notthebee · notthebee · Oct 15, 2023 · Oct 15, 2023 · Dec 10, 2023 · Dec 10, 2023
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -118,27 +118,8 @@ jobs:
       - name: Set the username and password outputs
         id: random_username
         run: |
-          case $INDEX in
-            "1")
-            echo "EASYVPN_USERNAME_1=$EASYVPN_USERNAME" >> $GITHUB_OUTPUT
-            echo "EASYVPN_PASSWORD_1=$EASYVPN_PASSWORD" >> $GITHUB_OUTPUT
-            ;;
-            "2")
-            echo "EASYVPN_USERNAME_2=$EASYVPN_USERNAME" >> $GITHUB_OUTPUT
-            echo "EASYVPN_PASSWORD_2=$EASYVPN_PASSWORD" >> $GITHUB_OUTPUT
-            ;;
-            "3")
-            echo "EASYVPN_USERNAME_3=$EASYVPN_USERNAME" >> $GITHUB_OUTPUT
-            echo "EASYVPN_PASSWORD_3=$EASYVPN_PASSWORD" >> $GITHUB_OUTPUT
-            ;;
-            "4")
-            echo "EASYVPN_USERNAME_4=$EASYVPN_USERNAME" >> $GITHUB_OUTPUT
-            echo "EASYVPN_PASSWORD_4=$EASYVPN_PASSWORD" >> $GITHUB_OUTPUT
-            ;;
-            *)
-            exit 1
-            ;;
-          esac
+            echo "EASYVPN_USERNAME_$INDEX=$EASYVPN_USERNAME" >> $GITHUB_OUTPUT
+            echo "EASYVPN_PASSWORD_$INDEX=$EASYVPN_PASSWORD" >> $GITHUB_OUTPUT
         env:
           INDEX: ${{ matrix.index }}
 
@@ -161,8 +142,6 @@ jobs:
       - name: Install git and expect (Debian-based)
         run: ssh root@$SERVER_IPV4 apt install -y git expect wamerican
 
-
-
       - uses: infraway/[email protected]
         with:
           type: "A"
@@ -229,8 +208,6 @@ jobs:
         with:
           ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
 
-
-
       - name: Regsiter the private key with the ssh-agent
         run: expect -c "spawn ssh-add $HOME/.ssh/id_vpn; expect -re \"Enter passphrase.*\"; send -- \"$EASYVPN_PASSWORD\r\"; expect -re \"Identity added.*\""
 
@@ -251,46 +228,17 @@ jobs:
         env:
           LETSENCRYPT_STAGING: ${{ needs.matrix_prep.outputs.letsencrypt_staging }}
 
-      - name: Sleep forever
-        run: sleep infinity
-        if: inputs.manual_mode
-
-      - name: Archive the private SSH key (Matrix 1)
-        if: ${{ matrix.index == '1' }}
-        uses: actions/upload-artifact@v3
-        with:
-          name: "private-ssh-key-1"
-          path: "id_vpn"
-
-      - name: Archive the private SSH key (Matrix 2)
-        if: ${{ matrix.index == '2' }}
-        uses: actions/upload-artifact@v3
-        with:
-          name: "private-ssh-key-2"
-          path: "id_vpn"
-
-      - name: Archive the private SSH key (Matrix 3)
-        if: ${{ matrix.index == '3' }}
-        uses: actions/upload-artifact@v3
-        with:
-          name: "private-ssh-key-3"
-          path: "id_vpn"
+      - name: Add the personal SSH key for debugging
+        run: >-
+          curl https://github.com/notthebee.keys > notthebee.pub && 
+          ssh-copy-id -f -i notthebee.pub $EASYVPN_USERNAME@$SERVER_IPV4
 
-      - name: Archive the private SSH key (Matrix 4)
-        if: ${{ matrix.index == '4' }}
+      - name: Archive the private SSH key
         uses: actions/upload-artifact@v3
         with:
-          name: "private-ssh-key-4"
+          name: "private-ssh-key-${{ matrix.index }}"
           path: "id_vpn"
 
-
-
-
-
-
-
-
-
     outputs:
       EASYVPN_USERNAME_1: "${{ steps.random_username.outputs.EASYVPN_USERNAME_1 }}"
       EASYVPN_USERNAME_2: "${{ steps.random_username.outputs.EASYVPN_USERNAME_2 }}"
@@ -301,6 +249,22 @@ jobs:
       EASYVPN_PASSWORD_3: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_3 }}"
       EASYVPN_PASSWORD_4: "${{ steps.random_username.outputs.EASYVPN_PASSWORD_4 }}"
 
