mirror of https://github.com/trailofbits/algo
new tags
parent
05df4f0c04
commit
97a00699b7
@ -0,0 +1,39 @@
|
||||
- name: Configure the server and install required software
|
||||
hosts: localhost
|
||||
vars_files:
|
||||
- config.cfg
|
||||
|
||||
roles:
|
||||
- { role: cloud-digitalocean, tags: ['digitalocean'] }
|
||||
- { role: cloud-ec2, tags: ['ec2'] }
|
||||
- { role: cloud-gce, tags: ['gce'] }
|
||||
|
||||
- name: Post-provisioning tasks
|
||||
hosts: vpn-host
|
||||
gather_facts: false
|
||||
become: true
|
||||
vars_files:
|
||||
- config.cfg
|
||||
|
||||
pre_tasks:
|
||||
- name: Common pre-tasks
|
||||
include: playbooks/common.yml
|
||||
tags: [ 'digitalocean', 'ec2', 'gce' ]
|
||||
|
||||
- name: DigitalOcean pre-tasks
|
||||
include: playbooks/digitalocean.yml
|
||||
tags: [ 'digitalocean', 'ec2', 'gce' ]
|
||||
|
||||
roles:
|
||||
- { role: common, tags: [ 'vpn' ] }
|
||||
- { role: security, tags: [ 'security' ] }
|
||||
- { role: proxy, tags: [ 'proxy', 'adblock' ] }
|
||||
- { role: dns_adblocking, tags: ['dns', 'adblock' ] }
|
||||
- { role: logging, tags: [ 'logging' ] }
|
||||
- { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] }
|
||||
- { role: vpn, tags: [ 'vpn' ] }
|
||||
|
||||
|
||||
handlers:
|
||||
- name: reload eth0
|
||||
shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'
|
@ -1,147 +0,0 @@
|
||||
# vim:ft=ansible:
|
||||
- name: Configure the server and install required software
|
||||
hosts: localhost
|
||||
|
||||
vars:
|
||||
regions:
|
||||
"1": "ams2"
|
||||
"2": "ams3"
|
||||
"3": "fra1"
|
||||
"4": "lon1"
|
||||
"5": "nyc1"
|
||||
"6": "nyc2"
|
||||
"7": "nyc3"
|
||||
"8": "sfo1"
|
||||
"9": "sfo2"
|
||||
"10": "sgp1"
|
||||
"11": "tor1"
|
||||
"12": "blr1"
|
||||
|
||||
vars_prompt:
|
||||
- name: "do_access_token"
|
||||
prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n"
|
||||
private: yes
|
||||
|
||||
- name: "do_ssh_name"
|
||||
prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n"
|
||||
private: no
|
||||
|
||||
- name: "do_region"
|
||||
prompt: >
|
||||
What region should the server be located in?
|
||||
1. Amsterdam (Datacenter 2)
|
||||
2. Amsterdam (Datacenter 3)
|
||||
3. Frankfurt
|
||||
4. London
|
||||
5. New York (Datacenter 1)
|
||||
6. New York (Datacenter 2)
|
||||
7. New York (Datacenter 3)
|
||||
8. San Francisco (Datacenter 1)
|
||||
9. San Francisco (Datacenter 2)
|
||||
10. Singapore
|
||||
11. Toronto
|
||||
12. Bangalore
|
||||
Enter the number of your desired region:
|
||||
default: "7"
|
||||
private: no
|
||||
|
||||
- name: "do_server_name"
|
||||
prompt: "Name the vpn server:\n"
|
||||
default: "algo.local"
|
||||
private: no
|
||||
|
||||
- name: "dns_enabled"
|
||||
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
|
||||
default: "y"
|
||||
private: no
|
||||
|
||||
- name: "proxy_enabled"
|
||||
prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
|
||||
default: "y"
|
||||
private: no
|
||||
|
||||
- name: "auditd_enabled"
|
||||
prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
|
||||
default: "y"
|
||||
private: no
|
||||
|
||||
- name: "ssh_tunneling_enabled"
|
||||
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
|
||||
default: "y"
|
||||
private: no
|
||||
|
||||
- name: "security_enabled"
|
||||
prompt: "Do you want to enable the security role? (y/n):\n"
|
||||
default: "y"
|
||||
private: no
|
||||
|
||||
- name: "easyrsa_p12_export_password"
|
||||
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
||||
default: "vpnpw"
|
||||
private: yes
|
||||
|
||||
roles:
|
||||
- cloud-digitalocean
|
||||
|
||||
- name: Post-provisioning tasks
|
||||
hosts: vpn-host
|
||||
gather_facts: false
|
||||
become: true
|
||||
vars_files:
|
||||
- config.cfg
|
||||
|
||||
pre_tasks:
|
||||
- name: Install prerequisites
|
||||
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
|
||||
- name: Configure defaults
|
||||
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
|
||||
|
||||
- name: Enable IPv6 on the droplet
|
||||
uri:
|
||||
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
|
||||
method: POST
|
||||
body:
|
||||
type: enable_ipv6
|
||||
body_format: json
|
||||
status_code: 201
|
||||
HEADER_Authorization: "Bearer {{ do_access_token }}"
|
||||
HEADER_Content-Type: "application/json"
|
||||
|
||||
- name: Get Droplet networks
|
||||
uri:
|
||||
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
|
||||
method: GET
|
||||
status_code: 200
|
||||
HEADER_Authorization: "Bearer {{ do_access_token }}"
|
||||
HEADER_Content-Type: "application/json"
|
||||
register: droplet_info
|
||||
|
||||
