Skip to content

Commit

Permalink
FreeBSD draft #35
Browse files Browse the repository at this point in the history
ifconfig fix

Pre-tasks fixes

fix hardcoded IP

some refactoring

disable system-based tags

disable freebsd tags

FreeBSD vpn role #35

add defaults

ssh role freebsd

default fix

dns_adblocking freebsd

ubuntu dict fix
  • Loading branch information
jackivanov committed Feb 28, 2017
1 parent 71b3b5a commit 46afa68
Show file tree
Hide file tree
Showing 24 changed files with 613 additions and 412 deletions.
2 changes: 1 addition & 1 deletion .travis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,4 +48,4 @@ script:
- ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"

after_script:
- ./tests/update-users.sh
- ./tests/update-users.sh
24 changes: 24 additions & 0 deletions docs/FreeBSD.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# FreeBSD

It is only possible to install Algo on existing systems only in order to avoid recompiling the kernel while deploying

## Pre-paring the system

Ensure that the following kernel options are enabled:

```
# sysctl kern.conftxt | grep -iE "IPSEC|crypto"
options IPSEC
options IPSEC_NAT_T
device crypto
```

## Available roles

* vpn
* ssh_tunneling
* dns_adblocking

## Installation

`ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$server_ip Store_CAKEY=N" --skip-tags cloud`
18 changes: 12 additions & 6 deletions playbooks/common.yml
Original file line number Diff line number Diff line change
@@ -1,10 +1,16 @@
- name: Install prerequisites
raw: sleep 10 && sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
---

- name: Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
tags:
- update-alternatives
- name: Check the system
raw: uname -a
register: OS

- name: Ubuntu pre-tasks
include: ubuntu.yml
when: '"Ubuntu" in OS.stdout'

- name: FreeBSD pre-tasks
include: freebsd.yml
when: '"FreeBSD" in OS.stdout'

- name: Ensure the algo ssh key exist on the server
authorized_key:
Expand Down
10 changes: 10 additions & 0 deletions playbooks/facts/FreeBSD.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
---

- set_fact:
config_prefix: "/usr/local/"
root_group: wheel
ssh_service_name: sshd
apparmor_enabled: false
strongswan_additional_plugins:
- kernel-pfroute
- kernel-pfkey
9 changes: 9 additions & 0 deletions playbooks/freebsd.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---

- name: FreeBSD | Install prerequisites
raw: sleep 10 && sudo pkg install -y python27

- name: FreeBSD | Configure defaults
raw: sudo ln -sf /usr/local/bin/python2.7 /usr/bin/python2.7

- include: facts/FreeBSD.yml
9 changes: 9 additions & 0 deletions playbooks/ubuntu.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---

- name: Ubuntu | Install prerequisites
raw: sleep 10 && sudo apt-get update -qq && sudo apt-get install -qq -y python2.7

- name: Ubuntu | Configure defaults
raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
tags:
- update-alternatives
10 changes: 10 additions & 0 deletions roles/common/handlers/main.yml
Original file line number Diff line number Diff line change
@@ -1,8 +1,18 @@
- name: restart rsyslog
service: name=rsyslog state=restarted

- name: restart ipfw
service: name=ipfw state=restarted

- name: flush routing cache
shell: echo 1 > /proc/sys/net/ipv4/route/flush

- name: restart loopback
shell: ifdown lo:100 && ifup lo:100

- name: restart loopback bsd
shell: >
ifconfig lo100 destroy || true &&
ifconfig lo100 create &&
ifconfig lo100 inet {{ local_service_ip }} netmask 255.255.255.255 &&
ifconfig lo100 inet6 FCAA::1/64; echo $?
50 changes: 50 additions & 0 deletions roles/common/tasks/freebsd.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
---

- set_fact:
tools:
- git
- screen
- coreutils
- openssl
- bash
- wget
sysctl:
forwarding:
- net.inet.ip.forwarding
- net.inet6.ip6.forwarding
tags:
- always

- name: Loopback included into the rc config
blockinfile:
dest: /etc/rc.conf
create: yes
block: |
cloned_interfaces="lo100"
ifconfig_lo100="inet {{ local_service_ip }} netmask 255.255.255.255"
ifconfig_lo100="inet6 FCAA::1/64"
notify:
- restart loopback bsd
tags:
- always

- name: Enable the gateway features
lineinfile: dest=/etc/rc.conf regexp='^{{ item.param }}.*' line='{{ item.param }}={{ item.value }}'
with_items:
- { param: firewall_enable, value: '"YES"' }
- { param: firewall_type, value: '"open"' }
- { param: gateway_enable, value: '"YES"' }
- { param: natd_enable, value: '"YES"' }
- { param: natd_interface, value: '"{{ ansible_default_ipv4.device|default() }}"' }
- { param: natd_flags, value: '"-dynamic -m"' }
notify:
- restart ipfw
tags:
- always

