Archives/algo
2
0
Fork 0
mirror of https://github.com/trailofbits/algo synced 2024-11-18 09:25:38 +00:00
Code Issues Projects Releases Wiki Activity
1,053 Commits 5 Branches 2 Tags 10 MiB
04a2f9361b
Commit Graph

390 Commits

Author SHA1 Message Date
David Myers
b1d1491a66
Clarify AWS prompts (#1861) 2020-08-08 14:10:14 +03:00
Jack Ivanov
8b2b57deda
Install dnscrypt-proxy from ubuntu repos (#1859) 2020-08-07 20:15:13 +03:00
David Myers
8894dd0848
Discontinue use of the WireGuard PPA (#1855) 
* Discontinue use of the WireGuard PPA

* Add instructions to update the system

* Change reboot instruction
 2020-08-06 19:09:15 +03:00
Jack Ivanov
c14ff0d611
Ubuntu 20.04 support (#1782) 
* ubuntu 20.04 support

* purge snapd for 20.04

* strongswan-starter fix
 2020-05-10 13:48:30 +03:00
David Myers
eeda23be97
Initial support for Ubuntu 20.04 (#1770) 2020-04-25 19:42:07 +03:00
Wade Winright
e29615bc05
Modified script to handle more types of blocklists (#1771) 
Added/modified script to better handle multiple types of blocklists available to drop in to the BLOCKLIST_URLS.
 2020-04-25 19:36:43 +03:00
Saravanan Palanisamy
02fe2f7dd5
use ca_password from variable(--extra-vars) - non-interactive installation using ansible playbook (#1774) 
* use ca_password from variable

* add tests to cover the changes

* update tests - PR #1774
 2020-04-25 19:32:16 +03:00
Jack Ivanov
27de76048c
ipv6 nat fix (#1775) 2020-04-25 19:31:47 +03:00
aleks
4f1b9270be
relax CA constraints for client (the client equivalent of PR #1675) (#1768) 
* relax CA constraints for client (the client equivalent of PR #1675)

* fixing incorrectly hard-coded output file path
 2020-04-18 17:03:29 +03:00
David Myers
3f3138f555
Fix IPsec DNS when WireGuard uses port 53 (#1719) 
* Fix IPsec DNS when WireGuard uses port 53

* Change ACCEPT to RETURN
 2020-02-25 07:43:25 +01:00
Jack Ivanov
28d95eace2
Update main.yml (#1727) 2020-02-18 16:20:27 +01:00
Jack Ivanov
1e8a9c5cf1
Generate mobileconfigs for WireGuard (#1698) 
* Generate mobileconfigs for WireGuard

* add xmllint to wireguard profiles

* Enable onDemand prompts for WireGuard

* linting
 2020-02-12 08:31:44 +01:00
Jack Ivanov
dcfed41ae8 Apply netplan for digitalocean only (#1723) 2020-02-10 11:01:20 +01:00
Austin Dworaczyk Wiltshire
027b1b8497
Update dnscrypt-proxy cache settings for improved performance and privacy. (#1714) 
These values match those recommended by the author of DNSCrypt-proxy

See:
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Caching#dns-cache
https://00f.net/2019/11/03/stop-using-low-dns-ttls/
 2020-02-04 07:08:11 +01:00
Jack Ivanov
2abbf22196
Alternative Ingress IP (#1605) 
* Separate ingress IP draft

* task name fix

* placeholder
 2020-01-31 11:24:29 +01:00
Jack Ivanov
0efa4eaf91 Ca certificate name constraints (#1675) 
* X.509 Name Constraints

* nameConstraints to a random generated uuid

* Second level domain

* nameConstraints fixes

* critical in nameConstraints lost after last refactoring
 2020-01-25 20:08:55 +07:00
Jack Ivanov
eb40ade096
scaleway region fix (#1678) 2020-01-08 11:11:41 +01:00
Jack Ivanov
d635c76b50
Change default SSH port and introduce cloud-init support (#1636) 
* Change default SSH port

* Iptables to ansible_ssh_port

* Add Scaleway

* permissions and groups fixes

* update firewall docs

* SSH fixes

* add missing cloudinit to cloud-azure

* remove ansible_ssh_user from the tests

* congrats message fix
 2020-01-07 14:28:19 +01:00
Julien Bachmann
43aafdfce1 fixed code to work with python3.7 (#1608) 
* fixed code to work with python3.7

* removed trailing whitespaces and re-run ansible-linter
 2019-11-06 08:25:35 +01:00
David Myers
5737317dae Allow WireGuard to listen on port 53 (#1594) 
* Allow WireGuard to listen on port 53

* Use a variable for the port to avoid

* Add comment to config.cfg
 2019-10-30 08:38:39 +01:00
Jack Ivanov
8bdd99c05d Refactor to support Ansible 2.8 (#1549) 
* bump ansible to 2.8.3

* DigitalOcean: move to the latest modules

* Add Hetzner Cloud

* Scaleway and Lightsail fixes

* lint missing roles

* Update roles/cloud-hetzner/tasks/main.yml

Add api_token

Co-Authored-By: phaer <phaer@phaer.org>

* Update roles/cloud-hetzner/tasks/main.yml

Add api_token

Co-Authored-By: phaer <phaer@phaer.org>

* Try to run apt until succeeded

* Scaleway modules upgrade

* GCP: Refactoring, remove deprecated modules

* Doc updates (#1552)

* Update README.md

Adding links and mentions of Exoscale aka CloudStack and Hetzner Cloud.

