From 2fcc3600fdb2db2d9ff7e3c4901d0774be8ff58a Mon Sep 17 00:00:00 2001
From: Dan Guido <dan@trailofbits.com>
Date: Tue, 23 Aug 2016 17:03:27 -0400
Subject: [PATCH 1/3] Disable features in the Match block vs main config

---
 roles/common/templates/sshd_config.j2 | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/roles/common/templates/sshd_config.j2 b/roles/common/templates/sshd_config.j2
index af66436..8c08f0f 100644
--- a/roles/common/templates/sshd_config.j2
+++ b/roles/common/templates/sshd_config.j2
@@ -24,7 +24,6 @@ PubkeyAuthentication yes
 AcceptEnv LANG LC_*
 
 # Turn off a lot of features
-AllowAgentForwarding no
 IgnoreRhosts yes
 RhostsRSAAuthentication no
 RSAAuthentication no
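Review bot: Removing `AllowAgentForwarding no` from the global section leaves agent forwarding enabled for every session that does not match `Match Group algo`, because the sshd built-in default for this option is `yes` and this template replaces the whole sshd_config; the same holds whenever `ssh_tunneling_enabled` is not "Y", since the Match block added in the last hunk of this patch is then not rendered at all. The `X11Forwarding no` removal in the second hunk is less risky (the built-in default is `no`) but likewise trades an explicit setting for a default. I would keep `AllowAgentForwarding no` and `X11Forwarding no` in the main section as the baseline for all users and let the Match block carry only the tunneling-specific overrides (`AllowTcpForwarding remote`, `AllowStreamLocalForwarding no`, `PermitTunnel no`).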
@@ -33,7 +32,6 @@ PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 PasswordAuthentication no
 UseDNS no
-X11Forwarding no
 
 # Do not enable sftp
 # If you DO enable it, use this line to log which files sftp users read/write
@@ -51,21 +49,16 @@ HostKey /etc/ssh/ssh_host_ed25519_key
 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
-
-###
-
 # TODO: I haven't seen anyone review these yet
 # HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
-
 # TODO: I haven't seen anyone review these yet
 # PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
 
-# TODO: I think we want to enable tunnels but disable stream local fowarding?
-# PermitTunnel yes
-# AllowStreamLocalForwarding no
-
 {% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" %}
 Match Group algo
     AllowTcpForwarding remote
+    AllowAgentForwarding no
     AllowStreamLocalForwarding no
+    PermitTunnel no
+    X11Forwarding no
 {% endif %}    

From 809b62cd338cade274583eae003c50cd5301a831 Mon Sep 17 00:00:00 2001
From: Dan Guido <dan@trailofbits.com>
Date: Wed, 24 Aug 2016 09:03:29 +0200
Subject: [PATCH 2/3] daemon_reload is an option for systemd, not service

---
 roles/vpn/handlers/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml
index 0ed78a3..c5dcdc9 100644
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@@ -1,5 +1,5 @@
 - name: restart strongswan
-  service: name=strongswan state=restarted daemon_reload=yes
+  service: name=strongswan state=restarted
   
 - name: daemon-reload
   shell: systemctl daemon-reload
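Review bot: With `daemon_reload=yes` gone, `restart strongswan` no longer reloads systemd before restarting, and since Ansible runs handlers in the order they are defined in this file rather than the order they were notified, `restart strongswan` (defined first) fires before `daemon-reload` when a task notifies both — which the cgroup-limitations template task in roles/vpn/tasks/main.yml does. The unit drop-in that task installs is therefore not in effect on the restart that follows it. Either move the `daemon-reload` handler above `restart strongswan` in this file, or, if the Ansible version in use ships the systemd module, make the restart handler `systemd: name=strongswan state=restarted daemon_reload=yes`. The blank line after the service line still carries trailing spaces.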

From 27421070b9920c19e81705536425eb2e50ec6eb4 Mon Sep 17 00:00:00 2001
From: Dan Guido <dan@trailofbits.com>
Date: Wed, 24 Aug 2016 09:22:04 +0200
Subject: [PATCH 3/3] linting

---
 digitalocean.yml                    |  39 +++++-----
 ec2.yml                             | 113 ++++++++++++++--------------
 gce.yml                             |  33 ++++----
 non-cloud.yml                       |  77 +++++++++----------
 roles/common/tasks/main.yml         |   4 +-
 roles/dns_adblocking/tasks/main.yml |  16 ++--
 roles/proxy/handlers/main.yml       |   4 +-
 roles/proxy/tasks/main.yml          |  20 ++---
 roles/security/handlers/main.yml    |   4 +-
 roles/security/tasks/main.yml       |   2 +-
 roles/ssh_tunneling/tasks/main.yml  |  10 +--
 roles/vpn/handlers/main.yml         |   5 ++
 roles/vpn/tasks/main.yml            |  24 +++---
 13 files changed, 179 insertions(+), 172 deletions(-)

diff --git a/digitalocean.yml b/digitalocean.yml
index 7a7e40a..7d6ac8e 100644
--- a/digitalocean.yml
+++ b/digitalocean.yml
@@ -1,3 +1,4 @@
+# vim:ft=ansible:
 - name: Configure the server and install required software
   hosts: localhost
 
@@ -50,29 +51,29 @@
     private: no
 
   - name: "dns_enabled"
-    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
+    default: "y"
     private: no
-    
+
   - name: "proxy_enabled"
-    prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n"
-    default: "Y"
-    private: no    
+    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
+    default: "y"
+    private: no
 
   - name: "auditd_enabled"
-    prompt: "Do you want to use auditd ? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
+    default: "y"
     private: no
-    
+
   - name: "ssh_tunneling_enabled"
-    prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
-    default: "Y"
-    private: no    
-    
+    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+    default: "y"
+    private: no
+
   - name: "easyrsa_p12_export_password"
-    prompt: "Enter the password for p12 certificates:\n"
+    prompt: "Enter a password for p12 certificates:\n"
     default: "vpn"
-    private: yes    
+    private: yes
 
   roles:
     - cloud-digitalocean
@@ -131,10 +132,10 @@
     - common
     - security
     - vpn
-    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } 
-    - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "Y" }
-    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
-    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } 
+    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
+    - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
 
   handlers:
     - name: reload eth0
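Review bot: The role conditions now require an exact lowercase `"y"`, so a user who answers `Y` — the value the prompts accepted until this commit — silently gets none of the proxy, dns_adblocking, logging or ssh_tunneling roles; the same pattern is in the corresponding hunks of ec2.yml, gce.yml and non-cloud.yml. More importantly, roles/common/templates/sshd_config.j2 still renders its `Match Group algo` block only when `ssh_tunneling_enabled == "Y"` (visible as context in the first patch of this series) and is not touched by this commit, so with the new default `"y"` the tunneling accounts are created but the `AllowTcpForwarding remote` / `AllowAgentForwarding no` / `AllowStreamLocalForwarding no` / `PermitTunnel no` restrictions are never written to sshd_config. A case-insensitive comparison in both places closes the gap, e.g. `when: proxy_enabled is defined and proxy_enabled | lower == "y"` here and `{% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled | lower == "y" %}` in the template.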
diff --git a/ec2.yml b/ec2.yml
index c906031..891f267 100644
--- a/ec2.yml
+++ b/ec2.yml
@@ -21,66 +21,65 @@
       "11": "sa-east-1"
 
   vars_prompt:
+  - name: "aws_access_key"
+    prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
+    private: yes
 
-    - name: "aws_access_key"
-      prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
-      private: yes
+  - name: "aws_secret_key"
+    prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
+    private: yes
 
-    - name: "aws_secret_key"
-      prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
-      private: yes
+  - name: "region"
+    prompt: >
+      What region should the server be located in?
+       1.   us-east-1           US East (N. Virginia)
+       2.   us-west-1           US West (N. California)
+       3.   us-west-2           US West (Oregon)
+       4.   ap-south-1          Asia Pacific (Mumbai)
+       5.   ap-northeast-2      Asia Pacific (Seoul)
+       6.   ap-southeast-1      Asia Pacific (Singapore)
+       7.   ap-southeast-2      Asia Pacific (Sydney)
+       8.   ap-northeast-1      Asia Pacific (Tokyo)
+       9.   eu-central-1        EU (Frankfurt)
+       10.  eu-west-1           EU (Ireland)
+       11.  sa-east-1           South America (São Paulo)
+    default: "1"
+    private: no
 
-    - name: "region"
-      prompt: >
-        What region should the server be located in?
-         1.   us-east-1           US East (N. Virginia)
-         2.   us-west-1           US West (N. California)
-         3.   us-west-2           US West (Oregon)
-         4.   ap-south-1          Asia Pacific (Mumbai)
-         5.   ap-northeast-2      Asia Pacific (Seoul)
-         6.   ap-southeast-1      Asia Pacific (Singapore)
-         7.   ap-southeast-2      Asia Pacific (Sydney)
-         8.   ap-northeast-1      Asia Pacific (Tokyo)
-         9.   eu-central-1        EU (Frankfurt)
-         10.  eu-west-1           EU (Ireland)
-         11.  sa-east-1           South America (São Paulo)
-      default: "1"
-      private: no
+  - name: "aws_server_name"
+    prompt: "Name the vpn server:\n"
+    default: "algo.local"
+    private: no
 
-    - name: "aws_server_name"
-      prompt: "Name the vpn server:\n"
-      default: "algo.local"
-      private: no
+  - name: "ssh_public_key"
+    prompt: "Enter the local path to your SSH public key:\n"
+    default: "~/.ssh/id_rsa.pub"
+    private: no
 
-    - name: "ssh_public_key"
-      prompt: "Enter the local path to your SSH public key:\n"
-      default: "~/.ssh/id_rsa.pub"
-      private: no
+  - name: "dns_enabled"
+    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
+    default: "y"
+    private: no
 
-    - name: "dns_enabled"
-      prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n"
-      default: "Y"
-      private: no
-      
-    - name: "proxy_enabled"
-      prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n"
-      default: "Y"
-      private: no
+  - name: "proxy_enabled"
+    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
+    default: "y"
+    private: no
 
-    - name: "auditd_enabled"
-      prompt: "Do you want to use auditd ? (Y or N):\n"
-      default: "Y"
-      private: no
-    
-    - name: "ssh_tunneling_enabled"
-      prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
-      default: "Y"
-      private: no
-         
-    - name: "easyrsa_p12_export_password"
-      prompt: "Enter the password for p12 certificates:\n"
-      default: "vpn"
-      private: yes      
+  - name: "auditd_enabled"
+    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
+    default: "y"
+    private: no
+
+  - name: "ssh_tunneling_enabled"
+    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+    default: "y"
+    private: no
+
+  - name: "easyrsa_p12_export_password"
+    prompt: "Enter a password for p12 certificates:\n"
+    default: "vpn"
+    private: yes
 
   roles:
     - cloud-ec2
@@ -102,7 +101,7 @@
     - common
     - security
     - vpn
-    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
-    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
-    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
-    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" }     
+    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
+    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
diff --git a/gce.yml b/gce.yml
index ff1c5e9..b44ce86 100644
--- a/gce.yml
+++ b/gce.yml
@@ -1,3 +1,4 @@
+# vim:ft=ansible:
 - name: Configure the server and install required software
   hosts: localhost
   gather_facts: false
@@ -54,27 +55,27 @@
     private: no
 
   - name: "dns_enabled"
-    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
+    default: "y"
     private: no
-    
+
   - name: "proxy_enabled"
-    prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
+    default: "y"
     private: no
 
   - name: "auditd_enabled"
-    prompt: "Do you want to use auditd ? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
+    default: "y"
     private: no
-    
+
   - name: "ssh_tunneling_enabled"
-    prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
-    default: "Y"
+    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+    default: "y"
     private: no
-    
+
   - name: "easyrsa_p12_export_password"
-    prompt: "Enter the password for p12 certificates:\n"
+    prompt: "Enter a password for p12 certificates:\n"
     default: "vpn"
     private: yes
 
@@ -98,7 +99,7 @@
     - common
     - security
     - vpn
-    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
-    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
-    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
-    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" }     
+    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
+    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
diff --git a/non-cloud.yml b/non-cloud.yml
index 4ed42df..a823cca 100644
--- a/non-cloud.yml
+++ b/non-cloud.yml
@@ -1,47 +1,48 @@
+# vim:ft=ansible:
 - hosts: localhost
   gather_facts: False
   vars_files:
     - config.cfg
+
   vars_prompt:
+  - name: "server_ip"
+    prompt: "Enter IP address of your server: (use localhost for local installation)\n"
+    default: localhost
+    private: no
 
-    - name: "server_ip"
-      prompt: "Enter IP address of your server: (use localhost for local installation)\n"
-      default: localhost
-      private: no
+  - name: "server_user"
+    prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n"
+    default: "root"
+    private: no
 
-    - name: "server_user"
-      prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n"
-      default: "root"
-      private: no
+  - name: "dns_enabled"
+    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
+    default: "y"
+    private: no
 
-    - name: "dns_enabled"
-      prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n"
-      default: "Y"
-      private: no
-      
-    - name: "proxy_enabled"
-      prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n"
-      default: "Y"
-      private: no
+  - name: "proxy_enabled"
+    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
+    default: "y"
+    private: no
 
-    - name: "auditd_enabled"
-      prompt: "Do you want to use auditd ? (Y or N):\n"
-      default: "Y"
-      private: no
+  - name: "auditd_enabled"
+    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
+    default: "y"
+    private: no
+
+  - name: "ssh_tunneling_enabled"
+    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
+    default: "y"
+    private: no
+
+  - name: "easyrsa_p12_export_password"
+    prompt: "Enter a password for p12 certificates:\n"
+    default: "vpn"
+    private: yes
       
-    - name: "ssh_tunneling_enabled"
-      prompt: "Do you want to use SSH tunneling ? (Y or N):\n"
-      default: "Y"
-      private: no
-      
-    - name: "easyrsa_p12_export_password"
-      prompt: "Enter the password for p12 certificates:\n"
-      default: "vpn"
-      private: yes
-      
-    - name: "IP_subject"
-      prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
-      private: no
+  - name: "IP_subject"
+    prompt: "Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
+    private: no
 
   tasks:
     - name: Add the server to the vpn-host group
@@ -76,7 +77,7 @@
     - common
     - security
     - vpn
-    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" }
-    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" }
-    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
-    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" }     
+    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
+    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
+    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 9752cc8..dc17b89 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -33,7 +33,7 @@
 - name: SSH config
   template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
   notify:
-    - restart ssh    
+    - restart ssh
 
 - name: Disable MOTD on login and SSHD
   replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
@@ -70,7 +70,7 @@
   lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present
   notify:
     - restart loopback
-    
+
 - meta: flush_handlers
 
 - name: Enable packet forwarding for IPv4
diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml
index df0fc37..a37bf9c 100644
--- a/roles/dns_adblocking/tasks/main.yml
+++ b/roles/dns_adblocking/tasks/main.yml
@@ -8,24 +8,24 @@
   template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600
   notify:
     - restart dnsmasq
-  
+
 - name: The dnsmasq directory created
-  file: dest=/var/lib/dnsmasq state=directory mode=755 owner=dnsmasq group=nogroup
+  file: dest=/var/lib/dnsmasq state=directory mode=0755 owner=dnsmasq group=nogroup
 
 - name: Enforce the dnsmasq AppArmor policy
   shell: aa-enforce usr.sbin.dnsmasq
 
 - name: Ensure that the dnsmasq service directory exist
   file: path=/etc/systemd/system/dnsmasq.service.d/ state=directory mode=0755  owner=root group=root
-  
+
 - name: Setup the cgroup limitations for the ipsec daemon
   template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
   notify:
-    - daemon-reload    
+    - daemon-reload
     - restart dnsmasq
-    
-- meta: flush_handlers    
-  
+
+- meta: flush_handlers
+
 - name: Dnsmasq configured
   template: src=dnsmasq.conf.j2 dest=/etc/dnsmasq.conf
   notify:
@@ -35,7 +35,7 @@
   template: src=adblock.sh dest=/opt/adblock.sh owner=root group=root mode=0755
 
 - name: Adblock script added to cron
-  cron: 
+  cron:
     name: Adblock hosts update
     minute: 10
     hour: 2
diff --git a/roles/proxy/handlers/main.yml b/roles/proxy/handlers/main.yml
index bea23c7..a31941b 100644
--- a/roles/proxy/handlers/main.yml
+++ b/roles/proxy/handlers/main.yml
@@ -1,8 +1,8 @@
 - name: restart privoxy
   service: name=privoxy state=restarted
-  
+
 - name: daemon-reload
-  shell: systemctl daemon-reload  
+  shell: systemctl daemon-reload
 
 - name: restart apparmor
   service: name=apparmor state=restarted
diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index 1157a97..81dbcab 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -16,17 +16,17 @@
 
 - name: Enforce the privoxy AppArmor policy
   shell: aa-enforce usr.sbin.privoxy
-  
+
 - name: Ensure that the privoxy service directory exist
   file: path=/etc/systemd/system/privoxy.service.d/ state=directory mode=0755  owner=root group=root
-  
+
 - name: Setup the cgroup limitations for the privoxy daemon
   template: src=privoxy_100-CustomLimitations.conf.j2 dest=/etc/systemd/system/privoxy.service.d/100-CustomLimitations.conf
   notify:
-    - daemon-reload    
+    - daemon-reload
     - restart privoxy
-    
-- meta: flush_handlers    
+
+- meta: flush_handlers
 
 - name: Privoxy enabled and started
   service: name=privoxy state=started enabled=yes
@@ -70,14 +70,14 @@
   template: src=ports.conf.j2 dest=/etc/apache2/ports.conf
   notify:
     - restart apache2
-    
+
 - name: Ensure that the apache2 service directory exist
   file: path=/etc/systemd/system/apache2.service.d/ state=directory mode=0755  owner=root group=root
-  
+
 - name: Setup the cgroup limitations for the apache2 daemon
   template: src=apache2_100-CustomLimitations.conf.j2 dest=/etc/systemd/system/apache2.service.d/100-CustomLimitations.conf
   notify:
-    - daemon-reload    
+    - daemon-reload
     - restart apache2
-    
-- meta: flush_handlers    
+
+- meta: flush_handlers
diff --git a/roles/security/handlers/main.yml b/roles/security/handlers/main.yml
index f5fb1c9..ad1168b 100644
--- a/roles/security/handlers/main.yml
+++ b/roles/security/handlers/main.yml
@@ -1,8 +1,8 @@
 - name: restart rsyslog
   service: name=rsyslog state=restarted
-  
+
 - name: restart iptables
   service: name=netfilter-persistent state=restarted
-  
+
 - name: flush routing cache
   shell: echo 1 > /proc/sys/net/ipv4/route/flush
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
index 10d31eb..a528896 100644
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@@ -97,6 +97,6 @@
   template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
   with_items:
     - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
-    - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }  
+    - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
   notify:
     - restart iptables
diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml
index 7d87c7e..b78b19b 100644
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@@ -2,12 +2,12 @@
 
 - name: Ensure that the algo group exist
   group: name=algo state=present
-  
+
 - name: Ensure that the jail directory exist
-  file: path=/var/jail/ state=directory mode=0755  owner=root group=root  
-  
+  file: path=/var/jail/ state=directory mode=0755  owner=root group=root
+
 - name: Ensure that the SSH users exist
-  user: 
+  user:
     name: "{{ item }}"
     group: algo
     home: '/var/jail/{{ item }}'
@@ -17,5 +17,5 @@
     ssh_key_type: ecdsa
     ssh_key_bits: 521
     ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
-    state: present    
+    state: present
   with_items: "{{ users }}"
diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml
index c5dcdc9..3e1a70e 100644
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@@ -1,6 +1,11 @@
 - name: restart strongswan
+<<<<<<< Updated upstream
   service: name=strongswan state=restarted
   
+=======
+  service: name=strongswan state=restartedo
+
+>>>>>>> Stashed changes
 - name: daemon-reload
   shell: systemctl daemon-reload
 
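Review bot: Unresolved git conflict markers (`<<<<<<< Updated upstream`, `=======`, `>>>>>>> Stashed changes`) and a mistyped duplicate `state=restartedo` are committed here, which makes roles/vpn/handlers/main.yml invalid YAML and breaks every play that includes the vpn role — including the `daemon-reload` / `restart strongswan` notifications the rest of this series depends on. Only the upstream side should survive: the handler body is the single line `service: name=strongswan state=restarted`, with the three marker lines and the `restartedo` line removed. The blank line following it still carries trailing spaces, which is exactly what this commit is otherwise cleaning up.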
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 1592db4..1fe08b9 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -1,6 +1,6 @@
 - name: Gather Facts
   setup:
-  
+
 - name: Install StrongSwan
   apt: name=strongswan state=latest update_cache=yes
 
@@ -19,28 +19,28 @@
     - apparmor
     - strongswan
     - netfilter-persistent
- 
+
 - name: Ensure that the strongswan group exist
   group: name=strongswan state=present
-  
+
 - name: Ensure that the strongswan user exist
   user: name=strongswan group=strongswan state=present
-  
+
 - name: Ensure that the strongswan service directory exist
   file: path=/etc/systemd/system/strongswan.service.d/ state=directory mode=0755  owner=root group=root
-  
+
 - name: Setup the cgroup limitations for the ipsec daemon
   template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf
   notify:
-    - daemon-reload    
+    - daemon-reload
     - restart strongswan
-    
-- meta: flush_handlers    
-  
+
+- meta: flush_handlers
+
 - name: Setup the strongswan.conf file from our template
   template: src=strongswan.conf.j2 dest=/etc/strongswan.conf owner=root group=root mode=0644
   notify:
-    - restart strongswan  
+    - restart strongswan
 
 - name: Setup the ipsec.conf file from our template
   template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=0644
@@ -148,11 +148,11 @@
 - name: Fetch users mobileconfig
   fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
   with_items: "{{ users }}"
-    
+
 - name: Restrict permissions
   file: path="{{ item }}" state=directory mode=0700  owner=strongswan group=root
   with_items:
-    - /etc/ipsec.d/private  
+    - /etc/ipsec.d/private
 
 - name: Fetch server CA certificate
   fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes