Support for Ubuntu 19.04 (#1405)

* Ubuntu 19.04

* Azure to 19.04
Jack Ivanov 2019-05-30 20:57:47 +02:00 committed by GitHub
parent 71c9c16ffe
commit a2fdc509e1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 103 additions and 76 deletions


@ -51,56 +51,73 @@ custom_scripts:
- sudo env "PATH=$PATH" ./tests/ipsec-client.sh - sudo env "PATH=$PATH" ./tests/ipsec-client.sh
- sudo ./tests/ssh-tunnel.sh - sudo ./tests/ssh-tunnel.sh
stages:
- &tests-and-linters
stage: Tests
name: code checks and linters
addons:
apt:
packages:
- shellcheck
script:
- pip install ansible-lint
- shellcheck algo install.sh
- ansible-playbook main.yml --syntax-check
- ansible-lint -v *.yml
- &deploy-local
stage: Deploy
name: local deployment from docker
addons:
apt:
sources: *default_sources
packages: *default_packages
before_install: *provisioning
before_script:
- docker build -t travis/algo .
- ./tests/local-deploy.sh
- ./tests/update-users.sh
script: *tests
- &deploy-cloudinit
stage: Deploy
name: cloud-init deployment
addons:
apt:
sources: *default_sources
packages: *default_packages
env: DEPLOY=cloud-init
before_install: *provisioning
before_script:
- until sudo lxc exec algo -- test -f /var/log/cloud-init-output.log; do echo 'Log file not found, Sleep for 3 seconds'; sleep 3; done
- ( sudo lxc exec algo -- tail -f /var/log/cloud-init-output.log & )
- |
until sudo lxc exec algo -- test -f /var/lib/cloud/data/result.json; do
echo 'Cloud init is not finished. Sleep for 30 seconds';
sleep 30;
done
- sudo lxc exec algo -- test -f /opt/algo/configs/localhost/.config.yml
- sudo lxc exec algo -- tar zcf /root/algo-configs.tar -C /opt/algo/configs/ .
- sudo lxc file pull algo/root/algo-configs.tar ./
- sudo tar -C ./configs -zxf algo-configs.tar
script: *tests
matrix: matrix:
fast_finish: true fast_finish: true
include: include:
- stage: Tests - <<: *tests-and-linters
name: code checks and linters - <<: *deploy-local
addons: name: 'Ubuntu 18.04: local deployment from docker'
apt: env: DEPLOY=docker UBUNTU_VERSION=18.04
packages: - <<: *deploy-local
- shellcheck name: 'Ubuntu 19.04: local deployment from docker'
script: env: DEPLOY=docker UBUNTU_VERSION=19.04
- pip install ansible-lint - <<: *deploy-cloudinit
- shellcheck algo install.sh name: 'Ubuntu 18.04: cloud-init deployment'
- ansible-playbook main.yml --syntax-check env: DEPLOY=cloud-init UBUNTU_VERSION=18.04
- ansible-lint -v roles/*/*/*.yml playbooks/*.yml *.yml - <<: *deploy-cloudinit
name: 'Ubuntu 19.04: cloud-init deployment'
- stage: Deploy env: DEPLOY=cloud-init UBUNTU_VERSION=19.04
name: local deployment from docker
addons:
apt:
sources: *default_sources
packages: *default_packages
env: DEPLOY=docker
before_install: *provisioning
before_script:
- docker build -t travis/algo .
- ./tests/local-deploy.sh
- ./tests/update-users.sh
script: *tests
- stage: Deploy
name: cloud-init deployment
addons:
apt:
sources: *default_sources
packages: *default_packages
env: DEPLOY=cloud-init
before_install: *provisioning
before_script:
- until sudo lxc exec algo -- test -f /var/log/cloud-init-output.log; do echo 'Log file not found, Sleep for 3 seconds'; sleep 3; done
- ( sudo lxc exec algo -- tail -f /var/log/cloud-init-output.log & )
- |
until sudo lxc exec algo -- test -f /var/lib/cloud/data/result.json; do
echo 'Cloud init is not finished. Sleep for 30 seconds';
sleep 30;
done
- sudo lxc exec algo -- test -f /opt/algo/configs/localhost/.config.yml
- sudo lxc exec algo -- tar zcf /root/algo-configs.tar -C /opt/algo/configs/ .
- sudo lxc file pull algo/root/algo-configs.tar ./
- sudo tar -C ./configs -zxf algo-configs.tar
script: *tests
notifications: notifications:
email: false email: false
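Review bot: The lint step in the new `&tests-and-linters` anchor runs `ansible-lint -v *.yml`, whereas the job it replaces listed `roles/*/*/*.yml playbooks/*.yml *.yml`, so any task file that no top-level playbook pulls in appears to drop out of lint coverage (the rendered page has lost its +/- markers, so the sides are inferred from the layout). If the narrowing is deliberate, a comment above the command such as `# roles/ and playbooks/ are linted through the top-level playbooks that include them` would record that; otherwise keep the explicit globs. The `env: DEPLOY=cloud-init` left inside `&deploy-cloudinit` is overridden by every `include` entry that merges it, while `&deploy-local` carries no `env` at all, so dropping it from the anchor would make the two templates consistent.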


@ -14,7 +14,7 @@ Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC
* Blocks ads with a local DNS resolver (optional) * Blocks ads with a local DNS resolver (optional)
* Sets up limited SSH users for tunneling traffic (optional) * Sets up limited SSH users for tunneling traffic (optional)
* Based on current versions of Ubuntu and strongSwan * Based on current versions of Ubuntu and strongSwan
* Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, or your own Ubuntu 18.04 LTS server * Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, or your own Ubuntu server
## Anti-features ## Anti-features
@ -122,7 +122,7 @@ Network Manager does not support AES-GCM. In order to support Linux Desktop clie
Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind. Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
#### Ubuntu Server 18.04 example #### Ubuntu Server example
1. `sudo apt-get install strongswan libstrongswan-standard-plugins`: install strongSwan 1. `sudo apt-get install strongswan libstrongswan-standard-plugins`: install strongSwan
2. `/etc/ipsec.d/certs`: copy `<name>.crt` from `algo-master/configs/<server_ip>/ipsec/manual/<name>.crt` 2. `/etc/ipsec.d/certs`: copy `<name>.crt` from `algo-master/configs/<server_ip>/ipsec/manual/<name>.crt`


@ -126,10 +126,10 @@ SSH_keys:
cloud_providers: cloud_providers:
azure: azure:
size: Basic_A0 size: Basic_A0
image: 18.04-LTS image: 19.04
digitalocean: digitalocean:
size: s-1vcpu-1gb size: s-1vcpu-1gb
image: "ubuntu-18-04-x64" image: "ubuntu-19-04-x64"
ec2: ec2:
# Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest. # Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
# Warning: the Algo script will take approximately 6 minutes longer to complete. # Warning: the Algo script will take approximately 6 minutes longer to complete.
@ -139,11 +139,11 @@ cloud_providers:
use_existing_eip: false use_existing_eip: false
size: t2.micro size: t2.micro
image: image:
name: "ubuntu-bionic-18.04" name: "ubuntu-disco-19.04"
owner: "099720109477" owner: "099720109477"
gce: gce:
size: f1-micro size: f1-micro
image: ubuntu-1804 image: ubuntu-1904
external_static_ip: false external_static_ip: false
lightsail: lightsail:
size: nano_1_0 size: nano_1_0
@ -156,7 +156,7 @@ cloud_providers:
flavor_ram: ">=512" flavor_ram: ">=512"
image: Ubuntu-18.04 image: Ubuntu-18.04
vultr: vultr:
os: Ubuntu 18.04 x64 os: Ubuntu 19.04 x64
size: 1024 MB RAM,25 GB SSD,1.00 TB BW size: 1024 MB RAM,25 GB SSD,1.00 TB BW
local: local:
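Review bot: The default images for Azure, DigitalOcean, EC2, GCE and Vultr move from 18.04 LTS to 19.04, an interim release with a nine-month support window, so servers deployed from these defaults stop receiving security updates far sooner unless they are rebuilt or release-upgraded. Consider keeping the LTS image as the default and making 19.04 an opt-in, or at least add a comment beside the images stating the expected end of support. The `openstack` entry still reads `image: Ubuntu-18.04`, so the providers no longer agree on one release. The Azure value is also an unquoted number; `image: "19.04"` avoids float parsing, which would turn a later `19.10` into `19.1`.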


@ -34,7 +34,7 @@ What provider would you like to use?
6. Google Compute Engine 6. Google Compute Engine
7. Scaleway 7. Scaleway
8. OpenStack (DreamCompute optimised) 8. OpenStack (DreamCompute optimised)
9. Install to existing Ubuntu 18.04 server (Advanced) 9. Install to existing Ubuntu server (Advanced)
Enter the number of your desired provider Enter the number of your desired provider
: :


@ -4,7 +4,7 @@ You can use Algo to configure a local server as an AlgoVPN rather than create an
Install the Algo scripts on your server and follow the normal installation instructions, then choose: Install the Algo scripts on your server and follow the normal installation instructions, then choose:
``` ```
Install to existing Ubuntu 18.04 server (Advanced) Install to existing Ubuntu 18.04 or 19.04 server (Advanced)
``` ```
Make sure your server is running the operating system specified. Make sure your server is running the operating system specified.


@ -2,7 +2,7 @@
Algo officially supports DigitalOcean, Amazon Web Services, Microsoft Azure, and Google Cloud Engine. If you want to deploy Algo on another virtual hosting provider, that provider must support: Algo officially supports DigitalOcean, Amazon Web Services, Microsoft Azure, and Google Cloud Engine. If you want to deploy Algo on another virtual hosting provider, that provider must support:
1. the base operating system image that Algo uses (Ubuntu 18.04), and 1. the base operating system image that Algo uses (Ubuntu 18.04, 19.04), and
2. a minimum of certain kernel modules required for the strongSwan IPsec server. 2. a minimum of certain kernel modules required for the strongSwan IPsec server.
Please see the [Required Kernel Modules](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules) documentation from strongSwan for a list of the specific required modules and a script to check for them. As a first step, we recommend running their shell script to determine initial compatibility with your new hosting provider. Please see the [Required Kernel Modules](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules) documentation from strongSwan for a list of the specific required modules and a script to check for them. As a first step, we recommend running their shell script to determine initial compatibility with your new hosting provider.


@ -22,7 +22,7 @@
- Configure [Vultr](cloud-vultr.md) - Configure [Vultr](cloud-vultr.md)
* Advanced Deployment * Advanced Deployment
- Deploy to your own [FreeBSD](deploy-to-freebsd.md) server - Deploy to your own [FreeBSD](deploy-to-freebsd.md) server
- Deploy to your own [Ubuntu 18.04](deploy-to-ubuntu.md) server - Deploy to your own [Ubuntu](deploy-to-ubuntu.md) server
- Deploy to an [unsupported cloud provider](deploy-to-unsupported-cloud.md) - Deploy to an [unsupported cloud provider](deploy-to-unsupported-cloud.md)
* [FAQ](faq.md) * [FAQ](faq.md)
* [Firewalls](firewalls.md) * [Firewalls](firewalls.md)


@ -20,7 +20,7 @@
- { name: Google Compute Engine, alias: gce } - { name: Google Compute Engine, alias: gce }
- { name: Scaleway, alias: scaleway} - { name: Scaleway, alias: scaleway}
- { name: OpenStack (DreamCompute optimised), alias: openstack } - { name: OpenStack (DreamCompute optimised), alias: openstack }
- { name: Install to existing Ubuntu 18.04 server (Advanced), alias: local } - { name: Install to existing Ubuntu 18.04 or 19.04 server (Advanced), alias: local }
vars_files: vars_files:
- config.cfg - config.cfg


@ -1,6 +1,6 @@
#include <tunables/global> #include <tunables/global>
/usr/bin/dnscrypt-proxy flags=(attach_disconnected) { /usr/{s,}bin/dnscrypt-proxy flags=(attach_disconnected) {
#include <abstractions/base> #include <abstractions/base>
#include <abstractions/nameservice> #include <abstractions/nameservice>
#include <abstractions/openssl> #include <abstractions/openssl>
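Review bot: The attachment path is widened to `/usr/{s,}bin/dnscrypt-proxy` with no comment saying why; presumably the Ubuntu 19.04 archive package installs the binary under `/usr/sbin` while the PPA build uses `/usr/bin`. A line such as `# PPA build installs to /usr/bin, the distro package to /usr/sbin` above the profile header would tell the next maintainer that both locations are deliberate and should stay confined. The profile body continues outside the hunk, so whether its rules refer to the binary path again cannot be checked from here.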


@ -2,8 +2,9 @@
- name: Add the repository - name: Add the repository
apt_repository: apt_repository:
state: present state: present
codename: bionic codename: "{{ ansible_distribution_release }}"
repo: ppa:shevchuk/dnscrypt-proxy repo: ppa:shevchuk/dnscrypt-proxy
when: ansible_distribution_version is version_compare('19.04', '<')
register: result register: result
until: result is succeeded until: result is succeeded
retries: 10 retries: 10
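Review bot: With `codename: "{{ ansible_distribution_release }}"` the PPA suite now follows whatever release the host reports, and the new `when:` only excludes 19.04 and later, so a pre-19.04 host other than bionic would ask for a suite the PPA may not publish and burn through all 10 retries before failing. On 19.04 and later the package presumably comes from the Ubuntu archive instead of `ppa:shevchuk/dnscrypt-proxy`, which changes whose signing key the server trusts for this resolver; a comment on the task would make that explicit, e.g. `# 19.04+ ships dnscrypt-proxy in the archive; the PPA is only needed on older releases`. `version_compare` is the older name of the test, and `is version('19.04', '<')` is the current spelling. The task continues past the end of the hunk.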


@ -10,17 +10,26 @@
update_cache: yes update_cache: yes
install_recommends: yes install_recommends: yes
- name: Ubuntu | Enforcing ipsec with apparmor - block:
command: aa-enforce "{{ item }}" # https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1826238
- name: Ubuntu | Charon profile for apparmor configured
copy:
dest: /etc/apparmor.d/local/usr.lib.ipsec.charon
content: ' capability setpcap,'
owner: root
group: root
mode: 0644
notify: restart strongswan
- name: Ubuntu | Enforcing ipsec with apparmor
command: aa-enforce "{{ item }}"
changed_when: false
with_items:
- /usr/lib/ipsec/charon
- /usr/lib/ipsec/lookip
- /usr/lib/ipsec/stroke
tags: apparmor
when: apparmor_enabled|default(false)|bool when: apparmor_enabled|default(false)|bool
changed_when: false
with_items:
- /usr/lib/ipsec/charon
- /usr/lib/ipsec/lookip
- /usr/lib/ipsec/stroke
notify:
- restart apparmor
tags: ['apparmor']
- name: Ubuntu | Enable services - name: Ubuntu | Enable services
service: name={{ item }} enabled=yes service: name={{ item }} enabled=yes
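Review bot: The new copy task grants charon `capability setpcap` through `/etc/apparmor.d/local/usr.lib.ipsec.charon` on every Ubuntu release the role runs on, although the linked Launchpad bug may only concern the 19.04 strongSwan package; if that is the case, a per-task `when: ansible_distribution_version is version('19.04', '>=')` keeps the 18.04 profile as tight as it was. `mode: 0644` is an unquoted octal and is safer written as `mode: "0644"`. The enforce task no longer notifies `restart apparmor`, so it is worth confirming that `aa-enforce` on its own reloads the charon profile after the local override has been written.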


@ -19,7 +19,7 @@ systemctl restart lxd-bridge.service lxd-containers.service lxd.service
lxc profile set default raw.lxc lxc.aa_profile=unconfined lxc profile set default raw.lxc lxc.aa_profile=unconfined
lxc profile set default security.privileged true lxc profile set default security.privileged true
lxc profile show default lxc profile show default
lxc launch ubuntu:18.04 algo lxc launch ubuntu:${UBUNTU_VERSION} algo
ip addr ip addr
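Review bot: `lxc launch ubuntu:${UBUNTU_VERSION} algo` expands to `ubuntu:` when the variable is unset or empty, so a job that forgets to export it fails late or ends up testing an image nobody chose. Failing early keeps the tested release explicit: `lxc launch "ubuntu:${UBUNTU_VERSION:?UBUNTU_VERSION must be set}" algo`. The rest of the script lies outside the hunk.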