-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
72b55a1
commit 35e627f
Showing
1 changed file
with
133 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,133 @@ | ||
| - name: Install Docker and deploy Wireguard | ||
| hosts: all | ||
| become: true | ||
|
|
||
| environment: | ||
| INSTANCE_TOKEN: "" | ||
| POST_STATE_URL: "" | ||
| POST_CONFIG_DATA_URL: "" | ||
| vars: | ||
| cfg_dir: "/.nocloud/nocloud-wireguard/conf" | ||
| temp_dir: "/tmp/nocloud-wireguard" | ||
| cont_name: "NCWG" | ||
| docker_compose_content: | | ||
| services: | ||
| wg-easy: | ||
| pull_policy: always | ||
| environment: | ||
| ACCESS_TOKEN: "{{ INSTANCE_TOKEN }}" | ||
| POST_STATE_URL: "{{ POST_STATE_URL }}" | ||
| POST_CONFIG_DATA_URL: "{{ POST_CONFIG_DATA_URL }}" | ||
| WG_HOST: "{{ host }}" | ||
| PASSWORD_HASH: "{{ hashed_password }}" | ||
| JWT_SECRET: "{{ jwt_secret }}" | ||
| image: ghcr.io/support-pl/wireguard-agent:latest | ||
| container_name: "{{ cont_name }}" | ||
| volumes: | ||
| - "{{ cfg_dir }}/:/etc/wireguard/" | ||
| ports: | ||
| - "51820:51820/udp" | ||
| - "51821:51821/tcp" | ||
| restart: always | ||
| cap_add: | ||
| - NET_ADMIN | ||
| - SYS_MODULE | ||
| sysctls: | ||
| - net.ipv4.ip_forward=1 | ||
| - net.ipv4.conf.all.src_valid_mark=1 | ||
| tasks: | ||
|
|
||
| - name: Fail if not running on linux | ||
| fail: msg="UNSUPPORTED_OS" | ||
| when: ansible_system != "Linux" | ||
|
|
||
| - name: Install required packages | ||
| ansible.builtin.package: | ||
| name: "{{ item }}" | ||
| state: present | ||
| loop: | ||
| - curl | ||
| - openssl | ||
| - apache2-utils | ||
|
|
||
| - name: Get the public IP address | ||
| uri: | ||
| url: https://api.ipify.org?format=text | ||
| return_content: yes | ||
| register: public_ip_response | ||
|
|
||
| - name: Set "host" to public_ip:51820 | ||
| set_fact: | ||
| host: "{{ public_ip_response.content }}:51820" | ||
|
|
||
| - name: Install Docker using the official script | ||
| ansible.builtin.shell: curl -fsSL https://get.docker.com/ | sh | ||
| args: | ||
| creates: /usr/bin/docker | ||
|
|
||
| - name: Verify Docker installation | ||
| command: docker --version && docker compose version | ||
| register: docker_version | ||
| changed_when: false | ||
| failed_when: docker_version.rc != 0 | ||
|
|
||
| - name: Generate random signing key | ||
| command: "openssl rand -base64 32" | ||
| register: jwt_key_output | ||
|
|
||
| - name: Store the JWT signing key in a variable | ||
| set_fact: | ||
| jwt_secret: "{{ jwt_key_output.stdout }}" | ||
|
|
||
| - name: Generate random password | ||
| ansible.builtin.shell: "openssl rand -base64 12" | ||
| register: generated_password | ||
|
|
||
| - name: Set the password variable | ||
| ansible.builtin.set_fact: | ||
| random_password: "{{ generated_password.stdout.strip() }}" | ||
|
|
||
| - name: Create bcrypt hash using htpasswd | ||
| ansible.builtin.shell: "htpasswd -bnBC 10 '' '{{ random_password }}' | tr -d ':\\n'" | ||
| register: bcrypt_hash_raw | ||
|
|
||
| - name: Escape $ characters in bcrypt hash | ||
| ansible.builtin.shell: "echo '{{ bcrypt_hash_raw.stdout.strip() }}' | sed 's/\\$/\\$\\$/g'" | ||
| register: escaped_bcrypt_hash | ||
|
|
||
| - name: Set the bcrypt_hash variable with escaped value | ||
| ansible.builtin.set_fact: | ||
| hashed_password: "{{ escaped_bcrypt_hash.stdout.strip() }}" | ||
|
|
||
| - name: Create temporary directory for Docker Compose file | ||
| ansible.builtin.file: | ||
| path: "{{ temp_dir }}" | ||
| state: directory | ||
| mode: '0755' | ||
|
|
||
| - name: Create Docker Compose file | ||
| ansible.builtin.copy: | ||
| dest: "{{ temp_dir }}/docker-compose.yml" | ||
| content: "{{ docker_compose_content }}" | ||
|
|
||
| - name: Send password back | ||
| shell: | | ||
| curl -X POST \ | ||
| -H "Content-Type: application/json" \ | ||
| -H "Authorization: Bearer {{ INSTANCE_TOKEN }}" \ | ||
| -d '{ "field": "wg_easy_password", "value": "{{ random_password }}" }' \ | ||
| https://{{ POST_CONFIG_DATA_URL }} | ||
| register: result | ||
|
|
||
| - name: Run Docker Compose | ||
| ansible.builtin.command: | ||
| cmd: docker compose up --pull always -d | ||
| chdir: "{{ temp_dir }}" | ||
| register: docker_compose_result | ||
| failed_when: docker_compose_result.rc != 0 | ||
|
|
||
| - name: Cleanup temporary Docker Compose file | ||
| ansible.builtin.file: | ||
| path: "{{ temp_dir }}" | ||
| state: absent |