wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-04-11 19:57:09 +02:00
Code Issues Projects Releases Wiki Activity

Change default SSH port and introduce cloud-init support (#1636)

Browse source 
* Change default SSH port

* Iptables to ansible_ssh_port

* Add Scaleway

* permissions and groups fixes

* update firewall docs

* SSH fixes

* add missing cloudinit to cloud-azure

* remove ansible_ssh_user from the tests

* congrats message fix
This commit is contained in:
Jack Ivanov 2020-01-07 14:28:19 +01:00 committed by GitHub
parent b66c9f59aa
commit d635c76b50
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
25 changed files with 229 additions and 96 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
README.md
View file

@ -96,7 +96,7 @@ You can now set up clients to connect to your VPN. Proceed to [Configure the VPN
"# Local DNS resolver 172.16.0.1 #"
"# The p12 and SSH keys password for new users is XXXXXXXX #"
"# The CA key password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX #"
"# Shell access: ssh -i configs/algo.pem root@xxx.xxx.xx.xx #"
"# Shell access: ssh -F configs/<server_ip>/ssh_config algo #"
```
## Configure the VPN Clients
@ -151,17 +151,17 @@ Depending on the platform, you may need one or multiple of the following files.
If you turned on the optional SSH tunneling role, then local user accounts will be created for each user in `config.cfg` and SSH authorized_key files for them will be in the `configs` directory (user.ssh.pem). SSH user accounts do not have shell access, cannot authenticate with a password, and only have limited tunneling options (e.g., `ssh -N` is required). This ensures that SSH users have the least access required to setup a tunnel and can perform no other actions on the Algo server.
Use the example command below to start an SSH tunnel by replacing `user` and `ip` with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through the Algo server.
Use the example command below to start an SSH tunnel by replacing `<user>` and `<ip>` with your own. Once the tunnel is setup, you can configure a browser or other application to use 127.0.0.1:1080 as a SOCKS proxy to route traffic through the Algo server.
`ssh -D 127.0.0.1:1080 -f -q -C -N user@ip -i configs/<server_ip>/ssh-tunnel/<user>.pem`
`ssh -D 127.0.0.1:1080 -f -q -C -N <user>@algo -i configs/<ip>/ssh-tunnel/<user>.pem -F configs/<ip>/ssh_config`
## SSH into Algo Server
Your Algo server is configured for key-only SSH access for administrative purposes. Open the Terminal app, `cd` into the `algo-master` directory where you originally downloaded Algo, and then use the command listed on the success message:
`ssh -i configs/algo.pem user@ip`
`ssh -F configs/<ip>/ssh_config algo`
where `user` is either `root` or `ubuntu` as listed on the success message, and `ip` is the IP address of your Algo server. If you find yourself regularly logging into the server then it will be useful to load your Algo ssh key automatically. Add the following snippet to the bottom of `~/.bash_profile` to add it to your shell environment permanently.
where `<ip>` is the IP address of your Algo server. If you find yourself regularly logging into the server then it will be useful to load your Algo ssh key automatically. Add the following snippet to the bottom of `~/.bash_profile` to add it to your shell environment permanently.
`ssh-add ~/.ssh/algo > /dev/null 2>&1`

8
config.cfg
View file

@ -11,6 +11,10 @@ users:
### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
# Change default SSH port for the cloud roles only
# It doesn't apply if you deploy to your existing Ubuntu Server
ssh_port: 4160
# Deploy StrongSwan to enable IPsec support
ipsec_enabled: true
@ -94,7 +98,7 @@ dns_servers:
# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
pki_in_tmpfs: true
# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users.
# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users.
keys_clean_all: false
# StrongSwan log level
@ -134,7 +138,7 @@ congrats:
ca_key_pass: |
"# The CA key password is {{ CA_password|default(omit) }} #"
ssh_access: |
"# Shell access: ssh -i {{ ansible_ssh_private_key_file|default(omit) }} {{ ansible_ssh_user|default(omit) }}@{{ ansible_ssh_host|default(omit) }} #"
"# Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config algo #"
SSH_keys:
comment: algo@ssh

2
docs/faq.md
View file

@ -81,7 +81,7 @@ No.
