Updated requirements

2024-11-08 17:43:56 -05:00 · 2024-11-08 17:43:56 -05:00 · 2ae144418b
commit 2ae144418b
parent ef8d865b2d
7 changed files with 96 additions and 4 deletions
--- a/ansible/assets/bastion/wg0.conf
+++ b/ansible/assets/bastion/wg0.conf
@ -0,0 +1,23 @@
+[Interface]
+Address = 10.11.20.1/24
+#SaveConfig = true
+ListenPort = 51820
+PrivateKey = uBjwOBqEeH/2V7qo5GLGQaX159I1YBztzxvYE9pXOnI=
+#https://serverfault.com/questions/1162475/iptables-exclude-a-specific-port-from-being-forwarded-to-the-destination
+PostUp = iptables -t nat -N Inbound
+PostUp = iptables -t nat -A PREROUTING -d 51.222.155.202 -j Inbound
+PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
+PostUp = iptables -t nat -A Inbound -p tcp --dport 22 -j RETURN
+PostUp = iptables -t nat -A Inbound -p tcp --dport 51820 -j RETURN
+PostUp = iptables -t nat -A Inbound -p udp --dport 51820 -j RETURN
+PostUp = iptables -t nat -A Inbound -s 10.11.1.15 -j RETURN
+PostUp = iptables -t nat -A Inbound -j DNAT --to-destination 10.11.1.15 -p tcp --dport 80
+PostUp = iptables -t nat -A Inbound -j DNAT --to-destination 10.11.1.15 -p tcp --dport 443
+PostDown = iptables -D PREROUTING -d 51.222.155.202 -j Inbound -t nat
+PostDown = iptables -D POSTROUTING -o ens3 -j MASQUERADE -t nat
+PostDown = iptables -F Inbound -t nat
+PostDown = iptables -X Inbound -t nat
+
+[Peer]
+PublicKey = 84ITOv/sB0f/h7fIY+uLQeTmMDgTCjvVzIQmEsLAZmo=
+AllowedIPs = 10.11.20.2/32,10.11.1.15/32
--- a/ansible/assets/bastion/wg0.conf.j2
+++ b/ansible/assets/bastion/wg0.conf.j2
@ -0,0 +1,22 @@
+[Interface]
+Address = {{ wg_interface_ip }}
+ListenPort = 51820
+PrivateKey = {{ wg_private_key}}
+#https://serverfault.com/questions/1162475/iptables-exclude-a-specific-port-from-being-forwarded-to-the-destination
+PostUp = iptables -t nat -N Inbound
+PostUp = iptables -t nat -A PREROUTING -d {{ public_ip }} -j Inbound
+PostUp = iptables -t nat -A POSTROUTING -o {{ wan_interface }} -j MASQUERADE
+PostUp = iptables -t nat -A Inbound -p tcp --dport 22 -j RETURN
+PostUp = iptables -t nat -A Inbound -p tcp --dport 51820 -j RETURN
+PostUp = iptables -t nat -A Inbound -p udp --dport 51820 -j RETURN
+PostUp = iptables -t nat -A Inbound -s {{ homeserver_private_ip }} -j RETURN
+PostUp = iptables -t nat -A Inbound -j DNAT --to-destination {{ homeserver_private_ip }} -p tcp --dport 80
+PostUp = iptables -t nat -A Inbound -j DNAT --to-destination {{ homeserver_private_ip }} -p tcp --dport 443
+PostDown = iptables -D PREROUTING -d {{ public_ip }} -j Inbound -t nat
+PostDown = iptables -D POSTROUTING -o {{ wan_interface }} -j MASQUERADE -t nat
+PostDown = iptables -F Inbound -t nat
+PostDown = iptables -X Inbound -t nat
+
+[Peer]
+PublicKey = {{ homeserver_wg_public_key }}
+AllowedIPs = {{ homeserver_wg_ip }}/32,{{ homeserver_private_ip }}/32
--- a/ansible/buildHomelab.yaml
+++ b/ansible/buildHomelab.yaml
@ -1,6 +1,6 @@
 ---
- name: Setup
-  hosts: all
+- name: Setup pi
+  hosts: raspberrypi
  remote_user: root
  vars:

@ -86,3 +86,29 @@
      args:
        chdir: /root/docker
      tags: wireguard,docker
+
+- name: Setup bastion
+  hosts: bastion
+  vars:
+  tags:
+    - bastion
+
+  tasks:
+    - name: Enable IP forwarding
+      ansible.builtin.lineinfile:
+        path: /etc/sysctl.conf
+        regexp: '^#?.*net\.ipv4\.ip_forward='
+        line: 'net.ipv4.ip_forward=1'
+    - name: Install Wireguard
+      ansible.builtin.package:
+        name: wireguard
+        state: present
+    - name: Shutdown Wireguard (remove iptables rules)
+      ansible.builtin.shell: wg-quick down wg0
+      ignore_errors: true
+    - name: Copy Wireguard config
+      ansible.builtin.template:
+        src: assets/bastion/wg0.conf.j2
+        dest: /etc/wireguard/wg0.conf
+    - name: Enable Wireguard int
+      ansible.builtin.shell: wg-quick up wg0
--- a/ansible/inventory/group_vars/bastion/vars
+++ b/ansible/inventory/group_vars/bastion/vars
@ -0,0 +1,9 @@
+---
+wg_private_key: "{{ vault_wg_private_key }}"
+wg_interface_ip: 10.11.20.1/24
+
+public_ip: 51.222.155.202
+wan_interface: ens3
+homeserver_private_ip: 10.11.1.15
+homeserver_wg_ip: 10.11.20.2 
+homeserver_wg_public_key: 84ITOv/sB0f/h7fIY+uLQeTmMDgTCjvVzIQmEsLAZmo=
--- a/ansible/inventory/group_vars/bastion/vault
+++ b/ansible/inventory/group_vars/bastion/vault
@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+33623432633737383766613431346364373766336334613365653731373962316330636635356363
+6438326536313065356662336363383438396338393039660a336466316632316262323763633233
+31643766313437366234656334326464363562356231386139333161373031363961333061356138
+3964393366633632640a333563313963356135323761383734373832323333353031343836613938
+65336334613835653564396639343537396463383432356334333538313131616436333664666433
+33666237333837323962646265363963386133646463343234383566313131346330353938396233
+35383434643534306135633161353031356139373137383335633561303539363465633565356462
+35623062316131316435
--- a/ansible/inventory/hosts
+++ b/ansible/inventory/hosts
@ -1,2 +1,5 @@
 [rasperrypi]
 basementpi.local ansible_host=10.11.1.10 ansible_ssh_user=root
+
+[bastion]
+51.222.155.202 ansible_ssh_user=root
--- a/requirements.txt
+++ b/requirements.txt
@ -1,5 +1,5 @@
-ansible==7.1.0
-ansible-core==2.14.1
+ansible==8.7.0
+ansible-core==2.15.11
 cffi==1.15.1
 cryptography==39.0.0
 Jinja2==3.1.2