stefan/wg-aws
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

Checkin der ewig schon herumliegenden Daten, keine Ahnung mehr was ich

Browse Source 
alles gemacht hatte...
This commit is contained in:
Stefan Märkle 2021-11-22 11:56:24 +01:00
parent 6f82b3518b
commit 7b1197b4f5
11 changed files with 275 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
Readme_Stefan.txt Normal file
View File

@ -0,0 +1,98 @@
_____ _
| ___| __ ___ | |__ ___
| |_ | '__/ _ \| '_ \ / _ \
| _|| | | (_) | | | | __/
|_| |_| \___/|_| |_|\___|
__ __ _ _ _ _ _
\ \ / /__(_) |__ _ __ __ _ ___| |__ | |_ ___ _ __ | |
\ \ /\ / / _ \ | '_ \| '_ \ / _` |/ __| '_ \| __/ _ \ '_ \| |
\ V V / __/ | | | | | | | (_| | (__| | | | || __/ | | |_|
\_/\_/ \___|_|_| |_|_| |_|\__,_|\___|_| |_|\__\___|_| |_(_)
Lieber Iljas,
Dein Weihnachtsgeschenk dieses Jahr ist mit Arbeit verbunden - Arbeit
Deinerseits wohlgemerkt ;-)
Um es zu genießen mußt Du zuerst:
- dem mächtigen amazon Konzern noch weiter in die Hände spielen und Dir
einen aws Account einrichten
- auf Deinem nagelneuen AWS Account unter Sicherheit/IAM einen Benutzer
hinzufügen mit Zugriffstyp "Programmgesteuerter Zugriff"
- die dabei generierten Tokens Dir merken und z.B. in Deine .bashrc
eintragen als Umgebungsvariablen `AWS_ACCESS_KEY_ID` und `AWS_SECRET_ACCESS_KEY`
- Dir ansible installieren - und da Du wahrscheinlich verstehen willst was
passiert, ist das ansible lernen die eigentliche Arbeit ;-)
- das ansible-Playbook anschauen und ausführen, dass Stefan erstellt hat und
das unter wg-aws geclont ist
- Dir auf Deinen Geräten wireguard als VPN Software installieren
- die Konfigurationen, die das ansible Playbook erstellt hat auf Deinen
Geräten importieren (als Datei oder qrcode)
- Dich über Deinen neuen mini-Cloud-VPN-Server freuen auf dem Du auch sonst
alles machen kannst was Du magst
- mit der Inbetriebnahme den unten stehenden Gutschein bei uns einlösen
;-) - leider bietet aws nämlich kein Prepaid an ...
_ _ _ ___
__ _____ _ __ | | (_)_ __ __| | __ _ ( _ )
\ \ / / _ \| '_ \ | | | | '_ \ / _` |/ _` | / _ \/\
\ V / (_) | | | | | |___| | | | | (_| | (_| | | (_> <
\_/ \___/|_| |_| |_____|_|_| |_|\__,_|\__,_| \___/\/
____ _ __
/ ___|| |_ ___ / _| __ _ _ __
\___ \| __/ _ \ |_ / _` | '_ \
___) | || __/ _| (_| | | | |
|____/ \__\___|_| \__,_|_| |_|
========================= X8 ================================ X8 ==========
____ _ _ _ _ _ _
/ ___|_ _| |_ ___ ___| |__ ___(_)_ __ _ / | | | __ _| |__ _ __
| | _| | | | __/ __|/ __| '_ \ / _ \ | '_ \(_) | | _ | |/ _` | '_ \| '__|
| |_| | |_| | |_\__ \ (__| | | | __/ | | | |_ | | | |_| | (_| | | | | |
\____|\__,_|\__|___/\___|_| |_|\___|_|_| |_(_) |_| \___/ \__,_|_| |_|_|
____ _ _
/ ___|_ __ __ ___ _(_) |_ ___ _ __
| | _| '__/ _` \ \ / / | __/ _ \| '_ \
| |_| | | | (_| |\ V /| | || (_) | | | |
\____|_| \__,_| \_/ |_|\__\___/|_| |_|
_ _ _ ____ _
| |_| || | __ _ _ __ __ _ _ __ ___ / ___| _ __ ___ | |_
| __| || |_ / _` | | '_ \ / _` | '_ \ / _ \ \___ \| '_ \ / _ \| __|
| |_|__ _| (_| |_| | | | (_| | | | | (_) | ___) | |_) | (_) | |_
\__| |_| \__, (_)_| |_|\__,_|_| |_|\___/ |____/| .__/ \___/ \__|
|___/ |_|
_ _ _ _
(_)_ __ ___| |_ __ _ _ __ ___ ___ | |__ ___(_)
| | '_ \/ __| __/ _` | '_ \ / __/ _ \ | '_ \ / _ \ |
| | | | \__ \ || (_| | | | | (_| __/ | |_) | __/ |
|_|_| |_|___/\__\__,_|_| |_|\___\___| |_.__/ \___|_|
_
__ _ _ __ ___ __ _ _______ _ __ __ _____| |__
/ _` | '_ ` _ \ / _` |_ / _ \| '_ \ \ \ /\ / / _ \ '_ \
| (_| | | | | | | (_| |/ / (_) | | | | \ V V / __/ |_) |
\__,_|_| |_| |_|\__,_/___\___/|_| |_| \_/\_/ \___|_.__/
_
___ ___ _ ____ _(_) ___ ___
/ __|/ _ \ '__\ \ / / |/ __/ _ \
\__ \ __/ | \ V /| | (_| __/
|___/\___|_| \_/ |_|\___\___|

14
create_aws_wireguard_server.yml
View File

@ -3,8 +3,6 @@
- name: provisions a graviton server as aws spot instance
hosts: localhost
connection: local
vars:
ansible_python_interpreter: /usr/bin/python3
vars_prompt:
- name: ssh_pub_key_file
prompt: Location of your public ssh key
@ -12,11 +10,11 @@
private: no
- name: aws_region
prompt: AWS Region to use for instance
default: "us-east-1"
default: "eu-central-1"
private: no
- name: aws_ami
prompt: Disk image to use for instance (default is debian buster arm64)
default: "ami-08b2293fdd2deba2a"
default: "ami-0e70ab85b58b23a77"
private: no
- name: aws_type
prompt: Instance type to request
@ -27,13 +25,19 @@
default: ""
private: no
vars:
- dns_zone_name: "{{ dns_name | regex_replace('^[\\w-]+\\.', '') }}"
dns_zone_name: "{{ dns_name | regex_replace('^[\\w-]+\\.', '') }}"
ansible_python_interpreter: /usr/bin/python3
roles:
- aws_graviton_nano_spot
- name: include playbook for pihole
import_playbook: pihole.yml
<<<<<<< HEAD
- name: Include playbook to install wireguard
import_playbook: wireguard.yml
=======
- name: include playbook for wireguard server
import_playbook: wireguard_pihole_only.yml
>>>>>>> 268d550 (Checkin der ewig schon herumliegenden Daten, keine Ahnung mehr was ich)

3
roles/aws_graviton_nano_spot/tasks/main.yml
View File

@ -1,5 +1,6 @@
- name: copy ssh public key
amazon.aws.ec2_key:
region: "{{ aws_region }}"
name: vpn_key
key_material: "{{ lookup('file', '{{ ssh_pub_key_file }}') }}"
region: "{{ aws_region }}"
@ -30,8 +31,6 @@
image: "{{ aws_ami }}"
wait: yes
instance_initiated_shutdown_behavior: terminate
vpc_subnet_id: "subnet-3df70f5a"
assign_public_ip: yes
register: graviton
- name: generate route53 dns entry for the instance

108
roles/pihole/templates/pihole-FTL Normal file
View File

@ -0,0 +1,108 @@
#!/usr/bin/env bash
### BEGIN INIT INFO
# Provides: pihole-FTL
# Required-Start: $remote_fs $syslog $network
# Required-Stop: $remote_fs $syslog $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: pihole-FTL daemon
# Description: Enable service provided by pihole-FTL daemon
### END INIT INFO
FTLUSER=pihole
PIDFILE=/run/pihole-FTL.pid
is_running() {
pgrep -o "pihole-FTL" > /dev/null 2>&1
}
# Start the service
start() {
if is_running; then
echo "pihole-FTL is already running"
else
# Touch files to ensure they exist (create if non-existing, preserve if existing)
touch /var/log/pihole-FTL.log /var/log/pihole.log
touch /run/pihole-FTL.pid /run/pihole-FTL.port
touch /etc/pihole/dhcp.leases
mkdir -p /run/pihole
mkdir -p /var/log/pihole
chown pihole:pihole /run/pihole /var/log/pihole
# Remove possible leftovers from previous pihole-FTL processes
rm -f /dev/shm/FTL-* 2> /dev/null
rm /run/pihole/FTL.sock 2> /dev/null
# Ensure that permissions are set so that pihole-FTL can edit all necessary files
chown pihole:pihole /run/pihole-FTL.pid /run/pihole-FTL.port
chown pihole:pihole /etc/pihole /etc/pihole/dhcp.leases 2> /dev/null
chown pihole:pihole /var/log/pihole-FTL.log /var/log/pihole.log
chmod 0644 /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port /var/log/pihole.log
# Chown database files to the user FTL runs as. We ignore errors as the files may not (yet) exist
chown pihole:pihole /etc/pihole/pihole-FTL.db /etc/pihole/gravity.db 2> /dev/null
if setcap CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_NICE+eip "$(which pihole-FTL)"; then
su -s /bin/sh -c "/usr/bin/pihole-FTL" "$FTLUSER"
else
echo "Warning: Starting pihole-FTL as root because setting capabilities is not supported on this system"
pihole-FTL
fi
echo
fi
}
# Stop the service
stop() {
if is_running; then
pkill -o pihole-FTL
for i in {1..5}; do
if ! is_running; then
break
fi
echo -n "."
sleep 1
done
echo
if is_running; then
echo "Not stopped; may still be shutting down or shutdown may have failed, killing now"
pkill -o -9 pihole-FTL
exit 1
else
echo "Stopped"
fi
else
echo "Not running"
fi
echo
}
# Indicate the service status
status() {
if is_running; then
echo "[ ok ] pihole-FTL is running"
exit 0
else
echo "[ ] pihole-FTL is not running"
exit 1
fi
}
### main logic ###
case "$1" in
stop)
stop
;;
status)
status
;;
start|restart|reload|condrestart)
stop
start
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|status}"
exit 1
esac
exit 0

