From 78fa36f20a163f5bb570520e26581c3af8206c73 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Fri, 17 Jan 2020 22:31:50 +0000
Subject: [PATCH] Move variables to 1 place

Much easier to manage
---
 ansible/group_vars/all/haproxy.yml | 12 +++++++
 ansible/group_vars/all/hosts.yml | 2 ++
 ansible/group_vars/all/wireguard.yml | 40 +++++++++++++++++++++
 ansible/roles/gateway/files/haproxy.cfg | 10 +++---
 ansible/roles/gateway/files/wireguard.conf | 14 ++++----
 ansible/roles/gateway/tasks/haproxy.yml | 42 ++++++++++------------
 ansible/roles/gateway/tasks/main.yml | 4 ---
 ansible/roles/gateway/tasks/wireguard.yml | 2 +-
 ansible/roles/gateway/vars/gateway.yml | 11 ------
 ansible/roles/ssh-bastion/tasks/main.yml | 2 ++
 ansible/vars/wireguard.yml | 26 --------------
 11 files changed, 89 insertions(+), 76 deletions(-)
 create mode 100644 ansible/group_vars/all/haproxy.yml
 create mode 100644 ansible/group_vars/all/hosts.yml
 create mode 100644 ansible/group_vars/all/wireguard.yml
 delete mode 100644 ansible/roles/gateway/vars/gateway.yml
 delete mode 100644 ansible/vars/wireguard.yml

diff --git a/ansible/group_vars/all/haproxy.yml b/ansible/group_vars/all/haproxy.yml
new file mode 100644
index 0000000..d248b04
--- /dev/null
+++ b/ansible/group_vars/all/haproxy.yml
@@ -0,0 +1,12 @@
+haproxy:
+ stats_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 61356632383432353833616431393962613037646634656133316135363465313962663061633830
+ 6564343466343965363233623138383961653733343834340a653563393039333764613131653735
+ 30636333633137636664396566623831653831646562323232656233366563656464326333336339
+ 3266363638356436370a323566326637356366373063643163613833636531373032313532336663
+ 61633261633665626364343763313361656661393466373932363165306263303937306136303937
+ 36626534393139353135383035383934633136363730643132333037393839373337396430333535
+ 39386139353935663635346561616332356534373532643765646366373563323035306466626266
+ 37303535663465363637653237343365333434663230356534316530376164306132613466303738
+ 37666163616666626334363538343933313466313433353033613766653634646239
diff --git a/ansible/group_vars/all/hosts.yml b/ansible/group_vars/all/hosts.yml
new file mode 100644
index 0000000..aa21c63
--- /dev/null
+++ b/ansible/group_vars/all/hosts.yml
@@ -0,0 +1,2 @@
+hosts:
+ casey_ip: 108.61.221.88
diff --git a/ansible/group_vars/all/wireguard.yml b/ansible/group_vars/all/wireguard.yml
new file mode 100644
index 0000000..9021f08
--- /dev/null
+++ b/ansible/group_vars/all/wireguard.yml
@@ -0,0 +1,40 @@
+wireguard:
+ public_ip: "{{ hosts.casey_ip }}"
+ port: 51820
+ server:
+ ip: "10.23.0.1"
+ public_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 38663861323433663733306266313862383538613562616531656262616665393130626564666539
+ 6636666561663137623166383432396163653835346335650a616139306431363934383031353161
+ 63656233623963316238663366613237613165663238343937313062616565333038326664373463
+ 6463623861656362350a636564363163353736613032386533613163333039336637356433633037
+ 66663563666263613737336235316565663337636339613933343939323563393034353431343932
+ 6339386262333134373465616637613534333839333265613563
+ private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 39333362373534343265623337353037343238623365633863373333323166646562326234336633
+ 3265653136326337306439623331393733346237326630340a346466316562643432656330313764
+ 64303535663736356561623636366261343830366561343463653561343337353034626533306634
+ 3334323935303734660a373961303535646336663637346137316337383132346665366336353139
+ 34313137366239323361386136396666646362306538616661643164383166326335666638336230
+ 6432363064313239656338356630626235336239356662326362
+ clients:
+ intersect:
+ ip: "10.23.0.2"
+ public_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36376136643534323433666161366363646630393165326264633266383535396362613461326631
+ 3837323462643738633261666638306264666237313634350a363339396464373735366437346666
+ 34393334626338653139653664656532343666376265343331613832646437643364643734383930
+ 3139333464396561650a323164393361393261373135333834663961626337636662663433613339
+ 31393961616535633763623839373463316336643835323762373837336366376232663333646532
+ 6131636532623734633964393338626134616466613032306364
+ private_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 32346134373364616630633466636666343261393338636534396465613361666639333433646461
+ 3063373061313836303331613438303839333763393264610a636165616665383137643132383064
+ 66383638636638346539303638653765623438616663636639333663326463306134343862646437
+ 3334636537393863340a383665623363343761633438343838393562653335303437306139373035
+ 31366135353861313064343562353163326238373630346631613734303732666235613332653431
+ 3866663137353330666539373861633836303839386331363366
diff --git a/ansible/roles/gateway/files/haproxy.cfg b/ansible/roles/gateway/files/haproxy.cfg
index a7b4c73..a5781c2 100644
--- a/ansible/roles/gateway/files/haproxy.cfg
+++ b/ansible/roles/gateway/files/haproxy.cfg
@@ -40,23 +40,23 @@ defaults
 listen https
 bind *:443
 mode tcp
- server default {{ wireguard.intersect_ip }}:443 check send-proxy
+ server default {{ wireguard.intersect.ip }}:443 check send-proxy
 listen http
 bind *:80
 stats enable
 stats show-node
 stats uri /haproxy
- stats auth stats:{{ haproxy_stats_pass }}
- server default {{ wireguard.intersect_ip }}:80 check
+ stats auth stats:{{ haproxy.stats_pass }}
+ server default {{ wireguard.intersect.ip }}:80 check
 listen matrix
 bind *:8448
 mode tcp
- server default {{ wireguard.intersect_ip }}:8448 check
+ server default {{ wireguard.clients.intersect.ip }}:8448 check
 listen gitea
 bind *:3022
 mode tcp
- server default {{ wireguard.intersect_ip }}:3022 check
+ server default {{ wireguard.clients.intersect.ip }}:3022 check
diff --git a/ansible/roles/gateway/files/wireguard.conf b/ansible/roles/gateway/files/wireguard.conf
index 4cd3c56..6506a1f 100644
--- a/ansible/roles/gateway/files/wireguard.conf
+++ b/ansible/roles/gateway/files/wireguard.conf
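Review bot: `clients.intersect.private_key` and `server.private_key` are placed in `group_vars/all/wireguard.yml`, so every host in the inventory receives both private keys in its variable set, while the gateway template in `files/wireguard.conf` only consumes `wireguard.server.private_key` and each client's `config.public_key`. Vault encryption protects the file at rest, but the values are decrypted for any play that runs against any host, and a client's private key should be known only to that client. Consider keeping `ip`, `public_key` and `port` in `group_vars/all` and moving each `private_key` into the `host_vars` of the host that owns it; the gateway role keeps working unchanged because `wireguard.server.private_key` can be supplied from the gateway's own `host_vars`.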
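Review bot: The `https` and `http` backends now reference `{{ wireguard.intersect.ip }}`, but the new `group_vars/all/wireguard.yml` defines the address only at `wireguard.clients.intersect.ip`, which is the path the `matrix` and `gitea` backends use; there is no top-level `wireguard.intersect` key, so rendering the template fails on an undefined variable before the `validate:` step can run. Change the two lines to `server default {{ wireguard.clients.intersect.ip }}:443 check send-proxy` and `server default {{ wireguard.clients.intersect.ip }}:80 check` so all four backends agree with the variable layout.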
@@ -1,9 +1,11 @@
 [Interface]
-Address = {{ wireguard.server_ip }}
-PrivateKey = {{ wireguard.server_private_key }}
-ListenPort = {{ wireguard.server_port }}
+Address = {{ wireguard.server.ip }}
+PrivateKey = {{ wireguard.server.private_key }}
+ListenPort = {{ wireguard.port }}
+{% for name, config in wireguard.clients.items() %}
 [Peer]
-# intersect
-PublicKey = {{ wireguard.intersect_public_key }}
-AllowedIPs = {{ wireguard.intersect_ip }}/32
+# {{ name }}
+PublicKey = {{ config.public_key }}
+AllowedIPs = {{ config.ip }}/32
+{% endfor %}
diff --git a/ansible/roles/gateway/tasks/haproxy.yml b/ansible/roles/gateway/tasks/haproxy.yml
index be9269e..c3854a5 100644
--- a/ansible/roles/gateway/tasks/haproxy.yml
+++ b/ansible/roles/gateway/tasks/haproxy.yml
@@ -1,25 +1,21 @@
-- name: Install Haproxy
- apt:
- name: haproxy
- become: true
- become_user: root
+# - name: Install Haproxy
+# apt:
+# name: haproxy
+# become: true
+# become_user: root
-- name: Import vault
- include_vars:
- file: vars/gateway.yml
+# - name: Haproxy config
+# template:
+# src: files/haproxy.cfg
+# dest: /etc/haproxy/haproxy.cfg
+# validate: /usr/sbin/haproxy -c -- %s
+# backup: yes
+# become: true
+# become_user: root
+# register: haproxy_config
-- name: Haproxy config
- template:
- src: files/haproxy.cfg
- dest: /etc/haproxy/haproxy.cfg
- validate: /usr/sbin/haproxy -c -- %s
- backup: yes
- become: true
- become_user: root
- register: haproxy_config
-
-- name: Restart Haproxy
- service:
- name: haproxy
- state: reloaded
- when: haproxy_config.changed
+# - name: Restart Haproxy
+# service:
+# name: haproxy
+# state: reloaded
+# when: haproxy_config.changed
diff --git a/ansible/roles/gateway/tasks/main.yml b/ansible/roles/gateway/tasks/main.yml
index a81573e..65b7421 100644
--- a/ansible/roles/gateway/tasks/main.yml
+++ b/ansible/roles/gateway/tasks/main.yml
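Review bot: The rendered file now carries `PrivateKey = {{ wireguard.server.private_key }}` in clear text on the gateway, and the task that writes it is not part of this diff, so I cannot see its permissions; please confirm that task sets `mode: '0600'` (and `owner: root`) so the key is not world-readable, and that `backup:` is not enabled on it, since a backup copy would keep an old private key on disk. A one-line comment at the top of the template, `# Rendered with server private key; the writing task must keep this file 0600`, would make the requirement visible to the next editor.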
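Review bot: Every task in `tasks/haproxy.yml` is now commented out — the install, the templated config with its `validate: /usr/sbin/haproxy -c -- %s` check, and the reload — while `tasks/main.yml` still includes the file, so `Configure HAproxy` becomes a no-op and the renamed variables in `files/haproxy.cfg` are neither rendered nor validated. The commit message ("Move variables to 1 place") does not mention disabling HAProxy management, and the only change this file needed for that purpose was dropping the `Import vault` task. Either restore the three tasks uncommented (without `include_vars`), or remove the file and its `include: haproxy.yml` line; if the disable is deliberately temporary, a `# TODO: re-enable once <reason> is resolved` at the top would at least record why.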
@@ -1,7 +1,3 @@
-- name: Import wireguard variables
- include_vars:
- file: vars/wireguard.yml
-
 - name: Configure HAproxy
 include: haproxy.yml
diff --git a/ansible/roles/gateway/tasks/wireguard.yml b/ansible/roles/gateway/tasks/wireguard.yml
index a34a3b2..450698e 100644
--- a/ansible/roles/gateway/tasks/wireguard.yml
+++ b/ansible/roles/gateway/tasks/wireguard.yml
@@ -42,7 +42,7 @@
 - name: Enable wireguard
 service:
 name: wg-quick@wg0
- state: reloaded
+ state: restarted
 enabled: true
 when: wireguard_conf.changed
 become: true
diff --git a/ansible/roles/gateway/vars/gateway.yml b/ansible/roles/gateway/vars/gateway.yml
deleted file mode 100644
index 701b541..0000000
--- a/ansible/roles/gateway/vars/gateway.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-33643130633631366239623166623161626335633438656130386638333764363531313238306339
-6438323233313136633065623933613463613065336639330a373365366566303164303232386362
-36333333396163343135383336653261343464323638373836623530323031353035653431363736
-6162333162653938640a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
diff --git a/ansible/roles/ssh-bastion/tasks/main.yml b/ansible/roles/ssh-bastion/tasks/main.yml
index 81e06dd..5fb1b7a 100644
--- a/ansible/roles/ssh-bastion/tasks/main.yml
+++ b/ansible/roles/ssh-bastion/tasks/main.yml
@@ -24,3 +24,5 @@
 name: sshd
 state: reloaded
 when: sshd_config.changed
+ become: true
+ become_user: root
diff --git a/ansible/vars/wireguard.yml b/ansible/vars/wireguard.yml
deleted file mode 100644
index a84d8ef..0000000
--- a/ansible/vars/wireguard.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-32306163623065373337346431363262336565326231316162383363346337616538616536383235
-3735316334343437373065386533366332303139353466340a633639643233356136383431653065
-37636637373562323561303235333733663164663037643632653562383461646561616238666331
-6433393062313035340a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
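Review bot: Changing `Enable wireguard` from `state: reloaded` to `state: restarted` means every change to the rendered config tears `wg0` down and back up, which briefly drops the tunnel that all the `files/haproxy.cfg` backends are reached over. If `reloaded` was dropped because the `wg-quick@` unit offers no reload action on this host (plausible, but not visible here), a non-disruptive alternative is a separate `command` task running `wg syncconf wg0` with the output of `wg-quick strip wg0`, guarded by the same `when: wireguard_conf.changed`, keeping the `service` task with `enabled: true` for the initial start only. The task continues outside the hunk, so I cannot see whether a `become_user` line follows `become: true`.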
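Review bot: `become_user: root` on the added lines is redundant — root is already the target when `become: true` is set — so `become: true` alone is sufficient, as it is in the `Enable wireguard` task above. This sshd change is also unrelated to the commit's stated purpose of moving variables, and would be easier to trace in history as its own commit. The task's `name:` and module line lie outside the hunk.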