linting
This commit is contained in:
parent
470f60a46f
commit
f538ffe4e8
19 changed files with 206 additions and 235 deletions
|
@ -7,11 +7,12 @@ Algo (short for "Al Gore", the **V**ice **P**resident of **N**etworks everywhere
|
||||||
## Features
|
## Features
|
||||||
|
|
||||||
* Supports only IKEv2
|
* Supports only IKEv2
|
||||||
* Supports only AES GCM, SHA2 HMAC, and P-256 DH
|
* Supports only a single cipher suite w/ AES GCM, SHA2 HMAC, and P-256 DH
|
||||||
* Generates mobileconfig profiles to auto-configure Apple devices
|
* Generates mobileconfig profiles to auto-configure Apple devices
|
||||||
* Provides helper scripts to add and remove users
|
* Provides helper scripts to add and remove users
|
||||||
* Blocks ads with a local DNS resolver and HTTP proxy (optional)
|
* Blocks ads with a local DNS resolver and HTTP proxy (optional)
|
||||||
* Based on current versions of Ubuntu and StrongSwan
|
* Based on current versions of Ubuntu and StrongSwan
|
||||||
|
* Installs to DigitalOcean, Amazon EC2, Google Cloud Engine, or your own server
|
||||||
|
|
||||||
## Anti-features
|
## Anti-features
|
||||||
|
|
||||||
|
@ -46,12 +47,6 @@ sudo easy_install pip
|
||||||
sudo pip install ansible dopy==0.3.5 boto apache-libcloud six
|
sudo pip install ansible dopy==0.3.5 boto apache-libcloud six
|
||||||
```
|
```
|
||||||
|
|
||||||
There are four available installation targets:
|
|
||||||
* DigitalOcean
|
|
||||||
* Amazon EC2
|
|
||||||
* Google Cloud Engine
|
|
||||||
* Local servers
|
|
||||||
|
|
||||||
Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
|
Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list.
|
||||||
|
|
||||||
Start the deploy and follow the instructions:
|
Start the deploy and follow the instructions:
|
||||||
|
|
|
@ -93,7 +93,3 @@
|
||||||
- vpn
|
- vpn
|
||||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
|
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -120,7 +120,3 @@
|
||||||
handlers:
|
handlers:
|
||||||
- name: reload eth0
|
- name: reload eth0
|
||||||
shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'
|
shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
1
ec2.yml
1
ec2.yml
|
@ -88,4 +88,3 @@
|
||||||
- features
|
- features
|
||||||
- vpn
|
- vpn
|
||||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
|
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
|
||||||
|
|
||||||
|
|
|
@ -84,8 +84,3 @@
|
||||||
- features
|
- features
|
||||||
- vpn
|
- vpn
|
||||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
|
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -56,4 +56,3 @@
|
||||||
- features
|
- features
|
||||||
- vpn
|
- vpn
|
||||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
|
- { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' }
|
||||||
|
|
||||||
|
|
|
@ -6,4 +6,3 @@
|
||||||
|
|
||||||
- name: flush routing cache
|
- name: flush routing cache
|
||||||
shell: echo 1 > /proc/sys/net/ipv4/route/flush
|
shell: echo 1 > /proc/sys/net/ipv4/route/flush
|
||||||
|
|
||||||
|
|
|
@ -64,7 +64,7 @@
|
||||||
- iptables-persistent
|
- iptables-persistent
|
||||||
|
|
||||||
- name: Configure unattended-upgrades
|
- name: Configure unattended-upgrades
|
||||||
template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=644
|
template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644
|
||||||
|
|
||||||
- name: Periodic upgrades configured
|
- name: Periodic upgrades configured
|
||||||
template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=644
|
template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644
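Review bot: The `mode=644` → `mode=0644` change on the two `template:` lines is harmless but also nearly a no-op in this form: with `key=value` arguments the mode is already a string and is parsed as octal, so `644` and `0644` mean the same thing here. The real hazard it pre-empts is a later conversion to a YAML mapping, where an unquoted `mode: 644` becomes the decimal integer 644 (octal 1204). Since this commit is a linting pass, it would be the natural point to move these tasks to native block YAML with the mode kept as a quoted string, which is safe under both YAML 1.1 and 1.2 parsers; the same applies to the other `template:` lines touched by this commit.
```yaml
- name: Configure unattended-upgrades
  template:
    src: 50unattended-upgrades.j2
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    owner: root
    group: root
    mode: "0644"

- name: Periodic upgrades configured
  template:
    src: 10periodic.j2
    dest: /etc/apt/apt.conf.d/10periodic
    owner: root
    group: root
    mode: "0644"
```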
|
||||||
|
|
|
@ -36,4 +36,3 @@
|
||||||
|
|
||||||
- name: Wait for SSH to become available
|
- name: Wait for SSH to become available
|
||||||
local_action: "wait_for port=22 host={{ do.droplet.ip_address }} timeout=320"
|
local_action: "wait_for port=22 host={{ do.droplet.ip_address }} timeout=320"
|
||||||
|
|
||||||
|
|
|
@ -77,4 +77,3 @@
|
||||||
local_action: "wait_for port=22 host={{ item.public_dns_name }} timeout=320"
|
local_action: "wait_for port=22 host={{ item.public_dns_name }} timeout=320"
|
||||||
with_items: "{{ ec2.instances }}"
|
with_items: "{{ ec2.instances }}"
|
||||||
become: false
|
become: false
|
||||||
|
|
||||||
|
|
|
@ -24,7 +24,7 @@
|
||||||
- restart privoxy
|
- restart privoxy
|
||||||
|
|
||||||
- name: Privoxy profile for apparmor configured
|
- name: Privoxy profile for apparmor configured
|
||||||
template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=600
|
template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=0600
|
||||||
notify:
|
notify:
|
||||||
- restart privoxy
|
- restart privoxy
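Review bot: Writing `/etc/apparmor.d/usr.sbin.privoxy` and notifying only `restart privoxy` does not, by itself, put the new profile into effect: AppArmor profiles are loaded into the kernel by `apparmor_parser` (or the apparmor service), and restarting the confined process only picks up whatever profile is currently loaded, which on a fresh host may be none until the next boot. Unless the `restart privoxy` handler, defined outside this hunk, also reloads the profile, add a handler such as `- name: reload apparmor privoxy` / `shell: apparmor_parser -r /etc/apparmor.d/usr.sbin.privoxy` and list it in this task's `notify` ahead of `restart privoxy`. The dnsmasq profile task in the following hunk has the same shape and would need the same treatment. The `600` → `0600` change is fine; in `key=value` form both are parsed as octal, so this only guards a future move to block YAML, where the value should stay quoted.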
|
||||||
|
|
||||||
|
@ -80,7 +80,7 @@
|
||||||
apt: name=dnsmasq state=latest
|
apt: name=dnsmasq state=latest
|
||||||
|
|
||||||
- name: Dnsmasq profile for apparmor configured
|
- name: Dnsmasq profile for apparmor configured
|
||||||
template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=600
|
template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600
|
||||||
notify:
|
notify:
|
||||||
- restart dnsmasq
|
- restart dnsmasq
|
||||||
|
|
||||||
|
@ -93,7 +93,7 @@
|
||||||
- restart dnsmasq
|
- restart dnsmasq
|
||||||
|
|
||||||
- name: Adblock script created
|
- name: Adblock script created
|
||||||
template: src=adblock.sh dest=/opt/adblock.sh owner=root group=root mode=755
|
template: src=adblock.sh dest=/opt/adblock.sh owner=root group=root mode=0755
|
||||||
when: dns_enabled is defined and dns_enabled == "Y"
|
when: dns_enabled is defined and dns_enabled == "Y"
|
||||||
|
|
||||||
- name: Adblock script added to cron
|
- name: Adblock script added to cron
|
||||||
|
|
|
@ -31,13 +31,9 @@
|
||||||
allowed: "udp:500,4500;tcp:22"
|
allowed: "udp:500,4500;tcp:22"
|
||||||
state: "present"
|
state: "present"
|
||||||
src_range: 0.0.0.0/0
|
src_range: 0.0.0.0/0
|
||||||
service_account_email: "{{ credentials_file_lookup.client_email }}"
|
service_account_email: "{{ credentials_file_lookup.client_email }}"
|
||||||
credentials_file: "{{ credentials_file }}"
|
credentials_file: "{{ credentials_file }}"
|
||||||
project_id: "{{ credentials_file_lookup.project_id }}"
|
project_id: "{{ credentials_file_lookup.project_id }}"
|
||||||
|
|
||||||
- name: Wait for SSH to become available
|
- name: Wait for SSH to become available
|
||||||
local_action: "wait_for port=22 host={{ google_vm.instance_data[0].public_ip }} timeout=320"
|
local_action: "wait_for port=22 host={{ google_vm.instance_data[0].public_ip }} timeout=320"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -13,4 +13,3 @@
|
||||||
|
|
||||||
- name: Enable services
|
- name: Enable services
|
||||||
service: name=auditd enabled=yes
|
service: name=auditd enabled=yes
|
||||||
|
|
||||||
|
|
|
@ -28,17 +28,17 @@
|
||||||
- save iptables
|
- save iptables
|
||||||
|
|
||||||
- name: Setup the ipsec.conf file from our template
|
- name: Setup the ipsec.conf file from our template
|
||||||
template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644
|
template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=0644
|
||||||
notify:
|
notify:
|
||||||
- restart strongswan
|
- restart strongswan
|
||||||
|
|
||||||
- name: Setup the ipsec.secrets file
|
- name: Setup the ipsec.secrets file
|
||||||
template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=600
|
template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=0600
|
||||||
notify:
|
notify:
|
||||||
- restart strongswan
|
- restart strongswan
|
||||||
|
|
||||||
- name: Fetch easy-rsa-ipsec from git
|
- name: Fetch easy-rsa-ipsec from git
|
||||||
git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git dest="{{ easyrsa_dir }}"
|
git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git version=ed4de10d7ce0726357fb1bb4729f8eb440c06e2b dest="{{ easyrsa_dir }}"
|
||||||
|
|
||||||
- name: Setup the vars file from our template
|
- name: Setup the vars file from our template
|
||||||
template: src=easy-rsa.vars.j2 dest={{ easyrsa_dir }}/easyrsa3/vars
|
template: src=easy-rsa.vars.j2 dest={{ easyrsa_dir }}/easyrsa3/vars
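Review bot: Pinning easy-rsa-ipsec to `version=ed4de10d…` is a real supply-chain improvement, but the clone on the `git:` line still uses the `git://` transport, which is neither authenticated nor encrypted. With a full commit hash pinned, a tampered or spoofed remote can only make the checkout fail rather than silently substitute code, yet availability is unprotected and the protection evaporates the moment someone loosens `version` to a branch or tag; switching to `repo=https://github.com/ValdikSS/easy-rsa-ipsec.git` costs nothing and gets transport integrity from TLS. Separately, the `ipsec.secrets` mode change to `0600` is correct for a file holding the server's private key material, while the `vars` template at the end of the hunk is written with no `owner`/`group`/`mode` at all, unlike the two ipsec files above it; `owner=root group=root mode=0644` would at least make its permissions explicit rather than inherited from the umask of the connecting user.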
|
||||||
|
|
|
@ -98,4 +98,3 @@
|
||||||
|
|
||||||
- name: Fetch server CA certificate
|
- name: Fetch server CA certificate
|
||||||
fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ server_name }}_ca.crt flat=yes
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ server_name }}_ca.crt flat=yes
|
||||||
|
|
||||||
|
|