wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-05 06:33:56 +02:00
Code Issues Projects Releases Wiki Activity

Refactoring to support roles inclusion (#1365)

Browse source
This commit is contained in:
Jack Ivanov 2019-04-08 23:20:34 +03:00 committed by Dan Guido
parent 8af0efa623
commit c4ea88000b
25 changed files with 866 additions and 956 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
ansible.cfg
View file

@ -4,7 +4,8 @@ pipelining = True
retry_files_enabled = False
host_key_checking = False
timeout = 60
stdout_callback = full_skip
stdout_callback = default
display_skipped_hosts = no
[paramiko_connection]
record_host_keys = False

40
cloud.yml
View file

@ -2,48 +2,20 @@
- name: Provision the server
hosts: localhost
tags: always
become: false
vars_files:
- config.cfg
pre_tasks:
tasks:
- block:
- name: Local pre-tasks
import_tasks: playbooks/cloud-pre.yml
tags: always
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
roles:
- role: cloud-digitalocean
when: algo_provider == "digitalocean"
- role: cloud-ec2
when: algo_provider == "ec2"
- role: cloud-vultr
when: algo_provider == "vultr"
- role: cloud-gce
when: algo_provider == "gce"
- role: cloud-azure
when: algo_provider == "azure"
- role: cloud-lightsail
when: algo_provider == "lightsail"
- role: cloud-scaleway
when: algo_provider == "scaleway"
- role: cloud-openstack
when: algo_provider == "openstack"
- role: local
when: algo_provider == "local"
- name: Include a provisioning role
include_role:
name: "{{ 'local' if algo_provider == 'local' else 'cloud-' + algo_provider }}"
post_tasks:
- block:
- name: Local post-tasks
import_tasks: playbooks/cloud-post.yml
become: false
tags: cloud
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- include_tasks: playbooks/rescue.yml

22
config.cfg
View file

@ -25,6 +25,12 @@ ipsec_enabled: true
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: 2
# rightsourceip for ipsec
# ipv4
strongswan_network: 10.19.48.0/24
# ipv6
strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
# Deploy WireGuard
wireguard_enabled: true
wireguard_port: 51820
@ -33,6 +39,22 @@ wireguard_port: 51820
# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
wireguard_PersistentKeepalive: 0
# WireGuard network configuration
_wireguard_network_ipv4:
subnet: 10.19.49.0
prefix: 24
gateway: 10.19.49.1
clients_range: 10.19.49
clients_start: 2
_wireguard_network_ipv6:
subnet: 'fd9d:bc11:4021::'
prefix: 48
gateway: 'fd9d:bc11:4021::1'
clients_range: 'fd9d:bc11:4021::'
clients_start: 2
wireguard_network_ipv4: "{{ _wireguard_network_ipv4['subnet'] }}/{{ _wireguard_network_ipv4['prefix'] }}"
wireguard_network_ipv6: "{{ _wireguard_network_ipv6['subnet'] }}/{{ _wireguard_network_ipv6['prefix'] }}"
# Reduce the MTU of the VPN tunnel
# Some cloud and internet providers use a smaller MTU (Maximum Transmission
# Unit) than the normal value of 1500 and if you don't reduce the MTU of your

3
input.yml
View file

@ -25,6 +25,7 @@
- config.cfg
tasks:
- block:
- pause:
prompt: |
What provider would you like to use?
@ -137,3 +138,5 @@
{% if store_cakey is defined %}{{ store_cakey | bool }}
{%- elif _store_cakey.user_input is defined and _store_cakey.user_input != "" %}{{ booleans_map[_store_cakey.user_input] | default(defaults['store_cakey']) }}
{%- else %}false{% endif %}
rescue:
- include_tasks: playbooks/rescue.yml

5
playbooks/rescue.yml Normal file
View file

@ -0,0 +1,5 @@
---
- debug:
var: fail_hint
- fail:

10
roles/cloud-azure/tasks/main.yml
View file

@ -1,9 +1,8 @@
---
- block:
- name: Build python virtual environment
- name: Build python virtual environment
import_tasks: venv.yml
- block:
- block:
- name: Include prompts
import_tasks: prompts.yml
@ -40,8 +39,3 @@
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ azure_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

11
roles/cloud-digitalocean/tasks/main.yml
View file

@ -1,8 +1,8 @@
- block:
- name: Build python virtual environment
---
- name: Build python virtual environment
import_tasks: venv.yml
- block:
- block:
- name: Include prompts
import_tasks: prompts.yml
@ -103,8 +103,3 @@
msg: "Please, ensure that your API token is not read-only."
environment:
PYTHONPATH: "{{ digitalocean_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

