add wireguard credentials

ansible/Makefile

@@ -0,0 +1,46 @@
+hosts = $(wildcard host_vars/*.yml)
+
+logs = $(patsubst host_vars/%.yml, logs/%.json, $(hosts) )
+
+playbooks = $(wildcard playbooks/*.yml)
+plays = $(patsubst playbooks/%.yml, %, $(playbooks) )
+
+defaults += $(wildcard logs/*)
+
+###### Recipes ######
+
+.PHONY: help
+help: ## Print the help message.
+	@awk 'BEGIN {FS = ":.*?## "} /^[0-9a-zA-Z._-]+:.*?## / {printf "\033[36m%s\033[0m : %s\n", $$1, $$2}' $(MAKEFILE_LIST) | \
+		column -s ':' -t
+
+.PHONY: lint
+lint: $(playbooks) | .ansible/ ## Check syntax and lint all playbooks
+	ansible-playbook --syntax-check $^
+	ansible-lint $^
+
+.PHONY: records
+records: $(logs) ## Current info on each host
+
+$(logs): logs/%.json: | logs/
+	ansible -m setup $(basename $(@F) ) > $@
+
+-include logs/play.mk
+
+make_play = printf '.PHONY: %s\n%s: %s \#\# %s\n\n' '$(notdir $(basename $1) )' '$(notdir $(basename $1) )' '$1' '$(shell grep -m1 -oP 'name: \K.*' $1)'
+
+logs/play.mk: playbooks/*.yml
+	@$(RM) $@
+	@$(foreach book, $^, \
+		$(call make_play, $(book), $@ )  >> $@ ; \
+		printf '\t%s\n\n' 'ansible-playbook $(book)' >> $@ ; \
+	)
+
+%/:
+	mkdir $@
+	echo '*' > $@.gitignore
+
+.PHONY: clean
+clean: ## Remove generated files.
+	$(RM) $(defaults)
+

ansible/ansible.cfg

@@ -0,0 +1,7 @@
+[defaults]
+inventory      = hosts.yaml
+local_tmp      = .ansible
+cow_selection  = random
+vault_password_file = pass.sh
+interpreter_python = auto_silent
+

ansible/files/wireguard/server_private_key

@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+39653235613163636362653036663563383839313836643563323462616163353364323862313039
+6564656661323039393563636133303132626663366233390a343535383963353763383364376438
+36306435396461393132653161393238623562393465356166343764336661376434333335643863
+3865373732363761620a613236613963396638613831326332386530326239373062333933646239
+39313336383366636133646336653236303261346238306336663564373063383634313361356335
+6334353863363931643338663833333065343435333231623466

ansible/files/wireguard/server_public_key

@@ -0,0 +1 @@
+GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=

ansible/host_vars/nimbus.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+37363765623839666637633861353139353935323364343538356536653561373266336161353937
+3466653434666163313936393366613666393863616262320a643930663038326666653064613062
+62613661396538363539643938323033663932326362626335333438653865623038336136623030
+3735366564366431330a373061393766346631643434383364646431346231356466663737626435
+64303835343237383761633939643431333439643933636139666163393637363430633261633736
+34626631366163616439366534393031353063363138356638323634313430666330613833386661
+61346365313534353535633365626364303565363565353765353833363065343232633866633132
+63643930633266653765

ansible/hosts.yaml

@@ -0,0 +1,16 @@
+all:
+  vars:
+    username: dmz
+    locale: Europe/Belgrade
+    libc_locale: en_GB.UTF-8 UTF-8
+    var_locale: LANG=en_GB.UTF-8
+
+ungrouped:
+  hosts:
+    nimbus:
+cloud:
+  hosts:
+    nimbus:
+arch:
+  hosts:
+    nimbus:

ansible/pass.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+pass dmz/xecut/dmz_ansible

