Refactoring to support roles inclusion (#1365)

Jack Ivanov 2019-04-08 23:20:34 +03:00 committed by Dan Guido
parent 8af0efa623
commit c4ea88000b
25 changed files with 866 additions and 956 deletions


@ -4,7 +4,8 @@ pipelining = True
retry_files_enabled = False
host_key_checking = False
timeout = 60
stdout_callback = full_skip
stdout_callback = default
display_skipped_hosts = no
[paramiko_connection]
record_host_keys = False
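Review bot: `display_skipped_hosts = no` hides every skipped task, and this refactor makes each role's execution depend on a `when:` guard on `import_role`/`include_role`, so a role that did not run (for example because `wireguard_enabled` was false) leaves no trace in the output. A comment next to the new setting would save operators time when a role appears to be missing, e.g. `# Skipped tasks are hidden; set to yes to see which conditional roles did not run`.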


@ -2,48 +2,20 @@
- name: Provision the server
hosts: localhost
tags: always
become: false
vars_files:
- config.cfg
pre_tasks:
tasks:
- block:
- name: Local pre-tasks
import_tasks: playbooks/cloud-pre.yml
tags: always
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
roles:
- role: cloud-digitalocean
when: algo_provider == "digitalocean"
- role: cloud-ec2
when: algo_provider == "ec2"
- role: cloud-vultr
when: algo_provider == "vultr"
- role: cloud-gce
when: algo_provider == "gce"
- role: cloud-azure
when: algo_provider == "azure"
- role: cloud-lightsail
when: algo_provider == "lightsail"
- role: cloud-scaleway
when: algo_provider == "scaleway"
- role: cloud-openstack
when: algo_provider == "openstack"
- role: local
when: algo_provider == "local"
- name: Include a provisioning role
include_role:
name: "{{ 'local' if algo_provider == 'local' else 'cloud-' + algo_provider }}"
post_tasks:
- block:
- name: Local post-tasks
import_tasks: playbooks/cloud-post.yml
become: false
tags: cloud
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- include_tasks: playbooks/rescue.yml
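Review bot: The role name at `name: "{{ 'local' if algo_provider == 'local' else 'cloud-' + algo_provider }}"` is now built from `algo_provider` by string concatenation, so the explicit allow-list that the removed `roles:` entries gave is gone: a mistyped or unsupported value reaches `include_role` unchecked and surfaces only as a generic role-not-found error instead of a clear message. Add an assertion before the include, e.g. `- name: Ensure the provider is supported` / `  assert:` / `    that: algo_provider in ['digitalocean', 'ec2', 'vultr', 'gce', 'azure', 'lightsail', 'scaleway', 'openstack', 'local']`, using the same set of names the removed entries listed.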


@ -25,6 +25,12 @@ ipsec_enabled: true
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: 2
# rightsourceip for ipsec
# ipv4
strongswan_network: 10.19.48.0/24
# ipv6
strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
# Deploy WireGuard
wireguard_enabled: true
wireguard_port: 51820
@ -33,6 +39,22 @@ wireguard_port: 51820
# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
wireguard_PersistentKeepalive: 0
# WireGuard network configuration
_wireguard_network_ipv4:
subnet: 10.19.49.0
prefix: 24
gateway: 10.19.49.1
clients_range: 10.19.49
clients_start: 2
_wireguard_network_ipv6:
subnet: 'fd9d:bc11:4021::'
prefix: 48
gateway: 'fd9d:bc11:4021::1'
clients_range: 'fd9d:bc11:4021::'
clients_start: 2
wireguard_network_ipv4: "{{ _wireguard_network_ipv4['subnet'] }}/{{ _wireguard_network_ipv4['prefix'] }}"
wireguard_network_ipv6: "{{ _wireguard_network_ipv6['subnet'] }}/{{ _wireguard_network_ipv6['prefix'] }}"
# Reduce the MTU of the VPN tunnel
# Some cloud and internet providers use a smaller MTU (Maximum Transmission
# Unit) than the normal value of 1500 and if you don't reduce the MTU of your
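Review bot: The `_wireguard_network_ipv4` and `_wireguard_network_ipv6` mappings arrive in the user-facing config.cfg without any comment, unlike the neighbouring strongswan keys, and their leading underscore suggests they were internal role defaults (the same commit removes them from the wireguard role's defaults). A short comment above `_wireguard_network_ipv4:` would help, e.g. `# WireGuard addressing; keep these subnets disjoint from strongswan_network and from the networks clients connect from`. The meaning of `clients_range`/`clients_start` is only inferable from their names (presumably the address prefix and first host index used when allocating client addresses) — confirm against the wireguard role and state it in the comment.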


@ -25,6 +25,7 @@
- config.cfg
tasks:
- block:
- pause:
prompt: |
What provider would you like to use?
@ -137,3 +138,5 @@
{% if store_cakey is defined %}{{ store_cakey | bool }}
{%- elif _store_cakey.user_input is defined and _store_cakey.user_input != "" %}{{ booleans_map[_store_cakey.user_input] | default(defaults['store_cakey']) }}
{%- else %}false{% endif %}
rescue:
- include_tasks: playbooks/rescue.yml

playbooks/rescue.yml Normal file

@ -0,0 +1,5 @@
---
- debug:
var: fail_hint
- fail:
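Review bot: Neither task in the new rescue.yml carries `tags: always`, whereas every inlined rescue task it replaces in main.yml, server.yml and users.yml had it, and the new `- include_tasks: playbooks/rescue.yml` lines in main.yml, input.yml, server.yml and users.yml have no tags either. main.yml's play is tagged `always`, but the server play is tagged `algo`, so a run with a narrower `--tags` selection would, as far as I can tell, skip the rescue tasks after a failure and lose the fail_hint output. Add `tags: always` to both tasks here and to each include (`- include_tasks: playbooks/rescue.yml` / `  tags: always`), since tags on a dynamic include apply to the include itself and not to the tasks it loads.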


@ -1,5 +1,4 @@
---
- block:
- name: Build python virtual environment
import_tasks: venv.yml
@ -40,8 +39,3 @@
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ azure_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,4 +1,4 @@
- block:
---
- name: Build python virtual environment
import_tasks: venv.yml
@ -103,8 +103,3 @@
msg: "Please, ensure that your API token is not read-only."
environment:
PYTHONPATH: "{{ digitalocean_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,4 +1,4 @@
- block:
---
- name: Build python virtual environment
import_tasks: venv.yml
@ -41,8 +41,3 @@
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ ec2_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,4 +1,4 @@
- block:
---
- name: Build python virtual environment
import_tasks: venv.yml
@ -55,8 +55,3 @@
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ gce_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,4 +1,4 @@
- block:
---
- name: Build python virtual environment
import_tasks: venv.yml
@ -42,9 +42,3 @@
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ lightsail_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -3,7 +3,6 @@
msg: "OpenStack credentials are not set. Download it from the OpenStack dashboard->Compute->API Access and source it in the shell (eg: source /tmp/dhc-openrc.sh)"
when: lookup('env', 'OS_AUTH_URL') == ""
- block:
- name: Build python virtual environment
import_tasks: venv.yml
@ -81,9 +80,3 @@
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ openstack_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,4 +1,3 @@
- block:
- name: Include prompts
import_tasks: prompts.yml
@ -132,9 +131,3 @@
- set_fact:
cloud_instance_ip: "{{ algo_instance['json']['server']['public_ip']['address'] }}"
ansible_ssh_user: root
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,3 +1,4 @@
---
- block:
- name: Include prompts
import_tasks: prompts.yml
@ -29,8 +30,3 @@
environment:
VULTR_API_CONFIG: "{{ algo_vultr_config }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,5 +1,4 @@
---
- block:
- name: Check the system
raw: uname -a
register: OS
@ -25,8 +24,3 @@
- always
- meta: flush_handlers
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -97,11 +97,9 @@
- name: Install tools
apt:
name: "{{ item }}"
name: "{{ tools|default([]) }}"
state: present
update_cache: true
with_items:
- "{{ tools|default([]) }}"
- name: Install headers
apt:
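Review bot: Passing `name: "{{ tools|default([]) }}"` directly changes the empty-list case: the removed `with_items` loop produced no iterations when `tools` was undefined or empty, while the new form hands an empty package list to apt together with `update_cache: true`. I believe apt then only refreshes the cache, but that is worth confirming, or guarding with `when: tools|default([])|length > 0` if a cache refresh on every run is not wanted. The surrounding task list continues outside the hunk.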


@ -3,3 +3,7 @@
- name: restart apparmor
service: name=apparmor state=restarted
- name: daemon-reload
systemd:
daemon_reload: true


@ -1,5 +1,4 @@
---
- block:
- name: Dnsmasq installed
package: name=dnsmasq
@ -45,8 +44,3 @@
name: dnsmasq
state: started
enabled: yes
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,10 +1,3 @@
---
- block:
- name: Include prompts
import_tasks: prompts.yml
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,5 +1,4 @@
---
- block:
- name: Ensure that the sshd_config file has desired options
blockinfile:
dest: /etc/ssh/sshd_config
@ -113,8 +112,3 @@
when: item not in users
with_items: "{{ getent_group['algo'][2].split(',') }}"
tags: update-users
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,8 +1,6 @@
---
ipsec_config_path: "configs/{{ IP_subject_alt_name }}/ipsec/"
ipsec_pki_path: "{{ ipsec_config_path }}/.pki/"
strongswan_network: 10.19.48.0/24
strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
strongswan_shell: /usr/sbin/nologin
strongswan_home: /var/lib/strongswan
BetweenClients_DROP: true
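Review bot: Removing `strongswan_network` and `strongswan_network_ipv6` from the role defaults leaves the role with no fallback for them: they now exist only in config.cfg, so a user who upgrades while keeping an older config.cfg gets an undefined-variable error wherever the role references them. The same applies to `_wireguard_network_ipv4`/`_wireguard_network_ipv6`, removed from the wireguard role's defaults in this commit. Role defaults have the lowest precedence, so keeping the two lines here while also listing them in config.cfg preserves the override and keeps older config files working.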


@ -1,5 +1,4 @@
---
- block:
- include_tasks: ubuntu.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
@ -30,8 +29,3 @@
enabled: true
- meta: flush_handlers
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -3,20 +3,6 @@ wireguard_PersistentKeepalive: 0
wireguard_config_path: "configs/{{ IP_subject_alt_name }}/wireguard/"
wireguard_pki_path: "{{ wireguard_config_path }}/.pki/"
wireguard_interface: wg0
_wireguard_network_ipv4:
subnet: 10.19.49.0
prefix: 24
gateway: 10.19.49.1
clients_range: 10.19.49
clients_start: 2
_wireguard_network_ipv6:
subnet: 'fd9d:bc11:4021::'
prefix: 48
gateway: 'fd9d:bc11:4021::1'
clients_range: 'fd9d:bc11:4021::'
clients_start: 2
wireguard_network_ipv4: "{{ _wireguard_network_ipv4['subnet'] }}/{{ _wireguard_network_ipv4['prefix'] }}"
wireguard_network_ipv6: "{{ _wireguard_network_ipv6['subnet'] }}/{{ _wireguard_network_ipv6['prefix'] }}"
keys_clean_all: false
wireguard_dns_servers: >-
{% if local_dns|default(false)|bool or dns_encryption|default(false)|bool == true %}


@ -75,7 +75,6 @@
notify: restart wireguard
tags: update-users
- name: WireGuard enabled and started
service:
name: "{{ service_name }}"


@ -2,31 +2,40 @@
- name: Configure the server and install required software
hosts: vpn-host
gather_facts: false
tags: algo
become: true
vars_files:
- config.cfg
roles:
- role: common
tasks:
- block:
- import_role:
name: common
tags: common
- role: dns_encryption
- import_role:
name: dns_encryption
when: dns_encryption
tags: dns_encryption
- role: dns_adblocking
- import_role:
name: dns_adblocking
when: algo_local_dns
tags: dns_adblocking
- role: wireguard
- import_role:
name: wireguard
when: wireguard_enabled
tags: wireguard
- role: strongswan
- import_role:
name: strongswan
when: ipsec_enabled
tags: ipsec
- role: ssh_tunneling
- import_role:
name: ssh_tunneling
when: algo_ssh_tunneling
tags: ssh_tunneling
post_tasks:
- block:
- name: Delete the CA key
local_action:
@ -79,7 +88,4 @@
- " {{ congrats.ssh_access if algo_provider != 'local' else ''}}"
tags: always
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- include_tasks: playbooks/rescue.yml
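Review bot: Dropping `post_tasks:` moves the "Delete the CA key" and congratulations block into `tasks`, so handlers notified by the imported roles (service restarts) now fire after that block rather than before it, as post_tasks used to guarantee. If the success message and the CA-key cleanup are meant to run only once the services have been restarted, add `- meta: flush_handlers` as the first task of that block, unless one already sits in the part of the block outside this hunk.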


@ -47,10 +47,7 @@
ansible_python_interpreter: "/usr/bin/python3"
CA_password: "{{ CA_password }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- include_tasks: playbooks/rescue.yml
- name: User management
hosts: vpn-host
@ -60,37 +57,32 @@
- config.cfg
- "configs/{{ inventory_hostname }}/.config.yml"
pre_tasks:
tasks:
- block:
- name: Local pre-tasks
import_tasks: playbooks/cloud-pre.yml
become: false
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
roles:
- role: common
- role: wireguard
tags: [ 'vpn', 'wireguard' ]
- import_role:
name: common
- import_role:
name: wireguard
when: wireguard_enabled
- role: strongswan
- import_role:
name: strongswan
when: ipsec_enabled
tags: ipsec
- role: ssh_tunneling
- import_role:
name: ssh_tunneling
when: algo_ssh_tunneling
post_tasks:
- block:
- debug:
msg:
- "{{ congrats.common.split('\n') }}"
- " {% if p12.changed %}{{ congrats.p12_pass }}{% endif %}"
tags: always
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- include_tasks: playbooks/rescue.yml
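Review bot: The wireguard import in the user-management play loses its tags: the removed `- role: wireguard` carried `tags: [ 'vpn', 'wireguard' ]`, but the new `- import_role:` / `name: wireguard` has none, while the strongswan entry keeps `tags: ipsec`. Unless the tags line survives somewhere the rendered hunk does not show, `--tags wireguard` no longer selects the WireGuard role in this play even though `--tags ipsec` still selects strongswan. Add `tags: wireguard` (or the original `[ 'vpn', 'wireguard' ]`) under the wireguard `import_role`; with a static import the tags propagate to every task of the role.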