From f538ffe4e8c2f27fb17f56d58acfad2db2adcc64 Mon Sep 17 00:00:00 2001 From: Dan Guido Date: Mon, 15 Aug 2016 23:32:44 -0400 Subject: [PATCH] linting --- README.md | 9 +--- azure.yml | 22 ++++----- digitalocean.yml | 36 +++++++------- ec2.yml | 49 ++++++++++--------- google_cloud.yml | 23 ++++----- non-cloud.yml | 27 ++++++----- roles/common/handlers/main.yml | 5 +- roles/common/tasks/main.yml | 28 +++++------ roles/digitalocean/tasks/main.yml | 1 - roles/ec2/tasks/main.yml | 5 +- roles/features/handlers/main.yml | 16 +++---- roles/features/tasks/main.yml | 78 +++++++++++++++---------------- roles/google_cloud/tasks/main.yml | 12 ++--- roles/logging/tasks/main.yml | 5 +- roles/security/handlers/main.yml | 4 +- roles/security/tasks/main.yml | 36 +++++++------- roles/vpn/handlers/main.yml | 6 +-- roles/vpn/tasks/main.yml | 50 ++++++++++---------- users.yml | 29 ++++++------ 19 files changed, 206 insertions(+), 235 deletions(-) diff --git a/README.md b/README.md index 932962e..def5464 100644 --- a/README.md +++ b/README.md @@ -7,11 +7,12 @@ Algo (short for "Al Gore", the **V**ice **P**resident of **N**etworks everywhere ## Features * Supports only IKEv2 -* Supports only AES GCM, SHA2 HMAC, and P-256 DH +* Supports only a single cipher suite w/ AES GCM, SHA2 HMAC, and P-256 DH * Generates mobileconfig profiles to auto-configure Apple devices * Provides helper scripts to add and remove users * Blocks ads with a local DNS resolver and HTTP proxy (optional) * Based on current versions of Ubuntu and StrongSwan +* Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, or your own server ## Anti-features 
@@ -46,12 +47,6 @@ sudo easy_install pip sudo pip install ansible dopy==0.3.5 boto apache-libcloud six ``` -There are four available installation targets: -* DigitalOcean -* Amazon EC2 -* Google Cloud Engine -* Local servers - Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. Start the deploy and follow the instructions: diff --git a/azure.yml b/azure.yml index 5e35b77..06098fb 100644 --- a/azure.yml +++ b/azure.yml @@ -31,7 +31,7 @@ #- name: "ssh_public_key" #prompt: "Enter the local path to your SSH public key [ex: ~/.ssh/id_rsa.pub] :\n" - #private: no + #private: no #- name: "region" #prompt: > @@ -54,22 +54,22 @@ #Enter the number of your desired region: #default: "7" #private: no - + #- name: "azure_server_name" #prompt: "Name the vpn server:\n" #default: "algo.local" #private: no - + #- name: "dns_enabled" #prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n" #default: "Y" #private: no - + #- name: "auditd_enabled" #prompt: "Do you want to use auditd ? (Y or N):\n" #default: "Y" - #private: no - + #private: no + roles: - azure @@ -79,21 +79,17 @@ become: true vars_files: - config.cfg - + pre_tasks: - name: Install prerequisites raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 + raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 roles: - common - security - features - vpn - - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - - - - + - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } diff --git a/digitalocean.yml b/digitalocean.yml index ecd6262..e82d394 100644 --- a/digitalocean.yml +++ b/digitalocean.yml 
@@ -41,22 +41,22 @@ Enter the number of your desired region: default: "7" private: no - + - name: "do_server_name" prompt: "Name the vpn server:\n" default: "algo.local" private: no - + - name: "dns_enabled" prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n" default: "Y" private: no - + - name: "auditd_enabled" prompt: "Do you want to use auditd ? (Y or N):\n" default: "Y" - private: no - + private: no + roles: - digitalocean @@ -66,13 +66,13 @@ become: true vars_files: - config.cfg - + pre_tasks: - name: Install prerequisites raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - + raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 + - name: Enable IPv6 on the droplet uri: url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions" @@ -83,7 +83,7 @@ status_code: 201 HEADER_Authorization: "Bearer {{ do_access_token }}" HEADER_Content-Type: "application/json" - + - name: Get Droplet networks uri: url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}" 
@@ -97,30 +97,26 @@ template: src=roles/digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644 with_items: "{{ droplet_info.json.droplet.networks.v6 }}" notify: - - reload eth0 - + - reload eth0 + - name: IPv6 included into the network config lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present notify: - reload eth0 - + - meta: flush_handlers - name: Wait for SSH to become available local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320" become: false - + roles: - common - security - features - vpn - - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - + - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } + handlers: - name: reload eth0 - shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' - - - - + shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' diff --git a/ec2.yml b/ec2.yml index 2e1bdfd..0a11e48 100644 --- a/ec2.yml +++ b/ec2.yml @@ -3,7 +3,7 @@ hosts: localhost gather_facts: False vars_files: - - config.cfg + - config.cfg vars: instance_type: t2.nano security_group: vpn-secgroup 
@@ -21,71 +21,70 @@ "11": "sa-east-1" vars_prompt: - + - name: "aws_access_key" prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" private: yes - + - name: "aws_secret_key" prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" - private: yes - + private: yes + - name: "region" prompt: > What region should the server be located in? - 1. us-east-1 US East (N. Virginia) - 2. us-west-1 US West (N. California) + 1. us-east-1 US East (N. Virginia) + 2. us-west-1 US West (N. California) 3. us-west-2 US West (Oregon) - 4. ap-south-1 Asia Pacific (Mumbai) - 5. ap-northeast-2 Asia Pacific (Seoul) - 6. ap-southeast-1 Asia Pacific (Singapore) - 7. ap-southeast-2 Asia Pacific (Sydney) - 8. ap-northeast-1 Asia Pacific (Tokyo) - 9. eu-central-1 EU (Frankfurt) - 10. eu-west-1 EU (Ireland) + 4. ap-south-1 Asia Pacific (Mumbai) + 5. ap-northeast-2 Asia Pacific (Seoul) + 6. ap-southeast-1 Asia Pacific (Singapore) + 7. ap-southeast-2 Asia Pacific (Sydney) + 8. ap-northeast-1 Asia Pacific (Tokyo) + 9. eu-central-1 EU (Frankfurt) + 10. eu-west-1 EU (Ireland) 11. sa-east-1 South America (São Paulo) default: "1" private: no - + - name: "aws_server_name" prompt: "Name the vpn server:\n" default: "algo.local" - private: no - + private: no + - name: "ssh_public_key" prompt: "Enter the local path to your SSH public key (ex: ~/.ssh/id_rsa.pub):\n" - private: no + private: no - name: "dns_enabled" prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n" default: "Y" private: no - + - name: "auditd_enabled" prompt: "Do you want to use auditd ? 
(Y or N):\n" default: "Y" private: no roles: - - ec2 - + - ec2 + - name: Post-provisioning tasks hosts: vpn-host gather_facts: false become: true vars_files: - config.cfg - + pre_tasks: - name: Install prerequisites raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - name: Configure defaults raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - + roles: - common - security - features - vpn - - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - + - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } diff --git a/google_cloud.yml b/google_cloud.yml index 504f82f..d1cd9d4 100644 --- a/google_cloud.yml +++ b/google_cloud.yml @@ -22,10 +22,10 @@ - name: "credentials_file" prompt: "Enter the local path to your credentials JSON file [ex: ~/gogle_cloud.json] (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):\n" private: no - + - name: "ssh_public_key" prompt: "Enter the local path to your SSH public key [ex: ~/.ssh/id_rsa.pub] :\n" - private: no + private: no - name: "zone" prompt: > @@ -46,22 +46,22 @@ Please choose the number of your zone. Press enter for default (#8) zone. default: "8" private: no - + - name: "server_name" prompt: "Name the vpn server:\n" default: "algo" private: no - + - name: "dns_enabled" prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n" default: "Y" private: no - + - name: "auditd_enabled" prompt: "Do you want to use auditd ? (Y or N):\n" default: "Y" private: no - + roles: - google_cloud 
@@ -71,21 +71,16 @@ become: true vars_files: - config.cfg - + pre_tasks: - name: Install prerequisites raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 + raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 roles: - common - security - features - vpn - - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - - - - - + - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } diff --git a/non-cloud.yml b/non-cloud.yml index 19a9c77..d0f32f5 100644 --- a/non-cloud.yml +++ b/non-cloud.yml @@ -1,31 +1,31 @@ - hosts: localhost gather_facts: False vars_files: - - config.cfg + - config.cfg vars_prompt: - + - name: "server_ip" prompt: "Enter IP address of your server:\n" private: no - + - name: "server_user" prompt: "What user should we use to login on the server?:\n" default: "root" private: no - + - name: "dns_enabled" prompt: "Do you want to use a local DNS resolver to block ads while surfing? (Y or N):\n" default: "Y" private: no - + - name: "auditd_enabled" prompt: "Do you want to use auditd ? (Y or N):\n" default: "Y" - private: no - + private: no + tasks: - name: Add the server to the vpn-host group - add_host: + add_host: hostname: "{{ server_ip }}" groupname: vpn-host ansible_ssh_user: "{{ server_user }}" 
@@ -36,24 +36,23 @@ - name: Wait for SSH to become available local_action: "wait_for port=22 host={{ server_ip }} timeout=320" become: false - + - name: Post-provisioning tasks hosts: vpn-host gather_facts: false become: true vars_files: - config.cfg - + pre_tasks: - name: Install prerequisites raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - + raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 + roles: - common - security - features - vpn - - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - + - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index d7a822d..65e6972 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -1,9 +1,8 @@ - name: restart rsyslog service: name=rsyslog state=restarted - + - name: restart ssh service: name=ssh state=restarted - + - name: flush routing cache shell: echo 1 > /proc/sys/net/ipv4/route/flush - diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 078726a..f258515 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -2,7 +2,7 @@ - name: Gather Facts setup: - + - name: Install software updates apt: update_cache=yes upgrade=dist @@ -10,9 +10,9 @@ shell: > if [[ $(readlink -f /vmlinuz) != /boot/vmlinuz-$(uname -r) ]]; then echo "required"; else echo "no"; fi args: - executable: /bin/bash + executable: /bin/bash register: reboot_required - + - name: Reboot shell: sleep 2 && shutdown -r now "Ansible updates triggered" async: 1 
@@ -23,30 +23,30 @@ - name: Wait for shutdown local_action: wait_for host={{ inventory_hostname }} port=22 state=stopped timeout=120 when: reboot_required is defined and reboot_required.stdout == 'required' - become: false + become: false - name: Wait until SSH becomes ready... local_action: wait_for host={{ inventory_hostname }} port=22 state=started timeout=120 when: reboot_required is defined and reboot_required.stdout == 'required' - become: false - + become: false + # SSH fixes - + - name: SSH config lineinfile: dest="{{ item.file }}" regexp="{{ item.regexp }}" line="{{ item.line }}" state=present with_items: - { regexp: '^PasswordAuthentication.*', line: 'PasswordAuthentication no', file: '/etc/ssh/sshd_config' } - { regexp: '^PermitRootLogin.*', line: 'PermitRootLogin without-password', file: '/etc/ssh/sshd_config' } - { regexp: '^UseDNS.*', line: 'UseDNS no', file: '/etc/ssh/sshd_config' } - - { regexp: '^Ciphers', line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com', file: '/etc/ssh/sshd_config' } + - { regexp: '^Ciphers', line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com', file: '/etc/ssh/sshd_config' } - { regexp: '^MACs', line: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com', file: '/etc/ssh/sshd_config' } - { regexp: '^KexAlgorithms', line: 'KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384', file: '/etc/ssh/sshd_config' } notify: - - restart ssh - + - restart ssh + - name: Disable MOTD on login and SSHD replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}" - with_items: + with_items: - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' } - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' } 
@@ -62,9 +62,9 @@ - sendmail - unattended-upgrades - iptables-persistent - + - name: Configure unattended-upgrades - template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=644 + template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644 - name: Periodic upgrades configured - template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=644 + template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644 diff --git a/roles/digitalocean/tasks/main.yml b/roles/digitalocean/tasks/main.yml index 8f0c20f..0fa4120 100644 --- a/roles/digitalocean/tasks/main.yml +++ b/roles/digitalocean/tasks/main.yml @@ -36,4 +36,3 @@ - name: Wait for SSH to become available local_action: "wait_for port=22 host={{ do.droplet.ip_address }} timeout=320" - diff --git a/roles/ec2/tasks/main.yml b/roles/ec2/tasks/main.yml index 52a5fac..75bd4f2 100644 --- a/roles/ec2/tasks/main.yml +++ b/roles/ec2/tasks/main.yml @@ -64,7 +64,7 @@ register: ec2 - name: Add new instance to host group - add_host: + add_host: hostname: "{{ item.public_ip }}" groupname: vpn-host ansible_ssh_user: ubuntu @@ -76,5 +76,4 @@ - name: Wait for SSH to become available local_action: "wait_for port=22 host={{ item.public_dns_name }} timeout=320" with_items: "{{ ec2.instances }}" - become: false - + become: false diff --git a/roles/features/handlers/main.yml b/roles/features/handlers/main.yml index 284064f..c42aea8 100644 --- a/roles/features/handlers/main.yml +++ b/roles/features/handlers/main.yml 
@@ -1,17 +1,17 @@ - name: restart privoxy service: name=privoxy state=restarted - + - name: restart dnsmasq - service: name=dnsmasq state=restarted - + service: name=dnsmasq state=restarted + - name: restart apparmor service: name=apparmor state=restarted - + - name: restart apache2 - service: name=apache2 state=restarted - + service: name=apache2 state=restarted + - name: save iptables command: service netfilter-persistent save - + - name: restart loopback - shell: ifdown lo:100 && ifup lo:100 + shell: ifdown lo:100 && ifup lo:100 diff --git a/roles/features/tasks/main.yml b/roles/features/tasks/main.yml index 8045981..a1454e8 100644 --- a/roles/features/tasks/main.yml +++ b/roles/features/tasks/main.yml @@ -1,19 +1,19 @@ - name: Gather Facts setup: - + - name: Loopback for services configured template: src=10-loopback-services.cfg.j2 dest=/etc/network/interfaces.d/10-loopback-services.cfg notify: - restart loopback - + - name: Loopback included into the network config lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present notify: - restart loopback - + - meta: flush_handlers - -# Privoxy + +# Privoxy - name: Privoxy installed apt: name=privoxy state=latest 
@@ -22,36 +22,36 @@ template: src=privoxy_config.j2 dest=/etc/privoxy/config notify: - restart privoxy - + - name: Privoxy profile for apparmor configured - template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=600 + template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=0600 notify: - restart privoxy - + - name: Enforce the privoxy AppArmor policy - shell: aa-enforce usr.sbin.privoxy - + shell: aa-enforce usr.sbin.privoxy + - name: Privoxy enabled and started service: name=privoxy state=started enabled=yes - + # PageSpeed - name: Apache installed apt: name=apache2 state=latest - + - name: PageSpeed installed for x86_64 apt: deb=https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb when: ansible_architecture == "x86_64" - + - name: PageSpeed installed for i386 apt: deb=https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_i386.deb - when: ansible_architecture != "x86_64" - + when: ansible_architecture != "x86_64" + - name: PageSpeed configured template: src=pagespeed.conf.j2 dest=/etc/apache2/mods-available/pagespeed.conf notify: - - restart apache2 - + - restart apache2 + - name: Modules enabled apache2_module: state=present name="{{ item }}" with_items: 
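Review bot: The two PageSpeed tasks in this hunk install `mod-pagespeed-stable_current_amd64.deb` / `_i386.deb` directly from a URL via `apt: deb=…`, and as far as I can tell that path hands the downloaded file to dpkg with no signature or checksum check, so whatever Google publishes under the `_current_` name at deploy time is installed as root with nothing verifying it. The rest of this commit is moving toward pinned, reviewable inputs (the `0600` apparmor profile modes here, the easy-rsa commit pin in the vpn role), and the same discipline fits here: fetch the package with `get_url` and a `checksum` recorded from a known-good copy, then install the local file, or add the vendor apt repository and its signing key and install `mod-pagespeed-stable` from apt. A fixed checksum will fail closed when the upstream artifact is republished, which is the point; the pin then gets bumped deliberately. The i386 task should get the same treatment.

```yaml
- name: PageSpeed package downloaded for x86_64
  get_url:
    url: https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb
    dest: /tmp/mod-pagespeed-stable_current_amd64.deb
    checksum: "sha256:<EXPECTED_SHA256_OF_REVIEWED_COPY>"
  when: ansible_architecture == "x86_64"

- name: PageSpeed installed for x86_64
  apt: deb=/tmp/mod-pagespeed-stable_current_amd64.deb
  when: ansible_architecture == "x86_64"

# … unchanged: i386 twin of the two tasks above, PageSpeed configured …
```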
@@ -63,39 +63,39 @@ - rewrite notify: - restart apache2 - + - name: VirtualHost configured for the PageSpeed module template: src=000-default.conf.j2 dest=/etc/apache2/sites-enabled/000-default.conf notify: - - restart apache2 - + - restart apache2 + - name: Apache ports configured template: src=ports.conf.j2 dest=/etc/apache2/ports.conf notify: - - restart apache2 - -# DNS + - restart apache2 + +# DNS - name: Dnsmasq installed - apt: name=dnsmasq state=latest - + apt: name=dnsmasq state=latest + - name: Dnsmasq profile for apparmor configured - template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=600 + template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600 notify: - restart dnsmasq - + - name: Enforce the dnsmasq AppArmor policy shell: aa-enforce usr.sbin.dnsmasq - + - name: Dnsmasq configured template: src=dnsmasq.conf.j2 dest=/etc/dnsmasq.conf notify: - restart dnsmasq - + - name: Adblock script created - template: src=adblock.sh dest=/opt/adblock.sh owner=root group=root mode=755 + template: src=adblock.sh dest=/opt/adblock.sh owner=root group=root mode=0755 when: dns_enabled is defined and dns_enabled == "Y" - + - name: Adblock script added to cron cron: name="Adblock hosts update" minute="10" hour="2" job="/opt/adblock.sh" when: dns_enabled is defined and dns_enabled == "Y" @@ -104,9 +104,9 @@ shell: > /opt/adblock.sh when: dns_enabled is defined and dns_enabled == "Y" - + - name: Forward all DNS requests to the local resolver - iptables: + iptables: table: nat chain: PREROUTING protocol: udp @@ -117,9 +117,9 @@ notify: - save iptables when: dns_enabled is defined and dns_enabled == "Y" - + - name: Forward all DNS requests to the local resolver - iptables: + iptables: table: nat chain: PREROUTING protocol: udp 
@@ -130,12 +130,12 @@ ip_version: ipv6 notify: - save iptables - when: dns_enabled is defined and dns_enabled == "Y" - + when: dns_enabled is defined and dns_enabled == "Y" + - name: Dnsmasq enabled and started service: name=dnsmasq state=started enabled=yes when: dns_enabled is defined and dns_enabled == "Y" - + - name: Dnsmasq disabled and stopped service: name=dnsmasq state=stopped enabled=no - when: dns_enabled is defined and dns_enabled != "Y" + when: dns_enabled is defined and dns_enabled != "Y" diff --git a/roles/google_cloud/tasks/main.yml b/roles/google_cloud/tasks/main.yml index dbe5c6c..b8957b1 100644 --- a/roles/google_cloud/tasks/main.yml +++ b/roles/google_cloud/tasks/main.yml @@ -13,7 +13,7 @@ project_id: "{{ credentials_file_lookup.project_id }}" metadata: '{"sshKeys":"root:{{ ssh_public_key_lookup }}"}' register: google_vm - + - name: Add the droplet to an inventory group add_host: name: "{{ google_vm.instance_data[0].public_ip}}" @@ -22,7 +22,7 @@ ansible_python_interpreter: "/usr/bin/python2.7" dns_enabled: "{{ dns_enabled }}" auditd_enabled: " {{ auditd_enabled }}" - + - name: Firewall configured local_action: module: gce_net @@ -31,13 +31,9 @@ allowed: "udp:500,4500;tcp:22" state: "present" src_range: 0.0.0.0/0 - service_account_email: "{{ credentials_file_lookup.client_email }}" + service_account_email: "{{ credentials_file_lookup.client_email }}" credentials_file: "{{ credentials_file }}" - project_id: "{{ credentials_file_lookup.project_id }}" + project_id: "{{ credentials_file_lookup.project_id }}" - name: Wait for SSH to become available local_action: "wait_for port=22 host={{ google_vm.instance_data[0].public_ip }} timeout=320" - - - - diff --git a/roles/logging/tasks/main.yml b/roles/logging/tasks/main.yml index e6a8885..fdda937 100644 --- a/roles/logging/tasks/main.yml +++ b/roles/logging/tasks/main.yml 
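Review bot: `auditd_enabled: " {{ auditd_enabled }}"` in the add_host block carries a leading space inside the quotes, so the host var handed to the new instance appears to come out as `" Y"` rather than `"Y"`; every play in this diff gates the logging role with `auditd_enabled == 'Y'`, so as far as I can tell that role would never run on a Google Cloud deployment even when the user answers Y, and auditd silently never gets configured. The `dns_enabled` line directly above shows the intended form; change it to `auditd_enabled: "{{ auditd_enabled }}"`. The add_host task starts before this hunk, so I cannot see whether anything else depends on the padded value.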
@@ -5,12 +5,11 @@ template: src=audit.rules.j2 dest=/etc/audit/audit.rules notify: - restart auditd - + - name: Auditd configured template: src=auditd.conf.j2 dest=/etc/audit/auditd.conf notify: - restart auditd - + - name: Enable services service: name=auditd enabled=yes - diff --git a/roles/security/handlers/main.yml b/roles/security/handlers/main.yml index dd2210b..da5c092 100644 --- a/roles/security/handlers/main.yml +++ b/roles/security/handlers/main.yml @@ -1,5 +1,5 @@ - name: restart rsyslog service: name=rsyslog state=restarted - + - name: flush routing cache - shell: echo 1 > /proc/sys/net/ipv4/route/flush + shell: echo 1 > /proc/sys/net/ipv4/route/flush diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml index e7fa93e..071f6ff 100644 --- a/roles/security/tasks/main.yml +++ b/roles/security/tasks/main.yml 
@@ -15,38 +15,38 @@ file: path='{{ item.stat.path }}' mode='go-w' recurse=yes when: item.stat.isdir with_items: "{{ minimize_access_directories.results }}" - no_log: True + no_log: True - name: Change shadow ownership to root and mode to 0600 file: dest='/etc/shadow' owner=root group=root mode=0600 - name: change su-binary to only be accessible to user and group root file: dest='/bin/su' owner=root group=root mode=0750 - + - name: Collect Use of privileged commands - shell: > + shell: > /usr/bin/find {/usr/local/sbin,/usr/local/bin,/sbin,/bin,/usr/sbin,/usr/bin} -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }' args: executable: /bin/bash - register: privileged_programs - + register: privileged_programs + # Rsyslog - + - name: Rsyslog configured template: src=rsyslog.conf.j2 dest=/etc/rsyslog.conf notify: - - restart rsyslog + - restart rsyslog - name: Rsyslog CIS configured template: src=CIS.conf.j2 dest=/etc/rsyslog.d/CIS.conf owner=root group=root mode=0644 notify: - - restart rsyslog - + - restart rsyslog + - name: Enable services service: name=rsyslog enabled=yes # Core dumps - + - name: Restrict core dumps (with PAM) lineinfile: dest=/etc/security/limits.conf line="* hard core 0" state=present @@ -62,13 +62,13 @@ - net.ipv4.conf.default.accept_source_route notify: - flush routing cache - + - name: Disable ICMP Redirect Acceptance sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present with_items: - net.ipv4.conf.all.accept_redirects - - net.ipv4.conf.default.accept_redirects - + - net.ipv4.conf.default.accept_redirects + - name: Disable Secure ICMP Redirect Acceptance sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present with_items: 
@@ -76,12 +76,12 @@ - net.ipv4.conf.default.secure_redirects notify: - flush routing cache - + - name: Enable Bad Error Message Protection sysctl: name=net.ipv4.icmp_ignore_bogus_error_responses value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present notify: - flush routing cache - + - name: Enable RFC-recommended Source Route Validation sysctl: name="{{item}}" value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present with_items: @@ -89,12 +89,12 @@ - net.ipv4.conf.default.rp_filter notify: - flush routing cache - + - name: Enable packet forwarding for IPv4 sysctl: name=net.ipv4.ip_forward value=1 - + - name: Enable packet forwarding for IPv6 - sysctl: name=net.ipv6.conf.all.forwarding value=1 + sysctl: name=net.ipv6.conf.all.forwarding value=1 - name: Do not send ICMP redirects (we are not a router) sysctl: name=net.ipv4.conf.all.send_redirects value=0 diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml index d070b51..0885344 100644 --- a/roles/vpn/handlers/main.yml +++ b/roles/vpn/handlers/main.yml @@ -3,10 +3,10 @@ - name: restart apparmor service: name=apparmor state=restarted - + - name: save iptables - command: service netfilter-persistent save - + command: service netfilter-persistent save + - name: congrats debug: msg: diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index c1bf4f8..8bbbcb5 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -9,7 +9,7 @@ - /usr/lib/ipsec/stroke notify: - restart apparmor - + - name: Enable services service: name={{ item }} enabled=yes with_items: 
@@ -21,32 +21,32 @@ iptables: table=nat chain=POSTROUTING source="{{ vpn_network }}" jump=MASQUERADE notify: - save iptables - + - name: Configure ip6tables so IPSec traffic can traverse the tunnel iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE notify: - - save iptables - + - save iptables + - name: Setup the ipsec.conf file from our template - template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644 + template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=0644 notify: - - restart strongswan + - restart strongswan - name: Setup the ipsec.secrets file - template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=600 + template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=0600 notify: - - restart strongswan - + - restart strongswan + - name: Fetch easy-rsa-ipsec from git - git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git dest="{{ easyrsa_dir }}" + git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git version=ed4de10d7ce0726357fb1bb4729f8eb440c06e2b dest="{{ easyrsa_dir }}" - name: Setup the vars file from our template template: src=easy-rsa.vars.j2 dest={{ easyrsa_dir }}/easyrsa3/vars - + - name: Ensure the pki directory is not exist file: dest={{ easyrsa_dir }}/easyrsa3/pki state=absent when: easyrsa_reinit_existent == True - + - name: Build the pki enviroments shell: > ./easyrsa init-pki && @@ -55,7 +55,7 @@ chdir: '{{ easyrsa_dir }}/easyrsa3/' creates: '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized' -- name: Build the CA pair +- name: Build the CA pair shell: > ./easyrsa build-ca nopass && touch {{ easyrsa_dir }}/easyrsa3/pki/ca_initialized 
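Review bot: Pinning the easy-rsa-ipsec clone with `version=ed4de10d7ce0726357fb1bb4729f8eb440c06e2b` is the right move, but the fetch still goes over `git://`, which is unauthenticated and unencrypted; Git checks the received objects against the requested commit hash, so the pin itself protects the CA-building code, but the transport offers no protection the moment someone relaxes the pin to a branch name during a later cleanup. Switching the clone to `repo=https://github.com/ValdikSS/easy-rsa-ipsec.git` costs nothing here. A one-line comment above the task recording that the commit was pinned deliberately (for example `# pinned to a reviewed commit; bump on purpose, never back to a branch`) would keep the next linting pass from undoing it, since this code generates the CA and every client key.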
@@ -63,8 +63,8 @@ chdir: '{{ easyrsa_dir }}/easyrsa3/' creates: '{{ easyrsa_dir }}/easyrsa3/pki/ca_initialized' notify: - - restart strongswan - + - restart strongswan + - name: Build the server pair shell: > ./easyrsa --subject-alt-name='DNS:{{ server_name }},IP:{{ ansible_ssh_host }}' build-server-full {{ ansible_ssh_host }} nopass&& @@ -73,7 +73,7 @@ chdir: '{{ easyrsa_dir }}/easyrsa3/' creates: '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized' notify: - - restart strongswan + - restart strongswan - name: Build the client's pair shell: > @@ -84,7 +84,7 @@ creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized' with_items: "{{ users }}" -- name: Build the client's p12 +- name: Build the client's p12 shell: > openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} && touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized' @@ -92,7 +92,7 @@ chdir: '{{ easyrsa_dir }}/easyrsa3/' creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized' with_items: "{{ users }}" - + - name: Copy the CA cert to the strongswan directory copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=root group=root mode=0600 notify: 
@@ -101,12 +101,12 @@ - name: Copy the server cert to the strongswan directory copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ ansible_ssh_host }}.crt' dest=/etc/ipsec.d/certs/{{ ansible_ssh_host }}.crt owner=root group=root mode=0600 notify: - - restart strongswan - + - restart strongswan + - name: Copy the server key to the strongswan directory copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ ansible_ssh_host }}.key' dest=/etc/ipsec.d/private/{{ ansible_ssh_host }}.key owner=root group=root mode=0600 notify: - - restart strongswan + - restart strongswan - name: Register p12 PayloadContent shell: > @@ -118,14 +118,14 @@ shell: > cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64 register: PayloadContentCA - + - name: Build the mobileconfigs template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600 with_together: - "{{ users }}" - "{{ PayloadContent.results }}" - no_log: True - + no_log: True + - name: Fetch users P12 fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ server_name }}_{{ item }}.p12 flat=yes with_items: "{{ users }}" @@ -133,7 +133,7 @@ - name: Fetch users mobileconfig fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ server_name }}_{{ item }}.mobileconfig flat=yes with_items: "{{ users }}" - + - name: Fetch server CA certificate fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ server_name }}_ca.crt flat=yes notify: diff --git a/users.yml b/users.yml index e2060a4..a7489c0 100644 --- a/users.yml +++ b/users.yml 
@@ -3,21 +3,21 @@ - hosts: localhost gather_facts: False vars_files: - - config.cfg + - config.cfg vars_prompt: - + - name: "server_ip" prompt: "\nEnter IP address of your server:\n" private: no - + - name: "server_user" prompt: "What user should we use to login on the server?:\n" default: "root" private: no - + tasks: - name: Add the server to the vpn-host group - add_host: + add_host: hostname: "{{ server_ip }}" groupname: vpn-host ansible_ssh_user: "{{ server_user }}" @@ -25,15 +25,15 @@ - name: Wait for SSH to become available local_action: "wait_for port=22 host={{ server_ip }} timeout=320" - become: false + become: false - name: User management hosts: vpn-host gather_facts: false become: true vars_files: - - config.cfg - + - config.cfg + tasks: - name: Build the client's pair shell: > @@ -52,14 +52,14 @@ chdir: '{{ easyrsa_dir }}/easyrsa3/' creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized' with_items: "{{ users }}" - + - name: Get active users shell: > grep ^V pki/index.txt | grep -v "{{ server_name }}" | awk '{print $5}' | sed 's/\/CN=//g' args: chdir: '{{ easyrsa_dir }}/easyrsa3/' register: valid_certs - + - name: Revoke non-existing users shell: > ipsec pki --signcrl --cacert {{ easyrsa_dir }}/easyrsa3//pki/ca.crt --cakey {{ easyrsa_dir }}/easyrsa3/pki/private/ca.key --reason superseded --cert {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt > /etc/ipsec.d/crls/{{ item }}.der && @@ -69,7 +69,7 @@ chdir: '{{ easyrsa_dir }}/easyrsa3/' when: item not in users with_items: "{{ valid_certs.stdout_lines }}" - + - name: Register p12 PayloadContent shell: > cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64 
@@ -80,14 +80,14 @@ shell: > cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64 register: PayloadContentCA - + - name: Build the mobileconfigs template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600 with_together: - "{{ users }}" - "{{ PayloadContent.results }}" - no_log: True - + no_log: True + - name: Fetch users P12 fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ server_name }}_{{ item }}.p12 flat=yes with_items: "{{ users }}" @@ -98,4 +98,3 @@ - name: Fetch server CA certificate fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ server_name }}_ca.crt flat=yes -