mirror of
https://github.com/trailofbits/algo.git
synced 2025-04-25 10:43:48 +02:00
273c7665d3
<!--- Provide a general summary of your changes in the Title above --> ## Description Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162 Configures Ansible to use python3 on the server side. Closes #1024 Removes unneeded playbooks, reorganises a lot of variables Reorganises the `config` folder. Closes #1330 <details><summary>Here is how the config directory looks like now</summary> <p> ``` configs/X.X.X.X/ |-- ipsec | |-- apple | | |-- desktop.mobileconfig | | |-- laptop.mobileconfig | | `-- phone.mobileconfig | |-- manual | | |-- cacert.pem | | |-- desktop.p12 | | |-- desktop.ssh.pem | | |-- ipsec_desktop.conf | | |-- ipsec_desktop.secrets | | |-- ipsec_laptop.conf | | |-- ipsec_laptop.secrets | | |-- ipsec_phone.conf | | |-- ipsec_phone.secrets | | |-- laptop.p12 | | |-- laptop.ssh.pem | | |-- phone.p12 | | `-- phone.ssh.pem | `-- windows | |-- desktop.ps1 | |-- laptop.ps1 | `-- phone.ps1 |-- ssh-tunnel | |-- desktop.pem | |-- desktop.pub | |-- laptop.pem | |-- laptop.pub | |-- phone.pem | |-- phone.pub | `-- ssh_config `-- wireguard |-- desktop.conf |-- desktop.png |-- laptop.conf |-- laptop.png |-- phone.conf `-- phone.png ```  </p> </details> ## Motivation and Context This refactoring is focused to aim to the 1.0 release ## How Has This Been Tested? Deployed to several cloud providers with various options enabled and disabled ## Types of changes <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: --> - [x] Refactoring ## Checklist: <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] I have read the **CONTRIBUTING** document. - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [x] I have updated the documentation accordingly. - [x] All new and existing tests passed.
139 lines
5.9 KiB
YAML
139 lines
5.9 KiB
YAML
---
|
|
- name: Ask user for the input
|
|
hosts: localhost
|
|
tags: always
|
|
vars:
|
|
defaults:
|
|
server_name: algo
|
|
ondemand_cellular: false
|
|
ondemand_wifi: false
|
|
local_dns: false
|
|
ssh_tunneling: false
|
|
windows: false
|
|
store_cakey: false
|
|
providers_map:
|
|
- { name: DigitalOcean, alias: digitalocean }
|
|
- { name: Amazon Lightsail, alias: lightsail }
|
|
- { name: Amazon EC2, alias: ec2 }
|
|
- { name: Vultr, alias: vultr }
|
|
- { name: Microsoft Azure, alias: azure }
|
|
- { name: Google Compute Engine, alias: gce }
|
|
- { name: Scaleway, alias: scaleway}
|
|
- { name: OpenStack (DreamCompute optimised), alias: openstack }
|
|
- { name: Install to existing Ubuntu 18.04 server (Advanced), alias: local }
|
|
vars_files:
|
|
- config.cfg
|
|
|
|
tasks:
|
|
- pause:
|
|
prompt: |
|
|
What provider would you like to use?
|
|
{% for p in providers_map %}
|
|
{{ loop.index }}. {{ p['name']}}
|
|
{% endfor %}
|
|
|
|
Enter the number of your desired provider
|
|
register: _algo_provider
|
|
when: provider is undefined
|
|
|
|
- name: Set facts based on the input
|
|
set_fact:
|
|
algo_provider: "{{ provider | default(providers_map[_algo_provider.user_input|default(omit)|int - 1]['alias']) }}"
|
|
|
|
- pause:
|
|
prompt: |
|
|
Name the vpn server
|
|
[algo]
|
|
register: _algo_server_name
|
|
when:
|
|
- server_name is undefined
|
|
- algo_provider != "local"
|
|
- block:
|
|
- pause:
|
|
prompt: |
|
|
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
|
|
[y/N]
|
|
register: _ondemand_cellular
|
|
when: ondemand_cellular is undefined
|
|
|
|
- pause:
|
|
prompt: |
|
|
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
|
|
[y/N]
|
|
register: _ondemand_wifi
|
|
when: ondemand_wifi is undefined
|
|
|
|
- pause:
|
|
prompt: |
|
|
List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand"
|
|
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
|
|
register: _ondemand_wifi_exclude
|
|
when:
|
|
- ondemand_wifi_exclude is undefined
|
|
- (ondemand_wifi|default(false)|bool) or
|
|
(booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false))
|
|
|
|
- pause:
|
|
prompt: |
|
|
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
|
|
[y/N]
|
|
register: _windows
|
|
when: windows is undefined
|
|
|
|
- pause:
|
|
prompt: |
|
|
Do you want to retain the CA key? (required to add users in the future, but less secure)
|
|
[y/N]
|
|
register: _store_cakey
|
|
when: store_cakey is undefined
|
|
when: ipsec_enabled
|
|
|
|
- pause:
|
|
prompt: |
|
|
Do you want to install an ad blocking DNS resolver on this VPN server?
