Changed ZM config permissions

Added wireguard config

Signed-off-by: TuDatTr <tuan-dat.tran@tudattr.dev>

README.md

@@ -1,4 +1,5 @@
 # TuDatTr IaC
+
 ## Backups
 Backup for aya01 and raspberry are in a backblaze b2, which gets encrypted on the clientside by rclone.
 but first of all we need to create the buckets and provide ansible with the needed information.
@@ -81,7 +82,64 @@ Host mikrotik
      IdentityFile /mnt/veracrypt1/mikrotik_rsa
 ```
 
+### wireguard
+thanks to [mikrotik](https://www.medo64.com/2022/04/wireguard-on-mikrotik-routeros-7/)0
+quick code
+```
+# add wiregurad interface
+interface/wireguard/add listen-port=51820 name=wg1
+# get public key
+interface/wireguard/print
+$ > public-key: <mikrotik_public_key>
+# add network/ip for wireguard interface
+ip/address/add address=192.168.200.1/24 network=192.168.200.0 interface=wg1
+# add firewall rule for wireguard (maybe specify to be from pppoe-wan)
+/ip/firewall/filter/add chain=input protocol=udp dst-port=51820 action=accept 
+# routing for wg1 clients and rest of the network
+> <insert forward for routing between wg1 and other networks>
+# enable internet for wg1 clients (may have to add to enable internet list
+/ip/firewall/nat/add chain=srcnat src-address=192.168.200.0/24 out-interface=pppoe-wan action=masquerade
+```
+add peer
+```
+/interface/wireguard/peers/add interface=wg1 allowed-address=<untaken_ipv4>/24 public-key="<client_public_key"
+```
+
+Keygeneragion on archlinux `wg genkey | (umask 0077 && tee wireguard.key) | wg pubkey > peer_A.pub`
+Wireguard config on archlinux at `/etc/wireguard/wg0.conf`:
+```
+[Interface]
+PrivateKey = <client_private_key>
+Address = 192.168.200.250/24
+
+[Peer]
+PublicKey = <mikrotik public key>
+Endpoint = tudattr.dev:51820
+AllowedIPs = 0.0.0.0/0
+```
+used ipv4: 
+- genesis: 192.168.200.250
+- xiaomi: 192.168.200.249
+
+#### notes
+- wireguard->add
+  name: wg_tunnel01
+  listen port: 51820
+  [save]
+- wireguard->peers->add
+  interface: wg_tunnel01
+  endpoint port: 51820
+  allowed address: ::/0
+  psk: <password>
+  persistent keepalive: 25
+- ip->address->address list->add
+  address:192.168.200.1/24
+  network: 192.168.200.0
+  interface: wg_tunnel01
+
+## troubleshooting
+when problems with docker: `docker system prune -a`
+
 ## Todo
-- Role to setup backup
 - Role to load customization/configurations from backup to servers
-- aya01 fstab
+- split docker containers to different composes

aya01.yml

@@ -4,6 +4,6 @@
   gather_facts: yes
   roles:
     - role: common
-    - role: backblaze
+    # - role: backblaze
     - role: power_management
     - role: docker

infra.yml

@@ -1 +0,0 @@
----

pi.yml

@@ -4,6 +4,6 @@
   gather_facts: yes
   roles:
     - common
-    - backblaze
+    # - backblaze
     - docker
     

roles/docker/tasks/aya01_compose.yml

@@ -1,15 +1,31 @@
 ---
-- name: Create Zoneminder directories
+- name: Create zonminder user
+  user:
+    name: zm
+    uid: 911
+    shell: /bin/false
+  become: true
+    
+- name: Create Zoneminder config directory
   file:
     path: "{{ item }}"
-    owner: 1000
+    owner: 911
     mode: '700'
     state: directory
   loop:
-    - "{{ zoneminder_data }}"
     - "{{ zoneminder_config }}"
   become: true
 
+- name: Create Zoneminder data directory
+  file:
+    path: "{{ item }}"
+    owner: 911
+    mode: '766'
+    state: directory
+  loop:
+    - "{{ zoneminder_data }}"
+  become: true
+
 # Todo, check if docker compose is running
 # - name: Shut down docker
 #   shell:

roles/docker/templates/aya01/compose.yaml

@@ -51,7 +51,7 @@ networks:
   net:
     driver: bridge
     ipam:
-#      driver: default
+      driver: default
       config:
         - subnet: 172.16.69.0/24
           ip_range: 172.28.69.0/24