diff --git a/digitalocean.yml b/digitalocean.yml index 7a7e40a..7d6ac8e 100644 --- a/digitalocean.yml +++ b/digitalocean.yml @@ -1,3 +1,4 @@ +# vim:ft=ansible: - name: Configure the server and install required software hosts: localhost @@ -50,29 +51,29 @@ private: no - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" - default: "Y" + prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" + default: "y" private: no - + - name: "proxy_enabled" - prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" - default: "Y" - private: no + prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" + default: "y" + private: no - name: "auditd_enabled" - prompt: "Do you want to use auditd ? (Y or N):\n" - default: "Y" + prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" + default: "y" private: no - + - name: "ssh_tunneling_enabled" - prompt: "Do you want to use SSH tunneling ? (Y or N):\n" - default: "Y" - private: no - + prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" + default: "y" + private: no + - name: "easyrsa_p12_export_password" - prompt: "Enter the password for p12 certificates:\n" + prompt: "Enter a password for p12 certificates:\n" default: "vpn" - private: yes + private: yes roles: - cloud-digitalocean @@ -131,10 +132,10 @@ - common - security - vpn - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "Y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } + - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } + - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" } + - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } + - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } handlers: - name: reload eth0 diff --git a/ec2.yml b/ec2.yml index c906031..891f267 100644 --- a/ec2.yml +++ b/ec2.yml @@ -21,66 +21,65 @@ "11": "sa-east-1" vars_prompt: + - name: "aws_access_key" + prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" + private: yes - - name: "aws_access_key" - prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" - private: yes + - name: "aws_secret_key" + prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" + private: yes - - name: "aws_secret_key" - prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" - private: yes + - name: "region" + prompt: > + What region should the server be located in? + 1. us-east-1 US East (N. Virginia) + 2. us-west-1 US West (N. California) + 3. us-west-2 US West (Oregon) + 4. ap-south-1 Asia Pacific (Mumbai) + 5. ap-northeast-2 Asia Pacific (Seoul) + 6. ap-southeast-1 Asia Pacific (Singapore) + 7. ap-southeast-2 Asia Pacific (Sydney) + 8. ap-northeast-1 Asia Pacific (Tokyo) + 9. eu-central-1 EU (Frankfurt) + 10. eu-west-1 EU (Ireland) + 11. sa-east-1 South America (São Paulo) + default: "1" + private: no - - name: "region" - prompt: > - What region should the server be located in? - 1. us-east-1 US East (N. Virginia) - 2. us-west-1 US West (N. California) - 3. us-west-2 US West (Oregon) - 4. ap-south-1 Asia Pacific (Mumbai) - 5. ap-northeast-2 Asia Pacific (Seoul) - 6. ap-southeast-1 Asia Pacific (Singapore) - 7. ap-southeast-2 Asia Pacific (Sydney) - 8. ap-northeast-1 Asia Pacific (Tokyo) - 9. eu-central-1 EU (Frankfurt) - 10. eu-west-1 EU (Ireland) - 11. sa-east-1 South America (São Paulo) - default: "1" - private: no + - name: "aws_server_name" + prompt: "Name the vpn server:\n" + default: "algo.local" + private: no - - name: "aws_server_name" - prompt: "Name the vpn server:\n" - default: "algo.local" - private: no + - name: "ssh_public_key" + prompt: "Enter the local path to your SSH public key:\n" + default: "~/.ssh/id_rsa.pub" + private: no - - name: "ssh_public_key" - prompt: "Enter the local path to your SSH public key:\n" - default: "~/.ssh/id_rsa.pub" - private: no + - name: "dns_enabled" + prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" + default: "y" + private: no - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" - default: "Y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" - default: "Y" - private: no + - name: "proxy_enabled" + prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" + default: "y" + private: no - - name: "auditd_enabled" - prompt: "Do you want to use auditd ? (Y or N):\n" - default: "Y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want to use SSH tunneling ? (Y or N):\n" - default: "Y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter the password for p12 certificates:\n" - default: "vpn" - private: yes + - name: "auditd_enabled" + prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" + default: "y" + private: no + + - name: "ssh_tunneling_enabled" + prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" + default: "y" + private: no + + - name: "easyrsa_p12_export_password" + prompt: "Enter a password for p12 certificates:\n" + default: "vpn" + private: yes roles: - cloud-ec2 @@ -102,7 +101,7 @@ - common - security - vpn - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } + - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } + - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } + - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } + - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } diff --git a/gce.yml b/gce.yml index ff1c5e9..b44ce86 100644 --- a/gce.yml +++ b/gce.yml @@ -1,3 +1,4 @@ +# vim:ft=ansible: - name: Configure the server and install required software hosts: localhost gather_facts: false @@ -54,27 +55,27 @@ private: no - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" - default: "Y" + prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" + default: "y" private: no - + - name: "proxy_enabled" - prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" - default: "Y" + prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" + default: "y" private: no - name: "auditd_enabled" - prompt: "Do you want to use auditd ? (Y or N):\n" - default: "Y" + prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" + default: "y" private: no - + - name: "ssh_tunneling_enabled" - prompt: "Do you want to use SSH tunneling ? (Y or N):\n" - default: "Y" + prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" + default: "y" private: no - + - name: "easyrsa_p12_export_password" - prompt: "Enter the password for p12 certificates:\n" + prompt: "Enter a password for p12 certificates:\n" default: "vpn" private: yes @@ -98,7 +99,7 @@ - common - security - vpn - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } + - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } + - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } + - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } + - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } diff --git a/non-cloud.yml b/non-cloud.yml index 4ed42df..a823cca 100644 --- a/non-cloud.yml +++ b/non-cloud.yml @@ -1,47 +1,48 @@ +# vim:ft=ansible: - hosts: localhost gather_facts: False vars_files: - config.cfg + vars_prompt: + - name: "server_ip" + prompt: "Enter IP address of your server: (use localhost for local installation)\n" + default: localhost + private: no - - name: "server_ip" - prompt: "Enter IP address of your server: (use localhost for local installation)\n" - default: localhost - private: no + - name: "server_user" + prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n" + default: "root" + private: no - - name: "server_user" - prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n" - default: "root" - private: no + - name: "dns_enabled" + prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" + default: "y" + private: no - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (Y or N):\n" - default: "Y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install a proxy to block ads and decrease traffic usage while surfing? (Y or N):\n" - default: "Y" - private: no + - name: "proxy_enabled" + prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" + default: "y" + private: no - - name: "auditd_enabled" - prompt: "Do you want to use auditd ? (Y or N):\n" - default: "Y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want to use SSH tunneling ? (Y or N):\n" - default: "Y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter the password for p12 certificates:\n" - default: "vpn" - private: yes + - name: "auditd_enabled" + prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" + default: "y" + private: no + + - name: "ssh_tunneling_enabled" + prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" + default: "y" + private: no + + - name: "easyrsa_p12_export_password" + prompt: "Enter a password for p12 certificates:\n" + default: "vpn" + private: yes - - name: "IP_subject" - prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n" - private: no + - name: "IP_subject" + prompt: "Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n" + private: no tasks: - name: Add the server to the vpn-host group @@ -76,7 +77,7 @@ - common - security - vpn - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "Y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "Y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == 'Y' } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" } + - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } + - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } + - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } + - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 9752cc8..dc17b89 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -33,7 +33,7 @@ - name: SSH config template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 notify: - - restart ssh + - restart ssh - name: Disable MOTD on login and SSHD replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}" @@ -70,7 +70,7 @@ lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present notify: - restart loopback - + - meta: flush_handlers - name: Enable packet forwarding for IPv4 diff --git a/roles/common/templates/sshd_config.j2 b/roles/common/templates/sshd_config.j2 index af66436..8c08f0f 100644 --- a/roles/common/templates/sshd_config.j2 +++ b/roles/common/templates/sshd_config.j2 @@ -24,7 +24,6 @@ PubkeyAuthentication yes AcceptEnv LANG LC_* # Turn off a lot of features -AllowAgentForwarding no IgnoreRhosts yes RhostsRSAAuthentication no RSAAuthentication no @@ -33,7 +32,6 @@ PermitEmptyPasswords no ChallengeResponseAuthentication no PasswordAuthentication no UseDNS no -X11Forwarding no # Do not enable sftp # If you DO enable it, use this line to log which files sftp users read/write @@ -51,21 +49,16 @@ HostKey /etc/ssh/ssh_host_ed25519_key KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com - -### - # TODO: I haven't seen anyone review these yet # HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 - # TODO: I haven't seen anyone review these yet # PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 -# TODO: I think we want to enable tunnels but disable stream local fowarding? -# PermitTunnel yes -# AllowStreamLocalForwarding no - {% if ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "Y" %} Match Group algo AllowTcpForwarding remote + AllowAgentForwarding no AllowStreamLocalForwarding no + PermitTunnel no + X11Forwarding no {% endif %} diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml index df0fc37..a37bf9c 100644 --- a/roles/dns_adblocking/tasks/main.yml +++ b/roles/dns_adblocking/tasks/main.yml @@ -8,24 +8,24 @@ template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600 notify: - restart dnsmasq - + - name: The dnsmasq directory created - file: dest=/var/lib/dnsmasq state=directory mode=755 owner=dnsmasq group=nogroup + file: dest=/var/lib/dnsmasq state=directory mode=0755 owner=dnsmasq group=nogroup - name: Enforce the dnsmasq AppArmor policy shell: aa-enforce usr.sbin.dnsmasq - name: Ensure that the dnsmasq service directory exist file: path=/etc/systemd/system/dnsmasq.service.d/ state=directory mode=0755 owner=root group=root - + - name: Setup the cgroup limitations for the ipsec daemon template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf notify: - - daemon-reload + - daemon-reload - restart dnsmasq - -- meta: flush_handlers - + +- meta: flush_handlers + - name: Dnsmasq configured template: src=dnsmasq.conf.j2 dest=/etc/dnsmasq.conf notify: @@ -35,7 +35,7 @@ template: src=adblock.sh dest=/opt/adblock.sh owner=root group=root mode=0755 - name: Adblock script added to cron - cron: + cron: name: Adblock hosts update minute: 10 hour: 2 diff --git a/roles/proxy/handlers/main.yml b/roles/proxy/handlers/main.yml index bea23c7..a31941b 100644 --- a/roles/proxy/handlers/main.yml +++ b/roles/proxy/handlers/main.yml @@ -1,8 +1,8 @@ - name: restart privoxy service: name=privoxy state=restarted - + - name: daemon-reload - shell: systemctl daemon-reload + shell: systemctl daemon-reload - name: restart apparmor service: name=apparmor state=restarted diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml index 1157a97..81dbcab 100644 --- a/roles/proxy/tasks/main.yml +++ b/roles/proxy/tasks/main.yml @@ -16,17 +16,17 @@ - name: Enforce the privoxy AppArmor policy shell: aa-enforce usr.sbin.privoxy - + - name: Ensure that the privoxy service directory exist file: path=/etc/systemd/system/privoxy.service.d/ state=directory mode=0755 owner=root group=root - + - name: Setup the cgroup limitations for the privoxy daemon template: src=privoxy_100-CustomLimitations.conf.j2 dest=/etc/systemd/system/privoxy.service.d/100-CustomLimitations.conf notify: - - daemon-reload + - daemon-reload - restart privoxy - -- meta: flush_handlers + +- meta: flush_handlers - name: Privoxy enabled and started service: name=privoxy state=started enabled=yes @@ -70,14 +70,14 @@ template: src=ports.conf.j2 dest=/etc/apache2/ports.conf notify: - restart apache2 - + - name: Ensure that the apache2 service directory exist file: path=/etc/systemd/system/apache2.service.d/ state=directory mode=0755 owner=root group=root - + - name: Setup the cgroup limitations for the apache2 daemon template: src=apache2_100-CustomLimitations.conf.j2 dest=/etc/systemd/system/apache2.service.d/100-CustomLimitations.conf notify: - - daemon-reload + - daemon-reload - restart apache2 - -- meta: flush_handlers + +- meta: flush_handlers diff --git a/roles/security/handlers/main.yml b/roles/security/handlers/main.yml index f5fb1c9..ad1168b 100644 --- a/roles/security/handlers/main.yml +++ b/roles/security/handlers/main.yml @@ -1,8 +1,8 @@ - name: restart rsyslog service: name=rsyslog state=restarted - + - name: restart iptables service: name=netfilter-persistent state=restarted - + - name: flush routing cache shell: echo 1 > /proc/sys/net/ipv4/route/flush diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml index 10d31eb..a528896 100644 --- a/roles/security/tasks/main.yml +++ b/roles/security/tasks/main.yml @@ -97,6 +97,6 @@ template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640 with_items: - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 } - - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 } + - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 } notify: - restart iptables diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml index 7d87c7e..b78b19b 100644 --- a/roles/ssh_tunneling/tasks/main.yml +++ b/roles/ssh_tunneling/tasks/main.yml @@ -2,12 +2,12 @@ - name: Ensure that the algo group exist group: name=algo state=present - + - name: Ensure that the jail directory exist - file: path=/var/jail/ state=directory mode=0755 owner=root group=root - + file: path=/var/jail/ state=directory mode=0755 owner=root group=root + - name: Ensure that the SSH users exist - user: + user: name: "{{ item }}" group: algo home: '/var/jail/{{ item }}' @@ -17,5 +17,5 @@ ssh_key_type: ecdsa ssh_key_bits: 521 ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}' - state: present + state: present with_items: "{{ users }}" diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml index c5dcdc9..a3c10f7 100644 --- a/roles/vpn/handlers/main.yml +++ b/roles/vpn/handlers/main.yml @@ -1,6 +1,6 @@ - name: restart strongswan service: name=strongswan state=restarted - + - name: daemon-reload shell: systemctl daemon-reload diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 1592db4..1fe08b9 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -1,6 +1,6 @@ - name: Gather Facts setup: - + - name: Install StrongSwan apt: name=strongswan state=latest update_cache=yes @@ -19,28 +19,28 @@ - apparmor - strongswan - netfilter-persistent - + - name: Ensure that the strongswan group exist group: name=strongswan state=present - + - name: Ensure that the strongswan user exist user: name=strongswan group=strongswan state=present - + - name: Ensure that the strongswan service directory exist file: path=/etc/systemd/system/strongswan.service.d/ state=directory mode=0755 owner=root group=root - + - name: Setup the cgroup limitations for the ipsec daemon template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf notify: - - daemon-reload + - daemon-reload - restart strongswan - -- meta: flush_handlers - + +- meta: flush_handlers + - name: Setup the strongswan.conf file from our template template: src=strongswan.conf.j2 dest=/etc/strongswan.conf owner=root group=root mode=0644 notify: - - restart strongswan + - restart strongswan - name: Setup the ipsec.conf file from our template template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=0644 @@ -148,11 +148,11 @@ - name: Fetch users mobileconfig fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes with_items: "{{ users }}" - + - name: Restrict permissions file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root with_items: - - /etc/ipsec.d/private + - /etc/ipsec.d/private - name: Fetch server CA certificate fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes