wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-04-19 15:47:11 +02:00
Code Issues Projects Releases Wiki Activity

Roles and Google cloud

Browse source
This commit is contained in:
jack 2016-08-14 20:03:23 +03:00
parent 42e6067e4d
commit e729f0d303
26 changed files with 6 additions and 4018 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
README.md
View file

@ -33,6 +33,7 @@ Algo (short for "Al Gore", the **V**ice **P**resident of **N**etworks everywhere
* [azure >= 0.7.1](https://github.com/Azure/azure-sdk-for-python)
* [apache-libcloud](https://github.com/apache/libcloud)
* [libcloud](https://curl.haxx.se/docs/caextract.html) (for Mac OS)
* [six](https://github.com/JioCloud/python-six)
* SHell or BASH
* libselinux-python (for RedHat based distros)

2
digitalocean.yml
View file

@ -94,7 +94,7 @@
register: droplet_info
- name: IPv6 configured
template: src=20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
template: src=roles/digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
notify:
- reload eth0

44
roles/azure/tasks/main.yml
View file

@ -1,45 +1 @@
- local_action:
module: azure
name: my-virtual-machine
role_size: Small
image: b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu_DAILY_BUILD-precise-12_04_3-LTS-amd64-server-20131205-en-us-30GB
location: 'East US'
user: ubuntu
ssh_cert_path: "/home/jack/.ssh/upwork.pub"
storage_account: my-storage-account
wait: yes
subscription_id: "02e68d20-1a39-4faa-aa35-6bdd0238b54e"
management_cert_path: "/home/jack/ownCloud/Clouds/azure/manage.cer"
#- name: "Creating a virtual machine..."
#azure:
#subscription_id: "02e68d20-1a39-4faa-aa35-6bdd0238b54e"
#name: "algo-vpn"
#role_size: Small
#image: b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu-16_04-LTS-amd64-server-20160721-en-us-30GB
#location: "West Europe"
#user: ubuntu
#ssh_cert_path: "/home/jack/.ssh/upwork.pub"
#storage_account: 'algo.vpn'
#management_cert_path: "/home/jack/ownCloud/Clouds/azure/manage.cer"
#wait: yes
#state: present
#register: azure_vm
- debug: msg="{{ azure_vm }}"
#- name: Add the droplet to an inventory group
#add_host:
#name: "{{ do.droplet.ip_address }}"
#groups: vpn-host
#ansible_ssh_user: root
#ansible_python_interpreter: "/usr/bin/python2.7"
#do_access_token: "{{ do_access_token }}"
#do_droplet_id: "{{ do.droplet.id }}"
#dns_enabled: "{{ dns_enabled }}"
#auditd_enabled: " {{ auditd_enabled }}"
#- name: Wait for SSH to become available
#local_action: "wait_for port=22 host={{ do.droplet.ip_address }} timeout=320"

2
roles/features/tasks/main.yml
View file

@ -93,7 +93,7 @@
- restart dnsmasq
- name: Adblock script created
copy: src=templates/adblock.sh dest=/opt/adblock.sh owner=root group=root mode=755
template: src=adblock.sh dest=/opt/adblock.sh owner=root group=root mode=755
when: dns_enabled is defined and dns_enabled == "Y"
- name: Adblock script added to cron

6
run
View file

@ -5,8 +5,7 @@ algo_provisioning () {
What provider would you like to use?
1. DigitalOcean
2. Amazon EC2
3. Azure
4. Google-cloud
3. Google-cloud
0. Local installation (non-cloud or a server already deployed)
Enter the number of your desired provider
@ -17,8 +16,7 @@ Enter the number of your desired provider
case "$N" in
1) CLOUD="digitalocean" ;;
2) CLOUD="ec2" ;;
3) CLOUD="azure" ;;
4) CLOUD="google_cloud" ;;
3) CLOUD="google_cloud" ;;
0) CLOUD="non-cloud" ;;
*) exit 1 ;;
esac

11
templates/000-default.conf.j2
View file

@ -1,11 +0,0 @@
<VirtualHost *:*>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine On
RewriteRule ^(.*)$ http://%{HTTP_HOST}$1 [NC,P]
ProxyPass / http://$1
ProxyPassReverse / http://$1
ProxyPreserveHost On
</VirtualHost>

9
templates/10-loopback-services.cfg.j2
View file

@ -1,9 +0,0 @@
auto lo:100
iface lo:100 inet static
address 172.16.0.1
netmask 255.255.255.255
iface lo:100 inet6 static
address FCAA::1
netmask 64
autoconf 0

4
templates/10periodic.j2
View file

@ -1,4 +0,0 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

6
templates/20-ipv6.cfg.j2
View file

@ -1,6 +0,0 @@
iface eth0 inet6 static
address {{ item.ip_address }}
netmask {{ item.netmask }}
gateway {{ item.gateway }}
autoconf 0
dns-nameservers 2001:4860:4860::8844 2001:4860:4860::8888

59
templates/50unattended-upgrades.j2
View file

@ -1,59 +0,0 @@
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

15
templates/CIS.conf.j2
View file

@ -1,15 +0,0 @@
*.emerg :omusrmsg:*
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages

50
templates/adblock.sh
View file

@ -1,50 +0,0 @@
#!/bin/sh
#Block ads, malware, etc.
# Redirect endpoint
ENDPOINT_IP4="0.0.0.0"
ENDPOINT_IP6="::"
IPV6="Y"
#Delete the old block.hosts to make room for the updates
rm -f /etc/block.hosts
echo 'Downloading hosts lists...'
#Download and process the files needed to make the lists (enable/add more, if you want)
wget -qO- http://www.mvps.org/winhelp2002/hosts.txt| awk -v r="$ENDPOINT_IP4" '{sub(/^0.0.0.0/, r)} $0 ~ "^"r' > /tmp/block.build.list
wget -qO- "http://adaway.org/hosts.txt"|awk -v r="$ENDPOINT_IP4" '{sub(/^127.0.0.1/, r)} $0 ~ "^"r' >> /tmp/block.build.list
wget -qO- http://www.malwaredomainlist.com/hostslist/hosts.txt|awk -v r="$ENDPOINT_IP4" '{sub(/^127.0.0.1/, r)} $0 ~ "^"r' >> /tmp/block.build.list
wget -qO- "http://hosts-file.net/.\ad_servers.txt"|awk -v r="$ENDPOINT_IP4" '{sub(/^127.0.0.1/, r)} $0 ~ "^"r' >> /tmp/block.build.list
#Add black list, if non-empty
if [ -s "/etc/black.list" ]
then
echo 'Adding blacklist...'
awk -v r="$ENDPOINT_IP4" '/^[^#]/ { print r,$1 }' /etc/black.list >> /tmp/block.build.list
fi
#Sort the download/black lists
awk '{sub(/\r$/,"");print $1,$2}' /tmp/block.build.list|sort -u > /tmp/block.build.before
#Filter (if applicable)
if [ -s "/etc/white.list" ]
then
#Filter the blacklist, supressing whitelist matches
# This is relatively slow =-(
echo 'Filtering white list...'
egrep -v "^[[:space:]]*$" /etc/white.list | awk '/^[^#]/ {sub(/\r$/,"");print $1}' | grep -vf - /tmp/block.build.before > /etc/block.hosts
else
cat /tmp/block.build.before > /etc/block.hosts
fi
if [ "$IPV6" = "Y" ]
then
safe_pattern=$(printf '%s\n' "$ENDPOINT_IP4" | sed 's/[[\.*^$(){}?+|/]/\\&/g')
safe_addition=$(printf '%s\n' "$ENDPOINT_IP6" | sed 's/[\&/]/\\&/g')
echo 'Adding ipv6 support...'
sed -i -re "s/^(${safe_pattern}) (.*)$/\1 \2\n${safe_addition} \2/g" /etc/block.hosts
fi
service dnsmasq restart
exit 0

