diff --git a/.gitignore b/.gitignore index a030ccde2..b2d5d5075 100644 --- a/.gitignore +++ b/.gitignore @@ -8,6 +8,7 @@ generated-docs .DS_Store .vagrant/ ubuntu-xenial-16.04-cloudimg-console.log +ubuntu-bionic-18.04-cloudimg-console.log # Ignore changes to the existing server inventory to allow users to modify it inventories/inventory-existing diff --git a/README-chs.md b/README-chs.md index 6eef67b7d..7e77427c1 100644 --- a/README-chs.md +++ b/README-chs.md @@ -18,8 +18,8 @@ Streisand Streisand介绍 --------------------- -* 只需要一个简单的脚本,就能在全新的 Ubuntu 16.04 服务器上运行[多个不同的科学上网工具](#提供的服务),它们能够让你匿名并且加密所有的网络流量。 -* Streisand 原生支持多个 VPS 供应商,其中包括[亚马逊EC2](https://aws.amazon.com/ec2/),[微软云服务](https://azure.microsoft.com),[DigitalOcean](https://www.digitalocean.com/),[Google云计算](https://cloud.google.com/compute/),[Linode](https://www.linode.com/)和[Rackspace](https://www.rackspace.com/);随着软件的开发还将支持更多云和VPS——只要运行的是 Ubuntu 16.04 ,不论提供商是谁还是有**成百个**实例都能用这个方法部署。 +* 只需要一个简单的脚本,就能在全新的 Ubuntu 18.04 服务器上运行[多个不同的科学上网工具](#提供的服务),它们能够让你匿名并且加密所有的网络流量。 +* Streisand 原生支持多个 VPS 供应商,其中包括[亚马逊EC2](https://aws.amazon.com/ec2/),[微软云服务](https://azure.microsoft.com),[DigitalOcean](https://www.digitalocean.com/),[Google云计算](https://cloud.google.com/compute/),[Linode](https://www.linode.com/)和[Rackspace](https://www.rackspace.com/);随着软件的开发还将支持更多云和VPS——只要运行的是 Ubuntu 18.04 ,不论提供商是谁还是有**成百个**实例都能用这个方法部署。 * 整个部署过程顺利的话大概在10分钟左右搞定。试想一个没有系统管理能力的人可能要花数天来完成其中一项工作,而我们用 Streisand 让你获得获得开箱既得的畅快体验。 * 一旦部署完成,你可以将使用指南发送给你的朋友,家人和你觉得对你重要的人**(译者注:原文是社会活动家)**。在这个指南中包含唯一的一个 SSL 证书,这也意味着你发送给他们的只是一个简单的文件而已。 * 部署好网关中包含了用户需要的一切内容,例如设置向导,所支持操作系统需要的客户端。即使无法下载到官方客户端的朋友都可以在网关中的镜像里下载到需要的最新版本客户端。 
@@ -173,7 +173,7 @@ Streisand 运行在**你自己的计算机上时(或者你电脑的虚拟机 ### 在其他的 VPS 供应商上运行 (高级使用)### -你同样可以将 Streisand 运行在其他 VPS 供应商(提供更好的硬件也没问题,奇葩的 VPS 供应商也行)的 16.04 Ubuntu 上,只需要你在运行 ./streisand 的时候选择菜单中的 "Existing Server (Advanced)" 就可以。你需要提供这个 VPS 的 IP 地址。 +你同样可以将 Streisand 运行在其他 VPS 供应商(提供更好的硬件也没问题,奇葩的 VPS 供应商也行)的 18.04 Ubuntu 上,只需要你在运行 ./streisand 的时候选择菜单中的 "Existing Server (Advanced)" 就可以。你需要提供这个 VPS 的 IP 地址。 这个 VPS 必须使用 `$HOME/.ssh/id_rsa` 来储存 SSH key,并且可以使用 **root** 作为默认用户登录 VPS,如果提供商没有给你 root 用户作为默认用户登录,而是别的用户名,比如:`ubuntu` ,那么在运行 `./streisand` 之前需要额外配置 `ANSIBLE_SSH_USER` 环境变量,比如修改为:`ANSIBLE_SSH_USER=ubuntu` 。 diff --git a/README-fr.md b/README-fr.md index a54e44869..3da1501f5 100644 --- a/README-fr.md +++ b/README-fr.md 
@@ -18,8 +18,8 @@ L'Internet peut être un peu injuste. Il est trop facile pour les fournisseurs d Présentation de Streisand ------------------------- -* Une seule commande configure un tout nouveau serveur Ubuntu 16.04 exécutant une [grande variété de logiciels anti-censure](#services-provided) qui peuvent masquer et chiffrer totalement votre trafic Internet. -* Streisand supporte nativement la création de nouveaux serveurs chez [Amazon EC2](https://aws.amazon.com/ec2/), [Azure](https://azure.microsoft.com/fr-fr/), [DigitalOcean](https://www.digitalocean.com/), [Google Compute Engine](Https://cloud.google.com/compute/), [Linode](https://www.linode.com/) et [Rackspace](https://www.rackspace.com/)— et plus de fournisseurs à venir! Il fonctionne également sur n'importe quel serveur Ubuntu 16.04 quel que soit le fournisseur, et des **centaines** d'instances peuvent être configurés simultanément en utilisant cette méthode. +* Une seule commande configure un tout nouveau serveur Ubuntu 18.04 exécutant une [grande variété de logiciels anti-censure](#services-provided) qui peuvent masquer et chiffrer totalement votre trafic Internet. +* Streisand supporte nativement la création de nouveaux serveurs chez [Amazon EC2](https://aws.amazon.com/ec2/), [Azure](https://azure.microsoft.com/fr-fr/), [DigitalOcean](https://www.digitalocean.com/), [Google Compute Engine](Https://cloud.google.com/compute/), [Linode](https://www.linode.com/) et [Rackspace](https://www.rackspace.com/)— et plus de fournisseurs à venir! Il fonctionne également sur n'importe quel serveur Ubuntu 18.04 quel que soit le fournisseur, et des **centaines** d'instances peuvent être configurés simultanément en utilisant cette méthode. 
* Le processus est entièrement automatisé et ne prend que quelques dizaines de minutes, ce qui est assez remarquable si vous considérez qu'il faudrait un administrateur système au moins plusieurs jours de contrainte pour mettre en place un petit sous-ensemble de ce que Streisand offre dans sa configuration. * Une fois que votre serveur Streisand est en cours d'exécution, vous pouvez donner les instructions de connexion personnalisée à vos amis, membres de la famille et activistes. Les instructions de connexion contiennent une copie intégrée du certificat SSL unique du serveur, il vous suffit de leur envoyer un seul fichier. * Chaque serveur est entièrement autonome et comprend tout ce dont les utilisateurs ont besoin pour démarrer, y compris les miroirs cryptographiquement vérifiés de tous les clients communs. Cela rend toute tentative de censure des emplacements de téléchargement par défaut complètement inefficace. 
@@ -149,7 +149,7 @@ Si vous ne pouvez pas exécuter Streisand de la manière normale (à partir de v ### Exécution de Streisand sur d'autres fournisseurs (Avancé) ### -Vous pouvez également exécuter Streisand sur un nouveau serveur Ubuntu 16.04. Serveur dédié? Génial! Fournisseur de cloud ésotérique? Fantastique! Pour ce faire, choisissez simplement `Existing server (Advanced)` dans le menu après avoir exécuté `./streisand` et fournissez l'adresse IP du serveur existant lorsque vous y êtes invité. +Vous pouvez également exécuter Streisand sur un nouveau serveur Ubuntu 18.04. Serveur dédié? Génial! Fournisseur de cloud ésotérique? Fantastique! Pour ce faire, choisissez simplement `Existing server (Advanced)` dans le menu après avoir exécuté `./streisand` et fournissez l'adresse IP du serveur existant lorsque vous y êtes invité. Le serveur doit être accessible en utilisant la clé SSH `$HOME/.ssh/id_rsa`, avec **root** comme utilisateur de connexion par défaut. Si votre fournisseur vous demande un utilisateur SSH au lieu de `root` (par exemple, `ubuntu`), spécifiez la variable environnementale `ANSIBLE_SSH_USER` (par exemple `ANSIBLE_SSH_USER=ubuntu`) lorsque vous exécutez `./streisand`. diff --git a/README-ru.md b/README-ru.md index aaf6f5524..dde62c477 100644 --- a/README-ru.md +++ b/README-ru.md 
@@ -18,8 +18,8 @@ Представляем Стрейзанд --------------------- -* Одна-единственная команда настраивает с нуля сервер под операционной системой Ubuntu 16.04 с большим набором [ПО для противодействия цензуре](#services-provided), который может полностью скрыть и зашифровать весь ваш трафик. -* Стрейзанд поддерживает создание новых серверов в [Amazon EC2](https://aws.amazon.com/ec2/), [Azure](https://azure.microsoft.com), [DigitalOcean](https://www.digitalocean.com/), [Google Compute Engine](https://cloud.google.com/compute/), [Linode](https://www.linode.com/), и [Rackspace](https://www.rackspace.com/). В скором времени ожидается поддержка также и других облачных хостеров. Стрейзанд также можно запускать на любом сервере с операционной системой Ubuntu 16.04 вне зависимости от хостера, и **сотни** серверов могут быть одновременно сконфигурированы с применением этого метода. +* Одна-единственная команда настраивает с нуля сервер под операционной системой Ubuntu 18.04 с большим набором [ПО для противодействия цензуре](#services-provided), который может полностью скрыть и зашифровать весь ваш трафик. +* Стрейзанд поддерживает создание новых серверов в [Amazon EC2](https://aws.amazon.com/ec2/), [Azure](https://azure.microsoft.com), [DigitalOcean](https://www.digitalocean.com/), [Google Compute Engine](https://cloud.google.com/compute/), [Linode](https://www.linode.com/), и [Rackspace](https://www.rackspace.com/). В скором времени ожидается поддержка также и других облачных хостеров. Стрейзанд также можно запускать на любом сервере с операционной системой Ubuntu 18.04 вне зависимости от хостера, и **сотни** серверов могут быть одновременно сконфигурированы с применением этого метода. * Процесс полностью автоматизирован и занимает примерно десять минут, что довольно круто, учитывая что среднему системному администратору требуется несколько дней возни, для того, чтобы настроить малую часть того, что Стрейзанд предлагает "из коробки". 
* После того, как ваш сервер Стрейзанд запущен, вы можете раздать инструкции по подключению друзьям, членам семьи и соратникам. Инструкции по подключению содержат в себе копию SSL-сертификата, уникального для каждого сервера, так что вам нужно послать им всего один файл. * Каждый сервер полностью самодостаточен и содержит абсолютно всё, что нужно для того, чтобы начать использовать Стрейзанд, включая криптографически верифицированные копии основного клиентского ПО. Это позволяет обойти попытки подвергнуть цензуре соответствующее ПО. @@ -174,7 +174,7 @@ ### Использование Стрейзанд для других хостеров (Для продвинутых) ### -Вы также можете запустить Стрейзанд на любом сервере Ubuntu 16.04. Выделенный сервер? Отлично! Странный облачный хостер? Замечательно! Чтобы это сделать, просто выберите +Вы также можете запустить Стрейзанд на любом сервере Ubuntu 18.04. Выделенный сервер? Отлично! Странный облачный хостер? Замечательно! Чтобы это сделать, просто выберите "Existing Server (Advanced)" из меню после запуска `./streisand` и введите IP адрес существующего сервера , когда скрипт запросит эти данные. Этот сервер должен разрешать подключение с SSH-ключом `$HOME/.ssh/id_rsa` и по умолчанию для подключения будет использоваться пользователь **root**. Если ваш хостер требует, чтобы для подключения использовался какой-то другой пользователь (например `ubuntu`), установите переменную среды `ANSIBLE_SSH_USER` (например `ANSIBLE_SSH_USER=ubuntu` ) перед запуском `./streisand`. diff --git a/Vagrantfile b/Vagrantfile index 920a8da22..52923f760 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -1,10 +1,14 @@ # See documentation/testing.md for instructions on using this Vagrantfile # -Vagrant.require_version ">= 1.9.0" +Vagrant.require_version ">= 2.0.0" Vagrant.configure(2) do |config| - config.vm.box = "ubuntu/xenial64" + config.vm.box = "ubuntu/bionic64" + + config.vm.provision "shell", + inline: "sudo apt install ifupdown" + #end config.vm.define "streisand-host", primary: true do |streisand| streisand.vm.hostname = "streisand-host" diff --git a/playbooks/roles/common/tasks/main.yml b/playbooks/roles/common/tasks/main.yml index 029c1f2bb..122675f72 100644 --- a/playbooks/roles/common/tasks/main.yml +++ b/playbooks/roles/common/tasks/main.yml @@ -1,8 +1,8 @@ --- -- name: Warn users if the server's Linux distribution is not Ubuntu 16.04 +- name: Warn users if the server's Linux distribution is not Ubuntu 18.04 pause: - prompt: "Ubuntu 16.04 is the only officially supported distribution; the setup will probably fail. Press Enter if you still want to continue." - when: not streisand_noninteractive and (ansible_distribution != "Ubuntu" or ansible_distribution_version != "16.04") + prompt: "Ubuntu 18.04 is the only officially supported distribution; the setup will probably fail. Press Enter if you still want to continue." + when: not streisand_noninteractive and (ansible_distribution != "Ubuntu" or ansible_distribution_version != "18.04") # Set default variables - import_tasks: set-default-variables.yml @@ -27,6 +27,17 @@ apt: upgrade: "safe" +- name: Generate the custom resolvd.conf file + template: + src: resolvd.conf.j2 + dest: "/etc/systemd/resolved.conf" + +- name: Restart systemd-resolve for settings to take effect + systemd: + name: "systemd-resolved.service" + daemon_reload: yes + state: restarted + - name: Copy the English BIP-0039 wordlist copy: src: english.txt diff --git a/playbooks/roles/common/templates/resolvd.conf.j2 b/playbooks/roles/common/templates/resolvd.conf.j2 new file mode 100644 index 000000000..765720d12 --- /dev/null 
+++ b/playbooks/roles/common/templates/resolvd.conf.j2 @@ -0,0 +1,21 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. +# +# Entries in this file show the compile time defaults. +# You can change settings by editing this file. +# Defaults can be restored by simply deleting this file. +# +# See resolved.conf(5) for details + +[Resolve] +DNS={{ upstream_dns_servers | join(' ') }} +FallbackDNS=1.1.1.1 1.0.0.1 +DNSOverTLS="opportunistic" +LLMNR=yes +DNSSEC=no +Cache=yes +DNSStubListener=yes diff --git a/playbooks/roles/common/vars/main.yml b/playbooks/roles/common/vars/main.yml index a7965fdeb..6427a2e80 100644 --- a/playbooks/roles/common/vars/main.yml +++ b/playbooks/roles/common/vars/main.yml @@ -6,8 +6,6 @@ streisand_common_packages: - apt-transport-https # Used to perform a system upgrade - aptitude - # Used to compile Libreswan and OpenConnect Server (ocserv) - - build-essential # Used to perform API requests, including the version check for # the Tor Browser Bundle - curl diff --git a/playbooks/roles/dnsmasq/templates/dnsmasq.conf.j2 b/playbooks/roles/dnsmasq/templates/dnsmasq.conf.j2 index d28901e6a..1b31c2089 100644 --- a/playbooks/roles/dnsmasq/templates/dnsmasq.conf.j2 +++ b/playbooks/roles/dnsmasq/templates/dnsmasq.conf.j2 @@ -18,6 +18,10 @@ bogus-priv # uncomment this. no-resolv -{% for item in upstream_dns_servers %} -server={{ item }} -{% endfor %} +bind-interfaces + +server=127.0.0.53 + +#{% for item in upstream_dns_servers %} +#server={{ item }} +#{% endfor %} diff --git a/playbooks/roles/download-and-verify/tasks/main.yml b/playbooks/roles/download-and-verify/tasks/main.yml index 5f482a8cd..034d26934 100644 --- a/playbooks/roles/download-and-verify/tasks/main.yml 
+++ b/playbooks/roles/download-and-verify/tasks/main.yml @@ -55,15 +55,14 @@ - name: "Verify the {{ project_name }} download signatures were from the correct keys" assert: that: - # By default gpgv outputs to stderr. For a good signature the first line - # always ends being like: - # "gpgv: Signature made Fri 16 Mar 2018 11:16:40 PM UTC using RSA key ID - # C3C07136" + # By default gpgv outputs to stderr. For a good signature the second line + # will contain the key ID: + # "gpgv: using RSA key 2BC7E4E67E3CC0C1BEA72F8C2EFC7FF0D416E014" # Since we've already verified the gpgv2 return code we can just check for # the presence of the key ID we expect in the first line of stderr output # and be confident we saw a valid signature from the expected key ID and # not another unrelated key in the Streisand keyring. - - "'key ID {{ project_signer_keyid }}' in '{{ item.stderr_lines[0] }}'" + - "'{{ project_signer_keyid }}' in '{{ item.stderr_lines[1] }}'" msg: "The GPG signature on {{ item.item.file }} was not from {{ project_signer_keyid }}" with_items: "{{ gpg_verification_results.results }}" loop_control: diff --git a/playbooks/roles/genesis-amazon/defaults/main.yml b/playbooks/roles/genesis-amazon/defaults/main.yml index c19a5e225..b932006e1 100644 --- a/playbooks/roles/genesis-amazon/defaults/main.yml +++ b/playbooks/roles/genesis-amazon/defaults/main.yml @@ -3,4 +3,4 @@ aws_instance_type: "t2.micro" # Search AMIs owned by this owner. This is the Amazon owner ID. aws_ami_owner: "099720109477" # Find AMIs matching this name -aws_ami_name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*" +aws_ami_name: "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*" diff --git a/playbooks/roles/genesis-azure/defaults/main.yml b/playbooks/roles/genesis-azure/defaults/main.yml index 8693767fe..b72b474a6 100644 --- a/playbooks/roles/genesis-azure/defaults/main.yml +++ b/playbooks/roles/genesis-azure/defaults/main.yml 
@@ -3,5 +3,5 @@ azure_instance_type: "Standard_B1s" azure_image_publisher: "Canonical" azure_image_offer: "UbuntuServer" -azure_image_sku: "16.04-LTS" +azure_image_sku: "18.04-LTS" azure_image_version: "latest" diff --git a/playbooks/roles/genesis-digitalocean/defaults/main.yml b/playbooks/roles/genesis-digitalocean/defaults/main.yml index 70b6b3fc4..af3c6115c 100644 --- a/playbooks/roles/genesis-digitalocean/defaults/main.yml +++ b/playbooks/roles/genesis-digitalocean/defaults/main.yml @@ -1,3 +1,3 @@ --- -do_ubuntu_x64_image_id: "ubuntu-16-04-x64" +do_ubuntu_x64_image_id: "ubuntu-18-04-x64" do_small_droplet_size_id: "s-1vcpu-1gb" diff --git a/playbooks/roles/genesis-google/defaults/main.yml b/playbooks/roles/genesis-google/defaults/main.yml index 2ffaa9205..b13eb2ca5 100644 --- a/playbooks/roles/genesis-google/defaults/main.yml +++ b/playbooks/roles/genesis-google/defaults/main.yml @@ -1,3 +1,3 @@ --- gce_machine_type: "f1-micro" -gce_image: "ubuntu-1604" +gce_image: "ubuntu-1804" diff --git a/playbooks/roles/genesis-linode/defaults/main.yml b/playbooks/roles/genesis-linode/defaults/main.yml index ad86d73a0..b37038076 100644 --- a/playbooks/roles/genesis-linode/defaults/main.yml +++ b/playbooks/roles/genesis-linode/defaults/main.yml @@ -2,7 +2,7 @@ # Setting to most minimal linode plan size. # For a most recent list of types: curl https://api.linode.com/v4/linode/types linode_plan_id: "g6-nanode-1" -linode_distribution_id: "linode/ubuntu16.04lts" +linode_distribution_id: "linode/ubuntu18.04lts" ### Preserving these varsfor when we can set these with the ansible linode apiv4 module: # linode_kernel_id: 210 # GRUB2 to utilize the distribution's kernel for compatibility diff --git a/playbooks/roles/genesis-rackspace/defaults/main.yml b/playbooks/roles/genesis-rackspace/defaults/main.yml index a33e9d674..f5af2def0 100644 --- a/playbooks/roles/genesis-rackspace/defaults/main.yml +++ b/playbooks/roles/genesis-rackspace/defaults/main.yml 
@@ -1,3 +1,3 @@ --- rackspace_flavor: 2 -rackspace_image: "Ubuntu 16.04 LTS (Xenial Xerus) (PVHVM)" +rackspace_image: "Ubuntu 18.04 LTS (Bionic Beaver) (PVHVM)" diff --git a/playbooks/roles/gpg/tasks/main.yml b/playbooks/roles/gpg/tasks/main.yml index 8f8883362..d58c0fb45 100644 --- a/playbooks/roles/gpg/tasks/main.yml +++ b/playbooks/roles/gpg/tasks/main.yml @@ -59,6 +59,7 @@ with_items: - "S.dirmngr" - "S.gpg-agent" + when: not streisand_ci - name: "Create the Streisand GPG keyring" command: "gpg2 {{ streisand_default_gpg_flags }} --fingerprint" diff --git a/playbooks/roles/openconnect/tasks/firewall.yml b/playbooks/roles/openconnect/tasks/firewall.yml index f388cdfd0..c19ab1e81 100644 --- a/playbooks/roles/openconnect/tasks/firewall.yml +++ b/playbooks/roles/openconnect/tasks/firewall.yml @@ -12,15 +12,15 @@ proto: "any" rule: "allow" -- name: Install the ocserv iptables service file - template: - src: ocserv-iptables.service.j2 - dest: /etc/systemd/system/ocserv-iptables.service - mode: 0644 +#- name: Install the ocserv iptables service file +# template: +# src: ocserv-iptables.service.j2 +# dest: /etc/systemd/system/ocserv-iptables.service +# mode: 0644 -- name: Enable the ocserv-iptables service - systemd: - daemon_reload: yes - name: ocserv-iptables.service - enabled: yes - state: started +#- name: Enable the ocserv-iptables service +# systemd: +# daemon_reload: yes +# name: ocserv-iptables.service +# enabled: yes +# state: started diff --git a/playbooks/roles/openvpn/tasks/firewall.yml b/playbooks/roles/openvpn/tasks/firewall.yml index e2d516629..4a75c25de 100644 --- a/playbooks/roles/openvpn/tasks/firewall.yml +++ b/playbooks/roles/openvpn/tasks/firewall.yml 
@@ -29,15 +29,15 @@ proto: "udp" rule: "allow" -- name: Install the OpenVPN iptables service file - template: - src: openvpn-iptables.service.j2 - dest: /etc/systemd/system/openvpn-iptables.service - mode: 0644 +#- name: Install the OpenVPN iptables service file +# template: +# src: openvpn-iptables.service.j2 +# dest: /etc/systemd/system/openvpn-iptables.service +# mode: 0644 -- name: Enable the openvpn-iptables service - systemd: - daemon_reload: yes - name: openvpn-iptables.service - enabled: yes - state: started +#- name: Enable the openvpn-iptables service +# systemd: +# daemon_reload: yes +# name: openvpn-iptables.service +# enabled: yes +# state: started diff --git a/playbooks/roles/openvpn/tasks/install.yml b/playbooks/roles/openvpn/tasks/install.yml index 6ec9ee688..e4de03494 100644 --- a/playbooks/roles/openvpn/tasks/install.yml +++ b/playbooks/roles/openvpn/tasks/install.yml @@ -6,14 +6,14 @@ with_file: openvpn_signing.key no_log: True -- name: Add the official OpenVPN repository - apt_repository: - repo: 'deb https://build.openvpn.net/debian/openvpn/stable {{ ansible_lsb.codename }} main' - state: present - register: openvpn_add_apt_repository - until: not openvpn_add_apt_repository.failed - retries: "{{ apt_repository_retries }}" - delay: "{{ apt_repository_delay }}" +#- name: Add the official OpenVPN repository +# apt_repository: +# repo: 'deb https://build.openvpn.net/debian/openvpn/stable {{ ansible_lsb.codename }} main' +# state: present +# register: openvpn_add_apt_repository +# until: not openvpn_add_apt_repository.failed +# retries: "{{ apt_repository_retries }}" +# delay: "{{ apt_repository_delay }}" - name: Install OpenVPN and its dependencies from APT apt: diff --git a/playbooks/roles/stunnel/templates/stunnel-remote.conf.j2 b/playbooks/roles/stunnel/templates/stunnel-remote.conf.j2 index f2fe15428..74135f5e6 100644 --- a/playbooks/roles/stunnel/templates/stunnel-remote.conf.j2 +++ b/playbooks/roles/stunnel/templates/stunnel-remote.conf.j2 
@@ -1,7 +1,6 @@ cert = {{ stunnel_cert }} key = {{ stunnel_key }} debug = 4 -options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 diff --git a/playbooks/roles/tinyproxy/tasks/main.yml b/playbooks/roles/tinyproxy/tasks/main.yml index b97014b6b..4ebe5a827 100644 --- a/playbooks/roles/tinyproxy/tasks/main.yml +++ b/playbooks/roles/tinyproxy/tasks/main.yml 
@@ -3,47 +3,42 @@ apt: package: tinyproxy -- name: Stop (init.d's) tinyproxy - systemd: - name: tinyproxy.service - state: stopped - -- name: Create the tinyproxy config directory - file: - path: "{{ tinyproxy_conf_dir }}" - state: directory - owner: nobody - group: nogroup - mode: 0755 +#- name: Create the tinyproxy config directory +# file: +# path: "{{ tinyproxy_conf_dir }}" +# state: directory +# owner: nobody +# group: nogroup +# mode: 0755 -- name: Generate the tinyproxy configuration file - template: - src: tinyproxy.conf.j2 - dest: "{{ tinyproxy_conf_file }}" - owner: root - group: root - mode: 0644 +#- name: Generate the tinyproxy configuration file +# template: +# src: tinyproxy.conf.j2 +# dest: "{{ tinyproxy_conf_file }}" +# owner: root +# group: root +# mode: 0644 -- name: Generate the tinyproxy system unit file - template: - src: tinyproxy.service.j2 - dest: /etc/systemd/system/tinyproxy.service - owner: root - group: root - mode: 0644 +#- name: Create the tinyproxy systemd drop-in configuration directory +# file: +# path: "{{ tinyproxy_systemd_service_path }}" +# state: directory -- name: Generate the systemd tmpfile for tinyproxy - template: - src: tinyproxytmp.conf.j2 - dest: /etc/tmpfiles.d/tinyproxy.conf - owner: root - group: root - mode: 0644 +#- name: Generate the tinyproxy systemd drop-in service file +# template: +# src: tinyproxy.service.j2 +# dest: "{{ tinyproxy_systemd_service_path }}/10-restart-failure.service" +# owner: root +# group: root +# mode: 0644 -- name: Clean up the installed-by-default tinyproxy configuration file - file: - path: /etc/tinyproxy.conf - state: absent +#- name: Generate the systemd tmpfile for tinyproxy +# template: +# src: tinyproxytmp.conf.j2 +# dest: /etc/tmpfiles.d/tinyproxy.conf +# owner: root +# group: root +# mode: 0644 - name: Enable and restart the tinyproxy service systemd: 
diff --git a/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 b/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 index 4b829a0c7..7600c3234 100644 --- a/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 +++ b/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 @@ -12,8 +12,8 @@ # as the root user. Either the user or group name or the UID or GID # number may be used. # -User nobody -Group nogroup +User tinyproxy +Group tinyproxy # # Port: Specify the port which tinyproxy will listen on. Please note @@ -29,11 +29,38 @@ Port {{ tinyproxy_port }} # Listen {{ tinyproxy_listen_address }} +# +# Bind: This allows you to specify which interface will be used for +# outgoing connections. This is useful for multi-home'd machines where +# you want all traffic to appear outgoing from one particular interface. +# +#Bind 192.168.0.1 + +# +# BindSame: If enabled, tinyproxy will bind the outgoing connection to the +# ip address of the incoming connection. +# +#BindSame yes + # # Timeout: The maximum number of seconds of inactivity a connection is # allowed to have before it is closed by tinyproxy. # -Timeout {{ tinyproxy_timeout_seconds }} +Timeout 600 + +# +# ErrorFile: Defines the HTML file to send when a given HTTP error +# occurs. You will probably need to customize the location to your +# particular install. The usual locations to check are: +# /usr/local/share/tinyproxy +# /usr/share/tinyproxy +# /etc/tinyproxy +# +#ErrorFile 404 "/usr/share/tinyproxy/404.html" +#ErrorFile 400 "/usr/share/tinyproxy/400.html" +#ErrorFile 503 "/usr/share/tinyproxy/503.html" +#ErrorFile 403 "/usr/share/tinyproxy/403.html" +#ErrorFile 408 "/usr/share/tinyproxy/408.html" # # DefaultErrorFile: The HTML file that gets sent if there is no 
@@ -42,6 +69,16 @@ Timeout {{ tinyproxy_timeout_seconds }} # DefaultErrorFile "/usr/share/tinyproxy/default.html" +# +# StatHost: This configures the host name or IP address that is treated +# as the stat host: Whenever a request for this host is received, +# Tinyproxy will return an internal statistics page instead of +# forwarding the request to that host. The default value of StatHost is +# tinyproxy.stats. +# +#StatHost "tinyproxy.stats" +# + # # StatFile: The HTML file that gets sent when a request is made # for the stathost. If this file doesn't exist a basic page is @@ -55,18 +92,25 @@ StatFile "/usr/share/tinyproxy/stats.html" # and enable the Syslog directive. These directives are mutually # exclusive. # -Logfile "/var/log/tinyproxy/tinyproxy.log" +Logfile "{{ tinyproxy_log_file }}" + +# +# Syslog: Tell tinyproxy to use syslog instead of a logfile. This +# option must not be enabled if the Logfile directive is being used. +# These two directives are mutually exclusive. +# +#Syslog On # -# LogLevel: +# LogLevel: # # Set the logging level. Allowed settings are: -# Critical (least verbose) -# Error -# Warning -# Notice -# Connect (to log connections without Info's noise) -# Info (most verbose) +# Critical (least verbose) +# Error +# Warning +# Notice +# Connect (to log connections without Info's noise) +# Info (most verbose) # # The LogLevel logs from the set level and above. For example, if the # LogLevel was set to Warning, then all log messages from Warning to 
@@ -80,6 +124,50 @@ LogLevel {{ tinyproxy_log_level }} # PidFile "{{ tinyproxy_pid_file }}" +# +# XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which +# contains the client's IP address. +# +#XTinyproxy Yes + +# +# Upstream: +# +# Turns on upstream proxy support. +# +# The upstream rules allow you to selectively route upstream connections +# based on the host/domain of the site being accessed. +# +# For example: +# # connection to test domain goes through testproxy +# upstream testproxy:8008 ".test.domain.invalid" +# upstream testproxy:8008 ".our_testbed.example.com" +# upstream testproxy:8008 "192.168.128.0/255.255.254.0" +# +# # no upstream proxy for internal websites and unqualified hosts +# no upstream ".internal.example.com" +# no upstream "www.example.com" +# no upstream "10.0.0.0/8" +# no upstream "192.168.0.0/255.255.254.0" +# no upstream "." +# +# # connection to these boxes go through their DMZ firewalls +# upstream cust1_firewall:8008 "testbed_for_cust1" +# upstream cust2_firewall:8008 "testbed_for_cust2" +# +# # default upstream is internet firewall +# upstream firewall.internal.example.com:80 +# +# The LAST matching rule wins the route decision. As you can see, you +# can use a host, or a domain: +# name matches host exactly +# .name matches any host in domain "name" +# . matches any host with no domain (in 'empty' domain) +# IP/bits matches network/mask +# IP/mask matches network/mask +# +#Upstream some.remote.proxy:port + # # MaxClients: This is the absolute highest number of threads which will # be created. In other words, only MaxClients number of clients can be 
@@ -121,6 +209,16 @@ MaxRequestsPerChild 0 # Allow {{ tinyproxy_listen_address }} Allow {{ streisand_ipv4_address }} +#Allow 192.168.0.0/16 +#Allow 172.16.0.0/12 +#Allow 10.0.0.0/8 + +# +# AddHeader: Adds the specified headers to outgoing HTTP requests that +# Tinyproxy makes. Note that this option will not work for HTTPS +# traffic, as Tinyproxy has no control over what headers are exchanged. +# +#AddHeader "X-My-Header" "Powered by Tinyproxy" # # ViaProxyName: The "Via" header is required by the HTTP RFC, but using 
@@ -130,6 +228,61 @@ Allow {{ streisand_ipv4_address }} # ViaProxyName "tinyproxy" +# +# DisableViaHeader: When this is set to yes, Tinyproxy does NOT add +# the Via header to the requests. This virtually puts Tinyproxy into +# stealth mode. Note that RFC 2616 requires proxies to set the Via +# header, so by enabling this option, you break compliance. +# Don't disable the Via header unless you know what you are doing... +# +#DisableViaHeader Yes + +# +# Filter: This allows you to specify the location of the filter file. +# +#Filter "/etc/tinyproxy/filter" + +# +# FilterURLs: Filter based on URLs rather than domains. +# +#FilterURLs On + +# +# FilterExtended: Use POSIX Extended regular expressions rather than +# basic. +# +#FilterExtended On + +# +# FilterCaseSensitive: Use case sensitive regular expressions. +# +#FilterCaseSensitive On + +# +# FilterDefaultDeny: Change the default policy of the filtering system. +# If this directive is commented out, or is set to "No" then the default +# policy is to allow everything which is not specifically denied by the +# filter file. +# +# However, by setting this directive to "Yes" the default policy becomes +# to deny everything which is _not_ specifically allowed by the filter +# file. +# +#FilterDefaultDeny Yes + +# +# Anonymous: If an Anonymous keyword is present, then anonymous proxying +# is enabled. The headers listed are allowed through, while all others +# are denied. If no Anonymous keyword is present, then all headers are +# allowed through. You must include quotes around the headers. +# +# Most sites require cookies to be enabled for them to work correctly, so +# you will need to allow Cookies through if you access those sites. +# +#Anonymous "Host" +#Anonymous "Authorization" +#Anonymous "Cookie" + # # ConnectPort: This is a list of ports allowed by tinyproxy when the # CONNECT method is used. To disable the CONNECT method altogether, set 
@@ -140,3 +293,39 @@ ViaProxyName "tinyproxy" # ConnectPort 443 ConnectPort 563 + +# +# Configure one or more ReversePath directives to enable reverse proxy +# support. With reverse proxying it's possible to make a number of +# sites appear as if they were part of a single site. +# +# If you uncomment the following two directives and run tinyproxy +# on your own computer at port 8888, you can access Google using +# http://localhost:8888/google/ and Wired News using +# http://localhost:8888/wired/news/. Neither will actually work +# until you uncomment ReverseMagic as they use absolute linking. +# +#ReversePath "/google/" "http://www.google.com/" +#ReversePath "/wired/" "http://www.wired.com/" + +# +# When using tinyproxy as a reverse proxy, it is STRONGLY recommended +# that the normal proxy is turned off by uncommenting the next directive. +# +#ReverseOnly Yes + +# +# Use a cookie to track reverse proxy mappings. If you need to reverse +# proxy sites which have absolute links you must uncomment this. +# +#ReverseMagic Yes + +# +# The URL that's used to access this reverse proxy. The URL is used to +# rewrite HTTP redirects so that they won't escape the proxy. If you +# have a chain of reverse proxies, you'll need to put the outermost +# URL here (the address which the end user types into his/her browser). +# +# If not set then no rewriting occurs. +# +#ReverseBaseURL "http://localhost:8888/" diff --git a/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 b/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 index 63a799ac3..49ffe33a4 100644 --- a/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 +++ b/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 
@@ -1,18 +1,10 @@ [Unit] -Description=tinyproxy - a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems -After=network-online.target sshd.service -Documentation=man:tinyproxy(8) +After=network.target sshd.service +Documentation=man:tinyproxy(8) man:tinyproxy.conf(5) Documentation=https://www.banu.com/tinyproxy/ [Service] -Type=forking -PIDFile={{ tinyproxy_pid_file }} ExecStart=/usr/sbin/tinyproxy -c {{ tinyproxy_conf_file }} -ExecStop=/usr/bin/killall -9 tinyproxy -ExecReload=/bin/kill -HUP $MAINPID PrivateTmp=true RestartSec=5s Restart=on-failure - -[Install] -WantedBy=multi-user.target diff --git a/playbooks/roles/tinyproxy/templates/tinyproxytmp.conf.j2 b/playbooks/roles/tinyproxy/templates/tinyproxytmp.conf.j2 index df4df4aa5..92205b781 100644 --- a/playbooks/roles/tinyproxy/templates/tinyproxytmp.conf.j2 +++ b/playbooks/roles/tinyproxy/templates/tinyproxytmp.conf.j2 @@ -2,3 +2,4 @@ # tinyproxy to write its PID file # https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html d {{ tinyproxy_pid_dir }} 0755 nobody nogroup - +d {{ tinyproxy_log_dir }} 0755 nobody nogroup - diff --git a/playbooks/roles/tinyproxy/vars/main.yml b/playbooks/roles/tinyproxy/vars/main.yml index 21d667f54..71bd582e9 100644 --- a/playbooks/roles/tinyproxy/vars/main.yml +++ b/playbooks/roles/tinyproxy/vars/main.yml @@ -5,7 +5,12 @@ tinyproxy_port: 8888 tinyproxy_listen_address: "127.0.0.1" tinyproxy_log_level: "Critical" -tinyproxy_pid_dir: "/var/run/tinyproxy" +tinyproxy_systemd_service_path: "/etc/systemd/system/tinyproxy.service.d" + +tinyproxy_log_dir: "/var/log/tinyproxy" +tinyproxy_log_file: "{{ tinyproxy_log_dir }}/tinyproxy.log" + +tinyproxy_pid_dir: "/run/tinyproxy" tinyproxy_pid_file: "{{ tinyproxy_pid_dir }}/tinyproxy.pid" tinyproxy_conf_dir: "/etc/tinyproxy" diff --git a/playbooks/roles/ufw/tasks/main.yml b/playbooks/roles/ufw/tasks/main.yml index 6ab6d0116..5445e2ca7 100644 --- a/playbooks/roles/ufw/tasks/main.yml +++ b/playbooks/roles/ufw/tasks/main.yml 
@@ -21,11 +21,11 @@ proto: "tcp" rule: "allow" -- name: Ensure UFW is enabled and denies by default - ufw: - state: "enabled" - policy: "deny" - direction: "incoming" +#- name: Ensure UFW is enabled and denies by default +# ufw: +# state: "enabled" +# policy: "deny" +# direction: "incoming" - name: Ensure UFW allows nginx ufw: diff --git a/playbooks/roles/wireguard/tasks/install.yml b/playbooks/roles/wireguard/tasks/install.yml index 8e5aa7bc3..0e54e4924 100644 --- a/playbooks/roles/wireguard/tasks/install.yml +++ b/playbooks/roles/wireguard/tasks/install.yml @@ -1,9 +1,5 @@ --- -- name: Determine the running kernel release - command: uname -r - register: kernel_release - - name: Add the WireGuard PPA apt_repository: repo: 'ppa:wireguard/wireguard' @@ -15,7 +11,4 @@ - name: Install the WireGuard packages apt: package: - - linux-headers-{{ kernel_release.stdout }} - - linux-headers-generic - - wireguard-dkms - - wireguard-tools + - wireguard diff --git a/playbooks/roles/wireguard/tasks/main.yml b/playbooks/roles/wireguard/tasks/main.yml index c44a207d7..330e98fa9 100644 --- a/playbooks/roles/wireguard/tasks/main.yml +++ b/playbooks/roles/wireguard/tasks/main.yml 
@@ -117,20 +117,20 @@ # Temporary workaround for issue #500 ignore_errors: yes -- name: "Configure DNSMasq to listen on {{ dnsmasq_wireguard_ip }}:53" - template: - src: wireguard_dnsmasq.conf.j2 - dest: /etc/dnsmasq.d/wireguard.conf +#- name: "Configure DNSMasq to listen on {{ dnsmasq_wireguard_ip }}:53" +# template: +# src: wireguard_dnsmasq.conf.j2 +# dest: /etc/dnsmasq.d/wireguard.conf # NOTE(@cpu): We don't use a `notify` to "Restart dnsmasq" here because it seems # that in some conditions Ansible mistakenly believes the dnsmasq restart can be # skipped. We also don't use "reloaded" instead of "restarted" here because # dnsmasq doesn't seem to reload _new_ config files in that case, just existing # ones. A full restart is required in practice (sigh) -- name: "Restart DNSMasq to pick up the new configuration" - service: - name: dnsmasq - state: restarted +#- name: "Restart DNSMasq to pick up the new configuration" +# service: +# name: dnsmasq +# state: restarted # Generate Gateway documentation - import_tasks: docs.yml diff --git a/tests/development-setup.yml b/tests/development-setup.yml index a3e849ccb..12994549b 100644 --- a/tests/development-setup.yml +++ b/tests/development-setup.yml @@ -64,11 +64,14 @@ args: creates: /var/snap/lxd/common/lxd/networks/testbr0 - - name: Retrieve the Ubuntu Xenial AMD64 LXC image fingerprint + #- name: lxd attach network to default profile + # command: lxc network attach-profile testbr0 default eth0 + + - name: Retrieve the Ubuntu Bionic AMD64 LXC image fingerprint uri: - url: https://images.linuxcontainers.org/1.0/images/aliases/ubuntu/xenial/amd64 + url: https://images.linuxcontainers.org/1.0/images/aliases/ubuntu/bionic/amd64 return_content: yes - register: xenial_fingerprint + register: bionic_fingerprint - name: Launch streisand container (this will take a while) lxd_container: 
@@ -81,7 +84,7 @@ server: https://images.linuxcontainers.org protocol: lxd # Use the retrieved alias to fetch the image - alias: "{{ xenial_fingerprint['json']['metadata']['target'] }}" + alias: "{{ bionic_fingerprint['json']['metadata']['target'] }}" profiles: ["default"] config: security.privileged: "true"
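Review bot: The two tinyproxy.conf.j2 hunks (DisableViaHeader, Filter*, Anonymous, and the ReversePath/ReverseOnly/ReverseMagic/ReverseBaseURL blocks) add only upstream commented-out documentation and change no active directive, so the commit message should say this is a documentation sync with the upstream example config, otherwise reviewers will hunt for a behaviour change. Since this is a privacy gateway, it is also worth an explicit decision, rather than the inherited defaults, on `Anonymous` header filtering and `DisableViaHeader`: with the defaults, the `ViaProxyName "tinyproxy"` kept in context above is advertised to origin servers in the Via header.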
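Review bot: In tinyproxy.service.j2, a bare `ExecStart=/usr/sbin/tinyproxy -c {{ tinyproxy_conf_file }}` will not work if this template is now installed as a drop-in, which the new `tinyproxy_systemd_service_path: "/etc/systemd/system/tinyproxy.service.d"` in vars/main.yml and the removal of the Description and [Install] lines suggest. In a drop-in, ExecStart= appends to the packaged unit's value, and a non-oneshot service with two ExecStart= lines fails to load; reset it first with an empty `ExecStart=` line, then the new one. Likewise, deleting `Type=forking` and `PIDFile=` from the drop-in means the unit inherits whatever the packaged tinyproxy.service sets, so confirm that matches how the `-c` config tells tinyproxy to daemonize and the PidFile the tmpfiles entry still prepares; a mismatch leaves systemd either waiting for a fork that never happens or treating the daemon as exited. Dropping `ExecStop=/usr/bin/killall -9 tinyproxy` is a welcome change.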
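Review bot: In tinyproxytmp.conf.j2 the new `d {{ tinyproxy_log_dir }} 0755 nobody nogroup -` makes the proxy log directory world-readable on the gateway. Proxy logs can carry requested hosts and URLs, and only the `nobody` user needs to write there while administrators read as root, so `0750` is the better mode. The matching `tinyproxy_log_dir` and `tinyproxy_log_file` additions in vars/main.yml, and the `/var/run` to `/run` change for the PID dir, look fine.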
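Review bot: Commenting out the `Ensure UFW is enabled and denies by default` task in playbooks/roles/ufw/tasks/main.yml removes the default-deny policy and the step that enables the firewall at all, so the `rule: "allow"` tasks kept in context above and below it (the tcp allow rule and `Ensure UFW allows nginx`) no longer restrict anything unless UFW is enabled by some other path. If this is a debugging leftover, restore the task before merging; if it is intentional, delete it rather than comment it out and state in the commit message how inbound filtering is now enforced.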
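Review bot: Removing the `Determine the running kernel release` task in playbooks/roles/wireguard/tasks/install.yml is only safe if nothing else in the role still references `kernel_release.stdout`; grep the role before merging. The apt list now installs just `wireguard` and drops `linux-headers-{{ kernel_release.stdout }}`, `linux-headers-generic` and the explicit `wireguard-dkms`: if that metapackage still resolves to the DKMS module on the target kernel, the module build needs matching headers, so either confirm that the metapackage pulls them in or keep `linux-headers-generic` in the list.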
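Review bot: The two DNSMasq tasks in playbooks/roles/wireguard/tasks/main.yml are commented out rather than removed, with nothing replacing them, so nothing configures a listener on `{{ dnsmasq_wireguard_ip }}:53` any more and whatever WireGuard clients were pointed at it for DNS will lose name resolution. The long NOTE(@cpu) comment about why a full dnsmasq restart is required now describes a task that does not run. Either restore both tasks, or delete them together with the comment and the wireguard_dnsmasq.conf.j2 template and say in the commit message how clients are expected to resolve names instead.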
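Review bot: The commented-out `lxd attach network to default profile` task in tests/development-setup.yml is a leftover; either drop it or record in the commit why it is parked. The Xenial to Bionic switch is carried through consistently (`bionic` image alias URL, `register: bionic_fingerprint`, and the `alias:` lookup in the following hunk), which is good.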