pull in changes from master

8 years ago · 1a3a14943c
parent 462bf29e08 fcf29534ba
commit 1a3a14943c
12 changed files with 29 additions and 18 deletions
--- a/README.md
+++ b/README.md
@ -73,7 +73,7 @@ Use the following command to SSH tunnel through the server:

 ```asdf```

-[explain the options]
+asdf then explain the options used

 ## FAQ

--- a/4
+++ b/4
@ -64,9 +64,9 @@ Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing
 Note: Make sure to use either your root key (recommended) or an IAM user with an acceptable policy attached
 [ABCD...]: " -rs aws_secret_key
  
-  read -p "
+  read -e -p "
 Enter the local path to your SSH public key:
-: " -r ssh_public_key
+: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key

  read -p "
 Name the vpn server:
--- a/docs/ADVANCED.md
+++ b/docs/ADVANCED.md
@ -17,6 +17,8 @@ Before you begin, make sure you have installed all the dependencies necessary fo

 ## Local Deployment

+**Warning**: If you run Algo on your existing server, the iptables rules will be overwritten. If you don't want to overwite the rules, just skip the `iptables` tag. You can find some information about tags below.
+
 It is possible to download the Algo scripts to your own Ubuntu server and run the scripts locally. You need to install ansible to run Algo on Ubuntu. Installing ansible via pip requires pulling in a lot of dependencies, including a full compiler suite. It is easier to use apt, however, Ubuntu 16.04 only comes with ansible 2.0.0.2. Therefore, to use apt you must use the ansible PPA, and using a PPA requires installing `software-properties-common`.

 tl;dr:
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@ -5,7 +5,10 @@
  apt: name=privoxy state=latest

 - name: Privoxy configured
-  template: src=privoxy_config.j2 dest=/etc/privoxy/config
+  template: src="{{ item.src }}" dest="{{ item.dest }}"
+  with_items:
+    - { src: privoxy_config.j2, dest: /etc/privoxy/config }
+    - { src: default.filter.j2, dest: /etc/privoxy/default.filter }
  notify:
    - restart privoxy

--- a/roles/proxy/templates/default.filter.j2
+++ b/roles/proxy/templates/default.filter.j2
--- a/roles/security/handlers/main.yml
+++ b/roles/security/handlers/main.yml
@ -1,8 +1,5 @@
 - name: restart ssh
  service: name=ssh state=restarted

- name: restart iptables
-  service: name=netfilter-persistent state=restarted
-
 - name: flush routing cache
  shell: echo 1 > /proc/sys/net/ipv4/route/flush
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@ -88,14 +88,6 @@
 - name: Do not send ICMP redirects (we are not a router)
  sysctl: name=net.ipv4.conf.all.send_redirects value=0

- name: Iptables configured
-  template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
-  with_items:
-    - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
-    - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
-  notify:
-    - restart iptables
-
 - name: SSH config
  template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
  notify:
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@ -6,13 +6,13 @@

 - name: restart apparmor
  service: name=apparmor state=restarted
-  
- name: save iptables
-  shell: service netfilter-persistent save

 - name: save iptables
  shell: service netfilter-persistent save

+- name: restart iptables
+  service: name=netfilter-persistent state=restarted
+
 - name: congrats
  debug:
    msg:
--- a/roles/vpn/tasks/iptables.yml
+++ b/roles/vpn/tasks/iptables.yml
@ -0,0 +1,9 @@
+---
+
+- name: Iptables configured
+  template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640
+  with_items:
+    - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
+    - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
+  notify:
+    - restart iptables
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@ -191,3 +191,7 @@
  fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
  notify:
    - congrats
+
+- include: iptables.yml
+  tags: iptables
+
--- a/roles/security/templates/rules.v4.j2
+++ b/roles/security/templates/rules.v4.j2
--- a/roles/security/templates/rules.v6.j2
+++ b/roles/security/templates/rules.v6.j2
@ -17,6 +17,10 @@ COMMIT
 -A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j DROP
 -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
 -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
+-A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
 # TODO:
 # The IP of the resolver should be bound to a DUMMY interface.
 # DUMMY interfaces are the proper way to install IPs without assigning them any