wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-06 15:13:56 +02:00
Code Issues Projects Releases Wiki Activity

Merge branch 'tags' #80

Browse source
This commit is contained in:
Jack Ivanov 2016-09-19 20:22:51 +03:00
commit dbeb7a13e8
25 changed files with 413 additions and 495 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

81
ADVANCED.md Normal file
View file

@ -0,0 +1,81 @@
### Cloud Providers
**digitalocean**
*Requirement variables:*
- do_access_token
- do_ssh_name
- do_server_name
- do_region
*Possible regions:*
- ams2
- ams3
- fra1
- lon1
- nyc1
- nyc2
- nyc3
- sfo1
- sfo2
- sgp1
- tor1
- blr1
**gce**
*Requirement variables:*
- credentials_file
- server_name
- ssh_public_key
- zone
*Possible zones:*
- us-central1-a
- us-central1-b
- us-central1-c
- us-central1-f
- us-east1-b
- us-east1-c
- us-east1-d
- europe-west1-b
- europe-west1-c
- europe-west1-d
- asia-east1-a
- asia-east1-b
- asia-east1-c
**ec2**
*Requirement variables:*
- aws_access_key
- aws_secret_key
- aws_server_name
- ssh_public_key
- region
*Possible regions:*
- us-east-1
- us-west-1
- us-west-2
- ap-south-1
- ap-northeast-2
- ap-southeast-1
- ap-southeast-2
- ap-northeast-1
- eu-central-1
- eu-west-1
- sa-east-1
**local installation**
*Requirement variables:*
- server_ip
- server_user
- IP_subject
### Deployment
Start the deploy with extra variables and tags that you need.
Example for DigitalOcean:
```
ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=secret_token_abc do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2'
```

14
README.md
View file

@ -73,6 +73,20 @@ Ansible scripts are organized into roles. The roles used by Algo are described i
* SHell or BASH
* libselinux-python (for RedHat based distros)
### Roles and Tags
**Cloud roles:**
- role: cloud-digitalocean, tags: digitalocean
- role: cloud-ec2, tags: ec2
- role: cloud-gce, tags: gce
**Server roles:**
- role: vpn, tags: vpn
- role: dns_adblocking, tags: dns, adblock
- role: proxy, tags: proxy, adblock
- role: logging, tags: logging
- role: security, tags: security
- role: ssh_tunneling, tags: ssh_tunneling
### Cloud Deployment
To install the dependencies on OS X or Linux:

