Merge branch 'tags' #80

8 years ago · dbeb7a13e8
parent 3522ea5cc8 4d731580b7
commit dbeb7a13e8
25 changed files with 413 additions and 495 deletions
--- a/ADVANCED.md
+++ b/ADVANCED.md
@ -0,0 +1,81 @@
 ### Cloud Providers
 **digitalocean**  
 *Requirement variables:*  
 - do_access_token  
 - do_ssh_name  
 - do_server_name  
 - do_region
 *Possible regions:*  
 - ams2
 - ams3
 - fra1
 - lon1
 - nyc1
 - nyc2
 - nyc3
 - sfo1
 - sfo2
 - sgp1
 - tor1
 - blr1
 **gce**  
 *Requirement variables:*  
 - credentials_file
 - server_name
 - ssh_public_key
 - zone
 *Possible zones:*  
 - us-central1-a
 - us-central1-b
 - us-central1-c
 - us-central1-f
 - us-east1-b
 - us-east1-c
 - us-east1-d
 - europe-west1-b
 - europe-west1-c
 - europe-west1-d
 - asia-east1-a
 - asia-east1-b
 - asia-east1-c
 **ec2**  
 *Requirement variables:*  
 - aws_access_key
 - aws_secret_key
 - aws_server_name
 - ssh_public_key
 - region
 *Possible regions:*  
 - us-east-1
 - us-west-1
 - us-west-2
 - ap-south-1
 - ap-northeast-2
 - ap-southeast-1
 - ap-southeast-2
 - ap-northeast-1
 - eu-central-1
 - eu-west-1
 - sa-east-1
 **local installation**  
 *Requirement variables:*  
 - server_ip
 - server_user
 - IP_subject
 ### Deployment
 Start the deploy with extra variables and tags that you need.  
 Example for DigitalOcean:
 ```
 ansible-playbook deploy.yml -t digitalocean,vpn -e 'do_access_token=secret_token_abc do_ssh_name=my_ssh_key do_server_name=algo.local do_region=ams2'
 ```
--- a/README.md
+++ b/README.md
@ -73,6 +73,20 @@ Ansible scripts are organized into roles. The roles used by Algo are described i
 * SHell or BASH
 * libselinux-python (for RedHat based distros)
 ### Roles and Tags
 **Cloud roles:**  
 - role: cloud-digitalocean, tags: digitalocean
 - role: cloud-ec2, tags: ec2  
 - role: cloud-gce, tags: gce  
 **Server roles:**  
 - role: vpn, tags: vpn 
 - role: dns_adblocking, tags: dns, adblock
 - role: proxy, tags: proxy, adblock 
 - role: logging, tags: logging
 - role: security, tags: security
 - role: ssh_tunneling, tags: ssh_tunneling
 ### Cloud Deployment
 To install the dependencies on OS X or Linux:
--- a/185
+++ b/185
@ -2,6 +2,180 @@
 set -e
 digitalocean () {
  read -p "
 Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):  
 : " -rs do_access_token
  read -p "
 Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):
 : " -r do_ssh_name
  read -p "
 Name the vpn server:
 [algo.local]: " -r do_server_name
  do_server_name=${do_server_name:-algo.local}
  read -p "
  What region should the server be located in?
    1.  Amsterdam        (Datacenter 2)
    2.  Amsterdam        (Datacenter 3)
    3.  Frankfurt
    4.  London
    5.  New York         (Datacenter 1)
    6.  New York         (Datacenter 2)
    7.  New York         (Datacenter 3)
    8.  San Francisco    (Datacenter 1)
    9.  San Francisco    (Datacenter 2)
    10. Singapore
    11. Toronto
    12. Bangalore
 Enter the number of your desired region: 
 [7]: " -r region
  region=${region:-7}  
  case "$region" in 
    1) do_region="ams2" ;;
    2) do_region="ams3" ;;
    3) do_region="fra1" ;;
    4) do_region="lon1" ;;
    5) do_region="nyc1" ;;
    6) do_region="nyc2" ;;
    7) do_region="nyc3" ;;
    8) do_region="sfo1" ;;
    9) do_region="sfo2" ;;
    10) do_region="sgp1" ;;
    11) do_region="tor1" ;;
    12) do_region="blr1" ;;
  esac
 ansible-playbook deploy.yml -t digitalocean,vpn -e "do_access_token=$do_access_token do_ssh_name=$do_ssh_name do_server_name=$do_server_name do_region=$do_region"    
 }
 ec2 () {
  read -p "
 Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):
 : " -rs aws_access_key
  read -p "
 Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):
 : " -rs aws_secret_key
  read -p "
 Enter the local path to your SSH public key:
 : " -r ssh_public_key
  read -p "
 Name the vpn server:
 [algo]: " -r aws_server_name
  aws_server_name=${aws_server_name:-algo}
  read -p "
  What region should the server be located in?
