Add support for WireGuard Easy

2023-04-29 09:30:26 +03:00 · 2023-04-29 09:30:26 +03:00 · 29f1a4a44a
commit 29f1a4a44a
parent 772f29b418
6 changed files with 142 additions and 3 deletions
--- a/docs/services/firezone.md
+++ b/docs/services/firezone.md
@ -1,6 +1,8 @@
 # Firezone

-[Firezone](https://www.firezone.dev/) is a self-hosted VPN server (based on [WireGuard](https://en.wikipedia.org/wiki/WireGuard)) with Web UI that this playbook can install, powered by the [mother-of-all-self-hosting/ansible-role-firezone](https://github.com/mother-of-all-self-hosting/ansible-role-firezone) Ansible role.
+[Firezone](https://www.firezone.dev/) is a self-hosted VPN server (based on [WireGuard](https://www.wireguard.com/)) with Web UI that this playbook can install, powered by the [mother-of-all-self-hosting/ansible-role-firezone](https://github.com/mother-of-all-self-hosting/ansible-role-firezone) Ansible role.
+
+A more-lightweigth alternative for a self-hosted WireGuard VPN server which is more compatible with various ARM devices is [WireGuard Easy](wg-easy.md).

 ## Configuration

@ -38,7 +40,7 @@ After installation, you can use `just run-tags firezone-create-or-reset-admin` a

 By default, the following ports will be exposed by the container on **all network interfaces**:

- `51820` over **UDP**, controlled by `firezone_wireguard_bind_port` - used for [Wireguard](https://en.wikipedia.org/wiki/WireGuard) connections
+- `51820` over **UDP**, controlled by `firezone_wireguard_bind_port` - used for [Wireguard](https://www.wireguard.com/) connections

 Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it.

--- a/docs/services/wg-easy.md
+++ b/docs/services/wg-easy.md
@ -0,0 +1,96 @@
+# WireGuard Easy
+
+[WireGuard Easy](https://github.com/WeeJeWel/wg-easy) is the easiest way to run [WireGuard](https://www.wireguard.com/) VPN + Web-based Admin UI.
+
+Another more powerful alternative for a self-hosted WireGuard VPN server is [Firezone](firezone.md). WireGuard Easy is easier, lighter and more compatible with various ARM devices.
+
+
+## Dependencies
+
+This service requires the following other services:
+
+- a [Traefik](traefik.md) reverse-proxy server
+- a modern Linux kernel which supports WireGuard
+
+
+## Configuration
+
+To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
+
+```yaml
+########################################################################
+#                                                                      #
+# wg-easy                                                              #
+#                                                                      #
+########################################################################
+
+wg_easy_enabled: true
+
+wg_easy_hostname: mash.example.com
+
+wg_easy_path_prefix: /wg-easy
+
+wg_easy_environment_variables_additional_variable_wg_host: mash.example.com
+
+# Put a strong password below, generated with `pwgen -s 64 1` or in another way
+wg_easy_environment_variables_additional_variable_password: ''
+
+# The default WireGuard port is 51820.
+# Uncomment and change the lines below to use another one.
+#
+# The port that wg-easy advertises for WireGuard connectivity in profile files.
+# wg_easy_environment_variables_additional_variable_wg_port: 51820
+#
+# The port that is actually published from the container.
+# wg_easy_container_wireguard_bind_port: 51820
+
+# The default DNS is 1.1.1.1.
+# Uncomment and change the line below to use another one.
+# wg_easy_environment_variables_additional_variable_wg_default_dns: 1.1.1.1
+
+########################################################################
+#                                                                      #
+# /wg-easy                                                             #
+#                                                                      #
+########################################################################
+```
+
+### URL
+
+In the example configuration above, we configure the service to be hosted at `https://mash.example.com/wg-easy`.
+
+You can remove the `wg_easy_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`.
+
+
+### Networking
+
+**In addition** to ports `80` and `443` exposed by the [Traefik](traefik.md) reverse-proxy, the following ports will be exposed by the WireGuard containers on **all network interfaces**:
+
+- `51820` over **UDP**, controlled by `wg_easy_environment_variables_additional_variable_wg_port` and `wg_easy_container_wireguard_bind_port` - used for [Wireguard](https://www.wireguard.com/) connections
+
+Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it.
+
+### Additional configuration
+
+For additional configuration options, see the upstream documentation's [Options](https://github.com/WeeJeWel/wg-easy#options) section.
+
+You can inject additional environment variables with this additional configuration:
+
+```yaml
+wg_easy_environment_variables_additional_variables: |
+  WG_DEFAULT_ADDRESS: 10.6.0.x
+  WG_MTU: 1420
+```
+
+## Usage
+
+After installation, you can go to the WireGuard Easy URL, as defined in `wg_easy_hostname` and `wg_easy_path_prefix`.
+
+You can authenticate with the password set in `wg_easy_environment_variables_additional_variable_password`.
+
+You can then create various Clients and import the configuration for them onto your devices - either by downloading a file or by scanning a QR code.
+
+
+## Recommended other services
+
+- [AdGuard Home](adguard-home.md) - A network-wide DNS software for blocking ads & tracking
--- a/docs/supported-services.md
+++ b/docs/supported-services.md
@ -12,7 +12,7 @@
 | [Docker Registry Browser](https://github.com/klausmeyer/docker-registry-browser) | Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails | [Link](services/docker-registry-browser.md) |
 | [Docker Registry Purger](https://github.com/devture/docker-registry-purger) | A small tool used for purging a private Docker Registry's old tags | [Link](services/docker-registry-purger.md) |
 | [Focalboard](https://www.focalboard.com/) | An open source, self-hosted alternative to [Trello](https://trello.com/), [Notion](https://www.notion.so/), and [Asana](https://asana.com/). | [Link](services/focalboard.md) |
-| [Firezone](https://www.firezone.dev/) | A self-hosted VPN server (based on [WireGuard](https://en.wikipedia.org/wiki/WireGuard)) with a Web UI | [Link](services/firezone.md) |
+| [Firezone](https://www.firezone.dev/) | A self-hosted VPN server (based on [WireGuard](https://www.wireguard.com/)) with a Web UI | [Link](services/firezone.md) |
 | [Funkwhale](https://funkwhale.audio/) | Listen and share music with a selfhosted streaming server.| [Link](services/funkwhale.md) |
 | [Gitea](https://gitea.io/) | A painless self-hosted [Git](https://git-scm.com/) service. | [Link](services/gitea.md) |
 | [GoToSocial](https://gotosocial.org/) | A self-hosted [ActivityPub](https://activitypub.rocks/) social network server | [Link](services/gotosocial.md) |
@ -43,6 +43,7 @@
 | [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](services/traefik.md) |
 | [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](services/vaultwarden.md) |
 | [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](services/uptime-kuma.md) |
+| [WireGuard Easy](https://github.com/WeeJeWel/wg-easy) | The easiest way to run [WireGuard](https://www.wireguard.com/) VPN + Web-based Admin UI. | [Link](services/wg-easy.md) |
 | [Woodpecker CI](https://woodpecker-ci.org/) | A simple Continuous Integration (CI) engine with great extensibility. | [Link](services/woodpecker-ci.md) |
 | System-related | A collection of various system-related components | [Link](services/system.md) |

