-rw-r--r--files/resolv.conf2
-rw-r--r--tasks/preflight.yaml6
-rw-r--r--tasks/pve_configure.yaml24
-rw-r--r--tasks/pve_setup.yaml14
-rw-r--r--tasks/wg_setup.yaml39
-rw-r--r--templates/manage_wg_peers.sh.j217
-rw-r--r--templates/pveproxy1
-rw-r--r--templates/wg0.conf.j222
-rw-r--r--vars/main.yaml15
9 files changed, 96 insertions, 44 deletions
diff --git a/files/resolv.conf b/files/resolv.conf
new file mode 100644
index 0000000..0b030bf
--- /dev/null
+++ b/files/resolv.conf
@@ -0,0 +1,2 @@
+nameserver 1.1.1.1
+nameserver 1.0.0.1
diff --git a/tasks/preflight.yaml b/tasks/preflight.yaml
index aef9dcf..6c67ae7 100644
--- a/tasks/preflight.yaml
+++ b/tasks/preflight.yaml
@@ -1,17 +1,17 @@
- name: ensure script is run as root
- ansible.builtin.assert:
+ assert:
that:
- ansible_effective_user_id == 0
fail_msg: "this playbook must be run as root"
- name: check if system is debian-based
- ansible.builtin.command: dpkg -l
+ command: dpkg -l
register: dpkg_check
changed_when: false
failed_when: false
- name: fail if not debian-based
- ansible.builtin.fail:
+ fail:
msg: "distribution not Debian-based"
when: dpkg_check.rc != 0
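Review bot: Dropping the `ansible.builtin.` prefix on `assert`, `command` and `fail` is a style regression rather than a fix; fully qualified collection names are what ansible-lint's fqcn rule expects, and they keep module resolution unambiguous once extra collections are installed. Unless the playbook must run on an Ansible older than 2.10 that lacks FQCN support, keep `ansible.builtin.assert:`, `ansible.builtin.command: dpkg -l` and `ansible.builtin.fail:`. The other task files in this commit already use short names, so if short names are the project standard this is at least consistent and the point can be closed as such.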
diff --git a/tasks/pve_configure.yaml b/tasks/pve_configure.yaml
index 0f769e8..757c7b4 100644
--- a/tasks/pve_configure.yaml
+++ b/tasks/pve_configure.yaml
@@ -32,10 +32,17 @@
block: |
*nat
:POSTROUTING ACCEPT [0:0]
- -A POSTROUTING -s {{ nat_subnet }} -o {{ public_interface }} -j MASQUERADE
+ -A POSTROUTING -s {{ nat_subnet }} -o vmbr0 -j MASQUERADE
COMMIT
marker: "# {mark} ANSIBLE MANAGED NAT MASQUERADE RULE"
+- name: set DEFAULT_FORWARD_POLICY to ACCEPT
+ lineinfile:
+ path: /etc/default/ufw
+ regexp: '^DEFAULT_FORWARD_POLICY='
+ line: 'DEFAULT_FORWARD_POLICY="ACCEPT"'
+ backrefs: yes
+
- name: enable ipv4 forwarding persistently
sysctl:
name: net.ipv4.ip_forward
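Review bot: `backrefs: yes` on the new `DEFAULT_FORWARD_POLICY` task means lineinfile does nothing when no `DEFAULT_FORWARD_POLICY=` line exists in /etc/default/ufw, and `line` contains no backreferences that would need it; drop `backrefs: yes` so the line is appended when missing (if it is kept, spell it `backrefs: true`). Setting the default forward policy to ACCEPT also makes ufw forward between every interface pair, which is broader than the wg0↔vmbr paths this commit wires up; per-path `ufw` tasks with `route: true` plus `interface_in`/`interface_out` keep forwarding explicit and leave the default at DROP. The `vmbr0` literal replaces the previous `{{ public_interface }}` here and again in templates/wg0.conf.j2; keeping a variable defaulted to `vmbr0` avoids hard-wiring the bridge name into two places.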
@@ -58,6 +65,21 @@
enabled: true
when: ansible_service_mgr == 'systemd'
+- name: allow pve port
+ ufw:
+ rule: allow
+ port: 8006
+ proto: tcp
+
+- name: deploy static /etc/resolv.conf
+ copy:
+ src: files/resolv.conf
+ dest: /etc/resolv.conf
+ mode: '0644'
+
+- name: make /etc/resolv.conf immutable with chattr
+ command: chattr +i /etc/resolv.conf
+
- name: generate secure 32-character password
set_fact:
pve_admin_user: "pveadmin@pve"
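Review bot: `command: chattr +i /etc/resolv.conf` makes the play fail on its second run, because the preceding `copy` cannot replace a file carrying the immutable bit (the content is written to a temp file and renamed over the destination, which immutable forbids), and the `command` task itself always reports changed. Clear the bit before the copy and set it afterwards with the `file` module's `attributes` parameter, which is idempotent and reports correctly. The `allow pve port` rule opens 8006/tcp on every interface; pairing it with `interface: wg0` and `direction: in` (or `from_ip: "{{ wg_subnet }}"`) matches the wg-only pveproxy configuration this commit adds in tasks/wg_setup.yaml instead of relying on `LISTEN_IP` alone. The resolvers in files/resolv.conf are hard-coded too and are worth a variable for sites that run an internal resolver.
```yaml
- name: clear immutable bit so /etc/resolv.conf can be replaced
  file:
    path: /etc/resolv.conf
    attributes: "-i"
  failed_when: false  # file may not exist yet on a fresh host

- name: deploy static /etc/resolv.conf
  copy:
    src: files/resolv.conf
    dest: /etc/resolv.conf
    mode: '0644'

- name: make /etc/resolv.conf immutable
  file:
    path: /etc/resolv.conf
    attributes: i
```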
diff --git a/tasks/pve_setup.yaml b/tasks/pve_setup.yaml
index 9fcea47..88a92c3 100644
--- a/tasks/pve_setup.yaml
+++ b/tasks/pve_setup.yaml
@@ -54,13 +54,13 @@
environment:
DEBIAN_FRONTEND: noninteractive
-- name: reboot to activate proxmox ve kernel
- reboot:
- msg: "rebooting to activate proxmox ve kernel"
- connect_timeout: 10
- reboot_timeout: 600
- pre_reboot_delay: 5
- post_reboot_delay: 10
+ #- name: reboot to activate proxmox ve kernel
+ # reboot:
+ # msg: "rebooting to activate proxmox ve kernel"
+ # connect_timeout: 10
+ # reboot_timeout: 600
+ # pre_reboot_delay: 5
+ # post_reboot_delay: 10
- name: install pve packages
apt:
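Review bot: The reboot task is commented out rather than removed or made conditional, which leaves dead YAML in the file, and if the block stays disabled the PVE kernel installed just above may not be the running kernel when `install pve packages` executes (inferred from the task names; the surrounding tasks are not visible here). Either delete the block, or keep the reboot behind a variable such as `when: pve_reboot_after_kernel | default(true)` so hosts that must not reboot mid-play can opt out without editing the task file. The `install pve packages` task continues outside the hunk.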
diff --git a/tasks/wg_setup.yaml b/tasks/wg_setup.yaml
index 9557a79..abe818f 100644
--- a/tasks/wg_setup.yaml
+++ b/tasks/wg_setup.yaml
@@ -18,44 +18,44 @@
- name: create wireguard server directory
file:
- path: "{{ wireguard_server_home }}"
+ path: "{{ wg_server_home }}"
state: directory
mode: "0700"
- name: create wireguard peers directory
file:
- path: "{{ wireguard_peers_home }}"
+ path: "{{ wg_peers_home }}"
state: directory
mode: "0700"
- name: generate wireguard server keys
shell:
cmd: |
- wg genpsk > "{{ wireguard_server_home }}/psk.key"
- wg genkey > "{{ wireguard_server_home }}/server.key"
- creates: "{{ wireguard_server_home }}/server.key"
+ wg genpsk > "{{ wg_server_home }}/psk.key"
+ wg genkey > "{{ wg_server_home }}/server.key"
+ creates: "{{ wg_server_home }}/server.key"
args:
- chdir: "{{ wireguard_server_home }}"
+ chdir: "{{ wg_server_home }}"
- name: get server public key
shell:
- cmd: wg pubkey < "{{ wireguard_server_home }}/server.key"
+ cmd: wg pubkey < "{{ wg_server_home }}/server.key"
register: server_pubkey
changed_when: false
- name: read wireguard server.key from remote host
slurp:
- src: "{{ wireguard_server_home }}/server.key"
+ src: "{{ wg_server_home }}/server.key"
register: wg_key
- name: set private key from remote file
set_fact:
private_key: "{{ wg_key.content | b64decode }}"
-- name: deploy {{ wireguard_server_home }}/wg0.conf
+- name: deploy {{ wg_server_home }}/wg0.conf
template:
src: wg0.conf.j2
- dest: "{{ wireguard_server_home }}/wg0.conf"
+ dest: "{{ wg_server_home }}/wg0.conf"
mode: "0600"
- name: deploy manage_wg_peers.sh
@@ -70,3 +70,22 @@
state: restarted
enabled: true
when: ansible_service_mgr == 'systemd'
+
+- name: allow wg port
+ ufw:
+ rule: allow
+ port: "{{ wg_port }}"
+ proto: udp
+
+- name: set wg-only pveproxy config
+ template:
+ src: pveproxy
+ dest: /etc/default/pveproxy
+ mode: '0644'
+
+- name: restart pveproxy
+ systemd:
+ name: pveproxy
+ state: restarted
+ enabled: true
+ when: ansible_service_mgr == 'systemd'
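Review bot: `restart pveproxy` is an unconditional `state: restarted`, so every run restarts the service even when /etc/default/pveproxy did not change; give the `set wg-only pveproxy config` task `notify: restart pveproxy` and move the restart into a handler (the `state: restarted` / `enabled: true` body stays as written). The same restart-every-run pattern appears just above for the wireguard service and in tasks/pve_configure.yaml, so a single handlers file would serve all of them. `port: "{{ wg_port }}"` is correctly quoted here, which is the form the other port values in this commit should follow.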
diff --git a/templates/manage_wg_peers.sh.j2 b/templates/manage_wg_peers.sh.j2
index ed2f800..fd27370 100644
--- a/templates/manage_wg_peers.sh.j2
+++ b/templates/manage_wg_peers.sh.j2
@@ -1,11 +1,12 @@
#!/bin/bash
set -e
-WG_SERVER_HOME="{{ wireguard_server_home }}"
-WG_PEERS_HOME="${WG_SERVER_HOME}/peers.d"
-IP_FILE="${WG_SERVER_HOME}/ips.txt"
-SUBNET_PREFIX="{{ wireguard_subnet_prefix }}"
-DEFAULT_PORT="{{ wireguard_port }}"
+WG_SERVER_HOME="{{ wg_server_home }}"
+WG_PEERS_HOME="{{ wg_peers_home }}"
+IP_FILE="{{ wg_ip_file }}"
+WIREGUARD_SUBNET_PREFIX="{{ wg_subnet_prefix }}"
+NAT_SUBNET="{{ nat_subnet }}"
+DEFAULT_PORT="{{ wg_port }}"
DEFAULT_DNS="8.8.8.8"
test "${EUID}" -ne 0 && printf "%s\n" "run as root" && exit 1
@@ -62,14 +63,14 @@ function get_next_available_ip() {
flock -x 200
touch "${IP_FILE}"
for i in {2..254}; do
- ip="${SUBNET_PREFIX}.${i}"
+ ip="${WIREGUARD_SUBNET_PREFIX}.${i}"
if ! grep -q "${ip}" "${IP_FILE}"; then
printf "%s\n" "${ip}"
printf "%s\n" "${ip}" >> "${IP_FILE}"
exit 0
fi
done
- printf "%s\n" "[err] no available ips in range ${SUBNET_PREFIX}.2 - ${SUBNET_PREFIX}.254"
+ printf "%s\n" "[err] no available ips in range ${WIREGUARD_SUBNET_PREFIX}.2 - ${WIREGUARD_SUBNET_PREFIX}.254"
exit 1
) 200>"${IP_FILE}.lock"
}
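Review bot: `grep -q "${ip}"` inside the loop that this hunk rewrites is an unanchored regex substring match, so a renamed `ip` value such as `10.0.0.2` (constructed example) is reported as taken when only `10.0.0.25` is in the file, and each `.` matches any character; use `grep -qxF -- "${ip}" "${IP_FILE}"` to compare whole lines literally. The lookup line itself is context in this hunk, but the value it tests is the one the hunk renames. The opening line of `get_next_available_ip` lies outside the hunk.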
@@ -102,7 +103,7 @@ DNS = ${dns}
PublicKey = $(wg pubkey < "${WG_SERVER_HOME}/server.key")
PresharedKey = $(cat "${WG_SERVER_HOME}/psk.key")
Endpoint = ${server}:${port}
-AllowedIPs = 0.0.0.0/0
+AllowedIPs = ${WIREGUARD_SUBNET_PREFIX}.0/24, ${NAT_SUBNET}
PersistentKeepalive = 25
EOF
printf "%s\n" \
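Review bot: With `AllowedIPs` narrowed to the WireGuard subnet and `${NAT_SUBNET}`, the peer's `DNS = ${dns}` line (defaulting to `DEFAULT_DNS="8.8.8.8"`) now names a resolver that is outside the tunnel, so peer DNS queries leave over the peer's local network while on Linux clients with resolvconf the value is still installed as the system-wide resolver. If a split tunnel is intended, default `dns` to the server's tunnel address (`${WIREGUARD_SUBNET_PREFIX}.1`) and run a resolver there, or add the resolver's address to AllowedIPs so the queries stay inside the tunnel. `${NAT_SUBNET}` is inserted verbatim, so `nat_subnet` must already be in CIDR form; its definition is not visible in this diff. The heredoc begins outside the hunk.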
diff --git a/templates/pveproxy b/templates/pveproxy
new file mode 100644
index 0000000..01a7955
--- /dev/null
+++ b/templates/pveproxy
@@ -0,0 +1 @@
+LISTEN_IP="{{ wg_subnet_prefix }}.1"
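Review bot: `LISTEN_IP` pins pveproxy to the wg0 address, which is the intended hardening, but pveproxy can only bind if that address exists when it starts; nothing in this commit orders pveproxy after wg-quick@wg0, so a reboot may leave pveproxy unable to bind (hedged — it depends on pveproxy's retry behaviour). A systemd drop-in for pveproxy with `After=wg-quick@wg0.service` and `Requires=wg-quick@wg0.service`, or `net.ipv4.ip_nonlocal_bind=1`, removes the race. The trade-off deserves a comment in the template: `# pveproxy listens only on the WireGuard address; the web UI is unreachable when wg0 is down`.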
diff --git a/templates/wg0.conf.j2 b/templates/wg0.conf.j2
index 6b0aa34..10e3bc9 100644
--- a/templates/wg0.conf.j2
+++ b/templates/wg0.conf.j2
@@ -1,12 +1,18 @@
[Interface]
PrivateKey = {{ private_key }}
-Address = {{ wireguard_subnet_prefix}}.1/24
-ListenPort = {{ wireguard_port }}
+Address = {{ wg_subnet_prefix }}.1/24
+ListenPort = {{ wg_port }}
PostUp = sysctl -w net.ipv4.ip_forward=1
-PostUp = iptables -A FORWARD -i {{ wireguard_interface }} -o %i -j ACCEPT
-PostUp = iptables -A FORWARD -i %i -j ACCEPT
-PostUp = iptables -t nat -A POSTROUTING -o {{ wireguard_interface }} -j MASQUERADE
+PostUp = iptables -A FORWARD -i wg0 -o vmbr0 -j ACCEPT
+PostUp = iptables -A FORWARD -i vmbr0 -o wg0 -j ACCEPT
+PostUp = iptables -A FORWARD -i wg0 -o vmbr1 -j ACCEPT
+PostUp = iptables -A FORWARD -i vmbr1 -o wg0 -j ACCEPT
+PostUp = iptables -t nat -A POSTROUTING -s {{ wg_subnet }} -o vmbr0 -j MASQUERADE
+PostUp = iptables -t nat -A POSTROUTING -s {{ wg_subnet }} -o vmbr1 -j MASQUERADE
PostDown = sysctl -w net.ipv4.ip_forward=0
-PostDown = iptables -D FORWARD -i {{ wireguard_interface }} -o %i -j ACCEPT
-PostDown = iptables -D FORWARD -i %i -j ACCEPT
-PostDown = iptables -t nat -D POSTROUTING -o {{ wireguard_interface }} -j MASQUERADE
+PostDown = iptables -D FORWARD -i wg0 -o vmbr0 -j ACCEPT
+PostDown = iptables -D FORWARD -i vmbr0 -o wg0 -j ACCEPT
+PostDown = iptables -D FORWARD -i wg0 -o vmbr1 -j ACCEPT
+PostDown = iptables -D FORWARD -i vmbr1 -o wg0 -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -s {{ wg_subnet }} -o vmbr0 -j MASQUERADE
+PostDown = iptables -t nat -D POSTROUTING -s {{ wg_subnet }} -o vmbr1 -j MASQUERADE
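Review bot: The new PostUp/PostDown lines hard-code `wg0`, `vmbr0` and `vmbr1`, replacing both the `%i` placeholder that wg-quick substitutes for the interface name and the `wireguard_interface` variable this commit removes from vars/main.yaml; the two FORWARD and one POSTROUTING rule per bridge are also duplicated by hand. Iterating over a bridge list keeps `%i` and lets a host with only vmbr0 drop the vmbr1 rules. The context line `PostDown = sysctl -w net.ipv4.ip_forward=0` is pre-existing, but note it switches forwarding off host-wide whenever the tunnel goes down, undoing the persistent `net.ipv4.ip_forward` that tasks/pve_configure.yaml enables for NAT'd VMs; now that the sysctl task exists, the PostUp/PostDown sysctl pair can go.
```jinja
[Interface]
{# … unchanged: PrivateKey, Address, ListenPort … #}
{# pve_bridges is a new list var, e.g. [vmbr0, vmbr1] in vars/main.yaml #}
{% for bridge in pve_bridges %}
PostUp = iptables -A FORWARD -i %i -o {{ bridge }} -j ACCEPT
PostUp = iptables -A FORWARD -i {{ bridge }} -o %i -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -s {{ wg_subnet }} -o {{ bridge }} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o {{ bridge }} -j ACCEPT
PostDown = iptables -D FORWARD -i {{ bridge }} -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s {{ wg_subnet }} -o {{ bridge }} -j MASQUERADE
{% endfor %}
```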
diff --git a/vars/main.yaml b/vars/main.yaml
index bd079ca..4212f03 100644
--- a/vars/main.yaml
+++ b/vars/main.yaml
@@ -14,7 +14,11 @@ pve_packages:
- chrony
apt_packages_to_remove:
+ - openresolv
- os-prober
+ - rdnssd
+ - resolvconf
+ - systemd-resolved
wireguard_packages:
- wireguard
@@ -23,10 +27,7 @@ wireguard_packages:
- iproute2
fail2ban_jail_dir: /etc/fail2ban/jail.d
-wireguard_server_home: /etc/wireguard
-wireguard_peers_home: "{{ wireguard_server_home }}/peers.d"
-wireguard_ip_file: "{{ wireguard_server_home }}/ips.txt"
-wireguard_subnet: "{{ wg_subnet }}"
-wireguard_subnet_prefix: "{{ wg_subnet.split('.')[0:3] | join('.') }}"
-wireguard_port: "{{ wg_port }}"
-wireguard_interface: "{{ ansible_default_ipv4.interface }}"
+wg_server_home: /etc/wireguard
+wg_peers_home: "{{ wg_server_home }}/peers.d"
+wg_ip_file: "{{ wg_server_home }}/ips.txt"
+wg_subnet_prefix: "{{ wg_subnet.split('.')[0:3] | join('.') }}"
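Review bot: `wg_subnet_prefix` is still derived by slicing the first three dotted octets of `wg_subnet`, and the renamed consumers now bake in `/24` (`Address = {{ wg_subnet_prefix }}.1/24` in wg0.conf.j2, `${WIREGUARD_SUBNET_PREFIX}.0/24` in manage_wg_peers.sh.j2), so any `wg_subnet` that is not a /24 on a `.0` boundary silently yields wrong addresses and a mismatched AllowedIPs. Either assert the assumption in tasks/preflight.yaml with `that: 'wg_subnet is match("^\d+\.\d+\.\d+\.0/24$")'` and `fail_msg: "wg_subnet must be a /24 on a .0 boundary"`, or derive the prefix from the network address rather than by string slicing. `wg_subnet` and `wg_port` are referenced here but defined outside this hunk.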