    1.   us-east-1           US East (N. Virginia)
    2.   us-west-1           US West (N. California)
    3.   us-west-2           US West (Oregon)
    4.   ap-south-1          Asia Pacific (Mumbai)
    5.   ap-northeast-2      Asia Pacific (Seoul)
    6.   ap-southeast-1      Asia Pacific (Singapore)
    7.   ap-southeast-2      Asia Pacific (Sydney)
    8.   ap-northeast-1      Asia Pacific (Tokyo)
    9.   eu-central-1        EU (Frankfurt)
    10.  eu-west-1           EU (Ireland)
    11.  sa-east-1           South America (São Paulo)
 Enter the number of your desired region: 
 [1]: " -r aws_region
  aws_region=${aws_region:-1}  
  case "$aws_region" in 
    1) region="us-east-1" ;;
    2) region="us-west-1" ;;
    3) region="us-west-2" ;;
    4) region="ap-south-1" ;;
    5) region="ap-northeast-2" ;;
    6) region="ap-southeast-1" ;;
    7) region="ap-southeast-2" ;;
    8) region="ap-northeast-1" ;;
    9) region="eu-central-1" ;;
    10) region="eu-west-1" ;;
    11) region="sa-east-1" ;;
  esac
 ansible-playbook deploy.yml -t ec2,vpn -e "aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region"
 }
 gce () {
  read -p "
 Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts): 
 : " -r credentials_file
  read -p "
 Enter the local path to your SSH public key:
 : " -r ssh_public_key
  read -p "
 Name the vpn server:
 [algo]: " -r server_name
  server_name=${server_name:-algo}
  read -p "
  What zone should the server be located in?
    1. Central US       (Iowa A)
    2. Central US       (Iowa B)
    3. Central US       (Iowa C)
    4. Central US       (Iowa F)
    5. Eastern US       (South Carolina B)
    6. Eastern US       (South Carolina C)
    7. Eastern US       (South Carolina D)
    8. Western Europe   (Belgium B)
    9. Western Europe   (Belgium C)
    10. Western Europe  (Belgium D)
    11. East Asia       (Taiwan A)
    12. East Asia       (Taiwan B)
    13. East Asia       (Taiwan C)
 Please choose the number of your zone. Press enter for default (#8) zone.
 [8]: " -r region
  region=${region:-8}  
  case "$region" in 
    1) zone="us-central1-a" ;;
    2) zone="us-central1-b" ;;
    3) zone="us-central1-c" ;;
    4) zone="us-central1-f" ;;
    5) zone="us-east1-b" ;;
    6) zone="us-east1-c" ;;
    7) zone="us-east1-d" ;;
    8) zone="europe-west1-b" ;;
    9) zone="europe-west1-c" ;;
    10) zone="europe-west1-d" ;;
    11) zone="asia-east1-a" ;;
    12) zone="asia-east1-b" ;;
    13) zone="asia-east1-c" ;;
  esac
 ansible-playbook deploy.yml -t gce,vpn -e "credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone"   
 }
 non_cloud () {
  read -p "
 Enter IP address of your server: (use localhost for local installation)
 : " -r server_ip
  read -p "
 What user should we use to login on the server? (ignore if you're deploying to localhost)
 [root]: " -r server_user
  server_user=${server_user:-root}
  read -p "
 Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)
 : " -r IP_subject
  ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject=$IP_subject" 
 }
 algo_provisioning () {
  echo -n "
  What provider would you like to use?
@ -16,14 +190,13 @@ Enter the number of your desired provider
  read -r N
  case "$N" in
-    1) CLOUD="digitalocean" ;;
+    1) digitalocean; ;;
-    2) CLOUD="ec2" ;;
+    2) ec2; ;;
-    3) CLOUD="gce" ;;
+    3) gce; ;;
-    4) CLOUD="non-cloud" ;;
+    4) non_cloud; ;;
    *) exit 1 ;;
  esac
-  
+
  ansible-playbook "${CLOUD}.yml"
 }
 user_management () {
--- a/config.cfg
+++ b/config.cfg
@ -13,6 +13,8 @@ auditd_action_mail_acct: email@example.com
 easyrsa_dir: /opt/easy-rsa-ipsec
 easyrsa_ca_expire: 3650
 easyrsa_cert_expire: 3650
 easyrsa_p12_export_password: vpnpws
 # If True re-init all existing certificates. (True or False)
 easyrsa_reinit_existent: False
--- a/deploy.yml
+++ b/deploy.yml
@ -0,0 +1,41 @@
 - name: Configure the server and install required software
  hosts: localhost
  tags: algo
  vars_files:
    - config.cfg
  roles:
    - { role: cloud-digitalocean, tags: ['digitalocean'] }
    - { role: cloud-ec2, tags: ['ec2'] }
    - { role: cloud-gce, tags: ['gce'] }
    - { role: local, tags: ['local'] }
 - name: Post-provisioning tasks
  hosts: vpn-host
  gather_facts: false
  tags: algo
  become: true
  vars_files:
    - config.cfg
  pre_tasks:
    - name: Common pre-tasks
      include: playbooks/common.yml
      tags: [ 'digitalocean', 'ec2', 'gce', 'pre' ]
    - name: DigitalOcean pre-tasks
      include: playbooks/digitalocean.yml
      tags: [ 'digitalocean' ]
  roles:
    - { role: security, tags: [ 'security' ] }
    - { role: proxy, tags: [ 'proxy', 'adblock' ] }
    - { role: dns_adblocking, tags: ['dns', 'adblock' ] }
    - { role: logging, tags: [ 'logging' ] }
    - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] }
    - { role: vpn, tags: [ 'vpn' ] }
  handlers:
    - name: reload eth0
      shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'
--- a/digitalocean.yml
+++ b/digitalocean.yml
@ -1,147 +0,0 @@
 # vim:ft=ansible:
 - name: Configure the server and install required software
  hosts: localhost
  vars:
    regions:
      "1":  "ams2"
      "2":  "ams3"
      "3":  "fra1"
      "4":  "lon1"
      "5":  "nyc1"
      "6":  "nyc2"
      "7":  "nyc3"
      "8":  "sfo1"
      "9":  "sfo2"
      "10": "sgp1"
      "11": "tor1"
      "12": "blr1"
  vars_prompt:
  - name: "do_access_token"
    prompt: "Enter your API Token (https://cloud.digitalocean.com/settings/api/tokens):\n"
    private: yes
  - name: "do_ssh_name"
    prompt: "Enter a valid SSH key name (https://cloud.digitalocean.com/settings/security):\n"
    private: no
  - name: "do_region"
    prompt: >
      What region should the server be located in?
        1.  Amsterdam        (Datacenter 2)
        2.  Amsterdam        (Datacenter 3)
        3.  Frankfurt
        4.  London
        5.  New York         (Datacenter 1)
        6.  New York         (Datacenter 2)
        7.  New York         (Datacenter 3)
        8.  San Francisco    (Datacenter 1)
        9.  San Francisco    (Datacenter 2)
        10. Singapore
        11. Toronto
        12. Bangalore
      Enter the number of your desired region:
    default: "7"
    private: no
  - name: "do_server_name"
    prompt: "Name the vpn server:\n"
    default: "algo.local"
    private: no
  - name: "dns_enabled"
    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
    default: "y"
    private: no
  - name: "proxy_enabled"
    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
    default: "y"
    private: no
  - name: "auditd_enabled"
    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
    default: "y"
    private: no
  - name: "ssh_tunneling_enabled"
    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
    default: "y"
    private: no
  - name: "security_enabled"
    prompt: "Do you want to enable the security role? (y/n):\n"
    default: "y"
    private: no
  - name: "easyrsa_p12_export_password"
    prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
    default: "vpnpw"
    private: yes
  roles:
    - cloud-digitalocean
 - name: Post-provisioning tasks
  hosts: vpn-host
  gather_facts: false
  become: true
  vars_files:
    - config.cfg
  pre_tasks:
    - name: Install prerequisites
      raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
    - name: Configure defaults
      raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
    - name: Enable IPv6 on the droplet
      uri:
        url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
        method: POST
        body:
          type: enable_ipv6
        body_format: json
        status_code: 201
        HEADER_Authorization: "Bearer {{ do_access_token }}"
        HEADER_Content-Type: "application/json"
    - name: Get Droplet networks
      uri:
        url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
        method: GET
        status_code: 200
        HEADER_Authorization: "Bearer {{ do_access_token }}"