101
templates/audit.rules.j2
View file

@ -1,101 +0,0 @@
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
#
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
# Record Events That Modify Date and Time Information
{% if ansible_architecture == "x86_64" %}
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
{% endif %}
-a always,exit -F arch=b32 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-w /etc/localtime -p wa -k time-change
# Record Events That Modify User/Group Information
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
# Record Events That Modify the System's Network Environment
{% if ansible_architecture == "x86_64" %}
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
{% endif %}
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network/interfaces -p wa -k system-locale
# Collect Login and Logout Events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
# Collect Session Initiation Information
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
# Collect Discretionary Access Control Permission Modification Events
{% if ansible_architecture == "x86_64" %}
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
{% endif %}
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
# Collect Unsuccessful Unauthorized Access Attempts to Files
{% if ansible_architecture == "x86_64" %}
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
{% endif %}
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
# Collect Use of Privileged Commands
{% if privileged_programs is defined and privileged_programs.stdout_lines|length > 0 %}
{{ privileged_programs.stdout }}
{% endif %}
# Collect Successful File System Mounts
{% if ansible_architecture == "x86_64" %}
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
{% endif %}
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
# Collect File Deletion Events by User
{% if ansible_architecture == "x86_64" %}
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
{% endif %}
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
# Collect Changes to System Administration Scope
-w /etc/sudoers -p wa -k scope
# Collect System Administrator Actions (sudolog)
-w /var/log/sudo.log -p wa -k actions
# Collect Kernel Module Loading and Unloading
{% if ansible_architecture == "x86_64" %}
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
{% endif %}
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-e 2

32
templates/auditd.conf.j2
View file

@ -1,32 +0,0 @@
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 10
max_log_file_action = keep_logs
space_left = 75
space_left_action = email
action_mail_acct = {{ auditd_action_mail_acct }}
admin_space_left = 50
admin_space_left_action = email
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

