Merge branch 'master' into add-virtualenv-information

2025-09-04 19:13:04 +02:00 · 2017-02-26 20:31:57 +03:00 · 2017-02-26 20:31:57 +03:00 · 1e80f03d4c
commit 1e80f03d4c
parent 485e7e34dd 8eb208c5b7
6 changed files with 27 additions and 16 deletions
--- a/README.md
+++ b/README.md
@ -35,7 +35,7 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua

 macOS: `sudo easy_install pip`

- Linux (deb-based): `sudo apt-get update && sudo apt-get install python-pip build-essential libssl-dev libffi-dev python-dev -y`
+ Linux (deb-based): `sudo apt-get update && sudo apt-get install python-pip python-setuptools build-essential libssl-dev libffi-dev python-dev -y`

 Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/pre-install_redhat_centos_6.x.md)

--- a/roles/cloud-digitalocean/tasks/main.yml
+++ b/roles/cloud-digitalocean/tasks/main.yml
@ -14,7 +14,19 @@
      until: ssh_keys.changed != true
      retries: 10
      delay: 1
+
  rescue:
+    - name: Collect the fail error
+      digital_ocean:
+        state: absent
+        command: ssh
+        api_token: "{{ do_access_token }}"
+        name: "{{ SSH_keys.comment }}"
+      register: ssh_keys
+      ignore_errors: yes
+
+    - debug: var=ssh_keys
+
    - fail:
        msg: "Please, ensure that your API token is not read-only."

@ -51,7 +63,7 @@
    do_access_token: "{{ do_access_token }}"
    do_droplet_id: "{{ do.droplet.id }}"
    cloud_provider: digitalocean
-    ipv6_support: yes
+    ipv6_support: true

 - set_fact:
    cloud_instance_ip: "{{ do.droplet.ip_address }}"
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@ -31,8 +31,8 @@
    createhome: yes
    generate_ssh_key: yes
    shell: /bin/false
-    ssh_key_type: rsa
-    ssh_key_bits: 2048
+    ssh_key_type: ecdsa
+    ssh_key_bits: 256
    ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
    ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
    state: present
@ -41,7 +41,7 @@

 - name: The authorized keys file created
  file:
-    src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
+    src: '/var/jail/{{ item }}/.ssh/id_ecdsa.pub'
    dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
    owner: "{{ item }}"
    group: "{{ item }}"
@ -57,7 +57,7 @@
  template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts

 - name: Fetch users SSH private keys
-  fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
+  fetch: src='/var/jail/{{ item }}/.ssh/id_ecdsa' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
  with_items: "{{ users }}"

 - name: Change mode for SSH private keys
--- a/roles/vpn/tasks/iptables.yml
+++ b/roles/vpn/tasks/iptables.yml
@ -9,7 +9,7 @@

 - name: Iptables configured
  template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
-  when: ipv6_support is defined and ipv6_support == "yes"
+  when: ipv6_support is defined and ipv6_support == true
  with_items:
    - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
  notify:
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@ -1,6 +1,11 @@
 - name: Gather Facts
  setup:

+- name: Enable IPv6
+  set_fact:
+    ipv6_support: true
+  when: ansible_default_ipv6.gateway is defined
+
 - name: Generate password for the CA key
  shell: >
    < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-12};echo;
@ -17,7 +22,7 @@
  when: Win10_Enabled is defined and Win10_Enabled == "Y"

 - name: Install StrongSwan
-  apt: name=strongswan state=latest update_cache=yes
+  apt: name=strongswan state=latest update_cache=yes install_recommends=yes

 - name: Enforcing ipsec with apparmor
  shell: aa-enforce "{{ item }}"
@ -46,9 +51,8 @@

 - name: Configure ip6tables so IPSec traffic can traverse the tunnel
  iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE
-  when: ((security_enabled is not defined) or
-        (security_enabled is defined and security_enabled != "y")) and
-        ipv6_support is defined and ipv6_support == "yes"
+  when: ((security_enabled is not defined) or (security_enabled is defined and security_enabled != "y")) and
+        (ipv6_support is defined and ipv6_support == true)
  notify:
    - save iptables

--- a/users.yml
+++ b/users.yml
@ -196,11 +196,6 @@
      when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
      with_items: "{{ valid_users.stdout_lines | default('null') }}"

-    - name: SSH | Fetch users SSH private keys
-      fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
-      when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
-      with_items: "{{ users }}"
-
  post_tasks:
    - debug:
        msg: