Dan Guido 2016-08-15 23:32:44 -04:00
parent 470f60a46f
commit f538ffe4e8
19 changed files with 206 additions and 235 deletions


@ -7,11 +7,12 @@ Algo (short for "Al Gore", the **V**ice **P**resident of **N**etworks everywhere
## Features
* Supports only IKEv2
* Supports only AES GCM, SHA2 HMAC, and P-256 DH
* Supports only a single cipher suite w/ AES GCM, SHA2 HMAC, and P-256 DH
* Generates mobileconfig profiles to auto-configure Apple devices
* Provides helper scripts to add and remove users
* Blocks ads with a local DNS resolver and HTTP proxy (optional)
* Based on current versions of Ubuntu and StrongSwan
* Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, or your own server
## Anti-features
@ -46,12 +47,6 @@ sudo easy_install pip
sudo pip install ansible dopy==0.3.5 boto apache-libcloud six
```
There are four available installation targets:
* DigitalOcean
* Amazon EC2
* Google Cloud Engine
* Local servers
Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
Start the deploy and follow the instructions:


@ -31,7 +31,7 @@
#- name: "ssh_public_key"
#prompt: "Enter the local path to your SSH public key [ex: ~/.ssh/id_rsa.pub] :\n"
#private: no
#private: no
#- name: "region"
#prompt: >
@ -54,22 +54,22 @@
#Enter the number of your desired region:
#default: "7"
#private: no
#- name: "azure_server_name"
#prompt: "Name the vpn server:\n"
#default: "algo.local"
#private: no
#- name: "dns_enabled"
#prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n"
#default: "Y"
#private: no
#- name: "auditd_enabled"
#prompt: "Do you want to use auditd ? (Y or N):\n"
#default: "Y"
#private: no
#private: no
roles:
- azure
@ -79,21 +79,17 @@
become: true
vars_files:
- config.cfg
pre_tasks:
- name: Install prerequisites
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
roles:
- common
- security
- features
- vpn
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }


@ -41,22 +41,22 @@
Enter the number of your desired region:
default: "7"
private: no
- name: "do_server_name"
prompt: "Name the vpn server:\n"
default: "algo.local"
private: no
- name: "dns_enabled"
prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n"
default: "Y"
private: no
- name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n"
default: "Y"
private: no
private: no
roles:
- digitalocean
@ -66,13 +66,13 @@
become: true
vars_files:
- config.cfg
pre_tasks:
- name: Install prerequisites
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
- name: Enable IPv6 on the droplet
uri:
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
@ -83,7 +83,7 @@
status_code: 201
HEADER_Authorization: "Bearer {{ do_access_token }}"
HEADER_Content-Type: "application/json"
- name: Get Droplet networks
uri:
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
@ -97,30 +97,26 @@
template: src=roles/digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
notify:
- reload eth0
- reload eth0
- name: IPv6 included into the network config
lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present
notify:
- reload eth0
- meta: flush_handlers
- name: Wait for SSH to become available
local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320"
become: false
roles:
- common
- security
- features
- vpn
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
handlers:
- name: reload eth0
shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'
shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'

49
ec2.yml

@ -3,7 +3,7 @@
hosts: localhost
gather_facts: False
vars_files:
- config.cfg
- config.cfg
vars:
instance_type: t2.nano
security_group: vpn-secgroup
@ -21,71 +21,70 @@
"11": "sa-east-1"
vars_prompt:
- name: "aws_access_key"
prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
private: yes
- name: "aws_secret_key"
prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
private: yes
private: yes
- name: "region"
prompt: >
What region should the server be located in?
1. us-east-1 US East (N. Virginia)
2. us-west-1 US West (N. California)
1. us-east-1 US East (N. Virginia)
2. us-west-1 US West (N. California)
3. us-west-2 US West (Oregon)
4. ap-south-1 Asia Pacific (Mumbai)
5. ap-northeast-2 Asia Pacific (Seoul)
6. ap-southeast-1 Asia Pacific (Singapore)
7. ap-southeast-2 Asia Pacific (Sydney)
8. ap-northeast-1 Asia Pacific (Tokyo)
9. eu-central-1 EU (Frankfurt)
10. eu-west-1 EU (Ireland)
4. ap-south-1 Asia Pacific (Mumbai)
5. ap-northeast-2 Asia Pacific (Seoul)
6. ap-southeast-1 Asia Pacific (Singapore)
7. ap-southeast-2 Asia Pacific (Sydney)
8. ap-northeast-1 Asia Pacific (Tokyo)
9. eu-central-1 EU (Frankfurt)
10. eu-west-1 EU (Ireland)
11. sa-east-1 South America (São Paulo)
default: "1"
private: no
- name: "aws_server_name"
prompt: "Name the vpn server:\n"
default: "algo.local"
private: no
private: no
- name: "ssh_public_key"
prompt: "Enter the local path to your SSH public key (ex: ~/.ssh/id_rsa.pub):\n"
private: no
private: no
- name: "dns_enabled"
prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n"
default: "Y"
private: no
- name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n"
default: "Y"
private: no
roles:
- ec2
- ec2
- name: Post-provisioning tasks
hosts: vpn-host
gather_facts: false
become: true
vars_files:
- config.cfg
pre_tasks:
- name: Install prerequisites
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
roles:
- common
- security
- features
- vpn
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }


@ -22,10 +22,10 @@
- name: "credentials_file"
prompt: "Enter the local path to your credentials JSON file [ex: ~/gogle_cloud.json] (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):\n"
private: no
- name: "ssh_public_key"
prompt: "Enter the local path to your SSH public key [ex: ~/.ssh/id_rsa.pub] :\n"
private: no
private: no
- name: "zone"
prompt: >
@ -46,22 +46,22 @@
Please choose the number of your zone. Press enter for default (#8) zone.
default: "8"
private: no
- name: "server_name"
prompt: "Name the vpn server:\n"
default: "algo"
private: no
- name: "dns_enabled"
prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n"
default: "Y"
private: no
- name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n"
default: "Y"
private: no
roles:
- google_cloud
@ -71,21 +71,16 @@
become: true
vars_files:
- config.cfg
pre_tasks:
- name: Install prerequisites
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
roles:
- common
- security
- features
- vpn
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }


@ -1,31 +1,31 @@
- hosts: localhost
gather_facts: False
vars_files:
- config.cfg
- config.cfg
vars_prompt:
- name: "server_ip"
prompt: "Enter IP address of your server:\n"
private: no
- name: "server_user"
prompt: "What user should we use to login on the server?:\n"
default: "root"
private: no
- name: "dns_enabled"
prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n"
default: "Y"
private: no
- name: "auditd_enabled"
prompt: "Do you want to use auditd ? (Y or N):\n"
default: "Y"
private: no
private: no
tasks:
- name: Add the server to the vpn-host group
add_host:
add_host:
hostname: "{{ server_ip }}"
groupname: vpn-host
ansible_ssh_user: "{{ server_user }}"
@ -36,24 +36,23 @@
- name: Wait for SSH to become available
local_action: "wait_for port=22 host={{ server_ip }} timeout=320"
become: false
- name: Post-provisioning tasks
hosts: vpn-host
gather_facts: false
become: true
vars_files:
- config.cfg
pre_tasks:
- name: Install prerequisites
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
roles:
- common
- security
- features
- vpn
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }


@ -1,9 +1,8 @@
- name: restart rsyslog
service: name=rsyslog state=restarted
- name: restart ssh
service: name=ssh state=restarted
- name: flush routing cache
shell: echo 1 > /proc/sys/net/ipv4/route/flush


@ -2,7 +2,7 @@
- name: Gather Facts
setup:
- name: Install software updates
apt: update_cache=yes upgrade=dist
@ -10,9 +10,9 @@
shell: >
if [[ $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]]; then echo "required"; else echo "no"; fi
args:
executable: /bin/bash
executable: /bin/bash
register: reboot_required
- name: Reboot
shell: sleep 2 && shutdown -r now "Ansible updates triggered"
async: 1
@ -23,30 +23,30 @@
- name: Wait for shutdown
local_action: wait_for host={{ inventory_hostname }} port=22 state=stopped timeout=120
when: reboot_required is defined and reboot_required.stdout == 'required'
become: false
become: false
- name: Wait until SSH becomes ready...
local_action: wait_for host={{ inventory_hostname }} port=22 state=started timeout=120
when: reboot_required is defined and reboot_required.stdout == 'required'
become: false
become: false
# SSH fixes
- name: SSH config
lineinfile: dest="{{ item.file }}" regexp="{{ item.regexp }}" line="{{ item.line }}" state=present
with_items:
- { regexp: '^PasswordAuthentication.*', line: 'PasswordAuthentication no', file: '/etc/ssh/sshd_config' }
- { regexp: '^PermitRootLogin.*', line: 'PermitRootLogin without-password', file: '/etc/ssh/sshd_config' }
- { regexp: '^UseDNS.*', line: 'UseDNS no', file: '/etc/ssh/sshd_config' }
- { regexp: '^Ciphers', line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com', file: '/etc/ssh/sshd_config' }
- { regexp: '^Ciphers', line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com', file: '/etc/ssh/sshd_config' }
- { regexp: '^MACs', line: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com', file: '/etc/ssh/sshd_config' }
- { regexp: '^KexAlgorithms', line: 'KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384', file: '/etc/ssh/sshd_config' }
notify:
- restart ssh
- restart ssh
- name: Disable MOTD on login and SSHD
replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
with_items:
with_items:
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
@ -62,9 +62,9 @@
- sendmail
- unattended-upgrades
- iptables-persistent
- name: Configure unattended-upgrades
template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=644
template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644
- name: Periodic upgrades configured
template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=644
template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644
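Review bot: The `SSH config` task edits `/etc/ssh/sshd_config` with `lineinfile` and then notifies `restart ssh`, but nothing checks that the edited file still parses before the daemon is restarted. If the installed OpenSSH rejects one of the `Ciphers`, `MACs` or `KexAlgorithms` names, sshd will not come back up, and SSH is the only management channel these playbooks use. Adding `validate='/usr/sbin/sshd -t -f %s'` to the `lineinfile` arguments makes Ansible test the temporary copy and leave the live file untouched when the test fails.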


@ -36,4 +36,3 @@
- name: Wait for SSH to become available
local_action: "wait_for port=22 host={{ do.droplet.ip_address }} timeout=320"


@ -64,7 +64,7 @@
register: ec2
- name: Add new instance to host group
add_host:
add_host:
hostname: "{{ item.public_ip }}"
groupname: vpn-host
ansible_ssh_user: ubuntu
@ -76,5 +76,4 @@
- name: Wait for SSH to become available
local_action: "wait_for port=22 host={{ item.public_dns_name }} timeout=320"
with_items: "{{ ec2.instances }}"
become: false
become: false


@ -1,17 +1,17 @@
- name: restart privoxy
service: name=privoxy state=restarted
- name: restart dnsmasq
service: name=dnsmasq state=restarted
service: name=dnsmasq state=restarted
- name: restart apparmor
service: name=apparmor state=restarted
- name: restart apache2
service: name=apache2 state=restarted
service: name=apache2 state=restarted
- name: save iptables
command: service netfilter-persistent save
- name: restart loopback
shell: ifdown lo:100 && ifup lo:100
shell: ifdown lo:100 && ifup lo:100


@ -1,19 +1,19 @@
- name: Gather Facts
setup:
- name: Loopback for services configured
template: src=10-loopback-services.cfg.j2 dest=/etc/network/interfaces.d/10-loopback-services.cfg
notify:
- restart loopback
- name: Loopback included into the network config
lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present
notify:
- restart loopback
- meta: flush_handlers
# Privoxy
# Privoxy
- name: Privoxy installed
apt: name=privoxy state=latest
@ -22,36 +22,36 @@
template: src=privoxy_config.j2 dest=/etc/privoxy/config
notify:
- restart privoxy
- name: Privoxy profile for apparmor configured
template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=600
template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=0600
notify:
- restart privoxy
- name: Enforce the privoxy AppArmor policy
shell: aa-enforce usr.sbin.privoxy
shell: aa-enforce usr.sbin.privoxy
- name: Privoxy enabled and started
service: name=privoxy state=started enabled=yes
# PageSpeed
- name: Apache installed
apt: name=apache2 state=latest
- name: PageSpeed installed for x86_64
apt: deb=https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb
when: ansible_architecture == "x86_64"
- name: PageSpeed installed for i386
apt: deb=https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_i386.deb
when: ansible_architecture != "x86_64"
when: ansible_architecture != "x86_64"
- name: PageSpeed configured
template: src=pagespeed.conf.j2 dest=/etc/apache2/mods-available/pagespeed.conf
notify:
- restart apache2
- restart apache2
- name: Modules enabled
apache2_module: state=present name="{{ item }}"
with_items:
@ -63,39 +63,39 @@
- rewrite
notify:
- restart apache2
- name: VirtualHost configured for the PageSpeed module
template: src=000-default.conf.j2 dest=/etc/apache2/sites-enabled/000-default.conf
notify:
- restart apache2
- restart apache2
- name: Apache ports configured
template: src=ports.conf.j2 dest=/etc/apache2/ports.conf
notify:
- restart apache2
# DNS
- restart apache2
# DNS
- name: Dnsmasq installed
apt: name=dnsmasq state=latest
apt: name=dnsmasq state=latest
- name: Dnsmasq profile for apparmor configured
template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=600
template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600
notify:
- restart dnsmasq
- name: Enforce the dnsmasq AppArmor policy
shell: aa-enforce usr.sbin.dnsmasq
- name: Dnsmasq configured
template: src=dnsmasq.conf.j2 dest=/etc/dnsmasq.conf
notify:
- restart dnsmasq
- name: Adblock script created
template: src=adblock.sh dest=/opt/adblock.sh owner=root group=root mode=755
template: src=adblock.sh dest=/opt/adblock.sh owner=root group=root mode=0755
when: dns_enabled is defined and dns_enabled == "Y"
- name: Adblock script added to cron
cron: name="Adblock hosts update" minute="10" hour="2" job="/opt/adblock.sh"
when: dns_enabled is defined and dns_enabled == "Y"
@ -104,9 +104,9 @@
shell: >
/opt/adblock.sh
when: dns_enabled is defined and dns_enabled == "Y"
- name: Forward all DNS requests to the local resolver
iptables:
iptables:
table: nat
chain: PREROUTING
protocol: udp
@ -117,9 +117,9 @@
notify:
- save iptables
when: dns_enabled is defined and dns_enabled == "Y"
- name: Forward all DNS requests to the local resolver
iptables:
iptables:
table: nat
chain: PREROUTING
protocol: udp
@ -130,12 +130,12 @@
ip_version: ipv6
notify:
- save iptables
when: dns_enabled is defined and dns_enabled == "Y"
when: dns_enabled is defined and dns_enabled == "Y"
- name: Dnsmasq enabled and started
service: name=dnsmasq state=started enabled=yes
when: dns_enabled is defined and dns_enabled == "Y"
- name: Dnsmasq disabled and stopped
service: name=dnsmasq state=stopped enabled=no
when: dns_enabled is defined and dns_enabled != "Y"
when: dns_enabled is defined and dns_enabled != "Y"
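Review bot: Both `PageSpeed installed` tasks pass a `mod-pagespeed-stable_current_*.deb` URL straight to `apt: deb=`, so whatever is served at deploy time gets installed as root with no version pin and no checksum. HTTPS authenticates the download host, but as far as I know a package installed through `deb=` is not verified against an apt signing key. Fetch the file first with `get_url` and `checksum=sha256:<PINNED_SHA256>` (placeholder; record the digest of a package you have verified), then point `apt: deb=` at the local path. A short comment above the two tasks naming the pinned release would make later updates deliberate.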


@ -13,7 +13,7 @@
project_id: "{{ credentials_file_lookup.project_id }}"
metadata: '{"sshKeys":"root:{{ ssh_public_key_lookup }}"}'
register: google_vm
- name: Add the droplet to an inventory group
add_host:
name: "{{ google_vm.instance_data[0].public_ip}}"
@ -22,7 +22,7 @@
ansible_python_interpreter: "/usr/bin/python2.7"
dns_enabled: "{{ dns_enabled }}"
auditd_enabled: " {{ auditd_enabled }}"
- name: Firewall configured
local_action:
module: gce_net
@ -31,13 +31,9 @@
allowed: "udp:500,4500;tcp:22"
state: "present"
src_range: 0.0.0.0/0
service_account_email: "{{ credentials_file_lookup.client_email }}"
service_account_email: "{{ credentials_file_lookup.client_email }}"
credentials_file: "{{ credentials_file }}"
project_id: "{{ credentials_file_lookup.project_id }}"
project_id: "{{ credentials_file_lookup.project_id }}"
- name: Wait for SSH to become available
local_action: "wait_for port=22 host={{ google_vm.instance_data[0].public_ip }} timeout=320"


@ -5,12 +5,11 @@
template: src=audit.rules.j2 dest=/etc/audit/audit.rules
notify:
- restart auditd
- name: Auditd configured
template: src=auditd.conf.j2 dest=/etc/audit/auditd.conf
notify:
- restart auditd
- name: Enable services
service: name=auditd enabled=yes


@ -1,5 +1,5 @@
- name: restart rsyslog
service: name=rsyslog state=restarted
- name: flush routing cache
shell: echo 1 > /proc/sys/net/ipv4/route/flush
shell: echo 1 > /proc/sys/net/ipv4/route/flush


@ -15,38 +15,38 @@
file: path='{{ item.stat.path }}' mode='go-w' recurse=yes
when: item.stat.isdir
with_items: "{{ minimize_access_directories.results }}"
no_log: True
no_log: True
- name: Change shadow ownership to root and mode to 0600
file: dest='/etc/shadow' owner=root group=root mode=0600
- name: change su-binary to only be accessible to user and group root
file: dest='/bin/su' owner=root group=root mode=0750
- name: Collect Use of privileged commands
shell: >
shell: >
/usr/bin/find {/usr/local/sbin,/usr/local/bin,/sbin,/bin,/usr/sbin,/usr/bin} -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }'
args:
executable: /bin/bash
register: privileged_programs
register: privileged_programs
# Rsyslog
- name: Rsyslog configured
template: src=rsyslog.conf.j2 dest=/etc/rsyslog.conf
notify:
- restart rsyslog
- restart rsyslog
- name: Rsyslog CIS configured
template: src=CIS.conf.j2 dest=/etc/rsyslog.d/CIS.conf owner=root group=root mode=0644
notify:
- restart rsyslog
- restart rsyslog
- name: Enable services
service: name=rsyslog enabled=yes
# Core dumps
- name: Restrict core dumps (with PAM)
lineinfile: dest=/etc/security/limits.conf line="* hard core 0" state=present
@ -62,13 +62,13 @@
- net.ipv4.conf.default.accept_source_route
notify:
- flush routing cache
- name: Disable ICMP Redirect Acceptance
sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present
with_items:
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_redirects
- name: Disable Secure ICMP Redirect Acceptance
sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present
with_items:
@ -76,12 +76,12 @@
- net.ipv4.conf.default.secure_redirects
notify:
- flush routing cache
- name: Enable Bad Error Message Protection
sysctl: name=net.ipv4.icmp_ignore_bogus_error_responses value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present
notify:
- flush routing cache
- name: Enable RFC-recommended Source Route Validation
sysctl: name="{{item}}" value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present
with_items:
@ -89,12 +89,12 @@
- net.ipv4.conf.default.rp_filter
notify:
- flush routing cache
- name: Enable packet forwarding for IPv4
sysctl: name=net.ipv4.ip_forward value=1
- name: Enable packet forwarding for IPv6
sysctl: name=net.ipv6.conf.all.forwarding value=1
sysctl: name=net.ipv6.conf.all.forwarding value=1
- name: Do not send ICMP redirects (we are not a router)
sysctl: name=net.ipv4.conf.all.send_redirects value=0


@ -3,10 +3,10 @@
- name: restart apparmor
service: name=apparmor state=restarted
- name: save iptables
command: service netfilter-persistent save
command: service netfilter-persistent save
- name: congrats
debug:
msg:


@ -9,7 +9,7 @@
- /usr/lib/ipsec/stroke
notify:
- restart apparmor
- name: Enable services
service: name={{ item }} enabled=yes
with_items:
@ -21,32 +21,32 @@
iptables: table=nat chain=POSTROUTING source="{{ vpn_network }}" jump=MASQUERADE
notify:
- save iptables
- name: Configure ip6tables so IPSec traffic can traverse the tunnel
iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE
notify:
- save iptables
- save iptables
- name: Setup the ipsec.conf file from our template
template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644
template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=0644
notify:
- restart strongswan
- restart strongswan
- name: Setup the ipsec.secrets file
template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=600
template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=0600
notify:
- restart strongswan
- restart strongswan
- name: Fetch easy-rsa-ipsec from git
git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git dest="{{ easyrsa_dir }}"
git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git version=ed4de10d7ce0726357fb1bb4729f8eb440c06e2b dest="{{ easyrsa_dir }}"
- name: Setup the vars file from our template
template: src=easy-rsa.vars.j2 dest={{ easyrsa_dir }}/easyrsa3/vars
- name: Ensure the pki directory is not exist
file: dest={{ easyrsa_dir }}/easyrsa3/pki state=absent
when: easyrsa_reinit_existent == True
- name: Build the pki enviroments
shell: >
./easyrsa init-pki &&
@ -55,7 +55,7 @@
chdir: '{{ easyrsa_dir }}/easyrsa3/'
creates: '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'
- name: Build the CA pair
- name: Build the CA pair
shell: >
./easyrsa build-ca nopass &&
touch {{ easyrsa_dir }}/easyrsa3/pki/ca_initialized
@ -63,8 +63,8 @@
chdir: '{{ easyrsa_dir }}/easyrsa3/'
creates: '{{ easyrsa_dir }}/easyrsa3/pki/ca_initialized'
notify:
- restart strongswan
- restart strongswan
- name: Build the server pair
shell: >
./easyrsa --subject-alt-name='DNS:{{ server_name }},IP:{{ ansible_ssh_host }}' build-server-full {{ ansible_ssh_host }} nopass&&
@ -73,7 +73,7 @@
chdir: '{{ easyrsa_dir }}/easyrsa3/'
creates: '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
notify:
- restart strongswan
- restart strongswan
- name: Build the client's pair
shell: >
@ -84,7 +84,7 @@
creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
with_items: "{{ users }}"
- name: Build the client's p12
- name: Build the client's p12
shell: >
openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} &&
touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
@ -92,7 +92,7 @@
chdir: '{{ easyrsa_dir }}/easyrsa3/'
creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
with_items: "{{ users }}"
- name: Copy the CA cert to the strongswan directory
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=root group=root mode=0600
notify:
@ -101,12 +101,12 @@
- name: Copy the server cert to the strongswan directory
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ ansible_ssh_host }}.crt' dest=/etc/ipsec.d/certs/{{ ansible_ssh_host }}.crt owner=root group=root mode=0600
notify:
- restart strongswan
- restart strongswan
- name: Copy the server key to the strongswan directory
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ ansible_ssh_host }}.key' dest=/etc/ipsec.d/private/{{ ansible_ssh_host }}.key owner=root group=root mode=0600
notify:
- restart strongswan
- restart strongswan
- name: Register p12 PayloadContent
shell: >
@ -118,14 +118,14 @@
shell: >
cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
register: PayloadContentCA
- name: Build the mobileconfigs
template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
with_together:
- "{{ users }}"
- "{{ PayloadContent.results }}"
no_log: True
no_log: True
- name: Fetch users P12
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ server_name }}_{{ item }}.p12 flat=yes
with_items: "{{ users }}"
@ -133,7 +133,7 @@
- name: Fetch users mobileconfig
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ server_name }}_{{ item }}.mobileconfig flat=yes
with_items: "{{ users }}"
- name: Fetch server CA certificate
fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ server_name }}_ca.crt flat=yes
notify:
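Review bot: The clone in `Fetch easy-rsa-ipsec from git` still goes over `git://`, a transport with no encryption and no server authentication, even though the task now pins `version=ed4de10d7ce0726357fb1bb4729f8eb440c06e2b`. The pinned commit id limits what an on-path party could substitute, but this checkout supplies the scripts that generate the CA and every client key, so the fetch should not rely on the pin alone. Use `repo=https://github.com/ValdikSS/easy-rsa-ipsec.git` with the same `version=` value. A one-line comment above the task saying why this commit was chosen would also help whoever moves the pin later.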


@ -3,21 +3,21 @@
- hosts: localhost
gather_facts: False
vars_files:
- config.cfg
- config.cfg
vars_prompt:
- name: "server_ip"
prompt: "\nEnter IP address of your server:\n"
private: no
- name: "server_user"
prompt: "What user should we use to login on the server?:\n"
default: "root"
private: no
tasks:
- name: Add the server to the vpn-host group
add_host:
add_host:
hostname: "{{ server_ip }}"
groupname: vpn-host
ansible_ssh_user: "{{ server_user }}"
@ -25,15 +25,15 @@
- name: Wait for SSH to become available
local_action: "wait_for port=22 host={{ server_ip }} timeout=320"
become: false
become: false
- name: User management
hosts: vpn-host
gather_facts: false
become: true
vars_files:
- config.cfg
- config.cfg
tasks:
- name: Build the client's pair
shell: >
@ -52,14 +52,14 @@
chdir: '{{ easyrsa_dir }}/easyrsa3/'
creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
with_items: "{{ users }}"
- name: Get active users
shell: >
grep ^V pki/index.txt | grep -v "{{ server_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
args:
chdir: '{{ easyrsa_dir }}/easyrsa3/'
register: valid_certs
- name: Revoke non-existing users
shell: >
ipsec pki --signcrl --cacert {{ easyrsa_dir }}/easyrsa3//pki/ca.crt --cakey {{ easyrsa_dir }}/easyrsa3/pki/private/ca.key --reason superseded --cert {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt > /etc/ipsec.d/crls/{{ item }}.der &&
@ -69,7 +69,7 @@
chdir: '{{ easyrsa_dir }}/easyrsa3/'
when: item not in users
with_items: "{{ valid_certs.stdout_lines }}"
- name: Register p12 PayloadContent
shell: >
cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
@ -80,14 +80,14 @@
shell: >
cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
register: PayloadContentCA
- name: Build the mobileconfigs
template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
with_together:
- "{{ users }}"
- "{{ PayloadContent.results }}"
no_log: True
no_log: True
- name: Fetch users P12
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ server_name }}_{{ item }}.p12 flat=yes
with_items: "{{ users }}"
@ -98,4 +98,3 @@
- name: Fetch server CA certificate
fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ server_name }}_ca.crt flat=yes