669
templates/dnsmasq.conf.j2
View file

@ -1,669 +0,0 @@
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
#port=5353
# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.
# Never forward plain names (without a dot or domain part)
#domain-needed
# Never forward addresses in the non-routed address spaces.
#bogus-priv
# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
#dnssec
# Replies which are not DNSSEC signed may be legitimate, because the domain
# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
# check that an unsigned reply is OK, by finding a secure proof that a DS
# record somewhere between the root and the domain does not exist.
# The cost of setting this is that even queries in unsigned domains will need
# one or more extra DNS queries to verify.
#dnssec-check-unsigned
# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k
# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=
# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers to are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
#strict-order
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
#no-resolv
# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll
# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1
# Example of routing PTR queries to nameservers: this will send all
# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
#server=/3.168.192.in-addr.arpa/10.1.2.3
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/
# Add domains which you want to force to an IP address here.
# The example below send any host in double-click.net to a local
# web-server.
#address=/double-click.net/127.0.0.1
# --address (and --server) work with IPv6 addresses too.
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
# Add the IPs of all queries to yahoo.com, google.com, and their
# subdomains to the vpn and search ipsets:
#ipset=/yahoo.com/google.com/vpn,search
# You can control how dnsmasq talks to a server: this forces
# queries to 10.1.2.3 to be routed via eth1
# server=10.1.2.3@eth1
server=8.8.8.8
server=8.8.4.4
# and this sets the source (ie local) address used to talk to
# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
# IP on the machine, obviously).
# server=10.1.2.3@192.168.1.1#55
# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
user=nobody
group=nogroup
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
#interface=lo
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
listen-address=172.16.0.1,127.0.0.1,FCAA::1
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
#no-dhcp-interface=
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
bind-interfaces
# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
addn-hosts=/etc/block.hosts
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
#domain=thekelleys.org.uk
# Set a different domain for a particular subnet
#domain=wireless.thekelleys.org.uk,192.168.2.0/24
# Same idea, but range rather then subnet
#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
#dhcp-range=192.168.0.50,192.168.0.150,12h
# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
# This is an example of a DHCP range which sets a tag, so that
# some DHCP options may be set only for this network.
#dhcp-range=set:red,192.168.0.50,192.168.0.150
# Use this DHCP range only when the tag "green" is set.
#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
# Specify a subnet which can't be used for dynamic address allocation,
# is available for hosts with matching --dhcp-host lines. Note that
# dhcp-host declarations will be ignored unless there is a dhcp-range
# of some type for the subnet in question.
# In this case the netmask is implied (it comes from the network
# configuration on the machine running dnsmasq) it is possible to give
# an explicit netmask instead.
#dhcp-range=192.168.0.0,static
# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing/
#dhcp-range=1234::2, 1234::500, 64, 12h
# Do Router Advertisements, BUT NOT DHCP for this subnet.
#dhcp-range=1234::, ra-only
# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
# hosts. Use the DHCPv4 lease to derive the name, network segment and
# MAC address and assume that the host will also have an
# IPv6 address calculated using the SLAAC alogrithm.
#dhcp-range=1234::, ra-names
# Do Router Advertisements, BUT NOT DHCP for this subnet.
# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
#dhcp-range=1234::, ra-only, 48h
# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
# so that clients can use SLAAC addresses as well as DHCP ones.
#dhcp-range=1234::2, 1234::500, slaac
# Do Router Advertisements and stateless DHCP for this subnet. Clients will
# not get addresses from DHCP, but they will get other configuration information.
# They will use SLAAC for addresses.
#dhcp-range=1234::, ra-stateless
# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
# from DHCPv4 leases.
#dhcp-range=1234::, ra-stateless, ra-names
# Do router advertisements for all subnets where we're doing DHCPv6
# Unless overriden by ra-stateless, ra-names, et al, the router
# advertisements will have the M and O bits set, so that the clients
# get addresses and configuration from DHCPv6, and the A bit reset, so the
# clients don't use SLAAC addresses.
#enable-ra
# Supply parameters for specified hosts using DHCP. There are lots
# of valid alternatives, so we will give examples of each. Note that
# IP addresses DO NOT have to be in the range given above, they just
# need to be on the same network. The order of the parameters in these
# do not matter, it's permissible to give name, address and MAC in any
# order.
# Always allocate the host with Ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.60
#dhcp-host=11:22:33:44:55:66,192.168.0.60
# Always set the name of the host with hardware address
# 11:22:33:44:55:66 to be "fred"
#dhcp-host=11:22:33:44:55:66,fred
# Always give the host with Ethernet address 11:22:33:44:55:66
# the name fred and IP address 192.168.0.60 and lease time 45 minutes
#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
# Give a host with Ethernet address 11:22:33:44:55:66 or
# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
# that these two Ethernet interfaces will never be in use at the same
# time, and give the IP address to the second, even if it is already
# in use by the first. Useful for laptops with wired and wireless
# addresses.
#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
# Give the machine which says its name is "bert" IP address
# 192.168.0.70 and an infinite lease
#dhcp-host=bert,192.168.0.70,infinite
# Always give the host with client identifier 01:02:02:04
# the IP address 192.168.0.60
#dhcp-host=id:01:02:02:04,192.168.0.60
# Always give the Infiniband interface with hardware address
# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
# ip address 192.168.0.61. The client id is derived from the prefix
# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
# hex digits of the hardware address.
#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
# Always give the host with client identifier "marjorie"
# the IP address 192.168.0.60
#dhcp-host=id:marjorie,192.168.0.60
# Enable the address given for "judge" in /etc/hosts
# to be given to a machine presenting the name "judge" when
# it asks for a DHCP lease.
#dhcp-host=judge
# Never offer DHCP service to a machine whose Ethernet
# address is 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,ignore
# Ignore any client-id presented by the machine with Ethernet
# address 11:22:33:44:55:66. This is useful to prevent a machine
# being treated differently when running under different OS's or
# between PXE boot and OS boot.
#dhcp-host=11:22:33:44:55:66,id:*
# Send extra options which are tagged as "red" to
# the machine with Ethernet address 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,set:red
# Send extra options which are tagged as "red" to
# any machine with Ethernet address starting 11:22:33:
#dhcp-host=11:22:33:*:*:*,set:red
# Give a fixed IPv6 address and name to client with
# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
# Note also the they [] around the IPv6 address are obilgatory.
#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
# Ignore any clients which are not specified in dhcp-host lines
# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
# This relies on the special "known" tag which is set when
# a host is matched.
#dhcp-ignore=tag:!known
# Send extra options which are tagged as "red" to any machine whose
# DHCP vendorclass string includes the substring "Linux"
#dhcp-vendorclass=set:red,Linux
# Send extra options which are tagged as "red" to any machine one
# of whose DHCP userclass strings includes the substring "accounts"
#dhcp-userclass=set:red,accounts
# Send extra options which are tagged as "red" to any machine whose
# MAC address matches the pattern.
#dhcp-mac=set:red,00:60:8C:*:*:*
# If this line is uncommented, dnsmasq will read /etc/ethers and act
# on the ethernet-address/IP pairs found there just as if they had
# been given as --dhcp-host options. Useful if you keep
# MAC-address/host mappings there for other purposes.
#read-ethers
# Send options to hosts which ask for a DHCP lease.
# See RFC 2132 for details of available options.
# Common options can be given to dnsmasq by name:
# run "dnsmasq --help dhcp" to get a list.
# Note that all the common settings, such as netmask and
# broadcast address, DNS server and default route, are given
# sane defaults by dnsmasq. You very likely will not need
# any dhcp-options. If you use Windows clients and Samba, there
# are some options which are recommended, they are detailed at the
# end of this section.
# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