## What inbound ports are used?
You should only need 22/TCP, 500/UDP, 4500/UDP, and 51820/UDP opened on any firewall that sits between your clients and your Algo server. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information.
You should only need 4160/TCP, 500/UDP, 4500/UDP, and 51820/UDP opened on any firewall that sits between your clients and your Algo server. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information.
## How do I monitor user activity?

2
docs/firewalls.md
View file

@ -24,7 +24,7 @@ Any external firewall must be configured to pass the following incoming ports ov
Port | Protocol | Description | Related variables in `config.cfg`
---- | -------- | ----------- | ---------------------------------
22 | TCP | Secure Shell (SSH) | None
4160 | TCP | Secure Shell (SSH) | `ssh_port`
500 | UDP | IPsec IKEv2 | `ipsec_enabled`
4500 | UDP | IPsec NAT-T | `ipsec_enabled`
51820 | UDP | WireGuard | `wireguard_enabled`, `wireguard_port`

19
files/cloud-init/base.sh Normal file
View file

@ -0,0 +1,19 @@
#!/bin/bash
set -eux
apt-get update -y
apt-get install sudo -y
getent passwd algo || useradd -m -d /home/algo -s /bin/bash -G adm,netdev -p '!' algo
(umask 337 && echo "algo ALL=(ALL) NOPASSWD:ALL" >/etc/sudoers.d/10-algo-user)
cat <<EOF >/etc/ssh/sshd_config
{{ lookup('template', 'files/cloud-init/sshd_config') }}
EOF
test -d /home/algo/.ssh || (umask 077 && sudo -u algo mkdir -p /home/algo/.ssh/)
echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" | (umask 177 && sudo -u algo tee /home/algo/.ssh/authorized_keys)
sudo apt-get remove -y --purge sshguard || true
systemctl restart sshd.service

29
files/cloud-init/base.yml Normal file
View file

@ -0,0 +1,29 @@
#cloud-config
output: {all: '| tee -a /var/log/cloud-init-output.log'}
package_update: true
package_upgrade: true
packages:
- sudo
users:
- default
- name: algo
homedir: /home/algo
sudo: ALL=(ALL) NOPASSWD:ALL
groups: adm,netdev
shell: /bin/bash
lock_passwd: true
ssh_authorized_keys:
- "{{ lookup('file', '{{ SSH_keys.public }}') }}"
write_files:
- path: /etc/ssh/sshd_config
content: |
{{ lookup('template', 'files/cloud-init/sshd_config') | indent(width=6) }}
runcmd:
- set -x
- sudo apt-get remove -y --purge sshguard || true
- systemctl restart sshd.service

10
files/cloud-init/sshd_config Normal file
View file

@ -0,0 +1,10 @@
Port {{ ssh_port }}
AllowGroups algo
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

13
playbooks/cloud-post.yml
View file

@ -8,7 +8,8 @@
name: "{% if cloud_instance_ip == 'localhost' %}localhost{% else %}{{ cloud_instance_ip }}{% endif %}"
groups: vpn-host
ansible_connection: "{% if cloud_instance_ip == 'localhost' %}local{% else %}ssh{% endif %}"
ansible_ssh_user: "{{ ansible_ssh_user }}"
ansible_ssh_user: "{{ ansible_ssh_user|default('root') }}"
ansible_ssh_port: "{{ ansible_ssh_port|default(22) }}"
ansible_python_interpreter: "/usr/bin/python3"
algo_provider: "{{ algo_provider }}"
algo_server_name: "{{ algo_server_name }}"
@ -19,6 +20,7 @@
algo_ssh_tunneling: "{{ algo_ssh_tunneling }}"
algo_store_pki: "{{ algo_store_pki }}"
IP_subject_alt_name: "{{ IP_subject_alt_name }}"
cloudinit: "{{ cloudinit|default(false) }}"
- name: Additional variables for the server
add_host:
@ -28,7 +30,7 @@
- name: Wait until SSH becomes ready...
