diff --git a/roles/00-ubuntu-basic/tasks/main.yml b/roles/00-ubuntu-basic/tasks/main.yml
index 043e160..3e24621 100644
--- a/roles/00-ubuntu-basic/tasks/main.yml
+++ b/roles/00-ubuntu-basic/tasks/main.yml
@@ -32,12 +32,12 @@
     key: "{{ lookup('file', 'files/'+ item + '.key.pub') }}"
   with_items: "{{ users }}"
 
-- name: Allow 'wheel' group to have passwordless sudo
+- name: Allow 'sudo' group to have passwordless sudo
   lineinfile:
     path: /etc/sudoers
     state: present
-    regexp: '^%wheel'
-    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+    regexp: '^%sudo'
+    line: '%sudo ALL=(ALL) NOPASSWD: ALL'
     validate: '/usr/sbin/visudo -cf %s'
 
 # Install basic packages for Ubuntu minimal Systems
diff --git a/roles/01-vpn-offloader-setup/tasks/main.yml b/roles/01-vpn-offloader-setup/tasks/main.yml
index c9bfac4..4655d7a 100644
--- a/roles/01-vpn-offloader-setup/tasks/main.yml
+++ b/roles/01-vpn-offloader-setup/tasks/main.yml
@@ -5,32 +5,24 @@ table: nat source: "{{ internal_network }}" jump: MASQUERADE + register: iptables -- ansible.posix.sysctl: +- name: Enable kernel panic reboots + ansible.posix.sysctl: name: kernel.panic value: '1' - sysctl_file: /etc/sysctl.conf -- ansible.posix.sysctl: +- name: Enable IPv4 forwarding + ansible.posix.sysctl: name: net.ipv4.ip_forward value: '1' sysctl_set: true - state: present - reload: true -- ansible.posix.sysctl: +- name: Enable IPv6 forwarding + ansible.posix.sysctl: name: net.ipv6.conf.all.forwarding value: '1' sysctl_set: true - state: present - reload: true - - ansible.posix.sysctl: - name: net.ipv6.conf.ens19.proxy_ndp - value: '1' - sysctl_set: true - state: present - reload: true - name: Create Routing Table 42 ansible.builtin.lineinfile: 
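Review bot: The new `regexp: '^%sudo'` also matches the `%sudo ALL=(ALL:ALL) ALL` entry that a stock Ubuntu /etc/sudoers ships with, so the task replaces the default password-protected rule with NOPASSWD for every member of the sudo group, not only the accounts the `with_items: "{{ users }}"` loop above manages; the old `%wheel` pattern matched nothing on Ubuntu, so this commit is the first time the blanket grant actually takes effect. The retained `validate:` call is good and should stay. A narrower form, keeping the same lineinfile module, is a per-user drop-in under /etc/sudoers.d scoped to the managed users, as below.
```yaml
- name: Allow managed users passwordless sudo via per-user drop-ins
  lineinfile:
    path: "/etc/sudoers.d/{{ item }}"
    create: true
    owner: root
    group: root
    mode: '0440'
    regexp: "^{{ item }} "
    line: "{{ item }} ALL=(ALL) NOPASSWD: ALL"
    validate: '/usr/sbin/visudo -cf %s'
  with_items: "{{ users }}"
```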
@@ -63,12 +55,22 @@
     owner: root
     group: root
     mode: 755
+  register: netplan_config
 
 - name: saveip6tables
   ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
+  when: iptables.changed
 
 - name: saveip4tables
   ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
+  when: iptables.changed
 
 - name: Apply Netplan
-  ansible.builtin.shell: netplan apply
\ No newline at end of file
+  ansible.builtin.shell: netplan apply
+  when: netplan_config.changed
+
+- name: Enable Proxy_NDP on interface ens19
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.ens19.proxy_ndp
+    value: '1'
+    sysctl_set: true
\ No newline at end of file
diff --git a/roles/21-docker/tasks/main.yml b/roles/21-docker/tasks/main.yml
new file mode 100644
index 0000000..f9592fa
--- /dev/null
+++ b/roles/21-docker/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- name: Install required system packages
+  apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - curl
+      - software-properties-common
+    state: latest
+    update_cache: true
+
+- name: Add Docker GPG apt Key
+  apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    state: present
+
+- name: Add Docker Repository
+  apt_repository:
+    repo: deb https://download.docker.com/linux/ubuntu jammy stable
+    state: present
+
+- name: Update apt and install docker-ce
+  apt:
+    name:
+      - docker-ce
+      - docker-compose
+    state: latest
+    update_cache: true
\ No newline at end of file
diff --git a/roles/21-install-oitc/tasks/main.yml b/roles/21-install-oitc/tasks/main.yml
index ba3dcde..c1b1a26 100644
--- a/roles/21-install-oitc/tasks/main.yml
+++ b/roles/21-install-oitc/tasks/main.yml
@@ -20,8 +20,10 @@
     owner: root
     group: root
     mode: '0775'
+  register: openitcockpit_config
 
 - name: Restart service httpd, in all cases
   ansible.builtin.service:
     name: openitcockpit-agent
     state: restarted
+  when: openitcockpit_config.changed
diff --git a/roles/21-install-wireguard/files/postup.sh b/roles/21-install-wireguard/files/postup.sh
new file mode 100644
index 0000000..71d58cf
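Review bot: `when: iptables.changed` on the saveip6tables task keys the IPv6 rule dump to the registered IPv4 `table: nat` MASQUERADE task (the `register: iptables` added in the previous hunk), so that task changing is neither necessary nor sufficient for the v6 ruleset to have changed: any ip6tables rule managed elsewhere in the role is never persisted, and the v4 dump running after a v6-only change is harmless but hides the mismatch. Either drop the condition on the v6 task or register the task that actually manages v6 rules, and use the documented test form `when: iptables is changed`. The `mode: 755` context line on the netplan file task has the same unquoted-decimal defect raised on the postup.sh copy task in roles/21-install-wireguard/tasks/main.yml; it should read `mode: '0755'`. The netplan file task that `register: netplan_config` is attached to starts outside this hunk.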
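Review bot: `apt_key` with `url:` in the Add Docker GPG apt Key task imports Docker's key into the system-wide trusted keyring, where it can validate any configured repository rather than only Docker's, and the `apt-key` mechanism it drives is deprecated on the jammy release the `repo:` line hardcodes. Fetch the key into a dedicated keyring file and bind it to the repository with `[signed-by=...]`, and take the release from `ansible_distribution_release` so the role does not silently install jammy packages on another release. Separately, `state: latest` with `update_cache: true` on the docker-ce task upgrades the engine, and thereby restarts running containers, on every run; `state: present` with a pinned version is the predictable choice. `docker-compose` in that task presumably resolves to the Ubuntu archive's v1 package rather than Docker's `docker-compose-plugin`; confirm that is intended.
```yaml
- name: Create apt keyring directory
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: '0755'

- name: Add Docker GPG apt key to a dedicated keyring
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/ubuntu/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: '0644'

- name: Add Docker Repository
  apt_repository:
    repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
    state: present
```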
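Review bot: The task name `Restart service httpd, in all cases` is now wrong on both counts: the service is openitcockpit-agent and, with the added `when: openitcockpit_config.changed`, it restarts only when the registered config task reported a change; rename it, e.g. `- name: Restart openitcockpit-agent when its config changed`. The register/when pair is the manual form of a handler; `notify:` on the config task plus a handler in handlers/main.yml would also coalesce restarts if further tasks touch the config later. The config task that `register: openitcockpit_config` is attached to starts outside this hunk.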
--- /dev/null
+++ b/roles/21-install-wireguard/files/postup.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+ip rule add fwmark 0x4 table 42
+iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4
+routeExists=$(ip route show table 42 | grep '172.16.7.1')
+
+if [ -z "$routeExists" ]; then
+    ip route add default via 172.16.7.1 table 42
+fi
diff --git a/roles/21-install-wireguard/handlers/main.yml b/roles/21-install-wireguard/handlers/main.yml
index 8552c3d..9032ac1 100644
--- a/roles/21-install-wireguard/handlers/main.yml
+++ b/roles/21-install-wireguard/handlers/main.yml
@@ -1,20 +1,5 @@
 ---
-- name: restart wireguard
+- name: reconfigure wireguard
   ansible.builtin.service:
     name: "wg-quick@vpn01"
-    state: "{{ item }}"
-  loop:
-    - stopped
-    - started
-  listen: "reconfigure wireguard"
-- name: syncconf wireguard
-  ansible.builtin.shell: |
-    set -o errexit
-    set -o pipefail
-    set -o nounset
-    systemctl is-active wg-quick@vpn01 || systemctl start wg-quick@vpn01
-    wg syncconf vpn01 <(wg-quick strip /etc/wireguard/vpn01.conf)
-    exit 0
-  args:
-    executable: "/bin/bash"
-  listen: "reconfigure wireguard"
\ No newline at end of file
+    state: restarted
\ No newline at end of file
diff --git a/roles/21-install-wireguard/tasks/main.yml b/roles/21-install-wireguard/tasks/main.yml
index 13c7757..3924653 100644
--- a/roles/21-install-wireguard/tasks/main.yml
+++ b/roles/21-install-wireguard/tasks/main.yml
@@ -84,8 +84,18 @@
   notify:
     - reconfigure wireguard
 
+- name: Copy PostUp Script
+  ansible.builtin.copy:
+    src: postup.sh
+    dest: /etc/wireguard/postup.sh
+    mode: 755
+  tags:
+    - wg-config
+  notify:
+    - reconfigure wireguard
+
 - name: Start and enable WireGuard service
   ansible.builtin.service:
     name: "wg-quick@vpn01"
-    state: "started"
-    enabled: "yes"
\ No newline at end of file
+    state: started
+    enabled: yes
\ No newline at end of file
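Review bot: Only the route in postup.sh is guarded; `ip rule add fwmark 0x4 table 42` and the `iptables -t mangle -A PREROUTING ... -j MARK --set-mark 4` line run unconditionally, and because the handler in this same commit now restarts wg-quick@vpn01 on every notification, each restart appends one more copy of the policy rule and of the mangle rule (the `PostDown` visible in wg.conf.j2 deletes only the route). Check before adding, use `iptables -C` for the mangle rule, and match the route explicitly instead of `grep '172.16.7.1'`, whose unescaped dots match any character. `set -eu` makes a failing `ip` or `iptables` call abort the PostUp rather than leave the interface half-configured. Indentation of the original `if` body is not recoverable from the collapsed diff and was assumed.
```sh
#!/bin/sh
set -eu

ip rule show | grep -q 'fwmark 0x4 lookup 42' \
    || ip rule add fwmark 0x4 table 42

iptables -t mangle -C PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 2>/dev/null \
    || iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4

ip route show table 42 | grep -q '^default via 172\.16\.7\.1 ' \
    || ip route add default via 172.16.7.1 table 42
```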
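Review bot: Replacing the `wg syncconf` handler with `state: restarted` means every notification, whether a changed peer in the template or the new postup.sh, tears down wg-quick@vpn01 and all active peer sessions, where `wg syncconf vpn01 <(wg-quick strip /etc/wireguard/vpn01.conf)` applied key and peer changes in place. If the full stop/start is wanted only so a changed PostUp script re-runs, keep a syncconf handler for template changes and reserve the restart for the postup.sh copy task. Either way, a comment above the handler stating the intended trade-off, e.g. `# Full restart on purpose: PostUp/PostDown must re-run when postup.sh changes`, would stop the next reader from reinstating syncconf without knowing why it was dropped.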
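Review bot: `mode: 755` on the Copy PostUp Script task is an unquoted decimal, which Ansible applies as the mode 0o1363 (sticky bit, owner --wx, group rw-, other -wx) rather than rwxr-xr-x; root still executes it because it bypasses DAC checks, so the misconfiguration is silent, and group-writable is not what you want on a script wg-quick runs as root. Write `mode: '0755'` (or `'0750'`); the same fix applies to the `mode: 755` context line on the netplan file task in roles/01-vpn-offloader-setup/tasks/main.yml. `enabled: yes` should be `enabled: true` to match the `sysctl_set: true` style used elsewhere in the commit.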
diff --git a/roles/21-install-wireguard/templates/wg.conf.j2 b/roles/21-install-wireguard/templates/wg.conf.j2 index 6cfcd5c..68e57e5 100644 --- a/roles/21-install-wireguard/templates/wg.conf.j2 +++ b/roles/21-install-wireguard/templates/wg.conf.j2 @@ -9,7 +9,7 @@ PrivateKey = {{ wireguard_private_key }} ListenPort = {{ wireguard_port }} MTU = 1380 -PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42 +PostUp = /etc/wireguard/postup.sh PostDown = ip route del default via 172.16.7.1 table 42