Browse Source

Lots of updates, first test of VPN.

Thomas Buck 5 years ago
parent
commit
ee0f739b1d

+ 4
- 0
README.md View File

@@ -104,6 +104,10 @@ Also install the dependencies for password generation as well as ansible itself.
104 104
     cd sovereign
105 105
     sudo pip install -r ./requirements.txt
106 106
 
107
+Or, if you're on Arch, instead of using pip, install the required stuff manually:
108
+
109
+    sudo pacman -Syu ansible python-jmespath python-passlib
110
+
107 111
 #### 4. Configure your installation
108 112
 
109 113
 Modify the settings in the `group_vars/sovereign` folder to your liking.

+ 1
- 1
roles/common/defaults/main.yml View File

@@ -13,7 +13,7 @@ db_admin_username: 'postgres'
13 13
 db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"
14 14
 
15 15
 # let's encrypt
16
-letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
16
+letsencrypt_server: "https://acme-v02.api.letsencrypt.org/directory"
17 17
 
18 18
 # ssh
19 19
 # Following https://infosec.mozilla.org/guidelines/openssh

+ 1
- 1
roles/mailserver/files/etc_dovecot_conf.d_90-plugin.conf View File

@@ -9,5 +9,5 @@
9 9
 plugin {
10 10
   # FTS (full text search with Solr)
11 11
   fts = solr
12
-  fts_solr = break-imap-search url=http://localhost:8080/solr/
12
+  fts_solr = url=http://localhost:8080/solr/
13 13
 }

+ 0
- 2
roles/mailserver/files/etc_dovecot_sieve_before.d_no-spam.sieve View File

@@ -2,13 +2,11 @@ require "fileinto";
2 2
 require "imap4flags";
3 3
 
4 4
 if header :contains "X-Spam-Flag" "YES" {
5
-    setflag "\\seen";
6 5
     fileinto "Junk";
7 6
     stop;
8 7
 }
9 8
 
10 9
 if header :is "X-Spam" "Yes" {
11
-    setflag "\\seen";
12 10
     fileinto "Junk";
13 11
     stop;
14 12
 }

+ 2
- 2
roles/mailserver/tasks/checkrbl.yml View File

@@ -1,8 +1,8 @@
1 1
 - name: Download check-rbl
2 2
   get_url:
3
-    url=https://raw.githubusercontent.com/lukecyca/check-rbl/e2bd60f5e5175375cd2f7f1b1b752473e3a23640/check-rbl.pl
3
+    url=https://raw.githubusercontent.com/lukecyca/check-rbl/479c1d5aa57543ba4c495ef06028fd9092ffdf43/check-rbl.pl
4 4
     dest=/opt/check-rbl.pl
5
-    sha256sum=22093bd59ed84cb7ee6e336fb2a4ab73dbe3a05837d2bab9b491a21df16b35d8
5
+    sha256sum=0968ea1991b500a2bb39b4aefb05c6bf42a62994774f2c46de5d426d5094508b
6 6
 
7 7
 - name: Install nightly check-rbl cronjob
8 8
   cron:

+ 1
- 1
roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j2 View File

@@ -9,7 +9,7 @@ actions = {
9 9
 
10 10
 # From Rspamd 1.6 experimental support for generation of DMARC reports is provided.
11 11
 # send_reports MUST be true
12
-send_reports = true;
12
+send_reports = false;
13 13
 
14 14
 # report_settings MUST be present
15 15
 report_settings {

+ 6
- 0
roles/monitoring/files/etc_monit_conf.d_dnsmasq View File

@@ -0,0 +1,6 @@
1
+check process dnsmasq with pidfile "/run/dnsmasq/dnsmasq.pid"
2
+  group system
3
+  start program = "/bin/systemctl start dnsmasq"
4
+  stop program = "/bin/systemctl stop dnsmasq"
5
+  if failed port 53 type udp protocol dns then alert
6
+  if failed port 53 type udp protocol dns for 5 cycles then restart

+ 6
- 0
roles/monitoring/files/etc_monit_conf.d_openvpn View File

@@ -0,0 +1,6 @@
1
+check process openvpn with pidfile "/run/openvpn/server.pid"
2
+  group system
3
+  start program = "/bin/systemctl start openvpn@server"
4
+  stop program = "/bin/systemctl stop openvpn@server"
5
+  if failed port 1194 type udp then alert
6
+  if failed port 1194 type udp for 5 cycles then restart

