Add support for WireGuard Easy
This commit is contained in:
parent
772f29b418
commit
29f1a4a44a
6 changed files with 142 additions and 3 deletions
|
@ -1,6 +1,8 @@
|
||||||
# Firezone
|
# Firezone
|
||||||
|
|
||||||
[Firezone](https://www.firezone.dev/) is a self-hosted VPN server (based on [WireGuard](https://en.wikipedia.org/wiki/WireGuard)) with Web UI that this playbook can install, powered by the [mother-of-all-self-hosting/ansible-role-firezone](https://github.com/mother-of-all-self-hosting/ansible-role-firezone) Ansible role.
|
[Firezone](https://www.firezone.dev/) is a self-hosted VPN server (based on [WireGuard](https://www.wireguard.com/)) with Web UI that this playbook can install, powered by the [mother-of-all-self-hosting/ansible-role-firezone](https://github.com/mother-of-all-self-hosting/ansible-role-firezone) Ansible role.
|
||||||
|
|
||||||
|
A more-lightweigth alternative for a self-hosted WireGuard VPN server which is more compatible with various ARM devices is [WireGuard Easy](wg-easy.md).
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
|
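Review bot: typo in the added cross-reference line `A more-lightweigth alternative for a self-hosted WireGuard VPN server ...`: `lightweigth` should be `lightweight`, and the hyphen after `more` is not needed (`A more lightweight alternative`). The sentence otherwise mirrors the reverse pointer in the new wg-easy.md (`Another more powerful alternative ... is Firezone`), so only the spelling needs fixing.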
@ -38,7 +40,7 @@ After installation, you can use `just run-tags firezone-create-or-reset-admin` a
|
||||||
|
|
||||||
By default, the following ports will be exposed by the container on **all network interfaces**:
|
By default, the following ports will be exposed by the container on **all network interfaces**:
|
||||||
|
|
||||||
- `51820` over **UDP**, controlled by `firezone_wireguard_bind_port` - used for [Wireguard](https://en.wikipedia.org/wiki/WireGuard) connections
|
- `51820` over **UDP**, controlled by `firezone_wireguard_bind_port` - used for [Wireguard](https://www.wireguard.com/) connections
|
||||||
|
|
||||||
Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it.
|
Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it.
|
||||||
|
|
||||||
|
|
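Review bot: with WireGuard Easy now selectable alongside Firezone, the Networking section updated here still states only that Firezone listens on `51820` over UDP on all interfaces (`firezone_wireguard_bind_port`), while the new wg-easy.md publishes the same `51820`/UDP by default (`wg_easy_container_wireguard_bind_port`). Enabling both on one host will collide on that port; add a sentence here (and in wg-easy.md) telling users to change one of the two bind ports if they run both.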
96
docs/services/wg-easy.md
Normal file
96
docs/services/wg-easy.md
Normal file
|
@ -0,0 +1,96 @@
|
||||||
|
# WireGuard Easy
|
||||||
|
|
||||||
|
[WireGuard Easy](https://github.com/WeeJeWel/wg-easy) is the easiest way to run [WireGuard](https://www.wireguard.com/) VPN + Web-based Admin UI.
|
||||||
|
|
||||||
|
Another more powerful alternative for a self-hosted WireGuard VPN server is [Firezone](firezone.md). WireGuard Easy is easier, lighter and more compatible with various ARM devices.
|
||||||
|
|
||||||
|
|
||||||
|
## Dependencies
|
||||||
|
|
||||||
|
This service requires the following other services:
|
||||||
|
|
||||||
|
- a [Traefik](traefik.md) reverse-proxy server
|
||||||
|
- a modern Linux kernel which supports WireGuard
|
||||||
|
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# wg-easy #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
wg_easy_enabled: true
|
||||||
|
|
||||||
|
wg_easy_hostname: mash.example.com
|
||||||
|
|
||||||
|
wg_easy_path_prefix: /wg-easy
|
||||||
|
|
||||||
|
wg_easy_environment_variables_additional_variable_wg_host: mash.example.com
|
||||||
|
|
||||||
|
# Put a strong password below, generated with `pwgen -s 64 1` or in another way
|
||||||
|
wg_easy_environment_variables_additional_variable_password: ''
|
||||||
|
|
||||||
|
# The default WireGuard port is 51820.
|
||||||
|
# Uncomment and change the lines below to use another one.
|
||||||
|
#
|
||||||
|
# The port that wg-easy advertises for WireGuard connectivity in profile files.
|
||||||
|
# wg_easy_environment_variables_additional_variable_wg_port: 51820
|
||||||
|
#
|
||||||
|
# The port that is actually published from the container.
|
||||||
|
# wg_easy_container_wireguard_bind_port: 51820
|
||||||
|
|
||||||
|
# The default DNS is 1.1.1.1.
|
||||||
|
# Uncomment and change the line below to use another one.
|
||||||
|
# wg_easy_environment_variables_additional_variable_wg_default_dns: 1.1.1.1
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /wg-easy #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
```
|
||||||
|
|
||||||
|
### URL
|
||||||
|
|
||||||
|
In the example configuration above, we configure the service to be hosted at `https://mash.example.com/wg-easy`.
|
||||||
|
|
||||||
|
You can remove the `wg_easy_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`.
|
||||||
|
|
||||||
|
|
||||||
|
### Networking
|
||||||
|
|
||||||
|
**In addition** to ports `80` and `443` exposed by the [Traefik](traefik.md) reverse-proxy, the following ports will be exposed by the WireGuard containers on **all network interfaces**:
|
||||||
|
|
||||||
|
- `51820` over **UDP**, controlled by `wg_easy_environment_variables_additional_variable_wg_port` and `wg_easy_container_wireguard_bind_port` - used for [Wireguard](https://www.wireguard.com/) connections
|
||||||
|
|
||||||
|
Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it.
|
||||||
|
|
||||||
|
### Additional configuration
|
||||||
|
|
||||||
|
For additional configuration options, see the upstream documentation's [Options](https://github.com/WeeJeWel/wg-easy#options) section.
|
||||||
|
|
||||||
|
You can inject additional environment variables with this additional configuration:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
wg_easy_environment_variables_additional_variables: |
|
||||||
|
WG_DEFAULT_ADDRESS: 10.6.0.x
|
||||||
|
WG_MTU: 1420
|
||||||
|
```
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
After installation, you can go to the WireGuard Easy URL, as defined in `wg_easy_hostname` and `wg_easy_path_prefix`.
|
||||||
|
|
||||||
|
You can authenticate with the password set in `wg_easy_environment_variables_additional_variable_password`.
|
||||||
|
|
||||||
|
You can then create various Clients and import the configuration for them onto your devices - either by downloading a file or by scanning a QR code.
|
||||||
|
|
||||||
|
|
||||||
|
## Recommended other services
|
||||||
|
|
||||||
|
- [AdGuard Home](adguard-home.md) - A network-wide DNS software for blocking ads & tracking
|
|
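Review bot: the example configuration ships `wg_easy_environment_variables_additional_variable_password: ''`, and the Usage section says the Web UI is authenticated with that password, but nothing on the page says what happens when it is left empty, even though this UI hands out VPN client configurations (file or QR code) on a public Traefik hostname. State that the value is required, and ideally have the role refuse to run when it is empty, rather than relying on the `pwgen -s 64 1` comment alone. Two smaller points in the same file: the Networking line says the port is exposed by `the WireGuard containers` (this page describes one container), and since the comments say `wg_easy_container_wireguard_bind_port` is what is actually published while `..._wg_port` is what is advertised in profile files, a reader who changes only the first will get client profiles pointing at a closed port; say explicitly that the two must be kept equal.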
@ -12,7 +12,7 @@
|
||||||
| [Docker Registry Browser](https://github.com/klausmeyer/docker-registry-browser) | Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails | [Link](services/docker-registry-browser.md) |
|
| [Docker Registry Browser](https://github.com/klausmeyer/docker-registry-browser) | Web Interface for the Docker Registry HTTP API V2 written in Ruby on Rails | [Link](services/docker-registry-browser.md) |
|
||||||
| [Docker Registry Purger](https://github.com/devture/docker-registry-purger) | A small tool used for purging a private Docker Registry's old tags | [Link](services/docker-registry-purger.md) |
|
| [Docker Registry Purger](https://github.com/devture/docker-registry-purger) | A small tool used for purging a private Docker Registry's old tags | [Link](services/docker-registry-purger.md) |
|
||||||
| [Focalboard](https://www.focalboard.com/) | An open source, self-hosted alternative to [Trello](https://trello.com/), [Notion](https://www.notion.so/), and [Asana](https://asana.com/). | [Link](services/focalboard.md) |
|
| [Focalboard](https://www.focalboard.com/) | An open source, self-hosted alternative to [Trello](https://trello.com/), [Notion](https://www.notion.so/), and [Asana](https://asana.com/). | [Link](services/focalboard.md) |
|
||||||
| [Firezone](https://www.firezone.dev/) | A self-hosted VPN server (based on [WireGuard](https://en.wikipedia.org/wiki/WireGuard)) with a Web UI | [Link](services/firezone.md) |
|
| [Firezone](https://www.firezone.dev/) | A self-hosted VPN server (based on [WireGuard](https://www.wireguard.com/)) with a Web UI | [Link](services/firezone.md) |
|
||||||
| [Funkwhale](https://funkwhale.audio/) | Listen and share music with a selfhosted streaming server.| [Link](services/funkwhale.md) |
|
| [Funkwhale](https://funkwhale.audio/) | Listen and share music with a selfhosted streaming server.| [Link](services/funkwhale.md) |
|
||||||
| [Gitea](https://gitea.io/) | A painless self-hosted [Git](https://git-scm.com/) service. | [Link](services/gitea.md) |
|
| [Gitea](https://gitea.io/) | A painless self-hosted [Git](https://git-scm.com/) service. | [Link](services/gitea.md) |
|
||||||
| [GoToSocial](https://gotosocial.org/) | A self-hosted [ActivityPub](https://activitypub.rocks/) social network server | [Link](services/gotosocial.md) |
|
| [GoToSocial](https://gotosocial.org/) | A self-hosted [ActivityPub](https://activitypub.rocks/) social network server | [Link](services/gotosocial.md) |
|
||||||
|
@ -43,6 +43,7 @@
|
||||||
| [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](services/traefik.md) |
|
| [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](services/traefik.md) |
|
||||||
| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](services/vaultwarden.md) |
|
| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](services/vaultwarden.md) |
|
||||||
| [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](services/uptime-kuma.md) |
|
| [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](services/uptime-kuma.md) |
|
||||||
|
| [WireGuard Easy](https://github.com/WeeJeWel/wg-easy) | The easiest way to run [WireGuard](https://www.wireguard.com/) VPN + Web-based Admin UI. | [Link](services/wg-easy.md) |
|
||||||
| [Woodpecker CI](https://woodpecker-ci.org/) | A simple Continuous Integration (CI) engine with great extensibility. | [Link](services/woodpecker-ci.md) |
|
| [Woodpecker CI](https://woodpecker-ci.org/) | A simple Continuous Integration (CI) engine with great extensibility. | [Link](services/woodpecker-ci.md) |
|
||||||
| System-related | A collection of various system-related components | [Link](services/system.md) |
|
| System-related | A collection of various system-related components | [Link](services/system.md) |
|
||||||
|
|
||||||
|
|
|
@ -178,6 +178,8 @@ devture_systemd_service_manager_services_list_auto: |
|
||||||
([{'name': (vaultwarden_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'vaultwarden', 'vaultwarden-server']}] if vaultwarden_enabled else [])
|
([{'name': (vaultwarden_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'vaultwarden', 'vaultwarden-server']}] if vaultwarden_enabled else [])
|
||||||
+
|
+
|
||||||
([{'name': (uptime_kuma_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'uptime-kuma']}] if uptime_kuma_enabled else [])
|
([{'name': (uptime_kuma_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'uptime-kuma']}] if uptime_kuma_enabled else [])
|
||||||
|
+
|
||||||
|
([{'name': (wg_easy_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'wg-easy']}] if wg_easy_enabled else [])
|
||||||
}}
|
}}
|
||||||
|
|
||||||
########################################################################
|
########################################################################
|
||||||
|
@ -2113,6 +2115,39 @@ uptime_kuma_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certR
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# wg-easy #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
wg_easy_enabled: false
|
||||||
|
|
||||||
|
wg_easy_identifier: "{{ mash_playbook_service_identifier_prefix }}wg-easy"
|
||||||
|
|
||||||
|
wg_easy_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}wg-easy"
|
||||||
|
|
||||||
|
wg_easy_uid: "{{ mash_playbook_uid }}"
|
||||||
|
wg_easy_gid: "{{ mash_playbook_gid }}"
|
||||||
|
|
||||||
|
wg_easy_container_additional_networks_auto: |
|
||||||
|
{{
|
||||||
|
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
|
||||||
|
}}
|
||||||
|
|
||||||
|
wg_easy_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
|
||||||
|
wg_easy_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
|
||||||
|
wg_easy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
|
||||||
|
wg_easy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
|
||||||
|
|
||||||
|
########################################################################
|
||||||
|
# #
|
||||||
|
# /wg-easy #
|
||||||
|
# #
|
||||||
|
########################################################################
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
########################################################################
|
########################################################################
|
||||||
# #
|
# #
|
||||||
# woodpecker-ci-server #
|
# woodpecker-ci-server #
|
||||||
|
|
|
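Review bot: `wg_easy_environment_variables_additional_variable_wg_host` gets no default in this block even though docs/services/wg-easy.md sets it to the same value as `wg_easy_hostname` (`mash.example.com` in both); defaulting it to `"{{ wg_easy_hostname }}"` here would drop one required variable from the user-facing config. Likewise nothing here ties `wg_easy_container_wireguard_bind_port` to `wg_easy_environment_variables_additional_variable_wg_port`, so the docs have to ask users to keep two numbers in sync by hand; deriving the advertised port from the bind port (or the reverse) in this block would remove that footgun.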
@ -137,3 +137,6 @@
|
||||||
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
|
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
|
||||||
version: v1.28.1-0
|
version: v1.28.1-0
|
||||||
name: vaultwarden
|
name: vaultwarden
|
||||||
|
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-wg-easy.git
|
||||||
|
version: v7-0
|
||||||
|
name: wg_easy
|
||||||
|
|
|
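Review bot: the new entry follows the existing `git+https` plus tag pattern (`version: v7-0`, `name: wg_easy`), which is consistent with `vaultwarden` just above it. Note that `v7-0` is a tag rather than a commit id, and a tag can be moved by the upstream repository; that is the same trade-off the other roles in this file already accept, so fine to keep, but worth remembering when auditing what actually gets installed.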
@ -122,6 +122,8 @@
|
||||||
|
|
||||||
- role: galaxy/uptime_kuma
|
- role: galaxy/uptime_kuma
|
||||||
|
|
||||||
|
- role: galaxy/wg_easy
|
||||||
|
|
||||||
- role: galaxy/com.devture.ansible.role.woodpecker_ci_server
|
- role: galaxy/com.devture.ansible.role.woodpecker_ci_server
|
||||||
- role: galaxy/com.devture.ansible.role.woodpecker_ci_agent
|
- role: galaxy/com.devture.ansible.role.woodpecker_ci_agent
|
||||||
|
|
||||||
|
|