- name: FreeBSD | Activate IPFW
shell: >
kldstat -n ipfw.ko || kldload ipfw ; sysctl net.inet.ip.fw.enable=0 &&
bash /etc/rc.firewall && sysctl net.inet.ip.fw.enable=1
- meta: flush_handlers
93 changes: 8 additions & 85 deletions roles/common/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,101 +5,24 @@
tags:
- always

- name: Install software updates
apt: update_cache=yes upgrade=dist
tags:
- cloud

- name: Check if reboot is required
shell: >
if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
args:
executable: /bin/bash
register: reboot_required
tags:
- cloud

- name: Reboot
shell: sleep 2 && shutdown -r now "Ansible updates triggered"
async: 1
poll: 0
when: reboot_required is defined and reboot_required.stdout == 'required'
ignore_errors: true
tags:
- cloud

- name: Wait until SSH becomes ready...
local_action:
module: wait_for
port: 22
host: "{{ inventory_hostname }}"
search_regex: OpenSSH
delay: 10
timeout: 320
when: reboot_required is defined and reboot_required.stdout == 'required'
become: false
tags:
- cloud
- include: ubuntu.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'

- name: Disable MOTD on login and SSHD
replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
with_items:
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
tags:
- cloud
- include: freebsd.yml
when: ansible_distribution == 'FreeBSD'

- name: Install tools
apt: name="{{ item }}" state=latest
package: name="{{ item }}" state=present
with_items:
- git
- screen
- apparmor-utils
- uuid-runtime
- coreutils
- sendmail
- iptables-persistent
- cgroup-tools
- openssl
tags:
- always

- name: Loopback for services configured
template: src=10-loopback-services.cfg.j2 dest=/etc/network/interfaces.d/10-loopback-services.cfg
notify:
- restart loopback
tags:
- always

- name: Loopback included into the network config
lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present
notify:
- restart loopback
tags:
- always

- meta: flush_handlers
- "{{ tools }}"
tags:
- always

- name: Enable packet forwarding for IPv4
sysctl: name="{{ item }}" value=1
with_items:
- net.ipv4.ip_forward
- net.ipv4.conf.all.forwarding
tags:
- always

- name: Enable packet forwarding for IPv6
sysctl: name=net.ipv6.conf.all.forwarding value=1
- "{{ sysctl.forwarding }}"
tags:
- always

- name: Check apparmor support
shell: apparmor_status
ignore_errors: yes
register: apparmor_status

- set_fact:
apparmor_enabled: true
when: '"profiles are in enforce mode" in apparmor_status.stdout'
- meta: flush_handlers
91 changes: 91 additions & 0 deletions roles/common/tasks/ubuntu.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
---

- name: Install software updates
apt: update_cache=yes upgrade=dist
tags:
- cloud

- name: Check if reboot is required
shell: >
if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
args:
executable: /bin/bash
register: reboot_required
tags:
- cloud

- name: Reboot
shell: sleep 2 && shutdown -r now "Ansible updates triggered"
async: 1
poll: 0
when: reboot_required is defined and reboot_required.stdout == 'required'
ignore_errors: true
tags:
- cloud

- name: Wait until SSH becomes ready...
local_action:
module: wait_for
port: 22
host: "{{ inventory_hostname }}"
search_regex: OpenSSH
delay: 10
timeout: 320
when: reboot_required is defined and reboot_required.stdout == 'required'
become: false
tags:
- cloud

- name: Disable MOTD on login and SSHD
replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
with_items:
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
tags:
- cloud

- name: Loopback for services configured
template: src=10-loopback-services.cfg.j2 dest=/etc/network/interfaces.d/10-loopback-services.cfg
notify:
- restart loopback
tags:
- always

- name: Loopback included into the network config
lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present
notify:
- restart loopback
tags:
- always

- meta: flush_handlers
tags:
- always

- name: Check apparmor support
shell: apparmor_status
ignore_errors: yes
register: apparmor_status

- set_fact:
apparmor_enabled: true
when: '"profiles are in enforce mode" in apparmor_status.stdout'

- set_fact:
tools:
- git
- screen
- apparmor-utils
- uuid-runtime
- coreutils
- sendmail
- iptables-persistent
- cgroup-tools
- openssl
sysctl:
forwarding:
- net.ipv4.ip_forward
- net.ipv4.conf.all.forwarding
- net.ipv6.conf.all.forwarding
tags:
- always
4 changes: 4 additions & 0 deletions roles/dns_adblocking/tasks/freebsd.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---

- name: FreeBSD | Enable dnsmasq
lineinfile: dest=/etc/rc.conf regexp=^dnsmasq_enable= line='dnsmasq_enable="YES"'
Loading

0 comments on commit 46afa68

Please sign in to comment.