wait_for:
port: 22
port: "{{ ansible_ssh_port|default(22) }}"
host: "{{ cloud_instance_ip }}"
search_regex: "OpenSSH"
delay: 10
@ -47,6 +49,7 @@
- debug:
var: IP_subject_alt_name
- name: A short pause, in order to be sure the instance is ready
pause:
seconds: 20
- name: Wait 600 seconds for target connection to become reachable/usable
wait_for_connection:
delegate_to: "{{ item }}"
loop: "{{ groups['vpn-host'] }}"

15
roles/cloud-azure/files/deployment.json
View file

@ -13,6 +13,12 @@
},
"imageReferenceSku": {
"type": "string"
},
"SshPort": {
"type": "int"
},
"UserData": {
"type": "string"
}
},
"variables": {
@ -30,10 +36,10 @@
{
"name": "AllowSSH",
"properties": {
"description": "Locks inbound down to ssh default port 22.",
"description": "Allow SSH",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "22",
"destinationPortRange": "[parameters('SshPort')]",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
@ -160,13 +166,14 @@
},
"osProfile": {
"computerName": "[resourceGroup().name]",
"adminUsername": "ubuntu",
"customData": "[parameters('UserData')]",
"adminUsername": "algo",
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "/home/ubuntu/.ssh/authorized_keys",
"path": "/home/algo/.ssh/authorized_keys",
"keyData": "[parameters('sshKeyData')]"
}
]

8
roles/cloud-azure/tasks/main.yml
View file

@ -31,8 +31,14 @@
value: "{{ cloud_providers.azure.size }}"
imageReferenceSku:
value: "{{ cloud_providers.azure.image }}"
SshPort:
value: "{{ ssh_port }}"
UserData:
value: "{{ lookup('template', 'files/cloud-init/base.yml') | b64encode }}"
register: azure_rm_deployment
- set_fact:
cloud_instance_ip: "{{ azure_rm_deployment.deployment.outputs.publicIPAddresses.value }}"
ansible_ssh_user: ubuntu
ansible_ssh_user: algo
ansible_ssh_port: "{{ ssh_port }}"
cloudinit: true

15
roles/cloud-cloudstack/tasks/main.yml
View file

@ -26,38 +26,33 @@
end_port: "{{ item.end_port }}"
cidr: "{{ item.range }}"
with_items:
- { proto: tcp, start_port: 22, end_port: 22, range: 0.0.0.0/0 }
- { proto: tcp, start_port: '{{ ssh_port }}', end_port: '{{ ssh_port }}', range: 0.0.0.0/0 }
- { proto: udp, start_port: 4500, end_port: 4500, range: 0.0.0.0/0 }
- { proto: udp, start_port: 500, end_port: 500, range: 0.0.0.0/0 }
- { proto: udp, start_port: "{{ wireguard_port }}", end_port: "{{ wireguard_port }}", range: 0.0.0.0/0 }
- name: Keypair created
cs_sshkeypair:
name: "{{ SSH_keys.comment|regex_replace('@', '_') }}"
public_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
register: cs_keypair
- name: Set facts
set_fact:
image_id: "{{ cloud_providers.cloudstack.image }}"
size: "{{ cloud_providers.cloudstack.size }}"
disk: "{{ cloud_providers.cloudstack.disk }}"
keypair_name: "{{ cs_keypair.name }}"
- name: Server created
cs_instance:
name: "{{ algo_server_name }}"
root_disk_size: "{{ disk }}"
template: "{{ image_id }}"
ssh_key: "{{ keypair_name }}"
security_groups: "{{ cs_security_group.name }}"
zone: "{{ algo_region }}"
service_offering: "{{ size }}"
user_data: "{{ lookup('template', 'files/cloud-init/base.yml') }}"
register: cs_server
- set_fact:
