wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-06 15:13:56 +02:00
Code Issues Projects Releases Wiki Activity

Refactoring to support roles inclusion (#1365)

Browse source
This commit is contained in:
Jack Ivanov 2019-04-08 23:20:34 +03:00 committed by Dan Guido
parent 8af0efa623
commit c4ea88000b
25 changed files with 866 additions and 956 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
ansible.cfg
View file

@ -4,7 +4,8 @@ pipelining = True
retry_files_enabled = False retry_files_enabled = False
host_key_checking = False host_key_checking = False
timeout = 60 timeout = 60
stdout_callback = full_skip stdout_callback = default
display_skipped_hosts = no
[paramiko_connection] [paramiko_connection]
record_host_keys = False record_host_keys = False

40
cloud.yml
View file

@ -2,48 +2,20 @@
- name: Provision the server - name: Provision the server
hosts: localhost hosts: localhost
tags: always tags: always
become: false
vars_files: vars_files:
- config.cfg - config.cfg
pre_tasks: tasks:
- block: - block:
- name: Local pre-tasks - name: Local pre-tasks
import_tasks: playbooks/cloud-pre.yml import_tasks: playbooks/cloud-pre.yml
tags: always
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
roles: - name: Include a provisioning role
- role: cloud-digitalocean include_role:
when: algo_provider == "digitalocean" name: "{{ 'local' if algo_provider == 'local' else 'cloud-' + algo_provider }}"
- role: cloud-ec2
when: algo_provider == "ec2"
- role: cloud-vultr
when: algo_provider == "vultr"
- role: cloud-gce
when: algo_provider == "gce"
- role: cloud-azure
when: algo_provider == "azure"
- role: cloud-lightsail
when: algo_provider == "lightsail"
- role: cloud-scaleway
when: algo_provider == "scaleway"
- role: cloud-openstack
when: algo_provider == "openstack"
- role: local
when: algo_provider == "local"
post_tasks:
- block:
- name: Local post-tasks - name: Local post-tasks
import_tasks: playbooks/cloud-post.yml import_tasks: playbooks/cloud-post.yml
become: false
tags: cloud
rescue: rescue:
- debug: var=fail_hint - include_tasks: playbooks/rescue.yml
tags: always
- fail:
tags: always

22
config.cfg
View file

@ -25,6 +25,12 @@ ipsec_enabled: true
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration # https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: 2 strongswan_log_level: 2
# rightsourceip for ipsec
# ipv4
strongswan_network: 10.19.48.0/24
# ipv6
strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
# Deploy WireGuard # Deploy WireGuard
wireguard_enabled: true wireguard_enabled: true
wireguard_port: 51820 wireguard_port: 51820
@ -33,6 +39,22 @@ wireguard_port: 51820
# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence # See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
wireguard_PersistentKeepalive: 0 wireguard_PersistentKeepalive: 0
# WireGuard network configuration
_wireguard_network_ipv4:
subnet: 10.19.49.0
prefix: 24
gateway: 10.19.49.1
clients_range: 10.19.49
clients_start: 2
_wireguard_network_ipv6:
subnet: 'fd9d:bc11:4021::'
prefix: 48
gateway: 'fd9d:bc11:4021::1'
clients_range: 'fd9d:bc11:4021::'
clients_start: 2
wireguard_network_ipv4: "{{ _wireguard_network_ipv4['subnet'] }}/{{ _wireguard_network_ipv4['prefix'] }}"
wireguard_network_ipv6: "{{ _wireguard_network_ipv6['subnet'] }}/{{ _wireguard_network_ipv6['prefix'] }}"
# Reduce the MTU of the VPN tunnel # Reduce the MTU of the VPN tunnel
# Some cloud and internet providers use a smaller MTU (Maximum Transmission # Some cloud and internet providers use a smaller MTU (Maximum Transmission
# Unit) than the normal value of 1500 and if you don't reduce the MTU of your # Unit) than the normal value of 1500 and if you don't reduce the MTU of your

