From e31f10da6da939a92b839b25d2205169ef5eecc9 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Thu, 23 Feb 2017 18:25:46 +0300
Subject: [PATCH 1/7] Fixes #255
---
 roles/cloud-digitalocean/tasks/main.yml | 2 +-
 roles/vpn/tasks/main.yml | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml
index b60a913e..e4563748 100644
--- a/roles/cloud-digitalocean/tasks/main.yml
+++ b/roles/cloud-digitalocean/tasks/main.yml
@@ -51,7 +51,7 @@ do_access_token: "{{ do_access_token }}" do_droplet_id: "{{ do.droplet.id }}" cloud_provider: digitalocean - ipv6_support: yes + ipv6_support: true - set_fact: cloud_instance_ip: "{{ do.droplet.ip_address }}"
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index dfd31eb4..ca8ef886 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -46,9 +46,8 @@ - name: Configure ip6tables so IPSec traffic can traverse the tunnel iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE - when: ((security_enabled is not defined) or - (security_enabled is defined and security_enabled != "y")) and - ipv6_support is defined and ipv6_support == "yes" + when: ((security_enabled is not defined) or (security_enabled is defined and security_enabled != "y")) and + (ipv6_support is defined and ipv6_support == true) notify: - save iptables
From 2a7dd88a3c3e6ac8cbb33ad844f016e99ef932b8 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Thu, 23 Feb 2017 18:44:30 +0300
Subject: [PATCH 2/7] Changed to ECDSA #102
---
 roles/ssh_tunneling/tasks/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml
index ba0baf29..9ade7e33 100644
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
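Review bot: The rewritten `when:` on the ip6tables MASQUERADE task now accepts only a boolean `ipv6_support == true`, so any provider role or project config that still sets `ipv6_support` as the string `"yes"` (the form the removed condition expected) makes the comparison false and the IPv6 NAT rule is silently skipped instead of failing loudly; I cannot see the other provider roles, so whether such a setter remains is inferred. Normalizing with a filter, `(ipv6_support | default(false) | bool)`, accepts both forms and also removes the separate `is defined` test. The same `== true` pattern recurs in the `roles/vpn/tasks/iptables.yml` hunk of patch 7/7, where a mismatch would leave a host with IPv6 connectivity but without the `rules.v6` firewall template applied. The clause `(security_enabled is defined and security_enabled != "y")` is redundant inside an `or` whose other arm is `security_enabled is not defined`; `security_enabled | default('') != "y"` expresses the same condition in one term.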
@@ -31,8 +31,8 @@ createhome: yes generate_ssh_key: yes shell: /bin/false - ssh_key_type: rsa - ssh_key_bits: 2048 + ssh_key_type: ecdsa + ssh_key_bits: 256 ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}' ssh_key_passphrase: "{{ easyrsa_p12_export_password }}" state: present
@@ -41,7 +41,7 @@ - name: The authorized keys file created file: - src: '/var/jail/{{ item }}/.ssh/id_rsa.pub' + src: '/var/jail/{{ item }}/.ssh/id_ecdsa.pub' dest: '/var/jail/{{ item }}/.ssh/authorized_keys' owner: "{{ item }}" group: "{{ item }}"
@@ -57,7 +57,7 @@ template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts - name: Fetch users SSH private keys - fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes + fetch: src='/var/jail/{{ item }}/.ssh/id_ecdsa' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes with_items: "{{ users }}" - name: Change mode for SSH private keys
From b8f3d43eee28d25b30bd6d1afd2056634a18efe0 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Thu, 23 Feb 2017 19:22:18 +0300
Subject: [PATCH 3/7] enable some additional debug info
---
 roles/cloud-digitalocean/tasks/main.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml
index e4563748..a4002bd7 100644
--- a/roles/cloud-digitalocean/tasks/main.yml
+++ b/roles/cloud-digitalocean/tasks/main.yml
@@ -14,7 +14,19 @@ until: ssh_keys.changed != true retries: 10 delay: 1 + rescue: + - name: Collect the fail error + digital_ocean: + state: absent + command: ssh + api_token: "{{ do_access_token }}" + name: "{{ SSH_keys.comment }}" + register: ssh_keys + ignore_errors: yes + + - debug: var=ssh_keys + - fail: msg: "Please, ensure that your API token is not read-only."
From 43c2f5c31a56c0e8bee5f0765adf084c894873e0 Mon Sep 17 00:00:00 2001
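Review bot: Switching `ssh_key_type` to `ecdsa` in the user task is not a no-op on hosts already provisioned with RSA keys: the Ansible `user` module only generates a key when the target file is absent, so a re-run creates a fresh `id_ecdsa` next to the existing `id_rsa`, the `authorized_keys` link in the `@@ -41` hunk is re-pointed to the new public key, and every `*.ssh.pem` previously fetched by the `@@ -57` hunk stops working while the old `id_rsa` private key stays behind in the jail. A comment above the task, `# Changing the key type generates a new key on re-run; previously fetched *.ssh.pem files are no longer valid`, plus a follow-up task that removes stale `id_rsa*` files, would make the upgrade path explicit. `ssh_key_bits: 256` is also worth a one-line note such as `# for ecdsa this selects the curve (256 = nistp256), not a modulus length`, since the value reads like an unusually small RSA size. The enclosing `user` task starts before the first hunk.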
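Review bot: The rescue task re-registers its own result as `ssh_keys`, overwriting the result that the failed task's `until: ssh_keys.changed != true` loop registered, so the following `debug: var=ssh_keys` prints the outcome of the cleanup call rather than the original error the rescue was added to collect; `register: ssh_keys_cleanup` on the cleanup task keeps the failure available for the debug. Dumping a whole registered result with `debug` also echoes the module's `invocation.module_args` into the play output unless the module declares the argument with `no_log`, and this call passes `api_token: "{{ do_access_token }}"`, so confirm the installed `digital_ocean` module masks it (or print only `ssh_keys.msg`) before this output lands in shared CI logs. `ignore_errors: yes` could follow patch 1/7's own convention and read `ignore_errors: true`. The enclosing block/rescue begins before the hunk.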
From: Craig
Date: Sat, 25 Feb 2017 10:07:32 -0800
Subject: [PATCH 4/7] Installs the recommended packages with strongswan, because we need the OpenSSL (#260) plugin from libstrongswan-standard-plugins for ECDH to work.
---
 roles/vpn/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index ca8ef886..f98b4c6b 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -17,7 +17,7 @@ when: Win10_Enabled is defined and Win10_Enabled == "Y" - name: Install StrongSwan - apt: name=strongswan state=latest update_cache=yes + apt: name=strongswan state=latest update_cache=yes install_recommends=yes - name: Enforcing ipsec with apparmor shell: aa-enforce "{{ item }}"
From 79f66b7fda1638903417bdfd9225754afc31d0ab Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sat, 25 Feb 2017 21:17:48 +0300
Subject: [PATCH 5/7] Update README.md. Fixes #259 `python-setuptools` is a recommended packages for which will be installed automatically for `python-pip` on a clean ubuntu 16.04 Updated README in order to avoid skipping the packages with `--no-install-recommends`
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 041c4fbb..721e211b 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ The easiest way to get an Algo server running is to let it set up a _new_ virtua macOS: `sudo easy_install pip && sudo pip install --ignore-install -r requirements.txt` - Linux (deb-based): `sudo apt-get update && sudo apt-get install python-pip build-essential libssl-dev libffi-dev python-dev -y && sudo pip install -r requirements.txt` + Linux (deb-based): `sudo apt-get update && sudo apt-get install python-pip python-setuptools build-essential libssl-dev libffi-dev python-dev -y && sudo pip install -r requirements.txt` Linux (rpm-based): See the [Pre-Install Documentation for RedHat/CentOS 6.x](docs/pre-install_redhat_centos_6.x.md)
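Review bot: `install_recommends=yes` on the StrongSwan apt task pulls in every package strongswan recommends, while the commit message names the one package actually needed, `libstrongswan-standard-plugins` (for the OpenSSL plugin); listing it explicitly, `apt: name=strongswan,libstrongswan-standard-plugins state=latest update_cache=yes`, installs exactly what ECDH requires and keeps the VPN host's installed package set — and the surface that has to be patched — as small as before. If the broad option is deliberate, a comment above the task naming which recommended package the deployment relies on would let a later maintainer tighten it safely. `state=latest` is pre-existing and not part of this change.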
From 98558c43d264560e174841843410e1c9abc88547 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sun, 26 Feb 2017 12:15:22 +0300
Subject: [PATCH 6/7] disable unneeded task
---
 users.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/users.yml b/users.yml
index 5958522b..48d6d0e5 100644
--- a/users.yml
+++ b/users.yml
@@ -196,11 +196,6 @@ when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" with_items: "{{ valid_users.stdout_lines | default('null') }}" - - name: SSH | Fetch users SSH private keys - fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes - when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" - with_items: "{{ users }}" - post_tasks: - debug: msg:
From 8eb208c5b7154277ba6b2faa4d2575246dd9ab86 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sun, 26 Feb 2017 20:17:12 +0300
Subject: [PATCH 7/7] enable ipv6 if the default gateway is defined. Fixes #244
---
 roles/vpn/tasks/iptables.yml | 2 +-
 roles/vpn/tasks/main.yml | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/roles/vpn/tasks/iptables.yml b/roles/vpn/tasks/iptables.yml
index 0088a6d4..fc065c37 100644
--- a/roles/vpn/tasks/iptables.yml
+++ b/roles/vpn/tasks/iptables.yml
@@ -9,7 +9,7 @@ - name: Iptables configured template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640 - when: ipv6_support is defined and ipv6_support == "yes" + when: ipv6_support is defined and ipv6_support == true with_items: - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 } notify:
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index f98b4c6b..9aec6045 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -1,6 +1,11 @@ - name: Gather Facts setup: +- name: Enable IPv6 + set_fact: + ipv6_support: true + when: ansible_default_ipv6.gateway is defined + - name: Generate password for the CA key shell: > < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-12};echo;
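Review bot: The new `Enable IPv6` task sets `ipv6_support: true` with `set_fact` whenever the host reports a default IPv6 gateway, and a set_fact value outranks role, inventory and config variables, so an operator or provider role that deliberately set `ipv6_support: false` is overridden with no indication; whether such an explicit `false` exists in the project config is inferred, since it is not visible here. Guarding the task with `when: ansible_default_ipv6.gateway is defined and ipv6_support is not defined` lets auto-detection fill the gap without overriding an explicit choice. Because `ipv6_support` gates the `rules.v6` firewall template in `roles/vpn/tasks/iptables.yml`, the outcome of this one task decides whether the host's IPv6 side gets any ip6tables rules at all, which deserves a comment above it such as `# Decides whether rules.v6 is applied; based on the facts gathered in the task above`.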