algo/docs/setup-roles.md

# Ansible Roles

## Required roles

* **Common**
  * Installs several required packages and software updates, then reboots if necessary
  * Configures network interfaces, and enables packet forwarding on them
* **VPN**
  * Installs [strongSwan](https://www.strongswan.org/), enables AppArmor, limits CPU and memory access, and drops user privileges
  * Builds a Certificate Authority (CA) with [easy-rsa-ipsec](https://github.com/ValdikSS/easy-rsa-ipsec) and creates one client certificate per user
  * Bundles the appropriate certificates into Apple mobileconfig profiles for each user
  * Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834)

## Optional roles

* **Security Enhancements**
  * Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied
  * Modify features like core dumps, kernel parameters, and SUID binaries to limit possible attacks
  * Enhances SSH with modern ciphers and seccomp, and restricts access to old or unwanted features like X11 forwarding and SFTP
* **DNS-based Adblocking**
  * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains
  * Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations
* **DNS encryption**
  * Install [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy)
  * Constrains dingo with AppArmor and cgroups CPU and memory limitations
* **SSH Tunneling**
  * Adds a restricted `algo` group with no shell access and limited SSH forwarding options
  * Creates one limited, local account per user and an SSH public key for each
Initial commit of reorg'd docs 2016-10-13 13:27:06 +00:00			`# Ansible Roles`

Reorganize documentation for GitHub pages (#378) Reorganize documentation for clarity and use with GitHub pages static site generator. This closes #371. 2017-04-13 00:25:31 +00:00			`## Required roles`
Initial commit of reorg'd docs 2016-10-13 13:27:06 +00:00
			`* Common`
			`* Installs several required packages and software updates, then reboots if necessary`
Minor name and documentation edits (#327) 2017-04-01 04:19:10 +00:00			`* Configures network interfaces, and enables packet forwarding on them`
Initial commit of reorg'd docs 2016-10-13 13:27:06 +00:00			`* VPN`
Minor name and documentation edits (#327) 2017-04-01 04:19:10 +00:00			`* Installs [strongSwan](https://www.strongswan.org/), enables AppArmor, limits CPU and memory access, and drops user privileges`
Initial commit of reorg'd docs 2016-10-13 13:27:06 +00:00			`* Builds a Certificate Authority (CA) with [easy-rsa-ipsec](https://github.com/ValdikSS/easy-rsa-ipsec) and creates one client certificate per user`
			`* Bundles the appropriate certificates into Apple mobileconfig profiles for each user`
			`* Configures IPtables to block traffic that might pose a risk to VPN users, such as [SMB/CIFS](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834)`

Reorganize documentation for GitHub pages (#378) Reorganize documentation for clarity and use with GitHub pages static site generator. This closes #371. 2017-04-13 00:25:31 +00:00			`## Optional roles`
Initial commit of reorg'd docs 2016-10-13 13:27:06 +00:00
consistency 2016-12-29 13:03:55 +00:00			`* Security Enhancements`
Initial commit of reorg'd docs 2016-10-13 13:27:06 +00:00			`* Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied`
			`* Modify features like core dumps, kernel parameters, and SUID binaries to limit possible attacks`
clarifications 2016-12-30 18:20:09 +00:00			`* Enhances SSH with modern ciphers and seccomp, and restricts access to old or unwanted features like X11 forwarding and SFTP`
			`* DNS-based Adblocking`
Initial commit of reorg'd docs 2016-10-13 13:27:06 +00:00			`* Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains`
			`* Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations`
DNS-over-HTTPS (#875) 2018-04-25 19:27:58 +00:00			`* DNS encryption`
			`* Install [dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy)`
			`* Constrains dingo with AppArmor and cgroups CPU and memory limitations`
Initial commit of reorg'd docs 2016-10-13 13:27:06 +00:00			`* SSH Tunneling`
			* Adds a restricted `algo` group with no shell access and limited SSH forwarding options
			`* Creates one limited, local account per user and an SSH public key for each`