195
input.yml
View file

@ -25,115 +25,118 @@
- config.cfg - config.cfg
tasks: tasks:
- pause:
prompt: |
What provider would you like to use?
{% for p in providers_map %}
{{ loop.index }}. {{ p['name']}}
{% endfor %}
Enter the number of your desired provider
register: _algo_provider
when: provider is undefined
- name: Set facts based on the input
set_fact:
algo_provider: "{{ provider | default(providers_map[_algo_provider.user_input|default(omit)|int - 1]['alias']) }}"
- pause:
prompt: |
Name the vpn server
[algo]
register: _algo_server_name
when:
- server_name is undefined
- algo_provider != "local"
- block: - block:
- pause: - pause:
prompt: | prompt: |
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks? What provider would you like to use?
[y/N] {% for p in providers_map %}
register: _ondemand_cellular {{ loop.index }}. {{ p['name']}}
when: ondemand_cellular is undefined {% endfor %}
Enter the number of your desired provider
register: _algo_provider
when: provider is undefined
- name: Set facts based on the input
set_fact:
algo_provider: "{{ provider | default(providers_map[_algo_provider.user_input|default(omit)|int - 1]['alias']) }}"
- pause: - pause:
prompt: | prompt: |
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi? Name the vpn server
[y/N] [algo]
register: _ondemand_wifi register: _algo_server_name
when: ondemand_wifi is undefined
- pause:
prompt: |
List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand"
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
register: _ondemand_wifi_exclude
when: when:
- ondemand_wifi_exclude is undefined - server_name is undefined
- (ondemand_wifi|default(false)|bool) or - algo_provider != "local"
(booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false)) - block:
- pause:
prompt: |
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
register: _ondemand_cellular
when: ondemand_cellular is undefined
- pause:
prompt: |
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
register: _ondemand_wifi
when: ondemand_wifi is undefined
- pause:
prompt: |
List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand"
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
register: _ondemand_wifi_exclude
when:
- ondemand_wifi_exclude is undefined
- (ondemand_wifi|default(false)|bool) or
(booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false))
- pause:
prompt: |
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
register: _windows
when: windows is undefined
- pause:
prompt: |
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
register: _store_cakey
when: store_cakey is undefined
when: ipsec_enabled
- pause: - pause:
prompt: | prompt: |
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure) Do you want to install an ad blocking DNS resolver on this VPN server?
[y/N] [y/N]
register: _windows register: _local_dns
when: windows is undefined when: local_dns is undefined
- pause: - pause:
prompt: | prompt: |
Do you want to retain the CA key? (required to add users in the future, but less secure) Do you want each user to have their own account for SSH tunneling?
[y/N] [y/N]
register: _store_cakey register: _ssh_tunneling
when: store_cakey is undefined when: ssh_tunneling is undefined
when: ipsec_enabled
- pause: - name: Set facts based on the input
prompt: | set_fact:
Do you want to install an ad blocking DNS resolver on this VPN server? algo_server_name: >-
[y/N] {% if server_name is defined %}{% set _server = server_name %}
register: _local_dns {%- elif _algo_server_name.user_input is defined and _algo_server_name.user_input != "" %}{% set _server = _algo_server_name.user_input %}
when: local_dns is undefined {%- else %}{% set _server = defaults['server_name'] %}{% endif -%}
{{ _server | regex_replace('(?!\.)(\W|_)', '-') }}
- pause: algo_ondemand_cellular: >-
prompt: | {% if ondemand_cellular is defined %}{{ ondemand_cellular | bool }}
Do you want each user to have their own account for SSH tunneling? {%- elif _ondemand_cellular.user_input is defined and _ondemand_cellular.user_input != "" %}{{ booleans_map[_ondemand_cellular.user_input] | default(defaults['ondemand_cellular']) }}
[y/N] {%- else %}false{% endif %}
register: _ssh_tunneling algo_ondemand_wifi: >-
when: ssh_tunneling is undefined {% if ondemand_wifi is defined %}{{ ondemand_wifi | bool }}
{%- elif _ondemand_wifi.user_input is defined and _ondemand_wifi.user_input != "" %}{{ booleans_map[_ondemand_wifi.user_input] | default(defaults['ondemand_wifi']) }}
- name: Set facts based on the input {%- else %}false{% endif %}
set_fact: algo_ondemand_wifi_exclude: >-
algo_server_name: >- {% if ondemand_wifi_exclude is defined %}{{ ondemand_wifi_exclude | b64encode }}
{% if server_name is defined %}{% set _server = server_name %} {%- elif _ondemand_wifi_exclude.user_input is defined and _ondemand_wifi_exclude.user_input != "" %}{{ _ondemand_wifi_exclude.user_input | b64encode }}
{%- elif _algo_server_name.user_input is defined and _algo_server_name.user_input != "" %}{% set _server = _algo_server_name.user_input %} {%- else %}{{ '_null' | b64encode }}{% endif %}
{%- else %}{% set _server = defaults['server_name'] %}{% endif -%} algo_local_dns: >-
{{ _server | regex_replace('(?!\.)(\W|_)', '-') }} {% if local_dns is defined %}{{ local_dns | bool }}
algo_ondemand_cellular: >- {%- elif _local_dns.user_input is defined and _local_dns.user_input != "" %}{{ booleans_map[_local_dns.user_input] | default(defaults['local_dns']) }}
{% if ondemand_cellular is defined %}{{ ondemand_cellular | bool }} {%- else %}false{% endif %}
{%- elif _ondemand_cellular.user_input is defined and _ondemand_cellular.user_input != "" %}{{ booleans_map[_ondemand_cellular.user_input] | default(defaults['ondemand_cellular']) }} algo_ssh_tunneling: >-
{%- else %}false{% endif %} {% if ssh_tunneling is defined %}{{ ssh_tunneling | bool }}
algo_ondemand_wifi: >- {%- elif _ssh_tunneling.user_input is defined and _ssh_tunneling.user_input != "" %}{{ booleans_map[_ssh_tunneling.user_input] | default(defaults['ssh_tunneling']) }}
{% if ondemand_wifi is defined %}{{ ondemand_wifi | bool }} {%- else %}false{% endif %}
{%- elif _ondemand_wifi.user_input is defined and _ondemand_wifi.user_input != "" %}{{ booleans_map[_ondemand_wifi.user_input] | default(defaults['ondemand_wifi']) }} algo_windows: >-
{%- else %}false{% endif %} {% if windows is defined %}{{ windows | bool }}
algo_ondemand_wifi_exclude: >- {%- elif _windows.user_input is defined and _windows.user_input != "" %}{{ booleans_map[_windows.user_input] | default(defaults['windows']) }}
{% if ondemand_wifi_exclude is defined %}{{ ondemand_wifi_exclude | b64encode }} {%- else %}false{% endif %}
{%- elif _ondemand_wifi_exclude.user_input is defined and _ondemand_wifi_exclude.user_input != "" %}{{ _ondemand_wifi_exclude.user_input | b64encode }} algo_store_cakey: >-
{%- else %}{{ '_null' | b64encode }}{% endif %} {% if store_cakey is defined %}{{ store_cakey | bool }}
algo_local_dns: >- {%- elif _store_cakey.user_input is defined and _store_cakey.user_input != "" %}{{ booleans_map[_store_cakey.user_input] | default(defaults['store_cakey']) }}
{% if local_dns is defined %}{{ local_dns | bool }} {%- else %}false{% endif %}
{%- elif _local_dns.user_input is defined and _local_dns.user_input != "" %}{{ booleans_map[_local_dns.user_input] | default(defaults['local_dns']) }} rescue:
{%- else %}false{% endif %} - include_tasks: playbooks/rescue.yml
algo_ssh_tunneling: >-
{% if ssh_tunneling is defined %}{{ ssh_tunneling | bool }}
{%- elif _ssh_tunneling.user_input is defined and _ssh_tunneling.user_input != "" %}{{ booleans_map[_ssh_tunneling.user_input] | default(defaults['ssh_tunneling']) }}
{%- else %}false{% endif %}
algo_windows: >-
{% if windows is defined %}{{ windows | bool }}
{%- elif _windows.user_input is defined and _windows.user_input != "" %}{{ booleans_map[_windows.user_input] | default(defaults['windows']) }}
{%- else %}false{% endif %}
algo_store_cakey: >-
{% if store_cakey is defined %}{{ store_cakey | bool }}
{%- elif _store_cakey.user_input is defined and _store_cakey.user_input != "" %}{{ booleans_map[_store_cakey.user_input] | default(defaults['store_cakey']) }}
{%- else %}false{% endif %}

5
playbooks/rescue.yml Normal file
View file

@ -0,0 +1,5 @@
---
- debug:
var: fail_hint
- fail:

78
roles/cloud-azure/tasks/main.yml
View file

@ -1,47 +1,41 @@
--- ---
- name: Build python virtual environment
import_tasks: venv.yml
- block: - block:
- name: Build python virtual environment - name: Include prompts
import_tasks: venv.yml import_tasks: prompts.yml
- block: - set_fact:
- name: Include prompts algo_region: >-
import_tasks: prompts.yml {% if region is defined %}{{ region }}
{%- elif _algo_region.user_input is defined and _algo_region.user_input != "" %}{{ azure_regions[_algo_region.user_input | int -1 ]['name'] }}
{%- else %}{{ azure_regions[default_region | int - 1]['name'] }}{% endif %}
- set_fact: - name: Create AlgoVPN Server
algo_region: >- azure_rm_deployment:
{% if region is defined %}{{ region }} state: present
{%- elif _algo_region.user_input is defined and _algo_region.user_input != "" %}{{ azure_regions[_algo_region.user_input | int -1 ]['name'] }} deployment_name: "{{ algo_server_name }}"
{%- else %}{{ azure_regions[default_region | int - 1]['name'] }}{% endif %} template: "{{ lookup('file', 'deployment.json') }}"
secret: "{{ secret }}"
tenant: "{{ tenant }}"
client_id: "{{ client_id }}"
subscription_id: "{{ subscription_id }}"
resource_group_name: "{{ algo_server_name }}"
location: "{{ algo_region }}"
parameters:
sshKeyData:
value: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
WireGuardPort:
value: "{{ wireguard_port }}"
vmSize:
value: "{{ cloud_providers.azure.size }}"
imageReferenceSku:
value: "{{ cloud_providers.azure.image }}"
register: azure_rm_deployment
- name: Create AlgoVPN Server - set_fact:
azure_rm_deployment: cloud_instance_ip: "{{ azure_rm_deployment.deployment.outputs.publicIPAddresses.value }}"
state: present ansible_ssh_user: ubuntu
deployment_name: "{{ algo_server_name }}" environment:
template: "{{ lookup('file', 'deployment.json') }}" PYTHONPATH: "{{ azure_venv }}/lib/python2.7/site-packages/"
secret: "{{ secret }}"
tenant: "{{ tenant }}"
client_id: "{{ client_id }}"
subscription_id: "{{ subscription_id }}"
resource_group_name: "{{ algo_server_name }}"
location: "{{ algo_region }}"
parameters:
sshKeyData:
value: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
WireGuardPort:
value: "{{ wireguard_port }}"
vmSize:
value: "{{ cloud_providers.azure.size }}"
imageReferenceSku:
value: "{{ cloud_providers.azure.image }}"
register: azure_rm_deployment
- set_fact:
cloud_instance_ip: "{{ azure_rm_deployment.deployment.outputs.publicIPAddresses.value }}"
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ azure_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

183
roles/cloud-digitalocean/tasks/main.yml
View file

@ -1,110 +1,105 @@
---
- name: Build python virtual environment
import_tasks: venv.yml
- block: - block:
- name: Build python virtual environment - name: Include prompts
import_tasks: venv.yml import_tasks: prompts.yml
- block: - name: Set additional facts
- name: Include prompts set_fact:
import_tasks: prompts.yml algo_do_region: >-
{% if region is defined %}{{ region }}
{%- elif _algo_region.user_input is defined and _algo_region.user_input != "" %}{{ do_regions[_algo_region.user_input | int -1 ]['slug'] }}
{%- else %}{{ do_regions[default_region | int - 1]['slug'] }}{% endif %}
public_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
- name: Set additional facts - block:
set_fact: - name: "Delete the existing Algo SSH keys"
algo_do_region: >-
{% if region is defined %}{{ region }}
{%- elif _algo_region.user_input is defined and _algo_region.user_input != "" %}{{ do_regions[_algo_region.user_input | int -1 ]['slug'] }}
{%- else %}{{ do_regions[default_region | int - 1]['slug'] }}{% endif %}
public_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
- block:
- name: "Delete the existing Algo SSH keys"
digital_ocean:
state: absent
command: ssh
api_token: "{{ algo_do_token }}"
name: "{{ SSH_keys.comment }}"
register: ssh_keys
until: ssh_keys.changed != true
retries: 10
delay: 1
rescue:
- name: Collect the fail error
digital_ocean:
state: absent
command: ssh
api_token: "{{ algo_do_token }}"
name: "{{ SSH_keys.comment }}"
register: ssh_keys
ignore_errors: yes
- debug: var=ssh_keys
- fail:
msg: "Please, ensure that your API token is not read-only."
- name: "Upload the SSH key"
digital_ocean: digital_ocean:
state: present state: absent
command: ssh command: ssh
ssh_pub_key: "{{ public_key }}"
api_token: "{{ algo_do_token }}" api_token: "{{ algo_do_token }}"
name: "{{ SSH_keys.comment }}" name: "{{ SSH_keys.comment }}"
register: do_ssh_key register: ssh_keys
until: ssh_keys.changed != true
retries: 10
delay: 1
- name: "Creating a droplet..." rescue:
- name: Collect the fail error
digital_ocean: digital_ocean:
state: present state: absent
command: droplet command: ssh
name: "{{ algo_server_name }}"
region_id: "{{ algo_do_region }}"
size_id: "{{ cloud_providers.digitalocean.size }}"
image_id: "{{ cloud_providers.digitalocean.image }}"
ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}"
unique_name: yes
api_token: "{{ algo_do_token }}" api_token: "{{ algo_do_token }}"
ipv6: yes name: "{{ SSH_keys.comment }}"
register: do register: ssh_keys
ignore_errors: yes
- set_fact: - debug: var=ssh_keys
cloud_instance_ip: "{{ do.droplet.ip_address }}"
ansible_ssh_user: root
- name: Tag the droplet - fail:
digital_ocean_tag: msg: "Please, ensure that your API token is not read-only."
name: "Environment:Algo"
resource_id: "{{ do.droplet.id }}" - name: "Upload the SSH key"
digital_ocean:
state: present
command: ssh
ssh_pub_key: "{{ public_key }}"
api_token: "{{ algo_do_token }}"
name: "{{ SSH_keys.comment }}"
register: do_ssh_key
- name: "Creating a droplet..."
digital_ocean:
state: present
command: droplet
name: "{{ algo_server_name }}"
region_id: "{{ algo_do_region }}"
size_id: "{{ cloud_providers.digitalocean.size }}"
image_id: "{{ cloud_providers.digitalocean.image }}"
ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}"
unique_name: yes
api_token: "{{ algo_do_token }}"
ipv6: yes
register: do
- set_fact:
cloud_instance_ip: "{{ do.droplet.ip_address }}"
ansible_ssh_user: root
- name: Tag the droplet
digital_ocean_tag:
name: "Environment:Algo"
resource_id: "{{ do.droplet.id }}"
api_token: "{{ algo_do_token }}"
state: present
- block:
- name: "Delete the new Algo SSH key"
digital_ocean:
state: absent
command: ssh
api_token: "{{ algo_do_token }}" api_token: "{{ algo_do_token }}"
state: present name: "{{ SSH_keys.comment }}"
register: ssh_keys
until: ssh_keys.changed != true
retries: 10
delay: 1
- block: rescue:
- name: "Delete the new Algo SSH key" - name: Collect the fail error
digital_ocean: digital_ocean:
state: absent state: absent
command: ssh command: ssh
api_token: "{{ algo_do_token }}" api_token: "{{ algo_do_token }}"
name: "{{ SSH_keys.comment }}" name: "{{ SSH_keys.comment }}"
register: ssh_keys register: ssh_keys
until: ssh_keys.changed != true ignore_errors: yes
retries: 10
delay: 1
rescue: - debug: var=ssh_keys
- name: Collect the fail error
digital_ocean:
state: absent
command: ssh
api_token: "{{ algo_do_token }}"
name: "{{ SSH_keys.comment }}"
register: ssh_keys
ignore_errors: yes
- debug: var=ssh_keys - fail:
msg: "Please, ensure that your API token is not read-only."
- fail: environment:
msg: "Please, ensure that your API token is not read-only." PYTHONPATH: "{{ digitalocean_venv }}/lib/python2.7/site-packages/"
environment:
PYTHONPATH: "{{ digitalocean_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

77
roles/cloud-ec2/tasks/main.yml
View file

@ -1,48 +1,43 @@
---
- name: Build python virtual environment
import_tasks: venv.yml
- block: - block:
- name: Build python virtual environment - name: Include prompts
import_tasks: venv.yml import_tasks: prompts.yml
- block: - set_fact:
- name: Include prompts algo_region: >-
import_tasks: prompts.yml {% if region is defined %}{{ region }}
{%- elif _algo_region.user_input is defined and _algo_region.user_input != "" %}{{ aws_regions[_algo_region.user_input | int -1 ]['region_name'] }}
{%- else %}{{ aws_regions[default_region | int - 1]['region_name'] }}{% endif %}
stack_name: "{{ algo_server_name | replace('.', '-') }}"
- set_fact: - name: Locate official AMI for region
algo_region: >- ec2_ami_facts:
{% if region is defined %}{{ region }} aws_access_key: "{{ access_key }}"
{%- elif _algo_region.user_input is defined and _algo_region.user_input != "" %}{{ aws_regions[_algo_region.user_input | int -1 ]['region_name'] }} aws_secret_key: "{{ secret_key }}"
{%- else %}{{ aws_regions[default_region | int - 1]['region_name'] }}{% endif %} owners: "{{ cloud_providers.ec2.image.owner }}"
stack_name: "{{ algo_server_name | replace('.', '-') }}" region: "{{ algo_region }}"
filters:
name: "ubuntu/images/hvm-ssd/{{ cloud_providers.ec2.image.name }}-amd64-server-*"
register: ami_search
- name: Locate official AMI for region - import_tasks: encrypt_image.yml
ec2_ami_facts: when: encrypted
aws_access_key: "{{ access_key }}"
aws_secret_key: "{{ secret_key }}"
owners: "{{ cloud_providers.ec2.image.owner }}"
region: "{{ algo_region }}"
filters:
name: "ubuntu/images/hvm-ssd/{{ cloud_providers.ec2.image.name }}-amd64-server-*"
register: ami_search
- import_tasks: encrypt_image.yml - name: Set the ami id as a fact
when: encrypted set_fact:
ami_image: >-
{% if ami_search_encrypted.image_id is defined %}{{ ami_search_encrypted.image_id }}
{%- elif search_crypt.images is defined and search_crypt.images|length >= 1 %}{{ (search_crypt.images | sort(attribute='creation_date') | last)['image_id'] }}
{%- else %}{{ (ami_search.images | sort(attribute='creation_date') | last)['image_id'] }}{% endif %}
- name: Set the ami id as a fact - name: Deploy the stack
set_fact: import_tasks: cloudformation.yml
ami_image: >-
{% if ami_search_encrypted.image_id is defined %}{{ ami_search_encrypted.image_id }}
{%- elif search_crypt.images is defined and search_crypt.images|length >= 1 %}{{ (search_crypt.images | sort(attribute='creation_date') | last)['image_id'] }}
{%- else %}{{ (ami_search.images | sort(attribute='creation_date') | last)['image_id'] }}{% endif %}
- name: Deploy the stack - set_fact:
import_tasks: cloudformation.yml cloud_instance_ip: "{{ stack.stack_outputs.ElasticIP }}"
ansible_ssh_user: ubuntu
- set_fact: environment:
cloud_instance_ip: "{{ stack.stack_outputs.ElasticIP }}" PYTHONPATH: "{{ ec2_venv }}/lib/python2.7/site-packages/"
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ ec2_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