11
roles/cloud-ec2/tasks/main.yml
View file

@ -1,8 +1,8 @@
- block:
- name: Build python virtual environment
---
- name: Build python virtual environment
import_tasks: venv.yml
- block:
- block:
- name: Include prompts
import_tasks: prompts.yml
@ -41,8 +41,3 @@
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ ec2_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

11
roles/cloud-gce/tasks/main.yml
View file

@ -1,8 +1,8 @@
- block:
- name: Build python virtual environment
---
- name: Build python virtual environment
import_tasks: venv.yml
- block:
- block:
- name: Include prompts
import_tasks: prompts.yml
@ -55,8 +55,3 @@
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ gce_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

12
roles/cloud-lightsail/tasks/main.yml
View file

@ -1,8 +1,8 @@
- block:
- name: Build python virtual environment
---
- name: Build python virtual environment
import_tasks: venv.yml
- block:
- block:
- name: Include prompts
import_tasks: prompts.yml
@ -42,9 +42,3 @@
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ lightsail_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

11
roles/cloud-openstack/tasks/main.yml
View file

@ -3,11 +3,10 @@
msg: "OpenStack credentials are not set. Download it from the OpenStack dashboard->Compute->API Access and source it in the shell (eg: source /tmp/dhc-openrc.sh)"
when: lookup('env', 'OS_AUTH_URL') == ""
- block:
- name: Build python virtual environment
- name: Build python virtual environment
import_tasks: venv.yml
- block:
- block:
- name: Security group created
os_security_group:
state: "{{ state|default('present') }}"
@ -81,9 +80,3 @@
ansible_ssh_user: ubuntu
environment:
PYTHONPATH: "{{ openstack_venv }}/lib/python2.7/site-packages/"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

25
roles/cloud-scaleway/tasks/main.yml
View file

@ -1,17 +1,16 @@
- block:
- name: Include prompts
- name: Include prompts
import_tasks: prompts.yml
- name: Set disk size
- name: Set disk size
set_fact:
server_disk_size: 50000000000
- name: Check server size
- name: Check server size
set_fact:
server_disk_size: 25000000000
when: cloud_providers.scaleway.size == "START1-XS"
- name: Check if server exists
- name: Check if server exists
uri:
url: "https://cp-{{ algo_region }}.scaleway.com/servers"
method: GET
@ -21,14 +20,14 @@
status_code: 200
register: scaleway_servers
- name: Set server id as a fact
- name: Set server id as a fact
set_fact:
server_id: "{{ item.id }}"
no_log: true
when: algo_server_name == item.name
with_items: "{{ scaleway_servers.json.servers }}"
- name: Create a server if it doesn't exist
- name: Create a server if it doesn't exist
block:
- name: Get the organization id
uri:
@ -100,7 +99,7 @@
server_id: "{{ algo_instance.json.server.id }}"
when: server_id is not defined
- name: Power on the server
- name: Power on the server
uri:
url: https://cp-{{ algo_region }}.scaleway.com/servers/{{ server_id }}/action
method: POST
@ -114,7 +113,7 @@
ignore_errors: true
no_log: true
- name: Wait for the server to become running
- name: Wait for the server to become running
uri:
url: "https://cp-{{ algo_region }}.scaleway.com/servers/{{ server_id }}"
method: GET
@ -129,12 +128,6 @@
delay: 30
register: algo_instance
- set_fact:
- set_fact:
cloud_instance_ip: "{{ algo_instance['json']['server']['public_ip']['address'] }}"
ansible_ssh_user: root
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

6
roles/cloud-vultr/tasks/main.yml
View file

@ -1,3 +1,4 @@
---
- block:
- name: Include prompts
import_tasks: prompts.yml
@ -29,8 +30,3 @@
environment:
VULTR_API_CONFIG: "{{ algo_vultr_config }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

16
roles/common/tasks/main.yml
View file

@ -1,22 +1,21 @@
---
- block:
- name: Check the system
- name: Check the system
raw: uname -a
register: OS
tags:
- update-users
- include_tasks: ubuntu.yml
- include_tasks: ubuntu.yml
when: '"Ubuntu" in OS.stdout or "Linux" in OS.stdout'
tags:
- update-users
- include_tasks: freebsd.yml
- include_tasks: freebsd.yml
when: '"FreeBSD" in OS.stdout'
tags:
- update-users
- name: Sysctl tuning
- name: Sysctl tuning
sysctl: name="{{ item.item }}" value="{{ item.value }}"
when: item.item != ""
with_items:
@ -24,9 +23,4 @@
tags:
- always
- meta: flush_handlers
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- meta: flush_handlers

