initial commit

.gitignore

@@ -0,0 +1 @@
+.vault_pass

ansible.cfg

@@ -0,0 +1,5 @@
+[defaults]
+inventory = inventory.yml
+vault_password_file = ~/.vault_pass
+host_key_checking = False
+interpreter_python = auto_silent

group_vars/all/vars.yml

@@ -0,0 +1,5 @@
+---
+vpn_subnets:
+  ocserv: "10.66.66.0/24"
+  wireguard: "10.66.67.0/24"
+

group_vars/all/vault.yml

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+62346466326631373565623766373933326137396239383535346132396433643062633164393939
+3935633736343630393138326135623431323765326265610a396136633564643937333665353739
+37356236663462386432363064323163353032393235356634303636623538626439636665383763
+3531383439643763320a376264666433303931656639653830663332393166623063616464623461
+37363266396436323930383662653330323738393463353664343134623634646234393233383935
+39646262396239626132336530613536393562363364396166323234636434323464326664373333
+36363366363566633837363238613238633539663133616562393236653536336534626566663664
+34346661656534316132

inventory.yml

@@ -0,0 +1,10 @@
+---
+all:
+  children:
+    vps:
+      hosts:
+        vps1:
+          ansible_host: "{{ vault_vps_ip }}"
+          ansible_user: root
+          ansible_ssh_pass: "{{ vault_root_password }}"
+

roles/base_system/tasks/main.yml

@@ -0,0 +1,54 @@
+---
+- name: Update apt cache
+  apt:
+    update_cache: yes
+
+- name: Upgrade all packages
+  apt:
+    upgrade: dist
+    force_apt_get: yes
+  environment:
+    UCF_FORCE_CONFFOLD: 1
+
+- name: Install basic packages
+  apt:
+    name:
+      - sudo
+      - neovim
+      - neofetch
+      - git
+      - curl
+      - wget
+      - tmux
+      - htop
+      - foot-terminfo
+      - kitty-terminfo
+      - build-essential
+      - certbot
+      - rsync
+      - aria2
+    state: present
+
+- name: Add Speedtest repository
+  shell: |
+    curl -s https://packagecloud.io/install/repositories/ookla/speedtest-cli/script.deb.sh | bash
+  args:
+    creates: /etc/apt/sources.list.d/ookla_speedtest-cli.list
+
+- name: Install Speedtest
+  apt:
+    name: speedtest
+    state: present
+    update_cache: yes
+
+- name: Setup Neovim config directory
+  file:
+    path: /root/.config/nvim
+    state: directory
+    mode: '0755'
+
+- name: Configure Neovim
+  copy:
+    content: "set tabstop=4 softtabstop=0 expandtab shiftwidth=4 smarttab"
+    dest: /root/.config/nvim/init.vim
+    mode: '0644'

roles/network/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+sysctl_settings:
+  net.ipv4.ip_forward: 1
+  net.core.default_qdisc: fq
+  net.ipv4.tcp_congestion_control: bbr
+
+fw_rules:
+  - {chain: "INPUT", jump: "ACCEPT", protocol: "tcp", dport: "22"} # SSH
+  - {chain: "INPUT", jump: "ACCEPT", protocol: "tcp", dport: "80"} # HTTP
+  - {chain: "INPUT", jump: "ACCEPT", protocol: "tcp", dport: "443"} #  HTTPS
+  - {chain: "INPUT", jump: "ACCEPT", protocol: "udp", dport: "443"} # ocserv
+  - {chain: "INPUT", jump: "ACCEPT", protocol: "udp", dport: "51820"} # Wireguard
+  - {chain: "INPUT", jump: "ACCEPT", protocol: "icmp", icmp_type: "any"} # Ping
+  - {chain: "INPUT", jump: "ACCEPT", in_interface: "lo"} # Loopback (localhost)

roles/network/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: reload sysctl
+  command: sysctl -p
+
+- name: save iptables
+  command: netfilter-persistent save
+