107
roles/cloud-gce/tasks/main.yml
View file

@ -1,62 +1,57 @@
---
- name: Build python virtual environment
import_tasks: venv.yml
- block: - block:
- name: Build python virtual environment - name: Include prompts
import_tasks: venv.yml import_tasks: prompts.yml
- block: - name: Network configured
- name: Include prompts gce_net:
import_tasks: prompts.yml name: "{{ algo_server_name }}"
fwname: "{{ algo_server_name }}-fw"
allowed: "udp:500,4500,{{ wireguard_port }};tcp:22"
state: "present"
mode: auto
src_range: 0.0.0.0/0
service_account_email: "{{ service_account_email }}"
credentials_file: "{{ credentials_file_path }}"
project_id: "{{ project_id }}"
- name: Network configured - block:
gce_net: - name: External IP allocated
name: "{{ algo_server_name }}" gce_eip:
fwname: "{{ algo_server_name }}-fw" service_account_email: "{{ service_account_email }}"
allowed: "udp:500,4500,{{ wireguard_port }};tcp:22" credentials_file: "{{ credentials_file_path }}"
state: "present" project_id: "{{ project_id }}"
mode: auto name: "{{ algo_server_name }}"
src_range: 0.0.0.0/0 region: "{{ algo_region.split('-')[0:2] | join('-') }}"
service_account_email: "{{ service_account_email }}" state: present
credentials_file: "{{ credentials_file_path }}" register: gce_eip
project_id: "{{ project_id }}"
- block: - name: Set External IP as a fact
- name: External IP allocated set_fact:
gce_eip: external_ip: "{{ gce_eip.address }}"
service_account_email: "{{ service_account_email }}" when: cloud_providers.gce.external_static_ip
credentials_file: "{{ credentials_file_path }}"
project_id: "{{ project_id }}"
name: "{{ algo_server_name }}"
region: "{{ algo_region.split('-')[0:2] | join('-') }}"
state: present
register: gce_eip
- name: Set External IP as a fact - name: "Creating a new instance..."
set_fact: gce:
external_ip: "{{ gce_eip.address }}" instance_names: "{{ algo_server_name }}"
when: cloud_providers.gce.external_static_ip zone: "{{ algo_region }}"
external_ip: "{{ external_ip | default('ephemeral') }}"
machine_type: "{{ cloud_providers.gce.size }}"
image: "{{ cloud_providers.gce.image }}"
service_account_email: "{{ service_account_email }}"
credentials_file: "{{ credentials_file_path }}"
project_id: "{{ project_id }}"
metadata: '{"ssh-keys":"ubuntu:{{ ssh_public_key_lookup }}"}'
network: "{{ algo_server_name }}"
tags:
- "environment-algo"
register: google_vm
- name: "Creating a new instance..." - set_fact:
gce: cloud_instance_ip: "{{ google_vm.instance_data[0].public_ip }}"
instance_names: "{{ algo_server_name }}" ansible_ssh_user: ubuntu
zone: "{{ algo_region }}" environment:
external_ip: "{{ external_ip | default('ephemeral') }}" PYTHONPATH: "{{ gce_venv }}/lib/python2.7/site-packages/"
machine_type: "{{ cloud_providers.gce.size }}"
image: "{{ cloud_providers.gce.image }}"
service_account_email: "{{ service_account_email }}"
credentials_file: "{{ credentials_file_path }}"
project_id: "{{ project_id }}"
metadata: '{"ssh-keys":"ubuntu:{{ ssh_public_key_lookup }}"}'
network: "{{ algo_server_name }}"
tags:
- "environment-algo"
register: google_vm
- set_fact:
cloud_instance_ip: "{{ google_vm.instance_data[0].public_ip }}"
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ gce_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

88
roles/cloud-lightsail/tasks/main.yml
View file

@ -1,50 +1,44 @@
---
- name: Build python virtual environment
import_tasks: venv.yml
- block: - block:
- name: Build python virtual environment - name: Include prompts
import_tasks: venv.yml import_tasks: prompts.yml
- block: - name: Create an instance
- name: Include prompts lightsail:
import_tasks: prompts.yml aws_access_key: "{{ access_key }}"
aws_secret_key: "{{ secret_key }}"
name: "{{ algo_server_name }}"
state: present
region: "{{ algo_region }}"
zone: "{{ algo_region }}a"
blueprint_id: "{{ cloud_providers.lightsail.image }}"
bundle_id: "{{ cloud_providers.lightsail.size }}"
wait_timeout: 300
open_ports:
- from_port: 4500
to_port: 4500
protocol: udp
- from_port: 500
to_port: 500
protocol: udp
- from_port: "{{ wireguard_port }}"
to_port: "{{ wireguard_port }}"
protocol: udp
user_data: |
#!/bin/bash
mkdir -p /home/ubuntu/.ssh/
echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" >> /home/ubuntu/.ssh/authorized_keys
chown -R ubuntu: /home/ubuntu/.ssh/
chmod 0700 /home/ubuntu/.ssh/
chmod 0600 /home/ubuntu/.ssh/*
test
register: algo_instance
- name: Create an instance - set_fact:
lightsail: cloud_instance_ip: "{{ algo_instance['instance']['public_ip_address'] }}"
aws_access_key: "{{ access_key }}" ansible_ssh_user: ubuntu
aws_secret_key: "{{ secret_key }}" environment:
name: "{{ algo_server_name }}" PYTHONPATH: "{{ lightsail_venv }}/lib/python2.7/site-packages/"
state: present
region: "{{ algo_region }}"
zone: "{{ algo_region }}a"
blueprint_id: "{{ cloud_providers.lightsail.image }}"
bundle_id: "{{ cloud_providers.lightsail.size }}"
wait_timeout: 300
open_ports:
- from_port: 4500
to_port: 4500
protocol: udp
- from_port: 500
to_port: 500
protocol: udp
- from_port: "{{ wireguard_port }}"
to_port: "{{ wireguard_port }}"
protocol: udp
user_data: |
#!/bin/bash
mkdir -p /home/ubuntu/.ssh/
echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" >> /home/ubuntu/.ssh/authorized_keys
chown -R ubuntu: /home/ubuntu/.ssh/
chmod 0700 /home/ubuntu/.ssh/
chmod 0600 /home/ubuntu/.ssh/*
test
register: algo_instance
- set_fact:
cloud_instance_ip: "{{ algo_instance['instance']['public_ip_address'] }}"
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ lightsail_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

141
roles/cloud-openstack/tasks/main.yml
View file

@ -3,87 +3,80 @@
msg: "OpenStack credentials are not set. Download it from the OpenStack dashboard->Compute->API Access and source it in the shell (eg: source /tmp/dhc-openrc.sh)" msg: "OpenStack credentials are not set. Download it from the OpenStack dashboard->Compute->API Access and source it in the shell (eg: source /tmp/dhc-openrc.sh)"
when: lookup('env', 'OS_AUTH_URL') == "" when: lookup('env', 'OS_AUTH_URL') == ""
- name: Build python virtual environment
import_tasks: venv.yml
- block: - block:
- name: Build python virtual environment - name: Security group created
import_tasks: venv.yml os_security_group:
state: "{{ state|default('present') }}"
name: "{{ algo_server_name }}-security_group"
description: AlgoVPN security group
register: os_security_group
- block: - name: Security rules created
- name: Security group created os_security_group_rule:
os_security_group: state: "{{ state|default('present') }}"
state: "{{ state|default('present') }}" security_group: "{{ os_security_group.id }}"
name: "{{ algo_server_name }}-security_group" protocol: "{{ item.proto }}"
description: AlgoVPN security group port_range_min: "{{ item.port_min }}"
register: os_security_group port_range_max: "{{ item.port_max }}"
remote_ip_prefix: "{{ item.range }}"
with_items:
- { proto: tcp, port_min: 22, port_max: 22, range: 0.0.0.0/0 }
- { proto: icmp, port_min: -1, port_max: -1, range: 0.0.0.0/0 }
- { proto: udp, port_min: 4500, port_max: 4500, range: 0.0.0.0/0 }
- { proto: udp, port_min: 500, port_max: 500, range: 0.0.0.0/0 }
- { proto: udp, port_min: "{{ wireguard_port }}", port_max: "{{ wireguard_port }}", range: 0.0.0.0/0 }
- name: Security rules created - name: Keypair created
os_security_group_rule: os_keypair:
state: "{{ state|default('present') }}" state: "{{ state|default('present') }}"
security_group: "{{ os_security_group.id }}" name: "{{ SSH_keys.comment|regex_replace('@', '_') }}"
protocol: "{{ item.proto }}" public_key_file: "{{ SSH_keys.public }}"
port_range_min: "{{ item.port_min }}" register: os_keypair
port_range_max: "{{ item.port_max }}"
remote_ip_prefix: "{{ item.range }}"
with_items:
- { proto: tcp, port_min: 22, port_max: 22, range: 0.0.0.0/0 }
- { proto: icmp, port_min: -1, port_max: -1, range: 0.0.0.0/0 }
- { proto: udp, port_min: 4500, port_max: 4500, range: 0.0.0.0/0 }
- { proto: udp, port_min: 500, port_max: 500, range: 0.0.0.0/0 }
- { proto: udp, port_min: "{{ wireguard_port }}", port_max: "{{ wireguard_port }}", range: 0.0.0.0/0 }
- name: Keypair created - name: Gather facts about flavors
os_keypair: os_flavor_facts:
state: "{{ state|default('present') }}" ram: "{{ cloud_providers.openstack.flavor_ram }}"
name: "{{ SSH_keys.comment|regex_replace('@', '_') }}"
public_key_file: "{{ SSH_keys.public }}"
register: os_keypair
- name: Gather facts about flavors - name: Gather facts about images
os_flavor_facts: os_image_facts:
ram: "{{ cloud_providers.openstack.flavor_ram }}" image: "{{ cloud_providers.openstack.image }}"
- name: Gather facts about images - name: Gather facts about public networks
os_image_facts: os_networks_facts:
image: "{{ cloud_providers.openstack.image }}"
- name: Gather facts about public networks - name: Set the network as a fact
os_networks_facts: set_fact:
public_network_id: "{{ item.id }}"
when:
- item['router:external']|default(omit)
- item['admin_state_up']|default(omit)
- item['status'] == 'ACTIVE'
with_items: "{{ openstack_networks }}"
- name: Set the network as a fact - name: Set facts
set_fact: set_fact:
public_network_id: "{{ item.id }}" flavor_id: "{{ (openstack_flavors | sort(attribute='ram'))[0]['id'] }}"
when: image_id: "{{ openstack_image['id'] }}"
- item['router:external']|default(omit) keypair_name: "{{ os_keypair.key.name }}"
- item['admin_state_up']|default(omit) security_group_name: "{{ os_security_group['secgroup']['name'] }}"
- item['status'] == 'ACTIVE'
with_items: "{{ openstack_networks }}"
- name: Set facts - name: Server created
set_fact: os_server:
flavor_id: "{{ (openstack_flavors | sort(attribute='ram'))[0]['id'] }}" state: "{{ state|default('present') }}"
image_id: "{{ openstack_image['id'] }}" name: "{{ algo_server_name }}"
keypair_name: "{{ os_keypair.key.name }}" image: "{{ image_id }}"
security_group_name: "{{ os_security_group['secgroup']['name'] }}" flavor: "{{ flavor_id }}"
key_name: "{{ keypair_name }}"
security_groups: "{{ security_group_name }}"
nics:
- net-id: "{{ public_network_id }}"
register: os_server
- name: Server created - set_fact:
os_server: cloud_instance_ip: "{{ os_server['openstack']['public_v4'] }}"
state: "{{ state|default('present') }}" ansible_ssh_user: ubuntu
name: "{{ algo_server_name }}" environment:
image: "{{ image_id }}" PYTHONPATH: "{{ openstack_venv }}/lib/python2.7/site-packages/"
flavor: "{{ flavor_id }}"
key_name: "{{ keypair_name }}"
security_groups: "{{ security_group_name }}"
nics:
- net-id: "{{ public_network_id }}"
register: os_server
- set_fact:
cloud_instance_ip: "{{ os_server['openstack']['public_v4'] }}"
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ openstack_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

243
roles/cloud-scaleway/tasks/main.yml
View file

@ -1,140 +1,133 @@
- block: - name: Include prompts
- name: Include prompts import_tasks: prompts.yml
import_tasks: prompts.yml
- name: Set disk size - name: Set disk size
set_fact: set_fact:
server_disk_size: 50000000000 server_disk_size: 50000000000
- name: Check server size - name: Check server size
set_fact: set_fact:
server_disk_size: 25000000000 server_disk_size: 25000000000
when: cloud_providers.scaleway.size == "START1-XS" when: cloud_providers.scaleway.size == "START1-XS"
- name: Check if server exists - name: Check if server exists
uri:
url: "https://cp-{{ algo_region }}.scaleway.com/servers"
method: GET
headers:
Content-Type: 'application/json'
X-Auth-Token: "{{ algo_scaleway_token }}"
status_code: 200
register: scaleway_servers
- name: Set server id as a fact
set_fact:
server_id: "{{ item.id }}"
no_log: true
when: algo_server_name == item.name
with_items: "{{ scaleway_servers.json.servers }}"
- name: Create a server if it doesn't exist
block:
- name: Get the organization id
uri: uri:
url: "https://cp-{{ algo_region }}.scaleway.com/servers" url: https://account.cloud.online.net/organizations
method: GET method: GET
headers: headers:
Content-Type: 'application/json' Content-Type: 'application/json'
X-Auth-Token: "{{ algo_scaleway_token }}" X-Auth-Token: "{{ algo_scaleway_token }}"
status_code: 200 status_code: 200
register: scaleway_servers register: scaleway_organizations
- name: Set organization id as a fact
set_fact:
organization_id: "{{ item.id }}"
no_log: true
when: algo_scaleway_org == item.name
with_items: "{{ scaleway_organizations.json.organizations }}"
- name: Get total count of images
uri:
url: "https://cp-{{ algo_region }}.scaleway.com/images"
method: GET
headers:
Content-Type: 'application/json'
X-Auth-Token: "{{ algo_scaleway_token }}"
status_code: 200
register: scaleway_pages
- name: Get images
uri:
url: "https://cp-{{ algo_region }}.scaleway.com/images?per_page=100&page={{ item }}"
method: GET
headers:
Content-Type: 'application/json'
X-Auth-Token: "{{ algo_scaleway_token }}"
status_code: 200
register: scaleway_images
with_sequence: start=1 end={{ ((scaleway_pages.x_total_count|int / 100)| round )|int }}
- name: Set image id as a fact
include_tasks: image_facts.yml
with_items: "{{ scaleway_images['results'] }}"
loop_control:
loop_var: outer_item
- name: Create a server
uri:
url: "https://cp-{{ algo_region }}.scaleway.com/servers/"
method: POST
headers:
Content-Type: 'application/json'
X-Auth-Token: "{{ algo_scaleway_token }}"
body:
organization: "{{ organization_id }}"
name: "{{ algo_server_name }}"
image: "{{ image_id }}"
commercial_type: "{{cloud_providers.scaleway.size }}"
enable_ipv6: true
boot_type: local
tags:
- Environment:Algo
- AUTHORIZED_KEY={{ lookup('file', SSH_keys.public)|regex_replace(' ', '_') }}
status_code: 201
body_format: json
register: algo_instance
- name: Set server id as a fact - name: Set server id as a fact
set_fact: set_fact:
server_id: "{{ item.id }}" server_id: "{{ algo_instance.json.server.id }}"
no_log: true when: server_id is not defined
when: algo_server_name == item.name
with_items: "{{ scaleway_servers.json.servers }}"
- name: Create a server if it doesn't exist - name: Power on the server
block: uri:
- name: Get the organization id url: https://cp-{{ algo_region }}.scaleway.com/servers/{{ server_id }}/action
uri: method: POST
url: https://account.cloud.online.net/organizations headers:
method: GET Content-Type: application/json
headers: X-Auth-Token: "{{ algo_scaleway_token }}"
Content-Type: 'application/json' body:
X-Auth-Token: "{{ algo_scaleway_token }}" action: poweron
status_code: 200 status_code: 202
register: scaleway_organizations body_format: json
ignore_errors: true
no_log: true
- name: Set organization id as a fact - name: Wait for the server to become running
set_fact: uri:
organization_id: "{{ item.id }}" url: "https://cp-{{ algo_region }}.scaleway.com/servers/{{ server_id }}"
no_log: true method: GET
when: algo_scaleway_org == item.name headers:
with_items: "{{ scaleway_organizations.json.organizations }}" Content-Type: 'application/json'
X-Auth-Token: "{{ algo_scaleway_token }}"
status_code: 200
until:
- algo_instance.json.server.state is defined
- algo_instance.json.server.state == "running"
retries: 20
delay: 30
register: algo_instance
- name: Get total count of images - set_fact:
uri: cloud_instance_ip: "{{ algo_instance['json']['server']['public_ip']['address'] }}"
url: "https://cp-{{ algo_region }}.scaleway.com/images" ansible_ssh_user: root
method: GET
headers:
Content-Type: 'application/json'
X-Auth-Token: "{{ algo_scaleway_token }}"
status_code: 200
register: scaleway_pages
- name: Get images
uri:
url: "https://cp-{{ algo_region }}.scaleway.com/images?per_page=100&page={{ item }}"
method: GET
headers:
Content-Type: 'application/json'
X-Auth-Token: "{{ algo_scaleway_token }}"
status_code: 200
register: scaleway_images
with_sequence: start=1 end={{ ((scaleway_pages.x_total_count|int / 100)| round )|int }}
- name: Set image id as a fact
include_tasks: image_facts.yml
with_items: "{{ scaleway_images['results'] }}"
loop_control:
loop_var: outer_item
- name: Create a server
uri:
url: "https://cp-{{ algo_region }}.scaleway.com/servers/"
method: POST
headers:
Content-Type: 'application/json'
X-Auth-Token: "{{ algo_scaleway_token }}"
body:
organization: "{{ organization_id }}"
name: "{{ algo_server_name }}"
image: "{{ image_id }}"
commercial_type: "{{cloud_providers.scaleway.size }}"
enable_ipv6: true
boot_type: local
tags:
- Environment:Algo
- AUTHORIZED_KEY={{ lookup('file', SSH_keys.public)|regex_replace(' ', '_') }}
status_code: 201
body_format: json
register: algo_instance
- name: Set server id as a fact
set_fact:
server_id: "{{ algo_instance.json.server.id }}"
when: server_id is not defined
- name: Power on the server
uri:
url: https://cp-{{ algo_region }}.scaleway.com/servers/{{ server_id }}/action
method: POST
headers:
Content-Type: application/json
X-Auth-Token: "{{ algo_scaleway_token }}"
body:
action: poweron
status_code: 202
body_format: json
ignore_errors: true
no_log: true
- name: Wait for the server to become running
uri:
url: "https://cp-{{ algo_region }}.scaleway.com/servers/{{ server_id }}"
method: GET
headers:
Content-Type: 'application/json'
X-Auth-Token: "{{ algo_scaleway_token }}"
status_code: 200
until:
- algo_instance.json.server.state is defined
- algo_instance.json.server.state == "running"
retries: 20
delay: 30
register: algo_instance
- set_fact:
cloud_instance_ip: "{{ algo_instance['json']['server']['public_ip']['address'] }}"
ansible_ssh_user: root
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

6
roles/cloud-vultr/tasks/main.yml
View file

@ -1,3 +1,4 @@
---
- block: - block:
- name: Include prompts - name: Include prompts
import_tasks: prompts.yml import_tasks: prompts.yml
@ -29,8 +30,3 @@
environment: environment:
VULTR_API_CONFIG: "{{ algo_vultr_config }}" VULTR_API_CONFIG: "{{ algo_vultr_config }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

48
roles/common/tasks/main.yml
View file

@ -1,32 +1,26 @@
--- ---
- block: - name: Check the system
- name: Check the system raw: uname -a
raw: uname -a register: OS
register: OS tags:
tags: - update-users
- update-users
- include_tasks: ubuntu.yml - include_tasks: ubuntu.yml
when: '"Ubuntu" in OS.stdout or "Linux" in OS.stdout' when: '"Ubuntu" in OS.stdout or "Linux" in OS.stdout'
tags: tags:
- update-users - update-users
- include_tasks: freebsd.yml - include_tasks: freebsd.yml
when: '"FreeBSD" in OS.stdout' when: '"FreeBSD" in OS.stdout'
tags: tags:
- update-users - update-users
- name: Sysctl tuning - name: Sysctl tuning
sysctl: name="{{ item.item }}" value="{{ item.value }}" sysctl: name="{{ item.item }}" value="{{ item.value }}"
when: item.item != "" when: item.item != ""
with_items: with_items:
- "{{ sysctl|default([]) }}" - "{{ sysctl|default([]) }}"
tags: tags:
- always - always
- meta: flush_handlers - meta: flush_handlers
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

4
roles/common/tasks/ubuntu.yml
View file

@ -97,11 +97,9 @@
- name: Install tools - name: Install tools
apt: apt:
name: "{{ item }}" name: "{{ tools|default([]) }}"
state: present state: present
update_cache: true update_cache: true
with_items:
- "{{ tools|default([]) }}"
- name: Install headers - name: Install headers
apt: apt:

4
roles/dns_adblocking/handlers/main.yml
View file

@ -3,3 +3,7 @@
- name: restart apparmor - name: restart apparmor
service: name=apparmor state=restarted service: name=apparmor state=restarted
- name: daemon-reload
systemd:
daemon_reload: true

78
roles/dns_adblocking/tasks/main.yml
View file

@ -1,52 +1,46 @@
--- ---
- block: - name: Dnsmasq installed
- name: Dnsmasq installed package: name=dnsmasq
package: name=dnsmasq
- name: The dnsmasq directory created - name: The dnsmasq directory created
file: dest=/var/lib/dnsmasq state=directory mode=0755 owner=dnsmasq group=nogroup file: dest=/var/lib/dnsmasq state=directory mode=0755 owner=dnsmasq group=nogroup
- include_tasks: ubuntu.yml - include_tasks: ubuntu.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- include_tasks: freebsd.yml - include_tasks: freebsd.yml
when: ansible_distribution == 'FreeBSD' when: ansible_distribution == 'FreeBSD'
- name: Dnsmasq configured - name: Dnsmasq configured
template: template:
src: dnsmasq.conf.j2 src: dnsmasq.conf.j2
dest: "{{ config_prefix|default('/') }}etc/dnsmasq.conf" dest: "{{ config_prefix|default('/') }}etc/dnsmasq.conf"
notify: notify:
- restart dnsmasq - restart dnsmasq
- name: Adblock script created - name: Adblock script created
template: template:
src: adblock.sh.j2 src: adblock.sh.j2
dest: /usr/local/sbin/adblock.sh dest: /usr/local/sbin/adblock.sh
owner: root owner: root
group: "{{ root_group|default('root') }}" group: "{{ root_group|default('root') }}"
mode: 0755 mode: 0755
- name: Adblock script added to cron - name: Adblock script added to cron
cron: cron:
name: Adblock hosts update name: Adblock hosts update
minute: "{{ range(0, 60) | random }}" minute: "{{ range(0, 60) | random }}"
hour: "{{ range(0, 24) | random }}" hour: "{{ range(0, 24) | random }}"
job: /usr/local/sbin/adblock.sh job: /usr/local/sbin/adblock.sh
user: root user: root
- name: Update adblock hosts - name: Update adblock hosts
command: /usr/local/sbin/adblock.sh command: /usr/local/sbin/adblock.sh
- meta: flush_handlers - meta: flush_handlers
- name: Dnsmasq enabled and started - name: Dnsmasq enabled and started
service: service:
name: dnsmasq name: dnsmasq
state: started state: started
enabled: yes enabled: yes
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

11
roles/local/tasks/main.yml
View file

@ -1,10 +1,3 @@
--- ---
- block: - name: Include prompts
- name: Include prompts import_tasks: prompts.yml
import_tasks: prompts.yml
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