ansible/playbooks/wireguard.yml

@@ -0,0 +1,106 @@
+---
+- name: Install Wireguard on Server
+  hosts: nimbus
+  become: true
+
+  tasks:
+    - name: Install wireguard tools and dig
+      ansible.builtin.package:
+        name:
+          - wireguard-tools
+          - bind
+
+    - name: Copy keys to server
+      ansible.builtin.copy:
+        src: wireguard/
+        dest: /etc/wireguard/server_public_key
+
+    - name: Remember the public key
+      ansible.builtin.command: cat /etc/wireguard/server_public_key
+      register: wireguard_public_key
+
+    - name: Get server public IP
+      ansible.builtin.command: dig +short myip.opendns.com @resolver1.opendns.com
+      register: wireguard_public_ip
+
+    - name: Allow ipv4 forwarding
+      ansible.builtin.lineinfile:
+        path: /etc/sysctl.d/wg.conf
+        line: net.ipv4.ip_forward=1
+        create: yes
+
+    - name: Start the wireguard service
+      ansible.builtin.service:
+        name: wg-quick@wg0
+        enabled: yes
+
+- name: Install Wireguard on Host
+  hosts: localhost
+  become: true
+
+  tasks:
+    - name: Install wireguard tools
+      ansible.builtin.package:
+        name:
+          - wireguard-tools
+
+    - name: Create private key
+      ansible.builtin.shell:
+        chdir: /etc/wireguard/
+        creates: /etc/wireguard/dmz_public_key
+        cmd: "wg genkey | tee dmz_private_key | wg pubkey > dmz_public_key"
+
+    - name: Remember the public key
+      ansible.builtin.command: cat /etc/wireguard/dmz_public_key
+      register: client_public_key
+
+- name: Generate Server Config
+  hosts: nimbus
+  become: true
+
+  tasks:
+
+    - name: Create wg0 configuration
+      ansible.builtin.shell:
+        chdir: /etc/wireguard/
+        creates: /etc/wireguard/wg0.conf
+        cmd: |
+          echo "
+          [Interface]
+          Address = 10.0.0.1/24
+          SaveConfig = true
+          PrivateKey = $(cat server_private_key)
+          ListenPort = 51900
+          
+          PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+          PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+          
+          [Peer]
+          PublicKey = {{ hostvars['localhost']['client_public_key']['stdout'] }}
+          AllowedIPs = 10.0.0.2/32
+          " > /etc/wireguard/wg0.conf
+
+
+- name: Generate Client Config
+  hosts: localhost
+  become: true
+
+  tasks:
+
+    - name: Create wg0 client configuration
+      ansible.builtin.shell:
+        chdir: /etc/wireguard/
+        creates: /etc/wireguard/wg0-client.conf
+        cmd: |
+          echo "
+          [Interface]
+          Address = 10.0.0.2/32
+          PrivateKey = $(cat dmz_private_key)
+          DNS = 9.9.9.9
+
+          [Peer]
+          PublicKey = {{ hostvars['nimbus']['wireguard_public_key']['stdout'] }}
+          Endpoint = space.xecut.me:51900
+          AllowedIPs = 10.0.0.1/32
+          " > /etc/wireguard/wg0-client.conf
+

ansible/templates/wireguard/wg0.conf

@@ -0,0 +1,14 @@
+
+[Interface]
+Address = 10.0.0.1/24
+SaveConfig = true
+PrivateKey = {{ wg_private_key }}
+ListenPort = 51900
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ wg_public_key }}
+AllowedIPs = 10.0.0.2/32
+

network.rec

@@ -5,6 +5,10 @@ name: ISP Router
 location: kralizec
 ISP: Orion
 
+name: ISP Router
+location: krov
+ISP: Yettel
+
 %rec: host
 %doc: These are the real machines, most of which run VMs or containters.
 %key: name
@@ -13,10 +17,8 @@ name: moxx
 location: kralizec
 local_access: 192.168.1.200:8006
 
-name: nimbus
-location: xecut
-description: raspberry pi
-os: Arch Linux Aarm
+name: Serverko
+location: krov
 
 %rec: lxc
 %doc: A container, usually on a Proxmox host.
@@ -88,3 +90,4 @@ host: Serverko
 
 name: tor12
 host: nginx
+

sumadija/sumadijamoxx/README.md

@@ -1,29 +0,0 @@
-# List of containers
-
-## sumadijamoxx
-
-ip is the same as a container ID
-example
-101 ssh12  -> 192.168.7.101
-
-VMID Name  
-101  ssh12  
-102  nginxproxymanager12  
-103  searxng12  
-104  homepage12  
-105  privatebin13  
-106  librespeed-rust12
-107  tor13
-200  wireguard12
-
-
-##### Legend
-
-12 -> debian 12
-13 -> debian 13
-
-## Forwareded ports
-
-192.168.7.243:443 -> 80
-192.168.7.101:22 -> 22
-

sumadija/sumadijamoxx/nginxproxymanager12/README.md

@@ -1,9 +0,0 @@
----
-VMID: 102
----
-
-NgniX proxy manager built with [script](https://community-scripts.github.io/ProxmoxVE/scripts?id=nginxproxymanager)
-
-Forwarded to port 80
-
-

sumadija/sumadijamoxx/pastebin13/README.md

@@ -1,7 +0,0 @@
----
-VMID: 105
----
-
-PrivateBin instance built with [script](https://community-scripts.github.io/ProxmoxVE/scripts?id=privatebin)
-
-Not yet public/forwarded

sumadija/sumadijamoxx/router/README.md

@@ -1,3 +0,0 @@
-TP Link (hopefully openWRT in future)
-
-Router is inside the existing network for further forwarding, contact coja (best on xmpp)

sumadija/sumadijamoxx/searxng12/README.md

@@ -1,8 +0,0 @@
----
-VMID: 102
----
-
-SearXNG instance built with [script](https://community-scripts.github.io/ProxmoxVE/scripts?id=searxng)
-
-
-Not yet public/forwarded

sumadija/sumadijamoxx/ssh12/README.md

@@ -1,9 +0,0 @@
----
-VMID: 101
----
-
-SSH port from this container should be forwarded to sumadija.dmz.rs
-SSH access to other containers is done through this one with ssh jump, passwords are disabled, so only keys verification is used. 
-
-[wiki page](https://wiki.dmz.rs/en/sysadmin/ssh)
-

sumadija/sumadijamoxx/tor13/README.md

@@ -1,9 +0,0 @@
----
-VMID: 107
----
-
-In this container hosts the tor onion service, used for remote access to the proxmox, through tor. Credentatials are in the password manager
-
-
-ssh12 -> port 22
-smoxx -> 8006

sumadija/sumadijamoxx/wireguard12/README.md

@@ -1,5 +0,0 @@
----
-VMID: 200
----
-
-Wireguard server for VPN access to sumadija network