4
roles/common/tasks/ubuntu.yml
View file

@ -97,11 +97,9 @@
- name: Install tools
apt:
name: "{{ item }}"
name: "{{ tools|default([]) }}"
state: present
update_cache: true
with_items:
- "{{ tools|default([]) }}"
- name: Install headers
apt:

4
roles/dns_adblocking/handlers/main.yml
View file

@ -3,3 +3,7 @@
- name: restart apparmor
service: name=apparmor state=restarted
- name: daemon-reload
systemd:
daemon_reload: true

26
roles/dns_adblocking/tasks/main.yml
View file

@ -1,25 +1,24 @@
---
- block:
- name: Dnsmasq installed
- name: Dnsmasq installed
package: name=dnsmasq
- name: The dnsmasq directory created
- name: The dnsmasq directory created
file: dest=/var/lib/dnsmasq state=directory mode=0755 owner=dnsmasq group=nogroup
- include_tasks: ubuntu.yml
- include_tasks: ubuntu.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- include_tasks: freebsd.yml
- include_tasks: freebsd.yml
when: ansible_distribution == 'FreeBSD'
- name: Dnsmasq configured
- name: Dnsmasq configured
template:
src: dnsmasq.conf.j2
dest: "{{ config_prefix|default('/') }}etc/dnsmasq.conf"
notify:
- restart dnsmasq
- name: Adblock script created
- name: Adblock script created
template:
src: adblock.sh.j2
dest: /usr/local/sbin/adblock.sh
@ -27,7 +26,7 @@
group: "{{ root_group|default('root') }}"
mode: 0755
- name: Adblock script added to cron
- name: Adblock script added to cron
cron:
name: Adblock hosts update
minute: "{{ range(0, 60) | random }}"
@ -35,18 +34,13 @@
job: /usr/local/sbin/adblock.sh
user: root
- name: Update adblock hosts
- name: Update adblock hosts
command: /usr/local/sbin/adblock.sh
- meta: flush_handlers
- meta: flush_handlers
- name: Dnsmasq enabled and started
- name: Dnsmasq enabled and started
service:
name: dnsmasq
state: started
enabled: yes
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

9
roles/local/tasks/main.yml
View file

@ -1,10 +1,3 @@
---
- block:
- name: Include prompts
- name: Include prompts
import_tasks: prompts.yml
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

14
roles/ssh_tunneling/tasks/main.yml
View file

@ -1,6 +1,5 @@
---
- block:
- name: Ensure that the sshd_config file has desired options
- name: Ensure that the sshd_config file has desired options
blockinfile:
dest: /etc/ssh/sshd_config
marker: '# {mark} ANSIBLE MANAGED BLOCK ssh_tunneling_role'
@ -14,10 +13,10 @@
notify:
- restart ssh
- name: Ensure that the algo group exist
- name: Ensure that the algo group exist
group: name=algo state=present
- name: Ensure that the jail directory exist
- name: Ensure that the jail directory exist
file:
path: /var/jail/
state: directory
@ -25,7 +24,7 @@
owner: root
group: "{{ root_group|default('root') }}"
- block:
- block:
- name: Ensure that the SSH users exist
user:
name: "{{ item }}"
@ -113,8 +112,3 @@
when: item not in users
with_items: "{{ getent_group['algo'][2].split(',') }}"
tags: update-users
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

2
roles/strongswan/defaults/main.yml
View file

@ -1,8 +1,6 @@
---
ipsec_config_path: "configs/{{ IP_subject_alt_name }}/ipsec/"
ipsec_pki_path: "{{ ipsec_config_path }}/.pki/"
strongswan_network: 10.19.48.0/24
strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
strongswan_shell: /usr/sbin/nologin
strongswan_home: /var/lib/strongswan
BetweenClients_DROP: true

