mirror of
https://github.com/trailofbits/algo
synced 2024-11-04 06:00:21 +00:00
143 lines
5.9 KiB
YAML
143 lines
5.9 KiB
YAML
---
|
|
- name: Ask user for the input
|
|
hosts: localhost
|
|
tags: always
|
|
vars:
|
|
defaults:
|
|
server_name: algo
|
|
ondemand_cellular: false
|
|
ondemand_wifi: false
|
|
dns_adblocking: false
|
|
ssh_tunneling: false
|
|
store_pki: false
|
|
providers_map:
|
|
- { name: DigitalOcean, alias: digitalocean }
|
|
- { name: Amazon Lightsail, alias: lightsail }
|
|
- { name: Amazon EC2, alias: ec2 }
|
|
- { name: Microsoft Azure, alias: azure }
|
|
- { name: Google Compute Engine, alias: gce }
|
|
- { name: Hetzner Cloud, alias: hetzner }
|
|
- { name: Vultr, alias: vultr }
|
|
- { name: Scaleway, alias: scaleway}
|
|
- { name: OpenStack (DreamCompute optimised), alias: openstack }
|
|
- { name: CloudStack (Exoscale optimised), alias: cloudstack }
|
|
- { name: "Install to existing Ubuntu 18.04 or 19.10 server (for more advanced users)", alias: local }
|
|
vars_files:
|
|
- config.cfg
|
|
|
|
tasks:
|
|
- block:
|
|
- name: Cloud prompt
|
|
pause:
|
|
prompt: |
|
|
What provider would you like to use?
|
|
{% for p in providers_map %}
|
|
{{ loop.index }}. {{ p['name'] }}
|
|
{% endfor %}
|
|
|
|
Enter the number of your desired provider
|
|
register: _algo_provider
|
|
when: provider is undefined
|
|
|
|
- name: Set facts based on the input
|
|
set_fact:
|
|
algo_provider: "{{ provider | default(providers_map[_algo_provider.user_input|default(omit)|int - 1]['alias']) }}"
|
|
|
|
- name: VPN server name prompt
|
|
pause:
|
|
prompt: |
|
|
Name the vpn server
|
|
[algo]
|
|
register: _algo_server_name
|
|
when:
|
|
- server_name is undefined
|
|
- algo_provider != "local"
|
|
- block:
|
|
- name: Cellular On Demand prompt
|
|
pause:
|
|
prompt: |
|
|
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
|
|
[y/N]
|
|
register: _ondemand_cellular
|
|
when: ondemand_cellular is undefined
|
|
|
|
- name: Wi-Fi On Demand prompt
|
|
pause:
|
|
prompt: |
|
|
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
|
|
[y/N]
|
|
register: _ondemand_wifi
|
|
when: ondemand_wifi is undefined
|
|
|
|
- name: Trusted Wi-Fi networks prompt
|
|
pause:
|
|
prompt: |
|
|
List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand"
|
|
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
|
|
register: _ondemand_wifi_exclude
|
|
when:
|
|
- ondemand_wifi_exclude is undefined
|
|
- (ondemand_wifi|default(false)|bool) or
|
|
(booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false))
|
|
|
|
- name: Retain the PKI prompt
|
|
pause:
|
|
prompt: |
|
|
Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
|
|
[y/N]
|
|
register: _store_pki
|
|
when: store_pki is undefined
|
|
when: ipsec_enabled
|
|
|
|
- name: DNS adblocking prompt
|
|
pause:
|
|
prompt: |
|
|
Do you want to enable DNS ad blocking on this VPN server?
|
|
[y/N]
|
|
register: _dns_adblocking
|
|
when: dns_adblocking is undefined
|
|
|
|
- name: SSH tunneling prompt
|
|
pause:
|
|
prompt: |
|
|
Do you want each user to have their own account for SSH tunneling?
|
|
[y/N]
|
|
register: _ssh_tunneling
|
|
when: ssh_tunneling is undefined
|
|
|
|
- name: Set facts based on the input
|
|
set_fact:
|
|
algo_server_name: >-
|
|
{% if server_name is defined %}{% set _server = server_name %}
|
|
{%- elif _algo_server_name.user_input is defined and _algo_server_name.user_input|length > 0 -%}
|
|
{%- set _server = _algo_server_name.user_input -%}
|
|
{%- else %}{% set _server = defaults['server_name'] %}{% endif -%}
|
|
{{ _server | regex_replace('(?!\.)(\W|_)', '-') }}
|
|
algo_ondemand_cellular: >-
|
|
{% if ondemand_cellular is defined %}{{ ondemand_cellular | bool }}
|
|
{%- elif _ondemand_cellular.user_input is defined %}{{ booleans_map[_ondemand_cellular.user_input] | default(defaults['ondemand_cellular']) }}
|
|
{%- else %}false{% endif %}
|
|
algo_ondemand_wifi: >-
|
|
{% if ondemand_wifi is defined %}{{ ondemand_wifi | bool }}
|
|
{%- elif _ondemand_wifi.user_input is defined %}{{ booleans_map[_ondemand_wifi.user_input] | default(defaults['ondemand_wifi']) }}
|
|
{%- else %}false{% endif %}
|
|
algo_ondemand_wifi_exclude: >-
|
|
{% if ondemand_wifi_exclude is defined %}{{ ondemand_wifi_exclude | b64encode }}
|
|
{%- elif _ondemand_wifi_exclude.user_input is defined and _ondemand_wifi_exclude.user_input|length > 0 -%}
|
|
{{ _ondemand_wifi_exclude.user_input | b64encode }}
|
|
{%- else %}{{ '_null' | b64encode }}{% endif %}
|
|
algo_dns_adblocking: >-
|
|
{% if dns_adblocking is defined %}{{ dns_adblocking | bool }}
|
|
{%- elif _dns_adblocking.user_input is defined %}{{ booleans_map[_dns_adblocking.user_input] | default(defaults['dns_adblocking']) }}
|
|
{%- else %}false{% endif %}
|
|
algo_ssh_tunneling: >-
|
|
{% if ssh_tunneling is defined %}{{ ssh_tunneling | bool }}
|
|
{%- elif _ssh_tunneling.user_input is defined %}{{ booleans_map[_ssh_tunneling.user_input] | default(defaults['ssh_tunneling']) }}
|
|
{%- else %}false{% endif %}
|
|
algo_store_pki: >-
|
|
{% if ipsec_enabled %}{%- if store_pki is defined %}{{ store_pki | bool }}
|
|
{%- elif _store_pki.user_input is defined %}{{ booleans_map[_store_pki.user_input] | default(defaults['store_pki']) }}
|
|
{%- else %}false{% endif %}{% endif %}
|
|
rescue:
|
|
- include_tasks: playbooks/rescue.yml
|