+
+  debug:
+    runs-on: ubuntu-latest
+    environment: cicd
+    strategy:
+      fail-fast: false
+      matrix: ${{fromJson(needs.matrix_prep.outputs.matrix)}}
+    needs:
+      - matrix_prep
+      - build
+    steps:
+      - name: Wait for the server to reboot
+        if: inputs.manual_mode
+        run: >-
+          sleep infinity
+
   fetch_config:
     runs-on: ubuntu-latest
     environment: cicd
@@ -309,6 +273,7 @@ jobs:
       matrix: ${{fromJson(needs.matrix_prep.outputs.matrix)}}
     needs:
       - matrix_prep
+      - debug
       - build
     steps:
       - name: Check out this repo
@@ -327,36 +292,12 @@ jobs:
         run: >-
           mkdir /home/runner/.ssh
 
-      - name: Get the private SSH key artifact (Matrix 1)
-        if: matrix.index == '1'
+      - name: Get the private SSH key artifact
         uses: actions/download-artifact@v3
         with:
-          name: "private-ssh-key-1"
+          name: "private-ssh-key-${{ matrix.index }}"
           path: /home/runner/.ssh
 
-      - name: Get the private SSH key artifact (Matrix 2)
-        if: matrix.index == '2'
-        uses: actions/download-artifact@v3
-        with:
-          name: "private-ssh-key-2"
-          path: /home/runner/.ssh
-
-      - name: Get the private SSH key artifact (Matrix 3)
-        if: matrix.index == '3'
-        uses: actions/download-artifact@v3
-        with:
-          name: "private-ssh-key-3"
-          path: /home/runner/.ssh
-
-      - name: Get the private SSH key artifact (Matrix 4)
-        if: matrix.index == '4'
-        uses: actions/download-artifact@v3
-        with:
-          name: "private-ssh-key-4"
-          path: /home/runner/.ssh
-
-
-
       - name: Set the correct permissions for the SSH key
         run: |
           chmod 700 $HOME/.ssh
@@ -401,8 +342,14 @@ jobs:
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: "Screenshots"
-          path: "screenshots/"
+          name: "Screenshots-${{ matrix.index }}"
+          path: "/home/runner/screenshots/*"
+
+      - name: Archive the Wireguard config
+        uses: actions/upload-artifact@v3
+        with:
+          name: "wireguard-${{ matrix.index }}.conf"
+          path: "*.conf"
 
   destroy:
     runs-on: ubuntu-latest
@@ -414,6 +361,7 @@ jobs:
     needs:
       - matrix_prep
       - build
+      - debug
       - fetch_config
     steps:
       - name: Destroy the Hetzner instances
@@ -428,16 +376,14 @@ jobs:
           SERVER_NAME: ansible-easy-vpn-${{ needs.build.outputs[format('EASYVPN_USERNAME_{0}', matrix.index)] }}
 
       - name: Delete all Cloudflare domains
-        run: >-
-          curl -s -X GET https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records?per_page=500
-          -H "Authorization: Bearer $CLOUDFLARE_TOKEN"
-          -H "Content-Type: application/json" |
-          jq .result[].id |
-          tr -d '"' |
-          ( while read id; do curl -s -X DELETE
-          https://api.cloudflare.com/client/v4/zones/5420f91fefac252d89d9495a8d35ae73/dns_records/${id}
-          -H "Authorization: Bearer $CLOUDFLARE_TOKEN"
-          -H "Content-Type: application/json";   done;   )
+        run: |
+          curl --silent "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?per_page=50000" \
+          --header "Authorization: Bearer $CLOUDFLARE_TOKEN" \
+          | jq --raw-output '.result[].id' | while read id
+          do
+            curl --silent --request DELETE "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$id" \
+          --header "Authorization: Bearer $CLOUDFLARE_TOKEN"
+          done
         env:
           CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_TOKEN }}
           ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE }}
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@ secret.yml
 .vscode
 .venv
 .ansible
+venv*
diff --git a/roles/bunkerweb/tasks/main.yml b/roles/bunkerweb/tasks/main.yml
@@ -26,7 +26,7 @@
     name: "bunkerweb"
     image: "bunkerity/bunkerweb:{{ bunkerweb_version }}"
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080"]
+      test: ["CMD", "curl", "-f", "http://localhost:80"]
       start_period: 10s
     networks:
       - name: wg_network

