stefan/wg-aws
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

Compare commits

base: stefan:bc1801a5d7d2819dd904d3f7801f840811271bcd
Branches Tags
stefan:master
stefan:features/ipv6
..
compare: stefan:66cdd276c20b53d500843d8879269db00c8b49b0
Branches Tags
stefan:master
stefan:features/ipv6

No commits in common. "bc1801a5d7d2819dd904d3f7801f840811271bcd" and "66cdd276c20b53d500843d8879269db00c8b49b0" have entirely different histories.
bc1801a5d7 ... 66cdd276c2

8 changed files with 125 additions and 174 deletions
Show Stats Expand all files Collapse all files

98
Readme_Stefan.txt Normal file
View File

@ -0,0 +1,98 @@
_____ _
| ___| __ ___ | |__ ___
| |_ | '__/ _ \| '_ \ / _ \
| _|| | | (_) | | | | __/
|_| |_| \___/|_| |_|\___|
__ __ _ _ _ _ _
\ \ / /__(_) |__ _ __ __ _ ___| |__ | |_ ___ _ __ | |
\ \ /\ / / _ \ | '_ \| '_ \ / _` |/ __| '_ \| __/ _ \ '_ \| |
\ V V / __/ | | | | | | | (_| | (__| | | | || __/ | | |_|
\_/\_/ \___|_|_| |_|_| |_|\__,_|\___|_| |_|\__\___|_| |_(_)
Lieber Iljas,
Dein Weihnachtsgeschenk dieses Jahr ist mit Arbeit verbunden - Arbeit
Deinerseits wohlgemerkt ;-)
Um es zu genießen mußt Du zuerst:
- dem mächtigen amazon Konzern noch weiter in die Hände spielen und Dir
einen aws Account einrichten
- auf Deinem nagelneuen AWS Account unter Sicherheit/IAM einen Benutzer
hinzufügen mit Zugriffstyp "Programmgesteuerter Zugriff"
- die dabei generierten Tokens Dir merken und z.B. in Deine .bashrc
eintragen als Umgebungsvariablen `AWS_ACCESS_KEY_ID` und `AWS_SECRET_ACCESS_KEY`
- Dir ansible installieren - und da Du wahrscheinlich verstehen willst was
passiert, ist das ansible lernen die eigentliche Arbeit ;-)
- das ansible-Playbook anschauen und ausführen, dass Stefan erstellt hat und
das unter wg-aws geclont ist
- Dir auf Deinen Geräten wireguard als VPN Software installieren
- die Konfigurationen, die das ansible Playbook erstellt hat auf Deinen
Geräten importieren (als Datei oder qrcode)
- Dich über Deinen neuen mini-Cloud-VPN-Server freuen auf dem Du auch sonst
alles machen kannst was Du magst
- mit der Inbetriebnahme den unten stehenden Gutschein bei uns einlösen
;-) - leider bietet aws nämlich kein Prepaid an ...
_ _ _ ___
__ _____ _ __ | | (_)_ __ __| | __ _ ( _ )
\ \ / / _ \| '_ \ | | | | '_ \ / _` |/ _` | / _ \/\
\ V / (_) | | | | | |___| | | | | (_| | (_| | | (_> <
\_/ \___/|_| |_| |_____|_|_| |_|\__,_|\__,_| \___/\/
____ _ __
/ ___|| |_ ___ / _| __ _ _ __
\___ \| __/ _ \ |_ / _` | '_ \
___) | || __/ _| (_| | | | |
|____/ \__\___|_| \__,_|_| |_|
========================= X8 ================================ X8 ==========
____ _ _ _ _ _ _
/ ___|_ _| |_ ___ ___| |__ ___(_)_ __ _ / | | | __ _| |__ _ __
| | _| | | | __/ __|/ __| '_ \ / _ \ | '_ \(_) | | _ | |/ _` | '_ \| '__|
| |_| | |_| | |_\__ \ (__| | | | __/ | | | |_ | | | |_| | (_| | | | | |
\____|\__,_|\__|___/\___|_| |_|\___|_|_| |_(_) |_| \___/ \__,_|_| |_|_|
____ _ _
/ ___|_ __ __ ___ _(_) |_ ___ _ __
| | _| '__/ _` \ \ / / | __/ _ \| '_ \
| |_| | | | (_| |\ V /| | || (_) | | | |
\____|_| \__,_| \_/ |_|\__\___/|_| |_|
_ _ _ ____ _
| |_| || | __ _ _ __ __ _ _ __ ___ / ___| _ __ ___ | |_
| __| || |_ / _` | | '_ \ / _` | '_ \ / _ \ \___ \| '_ \ / _ \| __|
| |_|__ _| (_| |_| | | | (_| | | | | (_) | ___) | |_) | (_) | |_
\__| |_| \__, (_)_| |_|\__,_|_| |_|\___/ |____/| .__/ \___/ \__|
|___/ |_|
_ _ _ _
(_)_ __ ___| |_ __ _ _ __ ___ ___ | |__ ___(_)
| | '_ \/ __| __/ _` | '_ \ / __/ _ \ | '_ \ / _ \ |
| | | | \__ \ || (_| | | | | (_| __/ | |_) | __/ |
|_|_| |_|___/\__\__,_|_| |_|\___\___| |_.__/ \___|_|
_
__ _ _ __ ___ __ _ _______ _ __ __ _____| |__
/ _` | '_ ` _ \ / _` |_ / _ \| '_ \ \ \ /\ / / _ \ '_ \
| (_| | | | | | | (_| |/ / (_) | | | | \ V V / __/ |_) |
\__,_|_| |_| |_|\__,_/___\___/|_| |_| \_/\_/ \___|_.__/
_
___ ___ _ ____ _(_) ___ ___
/ __|/ _ \ '__\ \ / / |/ __/ _ \
\__ \ __/ | \ V /| | (_| __/
|___/\___|_| \_/ |_|\___\___|

