173 lines
8.3 KiB
YAML
173 lines
8.3 KiB
YAML
- name: Initialize VPS
|
|
hosts: "{{ chosen_host | default('sukaato') }}"
|
|
remote_user: "{{ chosen_user | default('senpai') }}"
|
|
vars_files:
|
|
- vars/git_aliases.yml # REQUIRED
|
|
- vars/vpn_server.yml # REQUIRED
|
|
- vars/config@{{ inventory_hostname | default('vps') }}.yml
|
|
tasks:
|
|
- name: Installing requisite packages
|
|
ansible.builtin.include_role:
|
|
name: init-server
|
|
tasks_from: userspace@install-pkgs
|
|
handlers_from: userspace
|
|
- name: Acquiring home of current user
|
|
when: ansible_facts["system"] == "Linux"
|
|
ansible.builtin.shell:
|
|
cmd: "echo ~{{ ansible_user }}"
|
|
register: ansible_user_home
|
|
- name: Acquiring current user
|
|
when: ansible_facts["system"] == "Linux"
|
|
ansible.builtin.shell:
|
|
cmd: "echo {{ ansible_user }}"
|
|
register: current_user
|
|
- name: Disabling root user shell login
|
|
become: true
|
|
ansible.builtin.user:
|
|
name: root
|
|
shell: /sbin/nologin
|
|
tags:
|
|
- disable_root_shell
|
|
- name: Disable login for root user altogether
|
|
become: true
|
|
ansible.builtin.user:
|
|
name: root
|
|
password: "'*'"
|
|
tags:
|
|
- disable_root_login
|
|
# - name: Debugging
|
|
# ansible.builtin.debug:
|
|
# msg: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='userspace', default='no_userspace') | list | flatten | reject('search', 'no_userspace') | list }}"
|
|
# - name: Prematurely ending play
|
|
# ansible.builtin.meta: end_play
|
|
- name: Reorganizing userspace package groups into single list
|
|
ansible.builtin.set_fact:
|
|
all_userspace_pkgs: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='userspace', default='no_userspace') | list | flatten | reject('search', 'no_userspace') | list }}"
|
|
- name: Reorganizing core package groups into single list
|
|
ansible.builtin.set_fact:
|
|
all_core_pkgs: "{{ pkgs | dict2items(key_name='pkg_group', value_name='pkgs') | map(attribute='pkgs') | list | map(attribute='core', default='no_core') | list | flatten | reject('search', 'no_core') | list }}"
|
|
- name: Configuring aliases for using git
|
|
when: "'git' in all_core_pkgs"
|
|
community.general.git_config:
|
|
name: "alias.{{ item[0] }}"
|
|
scope: global
|
|
value: "{{ item[1] }}"
|
|
loop: "{{ git_aliases }}"
|
|
- name: Creating Wireguard VPS VPN service
|
|
block:
|
|
- name: Ensuring IP forwarding is allowed
|
|
become: true
|
|
ansible.posix.sysctl:
|
|
name: "net.{{ item }}.conf.all.forwarding"
|
|
value: "1"
|
|
sysctl_set: true
|
|
state: present
|
|
loop:
|
|
- ipv4
|
|
- ipv6
|
|
- name: Creating a directory to house VPN service client configurations
|
|
ansible.builtin.file:
|
|
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d"
|
|
recurse: true
|
|
owner: "{{ ansible_user }}"
|
|
group: "{{ ansible_user }}"
|
|
mode: "755"
|
|
state: directory
|
|
- name: Get the current hostname of the machine
|
|
ansible.builtin.shell:
|
|
cmd: "echo $(hostname)"
|
|
register: current_hostname
|
|
- name: Starting DSNet-based Wireguard VPN service configuration
|
|
when: vpn_server.driver.name == "dsnet"
|
|
block:
|
|
- name: Getting DSNet binary application
|
|
become: true
|
|
ansible.builtin.get_url:
|
|
url: "https://github.com/naggie/dsnet/releases/download/{{ vpn_server.driver.version }}/dsnet-linux-amd64"
|
|
dest: /usr/bin/dsnet
|
|
owner: root
|
|
group: root
|
|
mode: "744"
|
|
force: true
|
|
backup: true
|
|
- name: Initializing DSNet
|
|
become: true
|
|
ansible.builtin.command:
|
|
cmd: dsnet init
