CIS + inital

2026-01-26 21:22:41 -05:00
parent 5b6e1567f9
commit 28db1d2104
65 changed files with 4555 additions and 2 deletions
@@ -0,0 +1,41 @@
+---
+# WireGuard Server Role - Default Variables
+
+# WireGuard interface configuration
+wg_interface: wg0
+wg_port: 51820
+wg_network: "10.100.0.0/24"
+wg_server_ip: "10.100.0.1"
+
+# DNS servers for VPN clients
+wg_dns_servers:
+  - "1.1.1.1"
+  - "1.0.0.1"
+
+# WireGuard users/peers
+# Format:
+# wg_peers:
+#   - name: user1
+#     ip: 10.100.0.10
+#   - name: user2
+#     ip: 10.100.0.11
+wg_peers: []
+
+# Automatic peer IP allocation
+wg_auto_allocate_ips: true
+wg_ip_start: 10  # Start allocating from 10.100.0.10
+
+# Key management
+wg_keys_dir: "/etc/wireguard/keys"
+wg_config_dir: "/etc/wireguard"
+wg_client_configs_dir: "/root/wireguard-client-configs"
+
+# Post-up and post-down rules for NAT
+wg_postup: "iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE"
+wg_postdown: "iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE"
+
+# Keepalive
+wg_persistent_keepalive: 25
+
+# MTU
+wg_mtu: 1420
@@ -0,0 +1,7 @@
+---
+# WireGuard Server Role - Handlers
+
+- name: restart wireguard
+  ansible.builtin.systemd:
+    name: "wg-quick@{{ wg_interface }}"
+    state: restarted
@@ -0,0 +1,25 @@
+---
+galaxy_info:
+  role_name: wireguard_server
+  author: Security Infrastructure Team
+  description: WireGuard VPN server installation and configuration
+  company: Your Organization
+  license: MIT
+  min_ansible_version: "2.15"
+  platforms:
+    - name: Ubuntu
+      versions:
+        - noble  # 24.04
+        - jammy  # 22.04
+  galaxy_tags:
+    - wireguard
+    - vpn
+    - security
+    - networking
+
+dependencies:
+  - role: system_hardening
+
+collections:
+  - ansible.posix
+  - ansible.utils
@@ -0,0 +1,34 @@
+---
+# WireGuard Configuration Tasks
+
+- name: Configure WireGuard server
+  ansible.builtin.template:
+    src: wg0.conf.j2
+    dest: "{{ wg_config_dir }}/{{ wg_interface }}.conf"
+    owner: root
+    group: root
+    mode: '0600'
+  notify: restart wireguard
+
+- name: Enable IP forwarding (if not already enabled by sysctl)
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    state: present
+    sysctl_set: yes
+    reload: yes
+
+- name: Enable WireGuard service
+  ansible.builtin.systemd:
+    name: "wg-quick@{{ wg_interface }}"
+    enabled: yes
+    state: started
+
+- name: Get WireGuard service status
+  ansible.builtin.systemd:
+    name: "wg-quick@{{ wg_interface }}"
+  register: wg_service_status
+
+- name: Display WireGuard status
+  ansible.builtin.debug:
+    msg: "WireGuard service is {{ wg_service_status.status.ActiveState }}"
@@ -0,0 +1,59 @@
+---
+# WireGuard Installation Tasks
+
+- name: Install WireGuard
+  ansible.builtin.apt:
+    name:
+      - wireguard
+      - wireguard-tools
+      - qrencode
+    state: present
+    update_cache: yes
+
+- name: Create WireGuard directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: '0700'
+  loop:
+    - "{{ wg_config_dir }}"
+    - "{{ wg_keys_dir }}"
+    - "{{ wg_client_configs_dir }}"
+
+- name: Check if server private key exists
+  ansible.builtin.stat:
