diff --git a/ADVANCED.md b/ADVANCED.md new file mode 100644 index 0000000..a9384f1 --- /dev/null +++ b/ADVANCED.md @@ -0,0 +1,81 @@ +### Cloud Providers + +**digitalocean** +*Requirement variables:* +- do_access_token +- do_ssh_name +- do_server_name +- do_region + +*Possible regions:* +- ams2 +- ams3 +- fra1 +- lon1 +- nyc1 +- nyc2 +- nyc3 +- sfo1 +- sfo2 +- sgp1 +- tor1 +- blr1 + +**gce** +*Requirement variables:* +- credentials_file +- server_name +- ssh_public_key +- zone + +*Possible zones:* +- us-central1-a +- us-central1-b +- us-central1-c +- us-central1-f +- us-east1-b +- us-east1-c +- us-east1-d +- europe-west1-b +- europe-west1-c +- europe-west1-d +- asia-east1-a +- asia-east1-b +- asia-east1-c + +**ec2** +*Requirement variables:* +- aws_access_key +- aws_secret_key +- aws_server_name +- ssh_public_key +- region + +*Possible regions:* +- us-east-1 +- us-west-1 +- us-west-2 +- ap-south-1 +- ap-northeast-2 +- ap-southeast-1 +- ap-southeast-2 +- ap-northeast-1 +- eu-central-1 +- eu-west-1 +- sa-east-1 + +**local installation** +*Requirement variables:* +- server_ip +- server_user +- IP_subject + +### Deployment + +Start the deploy with extra variables and tags that you need. +Example for DigitalOcean: + +``` +ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=secret_token_abc do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2' +``` + diff --git a/README.md b/README.md index 7896c9a..5cb7148 100644 --- a/README.md +++ b/README.md 
@@ -73,6 +73,20 @@ Ansible scripts are organized into roles. The roles used by Algo are described i * SHell or BASH * libselinux-python (for RedHat based distros) +### Roles and Tags +**Cloud roles:** +- role: cloud-digitalocean, tags: digitalocean +- role: cloud-ec2, tags: ec2 +- role: cloud-gce, tags: gce + +**Server roles:** +- role: vpn, tags: vpn +- role: dns_adblocking, tags: dns, adblock +- role: proxy, tags: proxy, adblock +- role: logging, tags: logging +- role: security, tags: security +- role: ssh_tunneling, tags: ssh_tunneling + ### Cloud Deployment To install the dependencies on OS X or Linux: diff --git a/algo b/algo index 8283b3c..d5302b4 100755 --- a/algo +++ b/algo 
@@ -2,6 +2,180 @@ set -e +digitalocean () { + read -p " +Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens): +: " -rs do_access_token + + read -p " +Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security): +: " -r do_ssh_name + + read -p " +Name the vpn server: +[algo.local]: " -r do_server_name + do_server_name=${do_server_name:-algo.local} + + read -p " + What region should the server be located in? + 1. Amsterdam (Datacenter 2) + 2. Amsterdam (Datacenter 3) + 3. Frankfurt + 4. London + 5. New York (Datacenter 1) + 6. New York (Datacenter 2) + 7. New York (Datacenter 3) + 8. San Francisco (Datacenter 1) + 9. San Francisco (Datacenter 2) + 10. Singapore + 11. Toronto + 12. Bangalore +Enter the number of your desired region: +[7]: " -r region + region=${region:-7} + + case "$region" in + 1) do_region="ams2" ;; + 2) do_region="ams3" ;; + 3) do_region="fra1" ;; + 4) do_region="lon1" ;; + 5) do_region="nyc1" ;; + 6) do_region="nyc2" ;; + 7) do_region="nyc3" ;; + 8) do_region="sfo1" ;; + 9) do_region="sfo2" ;; + 10) do_region="sgp1" ;; + 11) do_region="tor1" ;; + 12) do_region="blr1" ;; + esac + +ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region" + +} + +ec2 () { + read -p " +Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): +: " -rs aws_access_key + + read -p " +Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): +: " -rs aws_secret_key + + read -p " +Enter the local path to your SSH public key: +: " -r ssh_public_key + + read -p " +Name the vpn server: +[algo]: " -r aws_server_name + aws_server_name=${aws_server_name:-algo} + + read -p " + What region should the server be located in? + 1. us-east-1 US East (N. Virginia) + 2. us-west-1 US West (N. 
California) + 3. us-west-2 US West (Oregon) + 4. ap-south-1 Asia Pacific (Mumbai) + 5. ap-northeast-2 Asia Pacific (Seoul) + 6. ap-southeast-1 Asia Pacific (Singapore) + 7. ap-southeast-2 Asia Pacific (Sydney) + 8. ap-northeast-1 Asia Pacific (Tokyo) + 9. eu-central-1 EU (Frankfurt) + 10. eu-west-1 EU (Ireland) + 11. sa-east-1 South America (São Paulo) +Enter the number of your desired region: +[1]: " -r aws_region + aws_region=${aws_region:-1} + + case "$aws_region" in + 1) region="us-east-1" ;; + 2) region="us-west-1" ;; + 3) region="us-west-2" ;; + 4) region="ap-south-1" ;; + 5) region="ap-northeast-2" ;; + 6) region="ap-southeast-1" ;; + 7) region="ap-southeast-2" ;; + 8) region="ap-northeast-1" ;; + 9) region="eu-central-1" ;; + 10) region="eu-west-1" ;; + 11) region="sa-east-1" ;; + esac + +ansible-playbook deploy.yml -t ec2,vpn -e "aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" + +} + +gce () { + read -p " +Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts): +: " -r credentials_file + + read -p " +Enter the local path to your SSH public key: +: " -r ssh_public_key + + read -p " +Name the vpn server: +[algo]: " -r server_name + server_name=${server_name:-algo} + + read -p " + What zone should the server be located in? + 1. Central US (Iowa A) + 2. Central US (Iowa B) + 3. Central US (Iowa C) + 4. Central US (Iowa F) + 5. Eastern US (South Carolina B) + 6. Eastern US (South Carolina C) + 7. Eastern US (South Carolina D) + 8. Western Europe (Belgium B) + 9. Western Europe (Belgium C) + 10. Western Europe (Belgium D) + 11. East Asia (Taiwan A) + 12. East Asia (Taiwan B) + 13. East Asia (Taiwan C) +Please choose the number of your zone. Press enter for default (#8) zone. 
+[8]: " -r region + region=${region:-8} + + case "$region" in + 1) zone="us-central1-a" ;; + 2) zone="us-central1-b" ;; + 3) zone="us-central1-c" ;; + 4) zone="us-central1-f" ;; + 5) zone="us-east1-b" ;; + 6) zone="us-east1-c" ;; + 7) zone="us-east1-d" ;; + 8) zone="europe-west1-b" ;; + 9) zone="europe-west1-c" ;; + 10) zone="europe-west1-d" ;; + 11) zone="asia-east1-a" ;; + 12) zone="asia-east1-b" ;; + 13) zone="asia-east1-c" ;; + esac + +ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone" + +} + +non_cloud () { + read -p " +Enter IP address of your server: (use localhost for local installation) +: " -r server_ip + + read -p " +What user should we use to login on the server? (ignore if you're deploying to localhost) +[root]: " -r server_user + server_user=${server_user:-root} + + read -p " +Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate) +: " -r IP_subject + + ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject=$IP_subject" +} + algo_provisioning () { echo -n " What provider would you like to use? @@ -16,14 +190,13 @@ Enter the number of your desired provider read -r N case "$N" in - 1) CLOUD="digitalocean" ;; - 2) CLOUD="ec2" ;; - 3) CLOUD="gce" ;; - 4) CLOUD="non-cloud" ;; + 1) digitalocean; ;; + 2) ec2; ;; + 3) gce; ;; + 4) non_cloud; ;; *) exit 1 ;; esac - - ansible-playbook "${CLOUD}.yml" + } user_management () { diff --git a/config.cfg b/config.cfg index c8178b5..cd827f3 100644 --- a/config.cfg +++ b/config.cfg @@ -13,6 +13,8 @@ auditd_action_mail_acct: email@example.com easyrsa_dir: /opt/easy-rsa-ipsec easyrsa_ca_expire: 3650 easyrsa_cert_expire: 3650 +easyrsa_p12_export_password: vpnpws + # If True re-init all existing certificates. (True or False) easyrsa_reinit_existent: False diff --git a/deploy.yml b/deploy.yml new file mode 100644 index 0000000..4e6ca20 
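Review bot: The `case "$region"` in `digitalocean ()` has no `*)` branch, so any answer outside 1–12 leaves `do_region` empty and `ansible-playbook` is still launched; the same gap exists in `case "$aws_region"` in `ec2 ()` and `case "$region"` in `gce ()`, and because this commit also changes the roles to pass `do_region`/`region`/`zone` straight through instead of indexing a dictionary, the bad value is no longer caught by a failed lookup. Add `*) echo "Unknown region: $region" >&2; exit 1 ;;` (with the matching variable) to each of the three case statements, mirroring the `*) exit 1 ;;` the provider menu already has. Separately, the API token and AWS keys read with `-rs` are interpolated into the `-e "..."` argument, which makes them visible in process listings and, when the ADVANCED.md example is pasted, in shell history; `ansible-playbook` also accepts `-e @vars.yml`, so writing the collected values to a mode-0600 temporary file and passing that would keep them off the command line. The unquoted `key=$value` form inside `-e` also splits on whitespace, so a server name containing a space silently becomes an extra variable.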
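Review bot: `easyrsa_p12_export_password: vpnpws` puts a fixed, committed plaintext password into config.cfg for every deployment, whereas the deleted playbooks collected it through a `private: yes` prompt and only carried it into the host vars at run time. Since this value protects the exported .p12 client bundles and SSH private keys, the line needs a comment stating what it guards and that the default is public, e.g. `# Password for exported .p12 bundles and SSH private keys; change it before deploying, the default is known to anyone with this repository.`. The new default `vpnpws` also differs from the old prompt default `vpnpw`, which looks unintended.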
--- /dev/null +++ b/deploy.yml @@ -0,0 +1,41 @@ +- name: Configure the server and install required software + hosts: localhost + tags: algo + vars_files: + - config.cfg + + roles: + - { role: cloud-digitalocean, tags: ['digitalocean'] } + - { role: cloud-ec2, tags: ['ec2'] } + - { role: cloud-gce, tags: ['gce'] } + - { role: local, tags: ['local'] } + +- name: Post-provisioning tasks + hosts: vpn-host + gather_facts: false + tags: algo + become: true + vars_files: + - config.cfg + + pre_tasks: + - name: Common pre-tasks + include: playbooks/common.yml + tags: [ 'digitalocean', 'ec2', 'gce', 'pre' ] + + - name: DigitalOcean pre-tasks + include: playbooks/digitalocean.yml + tags: [ 'digitalocean' ] + + roles: + - { role: security, tags: [ 'security' ] } + - { role: proxy, tags: [ 'proxy', 'adblock' ] } + - { role: dns_adblocking, tags: ['dns', 'adblock' ] } + - { role: logging, tags: [ 'logging' ] } + - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] } + - { role: vpn, tags: [ 'vpn' ] } + + handlers: + - name: reload eth0 + shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' + diff --git a/digitalocean.yml b/digitalocean.yml deleted file mode 100644 index fad6b34..0000000 --- a/digitalocean.yml +++ /dev/null 
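Review bot: The `Common pre-tasks` include is tagged `[ 'digitalocean', 'ec2', 'gce', 'pre' ]`, so a local deployment started with `-t local,vpn` (what `non_cloud ()` in `algo` runs) skips the python2.7 bootstrap that the deleted non-cloud.yml executed in its own pre_tasks, and the first non-`raw` module on a target without python2.7 will fail. Add the tag: `tags: [ 'digitalocean', 'ec2', 'gce', 'local', 'pre' ]`. A one-line comment above the `Post-provisioning tasks` play saying that server roles run only when their tag is selected (the y/n prompts were removed in this commit) would also spare the next reader a trip to README.md.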
@@ -1,147 +0,0 @@ -# vim:ft=ansible: -- name: Configure the server and install required software - hosts: localhost - - vars: - regions: - "1": "ams2" - "2": "ams3" - "3": "fra1" - "4": "lon1" - "5": "nyc1" - "6": "nyc2" - "7": "nyc3" - "8": "sfo1" - "9": "sfo2" - "10": "sgp1" - "11": "tor1" - "12": "blr1" - - vars_prompt: - - name: "do_access_token" - prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n" - private: yes - - - name: "do_ssh_name" - prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n" - private: no - - - name: "do_region" - prompt: > - What region should the server be located in? - 1. Amsterdam (Datacenter 2) - 2. Amsterdam (Datacenter 3) - 3. Frankfurt - 4. London - 5. New York (Datacenter 1) - 6. New York (Datacenter 2) - 7. New York (Datacenter 3) - 8. San Francisco (Datacenter 1) - 9. San Francisco (Datacenter 2) - 10. Singapore - 11. Toronto - 12. Bangalore - Enter the number of your desired region: - default: "7" - private: no - - - name: "do_server_name" - prompt: "Name the vpn server:\n" - default: "algo.local" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? 
(y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - roles: - - cloud-digitalocean - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - - name: Enable IPv6 on the droplet - uri: - url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions" - method: POST - body: - type: enable_ipv6 - body_format: json - status_code: 201 - HEADER_Authorization: "Bearer {{ do_access_token }}" - HEADER_Content-Type: "application/json" - - - name: Get Droplet networks - uri: - url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}" - method: GET - status_code: 200 - HEADER_Authorization: "Bearer {{ do_access_token }}" - HEADER_Content-Type: "application/json" - register: droplet_info - - - name: IPv6 configured - template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644 - with_items: "{{ droplet_info.json.droplet.networks.v6 }}" - notify: - - reload eth0 - - - name: IPv6 included into the network config - lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present - notify: - - reload eth0 - - - meta: flush_handlers - - - name: Wait for SSH to become available - local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320" - become: false - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking, when: 
dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn - - handlers: - - name: reload eth0 - shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0' diff --git a/ec2.yml b/ec2.yml deleted file mode 100644 index 884e643..0000000 --- a/ec2.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -# vim:ft=ansible: -- name: Create a sandbox instance - hosts: localhost - gather_facts: False - vars_files: - - config.cfg - vars: - instance_type: t2.nano - security_group: vpn-secgroup - regions: - "1": "us-east-1" - "2": "us-west-1" - "3": "us-west-2" - "4": "ap-south-1" - "5": "ap-northeast-2" - "6": "ap-southeast-1" - "7": "ap-southeast-2" - "8": "ap-northeast-1" - "9": "eu-central-1" - "10": "eu-west-1" - "11": "sa-east-1" - - vars_prompt: - - name: "aws_access_key" - prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" - private: yes - - - name: "aws_secret_key" - prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n" - private: yes - - - name: "region" - prompt: > - What region should the server be located in? - 1. us-east-1 US East (N. Virginia) - 2. us-west-1 US West (N. California) - 3. us-west-2 US West (Oregon) - 4. ap-south-1 Asia Pacific (Mumbai) - 5. ap-northeast-2 Asia Pacific (Seoul) - 6. ap-southeast-1 Asia Pacific (Singapore) - 7. ap-southeast-2 Asia Pacific (Sydney) - 8. ap-northeast-1 Asia Pacific (Tokyo) - 9. eu-central-1 EU (Frankfurt) - 10. eu-west-1 EU (Ireland) - 11. sa-east-1 South America (São Paulo) - default: "1" - private: no - - - name: "aws_server_name" - prompt: "Name the vpn server:\n" - default: "algo.local" - private: no - - - name: "ssh_public_key" - prompt: "Enter the local path to your SSH public key:\n" - default: "~/.ssh/id_rsa.pub" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? 
(y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? (y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - roles: - - cloud-ec2 - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn diff --git a/gce.yml b/gce.yml deleted file mode 100644 index 599855f..0000000 --- a/gce.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -# vim:ft=ansible: -- name: Configure the server and install required software - hosts: localhost - gather_facts: false - - vars: - zones: - "1": "us-central1-a" - "2": "us-central1-b" - "3": "us-central1-c" - "4": "us-central1-f" - "5": "us-east1-b" - "6": "us-east1-c" - "7": "us-east1-d" - "8": "europe-west1-b" - "9": "europe-west1-c" - "10": "europe-west1-d" - "11": "asia-east1-a" - "12": "asia-east1-b" - "13": "asia-east1-c" - - vars_prompt: - - name: "credentials_file" - prompt: "Enter the local path to your credentials JSON file [ex: ~/gogle_cloud.json] (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):\n" - private: no - - - name: "ssh_public_key" - prompt: "Enter the local path to your SSH public key:\n" - default: "~/.ssh/id_rsa.pub" - private: no - - - name: "zone" - prompt: > - What zone should the server be located in? - 1. Central US (Iowa A) - 2. Central US (Iowa B) - 3. Central US (Iowa C) - 4. Central US (Iowa F) - 5. Eastern US (South Carolina B) - 6. Eastern US (South Carolina C) - 7. Eastern US (South Carolina D) - 8. Western Europe (Belgium B) - 9. Western Europe (Belgium C) - 10. Western Europe (Belgium D) - 11. East Asia (Taiwan A) - 12. East Asia (Taiwan B) - 13. East Asia (Taiwan C) - Please choose the number of your zone. Press enter for default (#8) zone. - default: "8" - private: no - - - name: "server_name" - prompt: "Name the vpn server:\n" - default: "algo" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? 
(y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? (y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - roles: - - cloud-gce - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn diff --git a/non-cloud.yml b/non-cloud.yml deleted file mode 100644 index 8f5a33e..0000000 --- a/non-cloud.yml +++ /dev/null 
@@ -1,89 +0,0 @@ -# vim:ft=ansible: -- hosts: localhost - gather_facts: False - vars_files: - - config.cfg - - vars_prompt: - - name: "server_ip" - prompt: "Enter IP address of your server: (use localhost for local installation)\n" - default: localhost - private: no - - - name: "server_user" - prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n" - default: "root" - private: no - - - name: "dns_enabled" - prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n" - default: "y" - private: no - - - name: "proxy_enabled" - prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n" - default: "y" - private: no - - - name: "auditd_enabled" - prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n" - default: "y" - private: no - - - name: "ssh_tunneling_enabled" - prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" - default: "y" - private: no - - - name: "security_enabled" - prompt: "Do you want to enable the security role? (y/n):\n" - default: "y" - private: no - - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - - name: "IP_subject" - prompt: "Enter the public IP address of your server: (IMPORTANT! 
This IP is used to verify the certificate)\n" - private: no - - tasks: - - name: Add the server to the vpn-host group - add_host: - hostname: "{{ server_ip }}" - groupname: vpn-host - ansible_ssh_user: "{{ server_user }}" - ansible_python_interpreter: "/usr/bin/python2.7" - dns_enabled: "{{ dns_enabled }}" - proxy_enabled: "{{ proxy_enabled }}" - ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" - security_enabled: "{{ security_enabled }}" - auditd_enabled: " {{ auditd_enabled }}" - easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" - IP_subject: "{{ IP_subject }}" - -- name: Post-provisioning tasks - hosts: vpn-host - gather_facts: false - become: true - vars_files: - - config.cfg - - pre_tasks: - - name: Install prerequisites - raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 - - name: Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - - set_fact: - IP_subject_alt_name: "{{ IP_subject }}" - - roles: - - common - - { role: security, when: security_enabled is defined and security_enabled == "y" } - - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" } - - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" } - - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" } - - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - vpn diff --git a/playbooks/common.yml b/playbooks/common.yml new file mode 100644 index 0000000..d84a6eb --- /dev/null +++ b/playbooks/common.yml @@ -0,0 +1,5 @@ +- name: Install prerequisites + raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 + +- name: Configure defaults + raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 diff --git a/playbooks/digitalocean.yml b/playbooks/digitalocean.yml new file mode 100644 index 0000000..703e5d0 --- /dev/null +++ b/playbooks/digitalocean.yml 
@@ -0,0 +1,36 @@ +- name: Enable IPv6 on the droplet + uri: + url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions" + method: POST + body: + type: enable_ipv6 + body_format: json + status_code: 201 + HEADER_Authorization: "Bearer {{ do_access_token }}" + HEADER_Content-Type: "application/json" + +- name: Get Droplet networks + uri: + url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}" + method: GET + status_code: 200 + HEADER_Authorization: "Bearer {{ do_access_token }}" + HEADER_Content-Type: "application/json" + register: droplet_info + +- name: IPv6 configured + template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644 + with_items: "{{ droplet_info.json.droplet.networks.v6 }}" + notify: + - reload eth0 + +- name: IPv6 included into the network config + lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present + notify: + - reload eth0 + +- meta: flush_handlers + +- name: Wait for SSH to become available + local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320" + become: false diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml index ca8d7de..5a28f8f 100644 --- a/roles/cloud-digitalocean/tasks/main.yml +++ b/roles/cloud-digitalocean/tasks/main.yml @@ -1,6 +1,6 @@ - name: Set the DigitalOcean Access Token fact set_fact: - do_token: "{{ do_access_token | default( lookup('env', 'DIGITALOCEAN_API_KEY') ) }}" + do_token: "{{ do_access_token }}" - name: "Getting your SSH key ID on Digital Ocean..." digital_ocean: @@ -15,7 +15,7 @@ state: present command: droplet name: "{{ do_server_name }}" - region_id: "{{ regions[do_region] }}" + region_id: "{{ do_region }}" size_id: "512mb" image_id: "ubuntu-16-04-x64" ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}" 
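Review bot: Both `uri` tasks send the account token in `HEADER_Authorization: "Bearer {{ do_access_token }}"`, and the second one registers the whole response, so a run with `-v` or higher prints the token as part of the task arguments. Add `no_log: true` to `Enable IPv6 on the droplet` and `Get Droplet networks`; the registered `droplet_info` remains usable by the `IPv6 configured` template task. The trailing `Wait for SSH to become available` runs after `flush_handlers`, presumably because the `reload eth0` handler flushes the interface; a comment saying so would make the ordering intentional rather than accidental.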
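Review bot: Dropping `default( lookup('env', 'DIGITALOCEAN_API_KEY') )` from the `do_token` fact removes the only path that kept the token out of the `-e` string on the `ansible-playbook` command line, where it is visible to `ps` and lands in shell history. Keeping the fallback is compatible with the new `algo` script, which always sets `do_access_token`: `do_token: "{{ do_access_token | default( lookup('env', 'DIGITALOCEAN_API_KEY') ) }}"`. The `region_id: "{{ do_region }}"` change in the next hunk likewise now trusts the caller to supply a valid slug, which is fine only once the script validates its menu input.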
@@ -31,11 +31,6 @@ ansible_python_interpreter: "/usr/bin/python2.7" do_access_token: "{{ do_access_token }}" do_droplet_id: "{{ do.droplet.id }}" - dns_enabled: "{{ dns_enabled }}" - proxy_enabled: "{{ proxy_enabled }}" - ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" - security_enabled: "{{ security_enabled }}" - auditd_enabled: " {{ auditd_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: digitalocean ipv6_support: yes diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index 1bfb382..4f25e1b 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -7,7 +7,7 @@ sort: name sort_order: descending sort_end: 1 - region: "{{ regions[region] }}" + region: "{{ region }}" register: ami_search - set_fact: @@ -18,7 +18,7 @@ aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" name: VPNKEY - region: "{{ regions[region] }}" + region: "{{ region }}" key_material: "{{ item }}" with_file: "{{ ssh_public_key }}" register: keypair @@ -27,9 +27,9 @@ ec2_group: aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" - name: "{{ security_group }}" + name: vpn-secgroup description: Security group for VPN servers - region: "{{ regions[region] }}" + region: "{{ region }}" rules: - proto: udp from_port: 4500 @@ -54,11 +54,11 @@ aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" keypair: "VPNKEY" - group: "{{ security_group }}" - instance_type: "{{ instance_type }}" + group: vpn-secgroup + instance_type: t2.nano image: "{{ ami_image }}" wait: true - region: "{{ regions[region] }}" + region: "{{ region }}" instance_tags: name: "{{ aws_server_name }}" register: ec2 
@@ -69,11 +69,6 @@ groupname: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" - dns_enabled: "{{ dns_enabled }}" - proxy_enabled: "{{ proxy_enabled }}" - ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" - security_enabled: "{{ security_enabled }}" - auditd_enabled: " {{ auditd_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: ec2 ipv6_support: no diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index f96690d..959ec6f 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml @@ -5,7 +5,7 @@ - name: "Creating a new instance..." gce: instance_names: "{{ server_name }}" - zone: "{{ zones[zone] }}" + zone: "{{ zone }}" machine_type: n1-standard-1 image: ubuntu-1604 service_account_email: "{{ credentials_file_lookup.client_email }}" @@ -16,15 +16,10 @@ - name: Add the instance to an inventory group add_host: - name: "{{ google_vm.instance_data[0].public_ip}}" + name: "{{ google_vm.instance_data[0].public_ip }}" groups: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" - dns_enabled: "{{ dns_enabled }}" - proxy_enabled: "{{ proxy_enabled }}" - ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" - auditd_enabled: " {{ auditd_enabled }}" - security_enabled: "{{ security_enabled }}" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: gce ipv6_support: no diff --git a/roles/dns_adblocking/meta/main.yml b/roles/dns_adblocking/meta/main.yml new file mode 100644 index 0000000..325ccd9 --- /dev/null +++ b/roles/dns_adblocking/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file diff --git a/roles/local/handlers/main.yml b/roles/local/handlers/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/local/tasks/main.yml b/roles/local/tasks/main.yml new file mode 100644 index 0000000..de8de4c --- /dev/null 
+++ b/roles/local/tasks/main.yml @@ -0,0 +1,12 @@ +- name: Add the instance to an inventory group + add_host: + name: "{{ server_ip }}" + groups: vpn-host + ansible_ssh_user: "{{ server_user }}" + ansible_python_interpreter: "/usr/bin/python2.7" + easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" + cloud_provider: local + +- name: Waiting for SSH to become available + local_action: "wait_for port=22 host={{ server_ip }} timeout=320" + when: server_ip != "localhost" diff --git a/roles/logging/meta/main.yml b/roles/logging/meta/main.yml new file mode 100644 index 0000000..325ccd9 --- /dev/null +++ b/roles/logging/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file diff --git a/roles/logging/tasks/main.yml b/roles/logging/tasks/main.yml index 821157e..467de88 100644 --- a/roles/logging/tasks/main.yml +++ b/roles/logging/tasks/main.yml @@ -15,7 +15,7 @@ - name: Enable services service: name=auditd enabled=yes - + # Rsyslog - name: Rsyslog installed @@ -32,4 +32,4 @@ - restart rsyslog - name: Enable services - service: name=rsyslog enabled=yes + service: name=rsyslog enabled=yes diff --git a/roles/proxy/meta/main.yml b/roles/proxy/meta/main.yml new file mode 100644 index 0000000..325ccd9 --- /dev/null +++ b/roles/proxy/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file diff --git a/roles/security/meta/main.yml b/roles/security/meta/main.yml new file mode 100644 index 0000000..325ccd9 --- /dev/null +++ b/roles/security/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml index 7046e2c..f951616 100644 --- a/roles/security/tasks/main.yml +++ b/roles/security/tasks/main.yml 
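Review bot: The deleted non-cloud.yml set `IP_subject_alt_name: "{{ IP_subject }}"` with `set_fact` before the roles ran, and no task in this commit reproduces it; if the vpn role still reads `IP_subject_alt_name`, a local deployment now reaches it undefined. Passing it as a host var in the `add_host` call, next to `easyrsa_p12_export_password`, is the smallest fix: `IP_subject_alt_name: "{{ IP_subject }}"`. The `when: server_ip != "localhost"` guard matches only that literal, so `127.0.0.1` is still waited on; harmless, but worth a comment so nobody "fixes" it.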
@@ -2,14 +2,13 @@ apt: name="{{ item }}" state=latest with_items: - unattended-upgrades - + - name: Configure unattended-upgrades template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644 - name: Periodic upgrades configured - template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644 + template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644 -# Using a two-pass approach for checking directories in order to support symlinks. - name: Find directories for minimizing access stat: path: "{{ item }}" diff --git a/roles/ssh_tunneling/meta/main.yml b/roles/ssh_tunneling/meta/main.yml new file mode 100644 index 0000000..325ccd9 --- /dev/null +++ b/roles/ssh_tunneling/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - { role: common } \ No newline at end of file diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml index a8e921a..4ba5173 100644 --- a/roles/vpn/handlers/main.yml +++ b/roles/vpn/handlers/main.yml @@ -10,6 +10,9 @@ - name: save iptables shell: service netfilter-persistent save +- name: save iptables + shell: service netfilter-persistent save + - name: congrats debug: msg: diff --git a/roles/vpn/meta/main.yml b/roles/vpn/meta/main.yml new file mode 100644 index 0000000..4b583d6 --- /dev/null +++ b/roles/vpn/meta/main.yml @@ -0,0 +1,5 @@ +--- + +dependencies: + - { role: common } +
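Review bot: The added `save iptables` handler in roles/vpn/handlers/main.yml is a byte-for-byte copy of the one in the context lines directly above it (`- name: save iptables` / `shell: service netfilter-persistent save`), so the file now declares the same handler name twice. Ansible matches `notify` targets by name, so the second definition is at best redundant and at worst shadows the first; remove the added three lines. If the intent was to cover a second notifier, the existing handler already does, since notifications are deduplicated per handler name.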