|
|
- name: Running DSNet VPN service interface
|
|
become: true
|
|
ansible.builtin.command:
|
|
cmd: dsnet up
|
|
- name: Adding peer device for DSNet VPN service interface
|
|
become: true
|
|
ansible.builtin.shell:
|
|
cmd: "dsnet add {{ item.name }}{{ idx }} --owner {{ current_user.stdout }} --description 'For {{ current_hostname.stdout }}--{{ item.desc }}' --confirm > {{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
|
|
creates: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ idx }}.conf"
|
|
loop: "{{ vpn_server.clients }}"
|
|
loop_control:
|
|
index_var: idx
|
|
- name: Changing ownership of consequent DSNet VPN service client configurations
|
|
become: true
|
|
ansible.builtin.file:
|
|
path: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
|
|
owner: "{{ ansible_user }}"
|
|
group: "{{ ansible_user }}"
|
|
state: file
|
|
loop: "{{ vpn_server.clients }}"
|
|
loop_control:
|
|
index_var: idx
|
|
- name: Pausing to inquire about how to proceed
|
|
ansible.builtin.pause:
|
|
prompt: "Type \"fetch\" to get the DSNet VPN service client configuration files, or \"show\" to see their contents for manual copying instead"
|
|
echo: true
|
|
register: data_method
|
|
- name: Presenting DSNet VPN service client configuration files to control node for copying
|
|
when: data_method.user_input == "show"
|
|
block:
|
|
- name: Acquiring contents of DSNet VPN service client configuration files
|
|
ansible.builtin.slurp:
|
|
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
|
|
loop: "{{ vpn_server.clients }}"
|
|
loop_control:
|
|
index_var: idx
|
|
register: vpn_client_configs
|
|
- name: Presenting contents of DSNet VPN service client configurations to control node
|
|
ansible.builtin.debug:
|
|
msg: "Copy this client configuration of the DSNet VPN service:\n {{ item.content }}"
|
|
loop: "{{ vpn_client_configs.results }}"
|
|
- name: Giving opportunity to manually copy contents of DSNet VPN service client configuration files
|
|
ansible.builtin.pause:
|
|
- name: Providing DSNet VPN service client configuration files to control node machine
|
|
when: data_method.user_input == "fetch"
|
|
block:
|
|
- name: Dupliciating DSNet VPN service client configuration files to control node
|
|
ansible.builtin.fetch:
|
|
src: "{{ ansible_user_home.stdout }}/.wg/authorized_clients.d/{{ item.name }}{{ (idx | string) }}.conf"
|
|
dest: "/var/tmp/{{ inventory_hostname }}/wg/"
|
|
flat: true
|
|
loop: "{{ vpn_server.clients }}"
|
|
loop_control:
|
|
index_var: idx
|
|
- name: Informing control node of acquired files
|
|
ansible.builtin.debug:
|
|
msg: "The DSNet VPS service client configuration files have been duplicated to '/var/tmp/{{ inventory_hostname }}/wg/' at the control node."
|
|
- name: Giving control node user time to read the aforementiioned message
|
|
ansible.builtin.pause:
|
|
seconds: 30
|
|
# @TODO create tasks for registering and presenting contents of just created files
|
|
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
|
|
become: true
|
|
ansible.builtin.iptables:
|
|
chain: FORWARD
|
|
protocol: "{{ item[0][0] }}"
|
|
source_port: "{{ item[0][1] }}"
|
|
in_interface: "{{ item[1] }}"
|
|
jump: ACCEPT
|
|
loop: "{{ vpn_server.forwards | product([vpn_server.interface]) }}"
|
|
- name: Forwarding network traffic on certain ports to Wireguard VPS service interface
|
|
become: true
|
|
ansible.builtin.iptables:
|
|
table: nat
|
|
chain: POSTROUTING
|
|
out_interface: "{{ vpn_server.interface }}"
|
|
jump: MASQUERADE |