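---
# Play: optional "other features" for the Algo VPN host — a loopback alias for
# local services, a Privoxy HTTP proxy, Apache with mod_pagespeed, and a
# dnsmasq resolver with an ad-block list. Runs with privilege escalation on the
# vpn-host group; per-deployment settings (service_dns, vpn_network,
# vpn_network_ipv6) are loaded from config.cfg.
#
# Module arguments are written as native YAML mappings rather than key=value
# strings, file modes are quoted so YAML does not read them as decimal
# integers, and booleans use true/false.
- name: Other features
  hosts: vpn-host
  become: true
  vars_files:
    - config.cfg

  tasks:
    # ---- Loopback alias for local services --------------------------------
    - name: Loopback for services configured
      template:
        src: 10-loopback-services.cfg.j2
        dest: /etc/network/interfaces.d/10-loopback-services.cfg

    - name: Loopback included into the network config
      lineinfile:
        dest: /etc/network/interfaces
        line: 'source /etc/network/interfaces.d/10-loopback-services.cfg'
        state: present

    # shell (not command) is required for the && chain. The task reports
    # "changed" on every run because it has no changed_when; pre-existing.
    - name: Loopback is running
      shell: ifdown lo:100 && ifup lo:100

    # ---- Privoxy ----------------------------------------------------------
    - name: Install privoxy
      apt:
        name: privoxy
        state: latest  # upgrades on every run; the package is not pinned

    - name: Privoxy configured
      template:
        src: privoxy_config.j2
        dest: /etc/privoxy/config
      notify:
        - restart privoxy

    # Profile is root-only (0600). The change notifies a privoxy restart; the
    # profile itself is (re)loaded by the unconditional aa-enforce task below.
    - name: Privoxy profile for apparmor configured
      template:
        src: usr.sbin.privoxy.j2
        dest: /etc/apparmor.d/usr.sbin.privoxy
        owner: root
        group: root
        mode: "0600"
      notify:
        - restart privoxy

    # command is sufficient here: a fixed binary and argument, no shell
    # features, so nothing is passed through a shell.
    - name: Enforce the privoxy AppArmor policy
      command: aa-enforce usr.sbin.privoxy

    - name: Privoxy enabled and started
      service:
        name: privoxy
        state: started
        enabled: true

    # ---- PageSpeed (Apache + mod_pagespeed) -------------------------------
    - name: Apache installed
      apt:
        name: apache2
        state: latest  # upgrades on every run; the package is not pinned

    # The .deb is fetched directly from the vendor's download host over HTTPS.
    # No checksum is specified on this task, so the download's integrity
    # rests on TLS alone.
    - name: PageSpeed installed for x86_64
      apt:
        deb: https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb
      when: ansible_architecture == "x86_64"

    # Every non-x86_64 architecture falls through to the i386 build; there is
    # no separate branch for other architectures.
    - name: PageSpeed installed for i386
      apt:
        deb: https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_i386.deb
      when: ansible_architecture != "x86_64"

    - name: PageSpeed configured
      template:
        src: pagespeed.conf.j2
        dest: /etc/apache2/mods-available/pagespeed.conf
      notify:
        - restart apache2

    - name: Modules enabled
      apache2_module:
        state: present
        name: "{{ item }}"
      with_items:
        - proxy_http
        - pagespeed
        - cache
        - proxy_connect
        - proxy_html
        - rewrite
      notify:
        - restart apache2

    # Written straight into sites-enabled (not sites-available + a2ensite).
    - name: VirtualHost configured for the PageSpeed module
      template:
        src: 000-default.conf.j2
        dest: /etc/apache2/sites-enabled/000-default.conf
      notify:
        - restart apache2

    - name: Apache ports configured
      template:
        src: ports.conf.j2
        dest: /etc/apache2/ports.conf
      notify:
        - restart apache2

    # ---- DNS (dnsmasq + ad-block list) ------------------------------------
    - name: Install dnsmasq
      apt:
        name: dnsmasq
        state: latest  # upgrades on every run; the package is not pinned

    - name: Dnsmasq profile for apparmor configured
      template:
        src: usr.sbin.dnsmasq.j2
        dest: /etc/apparmor.d/usr.sbin.dnsmasq
        owner: root
        group: root
        mode: "0600"
      notify:
        - restart dnsmasq

    - name: Enforce the dnsmasq AppArmor policy
      command: aa-enforce usr.sbin.dnsmasq

    - name: Dnsmasq configured
      template:
        src: dnsmasq.conf.j2
        dest: /etc/dnsmasq.conf
      notify:
        - restart dnsmasq

    # The tasks below are gated on service_dns, which is compared as the
    # string "True"/"False" (that is how config.cfg supplies it).
    - name: Adblock script created
      copy:
        src: templates/adblock.sh
        dest: /opt/adblock.sh
        owner: root
        group: root
        mode: "0755"
      when: service_dns is defined and service_dns == "True"

    # Refresh the block list nightly at 02:10 (minute/hour quoted: cron wants
    # strings, and unquoted "10" would be read as an integer).
    - name: Adblock script added to cron
      cron:
        name: Adblock hosts update
        minute: "10"
        hour: "2"
        job: /opt/adblock.sh
      when: service_dns is defined and service_dns == "True"

    # First population of the block list; a plain executable path, so command
    # replaces the previous shell invocation.
    - name: Update adblock hosts
      command: /opt/adblock.sh
      when: service_dns is defined and service_dns == "True"

    # DNAT every UDP/53 query from the VPN subnet to the local dnsmasq so
    # clients cannot bypass the ad-blocking resolver by configuring their own
    # DNS server. Only UDP is matched; TCP/53 is not redirected by this rule.
    - name: Forward all DNS requests to the local resolver (IPv4)
      iptables:
        table: nat
        chain: PREROUTING
        protocol: udp
        destination_port: "53"
        source: "{{ vpn_network }}"
        jump: DNAT
        to_destination: "172.16.0.1:53"
      notify:
        - save iptables
      when: service_dns is defined and service_dns == "True"

    # IPv6 counterpart. The address is bracketed: in ip6tables DNAT syntax an
    # unbracketed "fcaa::1:53" is itself a valid IPv6 address, so the ":53"
    # would be taken as part of the address rather than as the port.
    - name: Forward all DNS requests to the local resolver (IPv6)
      iptables:
        ip_version: ipv6
        table: nat
        chain: PREROUTING
        protocol: udp
        destination_port: "53"
        source: "{{ vpn_network_ipv6 }}"
        jump: DNAT
        to_destination: "[fcaa::1]:53"
      notify:
        - save iptables
      when: service_dns is defined and service_dns == "True"

    - name: Dnsmasq enabled and started
      service:
        name: dnsmasq
        state: started
        enabled: true
      when: service_dns is defined and service_dns == "True"

    # Explicitly disable dnsmasq when the feature is turned off, since the
    # package is installed unconditionally above.
    - name: Dnsmasq disabled and stopped
      service:
        name: dnsmasq
        state: stopped
        enabled: false
      when: service_dns is defined and service_dns == "False"

  handlers:
    - name: restart privoxy
      service:
        name: privoxy
        state: restarted

    - name: restart dnsmasq
      service:
        name: dnsmasq
        state: restarted

    # No task in this play notifies this handler; kept as defined upstream.
    - name: restart apparmor
      service:
        name: apparmor
        state: restarted

    - name: restart apache2
      service:
        name: apache2
        state: restarted

    # Writes the live ruleset to disk so the DNAT rules survive a reboot.
    - name: save iptables
      command: service netfilter-persistent save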