Roxedus/Infra
1
0
Fork 0
Code Issues 1 Pull Requests 6 Projects Releases Wiki Activity

try usg stuff

Browse Source
This commit is contained in:
Roxedus 2022-10-18 22:04:13 +02:00
parent 39b0938d27
commit cdbe3750d5
Signed by: Roxedus
GPG Key ID: 9B4E311961C63639
6 changed files with 114 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
ansible/group_vars/cloud_key.yml Normal file
View File

@ -0,0 +1,72 @@
unifi_site: default
unifi_gateway_config:
firewall:
name:
WAN_LOCAL:
rule:
20:
action: accept
description: WireGuard
destination:
port: "{{ wireguard.usg.wg0.listen_port }}"
protocol: udp
group:
network-group:
remote_user_vpn_network:
description: Remote User VPN subnets
network:
- 10.253.1.0/24
address-group:
RougeDns:
description: IoT
address: 10.0.0.210-10.0.0.230
service:
nat:
rule:
1:
description: Redirect DNS queries to pihole
destination:
address: "!10.0.0.31"
port: "53"
inbound-interface: eth1
inside-address:
address: "10.0.0.31"
port: "53"
log: enable
protocol: tcp_udp
type: destination
source:
group:
address-group: RougeDns
5002:
description: Translate reply back
destination:
address: 10.0.0.31
port: "53"
outbound-interface: eth0
protocol: tcp_udp
type: masquerade
interfaces:
wireguard:
wg0:
address: "{{ wireguard.usg.wg0.address }}"
firewall:
in:
name: LAN_IN
local:
name: LAN_LOCAL
out:
name: LAN_OUT
listen-port: "{{ wireguard.usg.wg0.listen_port }}"
mtu: "1500"
peer:
- key: "{{ wireguard.usg.wg0.peers.phone.public }}"
allowed-ips: "{{ wireguard.usg.wg0.peers.phone.allowed_ips }}"
persistent-keepalive: "{{ wireguard.usg.wg0.persistent_keepalive }}"
endpoint: "{{ wireguard.usg.wg0.endpoint }}:{{ wireguard.usg.wg0.listen_port }}"
- key: "{{ wireguard.usg.wg0.peers.travel.public }}"
allowed-ips: "{{ wireguard.usg.wg0.peers.travel.allowed_ips }}"
persistent-keepalive: "{{ wireguard.usg.wg0.persistent_keepalive }}"
endpoint: "{{ wireguard.usg.wg0.endpoint }}:{{ wireguard.usg.wg0.listen_port }}"
private-key: /config/auth/wireguard/wg.key
route-allowed-ips: "true"

2
ansible/roles/cloud_key/defaults/main.yml Normal file
View File

@ -0,0 +1,2 @@
unifi_site: default
unifi_gateway_config:

17
ansible/roles/cloud_key/tasks/main.yml Normal file
View File

@ -0,0 +1,17 @@
- name: Ensure folder for site exists
ansible.builtin.file:
path: "/srv/unifi/data/sites/{{ unifi_site }}"
state: directory
mode: "0755"
owner: unifi
group: unifi
- name: Place config.gateway.json
ansible.builtin.template:
src: config.gateway.json.j2
dest: "/srv/unifi/data/sites/{{ unifi_site }}/config.gateway.json"
owner: unifi
group: unifi
mode: "0644"
validate: python -m json.tool %s
backup: yes

11
ansible/roles/cloud_key/templates/config.gateway.json.j2 Normal file
View File

@ -0,0 +1,11 @@
{% set copy_=unifi_gateway_config -%}
{% for inf in unifi_gateway_config.interfaces.wireguard %}
{%- set p=[] -%}
{% for peer in unifi_gateway_config.interfaces.wireguard[inf].peer %}
{%- set m=peer.key -%}
{%- set x=peer.pop("key") -%}
{%- set x=(p.append({m: peer})) -%}
{% endfor %}
{%- set x=(unifi_gateway_config.interfaces.wireguard[inf].__setitem__("peer", p)) -%}
{% endfor %}
{{- copy_ | to_json(indent=4) }}

1
ansible/roles/usg/defaults/main.yml Normal file
View File

@ -0,0 +1 @@
unifi_wg_priv:

11
ansible/roles/usg/tasks/main.yml Normal file
View File

@ -0,0 +1,11 @@
- name: Ensure folder for wireguard
ansible.builtin.file:
path: /config/auth/wireguard
state: directory
mode: "0755"
- name: Place wg.key
ansible.builtin.copy:
content: "{{ unifi_wg_priv }}\n"
dest: /config/auth/wireguard/wg.key
mode: "0644"