-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpb.yaml
143 lines (122 loc) · 4.26 KB
/
pb.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
- name: Install Docker and deploy Wireguard
hosts: all
become: true
environment:
INSTANCE_TOKEN: ""
POST_STATE_URL: ""
POST_CONFIG_DATA_URL: ""
vars:
cfg_dir: "/.nocloud/nocloud-wireguard/conf"
temp_dir: "/tmp/nocloud-wireguard"
cont_name: "NCWG"
docker_compose_content: |
services:
wg-easy:
pull_policy: always
environment:
ACCESS_TOKEN: "{{ INSTANCE_TOKEN }}"
POST_STATE_URL: "{{ POST_STATE_URL }}"
POST_CONFIG_DATA_URL: "{{ POST_CONFIG_DATA_URL }}"
WG_HOST: "{{ host }}"
PASSWORD_HASH: "{{ hashed_password }}"
JWT_SECRET: "{{ jwt_secret }}"
image: ghcr.io/support-pl/wireguard-agent:latest
container_name: "{{ cont_name }}"
volumes:
- "{{ cfg_dir }}/:/etc/wireguard/"
ports:
- "51820:51820/udp"
- "51821:51821/tcp"
restart: always
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
tasks:
- name: Fail if not running on linux
fail: msg="UNSUPPORTED_OS"
when: ansible_system != "Linux"
- name: Update and upgrade apt packages
become: true
apt:
upgrade: yes
update_cache: yes
cache_valid_time: 86400 #One day
- name: Install required packages
ansible.builtin.package:
name: "{{ item }}"
state: present
loop:
- curl
- openssl
- apache2-utils
- name: Get the public IP address
uri:
url: https://api.ipify.org?format=text
return_content: yes
register: public_ip_response
- name: Set "host" to public_ip:51820
set_fact:
host: "{{ public_ip_response.content }}:51820"
- name: Install Docker using the official script
ansible.builtin.shell: curl -fsSL https://get.docker.com/ | sh
args:
creates: /usr/bin/docker
- name: Verify Docker installation
command: docker --version && docker compose version
register: docker_version
changed_when: false
failed_when: docker_version.rc != 0
- name: Generate random signing key
command: "openssl rand -base64 32"
register: jwt_key_output
- name: Store the JWT signing key in a variable
set_fact:
jwt_secret: "{{ jwt_key_output.stdout }}"
- name: Generate random password
ansible.builtin.shell: "openssl rand -base64 12"
register: generated_password
- name: Set the password variable
ansible.builtin.set_fact:
random_password: "{{ generated_password.stdout.strip() }}"
- name: Create bcrypt hash using htpasswd
ansible.builtin.shell: "htpasswd -bnBC 10 '' '{{ random_password }}' | tr -d ':\\n'"
register: bcrypt_hash_raw
- name: Escape $ characters in bcrypt hash
ansible.builtin.shell: "echo '{{ bcrypt_hash_raw.stdout.strip() }}' | sed 's/\\$/\\$\\$/g'"
register: escaped_bcrypt_hash
- name: Set the bcrypt_hash variable with escaped value
ansible.builtin.set_fact:
hashed_password: "{{ escaped_bcrypt_hash.stdout.strip() }}"
- name: Create temporary directory for Docker Compose file
ansible.builtin.file:
path: "{{ temp_dir }}"
state: directory
mode: '0755'
- name: Create Docker Compose file
ansible.builtin.copy:
dest: "{{ temp_dir }}/docker-compose.yml"
content: "{{ docker_compose_content }}"
- name: Send password back
shell: |
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer {{ INSTANCE_TOKEN }}" \
-d '{ "field": "wg_easy_password", "value": "{{ random_password }}" }' \
https://{{ POST_CONFIG_DATA_URL }}
register: result
- name: Run Docker Compose
ansible.builtin.command:
cmd: docker compose up --pull always -d
chdir: "{{ temp_dir }}"
register: docker_compose_result
failed_when: docker_compose_result.rc != 0
retries: 5
delay: 10
until: docker_compose_result.rc == 0
- name: Cleanup temporary Docker Compose file
ansible.builtin.file:
path: "{{ temp_dir }}"
state: absent