        HEADER_Content-Type: "application/json"
      register: droplet_info
    - name: IPv6 configured
      template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
      with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
      notify:
        - reload eth0
    - name: IPv6 included into the network config
      lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present
      notify:
        - reload eth0
    - meta: flush_handlers
    - name: Wait for SSH to become available
      local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320"
      become: false
  roles:
    - common
    - { role: security, when: security_enabled is defined and security_enabled == "y" }
    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
    - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
    - vpn    
  handlers:
    - name: reload eth0
      shell: sh -c 'ifdown eth0; ip addr flush dev eth0; ifup eth0'
--- a/ec2.yml
+++ b/ec2.yml
@ -1,112 +0,0 @@
 # vim:ft=ansible:
 - name: Create a sandbox instance
  hosts: localhost
  gather_facts: False
  vars_files:
    - config.cfg
  vars:
    instance_type: t2.nano
    security_group: vpn-secgroup
    regions:
      "1":  "us-east-1"
      "2":  "us-west-1"
      "3":  "us-west-2"
      "4":  "ap-south-1"
      "5":  "ap-northeast-2"
      "6":  "ap-southeast-1"
      "7":  "ap-southeast-2"
      "8":  "ap-northeast-1"
      "9":  "eu-central-1"
      "10": "eu-west-1"
      "11": "sa-east-1"
  vars_prompt:
  - name: "aws_access_key"
    prompt: "Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
    private: yes
  - name: "aws_secret_key"
    prompt: "Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html):\n"
    private: yes
  - name: "region"
    prompt: >
      What region should the server be located in?
       1.   us-east-1           US East (N. Virginia)
       2.   us-west-1           US West (N. California)
       3.   us-west-2           US West (Oregon)
       4.   ap-south-1          Asia Pacific (Mumbai)
       5.   ap-northeast-2      Asia Pacific (Seoul)
       6.   ap-southeast-1      Asia Pacific (Singapore)
       7.   ap-southeast-2      Asia Pacific (Sydney)
       8.   ap-northeast-1      Asia Pacific (Tokyo)
       9.   eu-central-1        EU (Frankfurt)
       10.  eu-west-1           EU (Ireland)
       11.  sa-east-1           South America (São Paulo)
    default: "1"
    private: no
  - name: "aws_server_name"
    prompt: "Name the vpn server:\n"
    default: "algo.local"
    private: no
  - name: "ssh_public_key"
    prompt: "Enter the local path to your SSH public key:\n"
    default: "~/.ssh/id_rsa.pub"
    private: no
  - name: "dns_enabled"
    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
    default: "y"
    private: no
  - name: "proxy_enabled"
    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
    default: "y"
    private: no
  - name: "auditd_enabled"
    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
    default: "y"
    private: no
  - name: "ssh_tunneling_enabled"
    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
    default: "y"
    private: no
  - name: "security_enabled"
    prompt: "Do you want to enable the security role? (y/n):\n"
    default: "y"
    private: no
  - name: "easyrsa_p12_export_password"
    prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
    default: "vpnpw"
    private: yes
  roles:
    - cloud-ec2
 - name: Post-provisioning tasks
  hosts: vpn-host
  gather_facts: false
  become: true
  vars_files:
    - config.cfg
  pre_tasks:
    - name: Install prerequisites
      raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
    - name: Configure defaults
      raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
  roles:
    - common
    - { role: security, when: security_enabled is defined and security_enabled == "y" }
    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
    - vpn    
--- a/gce.yml
+++ b/gce.yml
@ -1,110 +0,0 @@
 # vim:ft=ansible:
 - name: Configure the server and install required software
  hosts: localhost
  gather_facts: false
  vars:
    zones:
      "1": "us-central1-a"
      "2": "us-central1-b"
      "3": "us-central1-c"
      "4": "us-central1-f"
      "5": "us-east1-b"
      "6": "us-east1-c"
      "7": "us-east1-d"
      "8": "europe-west1-b"
      "9": "europe-west1-c"
      "10": "europe-west1-d"
      "11": "asia-east1-a"
      "12": "asia-east1-b"
      "13": "asia-east1-c"
  vars_prompt:
  - name: "credentials_file"
    prompt: "Enter the local path to your credentials JSON file [ex: ~/gogle_cloud.json] (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts):\n"
    private: no
  - name: "ssh_public_key"
    prompt: "Enter the local path to your SSH public key:\n"
    default: "~/.ssh/id_rsa.pub"
    private: no
  - name: "zone"
    prompt: >
      What zone should the server be located in?