|
|
[y/N]
|
|
register: _local_dns
|
|
when: local_dns is undefined
|
|
|
|
- pause:
|
|
prompt: |
|
|
Do you want each user to have their own account for SSH tunneling?
|
|
[y/N]
|
|
register: _ssh_tunneling
|
|
when: ssh_tunneling is undefined
|
|
|
|
- name: Set facts based on the input
|
|
set_fact:
|
|
algo_server_name: >-
|
|
{% if server_name is defined %}{% set _server = server_name %}
|
|
{%- elif _algo_server_name.user_input is defined and _algo_server_name.user_input != "" %}{% set _server = _algo_server_name.user_input %}
|
|
{%- else %}{% set _server = defaults['server_name'] %}{% endif -%}
|
|
{{ _server | regex_replace('(?!\.)(\W|_)', '-') }}
|
|
algo_ondemand_cellular: >-
|
|
{% if ondemand_cellular is defined %}{{ ondemand_cellular | bool }}
|
|
{%- elif _ondemand_cellular.user_input is defined and _ondemand_cellular.user_input != "" %}{{ booleans_map[_ondemand_cellular.user_input] | default(defaults['ondemand_cellular']) }}
|
|
{%- else %}false{% endif %}
|
|
algo_ondemand_wifi: >-
|
|
{% if ondemand_wifi is defined %}{{ ondemand_wifi | bool }}
|
|
{%- elif _ondemand_wifi.user_input is defined and _ondemand_wifi.user_input != "" %}{{ booleans_map[_ondemand_wifi.user_input] | default(defaults['ondemand_wifi']) }}
|
|
{%- else %}false{% endif %}
|
|
algo_ondemand_wifi_exclude: >-
|
|
{% if ondemand_wifi_exclude is defined %}{{ ondemand_wifi_exclude | b64encode }}
|
|
{%- elif _ondemand_wifi_exclude.user_input is defined and _ondemand_wifi_exclude.user_input != "" %}{{ _ondemand_wifi_exclude.user_input | b64encode }}
|
|
{%- else %}{{ '_null' | b64encode }}{% endif %}
|
|
algo_local_dns: >-
|
|
{% if local_dns is defined %}{{ local_dns | bool }}
|
|
{%- elif _local_dns.user_input is defined and _local_dns.user_input != "" %}{{ booleans_map[_local_dns.user_input] | default(defaults['local_dns']) }}
|
|
{%- else %}false{% endif %}
|
|
algo_ssh_tunneling: >-
|
|
{% if ssh_tunneling is defined %}{{ ssh_tunneling | bool }}
|
|
{%- elif _ssh_tunneling.user_input is defined and _ssh_tunneling.user_input != "" %}{{ booleans_map[_ssh_tunneling.user_input] | default(defaults['ssh_tunneling']) }}
|
|
{%- else %}false{% endif %}
|
|
algo_windows: >-
|
|
{% if windows is defined %}{{ windows | bool }}
|
|
{%- elif _windows.user_input is defined and _windows.user_input != "" %}{{ booleans_map[_windows.user_input] | default(defaults['windows']) }}
|
|
{%- else %}false{% endif %}
|
|
algo_store_cakey: >-
|
|
{% if store_cakey is defined %}{{ store_cakey | bool }}
|
|
{%- elif _store_cakey.user_input is defined and _store_cakey.user_input != "" %}{{ booleans_map[_store_cakey.user_input] | default(defaults['store_cakey']) }}
|
|
{%- else %}false{% endif %}
|