Bugfixing and tidying up some things

2023-04-16 17:35:22 +02:00 · 2023-04-16 17:35:22 +02:00 · 68d49c65b0
commit 68d49c65b0
parent 6eaacaf2a8
8 changed files with 75 additions and 39 deletions
--- a/roles/00-ubuntu-basic/tasks/main.yml
+++ b/roles/00-ubuntu-basic/tasks/main.yml
@ -32,12 +32,12 @@
    key: "{{ lookup('file', 'files/'+ item + '.key.pub') }}"
  with_items: "{{ users }}"

- name: Allow 'wheel' group to have passwordless sudo
+- name: Allow 'sudo' group to have passwordless sudo
  lineinfile:
    path: /etc/sudoers
    state: present
-    regexp: '^%wheel'
-    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+    regexp: '^%sudo'
+    line: '%sudo ALL=(ALL) NOPASSWD: ALL'
    validate: '/usr/sbin/visudo -cf %s'

 # Install basic packages for Ubuntu minimal Systems
--- a/roles/01-vpn-offloader-setup/tasks/main.yml
+++ b/roles/01-vpn-offloader-setup/tasks/main.yml
@ -5,32 +5,24 @@
    table: nat
    source: "{{ internal_network }}"
    jump: MASQUERADE
+  register: iptables

- ansible.posix.sysctl:
+- name: Enable kernel panic reboots
+  ansible.posix.sysctl:
    name: kernel.panic
    value: '1'
-    sysctl_file: /etc/sysctl.conf

- ansible.posix.sysctl:
+- name: Enable IPv4 forwarding
+  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: true
-    state: present
-    reload: true

- ansible.posix.sysctl:
+- name: Enable IPv6 forwarding
+  ansible.posix.sysctl:
    name: net.ipv6.conf.all.forwarding
    value: '1'
    sysctl_set: true
-    state: present
-    reload: true
-
- ansible.posix.sysctl:
-    name: net.ipv6.conf.ens19.proxy_ndp
-    value: '1'
-    sysctl_set: true
-    state: present
-    reload: true

 - name: Create Routing Table 42
  ansible.builtin.lineinfile:
@ -63,12 +55,22 @@
    owner: root
    group: root
    mode: 755
+  register: netplan_config

 - name: saveip6tables
  ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
+  when: iptables.changed

 - name: saveip4tables
  ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
+  when: iptables.changed
  
 - name: Apply Netplan
  ansible.builtin.shell: netplan apply
+  when: netplan_config.changed
+
+- name: Enable Proxy_NDP on interface ens19
+  ansible.posix.sysctl:
+    name: net.ipv6.conf.ens19.proxy_ndp
+    value: '1'
+    sysctl_set: true
--- a/roles/21-docker/tasks/main.yml
+++ b/roles/21-docker/tasks/main.yml
@ -0,0 +1,28 @@
+---
+- name: Install required system packages
+  apt:
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - curl
+      - software-properties-common
+    state: latest
+    update_cache: true
+
+- name: Add Docker GPG apt Key
+  apt_key:
+    url: https://download.docker.com/linux/ubuntu/gpg
+    state: present
+
+- name: Add Docker Repository
+  apt_repository:
+    repo: deb https://download.docker.com/linux/ubuntu jammy stable
+    state: present
+
+- name: Update apt and install docker-ce
+  apt:
+    name: 
+      - docker-ce
+      - docker-compose
+    state: latest
+    update_cache: true
--- a/roles/21-install-oitc/tasks/main.yml
+++ b/roles/21-install-oitc/tasks/main.yml
@ -20,8 +20,10 @@
    owner: root
    group: root
    mode: '0775'
+  register: openitcockpit_config

 - name: Restart service httpd, in all cases
  ansible.builtin.service:
    name: openitcockpit-agent
    state: restarted
+  when: openitcockpit_config.changed
--- a/roles/21-install-wireguard/files/postup.sh
+++ b/roles/21-install-wireguard/files/postup.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+
+ip rule add fwmark 0x4 table 42
+iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4
+routeExists=$(ip route show table 42 | grep '172.16.7.1')
+
+if [ -z "$routeExists" ]; then
+    ip route add default via 172.16.7.1 table 42
+fi
--- a/roles/21-install-wireguard/handlers/main.yml
+++ b/roles/21-install-wireguard/handlers/main.yml
@ -1,20 +1,5 @@
 ---
- name: restart wireguard
+- name: reconfigure wireguard
  ansible.builtin.service:
    name: "wg-quick@vpn01"
-    state: "{{ item }}"
-  loop:
-    - stopped
-    - started
-  listen: "reconfigure wireguard"
- name: syncconf wireguard
-  ansible.builtin.shell: |
-    set -o errexit
-    set -o pipefail
-    set -o nounset
-    systemctl is-active wg-quick@vpn01 || systemctl start wg-quick@vpn01
-    wg syncconf vpn01 <(wg-quick strip /etc/wireguard/vpn01.conf)
-    exit 0
-  args:
-    executable: "/bin/bash"
-  listen: "reconfigure wireguard"
+    state: restarted
--- a/roles/21-install-wireguard/tasks/main.yml
+++ b/roles/21-install-wireguard/tasks/main.yml
@ -84,8 +84,18 @@
  notify:
    - reconfigure wireguard

+- name: Copy PostUp Script
+  ansible.builtin.copy:
+    src: postup.sh
+    dest: /etc/wireguard/postup.sh
+    mode: 755
+  tags:
+    - wg-config
+  notify:
+    - reconfigure wireguard
+
 - name: Start and enable WireGuard service
  ansible.builtin.service:
    name: "wg-quick@vpn01"
-    state: "started"
-    enabled: "yes"
+    state: started
+    enabled: yes
--- a/roles/21-install-wireguard/templates/wg.conf.j2
+++ b/roles/21-install-wireguard/templates/wg.conf.j2
@ -9,7 +9,7 @@ PrivateKey = {{ wireguard_private_key }}
 ListenPort = {{ wireguard_port }}
 MTU = 1380

-PostUp = ip rule add fwmark 0x4 table 42 && iptables -t mangle -A PREROUTING -s 10.255.0.0/16 ! -d 10.0.0.0/8 -j MARK --set-mark 4 && ip route add default via 172.16.7.1 table 42
+PostUp = /etc/wireguard/postup.sh
 PostDown = ip route del default via 172.16.7.1 table 42