Add Watchtower for automatic updates, fix iptables-restore, other fix…

…es (#261)
notthebee · Dec 31, 2023 · 146c32c · 146c32c
1 parent de1dfa3
commit 146c32c
Show file tree

Hide file tree

Showing 11 changed files with 82 additions and 11 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -24,6 +24,12 @@ on:
         type: boolean
         default: false
 
+      only_debian_12:
+        description: "Only run on Debian 12"
+        required: false
+        type: boolean
+        default: false
+
       manual_mode:
         description: "Don't destroy the server after the setup is complete"
         required: false
@@ -70,6 +76,9 @@ jobs:
           elif [[ ${ONLY_DEBIAN_11} == 'true' ]]; then
             # Only deploy on Debian 11, don't use Letsencrypt Staging
             matrix=$(jq 'map(. | select((.os=="debian-11")) )' .github/workflows/matrix_includes.json)
+          elif [[ ${ONLY_DEBIAN_12} == 'true' ]]; then
+            # Only deploy on Debian 11, don't use Letsencrypt Staging
+            matrix=$(jq 'map(. | select((.os=="debian-12")) )' .github/workflows/matrix_includes.json)
           else
             # Deploy on all supported OSes, use Letsencrypt Staging to avoid rate-limiting
             matrix=$(jq 'map(.)' .github/workflows/matrix_includes.json)
@@ -80,6 +89,7 @@ jobs:
           ONLY_UBUNTU_22: ${{ inputs.only_ubuntu_22 }}
           ONLY_UBUNTU_20: ${{ inputs.only_ubuntu_20 }}
           ONLY_DEBIAN_11: ${{ inputs.only_debian_11 }}
+          ONLY_DEBIAN_12: ${{ inputs.only_debian_12 }}
 
   build:
     runs-on: ubuntu-latest
@@ -121,6 +131,10 @@ jobs:
             echo "EASYVPN_USERNAME_3=$EASYVPN_USERNAME" >> $GITHUB_OUTPUT
             echo "EASYVPN_PASSWORD_3=$EASYVPN_PASSWORD" >> $GITHUB_OUTPUT
             ;;
+            "4")
+            echo "EASYVPN_USERNAME_4=$EASYVPN_USERNAME" >> $GITHUB_OUTPUT
+            echo "EASYVPN_PASSWORD_4=$EASYVPN_PASSWORD" >> $GITHUB_OUTPUT
+            ;;
             *)
             exit 1
             ;;
@@ -262,6 +276,15 @@ jobs:
           name: "private-ssh-key-3"
           path: "id_vpn"
 
+      - name: Archive the private SSH key (Matrix 4)
+        if: ${{ matrix.index == '4' }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: "private-ssh-key-4"
+          path: "id_vpn"
+
+
+
 
 
 
@@ -272,9 +295,11 @@ jobs:
       EASYVPN_USERNAME_1: "${{ steps.random_username.outputs.EASYVPN_USERNAME_1 }}"
       EASYVPN_USERNAME_2: "${{ steps.random_username.outputs.EASYVPN_USERNAME_2 }}"
       EASYVPN_USERNAME_3: "${{ steps.random_username.outputs.EASYVPN_USERNAME_3 }}"
+      EASYVPN_USERNAME_4: "${{ steps.random_username.outputs.EASYVPN_USERNAME_4 }}"
       EASYVPN_PASSWORD_1: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_1 }}"
       EASYVPN_PASSWORD_2: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_2 }}"
       EASYVPN_PASSWORD_3: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_3 }}"
+      EASYVPN_PASSWORD_4: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_4 }}"
 
   fetch_config:
     runs-on: ubuntu-latest
@@ -323,6 +348,15 @@ jobs:
           name: "private-ssh-key-3"
           path: /home/runner/.ssh
 
+      - name: Get the private SSH key artifact (Matrix 4)
+        if: matrix.index == '4'
+        uses: actions/download-artifact@v3
+        with:
+          name: "private-ssh-key-4"
+          path: /home/runner/.ssh
+
+
+
       - name: Set the correct permissions for the SSH key
         run: |
           chmod 700 $HOME/.ssh
@@ -363,6 +397,13 @@ jobs:
           EASYVPN_PASSWORD: "${{ needs.build.outputs[format('EASYVPN_PASSWORD_{0}', matrix.index)] }}"
           DOMAIN: "${{ needs.build.outputs[format('EASYVPN_USERNAME_{0}', matrix.index)] }}.${{ secrets.CLOUDFLARE_DOMAIN }}"
 
