From 8fe3eb25ab95db20e180adda2dfdcde9a94794c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Fri, 24 Mar 2023 09:58:39 +0100 Subject: [PATCH 1/5] feat: Add firezone VPN --- docs/services/firezone.md | 23 ++++++++++++++++ group_vars/mash_servers | 55 +++++++++++++++++++++++++++++++++++++++ requirements.yml | 4 +++ setup.yml | 2 ++ 4 files changed, 84 insertions(+) create mode 100644 docs/services/firezone.md diff --git a/docs/services/firezone.md b/docs/services/firezone.md new file mode 100644 index 0000000..6836003 --- /dev/null +++ b/docs/services/firezone.md @@ -0,0 +1,23 @@ +# Firezone + +[Firezone](https://www.firezone.dev/) is a self-hosted VPN server with Web UI. + +To enable Firezone add the following to your `vars.yml`: + +```yaml +############## +## FIREZONE ## +############## + +firezone_enabled: true +firezone_hostname: example.org + +firezone_default_admin_email: "user@invalid.org" +firezone_default_admin_password: "" + +# Generate this with `openssl rand -base64 32` +firezone_database_encryption_key: "" +``` + +Use `ansible-playbook -i inventory/hosts setup.yml --tags=firezone-create-or-reset-admin` to create the configured +admin account or reset the password to the password set in `vars.yml`. diff --git a/group_vars/mash_servers b/group_vars/mash_servers index 128a804..274c614 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -116,6 +116,8 @@ devture_systemd_service_manager_services_list_auto: | ([{'name': (uptime_kuma_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'uptime-kuma']}] if uptime_kuma_enabled else []) + ([{'name': (hubsite_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'hubsite']}] if hubsite_enabled else []) + + + ([{'name': (firezone_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'firezone']}] if firezone_enabled else []) }} ######################################################################## 
@@ -194,6 +196,12 @@ devture_postgres_managed_databases_auto: | 'password': peertube_config_database_password, }] if peertube_enabled else []) + + ([{ + 'name': firezone_database_name, + 'username': firezone_database_user, + 'password': firezone_database_password, + }] if firezone_enabled else []) + + ([{ 'name': vaultwarden_database_name, 'username': vaultwarden_database_username, 
@@ -1256,3 +1264,50 @@ hubsite_service_list_auto: | # /hubsite # # # ######################################################################## + +######################################################################## +# # +# firezone # +# # +######################################################################## + +firezone_enabled: false + +firezone_identifier: "{{ mash_playbook_service_identifier_prefix }}firezone" + +firezone_base_path: "{{ mash_playbook_base_path }}/firezone" + +firezone_uid: "{{ mash_playbook_uid }}" +firezone_gid: "{{ mash_playbook_gid }}" +firezone_generic_secret: "{{ mash_playbook_generic_secret_key }}" + +firezone_database_host: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +firezone_database_port: "{{ '5432' if devture_postgres_enabled else '' }}" +firezone_database_name: "{{ firezone_identifier }}" +firezone_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'fz.db.user', rounds=655555) | to_uuid }}" +firezone_database_user: "{{ firezone_identifier }}" + +firezone_systemd_required_services_list: | + {{ + (['docker.service']) + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and firezone_database_host == devture_postgres_identifier else []) + }} + +firezone_container_additional_networks: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and firezone_database_host == devture_postgres_identifier and firezone_container_network != devture_postgres_container_network else []) + }} + +firezone_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +firezone_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" +firezone_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" 
+firezone_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" + +######################################################################## +# # +# /firezone # +# # +######################################################################## diff --git a/requirements.yml b/requirements.yml index fc49968..ae21056 100644 --- a/requirements.yml +++ b/requirements.yml @@ -122,3 +122,7 @@ - src: git+https://github.com/moan0s/hubsite.git name: hubsite version: da6fed398a9dd0761db941cb903b53277c341cc6 + +- src: git+https://github.com/moan0s/role-firezone.git + name: firezone + version: 9916b11161b3cdf3485c6b3c475573fc90cd1823 diff --git a/setup.yml b/setup.yml index 8655ae9..8d241a3 100644 --- a/setup.yml +++ b/setup.yml @@ -60,6 +60,8 @@ - role: galaxy/docker_registry_browser - role: galaxy/docker_registry_purger + - role: galaxy/firezone + - role: galaxy/focalboard - role: galaxy/gitea From bb7bebeda8b02b6e266ff226481250e69ebb3712 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Fri, 24 Mar 2023 10:05:11 +0100 Subject: [PATCH 2/5] docs: Link the firezone role --- docs/services/firezone.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/services/firezone.md b/docs/services/firezone.md index 6836003..470ae90 100644 --- a/docs/services/firezone.md +++ b/docs/services/firezone.md @@ -1,6 +1,6 @@ # Firezone -[Firezone](https://www.firezone.dev/) is a self-hosted VPN server with Web UI. +[Firezone](https://www.firezone.dev/) is a self-hosted VPN server with Web UI that this playbook can install using the ansible role [moan0s/role-firezone](https://github.com/moan0s/role-firezone). To enable Firezone add the following to your `vars.yml`: From 5bc947858cdc5adc9f151a273204619b62a5f420 Mon Sep 17 00:00:00 2001 
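Review bot: `firezone_generic_secret` passes the raw playbook-wide `mash_playbook_generic_secret_key` straight to the role, whereas `firezone_database_password` a few lines below is derived from that key with `password_hash(...) | to_uuid`, so a leak of the service's own credential does not expose the shared key. If the role writes this value into the container's environment or config as an application secret (this page does not show how the role consumes it), the same per-service derivation is worth applying, e.g. `firezone_generic_secret: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'fz.generic', rounds=655555) | to_uuid }}"`. Note that `to_uuid` yields a 36-character string, so if the role enforces a minimum secret length for this value, use the hash output without `to_uuid` instead and verify against the role. `firezone_container_network` is referenced in `firezone_container_additional_networks` but is not defined in this hunk; presumably it is a role default, which a comment such as `# firezone_container_network is provided by the role` would make explicit.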
From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Fri, 24 Mar 2023 10:34:25 +0100 Subject: [PATCH 3/5] docs: Prefer just command --- docs/services/firezone.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/services/firezone.md b/docs/services/firezone.md index 470ae90..df231e8 100644 --- a/docs/services/firezone.md +++ b/docs/services/firezone.md @@ -19,5 +19,5 @@ firezone_default_admin_password: "" firezone_database_encryption_key: "" ``` -Use `ansible-playbook -i inventory/hosts setup.yml --tags=firezone-create-or-reset-admin` to create the configured +Use `just run-tags firezone-create-or-reset-admin` to create the configured admin account or reset the password to the password set in `vars.yml`. From 90b146b7d1987c0bf3d8bbb4f5d39ff2e007fa75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Fri, 24 Mar 2023 10:51:48 +0100 Subject: [PATCH 4/5] docs: Add networking and usage section --- docs/services/firezone.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/services/firezone.md b/docs/services/firezone.md index df231e8..3b3e574 100644 --- a/docs/services/firezone.md +++ b/docs/services/firezone.md @@ -10,7 +10,7 @@ To enable Firezone add the following to your `vars.yml`: ############## firezone_enabled: true -firezone_hostname: example.org +firezone_hostname: vpn.example.org firezone_default_admin_email: "user@invalid.org" firezone_default_admin_password: "" 
@@ -21,3 +21,16 @@ firezone_database_encryption_key: "" Use `just run-tags firezone-create-or-reset-admin` to create the configured admin account or reset the password to the password set in `vars.yml`. + +### Networking + +By default, the following ports will be exposed by the container on **all network interfaces**: + +- `51820` over **UDP**, controlled by `firezone_wireguard_bind_port` - used for your wireguard connections + +Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it. + +### Usage + +After you started the service you can login at vpn.example.org with the credentials set in `firezone_default_admin_email/password`. +After that refer to the [official documentation](https://www.firezone.dev/docs/user-guides/add-devices/) to add devices and more. From b0c0a315274053ad959de71a13df8a7836c1635f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 24 Mar 2023 12:05:24 +0200 Subject: [PATCH 5/5] Update firezone.md --- docs/services/firezone.md | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/docs/services/firezone.md b/docs/services/firezone.md index 3b3e574..707313f 100644 --- a/docs/services/firezone.md +++ b/docs/services/firezone.md 
@@ -1,15 +1,20 @@ # Firezone -[Firezone](https://www.firezone.dev/) is a self-hosted VPN server with Web UI that this playbook can install using the ansible role [moan0s/role-firezone](https://github.com/moan0s/role-firezone). +[Firezone](https://www.firezone.dev/) is a self-hosted VPN server (based on [WireGuard](https://en.wikipedia.org/wiki/WireGuard)) with Web UI that this playbook can install, powered by the [moan0s/role-firezone](https://github.com/moan0s/role-firezone) Ansible role. -To enable Firezone add the following to your `vars.yml`: +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: ```yaml -############## -## FIREZONE ## -############## +######################################################################## +# # +# firezone # +# # +######################################################################## firezone_enabled: true + firezone_hostname: vpn.example.org firezone_default_admin_email: "user@invalid.org" 
@@ -17,20 +22,28 @@ firezone_default_admin_password: "" # Generate this with `openssl rand -base64 32` firezone_database_encryption_key: "" + +######################################################################## +# # +# /firezone # +# # +######################################################################## ``` -Use `just run-tags firezone-create-or-reset-admin` to create the configured -admin account or reset the password to the password set in `vars.yml`. +After installation, you can use `just run-tags firezone-create-or-reset-admin` any time to: +- create the configured admin account +- or, reset the password to the current password configured in `vars.yml` ### Networking By default, the following ports will be exposed by the container on **all network interfaces**: -- `51820` over **UDP**, controlled by `firezone_wireguard_bind_port` - used for your wireguard connections +- `51820` over **UDP**, controlled by `firezone_wireguard_bind_port` - used for [Wireguard](https://en.wikipedia.org/wiki/WireGuard) connections Docker automatically opens these ports in the server's firewall, so you **likely don't need to do anything**. If you use another firewall in front of the server, you may need to adjust it. ### Usage -After you started the service you can login at vpn.example.org with the credentials set in `firezone_default_admin_email/password`. -After that refer to the [official documentation](https://www.firezone.dev/docs/user-guides/add-devices/) to add devices and more. +After [installing](../installing.md), you can login at the URL specified in `firezone_hostname`, with the credentials set in `firezone_default_admin_email` and `firezone_default_admin_password`. + +Refer to the [official documentation](https://www.firezone.dev/docs/user-guides/add-devices/) to figure out how to add devices, etc.