Changed ZM config permissions

Added wireguard config Signed-off-by: TuDatTr <tuan-dat.tran@tudattr.dev>
2022-12-08 23:12:56 +01:00 · 2022-12-08 23:12:56 +01:00 · 271a596004
parent 378ba0b233
commit 271a596004
6 changed files with 82 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,5 @@
 # TuDatTr IaC
+
 ## Backups
 Backup for aya01 and raspberry are in a backblaze b2, which gets encrypted on the clientside by rclone.
 but first of all we need to create the buckets and provide ansible with the needed information.
@ -81,7 +82,64 @@ Host mikrotik
     IdentityFile /mnt/veracrypt1/mikrotik_rsa
 ```

+### wireguard
+thanks to [mikrotik](https://www.medo64.com/2022/04/wireguard-on-mikrotik-routeros-7/)0
+quick code
+```
+# add wiregurad interface
+interface/wireguard/add listen-port=51820 name=wg1
+# get public key
+interface/wireguard/print
+$ > public-key: <mikrotik_public_key>
+# add network/ip for wireguard interface
+ip/address/add address=192.168.200.1/24 network=192.168.200.0 interface=wg1
+# add firewall rule for wireguard (maybe specify to be from pppoe-wan)
+/ip/firewall/filter/add chain=input protocol=udp dst-port=51820 action=accept 
+# routing for wg1 clients and rest of the network
+> <insert forward for routing between wg1 and other networks>
+# enable internet for wg1 clients (may have to add to enable internet list
+/ip/firewall/nat/add chain=srcnat src-address=192.168.200.0/24 out-interface=pppoe-wan action=masquerade
+```
+add peer
+```
+/interface/wireguard/peers/add interface=wg1 allowed-address=<untaken_ipv4>/24 public-key="<client_public_key"
+```
+
+Keygeneragion on archlinux `wg genkey | (umask 0077 && tee wireguard.key) | wg pubkey > peer_A.pub`
+Wireguard config on archlinux at `/etc/wireguard/wg0.conf`:
+```
+[Interface]
+PrivateKey = <client_private_key>
+Address = 192.168.200.250/24
+
+[Peer]
+PublicKey = <mikrotik public key>
+Endpoint = tudattr.dev:51820
+AllowedIPs = 0.0.0.0/0
+```
+used ipv4: 
+- genesis: 192.168.200.250
+- xiaomi: 192.168.200.249
+
+#### notes
+- wireguard->add
+  name: wg_tunnel01
+  listen port: 51820
+  [save]
+- wireguard->peers->add
+  interface: wg_tunnel01
+  endpoint port: 51820
+  allowed address: ::/0
+  psk: <password>
+  persistent keepalive: 25
+- ip->address->address list->add
+  address:192.168.200.1/24
+  network: 192.168.200.0
+  interface: wg_tunnel01
+
+## troubleshooting
+when problems with docker: `docker system prune -a`
+
 ## Todo
- Role to setup backup
 - Role to load customization/configurations from backup to servers
- aya01 fstab
+- split docker containers to different composes
--- a/aya01.yml
+++ b/aya01.yml
@ -4,6 +4,6 @@
  gather_facts: yes
  roles:
    - role: common
-    - role: backblaze
+    # - role: backblaze
    - role: power_management
    - role: docker
--- a/infra.yml
+++ b/infra.yml
@ -1 +0,0 @@
---
--- a/pi.yml
+++ b/pi.yml
@ -4,6 +4,6 @@
  gather_facts: yes
  roles:
    - common
-    - backblaze
+    # - backblaze
    - docker
    
--- a/roles/docker/tasks/aya01_compose.yml
+++ b/roles/docker/tasks/aya01_compose.yml
@ -1,15 +1,31 @@
 ---
- name: Create Zoneminder directories
+- name: Create zonminder user
+  user:
+    name: zm
+    uid: 911
+    shell: /bin/false
+  become: true
+    
+- name: Create Zoneminder config directory
  file:
    path: "{{ item }}"
-    owner: 1000
+    owner: 911
    mode: '700'
    state: directory
  loop:
-    - "{{ zoneminder_data }}"
    - "{{ zoneminder_config }}"
  become: true

+- name: Create Zoneminder data directory
+  file:
+    path: "{{ item }}"
+    owner: 911
+    mode: '766'
+    state: directory
+  loop:
+    - "{{ zoneminder_data }}"
+  become: true
+
 # Todo, check if docker compose is running
 # - name: Shut down docker
 #   shell:
--- a/roles/docker/templates/aya01/compose.yaml
+++ b/roles/docker/templates/aya01/compose.yaml
@ -51,7 +51,7 @@ networks:
  net:
    driver: bridge
    ipam:
-#      driver: default
+      driver: default
      config:
        - subnet: 172.16.69.0/24
          ip_range: 172.28.69.0/24