diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e4c95d26..88fe2a78 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,6 +24,12 @@ on: type: boolean default: false + only_debian_12: + description: "Only run on Debian 12" + required: false + type: boolean + default: false + manual_mode: description: "Don't destroy the server after the setup is complete" required: false @@ -70,6 +76,9 @@ jobs: elif [[ ${ONLY_DEBIAN_11} == 'true' ]]; then # Only deploy on Debian 11, don't use Letsencrypt Staging matrix=$(jq 'map(. | select((.os=="debian-11")) )' .github/workflows/matrix_includes.json) + elif [[ ${ONLY_DEBIAN_12} == 'true' ]]; then + # Only deploy on Debian 11, don't use Letsencrypt Staging + matrix=$(jq 'map(. | select((.os=="debian-12")) )' .github/workflows/matrix_includes.json) else # Deploy on all supported OSes, use Letsencrypt Staging to avoid rate-limiting matrix=$(jq 'map(.)' .github/workflows/matrix_includes.json) @@ -80,6 +89,7 @@ jobs: ONLY_UBUNTU_22: ${{ inputs.only_ubuntu_22 }} ONLY_UBUNTU_20: ${{ inputs.only_ubuntu_20 }} ONLY_DEBIAN_11: ${{ inputs.only_debian_11 }} + ONLY_DEBIAN_12: ${{ inputs.only_debian_12 }} build: runs-on: ubuntu-latest @@ -121,6 +131,10 @@ jobs: echo "EASYVPN_USERNAME_3=$EASYVPN_USERNAME" >> $GITHUB_OUTPUT echo "EASYVPN_PASSWORD_3=$EASYVPN_PASSWORD" >> $GITHUB_OUTPUT ;; + "4") + echo "EASYVPN_USERNAME_4=$EASYVPN_USERNAME" >> $GITHUB_OUTPUT + echo "EASYVPN_PASSWORD_4=$EASYVPN_PASSWORD" >> $GITHUB_OUTPUT + ;; *) exit 1 ;; @@ -262,6 +276,15 @@ jobs: name: "private-ssh-key-3" path: "id_vpn" + - name: Archive the private SSH key (Matrix 4) + if: ${{ matrix.index == '4' }} + uses: actions/upload-artifact@v3 + with: + name: "private-ssh-key-4" + path: "id_vpn" + + + 
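Review bot: The comment on the new `elif [[ ${ONLY_DEBIAN_12} == 'true' ]]` branch still reads `# Only deploy on Debian 11, don't use Letsencrypt Staging`, copied from the branch above it; it should read `# Only deploy on Debian 12, don't use Letsencrypt Staging`. The jq filter on the next line does select `.os=="debian-12"`, so the code is right and only the comment misleads. The if/elif chain this branch belongs to starts before and ends after the hunk.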
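Review bot: The new `"4")` case writes `$EASYVPN_PASSWORD` into `$GITHUB_OUTPUT` unmasked, and that step output later becomes a job output consumed by other jobs; unlike `secrets.*` values, such outputs are not redacted in logs. If the variable is generated in this step (its origin is outside the hunk) rather than taken from a repository secret, register it with `echo "::add-mask::$EASYVPN_PASSWORD"` before writing it so any later echo or debug print of the output is redacted. Cases 1–3 have the same gap; this hunk repeats the pattern rather than fixing it. The enclosing `case` statement starts outside the hunk.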
@@ -272,9 +295,11 @@ jobs: EASYVPN_USERNAME_1: "${{ steps.random_username.outputs.EASYVPN_USERNAME_1 }}" EASYVPN_USERNAME_2: "${{ steps.random_username.outputs.EASYVPN_USERNAME_2 }}" EASYVPN_USERNAME_3: "${{ steps.random_username.outputs.EASYVPN_USERNAME_3 }}" + EASYVPN_USERNAME_4: "${{ steps.random_username.outputs.EASYVPN_USERNAME_4 }}" EASYVPN_PASSWORD_1: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_1 }}" EASYVPN_PASSWORD_2: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_2 }}" EASYVPN_PASSWORD_3: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_3 }}" + EASYVPN_PASSWORD_4: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_4 }}" fetch_config: runs-on: ubuntu-latest @@ -323,6 +348,15 @@ jobs: name: "private-ssh-key-3" path: /home/runner/.ssh + - name: Get the private SSH key artifact (Matrix 4) + if: matrix.index == '4' + uses: actions/download-artifact@v3 + with: + name: "private-ssh-key-4" + path: /home/runner/.ssh + + + - name: Set the correct permissions for the SSH key run: | chmod 700 $HOME/.ssh @@ -363,6 +397,13 @@ jobs: EASYVPN_PASSWORD: "${{ needs.build.outputs[format('EASYVPN_PASSWORD_{0}', matrix.index)] }}" DOMAIN: "${{ needs.build.outputs[format('EASYVPN_USERNAME_{0}', matrix.index)] }}.${{ secrets.CLOUDFLARE_DOMAIN }}" + - name: Upload Selenium testing screenshots + if: always() + uses: actions/upload-artifact@v4 + with: + name: "Screenshots" + path: "screenshots/" + destroy: runs-on: ubuntu-latest environment: cicd diff --git a/.github/workflows/matrix_includes.json b/.github/workflows/matrix_includes.json index fc997b1b..bff1f738 100644 --- a/.github/workflows/matrix_includes.json +++ b/.github/workflows/matrix_includes.json @@ -10,5 +10,10 @@ { "os":"debian-11", "index":3 + }, + { + "os":"debian-12", + "index":4 } + ] diff --git a/roles/authelia/defaults/main.yml b/roles/authelia/defaults/main.yml index d08fcb95..a297232d 100644 --- a/roles/authelia/defaults/main.yml +++ b/roles/authelia/defaults/main.yml 
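Review bot: The new `Get the private SSH key artifact (Matrix 4)` step pulls the server's private key back out of a workflow artifact, and GitHub lets anyone with read access to the repository download run artifacts for the whole retention period, so the key is exposed well beyond this job's lifetime. The matching upload step (outside this hunk) should set `retention-days: 1`, or the key should be transferred as an encrypted blob rather than plaintext `id_vpn`. This hunk also keeps `actions/download-artifact@v3` while the same file now adds `actions/upload-artifact@v4`; v3 is deprecated and v3/v4 artifacts are not cross-compatible, so the key upload/download pair must be migrated together. The `if: matrix.index == '4'` form differs from the `${{ matrix.index == '4' }}` used on the upload side but evaluates the same.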
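Review bot: The new `Upload Selenium testing screenshots` step uses the fixed `name: "Screenshots"` with `actions/upload-artifact@v4`, but this job runs once per matrix entry (it reads `matrix.index` a few lines above) and v4 rejects a second upload whose artifact name already exists in the run, so every matrix job after the first will fail this step. Use a per-entry name such as `name: "screenshots-${{ matrix.index }}"`. Because the step runs under `if: always()`, screenshots of failed logins are uploaded too; if the acceptance test captures pages with the `EASYVPN_USERNAME`/`EASYVPN_PASSWORD` fields filled in, give this artifact a short `retention-days` as well. `if: ${{ !cancelled() }}` is preferable to `always()` so a cancelled run does not wait on the upload.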
@@ -1,2 +1,2 @@ --- -authelia_version: "4.36" +authelia_version: "latest" diff --git a/roles/dns/files/AdGuardHome.yaml b/roles/dns/files/AdGuardHome.yaml index 305346df..7f773968 100644 --- a/roles/dns/files/AdGuardHome.yaml +++ b/roles/dns/files/AdGuardHome.yaml @@ -14,11 +14,11 @@ dns: - 0.0.0.0 port: 53 statistics_interval: 1 - querylog_enabled: true - querylog_file_enabled: true + querylog_enabled: false + querylog_file_enabled: false querylog_interval: 2160h querylog_size_memory: 1000 - anonymize_client_ip: false + anonymize_client_ip: true protection_enabled: true blocking_mode: default blocking_ipv4: "" diff --git a/roles/system/tasks/firewall.yml b/roles/system/tasks/firewall.yml index f28cac44..f9bbf197 100644 --- a/roles/system/tasks/firewall.yml +++ b/roles/system/tasks/firewall.yml @@ -7,9 +7,16 @@ group: root mode: "0644" -- name: Copy the iptables systemd service - ansible.builtin.copy: - src: files/iptables.service +- name: Check the location of iptables-restore + register: "iptables_restore" + changed_when: no + failed_when: "iptables_restore.stdout | length == 0" + ansible.builtin.command: + cmd: "which iptables-restore" + +- name: Template the iptables systemd service + ansible.builtin.template: + src: systemd/iptables.service.j2 dest: /etc/systemd/system/iptables.service owner: root group: root diff --git a/roles/system/files/iptables.service b/roles/system/templates/systemd/iptables.service.j2 similarity index 69% rename from roles/system/files/iptables.service rename to roles/system/templates/systemd/iptables.service.j2 index 2e9b9183..5eb81608 100644 --- a/roles/system/files/iptables.service +++ b/roles/system/templates/systemd/iptables.service.j2 @@ -4,7 +4,7 @@ Before=network-pre.target [Service] Type=oneshot -ExecStart=/sbin/iptables-restore -n /etc/iptables.conf +ExecStart={{ iptables_restore.stdout }} -n /etc/iptables.conf [Install] WantedBy=multi-user.target 
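Review bot: Changing `authelia_version` from the pinned `"4.36"` to `"latest"` turns the image reference for the authentication gateway into a floating tag, so every pull — and every run of the Watchtower role this commit adds — can deploy an untested, unreviewed release of the component that gates access to everything behind it. Keep a specific release tag in the `"4.x"` form the file used before, and preferably pin an `@sha256:` digest in the task that consumes this variable (outside this hunk). If `latest` is kept on purpose, say so in a comment above the variable, e.g. `# Floating tag on purpose: upgrades are applied automatically by Watchtower`, so the trade-off is visible.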
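Review bot: Setting `querylog_enabled`/`querylog_file_enabled` to `false` and `anonymize_client_ip` to `true` is a sound privacy default for a VPN resolver, but it also removes the only record of DNS activity available for investigating a compromised client or a malware callback, and the change carries no explanation. Add a comment above the block such as `# Query log off and client IPs anonymized on purpose: the VPN resolver must not keep per-user browsing history` so it is not re-enabled casually. `querylog_interval: 2160h` and `querylog_size_memory: 1000` are now inert and could be dropped or marked as such. If some forensic capability is wanted, an anonymized in-memory log (only `querylog_file_enabled: false`) is a middle ground.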
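Review bot: The new `Check the location of iptables-restore` task is a `command` call whose registered result the following task templates into a root-run systemd unit, but the command module is skipped in `--check` mode, so `iptables_restore.stdout` is undefined there and the template task errors; add `check_mode: false` to the lookup task. `changed_when: no` relies on a YAML 1.1 truthy value — write `changed_when: false`, as Ansible convention recommends. Since whatever `which` finds first on the remote user's `PATH` becomes the `ExecStart=` of a unit run as root at boot, tighten `failed_when` to also require a system path, e.g. `failed_when: not (iptables_restore.stdout is match('^/(usr/)?sbin/iptables-restore$'))`, rather than accepting any non-empty output.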
diff --git a/roles/watchtower/tasks/main.yml b/roles/watchtower/tasks/main.yml new file mode 100644 index 00000000..6b0b9cdc --- /dev/null +++ b/roles/watchtower/tasks/main.yml @@ -0,0 +1,13 @@ +--- +- name: Make sure Watchtower is created and running + register: watchtower_result + retries: 5 + until: watchtower_result is succeeded + community.general.docker_container: + name: "watchtower" + image: "containrrr/watchtower" + pull: yes + state: "started" + volumes: + - "/var/run/docker.sock:/var/run/docker.sock" + restart_policy: unless-stopped diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml index 74565252..cfb664c2 100644 --- a/roles/wireguard/defaults/main.yml +++ b/roles/wireguard/defaults/main.yml @@ -1,2 +1,2 @@ --- -wg_easy_version: "7" +wg_easy_version: "latest" diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 076636c0..4b00c531 100755 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -27,7 +27,7 @@ until: wireguard_result is succeeded community.general.docker_container: name: "wg-easy" - image: "weejewel/wg-easy:{{ wg_easy_version }}" + image: "ghcr.io/wg-easy/wg-easy:{{ wg_easy_version }}" pull: yes networks: - name: wg_network diff --git a/run.yml b/run.yml index 252afdec..4e4d50cf 100755 --- a/run.yml +++ b/run.yml @@ -41,6 +41,10 @@ tags: - dns + - role: watchtower + tags: + - watchtower + - role: authelia tags: - authelia diff --git a/testing/selenium/acceptance.py b/testing/selenium/acceptance.py index 371dda5a..598fd20a 100755 --- a/testing/selenium/acceptance.py +++ b/testing/selenium/acceptance.py @@ -7,6 +7,7 @@ from selenium.webdriver.common.action_chains import ActionChains from time import sleep +from os import mkdir import argparse import logging import pyotp 
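Review bot: The new Watchtower task mounts `/var/run/docker.sock` (root-equivalent on the host) into an image referenced as `containrrr/watchtower` with no tag or digest and `pull: yes`, so the component permitted to replace every other container is itself pulled unpinned on every run. Together with the `latest` tags this commit introduces for the auth and VPN images, a compromised or merely broken upstream tag would be rolled out to the VPN host automatically with no review step. Pin the image by digest (`image: "containrrr/watchtower@sha256:<digest>"`) and scope what it may touch, e.g. `command: "--label-enable"` with a `com.centurylinklabs.watchtower.enable=true` label only on containers you intend to track, or run it with `--monitor-only` plus notifications so upgrades are applied deliberately. Write `pull: true` rather than `pull: yes` to avoid YAML 1.1 truthy parsing differences.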
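Review bot: The image now reads `ghcr.io/wg-easy/wg-easy:{{ wg_easy_version }}` while the same commit changes the default `wg_easy_version` to `"latest"`, so with `pull: yes` this task — and the Watchtower role added alongside — deploys whatever the upstream `latest` tag points at on each run, including a breaking major release or a compromised tag. Moving to the project's GHCR namespace looks sensible, but restore a pinned default (a specific release tag in the style of the old `"7"`) or extend the variable to carry an `@sha256:` digest, and bump it through review. The task's `name`, `register` and retry settings start outside the hunk.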
@@ -46,7 +47,7 @@ def register_2fa(driver, base_url, username, password, ssh_agent): - logger.debug(f"Fetching {base_url}") + logger.debug(f"Fetching wg.{base_url}") driver.get(f"https://wg.{base_url}") sleep(0.5) logger.debug(f"Filling out the username field with {username}")