1
roles/pihole/templates/pihole-FTL.conf Normal file
View File

@ -0,0 +1 @@
PRIVACYLEVEL=0

15
roles/wireguard_server/tasks/main.yml
View File

@ -65,7 +65,18 @@
owner: root
group: root
mode: 0600
with_indexed_items: "{{ vpn_client_private_keys.results }}"
with_sequence: start=1 end={{ vpn_clients }}
when: use_pihole_templates != true
- name: generate client configs for pihole setup
template:
src: "wg0-client-pihole.conf"
dest: "~/wg/client_{{ item }}/wg0-client.conf"
owner: root
group: root
mode: 0600
with_sequence: start=1 end={{ vpn_clients }}
when: use_pihole_templates == true
- name: generate qr codes for client configs
shell: umask 077; qrencode --type=PNG --output=/root/wg/{{ item }}/wg0-client.png < ~/wg/{{ item }}/wg0-client.conf
@ -105,4 +116,4 @@
src: "~/wg/{{item}}/wg0-client.png"
dest: "wireguard_profiles/{{ ansible_ssh_host }}/{{item}}/"
flat: yes
with_items: "{{ vpn_client_names }}"
with_sequence: start=1 end={{ vpn_clients }}

11
roles/wireguard_server/templates/wg0-client-pihole.conf Normal file
View File

@ -0,0 +1,11 @@
[Interface]
Address = {{ vpn_network }}.{{item|int + 1}}/32
DNS = 10.100.100.1
PrivateKey = {{ private_key_files.results[item|int].stdout }}
MTU = 1500
[Peer]
PublicKey = {{ public_key_files.results[0].stdout }}
AllowedIPs = 0.0.0.0/0
Endpoint = {{ ansible_ssh_host }}:{{ vpn_port }}
PersistentKeepalive = 0

7
roles/wireguard_server/templates/wg0-client.conf
View File

@ -1,7 +1,8 @@
[Interface]
Address = {{ vpn_network }}.{{item.0 + 2}}/32
DNS = {{ dns_for_clients }}
PrivateKey = {{ item.1.stdout }}
Address = {{ vpn_network }}.{{item|int + 1}}/32
DNS = 9.9.9.9
PrivateKey = {{ private_key_files.results[item|int].stdout }}
MTU = 1500
[Peer]
PublicKey = {{ vpn_server_public_key.stdout }}

1
roles/wireguard_server/templates/wg0.conf
View File

@ -5,6 +5,7 @@ ListenPort = {{ vpn_port }}
PrivateKey = {{ vpn_server_private_key.stdout }}
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens5 -j MASQUERADE
MTU = 1500
{% for i in vpn_client_public_keys.results %}
# {{ i.item }}

11
roles/wireguard_server/wg0-client.conf Normal file
View File

@ -0,0 +1,11 @@
[Interface]
Address = 10.100.100.2/32
DNS = 10.100.100.1
PrivateKey = yMIV+Rpg1KVbmpev3fPBipArnhmKyGA0bX3a0i0/C1s=
MTU = 1500
[Peer]
PublicKey = vBZjf26R0ZMyh8YZ2a257XQq28bfse5YOvTfIPENZFQ=
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 10.100.100.0/24, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4
Endpoint = 3.83.185.242:58172
PersistentKeepalive = 0

18
wireguard_pihole_only.yml Normal file
View File

@ -0,0 +1,18 @@
---
# INstall wireguard to comply with pihole dns proxy
- name: Install wireguard server on launched hosts
hosts: launched
remote_user: admin
become: true
vars_prompt:
- name: vpn_clients
prompt: Number of vpn clients to be generated
default: 10
private: no
vars:
vpn_network: '10.100.100'
vpn_port: '58172'
use_pihole_templates: true
roles:
- wireguard_server