185
algo
View file

@ -2,6 +2,180 @@
set -e
digitalocean () {
read -p "
Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):
: " -rs do_access_token
read -p "
Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):
: " -r do_ssh_name
read -p "
Name the vpn server:
[algo.local]: " -r do_server_name
do_server_name=${do_server_name:-algo.local}
read -p "
What region should the server be located in?
1. Amsterdam (Datacenter 2)
2. Amsterdam (Datacenter 3)
3. Frankfurt
4. London
5. New York (Datacenter 1)
6. New York (Datacenter 2)
7. New York (Datacenter 3)
8. San Francisco (Datacenter 1)
9. San Francisco (Datacenter 2)
10. Singapore
11. Toronto
12. Bangalore
Enter the number of your desired region:
[7]: " -r region
region=${region:-7}
case "$region" in
1) do_region="ams2" ;;
2) do_region="ams3" ;;
3) do_region="fra1" ;;
4) do_region="lon1" ;;
5) do_region="nyc1" ;;
6) do_region="nyc2" ;;
7) do_region="nyc3" ;;
8) do_region="sfo1" ;;
9) do_region="sfo2" ;;
10) do_region="sgp1" ;;
11) do_region="tor1" ;;
12) do_region="blr1" ;;
esac
ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region"
}
ec2 () {
read -p "
Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):
: " -rs aws_access_key
read -p "
Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):
: " -rs aws_secret_key
read -p "
Enter the local path to your SSH public key:
: " -r ssh_public_key
read -p "
Name the vpn server:
[algo]: " -r aws_server_name
aws_server_name=${aws_server_name:-algo}
read -p "
What region should the server be located in?
1. us-east-1 US East (N. Virginia)
2. us-west-1 US West (N. California)
3. us-west-2 US West (Oregon)
4. ap-south-1 Asia Pacific (Mumbai)
5. ap-northeast-2 Asia Pacific (Seoul)
6. ap-southeast-1 Asia Pacific (Singapore)
7. ap-southeast-2 Asia Pacific (Sydney)
8. ap-northeast-1 Asia Pacific (Tokyo)
9. eu-central-1 EU (Frankfurt)
10. eu-west-1 EU (Ireland)
11. sa-east-1 South America (São Paulo)
Enter the number of your desired region:
[1]: " -r aws_region
aws_region=${aws_region:-1}
case "$aws_region" in
1) region="us-east-1" ;;
2) region="us-west-1" ;;
3) region="us-west-2" ;;
4) region="ap-south-1" ;;
5) region="ap-northeast-2" ;;
6) region="ap-southeast-1" ;;
7) region="ap-southeast-2" ;;
8) region="ap-northeast-1" ;;
9) region="eu-central-1" ;;
10) region="eu-west-1" ;;
11) region="sa-east-1" ;;
esac
ansible-playbook deploy.yml -t ec2,vpn -e "aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region"
}
gce () {
read -p "
Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):
: " -r credentials_file
read -p "
Enter the local path to your SSH public key:
: " -r ssh_public_key
read -p "
Name the vpn server:
[algo]: " -r server_name
server_name=${server_name:-algo}
read -p "
What zone should the server be located in?
1. Central US (Iowa A)
2. Central US (Iowa B)
3. Central US (Iowa C)
4. Central US (Iowa F)
5. Eastern US (South Carolina B)
6. Eastern US (South Carolina C)
7. Eastern US (South Carolina D)
8. Western Europe (Belgium B)
9. Western Europe (Belgium C)
10. Western Europe (Belgium D)
11. East Asia (Taiwan A)
12. East Asia (Taiwan B)
13. East Asia (Taiwan C)
Please choose the number of your zone. Press enter for default (#8) zone.
[8]: " -r region
region=${region:-8}
case "$region" in
1) zone="us-central1-a" ;;
2) zone="us-central1-b" ;;
3) zone="us-central1-c" ;;
4) zone="us-central1-f" ;;
5) zone="us-east1-b" ;;
6) zone="us-east1-c" ;;
7) zone="us-east1-d" ;;
8) zone="europe-west1-b" ;;
9) zone="europe-west1-c" ;;
10) zone="europe-west1-d" ;;
11) zone="asia-east1-a" ;;
12) zone="asia-east1-b" ;;
13) zone="asia-east1-c" ;;
esac
ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone"
}
non_cloud () {
read -p "
Enter IP address of your server: (use localhost for local installation)
: " -r server_ip
read -p "
What user should we use to login on the server? (ignore if you're deploying to localhost)
[root]: " -r server_user
server_user=${server_user:-root}
read -p "
Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
: " -r IP_subject
ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject=$IP_subject"
}
algo_provisioning () {
echo -n "
What provider would you like to use?
@ -16,14 +190,13 @@ Enter the number of your desired provider
read -r N
case "$N" in
1) CLOUD="digitalocean" ;;
2) CLOUD="ec2" ;;
3) CLOUD="gce" ;;
4) CLOUD="non-cloud" ;;
1) digitalocean; ;;
2) ec2; ;;
3) gce; ;;
4) non_cloud; ;;
*) exit 1 ;;
esac
ansible-playbook "${CLOUD}.yml"
}
user_management () {

2
config.cfg
View file

@ -13,6 +13,8 @@ auditd_action_mail_acct: email@example.com
easyrsa_dir: /opt/easy-rsa-ipsec
easyrsa_ca_expire: 3650
easyrsa_cert_expire: 3650
easyrsa_p12_export_password: vpnpws
# If True re-init all existing certificates. (True or False)
easyrsa_reinit_existent: False