+ 14
- 0
roles/monitoring/tasks/monit.yml View File

@@ -68,6 +68,10 @@
68 68
   stat: path=/etc/mosquitto/mosquitto.conf
69 69
   register: mosquitto_config_file
70 70
 
71
+- name: Determine if OpenVPN is installed
72
+  stat: path=/etc/openvpn/server.conf
73
+  register: openvpn_config_file
74
+
71 75
 - name: Copy ZNC monit service config files into place
72 76
   copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
73 77
   notify: restart monit
@@ -133,6 +137,16 @@
133 137
   notify: restart monit
134 138
   when: mosquitto_config_file.stat.exists == True
135 139
 
140
+- name: Copy OpenVPN monit service config files into place
141
+  copy: src=etc_monit_conf.d_openvpn dest=/etc/monit/conf.d/openvpn
142
+  notify: restart monit
143
+  when: openvpn_config_file.stat.exists == True
144
+
145
+- name: Copy dnsmasq monit service config files into place
146
+  copy: src=etc_monit_conf.d_dnsmasq dest=/etc/monit/conf.d/dnsmasq
147
+  notify: restart monit
148
+  when: openvpn_config_file.stat.exists == True
149
+
136 150
 - name: Copy monit service config files into place
137 151
   copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
138 152
   with_items:

+ 4
- 2
roles/vpn/defaults/main.yml View File

@@ -1,11 +1,13 @@
1 1
 # Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
2 2
 # Check privacy: http://witch.valdikss.org.ru/
3 3
 
4
+openvpn_ip_start: "10.8.0"
5
+
4 6
 openvpn_key_country:  "US"
5 7
 openvpn_key_province: "California"
6 8
 openvpn_key_city: "Beverly Hills"
7
-openvpn_key_org: "ACME CORPORATION"
8
-openvpn_key_ou: "Anvil Department"
9
+openvpn_key_org: "{{ domain }}"
10
+openvpn_key_ou: "{{ server_name }}"
9 11
 openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
10 12
 
11 13
 openvpn_days_valid: "1825"

+ 11
- 7
roles/vpn/tasks/openvpn.yml View File

@@ -3,8 +3,11 @@
3 3
 # ref: https://library.linode.com/networking/openvpn/debian-6-squeeze
4 4
 
5 5
 - name: Install OpenVPN and dependencies
6
-  apt: pkg={{ item }} state=present
7
-  with_items:
6
+  apt:
7
+    name: "{{ packages }}"
8
+    state: present
9
+  vars:
10
+    packages:
8 11
     - dnsmasq
9 12
     - openvpn
10 13
     - udev
@@ -41,13 +44,13 @@
41 44
   command: openssl req -nodes -batch -new -x509 -key {{ openvpn_ca }}.key -out {{ openvpn_ca }}.crt -days {{ openvpn_days_valid }} -subj "{{ openssl_request_subject }}/CN=sovereign-ca-certificate"
42 45
            creates={{ openvpn_ca }}.crt
43 46
 
44
-- name: Generate the OpenSSL configuration that will be used for the Server certificate's req and ca commands
45 47
   # Properly sets the attributes that are described here:
46 48
   # openvpn.net/index.php/open-source/documentation/howto.html#mitm
47 49
   #
48 50
   # This is required in order for the 'ns-cert-type server' option to
49 51
   # work, which is enabled by default in most standard client.conf
50 52
   # files.
53
+- name: Generate the OpenSSL configuration that will be used for the Server certificate's req and ca commands
51 54
   template: src=openssl-server-certificate.cnf.j2
52 55
             dest={{ openvpn_path }}/openssl-server-certificate.cnf
53 56
 
@@ -146,12 +149,12 @@
146 149
 - name: Enable OpenVPN server systemd service unit
147 150
   service: name=openvpn@server enabled=yes
148 151
 
149
-# OpenVPN must restart first so the 10.8.0.0 interface is available
152
+# OpenVPN must restart first so the VPN interface is available
150 153
 # to dnsmasq
151 154
 - meta: flush_handlers
152 155
 
153 156
 - name: Copy dnsmasq configuration file into place
154
-  copy: src=etc_dnsmasq.conf dest=/etc/dnsmasq.conf
157
+  template: src=etc_dnsmasq.conf.j2 dest=/etc/dnsmasq.conf
155 158
   notify: restart dnsmasq
156 159
 
157 160
 - name: Copy the ca.crt and ta.key files that clients will need in order to connect to the OpenVPN server
@@ -164,11 +167,12 @@
164 167
 
