ========== + + + + + + + ____ _ _ _ _ _ _ + / ___|_ _| |_ ___ ___| |__ ___(_)_ __ _ / | | | __ _| |__ _ __ +| | _| | | | __/ __|/ __| '_ \ / _ \ | '_ \(_) | | _ | |/ _` | '_ \| '__| +| |_| | |_| | |_\__ \ (__| | | | __/ | | | |_ | | | |_| | (_| | | | | | + \____|\__,_|\__|___/\___|_| |_|\___|_|_| |_(_) |_| \___/ \__,_|_| |_|_| + + ____ _ _ + / ___|_ __ __ ___ _(_) |_ ___ _ __ +| | _| '__/ _` \ \ / / | __/ _ \| '_ \ +| |_| | | | (_| |\ V /| | || (_) | | | | + \____|_| \__,_| \_/ |_|\__\___/|_| |_| + + _ _ _ ____ _ +| |_| || | __ _ _ __ __ _ _ __ ___ / ___| _ __ ___ | |_ +| __| || |_ / _` | | '_ \ / _` | '_ \ / _ \ \___ \| '_ \ / _ \| __| +| |_|__ _| (_| |_| | | | (_| | | | | (_) | ___) | |_) | (_) | |_ + \__| |_| \__, (_)_| |_|\__,_|_| |_|\___/ |____/| .__/ \___/ \__| + |___/ |_| + _ _ _ _ +(_)_ __ ___| |_ __ _ _ __ ___ ___ | |__ ___(_) +| | '_ \/ __| __/ _` | '_ \ / __/ _ \ | '_ \ / _ \ | +| | | | \__ \ || (_| | | | | (_| __/ | |_) | __/ | +|_|_| |_|___/\__\__,_|_| |_|\___\___| |_.__/ \___|_| + + _ + __ _ _ __ ___ __ _ _______ _ __ __ _____| |__ + / _` | '_ ` _ \ / _` |_ / _ \| '_ \ \ \ /\ / / _ \ '_ \ +| (_| | | | | | | (_| |/ / (_) | | | | \ V V / __/ |_) | + \__,_|_| |_| |_|\__,_/___\___/|_| |_| \_/\_/ \___|_.__/ + + _ + ___ ___ _ ____ _(_) ___ ___ +/ __|/ _ \ '__\ \ / / |/ __/ _ \ +\__ \ __/ | \ V /| | (_| __/ +|___/\___|_| \_/ |_|\___\___| + diff --git a/create_aws_wireguard_server.yml b/create_aws_wireguard_server.yml index 454e2de..9d98337 100644 --- a/create_aws_wireguard_server.yml +++ b/create_aws_wireguard_server.yml 
@@ -3,8 +3,6 @@ - name: provisions a graviton server as aws spot instance hosts: localhost connection: local - vars: - ansible_python_interpreter: /usr/bin/python3 vars_prompt: - name: ssh_pub_key_file prompt: Location of your public ssh key @@ -12,11 +10,11 @@ private: no - name: aws_region prompt: AWS Region to use for instance - default: "us-east-1" + default: "eu-central-1" private: no - name: aws_ami prompt: Disk image to use for instance (default is debian buster arm64) - default: "ami-08b2293fdd2deba2a" + default: "ami-0e70ab85b58b23a77" private: no - name: aws_type prompt: Instance type to request @@ -27,13 +25,19 @@ default: "" private: no vars: - - dns_zone_name: "{{ dns_name | regex_replace('^[\\w-]+\\.', '') }}" + dns_zone_name: "{{ dns_name | regex_replace('^[\\w-]+\\.', '') }}" + ansible_python_interpreter: /usr/bin/python3 roles: - aws_graviton_nano_spot - name: include playbook for pihole import_playbook: pihole.yml +<<<<<<< HEAD - name: Include playbook to install wireguard import_playbook: wireguard.yml +======= +- name: include playbook for wireguard server + import_playbook: wireguard_pihole_only.yml +>>>>>>> 268d550 (Checkin der ewig schon herumliegenden Daten, keine Ahnung mehr was ich) diff --git a/roles/aws_graviton_nano_spot/tasks/main.yml b/roles/aws_graviton_nano_spot/tasks/main.yml index a7ea098..7afc50e 100644 --- a/roles/aws_graviton_nano_spot/tasks/main.yml +++ b/roles/aws_graviton_nano_spot/tasks/main.yml @@ -1,5 +1,6 @@ - name: copy ssh public key amazon.aws.ec2_key: + region: "{{ aws_region }}" name: vpn_key key_material: "{{ lookup('file', '{{ ssh_pub_key_file }}') }}" region: "{{ aws_region }}" @@ -30,8 +31,6 @@ image: "{{ aws_ami }}" wait: yes instance_initiated_shutdown_behavior: terminate - vpc_subnet_id: "subnet-3df70f5a" - assign_public_ip: yes register: graviton - name: generate route53 dns entry for the instance 
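Review bot: The new default `ami-0e70ab85b58b23a77` in the second hunk of create_aws_wireguard_server.yml is only valid in the region it was published for, and the same hunk moves `aws_region` to `eu-central-1`, so the prompt text should name that region, e.g. `prompt: Disk image to use for instance (default is debian buster arm64 in eu-central-1)`. A user who accepts the AMI default but answers a different region otherwise gets an AMI-not-found error from AWS with no hint in the prompt as to why.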
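Review bot: The third hunk of create_aws_wireguard_server.yml commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 268d550 …`) around the last `import_playbook`, so the file is no longer valid YAML and `ansible-playbook` refuses to load it. Keep one of the two imports — presumably `import_playbook: wireguard_pihole_only.yml`, since that playbook is added in this commit and is the one that sets `use_pihole_templates` — and delete the three marker lines. If both variants are meant to stay selectable, import both and guard each with a `when:` on a variable rather than leaving both unconditional.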
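Review bot: The added `region: "{{ aws_region }}"` in the `amazon.aws.ec2_key` task (first hunk of roles/aws_graviton_nano_spot/tasks/main.yml) duplicates the `region:` key that is still present two lines below as context, so the same mapping now carries the key twice; YAML loaders keep whichever value comes last and Ansible only warns about it. Drop the added line, since the existing one already carries the same value. The task mapping continues past the end of the hunk.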
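Review bot: Removing `assign_public_ip: yes` along with the hard-coded `vpc_subnet_id` (second hunk of roles/aws_graviton_nano_spot/tasks/main.yml) leaves the instance's public address to the default subnet's auto-assign setting, which differs between accounts; the route53 task that follows and the `Endpoint` line in the client templates both appear to depend on a public IP. If the intent was only to stop pinning the subnet, the commit should say where the public IP now comes from, e.g. `# relies on the default VPC subnet auto-assigning a public IP; set assign_public_ip/vpc_subnet_id to be explicit` next to `register: graviton`, or keep the public-IP request explicit in whatever form the module in use accepts. The instance task starts before the hunk, so the module name is not visible here.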
diff --git a/roles/pihole/templates/pihole-FTL b/roles/pihole/templates/pihole-FTL
new file mode 100644
index 0000000..f0743b4
--- /dev/null
+++ b/roles/pihole/templates/pihole-FTL
@@ -0,0 +1,108 @@ +#!/usr/bin/env bash +### BEGIN INIT INFO +# Provides: pihole-FTL +# Required-Start: $remote_fs $syslog $network +# Required-Stop: $remote_fs $syslog $network +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: pihole-FTL daemon +# Description: Enable service provided by pihole-FTL daemon +### END INIT INFO + +FTLUSER=pihole +PIDFILE=/run/pihole-FTL.pid + +is_running() { + pgrep -o "pihole-FTL" > /dev/null 2>&1 +} + + +# Start the service +start() { + if is_running; then + echo "pihole-FTL is already running" + else + # Touch files to ensure they exist (create if non-existing, preserve if existing) + touch /var/log/pihole-FTL.log /var/log/pihole.log + touch /run/pihole-FTL.pid /run/pihole-FTL.port + touch /etc/pihole/dhcp.leases + mkdir -p /run/pihole + mkdir -p /var/log/pihole + chown pihole:pihole /run/pihole /var/log/pihole + # Remove possible leftovers from previous pihole-FTL processes + rm -f /dev/shm/FTL-* 2> /dev/null + rm /run/pihole/FTL.sock 2> /dev/null + # Ensure that permissions are set so that pihole-FTL can edit all necessary files + chown pihole:pihole /run/pihole-FTL.pid /run/pihole-FTL.port + chown pihole:pihole /etc/pihole /etc/pihole/dhcp.leases 2> /dev/null + chown pihole:pihole /var/log/pihole-FTL.log /var/log/pihole.log + chmod 0644 /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port /var/log/pihole.log + # Chown database files to the user FTL runs as. We ignore errors as the files may not (yet) exist + chown pihole:pihole /etc/pihole/pihole-FTL.db /etc/pihole/gravity.db 2> /dev/null + if setcap CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_NICE+eip "$(which pihole-FTL)"; then + su -s /bin/sh -c "/usr/bin/pihole-FTL" "$FTLUSER" + else + echo "Warning: Starting pihole-FTL as root because setting capabilities is not supported on this system" + pihole-FTL + fi + echo + fi +} + +# Stop the service +stop() { + if is_running; then + pkill -o pihole-FTL + for i in {1..5}; do + if ! 
is_running; then + break + fi + + echo -n "." + sleep 1 + done + echo + + if is_running; then + echo "Not stopped; may still be shutting down or shutdown may have failed, killing now" + pkill -o -9 pihole-FTL + exit 1 + else + echo "Stopped" + fi + else + echo "Not running" + fi + echo +} + +# Indicate the service status +status() { + if is_running; then + echo "[ ok ] pihole-FTL is running" + exit 0 + else + echo "[ ] pihole-FTL is not running" + exit 1 + fi +} + + +### main logic ### +case "$1" in + stop) + stop + ;; + status) + status + ;; + start|restart|reload|condrestart) + stop + start + ;; + *) + echo $"Usage: $0 {start|stop|restart|reload|status}" + exit 1 +esac + +exit 0 diff --git a/roles/pihole/templates/pihole-FTL.conf b/roles/pihole/templates/pihole-FTL.conf new file mode 100644 index 0000000..21e5a5f --- /dev/null +++ b/roles/pihole/templates/pihole-FTL.conf @@ -0,0 +1 @@ +PRIVACYLEVEL=0 diff --git a/roles/wireguard_server/tasks/main.yml b/roles/wireguard_server/tasks/main.yml index 932cef2..0633b94 100644 --- a/roles/wireguard_server/tasks/main.yml +++ b/roles/wireguard_server/tasks/main.yml @@ -65,7 +65,18 @@ owner: root group: root mode: 0600 - with_indexed_items: "{{ vpn_client_private_keys.results }}" + with_sequence: start=1 end={{ vpn_clients }} + when: use_pihole_templates != true + +- name: generate client configs for pihole setup + template: + src: "wg0-client-pihole.conf" + dest: "~/wg/client_{{ item }}/wg0-client.conf" + owner: root + group: root + mode: 0600 + with_sequence: start=1 end={{ vpn_clients }} + when: use_pihole_templates == true - name: generate qr codes for client configs shell: umask 077; qrencode --type=PNG --output=/root/wg/{{ item }}/wg0-client.png < ~/wg/{{ item }}/wg0-client.conf @@ -105,4 +116,4 @@ src: "~/wg/{{item}}/wg0-client.png" dest: "wireguard_profiles/{{ ansible_ssh_host }}/{{item}}/" flat: yes - with_items: "{{ vpn_client_names }}" + with_sequence: start=1 end={{ vpn_clients }} 
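Review bot: In the `start|restart|reload|condrestart)` branch `stop` runs before `start`, but `stop()` ends with `exit 1` after its `pkill -o -9 pihole-FTL` fallback, so a restart against a daemon that ignored SIGTERM terminates the script without ever starting it again. Replace that `exit 1` with `return 1` and let the case branch decide, or re-check `is_running` after the SIGKILL and only exit when the process really survived. The file sits under `templates/` yet contains no Jinja expression; if nothing is meant to be substituted, shipping it via `copy` from `files/` states the intent more clearly. The branch that runs `pihole-FTL` as root when `setcap` fails is easy to miss and deserves a comment such as `# fallback: no capability support, so FTL keeps root instead of dropping to $FTLUSER`.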
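Review bot: `PRIVACYLEVEL=0` in roles/pihole/templates/pihole-FTL.conf is Pi-hole's most verbose setting: every VPN client's queried domain and source address is retained in the FTL database on the server. A one-line comment recording that this is deliberate, e.g. `# 0 = log domains and client addresses; higher levels progressively hide both`, would document the choice for whoever later shares the server with other users.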
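Review bot: Both new `when:` conditions in roles/wireguard_server/tasks/main.yml compare `use_pihole_templates` directly, so a play that does not define it — `wireguard.yml`, judging by the fact that only the new `wireguard_pihole_only.yml` sets it — fails with an undefined-variable error instead of taking the non-pihole path. Use `when: not (use_pihole_templates | default(false) | bool)` and `when: use_pihole_templates | default(false) | bool`. The new task writes to `~/wg/client_{{ item }}/wg0-client.conf`, while the qrencode task right after it reads `~/wg/{{ item }}/wg0-client.conf`; unless the non-pihole task (whose `dest` lies outside the hunk) uses the same `client_` prefix, the QR codes are generated from a file this task never wrote, and the two `dest` paths should agree. The template task that the first hunk modifies starts before the hunk.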
diff --git a/roles/wireguard_server/templates/wg0-client-pihole.conf b/roles/wireguard_server/templates/wg0-client-pihole.conf new file mode 100644 index 0000000..5abd6c4 --- /dev/null +++ b/roles/wireguard_server/templates/wg0-client-pihole.conf @@ -0,0 +1,11 @@ +[Interface] +Address = {{ vpn_network }}.{{item|int + 1}}/32 +DNS = 10.100.100.1 +PrivateKey = {{ private_key_files.results[item|int].stdout }} +MTU = 1500 + +[Peer] +PublicKey = {{ public_key_files.results[0].stdout }} +AllowedIPs = 0.0.0.0/0 +Endpoint = {{ ansible_ssh_host }}:{{ vpn_port }} +PersistentKeepalive = 0 diff --git a/roles/wireguard_server/templates/wg0-client.conf b/roles/wireguard_server/templates/wg0-client.conf index 90ea3ff..f6977ea 100644 --- a/roles/wireguard_server/templates/wg0-client.conf +++ b/roles/wireguard_server/templates/wg0-client.conf @@ -1,7 +1,8 @@ [Interface] -Address = {{ vpn_network }}.{{item.0 + 2}}/32 -DNS = {{ dns_for_clients }} -PrivateKey = {{ item.1.stdout }} +Address = {{ vpn_network }}.{{item|int + 1}}/32 +DNS = 9.9.9.9 +PrivateKey = {{ private_key_files.results[item|int].stdout }} +MTU = 1500 [Peer] PublicKey = {{ vpn_server_public_key.stdout }} diff --git a/roles/wireguard_server/templates/wg0.conf b/roles/wireguard_server/templates/wg0.conf index 87d6413..37294d4 100644 --- a/roles/wireguard_server/templates/wg0.conf +++ b/roles/wireguard_server/templates/wg0.conf @@ -5,6 +5,7 @@ ListenPort = {{ vpn_port }} PrivateKey = {{ vpn_server_private_key.stdout }} PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens5 -j MASQUERADE PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens5 -j MASQUERADE +MTU = 1500 {% for i in vpn_client_public_keys.results %} # {{ i.item }} 
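Review bot: `MTU = 1500` on a WireGuard interface (added here and, in the same commit, in `wg0-client.conf` and `wg0.conf`) does not leave room for the tunnel's UDP/IP encapsulation on a 1500-byte uplink, so full-size packets are fragmented or dropped; WireGuard's own default is 1420, so the line can be removed or lowered to `MTU = 1420`. `DNS = 10.100.100.1` hard-codes what `vpn_network` already expresses; `DNS = {{ vpn_network }}.1` keeps the template in step with the playbook. `AllowedIPs = 0.0.0.0/0` captures IPv4 only, so a client with IPv6 connectivity sends IPv6 traffic — including queries to an IPv6 resolver pushed by the local network — outside the tunnel and past Pi-hole; add `::/0` if the server's `ip6tables` rules in `wg0.conf` are meant to be used. `PublicKey = {{ public_key_files.results[0].stdout }}` differs from the sibling template's `vpn_server_public_key.stdout`, and neither `public_key_files` nor `private_key_files` is registered anywhere in this diff — confirm both exist before the template task runs.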
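Review bot: `DNS = 9.9.9.9` in roles/wireguard_server/templates/wg0-client.conf replaces the `dns_for_clients` variable with a hard-coded public resolver, so the resolver can no longer be chosen per deployment and any `dns_for_clients` still defined in role or group vars becomes dead. Keep the variable and make this the default, `DNS = {{ dns_for_clients | default('9.9.9.9') }}`. Indexing `private_key_files.results[item|int]` with `item` starting at 1 (the tasks now use `with_sequence: start=1`) means `results[0]` is never handed to a client; if the key-generation task loops over the same sequence this is an off-by-one that skips the first key and reads past the end for the last client — confirm against the task that registers `private_key_files`. The `[Peer]` section continues past the hunk.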
diff --git a/roles/wireguard_server/wg0-client.conf b/roles/wireguard_server/wg0-client.conf
new file mode 100644
index 0000000..4bbf66e
--- /dev/null
+++ b/roles/wireguard_server/wg0-client.conf
@@ -0,0 +1,11 @@
+[Interface]
+Address = 10.100.100.2/32
+DNS = 10.100.100.1
+PrivateKey = yMIV+Rpg1KVbmpev3fPBipArnhmKyGA0bX3a0i0/C1s=
+MTU = 1500
+
+[Peer]
+PublicKey = vBZjf26R0ZMyh8YZ2a257XQq28bfse5YOvTfIPENZFQ=
+AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 10.100.100.0/24, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4
+Endpoint = 3.83.185.242:58172
+PersistentKeepalive = 0
diff --git a/wireguard_pihole_only.yml b/wireguard_pihole_only.yml
new file mode 100644
index 0000000..b802069
--- /dev/null
+++ b/wireguard_pihole_only.yml
@@ -0,0 +1,18 @@
+---
+# INstall wireguard to comply with pihole dns proxy
+- name: Install wireguard server on launched hosts
+ hosts: launched
+ remote_user: admin
+ become: true
+ vars_prompt:
+ - name: vpn_clients
+ prompt: Number of vpn clients to be generated
+ default: 10
+ private: no
+ vars:
+ vpn_network: '10.100.100'
+ vpn_port: '58172'
+ use_pihole_templates: true
+ roles:
+ - wireguard_server
+
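Review bot: roles/wireguard_server/wg0-client.conf is a rendered client profile, not a template: it carries a live `PrivateKey`, the server's `PublicKey` and a concrete `Endpoint` address and port. Once a WireGuard private key is in git history it has to be treated as disclosed — rotate that client's key pair (and, since the server peer is now identifiable with it, consider the server key as well) and remove the file from the repository. Adding the fetched `wireguard_profiles/` directory and stray `*.conf` files outside `templates/` to `.gitignore` prevents the next generated profile from being committed the same way. If the file was meant as an example of the "exclude private ranges" `AllowedIPs` list, keep it with obviously fake keys and a placeholder endpoint under a name that marks it as an example.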
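Review bot: `private: no` in wireguard_pihole_only.yml uses a YAML 1.1 truthy spelling; `private: false` is what yamllint's `truthy` rule expects and matches the `become: true` and `use_pihole_templates: true` a few lines away. The comment `# INstall wireguard to comply with pihole dns proxy` has a stray capital and does not say how this play differs from `wireguard.yml`; something like `# WireGuard server variant whose client configs point DNS at the Pi-hole on the VPN address` tells a reader why two playbooks exist. `vpn_network: '10.100.100'` is the same prefix the pihole client template hard-codes as `DNS = 10.100.100.1`, so the two only stay in sync if the template derives the resolver from this variable.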