pull/101/head
Jack Ivanov 8 years ago
parent 05df4f0c04
commit 97a00699b7

@ -13,6 +13,8 @@ auditd_action_mail_acct: email@example.com
easyrsa_dir: /opt/easy-rsa-ipsec
easyrsa_ca_expire: 3650
easyrsa_cert_expire: 3650
easyrsa_p12_export_password: vpnpws
# If True re-init all existing certificates. (True or False)
easyrsa_reinit_existent: False
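Review bot: `easyrsa_p12_export_password: vpnpws` leaves the PKCS#12 export password as a plaintext default in config.cfg, while the deleted deploy.yml prompted for it with `private: yes`; whether that line is context or added here is not visible on this page, but after this commit config.cfg is the only source of the value and the cloud-digitalocean hunk forwards it unchanged to the host, so every deployment that does not edit config.cfg ships its client bundles under the same published password. At minimum document the expectation: `# Protects the exported .p12 client bundles; change it before deploying (committed in plaintext).`. On the added lines, `easyrsa_reinit_existent: False` is accepted by Ansible's YAML 1.1 loader, but `false` is the portable spelling and matches yamllint's truthy rule.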

@ -0,0 +1,39 @@
- name: Configure the server and install required software
hosts: localhost
vars_files:
- config.cfg
roles:
- { role: cloud-digitalocean, tags: ['digitalocean'] }
- { role: cloud-ec2, tags: ['ec2'] }
- { role: cloud-gce, tags: ['gce'] }
- name: Post-provisioning tasks
hosts: vpn-host
gather_facts: false
become: true
vars_files:
- config.cfg
pre_tasks:
- name: Common pre-tasks
include: playbooks/common.yml
tags: [ 'digitalocean', 'ec2', 'gce' ]
- name: DigitalOcean pre-tasks
include: playbooks/digitalocean.yml
tags: [ 'digitalocean', 'ec2', 'gce' ]
roles:
- { role: common, tags: [ 'vpn' ] }
- { role: security, tags: [ 'security' ] }
- { role: proxy, tags: [ 'proxy', 'adblock' ] }
- { role: dns_adblocking, tags: ['dns', 'adblock' ] }
- { role: logging, tags: [ 'logging' ] }
- { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] }
- { role: vpn, tags: [ 'vpn' ] }
handlers:
- name: reload eth0
shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'
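Review bot: The `DigitalOcean pre-tasks` include is tagged `[ 'digitalocean', 'ec2', 'gce' ]`, so an ec2 or gce run also executes playbooks/digitalocean.yml, whose uri tasks call the DigitalOcean API with `do_droplet_id` and `do_access_token`; those variables are only set by the cloud-digitalocean role (its `do_droplet_id: "{{ do.droplet.id }}"` host var), so on the other providers the include fails on undefined variables or, if the names happen to exist, sends a token to the wrong provider's API. The tag list should be `tags: [ 'digitalocean' ]`, with each provider's own pre-tasks file tagged for that provider only. Separately, the flow lists mix `['digitalocean']` and `[ 'vpn' ]` spacing; pick one form for the file.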

@ -1,147 +0,0 @@
# vim:ft=ansible:
- name: Configure the server and install required software
hosts: localhost
vars:
regions:
"1": "ams2"
"2": "ams3"
"3": "fra1"
"4": "lon1"
"5": "nyc1"
"6": "nyc2"
"7": "nyc3"
"8": "sfo1"
"9": "sfo2"
"10": "sgp1"
"11": "tor1"
"12": "blr1"
vars_prompt:
- name: "do_access_token"
prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n"
private: yes
- name: "do_ssh_name"
prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n"
private: no
- name: "do_region"
prompt: >
What region should the server be located in?
1. Amsterdam (Datacenter 2)
2. Amsterdam (Datacenter 3)
3. Frankfurt
4. London
5. New York (Datacenter 1)
6. New York (Datacenter 2)
7. New York (Datacenter 3)
8. San Francisco (Datacenter 1)
9. San Francisco (Datacenter 2)
10. Singapore
11. Toronto
12. Bangalore
Enter the number of your desired region:
default: "7"
private: no
- name: "do_server_name"
prompt: "Name the vpn server:\n"
default: "algo.local"
private: no
- name: "dns_enabled"
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
default: "y"
private: no
- name: "proxy_enabled"
prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
default: "y"
private: no
- name: "auditd_enabled"
prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
default: "y"
private: no
- name: "ssh_tunneling_enabled"
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
default: "y"
private: no
- name: "security_enabled"
prompt: "Do you want to enable the security role? (y/n):\n"
default: "y"
private: no
- name: "easyrsa_p12_export_password"
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
default: "vpnpw"
private: yes
roles:
- cloud-digitalocean
- name: Post-provisioning tasks
hosts: vpn-host
gather_facts: false
become: true
vars_files:
- config.cfg
pre_tasks:
- name: Install prerequisites
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
- name: Enable IPv6 on the droplet
uri:
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
method: POST
body:
type: enable_ipv6
body_format: json
status_code: 201
HEADER_Authorization: "Bearer {{ do_access_token }}"
HEADER_Content-Type: "application/json"
- name: Get Droplet networks
uri:
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
method: GET
status_code: 200
HEADER_Authorization: "Bearer {{ do_access_token }}"
HEADER_Content-Type: "application/json"
register: droplet_info
- name: IPv6 configured
template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
notify:
- reload eth0
- name: IPv6 included into the network config
lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present
notify:
- reload eth0
- meta: flush_handlers
- name: Wait for SSH to become available
local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320"
become: false
roles:
- common
- { role: security, when: security_enabled is defined and security_enabled == "y" }
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
- { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
- vpn
handlers:
- name: reload eth0
shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'

@ -0,0 +1,5 @@
- name: Install prerequisites
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
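Review bot: Both `raw` tasks prefix their command with `sudo` although the play that includes this file runs with `become: true` (the Post-provisioning play in the new deploy.yml), so escalation happens twice and the tasks silently depend on passwordless sudo for the connecting user instead of on Ansible's become settings. Dropping the prefix, `raw: apt-get update -qq && apt-get install -qq -y python2.7` and `raw: update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1`, keeps a single escalation path that the play controls. This is moved code, so the point applies to the new location rather than to the move itself.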

@ -0,0 +1,114 @@
#vars:
#regions:
#"1": "ams2"
#"2": "ams3"
#"3": "fra1"
#"4": "lon1"
#"5": "nyc1"
#"6": "nyc2"
#"7": "nyc3"
#"8": "sfo1"
#"9": "sfo2"
#"10": "sgp1"
#"11": "tor1"
#"12": "blr1"
#vars_prompt:
#- name: "do_access_token"
#prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n"
#private: yes
#- name: "do_ssh_name"
#prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n"
#private: no
#- name: "do_region"
#prompt: >
#What region should the server be located in?
#1. Amsterdam (Datacenter 2)
#2. Amsterdam (Datacenter 3)
#3. Frankfurt
#4. London
#5. New York (Datacenter 1)
#6. New York (Datacenter 2)
#7. New York (Datacenter 3)
#8. San Francisco (Datacenter 1)
#9. San Francisco (Datacenter 2)
#10. Singapore
#11. Toronto
#12. Bangalore
#Enter the number of your desired region:
#default: "7"
#private: no
#- name: "do_server_name"
#prompt: "Name the vpn server:\n"
#default: "algo.local"
#private: no
#- name: "dns_enabled"
#prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
#default: "y"
#private: no
#- name: "proxy_enabled"
#prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
#default: "y"
#private: no
#- name: "auditd_enabled"
#prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
#default: "y"
#private: no
#- name: "ssh_tunneling_enabled"
#prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
#default: "y"
#private: no
#- name: "security_enabled"
#prompt: "Do you want to enable the security role? (y/n):\n"
#default: "y"
#private: no
#- name: "easyrsa_p12_export_password"
#prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
#default: "vpnpw"
#private: yes
- name: Enable IPv6 on the droplet
uri:
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
method: POST
body:
type: enable_ipv6
body_format: json
status_code: 201
HEADER_Authorization: "Bearer {{ do_access_token }}"
HEADER_Content-Type: "application/json"
- name: Get Droplet networks
uri:
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
method: GET
status_code: 200
HEADER_Authorization: "Bearer {{ do_access_token }}"
HEADER_Content-Type: "application/json"
register: droplet_info
- name: IPv6 configured
template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
notify:
- reload eth0
- name: IPv6 included into the network config
lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present
notify:
- reload eth0
- meta: flush_handlers
- name: Wait for SSH to become available
local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320"
become: false
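Review bot: The two uri tasks (`Enable IPv6 on the droplet`, `Get Droplet networks`) send `HEADER_Authorization: "Bearer {{ do_access_token }}"` and carry no `no_log: true`, so a failed request or a `-v` run prints the module arguments, bearer token included, to the console and any CI log; add `no_log: true` to both tasks. Roughly the first 67 lines of the new file are the old deploy.yml `vars` and `vars_prompt` block commented out with `#`, including the p12 password prompt; that is dead text git history already keeps and should be deleted rather than carried into the new playbook. The `#` comments also sit flush against the text; if any of it is kept, `# ` with a space is the conventional form.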

@ -15,7 +15,7 @@
state: present
command: droplet
name: "{{ do_server_name }}"
region_id: "{{ regions[do_region] }}"
region_id: "{{ do_region }}"
size_id: "512mb"
image_id: "ubuntu-16-04-x64"
ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}"
@ -31,11 +31,6 @@
ansible_python_interpreter: "/usr/bin/python2.7"
do_access_token: "{{ do_access_token }}"
do_droplet_id: "{{ do.droplet.id }}"
dns_enabled: "{{ dns_enabled }}"
proxy_enabled: "{{ proxy_enabled }}"
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
security_enabled: "{{ security_enabled }}"
auditd_enabled: " {{ auditd_enabled }}"
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
cloud_provider: digitalocean
ipv6_support: yes
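Review bot: The host vars kept in the second hunk still forward `do_access_token` and `easyrsa_p12_export_password` to vpn-host as plain hostvars, and the task that sets them (presumably an add_host, which starts above this hunk) has no `no_log: true`, so both secrets show up in verbose output and in the task result; `no_log: true` on that task is cheap and does not affect the values the later plays read. `ipv6_support: yes` is a YAML 1.1 boolean spelling; write `ipv6_support: true`. Whether the `*_enabled` passthroughs are the lines removed here is inferred from the hunk counts rather than visible markers.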

@ -9,7 +9,6 @@
- name: Periodic upgrades configured
template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644
# Using a two-pass approach for checking directories in order to support symlinks.
- name: Find directories for minimizing access
stat:
path: "{{ item }}"
