From 125ec09c8fe9d041ba0ba01429c0f08969fe406f Mon Sep 17 00:00:00 2001
From: Alex Tavarez
Date: Fri, 19 Jun 2026 19:04:54 -0400
Subject: [PATCH] migrated DSNet tasks to own task file in role, as opposed to having it in relevant playbook
---
 .../tasks/contingent/pkg/dsnet.yml | 147 ++++++++++++++++++
 1 file changed, 147 insertions(+)
 create mode 100644 roles/init-server/tasks/contingent/pkg/dsnet.yml
diff --git a/roles/init-server/tasks/contingent/pkg/dsnet.yml b/roles/init-server/tasks/contingent/pkg/dsnet.yml
new file mode 100644
index 0000000..e7fb4a8
--- /dev/null
+++ b/roles/init-server/tasks/contingent/pkg/dsnet.yml
@@ -0,0 +1,147 @@
+- name: Acquiring home of current user
+ when: ansible_facts["system"] == "Linux"
+ ansible.builtin.shell:
+ cmd: "echo ~{{ ansible_user }}"
+ register: ansible_user_home
+- name: Acquiring current user
+ when: ansible_facts["system"] == "Linux"
+ ansible.builtin.shell:
+ cmd: "echo {{ ansible_user }}"
+ register: current_user
+- name: Initializing DSNet
+ become: true
+ ansible.builtin.command:
+ cmd: dsnet init
+- name: Running DSNet VPN service interface
+ become: true
+ ansible.builtin.command:
+ cmd: dsnet up
+- name: Creating a directory to house VPN service client configurations
+ ansible.builtin.file:
+ path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d"
+ recurse: true
+ owner: "{{ ansible_user }}"
+ group: "{{ ansible_user }}"
+ mode: "755"
+ state: directory
+- name: Adding peer device for DSNet VPN service interface
+ become: true
+ ansible.builtin.shell:
+ cmd: "dsnet add {{ item.name }}{{ idx }} --owner {{ current_user.stdout }} --description 'For {{ item.name }}--{{ item.desc }}' --confirm > {{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
+ creates: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ idx }}.conf"
+ loop: "{{ vpn_server.clients }}"
+ loop_control:
+ index_var: idx
+- name: Changing ownership of consequent DSNet VPN service client configurations
+ ansible.builtin.file:
+ path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
+ owner: "{{ ansible_user }}"
+ group: "{{ ansible_user }}"
+ state: file
+ loop: "{{ vpn_server.clients }}"
+ loop_control:
+ index_var: idx
+- name: Pausing to inquire about how to proceed
+ ansible.builtin.pause:
+ prompt: "Type \"fetch\" to get the DSNet VPN service client configuration files, or \"show\" to see their contents for manual copying instead"
+ echo: true
+ register: data_method
+- name: Presenting DSNet VPN service client configuration files to control node for copying
+ when: data_method.user_input == "show"
+ block:
+ - name: Acquiring contents of DSNet VPN service client configuration files
+ ansible.builtin.slurp:
+ src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
+ loop: "{{ vpn_server.clients }}"
+ loop_control:
+ index_var: idx
+ register: vpn_client_configs
+ - name: Presenting contents of DSNet VPN service client configurations to control node
+ ansible.builtin.debug:
+ msg: "Copy this client configuration of the DSNet VPN service:\n {{ item.content }}"
+ loop: "{{ vpn_client_configs.results }}"
+ - name: Giving opportunity to manually copy contents of DSNet VPN service client configuration files
+ ansible.builtin.pause:
+- name: Providing DSNet VPN service client configuration files to control node machine
+ when: data_method.user_input == "fetch"
+ block:
+ - name: Dupliciating DSNet VPN service client configuration files to control node
+ ansible.builtin.fetch:
+ src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
+ dest: "./.tmp/{{ inventory_hostname }}-dsnet/wg/"
+ flat: true
+ loop: "{{ vpn_server.clients }}"
+ loop_control:
+ index_var: idx
+ - name: Informing control node of acquired files
+ ansible.builtin.debug:
+ msg: "The DSNet VPS service client configuration files have been duplicated to '/var/tmp/{{ inventory_hostname }}/wg/' at the control node."
+ - name: Giving control node user time to read the aforementiioned message
+ ansible.builtin.pause:
+ seconds: 30
+- name: Ensuring IP forwarding is allowed
+ become: true
+ ansible.posix.sysctl:
+ name: "net.{{ item }}.ip_forward"
+ value: "1"
+ sysctl_set: true
+ state: present
+ loop:
+ - ipv4
+ # - ipv6
+- name: Creating SystemD unit for placing up DSNet interface
+ become: true
+ ansible.builtin.copy:
+ src: systemd/system/dsnet.service
+ dest: /etc/systemd/system/dsnet.service
+ owner: root
+ group: root
+ force: true
+ backup: true
+- name: Reloading SystemD and enabling DSNet interface
+ become: true
+ ansible.builtin.systemd_service:
+ name: dsnet
+ enabled: true
+ daemon_reload: true
+- name: Copying script for DSNet iptables rules
+ become: true
+ ansible.builtin.copy:
+ src: usr/local/bin/dsnet-forward.sh
+ dest: /usr/local/bin/
+ owner: root
+ group: root
+ mode: "744"
+ force: true
+ backup: true
+- name: Creating SystemD unit for DSNet iptables rules
+ become: true
+ ansible.builtin.copy:
+ src: systemd/system/thrunet.service
+ dest: /etc/systemd/system/thrunet.service
+ owner: root
+ group: root
+ force: true
+ backup: true
+- name: Reloading SystemD and enabling iptables rules SystemD unit
+ become: true
+ ansible.builtin.systemd_service:
+ name: thrunet
+ enabled: true
+ daemon_reload: true
+- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
+ become: true
+ ansible.builtin.iptables:
+ chain: FORWARD
+ protocol: "{{ item[0][0] }}"
+ source_port: "{{ item[0][1] }}"
+ in_interface: "{{ item[1] }}"
+ jump: ACCEPT
+ loop: "{{ vpn_server.forwards | product([vpn_server.interface]) }}"
+- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
+ become: true
+ ansible.builtin.iptables:
+ table: nat
+ chain: POSTROUTING
+ out_interface: "{{ vpn_server.interface }}"
+ jump: MASQUERADE
\ No newline at end of file
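Review bot: The per-client `.conf` files produced by the `dsnet add … > …/.wg/authorized_clients.d/….conf` shell redirection get whatever mode the root shell's umask yields (typically world-readable), and the follow-up task "Changing ownership of consequent DSNet VPN service client configurations" only sets `owner`/`group` while the directory task sets `mode: "755"`, so peer configuration (which presumably carries the peer's private key) stays readable by every local account; add `mode: "0600"` to that `ansible.builtin.file` task and use `mode: "0700"` on the `authorized_clients.d` directory. The same `dsnet add` command splices `item.name` and `item.desc` into a shell string with hand-written single quotes, so a quote in a `vpn_server.clients` entry breaks the command; pass the values through Ansible's `quote` filter (e.g. `{{ item.desc | quote }}`) rather than wrapping them in literal `'…'`. Separately, the "Informing control node of acquired files" message names `/var/tmp/{{ inventory_hostname }}/wg/` while the `fetch` task writes to `./.tmp/{{ inventory_hostname }}-dsnet/wg/`, so one of the two needs correcting. Both the `fetch` branch and the `debug` of `item.content` in the "show" branch move that key material onto the control node (the latter into Ansible's log output); a short comment above the "Pausing to inquire about how to proceed" task stating this, so operators know where the files land and that `.tmp/` must not be committed, would help.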