22
create_aws_wireguard_server.yml
View File

@ -12,20 +12,26 @@
prompt: AWS Region to use for instance prompt: AWS Region to use for instance
default: "eu-central-1" default: "eu-central-1"
private: no private: no
- name: aws_ami
prompt: Disk image to use for instance (default is debian buster arm64)
default: "ami-0e70ab85b58b23a77"
private: no
- name: aws_type
prompt: Instance type to request
default: "t4g.nano"
private: no
- name: dns_name - name: dns_name
prompt: Which hostname shall be registered for the host (Empty = no dns, Zone needs to be route53 managed)? prompt: Which hostname shall be registered for the host (Empty = no dns, Zone needs to be route53 managed)?
default: "" default: ""
private: no private: no
vars: vars:
dns_zone_name: "{{ dns_name | regex_replace('^[\\w-]+\\.', '') }}" dns_zone_name: "{{ dns_name | regex_replace('^[\\w-]+\\.', '') }}"
ansible_python_interpreter: /usr/bin/python3
roles: roles:
- aws_graviton_nano - aws_graviton_nano_spot
- name: include playbook for pihole# - name: include playbook for pihole
import_playbook: headscale-server.yml import_playbook: pihole.yml
#- name: include playbook for pihole# - name: include playbook for wireguard server
# import_playbook: pihole.yml import_playbook: wireguard_pihole_only.yml
#- name: include playbook for wireguard server
# import_playbook: wireguard_pihole_only.yml

15
headscale-server.yml
View File

@ -1,15 +0,0 @@
---
# Install headscale
- name: Install headscale
hosts: launched
remote_user: admin
become: true
vars_prompt:
- name: install_headscale
prompt: Shall the headscale server software be installed (Defaults to false)?
default: false
private: no
roles:
- role: headscale-server
when: install_headscale

2
inv
View File

@ -1,2 +0,0 @@
[launched]
headscale.wolkige.abgruen.de

45
roles/aws_graviton_nano/tasks/main.yml → roles/aws_graviton_nano_spot/tasks/main.yml
View File

