From 65892db2ee987e54e9940c675a731394e9618b1e Mon Sep 17 00:00:00 2001 From: "tom.chivert" Date: Thu, 26 Oct 2023 14:42:56 +0200 Subject: [PATCH 1/3] Add wiregaurd deployment with wg-easy --- README.md | 15 +++++++---- handlers/main.yml | 9 ++++++- tasks/wireguard.yml | 16 ++++++++++++ templates/compose/wireguard.yml.j2 | 41 ++++++++++++++++++++++++++++++ 4 files changed, 75 insertions(+), 6 deletions(-) create mode 100644 tasks/wireguard.yml create mode 100644 templates/compose/wireguard.yml.j2 diff --git a/README.md b/README.md index 3716a42..850770a 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ Available services - cadvisor - Redisinsight - Gitlab + - [Wireguard](https://github.com/wg-easy/wg-easy) Role variables --------------- @@ -57,6 +58,7 @@ Example variables - cadvisor - redisinsight - gitlab + - wireguard traefik_domain: 'example.com' traefik_letsencrypt_email: 'cert@example.com' @@ -66,14 +68,19 @@ Example variables redisinsight_domain: 'redisinsight.example.com' redisinsight_whitelist: - - 192.168.1.0/24 - - 31.15.24.XX - - 37.58.179.XX + - 192.168.1.0/24 + - 31.15.24.XX + - 37.58.179.XX gitlab_version: 'latest' gitlab_root_password: 'vault-this-thingy' gitlab_domain: gitlab.example.com gitlab_registry_domain: registry.example.com + + wireguard_version: 'latest' + # wg-easy webui access: + wireguard_domain: 'wg.example.com' + wireguard_password: 'please-vault-this-too' ``` TODO @@ -94,8 +101,6 @@ TODO - needs to be implemented - Promtail - needs to be implemented -- Gitlab - - needs to be implemented License ------- diff --git a/handlers/main.yml b/handlers/main.yml index 37e2fba..867a26f 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -48,9 +48,16 @@ ignore_errors: '{{ ansible_check_mode }}' tags: ['docker_gitlab'] -- name: 'gitlab-runner-restart' +- name: gitlab-runner-restart systemd: name: docker-compose@gitlab-runner state: restarted ignore_errors: '{{ ansible_check_mode }}' tags: ['docker_gitlab-runner'] + +- name: wireguard-restart + systemd: + name: docker-compose@wireguard + state: restarted + ignore_errors: '{{ ansible_check_mode }}' + tags: ['docker_wireguard'] diff --git a/tasks/wireguard.yml b/tasks/wireguard.yml new file mode 100644 index 0000000..a665025 --- /dev/null +++ b/tasks/wireguard.yml @@ -0,0 +1,16 @@ +--- +- name: wireguard | check vars are defined + assert: + that: + - wireguard_domain is defined + tags: ['docker_wireguard'] + +- include_tasks: base.yml + tags: ['docker_wireguard'] + +- name: 'wireguard | create docker volumes' + docker_volume: + name: '{{ item }}' + with_items: + - 'wireguard__etc_wireguard' + tags: ['docker_wireguard'] diff --git a/templates/compose/wireguard.yml.j2 b/templates/compose/wireguard.yml.j2 new file mode 100644 index 0000000..86237d3 --- /dev/null +++ b/templates/compose/wireguard.yml.j2 
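Review bot: The assert in `wireguard | check vars are defined` only requires `wireguard_domain`, yet the compose template rendered later in this series uses `wireguard_password` unconditionally as the container's PASSWORD value, so a missing password surfaces as an undefined-variable failure in the template step instead of at this guard, and an empty one is not caught at all. Add `- wireguard_password is defined` and `- wireguard_password | length > 0` to the `that` list so the play stops here with a clear message. Whether wg-easy leaves its web UI unauthenticated when PASSWORD is empty is not visible from the patch, which is a further reason to refuse an empty value up front.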
@@ -0,0 +1,41 @@ +version: '3.7' + +networks: + traefik: + external: true + +volumes: + wireguard__etc_wireguard: + external: true + +services: + wireguard: + container_name: wireguard + image: weejewel/wg-easy:{{ wireguard_version | default("latest") }} + restart: unless-stopped + ports: + - "51820:51820/udp" + volumes: + - 'wireguard__etc_wireguard:/etc/wireguard' + cap_add: + - NET_ADMIN + - SYS_MODULE + sysctls: + - net.ipv4.conf.all.src_valid_mark=1 + - net.ipv4.ip_forward=1 + environment: + - WG_HOST={{ wireguard_domain }} + - PASSWORD={{ wireguard_password }} + labels: + traefik.enable: true + traefik.docker.network: traefik + traefik.http.routers.wireguard.rule: Host(`{{ wireguard_domain }}`) + traefik.http.routers.wireguard.tls: true + traefik.http.routers.wireguard.tls.certresolver: letsencrypt + traefik.http.routers.wireguard.entrypoints: websecure +{% if traefik_ipwhitelist is defined %} + traefik.http.routers.wireguard.middlewares: "clientips@docker" +{% endif %} + traefik.http.services.wireguard.loadbalancer.server.port: 51821 + networks: + - traefik -- 2.47.1 From ffd6b8380b6b9621308b89ee19fb7ea97c472a1f Mon Sep 17 00:00:00 2001 From: "tom.chivert" Date: Thu, 26 Oct 2023 18:16:30 +0200 Subject: [PATCH 2/3] Add a wireguard_port variable --- templates/compose/wireguard.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/compose/wireguard.yml.j2 b/templates/compose/wireguard.yml.j2 index 86237d3..97fcbb0 100644 --- a/templates/compose/wireguard.yml.j2 +++ b/templates/compose/wireguard.yml.j2 @@ -14,7 +14,7 @@ services: image: weejewel/wg-easy:{{ wireguard_version | default("latest") }} restart: unless-stopped ports: - - "51820:51820/udp" + - "{{ wireguard_port | default("51820") }}:51820/udp" volumes: - 'wireguard__etc_wireguard:/etc/wireguard' cap_add: -- 2.47.1 From 1c5962ec78c7df25efdc16b5be5b8accc64d8b92 Mon Sep 17 00:00:00 2001 
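Review bot: `cap_add` grants `SYS_MODULE`, which lets a process inside the container load arbitrary kernel modules and is effectively host-root if the container is ever compromised; unlike NET_ADMIN it is not needed for WireGuard itself once the `wireguard` module is loaded on the host. Consider loading the module host-side (a `modprobe` task in tasks/wireguard.yml) and dropping `SYS_MODULE`, or at minimum annotate the line with `# SYS_MODULE only needed when the host kernel has not loaded the wireguard module; prefer loading it host-side`. Separately, `- WG_HOST={{ wireguard_domain }}` and `- PASSWORD={{ wireguard_password }}` are rendered as plain scalars, so a password containing `: ` or ` #` silently corrupts the compose file; rendering the whole item through `to_json`, e.g. `- {{ ('PASSWORD=' ~ wireguard_password) | to_json }}`, yields a correctly escaped double-quoted string. The `traefik.enable: true` and `traefik.http.routers.wireguard.tls: true` labels are YAML booleans where the compose label schema expects strings, numbers or null, so older docker-compose releases may reject them; quoting them as `"true"` is portable across versions.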
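Review bot: The new `wireguard_port` variable is not documented in the README's example variables, which patch 1 of this series otherwise keeps in step with the role; add a line such as `wireguard_port: '51820'` next to `wireguard_version` there. Functionally only the host-side port mapping is parameterized: wg-easy is believed to read a WG_PORT environment variable for the endpoint port it writes into generated client configurations, so publishing a different host port without also setting `WG_PORT={{ wireguard_port | default("51820") }}` under `environment` would likely hand clients the default port — confirm against the wg-easy documentation. The nested double quotes in `default("51820")` are harmless because Jinja consumes them before YAML parses the rendered line, but `default('51820')` reads less ambiguously inside a double-quoted YAML scalar.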
From: "tom.chivert" Date: Thu, 26 Oct 2023 18:17:33 +0200 Subject: [PATCH 3/3] Remove a weird character --- templates/compose/wireguard.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/compose/wireguard.yml.j2 b/templates/compose/wireguard.yml.j2 index 97fcbb0..59f58c2 100644 --- a/templates/compose/wireguard.yml.j2 +++ b/templates/compose/wireguard.yml.j2 @@ -14,7 +14,7 @@ services: image: weejewel/wg-easy:{{ wireguard_version | default("latest") }} restart: unless-stopped ports: - - "{{ wireguard_port | default("51820") }}:51820/udp" + - "{{ wireguard_port | default("51820") }}:51820/udp" volumes: - 'wireguard__etc_wireguard:/etc/wireguard' cap_add: -- 2.47.1