+      - name: Upload Selenium testing screenshots 
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: "Screenshots"
+          path: "screenshots/"
+
   destroy:
     runs-on: ubuntu-latest
     environment: cicd

diff --git a/.github/workflows/matrix_includes.json b/.github/workflows/matrix_includes.json
@@ -10,5 +10,10 @@
     {
         "os":"debian-11",
         "index":3
+    },
+    {
+        "os":"debian-12",
+        "index":4
     }
+
 ]
diff --git a/roles/authelia/defaults/main.yml b/roles/authelia/defaults/main.yml
@@ -1,2 +1,2 @@
 ---
-authelia_version: "4.36"
+authelia_version: "latest"
diff --git a/roles/dns/files/AdGuardHome.yaml b/roles/dns/files/AdGuardHome.yaml
@@ -14,11 +14,11 @@ dns:
     - 0.0.0.0
   port: 53
   statistics_interval: 1
-  querylog_enabled: true
-  querylog_file_enabled: true
+  querylog_enabled: false
+  querylog_file_enabled: false
   querylog_interval: 2160h
   querylog_size_memory: 1000
-  anonymize_client_ip: false
+  anonymize_client_ip: true
   protection_enabled: true
   blocking_mode: default
   blocking_ipv4: ""

diff --git a/roles/system/tasks/firewall.yml b/roles/system/tasks/firewall.yml
@@ -7,9 +7,16 @@
     group: root
     mode: "0644"
 
-- name: Copy the iptables systemd service
-  ansible.builtin.copy:
-    src: files/iptables.service
+- name: Check the location of iptables-restore
+  register: "iptables_restore"
+  changed_when: no
+  failed_when: "iptables_restore.stdout | length == 0"
+  ansible.builtin.command:
+    cmd: "which iptables-restore"
+
+- name: Template the iptables systemd service
+  ansible.builtin.template:
+    src: systemd/iptables.service.j2
     dest: /etc/systemd/system/iptables.service
     owner: root
     group: root

diff --git a/roles/system/files/iptables.service → ...tem/templates/systemd/iptables.service.j2 b/roles/system/files/iptables.service → ...tem/templates/systemd/iptables.service.j2
@@ -4,7 +4,7 @@ Before=network-pre.target
 
 [Service]
 Type=oneshot
-ExecStart=/sbin/iptables-restore -n /etc/iptables.conf
+ExecStart={{ iptables_restore.stdout }} -n /etc/iptables.conf
 
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/watchtower/tasks/main.yml b/roles/watchtower/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- name: Make sure Watchtower is created and running
+  register: watchtower_result
+  retries: 5
+  until: watchtower_result is succeeded
+  community.general.docker_container:
+    name: "watchtower"
+    image: "containrrr/watchtower"
+    pull: yes
+    state: "started"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock"
+    restart_policy: unless-stopped
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
@@ -1,2 +1,2 @@
 ---
-wg_easy_version: "7"
+wg_easy_version: "latest"
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
@@ -27,7 +27,7 @@
   until: wireguard_result is succeeded
   community.general.docker_container:
     name: "wg-easy"
-    image: "weejewel/wg-easy:{{ wg_easy_version }}"
+    image: "ghcr.io/wg-easy/wg-easy:{{ wg_easy_version }}"
     pull: yes
     networks:
       - name: wg_network

diff --git a/run.yml b/run.yml
@@ -41,6 +41,10 @@
       tags:
         - dns
 
+    - role: watchtower
+      tags:
+        - watchtower
+
     - role: authelia
       tags:
         - authelia

diff --git a/testing/selenium/acceptance.py b/testing/selenium/acceptance.py
@@ -7,6 +7,7 @@
 from selenium.webdriver.common.action_chains import ActionChains
 from time import sleep
 
+from os import mkdir
 import argparse
 import logging
 import pyotp
@@ -46,7 +47,7 @@
 
 
 def register_2fa(driver, base_url, username, password, ssh_agent):
-    logger.debug(f"Fetching {base_url}")
+    logger.debug(f"Fetching wg.{base_url}")
     driver.get(f"https://wg.{base_url}")
     sleep(0.5)
     logger.debug(f"Filling out the username field with {username}")