From db63f5a6594fa3499f959e626b77270f6b3580ff Mon Sep 17 00:00:00 2001 From: jack Date: Sat, 5 Aug 2023 11:14:56 +0200 Subject: [PATCH 01/21] deprecated docker-compose folder --- playbook/docker-compose/docker-compose.yml | 22 ---------------------- playbook/templates/docker-compose.yml.j2 | 0 2 files changed, 22 deletions(-) delete mode 100644 playbook/docker-compose/docker-compose.yml create mode 100644 playbook/templates/docker-compose.yml.j2 diff --git a/playbook/docker-compose/docker-compose.yml b/playbook/docker-compose/docker-compose.yml deleted file mode 100644 index 46af77f..0000000 --- a/playbook/docker-compose/docker-compose.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -version: "3.2" - -services: - wg_vpn: - image: cybermint/wg-vpn:latest - container_name: wg-vpn - volumes: - - /etc/wireguard/:/etc/wireguard/ - - /home/wg-vpn/commandpipe:/home/wg-vpn/commandpipe - environment: - - WG_VPN_REGISTRATION_TOKEN=${WG_VPN_REGISTRATION_TOKEN} - - WG_VPN_ENDPOINT=${WG_VPN_ENDPOINT} - - WG_VPN_ALLOWED_IPS=${WG_VPN_ALLOWED_IPS} - - WG_VPN_SERVER_PUBLIC_KEY=${WG_VPN_SERVER_PUBLIC_KEY} - - WG_VPN_SERVER_INTERFACE=10.8.0.1 - - WG_VPN_PACKAGE_PATH=.wireguard - - WG_VPN_SERVER_HOST=${WG_VPN_SERVER_HOST} - restart: always - command: "uvicorn main:app --host 0.0.0.0 --port 8000" - ports: - - '127.0.0.1:8000:8000' diff --git a/playbook/templates/docker-compose.yml.j2 b/playbook/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..e69de29 From fe74623548fdf177fa5328071e82a907a7c54456 Mon Sep 17 00:00:00 2001 From: jack Date: Sat, 5 Aug 2023 11:15:07 +0200 Subject: [PATCH 02/21] added docker-compose template --- playbook/templates/docker-compose.yml.j2 | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/playbook/templates/docker-compose.yml.j2 b/playbook/templates/docker-compose.yml.j2 index e69de29..76245da 100644 --- a/playbook/templates/docker-compose.yml.j2 +++ b/playbook/templates/docker-compose.yml.j2 @@ -0,0 +1,22 @@ +--- +version: "3.2" + +services: + wg_vpn: + image: cybermint/wg-vpn:{{ vpn_version }} + container_name: wg-vpn + volumes: + - /etc/wireguard/:/etc/wireguard/ + - /home/wg-vpn/commandpipe:/home/wg-vpn/commandpipe + environment: + - WG_VPN_REGISTRATION_TOKEN={{ vpn_registration_token.stdout }} + - WG_VPN_ENDPOINT={{ vpn_endpoint }} + - WG_VPN_ALLOWED_IPS={{ vpn_allowed_ips }} + - WG_VPN_SERVER_PUBLIC_KEY={{ public_key['content'] | b64decode }} + - WG_VPN_SERVER_INTERFACE={{ vpn_server_interface_private_address }} + - WG_VPN_PACKAGE_PATH={{ vpn_package_path }} + - WG_VPN_SERVER_HOST={{ vpn_server_host }} + restart: always + command: "uvicorn main:app --host 0.0.0.0 --port 8000" + ports: + - '127.0.0.1:8000:8000' From bff220d1cdb5190984866f874a71adf2232d21e4 Mon Sep 17 00:00:00 2001 From: jack Date: Sat, 5 Aug 2023 11:15:19 +0200 Subject: [PATCH 03/21] Added presets and defaults to prod vars --- playbook/vars/prod.yml | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/playbook/vars/prod.yml b/playbook/vars/prod.yml index 3055ef8..9f3a54c 100644 --- a/playbook/vars/prod.yml +++ b/playbook/vars/prod.yml @@ -2,25 +2,31 @@ vm_user: vagrant # Used on first_run playbook -vm_password: "{{ lookup('env', 'VM_PASSWORD') }}" +vm_password: "{{ lookup('ansible.builtin.env', 'VM_PASSWORD') }}" # Useful tools for sys admin sys_packages: ['curl', 'ufw', 'tree', 'wireguard', 'net-tools'] # Default docker version -vpn_version: "{{ lookup('env', 'VPN_VERSION') }}" +vpn_version: "{{ lookup('ansible.builtin.env', 'VPN_VERSION', default='latest') }}" # Endpoints / IPs your clients go through the VPN to -vpn_allowed_ips: "{{ lookup('env', 'VPN_ALLOWED_IPS') }}" +vpn_allowed_ips: "{{ lookup('ansible.builtin.env', 'VPN_ALLOWED_IPS') }}" # Your wireguard server's IP -vpn_endpoint: "{{ lookup('env', 