+    path: "{{ wg_keys_dir }}/server_private.key"
+  register: server_private_key
+
+- name: Generate server private key
+  ansible.builtin.shell: wg genkey > {{ wg_keys_dir }}/server_private.key
+  when: not server_private_key.stat.exists
+
+- name: Set server private key permissions
+  ansible.builtin.file:
+    path: "{{ wg_keys_dir }}/server_private.key"
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Generate server public key
+  ansible.builtin.shell: cat {{ wg_keys_dir }}/server_private.key | wg pubkey > {{ wg_keys_dir }}/server_public.key
+  args:
+    creates: "{{ wg_keys_dir }}/server_public.key"
+
+- name: Read server private key
+  ansible.builtin.slurp:
+    src: "{{ wg_keys_dir }}/server_private.key"
+  register: server_private_key_content
+
+- name: Read server public key
+  ansible.builtin.slurp:
+    src: "{{ wg_keys_dir }}/server_public.key"
+  register: server_public_key_content
+
+- name: Set server keys as facts
+  ansible.builtin.set_fact:
+    wg_server_private_key: "{{ server_private_key_content['content'] | b64decode | trim }}"
+    wg_server_public_key: "{{ server_public_key_content['content'] | b64decode | trim }}"
@@ -0,0 +1,12 @@
+---
+# WireGuard Server Role - Main Tasks
+
+- name: Include installation tasks
+  ansible.builtin.include_tasks: install.yml
+
+- name: Include configuration tasks
+  ansible.builtin.include_tasks: configure.yml
+
+- name: Include user management tasks
+  ansible.builtin.include_tasks: users.yml
+  when: wg_peers | length > 0
@@ -0,0 +1,73 @@
+---
+# WireGuard User Management Tasks
+
+- name: Auto-allocate IPs if enabled
+  ansible.builtin.set_fact:
+    wg_peers_with_ips: "{{ wg_peers_with_ips | default([]) + [item | combine({'ip': wg_network | ansible.utils.ipaddr(wg_ip_start + idx) | ansible.utils.ipaddr('address')})] }}"
+  loop: "{{ wg_peers }}"
+  loop_control:
+    index_var: idx
+  when:
+    - wg_auto_allocate_ips | bool
+    - item.ip is not defined
+
+- name: Use provided IPs if auto-allocation disabled
+  ansible.builtin.set_fact:
+    wg_peers_with_ips: "{{ wg_peers }}"
+  when: not (wg_auto_allocate_ips | bool)
+
+- name: Generate client private keys
+  ansible.builtin.shell: wg genkey > {{ wg_keys_dir }}/{{ item.name }}_private.key
+  args:
+    creates: "{{ wg_keys_dir }}/{{ item.name }}_private.key"
+  loop: "{{ wg_peers_with_ips }}"
+
+- name: Set client private key permissions
+  ansible.builtin.file:
+    path: "{{ wg_keys_dir }}/{{ item.name }}_private.key"
+    owner: root
+    group: root
+    mode: '0600'
+  loop: "{{ wg_peers_with_ips }}"
+
+- name: Generate client public keys
+  ansible.builtin.shell: cat {{ wg_keys_dir }}/{{ item.name }}_private.key | wg pubkey > {{ wg_keys_dir }}/{{ item.name }}_public.key
+  args:
+    creates: "{{ wg_keys_dir }}/{{ item.name }}_public.key"
+  loop: "{{ wg_peers_with_ips }}"
+
+- name: Read client keys
+  ansible.builtin.shell: |
+    echo "private=$(cat {{ wg_keys_dir }}/{{ item.name }}_private.key)"
+    echo "public=$(cat {{ wg_keys_dir }}/{{ item.name }}_public.key)"
+  register: client_keys
+  loop: "{{ wg_peers_with_ips }}"
+  changed_when: false
+