#dhcp-option=3,1.2.3.4
# Do the same thing, but using the option name
#dhcp-option=option:router,1.2.3.4
# Override the default route supplied by dnsmasq and send no default
# route at all. Note that this only works for the options sent by
# default (1, 3, 6, 12, 28) the same line will send a zero-length option
# for all other option numbers.
#dhcp-option=3
# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
# Send DHCPv6 option. Note [] around IPv6 addresses.
#dhcp-option=option6:dns-server,[1234::77],[1234::88]
# Send DHCPv6 option for namservers as the machine running
# dnsmasq and another.
#dhcp-option=option6:dns-server,[::],[1234::88]
# Ask client to poll for option changes every six hours. (RFC4242)
#dhcp-option=option6:information-refresh-time,6h
# Set option 58 client renewal time (T1). Defaults to half of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T1:1m
# Set option 59 rebinding time (T2). Defaults to 7/8 of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T2:2m
# Set the NTP time server address to be the same machine as
# is running dnsmasq
#dhcp-option=42,0.0.0.0
# Set the NIS domain name to "welly"
#dhcp-option=40,welly
# Set the default time-to-live to 50
#dhcp-option=23,50
# Set the "all subnets are local" flag
#dhcp-option=27,1
# Send the etherboot magic flag and then etherboot options (a string).
#dhcp-option=128,e4:45:74:68:00:00
#dhcp-option=129,NIC=eepro100
# Specify an option which will only be sent to the "red" network
# (see dhcp-range for the declaration of the "red" network)
# Note that the tag: part must precede the option: part.
#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
# The following DHCP options set up dnsmasq in the same way as is specified
# for the ISC dhcpcd in
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
#dhcp-option=19,0 # option ip-forwarding off
#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
#dhcp-option=46,8 # netbios node type
# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
#dhcp-option=252,"\n"
# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
# probably doesn't support this......
#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
# Send RFC-3442 classless static routes (note the netmask encoding)
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
# Send vendor-class specific options encapsulated in DHCP option 43.
# The meaning of the options is defined by the vendor-class so
# options are sent only when the client supplied vendor class
# matches the class given here. (A substring match is OK, so "MSFT"
# matches "MSFT" and "MSFT 5.0"). This example sets the
# mtftp address to 0.0.0.0 for PXEClients.
#dhcp-option=vendor:PXEClient,1,0.0.0.0
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
#dhcp-option=vendor:MSFT,2,1i
# Send the Encapsulated-vendor-class ID needed by some configurations of
# Etherboot to allow is to recognise the DHCP server.
#dhcp-option=vendor:Etherboot,60,"Etherboot"
# Send options to PXELinux. Note that we need to send the options even
# though they don't appear in the parameter request list, so we need
# to use dhcp-option-force here.
# See http://syslinux.zytor.com/pxe.php#special for details.
# Magic number - needed before anything else is recognised
#dhcp-option-force=208,f1:00:74:7e
# Configuration file name
#dhcp-option-force=209,configs/common
# Path prefix
#dhcp-option-force=210,/tftpboot/pxelinux/files/
# Reboot time. (Note 'i' to send 32-bit value)
#dhcp-option-force=211,30i
# Set the boot filename for netboot/PXE. You will only need
# this is you want to boot machines over the network and you will need
# a TFTP server; either dnsmasq's built in TFTP server or an
# external one. (See below for how to enable the TFTP server.)
#dhcp-boot=pxelinux.0
# The same as above, but use custom tftp-server instead machine running dnsmasq
#dhcp-boot=pxelinux,server.name,192.168.1.100
# Boot for Etherboot gPXE. The idea is to send two different
# filenames, the first loads gPXE, and the second tells gPXE what to
# load. The dhcp-match sets the gpxe tag for requests from gPXE.
#dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
#dhcp-boot=tag:!gpxe,undionly.kpxe
#dhcp-boot=mybootimage
# Encapsulated options for Etherboot gPXE. All the options are
# encapsulated within option 175
#dhcp-option=encap:175, 1, 5b # priority code
#dhcp-option=encap:175, 176, 1b # no-proxydhcp
#dhcp-option=encap:175, 177, string # bus-id
#dhcp-option=encap:175, 189, 1b # BIOS drive code
#dhcp-option=encap:175, 190, user # iSCSI username
#dhcp-option=encap:175, 191, pass # iSCSI password
# Test for the architecture of a netboot client. PXE clients are
# supposed to send their architecture as option 93. (See RFC 4578)
#dhcp-match=peecees, option:client-arch, 0 #x86-32
#dhcp-match=itanics, option:client-arch, 2 #IA64
#dhcp-match=hammers, option:client-arch, 6 #x86-64
#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
# Do real PXE, rather than just booting a single file, this is an
# alternative to dhcp-boot.
#pxe-prompt="What system shall I netboot?"
# or with timeout before first available action is taken:
#pxe-prompt="Press F8 for menu.", 60
# Available boot services. for PXE.
#pxe-service=x86PC, "Boot from local disk"
# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
#pxe-service=x86PC, "Install Linux", pxelinux
# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
# Beware this fails on old PXE ROMS.
#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
# Use bootserver on network, found my multicast or broadcast.
#pxe-service=x86PC, "Install windows from RIS server", 1
# Use bootserver at a known IP address.
#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
# If you have multicast-FTP available,
# information for that can be passed in a similar way using options 1
# to 5. See page 19 of
# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
# Enable dnsmasq's built-in TFTP server
#enable-tftp
# Set the root directory for files available via FTP.
#tftp-root=/var/ftpd
# Do not abort if the tftp-root is unavailable
#tftp-no-fail
# Make the TFTP server more secure: with this set, only files owned by
# the user dnsmasq is running as will be send over the net.
#tftp-secure
# This option stops dnsmasq from negotiating a larger blocksize for TFTP
# transfers. It will slow things down, but may rescue some broken TFTP
# clients.
#tftp-no-blocksize
# Set the boot file name only when the "red" tag is set.
#dhcp-boot=tag:red,pxelinux.red-net
# An example of dhcp-boot with an external TFTP server: the name and IP
# address of the server are given after the filename.
# Can fail with old PXE ROMS. Overridden by --pxe-service.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
# If there are multiple external tftp servers having a same name
# (using /etc/hosts) then that name can be specified as the
# tftp_servername (the third option to dhcp-boot) and in that
# case dnsmasq resolves this name and returns the resultant IP
# addresses in round robin fasion. This facility can be used to
# load balance the tftp load among a set of servers.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
# Set the limit on DHCP leases, the default is 150
#dhcp-lease-max=150
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
#dhcp-authoritative
# Run an executable when a DHCP lease is created or destroyed.
# The arguments sent to the script are "add" or "del",
# then the MAC address, the IP address and finally the hostname
# if there is one.
#dhcp-script=/bin/echo
# Set the cachesize here.
#cache-size=150
# If you want to disable negative caching, uncomment this.
#no-negcache
# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale date, you can set a time-to-live (in
# seconds) here.
#local-ttl=
# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11
# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8
# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0
# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
# Change these lines if you want dnsmasq to serve MX records.
# Return an MX record named "maildomain.com" with target
# servermachine.com and preference 50
#mx-host=maildomain.com,servermachine.com,50
# Set the default target for MX records created using the localmx option.
#mx-target=servermachine.com
# Return an MX record pointing to the mx-target for all local
# machines.
#localmx
# Return an MX record pointing to itself for all local machines.
#selfmx
# Change the following lines if you want dnsmasq to serve SRV
# records. These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# If the domain part if missing from the name (so that is just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389 (using domain=)
#domain=example.com
#srv-host=_ldap._tcp,ldapserver.example.com,389
# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com
# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for PTR records.)
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for TXT records.)
#Example SPF.
#txt-record=example.com,"v=spf1 a -all"
#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4
# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
#cname=bertand,bert
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries
# Log lots of extra information about DHCP transactions.
#log-dhcp
# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
#conf-dir=/etc/dnsmasq.d
# Include all the files in a directory except those ending in .bak
#conf-dir=/etc/dnsmasq.d,.bak
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf
#

