diff --git a/.yamllint b/.yamllint
index 523a0ece..ee7463e6 100644
--- a/.yamllint
+++ b/.yamllint
@@ -17,6 +17,10 @@ rules: level: warning comments: min-spaces-from-content: 1 + comments-indentation: false + octal-values: + forbid-implicit-octal: true + forbid-explicit-octal: true braces: max-spaces-inside: 1 truthy:
diff --git a/algo.egg-info/PKG-INFO b/algo.egg-info/PKG-INFO
index f566afd0..c629f176 100644
--- a/algo.egg-info/PKG-INFO
+++ b/algo.egg-info/PKG-INFO
@@ -4,7 +4,7 @@ Version: 2.0.0b0 Summary: Set up a personal IPSEC VPN in the cloud Requires-Python: >=3.11 License-File: LICENSE -Requires-Dist: ansible==11.8.0 +Requires-Dist: ansible==11.9.0 Requires-Dist: jinja2>=3.1.6 Requires-Dist: netaddr==1.3.0 Requires-Dist: pyyaml>=6.0.2
diff --git a/algo.egg-info/requires.txt b/algo.egg-info/requires.txt
index 876f5268..1490b2af 100644
--- a/algo.egg-info/requires.txt
+++ b/algo.egg-info/requires.txt
@@ -1,4 +1,4 @@ -ansible==11.8.0 +ansible==11.9.0 jinja2>=3.1.6 netaddr==1.3.0 pyyaml>=6.0.2
diff --git a/roles/client/tasks/main.yml b/roles/client/tasks/main.yml
index 098da975..85d247d3 100644
--- a/roles/client/tasks/main.yml
+++ b/roles/client/tasks/main.yml
@@ -45,11 +45,14 @@ dest: "{{ item.dest }}" line: "{{ item.line }}" create: true + mode: "{{ item.mode }}" with_items: - dest: "{{ configs_prefix }}/ipsec.conf" line: include ipsec.{{ IP_subject_alt_name }}.conf + mode: '0644' - dest: "{{ configs_prefix }}/ipsec.secrets" line: include ipsec.{{ IP_subject_alt_name }}.secrets + mode: '0600' notify: - restart strongswan
@@ -59,18 +62,22 @@ dest: "{{ configs_prefix }}/strongswan.d/relax-ca-constraints.conf" owner: root group: root - mode: 0644 + mode: '0644' - name: Setup the certificates and keys template: src: "{{ item.src }}" dest: "{{ item.dest }}" + mode: "{{ item.mode }}" with_items: - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt" + mode: '0644' - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem" + mode: '0644' - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key" + mode: '0600' notify: - restart strongswan
diff --git a/roles/common/tasks/aip/digitalocean.yml b/roles/common/tasks/aip/digitalocean.yml
index bc016305..bedf60d2 100644
--- a/roles/common/tasks/aip/digitalocean.yml
+++ b/roles/common/tasks/aip/digitalocean.yml
@@ -16,6 +16,7 @@ template: src: 99-algo-ipv6-egress.yaml.j2 dest: /etc/netplan/99-algo-ipv6-egress.yaml + mode: '0644' when: - ipv6_support - ipv6_subnet_size|int > 1
diff --git a/roles/common/tasks/iptables.yml b/roles/common/tasks/iptables.yml
index 463dc381..ddf801c4 100644
--- a/roles/common/tasks/iptables.yml
+++ b/roles/common/tasks/iptables.yml
@@ -5,7 +5,7 @@ dest: "{{ item.dest }}" owner: root group: root - mode: 0640 + mode: '0640' with_items: - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 } notify:
@@ -17,7 +17,7 @@ dest: "{{ item.dest }}" owner: root group: root - mode: 0640 + mode: '0640' when: ipv6_support with_items: - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml
index b5a919ac..bc53075d 100644
--- a/roles/common/tasks/ubuntu.yml
+++ b/roles/common/tasks/ubuntu.yml
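Review bot: The `mode: '0644'` added to the netplan template task in roles/common/tasks/aip/digitalocean.yml makes `/etc/netplan/99-algo-ipv6-egress.yaml` world-readable, and as far as I recall recent netplan releases (the ones shipped with Ubuntu 23.10 and later) log a "permissions are too open" warning for any file under /etc/netplan that others can read, and the distro now creates its own files there as 0600. Since the file is only consumed by netplan running as root, `mode: '0600'` would satisfy that check without any functional loss. The rest of the task (`owner`/`group`, if any) is outside the hunk, so I cannot tell whether ownership is pinned to root as well.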
@@ -77,6 +77,7 @@ section: Resolve option: FallbackDNS value: "{{ dns_servers.ipv4 | join(' ') }}" + mode: '0644' notify: - restart systemd-resolved
@@ -84,6 +85,7 @@ template: src: 10-algo-lo100.network.j2 dest: /etc/systemd/network/10-algo-lo100.network + mode: '0644' notify: - restart systemd-networkd
diff --git a/roles/common/tasks/unattended-upgrades.yml b/roles/common/tasks/unattended-upgrades.yml
index da7c2fb2..3ffe32cf 100644
--- a/roles/common/tasks/unattended-upgrades.yml
+++ b/roles/common/tasks/unattended-upgrades.yml
@@ -10,7 +10,7 @@ dest: /etc/apt/apt.conf.d/50unattended-upgrades owner: root group: root - mode: 0644 + mode: '0644' - name: Periodic upgrades configured template:
@@ -18,4 +18,4 @@ dest: /etc/apt/apt.conf.d/10periodic owner: root group: root - mode: 0644 + mode: '0644'
diff --git a/roles/dns/tasks/dns_adblocking.yml b/roles/dns/tasks/dns_adblocking.yml
index ec2271a5..d0a85ad9 100644
--- a/roles/dns/tasks/dns_adblocking.yml
+++ b/roles/dns/tasks/dns_adblocking.yml
@@ -5,7 +5,7 @@ dest: /usr/local/sbin/adblock.sh owner: root group: "{{ root_group | default('root') }}" - mode: 0755 + mode: '0755' - name: Adblock script added to cron cron:
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index f845a382..724db679 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -8,6 +8,7 @@ template: src: ip-blacklist.txt.j2 dest: "{{ config_prefix | default('/') }}etc/dnscrypt-proxy/ip-blacklist.txt" + mode: '0644' notify: - restart dnscrypt-proxy
@@ -15,6 +16,7 @@ template: src: dnscrypt-proxy.toml.j2 dest: "{{ config_prefix | default('/') }}etc/dnscrypt-proxy/dnscrypt-proxy.toml" + mode: '0644' notify: - restart dnscrypt-proxy
diff --git a/roles/dns/tasks/ubuntu.yml b/roles/dns/tasks/ubuntu.yml
index f54f643b..c9c23400 100644
--- a/roles/dns/tasks/ubuntu.yml
+++ b/roles/dns/tasks/ubuntu.yml
@@ -16,7 +16,7 @@ dest: /etc/apt/apt.conf.d/50-dnscrypt-proxy-unattended-upgrades owner: root group: root - mode: 0644 + mode: '0644' when: ansible_facts['distribution_version'] is version('20.04', '<') - name: Install dnscrypt-proxy (individual)
@@ -33,7 +33,7 @@ dest: /etc/apparmor.d/usr.bin.dnscrypt-proxy owner: root group: root - mode: 0600 + mode: '0600' notify: restart dnscrypt-proxy - name: Ubuntu | Enforce the dnscrypt-proxy AppArmor policy
@@ -46,13 +46,14 @@ file: path: /etc/systemd/system/dnscrypt-proxy.service.d/ state: directory - mode: 0755 + mode: '0755' owner: root group: root - name: Ubuntu | Add custom requirements to successfully start the unit copy: dest: /etc/systemd/system/dnscrypt-proxy.service.d/99-algo.conf + mode: '0644' content: | [Unit] After=systemd-resolved.service
@@ -93,7 +94,7 @@ SystemCallErrorNumber=EPERM owner: root group: root - mode: 0644 + mode: '0644' notify: - daemon-reload - restart dnscrypt-proxy
diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml
index bb6bf26d..a462346f 100644
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@@ -23,7 +23,7 @@ file: path: /var/jail/ state: directory - mode: 0755 + mode: '0755' owner: root group: "{{ root_group | default('root') }}"
@@ -87,7 +87,7 @@ template: src: ssh_config.j2 dest: "{{ ssh_tunnels_config_path }}/{{ item }}.ssh_config" - mode: 0700 + mode: '0700' with_items: "{{ users }}" delegate_to: localhost become: false
diff --git a/roles/strongswan/tasks/client_configs.yml b/roles/strongswan/tasks/client_configs.yml
index 08e51429..a596f756 100644
--- a/roles/strongswan/tasks/client_configs.yml
+++ b/roles/strongswan/tasks/client_configs.yml
@@ -19,7 +19,7 @@ template: src: mobileconfig.j2 dest: "{{ ipsec_config_path }}/apple/{{ item.0 }}.mobileconfig" - mode: 0600 + mode: '0600' with_together: - "{{ users }}" - "{{ PayloadContent.results }}"
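Review bot: In roles/dns/tasks/ubuntu.yml the `mode: '0644'` inserted before `content:` in the "Add custom requirements to successfully start the unit" copy task appears to duplicate a `mode` key that task already has: the following hunk (old line 93) rewrites `mode: 0644` to `mode: '0644'` immediately after `SystemCallErrorNumber=EPERM`, which reads like the tail of that same drop-in's content block followed by its `owner`/`group`/`mode`/`notify` keys. If that is the same mapping, the task now carries `mode` twice; Ansible keeps the last value with a duplicate-key warning, and yamllint's `key-duplicates` check fails, which works against the lint cleanup this commit is doing. Dropping the newly added line and keeping the existing (now quoted) one after the content block gives the same result without the duplicate. The content block between the two hunks is outside the diff, so please confirm against the full task.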
@@ -29,7 +29,7 @@ template: src: client_ipsec.conf.j2 dest: "{{ ipsec_config_path }}/manual/{{ item }}.conf" - mode: 0600 + mode: '0600' with_items: - "{{ users }}"
@@ -38,7 +38,7 @@ template: src: client_ipsec.secrets.j2 dest: "{{ ipsec_config_path }}/manual/{{ item }}.secrets" - mode: 0600 + mode: '0600' with_items: - "{{ users }}"
@@ -46,4 +46,4 @@ file: path: "{{ ipsec_config_path }}" state: directory - mode: 0700 + mode: '0700'
diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml
index 8c5c0267..79782b32 100644
--- a/roles/strongswan/tasks/openssl.yml
+++ b/roles/strongswan/tasks/openssl.yml
@@ -98,6 +98,7 @@ copy: src: "{{ ipsec_pki_path }}/cacert.pem" dest: "{{ ipsec_config_path }}/manual/cacert.pem" + mode: '0644' - name: Create private keys for users and server community.crypto.openssl_privatekey:
@@ -213,6 +214,7 @@ copy: src: "{{ ipsec_pki_path }}/private/{{ item }}.p12" dest: "{{ ipsec_config_path }}/manual/{{ item }}.p12" + mode: '0600' with_items: - "{{ users }}"
@@ -227,6 +229,7 @@ ansible.builtin.lineinfile: path: "{{ ipsec_pki_path }}/all-users" line: "{{ item }}" + mode: '0644' create: true with_items: "{{ users }}" register: users_file
@@ -277,5 +280,6 @@ copy: src: "{{ ipsec_pki_path }}/crl.pem" dest: "{{ config_prefix | default('/') }}etc/ipsec.d/crls/algo.root.pem" + mode: '0644' notify: - rereadcrls
diff --git a/roles/strongswan/tasks/ubuntu.yml b/roles/strongswan/tasks/ubuntu.yml
index b17b3a0b..92601905 100644
--- a/roles/strongswan/tasks/ubuntu.yml
+++ b/roles/strongswan/tasks/ubuntu.yml
@@ -25,7 +25,7 @@ content: " capability setpcap," owner: root group: root - mode: 0644 + mode: '0644' notify: restart strongswan - name: Ubuntu | Enforcing ipsec with apparmor
@@ -49,7 +49,7 @@ file: path: /etc/systemd/system/{{ strongswan_service }}.service.d/ state: directory - mode: 0755 + mode: '0755' owner: root group: root
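Review bot: In the `all-users` lineinfile task of roles/strongswan/tasks/openssl.yml (old line 227) the new `mode: '0644'` is wedged between `line:` and `create: true`, whereas the equivalent lineinfile task in roles/client/tasks/main.yml in this same commit puts `mode` after `create: true`. Moving the key below `create: true` keeps the two tasks reading the same way and keeps the module's path/line/create trio together; the parse result is identical either way.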
@@ -57,6 +57,7 @@ template: src: 100-CustomLimitations.conf.j2 dest: /etc/systemd/system/{{ strongswan_service }}.service.d/100-CustomLimitations.conf + mode: '0644' notify: - daemon-reload - restart strongswan
diff --git a/roles/wireguard/files/wireguard.sh b/roles/wireguard/files/wireguard.sh
index aefd44c5..a7d97184 100644
--- a/roles/wireguard/files/wireguard.sh
+++ b/roles/wireguard/files/wireguard.sh
@@ -5,14 +5,19 @@ # BEFORE: securelevel # KEYWORD: shutdown +# shellcheck source=/dev/null . /etc/rc.subr name="wg" +# shellcheck disable=SC2034 rcvar=wg_enable command="/usr/local/bin/wg-quick" +# shellcheck disable=SC2034 start_cmd=wg_up +# shellcheck disable=SC2034 stop_cmd=wg_down +# shellcheck disable=SC2034 status_cmd=wg_status pidfile="/var/run/$name.pid" load_rc_config "$name"
diff --git a/roles/wireguard/tasks/keys.yml b/roles/wireguard/tasks/keys.yml
index 0f7aa23f..74f380e9 100644
--- a/roles/wireguard/tasks/keys.yml
+++ b/roles/wireguard/tasks/keys.yml
@@ -47,3 +47,12 @@ - "{{ users }}" - "{{ IP_subject_alt_name }}" no_log: true + +- name: Set permissions for public keys + file: + path: "{{ wireguard_pki_path }}/public/{{ item }}" + mode: '0644' + with_items: + - "{{ users }}" + - "{{ IP_subject_alt_name }}" + no_log: true
diff --git a/roles/wireguard/tasks/ubuntu.yml b/roles/wireguard/tasks/ubuntu.yml
index 63d61d41..4051d1e9 100644
--- a/roles/wireguard/tasks/ubuntu.yml
+++ b/roles/wireguard/tasks/ubuntu.yml
@@ -15,7 +15,7 @@ file: path: /etc/systemd/system/wg-quick@{{ wireguard_interface }}.service.d/ state: directory - mode: 0755 + mode: '0755' owner: root group: root
@@ -48,7 +48,7 @@ SystemCallErrorNumber=EPERM owner: root group: root - mode: 0644 + mode: '0644' notify: - daemon-reload - restart wireguard
diff --git a/server.yml b/server.yml
index 1045f749..83c60614 100644
--- a/server.yml
+++ b/server.yml
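Review bot: The four per-line `# shellcheck disable=SC2034` directives in roles/wireguard/files/wireguard.sh suppress the same warning four times for the rc.d variables (`rcvar`, `start_cmd`, `stop_cmd`, `status_cmd`) that rc.subr reads after `load_rc_config`. A shellcheck directive placed before the first command of a script applies to the whole file, so one `# shellcheck disable=SC2034` next to the existing `# KEYWORD: shutdown` header comment, above `. /etc/rc.subr`, covers all of them and any future rc variables. The shebang and the start of the header comment block sit above this hunk, so the directive's placement should be checked against the full file head.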
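Review bot: The new "Set permissions for public keys" task in roles/wireguard/tasks/keys.yml carries `no_log: true`, which on a task that only chmods files under `{{ wireguard_pki_path }}/public/` protects nothing (the paths and the 0644 mode are the whole output) but does hide the error message if one of the files is missing and the `file` call fails. It looks copied from the preceding task, whose body is outside the hunk and may genuinely handle private material; here I would drop `no_log: true`, unless the user names in the item list are themselves considered sensitive in this playbook's logs.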
@@ -186,6 +186,7 @@ - name: Dump the configuration copy: dest: configs/{{ IP_subject_alt_name }}/.config.yml + mode: '0644' content: | server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }} server_user: {{ ansible_ssh_user }}
diff --git a/tests/legacy-lxd/ipsec-client.sh b/tests/legacy-lxd/ipsec-client.sh
index b5d49586..d72cc08c 100755
--- a/tests/legacy-lxd/ipsec-client.sh
+++ b/tests/legacy-lxd/ipsec-client.sh
@@ -8,9 +8,12 @@ CA_CONSTRAINTS="$(openssl verify -verbose \ -CAfile ./configs/10.0.8.100/ipsec/.pki/cacert.pem \ ./configs/10.0.8.100/ipsec/.pki/certs/google-algo-test-pair.com.crt 2>&1)" || true -echo "$CA_CONSTRAINTS" | grep "permitted subtree violation" >/dev/null && \ - echo "Name Constraints test passed" || \ - (echo "Name Constraints test failed" && exit 1) +if echo "$CA_CONSTRAINTS" | grep "permitted subtree violation" >/dev/null; then + echo "Name Constraints test passed" +else + echo "Name Constraints test failed" + exit 1 +fi echo "$CA_CONSTRAINTS"
diff --git a/tests/legacy-lxd/pre-deploy.sh b/tests/legacy-lxd/pre-deploy.sh
index 0b0c8727..fc9d871e 100755
--- a/tests/legacy-lxd/pre-deploy.sh
+++ b/tests/legacy-lxd/pre-deploy.sh
@@ -22,7 +22,7 @@ lxc profile set default raw.lxc 'lxc.apparmor.profile = unconfined' lxc profile set default security.privileged true lxc profile show default -lxc init ubuntu:${UBUNTU_VERSION} algo +lxc init ubuntu:"${UBUNTU_VERSION}" algo lxc network attach lxdbr0 algo eth0 eth0 lxc config device set algo eth0 ipv4.address 10.0.8.100 lxc start algo
diff --git a/tests/legacy-lxd/ssh-tunnel.sh b/tests/legacy-lxd/ssh-tunnel.sh
index 0b491b9d..30064217 100755
--- a/tests/legacy-lxd/ssh-tunnel.sh
+++ b/tests/legacy-lxd/ssh-tunnel.sh
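Review bot: The `mode: '0644'` added to the "Dump the configuration" copy task in server.yml makes `configs/{{ IP_subject_alt_name }}/.config.yml` readable by every local user, yet that file holds credentials: tests/legacy-lxd/ssh-tunnel.sh in this same commit reads the PKCS#12 password out of it with `grep ^p12_password: configs/10.0.8.100/.config.yml`. Elsewhere in the diff the secret-bearing outputs (`ipsec.secrets`, the `.p12` bundles, the client `.secrets` files) are all pinned to 0600, so this one should match: `mode: '0600'`. The content block continues past the hunk, so I cannot see what else it carries, but the password alone is reason enough.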
@@ -4,12 +4,18 @@ set -euxo pipefail PASS=$(grep ^p12_password: configs/10.0.8.100/.config.yml | awk '{print $2}' | cut -f2 -d\') -ssh-keygen -p -P ${PASS} -N '' -f configs/10.0.8.100/ssh-tunnel/desktop.pem +ssh-keygen -p -P "${PASS}" -N '' -f configs/10.0.8.100/ssh-tunnel/desktop.pem ssh -o StrictHostKeyChecking=no -D 127.0.0.1:1080 -f -q -C -N desktop@10.0.8.100 -i configs/10.0.8.100/ssh-tunnel/desktop.pem -F configs/10.0.8.100/ssh_config git config --global http.proxy 'socks5://127.0.0.1:1080' -for i in {1..10}; do git clone -vv https://github.com/trailofbits/algo /tmp/ssh-tunnel-check && break || sleep 1; done +for _ in {1..10}; do + if git clone -vv https://github.com/trailofbits/algo /tmp/ssh-tunnel-check; then + break + else + sleep 1 + fi +done echo "SSH tunneling tests passed"
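Review bot: After the rewritten retry loop in tests/legacy-lxd/ssh-tunnel.sh, ten failed `git clone` attempts still fall through to `echo "SSH tunneling tests passed"` with exit status 0, because `sleep 1` succeeds and nothing after `done` checks whether a clone ever landed (the old `&& break || sleep 1` one-liner had the same gap, and the rewrite keeps it). One line after `done` closes it: `test -d /tmp/ssh-tunnel-check/.git || { echo "SSH tunneling tests failed"; exit 1; }`. With `set -e` already active at the top of the hunk, that is enough to make the CI job fail on exhaustion instead of reporting a pass.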