2016-10-13 13:27:06 +00:00
# Ansible Roles
2017-04-13 00:25:31 +00:00
## Required roles
2016-10-13 13:27:06 +00:00
* **Common**
* Installs several required packages and software updates, then reboots if necessary
2017-04-01 04:19:10 +00:00
* Configures network interfaces, and enables packet forwarding on them
2016-10-13 13:27:06 +00:00
* **VPN**
2017-04-01 04:19:10 +00:00
* Installs [strongSwan ](https://www.strongswan.org/ ), enables AppArmor, limits CPU and memory access, and drops user privileges
2016-10-13 13:27:06 +00:00
* Builds a Certificate Authority (CA) with [easy-rsa-ipsec ](https://github.com/ValdikSS/easy-rsa-ipsec ) and creates one client certificate per user
* Bundles the appropriate certificates into Apple mobileconfig profiles for each user
* Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS ](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834 )
2017-04-13 00:25:31 +00:00
## Optional roles
2016-10-13 13:27:06 +00:00
2016-12-29 13:03:55 +00:00
* **Security Enhancements**
2016-10-13 13:27:06 +00:00
* Enables [unattended-upgrades ](https://help.ubuntu.com/community/AutomaticSecurityUpdates ) to ensure available patches are always applied
* Modify features like core dumps, kernel parameters, and SUID binaries to limit possible attacks
2016-12-30 18:20:09 +00:00
* Enhances SSH with modern ciphers and seccomp, and restricts access to old or unwanted features like X11 forwarding and SFTP
* **DNS-based Adblocking**
2016-10-13 13:27:06 +00:00
* Install the [dnsmasq ](http://www.thekelleys.org.uk/dnsmasq/doc.html ) local resolver with a blacklist for advertising domains
* Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations
* **SSH Tunneling**
* Adds a restricted `algo` group with no shell access and limited SSH forwarding options
* Creates one limited, local account per user and an SSH public key for each
