
Lots of updates, first test of VPN.

Thomas Buck 5 years ago
parent
commit
ee0f739b1d

+ 4
- 0
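--- a/README.md
+++ b/README.md
@@ -104,6 +104,10 @@
     cd sovereign
     sudo pip install -r ./requirements.txt
 
+Or, if you're on Arch, instead of using pip, install the required stuff manually:
+
+    sudo pacman -Syu ansible python-jmespath python-passlib
+
 #### 4. Configure your installation
 
 Modify the settings in the `group_vars/sovereign` folder to your liking.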

+ 1
- 1
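--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -13,7 +13,7 @@
 db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"
 
 # let's encrypt
-letsencrypt_server: "https://acme-v01.api.letsencrypt.org/directory"
+letsencrypt_server: "https://acme-v02.api.letsencrypt.org/directory"
 
 # ssh
 # Following https://infosec.mozilla.org/guidelines/openssh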
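Review bot: Switching `letsencrypt_server` to the acme-v02 directory only works if the ACME client this role drives speaks ACME v2 (RFC 8555), because the v01 and v02 endpoints are not protocol-compatible; the client itself is not visible in this hunk, so that is worth confirming before relying on the new default. A comment on the value would stop the next reader from treating the two URLs as interchangeable: `# ACME v2 directory (RFC 8555); the ACME client used by this role must support v2`.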

+ 1
- 1
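--- a/roles/mailserver/files/etc_dovecot_conf.d_90-plugin.conf
+++ b/roles/mailserver/files/etc_dovecot_conf.d_90-plugin.conf
@@ -9,5 +9,5 @@
 plugin {
   # FTS (full text search with Solr)
   fts = solr
-  fts_solr = break-imap-search url=http://localhost:8080/solr/
+  fts_solr = url=http://localhost:8080/solr/
 }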

+ 0
- 2
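--- a/roles/mailserver/files/etc_dovecot_sieve_before.d_no-spam.sieve
+++ b/roles/mailserver/files/etc_dovecot_sieve_before.d_no-spam.sieve
@@ -2,13 +2,11 @@
 require "imap4flags";
 
 if header :contains "X-Spam-Flag" "YES" {
-    setflag "\\seen";
     fileinto "Junk";
     stop;
 }
 
 if header :is "X-Spam" "Yes" {
-    setflag "\\seen";
     fileinto "Junk";
     stop;
 }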

+ 2
- 2
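--- a/roles/mailserver/tasks/checkrbl.yml
+++ b/roles/mailserver/tasks/checkrbl.yml
@@ -1,8 +1,8 @@
 - name: Download check-rbl
   get_url:
-    url=https://raw.githubusercontent.com/lukecyca/check-rbl/e2bd60f5e5175375cd2f7f1b1b752473e3a23640/check-rbl.pl
+    url=https://raw.githubusercontent.com/lukecyca/check-rbl/479c1d5aa57543ba4c495ef06028fd9092ffdf43/check-rbl.pl
     dest=/opt/check-rbl.pl
-    sha256sum=22093bd59ed84cb7ee6e336fb2a4ab73dbe3a05837d2bab9b491a21df16b35d8
+    sha256sum=0968ea1991b500a2bb39b4aefb05c6bf42a62994774f2c46de5d426d5094508b
 
 - name: Install nightly check-rbl cronjob
   cron: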
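Review bot: The digest is passed through the deprecated `sha256sum=` key, inside a multi-line key=value scalar under `get_url:`, rather than through the current `checksum` parameter with its algorithm prefix; pinning to a commit and a SHA-256 is the right supply-chain control, so it deserves the supported spelling. In native module arguments the task would read `url: https://raw.githubusercontent.com/lukecyca/check-rbl/479c1d5aa57543ba4c495ef06028fd9092ffdf43/check-rbl.pl`, `dest: /opt/check-rbl.pl`, `checksum: "sha256:0968ea1991b500a2bb39b4aefb05c6bf42a62994774f2c46de5d426d5094508b"`. Whether the new digest matches the file at that commit cannot be checked from the diff itself.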

+ 1
- 1
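--- a/roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j2
+++ b/roles/mailserver/templates/etc_rspamd_local.d_dmarc.conf.j2
@@ -9,7 +9,7 @@
 
 # From Rspamd 1.6 experimental support for generation of DMARC reports is provided.
 # send_reports MUST be true
-send_reports = true;
+send_reports = false;
 
 # report_settings MUST be present
 report_settings {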
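Review bot: The comment on line 11, `# send_reports MUST be true`, now directly contradicts the value beneath it, `send_reports = false;`, and the `# report_settings MUST be present` block that follows is kept for a feature that is switched off. The commit does not say why reporting was disabled; replace the stale comment with that reason, e.g. `# DMARC report generation is disabled (see commit history); report_settings below are kept for when it is re-enabled`, so a later reader does not flip the value back on sight.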

+ 6
- 0
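--- /dev/null
+++ b/roles/monitoring/files/etc_monit_conf.d_dnsmasq
@@ -0,0 +1,6 @@
+check process dnsmasq with pidfile "/run/dnsmasq/dnsmasq.pid"
+  group system
+  start program = "/bin/systemctl start dnsmasq"
+  stop program = "/bin/systemctl stop dnsmasq"
+  if failed port 53 type udp protocol dns then alert
+  if failed port 53 type udp protocol dns for 5 cycles then restart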

+ 6
- 0
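--- /dev/null
+++ b/roles/monitoring/files/etc_monit_conf.d_openvpn
@@ -0,0 +1,6 @@
+check process openvpn with pidfile "/run/openvpn/server.pid"
+  group system
+  start program = "/bin/systemctl start openvpn@server"
+  stop program = "/bin/systemctl stop openvpn@server"
+  if failed port 1194 type udp then alert
+  if failed port 1194 type udp for 5 cycles then restart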

+ 14
- 0
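--- a/roles/monitoring/tasks/monit.yml
+++ b/roles/monitoring/tasks/monit.yml
@@ -68,6 +68,10 @@
   stat: path=/etc/mosquitto/mosquitto.conf
   register: mosquitto_config_file
 
+- name: Determine if OpenVPN is installed
+  stat: path=/etc/openvpn/server.conf
+  register: openvpn_config_file
+
 - name: Copy ZNC monit service config files into place
   copy: src=etc_monit_conf.d_znc dest=/etc/monit/conf.d/znc
   notify: restart monit
@@ -133,6 +137,16 @@
   notify: restart monit
   when: mosquitto_config_file.stat.exists == True
 
+- name: Copy OpenVPN monit service config files into place
+  copy: src=etc_monit_conf.d_openvpn dest=/etc/monit/conf.d/openvpn
+  notify: restart monit
+  when: openvpn_config_file.stat.exists == True
+
+- name: Copy dnsmasq monit service config files into place
+  copy: src=etc_monit_conf.d_dnsmasq dest=/etc/monit/conf.d/dnsmasq
+  notify: restart monit
+  when: openvpn_config_file.stat.exists == True
+
 - name: Copy monit service config files into place
   copy: src=etc_monit_conf.d_{{ item }} dest=/etc/monit/conf.d/{{ item }}
   with_items: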
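Review bot: The dnsmasq monit task at new lines 145–148 is gated on `openvpn_config_file.stat.exists`, not on dnsmasq's own presence; the vpn role in this commit installs dnsmasq together with OpenVPN, so the coupling is probably intentional, but nothing at the task says so, and a host running dnsmasq for another reason gets no check. Either register a dedicated `stat: path=/etc/dnsmasq.conf` as `dnsmasq_config_file` and condition on that, or document the coupling above the task: `# dnsmasq is installed and configured by the vpn role, so its check follows OpenVPN`. The `== True` comparison matches the surrounding tasks, so it is consistent even if `| bool` would be the more idiomatic form.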

+ 4
- 2
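--- a/roles/vpn/defaults/main.yml
+++ b/roles/vpn/defaults/main.yml
@@ -1,11 +1,13 @@
 # Notes about security: https://blog.g3rt.nl/openvpn-security-tips.html
 # Check privacy: http://witch.valdikss.org.ru/
 
+openvpn_ip_start: "10.8.0"
+
 openvpn_key_country:  "US"
 openvpn_key_province: "California"
 openvpn_key_city: "Beverly Hills"
-openvpn_key_org: "ACME CORPORATION"
-openvpn_key_ou: "Anvil Department"
+openvpn_key_org: "{{ domain }}"
+openvpn_key_ou: "{{ server_name }}"
 openssl_request_subject: "/C={{ openvpn_key_country }}/ST={{ openvpn_key_province }}/L={{ openvpn_key_city }}/O={{ openvpn_key_org }}/OU={{ openvpn_key_ou }}"
 
 openvpn_days_valid: "1825"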
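Review bot: `openvpn_ip_start` is consumed by the templates in this commit as `{{ openvpn_ip_start }}.0 255.255.255.0` and `{{ openvpn_ip_start }}.0/24`, so it has to be exactly the first three octets of a /24 with no trailing dot, yet nothing at the definition states that contract. Add `# First three octets of the VPN /24, no trailing dot: ".0" is the network, ".1" the server and DNS address` above it. `openvpn_key_org` and `openvpn_key_ou` now depend on `domain` and `server_name`, which this defaults file does not define; they presumably come from group_vars, and a one-line comment naming that source would save the next reader a search.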

+ 11
- 7
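--- a/roles/vpn/tasks/openvpn.yml
+++ b/roles/vpn/tasks/openvpn.yml
@@ -3,8 +3,11 @@
 # ref: https://library.linode.com/networking/openvpn/debian-6-squeeze
 
 - name: Install OpenVPN and dependencies
-  apt: pkg={{ item }} state=present
-  with_items:
+  apt:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
     - dnsmasq
     - openvpn
     - udev
@@ -41,13 +44,13 @@
   command: openssl req -nodes -batch -new -x509 -key {{ openvpn_ca }}.key -out {{ openvpn_ca }}.crt -days {{ openvpn_days_valid }} -subj "{{ openssl_request_subject }}/CN=sovereign-ca-certificate"
            creates={{ openvpn_ca }}.crt
 
-- name: Generate the OpenSSL configuration that will be used for the Server certificate's req and ca commands
   # Properly sets the attributes that are described here:
   # openvpn.net/index.php/open-source/documentation/howto.html#mitm
   #
   # This is required in order for the 'ns-cert-type server' option to
   # work, which is enabled by default in most standard client.conf
   # files.
+- name: Generate the OpenSSL configuration that will be used for the Server certificate's req and ca commands
   template: src=openssl-server-certificate.cnf.j2
             dest={{ openvpn_path }}/openssl-server-certificate.cnf
 
@@ -146,12 +149,12 @@
 - name: Enable OpenVPN server systemd service unit
   service: name=openvpn@server enabled=yes
 
-# OpenVPN must restart first so the 10.8.0.0 interface is available
+# OpenVPN must restart first so the VPN interface is available
 # to dnsmasq
 - meta: flush_handlers
 
 - name: Copy dnsmasq configuration file into place
-  copy: src=etc_dnsmasq.conf dest=/etc/dnsmasq.conf
+  template: src=etc_dnsmasq.conf.j2 dest=/etc/dnsmasq.conf
   notify: restart dnsmasq
 
 - name: Copy the ca.crt and ta.key files that clients will need in order to connect to the OpenVPN server
@@ -164,11 +167,12 @@
 
 - name: Retrieve the files that clients will need in order to connect to the OpenVPN server
   fetch: src={{ openvpn_path }}/{{ item[0] }}/{{ item[1] }}
-         dest=/tmp/sovereign-openvpn-files fail_on_missing=yes
+         dest="{{ secret }}/sovereign-openvpn-files"
+         fail_on_missing=yes
   with_nested:
     - "{{ openvpn_clients }}"
     - ["client.crt", "client.key", "ca.crt", "ta.key", "{{ openvpn_server }}.ovpn"]
 
 - name: Pause 5s seconds for OpenVPN ready
   pause: seconds=5
-         prompt="You are ready to set up your OpenVPN clients. The files that you need are in /tmp/sovereign-openvpn-files. Make sure LZO compression is enabled and that you provide the ta.key file for the TLS-Auth option with a direction of '1'. Press any key to continue..."
+         prompt="You are ready to set up your OpenVPN clients. The files that you need are in {{ secret }}/sovereign-openvpn-files. Make sure LZO compression is enabled and that you provide the ta.key file for the TLS-Auth option with a direction of '1'. Press any key to continue..."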
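Review bot: The fetch task at new lines 169–171 still passes its arguments as a multi-line key=value scalar, now mixing a quoted `dest="{{ secret }}/..."` with an unquoted `src=` and `fail_on_missing=yes`, while the same commit converts the apt task at the top of the file to native YAML arguments. Moving the client private keys out of the world-readable /tmp into `{{ secret }}` is the right direction; with `flat` unset, fetch nests them under `<dest>/<inventory_hostname>/<src path>`, so the prompt's "in {{ secret }}/sovereign-openvpn-files" names only the top of that tree, and the secret directory is presumably kept out of version control and access-restricted (not visible here). Writing the task in the same native form as the apt task removes the quoting mix and makes the boolean explicit:
```yaml
- name: Retrieve the files that clients will need in order to connect to the OpenVPN server
  fetch:
    src: "{{ openvpn_path }}/{{ item[0] }}/{{ item[1] }}"
    dest: "{{ secret }}/sovereign-openvpn-files"
    fail_on_missing: true
  # … unchanged: with_nested loop over clients and files …
```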

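--- a/roles/vpn/files/etc_dnsmasq.conf
+++ b/roles/vpn/templates/etc_dnsmasq.conf.j2
@@ -94,7 +94,7 @@
 # Or which to listen on by address (remember to include 127.0.0.1 if
 # you use this.)
 #listen-address=
-listen-address=127.0.0.1,10.8.0.1
+listen-address=127.0.0.1,{{ openvpn_ip_start }}.1
 
 # If you want dnsmasq to provide only DNS service on an interface,
 # configure it as shown above, and then use the following line to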

+ 2
- 2
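--- a/roles/vpn/templates/etc_openvpn_server.conf.j2
+++ b/roles/vpn/templates/etc_openvpn_server.conf.j2
@@ -96,7 +96,7 @@
 # Each client will be able to reach the server
 # on 10.8.0.1. Comment this line out if you are
 # ethernet bridging. See the man page for more info.
-server 10.8.0.0 255.255.255.0
+server {{ openvpn_ip_start }}.0 255.255.255.0
 
 # Maintain a record of client <-> virtual IP address
 # associations in this file.  If OpenVPN goes down or
@@ -188,7 +188,7 @@
 # or bridge the TUN/TAP interface to the internet
 # in order for this to work properly).
 push "redirect-gateway def1"
-push "dhcp-option DNS 10.8.0.1"
+push "dhcp-option DNS {{ openvpn_ip_start }}.1"
 
 # Certain Windows-specific network settings
 # can be pushed to clients, such as DNS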
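Review bot: The comment at line 97, `# on 10.8.0.1. Comment this line out if you are`, still hard-codes the old address while the `server` directive two lines below is now templated on `openvpn_ip_start`, so anyone who changes the variable is told the wrong server address by the rendered file. Change it to `# on {{ openvpn_ip_start }}.1. Comment this line out if you are`; Jinja expands inside comments exactly as it does on the directive lines, so the rendered comment stays truthful.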

+ 4
- 4
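--- a/roles/vpn/templates/rc.local_ansible_openvpn
+++ b/roles/vpn/templates/rc.local_ansible_openvpn
@@ -6,12 +6,12 @@
 
 iptables -C FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT || \
 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-iptables -C FORWARD -s 10.8.0.0/24 -j ACCEPT || \
-iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
+iptables -C FORWARD -s {{ openvpn_ip_start }}.0/24 -j ACCEPT || \
+iptables -A FORWARD -s {{ openvpn_ip_start }}.0/24 -j ACCEPT
 iptables -C FORWARD -j REJECT || \
 iptables -A FORWARD -j REJECT
-iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE || \
-iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
+iptables -t nat -C POSTROUTING -s {{ openvpn_ip_start }}.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE || \
+iptables -t nat -A POSTROUTING -s {{ openvpn_ip_start }}.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
 
 systemctl restart dnsmasq
 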
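Review bot: Each rule is installed with an `iptables -C … || iptables -A …` pair, which is idempotent for the current value of `openvpn_ip_start` but never removes rules created for a previous value, so changing the prefix on an already-provisioned host leaves the old /24 with an ACCEPT in FORWARD and a MASQUERADE in POSTROUTING next to the new ones. That limitation is worth stating at the top of the rule block: `# NOTE: changing openvpn_ip_start does not remove rules added for the previous prefix; flush them by hand`. A `-D` of the old rule would only be possible if the previous value were tracked somewhere, which is not visible here; the script's header before line 6 is outside the hunk.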

+ 1
- 1
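--- a/roles/xmpp/tasks/prosody.yml
+++ b/roles/xmpp/tasks/prosody.yml
@@ -30,7 +30,7 @@
   file: state=directory path=/data/prosody owner=prosody group=prosody
 
 - name: Configure Prosody
-  template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=prosody owner=prosody
+  template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=prosody owner=root mode=0644
   notify: restart prosody
 
 - name: Create Prosody accounts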
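Review bot: `mode=0644` makes `/etc/prosody/prosody.cfg.lua` readable by every local account; the template is not in the diff, but the common role's defaults in this same commit generate database passwords with `lookup('password', …)`, so if `prosody.cfg.lua.j2` renders any such credential it becomes readable by any unprivileged process on the host. `owner=root` is a good change, since the daemon can no longer rewrite its own configuration; pairing it with `mode=0640` keeps the prosody group able to read the file while denying others: `template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=prosody owner=root mode=0640`. If this task is later converted to native YAML arguments, the mode must be quoted (`mode: "0640"`) to avoid the octal/decimal trap.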