* Update index.md

Add the Hetzner Cloud to the docs index

* Remove link to Win 10 IPsec instructions

* Delete client-windows.md

Unnecessary since the deprecation of IPsec for Win10.

* Update deploy-from-ansible.md

Added sections and required variables for CloudStack and Hetzner Cloud.

* Update deploy-from-ansible.md

Added sections for CloudStack and Hetzner, added req variables and examples, mentioned environment variables, and added links to the provider role section.

* Update deploy-from-ansible.md

Cosmetic changes to links, fix typo.

* Update GCE variables

* Update deploy-from-script-or-cloud-init-to-localhost.md

Fix a finer point, and make variables list more readable.

* update azure requirements

* Python3 draft

* set LANG=c to the p12 password generation task

* Update README

* Install cloud requirements to the existing venv

* FreeBSD fix

* env->.env fixes

* lightsail_region_facts fix

* yaml syntax fix

* Update README for Python 3 (#1564)

* Update README for Python 3

* Remove tabs and tweak instructions

* Remove cosmetic command indentation

* Update README.md

* Update README for Python 3 (#1565)

* DO fix for "found unpermitted parameters: id"

* Verify Python version

* Remove ubuntu 16.04 from readme

* Revert back DigitalOcean module

* Update deploy-from-script-or-cloud-init-to-localhost.md

* env to .env
 2019-09-28 08:10:20 +08:00
Jack Ivanov
61729ac9b5
Update client.conf.j2 (#1580) 2019-09-12 12:52:10 +02:00
Squirrel
1ca8ee5554 Generates a password by native module (#1576) 
* use password module to generate password

* fix variable reference

* reduce character set to meet origin design

*  CA and p12 password chanes

- Move the CA_password generation task to the native lookup plugin
- Get rid of unneeded tasks
 2019-09-06 10:55:57 +02:00
Jack Ivanov
c6f45ead69
Allow OnDemand to be toggled later (#1557) 2019-09-06 09:33:36 +02:00
Jack Ivanov
95eddccfb7
EC2: Enable EBS single step encryption by default (#1556) 
* EC2: EBS single step encryption by default

* return back the encryption variable
 2019-08-26 17:25:29 +02:00
Jack Ivanov
fe7755e6a0
Allow to unblock smb and netbios in config.cfg (#1558) 2019-08-21 12:03:10 +02:00
Julien Bachmann
3dc08c94cf New cloud provider CloudStack (#1420) 
* clean commits from branch cloud-cloudstack w/ proper committer email/name

* fixed ansible-lint errors

* corrected typo in prompted message

* standalone cloudstack zones module

* added missing environment variables

* remove `_cloudstack_zones` default variable

* Move to Ubuntu 19.04

* Update cloud-cloudstack.md

* Update cloud-cloudstack.md

Markdown doesn't render `<your account>`

* Update prompts.yml

* Update main.yml
 2019-08-15 15:23:10 +02:00
Jack Ivanov
211d1b2cab
Google Cloud: remove sshguard (#1548) 
* Google Cloud: remove sshguard

* Remove whitespace
 2019-08-15 09:27:54 +02:00
Jack Ivanov
38d8a6d0e2 Deprecate IKEv2 for Windows (#1521) 
* Windows to WireGuard

* Add note about WireGuard

* change wireguard faq

* Clarify Windows instructions

* Correct Wireguard description

* Update README.md
 2019-07-31 11:28:33 -04:00
Jack Ivanov
545ad480a4
Add tags to EC2 encrypted images (#1530) 2019-07-27 15:47:17 +02:00
Jack Ivanov
090a60d48d PKI to tmpfs (#1496) 
* PKI to tmpfs

* Fixes
- diskutil to full path
- unmount and eject fixes

* Umount fix

* run diskutil info only on Darwin kernels

* fix shell tasks
 2019-07-10 12:31:25 -04:00
Jack Ivanov
f986811d64
remove pycrypto from the gce role (#1489) 
pycrypto is dead
 2019-07-04 18:00:15 +02:00
Jack Ivanov
0e6554943f
Add default IPv6 routes to the windows powershell script (#1501) 2019-06-24 20:32:08 +02:00
Daniel Néri
14ee323eca Fix outdated task name in DNS role (#1499) 2019-06-24 14:10:20 +02:00
TC1977
8462f0fb6c Unattended upgrade fixes (#1485) 
* Keep custom dnscrypt-proxy conffile when upgrading