210
roles/ssh_tunneling/tasks/main.yml
View file

@ -1,120 +1,114 @@
--- ---
- name: Ensure that the sshd_config file has desired options
blockinfile:
dest: /etc/ssh/sshd_config
marker: '# {mark} ANSIBLE MANAGED BLOCK ssh_tunneling_role'
block: |
Match Group algo
AllowTcpForwarding local
AllowAgentForwarding no
AllowStreamLocalForwarding no
PermitTunnel no
X11Forwarding no
notify:
- restart ssh
- name: Ensure that the algo group exist
group: name=algo state=present
- name: Ensure that the jail directory exist
file:
path: /var/jail/
state: directory
mode: 0755
owner: root
group: "{{ root_group|default('root') }}"
- block: - block:
- name: Ensure that the sshd_config file has desired options - name: Ensure that the SSH users exist
blockinfile: user:
dest: /etc/ssh/sshd_config name: "{{ item }}"
marker: '# {mark} ANSIBLE MANAGED BLOCK ssh_tunneling_role' groups: algo
block: | home: '/var/jail/{{ item }}'
Match Group algo createhome: yes
AllowTcpForwarding local generate_ssh_key: false
AllowAgentForwarding no shell: /bin/false
AllowStreamLocalForwarding no state: present
PermitTunnel no append: yes
X11Forwarding no with_items: "{{ users }}"
notify:
- restart ssh
- name: Ensure that the algo group exist - block:
group: name=algo state=present - name: Clean up the ssh-tunnel directory
- name: Ensure that the jail directory exist
file: file:
path: /var/jail/ dest: "{{ ssh_tunnels_config_path }}"
state: absent
when: keys_clean_all|bool == True
- name: Ensure the config directories exist
file:
dest: "{{ ssh_tunnels_config_path }}"
state: directory state: directory
mode: 0755 recurse: yes
owner: root mode: '0700'
group: "{{ root_group|default('root') }}"
- block: - name: Check if the private keys exist
- name: Ensure that the SSH users exist stat:
user: path: "{{ ssh_tunnels_config_path }}/{{ item }}.pem"
name: "{{ item }}" register: privatekey
groups: algo with_items: "{{ users }}"
home: '/var/jail/{{ item }}'
createhome: yes
generate_ssh_key: false
shell: /bin/false
state: present
append: yes
with_items: "{{ users }}"
- block: - name: Build ssh private keys
- name: Clean up the ssh-tunnel directory openssl_privatekey:
file: path: "{{ ssh_tunnels_config_path }}/{{ item.item }}.pem"
dest: "{{ ssh_tunnels_config_path }}" passphrase: "{{ p12_export_password }}"
state: absent cipher: aes256
when: keys_clean_all|bool == True force: false
no_log: true
when: not item.stat.exists
with_items: "{{ privatekey.results }}"
register: openssl_privatekey
- name: Ensure the config directories exist - name: Build ssh public keys
file: openssl_publickey:
dest: "{{ ssh_tunnels_config_path }}" path: "{{ ssh_tunnels_config_path }}/{{ item.item.item }}.pub"
state: directory privatekey_path: "{{ ssh_tunnels_config_path }}/{{ item.item.item }}.pem"
recurse: yes privatekey_passphrase: "{{ p12_export_password }}"
mode: '0700' format: OpenSSH
force: true
no_log: true
when: item.changed
with_items: "{{ openssl_privatekey.results }}"
- name: Check if the private keys exist - name: Build the client ssh config
stat: template:
path: "{{ ssh_tunnels_config_path }}/{{ item }}.pem" src: ssh_config.j2
register: privatekey dest: "{{ ssh_tunnels_config_path }}/{{ item }}.ssh_config"
with_items: "{{ users }}" mode: 0700
with_items: "{{ users }}"
delegate_to: localhost
become: false
- name: Build ssh private keys - name: The authorized keys file created
openssl_privatekey: authorized_key:
path: "{{ ssh_tunnels_config_path }}/{{ item.item }}.pem" user: "{{ item }}"
passphrase: "{{ p12_export_password }}" key: "{{ lookup('file', ssh_tunnels_config_path + '/' + item + '.pub') }}"
cipher: aes256 state: present
force: false manage_dir: true
no_log: true exclusive: true
when: not item.stat.exists with_items: "{{ users }}"
with_items: "{{ privatekey.results }}"
register: openssl_privatekey
- name: Build ssh public keys - name: Get active users
openssl_publickey: getent:
path: "{{ ssh_tunnels_config_path }}/{{ item.item.item }}.pub" database: group
privatekey_path: "{{ ssh_tunnels_config_path }}/{{ item.item.item }}.pem" key: algo
privatekey_passphrase: "{{ p12_export_password }}" split: ':'
format: OpenSSH
force: true
no_log: true
when: item.changed
with_items: "{{ openssl_privatekey.results }}"
- name: Build the client ssh config - name: Delete non-existing users
template: user:
src: ssh_config.j2 name: "{{ item }}"
dest: "{{ ssh_tunnels_config_path }}/{{ item }}.ssh_config" state: absent
mode: 0700 remove: yes
with_items: "{{ users }}" force: yes
delegate_to: localhost when: item not in users
become: false with_items: "{{ getent_group['algo'][2].split(',') }}"
tags: update-users
- name: The authorized keys file created
authorized_key:
user: "{{ item }}"
key: "{{ lookup('file', ssh_tunnels_config_path + '/' + item + '.pub') }}"
state: present
manage_dir: true
exclusive: true
with_items: "{{ users }}"
- name: Get active users
getent:
database: group
key: algo
split: ':'
- name: Delete non-existing users
user:
name: "{{ item }}"
state: absent
remove: yes
force: yes
when: item not in users
with_items: "{{ getent_group['algo'][2].split(',') }}"
tags: update-users
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

2
roles/strongswan/defaults/main.yml
View file

@ -1,8 +1,6 @@
--- ---
ipsec_config_path: "configs/{{ IP_subject_alt_name }}/ipsec/" ipsec_config_path: "configs/{{ IP_subject_alt_name }}/ipsec/"
ipsec_pki_path: "{{ ipsec_config_path }}/.pki/" ipsec_pki_path: "{{ ipsec_config_path }}/.pki/"
strongswan_network: 10.19.48.0/24
strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
strongswan_shell: /usr/sbin/nologin strongswan_shell: /usr/sbin/nologin
strongswan_home: /var/lib/strongswan strongswan_home: /var/lib/strongswan
BetweenClients_DROP: true BetweenClients_DROP: true

56
roles/strongswan/tasks/main.yml
View file

@ -1,37 +1,31 @@
--- ---
- block: - include_tasks: ubuntu.yml
- include_tasks: ubuntu.yml when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- name: Ensure that the strongswan user exist - name: Ensure that the strongswan user exist
user: user:
name: strongswan name: strongswan
group: nogroup group: nogroup
shell: "{{ strongswan_shell }}" shell: "{{ strongswan_shell }}"
home: "{{ strongswan_home }}" home: "{{ strongswan_home }}"
state: present state: present
- name: Install strongSwan - name: Install strongSwan
package: name=strongswan state=present package: name=strongswan state=present
- import_tasks: ipsec_configuration.yml - import_tasks: ipsec_configuration.yml
- import_tasks: openssl.yml - import_tasks: openssl.yml
tags: update-users tags: update-users
- import_tasks: distribute_keys.yml - import_tasks: distribute_keys.yml
- import_tasks: client_configs.yml - import_tasks: client_configs.yml
delegate_to: localhost delegate_to: localhost
become: no become: no
tags: update-users tags: update-users
- name: strongSwan started - name: strongSwan started
service: service:
name: strongswan name: strongswan
state: started state: started
enabled: true enabled: true
- meta: flush_handlers - meta: flush_handlers
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