165 168
 - name: Retrieve the files that clients will need in order to connect to the OpenVPN server
166 169
   fetch: src={{ openvpn_path }}/{{ item[0] }}/{{ item[1] }}
167
-         dest=/tmp/sovereign-openvpn-files fail_on_missing=yes
170
+         dest="{{ secret }}/sovereign-openvpn-files"
171
+         fail_on_missing=yes
168 172
   with_nested:
169 173
     - "{{ openvpn_clients }}"
170 174
     - ["client.crt", "client.key", "ca.crt", "ta.key", "{{ openvpn_server }}.ovpn"]
171 175
 
172 176
 - name: Pause 5s seconds for OpenVPN ready
173 177
   pause: seconds=5
174
-         prompt="You are ready to set up your OpenVPN clients. The files that you need are in /tmp/sovereign-openvpn-files. Make sure LZO compression is enabled and that you provide the ta.key file for the TLS-Auth option with a direction of '1'. Press any key to continue..."
178
+         prompt="You are ready to set up your OpenVPN clients. The files that you need are in {{ secret }}/sovereign-openvpn-files. Make sure LZO compression is enabled and that you provide the ta.key file for the TLS-Auth option with a direction of '1'. Press any key to continue..."

roles/vpn/files/etc_dnsmasq.conf → roles/vpn/templates/etc_dnsmasq.conf.j2 View File

@@ -94,7 +94,7 @@ bogus-priv
94 94
 # Or which to listen on by address (remember to include 127.0.0.1 if
95 95
 # you use this.)
96 96
 #listen-address=
97
-listen-address=127.0.0.1,10.8.0.1
97
+listen-address=127.0.0.1,{{ openvpn_ip_start }}.1
98 98
 
99 99
 # If you want dnsmasq to provide only DNS service on an interface,
100 100
 # configure it as shown above, and then use the following line to

+ 2
- 2
roles/vpn/templates/etc_openvpn_server.conf.j2 View File

@@ -96,7 +96,7 @@ dh dh{{ openvpn_key_size }}.pem
96 96
 # Each client will be able to reach the server
97 97
 # on 10.8.0.1. Comment this line out if you are
98 98
 # ethernet bridging. See the man page for more info.
99
-server 10.8.0.0 255.255.255.0
99
+server {{ openvpn_ip_start }}.0 255.255.255.0
100 100
 
101 101
 # Maintain a record of client <-> virtual IP address
102 102
 # associations in this file.  If OpenVPN goes down or
@@ -188,7 +188,7 @@ ifconfig-pool-persist ipp.txt
188 188
 # or bridge the TUN/TAP interface to the internet
189 189
 # in order for this to work properly).
190 190
 push "redirect-gateway def1"
191
-push "dhcp-option DNS 10.8.0.1"
191
+push "dhcp-option DNS {{ openvpn_ip_start }}.1"
192 192
 
193 193
 # Certain Windows-specific network settings
194 194
 # can be pushed to clients, such as DNS

+ 4
- 4
roles/vpn/templates/rc.local_ansible_openvpn View File

@@ -6,12 +6,12 @@
6 6
 
7 7
 iptables -C FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT || \
8 8
 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
9
-iptables -C FORWARD -s 10.8.0.0/24 -j ACCEPT || \
10
-iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
9
+iptables -C FORWARD -s {{ openvpn_ip_start }}.0/24 -j ACCEPT || \
10
+iptables -A FORWARD -s {{ openvpn_ip_start }}.0/24 -j ACCEPT
11 11
 iptables -C FORWARD -j REJECT || \
12 12
 iptables -A FORWARD -j REJECT
13
-iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE || \
14
-iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
13
+iptables -t nat -C POSTROUTING -s {{ openvpn_ip_start }}.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE || \
14
+iptables -t nat -A POSTROUTING -s {{ openvpn_ip_start }}.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
15 15
 
16 16
 systemctl restart dnsmasq
17 17
 

+ 1
- 1
roles/xmpp/tasks/prosody.yml View File

@@ -30,7 +30,7 @@
30 30
   file: state=directory path=/data/prosody owner=prosody group=prosody
31 31
 
32 32
 - name: Configure Prosody
33
-  template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=prosody owner=prosody
33
+  template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=prosody owner=root mode=0644
34 34
   notify: restart prosody
35 35
 
36 36
 - name: Create Prosody accounts

Loading…
Cancel
Save