justus/Homelab-Ansible
1
0
Fork 0
Code Issues 4 Pull Requests 10 Actions Packages Projects Releases Wiki Activity

Updated requirements

Browse Source
This commit is contained in:
Justus Grunow 2024-11-08 17:43:56 -05:00
parent ef8d865b2d
commit 2ae144418b
7 changed files with 96 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
ansible/assets/bastion/wg0.conf Normal file
View File

@ -0,0 +1,23 @@
[Interface]
Address = 10.11.20.1/24
#SaveConfig = true
ListenPort = 51820
PrivateKey = uBjwOBqEeH/2V7qo5GLGQaX159I1YBztzxvYE9pXOnI=
#https://serverfault.com/questions/1162475/iptables-exclude-a-specific-port-from-being-forwarded-to-the-destination
PostUp = iptables -t nat -N Inbound
PostUp = iptables -t nat -A PREROUTING -d 51.222.155.202 -j Inbound
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = iptables -t nat -A Inbound -p tcp --dport 22 -j RETURN
PostUp = iptables -t nat -A Inbound -p tcp --dport 51820 -j RETURN
PostUp = iptables -t nat -A Inbound -p udp --dport 51820 -j RETURN
PostUp = iptables -t nat -A Inbound -s 10.11.1.15 -j RETURN
PostUp = iptables -t nat -A Inbound -j DNAT --to-destination 10.11.1.15 -p tcp --dport 80
PostUp = iptables -t nat -A Inbound -j DNAT --to-destination 10.11.1.15 -p tcp --dport 443
PostDown = iptables -D PREROUTING -d 51.222.155.202 -j Inbound -t nat
PostDown = iptables -D POSTROUTING -o ens3 -j MASQUERADE -t nat
PostDown = iptables -F Inbound -t nat
PostDown = iptables -X Inbound -t nat
[Peer]
PublicKey = 84ITOv/sB0f/h7fIY+uLQeTmMDgTCjvVzIQmEsLAZmo=
AllowedIPs = 10.11.20.2/32,10.11.1.15/32

22
ansible/assets/bastion/wg0.conf.j2 Normal file
View File

@ -0,0 +1,22 @@
[Interface]
Address = {{ wg_interface_ip }}
ListenPort = 51820
PrivateKey = {{ wg_private_key}}
#https://serverfault.com/questions/1162475/iptables-exclude-a-specific-port-from-being-forwarded-to-the-destination
PostUp = iptables -t nat -N Inbound
PostUp = iptables -t nat -A PREROUTING -d {{ public_ip }} -j Inbound
PostUp = iptables -t nat -A POSTROUTING -o {{ wan_interface }} -j MASQUERADE
PostUp = iptables -t nat -A Inbound -p tcp --dport 22 -j RETURN
PostUp = iptables -t nat -A Inbound -p tcp --dport 51820 -j RETURN
PostUp = iptables -t nat -A Inbound -p udp --dport 51820 -j RETURN
PostUp = iptables -t nat -A Inbound -s {{ homeserver_private_ip }} -j RETURN
PostUp = iptables -t nat -A Inbound -j DNAT --to-destination {{ homeserver_private_ip }} -p tcp --dport 80
PostUp = iptables -t nat -A Inbound -j DNAT --to-destination {{ homeserver_private_ip }} -p tcp --dport 443
PostDown = iptables -D PREROUTING -d {{ public_ip }} -j Inbound -t nat
PostDown = iptables -D POSTROUTING -o {{ wan_interface }} -j MASQUERADE -t nat
PostDown = iptables -F Inbound -t nat
PostDown = iptables -X Inbound -t nat
[Peer]
PublicKey = {{ homeserver_wg_public_key }}
AllowedIPs = {{ homeserver_wg_ip }}/32,{{ homeserver_private_ip }}/32

30
ansible/setup.yaml → ansible/buildHomelab.yaml
View File

@ -1,6 +1,6 @@
--- ---
- name: Setup - name: Setup pi
hosts: all hosts: raspberrypi
remote_user: root remote_user: root
vars: vars:
@ -86,3 +86,29 @@
args: args:
chdir: /root/docker chdir: /root/docker
tags: wireguard,docker tags: wireguard,docker
- name: Setup bastion
hosts: bastion
vars:
tags:
- bastion
tasks:
- name: Enable IP forwarding
ansible.builtin.lineinfile:
path: /etc/sysctl.conf
regexp: '^#?.*net\.ipv4\.ip_forward='
line: 'net.ipv4.ip_forward=1'
- name: Install Wireguard
ansible.builtin.package:
name: wireguard
state: present
- name: Shutdown Wireguard (remove iptables rules)
ansible.builtin.shell: wg-quick down wg0
ignore_errors: true
- name: Copy Wireguard config
ansible.builtin.template:
src: assets/bastion/wg0.conf.j2
dest: /etc/wireguard/wg0.conf
- name: Enable Wireguard int
ansible.builtin.shell: wg-quick up wg0

9
ansible/inventory/group_vars/bastion/vars Normal file
View File

@ -0,0 +1,9 @@
---
wg_private_key: "{{ vault_wg_private_key }}"
wg_interface_ip: 10.11.20.1/24
public_ip: 51.222.155.202
wan_interface: ens3
homeserver_private_ip: 10.11.1.15
homeserver_wg_ip: 10.11.20.2
homeserver_wg_public_key: 84ITOv/sB0f/h7fIY+uLQeTmMDgTCjvVzIQmEsLAZmo=

9
ansible/inventory/group_vars/bastion/vault Normal file
View File

@ -0,0 +1,9 @@
$ANSIBLE_VAULT;1.1;AES256
33623432633737383766613431346364373766336334613365653731373962316330636635356363
6438326536313065356662336363383438396338393039660a336466316632316262323763633233
31643766313437366234656334326464363562356231386139333161373031363961333061356138
3964393366633632640a333563313963356135323761383734373832323333353031343836613938
65336334613835653564396639343537396463383432356334333538313131616436333664666433
33666237333837323962646265363963386133646463343234383566313131346330353938396233
35383434643534306135633161353031356139373137383335633561303539363465633565356462
35623062316131316435

3
ansible/inventory/hosts
View File

@ -1,2 +1,5 @@
[rasperrypi] [rasperrypi]
basementpi.local ansible_host=10.11.1.10 ansible_ssh_user=root basementpi.local ansible_host=10.11.1.10 ansible_ssh_user=root
[bastion]
51.222.155.202 ansible_ssh_user=root

4
requirements.txt
View File

@ -1,5 +1,5 @@
ansible==7.1.0 ansible==8.7.0
ansible-core==2.14.1 ansible-core==2.15.11
cffi==1.15.1 cffi==1.15.1
cryptography==39.0.0 cryptography==39.0.0
Jinja2==3.1.2 Jinja2==3.1.2