From 43f6820f4a3b6b342802d8dd42f3c6fca53b7553 Mon Sep 17 00:00:00 2001
From: Mike Conrad
Date: Tue, 24 Sep 2024 19:44:31 -0400
Subject: [PATCH] Initial commit
---
 main.tf | 29 +++++++++++++++++++++++++
 setup.sh | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 terraform.tf | 13 +++++++++++
 variables.tf | 4 ++++
 4 files changed, 107 insertions(+)
 create mode 100644 main.tf
 create mode 100644 setup.sh
 create mode 100644 terraform.tf
 create mode 100644 variables.tf
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..c2ef460
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,29 @@
+# Create a new SSH key
+resource "digitalocean_ssh_key" "default" {
+ name = "Terraform Example"
+ public_key = file("~/.ssh/id_rsa.pub")
+}
+
+# Create a new Web Droplet in the nyc2 region
+resource "digitalocean_droplet" "web" {
+ image = "ubuntu-22-04-x64"
+ name = "wireguard"
+ region = "nyc1"
+ size = "s-2vcpu-4gb"
+ ssh_keys = [digitalocean_ssh_key.default.fingerprint]
+ user_data = file("setup.sh")
+ connection {
+ host = digitalocean_droplet.web.ipv4_address
+ type = "ssh"
+ user = "root"
+ private_key = "${file("~/.ssh/id_rsa.pem")}"
+ }
+
+ provisioner "remote-exec" {
+ inline = [ "cat /root/wireguard-config/client-config.conf" ]
+ }
+}
+
+output "droplet_output" {
+ value = digitalocean_droplet.web.ipv4_address
+}
\ No newline at end of file
diff --git a/setup.sh b/setup.sh
new file mode 100644
index 0000000..31f3d47
--- /dev/null
+++ b/setup.sh
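Review bot: The `remote-exec` provisioner reads `/root/wireguard-config/client-config.conf`, but setup.sh writes the file under `/root/wireguard-conf/`, so the provisioner fails on the path alone; it also runs as soon as SSH answers, which on a fresh droplet is typically before cloud-init has finished executing `user_data`, so the file may not exist yet even with the right path. Inside a resource's own `connection` block the address has to be `self.ipv4_address` — `digitalocean_droplet.web.ipv4_address` there is a self-reference Terraform rejects. `private_key = file("~/.ssh/id_rsa.pem")` does not obviously pair with the `~/.ssh/id_rsa.pub` uploaded above (the matching private key is usually `~/.ssh/id_rsa`) — confirm which file is meant. Keep in mind that the file being `cat`-ed contains the client's WireGuard private key, so it ends up verbatim in the Terraform console output and any CI log that captures it; pulling it with `scp` after apply keeps it out of the run log.
```hcl
  connection {
    host        = self.ipv4_address
    type        = "ssh"
    user        = "root"
    private_key = file("~/.ssh/id_rsa") # must pair with the id_rsa.pub uploaded above
  }

  provisioner "remote-exec" {
    inline = [
      # user_data runs asynchronously; wait for cloud-init before reading its output
      "cloud-init status --wait",
      "cat /root/wireguard-conf/client-config.conf",
    ]
  }
```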
@@ -0,0 +1,61 @@
+#!/bin/bash
+apt update
+
+# Install wireguard
+apt install -y wireguard
+
+LISTENPORT=51820
+umask 077
+# Generate public and private key
+mkdir /root/wireguard-conf
+cd /root/wireguard-conf
+
+wg genkey > privatekey
+wg pubkey < privatekey > publickey
+mkdir client
+
+wg genkey > client/privatekey
+wg pubkey < client/privatekey > client/publickey
+
+
+echo "[Interface]
+Address = 10.66.66.1/24,fd42:42:42::1/64
+ListenPort = $LISTENPORT
+PrivateKey = $(cat privatekey)
+
+### Client mike-home
+[Peer]
+PublicKey = $(cat client/publickey)
+AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
+" > /etc/wireguard/do.conf
+
+wg-quick up do
+
+echo "[Interface]
+PrivateKey = $(cat client/privatekey)
+Address = 10.66.66.2/32,fd42:42:42::2/128
+DNS = 1.1.1.1,1.0.0.1
+
+[Peer]
+PublicKey = $(cat publickey)
+Endpoint = $(curl icanhazip.com):$LISTENPORT
+AllowedIPs = 0.0.0.0/0,::/0
+" > client-config.conf
+
+# Add iptables rules to forward internet traffic through this box
+# We are assuming our Wireguard interface is called do and our
+# primary public facing interface is called eth0.
+iptables -I INPUT -p udp --dport 51820 -j ACCEPT
+iptables -I FORWARD -i eth0 -o do -j ACCEPT
+iptables -I FORWARD -i do -j ACCEPT
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+ip6tables -I FORWARD -i do -j ACCEPT
+ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+# Enable routing on the server
+echo "net.ipv4.ip_forward = 1
+ net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf
+sysctl --system
+
+
+cat client-config.conf
\ No newline at end of file
diff --git a/terraform.tf b/terraform.tf
new file mode 100644
index 0000000..a33c03c
--- /dev/null
+++ b/terraform.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_providers {
+ digitalocean = {
+ source = "digitalocean/digitalocean"
+ version = "2.41.0"
+ }
+ }
+}
+
+provider "digitalocean" {
+ token = var.do_token
+}
+
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..0068de8
--- /dev/null
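Review bot: The iptables/ip6tables rules and the `wg-quick up do` interface are applied once at first boot and never persisted, so after a reboot the tunnel and the NAT are gone while `/etc/sysctl.d/wg.conf` keeps forwarding switched on; the INPUT rule also hard-codes `51820` instead of `$LISTENPORT`. Putting the rules in `PostUp`/`PostDown` in `do.conf` and enabling the unit with `systemctl enable --now wg-quick@do` lets wg-quick own their lifecycle and removes the duplicated port. The script has no `set -euo pipefail`, so a failed `apt install` or `mkdir` still falls through to key generation and config writing, and the endpoint lookup is plain-HTTP `curl icanhazip.com`, which an on-path party can answer and which silently produces `Endpoint = :51820` if curl fails — `curl -fsS https://icanhazip.com` (or the provider's metadata service, to avoid the external dependency) is the safer form. Note also that `client-config.conf` holds the client's private key and the final `cat` prints it to stdout, so it is captured in the cloud-init log and in any provisioner output that reads it.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: apt install, umask, key generation …

echo "[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = $LISTENPORT
PrivateKey = $(cat privatekey)
# Firewall/NAT rules live with the interface so wg-quick adds and removes them (%i = interface name).
PostUp = iptables -I INPUT -p udp --dport $LISTENPORT -j ACCEPT; iptables -I FORWARD -i eth0 -o %i -j ACCEPT; iptables -I FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -I FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D INPUT -p udp --dport $LISTENPORT -j ACCEPT; iptables -D FORWARD -i eth0 -o %i -j ACCEPT; iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

### Client mike-home
[Peer]
PublicKey = $(cat client/publickey)
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
" > /etc/wireguard/do.conf

# Enable forwarding before the interface comes up; the sysctl file survives reboots.
printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' > /etc/sysctl.d/wg.conf
sysctl --system
systemctl enable --now wg-quick@do

# Fail loudly if the public IP cannot be determined, and use TLS for the lookup.
PUBLIC_IP="$(curl -fsS https://icanhazip.com)"
# … unchanged: client-config.conf generation, with Endpoint = $PUBLIC_IP:$LISTENPORT …
```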
+++ b/variables.tf
@@ -0,0 +1,4 @@
+variable "do_token" {
+ type = string
+ description = "Digital Ocean API token"
+}
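Review bot: `do_token` is an API credential but the variable is not marked `sensitive = true`, so Terraform will print its value in plan/apply diagnostics wherever it is interpolated or echoed. Add `sensitive = true` to the block. Supply the value through `TF_VAR_do_token` (the provider also reads `DIGITALOCEAN_TOKEN` from the environment) rather than a `.tfvars` file that can end up committed.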