14
roles/wireguard/defaults/main.yml
View file

@ -3,20 +3,6 @@ wireguard_PersistentKeepalive: 0
wireguard_config_path: "configs/{{ IP_subject_alt_name }}/wireguard/" wireguard_config_path: "configs/{{ IP_subject_alt_name }}/wireguard/"
wireguard_pki_path: "{{ wireguard_config_path }}/.pki/" wireguard_pki_path: "{{ wireguard_config_path }}/.pki/"
wireguard_interface: wg0 wireguard_interface: wg0
_wireguard_network_ipv4:
subnet: 10.19.49.0
prefix: 24
gateway: 10.19.49.1
clients_range: 10.19.49
clients_start: 2
_wireguard_network_ipv6:
subnet: 'fd9d:bc11:4021::'
prefix: 48
gateway: 'fd9d:bc11:4021::1'
clients_range: 'fd9d:bc11:4021::'
clients_start: 2
wireguard_network_ipv4: "{{ _wireguard_network_ipv4['subnet'] }}/{{ _wireguard_network_ipv4['prefix'] }}"
wireguard_network_ipv6: "{{ _wireguard_network_ipv6['subnet'] }}/{{ _wireguard_network_ipv6['prefix'] }}"
keys_clean_all: false keys_clean_all: false
wireguard_dns_servers: >- wireguard_dns_servers: >-
{% if local_dns|default(false)|bool or dns_encryption|default(false)|bool == true %} {% if local_dns|default(false)|bool or dns_encryption|default(false)|bool == true %}

1
roles/wireguard/tasks/main.yml
View file

@ -75,7 +75,6 @@
notify: restart wireguard notify: restart wireguard
tags: update-users tags: update-users
- name: WireGuard enabled and started - name: WireGuard enabled and started
service: service:
name: "{{ service_name }}" name: "{{ service_name }}"

152
server.yml
View file

@ -2,84 +2,90 @@
- name: Configure the server and install required software - name: Configure the server and install required software
hosts: vpn-host hosts: vpn-host
gather_facts: false gather_facts: false
tags: algo
become: true become: true
vars_files: vars_files:
- config.cfg - config.cfg
tasks:
roles:
- role: common
tags: common
- role: dns_encryption
when: dns_encryption
tags: dns_encryption
- role: dns_adblocking
when: algo_local_dns
tags: dns_adblocking
- role: wireguard
when: wireguard_enabled
tags: wireguard
- role: strongswan
when: ipsec_enabled
tags: ipsec
- role: ssh_tunneling
when: algo_ssh_tunneling
tags: ssh_tunneling
post_tasks:
- block: - block:
- name: Delete the CA key - import_role:
local_action: name: common
module: file tags: common
path: "{{ ipsec_pki_path }}/private/cakey.pem"
state: absent
become: false
when:
- ipsec_enabled
- not algo_store_cakey
- name: Dump the configuration - import_role:
local_action: name: dns_encryption
module: copy when: dns_encryption
dest: "configs/{{ IP_subject_alt_name }}/.config.yml" tags: dns_encryption
content: |
server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }}
server_user: {{ ansible_ssh_user }}
{% if algo_provider != "local" %}
ansible_ssh_private_key_file: {{ ansible_ssh_private_key_file|default(SSH_keys.private) }}
{% endif %}
algo_provider: {{ algo_provider }}
algo_server_name: {{ algo_server_name }}
algo_ondemand_cellular: {{ algo_ondemand_cellular }}
algo_ondemand_wifi: {{ algo_ondemand_wifi }}
algo_ondemand_wifi_exclude: {{ algo_ondemand_wifi_exclude }}
algo_local_dns: {{ algo_local_dns }}
algo_ssh_tunneling: {{ algo_ssh_tunneling }}
algo_windows: {{ algo_windows }}
algo_store_cakey: {{ algo_store_cakey }}
IP_subject_alt_name: {{ IP_subject_alt_name }}
ipsec_enabled: {{ ipsec_enabled }}
wireguard_enabled: {{ wireguard_enabled }}
{% if tests|default(false)|bool %}ca_password: {{ CA_password }}{% endif %}
become: false
- name: Create a symlink if deploying to localhost - import_role:
file: name: dns_adblocking
src: "{{ IP_subject_alt_name }}" when: algo_local_dns
dest: configs/localhost tags: dns_adblocking
state: link
force: true
when: inventory_hostname == 'localhost'
- debug: - import_role:
msg: name: wireguard
- "{{ congrats.common.split('\n') }}" when: wireguard_enabled
- " {{ congrats.p12_pass if algo_ssh_tunneling or ipsec_enabled else '' }}" tags: wireguard
- " {{ congrats.ca_key_pass if algo_store_cakey and ipsec_enabled else '' }}"
- " {{ congrats.ssh_access if algo_provider != 'local' else ''}}" - import_role:
tags: always name: strongswan
when: ipsec_enabled
tags: ipsec
- import_role:
name: ssh_tunneling
when: algo_ssh_tunneling
tags: ssh_tunneling
- block:
- name: Delete the CA key
local_action:
module: file
path: "{{ ipsec_pki_path }}/private/cakey.pem"
state: absent
become: false
when:
- ipsec_enabled
- not algo_store_cakey
- name: Dump the configuration
local_action:
module: copy
dest: "configs/{{ IP_subject_alt_name }}/.config.yml"
content: |
server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }}
server_user: {{ ansible_ssh_user }}
{% if algo_provider != "local" %}
ansible_ssh_private_key_file: {{ ansible_ssh_private_key_file|default(SSH_keys.private) }}
{% endif %}
algo_provider: {{ algo_provider }}
algo_server_name: {{ algo_server_name }}
algo_ondemand_cellular: {{ algo_ondemand_cellular }}
algo_ondemand_wifi: {{ algo_ondemand_wifi }}
algo_ondemand_wifi_exclude: {{ algo_ondemand_wifi_exclude }}
algo_local_dns: {{ algo_local_dns }}
algo_ssh_tunneling: {{ algo_ssh_tunneling }}
algo_windows: {{ algo_windows }}
algo_store_cakey: {{ algo_store_cakey }}
IP_subject_alt_name: {{ IP_subject_alt_name }}
ipsec_enabled: {{ ipsec_enabled }}
wireguard_enabled: {{ wireguard_enabled }}
{% if tests|default(false)|bool %}ca_password: {{ CA_password }}{% endif %}
become: false
- name: Create a symlink if deploying to localhost
file:
src: "{{ IP_subject_alt_name }}"
dest: configs/localhost
state: link
force: true
when: inventory_hostname == 'localhost'
- debug:
msg:
- "{{ congrats.common.split('\n') }}"
- " {{ congrats.p12_pass if algo_ssh_tunneling or ipsec_enabled else '' }}"
- " {{ congrats.ca_key_pass if algo_store_cakey and ipsec_enabled else '' }}"
- " {{ congrats.ssh_access if algo_provider != 'local' else ''}}"
tags: always
rescue: rescue:
- debug: var=fail_hint - include_tasks: playbooks/rescue.yml
tags: always
- fail:
tags: always

54
users.yml
View file

@ -47,10 +47,7 @@
ansible_python_interpreter: "/usr/bin/python3" ansible_python_interpreter: "/usr/bin/python3"
CA_password: "{{ CA_password }}" CA_password: "{{ CA_password }}"
rescue: rescue:
- debug: var=fail_hint - include_tasks: playbooks/rescue.yml
tags: always
- fail:
tags: always
- name: User management - name: User management
hosts: vpn-host hosts: vpn-host
@ -60,37 +57,32 @@
- config.cfg - config.cfg
- "configs/{{ inventory_hostname }}/.config.yml" - "configs/{{ inventory_hostname }}/.config.yml"
pre_tasks: tasks:
- block: - block:
- name: Local pre-tasks - name: Local pre-tasks
import_tasks: playbooks/cloud-pre.yml import_tasks: playbooks/cloud-pre.yml
become: false become: false
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
roles: - import_role:
- role: common name: common
- role: wireguard
tags: [ 'vpn', 'wireguard' ]
when: wireguard_enabled
- role: strongswan
when: ipsec_enabled
tags: ipsec
- role: ssh_tunneling
when: algo_ssh_tunneling
post_tasks: - import_role:
- block: name: wireguard
- debug: when: wireguard_enabled
msg:
- "{{ congrats.common.split('\n') }}" - import_role:
- " {% if p12.changed %}{{ congrats.p12_pass }}{% endif %}" name: strongswan
tags: always when: ipsec_enabled
tags: ipsec
- import_role:
name: ssh_tunneling
when: algo_ssh_tunneling
- debug:
msg:
- "{{ congrats.common.split('\n') }}"
- " {% if p12.changed %}{{ congrats.p12_pass }}{% endif %}"
tags: always
rescue: rescue:
- debug: var=fail_hint - include_tasks: playbooks/rescue.yml
tags: always
- fail:
tags: always