From 2ae144418baf108ba58af7497877e744abaaff0c Mon Sep 17 00:00:00 2001
From: Justus Grunow
Date: Fri, 8 Nov 2024 17:43:56 -0500
Subject: [PATCH] Updated requirements

---
 ansible/assets/bastion/wg0.conf | 23 +++++++++++++++++
 ansible/assets/bastion/wg0.conf.j2 | 22 ++++++++++++++++
 ansible/{setup.yaml => buildHomelab.yaml} | 30 ++++++++++++++++++++--
 ansible/inventory/group_vars/bastion/vars | 9 +++++++
 ansible/inventory/group_vars/bastion/vault | 9 +++++++
 ansible/inventory/hosts | 3 +++
 requirements.txt | 4 +--
 7 files changed, 96 insertions(+), 4 deletions(-)
 create mode 100644 ansible/assets/bastion/wg0.conf
 create mode 100644 ansible/assets/bastion/wg0.conf.j2
 rename ansible/{setup.yaml => buildHomelab.yaml} (78%)
 create mode 100644 ansible/inventory/group_vars/bastion/vars
 create mode 100644 ansible/inventory/group_vars/bastion/vault

diff --git a/ansible/assets/bastion/wg0.conf b/ansible/assets/bastion/wg0.conf
new file mode 100644
index 0000000..6a6a298
--- /dev/null
+++ b/ansible/assets/bastion/wg0.conf
@@ -0,0 +1,23 @@
+[Interface]
+Address = 10.11.20.1/24
+#SaveConfig = true
+ListenPort = 51820
+PrivateKey = uBjwOBqEeH/2V7qo5GLGQaX159I1YBztzxvYE9pXOnI=
+#https://serverfault.com/questions/1162475/iptables-exclude-a-specific-port-from-being-forwarded-to-the-destination
+PostUp = iptables -t nat -N Inbound
+PostUp = iptables -t nat -A PREROUTING -d 51.222.155.202 -j Inbound
+PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
+PostUp = iptables -t nat -A Inbound -p tcp --dport 22 -j RETURN
+PostUp = iptables -t nat -A Inbound -p tcp --dport 51820 -j RETURN
+PostUp = iptables -t nat -A Inbound -p udp --dport 51820 -j RETURN
+PostUp = iptables -t nat -A Inbound -s 10.11.1.15 -j RETURN
+PostUp = iptables -t nat -A Inbound -j DNAT --to-destination 10.11.1.15 -p tcp --dport 80
+PostUp = iptables -t nat -A Inbound -j DNAT --to-destination 10.11.1.15 -p tcp --dport 443
+PostDown = iptables -D PREROUTING -d 51.222.155.202 -j Inbound -t nat
+PostDown = iptables -D POSTROUTING -o ens3 -j MASQUERADE -t nat
+PostDown = iptables -F Inbound -t nat
+PostDown = iptables -X Inbound -t nat
+
+[Peer]
+PublicKey = 84ITOv/sB0f/h7fIY+uLQeTmMDgTCjvVzIQmEsLAZmo=
+AllowedIPs = 10.11.20.2/32,10.11.1.15/32
diff --git a/ansible/assets/bastion/wg0.conf.j2 b/ansible/assets/bastion/wg0.conf.j2
new file mode 100644
index 0000000..0b87907
--- /dev/null
+++ b/ansible/assets/bastion/wg0.conf.j2
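Review bot: The `PrivateKey = uBjw…` line of the new `ansible/assets/bastion/wg0.conf` commits the bastion's WireGuard private key in plaintext, while the sibling `wg0.conf.j2` added in the same commit already takes it from `vault_wg_private_key`, and the playbook's template task references only the `.j2`. The static file looks like a leftover rendering of the template; drop it from the repository so the two copies cannot drift and the secret lives only in the vault. Because the key is already part of this commit's history, it should also be regenerated, with the vaulted value and the homeserver's peer entry updated to match — deleting the file in a later commit does not remove it from any clone that already fetched this one.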
@@ -0,0 +1,22 @@
+[Interface]
+Address = {{ wg_interface_ip }}
+ListenPort = 51820
+PrivateKey = {{ wg_private_key}}
+#https://serverfault.com/questions/1162475/iptables-exclude-a-specific-port-from-being-forwarded-to-the-destination
+PostUp = iptables -t nat -N Inbound
+PostUp = iptables -t nat -A PREROUTING -d {{ public_ip }} -j Inbound
+PostUp = iptables -t nat -A POSTROUTING -o {{ wan_interface }} -j MASQUERADE
+PostUp = iptables -t nat -A Inbound -p tcp --dport 22 -j RETURN
+PostUp = iptables -t nat -A Inbound -p tcp --dport 51820 -j RETURN
+PostUp = iptables -t nat -A Inbound -p udp --dport 51820 -j RETURN
+PostUp = iptables -t nat -A Inbound -s {{ homeserver_private_ip }} -j RETURN
+PostUp = iptables -t nat -A Inbound -j DNAT --to-destination {{ homeserver_private_ip }} -p tcp --dport 80
+PostUp = iptables -t nat -A Inbound -j DNAT --to-destination {{ homeserver_private_ip }} -p tcp --dport 443
+PostDown = iptables -D PREROUTING -d {{ public_ip }} -j Inbound -t nat
+PostDown = iptables -D POSTROUTING -o {{ wan_interface }} -j MASQUERADE -t nat
+PostDown = iptables -F Inbound -t nat
+PostDown = iptables -X Inbound -t nat
+
+[Peer]
+PublicKey = {{ homeserver_wg_public_key }}
+AllowedIPs = {{ homeserver_wg_ip }}/32,{{ homeserver_private_ip }}/32
diff --git a/ansible/setup.yaml b/ansible/buildHomelab.yaml
similarity index 78%
rename from ansible/setup.yaml
rename to ansible/buildHomelab.yaml
index 1477dd6..8c7b1c8 100644
--- a/ansible/setup.yaml
+++ b/ansible/buildHomelab.yaml
@@ -1,6 +1,6 @@
 ---
-- name: Setup
- hosts: all
+- name: Setup pi
+ hosts: raspberrypi
 remote_user: root
 vars:
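Review bot: `PrivateKey = {{ wg_private_key}}` drops the space before the closing delimiter that every other expression in the template has; Jinja accepts it, but it should read `PrivateKey = {{ wg_private_key }}` for consistency. The template also mixes conventions for the prefix length: `wg_interface_ip` carries its `/24` inside the variable (the group_vars file in this commit sets `10.11.20.1/24`), whereas `homeserver_wg_ip` and `homeserver_private_ip` are bare addresses that get `/32` appended on the `AllowedIPs` line — settling on one convention keeps a later variable edit from silently producing an invalid address. Since the playbook renders this over `/etc/wireguard/wg0.conf`, a first line `# {{ ansible_managed }}` would tell anyone editing the host that manual changes will be overwritten on the next run.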
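Review bot: `hosts: raspberrypi` on the new side of the `@@ -1,6 +1,6 @@` hunk matches nothing in the inventory as it stands: the only existing group in `ansible/inventory/hosts` is spelled `[rasperrypi]` (visible as context in that file's hunk), so Ansible will report that the pattern matched no hosts and skip the renamed play. Either use the existing spelling in the play or, better, correct the group name in the inventory to `[raspberrypi]` in the same commit so the typo does not spread. The play's body continues past the end of this hunk.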
@@ -86,3 +86,29 @@
 args:
 chdir: /root/docker
 tags: wireguard,docker
+
+- name: Setup bastion
+ hosts: bastion
+ vars:
+ tags:
+ - bastion
+
+ tasks:
+ - name: Enable IP forwarding
+ ansible.builtin.lineinfile:
+ path: /etc/sysctl.conf
+ regexp: '^#?.*net\.ipv4\.ip_forward='
+ line: 'net.ipv4.ip_forward=1'
+ - name: Install Wireguard
+ ansible.builtin.package:
+ name: wireguard
+ state: present
+ - name: Shutdown Wireguard (remove iptables rules)
+ ansible.builtin.shell: wg-quick down wg0
+ ignore_errors: true
+ - name: Copy Wireguard config
+ ansible.builtin.template:
+ src: assets/bastion/wg0.conf.j2
+ dest: /etc/wireguard/wg0.conf
+ - name: Enable Wireguard int
+ ansible.builtin.shell: wg-quick up wg0
diff --git a/ansible/inventory/group_vars/bastion/vars b/ansible/inventory/group_vars/bastion/vars
new file mode 100644
index 0000000..a6ae81d
--- /dev/null
+++ b/ansible/inventory/group_vars/bastion/vars
@@ -0,0 +1,9 @@
+---
+wg_private_key: "{{ vault_wg_private_key }}"
+wg_interface_ip: 10.11.20.1/24
+
+public_ip: 51.222.155.202
+wan_interface: ens3
+homeserver_private_ip: 10.11.1.15
+homeserver_wg_ip: 10.11.20.2
+homeserver_wg_public_key: 84ITOv/sB0f/h7fIY+uLQeTmMDgTCjvVzIQmEsLAZmo=
diff --git a/ansible/inventory/group_vars/bastion/vault b/ansible/inventory/group_vars/bastion/vault
new file mode 100644
index 0000000..68a415e
--- /dev/null
+++ b/ansible/inventory/group_vars/bastion/vault
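Review bot: The `Copy Wireguard config` task writes the rendered private key to `/etc/wireguard/wg0.conf` without a `mode`, so the file's permissions are whatever the target's umask yields rather than being pinned; the template task should carry `owner: root`, `group: root` and `mode: '0600'`. `Enable IP forwarding` only edits `/etc/sysctl.conf`, which is not re-read until the next reboot, so on a fresh host the DNAT rules installed by `wg-quick up` forward nothing until then; `ansible.builtin.sysctl` with `sysctl_set: true` and `reload: true` applies the value immediately and persists it. `ignore_errors: true` on the `wg-quick down` step shows a red failure on every first run where the interface does not exist yet, which `failed_when: false` expresses without the noise, and both `wg-quick` calls can use `ansible.builtin.command` since nothing in them needs a shell. The `args:`/`chdir:`/`tags:` context lines at the top belong to the preceding pi play, which ends outside this hunk.
```yaml
  tasks:
    - name: Enable IP forwarding
      ansible.builtin.sysctl:
        name: net.ipv4.ip_forward
        value: '1'
        sysctl_set: true
        reload: true
    # … unchanged: Install Wireguard task …
    - name: Shutdown Wireguard (remove iptables rules)
      ansible.builtin.command: wg-quick down wg0
      failed_when: false
    - name: Copy Wireguard config
      ansible.builtin.template:
        src: assets/bastion/wg0.conf.j2
        dest: /etc/wireguard/wg0.conf
        owner: root
        group: root
        mode: '0600'
    - name: Enable Wireguard int
      ansible.builtin.command: wg-quick up wg0
```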
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+33623432633737383766613431346364373766336334613365653731373962316330636635356363
+6438326536313065356662336363383438396338393039660a336466316632316262323763633233
+31643766313437366234656334326464363562356231386139333161373031363961333061356138
+3964393366633632640a333563313963356135323761383734373832323333353031343836613938
+65336334613835653564396639343537396463383432356334333538313131616436333664666433
+33666237333837323962646265363963386133646463343234383566313131346330353938396233
+35383434643534306135633161353031356139373137383335633561303539363465633565356462
+35623062316131316435
diff --git a/ansible/inventory/hosts b/ansible/inventory/hosts
index 966bdc0..e3e6b32 100644
--- a/ansible/inventory/hosts
+++ b/ansible/inventory/hosts
@@ -1,2 +1,5 @@
 [rasperrypi]
 basementpi.local ansible_host=10.11.1.10 ansible_ssh_user=root
+
+[bastion]
+51.222.155.202 ansible_ssh_user=root
diff --git a/requirements.txt b/requirements.txt
index 0d48dfc..0618547 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
-ansible==7.1.0
-ansible-core==2.14.1
+ansible==8.7.0
+ansible-core==2.15.11
 cffi==1.15.1
 cryptography==39.0.0
 Jinja2==3.1.2
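Review bot: The new `[bastion]` entry uses `ansible_ssh_user=root`, matching the existing pi line, but as far as I know `ansible_ssh_user` is the legacy alias and `ansible_user` is the current name for the connection variable; `51.222.155.202 ansible_user=root` keeps the behaviour without the deprecated spelling. It is also worth weighing whether the bastion needs to be managed as root directly: the bastion play in this commit uses only package, template, lineinfile and `wg-quick`, all of which run fine under `become: true` from an unprivileged account, which is the usual arrangement for an internet-facing host that also exposes SSH on port 22.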