From 670ad78d443f410acb2cc5128842304b14345a77 Mon Sep 17 00:00:00 2001
From: Jake Howard <git@theorangeone.net>
Date: Tue, 23 Apr 2024 22:19:57 +0100
Subject: [PATCH] Add wireguard config for glinet router

---
 ansible/main.yml                           |  1 +
 ansible/roles/glinet_vpn/files/client.conf | 10 +++++++
 ansible/roles/glinet_vpn/files/server.conf | 14 +++++++++
 ansible/roles/glinet_vpn/handlers/main.yml |  5 ++++
 ansible/roles/glinet_vpn/tasks/main.yml    | 34 ++++++++++++++++++++++
 ansible/roles/glinet_vpn/vars/main.yml     |  8 +++++
 ansible/roles/glinet_vpn/vars/vault.yml    | 19 ++++++++++++
 terraform/casey_vps.tf                     |  9 ------
 8 files changed, 91 insertions(+), 9 deletions(-)
 create mode 100644 ansible/roles/glinet_vpn/files/client.conf
 create mode 100644 ansible/roles/glinet_vpn/files/server.conf
 create mode 100644 ansible/roles/glinet_vpn/handlers/main.yml
 create mode 100644 ansible/roles/glinet_vpn/tasks/main.yml
 create mode 100644 ansible/roles/glinet_vpn/vars/main.yml
 create mode 100644 ansible/roles/glinet_vpn/vars/vault.yml

diff --git a/ansible/main.yml b/ansible/main.yml
index c73c4f9..2879a38 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -17,6 +17,7 @@
     - fail2ban_ssh
     - restic
     - artis3n.tailscale
+    - glinet_vpn
 
 - hosts:
     - pve
diff --git a/ansible/roles/glinet_vpn/files/client.conf b/ansible/roles/glinet_vpn/files/client.conf
new file mode 100644
index 0000000..2d6b9aa
--- /dev/null
+++ b/ansible/roles/glinet_vpn/files/client.conf
@@ -0,0 +1,10 @@
+[Interface]
+Address = {{ client_cidr }}
+PrivateKey = {{ client_private_key }}
+
+[Peer]
+PublicKey = {{ server_public_key }}
+Endpoint = {{ server_public_ip }}:53
+AllowedIPs = 0.0.0.0/0 ::/0
+
+PersistentKeepalive = 25
diff --git a/ansible/roles/glinet_vpn/files/server.conf b/ansible/roles/glinet_vpn/files/server.conf
new file mode 100644
index 0000000..2ecd4bc
--- /dev/null
+++ b/ansible/roles/glinet_vpn/files/server.conf
@@ -0,0 +1,14 @@
+[Interface]
+Address = {{ server_ip }}
+PrivateKey = {{ server_private_key }}
+ListenPort = 53
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ client_public_key }}
+AllowedIPs = {{ client_cidr }}
diff --git a/ansible/roles/glinet_vpn/handlers/main.yml b/ansible/roles/glinet_vpn/handlers/main.yml
new file mode 100644
index 0000000..271a823
--- /dev/null
+++ b/ansible/roles/glinet_vpn/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: restart wireguard
+  service:
+    name: wg-quick@glinet
+    state: restarted
+  become: true
diff --git a/ansible/roles/glinet_vpn/tasks/main.yml b/ansible/roles/glinet_vpn/tasks/main.yml
new file mode 100644
index 0000000..84c3bda
--- /dev/null
+++ b/ansible/roles/glinet_vpn/tasks/main.yml
@@ -0,0 +1,34 @@
+- name: Include vault
+  include_vars: vault.yml
+
+- name: Install wireguard tools
+  package:
+    name: "{{ item }}"
+  become: true
+  loop:
+    - wireguard-tools
+    - qrencode
+
+- name: Wireguard server config
+  template:
+    src: files/server.conf
+    dest: /etc/wireguard/glinet.conf
+    mode: "0600"
+    backup: true
+  become: true
+  notify: restart wireguard
+
+- name: Wireguard client config
+  template:
+    src: files/client.conf
+    dest: "{{ me.home }}/glinet-vpn.conf"
+    mode: "0600"
+    owner: "{{ me.user }}"
+  become: true
+  notify: restart wireguard
+
+- name: Enable wireguard
+  service:
+    name: wg-quick@glinet
+    enabled: true
+  become: true
diff --git a/ansible/roles/glinet_vpn/vars/main.yml b/ansible/roles/glinet_vpn/vars/main.yml
new file mode 100644
index 0000000..c3a2553
--- /dev/null
+++ b/ansible/roles/glinet_vpn/vars/main.yml
@@ -0,0 +1,8 @@
+client_public_key: "{{ vault_client_public_key }}"
+client_private_key: "{{ vault_client_private_key }}"
+client_cidr: 10.23.4.2/24
+
+server_public_key: "{{ vault_server_public_key }}"
+server_private_key: "{{ vault_server_private_key }}"
+server_public_ip: "{{ ansible_default_ipv4.address }}"
+server_ip: 10.23.4.1
diff --git a/ansible/roles/glinet_vpn/vars/vault.yml b/ansible/roles/glinet_vpn/vars/vault.yml
new file mode 100644
index 0000000..c6d44cd
--- /dev/null
+++ b/ansible/roles/glinet_vpn/vars/vault.yml
@@ -0,0 +1,19 @@
+$ANSIBLE_VAULT;1.1;AES256
+35366163656631633636333937333238346539653236323463316333356637623263326436623130
+3333616234643935306337386165623734333265663237610a326538636532643835373137316333
+30363133343035353235616639613637353435303863393130396261623063633836383430326530
+3634313639353264310a393266313230646132656561393737363834646566313765633235343139
+36303834353039303134393061386634373735316135656564386464363863376265633239313037
+62616535313239353233376163343437303933346264323266386533336138656135663664356164
+65643262303436343164613133333361393438616234616566336131636461383538326130623264
+62313134386430636665646539306661383039323339373838346164653836326536386332616634
+34313331623166356137363131356130623863313339663938386138643538323666616239656662
+36313534323237306631663931633830346565616139313864333762356330643131343630653535
+62323939376163363436336633386433323435316535623462353138386430333332653966383262
+33636534346466326631333362343638616332633163623533613364326665376565643739666261
+34646533613133313034366636623134613336623134356562393335313337336336623634336633
+66623365353866396564386536386330353537383866616665373762306530356333643265326537
+38353138626331623433643636623130613766616638343034633536306232316133303133356463
+36616665643264396137336234316466306238303461363531653461623834376361653334326235
+31366530636565383062313562663639393534373737363465656538393266363936333136636161
+3239303565613865633433313237393932306632633633373261
diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf
index cdcf20f..67fb02f 100644
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@@ -101,15 +101,6 @@ resource "linode_firewall" "casey" {
     ipv4     = ["0.0.0.0/0"]
     ipv6     = ["::/0"]
   }
-
-  inbound {
-    label    = "allow-inbound-tailscale"
-    action   = "ACCEPT"
-    protocol = "UDP"
-    ports    = "41641"
-    ipv4     = ["0.0.0.0/0"]
-    ipv6     = ["::/0"]
-  }
 }
 
 resource "linode_rdns" "casey_reverse_ipv4" {