198
templates/easy-rsa.vars.j2
View file

@ -1,198 +0,0 @@
# Easy-RSA 3 parameter settings
# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
# this file in place -- instead, you should copy the entire easy-rsa directory
# to another location so future upgrades don't wipe out your changes.
# HOW TO USE THIS FILE
#
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
# this file 'vars' if you want it to be used as a configuration file. If you do
# not, it WILL NOT be automatically read when you call easyrsa commands.
#
# It is not necessary to use this config file unless you wish to change
# operational defaults. These defaults should be fine for many uses without the
# need to copy and edit the 'vars' file.
#
# All of the editable settings are shown commented and start with the command
# 'set_var' -- this means any set_var command that is uncommented has been
# modified by the user. If you're happy with a default, there is no need to
# define the value to its default.
# NOTES FOR WINDOWS USERS
#
# Paths for Windows *MUST* use forward slashes, or optionally double-esscaped
# backslashes (single forward slashes are recommended.) This means your path to
# the openssl binary might look like this:
# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
# A little housekeeping: DON'T EDIT THIS SECTION
#
# Easy-RSA 3.x doesn't source into the environment directly.
# Complain if a user tries to do this:
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
# DO YOUR EDITS BELOW THIS POINT
# This variable should point to the top level of the easy-rsa tree. By default,
# this is taken to be the directory you are currently in.
set_var EASYRSA "{{ easyrsa_dir }}/easyrsa3/"
# If your OpenSSL command is not in the system PATH, you will need to define the
# path to it here. Normally this means a full path to the executable, otherwise
# you could have left it undefined here and the shown default would be used.
#
# Windows users, remember to use paths with forward-slashes (or escaped
# back-slashes.) Windows users should declare the full path to the openssl
# binary here if it is not in their system PATH.
#set_var EASYRSA_OPENSSL "openssl"
#
# This sample is in Windows syntax -- edit it for your path if not using PATH:
#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
# Edit this variable to point to your soon-to-be-created key directory.
#
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
# it correctly! (Interactive mode will prompt before acting.)
set_var EASYRSA_PKI "$EASYRSA/pki"
# Define X509 DN mode.
# This is used to adjust what elements are included in the Subject field as the DN
# (this is the "Distinguished Name.")
# Note that in cn_only mode the Organizational fields further below aren't used.
#
# Choices are:
# cn_only - use just a CN value
# org - use the "traditional" Country/Province/City/Org/OU/email/CN format
set_var EASYRSA_DN "cn_only"
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate. Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
# Choose a size in bits for your keypairs. The recommended value is 2048. Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)
# set_var EASYRSA_KEY_SIZE 2048
# The default crypto mode is rsa; ec can enable elliptic curve support.
# Note that not all software supports ECC, so use care when enabling it.
# Choices for crypto alg are: (each in lower-case)
# * rsa
# * ec
set_var EASYRSA_ALGO ec
# Define the named curve, used in ec mode only:
set_var EASYRSA_CURVE prime256v1
# In how many days should the root CA key expire?
set_var EASYRSA_CA_EXPIRE {{ easyrsa_ca_expire }}
# In how many days should certificates expire?
set_var EASYRSA_CERT_EXPIRE {{ easyrsa_cert_expire }}
# How many days until the next CRL publish date? Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
#set_var EASYRSA_CRL_DAYS 180
# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature. If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no". When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.
#set_var EASYRSA_NS_SUPPORT "no"
# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate"
# A temp file used to stage cert extensions during signing. The default should
# be fine for most users; however, some users might want an alternative under a
# RAM-based FS, such as /dev/shm or /tmp on some systems.
#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
# !!
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
# PLAY WITH THEM AT YOUR OWN RISK
# !!
# Broken shell command aliases: If you have a largely broken shell that is
# missing any of these POSIX-required commands used by Easy-RSA, you will need
# to define an alias to the proper path for the command. The symptom will be
# some form of a 'command not found' error from your shell. This means your
# shell is BROKEN, but you can hack around it here if you really need. These
# shown values are not defaults: it is up to you to know what you're doing if
# you touch these.
#
#alias awk="/alt/bin/awk"
#alias cat="/alt/bin/cat"
# X509 extensions directory:
# If you want to customize the X509 extensions used, set the directory to look
# for extensions here. Each cert type you sign must have a matching filename,
# and an optional file named 'COMMON' is included first when present. Note that
# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
# fallback to $EASYRSA for the 'x509-types' dir. You may override this
# detection with an explicit dir here.
#
#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
# OpenSSL config file:
# If you need to use a specific openssl config file, you can reference it here.
# Normally this file is auto-detected from a file named openssl-1.0.cnf from the
# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
# specific and you cannot just use a standard config file, so this is an
# advanced feature.
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
# Default CN:
# This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves.
set_var EASYRSA_REQ_CN "{{ ansible_ssh_host }}"
# Cryptographic digest to use.
# Do not change this default unless you understand the security implications.
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
#set_var EASYRSA_DIGEST "sha256"
# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
# in batch mode without any user input, confirmation on dangerous operations,
# or most output. Setting this to any non-blank string enables batch mode.
set_var EASYRSA_BATCH "{{ ansible_ssh_host }}"

34
templates/ipsec.conf.j2
View file

@ -1,34 +0,0 @@
config setup
uniqueids = never # allow multiple connections per user
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
conn %default
dpdaction=clear
dpddelay=35s
dpdtimeout=300s
rekey=no
keyexchange=ikev2
ike=aes128gcm16-sha2_256-prfsha256-ecp256!
esp=aes128gcm16-sha2_256-ecp256!
compress=yes
fragmentation=yes
left=%any
leftauth=pubkey
leftid={{ ansible_ssh_host }}
leftcert={{ ansible_ssh_host }}.crt
leftsendcert=always
leftsubnet=0.0.0.0/0,::/0
right=%any
rightauth=pubkey
rightsourceip={{ vpn_network }},{{ vpn_network_ipv6 }}
{% if service_dns is defined and service_dns == "N" %}
rightdns={% for host in dns_servers %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}
{% else %}
rightdns=172.16.0.1
{% endif %}
conn ikev2-pubkey
auto=add

2
templates/ipsec.secrets.j2
View file

@ -1,2 +0,0 @@
: ECDSA {{ ansible_ssh_host }}.key

144
templates/mobileconfig.j2
View file

@ -1,144 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>IKEv2</key>
<dict>
<key>AuthenticationMethod</key>
<string>Certificate</string>
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-128-GCM</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>
<integer>1440</integer>
</dict>
<key>DeadPeerDetectionRate</key>
<string>Medium</string>
<key>DisableMOBIKE</key>
<integer>0</integer>
<key>DisableRedirect</key>
<integer>0</integer>
<key>EnableCertificateRevocationCheck</key>
<integer>0</integer>
<key>EnablePFS</key>
<true/>
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>19</integer>
<key>EncryptionAlgorithm</key>
<string>AES-128-GCM</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-256</string>
<key>LifeTimeInMinutes</key>
<integer>1440</integer>
</dict>
<key>LocalIdentifier</key>
<string>{{ item.0 }}</string>
<key>PayloadCertificateUUID</key>
<string>1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
<key>CertificateType</key>
<string>ECDSA256</string>
<key>ServerCertificateIssuerCommonName</key>
<string>{{ ansible_ssh_host }}</string>
<key>RemoteAddress</key>
<string>{{ ansible_ssh_host }}</string>
<key>RemoteIdentifier</key>
<string>{{ ansible_ssh_host }}</string>
<key>UseConfigurationAttributeInternalIPSubnet</key>
<integer>0</integer>
</dict>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>1</integer>
</dict>
<key>PayloadDescription</key>
<string>Configures VPN settings</string>
<key>PayloadDisplayName</key>
<string>VPN</string>
<key>PayloadIdentifier</key>
<string>com.apple.vpn.managed.D247A30B-6023-4C8E-B3E3-FF1910A65E53</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>D247A30B-6023-4C8E-B3E3-FF1910A65E53</string>
<key>PayloadVersion</key>
<real>1</real>
<key>Proxies</key>
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
</dict>
<key>UserDefinedName</key>
<string>{{ ansible_ssh_host }} IKEv2</string>
<key>VPNType</key>
<string>IKEv2</string>
</dict>
<dict>
<key>Password</key>
<string>{{ easyrsa_p12_export_password }}</string>
<key>PayloadCertificateFileName</key>
<string>{{ item.0 }}.p12</string>
<key>PayloadContent</key>
<data>
{{ item.1.stdout }}
</data>
<key>PayloadDescription</key>
<string>Adds a PKCS#12-formatted certificate</string>
<key>PayloadDisplayName</key>
<string>{{ item.0 }}.p12</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.pkcs12.1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key>
<string>1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
<dict>
<key>PayloadCertificateFileName</key>
<string>ca.crt</string>
<key>PayloadContent</key>
<data>
{{ PayloadContentCA.stdout }}
</data>
<key>PayloadDescription</key>
<string>Adds a CA root certificate</string>
<key>PayloadDisplayName</key>
<string>{{ ansible_ssh_host }}</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38</string>
<key>PayloadType</key>
<string>com.apple.security.root</string>
<key>PayloadUUID</key>
<string>32EA3AAA-D19E-43EF-B357-608218745A38</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>{{ ansible_ssh_host }} IKEv2</string>
<key>PayloadIdentifier</key>
<string>donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>743B04A8-5725-45A2-B1BB-836F8C16DB0A</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

