diff --git a/README.md b/README.md
index f7424c2..9d74e9e 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,10 @@ Algo (short for "Al Gore", the **V**ice **P**resident of **N**etworks everywhere
 * python >= 2.6
 * [dopy=0.3.5](https://github.com/Wiredcraft/dopy)
 * [boto](https://github.com/boto/boto)
+* [azure >= 0.7.1](https://github.com/Azure/azure-sdk-for-python)
+* [apache-libcloud](https://github.com/apache/libcloud)
+* [libcloud](https://curl.haxx.se/docs/caextract.html) (for Mac OS)
+* [six](https://github.com/JioCloud/python-six)
 * SHell or BASH
 * libselinux-python (for RedHat based distros)
diff --git a/algo b/algo
index 781ee17..01523c0 100755
--- a/algo
+++ b/algo
@@ -5,17 +5,19 @@ algo_provisioning () {
   What provider would you like to use?
 
     1. DigitalOcean
     2. Amazon EC2
-    3. Local installation (non-cloud or a server already deployed)
+    3. Google-cloud
+    0. Local installation (non-cloud or a server already deployed)
 
-  Enter the number of your desired provider
-  : "
+Enter the number of your desired provider
+: "
   read N
 
   case "$N" in
     1) CLOUD="digitalocean" ;;
     2) CLOUD="ec2" ;;
-    3) CLOUD="non-cloud" ;;
+    3) CLOUD="google_cloud" ;;
+    0) CLOUD="non-cloud" ;;
     *) exit 1 ;;
   esac
 
diff --git a/azure.yml b/azure.yml
new file mode 100644
index 0000000..5e35b77
--- /dev/null
+++ b/azure.yml
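Review bot: Menu choice `3` changes meaning in the `case "$N"` block: it selected the local/non-cloud path before this commit and now sets `CLOUD="google_cloud"`, so any wrapper, script or document that pipes `3` into the prompt will now create a cloud instance instead of configuring a host the user already has. A comment above the `case` recording the renumbering, e.g. `# 0 = local install (was 3 before the Google Cloud entry was added)`, would make that visible to maintainers. The same commit adds an `azure.yml` playbook, but no menu entry or `CLOUD` value here reaches it, so it appears unreachable from `./algo`.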
@@ -0,0 +1,99 @@
+- name: Configure the server and install required software
+  hosts: localhost
+  gather_facts: false
+
+  vars:
+    regions:
+      "1": "East US"
+      "2": "West US"
+      "3": "South Central US"
+      "4": "North Europe"
+      "5": "East Asia"
+      "6": "Japan East"
+      "7": "West Europe"
+      "8": "Southeast Asia"
+      "9": "Japan West"
+      "10": "North Central US"
+      "11": "Central US"
+      "12": "Brazil South"
+      "13": "East US 2"
+      "14": "Australia Southeast"
+      "15": "Australia East"
+
+  #vars_prompt:
+  #- name: "azure_subscription_id"
+    #prompt: "Enter your subscription ID (https://blogs.msdn.microsoft.com/mschray/2015/05/13/getting-your-azure-guid-subscription-id/):\n"
+    #private: yes
+
+  #- name: "management_cert_path"
+    #prompt: "Enter the local path to your management cert [ex: ~/.ssh/id_rsa.pub] (https://azure.microsoft.com/en-us/documentation/articles/azure-api-management-certs/):\n"
+    #private: no
+
+  #- name: "ssh_public_key"
+    #prompt: "Enter the local path to your SSH public key [ex: ~/.ssh/id_rsa.pub] :\n"
+    #private: no
+
+  #- name: "region"
+    #prompt: >
+      #What region should the server be located in?
+      #1. East US
+      #2. West US
+      #3. South Central US
+      #4. North Europe
+      #5. East Asia
+      #6. Japan East
+      #7. West Europe
+      #8. Southeast Asia
+      #9. Japan West
+      #10. North Central US
+      #11. Central US
+      #12. Brazil South
+      #13. East US 2
+      #14. Australia Southeast
+      #15. Australia East
+      #Enter the number of your desired region:
+    #default: "7"
+    #private: no
+
+  #- name: "azure_server_name"
+    #prompt: "Name the vpn server:\n"
+    #default: "algo.local"
+    #private: no
+
+  #- name: "dns_enabled"
+    #prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n"
+    #default: "Y"
+    #private: no
+
+  #- name: "auditd_enabled"
+    #prompt: "Do you want to use auditd ? (Y or N):\n"
+    #default: "Y"
+    #private: no
+
+  roles:
+    - azure
+
+- name: Post-provisioning tasks
+  hosts: vpn-host
+  gather_facts: false
+  become: true
+  vars_files:
+    - config.cfg
+
+  pre_tasks:
+    - name: Install prerequisites
+      raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
+    - name: Configure defaults
+      raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
+
+  roles:
+    - common
+    - security
+    - features
+    - vpn
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
+
+
+
+
+
diff --git a/config.cfg b/config.cfg
index bfd3aa2..c17bbf4 100644
--- a/config.cfg
+++ b/config.cfg
@@ -30,6 +30,3 @@ users:
 # auditd options
 # email for auditd actions:
 auditd_action_mail_acct: email@example.com
-
-
-
diff --git a/digitalocean.yml b/digitalocean.yml
index 51bf1f2..ecd6262 100644
--- a/digitalocean.yml
+++ b/digitalocean.yml
@@ -94,7 +94,7 @@
       register: droplet_info
 
     - name: IPv6 configured
-      template: src=20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
+      template: src=roles/digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
       with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
       notify:
         - reload eth0
diff --git a/google_cloud.yml b/google_cloud.yml
new file mode 100644
index 0000000..504f82f
--- /dev/null
+++ b/google_cloud.yml
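Review bot: Every `vars_prompt` entry in the first play is commented out and the `azure` role it runs is an empty file elsewhere in this commit, so nothing defines `region`, `ssh_public_key` or `auditd_enabled` and nothing ever adds a host to `vpn-host`; the second play then matches no hosts and the run ends without provisioning anything. If this is intentionally a stub, a header such as `# WIP: not wired into ./algo yet; prompts are disabled and roles/azure is empty` would stop someone from treating it as a working provider. The disabled `management_cert_path` prompt also gives `~/.ssh/id_rsa.pub` as its example, which is an SSH public key rather than an Azure management certificate, so the example should be corrected before that prompt is re-enabled. The `raw:` pre_tasks prefix `sudo` even though the play already sets `become: true`; one of the two is redundant.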
@@ -0,0 +1,91 @@
+- name: Configure the server and install required software
+  hosts: localhost
+  gather_facts: false
+
+  vars:
+    zones:
+      "1": "us-central1-a"
+      "2": "us-central1-b"
+      "3": "us-central1-c"
+      "4": "us-central1-f"
+      "5": "us-east1-b"
+      "6": "us-east1-c"
+      "7": "us-east1-d"
+      "8": "europe-west1-b"
+      "9": "europe-west1-c"
+      "10": "europe-west1-d"
+      "11": "asia-east1-a"
+      "12": "asia-east1-b"
+      "13": "asia-east1-c"
+
+  vars_prompt:
+  - name: "credentials_file"
+    prompt: "Enter the local path to your credentials JSON file [ex: ~/gogle_cloud.json] (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):\n"
+    private: no
+
+  - name: "ssh_public_key"
+    prompt: "Enter the local path to your SSH public key [ex: ~/.ssh/id_rsa.pub] :\n"
+    private: no
+
+  - name: "zone"
+    prompt: >
+      What zone should the server be located in?
+      1. Central US (Iowa A)
+      2. Central US (Iowa B)
+      3. Central US (Iowa C)
+      4. Central US (Iowa F)
+      5. Eastern US (South Carolina B)
+      6. Eastern US (South Carolina C)
+      7. Eastern US (South Carolina D)
+      8. Western Europe (Belgium B)
+      9. Western Europe (Belgium C)
+      10. Western Europe (Belgium D)
+      11. East Asia (Taiwan A)
+      12. East Asia (Taiwan B)
+      13. East Asia (Taiwan C)
+      Please choose the number of your zone. Press enter for default (#8) zone.
+    default: "8"
+    private: no
+
+  - name: "server_name"
+    prompt: "Name the vpn server:\n"
+    default: "algo"
+    private: no
+
+  - name: "dns_enabled"
+    prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n"
+    default: "Y"
+    private: no
+
+  - name: "auditd_enabled"
+    prompt: "Do you want to use auditd ? (Y or N):\n"
+    default: "Y"
+    private: no
+
+  roles:
+    - google_cloud
+
+- name: Post-provisioning tasks
+  hosts: vpn-host
+  gather_facts: false
+  become: true
+  vars_files:
+    - config.cfg
+
+  pre_tasks:
+    - name: Install prerequisites
+      raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
+    - name: Configure defaults
+      raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
+
+  roles:
+    - common
+    - security
+    - features
+    - vpn
+    - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
+
+
+
+
+
diff --git a/roles/azure/handlers/main.yml b/roles/azure/handlers/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/azure/tasks/main.yml b/roles/azure/tasks/main.yml
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/roles/azure/tasks/main.yml
@@ -0,0 +1 @@
+
diff --git a/templates/10periodic.j2 b/roles/common/templates/10periodic.j2
similarity index 100%
rename from templates/10periodic.j2
rename to roles/common/templates/10periodic.j2
diff --git a/templates/50unattended-upgrades.j2 b/roles/common/templates/50unattended-upgrades.j2
similarity index 100%
rename from templates/50unattended-upgrades.j2
rename to roles/common/templates/50unattended-upgrades.j2
diff --git a/templates/20-ipv6.cfg.j2 b/roles/digitalocean/templates/20-ipv6.cfg.j2
similarity index 100%
rename from templates/20-ipv6.cfg.j2
rename to roles/digitalocean/templates/20-ipv6.cfg.j2
diff --git a/roles/features/tasks/main.yml b/roles/features/tasks/main.yml
index b305b80..8045981 100644
--- a/roles/features/tasks/main.yml
+++ b/roles/features/tasks/main.yml
@@ -93,7 +93,7 @@
     - restart dnsmasq
 
 - name: Adblock script created
-  copy: src=templates/adblock.sh dest=/opt/adblock.sh owner=root group=root mode=755
+  template: src=adblock.sh dest=/opt/adblock.sh owner=root group=root mode=755
   when: dns_enabled is defined and dns_enabled == "Y"
 
 - name: Adblock script added to cron
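Review bot: The `auditd_enabled == 'Y'` test on the logging role (and the `dns_enabled == "Y"` test the features role uses) is case-sensitive while the prompts only say `(Y or N)`, so a user who answers `y` silently gets no auditd logging and no DNS ad-blocking with no error reported; comparing `auditd_enabled | upper == 'Y'` in the `when`, and the same for `dns_enabled` where it is tested, accepts either case. The `credentials_file` example path reads `~/gogle_cloud.json`, which looks like a typo for `google_cloud.json`. That prompt should also say the file holds a service-account private key, since the path is echoed back (`private: no`) and the role that follows reads the whole file.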
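Review bot: Switching `copy` to `template` means adblock.sh is now rendered by Jinja2 before it lands in `/opt/adblock.sh`, so any `{{`, `{%` or `{#` in the script — including the shell length expansion `${#var}`, which Jinja reads as a comment opener — will fail to render or be silently altered; the script's contents are not in this diff, so this needs checking against the file. If the change was made only so that `src=adblock.sh` resolves from the role's own directory, the safer equivalent is to keep `copy:` and move the script to `roles/features/files/adblock.sh`, which `copy` resolves the same way without Jinja processing. Otherwise add a comment above the task, e.g. `# rendered as a Jinja2 template: keep {{, {% and ${#...} out of adblock.sh`, so the constraint is documented. The enclosing task list continues outside this hunk.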
diff --git a/templates/000-default.conf.j2 b/roles/features/templates/000-default.conf.j2
similarity index 100%
rename from templates/000-default.conf.j2
rename to roles/features/templates/000-default.conf.j2
diff --git a/templates/10-loopback-services.cfg.j2 b/roles/features/templates/10-loopback-services.cfg.j2
similarity index 100%
rename from templates/10-loopback-services.cfg.j2
rename to roles/features/templates/10-loopback-services.cfg.j2
diff --git a/templates/adblock.sh b/roles/features/templates/adblock.sh
similarity index 100%
rename from templates/adblock.sh
rename to roles/features/templates/adblock.sh
diff --git a/templates/dnsmasq.conf.j2 b/roles/features/templates/dnsmasq.conf.j2
similarity index 100%
rename from templates/dnsmasq.conf.j2
rename to roles/features/templates/dnsmasq.conf.j2
diff --git a/templates/pagespeed.conf.j2 b/roles/features/templates/pagespeed.conf.j2
similarity index 100%
rename from templates/pagespeed.conf.j2
rename to roles/features/templates/pagespeed.conf.j2
diff --git a/templates/ports.conf.j2 b/roles/features/templates/ports.conf.j2
similarity index 100%
rename from templates/ports.conf.j2
rename to roles/features/templates/ports.conf.j2
diff --git a/templates/privoxy_config.j2 b/roles/features/templates/privoxy_config.j2
similarity index 100%
rename from templates/privoxy_config.j2
rename to roles/features/templates/privoxy_config.j2
diff --git a/templates/usr.sbin.dnsmasq.j2 b/roles/features/templates/usr.sbin.dnsmasq.j2
similarity index 100%
rename from templates/usr.sbin.dnsmasq.j2
rename to roles/features/templates/usr.sbin.dnsmasq.j2
diff --git a/templates/usr.sbin.privoxy.j2 b/roles/features/templates/usr.sbin.privoxy.j2
similarity index 100%
rename from templates/usr.sbin.privoxy.j2
rename to roles/features/templates/usr.sbin.privoxy.j2
diff --git a/roles/google_cloud/handlers/main.yml b/roles/google_cloud/handlers/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/google_cloud/tasks/main.yml b/roles/google_cloud/tasks/main.yml
new file mode 100644
index 0000000..dbe5c6c
--- /dev/null
+++ b/roles/google_cloud/tasks/main.yml
@@ -0,0 +1,43 @@
+- set_fact:
+    credentials_file_lookup: "{{ lookup('file', '{{ credentials_file }}') }}"
+    ssh_public_key_lookup: "{{ lookup('file', '{{ ssh_public_key }}') }}"
+
+- name: "Creating a droplet..."
+  gce:
+    instance_names: "{{ server_name }}"
+    zone: "{{ zones[zone] }}"
+    machine_type: n1-standard-1
+    image: ubuntu-1604
+    service_account_email: "{{ credentials_file_lookup.client_email }}"
+    credentials_file: "{{ credentials_file }}"
+    project_id: "{{ credentials_file_lookup.project_id }}"
+    metadata: '{"sshKeys":"root:{{ ssh_public_key_lookup }}"}'
+  register: google_vm
+
+- name: Add the droplet to an inventory group
+  add_host:
+    name: "{{ google_vm.instance_data[0].public_ip}}"
+    groups: vpn-host
+    ansible_ssh_user: ubuntu
+    ansible_python_interpreter: "/usr/bin/python2.7"
+    dns_enabled: "{{ dns_enabled }}"
+    auditd_enabled: " {{ auditd_enabled }}"
+
+- name: Firewall configured
+  local_action:
+    module: gce_net
+    name: "{{ google_vm.instance_data[0].network }}"
+    fwname: "algo-ikev2"
+    allowed: "udp:500,4500;tcp:22"
+    state: "present"
+    src_range: 0.0.0.0/0
+    service_account_email: "{{ credentials_file_lookup.client_email }}"
+    credentials_file: "{{ credentials_file }}"
+    project_id: "{{ credentials_file_lookup.project_id }}"
+
+- name: Wait for SSH to become available
+  local_action: "wait_for port=22 host={{ google_vm.instance_data[0].public_ip }} timeout=320"
+
+
+
+
diff --git a/templates/audit.rules.j2 b/roles/logging/templates/audit.rules.j2
similarity index 100%
rename from templates/audit.rules.j2
rename to roles/logging/templates/audit.rules.j2
diff --git a/templates/auditd.conf.j2 b/roles/logging/templates/auditd.conf.j2
similarity index 100%
rename from templates/auditd.conf.j2
rename to roles/logging/templates/auditd.conf.j2
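Review bot: `auditd_enabled: " {{ auditd_enabled }}"` in the `add_host` task carries a leading space, so the host variable becomes `" Y"` and the play-level `auditd_enabled == 'Y'` test in google_cloud.yml never matches; the logging role is therefore skipped on every Google Cloud build, and the fix is `auditd_enabled: "{{ auditd_enabled }}"`. The first `set_fact` also copies the entire service-account JSON, which contains the account's `private_key`, into `credentials_file_lookup`, a fact that is printed under `-v` and persisted by fact caching; add `no_log: true` to that task and parse it explicitly with `| from_json` rather than relying on the string being coerced into a dict before `.client_email` is read. The instance metadata installs the SSH key for `root` while `add_host` connects as `ansible_ssh_user: ubuntu`, which looks like it would fail unless the image maps the two — worth confirming. The `gce_net` rule also opens `tcp:22` to `0.0.0.0/0` alongside the IKEv2 ports; restricting SSH to the operator's address, or at least a comment explaining why it is world-reachable, would be prudent.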
diff --git a/templates/CIS.conf.j2 b/roles/security/templates/CIS.conf.j2
similarity index 100%
rename from templates/CIS.conf.j2
rename to roles/security/templates/CIS.conf.j2
diff --git a/templates/rsyslog.conf.j2 b/roles/security/templates/rsyslog.conf.j2
similarity index 100%
rename from templates/rsyslog.conf.j2
rename to roles/security/templates/rsyslog.conf.j2
diff --git a/templates/easy-rsa.vars.j2 b/roles/vpn/templates/easy-rsa.vars.j2
similarity index 100%
rename from templates/easy-rsa.vars.j2
rename to roles/vpn/templates/easy-rsa.vars.j2
diff --git a/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2
similarity index 100%
rename from templates/ipsec.conf.j2
rename to roles/vpn/templates/ipsec.conf.j2
diff --git a/templates/ipsec.secrets.j2 b/roles/vpn/templates/ipsec.secrets.j2
similarity index 100%
rename from templates/ipsec.secrets.j2
rename to roles/vpn/templates/ipsec.secrets.j2
diff --git a/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2
similarity index 100%
rename from templates/mobileconfig.j2
rename to roles/vpn/templates/mobileconfig.j2
diff --git a/users.yml b/users.yml
index f995cd4..e2060a4 100644
--- a/users.yml
+++ b/users.yml
@@ -82,7 +82,7 @@
       register: PayloadContentCA
 
     - name: Build the mobileconfigs
-      template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
+      template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
       with_together:
         - "{{ users }}"
         - "{{ PayloadContent.results }}"