41
deploy.yml Normal file
View file

@ -0,0 +1,41 @@
- name: Configure the server and install required software
hosts: localhost
tags: algo
vars_files:
- config.cfg
roles:
- { role: cloud-digitalocean, tags: ['digitalocean'] }
- { role: cloud-ec2, tags: ['ec2'] }
- { role: cloud-gce, tags: ['gce'] }
- { role: local, tags: ['local'] }
- name: Post-provisioning tasks
hosts: vpn-host
gather_facts: false
tags: algo
become: true
vars_files:
- config.cfg
pre_tasks:
- name: Common pre-tasks
include: playbooks/common.yml
tags: [ 'digitalocean', 'ec2', 'gce', 'pre' ]
- name: DigitalOcean pre-tasks
include: playbooks/digitalocean.yml
tags: [ 'digitalocean' ]
roles:
- { role: security, tags: [ 'security' ] }
- { role: proxy, tags: [ 'proxy', 'adblock' ] }
- { role: dns_adblocking, tags: ['dns', 'adblock' ] }
- { role: logging, tags: [ 'logging' ] }
- { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] }
- { role: vpn, tags: [ 'vpn' ] }
handlers:
- name: reload eth0
shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'

147
digitalocean.yml
View file

@ -1,147 +0,0 @@
# vim:ft=ansible:
- name: Configure the server and install required software
hosts: localhost
vars:
regions:
"1": "ams2"
"2": "ams3"
"3": "fra1"
"4": "lon1"
"5": "nyc1"
"6": "nyc2"
"7": "nyc3"
"8": "sfo1"
"9": "sfo2"
"10": "sgp1"
"11": "tor1"
"12": "blr1"
vars_prompt:
- name: "do_access_token"
prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n"
private: yes
- name: "do_ssh_name"
prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n"
private: no
- name: "do_region"
prompt: >
What region should the server be located in?
1. Amsterdam (Datacenter 2)
2. Amsterdam (Datacenter 3)
3. Frankfurt
4. London
5. New York (Datacenter 1)
6. New York (Datacenter 2)
7. New York (Datacenter 3)
8. San Francisco (Datacenter 1)
9. San Francisco (Datacenter 2)
10. Singapore
11. Toronto
12. Bangalore
Enter the number of your desired region:
default: "7"
private: no
- name: "do_server_name"
prompt: "Name the vpn server:\n"
default: "algo.local"
private: no
- name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "y"
private: no
- name: "proxy_enabled"
prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "y"
private: no
- name: "auditd_enabled"
prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "y"
private: no
- name: "ssh_tunneling_enabled"
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "y"
private: no
- name: "security_enabled"
prompt: "Do you want to enable the security role? (y/n):\n"
default: "y"
private: no
- name: "easyrsa_p12_export_password"
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
default: "vpnpw"
private: yes
roles:
- cloud-digitalocean
- name: Post-provisioning tasks
hosts: vpn-host
gather_facts: false
become: true
vars_files:
- config.cfg
pre_tasks:
- name: Install prerequisites
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
- name: Enable IPv6 on the droplet
uri:
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
method: POST
body:
type: enable_ipv6
body_format: json
status_code: 201
HEADER_Authorization: "Bearer {{ do_access_token }}"
HEADER_Content-Type: "application/json"
- name: Get Droplet networks
uri:
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
method: GET
status_code: 200
HEADER_Authorization: "Bearer {{ do_access_token }}"
HEADER_Content-Type: "application/json"
register: droplet_info
- name: IPv6 configured
template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
notify:
- reload eth0
- name: IPv6 included into the network config
lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present
notify:
- reload eth0
- meta: flush_handlers
- name: Wait for SSH to become available
local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320"
become: false
roles:
- common
- { role: security, when: security_enabled is defined and security_enabled == "y" }
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
- vpn
handlers:
- name: reload eth0
shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'

112
ec2.yml
View file

@ -1,112 +0,0 @@
# vim:ft=ansible:
- name: Create a sandbox instance
hosts: localhost
gather_facts: False
vars_files:
- config.cfg
vars:
instance_type: t2.nano
security_group: vpn-secgroup
regions:
"1": "us-east-1"
"2": "us-west-1"
"3": "us-west-2"
"4": "ap-south-1"
"5": "ap-northeast-2"
"6": "ap-southeast-1"
"7": "ap-southeast-2"
"8": "ap-northeast-1"
"9": "eu-central-1"
"10": "eu-west-1"
"11": "sa-east-1"
vars_prompt:
- name: "aws_access_key"
prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
private: yes
- name: "aws_secret_key"
prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
private: yes
- name: "region"
prompt: >
What region should the server be located in?
1. us-east-1 US East (N. Virginia)
2. us-west-1 US West (N. California)
3. us-west-2 US West (Oregon)
4. ap-south-1 Asia Pacific (Mumbai)
5. ap-northeast-2 Asia Pacific (Seoul)
6. ap-southeast-1 Asia Pacific (Singapore)
7. ap-southeast-2 Asia Pacific (Sydney)
8. ap-northeast-1 Asia Pacific (Tokyo)
9. eu-central-1 EU (Frankfurt)
10. eu-west-1 EU (Ireland)
11. sa-east-1 South America (São Paulo)
default: "1"
private: no
- name: "aws_server_name"
prompt: "Name the vpn server:\n"
default: "algo.local"
private: no
- name: "ssh_public_key"
prompt: "Enter the local path to your SSH public key:\n"
default: "~/.ssh/id_rsa.pub"
private: no
- name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "y"
private: no
- name: "proxy_enabled"
prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "y"
private: no
- name: "auditd_enabled"
prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "y"
private: no
- name: "ssh_tunneling_enabled"
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "y"
private: no
- name: "security_enabled"
prompt: "Do you want to enable the security role? (y/n):\n"
default: "y"
private: no
- name: "easyrsa_p12_export_password"
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
default: "vpnpw"
private: yes
roles:
- cloud-ec2
- name: Post-provisioning tasks
hosts: vpn-host
gather_facts: false
become: true
vars_files:
- config.cfg
pre_tasks:
- name: Install prerequisites
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
roles:
- common
- { role: security, when: security_enabled is defined and security_enabled == "y" }
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
- vpn

110
gce.yml
View file

@ -1,110 +0,0 @@
# vim:ft=ansible:
- name: Configure the server and install required software
hosts: localhost
gather_facts: false
vars:
zones:
"1": "us-central1-a"
"2": "us-central1-b"
"3": "us-central1-c"
"4": "us-central1-f"
"5": "us-east1-b"
"6": "us-east1-c"
"7": "us-east1-d"
"8": "europe-west1-b"
"9": "europe-west1-c"
"10": "europe-west1-d"
"11": "asia-east1-a"
"12": "asia-east1-b"
"13": "asia-east1-c"
vars_prompt:
- name: "credentials_file"
prompt: "Enter the local path to your credentials JSON file [ex: ~/gogle_cloud.json] (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):\n"
private: no
- name: "ssh_public_key"
prompt: "Enter the local path to your SSH public key:\n"
default: "~/.ssh/id_rsa.pub"
private: no
- name: "zone"
prompt: >
What zone should the server be located in?
1. Central US (Iowa A)
2. Central US (Iowa B)
3. Central US (Iowa C)
4. Central US (Iowa F)
5. Eastern US (South Carolina B)
6. Eastern US (South Carolina C)
7. Eastern US (South Carolina D)
8. Western Europe (Belgium B)
9. Western Europe (Belgium C)
10. Western Europe (Belgium D)
11. East Asia (Taiwan A)
12. East Asia (Taiwan B)
13. East Asia (Taiwan C)
Please choose the number of your zone. Press enter for default (#8) zone.
default: "8"
private: no
- name: "server_name"
prompt: "Name the vpn server:\n"
default: "algo"
private: no
- name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "y"
private: no
- name: "proxy_enabled"
prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "y"
private: no
- name: "auditd_enabled"
prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "y"
private: no
- name: "ssh_tunneling_enabled"
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "y"
private: no
- name: "security_enabled"
prompt: "Do you want to enable the security role? (y/n):\n"
default: "y"
private: no
- name: "easyrsa_p12_export_password"
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
default: "vpnpw"
private: yes
roles:
- cloud-gce
- name: Post-provisioning tasks
hosts: vpn-host
gather_facts: false
become: true
vars_files:
- config.cfg
pre_tasks:
- name: Install prerequisites
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
roles:
- common
- { role: security, when: security_enabled is defined and security_enabled == "y" }
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
- vpn

