mirror of https://github.com/trailofbits/algo
Refactoring (#1334)
<!--- Provide a general summary of your changes in the Title above --> ## Description Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162 Configures Ansible to use python3 on the server side. Closes #1024 Removes unneeded playbooks, reorganises a lot of variables Reorganises the `config` folder. Closes #1330 <details><summary>Here is how the config directory looks like now</summary> <p> ``` configs/X.X.X.X/ |-- ipsec | |-- apple | | |-- desktop.mobileconfig | | |-- laptop.mobileconfig | | `-- phone.mobileconfig | |-- manual | | |-- cacert.pem | | |-- desktop.p12 | | |-- desktop.ssh.pem | | |-- ipsec_desktop.conf | | |-- ipsec_desktop.secrets | | |-- ipsec_laptop.conf | | |-- ipsec_laptop.secrets | | |-- ipsec_phone.conf | | |-- ipsec_phone.secrets | | |-- laptop.p12 | | |-- laptop.ssh.pem | | |-- phone.p12 | | `-- phone.ssh.pem | `-- windows | |-- desktop.ps1 | |-- laptop.ps1 | `-- phone.ps1 |-- ssh-tunnel | |-- desktop.pem | |-- desktop.pub | |-- laptop.pem | |-- laptop.pub | |-- phone.pem | |-- phone.pub | `-- ssh_config `-- wireguard |-- desktop.conf |-- desktop.png |-- laptop.conf |-- laptop.png |-- phone.conf `-- phone.png ``` ![finder](https://i.imgur.com/FtOmKO0.png) </p> </details> ## Motivation and Context This refactoring is focused to aim to the 1.0 release ## How Has This Been Tested? Deployed to several cloud providers with various options enabled and disabled ## Types of changes <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: --> - [x] Refactoring ## Checklist: <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] I have read the **CONTRIBUTING** document. - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [x] I have updated the documentation accordingly. - [x] All new and existing tests passed.pull/1348/head
parent
7e7476ec6b
commit
273c7665d3
@ -1,67 +0,0 @@
|
||||
---
|
||||
|
||||
# This playbook is designed to help when modifying the Windows script template
|
||||
# in roles/vpn/templates/client_windows.ps1.j2
|
||||
# It rebuilds the client_USER.ps1 scripts for each user defined in config.cfg,
|
||||
# without redeploying users or opening an SSH connection to the Algo server at
|
||||
# all.
|
||||
#
|
||||
# This playbook is _not_ part of a normal Algo deployment.
|
||||
# It is only intended to speed up development of the client_USER.ps1 Windows
|
||||
# Algo install scripts.
|
||||
#
|
||||
# REQUIREMENTS
|
||||
# - Algo must have been deployed once
|
||||
# - Windows users must have been enabled at deployment time
|
||||
# - All users defined in config.cfg must not have changed
|
||||
# - Only one Algo deployment exists in the configs/ directory
|
||||
# - There must be exactly one subfolder in the configs/ directory:
|
||||
# the folder named after the IP of the algo server
|
||||
|
||||
- hosts: localhost
|
||||
gather_facts: False
|
||||
tags: always
|
||||
vars_files:
|
||||
- ../config.cfg
|
||||
|
||||
tasks:
|
||||
|
||||
- name: Get config subdir
|
||||
shell: find ../configs/* -maxdepth 0 -type d | sed 's/.*\///'
|
||||
register: config_subdir_result
|
||||
- fail:
|
||||
msg:
|
||||
- "Found wrong number of config subdirs... stdout:"
|
||||
- "{{ config_subdir_result.split('\n') }}"
|
||||
when: config_subdir_result.stdout.split('\n') | length != 1
|
||||
- set_fact:
|
||||
IP_subject_alt_name: "{{ config_subdir_result.stdout }}"
|
||||
- debug:
|
||||
var: IP_subject_alt_name
|
||||
|
||||
- name: Register p12 PayloadContent
|
||||
shell: cat private/{{ item }}.p12 | base64
|
||||
register: PayloadContent
|
||||
args:
|
||||
chdir: "../configs/{{ IP_subject_alt_name }}/pki/"
|
||||
with_items: "{{ users }}"
|
||||
|
||||
- name: Set facts for mobileconfigs
|
||||
set_fact:
|
||||
proxy_enabled: false
|
||||
PayloadContentCA: "{{ lookup('file' , '../configs/{{ IP_subject_alt_name }}/pki/cacert.pem')|b64encode }}"
|
||||
|
||||
- name: Build the windows client powershell script
|
||||
template:
|
||||
src: ../roles/vpn/templates/client_windows.ps1.j2
|
||||
dest: ../configs/{{ IP_subject_alt_name }}/windows_{{ item.0 }}.ps1
|
||||
mode: 0600
|
||||
with_together:
|
||||
- "{{ users }}"
|
||||
- "{{ PayloadContent.results }}"
|
||||
|
||||
- name: List windows client powershell scripts
|
||||
debug:
|
||||
msg: "configs/{{ IP_subject_alt_name }}/windows_{{ item }}.ps1"
|
||||
with_items:
|
||||
- "{{ users }}"
|
@ -0,0 +1,2 @@
|
||||
---
|
||||
ssh_tunnels_config_path: "configs/{{ IP_subject_alt_name }}/ssh-tunnel/"
|
@ -1,3 +0,0 @@
|
||||
{% for item in ssh_fingerprints.stdout_lines %}
|
||||
{{ item }}
|
||||
{% endfor %}
|
@ -0,0 +1,27 @@
|
||||
---
|
||||
|
||||
- name: Copy the keys to the strongswan directory
|
||||
copy:
|
||||
src: "{{ ipsec_pki_path }}/{{ item.src }}"
|
||||
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/{{ item.dest }}"
|
||||
owner: "{{ item.owner }}"
|
||||
group: "{{ item.group }}"
|
||||
mode: "{{ item.mode }}"
|
||||
with_items:
|
||||
- src: "cacert.pem"
|
||||
dest: "cacerts/ca.crt"
|
||||
owner: strongswan
|
||||
group: "{{ root_group|default('root') }}"
|
||||
mode: "0600"
|
||||
- src: "certs/{{ IP_subject_alt_name }}.crt"
|
||||
dest: "certs/{{ IP_subject_alt_name }}.crt"
|
||||
owner: strongswan
|
||||
group: "{{ root_group|default('root') }}"
|
||||
mode: "0600"
|
||||
- src: "private/{{ IP_subject_alt_name }}.key"
|
||||
dest: "private/{{ IP_subject_alt_name }}.key"
|
||||
owner: strongswan
|
||||
group: "{{ root_group|default('root') }}"
|
||||
mode: "0600"
|
||||
notify:
|
||||
- restart strongswan
|
@ -1,11 +1,5 @@
|
||||
---
|
||||
- block:
|
||||
- name: Include WireGuard role
|
||||
include_role:
|
||||
name: wireguard
|
||||
tags: wireguard
|
||||
when: wireguard_enabled and ansible_distribution == 'Ubuntu'
|
||||
|
||||
- include_tasks: ubuntu.yml
|
||||
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
|
||||
|
@ -1,27 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Copy the keys to the strongswan directory
|
||||
copy:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: "{{ item.owner }}"
|
||||
group: "{{ item.group }}"
|
||||
mode: "{{ item.mode }}"
|
||||
with_items:
|
||||
- src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem"
|
||||
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/cacerts/ca.crt"
|
||||
owner: strongswan
|
||||
group: "{{ root_group|default('root') }}"
|
||||
mode: "0600"
|
||||
- src: "configs/{{ IP_subject_alt_name }}/pki/certs/{{ IP_subject_alt_name }}.crt"
|
||||
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt"
|
||||
owner: strongswan
|
||||
group: "{{ root_group|default('root') }}"
|
||||
mode: "0600"
|
||||
- src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ IP_subject_alt_name }}.key"
|
||||
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/private/{{ IP_subject_alt_name }}.key"
|
||||
owner: strongswan
|
||||
group: "{{ root_group|default('root') }}"
|
||||
mode: "0600"
|
||||
notify:
|
||||
- restart strongswan
|
@ -1,4 +1,28 @@
|
||||
---
|
||||
wireguard_PersistentKeepalive: 0
|
||||
wireguard_client_ip: "{{ wireguard_network_ipv4['clients_range'] }}.{{ wireguard_network_ipv4['clients_start'] + index|int + 1 }}/{{ wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ wireguard_network_ipv6['clients_range'] }}{{ wireguard_network_ipv6['clients_start'] + index|int + 1 }}/{{ wireguard_network_ipv6['prefix'] }}{% endif %}"
|
||||
wireguard_server_ip: "{{ wireguard_network_ipv4['gateway'] }}/{{ wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ wireguard_network_ipv6['gateway'] }}/{{ wireguard_network_ipv6['prefix'] }}{% endif %}"
|
||||
wireguard_config_path: "configs/{{ IP_subject_alt_name }}/wireguard/"
|
||||
wireguard_pki_path: "{{ wireguard_config_path }}/.pki/"
|
||||
wireguard_interface: wg0
|
||||
_wireguard_network_ipv4:
|
||||
subnet: 10.19.49.0
|
||||
prefix: 24
|
||||
gateway: 10.19.49.1
|
||||
clients_range: 10.19.49
|
||||
clients_start: 2
|
||||
_wireguard_network_ipv6:
|
||||
subnet: 'fd9d:bc11:4021::'
|
||||
prefix: 48
|
||||
gateway: 'fd9d:bc11:4021::1'
|
||||
clients_range: 'fd9d:bc11:4021::'
|
||||
clients_start: 2
|
||||
wireguard_network_ipv4: "{{ _wireguard_network_ipv4['subnet'] }}/{{ _wireguard_network_ipv4['prefix'] }}"
|
||||
wireguard_network_ipv6: "{{ _wireguard_network_ipv6['subnet'] }}/{{ _wireguard_network_ipv6['prefix'] }}"
|
||||
keys_clean_all: false
|
||||
wireguard_dns_servers: >-
|
||||
{% if local_dns|default(false)|bool or dns_encryption|default(false)|bool == true %}
|
||||
{{ local_service_ip }}
|
||||
{% else %}
|
||||
{% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
|
||||
{% endif %}
|
||||
wireguard_client_ip: "{{ _wireguard_network_ipv4['clients_range'] }}.{{ _wireguard_network_ipv4['clients_start'] + index|int + 1 }}/{{ _wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ _wireguard_network_ipv6['clients_range'] }}{{ _wireguard_network_ipv6['clients_start'] + index|int + 1 }}/{{ _wireguard_network_ipv6['prefix'] }}{% endif %}"
|
||||
wireguard_server_ip: "{{ _wireguard_network_ipv4['gateway'] }}/{{ _wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ _wireguard_network_ipv6['gateway'] }}/{{ _wireguard_network_ipv6['prefix'] }}{% endif %}"
|
||||
|
@ -1,12 +1,12 @@
|
||||
[Interface]
|
||||
PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + item.1) }}
|
||||
PrivateKey = {{ lookup('file', wireguard_pki_path + '/private/' + item.1) }}
|
||||
Address = {{ wireguard_client_ip }}
|
||||
DNS = {{ wireguard_dns_servers }}
|
||||
{% if reduce_mtu|int > 0 %}MTU = {{ 1420 - reduce_mtu|int }}
|
||||
{% endif %}
|
||||
|
||||
[Peer]
|
||||
PublicKey = {{ lookup('file', wireguard_config_path + '/public/' + IP_subject_alt_name) }}
|
||||
PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + IP_subject_alt_name) }}
|
||||
AllowedIPs = 0.0.0.0/0, ::/0
|
||||
Endpoint = {{ IP_subject_alt_name }}:{{ wireguard_port }}
|
||||
{{ 'PersistentKeepalive = ' + wireguard_PersistentKeepalive|string if wireguard_PersistentKeepalive > 0 else '' }}
|
||||
|
Loading…
Reference in New Issue