- name: IPv6 configured
|
||||
template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
|
||||
with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
|
||||
notify:
|
||||
- reload eth0
|
||||
|
||||
- name: IPv6 included into the network config
|
||||
lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present
|
||||
notify:
|
||||
- reload eth0
|
||||
|
||||
- meta: flush_handlers
|
||||
|
||||
- name: Wait for SSH to become available
|
||||
local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320"
|
||||
become: false
|
||||
|
||||
roles:
|
||||
- common
|
||||
- { role: security, when: security_enabled is defined and security_enabled == "y" }
|
||||
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
||||
- { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
|
||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
||||
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
|
||||
- vpn
|
||||
|
||||
handlers:
|
||||
- name: reload eth0
|
||||
shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'
|
@ -0,0 +1,5 @@
|
||||
- name: Install prerequisites
|
||||
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
|
||||
|
||||
- name: Configure defaults
|
||||
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
|
@ -0,0 +1,114 @@
|
||||
#vars:
|
||||
#regions:
|
||||
#"1": "ams2"
|
||||
#"2": "ams3"
|
||||
#"3": "fra1"
|
||||
#"4": "lon1"
|
||||
#"5": "nyc1"
|
||||
#"6": "nyc2"
|
||||
#"7": "nyc3"
|
||||
#"8": "sfo1"
|
||||
#"9": "sfo2"
|
||||
#"10": "sgp1"
|
||||
#"11": "tor1"
|
||||
#"12": "blr1"
|
||||
|
||||
#vars_prompt:
|
||||
#- name: "do_access_token"
|
||||
#prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n"
|
||||
#private: yes
|
||||
|
||||
#- name: "do_ssh_name"
|
||||
#prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n"
|
||||
#private: no
|
||||
|
||||
#- name: "do_region"
|
||||
#prompt: >
|
||||
#What region should the server be located in?
|
||||
#1. Amsterdam (Datacenter 2)
|
||||
#2. Amsterdam (Datacenter 3)
|
||||
#3. Frankfurt
|
||||
#4. London
|
||||
#5. New York (Datacenter 1)
|
||||
#6. New York (Datacenter 2)
|
||||
#7. New York (Datacenter 3)
|
||||
#8. San Francisco (Datacenter 1)
|
||||
#9. San Francisco (Datacenter 2)
|
||||
#10. Singapore
|
||||
#11. Toronto
|
||||
#12. Bangalore
|
||||
#Enter the number of your desired region:
|
||||
#default: "7"
|
||||
#private: no
|
||||
|
||||
#- name: "do_server_name"
|
||||
#prompt: "Name the vpn server:\n"
|
||||
#default: "algo.local"
|
||||
#private: no
|
||||
|
||||
#- name: "dns_enabled"
|
||||
#prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
|
||||
#default: "y"
|
||||
#private: no
|
||||
|
||||
#- name: "proxy_enabled"
|
||||
#prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
|
||||
#default: "y"
|
||||
#private: no
|
||||
|
||||
#- name: "auditd_enabled"
|
||||
#prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
|
||||
#default: "y"
|
||||
#private: no
|
||||
|
||||
#- name: "ssh_tunneling_enabled"
|
||||
#prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
|
||||
#default: "y"
|
||||
#private: no
|
||||
|
||||
#- name: "security_enabled"
|
||||
#prompt: "Do you want to enable the security role? (y/n):\n"
|
||||
#default: "y"
|
||||
#private: no
|
||||
|
||||
#- name: "easyrsa_p12_export_password"
|
||||
#prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
||||
#default: "vpnpw"
|
||||
#private: yes
|
||||
|
||||
- name: Enable IPv6 on the droplet
|
||||
uri:
|
||||
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
|
||||
method: POST
|
||||
body:
|
||||
type: enable_ipv6
|
||||
body_format: json
|
||||
status_code: 201
|
||||
HEADER_Authorization: "Bearer {{ do_access_token }}"
|
||||
HEADER_Content-Type: "application/json"
|
||||
|
||||
- name: Get Droplet networks
|
||||
uri:
|
||||
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
|
||||
method: GET
|
||||
status_code: 200
|
||||
HEADER_Authorization: "Bearer {{ do_access_token }}"
|
||||
HEADER_Content-Type: "application/json"
|
||||
register: droplet_info
|
||||
|
||||
- name: IPv6 configured
|
||||
template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
|
||||
with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
|
||||
notify:
|
||||
- reload eth0
|
||||
|
||||
- name: IPv6 included into the network config
|
||||
lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present
|
||||
notify:
|
||||
- reload eth0
|
||||
|
||||
- meta: flush_handlers
|
||||
|
||||
- name: Wait for SSH to become available
|
||||
local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320"
|
||||
become: false
|
Loading…
Reference in New Issue