wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-07 07:33:52 +02:00
Code Issues Projects Releases Wiki Activity

linting

Browse source
This commit is contained in:
Jack Ivanov 2016-08-25 23:59:16 +03:00
parent ac2446dd21
commit 8c5f80bf8f
2 changed files with 21 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
roles/ssh_tunneling/tasks/main.yml
View file

@ -21,29 +21,27 @@
state: present state: present
append: yes append: yes
with_items: "{{ users }}" with_items: "{{ users }}"
- name: The authorized keys file created - name: The authorized keys file created
file: file:
src: '/var/jail/{{ item }}/.ssh/id_rsa.pub' src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
dest: '/var/jail/{{ item }}/.ssh/authorized_keys' dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
owner: "{{ item }}" owner: "{{ item }}"
group: "{{ item }}" group: "{{ item }}"
state: link state: link
with_items: "{{ users }}" with_items: "{{ users }}"
- name: Generate SSH fingerprints - name: Generate SSH fingerprints
shell: > shell: >
ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
register: ssh_fingerprints register: ssh_fingerprints
- name: The known_hosts file created - name: The known_hosts file created
template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts
- name: Fetch users SSH private keys - name: Fetch users SSH private keys
fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
with_items: "{{ users }}" with_items: "{{ users }}"
- name: Fetch the known_hosts file - name: Fetch the known_hosts file
fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}_known_hosts flat=yes fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}_known_hosts flat=yes

32
users.yml
View file

@ -14,17 +14,17 @@
- name: "server_user" - name: "server_user"
prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n" prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n"
default: "root" default: "root"
private: no private: no
- name: "ssh_tunneling_enabled" - name: "ssh_tunneling_enabled"
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "y" default: "y"
private: no private: no
- name: "easyrsa_p12_export_password" - name: "easyrsa_p12_export_password"
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
default: "vpnpw" default: "vpnpw"
private: yes private: yes
- name: "IP_subject" - name: "IP_subject"
prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n" prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
@ -51,7 +51,7 @@
become: true become: true
vars_files: vars_files:
- config.cfg - config.cfg
pre_tasks: pre_tasks:
- set_fact: - set_fact:
IP_subject_alt_name: "{{ IP_subject }}" IP_subject_alt_name: "{{ IP_subject }}"
@ -66,7 +66,7 @@
creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized' creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
with_items: "{{ users }}" with_items: "{{ users }}"
- name: Build the client's p12 - name: Build the client's p12
shell: > shell: >
openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} && openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} &&
touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized' touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
@ -84,7 +84,7 @@
- name: Revoke non-existing users - name: Revoke non-existing users
shell: > shell: >
ipsec pki --signcrl --cacert {{ easyrsa_dir }}/easyrsa3//pki/ca.crt --cakey {{ easyrsa_dir }}/easyrsa3/pki/private/ca.key --reason superseded --cert {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt > /etc/ipsec.d/crls/{{ item }}.der && ipsec pki --signcrl --cacert {{ easyrsa_dir }}/easyrsa3//pki/ca.crt --cakey {{ easyrsa_dir }}/easyrsa3/pki/private/ca.key --reason superseded --cert {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt > /etc/ipsec.d/crls/{{ item }}.der &&
./easyrsa revoke {{ item }} && ./easyrsa revoke {{ item }} &&
ipsec rereadcrls ipsec rereadcrls
args: args:
@ -117,12 +117,12 @@
- name: Fetch users mobileconfig - name: Fetch users mobileconfig
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
with_items: "{{ users }}" with_items: "{{ users }}"
- name: Fetch server CA certificate - name: Fetch server CA certificate
fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
# SSH # SSH
- name: SSH | Ensure that the system users exist - name: SSH | Ensure that the system users exist
user: user:
name: "{{ item }}" name: "{{ item }}"
@ -138,10 +138,10 @@
state: present state: present
append: yes append: yes
with_items: "{{ users }}" with_items: "{{ users }}"
when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
- name: SSH | The authorized keys file created - name: SSH | The authorized keys file created
file: file:
src: '/var/jail/{{ item }}/.ssh/id_rsa.pub' src: '/var/jail/{{ item }}/.ssh/id_rsa.pub'
dest: '/var/jail/{{ item }}/.ssh/authorized_keys' dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
owner: "{{ item }}" owner: "{{ item }}"
@ -160,11 +160,11 @@
user: user:
name: "{{ item }}" name: "{{ item }}"
state: absent state: absent
remove: yes remove: yes
force: yes force: yes
when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
with_items: "{{ valid_users.stdout_lines }}" with_items: "{{ valid_users.stdout_lines }}"
- name: SSH | Fetch users SSH private keys - name: SSH | Fetch users SSH private keys
fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
with_items: "{{ users }}" with_items: "{{ users }}"