From 97a00699b7d8b47c783bc86d177ec22cec711e41 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 28 Aug 2016 23:04:59 +0300 Subject: [PATCH 01/16] new tags --- config.cfg | 2 + deploy.yml | 39 +++++++ digitalocean.yml | 147 ------------------------ playbooks/common.yml | 5 + playbooks/digitalocean.yml | 114 ++++++++++++++++++ roles/cloud-digitalocean/tasks/main.yml | 7 +- roles/security/tasks/main.yml | 1 - 7 files changed, 161 insertions(+), 154 deletions(-) create mode 100644 deploy.yml delete mode 100644 digitalocean.yml create mode 100644 playbooks/common.yml create mode 100644 playbooks/digitalocean.yml diff --git a/config.cfg b/config.cfg index c8178b5..cd827f3 100644 --- a/config.cfg +++ b/config.cfg @@ -13,6 +13,8 @@ auditd_action_mail_acct: email@example.com easyrsa_dir: /opt/easy-rsa-ipsec easyrsa_ca_expire: 3650 easyrsa_cert_expire: 3650 +easyrsa_p12_export_password: vpnpws + # If True re-init all existing certificates. (True or False) easyrsa_reinit_existent: False diff --git a/deploy.yml b/deploy.yml new file mode 100644 index 0000000..d69ed68 --- /dev/null +++ b/deploy.yml 
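Review bot: `easyrsa_p12_export_password: vpnpws`, added to config.cfg, turns what the deleted digitalocean.yml collected through a `private: yes` prompt ("Enter a password for p12 certificates and SSH private keys") into a fixed, version-controlled default, so any deployment that does not edit this line protects its exported client keys with a password that is public in this repository. If a default has to live here, mark it as a placeholder that must be changed, e.g. `# Change before deploying: protects the exported .p12 client certificates and SSH private keys` above the key, and have the deploy refuse the unchanged value with an `assert` task (`that: easyrsa_p12_export_password != 'vpnpws'`). The removed prompt also stated a minimum of five characters, and nothing in this patch enforces a minimum any more.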
@@ -0,0 +1,39 @@ +- name: Configure the server and install required software + hosts: localhost + vars_files: + - config.cfg + + roles: + - { role: cloud-digitalocean, tags: ['digitalocean'] } + - { role: cloud-ec2, tags: ['ec2'] } + - { role: cloud-gce, tags: ['gce'] } + +- name: Post-provisioning tasks + hosts: vpn-host + gather_facts: false + become: true + vars_files: + - config.cfg + + pre_tasks: + - name: Common pre-tasks + include: playbooks/common.yml + tags: [ 'digitalocean', 'ec2', 'gce' ] + + - name: DigitalOcean pre-tasks + include: playbooks/digitalocean.yml + tags: [ 'digitalocean', 'ec2', 'gce' ] + + roles: + - { role: common, tags: [ 'vpn' ] } + - { role: security, tags: [ 'security' ] } + - { role: proxy, tags: [ 'proxy', 'adblock' ] } + - { role: dns_adblocking, tags: ['dns', 'adblock' ] } + - { role: logging, tags: [ 'logging' ] } + - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] } + - { role: vpn, tags: [ 'vpn' ] } + + + handlers: + - name: reload eth0 + shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' \ No newline at end of file diff --git a/digitalocean.yml b/digitalocean.yml deleted file mode 100644 index fad6b34..0000000 --- a/digitalocean.yml +++ /dev/null 
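Review bot: The roles block of the Post-provisioning play makes `security`, `logging`, `ssh_tunneling`, `proxy` and `dns_adblocking` run only when their tag is explicitly selected, whereas the deleted digitalocean.yml enabled the security and auditd logging roles by default (prompt default "y"), so a run such as `-t digitalocean,vpn` now silently skips hardening and audit logging. If that is intended it deserves a comment on the play, e.g. `# Server roles are opt-in by tag; pass -t security,logging to get the hardening and auditd roles`; otherwise give those two roles the `vpn` tag as well, `- { role: security, tags: [ 'security', 'vpn' ] }`. Separately, the `DigitalOcean pre-tasks` include carries `'ec2'` and `'gce'` too, so an EC2 or GCE run would execute the DigitalOcean API tasks, which reference `do_droplet_id` and `do_access_token`; presumably it should be tagged `[ 'digitalocean' ]` only.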
@@ -1,147 +0,0 @@ -# vim:ft=ansible: -- name: Configure the server and install required software - hosts: localhost - - vars: - regions: - "1": "ams2" - "2": "ams3" - "3": "fra1" - "4": "lon1" - "5": "nyc1" - "6": "nyc2" - "7": "nyc3" - "8": "sfo1" - "9": "sfo2" - "10": "sgp1" - "11": "tor1" - "12": "blr1" - - vars_prompt: - - name: "do_access_token" - prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n" - private: yes - - - name: "do_ssh_name" - prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n" - private: no - - - name: "do_region" - prompt: > - What region should the server be located in? - 1. Amsterdam (Datacenter 2) - 2. Amsterdam (Datacenter 3) - 3. Frankfurt - 4. London - 5. New York (Datacenter 1) - 6. New York (Datacenter 2) - 7. New York (Datacenter 3) - 8. San Francisco (Datacenter 1) - 9. San Francisco (Datacenter 2) - 10. Singapore - 11. Toronto - 12. Bangalore - Enter the number of your desired region: - default: "7" - private: no - - - name: "do_server_name" - prompt: "Name the vpn server:\n" - default: "algo.local" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? 
(y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - roles: - - cloud-digitalocean - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - - name: Enable IPv6 on the droplet - uri: - url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions" - method: POST - body: - type: enable_ipv6 - body_format: json - status_code: 201 - HEADER_Authorization: "Bearer {{ do_access_token }}" - HEADER_Content-Type: "application/json" - - - name: Get Droplet networks - uri: - url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}" - method: GET - status_code: 200 - HEADER_Authorization: "Bearer {{ do_access_token }}" - HEADER_Content-Type: "application/json" - register: droplet_info - - - name: IPv6 configured - template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644 - with_items: "{{ droplet_info.json.droplet.networks.v6 }}" - notify: - - reload eth0 - - - name: IPv6 included into the network config - lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present - notify: - - reload eth0 - - - meta: flush_handlers - - - name: Wait for SSH to become available - local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320" - become: false - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking, when: 
dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn - - handlers: - - name: reload eth0 - shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' diff --git a/playbooks/common.yml b/playbooks/common.yml new file mode 100644 index 0000000..1cf5283 --- /dev/null +++ b/playbooks/common.yml @@ -0,0 +1,5 @@ +- name: Install prerequisites + raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 + +- name: Configure defaults + raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 diff --git a/playbooks/digitalocean.yml b/playbooks/digitalocean.yml new file mode 100644 index 0000000..8973447 --- /dev/null +++ b/playbooks/digitalocean.yml 
@@ -0,0 +1,114 @@ + #vars: + #regions: + #"1": "ams2" + #"2": "ams3" + #"3": "fra1" + #"4": "lon1" + #"5": "nyc1" + #"6": "nyc2" + #"7": "nyc3" + #"8": "sfo1" + #"9": "sfo2" + #"10": "sgp1" + #"11": "tor1" + #"12": "blr1" + + #vars_prompt: + #- name: "do_access_token" + #prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n" + #private: yes + + #- name: "do_ssh_name" + #prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n" + #private: no + + #- name: "do_region" + #prompt: > + #What region should the server be located in? + #1. Amsterdam (Datacenter 2) + #2. Amsterdam (Datacenter 3) + #3. Frankfurt + #4. London + #5. New York (Datacenter 1) + #6. New York (Datacenter 2) + #7. New York (Datacenter 3) + #8. San Francisco (Datacenter 1) + #9. San Francisco (Datacenter 2) + #10. Singapore + #11. Toronto + #12. Bangalore + #Enter the number of your desired region: + #default: "7" + #private: no + + #- name: "do_server_name" + #prompt: "Name the vpn server:\n" + #default: "algo.local" + #private: no + + #- name: "dns_enabled" + #prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" + #default: "y" + #private: no + + #- name: "proxy_enabled" + #prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" + #default: "y" + #private: no + + #- name: "auditd_enabled" + #prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" + #default: "y" + #private: no + + #- name: "ssh_tunneling_enabled" + #prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" + #default: "y" + #private: no + + #- name: "security_enabled" + #prompt: "Do you want to enable the security role? 
(y/n):\n" + #default: "y" + #private: no + + #- name: "easyrsa_p12_export_password" + #prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" + #default: "vpnpw" + #private: yes + +- name: Enable IPv6 on the droplet + uri: + url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions" + method: POST + body: + type: enable_ipv6 + body_format: json + status_code: 201 + HEADER_Authorization: "Bearer {{ do_access_token }}" + HEADER_Content-Type: "application/json" + +- name: Get Droplet networks + uri: + url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}" + method: GET + status_code: 200 + HEADER_Authorization: "Bearer {{ do_access_token }}" + HEADER_Content-Type: "application/json" + register: droplet_info + +- name: IPv6 configured + template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644 + with_items: "{{ droplet_info.json.droplet.networks.v6 }}" + notify: + - reload eth0 + +- name: IPv6 included into the network config + lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present + notify: + - reload eth0 + +- meta: flush_handlers + +- name: Wait for SSH to become available + local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320" + become: false \ No newline at end of file diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml index ca8d7de..06bfba1 100644 --- a/roles/cloud-digitalocean/tasks/main.yml +++ b/roles/cloud-digitalocean/tasks/main.yml @@ -15,7 +15,7 @@ state: present command: droplet name: "{{ do_server_name }}" - region_id: "{{ regions[do_region] }}" + region_id: "{{ do_region }}" size_id: "512mb" image_id: "ubuntu-16-04-x64" ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}" 
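Review bot: The first ~75 lines of the new playbooks/digitalocean.yml are the old `vars`/`vars_prompt` block carried over as `#` comments, including `#default: "vpnpw"` for the p12 export password and prompts that no longer exist, so the file opens with dead configuration that will drift from the real variable sources (`-e` extra vars and config.cfg). Delete that block and replace it with a short header stating what the file expects, e.g. `# DigitalOcean post-provisioning tasks; expects do_droplet_id and do_access_token as host vars set by roles/cloud-digitalocean/tasks/main.yml`. The two `uri` tasks send `HEADER_Authorization: "Bearer {{ do_access_token }}"`, and module arguments including that header can appear in verbose (`-v`) output, so both tasks should carry `no_log: true`.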
@@ -31,11 +31,6 @@ ansible_python_interpreter: "/usr/bin/python2.7" do_access_token: "{{ do_access_token }}" do_droplet_id: "{{ do.droplet.id }}" - dns_enabled: "{{ dns_enabled }}" - proxy_enabled: "{{ proxy_enabled }}" - ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" - security_enabled: "{{ security_enabled }}" - auditd_enabled: " {{ auditd_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: digitalocean ipv6_support: yes diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml index 7046e2c..6ad36c5 100644 --- a/roles/security/tasks/main.yml +++ b/roles/security/tasks/main.yml @@ -9,7 +9,6 @@ - name: Periodic upgrades configured template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644 -# Using a two-pass approach for checking directories in order to support symlinks. - name: Find directories for minimizing access stat: path: "{{ item }}" From 91688324ce8804eb253bc47b3e27e8e8f1ae5ee1 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 28 Aug 2016 23:19:41 +0300 Subject: [PATCH 02/16] additional functions --- deploy.yml | 1 - roles/cloud-ec2/tasks/main.yml | 5 ----- roles/cloud-gce/tasks/main.yml | 5 ----- roles/dns_adblocking/meta/main.yml | 4 ++++ roles/logging/meta/main.yml | 4 ++++ roles/proxy/meta/main.yml | 4 ++++ roles/security/meta/main.yml | 4 ++++ roles/ssh_tunneling/meta/main.yml | 4 ++++ roles/vpn/handlers/main.yml | 3 +++ roles/vpn/meta/main.yml | 4 ++++ 10 files changed, 27 insertions(+), 11 deletions(-) create mode 100644 roles/dns_adblocking/meta/main.yml create mode 100644 roles/logging/meta/main.yml create mode 100644 roles/proxy/meta/main.yml create mode 100644 roles/security/meta/main.yml create mode 100644 roles/ssh_tunneling/meta/main.yml create mode 100644 roles/vpn/meta/main.yml diff --git a/deploy.yml b/deploy.yml index d69ed68..e6bcc9d 100644 --- a/deploy.yml +++ b/deploy.yml 
@@ -25,7 +25,6 @@ tags: [ 'digitalocean', 'ec2', 'gce' ] roles: - - { role: common, tags: [ 'vpn' ] } - { role: security, tags: [ 'security' ] } - { role: proxy, tags: [ 'proxy', 'adblock' ] } - { role: dns_adblocking, tags: ['dns', 'adblock' ] } diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index 1bfb382..6e1a9b0 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -69,11 +69,6 @@ groupname: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" - dns_enabled: "{{ dns_enabled }}" - proxy_enabled: "{{ proxy_enabled }}" - ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" - security_enabled: "{{ security_enabled }}" - auditd_enabled: " {{ auditd_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: ec2 ipv6_support: no diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index f96690d..07ce08b 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml @@ -20,11 +20,6 @@ groups: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" - dns_enabled: "{{ dns_enabled }}" - proxy_enabled: "{{ proxy_enabled }}" - ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" - auditd_enabled: " {{ auditd_enabled }}" - security_enabled: "{{ security_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: gce ipv6_support: no diff --git a/roles/dns_adblocking/meta/main.yml b/roles/dns_adblocking/meta/main.yml new file mode 100644 index 0000000..325ccd9 --- /dev/null +++ b/roles/dns_adblocking/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file diff --git a/roles/logging/meta/main.yml b/roles/logging/meta/main.yml new file mode 100644 index 0000000..325ccd9 --- /dev/null +++ b/roles/logging/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file 
diff --git a/roles/proxy/meta/main.yml b/roles/proxy/meta/main.yml new file mode 100644 index 0000000..325ccd9 --- /dev/null +++ b/roles/proxy/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file diff --git a/roles/security/meta/main.yml b/roles/security/meta/main.yml new file mode 100644 index 0000000..325ccd9 --- /dev/null +++ b/roles/security/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file diff --git a/roles/ssh_tunneling/meta/main.yml b/roles/ssh_tunneling/meta/main.yml new file mode 100644 index 0000000..325ccd9 --- /dev/null +++ b/roles/ssh_tunneling/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml index a3c10f7..a8e921a 100644 --- a/roles/vpn/handlers/main.yml +++ b/roles/vpn/handlers/main.yml @@ -6,6 +6,9 @@ - name: restart apparmor service: name=apparmor state=restarted + +- name: save iptables + shell: service netfilter-persistent save - name: congrats debug: diff --git a/roles/vpn/meta/main.yml b/roles/vpn/meta/main.yml new file mode 100644 index 0000000..325ccd9 --- /dev/null +++ b/roles/vpn/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file From 9804df37281b948b1743f41a024a426b97bb821e Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 29 Aug 2016 00:05:20 +0300 Subject: [PATCH 03/16] global tags --- deploy.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/deploy.yml b/deploy.yml index e6bcc9d..dd5b131 100644 --- a/deploy.yml +++ b/deploy.yml @@ -1,5 +1,6 @@ - name: Configure the server and install required software hosts: localhost + tags: algo vars_files: - config.cfg @@ -11,6 +12,7 @@ - name: Post-provisioning tasks hosts: vpn-host gather_facts: false + tags: algo become: true vars_files: - config.cfg 
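Review bot: The new `save iptables` handler uses `shell:` for `service netfilter-persistent save`, a plain command with no pipes, redirects or expansions, so `command: service netfilter-persistent save` is the right module (it avoids an unneeded `/bin/sh -c`, and ansible-lint flags `shell` in this situation). Nothing in this hunk notifies the handler, so the triggering task is presumably in roles/vpn/tasks outside this patch; a one-line comment above the handler saying which tasks notify it and why (rules must survive a reboot) would help the next reader.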
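Review bot: `tags: algo` at play level (hunks `@@ -1,5 +1,6 @@` and `@@ -11,6 +12,7 @@`) is inherited by every task and role in the play, so `ansible-playbook deploy.yml -t algo` selects all three cloud roles at once as well as every server role, and will fail on whichever providers are not configured. If the tag is meant as an always-on selector for a wrapper script, say so, e.g. `# 'algo' matches everything in this play; always combine it with one cloud tag (digitalocean|ec2|gce) and the server-role tags you want`; otherwise it is better dropped in favour of the per-role tags already present.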
@@ -35,4 +37,5 @@ handlers: - name: reload eth0 - shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' \ No newline at end of file + shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' + \ No newline at end of file From 1feb1dd93746c54d5b312576f5b812bb81917b43 Mon Sep 17 00:00:00 2001 From: jack Date: Sun, 18 Sep 2016 13:10:38 +0300 Subject: [PATCH 04/16] remove unused files --- README.md | 2 +- ec2.yml | 112 ------------------------------------------------------ gce.yml | 110 ----------------------------------------------------- 3 files changed, 1 insertion(+), 223 deletions(-) delete mode 100644 ec2.yml delete mode 100644 gce.yml diff --git a/README.md b/README.md index d72329f..7896c9a 100644 --- a/README.md +++ b/README.md 
@@ -130,7 +130,7 @@ I would, but I don't know of any [suitable ones](https://github.com/trailofbits/ ### Why aren't you using OpenVPN? -OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to update and maintain the software themselves. OpenVPN depends on the security of [TLS](https://tools.ietf.org/html/rfc7457), both the protocol and its implementations, and we simply trust the server less due to [past security incidents](https://www.exploit-db.com/exploits/34879/). +OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to [update](https://www.exploit-db.com/exploits/34037/) and [maintain](https://www.exploit-db.com/exploits/20485/) the software themselves. OpenVPN depends on the security of [TLS](https://tools.ietf.org/html/rfc7457), both the [protocol](http://arstechnica.com/security/2016/08/new-attack-can-pluck-secrets-from-1-of-https-traffic-affects-top-sites/) and its [implementations](http://arstechnica.com/security/2014/04/confirmed-nasty-heartbleed-bug-exposes-openvpn-private-keys-too/), and we simply trust the server less due to past [security](https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin/blob/master/README.md) [incidents](https://www.exploit-db.com/exploits/34879/). ### Why aren't you using Alpine Linux, OpenBSD, or HardenedBSD? diff --git a/ec2.yml b/ec2.yml deleted file mode 100644 index 884e643..0000000 --- a/ec2.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -# vim:ft=ansible: -- name: Create a sandbox instance - hosts: localhost - gather_facts: False - vars_files: - - config.cfg - vars: - instance_type: t2.nano - security_group: vpn-secgroup - regions: - "1": "us-east-1" - "2": "us-west-1" - "3": "us-west-2" - "4": "ap-south-1" - "5": "ap-northeast-2" - "6": "ap-southeast-1" - "7": "ap-southeast-2" - "8": "ap-northeast-1" - "9": "eu-central-1" - "10": "eu-west-1" - "11": "sa-east-1" - - vars_prompt: - - name: "aws_access_key" - prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" - private: yes - - - name: "aws_secret_key" - prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" - private: yes - - - name: "region" - prompt: > - What region should the server be located in? - 1. us-east-1 US East (N. Virginia) - 2. us-west-1 US West (N. California) - 3. us-west-2 US West (Oregon) - 4. ap-south-1 Asia Pacific (Mumbai) - 5. ap-northeast-2 Asia Pacific (Seoul) - 6. ap-southeast-1 Asia Pacific (Singapore) - 7. ap-southeast-2 Asia Pacific (Sydney) - 8. ap-northeast-1 Asia Pacific (Tokyo) - 9. eu-central-1 EU (Frankfurt) - 10. eu-west-1 EU (Ireland) - 11. sa-east-1 South America (São Paulo) - default: "1" - private: no - - - name: "aws_server_name" - prompt: "Name the vpn server:\n" - default: "algo.local" - private: no - - - name: "ssh_public_key" - prompt: "Enter the local path to your SSH public key:\n" - default: "~/.ssh/id_rsa.pub" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? 
(y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? (y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - roles: - - cloud-ec2 - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn diff --git a/gce.yml b/gce.yml deleted file mode 100644 index 599855f..0000000 --- a/gce.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -# vim:ft=ansible: -- name: Configure the server and install required software - hosts: localhost - gather_facts: false - - vars: - zones: - "1": "us-central1-a" - "2": "us-central1-b" - "3": "us-central1-c" - "4": "us-central1-f" - "5": "us-east1-b" - "6": "us-east1-c" - "7": "us-east1-d" - "8": "europe-west1-b" - "9": "europe-west1-c" - "10": "europe-west1-d" - "11": "asia-east1-a" - "12": "asia-east1-b" - "13": "asia-east1-c" - - vars_prompt: - - name: "credentials_file" - prompt: "Enter the local path to your credentials JSON file [ex: ~/gogle_cloud.json] (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):\n" - private: no - - - name: "ssh_public_key" - prompt: "Enter the local path to your SSH public key:\n" - default: "~/.ssh/id_rsa.pub" - private: no - - - name: "zone" - prompt: > - What zone should the server be located in? - 1. Central US (Iowa A) - 2. Central US (Iowa B) - 3. Central US (Iowa C) - 4. Central US (Iowa F) - 5. Eastern US (South Carolina B) - 6. Eastern US (South Carolina C) - 7. Eastern US (South Carolina D) - 8. Western Europe (Belgium B) - 9. Western Europe (Belgium C) - 10. Western Europe (Belgium D) - 11. East Asia (Taiwan A) - 12. East Asia (Taiwan B) - 13. East Asia (Taiwan C) - Please choose the number of your zone. Press enter for default (#8) zone. - default: "8" - private: no - - - name: "server_name" - prompt: "Name the vpn server:\n" - default: "algo" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? 
(y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? (y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - roles: - - cloud-gce - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn From 97ea00056df01d5882dd2b8b4398d731ccab9f6a Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 13:11:10 +0300 Subject: [PATCH 05/16] DO roles to tags --- roles/cloud-digitalocean/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml index 06bfba1..5a28f8f 100644 --- a/roles/cloud-digitalocean/tasks/main.yml +++ b/roles/cloud-digitalocean/tasks/main.yml 
@@ -1,6 +1,6 @@ - name: Set the DigitalOcean Access Token fact set_fact: - do_token: "{{ do_access_token | default( lookup('env', 'DIGITALOCEAN_API_KEY') ) }}" + do_token: "{{ do_access_token }}" - name: "Getting your SSH key ID on Digital Ocean..." digital_ocean: From cf5a0f41d3aa05320991e6773fe2834e1195b3ab Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 13:11:22 +0300 Subject: [PATCH 06/16] ec2 role to tags --- roles/cloud-ec2/tasks/main.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index 6e1a9b0..4f25e1b 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -7,7 +7,7 @@ sort: name sort_order: descending sort_end: 1 - region: "{{ regions[region] }}" + region: "{{ region }}" register: ami_search - set_fact: @@ -18,7 +18,7 @@ aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" name: VPNKEY - region: "{{ regions[region] }}" + region: "{{ region }}" key_material: "{{ item }}" with_file: "{{ ssh_public_key }}" register: keypair @@ -27,9 +27,9 @@ ec2_group: aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" - name: "{{ security_group }}" + name: vpn-secgroup description: Security group for VPN servers - region: "{{ regions[region] }}" + region: "{{ region }}" rules: - proto: udp from_port: 4500 @@ -54,11 +54,11 @@ aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" keypair: "VPNKEY" - group: "{{ security_group }}" - instance_type: "{{ instance_type }}" + group: vpn-secgroup + instance_type: t2.nano image: "{{ ami_image }}" wait: true - region: "{{ regions[region] }}" + region: "{{ region }}" instance_tags: name: "{{ aws_server_name }}" register: ec2 From aa4dcc31d454dbcdc64a46867f1bb3776ae5fb96 Mon Sep 17 00:00:00 2001 
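Review bot: Replacing `do_token: "{{ do_access_token | default( lookup('env', 'DIGITALOCEAN_API_KEY') ) }}"` with `do_token: "{{ do_access_token }}"` removes the only way to supply the API token without putting it on the ansible-playbook command line, and the `-e 'do_access_token=...'` form this series moves to (README example and the `algo` wrapper later in the series) leaves the token in shell history and in the process list visible to other local users. Keep the environment fallback, `do_token: "{{ do_access_token | default(lookup('env', 'DIGITALOCEAN_API_KEY')) }}"`, and mark the task `no_log: true` so the `set_fact` result does not echo the token in verbose output. With the fallback gone, an unset `do_access_token` also fails here with a generic undefined-variable error instead of telling the user what is missing.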
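Review bot: The ec2 hunks at `@@ -27,9 +27,9 @@` and `@@ -54,11 +54,11 @@` replace `{{ security_group }}` and `{{ instance_type }}` with the literals `vpn-secgroup` (twice) and `t2.nano`, inlining values that were play vars in the deleted ec2.yml; the natural home for them is `roles/cloud-ec2/defaults/main.yml` (`security_group: vpn-secgroup`, `instance_type: t2.nano`) so `ec2_group` and `ec2` keep referencing one variable and users can still override via `-e`. The `region: "{{ region }}"` change in all four hunks drops the numbered-menu lookup, so `region` must now be an AWS region code; a comment at the first use, `# region is an AWS region code (e.g. us-east-1), passed via -e`, documents the new contract.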
From: Jack Ivanov Date: Sun, 18 Sep 2016 13:11:30 +0300 Subject: [PATCH 07/16] gce role to tags --- roles/cloud-gce/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index 07ce08b..9c12f47 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml @@ -5,7 +5,7 @@ - name: "Creating a new instance..." gce: instance_names: "{{ server_name }}" - zone: "{{ zones[zone] }}" + zone: "{{ zone }}" machine_type: n1-standard-1 image: ubuntu-1604 service_account_email: "{{ credentials_file_lookup.client_email }}" From d9441b236a70036881d17f5ed484683ffbb030e1 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 13:12:17 +0300 Subject: [PATCH 08/16] move to tags #80 --- deploy.yml | 9 ++++----- roles/vpn/meta/main.yml | 3 ++- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy.yml b/deploy.yml index dd5b131..bca20ee 100644 --- a/deploy.yml +++ b/deploy.yml @@ -20,11 +20,11 @@ pre_tasks: - name: Common pre-tasks include: playbooks/common.yml - tags: [ 'digitalocean', 'ec2', 'gce' ] + tags: [ 'digitalocean', 'ec2', 'gce', 'pre' ] - name: DigitalOcean pre-tasks include: playbooks/digitalocean.yml - tags: [ 'digitalocean', 'ec2', 'gce' ] + tags: [ 'digitalocean' ] roles: - { role: security, tags: [ 'security' ] } @@ -32,10 +32,9 @@ - { role: dns_adblocking, tags: ['dns', 'adblock' ] } - { role: logging, tags: [ 'logging' ] } - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] } - - { role: vpn, tags: [ 'vpn' ] } - + - { role: vpn, tags: [ 'vpn' ] } handlers: - name: reload eth0 shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' - \ No newline at end of file + diff --git a/roles/vpn/meta/main.yml b/roles/vpn/meta/main.yml index 325ccd9..149a6fb 100644 --- a/roles/vpn/meta/main.yml +++ b/roles/vpn/meta/main.yml @@ -1,4 +1,5 @@ --- dependencies: - - { role: common } \ No newline at end of file + - { role: common } + 
From b41a8d58cdfb142d022097bb5cb9ec8e806eafb2 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 13:14:32 +0300 Subject: [PATCH 09/16] extend README to use roles --- README.md | 85 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 83 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7896c9a..2292452 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,86 @@ Ansible scripts are organized into roles. The roles used by Algo are described i * SHell or BASH * libselinux-python (for RedHat based distros) +### Roles and Tags +**Cloud roles:** +- role: cloud-digitalocean, tags: digitalocean +- role: cloud-ec2, tags: ec2 +- role: cloud-gce, tags: gce + +**Server roles:** +- role: vpn, tags: vpn +- role: dns_adblocking, tags: dns, adblock +- role: proxy, tags: proxy, adblock +- role: logging, tags: logging +- role: security, tags: security +- role: ssh_tunneling, tags: ssh_tunneling + +### Cloud Providers + +**digitalocean** +*Requirement variables:* +- do_access_token +- do_ssh_name +- do_server_name +- do_region + +*Possible regions:* +- ams2 +- ams3 +- fra1 +- lon1 +- nyc1 +- nyc2 +- nyc3 +- sfo1 +- sfo2 +- sgp1 +- tor1 +- blr1 + +**gce** +*Requirement variables:* +- credentials_file +- server_name +- ssh_public_key +- zone + +*Possible zones:* +- us-central1-a +- us-central1-b +- us-central1-c +- us-central1-f +- us-east1-b +- us-east1-c +- us-east1-d +- europe-west1-b +- europe-west1-c +- europe-west1-d +- asia-east1-a +- asia-east1-b +- asia-east1-c + +**ec2** +*Requirement variables:* +- aws_access_key +- aws_secret_key +- aws_server_name +- ssh_public_key +- region + +*Possible regions:* +- us-east-1 +- us-west-1 +- us-west-2 +- ap-south-1 +- ap-northeast-2 +- ap-southeast-1 +- ap-southeast-2 +- ap-northeast-1 +- eu-central-1 +- eu-west-1 +- sa-east-1 + ### Cloud Deployment To install the dependencies on OS X or Linux: 
@@ -84,10 +164,11 @@ sudo pip install -r requirements.txt Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. -Start the deploy and follow the instructions: +Start the deploy with extra variables and tags that you need. +Example for DigitalOcean: ``` -./algo +ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=secret_token do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2' ``` When the process is done, you can find `.mobileconfig` files and certificates in the `configs` directory. Send the `.mobileconfig` profile to users with Apple devices. Note that profile installation is supported over AirDrop. Do not send the mobileconfig file over plaintext (e.g., e-mail) since it contains the keys to access the VPN. For those using other clients, like Windows or Android, securely send them the X.509 certificates for the server and their user. From 4efca40675cd4a8f3ae41e6bc51daa1b25109835 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 13:40:46 +0300 Subject: [PATCH 10/16] DO prompts --- algo | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/algo b/algo index 8283b3c..5ad4e95 100755 --- a/algo +++ b/algo 
@@ -2,6 +2,57 @@ set -e +digitalocean () { + read -p " +Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens): +: " -rs do_access_token + + read -p " +Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security): +: " -r do_ssh_name + + read -p " +Name the vpn server: +[algo.local]: " -r do_server_name + do_server_name=${do_server_name:-algo.local} + + read -p " + What region should the server be located in? + 1. Amsterdam (Datacenter 2) + 2. Amsterdam (Datacenter 3) + 3. Frankfurt + 4. London + 5. New York (Datacenter 1) + 6. New York (Datacenter 2) + 7. New York (Datacenter 3) + 8. San Francisco (Datacenter 1) + 9. San Francisco (Datacenter 2) + 10. Singapore + 11. Toronto + 12. Bangalore +Enter the number of your desired region: +[7]: " -r region + region=${region:-1} + + case "$region" in + 1) do_region="ams2" ;; + 2) do_region="ams3" ;; + 3) do_region="fra1" ;; + 4) do_region="lon1" ;; + 5) do_region="nyc1" ;; + 6) do_region="nyc2" ;; + 7) do_region="nyc3" ;; + 8) do_region="sfo1" ;; + 9) do_region="sfo2" ;; + 10) do_region="sgp1" ;; + 11) do_region="tor1" ;; + 12) do_region="blr1" ;; + esac + +ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region" + +} + algo_provisioning () { echo -n " What provider would you like to use? @@ -16,7 +67,7 @@ Enter the number of your desired provider read -r N case "$N" in - 1) CLOUD="digitalocean" ;; + 1) digitalocean; ;; 2) CLOUD="ec2" ;; 3) CLOUD="gce" ;; 4) CLOUD="non-cloud" ;; From 6bc9e9a1801056063829741ad1f7b9a8c9444bc4 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 13:52:49 +0300 Subject: [PATCH 11/16] EC2 prompts --- algo | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 56 insertions(+), 4 deletions(-) diff --git a/algo b/algo index 5ad4e95..fd5a012 100755 --- a/algo +++ b/algo 
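Review bot: The API token read silently into `do_access_token` is then handed to `ansible-playbook` on its command line via `-e "do_access_token=$do_access_token ..."`, where it is readable by any local user through the process table and can end up in shell history or job logs; the ec2 hunk of patch 11 does the same with `aws_access_key` and `aws_secret_key`. Ansible's `-e` also accepts `@file`, so the prompted values can be written to a `mktemp` file (created mode 0600) that is removed on exit, which additionally keeps a server name containing a space from being split into extra `key=value` pairs. Separately, `case "$region"` has no `*)` branch, so an out-of-range answer leaves `do_region` empty and the playbook still runs; the ec2 and gce hunks of patches 11 and 12 share this, and `*) echo "Invalid region" >&2; exit 1 ;;` would fail fast instead. The `algo_provisioning` function continues outside the second hunk.
```sh
  # … unchanged: prompts and region case …
  vars_file=$(mktemp)
  trap 'rm -f "$vars_file"' EXIT
  printf 'do_access_token: "%s"\ndo_ssh_name: "%s"\ndo_server_name: "%s"\ndo_region: "%s"\n' \
    "$do_access_token" "$do_ssh_name" "$do_server_name" "$do_region" > "$vars_file"
  ansible-playbook deploy.yml -t digitalocean,vpn -e "@$vars_file"
```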
@@ -32,7 +32,7 @@ Name the vpn server:
 12. Bangalore
 Enter the number of your desired region:
 [7]: " -r region
- region=${region:-1}
+ region=${region:-7}
 
 case "$region" in
 1) do_region="ams2" ;;
@@ -53,6 +53,59 @@ ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_t } +ec2 () { + read -p " +Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): +: " -rs aws_access_key + + read -p " +Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): +: " -rs aws_secret_key + + read -p " +Enter the local path to your SSH public key: +: " -r ssh_public_key + + read -p " +Name the vpn server: +[algo.local]: " -r aws_server_name + aws_server_name=${aws_server_name:-algo.local} + + read -p " + What region should the server be located in? + 1. us-east-1 US East (N. Virginia) + 2. us-west-1 US West (N. California) + 3. us-west-2 US West (Oregon) + 4. ap-south-1 Asia Pacific (Mumbai) + 5. ap-northeast-2 Asia Pacific (Seoul) + 6. ap-southeast-1 Asia Pacific (Singapore) + 7. ap-southeast-2 Asia Pacific (Sydney) + 8. ap-northeast-1 Asia Pacific (Tokyo) + 9. eu-central-1 EU (Frankfurt) + 10. eu-west-1 EU (Ireland) + 11. sa-east-1 South America (São Paulo) +Enter the number of your desired region: +[1]: " -r aws_region + aws_region=${aws_region:-1} + + case "$aws_region" in + 1) region="us-east-1" ;; + 2) region="us-west-1" ;; + 3) region="us-west-2" ;; + 4) region="ap-south-1" ;; + 5) region="ap-northeast-2" ;; + 6) region="ap-southeast-1" ;; + 7) region="ap-southeast-2" ;; + 8) region="ap-northeast-1" ;; + 9) region="eu-central-1" ;; + 10) region="eu-west-1" ;; + 11) region="sa-east-1" ;; + esac + +ansible-playbook deploy.yml -t ec2,vpn -e "aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" + +} + algo_provisioning () { echo -n " What provider would you like to use? 
@@ -68,13 +121,12 @@ Enter the number of your desired provider case "$N" in 1) digitalocean; ;; - 2) CLOUD="ec2" ;; + 2) ec2; ;; 3) CLOUD="gce" ;; 4) CLOUD="non-cloud" ;; *) exit 1 ;; esac - - ansible-playbook "${CLOUD}.yml" + } user_management () { From a470bf071e3a0bcbe9bd24428274aee6361f1d9f Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Sun, 18 Sep 2016 14:03:20 +0300 Subject: [PATCH 12/16] GCE prompts --- algo | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 56 insertions(+), 3 deletions(-) diff --git a/algo b/algo index fd5a012..66fc176 100755 --- a/algo +++ b/algo @@ -68,8 +68,8 @@ Enter the local path to your SSH public key: read -p " Name the vpn server: -[algo.local]: " -r aws_server_name - aws_server_name=${aws_server_name:-algo.local} +[algo]: " -r aws_server_name + aws_server_name=${aws_server_name:-algo} read -p " What region should the server be located in? 
@@ -106,6 +106,59 @@ ansible-playbook deploy.yml -t ec2,vpn -e "aws_access_key=$aws_access_key aws_se } +gce () { + read -p " +Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts): +: " -r credentials_file + + read -p " +Enter the local path to your SSH public key: +: " -r ssh_public_key + + read -p " +Name the vpn server: +[algo]: " -r server_name + server_name=${server_name:-algo} + + read -p " + What zone should the server be located in? + 1. Central US (Iowa A) + 2. Central US (Iowa B) + 3. Central US (Iowa C) + 4. Central US (Iowa F) + 5. Eastern US (South Carolina B) + 6. Eastern US (South Carolina C) + 7. Eastern US (South Carolina D) + 8. Western Europe (Belgium B) + 9. Western Europe (Belgium C) + 10. Western Europe (Belgium D) + 11. East Asia (Taiwan A) + 12. East Asia (Taiwan B) + 13. East Asia (Taiwan C) +Please choose the number of your zone. Press enter for default (#8) zone. +[8]: " -r region + region=${region:-8} + + case "$region" in + 1) zone="us-central1-a" ;; + 2) zone="us-central1-b" ;; + 3) zone="us-central1-c" ;; + 4) zone="us-central1-f" ;; + 5) zone="us-east1-b" ;; + 6) zone="us-east1-c" ;; + 7) zone="us-east1-d" ;; + 8) zone="europe-west1-b" ;; + 9) zone="europe-west1-c" ;; + 10) zone="europe-west1-d" ;; + 11) zone="asia-east1-a" ;; + 12) zone="asia-east1-b" ;; + 13) zone="asia-east1-c" ;; + esac + +ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone" + +} + algo_provisioning () { echo -n " What provider would you like to use? @@ -122,7 +175,7 @@ Enter the number of your desired provider case "$N" in 1) digitalocean; ;; 2) ec2; ;; - 3) CLOUD="gce" ;; + 3) gce; ;; 4) CLOUD="non-cloud" ;; *) exit 1 ;; esac From fc162728d3af40459dd59ac77e82770a6e2f9028 Mon Sep 17 00:00:00 2001 
From: Jack Ivanov Date: Mon, 19 Sep 2016 19:54:45 +0300 Subject: [PATCH 13/16] role for local installation --- algo | 19 +++++++- deploy.yml | 3 +- non-cloud.yml | 89 ---------------------------------- roles/cloud-gce/tasks/main.yml | 2 +- roles/local/handlers/main.yml | 0 roles/local/tasks/main.yml | 12 +++++ 6 files changed, 33 insertions(+), 92 deletions(-) delete mode 100644 non-cloud.yml create mode 100644 roles/local/handlers/main.yml create mode 100644 roles/local/tasks/main.yml diff --git a/algo b/algo index 66fc176..d5302b4 100755 --- a/algo +++ b/algo @@ -159,6 +159,23 @@ ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file se } +non_cloud () { + read -p " +Enter IP address of your server: (use localhost for local installation) +: " -r server_ip + + read -p " +What user should we use to login on the server? (ignore if you're deploying to localhost) +[root]: " -r server_user + server_user=${server_user:-root} + + read -p " +Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate) +: " -r IP_subject + + ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject=$IP_subject" +} + algo_provisioning () { echo -n " What provider would you like to use? @@ -176,7 +193,7 @@ Enter the number of your desired provider 1) digitalocean; ;; 2) ec2; ;; 3) gce; ;; - 4) CLOUD="non-cloud" ;; + 4) non_cloud; ;; *) exit 1 ;; esac diff --git a/deploy.yml b/deploy.yml index bca20ee..81c6d84 100644 --- a/deploy.yml +++ b/deploy.yml @@ -7,7 +7,8 @@ roles: - { role: cloud-digitalocean, tags: ['digitalocean'] } - { role: cloud-ec2, tags: ['ec2'] } - - { role: cloud-gce, tags: ['gce'] } + - { role: cloud-gce, tags: ['gce'] } + - { role: local, tags: ['local'] } - name: Post-provisioning tasks hosts: vpn-host diff --git a/non-cloud.yml b/non-cloud.yml deleted file mode 100644 index 8f5a33e..0000000 --- a/non-cloud.yml +++ /dev/null 
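Review bot: `server_ip` in the new `non_cloud` function has no default, whereas the `non-cloud.yml` removed by this commit defaulted it to `localhost` (`default: localhost` in its `vars_prompt`); pressing Enter now yields an empty `server_ip`, which the new local role passes straight into `add_host` as the hostname. Adding `server_ip=${server_ip:-localhost}` after the `read` restores the old behaviour and matches the prompt text, which already tells the user to "use localhost for local installation". The invocation also runs with `-t local,vpn`, while the "Common pre-tasks" include in deploy.yml (as shown in the patch 16 hunk of this series) is tagged `[ 'digitalocean', 'ec2', 'gce', 'pre' ]` without `local`, so the python2.7 install that the role's `ansible_python_interpreter: "/usr/bin/python2.7"` relies on appears to be skipped for local deployments; either add `'local'` to those tags or pass `-t local,pre,vpn`. `algo_provisioning`'s body continues outside the second hunk.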
@@ -1,89 +0,0 @@ -# vim:ft=ansible: -- hosts: localhost - gather_facts: False - vars_files: - - config.cfg - - vars_prompt: - - name: "server_ip" - prompt: "Enter IP address of your server: (use localhost for local installation)\n" - default: localhost - private: no - - - name: "server_user" - prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n" - default: "root" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? (y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - - name: "IP_subject" - prompt: "Enter the public IP address of your server: (IMPORTANT! 
This IP is used to verify the certificate)\n" - private: no - - tasks: - - name: Add the server to the vpn-host group - add_host: - hostname: "{{ server_ip }}" - groupname: vpn-host - ansible_ssh_user: "{{ server_user }}" - ansible_python_interpreter: "/usr/bin/python2.7" - dns_enabled: "{{ dns_enabled }}" - proxy_enabled: "{{ proxy_enabled }}" - ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" - security_enabled: "{{ security_enabled }}" - auditd_enabled: " {{ auditd_enabled }}" - easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" - IP_subject: "{{ IP_subject }}" - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - set_fact: - IP_subject_alt_name: "{{ IP_subject }}" - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index 9c12f47..959ec6f 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml @@ -16,7 +16,7 @@ - name: Add the instance to an inventory group add_host: - name: "{{ google_vm.instance_data[0].public_ip}}" + name: "{{ google_vm.instance_data[0].public_ip }}" groups: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" 
diff --git a/roles/local/handlers/main.yml b/roles/local/handlers/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/local/tasks/main.yml b/roles/local/tasks/main.yml new file mode 100644 index 0000000..de8de4c --- /dev/null +++ b/roles/local/tasks/main.yml @@ -0,0 +1,12 @@ +- name: Add the instance to an inventory group + add_host: + name: "{{ server_ip }}" + groups: vpn-host + ansible_ssh_user: "{{ server_user }}" + ansible_python_interpreter: "/usr/bin/python2.7" + easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" + cloud_provider: local + +- name: Waiting for SSH to become available + local_action: "wait_for port=22 host={{ server_ip }} timeout=320" + when: server_ip != "localhost" From 6441f2186bd8cbe8cb265992b3be9e70f9bd77b0 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 19 Sep 2016 19:59:45 +0300 Subject: [PATCH 14/16] some README fixes --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 2292452..2dfc977 100644 --- a/README.md +++ b/README.md @@ -153,6 +153,12 @@ Ansible scripts are organized into roles. The roles used by Algo are described i - eu-west-1 - sa-east-1 +**local installation** +*Requirement variables:* +- server_ip +- server_user +- IP_subject + ### Cloud Deployment To install the dependencies on OS X or Linux: From 69e7f1e5dc1812ca25846faee3ce205eb2038737 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 19 Sep 2016 20:02:25 +0300 Subject: [PATCH 15/16] README fixes --- ADVANCED.md | 81 +++++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 77 ++------------------------------------------------ 2 files changed, 83 insertions(+), 75 deletions(-) create mode 100644 ADVANCED.md diff --git a/ADVANCED.md b/ADVANCED.md new file mode 100644 index 0000000..a9384f1 --- /dev/null +++ b/ADVANCED.md 
@@ -0,0 +1,81 @@ +### Cloud Providers + +**digitalocean** +*Requirement variables:* +- do_access_token +- do_ssh_name +- do_server_name +- do_region + +*Possible regions:* +- ams2 +- ams3 +- fra1 +- lon1 +- nyc1 +- nyc2 +- nyc3 +- sfo1 +- sfo2 +- sgp1 +- tor1 +- blr1 + +**gce** +*Requirement variables:* +- credentials_file +- server_name +- ssh_public_key +- zone + +*Possible zones:* +- us-central1-a +- us-central1-b +- us-central1-c +- us-central1-f +- us-east1-b +- us-east1-c +- us-east1-d +- europe-west1-b +- europe-west1-c +- europe-west1-d +- asia-east1-a +- asia-east1-b +- asia-east1-c + +**ec2** +*Requirement variables:* +- aws_access_key +- aws_secret_key +- aws_server_name +- ssh_public_key +- region + +*Possible regions:* +- us-east-1 +- us-west-1 +- us-west-2 +- ap-south-1 +- ap-northeast-2 +- ap-southeast-1 +- ap-southeast-2 +- ap-northeast-1 +- eu-central-1 +- eu-west-1 +- sa-east-1 + +**local installation** +*Requirement variables:* +- server_ip +- server_user +- IP_subject + +### Deployment + +Start the deploy with extra variables and tags that you need. +Example for DigitalOcean: + +``` +ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=secret_token_abc do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2' +``` + diff --git a/README.md b/README.md index 2dfc977..5cb7148 100644 --- a/README.md +++ b/README.md 
@@ -87,78 +87,6 @@ Ansible scripts are organized into roles. The roles used by Algo are described i - role: security, tags: security - role: ssh_tunneling, tags: ssh_tunneling -### Cloud Providers - -**digitalocean** -*Requirement variables:* -- do_access_token -- do_ssh_name -- do_server_name -- do_region - -*Possible regions:* -- ams2 -- ams3 -- fra1 -- lon1 -- nyc1 -- nyc2 -- nyc3 -- sfo1 -- sfo2 -- sgp1 -- tor1 -- blr1 - -**gce** -*Requirement variables:* -- credentials_file -- server_name -- ssh_public_key -- zone - -*Possible zones:* -- us-central1-a -- us-central1-b -- us-central1-c -- us-central1-f -- us-east1-b -- us-east1-c -- us-east1-d -- europe-west1-b -- europe-west1-c -- europe-west1-d -- asia-east1-a -- asia-east1-b -- asia-east1-c - -**ec2** -*Requirement variables:* -- aws_access_key -- aws_secret_key -- aws_server_name -- ssh_public_key -- region - -*Possible regions:* -- us-east-1 -- us-west-1 -- us-west-2 -- ap-south-1 -- ap-northeast-2 -- ap-southeast-1 -- ap-southeast-2 -- ap-northeast-1 -- eu-central-1 -- eu-west-1 -- sa-east-1 - -**local installation** -*Requirement variables:* -- server_ip -- server_user -- IP_subject - ### Cloud Deployment To install the dependencies on OS X or Linux: 
@@ -170,11 +98,10 @@ sudo pip install -r requirements.txt Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. -Start the deploy with extra variables and tags that you need. -Example for DigitalOcean: +Start the deploy and follow the instructions: ``` -ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=secret_token do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2' +./algo ``` When the process is done, you can find `.mobileconfig` files and certificates in the `configs` directory. Send the `.mobileconfig` profile to users with Apple devices. Note that profile installation is supported over AirDrop. Do not send the mobileconfig file over plaintext (e.g., e-mail) since it contains the keys to access the VPN. For those using other clients, like Windows or Android, securely send them the X.509 certificates for the server and their user. From 4d731580b7bcb904e5802802ec86b2dfc0ba7fbf Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Mon, 19 Sep 2016 20:18:27 +0300 Subject: [PATCH 16/16] linting --- deploy.yml | 18 ++++---- playbooks/common.yml | 2 +- playbooks/digitalocean.yml | 80 +---------------------------------- roles/logging/tasks/main.yml | 4 +- roles/security/tasks/main.yml | 4 +- roles/vpn/handlers/main.yml | 2 +- roles/vpn/meta/main.yml | 2 +- 7 files changed, 17 insertions(+), 95 deletions(-) diff --git a/deploy.yml b/deploy.yml index 81c6d84..4e6ca20 100644 --- a/deploy.yml +++ b/deploy.yml 
@@ -3,26 +3,26 @@ tags: algo vars_files: - config.cfg - + roles: - { role: cloud-digitalocean, tags: ['digitalocean'] } - - { role: cloud-ec2, tags: ['ec2'] } - - { role: cloud-gce, tags: ['gce'] } + - { role: cloud-ec2, tags: ['ec2'] } + - { role: cloud-gce, tags: ['gce'] } - { role: local, tags: ['local'] } - + - name: Post-provisioning tasks hosts: vpn-host gather_facts: false - tags: algo + tags: algo become: true vars_files: - config.cfg - pre_tasks: + pre_tasks: - name: Common pre-tasks include: playbooks/common.yml tags: [ 'digitalocean', 'ec2', 'gce', 'pre' ] - + - name: DigitalOcean pre-tasks include: playbooks/digitalocean.yml tags: [ 'digitalocean' ] @@ -33,9 +33,9 @@ - { role: dns_adblocking, tags: ['dns', 'adblock' ] } - { role: logging, tags: [ 'logging' ] } - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] } - - { role: vpn, tags: [ 'vpn' ] } + - { role: vpn, tags: [ 'vpn' ] } handlers: - name: reload eth0 shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' - + diff --git a/playbooks/common.yml b/playbooks/common.yml index 1cf5283..d84a6eb 100644 --- a/playbooks/common.yml +++ b/playbooks/common.yml @@ -1,5 +1,5 @@ - name: Install prerequisites raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - + - name: Configure defaults raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 diff --git a/playbooks/digitalocean.yml b/playbooks/digitalocean.yml index 8973447..703e5d0 100644 --- a/playbooks/digitalocean.yml +++ b/playbooks/digitalocean.yml 
@@ -1,81 +1,3 @@ - #vars: - #regions: - #"1": "ams2" - #"2": "ams3" - #"3": "fra1" - #"4": "lon1" - #"5": "nyc1" - #"6": "nyc2" - #"7": "nyc3" - #"8": "sfo1" - #"9": "sfo2" - #"10": "sgp1" - #"11": "tor1" - #"12": "blr1" - - #vars_prompt: - #- name: "do_access_token" - #prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n" - #private: yes - - #- name: "do_ssh_name" - #prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n" - #private: no - - #- name: "do_region" - #prompt: > - #What region should the server be located in? - #1. Amsterdam (Datacenter 2) - #2. Amsterdam (Datacenter 3) - #3. Frankfurt - #4. London - #5. New York (Datacenter 1) - #6. New York (Datacenter 2) - #7. New York (Datacenter 3) - #8. San Francisco (Datacenter 1) - #9. San Francisco (Datacenter 2) - #10. Singapore - #11. Toronto - #12. Bangalore - #Enter the number of your desired region: - #default: "7" - #private: no - - #- name: "do_server_name" - #prompt: "Name the vpn server:\n" - #default: "algo.local" - #private: no - - #- name: "dns_enabled" - #prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - #default: "y" - #private: no - - #- name: "proxy_enabled" - #prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" - #default: "y" - #private: no - - #- name: "auditd_enabled" - #prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" - #default: "y" - #private: no - - #- name: "ssh_tunneling_enabled" - #prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - #default: "y" - #private: no - - #- name: "security_enabled" - #prompt: "Do you want to enable the security role? 
(y/n):\n" - #default: "y" - #private: no - - #- name: "easyrsa_p12_export_password" - #prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - #default: "vpnpw" - #private: yes - - name: Enable IPv6 on the droplet uri: url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions" @@ -111,4 +33,4 @@ - name: Wait for SSH to become available local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320" - become: false \ No newline at end of file + become: false diff --git a/roles/logging/tasks/main.yml b/roles/logging/tasks/main.yml index 48ed479..13b0739 100644 --- a/roles/logging/tasks/main.yml +++ b/roles/logging/tasks/main.yml @@ -15,7 +15,7 @@ - name: Enable services service: name=auditd enabled=yes - + # Rsyslog - name: Rsyslog configured @@ -29,4 +29,4 @@ - restart rsyslog - name: Enable services - service: name=rsyslog enabled=yes + service: name=rsyslog enabled=yes diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml index 6ad36c5..f951616 100644 --- a/roles/security/tasks/main.yml +++ b/roles/security/tasks/main.yml @@ -2,12 +2,12 @@ apt: name="{{ item }}" state=latest with_items: - unattended-upgrades - + - name: Configure unattended-upgrades template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644 - name: Periodic upgrades configured - template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644 + template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644 - name: Find directories for minimizing access stat: diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml index a8e921a..fae797f 100644 --- a/roles/vpn/handlers/main.yml +++ b/roles/vpn/handlers/main.yml @@ -6,7 +6,7 @@ - name: restart apparmor service: name=apparmor state=restarted - + - name: save iptables shell: service netfilter-persistent save 
diff --git a/roles/vpn/meta/main.yml b/roles/vpn/meta/main.yml index 149a6fb..4b583d6 100644 --- a/roles/vpn/meta/main.yml +++ b/roles/vpn/meta/main.yml @@ -2,4 +2,4 @@ dependencies: - { role: common } - +