--- a/group_vars/mash_servers
+++ b/group_vars/mash_servers
@ -178,6 +178,8 @@ devture_systemd_service_manager_services_list_auto: |
    ([{'name': (vaultwarden_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'vaultwarden', 'vaultwarden-server']}] if vaultwarden_enabled else [])
    +
    ([{'name': (uptime_kuma_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'uptime-kuma']}] if uptime_kuma_enabled else [])
+    +
+    ([{'name': (wg_easy_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'wg-easy']}] if wg_easy_enabled else [])
  }}

 ########################################################################
@ -2113,6 +2115,39 @@ uptime_kuma_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certR



+########################################################################
+#                                                                      #
+# wg-easy                                                              #
+#                                                                      #
+########################################################################
+
+wg_easy_enabled: false
+
+wg_easy_identifier: "{{ mash_playbook_service_identifier_prefix }}wg-easy"
+
+wg_easy_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}wg-easy"
+
+wg_easy_uid: "{{ mash_playbook_uid }}"
+wg_easy_gid: "{{ mash_playbook_gid }}"
+
+wg_easy_container_additional_networks_auto: |
+  {{
+    ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+  }}
+
+wg_easy_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
+wg_easy_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
+wg_easy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+wg_easy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+########################################################################
+#                                                                      #
+# /wg-easy                                                             #
+#                                                                      #
+########################################################################
+
+
+
 ########################################################################
 #                                                                      #
 # woodpecker-ci-server                                                 #
--- a/requirements.yml
+++ b/requirements.yml
@ -137,3 +137,6 @@
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
  version: v1.28.1-0
  name: vaultwarden
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-wg-easy.git
+  version: v7-0
+  name: wg_easy
--- a/setup.yml
+++ b/setup.yml
@ -122,6 +122,8 @@

    - role: galaxy/uptime_kuma

+    - role: galaxy/wg_easy
+
    - role: galaxy/com.devture.ansible.role.woodpecker_ci_server
    - role: galaxy/com.devture.ansible.role.woodpecker_ci_agent