'VPN_ENDPOINT') }}" +vpn_endpoint: "{{ lookup('ansible.builtin.env', 'VPN_ENDPOINT') }}" + +# Your wireguard package path for the peers. this folder is placed in the user's $HOME dir +vpn_package_path: ".wireguard" + +# Your wireguard server's private interface IP. Preset to 10.8.0.1 +vpn_server_interface_private_address: "10.8.0.1" # Used by letsencrypt, to obtain SSL certificates -vpn_server_name: "{{ lookup('env', 'VPN_SERVER_NAME') }}" +vpn_server_name: "{{ lookup('ansible.builtin.env', 'VPN_SERVER_NAME') }}" # Used to notify important info by Certbot. Set to administrator email address -vpn_webserver_email: "{{ lookup('env', 'VPN_WEBSERVER_EMAIL') }}" +vpn_webserver_email: "{{ lookup('ansible.builtin.env', 'VPN_WEBSERVER_EMAIL') }}" # Used by FASTAPI. The domain name and protocol of your server -vpn_server_host: "{{ lookup('env', 'VPN_SERVER_HOST') }}" +vpn_server_host: "{{ lookup('ansible.builtin.env', 'VPN_SERVER_HOST') }}" From 01025ac0fa7f9369b29a7f0daccd3d19108eb443 Mon Sep 17 00:00:00 2001 From: jack Date: Sat, 5 Aug 2023 11:16:45 +0200 Subject: [PATCH 04/21] updated local.yml vars file with defaults and presets --- playbook/vars/local.yml | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/playbook/vars/local.yml b/playbook/vars/local.yml index ee71c16..e54c5a3 100644 --- a/playbook/vars/local.yml +++ b/playbook/vars/local.yml @@ -2,25 +2,31 @@ vm_user: vagrant # Used on first_run playbook -vm_password: "{{ lookup('env', 'VM_PASSWORD') }}" +vm_password: "{{ lookup('ansible.builtin.env', 'VM_PASSWORD') }}" # Useful tools for sys admin sys_packages: ['curl', 'ufw', 'tree', 'wireguard', 'net-tools'] # Default docker version -vpn_version: "{{ lookup('env', 'LOCAL_VPN_VERSION') }}" +vpn_version: "{{ lookup('ansible.builtin.env', 'LOCAL_VPN_VERSION', default='latest') }}" # Endpoints / IPs your clients go through the VPN to -vpn_allowed_ips: "{{ lookup('env', 'LOCAL_VPN_ALLOWED_IPS') }}" +vpn_allowed_ips: "{{ lookup('ansible.builtin.env', 'LOCAL_VPN_ALLOWED_IPS') }}" # Your wireguard server's IP -vpn_endpoint: "{{ lookup('env', 'LOCAL_VPN_ENDPOINT') }}" +vpn_endpoint: "{{ lookup('ansible.builtin.env', 'LOCAL_VPN_ENDPOINT') }}" + +# Your wireguard package path for the peers. this folder is placed in the user's $HOME dir +vpn_package_path: ".wireguard-local" + +# Your wireguard server's private interface IP. Preset to 10.8.0.1 +vpn_server_interface_private_address: "10.8.0.1" # Used by letsencrypt, to obtain SSL certificates -vpn_server_name: "{{ lookup('env', 'LOCAL_VPN_SERVER_NAME') }}" +vpn_server_name: "{{ lookup('ansible.builtin.env', 'LOCAL_VPN_SERVER_NAME') }}" # Used to notify important info by Certbot. Set to administrator email address -vpn_webserver_email: "{{ lookup('env', 'LOCAL_VPN_WEBSERVER_EMAIL') }}" +vpn_webserver_email: "{{ lookup('ansible.builtin.env', 'LOCAL_VPN_WEBSERVER_EMAIL') }}" # Used by FASTAPI. The domain name and protocol of your server -vpn_server_host: "{{ lookup('env', 'LOCAL_VPN_SERVER_HOST') }}" +vpn_server_host: "{{ lookup('ansible.builtin.env', 'LOCAL_VPN_SERVER_HOST') }}" From b1e407bd69bbaa7a56a22c00b5f01f3800908fb0 Mon Sep 17 00:00:00 2001 From: jack Date: Sat, 5 Aug 2023 11:31:23 +0200 Subject: [PATCH 05/21] Used ansible template instead of copt and replace --- playbook/roles/deploy/tasks/setup-compose.yml | 58 +++---------------- 1 file changed, 8 insertions(+), 50 deletions(-) diff --git a/playbook/roles/deploy/tasks/setup-compose.yml b/playbook/roles/deploy/tasks/setup-compose.yml index 3990261..b8edcd3 100644 --- a/playbook/roles/deploy/tasks/setup-compose.yml +++ b/playbook/roles/deploy/tasks/setup-compose.yml @@ -1,64 +1,22 @@ --- -- name: Copy over Backend Docker-compose file - become: true - ansible.builtin.copy: - src: docker-compose/docker-compose.yml - dest: /home/docker-compose.yml - owner: root - group: root - mode: '0644' - -- name: Generate wireguard server token +- name: Generate wireguard server token, and read into var ansible.builtin.shell: cmd: set -o pipefail && tr -dc A-Za-z0-9 {{ vpn_registration_token.stdout }} - -- name: Write WG_VPN_ENDPOINT to docker-compose - become: true - ansible.builtin.replace: - path: /home/docker-compose.yml - regexp: ^( - WG_VPN_ENDPOINT=).