cloud_instance_ip: "{{ cs_server.default_ip }}"
ansible_ssh_user: ubuntu
ansible_ssh_user: algo
ansible_ssh_port: "{{ ssh_port }}"
cloudinit: true
environment:
CLOUDSTACK_CONFIG: "{{ algo_cs_config }}"
CLOUDSTACK_REGION: "{{ algo_cs_region }}"

5
roles/cloud-digitalocean/tasks/main.yml
View file

@ -21,10 +21,13 @@
unique_name: true
ipv6: true
ssh_keys: "{{ do_ssh_key.data.ssh_key.id }}"
user_data: "{{ lookup('template', 'files/cloud-init/base.yml') }}"
tags:
- Environment:Algo
register: digital_ocean_droplet
- set_fact:
cloud_instance_ip: "{{ digital_ocean_droplet.data.ip_address }}"
ansible_ssh_user: root
ansible_ssh_user: algo
ansible_ssh_port: "{{ ssh_port }}"
cloudinit: true

28
roles/cloud-ec2/files/stack.yaml
View file

@ -16,6 +16,10 @@ Parameters:
Default: ''
EbsEncrypted:
Type: String
UserData:
Type: String
SshPort:
Type: String
Conditions:
AllocateNewEIP: !Equals [!Ref UseThisElasticIP, '']
AssociateExistingEIP: !Not [!Equals [!Ref UseThisElasticIP, '']]
@ -123,8 +127,8 @@ Resources:
GroupDescription: Enable SSH and IPsec
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
FromPort: !Ref SshPort
ToPort: !Ref SshPort
CidrIp: 0.0.0.0/0
- IpProtocol: udp
FromPort: '500'
@ -148,16 +152,6 @@ Resources:
- SubnetIPv6
- Subnet
- InstanceSecurityGroup
Metadata:
AWS::CloudFormation::Init:
config:
files:
/home/ubuntu/.ssh/authorized_keys:
content:
Ref: PublicSSHKeyParameter
mode: "000644"
owner: "ubuntu"
group: "ubuntu"
Properties:
InstanceType:
Ref: InstanceTypeParameter
@ -174,15 +168,7 @@ Resources:
Ref: ImageIdParameter
SubnetId: !Ref Subnet
Ipv6AddressCount: 1
UserData:
"Fn::Base64":
!Sub |
#!/bin/bash -xe
apt-get update
apt-get -y install python-pip
pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz
cfn-init -v --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region}
cfn-signal -e $? --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region}
UserData: !Ref UserData
Tags:
- Key: Name
Value: !Ref AWS::StackName

2
roles/cloud-ec2/tasks/cloudformation.yml
View file

@ -14,6 +14,8 @@
WireGuardPort: "{{ wireguard_port }}"
UseThisElasticIP: "{{ existing_eip }}"
EbsEncrypted: "{{ encrypted }}"
UserData: "{{ lookup('template', 'files/cloud-init/base.yml') | b64encode }}"
SshPort: "{{ ssh_port }}"
tags:
Environment: Algo
register: stack

4
roles/cloud-ec2/tasks/main.yml
View file

@ -24,4 +24,6 @@
- set_fact:
cloud_instance_ip: "{{ stack.stack_outputs.ElasticIP }}"
ansible_ssh_user: ubuntu
ansible_ssh_user: algo
ansible_ssh_port: "{{ ssh_port }}"
cloudinit: true

12
roles/cloud-gce/tasks/main.yml
View file

@ -32,7 +32,7 @@
- '{{ wireguard_port|string }}'
- ip_protocol: tcp
ports:
- '22'
- '{{ ssh_port }}'
- ip_protocol: icmp
- block:
@ -64,10 +64,8 @@
initialize_params:
source_image: "projects/ubuntu-os-cloud/global/images/family/{{ cloud_providers.gce.image }}"
metadata:
ssh-keys: "ubuntu:{{ ssh_public_key_lookup }}"
user-data: |
#!/bin/bash
sudo apt-get remove -y --purge sshguard
ssh-keys: "algo:{{ ssh_public_key_lookup }}"
user-data: "{{ lookup('template', 'files/cloud-init/base.yml') }}"
network_interfaces:
