Bugfixing and tidying up some things
							parent
									6eaacaf2a8
						commit
						68d49c65b0
				@ -32,12 +32,12 @@
    key: "{{ lookup('file', 'files/'+ item + '.key.pub') }}"
  with_items: "{{ users }}"
- name: Allow 'wheel' group to have passwordless sudo
- name: Allow 'sudo' group to have passwordless sudo
  lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^%wheel'
    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
    regexp: '^%sudo'
    line: '%sudo ALL=(ALL) NOPASSWD: ALL'
    validate: '/usr/sbin/visudo -cf %s'
# Install basic packages for Ubuntu minimal Systems
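Review bot: Pointing the regexp at `'^%sudo'` makes lineinfile overwrite Ubuntu's stock `%sudo ALL=(ALL:ALL) ALL` entry, so every member of the default admin group gets passwordless root, not only the accounts this role manages; if that is intended it deserves a comment on the task, otherwise grant NOPASSWD to a dedicated group instead. Hosts provisioned by the previous version still carry the `%wheel ALL=(ALL) NOPASSWD: ALL` line, because lineinfile only touches what `^%sudo` matches; a follow-up task with `state: absent` removes it. Keeping `validate: '/usr/sbin/visudo -cf %s'` on both tasks is what prevents a malformed sudoers from locking everyone out. The enclosing task list starts before this hunk.
```yaml
- name: Remove the obsolete 'wheel' passwordless-sudo rule
  lineinfile:
    path: /etc/sudoers
    state: absent
    regexp: '^%wheel'
    validate: '/usr/sbin/visudo -cf %s'
```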
@ -5,32 +5,24 @@
    table: nat
    source: "{{ internal_network }}"
    jump: MASQUERADE
  register: iptables
- ansible.posix.sysctl:
- name: Enable kernel panic reboots
  ansible.posix.sysctl:
    name: kernel.panic
    value: '1'
    sysctl_file: /etc/sysctl.conf
- ansible.posix.sysctl:
- name: Enable IPv4 forwarding
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: true
    state: present
    reload: true
- ansible.posix.sysctl:
- name: Enable IPv6 forwarding
  ansible.posix.sysctl:
    name: net.ipv6.conf.all.forwarding
    value: '1'
    sysctl_set: true
    state: present
    reload: true
- ansible.posix.sysctl:
    name: net.ipv6.conf.ens19.proxy_ndp
    value: '1'
    sysctl_set: true
    state: present
    reload: true
- name: Create Routing Table 42
  ansible.builtin.lineinfile:
@ -63,12 +55,22 @@
    owner: root
    group: root
    mode: 755
  register: netplan_config
- name: saveip6tables
  ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
  when: iptables.changed
- name: saveip4tables
  ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
  when: iptables.changed
  
- name: Apply Netplan
  ansible.builtin.shell: netplan apply
  ansible.builtin.shell: netplan apply
  when: netplan_config.changed
- name: Enable Proxy_NDP on interface ens19
  ansible.posix.sysctl:
    name: net.ipv6.conf.ens19.proxy_ndp
    value: '1'
    sysctl_set: true
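Review bot: The new `saveip4tables`/`saveip6tables` tasks dump the entire live ruleset into `/etc/iptables/rules.v4` and `rules.v6` whenever the MASQUERADE task registered as `iptables` changed, so the persisted file also captures whatever else is loaded at that moment — on this host presumably the PREROUTING MARK rule that `roles/21-install-wireguard/files/postup.sh` inserts while the tunnel is up — which makes the saved state depend on tunnel state at run time; if only this role's rules are meant to be persisted, restrict the dump (`iptables-save -t nat > /etc/iptables/rules.v4`) or manage the file from a template. Gating `ip6tables-save` on a change to an IPv4 nat rule looks accidental; either register the IPv6 tasks separately or drop that `when`. The new `Enable Proxy_NDP on interface ens19` task hard-codes the interface inside the sysctl key; a role variable (`name: "net.ipv6.conf.{{ wan_iface }}.proxy_ndp"`, variable name constructed) keeps the role portable. The enclosing task list continues outside this hunk.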
										28
								roles/21-docker/tasks/main.yml
										Normal file
							@ -0,0 +1,28 @@
---
- name: Install required system packages
  apt:
    name:
      - apt-transport-https
      - ca-certificates
      - curl
      - software-properties-common
    state: latest
    update_cache: true
- name: Add Docker GPG apt Key
  apt_key:
    url: https://download.docker.com/linux/ubuntu/gpg
    state: present
- name: Add Docker Repository
  apt_repository:
    repo: deb https://download.docker.com/linux/ubuntu jammy stable
    state: present
- name: Update apt and install docker-ce
  apt:
    name: 
      - docker-ce
      - docker-compose
    state: latest
    update_cache: true
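Review bot: `apt_key` with only `url:` trusts whatever key the download returns without checking its fingerprint, and the module's own documentation notes that apt-key is deprecated on current Ubuntu; pin it with `id: <DOCKER_KEY_FINGERPRINT>` (placeholder — take the value from Docker's published key) or fetch the key into `/etc/apt/keyrings/docker.asc` and reference it with `[signed-by=…]` in the repo line. `state: latest` on both apt tasks upgrades `docker-ce` to whatever the repository serves on each run, so the play is neither idempotent nor pinned; `state: present` with an explicit version is the usual choice for an engine the rest of the host depends on. The repository line hard-codes `jammy`; `{{ ansible_distribution_release }}` follows the host instead. The other roles in this commit use FQCNs (`ansible.builtin.service`, `ansible.posix.sysctl`), so `ansible.builtin.apt`, `ansible.builtin.apt_key` and `ansible.builtin.apt_repository` would be consistent here.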
@ -20,8 +20,10 @@
    owner: root
    group: root
    mode: '0775'
  register: openitcockpit_config
- name: Restart service httpd, in all cases
  ansible.builtin.service:
    name: openitcockpit-agent
    state: restarted
  when: openitcockpit_config.changed
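Review bot: The task name `Restart service httpd, in all cases` names neither the service (`openitcockpit-agent`) nor the condition (`when: openitcockpit_config.changed`), so the play output is misleading; `- name: Restart openitcockpit-agent when its config changed` says what happens. Restart-on-change is what handlers are for: `notify: restart openitcockpit-agent` on the config task plus a handler replaces the `register`/`when` pair and coalesces restarts if several tasks touch the agent's configuration. `mode: '0775'` leaves the registered config group-writable and executable; unless the agent needs that, `'0640'` is the tighter default — worth confirming against the agent's documentation. Which of these lines are new is not recoverable from the rendered hunk, and the enclosing task list starts before it.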
										9
								roles/21-install-wireguard/files/postup.sh
										Normal file
							@ -0,0 +1,9 @@
#!/bin/sh
ip rule add fwmark 0x4 table 42
iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4
routeExists=$(ip route show table 42 | grep '172.16.7.1')
if [ -z "$routeExists" ]; then
    ip route add default via 172.16.7.1 table 42
fi
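Review bot: Only the route insertion is guarded; `ip rule add fwmark 0x4 table 42` and the `iptables -t mangle -A PREROUTING … -j MARK` line run unconditionally, so each execution of PostUp — and wg-quick runs it on every start, including the restarts the new `reconfigure wireguard` handler triggers — stacks another identical policy rule and mangle rule. Guard both the way the route is guarded, and add `set -eu` so a failed command does not leave table 42 half configured. The route check `grep '172.16.7.1'` treats the dots as wildcards and matches any route that mentions the gateway; `grep -q 'default via 172\.16\.7\.1'` is the precise test.
```sh
#!/bin/sh
set -eu

# wg-quick runs PostUp on every start, so each step must be idempotent.
ip rule show | grep -q 'fwmark 0x4 lookup 42' \
    || ip rule add fwmark 0x4 table 42

# -C only checks for the rule; append it only when it is absent.
iptables -t mangle -C PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 \
    || iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4

if ! ip route show table 42 | grep -q 'default via 172\.16\.7\.1'; then
    ip route add default via 172.16.7.1 table 42
fi
```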
@ -1,20 +1,5 @@
---
- name: restart wireguard
- name: reconfigure wireguard
  ansible.builtin.service:
    name: "wg-quick@vpn01"
    state: "{{ item }}"
  loop:
    - stopped
    - started
  listen: "reconfigure wireguard"
- name: syncconf wireguard
  ansible.builtin.shell: |
    set -o errexit
    set -o pipefail
    set -o nounset
    systemctl is-active wg-quick@vpn01 || systemctl start wg-quick@vpn01
    wg syncconf vpn01 <(wg-quick strip /etc/wireguard/vpn01.conf)
    exit 0
  args:
    executable: "/bin/bash"
  listen: "reconfigure wireguard"
    state: restarted
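Review bot: The handler keeps the name `reconfigure wireguard` but now performs a full `state: restarted` of `wg-quick@vpn01`, which drops every peer session and re-runs the template's PostDown and PostUp on each notified change; the name should say so (`- name: restart wireguard`, with the two `notify:` entries in the tasks file updated to match) so that anyone adding a notify knows the cost. Because each restart re-executes PostUp, the script it points to must be safe to run repeatedly. The whole handlers file is visible in this hunk.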
@ -84,8 +84,18 @@
  notify:
    - reconfigure wireguard
- name: Copy PostUp Script
  ansible.builtin.copy:
    src: postup.sh
    dest: /etc/wireguard/postup.sh
    mode: 755
  tags:
    - wg-config
  notify:
    - reconfigure wireguard
- name: Start and enable WireGuard service
  ansible.builtin.service:
    name: "wg-quick@vpn01"
    state: "started"
    enabled: "yes"
    state: started
    enabled: yes
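Review bot: `mode: 755` on the new `Copy PostUp Script` task is an unquoted YAML integer, and Ansible applies integer modes as decimal: 755 decimal is 01363 octal (`-wxrw--wt`), not the intended 0755; write `mode: '0755'` (quoted, with the leading zero). The same unquoted `mode: 755` sits on the netplan config copy in the network role's second hunk, where the file is a config rather than a script, so `'0600'` is the right value there (recent netplan warns when its files are readable by others — worth confirming on the target release). `enabled: yes` works because Ansible's loader maps it, but yamllint's `truthy` rule flags it and `enabled: true` is the canonical spelling. The enclosing task list starts before this hunk.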
@ -9,7 +9,7 @@ PrivateKey = {{ wireguard_private_key }}
ListenPort = {{ wireguard_port }}
MTU = 1380
PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42
PostUp = /etc/wireguard/postup.sh
PostDown = ip route del default via 172.16.7.1 table 42
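Review bot: `PostDown` only deletes the default route from table 42, while PostUp (now `/etc/wireguard/postup.sh`) also adds the `fwmark 0x4` policy rule and the PREROUTING MARK rule; after a stop those two remain, and every stop/start cycle leaves the host with more of them. Mirror the teardown: `PostDown = /etc/wireguard/postdown.sh` with a script that runs `ip route del default via 172.16.7.1 table 42`, `ip rule del fwmark 0x4 table 42` and `iptables -t mangle -D PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4`, each tolerant of the entry already being gone. The gateway 172.16.7.1 and the 10.255.0.0/16 prefix are the only host-specific values left unparameterised next to `{{ wireguard_port }}`; templating them keeps the file portable.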