* - replace: \g<1>{{ vpn_endpoint }} - -- name: Write WG_VPN_ALLOWED_IPS to docker-compose - become: true - ansible.builtin.replace: - path: /home/docker-compose.yml - regexp: ^( - WG_VPN_ALLOWED_IPS=).* - replace: \g<1>{{ vpn_allowed_ips }} - - name: Read remote Public key into var become: true ansible.builtin.slurp: src: /etc/wireguard/public.key register: public_key -- name: Write WG_VPN_SERVER_PUBLIC_KEY to docker-compose - become: true - ansible.builtin.replace: - path: /home/docker-compose.yml - regexp: ^( - WG_VPN_SERVER_PUBLIC_KEY=).* - replace: \g<1>{{ public_key['content'] | b64decode }} - -- name: Write WG_VPN_SERVER_HOST to docker-compose - become: true - ansible.builtin.replace: - path: /home/docker-compose.yml - regexp: ^( - WG_VPN_SERVER_HOST=).* - replace: \g<1>{{ vpn_server_host }} - -- name: Write WG_VPN_VERSION to docker-compose +- name: Copy over Backend Docker-compose file become: true - ansible.builtin.replace: - path: /home/docker-compose.yml - regexp: 'WG_VPN_VERSION' - replace: '{{ vpn_version }}' + ansible.builtin.template: + src: templates/docker-compose.yml.j2 + dest: /home/docker-compose.yml + owner: root + group: root + mode: '0644' From 19374b1f266ea4dcc86a9add67a29c6a82b384ae Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 11:24:21 +0200 Subject: [PATCH 06/21] updated pip packages --- backend/src/requirements.txt | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/backend/src/requirements.txt b/backend/src/requirements.txt index ac56821..0ff0326 100644 --- a/backend/src/requirements.txt +++ b/backend/src/requirements.txt @@ -1,7 +1,7 @@ -fastapi==0.99.1 -jinja2==3.1.2 -pydantic==1.10.11 +fastapi==0.109.2 +Jinja2==3.1.3 +pydantic==2.6.1 requests==2.31.0 -typing_extensions==4.7.1 -urllib3==2.0.3 -uvicorn==0.22.0 +typing_extensions==4.9.0 +urllib3==2.2.0 +uvicorn==0.27.0.post1 From 9bbdf6d3b2fc3c2fc893fbc8e001e412b5fc4854 Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 11:24:31 +0200 Subject: [PATCH 07/21] updated docker-compose file --- backend/quickstart/docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/quickstart/docker-compose.yml b/backend/quickstart/docker-compose.yml index 7f9312d..4676e95 100644 --- a/backend/quickstart/docker-compose.yml +++ b/backend/quickstart/docker-compose.yml @@ -11,8 +11,8 @@ services: - /home/wg-vpn/commandpipe:/home/wg-vpn/commandpipe environment: - WG_VPN_REGISTRATION_TOKEN=${WG_VPN_REGISTRATION_TOKEN} - - WG_VPN_ENDPOINT=${WG_VPN_ENDPOINT} - - WG_VPN_ALLOWED_IPS=${WG_VPN_ALLOWED_IPS} + - WG_VPN_ENDPOINT=${WG_VPN_ENDPOINT:-127.0.0.1} # Used for building client wg0.conf files + - WG_VPN_ALLOWED_IPS=${WG_VPN_ALLOWED_IPS} # Used for building client wg0.conf files - WG_VPN_SERVER_PUBLIC_KEY=${WG_VPN_SERVER_PUBLIC_KEY} - WG_VPN_SERVER_INTERFACE=10.8.0.1 - WG_VPN_PACKAGE_PATH=.wireguard From 629ea338cf92d484c9763857f79c112b87676d88 Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 11:42:45 +0200 Subject: [PATCH 08/21] updated docker python version to 3.12 --- backend/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/Dockerfile b/backend/Dockerfile index e7965c9..33885eb 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -1,5 +1,5 @@ # Build from Python 3.10 -FROM python:3.10-alpine +FROM python:3.12-alpine # Set working directory to /code/ WORKDIR /code From a59f914edd60667992f09980a09c3d9b8a6a951f Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 11:43:01 +0200 Subject: [PATCH 09/21] used docker-compose v1 in ./test quickstart script --- backend/quickstart/test.