Bugfixing and tidying up some things

This commit is contained in:
Stefan Hoffmann 2023-04-16 17:35:22 +02:00
parent 6eaacaf2a8
commit 68d49c65b0
Signed by: stefan
GPG Key ID: 8EFC7042BF8D5CDD
8 changed files with 75 additions and 39 deletions

View File

@ -32,12 +32,12 @@
key: "{{ lookup('file', 'files/'+ item + '.key.pub') }}"
with_items: "{{ users }}"
- name: Allow 'wheel' group to have passwordless sudo
- name: Allow 'sudo' group to have passwordless sudo
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%wheel'
line: '%wheel ALL=(ALL) NOPASSWD: ALL'
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: '/usr/sbin/visudo -cf %s'
# Install basic packages for Ubuntu minimal Systems

View File

@ -5,32 +5,24 @@
table: nat
source: "{{ internal_network }}"
jump: MASQUERADE
register: iptables
- ansible.posix.sysctl:
- name: Enable kernel panic reboots
ansible.posix.sysctl:
name: kernel.panic
value: '1'
sysctl_file: /etc/sysctl.conf
- ansible.posix.sysctl:
- name: Enable IPv4 forwarding
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: true
state: present
reload: true
- ansible.posix.sysctl:
- name: Enable IPv6 forwarding
ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding
value: '1'
sysctl_set: true
state: present
reload: true
- ansible.posix.sysctl:
name: net.ipv6.conf.ens19.proxy_ndp
value: '1'
sysctl_set: true
state: present
reload: true
- name: Create Routing Table 42
ansible.builtin.lineinfile:
@ -63,12 +55,22 @@
owner: root
group: root
mode: 755
register: netplan_config
- name: saveip6tables
ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
when: iptables.changed
- name: saveip4tables
ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
when: iptables.changed
- name: Apply Netplan
ansible.builtin.shell: netplan apply
ansible.builtin.shell: netplan apply
when: netplan_config.changed
- name: Enable Proxy_NDP on interface ens19
ansible.posix.sysctl:
name: net.ipv6.conf.ens19.proxy_ndp
value: '1'
sysctl_set: true

View File

@ -0,0 +1,28 @@
---
- name: Install required system packages
apt:
name:
- apt-transport-https
- ca-certificates
- curl
- software-properties-common
state: latest
update_cache: true
- name: Add Docker GPG apt Key
apt_key:
url: https://download.docker.com/linux/ubuntu/gpg
state: present
- name: Add Docker Repository
apt_repository:
repo: deb https://download.docker.com/linux/ubuntu jammy stable
state: present
- name: Update apt and install docker-ce
apt:
name:
- docker-ce
- docker-compose
state: latest
update_cache: true

View File

@ -20,8 +20,10 @@
owner: root
group: root
mode: '0775'
register: openitcockpit_config
- name: Restart service httpd, in all cases
ansible.builtin.service:
name: openitcockpit-agent
state: restarted
when: openitcockpit_config.changed

View File

@ -0,0 +1,9 @@
#!/bin/sh
ip rule add fwmark 0x4 table 42
iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4
routeExists=$(ip route show table 42 | grep '172.16.7.1')
if [ -z "$routeExists" ]; then
ip route add default via 172.16.7.1 table 42
fi

View File

@ -1,20 +1,5 @@
---
- name: restart wireguard
- name: reconfigure wireguard
ansible.builtin.service:
name: "wg-quick@vpn01"
state: "{{ item }}"
loop:
- stopped
- started
listen: "reconfigure wireguard"
- name: syncconf wireguard
ansible.builtin.shell: |
set -o errexit
set -o pipefail
set -o nounset
systemctl is-active wg-quick@vpn01 || systemctl start wg-quick@vpn01
wg syncconf vpn01 <(wg-quick strip /etc/wireguard/vpn01.conf)
exit 0
args:
executable: "/bin/bash"
listen: "reconfigure wireguard"
state: restarted

View File

@ -84,8 +84,18 @@
notify:
- reconfigure wireguard
- name: Copy PostUp Script
ansible.builtin.copy:
src: postup.sh
dest: /etc/wireguard/postup.sh
mode: 755
tags:
- wg-config
notify:
- reconfigure wireguard
- name: Start and enable WireGuard service
ansible.builtin.service:
name: "wg-quick@vpn01"
state: "started"
enabled: "yes"
state: started
enabled: yes

View File

@ -9,7 +9,7 @@ PrivateKey = {{ wireguard_private_key }}
ListenPort = {{ wireguard_port }}
MTU = 1380
PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42
PostUp = /etc/wireguard/postup.sh
PostDown = ip route del default via 172.16.7.1 table 42