Added VPN and SSH connection to master-deploy.yml

takttusur · Jul 18, 2023 · 65daf6a · 65daf6a
1 parent 3380dad
commit 65daf6a
Showing 1 changed file with 187 additions and 10 deletions.
diff --git a/.github/workflows/master-deploy.yml b/.github/workflows/master-deploy.yml
@@ -7,11 +7,34 @@ on:
         type: environment
         required: true
     secrets:
-      #AWS_ACCESS_KEY_ID:
-      #  required: true
-      #AWS_SECRET_ACCESS_KEY:
-      #  required: true
-
+      VPN_ENDPOINT:
+        description: Endpoint in the HOST:PORT format
+        required: true
+      VPN_ENDPOINT_PUBLIC_KEY:
+        description: Public key of the endpoint
+        required: true
+      VPN_PRIVATE_KEY:
+        description: Private key
+        required: true
+      VPN_PRESHARED_KEY:
+        description: Preshared key
+        required: false
+      VPN_IPS:
+        description: Comma-separated list of IP addresses
+        required: true
+      VPN_ALLOWED_IPS:
+        description: Comma-separated list of netmasks
+        required: true
+      SSH_HOST:
+        description: Host IP address for SSH connection
+        required: true
+      SSH_USER:
+        description: User for SSH connection
+        required: true
+      SSH_KEY:
+        description: The key for SSH connection
+        required: true
+
 concurrency:
   group: deploy
   cancel-in-progress: false
@@ -24,10 +47,164 @@ env:
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-  connect:
-    runs-on: ubuntu-latest
+  deploy:
+    runs-on: debian-latest
+    using: composite
+    shell: bash
     steps:
-      - name: "Connect to "
-        run: "echo 'test' && echo ${{ inputs.environment }}" 
+        - name: Using VPN connection
+          run: |
+            set -o errexit -o pipefail -o nounset
+  
+            ifname="wg$( openssl rand -hex 4 )"
+            readonly ifname
+            port="$( shuf "--input-range=$minport-$maxport" --head-count=1 )"
+            readonly port
+
+            via_systemd() {
+            local netdev_path
+            netdev_path="/etc/systemd/network/$ifname.netdev"
+            local network_path
+            network_path="/etc/systemd/network/$ifname.network"
+
+            local netdev_contents
+            netdev_contents="
+            [ NetDev ]
+            Name=$ifname
+            Kind=wireguard
+            Description=WireGuard tunnel $ifname
+
+            [WireGuard]
+            ListenPort=$port
+            PrivateKey=$private_key
+
+            [WireGuardPeer]
+            Endpoint=$endpoint
+            PublicKey=$endpoint_public_key
+            AllowedIPs = $allowed_ips"
+
+            if [ -n "$preshared_key" ]; then
+            netdev_contents="$netdev_contents
+            PresharedKey=$preshared_key"
+            fi
+
+            if [ -n "$keepalive" ]; then
+            netdev_contents="$netdev_contents
+            PersistentKeepalive=$keepalive"
+            fi
+
+            local network_contents
+            network_contents="
+            [Match]
+            Name=$ifname
+
+            [Network]"
+
+            local delim=,
+            local ip
+            while IFS= read -d "$delim" -r ip; do
+            network_contents="$network_contents
+            Address=$ip"
+            done < <( printf -- "%s$delim\\0" "$ips" )
+
+            sudo touch -- "$netdev_path"
+            sudo chown -- root:systemd-network "$netdev_path"
+            sudo chmod -- 0640 "$netdev_path"
+            sudo touch -- "$network_path"
+            echo "$netdev_contents" | sudo tee -- "$netdev_path" > /dev/null
+            echo "$network_contents" | sudo tee -- "$network_path" > /dev/null
+
+            sudo systemctl restart systemd-networkd
+            sudo systemctl status systemd-networkd
+            }
+
+            install_wg_tools() {
+              sudo apt-get update
+              sudo DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends wireguard-tools
+            }
+
+            readonly private_key_path=/tmp/private.key
+            readonly preshared_key_path=/tmp/preshared.key
+
+            wg_tools_cleanup() {
+              rm -f -- "$private_key_path"
+              rm -f -- "$preshared_key_path"
+            }
+
+            via_wg_tools() {
+              install_wg_tools
+              trap wg_tools_cleanup EXIT
+
+              (
+              set -o errexit -o nounset -o pipefail
+              umask 0077
+              echo "$private_key" > "$private_key_path"
+              if [ -n "$preshared_key" ]; then
+              echo "$preshared_key" > "$preshared_key_path"
+              fi
+              )
+
+              sudo ip link add dev "$ifname" type wireguard
+
+              local delim=,
+              local ip
+              while IFS= read -d "$delim" -r ip; do
+              sudo ip addr add "$ip" dev "$ifname"
+              done < <( printf -- "%s$delim\\0" "$ips" )
+
+              sudo wg set "$ifname" \
+              listen-port "$port" \
+              private-key "$private_key_path"
+
+              additional_wg_args=()
+
+              if [ -n "$preshared_key" ]; then
+              additional_wg_args+=(preshared-key "${preshared_key_path}")
+              fi
+
+              if [ -n "$keepalive" ]; then
+              additional_wg_args+=(persistent-keepalive "${keepalive}")
+              fi
+
+              sudo wg set "$ifname" \
+              peer "$endpoint_public_key" \
+              endpoint "$endpoint" \
+              allowed-ips "$allowed_ips" \
+              ${additional_wg_args[@]+"${additional_wg_args[@]}"}
+
+              sudo ip link set "$ifname" up
+
+              for i in ${allowed_ips//,/ }; do sudo ip route replace "$i" dev "$ifname"; done
+            }
+
+            via_wg_tools
+          env:
+            endpoint: ${{ secrets.VPN_ENDPOINT }}
+            endpoint_public_key: ${{ secrets.VPN_ENDPOINT_PUBLIC_KEY }}
+            private_key: ${{ secrets.VPN_PRIVATE_KEY }}
+            preshared_key: ${{ secrets.VPN_PRESHARED_KEY }}
+            ips: ${{ secrets.VPN_IPS }}
+            allowed_ips: ${{ secrets.VPN_ALLOWED_IPS }}
+            keepalive: 30
+            minport: 51000
+            maxport: 51999
+        - name: Connecting by SSH 
+          run: |
+            mkdir -p ~/.ssh/
+            echo "$SSH_KEY" > ~/.ssh/myhost.key
+            chmod 600 ~/.ssh/myhost.key
+            cat >>~/.ssh/config <<END
+            Host myhost
+              HostName $SSH_HOST
+              User $SSH_USER
+              IdentityFile ~/.ssh/myhost.key
+              StrictHostKeyChecking no
+            END
+          env:
+            SSH_USER: ${{ secrets.SSH_HOST }}
+            SSH_KEY: ${{ secrets.SSH_USER }}
+            SSH_HOST: ${{ secrets.SSH_KEY }}
+        - name: Make test file
+          run: ssh myhost 'touch test-takt-gihub.txt'
 
-
+