diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..32fbe8b
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,55 @@
+VAGRANTFILE_API_VERSION = "2"
+
+vm_group = "/test"
+
+vm_boxes = {
+ "zenected" => {
+ "ip" => "192.168.1.254",
+ "ports" => {
+ "http" => {
+ "host" => 8080,
+ "guest" => 80,
+ "protocol" => "tcp"
+ },
+ "https" => {
+ "host" => 8443,
+ "guest" => 443,
+ "protocol" => "tcp"
+ },
+ "ipsec1" => {
+ "host" => 8500,
+ "guest" => 500,
+ "protocol" => "udp"
+ },
+ "ipsec2" => {
+ "host" => 4500,
+ "guest" => 4500,
+ "protocol" => "udp"
+ },
+ }
+ },
+}
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+ config.vm.box = "ubuntu/trusty64"
+ # config.ssh.insert_key = false
+
+ vm_boxes.each do |name, box|
+ config.vm.define "#{name}" do |node|
+ node.vm.hostname = "#{name}"
+ node.vm.network :private_network, ip: box["ip"], netmask: "255.255.255.0"
+ box["ports"].each do |id, ports|
+ node.vm.network :forwarded_port, guest: ports["guest"], host: ports["host"], protocol: ports["protocol"], id: id
+ end
+
+ node.vm.provider "virtualbox" do |v|
+ v.memory = 1024
+ v.name = "#{name}"
+ v.customize [
+ "modifyvm", :id,
+ "--groups", vm_group
+ ]
+ end
+ end
+ end
+end
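Review bot: The interpolations `"#{name}"` on the `config.vm.define`, `node.vm.hostname =` and `v.name =` lines wrap a value that is already a String, so `config.vm.define name do |node|`, `node.vm.hostname = name` and `v.name = name` express the same thing without the extra allocation. The trailing commas after the `ipsec2` entry and after the `zenected` entry are legal but inconsistent with the inner hashes, which omit them. The private-network address `192.168.1.254` lies in a range many home routers use, so a guest on a host attached to such a LAN can collide with it; a comment next to `"ip"` saying the value is expected to be adjusted per site would save the next person the debugging.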
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..679e845
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,8 @@
+[defaults]
+inventory = hosts
+host_key_checking = no
+private_key_file = .vagrant/machines/zenected/virtualbox/private_key
+remote_user = vagrant
+
+[ssh_connection]
+ssh_args = -o IdentitiesOnly=yes
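Review bot: `host_key_checking = no` disables SSH host-key verification for every connection made with this config, not only the Vagrant one, so a comment above it stating that the file is meant solely for the local Vagrant box keeps it from being copied into a real inventory later. `private_key_file` is pinned to `.vagrant/machines/zenected/virtualbox/private_key`, which exists only after `vagrant up`, and `inventory = hosts` with `localhost:2222` assumes Vagrant kept its default forwarded SSH port, which it may remap if 2222 is already taken. Both assumptions are fine for a dev box but deserve one line of comment each.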
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..88c47f6
--- /dev/null
+++ b/hosts
@@ -0,0 +1,2 @@
+[zenected]
+localhost:2222
diff --git a/roles/apache/files/000-default.conf b/roles/apache/files/000-default.conf
new file mode 100644
index 0000000..6e64c10
--- /dev/null
+++ b/roles/apache/files/000-default.conf
@@ -0,0 +1,5 @@
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+ ErrorDocument 404 /index.php
+
\ No newline at end of file
diff --git a/roles/apache/files/dir.conf b/roles/apache/files/dir.conf
new file mode 100644
index 0000000..e35a8f2
--- /dev/null
+++ b/roles/apache/files/dir.conf
@@ -0,0 +1,3 @@
+
+ DirectoryIndex index.php index.html index.cgi index.pl index.xhtml index.htm
+
\ No newline at end of file
diff --git a/roles/apache/files/index.html b/roles/apache/files/index.html
new file mode 100644
index 0000000..acca955
--- /dev/null
+++ b/roles/apache/files/index.html
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
diff --git a/roles/apache/files/zenusers-ssl.conf b/roles/apache/files/zenusers-ssl.conf
new file mode 100644
index 0000000..7b29925
--- /dev/null
+++ b/roles/apache/files/zenusers-ssl.conf
@@ -0,0 +1,25 @@
+
+
+ ServerAdmin webmaster@localhost
+
+ DocumentRoot /var/www/zen/
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+ BrowserMatch "MSIE [2-6]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+
\ No newline at end of file
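Review bot: `SSLCertificateFile` and `SSLCertificateKeyFile` point at the distribution's self-signed snakeoil pair, and no `SSLProtocol` or `SSLCipherSuite` directive is present, so whatever the target's mod_ssl defaults are decide which protocol versions and ciphers this vhost accepts. Since the task that installs it already asks `why not lets encrypt cert?`, at minimum add `SSLProtocol all -SSLv3` and an explicit `SSLCipherSuite` line here, and a comment saying the snakeoil pair is a placeholder to be replaced. The `VirtualHost` and `FilesMatch`/`Directory` wrappers that the `SSLOptions +StdEnvVars` lines normally sit in are not visible on this page; presumably the angle-bracket lines were lost in rendering rather than missing from the file — confirm.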
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
new file mode 100644
index 0000000..bd9bfc3
--- /dev/null
+++ b/roles/apache/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+- name: install apache2
+ apt:
+ name: apache2
+
+- name: configure dir
+ copy:
+ src: dir.conf
+ dest: /etc/apache2/mods-enabled/dir.conf
+
+- name: configure 000 default
+ copy:
+ src: 000-default.conf
+ dest: /etc/apache2/sites-available/000-default.conf
+
+- name: configure zenusers-ssl # why not lets encrypt cert?
+ copy:
+ src: zenusers-ssl.conf
+ dest: /etc/apache2/sites-available/zenusers-ssl.conf
+
+- name: index zen
+ copy:
+ src: index.html
+ dest: /var/www/zen/index.html
+
+- name: servername apache
+ lineinfile:
+ dest: /etc/apache2/apache2.conf
+ regexp: "^ServerName"
+ line: "ServerName localhost"
+
+- name: apache2 ssl module
+ apache2_module:
+ state: present
+ name: ssl
+
+- name: apache2 autoindex module
+ apache2_module:
+ state: absent
+ name: autoindex
+
+- name: add site zenusers-ssl
+ command: "a2ensite zenusers-ssl.conf"
+
+- name: restart apache
+ service:
+ name: apache2
+ state: restarted
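Review bot: `command: "a2ensite zenusers-ssl.conf"` in the `add site zenusers-ssl` task runs on every play and always reports changed; adding `args: creates: /etc/apache2/sites-enabled/zenusers-ssl.conf` makes it idempotent. The closing `restart apache` task restarts unconditionally as well; the usual shape is a handler notified by the copy/lineinfile/apache2_module tasks, which also applies to `restart dnsmasq` in roles/dnsmasq/tasks/main.yml and `restart freeradius` in roles/radius/tasks/main.yml. The `# why not lets encrypt cert?` comment on the `configure zenusers-ssl` task is a good question left open; turning it into a `# TODO:` with the intended answer would stop it reading as an unreviewed doubt.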
diff --git a/roles/dnsmasq/files/dnsmasq.conf b/roles/dnsmasq/files/dnsmasq.conf
new file mode 100644
index 0000000..0d0777d
--- /dev/null
+++ b/roles/dnsmasq/files/dnsmasq.conf
@@ -0,0 +1,14 @@
+# Configuration file for dnsmasq.
+no-resolv
+
+##forward dns queries upstream
+server=8.8.8.8
+server=8.8.4.4
+
+no-hosts
+
+addn-hosts=/opt/zenected/dns/perun_ads.domains
+addn-hosts=/opt/zenected/dns/perun_feodo.domains
+addn-hosts=/opt/zenected/dns/perun_zeus.domains
+addn-hosts=/opt/zenected/dns/perun_suspicious.domains
+addn-hosts=/opt/zenected/dns/local_blacklist.domains
\ No newline at end of file
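Review bot: There is no `interface=`, `listen-address=` or `bind-interfaces` line, so dnsmasq listens on every interface and this host answers recursive queries for anyone who can reach port 53; today the l2p role's iptables INPUT chain happens to drop that, but the resolver should not rely on the firewall for it. Adding `listen-address=127.0.0.1,192.168.42.1` and `bind-interfaces` limits it to loopback and the VPN-side address that `ms-dns` in options.xl2tpd hands to clients. Upstream queries go to 8.8.8.8/8.8.4.4 unencrypted; that is a deliberate choice worth a one-line comment next to `server=`, since the blocklists in `addn-hosts` show the box is meant to act as a filtering resolver.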
diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml
new file mode 100644
index 0000000..ba17851
--- /dev/null
+++ b/roles/dnsmasq/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: install dependencies
+ apt:
+ name: dnsmasq
+
+- name: configure dnsmasq
+ copy:
+ src: dnsmasq.conf
+ dest: /etc/dnsmasq.conf
+
+- name: restart dnsmasq
+ service:
+ name: dnsmasq
+ state: restarted
diff --git a/roles/l2p/defaults/main.yml b/roles/l2p/defaults/main.yml
new file mode 100644
index 0000000..48c2d23
--- /dev/null
+++ b/roles/l2p/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+ipsec_password: "{{ lookup('password', 'credentials/ipsec/password chars=ascii_letters,digits,hexdigits length=15') }}"
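Review bot: `chars=ascii_letters,digits,hexdigits` in the `password` lookup lists the hex characters twice (they are already in `ascii_letters` and `digits`), which skews the generated PSK toward `0-9a-fA-F` and lowers its entropy; `chars=ascii_letters,digits length=32` gives a uniform and longer secret. The same charset is used in roles/mysql/defaults/main.yml and roles/radius/defaults/main.yml, and the latter re-declares `mysql_password` against the same `credentials/db/mysqlpassword` file, which only works as long as both declarations stay byte-identical. The lookup also writes the secret in plaintext under `credentials/` on the control host, so that directory needs to be excluded from version control.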
diff --git a/roles/l2p/files/Makefile.inc.local b/roles/l2p/files/Makefile.inc.local
new file mode 100644
index 0000000..6fed5b9
--- /dev/null
+++ b/roles/l2p/files/Makefile.inc.local
@@ -0,0 +1 @@
+WERROR_CFLAGS =
\ No newline at end of file
diff --git a/roles/l2p/files/iptables.rules b/roles/l2p/files/iptables.rules
new file mode 100644
index 0000000..196dd31
--- /dev/null
+++ b/roles/l2p/files/iptables.rules
@@ -0,0 +1,34 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:ICMPALL - [0:0]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp --icmp-type 255 -j ICMPALL
+-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
+-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
+-A INPUT -p udp --dport 1701 -j DROP
+-A INPUT -j DROP
+-A FORWARD -m conntrack --ctstate INVALID -j DROP
+-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i ppp+ -o eth+ -j ACCEPT
+-A FORWARD -j DROP
+-A ICMPALL -p icmp -f -j DROP
+-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
+-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
+-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
+-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
+-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
+-A ICMPALL -p icmp -j DROP
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP}
+COMMIT
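Review bot: `--to-source ${PRIVATE_IP}` on the SNAT rule is never substituted: the file is installed with `copy:` in roles/l2p/tasks/main.yml, not `template:`, and `iptables-restore` does not expand shell variables, so the restore errors on this line and the nat table is not committed, leaving VPN clients without NAT. Either switch that task to `template:` and write `--to-source {{ ansible_default_ipv4.address }}`, or use `-j MASQUERADE`, which needs no address. Separately, `ms-dns 192.168.42.1` in options.xl2tpd tells VPN clients to resolve through this host, but no INPUT rule accepts port 53 on `ppp+` before the final `-A INPUT -j DROP`, so those lookups are dropped unless a rule elsewhere adds them; `-A INPUT -i ppp+ -p udp --dport 53 -j ACCEPT` plus its tcp twin would be needed. TCP 22 is accepted from any source; restricting it to the management network is worth considering.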
diff --git a/roles/l2p/files/iptablesload b/roles/l2p/files/iptablesload
new file mode 100644
index 0000000..9d0d636
--- /dev/null
+++ b/roles/l2p/files/iptablesload
@@ -0,0 +1,3 @@
+#!/bin/sh
+/sbin/iptables-restore < /etc/iptables.rules
+exit 0
\ No newline at end of file
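Review bot: The unconditional `exit 0` discards the status of `/sbin/iptables-restore`, so a rules file that fails to parse leaves the host with whatever rules loaded before and if-pre-up reports success. Keeping the interface coming up while leaving a trace is possible with `/sbin/iptables-restore < /etc/iptables.rules || logger -t iptablesload "iptables-restore failed"` ahead of the `exit 0`; if a failed firewall should instead block the interface, use `exit $?`. Either way, a comment stating which behaviour was chosen would help, because the current form looks accidental.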
diff --git a/roles/l2p/files/options.xl2tpd b/roles/l2p/files/options.xl2tpd
new file mode 100644
index 0000000..72a0465
--- /dev/null
+++ b/roles/l2p/files/options.xl2tpd
@@ -0,0 +1,18 @@
+ipcp-accept-local
+ipcp-accept-remote
+#ms-dns 8.8.8.8
+#ms-dns 8.8.4.4
+ms-dns 192.168.42.1
+noccp
+auth
+crtscts
+idle 1800
+mtu 1280
+mru 1280
+lock
+lcp-echo-failure 10
+lcp-echo-interval 60
+connect-delay 5000
+
+plugin radius.so
+plugin radattr.so
\ No newline at end of file
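Review bot: `auth` on its own accepts any method pppd can negotiate, so with only `refuse pap = yes` in xl2tpd.conf a client may still authenticate with CHAP-MD5 or MS-CHAPv1 against the RADIUS backend; adding `refuse-pap`, `refuse-chap`, `refuse-mschap` and `require-mschap-v2` here pins the exchange to MS-CHAPv2, which the radius role's `Auth-Type MS-CHAP { mschap }` section already handles — confirm the radius plugin path supports it before enforcing. `crtscts` is a serial-line hardware flow-control option and has no effect on an L2TP pseudo-tty; it can be dropped. The commented `#ms-dns 8.8.8.8` / `#ms-dns 8.8.4.4` lines are dead now that `ms-dns 192.168.42.1` replaces them.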
diff --git a/roles/l2p/files/sysctl.conf b/roles/l2p/files/sysctl.conf
new file mode 100644
index 0000000..8687b19
--- /dev/null
+++ b/roles/l2p/files/sysctl.conf
@@ -0,0 +1,29 @@
+kernel.sysrq = 0
+kernel.core_uses_pid = 1
+net.ipv4.tcp_syncookies = 1
+kernel.msgmnb = 65536
+kernel.msgmax = 65536
+kernel.shmmax = 68719476736
+kernel.shmall = 4294967296
+net.ipv4.ip_forward = 1
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.default.rp_filter = 0
+net.ipv6.conf.all.disable_ipv6=1
+net.ipv6.conf.default.disable_ipv6=1
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+kernel.randomize_va_space = 1
+net.core.wmem_max=12582912
+net.core.rmem_max=12582912
+net.ipv4.tcp_rmem= 10240 87380 12582912
+net.ipv4.tcp_wmem= 10240 87380 12582912
\ No newline at end of file
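Review bot: `kernel.randomize_va_space = 1` randomizes stack, mmap and VDSO but leaves the heap (brk) base fixed; `kernel.randomize_va_space = 2` is full ASLR and the kernel's own default, so the value here is a downgrade and should be 2. `net.ipv4.conf.all.rp_filter = 0` and its `default` twin switch off reverse-path filtering globally; that is commonly required for the netkey IPsec stack this role configures, but it deserves a comment so it is not "fixed" back to 1 later. The file is copied to /etc/sysctl.conf by the l2p role, yet nothing runs `sysctl -p` or the `sysctl` module afterwards, so `net.ipv4.ip_forward = 1` and the rest only take effect after a reboot.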
diff --git a/roles/l2p/files/xl2tpd.conf b/roles/l2p/files/xl2tpd.conf
new file mode 100644
index 0000000..f5461d7
--- /dev/null
+++ b/roles/l2p/files/xl2tpd.conf
@@ -0,0 +1,16 @@
+[global]
+port = 1701
+;debug avp = yes
+;debug network = yes
+;debug state = yes
+;debug tunnel = yes
+[lns default]
+ip range = 192.168.42.10-192.168.42.250
+local ip = 192.168.42.1
+require chap = yes
+refuse pap = yes
+require authentication = yes
+name = l2tpd
+;ppp debug = yes
+pppoptfile = /etc/ppp/options.xl2tpd
+length bit = yes
\ No newline at end of file
diff --git a/roles/l2p/tasks/main.yml b/roles/l2p/tasks/main.yml
new file mode 100644
index 0000000..7a412bc
--- /dev/null
+++ b/roles/l2p/tasks/main.yml
@@ -0,0 +1,73 @@
+---
+- name: install dependencies
+ apt:
+ name: '{{ item }}'
+ with_items: '{{ dependencies }}'
+
+- name: dowload libreswan
+ unarchive:
+ src: "https://download.libreswan.org/libreswan-{{ swan_version }}.tar.gz"
+ dest: "/opt/"
+ remote_src: yes
+
+- name: modify makefile
+ copy:
+ src: "Makefile.inc.local"
+ dest: "/opt/libreswan-{{ swan_version }}/Makefile.inc.local"
+
+- name: compile
+ make:
+ chdir: "/opt/libreswan-{{ swan_version }}"
+ target: programs
+
+- name: install
+ make:
+ chdir: "/opt/libreswan-{{ swan_version }}"
+ target: install
+
+- name: get my public IP
+ ipify_facts:
+ api_url: http://ifconfig.co/json
+
+- name: configure ipsec
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/{{ item }}"
+ with_items:
+ - ipsec.conf
+ - ipsec.secrets
+
+- name: configure xl2tpd
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/xl2tpd/{{ item }}"
+ with_items:
+ - xl2tpd.conf
+
+- name: configure xl2tpd
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/ppp/{{ item }}"
+ with_items:
+ - options.xl2tpd
+
+- name: configure zenected
+ lineinfile:
+ dest: /etc/zenected/zenected.conf
+ regexp: "^ZEN_SHARED="
+ line: 'ZEN_SHARED="Zenected"'
+
+- name: configure systcl
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/{{ item }}"
+ backup: yes
+ with_items:
+ - sysctl.conf
+ - iptables.rules
+
+- name: configure ifpreup
+ copy:
+ src: iptablesload
+ dest: /etc/network/if-pre-up.d/iptablesload
+ mode: 0755
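Review bot: The `dowload libreswan` task unpacks a tarball fetched over the network straight into /opt and the next two tasks build and install it as root, with no integrity check; `unarchive` has no checksum option, so fetch it first with `get_url` and `checksum: sha256:<expected digest from the release page>` (placeholder), then unarchive the local file. `ipify_facts` is pointed at `http://ifconfig.co/json`, plain HTTP, and the answer becomes `leftid` in ipsec.conf; use `https://`. The `configure ipsec` template task renders ipsec.secrets, which holds the PSK, without a `mode:`, so it gets the default (typically world-readable) permissions — add `mode: 0600` to that task, or split the two files so only the secrets file is restricted. Two tasks share the name `configure xl2tpd`, and `dowload`/`systcl` are typos in task names that appear in every run's output.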
diff --git a/roles/l2p/templates/ipsec.conf.j2 b/roles/l2p/templates/ipsec.conf.j2
new file mode 100644
index 0000000..979c948
--- /dev/null
+++ b/roles/l2p/templates/ipsec.conf.j2
@@ -0,0 +1,32 @@
+version 2.0
+config setup
+ dumpdir=/var/run/pluto/
+ nat_traversal=yes
+ virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
+ oe=off
+ protostack=netkey
+ nhelpers=0
+ interfaces=%defaultroute
+conn vpnpsk
+ connaddrfamily=ipv4
+ auto=add
+ left={{ ansible_default_ipv4["address"] }}
+ leftid={{ ipify_public_ip }}
+ leftsubnet={{ ansible_default_ipv4["netmask"] }}
+ leftnexthop=%defaultroute
+ leftprotoport=17/1701
+ rightprotoport=17/%any
+ right=%any
+ rightsubnetwithin=0.0.0.0/0
+ forceencaps=yes
+ authby=secret
+ pfs=no
+ type=transport
+ auth=esp
+ ike=3des-sha1,aes-sha1
+ phase2alg=3des-sha1,aes-sha1
+ rekey=no
+ keyingtries=5
+ dpddelay=30
+ dpdtimeout=120
+ dpdaction=clear
\ No newline at end of file
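Review bot: `leftsubnet={{ ansible_default_ipv4["netmask"] }}` renders to a netmask such as 255.255.255.0, which is not the `a.b.c.d/n` form `leftsubnet` takes; for a transport-mode L2TP connection the line is normally omitted, and if a subnet is wanted the fact to combine is `ansible_default_ipv4["network"]` with a prefix length. `ike=3des-sha1,aes-sha1` and `phase2alg=3des-sha1,aes-sha1` list 3DES first and offer no AES-256 or SHA-2 proposal; a more defensive default is `aes256-sha2,aes-sha1` with 3des dropped unless a named legacy client needs it, in which case a comment should say which. `pfs=no` and `rekey=no` are the usual compromises for Windows/iOS L2TP clients and deserve a one-line comment saying so, since read cold they look like mistakes.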
diff --git a/roles/l2p/templates/ipsec.secrets.j2 b/roles/l2p/templates/ipsec.secrets.j2
new file mode 100644
index 0000000..6fbf194
--- /dev/null
+++ b/roles/l2p/templates/ipsec.secrets.j2
@@ -0,0 +1,2 @@
+include /var/lib/openswan/ipsec.secrets.inc
+{{ ansible_default_ipv4["address"] }} %any: PSK "{{ ipsec_password }}"
\ No newline at end of file
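Review bot: `include /var/lib/openswan/ipsec.secrets.inc` refers to the Openswan package's path while this role builds Libreswan from source; nothing in the role creates that file, so the include either points at nothing or at leftovers from another install — drop it or create the file explicitly. The PSK line keys on `{{ ansible_default_ipv4["address"] }} %any`, matching `left=` in ipsec.conf.j2; a comment noting that the two must stay in sync would help the next edit.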
diff --git a/roles/l2p/vars/main.yml b/roles/l2p/vars/main.yml
new file mode 100644
index 0000000..74e2db5
--- /dev/null
+++ b/roles/l2p/vars/main.yml
@@ -0,0 +1,26 @@
+---
+swan_version: 3.17
+
+dependencies:
+ - xl2tpd
+ - ppp
+ - lsof
+ - iproute2
+ - gawk
+ - xmlto # no install recommends
+ - libnss3-dev
+ - libnspr4-dev
+ - pkg-config
+ - libpam0g-dev
+ - libcap-ng-dev
+ - libcap-ng-utils
+ - libselinux1-dev
+ - libcurl4-nss-dev
+ - libgmp3-dev
+ - flex
+ - bison
+ - gcc
+ - make
+ - libunbound-dev
+ - libnss3-tools
+ - libevent-dev
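Review bot: The `# no install recommends` comment on `xmlto` describes an intent the `install dependencies` task does not implement — the `apt` call in roles/l2p/tasks/main.yml has no `install_recommends: no`, so recommends are pulled in as usual. Either add that parameter to the task or remove the comment. `swan_version: 3.17` pins an older release that the role compiles and installs system-wide; pinning is right, but a comment should say where the version is checked against upstream security releases.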
diff --git a/roles/mysql/defaults/main.yml b/roles/mysql/defaults/main.yml
new file mode 100644
index 0000000..b5271b5
--- /dev/null
+++ b/roles/mysql/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+mysql_password: "{{ lookup('password', 'credentials/db/mysqlpassword chars=ascii_letters,digits,hexdigits length=15') }}"
diff --git a/roles/mysql/tasks/main.yml b/roles/mysql/tasks/main.yml
new file mode 100644
index 0000000..ad112d7
--- /dev/null
+++ b/roles/mysql/tasks/main.yml
@@ -0,0 +1,57 @@
+---
+- name: install dependencies
+ apt:
+ name: "{{ item }}"
+ with_items: "{{ dependencies }}"
+
+- name: debconf
+ debconf:
+ name: mysql-server
+ question: mysql-server/root_password
+ value: '{{ mysql_password }}'
+ vtype: password
+
+- name: debconf
+ debconf:
+ name: mysql-server
+ question: mysql-server/root_password_again
+ value: '{{ mysql_password }}'
+ vtype: password
+
+- name: zenected mysql password
+ lineinfile:
+ dest: /etc/zenected/zenected.conf
+ regexp: '^ZEN_MYSQL='
+ line: 'ZEN_MSQL="{{ mysql_password }}"'
+
+- name: install mysql db
+ command: mysql_install_db
+
+
+- block:
+ - name: Set root user password
+ mysql_user:
+ name: root
+ host: localhost
+ password: "{{ mysql_password }}"
+ check_implicit_admin: yes
+ login_user: root
+ state: present
+ rescue:
+ - name: Set root user password
+ mysql_user:
+ name: root
+ host: localhost
+ password: "{{ mysql_password }}"
+ check_implicit_admin: yes
+ login_user: root
+ login_password: "{{ mysql_password }}"
+ state: present
+
+- name: Secure install
+ shell: 'mysql -u root -p{{ mysql_password }} -e "{{ item }}"'
+ with_items:
+ - "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
+ - "DELETE FROM mysql.user WHERE User=''"
+ - "DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
+ - "FLUSH PRIVILEGES"
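Review bot: The `zenected mysql password` task matches `regexp: '^ZEN_MYSQL='` but writes `line: 'ZEN_MSQL="{{ mysql_password }}"'`, so the existing `ZEN_MYSQL=` line is replaced by a differently named key; it should read `line: 'ZEN_MYSQL="{{ mysql_password }}"'`. The `Secure install` task passes the root password on the `mysql -u root -p…` command line, where it is visible in the process list and in Ansible's task output; `mysql_user` with `state: absent` and `mysql_db` cover these deletions, and whichever form stays should carry `no_log: true` — the same applies to the `grant privileges` and `flush privileges` shell tasks and the daloradius `lineinfile` in roles/radius/tasks/main.yml. `command: mysql_install_db` reruns on every play and needs a `creates:` guard.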
diff --git a/roles/mysql/vars/main.yml b/roles/mysql/vars/main.yml
new file mode 100644
index 0000000..3c263a9
--- /dev/null
+++ b/roles/mysql/vars/main.yml
@@ -0,0 +1,5 @@
+---
+dependencies:
+ - mysql-server
+ - php5-mysql
+ - python-mysqldb
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml
new file mode 100644
index 0000000..17ed76c
--- /dev/null
+++ b/roles/php/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: install dependencies
+ apt:
+ name: "{{ item }}"
+ with_items: "{{ dependencies }}"
diff --git a/roles/php/vars/main.yml b/roles/php/vars/main.yml
new file mode 100644
index 0000000..127c1f6
--- /dev/null
+++ b/roles/php/vars/main.yml
@@ -0,0 +1,9 @@
+---
+dependencies:
+ - php5
+ - php-db
+ - php-pear
+ - libapache2-mod-php5
+ - php5-mcrypt
+ - php5-gd
+ - php5-sqlite
diff --git a/roles/radius/defaults/main.yml b/roles/radius/defaults/main.yml
new file mode 100644
index 0000000..e78b558
--- /dev/null
+++ b/roles/radius/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+radius_password: "{{ lookup('password', 'credentials/radius/password chars=ascii_letters,digits,hexdigits length=15') }}"
+radius_mysql_password: "{{ lookup('password', 'credentials/radius/mysqlpassword chars=ascii_letters,digits,hexdigits length=15') }}"
+mysql_password: "{{ lookup('password', 'credentials/db/mysqlpassword chars=ascii_letters,digits,hexdigits length=15') }}"
diff --git a/roles/radius/files/default b/roles/radius/files/default
new file mode 100644
index 0000000..1f199e1
--- /dev/null
+++ b/roles/radius/files/default
@@ -0,0 +1,77 @@
+# $Id$
+authorize {
+ preprocess
+ chap
+ mschap
+ digest
+ suffix
+# ntdomain
+ eap {
+ ok = return
+ }
+ files
+ sql
+ expiration
+ logintime
+ pap
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+
+ Auth-Type CHAP {
+ chap
+ }
+
+ Auth-Type MS-CHAP {
+ mschap
+ }
+
+ digest
+ unix
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ sql
+# sql_log
+ exec
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+ sql
+}
+
+post-auth {
+# sql
+# sql_log
+# ldap
+ exec
+ Post-Auth-Type REJECT {
+# sql
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+# attr_rewrite
+# pre_proxy_log
+}
+
+post-proxy {
+ eap
+}
\ No newline at end of file
diff --git a/roles/radius/files/dictionary b/roles/radius/files/dictionary
new file mode 100644
index 0000000..b7f1037
--- /dev/null
+++ b/roles/radius/files/dictionary
@@ -0,0 +1,194 @@
+#
+# Updated 97/06/13 to livingston-radius-2.01 miquels@cistron.nl
+#
+# Following are the proper new names. Use these.
+#
+ATTRIBUTE User-Name 1 string
+ATTRIBUTE Password 2 string
+ATTRIBUTE CHAP-Password 3 string
+ATTRIBUTE NAS-IP-Address 4 ipaddr
+ATTRIBUTE NAS-Port-Id 5 integer
+ATTRIBUTE Service-Type 6 integer
+ATTRIBUTE Framed-Protocol 7 integer
+ATTRIBUTE Framed-IP-Address 8 ipaddr
+ATTRIBUTE Framed-IP-Netmask 9 ipaddr
+ATTRIBUTE Framed-Routing 10 integer
+ATTRIBUTE Filter-Id 11 string
+ATTRIBUTE Framed-MTU 12 integer
+ATTRIBUTE Framed-Compression 13 integer
+ATTRIBUTE Login-IP-Host 14 ipaddr
+ATTRIBUTE Login-Service 15 integer
+ATTRIBUTE Login-TCP-Port 16 integer
+ATTRIBUTE Reply-Message 18 string
+ATTRIBUTE Callback-Number 19 string
+ATTRIBUTE Callback-Id 20 string
+ATTRIBUTE Framed-Route 22 string
+ATTRIBUTE Framed-IPX-Network 23 ipaddr
+ATTRIBUTE State 24 string
+ATTRIBUTE Session-Timeout 27 integer
+ATTRIBUTE Idle-Timeout 28 integer
+ATTRIBUTE Termination-Action 29 integer
+ATTRIBUTE Called-Station-Id 30 string
+ATTRIBUTE Calling-Station-Id 31 string
+ATTRIBUTE Acct-Status-Type 40 integer
+ATTRIBUTE Acct-Delay-Time 41 integer
+ATTRIBUTE Acct-Input-Octets 42 integer
+ATTRIBUTE Acct-Output-Octets 43 integer
+ATTRIBUTE Acct-Session-Id 44 string
+ATTRIBUTE Acct-Authentic 45 integer
+ATTRIBUTE Acct-Session-Time 46 integer
+ATTRIBUTE Acct-Input-Packets 47 integer
+ATTRIBUTE Acct-Output-Packets 48 integer
+ATTRIBUTE Acct-Terminate-Cause 49 integer
+ATTRIBUTE Chap-Challenge 60 string
+ATTRIBUTE NAS-Port-Type 61 integer
+ATTRIBUTE Port-Limit 62 integer
+ATTRIBUTE Connect-Info 77 string
+
+#
+# Experimental Non Protocol Attributes used by Cistron-Radiusd
+#
+ATTRIBUTE Huntgroup-Name 221 string
+ATTRIBUTE User-Category 1029 string
+ATTRIBUTE Group-Name 1030 string
+ATTRIBUTE Simultaneous-Use 1034 integer
+ATTRIBUTE Strip-User-Name 1035 integer
+ATTRIBUTE Fall-Through 1036 integer
+ATTRIBUTE Add-Port-To-IP-Address 1037 integer
+ATTRIBUTE Exec-Program 1038 string
+ATTRIBUTE Exec-Program-Wait 1039 string
+ATTRIBUTE Hint 1040 string
+
+#
+# Non-Protocol Attributes
+# These attributes are used internally by the server
+#
+ATTRIBUTE Expiration 21 date
+ATTRIBUTE Auth-Type 1000 integer
+ATTRIBUTE Menu 1001 string
+ATTRIBUTE Termination-Menu 1002 string
+ATTRIBUTE Prefix 1003 string
+ATTRIBUTE Suffix 1004 string
+ATTRIBUTE Group 1005 string
+ATTRIBUTE Crypt-Password 1006 string
+ATTRIBUTE Connect-Rate 1007 integer
+
+#
+# Integer Translations
+#
+
+# User Types
+
+VALUE Service-Type Login-User 1
+VALUE Service-Type Framed-User 2
+VALUE Service-Type Callback-Login-User 3
+VALUE Service-Type Callback-Framed-User 4
+VALUE Service-Type Outbound-User 5
+VALUE Service-Type Administrative-User 6
+VALUE Service-Type NAS-Prompt-User 7
+
+# Framed Protocols
+
+VALUE Framed-Protocol PPP 1
+VALUE Framed-Protocol SLIP 2
+
+# Framed Routing Values
+
+VALUE Framed-Routing None 0
+VALUE Framed-Routing Broadcast 1
+VALUE Framed-Routing Listen 2
+VALUE Framed-Routing Broadcast-Listen 3
+
+# Framed Compression Types
+
+VALUE Framed-Compression None 0
+VALUE Framed-Compression Van-Jacobson-TCP-IP 1
+
+# Login Services
+
+VALUE Login-Service Telnet 0
+VALUE Login-Service Rlogin 1
+VALUE Login-Service TCP-Clear 2
+VALUE Login-Service PortMaster 3
+
+# Status Types
+
+VALUE Acct-Status-Type Start 1
+VALUE Acct-Status-Type Stop 2
+VALUE Acct-Status-Type Accounting-On 7
+VALUE Acct-Status-Type Accounting-Off 8
+
+# Authentication Types
+
+VALUE Acct-Authentic RADIUS 1
+VALUE Acct-Authentic Local 2
+VALUE Acct-Authentic PowerLink128 100
+
+# Termination Options
+
+VALUE Termination-Action Default 0
+VALUE Termination-Action RADIUS-Request 1
+
+# NAS Port Types, available in 3.3.1 and later
+
+VALUE NAS-Port-Type Async 0
+VALUE NAS-Port-Type Sync 1
+VALUE NAS-Port-Type ISDN 2
+VALUE NAS-Port-Type ISDN-V120 3
+VALUE NAS-Port-Type ISDN-V110 4
+
+# Acct Terminate Causes, available in 3.3.2 and later
+
+VALUE Acct-Terminate-Cause User-Request 1
+VALUE Acct-Terminate-Cause Lost-Carrier 2
+VALUE Acct-Terminate-Cause Lost-Service 3
+VALUE Acct-Terminate-Cause Idle-Timeout 4
+VALUE Acct-Terminate-Cause Session-Timeout 5
+VALUE Acct-Terminate-Cause Admin-Reset 6
+VALUE Acct-Terminate-Cause Admin-Reboot 7
+VALUE Acct-Terminate-Cause Port-Error 8
+VALUE Acct-Terminate-Cause NAS-Error 9
+VALUE Acct-Terminate-Cause NAS-Request 10
+VALUE Acct-Terminate-Cause NAS-Reboot 11
+VALUE Acct-Terminate-Cause Port-Unneeded 12
+VALUE Acct-Terminate-Cause Port-Preempted 13
+VALUE Acct-Terminate-Cause Port-Suspended 14
+VALUE Acct-Terminate-Cause Service-Unavailable 15
+VALUE Acct-Terminate-Cause Callback 16
+VALUE Acct-Terminate-Cause User-Error 17
+VALUE Acct-Terminate-Cause Host-Request 18
+
+#
+# Non-Protocol Integer Translations
+#
+
+VALUE Auth-Type Local 0
+VALUE Auth-Type System 1
+VALUE Auth-Type SecurID 2
+VALUE Auth-Type Crypt-Local 3
+VALUE Auth-Type Reject 4
+
+#
+# Cistron extensions
+#
+VALUE Auth-Type Pam 253
+VALUE Auth-Type None 254
+
+#
+# Experimental Non-Protocol Integer Translations for Cistron-Radiusd
+#
+VALUE Fall-Through No 0
+VALUE Fall-Through Yes 1
+VALUE Add-Port-To-IP-Address No 0
+VALUE Add-Port-To-IP-Address Yes 1
+
+#
+# Configuration Values
+# uncomment these two lines to turn account expiration on
+#
+
+#VALUE Server-Config Password-Expiration 30
+#VALUE Server-Config Password-Warning 5
+
+INCLUDE /etc/radiusclient/dictionary.merit
+INCLUDE /etc/radiusclient/dictionary.microsoft
\ No newline at end of file
diff --git a/roles/radius/files/dictionary.microsoft b/roles/radius/files/dictionary.microsoft
new file mode 100644
index 0000000..82a17ba
--- /dev/null
+++ b/roles/radius/files/dictionary.microsoft
@@ -0,0 +1,66 @@
+#
+# Microsoft's VSA's, from RFC 2548
+#
+# $Id: poptop_ads_howto_8.htm,v 1.8 2008/10/02 08:11:48 wskwok Exp $
+#
+VENDOR Microsoft 311 Microsoft
+BEGIN VENDOR Microsoft
+ATTRIBUTE MS-CHAP-Response 1 string Microsoft
+ATTRIBUTE MS-CHAP-Error 2 string Microsoft
+ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
+ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
+ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
+ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
+ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
+# This is referred to as both singular and plural in the RFC.
+# Plural seems to make more sense.
+ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
+ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
+ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
+ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
+ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
+ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1
+ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
+ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
+ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
+ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
+ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
+ATTRIBUTE MS-RAS-Version 18 string Microsoft
+ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
+ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
+ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
+ATTRIBUTE MS-Filter 22 string Microsoft
+ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
+ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
+ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
+ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
+ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
+ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr
+ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr
+ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
+ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
+#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
+#
+# Integer Translations
+#
+# MS-BAP-Usage Values
+VALUE MS-BAP-Usage Not-Allowed 0
+VALUE MS-BAP-Usage Allowed 1
+VALUE MS-BAP-Usage Required 2
+# MS-ARAP-Password-Change-Reason Values
+VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
+VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
+VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
+VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
+# MS-Acct-Auth-Type Values
+VALUE MS-Acct-Auth-Type PAP 1
+VALUE MS-Acct-Auth-Type CHAP 2
+VALUE MS-Acct-Auth-Type MS-CHAP-1 3
+VALUE MS-Acct-Auth-Type MS-CHAP-2 4
+VALUE MS-Acct-Auth-Type EAP 5
+# MS-Acct-EAP-Type Values
+VALUE MS-Acct-EAP-Type MD5 4
+VALUE MS-Acct-EAP-Type OTP 5
+VALUE MS-Acct-EAP-Type Generic-Token-Card 6
+VALUE MS-Acct-EAP-Type TLS 13
+END-VENDOR Microsoft
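Review bot: `ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr` and `ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr` are the only entries inside the `BEGIN VENDOR Microsoft` block without the trailing `Microsoft` vendor column; if radiusclient reads them as non-vendor attributes they collide with the base dictionary's `Idle-Timeout 28` and `Termination-Action 29`. Appending `Microsoft` to both lines, as every other entry in the block does, removes the ambiguity. The two definitions at number 8 (`MS-MPPE-Encryption-Type`/`-Types`) are intentional per the comment above them.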
diff --git a/roles/radius/files/inner-tunnel b/roles/radius/files/inner-tunnel
new file mode 100644
index 0000000..6a1cfde
--- /dev/null
+++ b/roles/radius/files/inner-tunnel
@@ -0,0 +1,61 @@
+# -*- text -*-
+
+server inner-tunnel {
+listen {
+ ipaddr = 127.0.0.1
+ port = 18120
+ type = auth
+}
+authorize {
+ chap
+ mschap
+ suffix
+ update control {
+ Proxy-To-Realm := LOCAL
+ }
+ eap {
+ ok = return
+ }
+ files
+ sql
+ expiration
+ logintime
+ pap
+}
+
+authenticate {
+ Auth-Type PAP {
+ pap
+ }
+ Auth-Type CHAP {
+ chap
+ }
+ Auth-Type MS-CHAP {
+ mschap
+ }
+ # against /etc/passwd! See the FAQ for details.
+ #
+ unix
+ eap
+}
+session {
+ radutmp
+ sql
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ # log failed authentications in SQL, too.
+# sql
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/roles/radius/files/radiusclient.conf b/roles/radius/files/radiusclient.conf
new file mode 100644
index 0000000..8821bb2
--- /dev/null
+++ b/roles/radius/files/radiusclient.conf
@@ -0,0 +1,16 @@
+auth_order radius,local
+login_tries 4
+login_timeout 60
+nologin /etc/nologin
+issue /etc/radiusclient/issue
+authserver localhost:1812
+acctserver localhost:1813
+servers /etc/radiusclient/servers
+dictionary /etc/radiusclient/dictionary
+login_radius /usr/sbin/login.radius
+seqfile /var/run/radius.seq
+mapfile /etc/radiusclient/port-id-map
+default_realm
+radius_timeout 10
+radius_retries 3
+login_local /bin/login
\ No newline at end of file
diff --git a/roles/radius/files/radiusd.conf b/roles/radius/files/radiusd.conf
new file mode 100644
index 0000000..cf967ef
--- /dev/null
+++ b/roles/radius/files/radiusd.conf
@@ -0,0 +1,92 @@
+# -*- text -*-
+##
+## radiusd.conf -- FreeRADIUS server configuration file.
+##
+## http://www.freeradius.org/
+## $Id$
+
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = \${exec_prefix}/sbin
+logdir = /var/log/freeradius
+raddbdir = /etc/freeradius
+radacctdir = \${logdir}/radacct
+
+name = freeradius
+
+confdir = \${raddbdir}
+run_dir = \${localstatedir}/run/\${name}
+db_dir = \${raddbdir}
+libdir = /usr/lib/freeradius
+pidfile = \${run_dir}/\${name}.pid
+user = freerad
+group = freerad
+max_request_time = 30
+cleanup_delay = 5
+max_requests = 1024
+
+listen {
+ type = auth
+ ipaddr = *
+ port = 0
+}
+
+listen {
+ ipaddr = *
+ port = 0
+ type = acct
+}
+
+hostname_lookups = no
+allow_core_dumps = no
+regular_expressions = yes
+extended_expressions = yes
+
+log {
+ destination = files
+ file = \${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = no
+ auth_badpass = no
+ auth_goodpass = no
+}
+
+checkrad = \${sbindir}/checkrad
+
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+proxy_requests = yes
+\$INCLUDE proxy.conf
+\$INCLUDE clients.conf
+
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+modules {
+ \$INCLUDE \${confdir}/modules/
+ \$INCLUDE eap.conf
+ \$INCLUDE sql.conf
+ \$INCLUDE sql/mysql/counter.conf
+}
+
+instantiate {
+ exec
+ expr
+ expiration
+ logintime
+}
+
+\$INCLUDE policy.conf
+\$INCLUDE sites-enabled/
\ No newline at end of file
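Review bot: Every `$` in this file is written as `\$` (`\${exec_prefix}/sbin`, `\$INCLUDE proxy.conf`, …), which looks like a leftover from a shell heredoc; the file is installed with `copy:` in roles/radius/tasks/main.yml, so the backslashes reach /etc/freeradius/radiusd.conf literally and the variable references and `$INCLUDE` directives will not resolve unless FreeRADIUS strips them, which I do not believe it does. The same `\${database}`, `\${logdir}` and `\$INCLUDE` appear in sql.conf.j2, and Jinja2 will not unescape them either. Both `listen` blocks use `ipaddr = *`, while the only client defined in clients.conf.j2 is 127.0.0.1 and pppd talks to `localhost:1812`; `ipaddr = 127.0.0.1` keeps the server off the LAN and VPN interfaces entirely. In `log {}`, `auth = no` suppresses the Access-Accept/Access-Reject lines; `auth = yes` with `auth_badpass`/`auth_goodpass` left at `no` gives an audit trail of VPN logins without logging passwords.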
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml
new file mode 100644
index 0000000..9934e1f
--- /dev/null
+++ b/roles/radius/tasks/main.yml
@@ -0,0 +1,122 @@
+---
+- name: install dependencies
+ apt:
+ name: '{{ item }}'
+ with_items: '{{ dependencies }}'
+
+- name: configure zen radius
+ lineinfile:
+ dest: /etc/zenected/zenected.conf
+ regexp: '{{ item[0] }}'
+ line: '{{ item[1] }}'
+ with_items:
+ - [ '^ZEN_RADIUS_SHARED=', 'ZEN_RADIUS_SHARED="{{ radius_password }}"' ]
+ - [ '^ZEN_RADIUS_MYSQL=', 'ZEN_RADIUS_MYSQL="{{ radius_mysql_password }}"' ]
+
+- name: change host file
+ lineinfile:
+ dest: /etc/hosts
+ regexp: '^127.0.0.1'
+ line: '127.0.0.1 localhost {{ansible_hostname}}'
+
+- name: change postinst
+ lineinfile:
+ dest: /var/lib/dpkg/info/freeradius-mysql.postinst
+ regexp: 'force-reload'
+ line: 'restart'
+
+- name: postint
+ command: /var/lib/dpkg/info/freeradius-mysql.postinst
+
+- name: drop create radius db
+ mysql_db:
+ login_password: '{{ mysql_password }}'
+ login_user: root
+ name: radius
+ state: '{{ item }}'
+ with_items:
+ - absent
+ - present
+
+- name: grant privileges
+ shell: mysql -u root -p{{ mysql_password }} -e "GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY '{{ radius_mysql_password }}'"
+
+- name: flush privileges
+ shell: 'mysql -u root -p{{ mysql_password }} -e "FLUSH PRIVILEGES"'
+
+- name: import schema.sql
+ mysql_db:
+ state: import
+ name: radius
+ login_user: radius
+ login_password: '{{ radius_mysql_password }}'
+ target: /etc/freeradius/sql/mysql/schema.sql
+
+- name: sites available configuration
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/freeradius/sites-available/{{ item }}"
+ with_items:
+ - inner-tunnel
+ - default
+
+- name: radiusd configuration
+ copy:
+ src: radiusd.conf
+ dest: /etc/freeradius/radiusd.conf
+
+- name: freeradius configuration
+ template:
+ src: "{{ item }}.conf.j2"
+ dest: "/etc/freeradius/{{ item }}.conf"
+ with_items:
+ - sql
+ - clients
+
+- name: radius client configuration
+ copy:
+ src: '{{ item }}'
+ dest: '/etc/radiusclient/{{ item }}'
+ with_items:
+ - radiusclient.conf
+ - dictionary.microsoft
+ - dictionary
+
+- name: radius server configuration
+ template:
+ src: servers.j2
+ dest: /etc/radiusclient/servers
+ mode: 0600
+
+- name: download daloradius
+ unarchive:
+ src: 'https://zenected.com/downloads/daloradius-0.9-9.tar.gz'
+# src: daloradius-0.9-9.tar.gz
+ dest: /opt/zenected/downloads/
+ remote_src: yes
+
+- name: import daloradius sql
+ mysql_db:
+ state: import
+ name: radius
+ login_user: radius
+ login_password: '{{ radius_mysql_password }}'
+ target: /opt/zenected/downloads/daloradius-0.9-9/contrib/db/mysql-daloradius.sql
+
+- name: copy daloradius files
+ shell: "cp -r /opt/zenected/downloads/daloradius-0.9-9/* /var/www/zen/users" # copy with remote_src doesn't support recursion
+
+- name: configure daloradius
+ lineinfile:
+ dest: /var/www/zen/users/library/daloradius.conf.php
+ regexp: '{{ item[0] }}'
+ line: '{{ item[1] }}'
+ with_items:
+ - [ "_USER'] = 'root';", "$configValues['CONFIG_DB_USER'] = 'radius';" ]
+ - [ "_PASS'] = '';", "$configValues['CONFIG_DB_PASS'] = '{{ radius_mysql_password }}';" ]
+ - [ "_RADIUSSECRET'] = '';", "$configValues['CONFIG_MAINT_TEST_USER_RADIUSSECRET'] = '{{ radius_password }}';" ]
+
+- name: restart freeradius
+ service:
+ name: freeradius
+ state: restarted
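Review bot: The `change postinst` task uses `lineinfile` with `regexp: 'force-reload'` and `line: 'restart'`, which replaces the entire matching line of freeradius-mysql.postinst with the bare word `restart` rather than the `force-reload` token; the `replace` module (`regexp: force-reload`, `replace: restart`) does the substring edit the task intends, and the `postint` task then executes that file. The `download daloradius` task unpacks an archive from the network into /opt/zenected/downloads and the following tasks import its SQL into the radius database and copy it into the web root, all without a checksum — fetch it with `get_url` and `checksum: sha256:<expected digest>` (placeholder) first. The `drop create radius db` absent/present pair runs on every play and wipes the radius database, including any users daloradius has since created, and `shell: "cp -r …"` reruns unguarded; both need a `when:` on a first-run marker or a separate provisioning play.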
diff --git a/roles/radius/templates/clients.conf.j2 b/roles/radius/templates/clients.conf.j2
new file mode 100644
index 0000000..2e94538
--- /dev/null
+++ b/roles/radius/templates/clients.conf.j2
@@ -0,0 +1,7 @@
+# -*- text -*-
+## $Id$
+
+client 127.0.0.1 {
+ secret = {{ radius_password }}
+ nastype = other
+}
\ No newline at end of file
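Review bot: `secret = {{ radius_password }}` at line 1357 puts the RADIUS shared secret into the rendered `/etc/freeradius/clients.conf`, but the `freeradius configuration` template task that renders it sets no `mode:`/`owner:`, unlike the `servers.j2` task which uses `mode: 0600`, so the file is created under the default umask and is presumably world-readable. Add `mode: 0640` plus the owner/group the freeradius daemon runs as to that template task. The same applies to the `sql.conf.j2` hunk below, which carries `radius_mysql_password` and is rendered by the same task.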
diff --git a/roles/radius/templates/servers.j2 b/roles/radius/templates/servers.j2
new file mode 100644
index 0000000..20ff8d7
--- /dev/null
+++ b/roles/radius/templates/servers.j2
@@ -0,0 +1,5 @@
+# Make sure that this file is mode 600 (readable only to owner)!
+#
+#Server Name or Client/Server pair Key
+#---------------- ---------------
+localhost {{ radius_password }}
\ No newline at end of file
diff --git a/roles/radius/templates/sql.conf.j2 b/roles/radius/templates/sql.conf.j2
new file mode 100644
index 0000000..c1fb24a
--- /dev/null
+++ b/roles/radius/templates/sql.conf.j2
@@ -0,0 +1,32 @@
+# -*- text -*-
+##
+## sql.conf -- SQL modules
+##
+## $Id$
+
+sql {
+ database = "mysql"
+ driver = "rlm_sql_\${database}"
+ server = "localhost"
+ #port = 3306
+ login = "radius"
+ password = "{{ radius_mysql_password }}"
+ radius_db = "radius"
+ acct_table1 = "radacct"
+ acct_table2 = "radacct"
+ postauth_table = "radpostauth"
+ authcheck_table = "radcheck"
+ authreply_table = "radreply"
+ groupcheck_table = "radgroupcheck"
+ groupreply_table = "radgroupreply"
+ usergroup_table = "radusergroup"
+ deletestalesessions = yes
+ sqltrace = no
+ sqltracefile = \${logdir}/sqltrace.sql
+ num_sql_socks = 5
+ connect_failure_retry_delay = 60
+ lifetime = 0
+ max_queries = 0
+ nas_table = "nas"
+ \$INCLUDE sql/\${database}/dialup.conf
+}
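Review bot: The backslash-escaped `\$` at lines 1387, 1403 and 1409 reaches the rendered file unchanged, because Jinja2 does not treat a backslash in template text as an escape, so the output contains `rlm_sql_\${database}`, `\${logdir}` and `\$INCLUDE`; the last one in particular will not be recognised as an `$INCLUDE` directive, so `sql/mysql/dialup.conf` with the query definitions is presumably never loaded. Drop the backslashes: `driver = "rlm_sql_${database}"`, `sqltracefile = ${logdir}/sqltrace.sql` and `$INCLUDE sql/${database}/dialup.conf`. If the backslashes were carried over from a shell heredoc, a one-line comment `# plain ${...}: this is a Jinja2 template, not a shell heredoc` at the top would stop them coming back.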
diff --git a/roles/radius/vars/main.yml b/roles/radius/vars/main.yml
new file mode 100644
index 0000000..8e54179
--- /dev/null
+++ b/roles/radius/vars/main.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ - radiusclient1
+ - freeradius #Dpkg::Options::=--force-confnew
+ - freeradius-mysql #Dpkg::Options::=--force-confnew
+ - libfreeradius2
diff --git a/roles/squid/files/squid.conf b/roles/squid/files/squid.conf
new file mode 100644
index 0000000..273ec66
--- /dev/null
+++ b/roles/squid/files/squid.conf
@@ -0,0 +1,37 @@
+# WELCOME TO SQUID 3.3.8
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16
+acl localnet src 10.0.0.0/8
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost manager
+http_access deny manager
+http_access allow localnet
+http_access allow localhost
+http_access deny all
+
+http_port 3128 intercept
+http_port 3127
+
+coredump_dir /var/spool/squid3
+url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
+refresh_pattern . 0 20% 4320
\ No newline at end of file
diff --git a/roles/squid/files/squidGuard.conf b/roles/squid/files/squidGuard.conf
new file mode 100644
index 0000000..76f2de4
--- /dev/null
+++ b/roles/squid/files/squidGuard.conf
@@ -0,0 +1,24 @@
+# CONFIG FILE FOR SQUIDGUARD
+# Caution: do NOT use comments inside { }
+
+dbhome /opt/zenected/url
+logdir /var/log/squidguard
+
+dest perun_malware {
+ urllist perun_malware.url
+}
+
+dest perun_phishing {
+ urllist perun_phishing.url
+}
+
+dest local_blacklist {
+ urllist local_blacklist.url
+}
+
+acl {
+ default {
+ pass !perun_malware !perun_phishing !local_blacklist all
+ redirect http://127.0.0.1/?clienturl=%u&reason=%t
+ }
+}
\ No newline at end of file
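Review bot: The `redirect http://127.0.0.1/?clienturl=%u&reason=%t` at line 1494 only points at the gateway's own web server because squidGuard output without a `301:`/`302:` prefix is a rewrite that Squid fetches itself; if this is ever switched to a client-side redirect, the browser would be sent to its own loopback instead. A comment above the line would make that dependency explicit, e.g. `# rewrite, not a client redirect: Squid fetches this URL itself, so 127.0.0.1 is this host`. Since `%u` is the full requested URL placed into the block page's query string, the handler at `/` should treat `clienturl` as untrusted input rather than echo it back as-is.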
diff --git a/roles/squid/tasks/main.yml b/roles/squid/tasks/main.yml
new file mode 100644
index 0000000..a92f93b
--- /dev/null
+++ b/roles/squid/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: install dependencies
+ apt:
+ name: "{{ item }}"
+ with_items: "{{ dependencies }}"
+
+- name: configure squid
+ copy:
+ src: squid.conf
+ dest: /etc/squid3/squid.conf
+
+- name: configure squid
+ copy:
+ src: squidGuard.conf
+ dest: /etc/squidguard/squidGuard.conf
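Review bot: The two copy tasks at lines 1510 and 1515 carry the same name `configure squid`, and neither is followed by a restart or reload, so a re-run that changes `squid.conf` or `squidGuard.conf` leaves the running proxy on its old configuration (the radius role, by contrast, ends with an explicit `service: ... state: restarted`). Rename the second task to `configure squidguard` and either add `notify: restart squid` on both with a matching handler, or finish the role with `- name: restart squid` / `service: name: squid3 state: restarted` (the `/etc/squid3` path suggests the service is `squid3`; verify on the target).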
diff --git a/roles/squid/vars/main.yml b/roles/squid/vars/main.yml
new file mode 100644
index 0000000..ff97a9f
--- /dev/null
+++ b/roles/squid/vars/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - squidguard
diff --git a/roles/suricata/defaults/main.yml b/roles/suricata/defaults/main.yml
new file mode 100644
index 0000000..6639e41
--- /dev/null
+++ b/roles/suricata/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+home_net: "192.168.1.0/24"
diff --git a/roles/suricata/files/oinkmaster.conf b/roles/suricata/files/oinkmaster.conf
new file mode 100644
index 0000000..3c96dcc
--- /dev/null
+++ b/roles/suricata/files/oinkmaster.conf
@@ -0,0 +1,10 @@
+# Oinkmaster config for PerunWorks
+# Perun Rules
+url = file:///opt/zenected/downloads/perun_rules.tar.gz
+url = file:///opt/zenected/downloads/perun_hashes.tar.gz
+url = file:///opt/zenected/downloads/perun_feodo_rules.tar.gz
+url = file:///opt/zenected/downloads/perun_zeus_rules.tar.gz
+
+skipfile local.rules
+skipfile deleted.rules
+skipfile snort.conf
\ No newline at end of file
diff --git a/roles/suricata/files/suricata b/roles/suricata/files/suricata
new file mode 100644
index 0000000..4264e24
--- /dev/null
+++ b/roles/suricata/files/suricata
@@ -0,0 +1 @@
+RUN=yes
\ No newline at end of file
diff --git a/roles/suricata/tasks/main.yml b/roles/suricata/tasks/main.yml
new file mode 100644
index 0000000..92a0c54
--- /dev/null
+++ b/roles/suricata/tasks/main.yml
@@ -0,0 +1,50 @@
+---
+- name: install dependencies
+ apt:
+ update_cache: yes
+ name: "{{ item }}"
+ with_items: "{{ dependencies }}"
+
+- name: download source # why not install packet?
+ unarchive:
+ src: "http://www.openinfosecfoundation.org/download/suricata-{{ suricata_version }}.tar.gz"
+ dest: "/opt"
+ remote_src: True
+
+- name: configure source
+ command: "./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr"
+ args:
+ chdir: "/opt/suricata-{{ suricata_version }}"
+
+- name: make suricata
+ make:
+ chdir: "/opt/suricata-{{ suricata_version }}"
+
+- name: install suricata
+ make:
+ chdir: "/opt/suricata-{{ suricata_version }}"
+ target: "install-full"
+ become: yes
+
+- name: ldocnfig
+ command: "ldconfig"
+ args:
+ chdir: "/opt/suricata-{{ suricata_version }}"
+
+- name: configure suricata
+ template:
+ src: suricata.yml.j2
+ dest: /etc/suricata/suricata.yml
+
+- name: configure oinkmaster
+ file:
+ src: oinkmaster.conf
+ dest: /etc/oinkmaster.conf
+
+- name: configure suricata to run at boot
+ copy:
+ src: suricata
+ dest: /etc/default/suricata
+
+- name: start suricata
+ shell: 'suricata -D -c /etc/suricata/suricata.yaml -q 0'
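Review bot: The `configure suricata` task at line 1600 renders the template to `/etc/suricata/suricata.yml`, but the start command at line 1616 reads `/etc/suricata/suricata.yaml`, so the tuned configuration (HOME_NET, rule-files) is never used and the daemon runs on whatever `make install-full` left in place; make the two paths agree, e.g. `dest: /etc/suricata/suricata.yaml`. The `configure oinkmaster` task at line 1605 uses the `file` module with `src:`/`dest:`, which only has meaning for `state: link`/`hard`, so as written it installs nothing and should be `copy:` like the task below it. Smaller points: the task name `ldocnfig` at line 1595 is a typo for `ldconfig`; the source tarball at line 1576 is fetched over plain http with no integrity check, so download it with `get_url` and `checksum: sha256:<expected-digest>` before unarchiving; and the final `shell: suricata -D ...` is not idempotent, since each play run starts another daemon.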
diff --git a/roles/suricata/templates/suricata.yml.j2 b/roles/suricata/templates/suricata.yml.j2
new file mode 100644
index 0000000..38a979a
--- /dev/null
+++ b/roles/suricata/templates/suricata.yml.j2
@@ -0,0 +1,476 @@
+%YAML 1.1
+---
+host-mode: auto
+default-log-dir: /var/log/suricata/
+unix-command:
+ enabled: no
+
+outputs:
+ - fast:
+ enabled: yes
+ filename: fast.log
+ append: yes
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ type: file #file|syslog|unix_dgram|unix_stream
+ filename: eve.json
+ # the following are valid when type: syslog above
+ #identity: "suricata"
+ #facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
+ types:
+ - alert
+ ##- http:
+ ## extended: yes # enable this for extended logging information
+ # custom allows additional http fields to be included in eve-log
+ # the example below adds three additional fields when uncommented
+ #custom: [Accept-Encoding, Accept-Language, Authorization]
+ ##- dns
+ ##- tls:
+ ## extended: yes # enable this for extended logging information
+ - files:
+ force-magic: yes ##no # force logging magic on all logged files
+ force-md5: yes ##no # force logging of md5 checksums
+ #- drop
+ ##- ssh
+ - unified2-alert:
+ enabled: no #yes
+ filename: unified2.alert
+ xff:
+ enabled: no
+ mode: extra-data
+ header: X-Forwarded-For
+ - http-log:
+ enabled: yes
+ filename: http.log
+ append: yes
+ - tls-log:
+ enabled: no # Log TLS connections.
+ filename: tls.log # File to store TLS logs.
+ append: yes
+ certs-log-dir: certs # directory to store the certificates files
+ - dns-log:
+ enabled: no
+ filename: dns.log
+ append: yes
+ - pcap-info:
+ enabled: no
+ - pcap-log:
+ enabled: no
+ filename: log.pcap
+ limit: 1000mb
+ max-files: 2000
+ mode: normal # normal or sguil.
+ use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
+ - alert-debug:
+ enabled: no
+ filename: alert-debug.log
+ append: yes
+ - alert-prelude:
+ enabled: no
+ profile: suricata
+ log-packet-content: no
+ log-packet-header: yes
+ - stats:
+ enabled: yes
+ filename: stats.log
+ interval: 8
+ - syslog:
+ enabled: no
+ facility: local5
+ - drop:
+ enabled: no
+ filename: drop.log
+ append: yes
+ - file-store:
+ enabled: no # set to yes to enable
+ log-dir: files # directory to store the files
+ force-magic: no # force logging magic on all stored files
+ force-md5: no # force logging of md5 checksums
+ - file-log:
+ enabled: yes ##no
+ filename: files-json.log
+ append: yes
+ force-magic: yes ##no # force logging magic on all logged files
+ force-md5: yes ##no # force logging of md5 checksums
+magic-file: /usr/share/file/magic
+nfq:
+# mode: accept
+# repeat-mark: 1
+# repeat-mask: 1
+# route-queue: 2
+# batchcount: 20
+# fail-open: yes
+nflog:
+ - group: 2
+ buffer-size: 18432
+ - group: default
+ qthreshold: 1
+ qtimeout: 100
+ max-size: 20000
+af-packet:
+ - interface: eth0
+ threads: 1
+ cluster-id: 99
+ cluster-type: cluster_flow
+ defrag: yes
+ use-mmap: yes
+ - interface: eth1
+ threads: 1
+ cluster-id: 98
+ cluster-type: cluster_flow
+ defrag: yes
+ - interface: default
+
+legacy:
+ uricontent: enabled
+
+detect-engine:
+ - profile: medium
+ - custom-values:
+ toclient-src-groups: 2
+ toclient-dst-groups: 2
+ toclient-sp-groups: 2
+ toclient-dp-groups: 3
+ toserver-src-groups: 2
+ toserver-dst-groups: 4
+ toserver-sp-groups: 2
+ toserver-dp-groups: 25
+ - sgh-mpm-context: auto
+ - inspection-recursion-limit: 3000
+threading:
+ set-cpu-affinity: no
+ cpu-affinity:
+ - management-cpu-set:
+ cpu: [ 0 ] # include only these cpus in affinity settings
+ - receive-cpu-set:
+ cpu: [ 0 ] # include only these cpus in affinity settings
+ - decode-cpu-set:
+ cpu: [ 0, 1 ]
+ mode: "balanced"
+ - stream-cpu-set:
+ cpu: [ "0-1" ]
+ - detect-cpu-set:
+ cpu: [ "all" ]
+ mode: "exclusive" # run detect threads in these cpus
+ prio:
+ low: [ 0 ]
+ medium: [ "1-2" ]
+ high: [ 3 ]
+ default: "medium"
+ - verdict-cpu-set:
+ cpu: [ 0 ]
+ prio:
+ default: "high"
+ - reject-cpu-set:
+ cpu: [ 0 ]
+ prio:
+ default: "low"
+ - output-cpu-set:
+ cpu: [ "all" ]
+ prio:
+ default: "medium"
+ detect-thread-ratio: 1.5
+
+cuda:
+ mpm:
+ data-buffer-size-min-limit: 0
+ data-buffer-size-max-limit: 1500
+ cudabuffer-buffer-size: 500mb
+ gpu-transfer-size: 50mb
+ batching-timeout: 2000
+ device-id: 0
+ cuda-streams: 2
+mpm-algo: ac
+pattern-matcher:
+ - b2gc:
+ search-algo: B2gSearchBNDMq
+ hash-size: low
+ bf-size: medium
+ - b2gm:
+ search-algo: B2gSearchBNDMq
+ hash-size: low
+ bf-size: medium
+ - b2g:
+ search-algo: B2gSearchBNDMq
+ hash-size: low
+ bf-size: medium
+ - b3g:
+ search-algo: B3gSearchBNDMq
+ hash-size: low
+ bf-size: medium
+ - wumanber:
+ hash-size: low
+ bf-size: medium
+
+defrag:
+ memcap: 32mb
+ hash-size: 65536
+ trackers: 65535 # number of defragmented flows to follow
+ max-frags: 65535 # number of fragments to keep (higher than trackers)
+ prealloc: yes
+ timeout: 60
+flow:
+ memcap: 64mb
+ hash-size: 65536
+ prealloc: 10000
+ emergency-recovery: 30
+vlan:
+ use-for-tracking: true
+
+flow-timeouts:
+
+ default:
+ new: 30
+ established: 300
+ closed: 0
+ emergency-new: 10
+ emergency-established: 100
+ emergency-closed: 0
+ tcp:
+ new: 60
+ established: 3600
+ closed: 120
+ emergency-new: 10
+ emergency-established: 300
+ emergency-closed: 20
+ udp:
+ new: 30
+ established: 300
+ emergency-new: 10
+ emergency-established: 100
+ icmp:
+ new: 30
+ established: 300
+ emergency-new: 10
+ emergency-established: 100
+
+stream:
+ memcap: 32mb
+ checksum-validation: yes # reject wrong csums
+ inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
+ reassembly:
+ memcap: 128mb
+ depth: 1mb # reassemble 1mb into a stream
+ toserver-chunk-size: 2560
+ toclient-chunk-size: 2560
+ randomize-chunk-size: yes
+
+# Host table:
+host:
+ hash-size: 4096
+ prealloc: 1000
+ memcap: 16777216
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+ - file:
+ enabled: no
+ filename: /var/log/suricata.log
+ - syslog:
+ enabled: no
+ facility: local5
+ format: "[%i] <%d> -- "
+
+mpipe:
+ load-balance: dynamic
+ iqueue-packets: 2048
+ inputs:
+ - interface: xgbe2
+ - interface: xgbe3
+ - interface: xgbe4
+ stack:
+ size128: 0
+ size256: 9
+ size512: 0
+ size1024: 0
+ size1664: 7
+ size4096: 0
+ size10386: 0
+ size16384: 0
+
+pfring:
+ - interface: eth0
+ threads: 1
+ cluster-id: 99
+ cluster-type: cluster_flow
+ - interface: default
+
+pcap:
+ - interface: eth0
+ - interface: default
+
+pcap-file:
+ checksum-checks: auto
+
+ipfw:
+default-rule-path: /etc/suricata/rules
+rule-files:
+ - perun_hashes.rules
+ - perun_rules.rules
+ - perun_feodo.abusech.rules
+ - perun_zeus.abusech.rules
+
+classification-file: /etc/suricata/classification.config
+reference-config-file: /etc/suricata/reference.config
+
+vars:
+
+ address-groups:
+
+ HOME_NET: "[{{ home_net }}]"
+
+ EXTERNAL_NET: "!$HOME_NET"
+
+ HTTP_SERVERS: "$HOME_NET"
+
+ SMTP_SERVERS: "$HOME_NET"
+
+ SQL_SERVERS: "$HOME_NET"
+
+ DNS_SERVERS: "$HOME_NET"
+
+ TELNET_SERVERS: "$HOME_NET"
+
+ AIM_SERVERS: "$EXTERNAL_NET"
+
+ DNP3_SERVER: "$HOME_NET"
+
+ DNP3_CLIENT: "$HOME_NET"
+
+ MODBUS_CLIENT: "$HOME_NET"
+
+ MODBUS_SERVER: "$HOME_NET"
+
+ ENIP_CLIENT: "$HOME_NET"
+
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+
+ HTTP_PORTS: "80"
+
+ SHELLCODE_PORTS: "!80"
+
+ ORACLE_PORTS: 1521
+
+ SSH_PORTS: 22
+
+ DNP3_PORTS: 20000
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+host-os-policy:
+ windows: [0.0.0.0/0]
+ bsd: []
+ bsd-right: []
+ old-linux: []
+ linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
+ old-solaris: []
+ solaris: ["::1"]
+ hpux10: []
+ hpux11: []
+ irix: []
+ macos: []
+ vista: []
+ windows2k3: []
+
+asn1-max-frames: 256
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+pcre:
+ match-limit: 3500
+ match-limit-recursion: 1500
+
+app-layer:
+ protocols:
+ tls:
+ enabled: yes
+ detection-ports:
+ dp: 443
+ dcerpc:
+ enabled: yes
+ ftp:
+ enabled: yes
+ ssh:
+ enabled: yes
+ smtp:
+ enabled: yes
+ imap:
+ enabled: detection-only
+ msn:
+ enabled: detection-only
+ smb:
+ enabled: yes
+ detection-ports:
+ dp: 139
+ dns:
+ tcp:
+ enabled: yes
+ detection-ports:
+ dp: 53
+ udp:
+ enabled: yes
+ detection-ports:
+ dp: 53
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+ request-body-limit: 3072
+ response-body-limit: 3072
+ request-body-minimal-inspect-size: 32kb
+ request-body-inspect-window: 4kb
+ response-body-minimal-inspect-size: 32kb
+ response-body-inspect-window: 4kb
+ double-decode-path: no
+ double-decode-query: no
+
+ server-config:
+
+profiling:
+ rules:
+ enabled: yes
+ filename: rule_perf.log
+ append: yes
+ sort: avgticks
+ limit: 100
+ keywords:
+ enabled: yes
+ filename: keyword_perf.log
+ append: yes
+ packets:
+ enabled: yes
+ filename: packet_stats.log
+ append: yes
+ csv:
+ enabled: no
+ filename: packet_stats.csv
+ locks:
+ enabled: no
+ filename: lock_stats.log
+ append: yes
+
+coredump:
+ max-dump: unlimited
+
+napatech:
+ hba: -1
+ use-all-streams: yes
+ streams: [1, 2, 3]
\ No newline at end of file
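Review bot: The `profiling:` block at lines 2069–2090 enables rule, keyword and packet profiling with their own log files, but Suricata only honours these when built with `--enable-profiling`, and the configure line in the suricata tasks (outside this hunk) does not pass that flag, so the block is presumably inert; either drop it or mark it with `# only active when suricata is built with --enable-profiling` so nobody waits for `rule_perf.log` to appear. In the same spirit, the `af-packet`, `pfring` and `pcap` sections configure eth0/eth1 capture while the daemon is started with `-q 0` (NFQUEUE), so a comment near the top stating that this deployment runs in NFQ inline mode would make the intended capture method explicit.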
diff --git a/roles/suricata/vars/main.yml b/roles/suricata/vars/main.yml
new file mode 100644
index 0000000..986d780
--- /dev/null
+++ b/roles/suricata/vars/main.yml
@@ -0,0 +1,30 @@
+suricata_version: 3.1
+
+dependencies:
+ - oinkmaster
+ - libpcre3
+ - libpcre3-dbg
+ - libpcre3-dev
+ - build-essential
+ - autoconf
+ - automake
+ - libtool
+ - libpcap-dev
+ - libnet1-dev
+ - libyaml-0-2
+ - libyaml-dev
+ - zlib1g
+ - zlib1g-dev
+ - libcap-ng-dev
+ - libcap-ng0
+ - make
+ - libmagic-dev
+ - libjansson-dev
+ - libjansson4
+ - pkg-config
+ - libnetfilter-queue-dev
+ - libnetfilter-queue1
+ - libnfnetlink-dev
+ - libnfnetlink0
+ - libnss3-dev
+ - libnspr4-dev
diff --git a/roles/zenected.pre/tasks/main.yml b/roles/zenected.pre/tasks/main.yml
new file mode 100644
index 0000000..e00d6b1
--- /dev/null
+++ b/roles/zenected.pre/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: upgrade dist
+ apt:
+ upgrade: yes
+ update_cache: yes
+
+- name: install dependencies
+ apt:
+ name: "{{ item }}"
+ with_items: "{{ dependencies }}"
+
+- name: create necessary directories
+ file:
+ state: directory
+ path: "{{ item }}"
+ with_items: "{{ directories }}"
+
+- name: create necessary zenected directories
+ file:
+ state: directory
+ path: "/opt/zenected/{{ item }}"
+ with_items: "{{ zenected_directories }}"
+
+- name: get public IP
+ ipify_facts:
+ api_url: http://ifconfig.co/json
+
+- name: create zenected configuration
+ template:
+ src: zenected.conf.j2
+ dest: /etc/zenected/zenected.conf
+
+- name: create update crontab
+ cron:
+ minute: "0"
+ hour: "3"
+ name: "apt-get upgrade"
+ job: "/usr/bin/apt-get update && /usr/bin/apt-get -y upgrade >> /var/log/apt/myupdates.log"
+ # needs a logrotate rule?
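Review bot: The `get public IP` task at line 2166 calls `http://ifconfig.co/json` over plain HTTP, and the answer is written verbatim into `/etc/zenected/zenected.conf` via `ipify_public_ip`, so an on-path party could feed the box a wrong address; use `api_url: https://ifconfig.co/json` (or the module's default HTTPS endpoint), and check that ifconfig.co's JSON carries the `ip` key `ipify_facts` expects, otherwise the fact comes back empty. The cron at line 2179 runs `apt-get -y upgrade` unattended and appends to a log with no rotation, as the trailing comment already notes; the `unattended-upgrades` package is the usual replacement and brings its own logging and rotation.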
diff --git a/roles/zenected.pre/templates/zenected.conf.j2 b/roles/zenected.pre/templates/zenected.conf.j2
new file mode 100644
index 0000000..168529c
--- /dev/null
+++ b/roles/zenected.pre/templates/zenected.conf.j2
@@ -0,0 +1,2 @@
+#Zenected config
+CURRENT_IP="{{ ipify_public_ip }}"
\ No newline at end of file
diff --git a/roles/zenected.pre/vars/main.yml b/roles/zenected.pre/vars/main.yml
new file mode 100644
index 0000000..3c859db
--- /dev/null
+++ b/roles/zenected.pre/vars/main.yml
@@ -0,0 +1,19 @@
+---
+dependencies:
+ - fail2ban
+ - curl
+ - git
+ - mysql-client
+ - debconf
+ - sed
+ - sqlite3
+
+zenected_directories:
+ - downloads
+ - dns
+ - url
+
+directories:
+ - /etc/zenected
+ - /var/www/zen/users
+ - /etc/ipsec.d/examples
diff --git a/roles/zenected/defaults/main.yml b/roles/zenected/defaults/main.yml
new file mode 100644
index 0000000..bd2bd23
--- /dev/null
+++ b/roles/zenected/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+zenredir_password: "{{ lookup('password', 'credentials/zenected/password chars=ascii_letters,digits,hexdigits length=15') }}"
+update_h: "{{ 23 | random}}"
+update_m: "{{ 59 | random}}"
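Review bot: `update_h` and `update_m` at lines 2223–2224 use the `random` filter without a seed, so every play run yields a new hour and minute and the `ZEN_UPDATES_H`/`ZEN_UPDATES_M` lines the zenected tasks write change on each run (non-idempotent, and it reshuffles the update window every time); use `{{ 23 | random(seed=inventory_hostname) }}` and `{{ 59 | random(seed=inventory_hostname) }}` to pin the values per host. In the password lookup at line 2222, `hexdigits` is a subset of `ascii_letters,digits` and is redundant, so drop it to keep the character-class list honest.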
diff --git a/roles/zenected/tasks/main.yml b/roles/zenected/tasks/main.yml
new file mode 100644
index 0000000..ec2c2b5
--- /dev/null
+++ b/roles/zenected/tasks/main.yml
@@ -0,0 +1,72 @@
+---
+- name: install dependencies
+ apt:
+ name: software-properties-common
+
+- name: add key
+ apt_key:
+ keyserver: keyserver.ubuntu.com
+ id: EDEA5A7B
+
+- name: add repository
+ apt_repository:
+ repo: deb http://repository.perunworks.com/ trusty main
+
+- name: install zenected
+ apt:
+ name: zenected-aws
+ update_cache: yes
+
+- name: change rc.local
+ blockinfile:
+ dest: /etc/rc.local
+ marker: "# {mark} Zenected"
+ block: |
+ sudo /opt/zenected/zenected_restart.zenx
+
+- name: drop create radius db
+ mysql_db:
+ login_password: '{{ mysql_password }}'
+ login_user: root
+ name: zenredir
+ state: '{{ item }}'
+ with_items:
+ - absent
+ - present
+
+- name: grant privileges
+ shell: mysql -u root -p{{ mysql_password }} -e "GRANT ALL ON zenredir.* TO zenredir@localhost IDENTIFIED BY '{{ zenredir_password }}'"
+
+- name: flush privileges
+ command: 'mysql -u root -p{{ mysql_password }} -e "FLUSH PRIVILEGES"'
+
+- name: configure zenected
+ lineinfile:
+ dest: /etc/zenected/zenected.conf
+ regexp: "{{ item[0] }}"
+ line: "{{ item[1] }}"
+ with_items:
+ - [ '^ZEN_REDIR_MYSQL=', 'ZEN_REDIR_MYSQL="{{ zenredir_password }}"' ]
+ - [ '^ZEN_UPDATES_H=', 'ZEN_UPDATES_H="{{ update_h }}"' ]
+ - [ '^ZEN_UPDATES_M=', 'ZEN_UPDATES_M="{{ update_m }}' ]
+
+- name: configure zenected php
+ template:
+ src: zenected.conf.php.j2
+ dest: /var/www/html/zenected.conf.php
+
+- name: zenected update
+ command: /opt/zenected/zenected_update.zenx
+
+- name: restart services
+ service:
+ name: "{{ item }}"
+ state: restarted
+ with_items:
+ - ipsec
+ - xl2tpd
+ - freeradius
+
+- name: show message
+ debug:
+ msg: "Connect to the host and run /opt/zenected/zenected_setup.zenx. Check Resources at https://zenected.com"
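Review bot: The third `configure zenected` item at line 2281, `'ZEN_UPDATES_M="{{ update_m }}'`, is missing the closing double quote the two lines above it have, so the rendered config gets an unterminated value; it should read `'ZEN_UPDATES_M="{{ update_m }}"'`. The `grant privileges` task at line 2268 builds a shell command with the root password in `-p{{ mysql_password }}` and the new password inside the GRANT string, which exposes both in the process list and in Ansible's recorded command line; the `mysql_user` module does the same job without a shell, `no_log: true` keeps the play output clean, and the `flush privileges` task at line 2270 then becomes unnecessary. The `apt_key` at line 2239 identifies the key by an 8-character short id, which is collision-prone; prefer the full fingerprint in `id:`.
```yaml
- name: grant privileges
  mysql_user:
    login_user: root
    login_password: '{{ mysql_password }}'
    name: zenredir
    host: localhost
    password: '{{ zenredir_password }}'
    priv: 'zenredir.*:ALL'
  no_log: true
# … unchanged: configure zenected, configure zenected php, zenected update, restart services, show message …
```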
diff --git a/roles/zenected/templates/zenected.conf.php.j2 b/roles/zenected/templates/zenected.conf.php.j2
new file mode 100644
index 0000000..dfa4400
--- /dev/null
+++ b/roles/zenected/templates/zenected.conf.php.j2
@@ -0,0 +1 @@
+
\ No newline at end of file
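Review bot: This template is a single blank line, so the `configure zenected php` task in the zenected role writes an empty `/var/www/html/zenected.conf.php` into the web root. If the file is a placeholder that something else fills later, say so in the template itself, e.g. `<?php // zenected.conf.php: placeholder, populated after setup (name the tool that fills it)`, and consider whether a configuration file belongs under the document root at all.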
diff --git a/zenected.yml b/zenected.yml
new file mode 100644
index 0000000..665b275
--- /dev/null
+++ b/zenected.yml
@@ -0,0 +1,25 @@
+---
+- name: install zenected
+ hosts: zenected
+ become: yes
+ roles:
+ - role: zenected.pre
+ tags: zenected.pre
+ - role: apache
+ tags: apache
+ - role: mysql
+ tags: mysql
+ - role: php
+ tags: php
+ - role: suricata
+ tags: suricata
+ - role: radius
+ tags: radius
+ - role: squid
+ tags: squid
+ - role: l2p
+ tags: l2p
+ - role: dnsmasq
+ tags: dnsmasq
+ - role: zenected
+ tags: zenected