+- name: Generate client configurations
+  ansible.builtin.template:
+    src: client.conf.j2
+    dest: "{{ wg_client_configs_dir }}/{{ item.item.name }}.conf"
+    owner: root
+    group: root
+    mode: '0600'
+  loop: "{{ client_keys.results }}"
+  vars:
+    client_name: "{{ item.item.name }}"
+    client_ip: "{{ item.item.ip }}"
+    client_private_key: "{{ item.stdout_lines[0].split('=')[1] }}"
+    client_public_key: "{{ item.stdout_lines[1].split('=')[1] }}"
+
+- name: Generate QR codes for mobile clients
+  ansible.builtin.shell: qrencode -t ansiutf8 < {{ wg_client_configs_dir }}/{{ item.name }}.conf > {{ wg_client_configs_dir }}/{{ item.name }}_qr.txt
+  args:
+    creates: "{{ wg_client_configs_dir }}/{{ item.name }}_qr.txt"
+  loop: "{{ wg_peers_with_ips }}"
+
+- name: Create summary file
+  ansible.builtin.template:
+    src: summary.md.j2
+    dest: "{{ wg_client_configs_dir }}/README.md"
+    owner: root
+    group: root
+    mode: '0644'
@@ -0,0 +1,11 @@
+[Interface]
+PrivateKey = {{ client_private_key }}
+Address = {{ client_ip }}/{{ wg_network | ansible.utils.ipaddr('prefix') }}
+DNS = {{ wg_dns_servers | join(', ') }}
+MTU = {{ wg_mtu }}
+
+[Peer]
+PublicKey = {{ wg_server_public_key }}
+Endpoint = {{ ansible_default_ipv4.address }}:{{ wg_port }}
+AllowedIPs = 0.0.0.0/0, ::/0
+PersistentKeepalive = {{ wg_persistent_keepalive }}
@@ -0,0 +1,49 @@
+# WireGuard VPN Client Configurations
+
+**Server**: {{ inventory_hostname }}  
+**Server IP**: {{ ansible_default_ipv4.address }}  
+**VPN Network**: {{ wg_network }}  
+**Server Public Key**: {{ wg_server_public_key }}
+
+## Client Configurations
+
+{% for peer in wg_peers_with_ips | default([]) %}
+### {{ peer.name }}
+- **IP Address**: {{ peer.ip }}
+- **Config File**: `{{ peer.name }}.conf`
+- **QR Code**: `{{ peer.name }}_qr.txt`
+
+{% endfor %}
+
+## Installation Instructions
+
+### Desktop (Linux/macOS/Windows)
+
+1. Install WireGuard: https://www.wireguard.com/install/
+2. Copy the `.conf` file to your device
+3. Import configuration:
+   - Linux: `sudo wg-quick up /path/to/config.conf`
+   - macOS/Windows: Import via WireGuard GUI
+4. Connect
+
+### Mobile (iOS/Android)
+
+1. Install WireGuard app from App Store/Play Store
+2. View QR code: `cat <username>_qr.txt`
+3. Scan QR code in WireGuard app
+4. Connect
+
+## Testing
+
+After connecting, verify your IP:
+```bash
+curl https://ifconfig.me
+```
+
+Should show: {{ ansible_default_ipv4.address }}
+
+## Troubleshooting
+
+- Ensure port {{ wg_port }}/udp is open in firewall
+- Check server status: `sudo wg show`
+- Check logs: `sudo journalctl -u wg-quick@{{ wg_interface }}`
@@ -0,0 +1,17 @@
+[Interface]
+Address = {{ wg_server_ip }}/{{ wg_network | ansible.utils.ipaddr('prefix') }}
+ListenPort = {{ wg_port }}
+PrivateKey = {{ wg_server_private_key }}
+MTU = {{ wg_mtu }}
+
+PostUp = {{ wg_postup }}
+PostDown = {{ wg_postdown }}
+
+{% for peer in wg_peers_with_ips | default([]) %}
+# {{ peer.name }}
+[Peer]
+PublicKey = {{ lookup('file', wg_keys_dir + '/' + peer.name + '_public.key') }}
+AllowedIPs = {{ peer.ip }}/32
+PersistentKeepalive = {{ wg_persistent_keepalive }}
+
+{% endfor %}