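---
# Bootstraps a freshly provisioned VPS: installs packages through the
# init-server role, locks the root account, configures git aliases and stands
# up a WireGuard VPN (only the dsnet driver is implemented so far), then hands
# the generated client configurations back to the operator.
#
# Inputs come from the vars files below: pkgs (package groups with optional
# userspace/core lists), git_aliases ([name, value] pairs) and vpn_server
# (driver.name, driver.version, interface, clients[].name/desc, forwards).
- name: Initialize VPS
  hosts: "{{ chosen_host | default('sukaato') }}"
  remote_user: "{{ chosen_user | default('senpai') }}"
  vars_files:
    - vars/git_aliases.yml # REQUIRED
    - vars/vpn_server.yml # REQUIRED
    - "vars/config@{{ inventory_hostname | default('vps') }}.yml"
  tasks:
    - name: Installing requisite packages
      ansible.builtin.include_role:
        name: init-server
        tasks_from: userspace@install-pkgs
        handlers_from: userspace

    # The next two tasks only read state; changed_when: false stops them from
    # reporting a change on every run.
    - name: Acquiring home of current user
      when: ansible_facts["system"] == "Linux"
      ansible.builtin.shell:
        cmd: "echo ~{{ ansible_user }}"
      register: ansible_user_home
      changed_when: false

    - name: Acquiring current user
      when: ansible_facts["system"] == "Linux"
      ansible.builtin.shell:
        cmd: "echo {{ ansible_user }}"
      register: current_user
      changed_when: false

    - name: Disabling root user shell login
      become: true
      ansible.builtin.user:
        name: root
        shell: /sbin/nologin
      tags:
        - disable_root_shell

    # "*" is the conventional lock marker: it can never match a hash, so
    # password authentication for root is impossible. The previous value
    # "'*'" wrote the literal quote characters into the shadow field, which
    # also blocks login but trips the module's "password not hashed" warning.
    - name: Disable login for root user altogether
      become: true
      ansible.builtin.user:
        name: root
        password: "*"
      tags:
        - disable_root_login

    # - name: Debugging
    #   ansible.builtin.debug:
    #     msg: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='userspace', default='no_userspace') | list | flatten | reject('search', 'no_userspace') | list }}"
    # - name: Prematurely ending play
    #   ansible.builtin.meta: end_play

    # pkgs maps a group name to a dict with optional `userspace` / `core`
    # lists. Groups lacking the key yield a sentinel that is filtered out
    # after flattening, leaving one plain list per kind.
    - name: Reorganizing userspace package groups into single list
      ansible.builtin.set_fact:
        all_userspace_pkgs: >-
          {{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs')
          | map(attribute='pkgs') | list
          | map(attribute='userspace', default='no_userspace') | list
          | flatten | reject('search', 'no_userspace') | list }}

    - name: Reorganizing core package groups into single list
      ansible.builtin.set_fact:
        all_core_pkgs: >-
          {{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs')
          | map(attribute='pkgs') | list
          | map(attribute='core', default='no_core') | list
          | flatten | reject('search', 'no_core') | list }}

    # Runs as the login user (no become), so this edits that user's
    # ~/.gitconfig.
    - name: Configuring aliases for using git
      when: "'git' in all_core_pkgs"
      community.general.git_config:
        name: "alias.{{ item[0] }}"
        scope: global
        value: "{{ item[1] }}"
      loop: "{{ git_aliases }}"

    - name: Creating Wireguard VPS VPN service
      block:
        - name: Ensuring IP forwarding is allowed
          become: true
          ansible.posix.sysctl:
            name: "net.{{ item }}.conf.all.forwarding"
            value: "1"
            sysctl_set: true
            state: present
          loop:
            - ipv4
            - ipv6

        # The client configs written here carry each peer's WireGuard private
        # key, so the directory is owner-only. `recurse` was dropped: it would
        # re-apply the directory mode (including the execute bit) to every
        # config file on each run; parent directories are still created.
        - name: Creating a directory to house VPN service client configurations
          ansible.builtin.file:
            path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d"
            owner: "{{ ansible_user }}"
            group: "{{ ansible_user }}"
            mode: "0700"
            state: directory

        - name: Get the current hostname of the machine
          ansible.builtin.command:
            cmd: hostname
          register: current_hostname
          changed_when: false

        - name: Starting DSNet-based Wireguard VPN service configuration
          when: vpn_server.driver.name == "dsnet"
          block:
            # NOTE(review): the release asset is installed as root without any
            # integrity check. Pin it with get_url's `checksum: sha256:...`
            # (kept next to driver.version in the vars file) so a replaced or
            # tampered download cannot become /usr/bin/dsnet.
            - name: Getting DSNet binary application
              become: true
              ansible.builtin.get_url:
                url: "https://github.com/naggie/dsnet/releases/download/{{ vpn_server.driver.version }}/dsnet-linux-amd64"
                dest: /usr/bin/dsnet
                owner: root
                group: root
                mode: "0744"
                force: true
                backup: true

            # `creates` skips re-initialisation on later runs (dsnet's default
            # config path; adjust if dsnet is configured to store it elsewhere).
            - name: Initializing DSNet
              become: true
              ansible.builtin.command:
                cmd: dsnet init
                creates: /etc/dsnetconfig.json

            # NOTE(review): `dsnet up` runs on every play and is not guarded
            # for an interface that is already up.
            - name: Running DSNet VPN service interface
              become: true
              ansible.builtin.command:
                cmd: dsnet up

            # umask 077 makes the redirected config 0600 from the moment it is
            # created (the redirection happens before dsnet runs, as root). If
            # `dsnet add` fails the partial file is removed, otherwise `creates`
            # would silently skip the peer on every following run. The
            # description goes through `quote` so a quote character in
            # item.desc cannot escape the shell argument.
            - name: Adding peer device for DSNet VPN service interface
              become: true
              ansible.builtin.shell:
                cmd: >-
                  umask 077 &&
                  dsnet add {{ (item.name ~ idx) | quote }}
                  --owner {{ current_user.stdout | quote }}
                  --description {{ ('For ' ~ current_hostname.stdout ~ '--' ~ item.desc) | quote }}
                  --confirm > {{ client_conf | quote }}
                  || { rm -f {{ client_conf | quote }}; exit 1; }
                creates: "{{ client_conf }}"
              vars:
                client_conf: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ idx }}.conf"
              loop: "{{ vpn_server.clients }}"
              loop_control:
                index_var: idx

            - name: Changing ownership of consequent DSNet VPN service client configurations
              become: true
              ansible.builtin.file:
                path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ idx }}.conf"
                owner: "{{ ansible_user }}"
                group: "{{ ansible_user }}"
                mode: "0600"
                state: file
              loop: "{{ vpn_server.clients }}"
              loop_control:
                index_var: idx

            - name: Pausing to inquire about how to proceed
              ansible.builtin.pause:
                prompt: "Type \"fetch\" to get the DSNet VPN service client configuration files, or \"show\" to see their contents for manual copying instead"
                echo: true
              register: data_method

            - name: Presenting DSNet VPN service client configuration files to control node for copying
              when: data_method.user_input == "show"
              block:
                # no_log keeps the (base64) private keys out of this task's
                # result output; the debug task below prints them deliberately.
                - name: Acquiring contents of DSNet VPN service client configuration files
                  ansible.builtin.slurp:
                    src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ idx }}.conf"
                  loop: "{{ vpn_server.clients }}"
                  loop_control:
                    index_var: idx
                  register: vpn_client_configs
                  no_log: true

                # slurp returns base64; without b64decode the operator was shown
                # an opaque blob instead of the wg-quick config to copy.
                - name: Presenting contents of DSNet VPN service client configurations to control node
                  ansible.builtin.debug:
                    msg: "Copy this client configuration of the DSNet VPN service:\n {{ item.content | b64decode }}"
                  loop: "{{ vpn_client_configs.results }}"
                  loop_control:
                    label: "{{ item.source }}"

                - name: Giving opportunity to manually copy contents of DSNet VPN service client configuration files
                  ansible.builtin.pause:

            - name: Providing DSNet VPN service client configuration files to control node machine
              when: data_method.user_input == "fetch"
              block:
                # NOTE(review): /var/tmp is shared with every local user on the
                # control node and fetch cannot set a file mode, so the copied
                # configs (private keys included) land with the default umask.
                # A directory under the operator's home is the safer target.
                - name: Duplicating DSNet VPN service client configuration files to control node
                  ansible.builtin.fetch:
                    src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ idx }}.conf"
                    dest: "/var/tmp/{{ inventory_hostname }}/wg/"
                    flat: true
                  loop: "{{ vpn_server.clients }}"
                  loop_control:
                    index_var: idx

                - name: Informing control node of acquired files
                  ansible.builtin.debug:
                    msg: "The DSNet VPS service client configuration files have been duplicated to '/var/tmp/{{ inventory_hostname }}/wg/' at the control node."

                - name: Giving control node user time to read the aforementioned message
                  ansible.builtin.pause:
                    seconds: 30

            # @TODO create tasks for registering and presenting contents of just created files

        # NOTE(review): rules added by ansible.builtin.iptables are not
        # persisted across reboots; pair with netfilter-persistent or
        # equivalent. `source_port` matches the remote peer's port; if the
        # intent is to allow traffic *to* a service port, `destination_port`
        # is the usual parameter — confirm against vpn_server.forwards. Whether
        # return traffic also needs an ESTABLISHED,RELATED rule depends on the
        # FORWARD default policy, which this play does not set.
        - name: Forwarding network traffic on certain ports to Wireguard VPS service interface
          become: true
          ansible.builtin.iptables:
            chain: FORWARD
            protocol: "{{ item[0][0] }}"
            source_port: "{{ item[0][1] }}"
            in_interface: "{{ item[1] }}"
            jump: ACCEPT
          loop: "{{ vpn_server.forwards | product([vpn_server.interface]) }}"

        - name: Masquerading forwarded traffic leaving the Wireguard VPS service interface
          become: true
          ansible.builtin.iptables:
            table: nat
            chain: POSTROUTING
            out_interface: "{{ vpn_server.interface }}"
            jump: MASQUERADE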