Initial commit: Ansible role for Hysteria2 VPN server deployment.

Includes install/update/uninstall playbooks, Makefile, vault-based SSH credentials, per-server and global HTML export with QR codes.
This commit is contained in:
Sergey Antropoff
2026-07-01 02:02:58 +03:00
commit 6f96a26bed
28 changed files with 2027 additions and 0 deletions
+113
View File
@@ -0,0 +1,113 @@
# ═══════════════════════════════════════════════════════════════════════════════
# Hysteria2 Ansible — Makefile
# ═══════════════════════════════════════════════════════════════════════════════
SHELL := /bin/bash
.DEFAULT_GOAL := help
ANSIBLE ?= ansible-playbook
ANSIBLE_ADHOC ?= ansible
INVENTORY ?= inventory/hosts.yml
LIMIT ?=
EXTRA_VARS ?=
TAGS ?=
ASK_PASS ?=
# vault: .vault_pass или интерактивный ввод
VAULT_FILE := .vault_pass
VAULT_ARGS := $(if $(wildcard $(VAULT_FILE)),--vault-password-file $(VAULT_FILE),)
ANSIBLE_OPTS := $(VAULT_ARGS) \
$(if $(LIMIT),--limit $(LIMIT),) \
$(if $(EXTRA_VARS),--extra-vars "$(EXTRA_VARS)",) \
$(if $(ASK_BECOME_PASS),--ask-become-pass,) \
$(if $(ASK_PASS),--ask-pass,)
CYAN := \033[0;36m
GREEN := \033[0;32m
YELLOW := \033[1;33m
BOLD := \033[1m
NC := \033[0m
.PHONY: help init check ping status \
install update export uninstall \
vault-init vault-encrypt vault-edit vault-view
help: ## Показать справку
@echo ""
@echo "$(BOLD)Hysteria2 Ansible$(NC)"
@echo ""
@grep -E '^[a-zA-Z0-9_-]+:.*##' $(MAKEFILE_LIST) | \
awk 'BEGIN {FS = ":.*## "}; {printf " $(CYAN)%-16s$(NC) %s\n", $$1, $$2}'
@echo ""
@echo " $(YELLOW)Примеры:$(NC)"
@echo " make init"
@echo " make vault-init && make vault-encrypt"
@echo " make install"
@echo " make install LIMIT=vps-de"
@echo " make update LIMIT=vps-nl"
@echo " make uninstall LIMIT=vps-de EXTRA_VARS='hysteria2_uninstall_remove_local_output=true'"
@echo ""
init: ## Создать inventory, group_vars и .vault_pass из примеров
@test -f inventory/hosts.yml || cp inventory/hosts.yml.example inventory/hosts.yml
@test -f group_vars/all.yml || cp group_vars/all.yml.example group_vars/all.yml
@test -f group_vars/hysteria2_servers/vars.yml || cp group_vars/hysteria2_servers/vars.yml.example group_vars/hysteria2_servers/vars.yml
@test -f group_vars/hysteria2_servers/vault.yml || cp group_vars/hysteria2_servers/vault.yml.example group_vars/hysteria2_servers/vault.yml
@test -f .vault_pass || (openssl rand -base64 32 > .vault_pass && chmod 600 .vault_pass)
@grep -q 'vault_password_file' ansible.cfg || \
(echo "" >> ansible.cfg && echo "vault_password_file = .vault_pass" >> ansible.cfg)
@echo "$(GREEN)Готово. Отредактируйте:$(NC)"
@echo " inventory/hosts.yml"
@echo " group_vars/all.yml"
@echo " group_vars/hysteria2_servers/vault.yml → затем: make vault-encrypt"
check: ## Проверить синтаксис playbook
$(ANSIBLE) playbook.yml --syntax-check $(VAULT_ARGS)
$(ANSIBLE) playbook-uninstall.yml --syntax-check $(VAULT_ARGS)
ping: ## Проверить SSH-доступ ко всем VPS
$(ANSIBLE_ADHOC) hysteria2_servers -m ping $(ANSIBLE_OPTS)
status: ## Статус hysteria-server на VPS
$(ANSIBLE_ADHOC) hysteria2_servers -m shell \
-a "systemctl status hysteria-server --no-pager || systemctl status hysteria2 --no-pager" \
-b $(VAULT_ARGS) $(if $(LIMIT),--limit $(LIMIT),)
install: check ## Установить Hysteria2 на VPS (+ URL и QR локально)
$(ANSIBLE) playbook.yml --tags install $(ANSIBLE_OPTS)
update: check ## Обновить бинарник, перекатить конфиг, перевыпустить URL/QR
$(ANSIBLE) playbook.yml --tags update --extra-vars "hysteria2_wait_for_acme=false hysteria2_upgrade_system=false" $(ANSIBLE_OPTS)
export: check ## Только перевыпустить URL и QR (без изменений на сервере)
$(ANSIBLE) playbook.yml --tags export $(ANSIBLE_OPTS)
uninstall: ## Удалить Hysteria2 с VPS
@echo "$(YELLOW)Будет выполнено удаление Hysteria2$(NC) $(if $(LIMIT),на $(LIMIT),на всех серверах)"
@read -p "Продолжить? [y/N] " c; [[ "$$c" =~ ^[Yy]$$ ]] || exit 1
$(ANSIBLE) playbook-uninstall.yml --tags uninstall $(ANSIBLE_OPTS)
vault-init: ## Создать .vault_pass и включить vault_password_file в ansible.cfg
@test -f .vault_pass || (openssl rand -base64 32 > .vault_pass && chmod 600 .vault_pass)
@if ! grep -q '^vault_password_file' ansible.cfg; then \
sed -i.bak 's/# vault_password_file/vault_password_file/' ansible.cfg; \
rm -f ansible.cfg.bak; \
fi
@echo "$(GREEN).vault_pass готов$(NC)"
vault-encrypt: vault-init ## Зашифровать group_vars/hysteria2_servers/vault.yml
@if [ ! -f group_vars/hysteria2_servers/vault.yml ]; then \
echo "$(YELLOW)Сначала: make init$(NC)"; exit 1; \
fi
@if grep -q 'ANSIBLE_VAULT' group_vars/hysteria2_servers/vault.yml 2>/dev/null; then \
echo "vault.yml уже зашифрован"; \
else \
ansible-vault encrypt group_vars/hysteria2_servers/vault.yml --vault-password-file $(VAULT_FILE); \
fi
vault-edit: vault-init ## Редактировать зашифрованный vault
ansible-vault edit group_vars/hysteria2_servers/vault.yml --vault-password-file $(VAULT_FILE)
vault-view: vault-init ## Показать содержимое vault (расшифровка)
ansible-vault view group_vars/hysteria2_servers/vault.yml --vault-password-file $(VAULT_FILE)