From 97a00699b7d8b47c783bc86d177ec22cec711e41 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sun, 28 Aug 2016 23:04:59 +0300
Subject: [PATCH] new tags
---
 config.cfg | 2 +
 deploy.yml | 39 +++++++
 digitalocean.yml | 147 ------------------------
 playbooks/common.yml | 5 +
 playbooks/digitalocean.yml | 114 ++++++++++++++++++
 roles/cloud-digitalocean/tasks/main.yml | 7 +-
 roles/security/tasks/main.yml | 1 -
 7 files changed, 161 insertions(+), 154 deletions(-)
 create mode 100644 deploy.yml
 delete mode 100644 digitalocean.yml
 create mode 100644 playbooks/common.yml
 create mode 100644 playbooks/digitalocean.yml
diff --git a/config.cfg b/config.cfg
index c8178b5..cd827f3 100644
--- a/config.cfg
+++ b/config.cfg
@@ -13,6 +13,8 @@ auditd_action_mail_acct: email@example.com
 easyrsa_dir: /opt/easy-rsa-ipsec
 easyrsa_ca_expire: 3650
 easyrsa_cert_expire: 3650
+easyrsa_p12_export_password: vpnpws
+
 # If True re-init all existing certificates. (True or False)
 easyrsa_reinit_existent: False
diff --git a/deploy.yml b/deploy.yml
new file mode 100644
index 0000000..d69ed68
--- /dev/null
+++ b/deploy.yml
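Review bot: `easyrsa_p12_export_password: vpnpws` commits a fixed default for the password that protects exported client .p12 bundles (and, per the prompt it replaces, SSH private keys) into a tracked config file, whereas the deleted digitalocean.yml collected it interactively with `private: yes` and asked for at least five characters. Every deployment that does not edit config.cfg now ships client bundles protected by a value readable in this repository, and the value also differs from the old prompt default `vpnpw`, which looks accidental. I would either leave the key unset so the play fails fast when no password is supplied, or at minimum precede it with `# Password protecting exported client .p12 bundles and SSH private keys; CHANGE THIS before deploying (pass -e easyrsa_p12_export_password=... or keep it in a vault file)`.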
@@ -0,0 +1,39 @@
+- name: Configure the server and install required software
+ hosts: localhost
+ vars_files:
+ - config.cfg
+
+ roles:
+ - { role: cloud-digitalocean, tags: ['digitalocean'] }
+ - { role: cloud-ec2, tags: ['ec2'] }
+ - { role: cloud-gce, tags: ['gce'] }
+
+- name: Post-provisioning tasks
+ hosts: vpn-host
+ gather_facts: false
+ become: true
+ vars_files:
+ - config.cfg
+
+ pre_tasks:
+ - name: Common pre-tasks
+ include: playbooks/common.yml
+ tags: [ 'digitalocean', 'ec2', 'gce' ]
+
+ - name: DigitalOcean pre-tasks
+ include: playbooks/digitalocean.yml
+ tags: [ 'digitalocean', 'ec2', 'gce' ]
+
+ roles:
+ - { role: common, tags: [ 'vpn' ] }
+ - { role: security, tags: [ 'security' ] }
+ - { role: proxy, tags: [ 'proxy', 'adblock' ] }
+ - { role: dns_adblocking, tags: ['dns', 'adblock' ] }
+ - { role: logging, tags: [ 'logging' ] }
+ - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] }
+ - { role: vpn, tags: [ 'vpn' ] }
+
+
+ handlers:
+ - name: reload eth0
+ shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'
\ No newline at end of file
diff --git a/digitalocean.yml b/digitalocean.yml
deleted file mode 100644
index fad6b34..0000000
--- a/digitalocean.yml
+++ /dev/null
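Review bot: The `DigitalOcean pre-tasks` include is tagged `[ 'digitalocean', 'ec2', 'gce' ]`, so a run with `--tags ec2` or `--tags gce` still executes playbooks/digitalocean.yml, whose `uri` calls expect `do_droplet_id` and `do_access_token` that only the cloud-digitalocean role sets as host vars (see roles/cloud-digitalocean/tasks/main.yml); on EC2/GCE that is an undefined-variable failure, or a call against the wrong provider if those names happen to exist. The tag list on that include should be `tags: [ 'digitalocean' ]`, with `ec2`/`gce` reserved for their own provider pre-tasks. Also worth a comment at the top of the second play, because the security, logging and other roles that the removed prompts enabled by default (`default: "y"`) now run only when their tag is passed: `# Run with --tags <provider>,vpn,security,proxy,dns,logging,ssh_tunneling; roles whose tag is not listed are skipped`.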
@@ -1,147 +0,0 @@
-# vim:ft=ansible:
-- name: Configure the server and install required software
- hosts: localhost
-
- vars:
- regions:
- "1": "ams2"
- "2": "ams3"
- "3": "fra1"
- "4": "lon1"
- "5": "nyc1"
- "6": "nyc2"
- "7": "nyc3"
- "8": "sfo1"
- "9": "sfo2"
- "10": "sgp1"
- "11": "tor1"
- "12": "blr1"
-
- vars_prompt:
- - name: "do_access_token"
- prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n"
- private: yes
-
- - name: "do_ssh_name"
- prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n"
- private: no
-
- - name: "do_region"
- prompt: >
- What region should the server be located in?
- 1. Amsterdam (Datacenter 2)
- 2. Amsterdam (Datacenter 3)
- 3. Frankfurt
- 4. London
- 5. New York (Datacenter 1)
- 6. New York (Datacenter 2)
- 7. New York (Datacenter 3)
- 8. San Francisco (Datacenter 1)
- 9. San Francisco (Datacenter 2)
- 10. Singapore
- 11. Toronto
- 12. Bangalore
- Enter the number of your desired region:
- default: "7"
- private: no
-
- - name: "do_server_name"
- prompt: "Name the vpn server:\n"
- default: "algo.local"
- private: no
-
- - name: "dns_enabled"
- prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
- default: "y"
- private: no
-
- - name: "proxy_enabled"
- prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
- default: "y"
- private: no
-
- - name: "auditd_enabled"
- prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
- default: "y"
- private: no
-
- - name: "ssh_tunneling_enabled"
- prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
- default: "y"
- private: no
-
- - name: "security_enabled"
- prompt: "Do you want to enable the security role? (y/n):\n"
- default: "y"
- private: no
-
- - name: "easyrsa_p12_export_password"
- prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
- default: "vpnpw"
- private: yes
-
- roles:
- - cloud-digitalocean
-
-- name: Post-provisioning tasks
- hosts: vpn-host
- gather_facts: false
- become: true
- vars_files:
- - config.cfg
-
- pre_tasks:
- - name: Install prerequisites
- raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- - name: Configure defaults
- raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
-
- - name: Enable IPv6 on the droplet
- uri:
- url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
- method: POST
- body:
- type: enable_ipv6
- body_format: json
- status_code: 201
- HEADER_Authorization: "Bearer {{ do_access_token }}"
- HEADER_Content-Type: "application/json"
-
- - name: Get Droplet networks
- uri:
- url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
- method: GET
- status_code: 200
- HEADER_Authorization: "Bearer {{ do_access_token }}"
- HEADER_Content-Type: "application/json"
- register: droplet_info
-
- - name: IPv6 configured
- template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
- with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
- notify:
- - reload eth0
-
- - name: IPv6 included into the network config
- lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present
- notify:
- - reload eth0
-
- - meta: flush_handlers
-
- - name: Wait for SSH to become available
- local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320"
- become: false
-
- roles:
- - common
- - { role: security, when: security_enabled is defined and security_enabled == "y" }
- - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
- - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
- - vpn
-
- handlers:
- - name: reload eth0
- shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'
diff --git a/playbooks/common.yml b/playbooks/common.yml
new file mode 100644
index 0000000..1cf5283
--- /dev/null
+++ b/playbooks/common.yml
@@ -0,0 +1,5 @@
+- name: Install prerequisites
+ raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
+
+- name: Configure defaults
+ raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
diff --git a/playbooks/digitalocean.yml b/playbooks/digitalocean.yml
new file mode 100644
index 0000000..8973447
--- /dev/null
+++ b/playbooks/digitalocean.yml
@@ -0,0 +1,114 @@
+ #vars:
+ #regions:
+ #"1": "ams2"
+ #"2": "ams3"
+ #"3": "fra1"
+ #"4": "lon1"
+ #"5": "nyc1"
+ #"6": "nyc2"
+ #"7": "nyc3"
+ #"8": "sfo1"
+ #"9": "sfo2"
+ #"10": "sgp1"
+ #"11": "tor1"
+ #"12": "blr1"
+
+ #vars_prompt:
+ #- name: "do_access_token"
+ #prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n"
+ #private: yes
+
+ #- name: "do_ssh_name"
+ #prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n"
+ #private: no
+
+ #- name: "do_region"
+ #prompt: >
+ #What region should the server be located in?
+ #1. Amsterdam (Datacenter 2)
+ #2. Amsterdam (Datacenter 3)
+ #3. Frankfurt
+ #4. London
+ #5. New York (Datacenter 1)
+ #6. New York (Datacenter 2)
+ #7. New York (Datacenter 3)
+ #8. San Francisco (Datacenter 1)
+ #9. San Francisco (Datacenter 2)
+ #10. Singapore
+ #11. Toronto
+ #12. Bangalore
+ #Enter the number of your desired region:
+ #default: "7"
+ #private: no
+
+ #- name: "do_server_name"
+ #prompt: "Name the vpn server:\n"
+ #default: "algo.local"
+ #private: no
+
+ #- name: "dns_enabled"
+ #prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
+ #default: "y"
+ #private: no
+
+ #- name: "proxy_enabled"
+ #prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
+ #default: "y"
+ #private: no
+
+ #- name: "auditd_enabled"
+ #prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
+ #default: "y"
+ #private: no
+
+ #- name: "ssh_tunneling_enabled"
+ #prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+ #default: "y"
+ #private: no
+
+ #- name: "security_enabled"
+ #prompt: "Do you want to enable the security role? (y/n):\n"
+ #default: "y"
+ #private: no
+
+ #- name: "easyrsa_p12_export_password"
+ #prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
+ #default: "vpnpw"
+ #private: yes
+
+- name: Enable IPv6 on the droplet
+ uri:
+ url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
+ method: POST
+ body:
+ type: enable_ipv6
+ body_format: json
+ status_code: 201
+ HEADER_Authorization: "Bearer {{ do_access_token }}"
+ HEADER_Content-Type: "application/json"
+
+- name: Get Droplet networks
+ uri:
+ url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
+ method: GET
+ status_code: 200
+ HEADER_Authorization: "Bearer {{ do_access_token }}"
+ HEADER_Content-Type: "application/json"
+ register: droplet_info
+
+- name: IPv6 configured
+ template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
+ with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
+ notify:
+ - reload eth0
+
+- name: IPv6 included into the network config
+ lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present
+ notify:
+ - reload eth0
+
+- meta: flush_handlers
+
+- name: Wait for SSH to become available
+ local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320"
+ become: false
\ No newline at end of file
diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml
index ca8d7de..06bfba1 100644
--- a/roles/cloud-digitalocean/tasks/main.yml
+++ b/roles/cloud-digitalocean/tasks/main.yml
@@ -15,7 +15,7 @@
 state: present
 command: droplet
 name: "{{ do_server_name }}"
- region_id: "{{ regions[do_region] }}"
+ region_id: "{{ do_region }}"
 size_id: "512mb"
 image_id: "ubuntu-16-04-x64"
 ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}"
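Review bot: The two `uri` tasks run on the droplet itself: deploy.yml includes this file in the `hosts: vpn-host` play with `become: true`, so `do_access_token` is handed to the freshly built server and the DigitalOcean API is called from there, while the later `wait_for` task already stays on the controller via `local_action`. Add `delegate_to: localhost` and `become: false` to both `uri` tasks so the account-wide API token never leaves the machine running the playbook. Separately, the first 78 lines of this new file are the old `vars_prompt` block kept as `#` comments, including the default export password `"vpnpw"` and the region table; dead configuration belongs in git history, so delete everything above `- name: Enable IPv6 on the droplet`. The `HEADER_Authorization`/`HEADER_Content-Type` argument style is, as far as I recall, deprecated in favour of a `headers:` mapping on `uri` — worth checking against the Ansible version the project targets.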
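Review bot: `region_id: "{{ do_region }}"` now forwards the caller's value unchecked, and with the numbered prompt gone nothing in this commit defines `do_region` (nor `do_access_token`, `do_ssh_name` or `do_server_name`, which the deleted digitalocean.yml prompts used to supply), so the role only works when they arrive via `-e` and the old menu's implicit allowlist of valid region slugs is lost; the task this hunk belongs to starts above the hunk. Document the contract where the role's readers will see it, e.g. `# Required extra vars: do_access_token, do_ssh_name, do_server_name, do_region (a DigitalOcean region slug such as nyc3 or ams3)`, and fail early with `- assert: { that: [ "do_access_token is defined", "do_region is defined", "do_ssh_name is defined", "do_server_name is defined" ] }` before the droplet is created.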
@@ -31,11 +31,6 @@
 ansible_python_interpreter: "/usr/bin/python2.7"
 do_access_token: "{{ do_access_token }}"
 do_droplet_id: "{{ do.droplet.id }}"
- dns_enabled: "{{ dns_enabled }}"
- proxy_enabled: "{{ proxy_enabled }}"
- ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
- security_enabled: "{{ security_enabled }}"
- auditd_enabled: " {{ auditd_enabled }}"
 easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
 cloud_provider: digitalocean
 ipv6_support: yes
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
index 7046e2c..6ad36c5 100644
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@@ -9,7 +9,6 @@
 - name: Periodic upgrades configured
 template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644
-# Using a two-pass approach for checking directories in order to support symlinks.
 - name: Find directories for minimizing access
 stat:
 path: "{{ item }}"