- network: "{{ gcp_compute_network }}"
access_configs:
@ -81,4 +79,6 @@
- set_fact:
cloud_instance_ip: "{{ gcp_compute_instance.networkInterfaces[0].accessConfigs[0].natIP }}"
ansible_ssh_user: ubuntu
ansible_ssh_user: algo
ansible_ssh_port: "{{ ssh_port }}"
cloudinit: true

5
roles/cloud-hetzner/tasks/main.yml
View file

@ -22,10 +22,13 @@
state: present
api_token: "{{ algo_hcloud_token }}"
ssh_keys: "{{ hcloud_ssh_key.hcloud_ssh_key.name }}"
user_data: "{{ lookup('template', 'files/cloud-init/base.yml') }}"
labels:
Environment: algo
register: hcloud_server
- set_fact:
cloud_instance_ip: "{{ hcloud_server.hcloud_server.ipv4_address }}"
ansible_ssh_user: root
ansible_ssh_user: algo
ansible_ssh_port: "{{ ssh_port }}"
cloudinit: true

15
roles/cloud-lightsail/tasks/main.yml
View file

@ -17,6 +17,9 @@
bundle_id: "{{ cloud_providers.lightsail.size }}"
wait_timeout: "300"
open_ports:
- from_port: "{{ ssh_port }}"
to_port: "{{ ssh_port }}"
protocol: tcp
- from_port: 4500
to_port: 4500
protocol: udp
@ -27,15 +30,11 @@
to_port: "{{ wireguard_port }}"
protocol: udp
user_data: |
#!/bin/bash
mkdir -p /home/ubuntu/.ssh/
echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" >> /home/ubuntu/.ssh/authorized_keys
chown -R ubuntu: /home/ubuntu/.ssh/
chmod 0700 /home/ubuntu/.ssh/
chmod 0600 /home/ubuntu/.ssh/*
test
{{ lookup('template', 'files/cloud-init/base.sh') }}
register: algo_instance
- set_fact:
cloud_instance_ip: "{{ algo_instance['instance']['public_ip_address'] }}"
ansible_ssh_user: ubuntu
ansible_ssh_user: algo
ansible_ssh_port: "{{ ssh_port }}"
cloudinit: true

26
roles/cloud-openstack/tasks/main.yml
View file

@ -22,26 +22,26 @@
port_range_max: "{{ item.port_max }}"
remote_ip_prefix: "{{ item.range }}"
with_items:
- { proto: tcp, port_min: 22, port_max: 22, range: 0.0.0.0/0 }
- { proto: tcp, port_min: '{{ ssh_port }}', port_max: '{{ ssh_port }}', range: 0.0.0.0/0 }
- { proto: icmp, port_min: -1, port_max: -1, range: 0.0.0.0/0 }
- { proto: udp, port_min: 4500, port_max: 4500, range: 0.0.0.0/0 }
- { proto: udp, port_min: 500, port_max: 500, range: 0.0.0.0/0 }
- { proto: udp, port_min: "{{ wireguard_port }}", port_max: "{{ wireguard_port }}", range: 0.0.0.0/0 }
- name: Keypair created
os_keypair:
state: "{{ state|default('present') }}"
name: "{{ SSH_keys.comment|regex_replace('@', '_') }}"
public_key_file: "{{ SSH_keys.public }}"
register: os_keypair
- name: Gather facts about flavors
os_flavor_facts:
ram: "{{ cloud_providers.openstack.flavor_ram }}"
- name: Gather facts about images
os_image_facts:
image: "{{ cloud_providers.openstack.image }}"
- name: Set image as a fact
set_fact:
image_id: "{{ item.id }}"
loop: "{{ openstack_image }}"
when:
- item.name == cloud_providers.openstack.image
- item.status == "active"
- name: Gather facts about public networks
os_networks_facts:
@ -58,8 +58,6 @@
- name: Set facts
set_fact:
flavor_id: "{{ (openstack_flavors | sort(attribute='ram'))[0]['id'] }}"
image_id: "{{ openstack_image['id'] }}"
keypair_name: "{{ os_keypair.key.name }}"
security_group_name: "{{ os_security_group['secgroup']['name'] }}"