24
roles/strongswan/tasks/main.yml
View file

@ -1,9 +1,8 @@
---
- block:
- include_tasks: ubuntu.yml
- include_tasks: ubuntu.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- name: Ensure that the strongswan user exist
- name: Ensure that the strongswan user exist
user:
name: strongswan
group: nogroup
@ -11,27 +10,22 @@
home: "{{ strongswan_home }}"
state: present
- name: Install strongSwan
- name: Install strongSwan
package: name=strongswan state=present
- import_tasks: ipsec_configuration.yml
- import_tasks: openssl.yml
- import_tasks: ipsec_configuration.yml
- import_tasks: openssl.yml
tags: update-users
- import_tasks: distribute_keys.yml
- import_tasks: client_configs.yml
- import_tasks: distribute_keys.yml
- import_tasks: client_configs.yml
delegate_to: localhost
become: no
tags: update-users
- name: strongSwan started
- name: strongSwan started
service:
name: strongswan
state: started
enabled: true
- meta: flush_handlers
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- meta: flush_handlers

14
roles/wireguard/defaults/main.yml
View file

@ -3,20 +3,6 @@ wireguard_PersistentKeepalive: 0
wireguard_config_path: "configs/{{ IP_subject_alt_name }}/wireguard/"
wireguard_pki_path: "{{ wireguard_config_path }}/.pki/"
wireguard_interface: wg0
_wireguard_network_ipv4:
subnet: 10.19.49.0
prefix: 24
gateway: 10.19.49.1
clients_range: 10.19.49
clients_start: 2
_wireguard_network_ipv6:
subnet: 'fd9d:bc11:4021::'
prefix: 48
gateway: 'fd9d:bc11:4021::1'
clients_range: 'fd9d:bc11:4021::'
clients_start: 2
wireguard_network_ipv4: "{{ _wireguard_network_ipv4['subnet'] }}/{{ _wireguard_network_ipv4['prefix'] }}"
wireguard_network_ipv6: "{{ _wireguard_network_ipv6['subnet'] }}/{{ _wireguard_network_ipv6['prefix'] }}"
keys_clean_all: false
wireguard_dns_servers: >-
{% if local_dns|default(false)|bool or dns_encryption|default(false)|bool == true %}

1
roles/wireguard/tasks/main.yml
View file

@ -75,7 +75,6 @@
notify: restart wireguard
tags: update-users
- name: WireGuard enabled and started
service:
name: "{{ service_name }}"

34
server.yml
View file

@ -2,31 +2,40 @@
- name: Configure the server and install required software
hosts: vpn-host
gather_facts: false
tags: algo
become: true
vars_files:
- config.cfg
roles:
- role: common
tasks:
- block:
- import_role:
name: common
tags: common
- role: dns_encryption
- import_role:
name: dns_encryption
when: dns_encryption
tags: dns_encryption
- role: dns_adblocking
- import_role:
name: dns_adblocking
when: algo_local_dns
tags: dns_adblocking
- role: wireguard
- import_role:
name: wireguard
when: wireguard_enabled
tags: wireguard
- role: strongswan
- import_role:
name: strongswan
when: ipsec_enabled
tags: ipsec
- role: ssh_tunneling
- import_role:
name: ssh_tunneling
when: algo_ssh_tunneling
tags: ssh_tunneling
post_tasks:
- block:
- name: Delete the CA key
local_action:
@ -79,7 +88,4 @@
- " {{ congrats.ssh_access if algo_provider != 'local' else ''}}"
tags: always
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- include_tasks: playbooks/rescue.yml

36
users.yml
View file

@ -47,10 +47,7 @@
ansible_python_interpreter: "/usr/bin/python3"
CA_password: "{{ CA_password }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- include_tasks: playbooks/rescue.yml
- name: User management
hosts: vpn-host
@ -60,37 +57,32 @@
- config.cfg
- "configs/{{ inventory_hostname }}/.config.yml"
pre_tasks:
tasks:
- block:
- name: Local pre-tasks
import_tasks: playbooks/cloud-pre.yml
become: false
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
roles:
- role: common
- role: wireguard
tags: [ 'vpn', 'wireguard' ]
- import_role:
name: common
- import_role:
name: wireguard
when: wireguard_enabled
- role: strongswan
- import_role:
name: strongswan
when: ipsec_enabled
tags: ipsec
- role: ssh_tunneling
- import_role:
name: ssh_tunneling
when: algo_ssh_tunneling
post_tasks:
- block:
- debug:
msg:
- "{{ congrats.common.split('\n') }}"
- " {% if p12.changed %}{{ congrats.p12_pass }}{% endif %}"
tags: always
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- include_tasks: playbooks/rescue.yml