        1. Central US       (Iowa A)
        2. Central US       (Iowa B)
        3. Central US       (Iowa C)
        4. Central US       (Iowa F)
        5. Eastern US       (South Carolina B)
        6. Eastern US       (South Carolina C)
        7. Eastern US       (South Carolina D)
        8. Western Europe   (Belgium B)
        9. Western Europe   (Belgium C)
        10. Western Europe  (Belgium D)
        11. East Asia       (Taiwan A)
        12. East Asia       (Taiwan B)
        13. East Asia       (Taiwan C)
      Please choose the number of your zone. Press enter for default (#8) zone.
    default: "8"
    private: no
  - name: "server_name"
    prompt: "Name the vpn server:\n"
    default: "algo"
    private: no
  - name: "dns_enabled"
    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
    default: "y"
    private: no
  - name: "proxy_enabled"
    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
    default: "y"
    private: no
  - name: "auditd_enabled"
    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
    default: "y"
    private: no
  - name: "ssh_tunneling_enabled"
    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
    default: "y"
    private: no
  - name: "security_enabled"
    prompt: "Do you want to enable the security role? (y/n):\n"
    default: "y"
    private: no
  - name: "easyrsa_p12_export_password"
    prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
    default: "vpnpw"
    private: yes
  roles:
    - cloud-gce
 - name: Post-provisioning tasks
  hosts: vpn-host
  gather_facts: false
  become: true
  vars_files:
    - config.cfg
  pre_tasks:
    - name: Install prerequisites
      raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
    - name: Configure defaults
      raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
  roles:
    - common
    - { role: security, when: security_enabled is defined and security_enabled == "y" }
    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
    - vpn    
--- a/non-cloud.yml
+++ b/non-cloud.yml
@ -1,89 +0,0 @@
 # vim:ft=ansible:
 - hosts: localhost
  gather_facts: False
  vars_files:
    - config.cfg
  vars_prompt:
  - name: "server_ip"
    prompt: "Enter IP address of your server: (use localhost for local installation)\n"
    default: localhost
    private: no
  - name: "server_user"
    prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n"
    default: "root"
    private: no
  - name: "dns_enabled"
    prompt: "Do you want to install a local DNS resolver to block ads while surfing? (y/n):\n"
    default: "y"
    private: no
  - name: "proxy_enabled"
    prompt: "Do you want to install an HTTP proxy to block ads and decrease traffic usage while surfing? (y/n):\n"
    default: "y"
    private: no
  - name: "auditd_enabled"
    prompt: "Do you want to use auditd for security monitoring (see config.cfg)? (y/n):\n"
    default: "y"
    private: no
  - name: "ssh_tunneling_enabled"
    prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
    default: "y"
    private: no
  - name: "security_enabled"
    prompt: "Do you want to enable the security role? (y/n):\n"
    default: "y"
    private: no
  - name: "easyrsa_p12_export_password"
    prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
    default: "vpnpw"
    private: yes
  - name: "IP_subject"
    prompt: "Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
    private: no
  tasks:
    - name: Add the server to the vpn-host group
      add_host:
        hostname: "{{ server_ip }}"
        groupname: vpn-host
        ansible_ssh_user: "{{ server_user }}"
        ansible_python_interpreter: "/usr/bin/python2.7"
        dns_enabled: "{{ dns_enabled }}"
        proxy_enabled: "{{ proxy_enabled }}"
        ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
        security_enabled: "{{ security_enabled }}"
        auditd_enabled: " {{ auditd_enabled }}"
        easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
        IP_subject: "{{ IP_subject }}"
 - name: Post-provisioning tasks
  hosts: vpn-host
  gather_facts: false
  become: true
  vars_files:
    - config.cfg
  pre_tasks:
    - name: Install prerequisites
      raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
    - name: Configure defaults
      raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
    - set_fact:
        IP_subject_alt_name: "{{ IP_subject }}"
  roles:
    - common
    - { role: security, when: security_enabled is defined and security_enabled == "y" }
    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
    - { role: ssh_tunneling, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
    - vpn    
--- a/playbooks/common.yml
+++ b/playbooks/common.yml
@ -0,0 +1,5 @@
 - name: Install prerequisites
  raw: sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
 - name: Configure defaults
  raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
--- a/playbooks/digitalocean.yml
+++ b/playbooks/digitalocean.yml
@ -0,0 +1,36 @@
 - name: Enable IPv6 on the droplet
  uri:
    url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}/actions"
    method: POST
    body:
      type: enable_ipv6
    body_format: json
    status_code: 201
    HEADER_Authorization: "Bearer {{ do_access_token }}"
    HEADER_Content-Type: "application/json"
 - name: Get Droplet networks
  uri:
    url: "https://api.digitalocean.com/v2/droplets/{{ do_droplet_id }}"
    method: GET
    status_code: 200
    HEADER_Authorization: "Bearer {{ do_access_token }}"
    HEADER_Content-Type: "application/json"
  register: droplet_info
 - name: IPv6 configured
  template: src=roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 dest=/etc/network/interfaces.d/20-ipv6.cfg owner=root group=root mode=0644
  with_items: "{{ droplet_info.json.droplet.networks.v6 }}"
  notify:
    - reload eth0
 - name: IPv6 included into the network config
  lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/20-ipv6.cfg' state=present
  notify:
    - reload eth0
 - meta: flush_handlers
 - name: Wait for SSH to become available
  local_action: "wait_for port=22 host={{ inventory_hostname }} timeout=320"
  become: false
--- a/roles/cloud-digitalocean/tasks/main.yml
+++ b/roles/cloud-digitalocean/tasks/main.yml
@ -1,6 +1,6 @@
 - name: Set the DigitalOcean Access Token fact
  set_fact:
-    do_token: "{{ do_access_token | default( lookup('env', 'DIGITALOCEAN_API_KEY') ) }}"
+    do_token: "{{ do_access_token }}"
 - name: "Getting your SSH key ID on Digital Ocean..."
  digital_ocean:
@ -15,7 +15,7 @@
    state: present
    command: droplet
    name: "{{ do_server_name }}"
-    region_id: "{{ regions[do_region] }}"
+    region_id: "{{ do_region }}"
    size_id: "512mb"
    image_id: "ubuntu-16-04-x64"
    ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}"
@ -31,11 +31,6 @@
    ansible_python_interpreter: "/usr/bin/python2.7"
    do_access_token: "{{ do_access_token }}"
    do_droplet_id: "{{ do.droplet.id }}"
    dns_enabled: "{{ dns_enabled }}"
    proxy_enabled: "{{ proxy_enabled }}"
    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
    security_enabled: "{{ security_enabled }}"
    auditd_enabled: " {{ auditd_enabled }}"
    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
    cloud_provider: digitalocean
    ipv6_support: yes
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@ -7,7 +7,7 @@
    sort: name
    sort_order: descending
    sort_end: 1
-    region: "{{ regions[region] }}"
+    region: "{{ region }}"
  register: ami_search
 - set_fact:
@ -18,7 +18,7 @@
    aws_access_key: "{{ aws_access_key }}"
    aws_secret_key: "{{ aws_secret_key }}"
    name: VPNKEY
-    region: "{{ regions[region] }}"
+    region: "{{ region }}"
    key_material: "{{ item }}"
  with_file: "{{ ssh_public_key }}"
  register: keypair
@ -27,9 +27,9 @@
  ec2_group:
    aws_access_key: "{{ aws_access_key }}"
    aws_secret_key: "{{ aws_secret_key }}"
-    name: "{{ security_group }}"
+    name: vpn-secgroup
    description: Security group for VPN servers
-    region: "{{ regions[region] }}"
+    region: "{{ region }}"
    rules:
      - proto: udp
        from_port: 4500
@ -54,11 +54,11 @@
    aws_access_key: "{{ aws_access_key }}"
    aws_secret_key: "{{ aws_secret_key }}"
    keypair: "VPNKEY"
-    group: "{{ security_group }}"
+    group: vpn-secgroup
-    instance_type: "{{ instance_type }}"
+    instance_type: t2.nano
    image: "{{ ami_image }}"
    wait: true
-    region: "{{ regions[region] }}"
+    region: "{{ region }}"
    instance_tags:
      name: "{{ aws_server_name }}"
  register: ec2
@ -69,11 +69,6 @@
    groupname: vpn-host
    ansible_ssh_user: ubuntu
    ansible_python_interpreter: "/usr/bin/python2.7"
    dns_enabled: "{{ dns_enabled }}"
    proxy_enabled: "{{ proxy_enabled }}"
    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
    security_enabled: "{{ security_enabled }}"
    auditd_enabled: " {{ auditd_enabled }}"
    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
    cloud_provider: ec2
    ipv6_support: no
--- a/roles/cloud-gce/tasks/main.yml
+++ b/roles/cloud-gce/tasks/main.yml
@ -5,7 +5,7 @@
 - name: "Creating a new instance..."