- name: Server created
@ -68,12 +66,14 @@
name: "{{ algo_server_name }}"
image: "{{ image_id }}"
flavor: "{{ flavor_id }}"
key_name: "{{ keypair_name }}"
security_groups: "{{ security_group_name }}"
userdata: "{{ lookup('template', 'files/cloud-init/base.yml') }}"
nics:
- net-id: "{{ public_network_id }}"
register: os_server
- set_fact:
cloud_instance_ip: "{{ os_server['openstack']['public_v4'] }}"
ansible_ssh_user: ubuntu
ansible_ssh_user: algo
ansible_ssh_port: "{{ ssh_port }}"
cloudinit: true

31
roles/cloud-scaleway/tasks/main.yml
View file

@ -21,6 +21,33 @@
{%- endfor -%}]
- name: Create a server
scaleway_compute:
name: "{{ algo_server_name }}"
enable_ipv6: true
public_ip: dynamic
boot_type: local
state: present
image: "{{ images[0] }}"
organization: "{{ organization_id }}"
region: "{{ algo_region }}"
commercial_type: "{{ cloud_providers.scaleway.size }}"
wait: true
tags:
- Environment:Algo
- AUTHORIZED_KEY={{ lookup('file', SSH_keys.public)|regex_replace(' ', '_') }}
register: scaleway_compute
- name: Patch the cloud-init
uri:
url: "https://cp-{{ region }}.scaleway.com/servers/{{ scaleway_compute.msg.id }}/user_data/cloud-init"
method: PATCH
body: "{{ lookup('template', 'files/cloud-init/base.yml') }}"
status_code: 204
headers:
Content-Type: "text/plain"
X-Auth-Token: "{{ algo_scaleway_token }}"
- name: Start the server
scaleway_compute:
name: "{{ algo_server_name }}"
enable_ipv6: true
@ -44,4 +71,6 @@
- set_fact:
cloud_instance_ip: "{{ algo_instance.msg.public_ip.address }}"
ansible_ssh_user: root
ansible_ssh_user: algo
ansible_ssh_port: "{{ ssh_port }}"
cloudinit: true

24
roles/cloud-vultr/tasks/main.yml
View file

@ -3,12 +3,6 @@
import_tasks: prompts.yml
- block:
- name: Upload the SSH key
vultr_ssh_key:
name: "{{ SSH_keys.comment }}"
ssh_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
register: ssh_key
- name: Creating a firewall group
vultr_firewall_group:
name: "{{ algo_server_name }}"
@ -21,8 +15,8 @@
ip_version: "{{ item.ip }}"
cidr: "{{ item.cidr }}"
with_items:
- { protocol: tcp, port: 22, ip: v4, cidr: "0.0.0.0/0" }
- { protocol: tcp, port: 22, ip: v6, cidr: "::/0" }
- { protocol: tcp, port: "{{ ssh_port }}", ip: v4, cidr: "0.0.0.0/0" }
- { protocol: tcp, port: "{{ ssh_port }}", ip: v6, cidr: "::/0" }
- { protocol: udp, port: 500, ip: v4, cidr: "0.0.0.0/0" }
- { protocol: udp, port: 500, ip: v6, cidr: "::/0" }
- { protocol: udp, port: 4500, ip: v4, cidr: "0.0.0.0/0" }
@ -30,9 +24,18 @@
- { protocol: udp, port: "{{ wireguard_port }}", ip: v4, cidr: "0.0.0.0/0" }
- { protocol: udp, port: "{{ wireguard_port }}", ip: v6, cidr: "::/0" }
- name: Upload the startup script
vultr_startup_script:
name: algo-startup
script: |
{{ lookup('template', 'files/cloud-init/base.sh') }}
mkdir -p /var/lib/cloud/data/ || true
touch /var/lib/cloud/data/result.json
- name: Creating a server
vultr_server:
name: "{{ algo_server_name }}"
startup_script: algo-startup
hostname: "{{ algo_server_name }}"
os: "{{ cloud_providers.vultr.os }}"
plan: "{{ cloud_providers.vultr.size }}"
@ -40,7 +43,6 @@
firewall_group: "{{ algo_server_name }}"
state: started
tag: Environment:Algo
ssh_key: "{{ ssh_key.vultr_ssh_key.name }}"
ipv6_enabled: true
auto_backup_enabled: false
notify_activate: false
@ -48,7 +50,9 @@
- set_fact:
cloud_instance_ip: "{{ vultr_server.vultr_server.v4_main_ip }}"
ansible_ssh_user: root
ansible_ssh_user: algo
ansible_ssh_port: "{{ ssh_port }}"
cloudinit: true
environment:
VULTR_API_CONFIG: "{{ algo_vultr_config }}"

4
roles/common/templates/rules.v4.j2
View file

@ -64,8 +64,8 @@ COMMIT
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
# Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }}
-A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT
# Allow new traffic to port 22 (SSH)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Allow new traffic to port {{ ansible_ssh_port }} (SSH)
-A INPUT -p tcp --dport {{ ansible_ssh_port }} -m conntrack --ctstate NEW -j ACCEPT
{% if ipsec_enabled %}
# Allow any traffic from the IPsec VPN

4
roles/common/templates/rules.v6.j2
View file

@ -70,8 +70,8 @@ COMMIT
-A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
# Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }}
-A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT
# Allow new traffic to port 22 (SSH)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Allow new traffic to port {{ ansible_ssh_port }} (SSH)
-A INPUT -p tcp --dport {{ ansible_ssh_port }} -m conntrack --ctstate NEW -j ACCEPT
# Accept properly formatted Neighbor Discovery Protocol packets
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT

32
server.yml
View file

@ -7,6 +7,37 @@
- config.cfg
tasks:
- block:
- name: Wait until the cloud-init completed
wait_for:
path: /var/lib/cloud/data/result.json
delay: 10
timeout: 600
state: present
become: false
when: cloudinit
- block:
- name: Ensure the config directory exists
file:
dest: "configs/{{ IP_subject_alt_name }}"
state: directory
mode: "0700"
- name: Dump the ssh config
copy:
dest: "configs/{{ IP_subject_alt_name }}/ssh_config"
mode: "0600"
content: |
Host {{ IP_subject_alt_name }} algo
HostName {{ IP_subject_alt_name }}
User {{ ansible_ssh_user }}
Port {{ ansible_ssh_port }}
IdentityFile {{ SSH_keys.private }}
KeepAlive yes
ServerAliveInterval 30
become: false
delegate_to: localhost
- import_role:
name: common
tags: common
@ -40,6 +71,7 @@
content: |
server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }}
server_user: {{ ansible_ssh_user }}
ansible_ssh_port: "{{ ansible_ssh_port|default(22) }}"
{% if algo_provider != "local" %}
ansible_ssh_private_key_file: {{ SSH_keys.private }}
{% endif %}

2
tests/ssh-tunnel.sh
View file

@ -6,7 +6,7 @@ PASS=$(grep ^p12_password: configs/10.0.8.100/.config.yml | awk '{print $2}')
ssh-keygen -p -P ${PASS} -N '' -f configs/10.0.8.100/ssh-tunnel/desktop.pem
ssh -o StrictHostKeyChecking=no -D 127.0.0.1:1080 -f -q -C -N desktop@10.0.8.100 -i configs/10.0.8.100/ssh-tunnel/desktop.pem
ssh -o StrictHostKeyChecking=no -D 127.0.0.1:1080 -f -q -C -N desktop@10.0.8.100 -i configs/10.0.8.100/ssh-tunnel/desktop.pem -F configs/10.0.8.100/ssh_config
git config --global http.proxy 'socks5://127.0.0.1:1080'