89
non-cloud.yml
View file

@ -1,89 +0,0 @@
# vim:ft=ansible:
- hosts: localhost
gather_facts: False
vars_files:
- config.cfg
vars_prompt:
- name: "server_ip"
prompt: "Enter IP address of your server: (use localhost for local installation)\n"
default: localhost
private: no
- name: "server_user"
prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n"
default: "root"
private: no
- name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "y"
private: no
- name: "proxy_enabled"
prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "y"
private: no
- name: "auditd_enabled"
prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "y"
private: no
- name: "ssh_tunneling_enabled"
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "y"
private: no
- name: "security_enabled"
prompt: "Do you want to enable the security role? (y/n):\n"
default: "y"
private: no
- name: "easyrsa_p12_export_password"
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
default: "vpnpw"
private: yes
- name: "IP_subject"
prompt: "Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
private: no
tasks:
- name: Add the server to the vpn-host group
add_host:
hostname: "{{ server_ip }}"
groupname: vpn-host
ansible_ssh_user: "{{ server_user }}"
ansible_python_interpreter: "/usr/bin/python2.7"
dns_enabled: "{{ dns_enabled }}"
proxy_enabled: "{{ proxy_enabled }}"
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
security_enabled: "{{ security_enabled }}"
auditd_enabled: " {{ auditd_enabled }}"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
IP_subject: "{{ IP_subject }}"
- name: Post-provisioning tasks
hosts: vpn-host
gather_facts: false
become: true
vars_files:
- config.cfg
pre_tasks:
- name: Install prerequisites
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
- set_fact:
IP_subject_alt_name: "{{ IP_subject }}"
roles:
- common
- { role: security, when: security_enabled is defined and security_enabled == "y" }
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
- vpn

5
playbooks/common.yml Normal file
View file

@ -0,0 +1,5 @@
- name: Install prerequisites
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1

36
playbooks/digitalocean.yml Normal file
View file

@ -0,0 +1,36 @@
- name: Enable IPv6 on the droplet
uri:
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
method: POST
body:
type: enable_ipv6
body_format: json
status_code: 201
HEADER_Authorization: "Bearer {{ do_access_token }}"
HEADER_Content-Type: "application/json"
- name: Get Droplet networks
uri:
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
method: GET
status_code: 200
HEADER_Authorization: "Bearer {{ do_access_token }}"
HEADER_Content-Type: "application/json"
register: droplet_info
- name: IPv6 configured
template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
notify:
- reload eth0
- name: IPv6 included into the network config
lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present
notify:
- reload eth0
- meta: flush_handlers
- name: Wait for SSH to become available
local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320"
become: false

9
roles/cloud-digitalocean/tasks/main.yml
View file

@ -1,6 +1,6 @@
- name: Set the DigitalOcean Access Token fact
set_fact:
do_token: "{{ do_access_token | default( lookup('env', 'DIGITALOCEAN_API_KEY') ) }}"
do_token: "{{ do_access_token }}"
- name: "Getting your SSH key ID on Digital Ocean..."
digital_ocean:
@ -15,7 +15,7 @@
state: present
command: droplet
name: "{{ do_server_name }}"
region_id: "{{ regions[do_region] }}"
region_id: "{{ do_region }}"
size_id: "512mb"
image_id: "ubuntu-16-04-x64"
ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}"
@ -31,11 +31,6 @@
ansible_python_interpreter: "/usr/bin/python2.7"
do_access_token: "{{ do_access_token }}"
do_droplet_id: "{{ do.droplet.id }}"
dns_enabled: "{{ dns_enabled }}"
proxy_enabled: "{{ proxy_enabled }}"
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
security_enabled: "{{ security_enabled }}"
auditd_enabled: " {{ auditd_enabled }}"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
cloud_provider: digitalocean
ipv6_support: yes

19
roles/cloud-ec2/tasks/main.yml
View file

@ -7,7 +7,7 @@
sort: name
sort_order: descending
sort_end: 1
region: "{{ regions[region] }}"
region: "{{ region }}"
register: ami_search
- set_fact:
@ -18,7 +18,7 @@
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
name: VPNKEY
region: "{{ regions[region] }}"
region: "{{ region }}"
key_material: "{{ item }}"
with_file: "{{ ssh_public_key }}"
register: keypair
@ -27,9 +27,9 @@
ec2_group:
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
name: "{{ security_group }}"
name: vpn-secgroup
description: Security group for VPN servers
region: "{{ regions[region] }}"
region: "{{ region }}"
rules:
- proto: udp
from_port: 4500
@ -54,11 +54,11 @@
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
keypair: "VPNKEY"
group: "{{ security_group }}"
instance_type: "{{ instance_type }}"
group: vpn-secgroup
instance_type: t2.nano
image: "{{ ami_image }}"
wait: true
region: "{{ regions[region] }}"
region: "{{ region }}"
instance_tags:
name: "{{ aws_server_name }}"
register: ec2
@ -69,11 +69,6 @@
groupname: vpn-host
ansible_ssh_user: ubuntu
ansible_python_interpreter: "/usr/bin/python2.7"
dns_enabled: "{{ dns_enabled }}"
proxy_enabled: "{{ proxy_enabled }}"
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
security_enabled: "{{ security_enabled }}"
auditd_enabled: " {{ auditd_enabled }}"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
cloud_provider: ec2
ipv6_support: no

9
roles/cloud-gce/tasks/main.yml
View file

@ -5,7 +5,7 @@
- name: "Creating a new instance..."
gce:
instance_names: "{{ server_name }}"
zone: "{{ zones[zone] }}"
zone: "{{ zone }}"
machine_type: n1-standard-1
image: ubuntu-1604
service_account_email: "{{ credentials_file_lookup.client_email }}"
@ -16,15 +16,10 @@
- name: Add the instance to an inventory group
add_host:
name: "{{ google_vm.instance_data[0].public_ip}}"
name: "{{ google_vm.instance_data[0].public_ip }}"
groups: vpn-host
ansible_ssh_user: ubuntu
ansible_python_interpreter: "/usr/bin/python2.7"
dns_enabled: "{{ dns_enabled }}"
proxy_enabled: "{{ proxy_enabled }}"
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
auditd_enabled: " {{ auditd_enabled }}"
security_enabled: "{{ security_enabled }}"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
cloud_provider: gce
ipv6_support: no

4
roles/dns_adblocking/meta/main.yml Normal file
View file

@ -0,0 +1,4 @@
---
dependencies:
- { role: common }

0
roles/local/handlers/main.yml Normal file
View file

12
roles/local/tasks/main.yml Normal file
View file

@ -0,0 +1,12 @@
- name: Add the instance to an inventory group
add_host:
name: "{{ server_ip }}"
groups: vpn-host
ansible_ssh_user: "{{ server_user }}"
ansible_python_interpreter: "/usr/bin/python2.7"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
cloud_provider: local
- name: Waiting for SSH to become available
local_action: "wait_for port=22 host={{ server_ip }} timeout=320"
when: server_ip != "localhost"

4
roles/logging/meta/main.yml Normal file
View file

@ -0,0 +1,4 @@
---
dependencies:
- { role: common }

4
roles/logging/tasks/main.yml
View file

@ -15,7 +15,7 @@
- name: Enable services
service: name=auditd enabled=yes
# Rsyslog
- name: Rsyslog installed
@ -32,4 +32,4 @@
- restart rsyslog
- name: Enable services
service: name=rsyslog enabled=yes
service: name=rsyslog enabled=yes

4
roles/proxy/meta/main.yml Normal file
View file

@ -0,0 +1,4 @@
---
dependencies:
- { role: common }

4
roles/security/meta/main.yml Normal file
View file

@ -0,0 +1,4 @@
---
dependencies:
- { role: common }

5
roles/security/tasks/main.yml
View file

@ -2,14 +2,13 @@
apt: name="{{ item }}" state=latest
with_items:
- unattended-upgrades
- name: Configure unattended-upgrades
template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644
- name: Periodic upgrades configured
template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644
template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644
# Using a two-pass approach for checking directories in order to support symlinks.
- name: Find directories for minimizing access
stat:
path: "{{ item }}"

4
roles/ssh_tunneling/meta/main.yml Normal file
View file

@ -0,0 +1,4 @@
---
dependencies:
- { role: common }

3
roles/vpn/handlers/main.yml
View file

@ -10,6 +10,9 @@
- name: save iptables
shell: service netfilter-persistent save
- name: save iptables
shell: service netfilter-persistent save
- name: congrats
debug:
msg:

5
roles/vpn/meta/main.yml Normal file
View file

@ -0,0 +1,5 @@
---
dependencies:
- { role: common }