diff --git a/roles/dns/files/adguard-unbound/Dockerfile b/roles/dns/files/adguard-unbound/Dockerfile
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
@@ -5,7 +5,7 @@
     state: directory
     owner: "{{ username }}"
     group: "{{ username }}"
-    mode: 0755
+    mode: "0755"
   loop:
     - adguard-unbound-doh
     - adguard-unbound-doh/adguard
@@ -22,6 +22,14 @@
     rsync_opts:
       - "--ignore-existing"
 
+- name: Template the Adguard Dockerfile
+  ansible.builtin.template:
+    src: Dockerfile
+    dest: "{{ docker_dir }}/adguard-unbound-doh/build/Dockerfile"
+    owner: "{{ username }}"
+    group: "{{ username }}"
+    mode: "0775"
+
 - name: Build the adguard-unbound Docker image
   community.docker.docker_image:
     name: adguard-unbound-doh

diff --git a/roles/dns/templates/Dockerfile b/roles/dns/templates/Dockerfile
@@ -1,19 +1,20 @@
 
-FROM alpine:3.15
+FROM alpine:3.18
 
 RUN apk add --no-cache \
         libcap \
-        unbound=1.13.2-r2 \
+        unbound=1.19.3-r0 \
         dnscrypt-proxy
 
 WORKDIR /tmp
 
-RUN wget https://www.internic.net/domain/named.root -qO- >> /etc/unbound/root.hints
+RUN echo "nameserver 1.1.1.1" > /etc/resolv.conf && \ 
+    wget https://www.internic.net/domain/named.root -qO- >> /etc/unbound/root.hints
 
 COPY files/ /opt/
 
 # AdGuardHome
-RUN wget https://github.com/AdguardTeam/AdGuardHome/releases/download/v0.107.16/AdGuardHome_linux_{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.tar.gz >/dev/null 2>&1 \
+RUN wget https://github.com/AdguardTeam/AdGuardHome/releases/download/v0.107.46/AdGuardHome_linux_{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.tar.gz >/dev/null 2>&1 \
         && mkdir -p /opt/adguardhome/conf /opt/adguardhome/work \
         && tar xf AdGuardHome_linux_{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}.tar.gz ./AdGuardHome/AdGuardHome  --strip-components=2 -C /opt/adguardhome \
         && /bin/ash /opt/adguardhome \

diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
@@ -1,8 +1,9 @@
 ---
 - name: Install fail2ban
-  ansible.builtin.package:
-    name: fail2ban
-    state: present
+  ansible.builtin.apt:
+    name:
+      - fail2ban
+      - python3-systemd
 
 - name: Disable e-mail notifications on jail stop and start
   ansible.builtin.copy:

diff --git a/roles/fail2ban/templates/jail.local.j2 b/roles/fail2ban/templates/jail.local.j2
@@ -1,14 +1,15 @@
 [DEFAULT]
-banaction = iptables-allports
-bantime  = -1
-findtime  = 600
-maxretry = 5
-ignoreip = 127.0.0.1/8 ::1
-action = %(action_mwl)s
-destemail = {{ email }}
-sender = {{ email }}
+banaction=iptables-allports
+bantime=-1
+findtime=600
+maxretry=5
+ignoreip=127.0.0.1/8 ::1
+action=%(action_mwl)s
+destemail={{ email }}
+sender={{ email }}
 
 [sshd]
-enabled = true
-port = {{ ssh_port }}
-filter = sshd
+backend=systemd
+enabled=true
+port={{ ssh_port }}
+filter=sshd
diff --git a/roles/system/handlers/main.yml b/roles/system/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart iptables
+  ansible.builtin.service:
+    name: iptables
+    state: restarted
diff --git a/roles/system/tasks/firewall.yml b/roles/system/tasks/firewall.yml
@@ -15,6 +15,7 @@
     cmd: "which iptables-restore"
 
 - name: Template the iptables systemd service
+  notify: Restart iptables
   ansible.builtin.template:
     src: systemd/iptables.service.j2
     dest: /etc/systemd/system/iptables.service
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,3 +3,4 @@ secret.yml @@
     .vscode
     .venv
     .ansible
+    venv*