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/quickstart/test.sh b/backend/quickstart/test.sh index e76b683..2cf79a8 100755 --- a/backend/quickstart/test.sh +++ b/backend/quickstart/test.sh @@ -13,7 +13,7 @@ sigterm_handler() { trap 'trap " " SIGINT SIGTERM SIGHUP; kill 0; wait; sigterm_handler' SIGINT SIGTERM SIGHUP # Bring down containers in compose file -docker compose down --remove-orphans +docker-compose down --remove-orphans # Bring up containers in compose file -docker compose up --build +docker-compose up --build From b89207c78f91d733e0c39614f89a8c5dce262eae Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 11:43:38 +0200 Subject: [PATCH 10/21] patched backward compat for pydantic version upgrade with pydantic-settings package --- backend/src/requirements.txt | 1 + backend/src/settings.py | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/backend/src/requirements.txt b/backend/src/requirements.txt index 0ff0326..d072520 100644 --- a/backend/src/requirements.txt +++ b/backend/src/requirements.txt @@ -1,6 +1,7 @@ fastapi==0.109.2 Jinja2==3.1.3 pydantic==2.6.1 +pydantic-settings==2.1.0 requests==2.31.0 typing_extensions==4.9.0 urllib3==2.2.0 diff --git a/backend/src/settings.py b/backend/src/settings.py index d39fe9f..dbd5a9e 100644 --- a/backend/src/settings.py +++ b/backend/src/settings.py @@ -1,13 +1,14 @@ import os import logging -import pydantic +from pydantic_settings import BaseSettings + logging.config.fileConfig('logging.conf', disable_existing_loggers=False) logger = logging.getLogger(__name__) -class Settings(pydantic.BaseSettings): +class Settings(BaseSettings): WG_VPN_REGISTRATION_TOKEN: str = os.getenv('WG_VPN_REGISTRATION_TOKEN') WG_VPN_ENDPOINT: str = os.getenv('WG_VPN_ENDPOINT') WG_VPN_ALLOWED_IPS: str = os.getenv('WG_VPN_ALLOWED_IPS') From 399c52529ac1280a65d1959d44c9cf0166a6bd53 Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 11:43:49 +0200 Subject: [PATCH 11/21] fixed local favicon issue --- backend/src/templates/index.html | 1 + 1 file changed, 1 insertion(+) diff --git a/backend/src/templates/index.html b/backend/src/templates/index.html index 76f43a8..d0b4458 100644 --- a/backend/src/templates/index.html +++ b/backend/src/templates/index.html @@ -5,6 +5,7 @@ VPN Server +
From ed4ed570dc2bd6c11c6bbf71369821304b9b2cf2 Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 12:08:47 +0200 Subject: [PATCH 12/21] fixed spelling mistake in index.html --- backend/src/templates/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/src/templates/index.html b/backend/src/templates/index.html index d0b4458..f623467 100644 --- a/backend/src/templates/index.html +++ b/backend/src/templates/index.html @@ -22,7 +22,7 @@
WireGuard-VPN
- A no-nosense self-provisioning VPN server for dev teams + A no-nonsense self-provisioning VPN server for dev teams
From 46dbfb60f079bc7395d1cfd24aa0b8e1738f1a6e Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 12:08:57 +0200 Subject: [PATCH 13/21] updated styles of front end page --- backend/src/static/styles.css | 2 ++ 1 file changed, 2 insertions(+) diff --git a/backend/src/static/styles.css b/backend/src/static/styles.css index 66f0d0e..09a4095 100644 --- a/backend/src/static/styles.css +++ b/backend/src/static/styles.css @@ -112,6 +112,7 @@ body { height: 30px; background-color: #999999; padding: 0 20px; + border-radius: 5px; color: white; font-size: 15px; } @@ -156,6 +157,7 @@ body { font-size: 15px; padding: 0 20px; display: flex; + border-radius: 5px; align-items: center; } From d0f97765e13ed22c7e9541087abcc7890086f844 Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 12:17:39 +0200 Subject: [PATCH 14/21] Added new custom 404 page --- backend/src/templates/404_error_page.html | 49 +++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 backend/src/templates/404_error_page.html diff --git a/backend/src/templates/404_error_page.html b/backend/src/templates/404_error_page.html new file mode 100644 index 0000000..baa6ce3 --- /dev/null +++ b/backend/src/templates/404_error_page.html @@ -0,0 +1,49 @@ + + + + + + VPN Server + + + + +
+
+ The token you provided was incorrect! Try again. + × +
+
+
+
+
+ wg-logo +
+
+
WireGuard-VPN
+
+ A no-nonsense self-provisioning VPN server for dev teams +
+
+

Page not found

+
+
+
+
+
+
+
+ github + https://github.com/cyber-mint/wg-vpn +
+
+ Copyright © 2023, Cyber-Mint (Pty) Ltd, Provided under MIT + License + cyber-mint +
+
+
+ + From 027bd4266072eb112b50073b6a181a41287f58d6 Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 12:17:56 +0200 Subject: [PATCH 15/21] set 404 responses to 404 error page --- backend/src/main.py | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/backend/src/main.py b/backend/src/main.py index 8273126..1bf1f3a 100644 --- a/backend/src/main.py +++ b/backend/src/main.py @@ -210,3 +210,23 @@ async def validation_exception_handler(request, exc): return templates.TemplateResponse( "400_error_message.html", context={"request": request}, headers=headers ) + + +@app.exception_handler(404) +async def custom_http_exception_handler(request, exc): + """ + Exception handler for HTTPException. + + Args: + request: The incoming request object. + exc: The raised HTTPException. + + Returns: + TemplateResponse: A template response rendering the error message with the appropriate headers and status code. + + """ + headers = getattr(exc, "headers", None) + return templates.TemplateResponse( + "404_error_page.html", context={"request": request}, headers=headers, status_code=exc.status_code + ) + From e17a96f25bc7e0744a09ed3692599a0be66fe4f9 Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 12:25:17 +0200 Subject: [PATCH 16/21] updated html href opener for github link --- backend/src/templates/404_error_page.html | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/backend/src/templates/404_error_page.html b/backend/src/templates/404_error_page.html index baa6ce3..e48f9a9 100644 --- a/backend/src/templates/404_error_page.html +++ b/backend/src/templates/404_error_page.html @@ -34,9 +34,14 @@

Page not found

github - https://github.com/cyber-mint/wg-vpn + https://github.com/cyber-mint/wg-vpn +
Copyright © 2023, Cyber-Mint (Pty) Ltd, Provided under MIT From 1fa1359f7fa3d8536a4c7e2dd57b684a697ef05e Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 12:41:26 +0200 Subject: [PATCH 17/21] separated linting CICD jobs in Circleci config --- .circleci/config.yml | 62 ++++++++++++++++++++++++++++++++------------ 1 file changed, 45 insertions(+), 17 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index ef30759..6b31905 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -91,19 +91,41 @@ jobs: command: | docker run -v ~/repo:/path zricethezav/gitleaks:latest detect --source="/path" -v - linting: + flake8: docker: - image: python@sha256:364ee1a9e029fb7b60102ae56ff52153ccc929ceab9aa387402fe738432d24cc resource_class: small working_directory: ~/repo steps: - checkout + - restore_cache: + key: deps1-{{ .Environment.CACHE_VERSION }} - run: - name: Install Ubuntu packages + name: Install Python command: | - export DEBIAN_FRONTEND='noninteractive' - apt-get update - apt-get install -y yamllint + python3 -m venv .venv + . .venv/bin/activate + pip install flake8 + - save_cache: + key: deps1-{{ .Environment.CACHE_VERSION }} + paths: + - ".venv" + - run: + name: Lint BackEnd with flake8 + command: | + python3 -m venv .venv + . .venv/bin/activate + cd ~/repo/backend/src + flake8 . --count --select=E901,E999,F821,F822,F823 --show-source --statistics + flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics + + ansible-lint: + docker: + - image: python@sha256:364ee1a9e029fb7b60102ae56ff52153ccc929ceab9aa387402fe738432d24cc + resource_class: small + working_directory: ~/repo + steps: + - checkout - restore_cache: key: deps1-{{ .Environment.CACHE_VERSION }} - run: @@ -111,7 +133,7 @@ jobs: command: | python3 -m venv .venv . .venv/bin/activate - pip install ansible ansible-lint flake8 + pip install ansible ansible-lint - save_cache: key: deps1-{{ .Environment.CACHE_VERSION }} paths: @@ -119,23 +141,27 @@ jobs: - run: name: Lint playbook with ansible lint command: | - python3 -m venv .venv . .venv/bin/activate - ansible-lint --version cd ~/repo/playbook/ ansible-lint + + yamllint: + docker: + - image: python@sha256:364ee1a9e029fb7b60102ae56ff52153ccc929ceab9aa387402fe738432d24cc + resource_class: small + working_directory: ~/repo + steps: + - checkout - run: - name: Lint repo with yamllint + name: Install Ubuntu packages command: | - yamllint -c .yamllint.conf . + export DEBIAN_FRONTEND='noninteractive' + apt-get update + apt-get install -y yamllint - run: - name: Lint BackEnd with flake8 + name: Lint repo with yamllint command: | - python3 -m venv .venv - . .venv/bin/activate - cd ~/repo/backend/src - flake8 . --count --select=E901,E999,F821,F822,F823 --show-source --statistics - flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics + yamllint -c .yamllint.conf . publish-wg-vpn: machine: @@ -161,7 +187,9 @@ workflows: version: 2 untagged_build_test: jobs: - - linting + - ansible-lint + - flake8 + - yamllint - integration-tests - git-leaks - checkov From 390a1fab332b1d51457c63a5bd1f7cfb998cb15c Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 12:51:19 +0200 Subject: [PATCH 18/21] used ansible template instead of copy and replace for nginx config file --- playbook/roles/nginx/tasks/main.yml | 11 +----- playbook/templates/nginx.conf.j2 | 58 +++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+), 9 deletions(-) create mode 100644 playbook/templates/nginx.conf.j2 diff --git a/playbook/roles/nginx/tasks/main.yml b/playbook/roles/nginx/tasks/main.yml index 99756de..2756895 100644 --- a/playbook/roles/nginx/tasks/main.yml +++ b/playbook/roles/nginx/tasks/main.yml @@ -7,20 +7,13 @@ - name: Copy nginx config to server become: true - ansible.builtin.copy: - src: templates/nginx.conf + ansible.builtin.template: + src: templates/nginx.conf.j2 dest: /etc/nginx/sites-available/default owner: www-data group: www-data mode: '0644' -- name: Replace 'VPN_SERVER_NAME' in conf with domain name - become: true - ansible.builtin.replace: - path: /home/docker-compose.yml - regexp: 'VPN_SERVER_NAME' - replace: '{{ vpn_server_name }}' - - name: Create a folder for custom error pages become: true ansible.builtin.file: diff --git a/playbook/templates/nginx.conf.j2 b/playbook/templates/nginx.conf.j2 new file mode 100644 index 0000000..be2d8be --- /dev/null +++ b/playbook/templates/nginx.conf.j2 @@ -0,0 +1,58 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + root /var/www/html; + index index.html index.htm index.nginx-debian.html; + server_name _; + location / { + try_files $uri $uri/ =404; + } +} + +server { + server_name {{ vpn_server_name }}; + server_tokens on; + client_max_body_size 10M; + error_log /var/log/nginx/error.log; + + location /favicon.ico { + root /home/static; + } + + location /static { + sendfile on; + sendfile_max_chunk 1m; + alias /home/static; + } + + location / { + proxy_pass http://127.0.0.1:8000/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Client-Verify SUCCESS; + proxy_set_header X-Client-DN $ssl_client_s_dn; + proxy_set_header X-SSL-Subject $ssl_client_s_dn; + proxy_set_header X-SSL-Issuer $ssl_client_i_dn; + proxy_read_timeout 1800; + proxy_connect_timeout 1800; + proxy_buffering off; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_set_header X-Content-Type-Options nosniff; + proxy_set_header Content-Type application/json; + proxy_set_header Referrer-Policy same-origin; + proxy_set_header Permissions-Policy "geolocation 'none'; camera 'none';"; + } +} + +server { + server_name www.