Merge branch 'tags' #80
commit
dbeb7a13e8
@ -0,0 +1,81 @@
|
|||||||
|
### Cloud Providers
|
||||||
|
|
||||||
|
**digitalocean**
|
||||||
|
*Requirement variables:*
|
||||||
|
- do_access_token
|
||||||
|
- do_ssh_name
|
||||||
|
- do_server_name
|
||||||
|
- do_region
|
||||||
|
|
||||||
|
*Possible regions:*
|
||||||
|
- ams2
|
||||||
|
- ams3
|
||||||
|
- fra1
|
||||||
|
- lon1
|
||||||
|
- nyc1
|
||||||
|
- nyc2
|
||||||
|
- nyc3
|
||||||
|
- sfo1
|
||||||
|
- sfo2
|
||||||
|
- sgp1
|
||||||
|
- tor1
|
||||||
|
- blr1
|
||||||
|
|
||||||
|
**gce**
|
||||||
|
*Requirement variables:*
|
||||||
|
- credentials_file
|
||||||
|
- server_name
|
||||||
|
- ssh_public_key
|
||||||
|
- zone
|
||||||
|
|
||||||
|
*Possible zones:*
|
||||||
|
- us-central1-a
|
||||||
|
- us-central1-b
|
||||||
|
- us-central1-c
|
||||||
|
- us-central1-f
|
||||||
|
- us-east1-b
|
||||||
|
- us-east1-c
|
||||||
|
- us-east1-d
|
||||||
|
- europe-west1-b
|
||||||
|
- europe-west1-c
|
||||||
|
- europe-west1-d
|
||||||
|
- asia-east1-a
|
||||||
|
- asia-east1-b
|
||||||
|
- asia-east1-c
|
||||||
|
|
||||||
|
**ec2**
|
||||||
|
*Requirement variables:*
|
||||||
|
- aws_access_key
|
||||||
|
- aws_secret_key
|
||||||
|
- aws_server_name
|
||||||
|
- ssh_public_key
|
||||||
|
- region
|
||||||
|
|
||||||
|
*Possible regions:*
|
||||||
|
- us-east-1
|
||||||
|
- us-west-1
|
||||||
|
- us-west-2
|
||||||
|
- ap-south-1
|
||||||
|
- ap-northeast-2
|
||||||
|
- ap-southeast-1
|
||||||
|
- ap-southeast-2
|
||||||
|
- ap-northeast-1
|
||||||
|
- eu-central-1
|
||||||
|
- eu-west-1
|
||||||
|
- sa-east-1
|
||||||
|
|
||||||
|
**local installation**
|
||||||
|
*Requirement variables:*
|
||||||
|
- server_ip
|
||||||
|
- server_user
|
||||||
|
- IP_subject
|
||||||
|
|
||||||
|
### Deployment
|
||||||
|
|
||||||
|
Start the deploy with extra variables and tags that you need.
|
||||||
|
Example for DigitalOcean:
|
||||||
|
|
||||||
|
```
|
||||||
|
ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=secret_token_abc do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2'
|
||||||
|
```
|
||||||
|
|
@ -0,0 +1,41 @@
|
|||||||
|
- name: Configure the server and install required software
|
||||||
|
hosts: localhost
|
||||||
|
tags: algo
|
||||||
|
vars_files:
|
||||||
|
- config.cfg
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- { role: cloud-digitalocean, tags: ['digitalocean'] }
|
||||||
|
- { role: cloud-ec2, tags: ['ec2'] }
|
||||||
|
- { role: cloud-gce, tags: ['gce'] }
|
||||||
|
- { role: local, tags: ['local'] }
|
||||||
|
|
||||||
|
- name: Post-provisioning tasks
|
||||||
|
hosts: vpn-host
|
||||||
|
gather_facts: false
|
||||||
|
tags: algo
|
||||||
|
become: true
|
||||||
|
vars_files:
|
||||||
|
- config.cfg
|
||||||
|
|
||||||
|
pre_tasks:
|
||||||
|
- name: Common pre-tasks
|
||||||
|
include: playbooks/common.yml
|
||||||
|
tags: [ 'digitalocean', 'ec2', 'gce', 'pre' ]
|
||||||
|
|
||||||
|
- name: DigitalOcean pre-tasks
|
||||||
|
include: playbooks/digitalocean.yml
|
||||||
|
tags: [ 'digitalocean' ]
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- { role: security, tags: [ 'security' ] }
|
||||||
|
- { role: proxy, tags: [ 'proxy', 'adblock' ] }
|
||||||
|
- { role: dns_adblocking, tags: ['dns', 'adblock' ] }
|
||||||
|
- { role: logging, tags: [ 'logging' ] }
|
||||||
|
- { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] }
|
||||||
|
- { role: vpn, tags: [ 'vpn' ] }
|
||||||
|
|
||||||
|
handlers:
|
||||||
|
- name: reload eth0
|
||||||
|
shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'
|
||||||
|
|
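Review bot: The first play of the new deploy.yml takes `do_access_token` (and, for the other providers, `aws_secret_key` and `easyrsa_p12_export_password`) only from extra vars, while the removed per-provider playbooks collected these through `vars_prompt` entries marked `private: yes`; the README hunk in this commit shows them passed inline with `-e 'do_access_token=secret_token_abc …'`, which lands the token in shell history and in the process listing for the run. I would keep a `private: yes` prompt as the fallback when the variable is undefined, or at least document the `-e @vars.yml` file form so the secret never appears on the command line. Separately, the `Common pre-tasks` include at `tags: [ 'digitalocean', 'ec2', 'gce', 'pre' ]` does not carry `local`, so a `-t local,vpn` run appears to skip the python2.7 prerequisite step the removed local playbook used to run — worth confirming the `local` role covers it.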
@ -1,147 +0,0 @@
|
|||||||
# vim:ft=ansible:
|
|
||||||
- name: Configure the server and install required software
|
|
||||||
hosts: localhost
|
|
||||||
|
|
||||||
vars:
|
|
||||||
regions:
|
|
||||||
"1": "ams2"
|
|
||||||
"2": "ams3"
|
|
||||||
"3": "fra1"
|
|
||||||
"4": "lon1"
|
|
||||||
"5": "nyc1"
|
|
||||||
"6": "nyc2"
|
|
||||||
"7": "nyc3"
|
|
||||||
"8": "sfo1"
|
|
||||||
"9": "sfo2"
|
|
||||||
"10": "sgp1"
|
|
||||||
"11": "tor1"
|
|
||||||
"12": "blr1"
|
|
||||||
|
|
||||||
vars_prompt:
|
|
||||||
- name: "do_access_token"
|
|
||||||
prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n"
|
|
||||||
private: yes
|
|
||||||
|
|
||||||
- name: "do_ssh_name"
|
|
||||||
prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "do_region"
|
|
||||||
prompt: >
|
|
||||||
What region should the server be located in?
|
|
||||||
1. Amsterdam (Datacenter 2)
|
|
||||||
2. Amsterdam (Datacenter 3)
|
|
||||||
3. Frankfurt
|
|
||||||
4. London
|
|
||||||
5. New York (Datacenter 1)
|
|
||||||
6. New York (Datacenter 2)
|
|
||||||
7. New York (Datacenter 3)
|
|
||||||
8. San Francisco (Datacenter 1)
|
|
||||||
9. San Francisco (Datacenter 2)
|
|
||||||
10. Singapore
|
|
||||||
11. Toronto
|
|
||||||
12. Bangalore
|
|
||||||
Enter the number of your desired region:
|
|
||||||
default: "7"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "do_server_name"
|
|
||||||
prompt: "Name the vpn server:\n"
|
|
||||||
default: "algo.local"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "dns_enabled"
|
|
||||||
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "proxy_enabled"
|
|
||||||
prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "auditd_enabled"
|
|
||||||
prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "ssh_tunneling_enabled"
|
|
||||||
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "security_enabled"
|
|
||||||
prompt: "Do you want to enable the security role? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "easyrsa_p12_export_password"
|
|
||||||
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
|
||||||
default: "vpnpw"
|
|
||||||
private: yes
|
|
||||||
|
|
||||||
roles:
|
|
||||||
- cloud-digitalocean
|
|
||||||
|
|
||||||
- name: Post-provisioning tasks
|
|
||||||
hosts: vpn-host
|
|
||||||
gather_facts: false
|
|
||||||
become: true
|
|
||||||
vars_files:
|
|
||||||
- config.cfg
|
|
||||||
|
|
||||||
pre_tasks:
|
|
||||||
- name: Install prerequisites
|
|
||||||
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
|
|
||||||
- name: Configure defaults
|
|
||||||
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
|
|
||||||
|
|
||||||
- name: Enable IPv6 on the droplet
|
|
||||||
uri:
|
|
||||||
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
|
|
||||||
method: POST
|
|
||||||
body:
|
|
||||||
type: enable_ipv6
|
|
||||||
body_format: json
|
|
||||||
status_code: 201
|
|
||||||
HEADER_Authorization: "Bearer {{ do_access_token }}"
|
|
||||||
HEADER_Content-Type: "application/json"
|
|
||||||
|
|
||||||
- name: Get Droplet networks
|
|
||||||
uri:
|
|
||||||
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
|
|
||||||
method: GET
|
|
||||||
status_code: 200
|
|
||||||
HEADER_Authorization: "Bearer {{ do_access_token }}"
|
|
||||||
HEADER_Content-Type: "application/json"
|
|
||||||
register: droplet_info
|
|
||||||
|
|
||||||
- name: IPv6 configured
|
|
||||||
template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
|
|
||||||
with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
|
|
||||||
notify:
|
|
||||||
- reload eth0
|
|
||||||
|
|
||||||
- name: IPv6 included into the network config
|
|
||||||
lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present
|
|
||||||
notify:
|
|
||||||
- reload eth0
|
|
||||||
|
|
||||||
- meta: flush_handlers
|
|
||||||
|
|
||||||
- name: Wait for SSH to become available
|
|
||||||
local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320"
|
|
||||||
become: false
|
|
||||||
|
|
||||||
roles:
|
|
||||||
- common
|
|
||||||
- { role: security, when: security_enabled is defined and security_enabled == "y" }
|
|
||||||
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
|
||||||
- { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
|
|
||||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
|
||||||
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
|
|
||||||
- vpn
|
|
||||||
|
|
||||||
handlers:
|
|
||||||
- name: reload eth0
|
|
||||||
shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'
|
|
@ -1,112 +0,0 @@
|
|||||||
# vim:ft=ansible:
|
|
||||||
- name: Create a sandbox instance
|
|
||||||
hosts: localhost
|
|
||||||
gather_facts: False
|
|
||||||
vars_files:
|
|
||||||
- config.cfg
|
|
||||||
vars:
|
|
||||||
instance_type: t2.nano
|
|
||||||
security_group: vpn-secgroup
|
|
||||||
regions:
|
|
||||||
"1": "us-east-1"
|
|
||||||
"2": "us-west-1"
|
|
||||||
"3": "us-west-2"
|
|
||||||
"4": "ap-south-1"
|
|
||||||
"5": "ap-northeast-2"
|
|
||||||
"6": "ap-southeast-1"
|
|
||||||
"7": "ap-southeast-2"
|
|
||||||
"8": "ap-northeast-1"
|
|
||||||
"9": "eu-central-1"
|
|
||||||
"10": "eu-west-1"
|
|
||||||
"11": "sa-east-1"
|
|
||||||
|
|
||||||
vars_prompt:
|
|
||||||
- name: "aws_access_key"
|
|
||||||
prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
|
|
||||||
private: yes
|
|
||||||
|
|
||||||
- name: "aws_secret_key"
|
|
||||||
prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
|
|
||||||
private: yes
|
|
||||||
|
|
||||||
- name: "region"
|
|
||||||
prompt: >
|
|
||||||
What region should the server be located in?
|
|
||||||
1. us-east-1 US East (N. Virginia)
|
|
||||||
2. us-west-1 US West (N. California)
|
|
||||||
3. us-west-2 US West (Oregon)
|
|
||||||
4. ap-south-1 Asia Pacific (Mumbai)
|
|
||||||
5. ap-northeast-2 Asia Pacific (Seoul)
|
|
||||||
6. ap-southeast-1 Asia Pacific (Singapore)
|
|
||||||
7. ap-southeast-2 Asia Pacific (Sydney)
|
|
||||||
8. ap-northeast-1 Asia Pacific (Tokyo)
|
|
||||||
9. eu-central-1 EU (Frankfurt)
|
|
||||||
10. eu-west-1 EU (Ireland)
|
|
||||||
11. sa-east-1 South America (São Paulo)
|
|
||||||
default: "1"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "aws_server_name"
|
|
||||||
prompt: "Name the vpn server:\n"
|
|
||||||
default: "algo.local"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "ssh_public_key"
|
|
||||||
prompt: "Enter the local path to your SSH public key:\n"
|
|
||||||
default: "~/.ssh/id_rsa.pub"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "dns_enabled"
|
|
||||||
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "proxy_enabled"
|
|
||||||
prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "auditd_enabled"
|
|
||||||
prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "ssh_tunneling_enabled"
|
|
||||||
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "security_enabled"
|
|
||||||
prompt: "Do you want to enable the security role? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "easyrsa_p12_export_password"
|
|
||||||
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
|
||||||
default: "vpnpw"
|
|
||||||
private: yes
|
|
||||||
|
|
||||||
roles:
|
|
||||||
- cloud-ec2
|
|
||||||
|
|
||||||
- name: Post-provisioning tasks
|
|
||||||
hosts: vpn-host
|
|
||||||
gather_facts: false
|
|
||||||
become: true
|
|
||||||
vars_files:
|
|
||||||
- config.cfg
|
|
||||||
|
|
||||||
pre_tasks:
|
|
||||||
- name: Install prerequisites
|
|
||||||
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
|
|
||||||
- name: Configure defaults
|
|
||||||
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
|
|
||||||
|
|
||||||
roles:
|
|
||||||
- common
|
|
||||||
- { role: security, when: security_enabled is defined and security_enabled == "y" }
|
|
||||||
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
|
||||||
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
|
|
||||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
|
||||||
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
|
|
||||||
- vpn
|
|
@ -1,110 +0,0 @@
|
|||||||
# vim:ft=ansible:
|
|
||||||
- name: Configure the server and install required software
|
|
||||||
hosts: localhost
|
|
||||||
gather_facts: false
|
|
||||||
|
|
||||||
vars:
|
|
||||||
zones:
|
|
||||||
"1": "us-central1-a"
|
|
||||||
"2": "us-central1-b"
|
|
||||||
"3": "us-central1-c"
|
|
||||||
"4": "us-central1-f"
|
|
||||||
"5": "us-east1-b"
|
|
||||||
"6": "us-east1-c"
|
|
||||||
"7": "us-east1-d"
|
|
||||||
"8": "europe-west1-b"
|
|
||||||
"9": "europe-west1-c"
|
|
||||||
"10": "europe-west1-d"
|
|
||||||
"11": "asia-east1-a"
|
|
||||||
"12": "asia-east1-b"
|
|
||||||
"13": "asia-east1-c"
|
|
||||||
|
|
||||||
vars_prompt:
|
|
||||||
- name: "credentials_file"
|
|
||||||
prompt: "Enter the local path to your credentials JSON file [ex: ~/gogle_cloud.json] (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):\n"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "ssh_public_key"
|
|
||||||
prompt: "Enter the local path to your SSH public key:\n"
|
|
||||||
default: "~/.ssh/id_rsa.pub"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "zone"
|
|
||||||
prompt: >
|
|
||||||
What zone should the server be located in?
|
|
||||||
1. Central US (Iowa A)
|
|
||||||
2. Central US (Iowa B)
|
|
||||||
3. Central US (Iowa C)
|
|
||||||
4. Central US (Iowa F)
|
|
||||||
5. Eastern US (South Carolina B)
|
|
||||||
6. Eastern US (South Carolina C)
|
|
||||||
7. Eastern US (South Carolina D)
|
|
||||||
8. Western Europe (Belgium B)
|
|
||||||
9. Western Europe (Belgium C)
|
|
||||||
10. Western Europe (Belgium D)
|
|
||||||
11. East Asia (Taiwan A)
|
|
||||||
12. East Asia (Taiwan B)
|
|
||||||
13. East Asia (Taiwan C)
|
|
||||||
Please choose the number of your zone. Press enter for default (#8) zone.
|
|
||||||
default: "8"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "server_name"
|
|
||||||
prompt: "Name the vpn server:\n"
|
|
||||||
default: "algo"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "dns_enabled"
|
|
||||||
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "proxy_enabled"
|
|
||||||
prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "auditd_enabled"
|
|
||||||
prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "ssh_tunneling_enabled"
|
|
||||||
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "security_enabled"
|
|
||||||
prompt: "Do you want to enable the security role? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "easyrsa_p12_export_password"
|
|
||||||
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
|
||||||
default: "vpnpw"
|
|
||||||
private: yes
|
|
||||||
|
|
||||||
roles:
|
|
||||||
- cloud-gce
|
|
||||||
|
|
||||||
- name: Post-provisioning tasks
|
|
||||||
hosts: vpn-host
|
|
||||||
gather_facts: false
|
|
||||||
become: true
|
|
||||||
vars_files:
|
|
||||||
- config.cfg
|
|
||||||
|
|
||||||
pre_tasks:
|
|
||||||
- name: Install prerequisites
|
|
||||||
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
|
|
||||||
- name: Configure defaults
|
|
||||||
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
|
|
||||||
|
|
||||||
roles:
|
|
||||||
- common
|
|
||||||
- { role: security, when: security_enabled is defined and security_enabled == "y" }
|
|
||||||
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
|
||||||
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
|
|
||||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
|
||||||
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
|
|
||||||
- vpn
|
|
@ -1,89 +0,0 @@
|
|||||||
# vim:ft=ansible:
|
|
||||||
- hosts: localhost
|
|
||||||
gather_facts: False
|
|
||||||
vars_files:
|
|
||||||
- config.cfg
|
|
||||||
|
|
||||||
vars_prompt:
|
|
||||||
- name: "server_ip"
|
|
||||||
prompt: "Enter IP address of your server: (use localhost for local installation)\n"
|
|
||||||
default: localhost
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "server_user"
|
|
||||||
prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n"
|
|
||||||
default: "root"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "dns_enabled"
|
|
||||||
prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "proxy_enabled"
|
|
||||||
prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "auditd_enabled"
|
|
||||||
prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "ssh_tunneling_enabled"
|
|
||||||
prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "security_enabled"
|
|
||||||
prompt: "Do you want to enable the security role? (y/n):\n"
|
|
||||||
default: "y"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
- name: "easyrsa_p12_export_password"
|
|
||||||
prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
|
|
||||||
default: "vpnpw"
|
|
||||||
private: yes
|
|
||||||
|
|
||||||
- name: "IP_subject"
|
|
||||||
prompt: "Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
|
|
||||||
private: no
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
- name: Add the server to the vpn-host group
|
|
||||||
add_host:
|
|
||||||
hostname: "{{ server_ip }}"
|
|
||||||
groupname: vpn-host
|
|
||||||
ansible_ssh_user: "{{ server_user }}"
|
|
||||||
ansible_python_interpreter: "/usr/bin/python2.7"
|
|
||||||
dns_enabled: "{{ dns_enabled }}"
|
|
||||||
proxy_enabled: "{{ proxy_enabled }}"
|
|
||||||
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
|
|
||||||
security_enabled: "{{ security_enabled }}"
|
|
||||||
auditd_enabled: " {{ auditd_enabled }}"
|
|
||||||
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
|
|
||||||
IP_subject: "{{ IP_subject }}"
|
|
||||||
|
|
||||||
- name: Post-provisioning tasks
|
|
||||||
hosts: vpn-host
|
|
||||||
gather_facts: false
|
|
||||||
become: true
|
|
||||||
vars_files:
|
|
||||||
- config.cfg
|
|
||||||
|
|
||||||
pre_tasks:
|
|
||||||
- name: Install prerequisites
|
|
||||||
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
|
|
||||||
- name: Configure defaults
|
|
||||||
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
|
|
||||||
- set_fact:
|
|
||||||
IP_subject_alt_name: "{{ IP_subject }}"
|
|
||||||
|
|
||||||
roles:
|
|
||||||
- common
|
|
||||||
- { role: security, when: security_enabled is defined and security_enabled == "y" }
|
|
||||||
- { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
|
|
||||||
- { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
|
|
||||||
- { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
|
|
||||||
- { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
|
|
||||||
- vpn
|
|
@ -0,0 +1,5 @@
|
|||||||
|
- name: Install prerequisites
|
||||||
|
raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
|
||||||
|
|
||||||
|
- name: Configure defaults
|
||||||
|
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
|
@ -0,0 +1,36 @@
|
|||||||
|
- name: Enable IPv6 on the droplet
|
||||||
|
uri:
|
||||||
|
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
|
||||||
|
method: POST
|
||||||
|
body:
|
||||||
|
type: enable_ipv6
|
||||||
|
body_format: json
|
||||||
|
status_code: 201
|
||||||
|
HEADER_Authorization: "Bearer {{ do_access_token }}"
|
||||||
|
HEADER_Content-Type: "application/json"
|
||||||
|
|
||||||
|
- name: Get Droplet networks
|
||||||
|
uri:
|
||||||
|
url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
|
||||||
|
method: GET
|
||||||
|
status_code: 200
|
||||||
|
HEADER_Authorization: "Bearer {{ do_access_token }}"
|
||||||
|
HEADER_Content-Type: "application/json"
|
||||||
|
register: droplet_info
|
||||||
|
|
||||||
|
- name: IPv6 configured
|
||||||
|
template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
|
||||||
|
with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
|
||||||
|
notify:
|
||||||
|
- reload eth0
|
||||||
|
|
||||||
|
- name: IPv6 included into the network config
|
||||||
|
lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present
|
||||||
|
notify:
|
||||||
|
- reload eth0
|
||||||
|
|
||||||
|
- meta: flush_handlers
|
||||||
|
|
||||||
|
- name: Wait for SSH to become available
|
||||||
|
local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320"
|
||||||
|
become: false
|
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- { role: common }
|
@ -0,0 +1,12 @@
|
|||||||
|
- name: Add the instance to an inventory group
|
||||||
|
add_host:
|
||||||
|
name: "{{ server_ip }}"
|
||||||
|
groups: vpn-host
|
||||||
|
ansible_ssh_user: "{{ server_user }}"
|
||||||
|
ansible_python_interpreter: "/usr/bin/python2.7"
|
||||||
|
easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
|
||||||
|
cloud_provider: local
|
||||||
|
|
||||||
|
- name: Waiting for SSH to become available
|
||||||
|
local_action: "wait_for port=22 host={{ server_ip }} timeout=320"
|
||||||
|
when: server_ip != "localhost"
|
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- { role: common }
|
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- { role: common }
|
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- { role: common }
|
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- { role: common }
|
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- { role: common }
|
||||||
|
|
Loading…
Reference in New Issue