* Unattended upgrade tuning
- Upgrade the 50unattended-upgrades file with latest options
- Keep the common unattended upgrade options in one file
- Enable removing of unused kernels and dependencies to save some space
 2019-06-24 10:23:34 +02:00
Jack Ivanov
6f58093a06
Update azure regions 
Closes #1492
 2019-06-21 16:01:41 +02:00
Jack Ivanov
8602a697cc
dnscrypt-proxy as a dns adblocker (#1480) 
* Move DNS adblocking to dnscrypt-proxy

* Update docs

* remove unneeded variable dnscrypt_proxy_version

* Update to the latest dnscrypt-proxy version

* install.sh fix

* spelling
 2019-06-19 17:31:43 +02:00
rodeodomino
fa5b86961c Adding ipv6 localhost to the listen addresses (#1476) 2019-06-10 18:13:01 +02:00
elreydetoda
146cbc71ce Adding preshared key support (#1465) 
* adding preshared key generation

* adding preshared folder

* Update client.conf.j2

adding preshared key options

* adding preshared keys to server template

* making sure private preshared is right

* making sure preshared keygen working for main.yml

* changing private to preshared for name

* changing to preshared dir instead of public
 2019-06-05 08:31:16 +02:00
Jack Ivanov
498cf46391 Block link-local networks. Block traffic from SSH tunnels to VPN clients (#1458) 2019-06-02 19:01:08 -04:00
Jack Ivanov
a2fdc509e1
Support for Ubuntu 19.04 (#1405) 
* Ubuntu 19.04

* Azure to 19.04
 2019-05-30 20:57:47 +02:00
Jack Ivanov
c27aed708a
EC2 eip facts authentication fix (#1454) 
* EC2 eip facts authentication fix

* add region to ec2_eip_facts
 2019-05-30 16:13:48 +02:00
Elliot Murphy
e3a6170ae6 AWS support for existing EIP (revised) (#1292) 
* Support for associating to existing AWS Elastic IP

Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>

* Backport ec2_eip_facts module for EIP support

This means that EIP support no longer requires Ansible 2.6
The local fact module has been named ec2_elasticip_facts
to avoid conflict with the ec2_eip_facts module whenever
the Ansible 2.6 upgrade takes place.

Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>

* Update from review feedback.

Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>

* Move to the native module. Add additional condition for existing Elastic IP
 2019-05-20 14:40:51 +02:00
shapiro125
72c8e9e244 Add IPv6 support to DNS (#1425) 
* Add ipv6

* Add ipv6

* add ipv6

* add ipv6

* Switching out ipv6 address with local_service_ipv6 variable from #1429

* Fixing variable error
 2019-05-20 13:17:39 +02:00
Anton Strogonoff
368ebc8625 fix: Use wait_for_connection to avoid failure (#1381) 
With preexisting wait_for implementation, deployment to Ubuntu on Lightsail failed with a connection reset error on this task. It appears that Ansible’s wait_for_connection is the recommended way. I have successfully gotten past this task after this change, however I’d appreciate more eyes on this.
 2019-05-17 16:04:13 +02:00
Jack Ivanov
5904546a48
Randomly generated IP address for the local dns resolver (#1429) 
* generate service IPs dynamically

* update cloud-init tests

* exclude ipsec and wireguard ranges from the random service ip

* Update docs

* @davidemyers: update wireguard docs for linux

* Move to netaddr filter

* AllowedIPs fix

* WireGuard IPs fix
 2019-05-17 14:49:29 +02:00
Rémy Léone
826a2c5036 Add documentation about Scaleway credentials (#1419) 2019-05-12 11:21:55 +02:00
Jack Ivanov
6b33d09d9f
Scaleway modules (#1410) 
* Scaleway modules

* Update docs
 2019-05-03 09:55:45 +02:00
Jack Ivanov
d6a1fb91bd
WIP: Facts definition fix (#1415) 
Facts definition fix
 2019-05-01 11:51:06 +02:00
TC1977
faa4b9a8da Automatically create cloud firewall rules for installs onto Vultr (#1400) 
* Update main.yml

* Change module names and add IPv6 firewall rules

Uses guide at https://www.renemoser.net/blog/2018/03/19/vultr-firewalling-with-ansible/ written by Rene Moser.

* change vultr to vr

* add ip_version to firewall rules

* add SSH access rules

* Use variable for wireguard port

* update module names for ansible 2.7

* Fix trailing whitespaces

* Try to fix trailing whitespaces again
 2019-04-27 12:59:26 +02:00