roles/network/tasks/main.yml

@@ -0,0 +1,60 @@
+---
+- name: Configure sysctl
+  sysctl:
+    name: "{{ item }}"
+    value: "{{ sysctl_settings[item] }}"
+    sysctl_file: /etc/sysctl.conf
+    reload: yes
+  with_items: "{{ sysctl_settings.keys() | list }}"
+  notify: reload sysctl
+
+- name: Install iptables-persistent
+  debconf:
+    name: iptables-persistent
+    question: "{{ item }}"
+    value: "true"
+    vtype: boolean
+  loop:
+    - iptables-persistent/autosave_v4
+    - iptables-persistent/autosave_v6
+
+- name: Ensure iptables-persistent package
+  apt:
+    name: iptables-persistent
+    state: present
+
+- name: Configure NAT rules
+  iptables:
+    table: nat
+    chain: POSTROUTING
+    jump: MASQUERADE
+    source: "{{ item.value }}"
+    out_interface: eth0
+  with_dict: "{{ vpn_subnets }}"
+
+- name: Allow established connections
+  iptables:
+    chain: INPUT
+    jump: ACCEPT
+    ctstate: ESTABLISHED,RELATED
+
+- name: Configure firewall rules
+  iptables:
+    chain: "{{ item.chain }}"
+    jump: "{{ item.jump }}"
+    protocol: "{{ item.protocol | default(omit) }}"
+    destination_port: "{{ item.dport | default(omit) }}"
+    in_interface: "{{ item.in_interface | default(omit) }}"
+    icmp_type: "{{ item.icmp_type | default(omit) }}"
+  with_items: "{{ fw_rules }}"
+  notify: save iptables
+
+- name: Set default policies
+  iptables:
+    chain: "{{ item.chain }}"
+    policy: "{{ item.policy }}"
+  loop:
+    - {chain: "FORWARD", policy: "ACCEPT"}
+    - {chain: "OUTPUT", policy: "ACCEPT"}
+    - {chain: "INPUT", policy: "DROP"}
+  notify: save iptables

roles/ocserv/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+ocserv_version: "1.3.0"
+ocserv_url: "https://www.infradead.org/ocserv/download/ocserv-{{ ocserv_version }}.tar.xz"
+ocserv_build_dir: "/tmp/ocserv-build"
+

roles/ocserv/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart ocserv
+  systemd:
+    name: ocserv
+    state: restarted
+

roles/ocserv/tasks/main.yml

@@ -0,0 +1,84 @@
+---
+- name: Install required packages
+  apt:
+    name:
+      - sudo
+      - build-essential
+      - libgnutls28-dev
+      - libev-dev
+      - pkg-config
+      - libreadline-dev
+      - libprotobuf-c-dev
+      - protobuf-c-compiler
+      - libhttp-parser-dev
+      - gperf
+    state: present
+    update_cache: yes
+
+- name: Check if ocserv is installed
+  command: which ocserv
+  register: ocserv_check
+  ignore_errors: true
+  changed_when: false
+
+- name: Create build directory
+  file:
+    path: "{{ ocserv_build_dir }}"
+    state: directory
+  when: ocserv_check.rc != 0
+
+- name: Download ocserv source
+  get_url:
+    url: "{{ ocserv_url }}"
+    dest: "{{ ocserv_build_dir }}/ocserv-{{ ocserv_version }}.tar.xz"
+  when: ocserv_check.rc != 0
+
+- name: Extract ocserv source
+  unarchive:
+    src: "{{ ocserv_build_dir }}/ocserv-{{ ocserv_version }}.tar.xz"
+    dest: "{{ ocserv_build_dir }}"
+    remote_src: yes
+  when: ocserv_check.rc != 0
+
+- name: Compile and install ocserv
+  shell: |
+    cd {{ ocserv_build_dir }}/ocserv-{{ ocserv_version }}
+    ./configure
+    make
+    make install
+  when: ocserv_check.rc != 0
+
+- name: Create ocserv user
+  user:
+    name: ocserv
+    groups: sudo
+    create_home: yes
+    system: yes
+
+- name: Create ocserv config directory
+  file:
+    path: /etc/ocserv
+    state: directory
+
+- name: Template ocserv config
+  template:
+    src: ocserv.conf.j2
+    dest: /etc/ocserv/ocserv.conf
+  notify: restart ocserv
+
+- name: Template systemd service
+  template:
+    src: ocserv.service.j2
+    dest: /etc/systemd/system/ocserv.service
+  notify: restart ocserv
+
+- name: Manage ocserv users
+  include_tasks: manage_users.yml
+
+- name: Enable and start ocserv service
+  systemd:
+    name: ocserv
+    enabled: yes
+    state: started
+    daemon_reload: yes
+

roles/ocserv/tasks/manage_users.yml

@@ -0,0 +1,7 @@
+---
+- name: Add ocserv users
+  command: "ocpasswd -c /etc/ocserv/ocpasswd {{ item.username }}"
+  input: "{{ item.password }}\n{{ item.password }}"
+  with_items: "{{ ocserv_users }}"
+  no_log: true
+

site.yml

@@ -0,0 +1,22 @@
+---
+- name: Configure VPS
+  hosts: vps
+  become: yes
+  gather_facts: yes
+
+  pre_tasks:
+    - name: Check OS version
+      debug:
+        msg: "Running on Debian {{ ansible_distribution_version }}"
+      when: ansible_distribution == "Debian" and ansible_distribution_version | float >= 12.0
+
+    - name: Verify Debian 12 or higher
+      fail:
+        msg: "This playbook requires Debian 12 (Bookworm) or higher"
+      when: >
+        ansible_distribution != "Debian" or 
+        ansible_distribution_version | float < 12.0
+
+  roles:
+    - base_system
+    - network