  gce:
    instance_names: "{{ server_name }}"
-    zone: "{{ zones[zone] }}"
+    zone: "{{ zone }}"
    machine_type: n1-standard-1
    image: ubuntu-1604
    service_account_email: "{{ credentials_file_lookup.client_email  }}"
@ -16,15 +16,10 @@
 - name: Add the instance to an inventory group
  add_host:
-    name: "{{ google_vm.instance_data[0].public_ip}}"
+    name: "{{ google_vm.instance_data[0].public_ip }}"
    groups: vpn-host
    ansible_ssh_user: ubuntu
    ansible_python_interpreter: "/usr/bin/python2.7"
    dns_enabled: "{{ dns_enabled }}"
    proxy_enabled: "{{ proxy_enabled }}"
    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
    auditd_enabled: " {{ auditd_enabled }}"
    security_enabled: "{{ security_enabled }}"
    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
    cloud_provider: gce
    ipv6_support: no
--- a/roles/dns_adblocking/meta/main.yml
+++ b/roles/dns_adblocking/meta/main.yml
@ -0,0 +1,4 @@
 ---
 dependencies:
  - { role: common }
--- a/roles/local/handlers/main.yml
+++ b/roles/local/handlers/main.yml
--- a/roles/local/tasks/main.yml
+++ b/roles/local/tasks/main.yml
@ -0,0 +1,12 @@
 - name: Add the instance to an inventory group
  add_host:
    name: "{{ server_ip }}"
    groups: vpn-host
    ansible_ssh_user: "{{ server_user }}"
    ansible_python_interpreter: "/usr/bin/python2.7"
    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
    cloud_provider: local
 - name: Waiting for SSH to become available
  local_action: "wait_for port=22 host={{ server_ip }} timeout=320"
  when: server_ip != "localhost"
--- a/roles/logging/meta/main.yml
+++ b/roles/logging/meta/main.yml
@ -0,0 +1,4 @@
 ---
 dependencies:
  - { role: common }
--- a/roles/logging/tasks/main.yml
+++ b/roles/logging/tasks/main.yml
@ -15,7 +15,7 @@
 - name: Enable services
  service: name=auditd enabled=yes
-  
+
 # Rsyslog
 - name: Rsyslog installed
@ -32,4 +32,4 @@
    - restart rsyslog
 - name: Enable services
-  service: name=rsyslog enabled=yes  
+  service: name=rsyslog enabled=yes
--- a/roles/proxy/meta/main.yml
+++ b/roles/proxy/meta/main.yml
@ -0,0 +1,4 @@
 ---
 dependencies:
  - { role: common }
--- a/roles/security/meta/main.yml
+++ b/roles/security/meta/main.yml
@ -0,0 +1,4 @@
 ---
 dependencies:
  - { role: common }
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@ -2,14 +2,13 @@
  apt: name="{{ item }}" state=latest
  with_items:
    - unattended-upgrades
-    
+
 - name: Configure unattended-upgrades
  template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644
 - name: Periodic upgrades configured
-  template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644    
+  template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644
 # Using a two-pass approach for checking directories in order to support symlinks.
 - name: Find directories for minimizing access
  stat:
    path: "{{ item }}"
--- a/roles/ssh_tunneling/meta/main.yml
+++ b/roles/ssh_tunneling/meta/main.yml
@ -0,0 +1,4 @@
 ---
 dependencies:
  - { role: common }
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@ -10,6 +10,9 @@
 - name: save iptables
  shell: service netfilter-persistent save
 - name: save iptables
  shell: service netfilter-persistent save
 - name: congrats
  debug:
    msg:
--- a/roles/vpn/meta/main.yml
+++ b/roles/vpn/meta/main.yml
@ -0,0 +1,5 @@
 ---
 dependencies:
  - { role: common }