@ -19,41 +19,22 @@
- proto: all - proto: all
cidr_ip: 0.0.0.0/0 cidr_ip: 0.0.0.0/0
register: security_group register: security_group
- name: find arm64 ami for debian - name: create graviton spot instance
amazon.aws.ec2_ami_info: amazon.aws.ec2:
region: "{{ aws_region }}"
owners: amazon
filters:
name: "debian-11-arm64-20*"
architecture: "arm64"
register: amis
- name: Extract the most recently created AMI from the list
ansible.builtin.set_fact:
aws_ami: "{{ amis.images[-1].image_id }}"
- name: debug
debug:
var: aws_ami
- name: create graviton instance
amazon.aws.ec2_instance:
region: "{{ aws_region }}" region: "{{ aws_region }}"
spot_type: persistent
spot_wait_timeout: 120
key_name: vpn_key key_name: vpn_key
name: "{{ dns_name }}" group_id: "{{ security_group.group_id }}"
security_group: "{{ security_group.group_id }}" instance_type: "{{ aws_type }}"
instance_type: "t4g.nano" image: "{{ aws_ami }}"
image_id: "{{ aws_ami }}" wait: yes
instance_initiated_shutdown_behavior: terminate instance_initiated_shutdown_behavior: terminate
network:
assign_public_ip: true
wait: true
state: running
register: graviton register: graviton
- name: generate route53 dns entry for the instance - name: generate route53 dns entry for the instance
amazon.aws.route53: route53:
command: create command: create
overwrite: yes overwrite: yes
zone: "{{ dns_zone_name }}" zone: "{{ dns_zone_name }}"
@ -63,7 +44,7 @@
value: "{{ item.public_dns_name }}" value: "{{ item.public_dns_name }}"
loop: "{{ graviton.instances }}" loop: "{{ graviton.instances }}"
when: dns_name != "" when: dns_name != ""
- name: Wait for SSH to come up - name: Wait for SSH to come up
delegate_to: "{{ item.public_dns_name }}" delegate_to: "{{ item.public_dns_name }}"
wait_for_connection: wait_for_connection:
@ -73,11 +54,11 @@
- name: Add new instance to host group - name: Add new instance to host group
add_host: add_host:
hostname: "{{ item.public_ip_address }}" hostname: "{{ item.public_ip }}"
groupname: launched groupname: launched
loop: "{{ graviton.instances }}" loop: "{{ graviton.instances }}"
- name: Print public IP of this server - name: Print public IP of this server
debug: debug:
msg: Your instance has th public IP address {{ item.public_ip_address }} msg: Your instance has th public IP address {{ item.public_ip }}
loop: "{{ graviton.instances }}" loop: "{{ graviton.instances }}"

14
roles/common-server/tasks/main.yml
View File

@ -1,14 +0,0 @@
---
- name: Update APT package cache
apt:
update_cache: true
upgrade: dist
- name: Install debian packages
apt:
name: "{{ item }}"
state: present
with_items:
- "unattended-upgrades"
- "joe"
- "fail2ban"

58
roles/headscale-server/tasks/main.yml
View File

@ -1,58 +0,0 @@
---
- name: Update APT package cache
apt:
update_cache: true
upgrade: dist
- name: Install debian packages
apt:
name: "{{ item }}"
state: present
with_items:
- "unattended-upgrades"
- "joe"
- "fail2ban"
#- name: Download headscale .deb
# get_url:
# url="https://github.com/juanfont/headscale/releases/download/v0.22.3/headscale_0.22.3_linux_arm64.deb"
# dest="/tmp/headscale.deb"
#- name: Install my_package
# apt: deb="/tmp/headscale.deb"
- name: determine name of host
ansible.builtin.set_fact:
headscale_hostname: "{{ inventory_hostname }}"
- name: determine name of network
ansible.builtin.set_fact:
headscale_base_domain: "{{ headscale_hostname | regex_replace('^[\\w-]+\\.', '') }}"
- name: generate config
template:
src: "config.yaml"
dest: "/etc/headscale/config.yaml"
- name: ensure directories are present
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: '0755'
with_items:
- /var/lib/headscale
- /var/lib/headscale/cache
- name: Enable systemd service
ansible.builtin.systemd:
name: headscale.service
state: started
enabled: true
# Exit node:
# curl -fsSL https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
# curl -fsSL https://pkgs.tailscale.com/stable/debian/bullseye.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list
# apt-get update
# apt-get install tailscale
# tailscale up --advertise-exit-node --login-server https://headscale.wolkige.abgruen.de
#

45
roles/headscale-server/templates/config.yaml
View File

@ -1,45 +0,0 @@
---
# Headscale configuration
# addresses. ports and paths
server_url: "https://{{ headscale_hostname }}"
listen_addr: 0.0.0.0:443
metrics_listen_addr: 127.0.0.1:9090
grpc_listen_addr: 127.0.0.1:50443
grpc_allow_insecure: false
private_key_path: /var/lib/headscale/private.key
noise:
private_key_path: /var/lib/headscale/noise_private.key
# IP ranges & dns
ip_prefixes:
- fd7a:115c:a1e0::/48
- 10.13.100.0/24
dns_config:
override_local_dns: true
nameservers:
- 1.1.1.1
magic_dns: true
base_domain: {{ headscale_base_domain }}
# DERP
derp:
server:
enabled: true
region_id: 999
region_code: "aws-headscale-maecki"
region_name: "aws-headscale-maecki"
stun_listen_addr: "0.0.0.0:3478"
paths: []
auto_update_enabled: false
update_frequency: 24h
# DB
db_type: sqlite3
db_path: /var/lib/headscale/db.sqlite
# TLS
acme_url: https://acme-v02.api.letsencrypt.org/directory
acme_email: ""
tls_letsencrypt_hostname: "{{ headscale_hostname }}"
tls_letsencrypt_cache_dir: /var/lib/headscale/cache
tls_letsencrypt_challenge_type: HTTP-01
tls_letsencrypt_listen: ":http"