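---
# Playbook for the vpn / embassy hosts: inventory sanity checks, SSH hardening
# on the embassy host, WireGuard setup, and the wings hosts.

- name: Preparation
  hosts: vpn
  pre_tasks:
  # The single embassy host must also be the single vpn_server host; the
  # intersect() check is what ties the two groups together.
  - name: Verify only one embassy
    ansible.builtin.assert:
      that: >
        groups['embassy'] | length == 1 and
        groups['vpn_server'] | length == 1 and
        groups['vpn_server'] | intersect(groups['embassy']) | length == 1
      msg: Expected only one embassy host

  - name: Verify ipv6_subnet is set
    when: inventory_hostname == groups['embassy'][0]
    ansible.builtin.assert:
      that: ipv6_subnet is defined
      msg: >
        Expected ipv6_subnet to be defined.
        This should have been done in Terraform or otherwise.

  tasks:
  # As mentioned in the other file, if I set this statically on group_vars,
  # things seem to break.
  - name: Publish the embassy's ipv6_subnet as a fact on every vpn host
    ansible.builtin.set_fact:
      public_ipv6_subnet: "{{ hostvars[groups['embassy'][0]].ipv6_subnet }}"

  # NOTE(review): if this sshd_config carries an
  # `Include /etc/ssh/sshd_config.d/*.conf` line, a drop-in there is read
  # first and wins (sshd honours the first occurrence of a keyword); check the
  # effective values with `sshd -T` on the host — TODO confirm for these images.
  - name: Disable password-based authentication
    when: inventory_hostname == groups['embassy'][0]
    become: true
    ansible.builtin.lineinfile:
      path: "/etc/ssh/sshd_config"
      # Match the directive whether it is active or commented out so the
      # existing line is rewritten in place; appending a second
      # PasswordAuthentication line would lose to an earlier one.
      regexp: '^\s*#?\s*PasswordAuthentication\b'
      line: 'PasswordAuthentication no'
      # Never write a file sshd itself rejects: a broken config plus the
      # restart below would lock us out of the host.
      validate: '/usr/sbin/sshd -t -f %s'
    register: passwordauthentication

  - name: Enable public key authentication in SSH
    when: inventory_hostname == groups['embassy'][0]
    become: true
    ansible.builtin.lineinfile:
      path: "/etc/ssh/sshd_config"
      # Same matching rule as above; stated explicitly so the policy is
      # visible in the file rather than relying on sshd's default.
      regexp: '^\s*#?\s*PubkeyAuthentication\b'
      line: 'PubkeyAuthentication yes'
      validate: '/usr/sbin/sshd -t -f %s'
    register: publickeyauthentication

  # Restart only when one of the two edits actually changed the file; on the
  # non-embassy hosts both registered results are skipped and not changed.
  - name: Restart SSH
    when: >-
      inventory_hostname == groups['embassy'][0] and
      (passwordauthentication.changed or publickeyauthentication.changed)
    become: true
    ansible.builtin.service:
      name: ssh
      state: restarted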
# WireGuard itself is installed and configured entirely by the upstream role;
# the wireguard_* variables referenced by the next play are presumably the
# role's own (see its defaults) — confirm against the role version in use.
- name: Set up VPN
  hosts: vpn
  become: true
  roles:
  - githubixx.ansible_role_wireguard
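# We should really try to get this in upstream, this is so jank.
- name: Patch VPN server settings
  hosts: vpn_server
  become: true
  tasks:
  # replace runs in MULTILINE mode and rewrites every match, so each [Peer]
  # block gets the line. The negative lookahead skips a PublicKey that already
  # has PersistentKeepalive directly below it, which keeps the task idempotent
  # (a plain `sed -i '/PublicKey/a ...'` appends another line on every run).
  # The keepalive value is written into the file, not interpolated into a
  # shell command. Caveat: an already-present line is not updated when
  # wireguard_persistent_keepalive changes.
  - name: Add PersistentKeepalive after every peer PublicKey in wg0.conf
    ansible.builtin.replace:
      path: /etc/wireguard/wg0.conf
      regexp: '^(\s*PublicKey\s*=.*)$(?!\nPersistentKeepalive)'
      replace: '\1\nPersistentKeepalive = {{ wireguard_persistent_keepalive }}'

  # Restarted unconditionally so a changed wireguard_service_state also takes
  # effect here; a VPN that is meant to be stopped/disabled stays that way.
  # wireguard_service_state / wireguard_service_enabled look like the role's
  # variables — TODO confirm.
  - name: Apply the patched configuration to the WireGuard service
    ansible.builtin.service:
      name: wg-quick@wg0
      state: "{{ 'restarted' if wireguard_service_state != 'stopped' else 'stopped' }}"
      enabled: "{{ wireguard_service_enabled }}"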
- name: Install wings
  hosts: moirai_wings
  remote_user: ubuntu
  # Don't forget to create a new disk if creating new wings. This is
  # purposefully manual to give more fine-grained control
  vars:
    # Storage layout (presumably consumed by the lvm role): one PV, one VG,
    # one LV taking all free space, formatted and mounted at mount_path.
    pv_disks:
    - /dev/sda
    vg_name: vg1
    lv_name: pvs
    lv_size: '+100%FREE'
    fs_type: ext4
    mount_path: /var/lib/pterodactyl
    # Raw JSON fragment for the docker role's daemon configuration; the
    # trailing comma suggests the role appends further entries — verify
    # against the role's template.
    extra_docker_daemon_options: |
      "dns": ["10.0.123.123"],
  roles:
  - dns-client
  - lvm
  - docker
  - wings