369
templates/pagespeed.conf.j2
View file

@ -1,369 +0,0 @@
<IfModule pagespeed_module>
# Turn on mod_pagespeed. To completely disable mod_pagespeed, you
# can set this to "off".
ModPagespeed on
# We want VHosts to inherit global configuration.
# If this is not included, they'll be independent (except for inherently
# global options), at least for backwards compatibility.
ModPagespeedInheritVHostConfig on
# Direct Apache to send all HTML output to the mod_pagespeed
# output handler.
AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text/html
# If you want mod_pagespeed process XHTML as well, please uncomment this
# line.
# AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER application/xhtml+xml
# The ModPagespeedFileCachePath directory must exist and be writable
# by the apache user (as specified by the User directive).
ModPagespeedFileCachePath "/var/cache/mod_pagespeed/"
# LogDir is needed to store various logs, including the statistics log
# required for the console.
ModPagespeedLogDir "/var/log/pagespeed"
# The locations of SSL Certificates is distribution-dependent.
ModPagespeedSslCertDirectory "/etc/ssl/certs"
# If you want, you can use one or more memcached servers as the store for
# the mod_pagespeed cache.
# ModPagespeedMemcachedServers localhost:11211
# A portion of the cache can be kept in memory only, to reduce load on disk
# (or memcached) from many small files.
# ModPagespeedCreateSharedMemoryMetadataCache "/var/cache/mod_pagespeed/" 51200
# Override the mod_pagespeed 'rewrite level'. The default level
# "CoreFilters" uses a set of rewrite filters that are generally
# safe for most web pages. Most sites should not need to change
# this value and can instead fine-tune the configuration using the
# ModPagespeedDisableFilters and ModPagespeedEnableFilters
# directives, below. Valid values for ModPagespeedRewriteLevel are
# PassThrough, CoreFilters and TestingCoreFilters.
#
ModPagespeedRewriteLevel CoreFilters
ModPagespeedEnableFilters combine_heads
ModPagespeedEnableFilters combine_javascript
ModPagespeedEnableFilters convert_jpeg_to_webp
ModPagespeedEnableFilters convert_png_to_jpeg
ModPagespeedEnableFilters inline_preview_images
ModPagespeedEnableFilters make_google_analytics_async
ModPagespeedEnableFilters move_css_above_scripts
ModPagespeedEnableFilters move_css_to_head
ModPagespeedEnableFilters resize_mobile_images
ModPagespeedEnableFilters sprite_images
ModPagespeedEnableFilters defer_iframe
ModPagespeedEnableFilters defer_javascript
ModPagespeedEnableFilters lazyload_images
# Explicitly disables specific filters. This is useful in
# conjuction with ModPagespeedRewriteLevel. For instance, if one
# of the filters in the CoreFilters needs to be disabled for a
# site, that filter can be added to
# ModPagespeedDisableFilters. This directive contains a
# comma-separated list of filter names, and can be repeated.
#
# ModPagespeedDisableFilters rewrite_images
# Explicitly enables specific filters. This is useful in
# conjuction with ModPagespeedRewriteLevel. For instance, filters
# not included in the CoreFilters may be enabled using this
# directive. This directive contains a comma-separated list of
# filter names, and can be repeated.
#
# ModPagespeedEnableFilters rewrite_javascript,rewrite_css
# ModPagespeedEnableFilters collapse_whitespace,elide_attributes
# Explicitly forbids the enabling of specific filters using either query
# parameters or request headers. This is useful, for example, when we do
# not want the filter to run for performance or security reasons. This
# directive contains a comma-separated list of filter names, and can be
# repeated.
#
# ModPagespeedForbidFilters rewrite_images
# How long mod_pagespeed will wait to return an optimized resource
# (per flush window) on first request before giving up and returning the
# original (unoptimized) resource. After this deadline is exceeded the
# original resource is returned and the optimization is pushed to the
# background to be completed for future requests. Increasing this value will
# increase page latency, but might reduce load time (for instance on a
# bandwidth-constrained link where it's worth waiting for image
# compression to complete). If the value is less than or equal to zero
# mod_pagespeed will wait indefinitely for the rewrite to complete before
# returning.
#
# ModPagespeedRewriteDeadlinePerFlushMs 10
# ModPagespeedDomain
# authorizes rewriting of JS, CSS, and Image files found in this
# domain. By default only resources with the same origin as the
# HTML file are rewritten. For example:
#
ModPagespeedDomain *
#
# This will allow resources found on http://cdn.myhost.com to be
# rewritten in addition to those in the same domain as the HTML.
#
# Other domain-related directives (like ModPagespeedMapRewriteDomain
# and ModPagespeedMapOriginDomain) can also authorize domains.
#
# Wildcards (* and ?) are allowed in the domain specification. Be
# careful when using them as if you rewrite domains that do not
# send you traffic, then the site receiving the traffic will not
# know how to serve the rewritten content.
# If you use downstream caches such as varnish or proxy_cache for caching
# HTML, you can configure pagespeed to work with these caches correctly
# using the following directives. Note that the values for
# ModPagespeedDownstreamCachePurgeLocationPrefix and
# ModPagespeedDownstreamCacheRebeaconingKey are deliberately left empty here
# in order to force the webmaster to choose appropriate value for these.
#
# ModPagespeedDownstreamCachePurgeLocationPrefix
# ModPagespeedDownstreamCachePurgeMethod PURGE
# ModPagespeedDownstreamCacheRewrittenPercentageThreshold 95
# ModPagespeedDownstreamCacheRebeaconingKey
# Other defaults (cache sizes and thresholds):
#
# ModPagespeedFileCacheSizeKb 102400
# ModPagespeedFileCacheCleanIntervalMs 3600000
# ModPagespeedLRUCacheKbPerProcess 1024
# ModPagespeedLRUCacheByteLimit 16384
# ModPagespeedCssFlattenMaxBytes 102400
# ModPagespeedCssInlineMaxBytes 2048
# ModPagespeedCssImageInlineMaxBytes 0
# ModPagespeedImageInlineMaxBytes 3072
# ModPagespeedJsInlineMaxBytes 2048
# ModPagespeedCssOutlineMinBytes 3000
# ModPagespeedJsOutlineMinBytes 3000
# ModPagespeedMaxCombinedCssBytes -1
# ModPagespeedMaxCombinedJsBytes 92160
# Limit the number of inodes in the file cache. Set to 0 for no limit.
# The default value if this paramater is not specified is 0 (no limit).
ModPagespeedFileCacheInodeLimit 500000
# Bound the number of images that can be rewritten at any one time; this
# avoids overloading the CPU. Set this to 0 to remove the bound.
#
# ModPagespeedImageMaxRewritesAtOnce 8
# You can also customize the number of threads per Apache process
# mod_pagespeed will use to do resource optimization. Plain
# "rewrite threads" are used to do short, latency-sensitive work,
# while "expensive rewrite threads" are used for actual optimization
# work that's more computationally expensive. If you live these unset,
# or use values <= 0 the defaults will be used, which is 1 for both
# values when using non-threaded MPMs (e.g. prefork) and 4 for both
# on threaded MPMs (e.g. worker and event). These settings can only
# be changed globally, and not per virtual host.
#
# ModPagespeedNumRewriteThreads 4
# ModPagespeedNumExpensiveRewriteThreads 4
# Randomly drop rewrites (*) to increase the chance of optimizing
# frequently fetched resources and decrease the chance of optimizing
# infrequently fetched resources. This can reduce CPU load. The default
# value of this parameter is 0 (no drops). 90 means that a resourced
# fetched once has a 10% probability of being optimized while a resource
# that is fetched 50 times has a 99.65% probability of being optimized.
#
# (*) Currently only CSS files and images are randomly dropped. Images
# within CSS files are not randomly dropped.
#
# ModPagespeedRewriteRandomDropPercentage 90
# Many filters modify the URLs of resources in HTML files. This is typically
# harmless but pages whose Javascript expects to read or modify the original
# URLs may break. The following parameters prevent filters from modifying
# URLs of their respective types.
#
# ModPagespeedJsPreserveURLs on
# ModPagespeedImagePreserveURLs on
# ModPagespeedCssPreserveURLs on
# When PreserveURLs is on, it is still possible to enable browser-specific
# optimizations (for example, webp images can be served to browsers that
# will accept them). They'll be served with Vary: Accept or Vary:
# User-Agent headers as appropriate. Note that this may require configuring
# reverse proxy caches such as varnish to handle these headers properly.
#
# ModPagespeedFilters in_place_optimize_for_browser
# Internet Explorer has difficulty caching resources with Vary: headers.
# They will either be uncached (older IE) or require revalidation. See:
# http://blogs.msdn.com/b/ieinternals/archive/2009/06/17/vary-header-prevents-caching-in-ie.aspx
# As a result we serve them as Cache-Control: private instead by default.
# If you are using a reverse proxy or CDN configured to cache content with
# the Vary: Accept header you should turn this setting off.
#
# ModPagespeedPrivateNotVaryForIE on
# Settings for image optimization:
#
# Lossy image recompression quality (0 to 100, -1 just strips metadata):
# ModPagespeedImageRecompressionQuality 85
#
# Jpeg recompression quality (0 to 100, -1 uses ImageRecompressionQuality):
# ModPagespeedJpegRecompressionQuality -1
# ModPagespeedJpegRecompressionQualityForSmallScreens 70
ModPagespeedJpegRecompressionQuality 75
#
# WebP recompression quality (0 to 100, -1 uses ImageRecompressionQuality):
# ModPagespeedWebpRecompressionQuality 80
# ModPagespeedWebpRecompressionQualityForSmallScreens 70
#
# Timeout for conversions to WebP format, in
# milliseconds. Negative values mean no timeout is applied. The
# default value is -1:
# ModPagespeedWebpTimeoutMs 5000
#
# Percent of original image size below which optimized images are retained:
# ModPagespeedImageLimitOptimizedPercent 100
#
# Percent of original image area below which image resizing will be
# attempted:
# ModPagespeedImageLimitResizeAreaPercent 100
# Settings for inline preview images
#
# Setting this to n restricts preview images to the first n images found on
# the page. The default of -1 means preview images can appear anywhere on
# the page (if those images appear above the fold).
# ModPagespeedMaxInlinedPreviewImagesIndex -1
# Sets the minimum size in bytes of any image for which a low quality image
# is generated.
# ModPagespeedMinImageSizeLowResolutionBytes 3072
# The maximum URL size is generally limited to about 2k characters
# due to IE: See http://support.microsoft.com/kb/208427/EN-US.
# Apache servers by default impose a further limitation of about
# 250 characters per URL segment (text between slashes).
# mod_pagespeed circumvents this limitation, but if you employ
# proxy servers in your path you may need to re-impose it by
# overriding the setting here. The default setting is 1024
# characters.
#
# ModPagespeedMaxSegmentLength 250
# Uncomment this if you want to prevent mod_pagespeed from combining files
# (e.g. CSS files) across paths
#
# ModPagespeedCombineAcrossPaths off
# Renaming JavaScript URLs can sometimes break them. With this
# option enabled, mod_pagespeed uses a simple heuristic to decide
# not to rename JavaScript that it thinks is introspective.
#
# You can uncomment this to let mod_pagespeed rename all JS files.
#
# ModPagespeedAvoidRenamingIntrospectiveJavascript off
# Certain common JavaScript libraries are available from Google, which acts
# as a CDN and allows you to benefit from browser caching if a new visitor
# to your site previously visited another site that makes use of the same
# libraries as you do. Enable the following filter to turn on this feature.
#
# ModPagespeedEnableFilters canonicalize_javascript_libraries
# The following line configures a library that is recognized by
# canonicalize_javascript_libraries. This will have no effect unless you
# enable this filter (generally by uncommenting the last line in the
# previous stanza). The format is:
# ModPagespeedLibrary bytes md5 canonical_url
# Where bytes and md5 are with respect to the *minified* JS; use
# js_minify --print_size_and_hash to obtain this data.
# Note that we can register multiple hashes for the same canonical url;
# we do this if there are versions available that have already been minified
# with more sophisticated tools.
#
# Additional library configuration can be found in
# pagespeed_libraries.conf included in the distribution. You should add
# new entries here, though, so that file can be automatically upgraded.
# ModPagespeedLibrary 43 1o978_K0_LNE5_ystNklf http://www.modpagespeed.com/rewrite_javascript.js
# Explicitly tell mod_pagespeed to load some resources from disk.
# This will speed up load time and update frequency.
#
# This should only be used for static resources which do not need
# specific headers set or other processing by Apache.
#
# Both URL and filesystem path should specify directories and
# filesystem path must be absolute (for now).
#
# ModPagespeedLoadFromFile "http://example.com/static/" "/var/www/static/"
# Enables server-side instrumentation and statistics. If this rewriter is
# enabled, then each rewritten HTML page will have instrumentation javacript
# added that sends latency beacons to /mod_pagespeed_beacon. These
# statistics can be accessed at /mod_pagespeed_statistics. You must also
# enable the mod_pagespeed_statistics and mod_pagespeed_beacon handlers
# below.
#
# ModPagespeedEnableFilters add_instrumentation
# The add_instrumentation filter sends a beacon after the page onload
# handler is called. The user might navigate to a new URL before this. If
# you enable the following directive, the beacon is sent as part of an
# onbeforeunload handler, for pages where navigation happens before the
# onload event.
#
# ModPagespeedReportUnloadTime on
# Uncomment the following line so that ModPagespeed will not cache or
# rewrite resources with Vary: in the header, e.g. Vary: User-Agent.
# Note that ModPagespeed always respects Vary: headers on html content.
# ModPagespeedRespectVary on
# Uncomment the following line if you want to disable statistics entirely.
#
# ModPagespeedStatistics off
# These handlers are central entry-points into the admin pages.
# By default, pagespeed_admin and pagespeed_global_admin present
# the same data, and differ only when
# ModPagespeedUsePerVHostStatistics is enabled. In that case,
# /pagespeed_global_admin sees aggregated data across all vhosts,
# and the /pagespeed_admin sees data only for a particular vhost.
#
# You may insert other "Allow from" lines to add hosts you want to
# allow to look at generated statistics. Another possibility is
# to comment out the "Order" and "Allow" options from the config
# file, to allow any client that can reach your server to access
# and change server state, such as statistics, caches, and
# messages. This might be appropriate in an experimental setup.
<Location /pagespeed_admin>
Order allow,deny
Allow from localhost
Allow from 127.0.0.1
SetHandler pagespeed_admin
</Location>
<Location /pagespeed_global_admin>
Order allow,deny
Allow from localhost
Allow from 127.0.0.1
SetHandler pagespeed_global_admin
</Location>
# Enable logging of mod_pagespeed statistics, needed for the console.
ModPagespeedStatisticsLogging on
# Page /mod_pagespeed_message lets you view the latest messages from
# mod_pagespeed, regardless of log-level in your httpd.conf
# ModPagespeedMessageBufferSize is the maximum number of bytes you would
# like to dump to your /mod_pagespeed_message page at one time,
# its default value is 100k bytes.
# Set it to 0 if you want to disable this feature.
ModPagespeedMessageBufferSize 100000
</IfModule>

