From d58a7b484d412ec4f2da29ca198931d7689fe9ad Mon Sep 17 00:00:00 2001
From: Dan Guido
Date: Sat, 30 Jul 2016 13:26:30 -0400
Subject: [PATCH] miscelllaneous cleanups

---
 cloud.yml | 12 +++++++-----
 common.yml | 6 +++---
 config.cfg | 5 -----
 inventory_users | 2 +-
 security.yml | 4 ++--
 users.yml | 4 ++--
 vpn.yml | 2 +-
 7 files changed, 16 insertions(+), 19 deletions(-)

diff --git a/cloud.yml b/cloud.yml
index db10f15..50b1e48 100644
--- a/cloud.yml
+++ b/cloud.yml
@@ -11,8 +11,9 @@
 "6": "nyc2"
 "7": "nyc3"
 "8": "sfo1"
- "9": "sgp1"
- "10": "tor1"
+ "9": "sfo2"
+ "10": "sgp1"
+ "11": "tor1"
 
 vars_prompt:
 - name: "do_access_token"
@@ -33,9 +34,10 @@
 5. New York (Datacenter 1)
 6. New York (Datacenter 2)
 7. New York (Datacenter 3)
- 8. San Francisco
- 9. Singapore
- 10. Toronto
+ 8. San Francisco (Datacenter 1)
+ 9. San Francisco (Datacenter 2)
+ 10. Singapore
+ 11. Toronto
 Please choose the number of your region. Press enter for default (#7) region.
 default: "7"
 private: no
diff --git a/common.yml b/common.yml
index a567270..2947b16 100644
--- a/common.yml
+++ b/common.yml
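Review bot: The number-to-slug map in the first hunk and the numbered prompt text in the second are maintained by hand and have to stay in step; this renumbering moves Singapore and Toronto, so the default of `"7"` still resolves to nyc3 but anyone typing the old number for Singapore now gets a different datacenter. A comment above the map, such as `# Keys must match the numbering in the do_region prompt below`, would make that coupling visible to the next editor. The enclosing vars block starts above the first hunk, so the comment would sit just before the first region entry.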
@@ -49,9 +49,9 @@
 - { regexp: '^PasswordAuthentication.*', line: 'PasswordAuthentication no', file: '/etc/ssh/sshd_config' }
 - { regexp: '^PermitRootLogin.*', line: 'PermitRootLogin without-password', file: '/etc/ssh/sshd_config' }
 - { regexp: '^UseDNS.*', line: 'UseDNS no', file: '/etc/ssh/sshd_config' }
- - { regexp: '^Ciphers', line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr', file: '/etc/ssh/sshd_config' }
- - { regexp: '^MACs', line: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160', file: '/etc/ssh/sshd_config' }
- - { regexp: '^KexAlgorithms', line: 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1', file: '/etc/ssh/sshd_config' }
+ - { regexp: '^Ciphers', line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com', file: '/etc/ssh/sshd_config' }
+ - { regexp: '^MACs', line: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256', file: '/etc/ssh/sshd_config' }
+ - { regexp: '^KexAlgorithms', line: 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1', file: '/etc/ssh/sshd_config' }
 notify:
 - restart ssh
 
diff --git a/config.cfg b/config.cfg
index c423361..e69a907 100644
--- a/config.cfg
+++ b/config.cfg
@@ -1,10 +1,5 @@
 ---
 
-#
-# IKEv2 currently supports only the following three curves:
-# prime256v1
-# secp384r1
-# secp521r1
 easyrsa_dir: /opt/easy-rsa-ipsec
 easyrsa_ca_expire: 3650
 easyrsa_cert_expire: 3650
diff --git a/inventory_users b/inventory_users
index 0c0dd27..cafed48 100644
--- a/inventory_users
+++ b/inventory_users
@@ -1 +1 @@
-[users-management]
+[user-management]
diff --git a/security.yml b/security.yml
index 449645a..d509940 100644
--- a/security.yml
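Review bot: The new KexAlgorithms item still lists `diffie-hellman-group14-sha1` while the commit removes the other SHA-1 method, `diffie-hellman-group-exchange-sha1`, so the hardening is applied inconsistently; either drop it too (`KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256`) or keep it with a comment above the item such as `# group14-sha1 retained for older clients; remove once they are no longer needed`. Removing the CTR ciphers and the SHA-1 group-exchange method also narrows which clients can connect, and the `restart ssh` handler in the trailing context applies the new lists immediately, so the task deserves a comment naming that trade-off. The lineinfile task these items belong to begins above the hunk; passing `validate: '/usr/sbin/sshd -t -f %s'` on it would keep a config sshd rejects from ever reaching the restart handler. Since lineinfile appends a directive at end of file when its regexp matches nothing, these three directives could land inside an active trailing `Match` block on a non-stock sshd_config, where sshd does not accept them; an `insertbefore: '^Match'` on the task would avoid that, though whether such a block exists on the targets cannot be seen from here.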
+++ b/security.yml
@@ -101,12 +101,12 @@
 notify:
 - flush routing cache
 
- - name: Enable Bad Error Message Protection (Scored)
+ - name: Enable Bad Error Message Protection
 sysctl: name=net.ipv4.icmp_ignore_bogus_error_responses value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present
 notify:
 - flush routing cache
 
- - name: Enable RFC-recommended Source Route Validation (Scored)
+ - name: Enable RFC-recommended Source Route Validation
 sysctl: name="{{item}}" value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present
 with_items:
 - net.ipv4.conf.all.rp_filter
diff --git a/users.yml b/users.yml
index 2b68ad9..06789b1 100644
--- a/users.yml
+++ b/users.yml
@@ -1,7 +1,7 @@
 ---
 
-- name: Users management
- hosts: users-management
+- name: User management
+ hosts: user-management
 gather_facts: false
 remote_user: root
 vars_files:
diff --git a/vpn.yml b/vpn.yml
index 6abd9f1..0913faf 100644
--- a/vpn.yml
+++ b/vpn.yml
@@ -52,7 +52,7 @@
 - name: Build the pki enviroments
 shell: >
 ./easyrsa init-pki &&
- touch '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'
+ touch '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'
 args:
 chdir: '{{ easyrsa_dir }}/easyrsa3/'
 creates: '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'