{{ vpn_server_name }}; + server_tokens on; + client_max_body_size 10M; + error_log /var/log/nginx/access.log; + return 302 https://{{ vpn_server_name }}$request_uri; +} From 9f82f295c994d05603ce79ac8e56e73cda6d0745 Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 12:51:37 +0200 Subject: [PATCH 19/21] removed Certbot added code from nginx config template --- playbook/templates/nginx.conf | 101 ---------------------------------- 1 file changed, 101 deletions(-) delete mode 100644 playbook/templates/nginx.conf diff --git a/playbook/templates/nginx.conf b/playbook/templates/nginx.conf deleted file mode 100644 index 8c1f28b..0000000 --- a/playbook/templates/nginx.conf +++ /dev/null @@ -1,101 +0,0 @@ -server { - listen 80 default_server; - listen [::]:80 default_server; - - root /var/www/html; - - index index.html index.htm index.nginx-debian.html; - - server_name _; - - location / { - try_files $uri $uri/ =404; - } -} - -server { - server_name VPN_SERVER_NAME; - server_tokens on; - client_max_body_size 10M; - error_log /var/log/nginx/error.log; - - location /favicon.ico { - root /home/static; - } - - location /static { - sendfile on; - sendfile_max_chunk 1m; - alias /home/static; - } - - location / { - proxy_pass http://127.0.0.1:8000/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Client-Verify SUCCESS; - proxy_set_header X-Client-DN $ssl_client_s_dn; - proxy_set_header X-SSL-Subject $ssl_client_s_dn; - proxy_set_header X-SSL-Issuer $ssl_client_i_dn; - proxy_read_timeout 1800; - proxy_connect_timeout 1800; - proxy_buffering off; - proxy_set_header X-Frame-Options SAMEORIGIN; - proxy_set_header X-Content-Type-Options nosniff; - proxy_set_header Content-Type application/json; - proxy_set_header Referrer-Policy same-origin; - proxy_set_header Permissions-Policy "geolocation 'none'; camera 'none';"; - } - - - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/VPN_SERVER_NAME/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/VPN_SERVER_NAME/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - -} -server { - server_name www.VPN_SERVER_NAME; - server_tokens on; - client_max_body_size 10M; - error_log /var/log/nginx/access.log; - return 302 https://VPN_SERVER_NAME$request_uri; -} -# server { -# server_name www.VPN_SERVER_NAME; -# server_tokens on; -# client_max_body_size 10M; -# listen 443 ssl default_server; -# error_log /var/log/nginx/access.log; -# return 302 https://VPN_SERVER_NAME$request_uri; -# } - -server { - if ($host = VPN_SERVER_NAME) { - return 301 https://$host$request_uri; - } # managed by Certbot - - server_name VPN_SERVER_NAME; - listen 80; - return 404; # managed by Certbot - -} - -server { - if ($host = VPN_SERVER_NAME) { - return 301 https://$host$request_uri; - } # managed by Certbot - - - server_name VPN_SERVER_NAME; - listen 80; - return 404; # managed by Certbot - - -} From 8cdf12ab7be863777a4c5e51eb4f84a09cdb3983 Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 12:51:47 +0200 Subject: [PATCH 20/21] updated vars files --- playbook/vars/local.yml | 2 +- playbook/vars/prod.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/playbook/vars/local.yml b/playbook/vars/local.yml index e54c5a3..e1047f8 100644 --- a/playbook/vars/local.yml +++ b/playbook/vars/local.yml @@ -4,7 +4,7 @@ vm_user: vagrant # Used on first_run playbook vm_password: "{{ lookup('ansible.builtin.env', 'VM_PASSWORD') }}" -# Useful tools for sys admin +# Necessary packages, and useful tools for system admins sys_packages: ['curl', 'ufw', 'tree', 'wireguard', 'net-tools'] # Default docker version diff --git a/playbook/vars/prod.yml b/playbook/vars/prod.yml index 9f3a54c..9ab4e1f 100644 --- a/playbook/vars/prod.yml +++ b/playbook/vars/prod.yml @@ -4,7 +4,7 @@ vm_user: vagrant # Used on first_run playbook vm_password: "{{ lookup('ansible.builtin.env', 'VM_PASSWORD') }}" -# Useful tools for sys admin +# Necessary packages, and useful tools for system admins sys_packages: ['curl', 'ufw', 'tree', 'wireguard', 'net-tools'] # Default docker version From f86f553edf493e1a200027d7ef72556606f900e6 Mon Sep 17 00:00:00 2001 From: Jack Date: Sun, 11 Feb 2024 13:18:13 +0200 Subject: [PATCH 21/21] made wg0.conf a jinja template instead of copy and replace in ansible --- .../deploy/tasks/setup-wireguard-conf.yml | 34 +++++-------------- playbook/templates/{wg0.conf => wg0.conf.j2} | 10 +++--- 2 files changed, 13 insertions(+), 31 deletions(-) rename playbook/templates/{wg0.conf => wg0.conf.j2} (51%) diff --git a/playbook/roles/deploy/tasks/setup-wireguard-conf.yml b/playbook/roles/deploy/tasks/setup-wireguard-conf.yml index 62c7ff4..b6a0b9e 100644 --- a/playbook/roles/deploy/tasks/setup-wireguard-conf.yml +++ b/playbook/roles/deploy/tasks/setup-wireguard-conf.yml @@ -1,8 +1,14 @@ --- +- name: Read remote Private key into var + become: true + ansible.builtin.slurp: + src: /etc/wireguard/private.key + register: private_key + - name: Copy Wireguard config file to server become: true - ansible.builtin.copy: - src: templates/wg0.conf + ansible.builtin.template: + src: templates/wg0.conf.j2 dest: /etc/wireguard/wg0.conf owner: root group: root @@ -16,27 +22,3 @@ sysctl_set: true state: present reload: true - -- name: Display default interface name to use - ansible.builtin.debug: - var: ansible_default_ipv4.interface - -- name: Replace '[default_interface]' in wg0.conf with default interface var - become: true - ansible.builtin.replace: - path: /etc/wireguard/wg0.conf - regexp: '\[default_interface\]' - replace: "{{ ansible_default_ipv4.interface }}" - -- name: Read remote Private key into var - become: true - ansible.builtin.slurp: - src: /etc/wireguard/private.key - register: private_key - -- name: Replace '[wireguard_private_key]' in wg0.conf - become: true - ansible.builtin.replace: - path: /etc/wireguard/wg0.conf - regexp: '\[wireguard_private_key\]' - replace: "{{ private_key['content'] | b64decode }}" diff --git a/playbook/templates/wg0.conf b/playbook/templates/wg0.conf.j2 similarity index 51% rename from playbook/templates/wg0.conf rename to playbook/templates/wg0.conf.j2 index db0410e..ed4aefd 100644 --- a/playbook/templates/wg0.conf +++ b/playbook/templates/wg0.conf.j2 @@ -5,11 +5,11 @@ # ---------------------------------------------------------------------------------- [Interface] -PrivateKey = [wireguard_private_key] +PrivateKey = {{ private_key['content'] | b64decode }} Address = 10.8.0.1/24 ListenPort = 51820 SaveConfig = false -PostUp = ufw route allow in on wg0 out on [default_interface] -PostUp = iptables -t nat -I POSTROUTING -o [default_interface] -j MASQUERADE -PreDown = ufw route delete allow in on wg0 out on [default_interface] -PreDown = iptables -t nat -D POSTROUTING -o [default_interface] -j MASQUERADE +PostUp = ufw route allow in on wg0 out on {{ ansible_default_ipv4.interface }} +PostUp = iptables -t nat -I POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE +PreDown = ufw route delete allow in on wg0 out on {{ ansible_default_ipv4.interface }} +PreDown = iptables -t nat -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE