Merge pull request #16 from moan0s/firezone

feat: Add firezone VPN
Slavi Pantaleev 2023-03-24 12:05:36 +02:00 committed by GitHub
commit a324c1a447
4 changed files with 110 additions and 0 deletions

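--- a/docs/services/firezone.md
+++ b/docs/services/firezone.md
@@ -0,0 +1,49 @@
+# Firezone
+[Firezone](https://www.firezone.dev/) is a self-hosted VPN server (based on [WireGuard](https://en.wikipedia.org/wiki/WireGuard)) with Web UI that this playbook can install, powered by the [moan0s/role-firezone](https://github.com/moan0s/role-firezone) Ansible role.
+## Configuration
+To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
+```yaml
+########################################################################
+# #
+# firezone #
+# #
+########################################################################
+firezone_enabled: true
+firezone_hostname: vpn.example.org
+firezone_default_admin_email: "user@invalid.org"
+firezone_default_admin_password: "<securepassword>"
+# Generate this with `openssl rand -base64 32`
+firezone_database_encryption_key: "<secret>"
+########################################################################
+# #
+# /firezone #
+# #
+########################################################################
+```
+After installation, you can use `just run-tags firezone-create-or-reset-admin` any time to:
+- create the configured admin account
+- or, reset the password to the current password configured in `vars.yml`
+### Networking
+By default, the following ports will be exposed by the container on **all network interfaces**:
+- `51820` over **UDP**, controlled by `firezone_wireguard_bind_port` - used for [Wireguard](https://en.wikipedia.org/wiki/WireGuard) connections
+Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it.
+### Usage
+After [installing](../installing.md), you can login at the URL specified in `firezone_hostname`, with the credentials set in `firezone_default_admin_email` and `firezone_default_admin_password`.
+Refer to the [official documentation](https://www.firezone.dev/docs/user-guides/add-devices/) to figure out how to add devices, etc.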


@ -118,6 +118,8 @@ devture_systemd_service_manager_services_list_auto: |
([{'name': (uptime_kuma_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'uptime-kuma']}] if uptime_kuma_enabled else [])
+
([{'name': (hubsite_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'hubsite']}] if hubsite_enabled else [])
+
([{'name': (firezone_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'firezone']}] if firezone_enabled else [])
}}
########################################################################
@ -196,6 +198,12 @@ devture_postgres_managed_databases_auto: |
'password': peertube_config_database_password,
}] if peertube_enabled else [])
+
([{
'name': firezone_database_name,
'username': firezone_database_user,
'password': firezone_database_password,
}] if firezone_enabled else [])
+
([{
'name': vaultwarden_database_name,
'username': vaultwarden_database_username,
@ -1293,3 +1301,50 @@ hubsite_service_list_auto: |
# /hubsite #
# #
########################################################################
########################################################################
# #
# firezone #
# #
########################################################################
firezone_enabled: false
firezone_identifier: "{{ mash_playbook_service_identifier_prefix }}firezone"
firezone_base_path: "{{ mash_playbook_base_path }}/firezone"
firezone_uid: "{{ mash_playbook_uid }}"
firezone_gid: "{{ mash_playbook_gid }}"
firezone_generic_secret: "{{ mash_playbook_generic_secret_key }}"
firezone_database_host: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
firezone_database_port: "{{ '5432' if devture_postgres_enabled else '' }}"
firezone_database_name: "{{ firezone_identifier }}"
firezone_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'fz.db.user', rounds=655555) | to_uuid }}"
firezone_database_user: "{{ firezone_identifier }}"
firezone_systemd_required_services_list: |
{{
(['docker.service'])
+
([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and firezone_database_host == devture_postgres_identifier else [])
}}
firezone_container_additional_networks: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+
([devture_postgres_container_network] if devture_postgres_enabled and firezone_database_host == devture_postgres_identifier and firezone_container_network != devture_postgres_container_network else [])
}}
firezone_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
firezone_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
firezone_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
firezone_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
########################################################################
# #
# /firezone #
# #
########################################################################
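Review bot: `firezone_generic_secret: "{{ mash_playbook_generic_secret_key }}"` hands the playbook-wide master secret to the Firezone role verbatim, whereas `firezone_database_password` a few lines below is derived from that key with `password_hash(...) | to_uuid` so that no single service ever sees the raw value. Whatever the role does with this variable (presumably it lands in the container's environment or config under `firezone_base_path`), anyone able to read Firezone's configuration would then hold the key from which every other service's derived credentials in this file are computed. Derive a per-service value the same way the DB password is, e.g. `firezone_generic_secret: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'fz.generic', rounds=655555) | to_uuid }}"`, or add a comment explaining why the raw key is required here. The role's requirements for this variable's length or format are not visible in this diff, so confirm a derived value satisfies them before switching.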


@ -126,3 +126,7 @@
- src: git+https://github.com/moan0s/hubsite.git
name: hubsite
version: da6fed398a9dd0761db941cb903b53277c341cc6
- src: git+https://github.com/moan0s/role-firezone.git
name: firezone
version: 9916b11161b3cdf3485c6b3c475573fc90cd1823


@ -60,6 +60,8 @@
- role: galaxy/docker_registry_browser
- role: galaxy/docker_registry_purger
- role: galaxy/firezone
- role: galaxy/focalboard
- role: galaxy/gitea