From b4e25a5a9afa7b8cf304163016a5a9d77598f467 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 28 Aug 2016 23:04:59 +0300 Subject: [PATCH 01/16] new tags --- config.cfg | 2 + deploy.yml | 39 +++++++ digitalocean.yml | 147 ------------------------ playbooks/common.yml | 5 + playbooks/digitalocean.yml | 114 ++++++++++++++++++ roles/cloud-digitalocean/tasks/main.yml | 7 +- roles/security/tasks/main.yml | 1 - 7 files changed, 161 insertions(+), 154 deletions(-) create mode 100644 deploy.yml delete mode 100644 digitalocean.yml create mode 100644 playbooks/common.yml create mode 100644 playbooks/digitalocean.yml diff --git a/config.cfg b/config.cfg index c8178b58..cd827f35 100644 --- a/config.cfg +++ b/config.cfg @@ -13,6 +13,8 @@ auditd_action_mail_acct: email@example.com easyrsa_dir: /opt/easy-rsa-ipsec easyrsa_ca_expire: 3650 easyrsa_cert_expire: 3650 +easyrsa_p12_export_password: vpnpws + # If True re-init all existing certificates. (True or False) easyrsa_reinit_existent: False diff --git a/deploy.yml b/deploy.yml new file mode 100644 index 00000000..d69ed68b --- /dev/null +++ b/deploy.yml 
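Review bot: `easyrsa_p12_export_password: vpnpws` commits a plaintext default export password into config.cfg, where until this commit the value was only collected by a `private: yes` prompt, so every deployment that does not override it with `-e` now protects its p12 bundles and SSH private keys with a password anyone can read in the repository. It also differs from the `vpnpw` default the deleted digitalocean.yml used, which will confuse users following older instructions. I would keep the key but leave it empty and documented, `# Set with -e on the command line; protects the exported p12 files and SSH private keys.` followed by `easyrsa_p12_export_password: ""`, and have the role that consumes it assert the value is non-empty before exporting anything.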
@@ -0,0 +1,39 @@ +- name: Configure the server and install required software + hosts: localhost + vars_files: + - config.cfg + + roles: + - { role: cloud-digitalocean, tags: ['digitalocean'] } + - { role: cloud-ec2, tags: ['ec2'] } + - { role: cloud-gce, tags: ['gce'] } + +- name: Post-provisioning tasks + hosts: vpn-host + gather_facts: false + become: true + vars_files: + - config.cfg + + pre_tasks: + - name: Common pre-tasks + include: playbooks/common.yml + tags: [ 'digitalocean', 'ec2', 'gce' ] + + - name: DigitalOcean pre-tasks + include: playbooks/digitalocean.yml + tags: [ 'digitalocean', 'ec2', 'gce' ] + + roles: + - { role: common, tags: [ 'vpn' ] } + - { role: security, tags: [ 'security' ] } + - { role: proxy, tags: [ 'proxy', 'adblock' ] } + - { role: dns_adblocking, tags: ['dns', 'adblock' ] } + - { role: logging, tags: [ 'logging' ] } + - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] } + - { role: vpn, tags: [ 'vpn' ] } + + + handlers: + - name: reload eth0 + shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' \ No newline at end of file diff --git a/digitalocean.yml b/digitalocean.yml deleted file mode 100644 index fad6b34c..00000000 --- a/digitalocean.yml +++ /dev/null 
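Review bot: The first play lists all three cloud roles with nothing but tags to keep them apart, so a run without `-t` executes cloud-ec2 and cloud-gce against undefined variables instead of stopping with a clear message. Because the per-provider playbooks and their prompts are deleted in the same commit, nothing in the tree now says which variables each tag expects; a header comment such as `# Run with -t <provider>,vpn and pass that provider's variables with -e (see README).` at the top of deploy.yml would carry that, and a `when:` guard on each cloud role (for example on the variable the role cannot run without) would turn the undefined-variable failure into a skip. The file also lacks a `---` document start and ends without a trailing newline.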
@@ -1,147 +0,0 @@ -# vim:ft=ansible: -- name: Configure the server and install required software - hosts: localhost - - vars: - regions: - "1": "ams2" - "2": "ams3" - "3": "fra1" - "4": "lon1" - "5": "nyc1" - "6": "nyc2" - "7": "nyc3" - "8": "sfo1" - "9": "sfo2" - "10": "sgp1" - "11": "tor1" - "12": "blr1" - - vars_prompt: - - name: "do_access_token" - prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n" - private: yes - - - name: "do_ssh_name" - prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n" - private: no - - - name: "do_region" - prompt: > - What region should the server be located in? - 1. Amsterdam (Datacenter 2) - 2. Amsterdam (Datacenter 3) - 3. Frankfurt - 4. London - 5. New York (Datacenter 1) - 6. New York (Datacenter 2) - 7. New York (Datacenter 3) - 8. San Francisco (Datacenter 1) - 9. San Francisco (Datacenter 2) - 10. Singapore - 11. Toronto - 12. Bangalore - Enter the number of your desired region: - default: "7" - private: no - - - name: "do_server_name" - prompt: "Name the vpn server:\n" - default: "algo.local" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? 
(y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - roles: - - cloud-digitalocean - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - - name: Enable IPv6 on the droplet - uri: - url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions" - method: POST - body: - type: enable_ipv6 - body_format: json - status_code: 201 - HEADER_Authorization: "Bearer {{ do_access_token }}" - HEADER_Content-Type: "application/json" - - - name: Get Droplet networks - uri: - url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}" - method: GET - status_code: 200 - HEADER_Authorization: "Bearer {{ do_access_token }}" - HEADER_Content-Type: "application/json" - register: droplet_info - - - name: IPv6 configured - template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644 - with_items: "{{ droplet_info.json.droplet.networks.v6 }}" - notify: - - reload eth0 - - - name: IPv6 included into the network config - lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present - notify: - - reload eth0 - - - meta: flush_handlers - - - name: Wait for SSH to become available - local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320" - become: false - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking, when: 
dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn - - handlers: - - name: reload eth0 - shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' diff --git a/playbooks/common.yml b/playbooks/common.yml new file mode 100644 index 00000000..1cf52830 --- /dev/null +++ b/playbooks/common.yml @@ -0,0 +1,5 @@ +- name: Install prerequisites + raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 + +- name: Configure defaults + raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 diff --git a/playbooks/digitalocean.yml b/playbooks/digitalocean.yml new file mode 100644 index 00000000..89734472 --- /dev/null +++ b/playbooks/digitalocean.yml 
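Review bot: Both `raw:` tasks in playbooks/common.yml prefix `sudo` even though the play that includes them already runs with `become: true`, so the command is escalated twice and will hang if the remote sudo ever asks for a password. Dropping the `sudo` and relying on become, or marking the two tasks `become: false` if they are meant to bootstrap before Python exists, leaves a single escalation path. Since `raw` always reports changed, `changed_when: false` on the `Configure defaults` task would also keep repeated runs honest.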
@@ -0,0 +1,114 @@ + #vars: + #regions: + #"1": "ams2" + #"2": "ams3" + #"3": "fra1" + #"4": "lon1" + #"5": "nyc1" + #"6": "nyc2" + #"7": "nyc3" + #"8": "sfo1" + #"9": "sfo2" + #"10": "sgp1" + #"11": "tor1" + #"12": "blr1" + + #vars_prompt: + #- name: "do_access_token" + #prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n" + #private: yes + + #- name: "do_ssh_name" + #prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n" + #private: no + + #- name: "do_region" + #prompt: > + #What region should the server be located in? + #1. Amsterdam (Datacenter 2) + #2. Amsterdam (Datacenter 3) + #3. Frankfurt + #4. London + #5. New York (Datacenter 1) + #6. New York (Datacenter 2) + #7. New York (Datacenter 3) + #8. San Francisco (Datacenter 1) + #9. San Francisco (Datacenter 2) + #10. Singapore + #11. Toronto + #12. Bangalore + #Enter the number of your desired region: + #default: "7" + #private: no + + #- name: "do_server_name" + #prompt: "Name the vpn server:\n" + #default: "algo.local" + #private: no + + #- name: "dns_enabled" + #prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" + #default: "y" + #private: no + + #- name: "proxy_enabled" + #prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" + #default: "y" + #private: no + + #- name: "auditd_enabled" + #prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" + #default: "y" + #private: no + + #- name: "ssh_tunneling_enabled" + #prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" + #default: "y" + #private: no + + #- name: "security_enabled" + #prompt: "Do you want to enable the security role? 
(y/n):\n" + #default: "y" + #private: no + + #- name: "easyrsa_p12_export_password" + #prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" + #default: "vpnpw" + #private: yes + +- name: Enable IPv6 on the droplet + uri: + url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions" + method: POST + body: + type: enable_ipv6 + body_format: json + status_code: 201 + HEADER_Authorization: "Bearer {{ do_access_token }}" + HEADER_Content-Type: "application/json" + +- name: Get Droplet networks + uri: + url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}" + method: GET + status_code: 200 + HEADER_Authorization: "Bearer {{ do_access_token }}" + HEADER_Content-Type: "application/json" + register: droplet_info + +- name: IPv6 configured + template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644 + with_items: "{{ droplet_info.json.droplet.networks.v6 }}" + notify: + - reload eth0 + +- name: IPv6 included into the network config + lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present + notify: + - reload eth0 + +- meta: flush_handlers + +- name: Wait for SSH to become available + local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320" + become: false \ No newline at end of file diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml index ca8d7de9..06bfba17 100644 --- a/roles/cloud-digitalocean/tasks/main.yml +++ b/roles/cloud-digitalocean/tasks/main.yml @@ -15,7 +15,7 @@ state: present command: droplet name: "{{ do_server_name }}" - region_id: "{{ regions[do_region] }}" + region_id: "{{ do_region }}" size_id: "512mb" image_id: "ubuntu-16-04-x64" ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}" 
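Review bot: The new playbooks/digitalocean.yml opens with roughly seventy lines of commented-out `vars`/`vars_prompt` copied from the deleted digitalocean.yml, including a commented `default: "vpnpw"` for the export password; this is dead text that will drift from the README and should be removed rather than kept as comments. Separately, `IPv6 configured` loops `with_items` over `droplet_info.json.droplet.networks.v6` but always writes the same `dest=/etc/network/interfaces.d/20-ipv6.cfg`, so if the API ever returns more than one v6 network only the last item survives; presumably exactly one is expected, and a comment stating that assumption (or passing the whole list into the template once) would make it explicit.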
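Review bot: `region_id: "{{ do_region }}"` now forwards the user-supplied string straight to the API, whereas the old `regions[do_region]` lookup could only produce one of the known slugs, so a typo is discovered only when the droplet create call fails. An `assert` task ahead of the create, e.g. `- assert: { that: do_region in ['ams2','ams3','fra1','lon1','nyc1','nyc2','nyc3','sfo1','sfo2','sgp1','tor1','blr1'] }`, keeps the validation the lookup used to give. The same loss applies to the `region: "{{ region }}"` hunks in roles/cloud-ec2/tasks/main.yml (patch 06) and the `zone: "{{ zone }}"` hunk in roles/cloud-gce/tasks/main.yml (patch 07).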
@@ -31,11 +31,6 @@ ansible_python_interpreter: "/usr/bin/python2.7" do_access_token: "{{ do_access_token }}" do_droplet_id: "{{ do.droplet.id }}" - dns_enabled: "{{ dns_enabled }}" - proxy_enabled: "{{ proxy_enabled }}" - ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" - security_enabled: "{{ security_enabled }}" - auditd_enabled: " {{ auditd_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: digitalocean ipv6_support: yes diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml index 7046e2c5..6ad36c56 100644 --- a/roles/security/tasks/main.yml +++ b/roles/security/tasks/main.yml @@ -9,7 +9,6 @@ - name: Periodic upgrades configured template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644 -# Using a two-pass approach for checking directories in order to support symlinks. - name: Find directories for minimizing access stat: path: "{{ item }}" From e29e7061e0b18f339c002f66b01c21762b6744fa Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 28 Aug 2016 23:19:41 +0300 Subject: [PATCH 02/16] additional functions --- deploy.yml | 1 - roles/cloud-ec2/tasks/main.yml | 5 ----- roles/cloud-gce/tasks/main.yml | 5 ----- roles/dns_adblocking/meta/main.yml | 4 ++++ roles/logging/meta/main.yml | 4 ++++ roles/proxy/meta/main.yml | 4 ++++ roles/security/meta/main.yml | 4 ++++ roles/ssh_tunneling/meta/main.yml | 4 ++++ roles/vpn/handlers/main.yml | 3 +++ roles/vpn/meta/main.yml | 4 ++++ 10 files changed, 27 insertions(+), 11 deletions(-) create mode 100644 roles/dns_adblocking/meta/main.yml create mode 100644 roles/logging/meta/main.yml create mode 100644 roles/proxy/meta/main.yml create mode 100644 roles/security/meta/main.yml create mode 100644 roles/ssh_tunneling/meta/main.yml create mode 100644 roles/vpn/meta/main.yml diff --git a/deploy.yml b/deploy.yml index d69ed68b..e6bcc9d7 100644 --- a/deploy.yml +++ b/deploy.yml 
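Review bot: The removed line `# Using a two-pass approach for checking directories in order to support symlinks.` in roles/security/tasks/main.yml was the only explanation of why `Find directories for minimizing access` stats each path before anything acts on it, and the task itself is unchanged in this hunk, so the comment should stay. If the stat task is no longer part of a two-pass scheme the comment should be corrected rather than deleted. The task list continues past the end of the hunk.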
@@ -25,7 +25,6 @@ tags: [ 'digitalocean', 'ec2', 'gce' ] roles: - - { role: common, tags: [ 'vpn' ] } - { role: security, tags: [ 'security' ] } - { role: proxy, tags: [ 'proxy', 'adblock' ] } - { role: dns_adblocking, tags: ['dns', 'adblock' ] } diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index 1bfb382a..6e1a9b0e 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -69,11 +69,6 @@ groupname: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" - dns_enabled: "{{ dns_enabled }}" - proxy_enabled: "{{ proxy_enabled }}" - ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" - security_enabled: "{{ security_enabled }}" - auditd_enabled: " {{ auditd_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: ec2 ipv6_support: no diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index f96690d9..07ce08ba 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml @@ -20,11 +20,6 @@ groups: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" - dns_enabled: "{{ dns_enabled }}" - proxy_enabled: "{{ proxy_enabled }}" - ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" - auditd_enabled: " {{ auditd_enabled }}" - security_enabled: "{{ security_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: gce ipv6_support: no diff --git a/roles/dns_adblocking/meta/main.yml b/roles/dns_adblocking/meta/main.yml new file mode 100644 index 00000000..325ccd93 --- /dev/null +++ b/roles/dns_adblocking/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file diff --git a/roles/logging/meta/main.yml b/roles/logging/meta/main.yml new file mode 100644 index 00000000..325ccd93 --- /dev/null +++ b/roles/logging/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file 
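Review bot: roles/dns_adblocking/meta/main.yml is created without a trailing newline (`\ No newline at end of file`), and the identical four-line content is added the same way for roles/logging, roles/proxy, roles/security, roles/ssh_tunneling and roles/vpn in this commit; only the vpn copy is fixed later, in patch 08. Adding the newline to all six now avoids another whitespace-only commit. This is a style point only.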
diff --git a/roles/proxy/meta/main.yml b/roles/proxy/meta/main.yml new file mode 100644 index 00000000..325ccd93 --- /dev/null +++ b/roles/proxy/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file diff --git a/roles/security/meta/main.yml b/roles/security/meta/main.yml new file mode 100644 index 00000000..325ccd93 --- /dev/null +++ b/roles/security/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file diff --git a/roles/ssh_tunneling/meta/main.yml b/roles/ssh_tunneling/meta/main.yml new file mode 100644 index 00000000..325ccd93 --- /dev/null +++ b/roles/ssh_tunneling/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml index a3c10f7d..a8e921a4 100644 --- a/roles/vpn/handlers/main.yml +++ b/roles/vpn/handlers/main.yml @@ -6,6 +6,9 @@ - name: restart apparmor service: name=apparmor state=restarted + +- name: save iptables + shell: service netfilter-persistent save - name: congrats debug: diff --git a/roles/vpn/meta/main.yml b/roles/vpn/meta/main.yml new file mode 100644 index 00000000..325ccd93 --- /dev/null +++ b/roles/vpn/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file From 3d0e8964f3ec304ecec1dbb07da94c5afa91a6d0 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 29 Aug 2016 00:05:20 +0300 Subject: [PATCH 03/16] global tags --- deploy.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/deploy.yml b/deploy.yml index e6bcc9d7..dd5b131a 100644 --- a/deploy.yml +++ b/deploy.yml @@ -1,5 +1,6 @@ - name: Configure the server and install required software hosts: localhost + tags: algo vars_files: - config.cfg @@ -11,6 +12,7 @@ - name: Post-provisioning tasks hosts: vpn-host gather_facts: false + tags: algo become: true vars_files: - config.cfg 
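Review bot: The new `save iptables` handler in roles/vpn/handlers/main.yml uses `shell:` for `service netfilter-persistent save`, which contains no shell syntax; `command: service netfilter-persistent save` is the narrower module and skips the shell interpretation step. Nothing in this series notifies `save iptables`, so it is either wired up outside these hunks or currently dead, which is worth confirming before merging.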
@@ -35,4 +37,5 @@ handlers: - name: reload eth0 - shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' \ No newline at end of file + shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' + \ No newline at end of file From b4b2fd9d5db21b22bb1fe00545a93f9a9bc3b671 Mon Sep 17 00:00:00 2001 From: jack Date: Sun, 18 Sep 2016 13:10:38 +0300 Subject: [PATCH 04/16] remove unused files --- README.md | 2 +- ec2.yml | 112 ------------------------------------------------------ gce.yml | 110 ----------------------------------------------------- 3 files changed, 1 insertion(+), 223 deletions(-) delete mode 100644 ec2.yml delete mode 100644 gce.yml diff --git a/README.md b/README.md index d72329fe..7896c9a2 100644 --- a/README.md +++ b/README.md 
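Review bot: The last line of deploy.yml is replaced by a whitespace-only line and the file still ends with `\ No newline at end of file`, so this hunk trades one lint finding for two. Ending the file with the handler's `shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'` line followed by a single newline is all that is needed; yamllint's trailing-spaces and new-line-at-end-of-file checks flag the current state.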
@@ -130,7 +130,7 @@ I would, but I don't know of any [suitable ones](https://github.com/trailofbits/ ### Why aren't you using OpenVPN? -OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to update and maintain the software themselves. OpenVPN depends on the security of [TLS](https://tools.ietf.org/html/rfc7457), both the protocol and its implementations, and we simply trust the server less due to [past security incidents](https://www.exploit-db.com/exploits/34879/). +OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to [update](https://www.exploit-db.com/exploits/34037/) and [maintain](https://www.exploit-db.com/exploits/20485/) the software themselves. OpenVPN depends on the security of [TLS](https://tools.ietf.org/html/rfc7457), both the [protocol](http://arstechnica.com/security/2016/08/new-attack-can-pluck-secrets-from-1-of-https-traffic-affects-top-sites/) and its [implementations](http://arstechnica.com/security/2014/04/confirmed-nasty-heartbleed-bug-exposes-openvpn-private-keys-too/), and we simply trust the server less due to past [security](https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin/blob/master/README.md) [incidents](https://www.exploit-db.com/exploits/34879/). ### Why aren't you using Alpine Linux, OpenBSD, or HardenedBSD? diff --git a/ec2.yml b/ec2.yml deleted file mode 100644 index 884e6433..00000000 --- a/ec2.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -# vim:ft=ansible: -- name: Create a sandbox instance - hosts: localhost - gather_facts: False - vars_files: - - config.cfg - vars: - instance_type: t2.nano - security_group: vpn-secgroup - regions: - "1": "us-east-1" - "2": "us-west-1" - "3": "us-west-2" - "4": "ap-south-1" - "5": "ap-northeast-2" - "6": "ap-southeast-1" - "7": "ap-southeast-2" - "8": "ap-northeast-1" - "9": "eu-central-1" - "10": "eu-west-1" - "11": "sa-east-1" - - vars_prompt: - - name: "aws_access_key" - prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" - private: yes - - - name: "aws_secret_key" - prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" - private: yes - - - name: "region" - prompt: > - What region should the server be located in? - 1. us-east-1 US East (N. Virginia) - 2. us-west-1 US West (N. California) - 3. us-west-2 US West (Oregon) - 4. ap-south-1 Asia Pacific (Mumbai) - 5. ap-northeast-2 Asia Pacific (Seoul) - 6. ap-southeast-1 Asia Pacific (Singapore) - 7. ap-southeast-2 Asia Pacific (Sydney) - 8. ap-northeast-1 Asia Pacific (Tokyo) - 9. eu-central-1 EU (Frankfurt) - 10. eu-west-1 EU (Ireland) - 11. sa-east-1 South America (São Paulo) - default: "1" - private: no - - - name: "aws_server_name" - prompt: "Name the vpn server:\n" - default: "algo.local" - private: no - - - name: "ssh_public_key" - prompt: "Enter the local path to your SSH public key:\n" - default: "~/.ssh/id_rsa.pub" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? 
(y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? (y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - roles: - - cloud-ec2 - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn diff --git a/gce.yml b/gce.yml deleted file mode 100644 index 599855ff..00000000 --- a/gce.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -# vim:ft=ansible: -- name: Configure the server and install required software - hosts: localhost - gather_facts: false - - vars: - zones: - "1": "us-central1-a" - "2": "us-central1-b" - "3": "us-central1-c" - "4": "us-central1-f" - "5": "us-east1-b" - "6": "us-east1-c" - "7": "us-east1-d" - "8": "europe-west1-b" - "9": "europe-west1-c" - "10": "europe-west1-d" - "11": "asia-east1-a" - "12": "asia-east1-b" - "13": "asia-east1-c" - - vars_prompt: - - name: "credentials_file" - prompt: "Enter the local path to your credentials JSON file [ex: ~/gogle_cloud.json] (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):\n" - private: no - - - name: "ssh_public_key" - prompt: "Enter the local path to your SSH public key:\n" - default: "~/.ssh/id_rsa.pub" - private: no - - - name: "zone" - prompt: > - What zone should the server be located in? - 1. Central US (Iowa A) - 2. Central US (Iowa B) - 3. Central US (Iowa C) - 4. Central US (Iowa F) - 5. Eastern US (South Carolina B) - 6. Eastern US (South Carolina C) - 7. Eastern US (South Carolina D) - 8. Western Europe (Belgium B) - 9. Western Europe (Belgium C) - 10. Western Europe (Belgium D) - 11. East Asia (Taiwan A) - 12. East Asia (Taiwan B) - 13. East Asia (Taiwan C) - Please choose the number of your zone. Press enter for default (#8) zone. - default: "8" - private: no - - - name: "server_name" - prompt: "Name the vpn server:\n" - default: "algo" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? 
(y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? (y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - roles: - - cloud-gce - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn From d292b45c4e20a2b96038143ddd6c2826d0f84f65 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 13:11:10 +0300 Subject: [PATCH 05/16] DO roles to tags --- roles/cloud-digitalocean/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml index 06bfba17..5a28f8f7 100644 --- a/roles/cloud-digitalocean/tasks/main.yml +++ b/roles/cloud-digitalocean/tasks/main.yml 
@@ -1,6 +1,6 @@ - name: Set the DigitalOcean Access Token fact set_fact: - do_token: "{{ do_access_token | default( lookup('env', 'DIGITALOCEAN_API_KEY') ) }}" + do_token: "{{ do_access_token }}" - name: "Getting your SSH key ID on Digital Ocean..." digital_ocean: From b3f403f24eb850c2d3cfcb1b575563223842fc7e Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 13:11:22 +0300 Subject: [PATCH 06/16] ec2 role to tags --- roles/cloud-ec2/tasks/main.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index 6e1a9b0e..4f25e1b0 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -7,7 +7,7 @@ sort: name sort_order: descending sort_end: 1 - region: "{{ regions[region] }}" + region: "{{ region }}" register: ami_search - set_fact: @@ -18,7 +18,7 @@ aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" name: VPNKEY - region: "{{ regions[region] }}" + region: "{{ region }}" key_material: "{{ item }}" with_file: "{{ ssh_public_key }}" register: keypair @@ -27,9 +27,9 @@ ec2_group: aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" - name: "{{ security_group }}" + name: vpn-secgroup description: Security group for VPN servers - region: "{{ regions[region] }}" + region: "{{ region }}" rules: - proto: udp from_port: 4500 @@ -54,11 +54,11 @@ aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" keypair: "VPNKEY" - group: "{{ security_group }}" - instance_type: "{{ instance_type }}" + group: vpn-secgroup + instance_type: t2.nano image: "{{ ami_image }}" wait: true - region: "{{ regions[region] }}" + region: "{{ region }}" instance_tags: name: "{{ aws_server_name }}" register: ec2 From 50fd767069bfa767c22b549475b6df7ee35b61b6 Mon Sep 17 00:00:00 2001 
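Review bot: Dropping `default( lookup('env', 'DIGITALOCEAN_API_KEY') )` removes the only way to hand the DigitalOcean token to the role without putting it in `-e` on the ansible-playbook command line, where it is readable by other local users through the process list and is recorded in shell history; the README example and the `algo` wrapper later in this series do exactly that. Keeping `do_token: "{{ do_access_token | default(lookup('env', 'DIGITALOCEAN_API_KEY')) }}"` costs nothing when the variable is passed and leaves the safer path open. The tasks that consume `do_token` are outside this hunk.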
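Review bot: `name: vpn-secgroup`, `group: vpn-secgroup` and `instance_type: t2.nano` in roles/cloud-ec2/tasks/main.yml replace the former `security_group` and `instance_type` variables with literals, so the instance size can no longer be chosen with `-e`, and the group name is now spelled in two separate hunks where a typo in one would silently create a second security group. Moving the two values into the role's defaults (`instance_type: t2.nano`, `security_group: vpn-secgroup`) and keeping the `{{ }}` references preserves the override the deleted ec2.yml offered without reintroducing the prompts. The README hunk in patch 09 does not list these among the ec2 variables, which should be updated if the defaults are restored.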
From: Jack Ivanov Date: Sun, 18 Sep 2016 13:11:30 +0300 Subject: [PATCH 07/16] gce role to tags --- roles/cloud-gce/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index 07ce08ba..9c12f479 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml @@ -5,7 +5,7 @@ - name: "Creating a new instance..." gce: instance_names: "{{ server_name }}" - zone: "{{ zones[zone] }}" + zone: "{{ zone }}" machine_type: n1-standard-1 image: ubuntu-1604 service_account_email: "{{ credentials_file_lookup.client_email }}" From fd33496b15e45e2efaf01f1ba1e3eab665ac5bfb Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 13:12:17 +0300 Subject: [PATCH 08/16] move to tags #80 --- deploy.yml | 9 ++++----- roles/vpn/meta/main.yml | 3 ++- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy.yml b/deploy.yml index dd5b131a..bca20ee3 100644 --- a/deploy.yml +++ b/deploy.yml @@ -20,11 +20,11 @@ pre_tasks: - name: Common pre-tasks include: playbooks/common.yml - tags: [ 'digitalocean', 'ec2', 'gce' ] + tags: [ 'digitalocean', 'ec2', 'gce', 'pre' ] - name: DigitalOcean pre-tasks include: playbooks/digitalocean.yml - tags: [ 'digitalocean', 'ec2', 'gce' ] + tags: [ 'digitalocean' ] roles: - { role: security, tags: [ 'security' ] } @@ -32,10 +32,9 @@ - { role: dns_adblocking, tags: ['dns', 'adblock' ] } - { role: logging, tags: [ 'logging' ] } - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] } - - { role: vpn, tags: [ 'vpn' ] } - + - { role: vpn, tags: [ 'vpn' ] } handlers: - name: reload eth0 shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' - \ No newline at end of file + diff --git a/roles/vpn/meta/main.yml b/roles/vpn/meta/main.yml index 325ccd93..149a6fbf 100644 --- a/roles/vpn/meta/main.yml +++ b/roles/vpn/meta/main.yml @@ -1,4 +1,5 @@ --- dependencies: - - { role: common } \ No newline at end of file + - { role: common } + 
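Review bot: With the include of playbooks/common.yml tagged `['digitalocean', 'ec2', 'gce', 'pre']`, a run that selects only server tags (for example `-t security` or `-t vpn` against an already provisioned host) skips the python2.7 bootstrap and then fails on the first non-raw module if the host has no Python; the new `common` role dependencies do not help because common.yml is a pre_task, not part of the role. Tagging the include `always` (in addition to `pre`, if the explicit selector is wanted) is the usual idiom for setup tasks that must run regardless of the selected tags. The handlers block the hunk moves is cut at the end of the hunk.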
From 86df8fda37f2701417c6bdd5f758fef4c6a8cee4 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 13:14:32 +0300 Subject: [PATCH 09/16] extend README to use roles --- README.md | 85 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 83 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7896c9a2..22924520 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,86 @@ Ansible scripts are organized into roles. The roles used by Algo are described i * SHell or BASH * libselinux-python (for RedHat based distros) +### Roles and Tags +**Cloud roles:** +- role: cloud-digitalocean, tags: digitalocean +- role: cloud-ec2, tags: ec2 +- role: cloud-gce, tags: gce + +**Server roles:** +- role: vpn, tags: vpn +- role: dns_adblocking, tags: dns, adblock +- role: proxy, tags: proxy, adblock +- role: logging, tags: logging +- role: security, tags: security +- role: ssh_tunneling, tags: ssh_tunneling + +### Cloud Providers + +**digitalocean** +*Requirement variables:* +- do_access_token +- do_ssh_name +- do_server_name +- do_region + +*Possible regions:* +- ams2 +- ams3 +- fra1 +- lon1 +- nyc1 +- nyc2 +- nyc3 +- sfo1 +- sfo2 +- sgp1 +- tor1 +- blr1 + +**gce** +*Requirement variables:* +- credentials_file +- server_name +- ssh_public_key +- zone + +*Possible zones:* +- us-central1-a +- us-central1-b +- us-central1-c +- us-central1-f +- us-east1-b +- us-east1-c +- us-east1-d +- europe-west1-b +- europe-west1-c +- europe-west1-d +- asia-east1-a +- asia-east1-b +- asia-east1-c + +**ec2** +*Requirement variables:* +- aws_access_key +- aws_secret_key +- aws_server_name +- ssh_public_key +- region + +*Possible regions:* +- us-east-1 +- us-west-1 +- us-west-2 +- ap-south-1 +- ap-northeast-2 +- ap-southeast-1 +- ap-southeast-2 +- ap-northeast-1 +- eu-central-1 +- eu-west-1 +- sa-east-1 + ### Cloud Deployment To install the dependencies on OS X or Linux: 
@@ -84,10 +164,11 @@ sudo pip install -r requirements.txt Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. -Start the deploy and follow the instructions: +Start the deploy with extra variables and tags that you need. +Example for DigitalOcean: ``` -./algo +ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=secret_token do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2' ``` When the process is done, you can find `.mobileconfig` files and certificates in the `configs` directory. Send the `.mobileconfig` profile to users with Apple devices. Note that profile installation is supported over AirDrop. Do not send the mobileconfig file over plaintext (e.g., e-mail) since it contains the keys to access the VPN. For those using other clients, like Windows or Android, securely send them the X.509 certificates for the server and their user. From 90b5e0aad102af7ae3c3e3621cd0f4da1a5c5a4a Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 13:40:46 +0300 Subject: [PATCH 10/16] DO prompts --- algo | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/algo b/algo index 8283b3c3..5ad4e95f 100755 --- a/algo +++ b/algo 
@@ -2,6 +2,57 @@ set -e +digitalocean () { + read -p " +Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens): +: " -rs do_access_token + + read -p " +Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security): +: " -r do_ssh_name + + read -p " +Name the vpn server: +[algo.local]: " -r do_server_name + do_server_name=${do_server_name:-algo.local} + + read -p " + What region should the server be located in? + 1. Amsterdam (Datacenter 2) + 2. Amsterdam (Datacenter 3) + 3. Frankfurt + 4. London + 5. New York (Datacenter 1) + 6. New York (Datacenter 2) + 7. New York (Datacenter 3) + 8. San Francisco (Datacenter 1) + 9. San Francisco (Datacenter 2) + 10. Singapore + 11. Toronto + 12. Bangalore +Enter the number of your desired region: +[7]: " -r region + region=${region:-1} + + case "$region" in + 1) do_region="ams2" ;; + 2) do_region="ams3" ;; + 3) do_region="fra1" ;; + 4) do_region="lon1" ;; + 5) do_region="nyc1" ;; + 6) do_region="nyc2" ;; + 7) do_region="nyc3" ;; + 8) do_region="sfo1" ;; + 9) do_region="sfo2" ;; + 10) do_region="sgp1" ;; + 11) do_region="tor1" ;; + 12) do_region="blr1" ;; + esac + +ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region" + +} + algo_provisioning () { echo -n " What provider would you like to use? @@ -16,7 +67,7 @@ Enter the number of your desired provider read -r N case "$N" in - 1) CLOUD="digitalocean" ;; + 1) digitalocean; ;; 2) CLOUD="ec2" ;; 3) CLOUD="gce" ;; 4) CLOUD="non-cloud" ;; From 32be2d218345715f5d019fa09a42606ff4bd9f48 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 13:52:49 +0300 Subject: [PATCH 11/16] EC2 prompts --- algo | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 56 insertions(+), 4 deletions(-) diff --git a/algo b/algo index 5ad4e95f..fd5a012a 100755 --- a/algo +++ b/algo 
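Review bot: The `ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token ..."` line at the end of digitalocean() puts the API token into the playbook's argv, where it is readable by every local user via `ps` or /proc/<pid>/cmdline for the whole run and may be captured by process accounting; the `-s` on the read only hides it at the terminal. Writing the extra vars to a 0600 temp file and passing `-e @file` keeps the token off the command line, and the same applies to `aws_access_key`/`aws_secret_key` in the ec2 hunk of patch 11. The region `case` also has no `*)` branch, so an out-of-range answer leaves `do_region` empty and the deploy starts with `do_region=` (the ec2 and gce prompts in patches 11 and 12 share this); `*) echo "invalid region" >&2; exit 1 ;;` closes it. The second hunk calls `digitalocean` but leaves the `ansible-playbook "${CLOUD}.yml"` after the `esac` in place, so with this commit alone option 1 deploys and then fails on a missing `.yml`; patch 11 removes that line.
```shell
# … unchanged: prompts and region case …
extra_vars="$(mktemp)"
chmod 600 "$extra_vars"
trap 'rm -f "$extra_vars"' EXIT
printf 'do_access_token: "%s"\ndo_ssh_name: "%s"\ndo_server_name: "%s"\ndo_region: "%s"\n' \
  "$do_access_token" "$do_ssh_name" "$do_server_name" "$do_region" > "$extra_vars"
ansible-playbook deploy.yml -t digitalocean,vpn -e "@$extra_vars"
```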
@@ -32,7 +32,7 @@ Name the vpn server:
 12. Bangalore
 Enter the number of your desired region:
 [7]: " -r region
- region=${region:-1}
+ region=${region:-7}
 
 case "$region" in
 1) do_region="ams2" ;;
@@ -53,6 +53,59 @@ ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_t } +ec2 () { + read -p " +Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): +: " -rs aws_access_key + + read -p " +Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): +: " -rs aws_secret_key + + read -p " +Enter the local path to your SSH public key: +: " -r ssh_public_key + + read -p " +Name the vpn server: +[algo.local]: " -r aws_server_name + aws_server_name=${aws_server_name:-algo.local} + + read -p " + What region should the server be located in? + 1. us-east-1 US East (N. Virginia) + 2. us-west-1 US West (N. California) + 3. us-west-2 US West (Oregon) + 4. ap-south-1 Asia Pacific (Mumbai) + 5. ap-northeast-2 Asia Pacific (Seoul) + 6. ap-southeast-1 Asia Pacific (Singapore) + 7. ap-southeast-2 Asia Pacific (Sydney) + 8. ap-northeast-1 Asia Pacific (Tokyo) + 9. eu-central-1 EU (Frankfurt) + 10. eu-west-1 EU (Ireland) + 11. sa-east-1 South America (São Paulo) +Enter the number of your desired region: +[1]: " -r aws_region + aws_region=${aws_region:-1} + + case "$aws_region" in + 1) region="us-east-1" ;; + 2) region="us-west-1" ;; + 3) region="us-west-2" ;; + 4) region="ap-south-1" ;; + 5) region="ap-northeast-2" ;; + 6) region="ap-southeast-1" ;; + 7) region="ap-southeast-2" ;; + 8) region="ap-northeast-1" ;; + 9) region="eu-central-1" ;; + 10) region="eu-west-1" ;; + 11) region="sa-east-1" ;; + esac + +ansible-playbook deploy.yml -t ec2,vpn -e "aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" + +} + algo_provisioning () { echo -n " What provider would you like to use? 
@@ -68,13 +121,12 @@ Enter the number of your desired provider case "$N" in 1) digitalocean; ;; - 2) CLOUD="ec2" ;; + 2) ec2; ;; 3) CLOUD="gce" ;; 4) CLOUD="non-cloud" ;; *) exit 1 ;; esac - - ansible-playbook "${CLOUD}.yml" + } user_management () { From beb3d8593b949488410a781bca5d47ba8d123fa6 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 14:03:20 +0300 Subject: [PATCH 12/16] GCE prompts --- algo | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 56 insertions(+), 3 deletions(-) diff --git a/algo b/algo index fd5a012a..66fc1767 100755 --- a/algo +++ b/algo @@ -68,8 +68,8 @@ Enter the local path to your SSH public key: read -p " Name the vpn server: -[algo.local]: " -r aws_server_name - aws_server_name=${aws_server_name:-algo.local} +[algo]: " -r aws_server_name + aws_server_name=${aws_server_name:-algo} read -p " What region should the server be located in? 
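Review bot: With `ansible-playbook "${CLOUD}.yml"` removed after the `esac`, the `3) CLOUD="gce" ;;` and `4) CLOUD="non-cloud" ;;` branches now assign a variable nothing reads, so choosing gce or non-cloud returns from algo_provisioning() with status 0 and nothing deployed. Patches 12 and 13 in this series replace those branches with `gce;` and `non_cloud;`; until they land, failing loudly is safer than a silent no-op, e.g. `3) echo "gce is not wired up yet" >&2; exit 1 ;;`. algo_provisioning() begins outside the hunk.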
@@ -106,6 +106,59 @@ ansible-playbook deploy.yml -t ec2,vpn -e "aws_access_key=$aws_access_key aws_se } +gce () { + read -p " +Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts): +: " -r credentials_file + + read -p " +Enter the local path to your SSH public key: +: " -r ssh_public_key + + read -p " +Name the vpn server: +[algo]: " -r server_name + server_name=${server_name:-algo} + + read -p " + What zone should the server be located in? + 1. Central US (Iowa A) + 2. Central US (Iowa B) + 3. Central US (Iowa C) + 4. Central US (Iowa F) + 5. Eastern US (South Carolina B) + 6. Eastern US (South Carolina C) + 7. Eastern US (South Carolina D) + 8. Western Europe (Belgium B) + 9. Western Europe (Belgium C) + 10. Western Europe (Belgium D) + 11. East Asia (Taiwan A) + 12. East Asia (Taiwan B) + 13. East Asia (Taiwan C) +Please choose the number of your zone. Press enter for default (#8) zone. +[8]: " -r region + region=${region:-8} + + case "$region" in + 1) zone="us-central1-a" ;; + 2) zone="us-central1-b" ;; + 3) zone="us-central1-c" ;; + 4) zone="us-central1-f" ;; + 5) zone="us-east1-b" ;; + 6) zone="us-east1-c" ;; + 7) zone="us-east1-d" ;; + 8) zone="europe-west1-b" ;; + 9) zone="europe-west1-c" ;; + 10) zone="europe-west1-d" ;; + 11) zone="asia-east1-a" ;; + 12) zone="asia-east1-b" ;; + 13) zone="asia-east1-c" ;; + esac + +ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone" + +} + algo_provisioning () { echo -n " What provider would you like to use? @@ -122,7 +175,7 @@ Enter the number of your desired provider case "$N" in 1) digitalocean; ;; 2) ec2; ;; - 3) CLOUD="gce" ;; + 3) gce; ;; 4) CLOUD="non-cloud" ;; *) exit 1 ;; esac From 18351270b0d18d49063742075313adeefd9b96c4 Mon Sep 17 00:00:00 2001 
From: Jack Ivanov Date: Mon, 19 Sep 2016 19:54:45 +0300 Subject: [PATCH 13/16] role for local installation --- algo | 19 +++++++- deploy.yml | 3 +- non-cloud.yml | 89 ---------------------------------- roles/cloud-gce/tasks/main.yml | 2 +- roles/local/handlers/main.yml | 0 roles/local/tasks/main.yml | 12 +++++ 6 files changed, 33 insertions(+), 92 deletions(-) delete mode 100644 non-cloud.yml create mode 100644 roles/local/handlers/main.yml create mode 100644 roles/local/tasks/main.yml diff --git a/algo b/algo index 66fc1767..d5302b40 100755 --- a/algo +++ b/algo @@ -159,6 +159,23 @@ ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file se } +non_cloud () { + read -p " +Enter IP address of your server: (use localhost for local installation) +: " -r server_ip + + read -p " +What user should we use to login on the server? (ignore if you're deploying to localhost) +[root]: " -r server_user + server_user=${server_user:-root} + + read -p " +Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate) +: " -r IP_subject + + ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject=$IP_subject" +} + algo_provisioning () { echo -n " What provider would you like to use? @@ -176,7 +193,7 @@ Enter the number of your desired provider 1) digitalocean; ;; 2) ec2; ;; 3) gce; ;; - 4) CLOUD="non-cloud" ;; + 4) non_cloud; ;; *) exit 1 ;; esac diff --git a/deploy.yml b/deploy.yml index bca20ee3..81c6d845 100644 --- a/deploy.yml +++ b/deploy.yml @@ -7,7 +7,8 @@ roles: - { role: cloud-digitalocean, tags: ['digitalocean'] } - { role: cloud-ec2, tags: ['ec2'] } - - { role: cloud-gce, tags: ['gce'] } + - { role: cloud-gce, tags: ['gce'] } + - { role: local, tags: ['local'] } - name: Post-provisioning tasks hosts: vpn-host diff --git a/non-cloud.yml b/non-cloud.yml deleted file mode 100644 index 8f5a33eb..00000000 --- a/non-cloud.yml +++ /dev/null 
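Review bot: non_cloud() runs `ansible-playbook deploy.yml -t local,vpn ...`, but deploy.yml's "Common pre-tasks" include is tagged only `digitalocean`, `ec2`, `gce` (patch 16's deploy.yml hunk below adds `pre`, still not `local`), so the python2.7 bootstrap that the deleted non-cloud.yml ran in pre_tasks is skipped for local targets. That deleted play also did `set_fact: IP_subject_alt_name: "{{ IP_subject }}"`; nothing in this patch recreates it, so unless playbooks/common.yml (not shown here) does, the address entered at the new `IP_subject` prompt may never reach the certificate's SAN — worth confirming. Adding `'local'` to the include's tags and setting `IP_subject_alt_name: "{{ IP_subject }}"` in the roles/local add_host would close both gaps; the deploy.yml hunk and the non-cloud.yml deletion belong to the same patch.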
@@ -1,89 +0,0 @@ -# vim:ft=ansible: -- hosts: localhost - gather_facts: False - vars_files: - - config.cfg - - vars_prompt: - - name: "server_ip" - prompt: "Enter IP address of your server: (use localhost for local installation)\n" - default: localhost - private: no - - - name: "server_user" - prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n" - default: "root" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? (y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - - name: "IP_subject" - prompt: "Enter the public IP address of your server: (IMPORTANT! 
This IP is used to verify the certificate)\n" - private: no - - tasks: - - name: Add the server to the vpn-host group - add_host: - hostname: "{{ server_ip }}" - groupname: vpn-host - ansible_ssh_user: "{{ server_user }}" - ansible_python_interpreter: "/usr/bin/python2.7" - dns_enabled: "{{ dns_enabled }}" - proxy_enabled: "{{ proxy_enabled }}" - ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" - security_enabled: "{{ security_enabled }}" - auditd_enabled: " {{ auditd_enabled }}" - easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" - IP_subject: "{{ IP_subject }}" - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - set_fact: - IP_subject_alt_name: "{{ IP_subject }}" - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index 9c12f479..959ec6f0 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml @@ -16,7 +16,7 @@ - name: Add the instance to an inventory group add_host: - name: "{{ google_vm.instance_data[0].public_ip}}" + name: "{{ google_vm.instance_data[0].public_ip }}" groups: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" 
diff --git a/roles/local/handlers/main.yml b/roles/local/handlers/main.yml new file mode 100644 index 00000000..e69de29b diff --git a/roles/local/tasks/main.yml b/roles/local/tasks/main.yml new file mode 100644 index 00000000..de8de4c0 --- /dev/null +++ b/roles/local/tasks/main.yml @@ -0,0 +1,12 @@ +- name: Add the instance to an inventory group + add_host: + name: "{{ server_ip }}" + groups: vpn-host + ansible_ssh_user: "{{ server_user }}" + ansible_python_interpreter: "/usr/bin/python2.7" + easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" + cloud_provider: local + +- name: Waiting for SSH to become available + local_action: "wait_for port=22 host={{ server_ip }} timeout=320" + when: server_ip != "localhost" From ebec884e739c2f9bde37f23fc320a6fa2e6a69dc Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 19 Sep 2016 19:59:45 +0300 Subject: [PATCH 14/16] some README fixes --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 22924520..2dfc9774 100644 --- a/README.md +++ b/README.md @@ -153,6 +153,12 @@ Ansible scripts are organized into roles. The roles used by Algo are described i - eu-west-1 - sa-east-1 +**local installation** +*Requirement variables:* +- server_ip +- server_user +- IP_subject + ### Cloud Deployment To install the dependencies on OS X or Linux: From 7456f4cdf536496f096492bf77dc894b1b192348 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 19 Sep 2016 20:02:25 +0300 Subject: [PATCH 15/16] README fixes --- ADVANCED.md | 81 +++++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 77 ++------------------------------------------------ 2 files changed, 83 insertions(+), 75 deletions(-) create mode 100644 ADVANCED.md diff --git a/ADVANCED.md b/ADVANCED.md new file mode 100644 index 00000000..a9384f16 --- /dev/null +++ b/ADVANCED.md 
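Review bot: `easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"` in the add_host now takes its value from config.cfg, where patch 01 of this series committed `vpnpws` as a plaintext default, whereas the deleted non-cloud.yml prompted for it with `private: yes`; a local deploy that leaves config.cfg untouched therefore protects every exported .p12 (client keys) with a password that is public in the repository. Either restore a prompt (`read -rs` in non_cloud(), passed as an extra var) or refuse to run on the default, e.g. a preceding task `- fail: msg="set easyrsa_p12_export_password in config.cfg"` with `when: easyrsa_p12_export_password == "vpnpws"`. The `ansible_ssh_user` host var is set even when `server_ip` is `localhost`; the `wait_for` is skipped in that case, but whether the connection itself is local depends on inventory settings not shown here, so `ansible_connection: local` may be needed for that path — confirm.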
@@ -0,0 +1,81 @@ +### Cloud Providers + +**digitalocean** +*Requirement variables:* +- do_access_token +- do_ssh_name +- do_server_name +- do_region + +*Possible regions:* +- ams2 +- ams3 +- fra1 +- lon1 +- nyc1 +- nyc2 +- nyc3 +- sfo1 +- sfo2 +- sgp1 +- tor1 +- blr1 + +**gce** +*Requirement variables:* +- credentials_file +- server_name +- ssh_public_key +- zone + +*Possible zones:* +- us-central1-a +- us-central1-b +- us-central1-c +- us-central1-f +- us-east1-b +- us-east1-c +- us-east1-d +- europe-west1-b +- europe-west1-c +- europe-west1-d +- asia-east1-a +- asia-east1-b +- asia-east1-c + +**ec2** +*Requirement variables:* +- aws_access_key +- aws_secret_key +- aws_server_name +- ssh_public_key +- region + +*Possible regions:* +- us-east-1 +- us-west-1 +- us-west-2 +- ap-south-1 +- ap-northeast-2 +- ap-southeast-1 +- ap-southeast-2 +- ap-northeast-1 +- eu-central-1 +- eu-west-1 +- sa-east-1 + +**local installation** +*Requirement variables:* +- server_ip +- server_user +- IP_subject + +### Deployment + +Start the deploy with extra variables and tags that you need. +Example for DigitalOcean: + +``` +ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=secret_token_abc do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2' +``` + diff --git a/README.md b/README.md index 2dfc9774..5cb7148f 100644 --- a/README.md +++ b/README.md 
@@ -87,78 +87,6 @@ Ansible scripts are organized into roles. The roles used by Algo are described i - role: security, tags: security - role: ssh_tunneling, tags: ssh_tunneling -### Cloud Providers - -**digitalocean** -*Requirement variables:* -- do_access_token -- do_ssh_name -- do_server_name -- do_region - -*Possible regions:* -- ams2 -- ams3 -- fra1 -- lon1 -- nyc1 -- nyc2 -- nyc3 -- sfo1 -- sfo2 -- sgp1 -- tor1 -- blr1 - -**gce** -*Requirement variables:* -- credentials_file -- server_name -- ssh_public_key -- zone - -*Possible zones:* -- us-central1-a -- us-central1-b -- us-central1-c -- us-central1-f -- us-east1-b -- us-east1-c -- us-east1-d -- europe-west1-b -- europe-west1-c -- europe-west1-d -- asia-east1-a -- asia-east1-b -- asia-east1-c - -**ec2** -*Requirement variables:* -- aws_access_key -- aws_secret_key -- aws_server_name -- ssh_public_key -- region - -*Possible regions:* -- us-east-1 -- us-west-1 -- us-west-2 -- ap-south-1 -- ap-northeast-2 -- ap-southeast-1 -- ap-southeast-2 -- ap-northeast-1 -- eu-central-1 -- eu-west-1 -- sa-east-1 - -**local installation** -*Requirement variables:* -- server_ip -- server_user -- IP_subject - ### Cloud Deployment To install the dependencies on OS X or Linux: 
@@ -170,11 +98,10 @@ sudo pip install -r requirements.txt Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. -Start the deploy with extra variables and tags that you need. -Example for DigitalOcean: +Start the deploy and follow the instructions: ``` -ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=secret_token do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2' +./algo ``` When the process is done, you can find `.mobileconfig` files and certificates in the `configs` directory. Send the `.mobileconfig` profile to users with Apple devices. Note that profile installation is supported over AirDrop. Do not send the mobileconfig file over plaintext (e.g., e-mail) since it contains the keys to access the VPN. For those using other clients, like Windows or Android, securely send them the X.509 certificates for the server and their user. From 98cfa18b9963d65267dc72c3ad985457999d9815 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 19 Sep 2016 20:18:27 +0300 Subject: [PATCH 16/16] linting --- deploy.yml | 18 ++++---- playbooks/common.yml | 2 +- playbooks/digitalocean.yml | 80 +---------------------------------- roles/logging/tasks/main.yml | 4 +- roles/security/tasks/main.yml | 4 +- roles/vpn/handlers/main.yml | 2 +- roles/vpn/meta/main.yml | 2 +- 7 files changed, 17 insertions(+), 95 deletions(-) diff --git a/deploy.yml b/deploy.yml index 81c6d845..4e6ca209 100644 --- a/deploy.yml +++ b/deploy.yml 
@@ -3,26 +3,26 @@ tags: algo vars_files: - config.cfg - + roles: - { role: cloud-digitalocean, tags: ['digitalocean'] } - - { role: cloud-ec2, tags: ['ec2'] } - - { role: cloud-gce, tags: ['gce'] } + - { role: cloud-ec2, tags: ['ec2'] } + - { role: cloud-gce, tags: ['gce'] } - { role: local, tags: ['local'] } - + - name: Post-provisioning tasks hosts: vpn-host gather_facts: false - tags: algo + tags: algo become: true vars_files: - config.cfg - pre_tasks: + pre_tasks: - name: Common pre-tasks include: playbooks/common.yml tags: [ 'digitalocean', 'ec2', 'gce', 'pre' ] - + - name: DigitalOcean pre-tasks include: playbooks/digitalocean.yml tags: [ 'digitalocean' ] @@ -33,9 +33,9 @@ - { role: dns_adblocking, tags: ['dns', 'adblock' ] } - { role: logging, tags: [ 'logging' ] } - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] } - - { role: vpn, tags: [ 'vpn' ] } + - { role: vpn, tags: [ 'vpn' ] } handlers: - name: reload eth0 shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' - + diff --git a/playbooks/common.yml b/playbooks/common.yml index 1cf52830..d84a6eb0 100644 --- a/playbooks/common.yml +++ b/playbooks/common.yml @@ -1,5 +1,5 @@ - name: Install prerequisites raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - + - name: Configure defaults raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 diff --git a/playbooks/digitalocean.yml b/playbooks/digitalocean.yml index 89734472..703e5d05 100644 --- a/playbooks/digitalocean.yml +++ b/playbooks/digitalocean.yml 
@@ -1,81 +1,3 @@ - #vars: - #regions: - #"1": "ams2" - #"2": "ams3" - #"3": "fra1" - #"4": "lon1" - #"5": "nyc1" - #"6": "nyc2" - #"7": "nyc3" - #"8": "sfo1" - #"9": "sfo2" - #"10": "sgp1" - #"11": "tor1" - #"12": "blr1" - - #vars_prompt: - #- name: "do_access_token" - #prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n" - #private: yes - - #- name: "do_ssh_name" - #prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n" - #private: no - - #- name: "do_region" - #prompt: > - #What region should the server be located in? - #1. Amsterdam (Datacenter 2) - #2. Amsterdam (Datacenter 3) - #3. Frankfurt - #4. London - #5. New York (Datacenter 1) - #6. New York (Datacenter 2) - #7. New York (Datacenter 3) - #8. San Francisco (Datacenter 1) - #9. San Francisco (Datacenter 2) - #10. Singapore - #11. Toronto - #12. Bangalore - #Enter the number of your desired region: - #default: "7" - #private: no - - #- name: "do_server_name" - #prompt: "Name the vpn server:\n" - #default: "algo.local" - #private: no - - #- name: "dns_enabled" - #prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - #default: "y" - #private: no - - #- name: "proxy_enabled" - #prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" - #default: "y" - #private: no - - #- name: "auditd_enabled" - #prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" - #default: "y" - #private: no - - #- name: "ssh_tunneling_enabled" - #prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - #default: "y" - #private: no - - #- name: "security_enabled" - #prompt: "Do you want to enable the security role? 
(y/n):\n" - #default: "y" - #private: no - - #- name: "easyrsa_p12_export_password" - #prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - #default: "vpnpw" - #private: yes - - name: Enable IPv6 on the droplet uri: url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions" @@ -111,4 +33,4 @@ - name: Wait for SSH to become available local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320" - become: false \ No newline at end of file + become: false diff --git a/roles/logging/tasks/main.yml b/roles/logging/tasks/main.yml index 48ed4796..13b07391 100644 --- a/roles/logging/tasks/main.yml +++ b/roles/logging/tasks/main.yml @@ -15,7 +15,7 @@ - name: Enable services service: name=auditd enabled=yes - + # Rsyslog - name: Rsyslog configured @@ -29,4 +29,4 @@ - restart rsyslog - name: Enable services - service: name=rsyslog enabled=yes + service: name=rsyslog enabled=yes diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml index 6ad36c56..f9516169 100644 --- a/roles/security/tasks/main.yml +++ b/roles/security/tasks/main.yml @@ -2,12 +2,12 @@ apt: name="{{ item }}" state=latest with_items: - unattended-upgrades - + - name: Configure unattended-upgrades template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644 - name: Periodic upgrades configured - template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644 + template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644 - name: Find directories for minimizing access stat: diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml index a8e921a4..fae797fb 100644 --- a/roles/vpn/handlers/main.yml +++ b/roles/vpn/handlers/main.yml @@ -6,7 +6,7 @@ - name: restart apparmor service: name=apparmor state=restarted - + - name: save iptables shell: service netfilter-persistent save 
diff --git a/roles/vpn/meta/main.yml b/roles/vpn/meta/main.yml index 149a6fbf..4b583d69 100644 --- a/roles/vpn/meta/main.yml +++ b/roles/vpn/meta/main.yml @@ -2,4 +2,4 @@ dependencies: - { role: common } - +