13
templates/ports.conf.j2
View file

@ -1,13 +0,0 @@
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 172.16.0.1:8080
<IfModule ssl_module>
Listen 172.16.0.1:443
</IfModule>
<IfModule mod_gnutls.c>
Listen 172.16.0.1:443
</IfModule>

2107
templates/privoxy_config.j2
View file

File diff suppressed because it is too large Load diff

61
templates/rsyslog.conf.j2
View file

@ -1,61 +0,0 @@
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# Enable non-kernel facility klog messages
$KLogPermitNonKernelFacility on
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

68
templates/usr.sbin.dnsmasq.j2
View file

@ -1,68 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2009 John Dong <jdong@ubuntu.com>
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
@{TFTP_DIR}=/var/tftp /srv/tftpboot
#include <tunables/global>
/usr/sbin/dnsmasq {
#include <abstractions/base>
#include <abstractions/dbus>
#include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability dac_override,
capability net_admin, # for DHCP server
capability net_raw, # for DHCP server ping checks
network inet raw,
signal (receive) peer=/usr/sbin/libvirtd,
ptrace (readby) peer=/usr/sbin/libvirtd,
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
/etc/dnsmasq.d/* r,
/etc/ethers r,
/etc/NetworkManager/dnsmasq.d/ r,
/etc/NetworkManager/dnsmasq.d/* r,
/etc/block.hosts r,
/usr/sbin/dnsmasq mr,
/{,var/}run/*dnsmasq*.pid w,
/{,var/}run/dnsmasq-forwarders.conf r,
/{,var/}run/dnsmasq/ r,
/{,var/}run/dnsmasq/* rw,
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
# for the read-only TFTP server
@{TFTP_DIR}/ r,
@{TFTP_DIR}/** r,
# libvirt config, lease and hosts files for dnsmasq
/var/lib/libvirt/dnsmasq/ r,
/var/lib/libvirt/dnsmasq/* r,
/var/lib/libvirt/dnsmasq/*.leases rw,
# libvirt pid files for dnsmasq
/{,var/}run/libvirt/network/ r,
/{,var/}run/libvirt/network/*.pid rw,
# NetworkManager integration
/{,var/}run/nm-dns-dnsmasq.conf r,
/{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,
/{,var/}run/NetworkManager/dnsmasq.conf r,
/{,var/}run/NetworkManager/dnsmasq.pid w,
}

15
templates/usr.sbin.privoxy.j2
View file

@ -1,15 +0,0 @@
#include <tunables/global>
/usr/sbin/privoxy {
#include <abstractions/apache2-common>
#include <abstractions/base>
capability setgid,
capability setuid,
/etc/privoxy/* r,
/etc/privoxy/templates/* r,
/run/privoxy.pid w,
/var/log/privoxy/logfile w,
}

2
users.yml
View file

@ -82,7 +82,7 @@
register: PayloadContentCA
- name: Build the mobileconfigs
template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
with_together:
- "{{ users }}"
- "{{ PayloadContent.results }}"