From fa8f79de5cfb45c9fc9c81b0350d7e53cb4281d5 Mon Sep 17 00:00:00 2001 
From: Pierre Gaulon Date: Sun, 9 Apr 2017 12:56:26 +0800 Subject: [PATCH 1/4] First commit Ansible migration --- Vagrantfile | 55 ++ ansible.cfg | 8 + hosts | 2 + roles/apache/files/000-default.conf | 5 + roles/apache/files/dir.conf | 3 + roles/apache/files/index.html | 7 + roles/apache/files/zenusers-ssl.conf | 25 + roles/apache/tasks/main.yml | 48 ++ roles/dnsmasq/files/dnsmasq.conf | 14 + roles/dnsmasq/tasks/main.yml | 14 + roles/l2p/defaults/main.yml | 2 + roles/l2p/files/Makefile.inc.local | 1 + roles/l2p/files/iptables.rules | 34 ++ roles/l2p/files/iptablesload | 3 + roles/l2p/files/options.xl2tpd | 18 + roles/l2p/files/sysctl.conf | 29 ++ roles/l2p/files/xl2tpd.conf | 16 + roles/l2p/tasks/main.yml | 73 +++ roles/l2p/templates/ipsec.conf.j2 | 32 ++ roles/l2p/templates/ipsec.secrets.j2 | 2 + roles/l2p/vars/main.yml | 26 + roles/mysql/defaults/main.yml | 2 + roles/mysql/tasks/main.yml | 57 +++ roles/mysql/vars/main.yml | 5 + roles/php/tasks/main.yml | 5 + roles/php/vars/main.yml | 9 + roles/radius/defaults/main.yml | 4 + roles/radius/files/default | 77 +++ roles/radius/files/dictionary | 194 +++++++ roles/radius/files/dictionary.microsoft | 66 +++ roles/radius/files/inner-tunnel | 61 +++ roles/radius/files/radiusclient.conf | 16 + roles/radius/files/radiusd.conf | 92 ++++ roles/radius/tasks/main.yml | 122 +++++ roles/radius/templates/clients.conf.j2 | 7 + roles/radius/templates/servers.j2 | 5 + roles/radius/templates/sql.conf.j2 | 32 ++ roles/radius/vars/main.yml | 6 + roles/squid/files/squid.conf | 37 ++ roles/squid/files/squidGuard.conf | 24 + roles/squid/tasks/main.yml | 15 + roles/squid/vars/main.yml | 3 + roles/suricata/defaults/main.yml | 2 + roles/suricata/files/oinkmaster.conf | 10 + roles/suricata/files/suricata | 1 + roles/suricata/tasks/main.yml | 50 ++ roles/suricata/templates/suricata.yml.j2 | 476 ++++++++++++++++++ roles/suricata/vars/main.yml | 30 ++ roles/zenected.pre/tasks/main.yml | 39 ++ roles/zenected.pre/templates/zenected.conf.j2 | 2 + 
roles/zenected.pre/vars/main.yml | 19 + roles/zenected/defaults/main.yml | 4 + roles/zenected/tasks/main.yml | 72 +++ roles/zenected/templates/zenected.conf.php.j2 | 1 + zenected.yml | 25 + 55 files changed, 1987 insertions(+) create mode 100644 Vagrantfile create mode 100644 ansible.cfg create mode 100644 hosts create mode 100644 roles/apache/files/000-default.conf create mode 100644 roles/apache/files/dir.conf create mode 100644 roles/apache/files/index.html create mode 100644 roles/apache/files/zenusers-ssl.conf create mode 100644 roles/apache/tasks/main.yml create mode 100644 roles/dnsmasq/files/dnsmasq.conf create mode 100644 roles/dnsmasq/tasks/main.yml create mode 100644 roles/l2p/defaults/main.yml create mode 100644 roles/l2p/files/Makefile.inc.local create mode 100644 roles/l2p/files/iptables.rules create mode 100644 roles/l2p/files/iptablesload create mode 100644 roles/l2p/files/options.xl2tpd create mode 100644 roles/l2p/files/sysctl.conf create mode 100644 roles/l2p/files/xl2tpd.conf create mode 100644 roles/l2p/tasks/main.yml create mode 100644 roles/l2p/templates/ipsec.conf.j2 create mode 100644 roles/l2p/templates/ipsec.secrets.j2 create mode 100644 roles/l2p/vars/main.yml create mode 100644 roles/mysql/defaults/main.yml create mode 100644 roles/mysql/tasks/main.yml create mode 100644 roles/mysql/vars/main.yml create mode 100644 roles/php/tasks/main.yml create mode 100644 roles/php/vars/main.yml create mode 100644 roles/radius/defaults/main.yml create mode 100644 roles/radius/files/default create mode 100644 roles/radius/files/dictionary create mode 100644 roles/radius/files/dictionary.microsoft create mode 100644 roles/radius/files/inner-tunnel create mode 100644 roles/radius/files/radiusclient.conf create mode 100644 roles/radius/files/radiusd.conf create mode 100644 roles/radius/tasks/main.yml create mode 100644 roles/radius/templates/clients.conf.j2 create mode 100644 roles/radius/templates/servers.j2 create mode 100644 
roles/radius/templates/sql.conf.j2 create mode 100644 roles/radius/vars/main.yml create mode 100644 roles/squid/files/squid.conf create mode 100644 roles/squid/files/squidGuard.conf create mode 100644 roles/squid/tasks/main.yml create mode 100644 roles/squid/vars/main.yml create mode 100644 roles/suricata/defaults/main.yml create mode 100644 roles/suricata/files/oinkmaster.conf create mode 100644 roles/suricata/files/suricata create mode 100644 roles/suricata/tasks/main.yml create mode 100644 roles/suricata/templates/suricata.yml.j2 create mode 100644 roles/suricata/vars/main.yml create mode 100644 roles/zenected.pre/tasks/main.yml create mode 100644 roles/zenected.pre/templates/zenected.conf.j2 create mode 100644 roles/zenected.pre/vars/main.yml create mode 100644 roles/zenected/defaults/main.yml create mode 100644 roles/zenected/tasks/main.yml create mode 100644 roles/zenected/templates/zenected.conf.php.j2 create mode 100644 zenected.yml diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 0000000..549d572 --- /dev/null +++ b/Vagrantfile 
@@ -0,0 +1,55 @@
+VAGRANTFILE_API_VERSION = "2"
+
+vm_group = "/test"
+
+vm_boxes = {
+ "zenected" => {
+ "ip" => "192.168.1.254",
+ "ports" => {
+ "http" => {
+ "host" => 8080,
+ "guest" => 80,
+ "protocol" => "tcp"
+ },
+ "https" => {
+ "host" => 8443,
+ "guest" => 443,
+ "protocol" => "tcp"
+ },
+ "ipsec1" => {
+ "host" => 8500,
+ "guest" => 500,
+ "protocol" => "udp"
+ },
+ "ipsec2" => {
+ "host" => 4500,
+ "guest" => 4500,
+ "protocol" => "udp"
+ },
+ }
+ },
+}
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+ config.vm.box = "ubuntu/trusty64"
+ # config.ssh.insert_key = false
+
+ vm_boxes.each do |name, box|
+ config.vm.define "#{name}" do |node|
+ node.vm.hostname = "#{name}"
+ node.vm.network :private_network, ip: box["ip"], netmask: "255.255.255.0"
+ box["ports"].each do |id, ports|
+ node.vm.network :forwarded_port, guest: ports["guest"], host: ports["host"], id: id
+ end
+
+ node.vm.provider "virtualbox" do |v|
+ v.memory = 1024
+ v.name = "#{name}"
+ v.customize [
+ "modifyvm", :id,
+ "--groups", vm_group
+ ]
+ end
+ end
+ end
+end
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..679e845
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,8 @@
+[defaults]
+inventory = hosts
+host_key_checking = no
+private_key_file = .vagrant/machines/zenected/virtualbox/private_key
+remote_user = vagrant
+
+[ssh_connection]
+ssh_args = -o IdentitiesOnly=yes
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..88c47f6
--- /dev/null
+++ b/hosts
@@ -0,0 +1,2 @@
+[zenected]
+localhost:2222
diff --git a/roles/apache/files/000-default.conf b/roles/apache/files/000-default.conf
new file mode 100644
index 0000000..6e64c10
--- /dev/null
+++ b/roles/apache/files/000-default.conf
@@ -0,0 +1,5 @@
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+ ErrorDocument 404 /index.php
+
\ No newline at end of file
diff --git a/roles/apache/files/dir.conf b/roles/apache/files/dir.conf
new file mode 100644
index 0000000..e35a8f2
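Review bot: The `forwarded_port` entries created in the `box["ports"].each` loop pass no `host_ip:`, so VirtualBox binds host ports 8080, 8443, 8500 and 4500 on every interface of the developer machine, exposing the VM's HTTP, HTTPS and IKE/NAT-T endpoints to whatever network the host is on rather than just to the local user; `node.vm.network :forwarded_port, guest: ports["guest"], host: ports["host"], id: id, host_ip: "127.0.0.1"` keeps them loopback-only. As a matter of style, `"#{name}"` interpolates a value that is already a String; `config.vm.define name do |node|`, `node.vm.hostname = name` and `v.name = name` say the same thing without the noise. The box line sets no `config.vm.box_version`, so a fresh `vagrant up` on another machine may pull a different image than the one this was tested with.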
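Review bot: `host_key_checking = no` switches off SSH host-key verification for every host this configuration is used against, not only the Vagrant box, and the file records no reason for it. A comment above the line, e.g. `# disposable local Vagrant VM: host key changes on every destroy/up; re-enable before pointing this at real inventories`, makes the trade-off explicit, and the `hosts` inventory being limited to `localhost:2222` is what currently keeps the blast radius small.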
--- /dev/null +++ b/roles/apache/files/dir.conf @@ -0,0 +1,3 @@ + + DirectoryIndex index.php index.html index.cgi index.pl index.xhtml index.htm + \ No newline at end of file diff --git a/roles/apache/files/index.html b/roles/apache/files/index.html new file mode 100644 index 0000000..acca955 --- /dev/null +++ b/roles/apache/files/index.html @@ -0,0 +1,7 @@ + + + + + + + diff --git a/roles/apache/files/zenusers-ssl.conf b/roles/apache/files/zenusers-ssl.conf new file mode 100644 index 0000000..7b29925 --- /dev/null +++ b/roles/apache/files/zenusers-ssl.conf @@ -0,0 +1,25 @@ + + + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/zen/ + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + SSLEngine on + SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem + SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key + + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + \ No newline at end of file diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml new file mode 100644 index 0000000..bd9bfc3 --- /dev/null +++ b/roles/apache/tasks/main.yml 
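Review bot: The zenusers-ssl vhost enables `SSLEngine on` but sets neither `SSLProtocol` nor `SSLCipherSuite`, so it inherits whatever the trusty Apache package ships in its ssl module defaults; pinning them in the vhost (`SSLProtocol all -SSLv2 -SSLv3` plus an explicit `SSLCipherSuite` of current ciphers, adjusted to what the package version accepts) removes the dependency on distro defaults. The certificate is the package-generated `ssl-cert-snakeoil` pair, which every VPN user's browser will have to trust by hand; the tasks file already carries the author's `# why not lets encrypt cert?` note, so a `# TODO: replace snakeoil cert with a real one before use outside the test VM` here keeps that intent next to the config. The `BrowserMatch "MSIE [2-6]"` / `"MSIE [17-9]"` stanza is legacy boilerplate with no effect on modern clients and can be dropped.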
@@ -0,0 +1,48 @@ +--- +- name: install apache2 + apt: + name: apache2 + +- name: configure dir + copy: + src: dir.conf + dest: /etc/apache2/mods-enabled/dir.conf + +- name: configure 000 default + copy: + src: 000-default.conf + dest: /etc/apache2/sites-available/000-default.conf + +- name: configure zenusers-ssl # why not lets encrypt cert? + copy: + src: zenusers-ssl.conf + dest: /etc/apache2/sites-available/zenusers-ssl.conf + +- name: index zen + copy: + src: index.html + dest: /var/www/zen/index.html + +- name: servername apache + lineinfile: + dest: /etc/apache2/apache2.conf + regexp: "^ServerName" + line: "ServerName localhost" + +- name: apache2 ssl module + apache2_module: + state: present + name: ssl + +- name: apache2 autoindex module + apache2_module: + state: absent + name: autoindex + +- name: add site zenusers-ssl + command: "a2ensite zenusers-ssl.conf" + +- name: restart apache + service: + name: apache2 + state: restarted diff --git a/roles/dnsmasq/files/dnsmasq.conf b/roles/dnsmasq/files/dnsmasq.conf new file mode 100644 index 0000000..0d0777d --- /dev/null +++ b/roles/dnsmasq/files/dnsmasq.conf @@ -0,0 +1,14 @@ +# Configuration file for dnsmasq. +no-resolv + +##forward dns queries upstream +server=8.8.8.8 +server=8.8.4.4 + +no-hosts + +addn-hosts=/opt/zenected/dns/perun_ads.domains +addn-hosts=/opt/zenected/dns/perun_feodo.domains +addn-hosts=/opt/zenected/dns/perun_zeus.domains +addn-hosts=/opt/zenected/dns/perun_suspicious.domains +addn-hosts=/opt/zenected/dns/local_blacklist.domains \ No newline at end of file diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml new file mode 100644 index 0000000..ba17851 --- /dev/null +++ b/roles/dnsmasq/tasks/main.yml @@ -0,0 +1,14 @@ +--- +- name: install dependencies + apt: + name: dnsmasq + +- name: configure dnsmasq + copy: + src: dnsmasq.conf + dest: /etc/dnsmasq.conf + +- name: restart dnsmasq + service: + name: dnsmasq + state: restarted 
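Review bot: The `add site zenusers-ssl` task runs `command: "a2ensite zenusers-ssl.conf"` on every play and will always report changed; guarding it with `args:` / `creates: /etc/apache2/sites-enabled/zenusers-ssl.conf` makes it idempotent. Likewise `restart apache` restarts the service unconditionally at the end of the role; moving it into a handler and adding `notify: restart apache` to the copy/lineinfile/module tasks restarts only when configuration actually changed. The `apt:` tasks give no `state:` and rely on the default of present, which is fine but worth stating explicitly for consistency with the `apache2_module` tasks that do.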
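Review bot: dnsmasq.conf sets `no-resolv` and upstream `server=` entries but no `interface=`, `listen-address=` or `bind-interfaces`, so dnsmasq answers on every interface including the outside one, and whether that is reachable depends entirely on the l2p role's iptables rules. Restricting it explicitly, e.g. `listen-address=127.0.0.1,192.168.42.1` with `bind-interfaces` (192.168.42.1 being the address options.xl2tpd pushes as `ms-dns`, if that is the intended resolver for VPN clients), gives defence in depth independent of the firewall. The five `addn-hosts=` blocklist files under /opt/zenected/dns are not created by anything in this commit; a comment naming which role or script populates them would help the next reader.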
diff --git a/roles/l2p/defaults/main.yml b/roles/l2p/defaults/main.yml new file mode 100644 index 0000000..48c2d23 --- /dev/null +++ b/roles/l2p/defaults/main.yml @@ -0,0 +1,2 @@ +--- +ipsec_password: "{{ lookup('password', 'credentials/ipsec/password chars=ascii_letters,digits,hexdigits length=15') }}" diff --git a/roles/l2p/files/Makefile.inc.local b/roles/l2p/files/Makefile.inc.local new file mode 100644 index 0000000..6fed5b9 --- /dev/null +++ b/roles/l2p/files/Makefile.inc.local @@ -0,0 +1 @@ +WERROR_CFLAGS = \ No newline at end of file diff --git a/roles/l2p/files/iptables.rules b/roles/l2p/files/iptables.rules new file mode 100644 index 0000000..196dd31 --- /dev/null +++ b/roles/l2p/files/iptables.rules @@ -0,0 +1,34 @@ +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:ICMPALL - [0:0] +-A INPUT -m conntrack --ctstate INVALID -j DROP +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p icmp --icmp-type 255 -j ICMPALL +-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT +-A INPUT -p tcp --dport 22 -j ACCEPT +-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT +-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT +-A INPUT -p udp --dport 1701 -j DROP +-A INPUT -j DROP +-A FORWARD -m conntrack --ctstate INVALID -j DROP +-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -i ppp+ -o eth+ -j ACCEPT +-A FORWARD -j DROP +-A ICMPALL -p icmp -f -j DROP +-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT +-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT +-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT +-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT +-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT +-A ICMPALL -p icmp -j DROP +COMMIT +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP} +COMMIT 
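Review bot: `lookup('password', 'credentials/ipsec/password ...')` generates the IPsec PSK on first run and stores it in plaintext under `credentials/` relative to the playbook on the control machine; roles/mysql/defaults/main.yml and roles/radius/defaults/main.yml do the same for the MySQL and RADIUS secrets (the radius role repeating the `credentials/db/mysqlpassword` lookup so both roles read one value). Nothing in this commit excludes `credentials/` from version control or encrypts it, so a `# generated on first run; keep credentials/ out of git or vault it` comment plus a .gitignore entry would stop the generated secrets from being committed. The `chars=ascii_letters,digits,hexdigits` list also repeats characters already present in `ascii_letters,digits`, which slightly skews the output toward 0-9 and a-f; `chars=ascii_letters,digits` is the cleaner specification.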
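Review bot: The nat rule `-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP}` contains a shell-style variable that iptables-restore does not expand, and roles/l2p/tasks/main.yml ships this file with `copy:` rather than `template:`, so the literal `${PRIVATE_IP}` lands in /etc/iptables.rules and the restore fails on that line. Because roles/l2p/files/iptablesload ends with `exit 0` regardless of the restore's result, that failure is silent and the box may come up with part or none of the ruleset applied; render the file as a Jinja2 template with `{{ ansible_default_ipv4["address"] }}` (or use `-j MASQUERADE`, which needs no address) and let iptablesload return the real exit status instead of `exit 0`. Separately, the INPUT chain accepts nothing new arriving on `ppp+` (only RELATED,ESTABLISHED, lo, ICMP, DHCP, SSH and the IKE/L2TP ports), yet options.xl2tpd pushes `ms-dns 192.168.42.1`, so VPN clients' DNS queries to the box would hit the final `-A INPUT -j DROP` unless rules are added elsewhere; if that is not intended, `-A INPUT -i ppp+ -p udp --dport 53 -j ACCEPT` before the drop, confirmed against the intended design.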
diff --git a/roles/l2p/files/iptablesload b/roles/l2p/files/iptablesload new file mode 100644 index 0000000..9d0d636 --- /dev/null +++ b/roles/l2p/files/iptablesload @@ -0,0 +1,3 @@ +#!/bin/sh +/sbin/iptables-restore < /etc/iptables.rules +exit 0 \ No newline at end of file diff --git a/roles/l2p/files/options.xl2tpd b/roles/l2p/files/options.xl2tpd new file mode 100644 index 0000000..72a0465 --- /dev/null +++ b/roles/l2p/files/options.xl2tpd @@ -0,0 +1,18 @@ +ipcp-accept-local +ipcp-accept-remote +#ms-dns 8.8.8.8 +#ms-dns 8.8.4.4 +ms-dns 192.168.42.1 +noccp +auth +crtscts +idle 1800 +mtu 1280 +mru 1280 +lock +lcp-echo-failure 10 +lcp-echo-interval 60 +connect-delay 5000 + +plugin radius.so +plugin radattr.so \ No newline at end of file diff --git a/roles/l2p/files/sysctl.conf b/roles/l2p/files/sysctl.conf new file mode 100644 index 0000000..8687b19 --- /dev/null +++ b/roles/l2p/files/sysctl.conf @@ -0,0 +1,29 @@ +kernel.sysrq = 0 +kernel.core_uses_pid = 1 +net.ipv4.tcp_syncookies = 1 +kernel.msgmnb = 65536 +kernel.msgmax = 65536 +kernel.shmmax = 68719476736 +kernel.shmall = 4294967296 +net.ipv4.ip_forward = 1 +net.ipv4.conf.all.accept_source_route = 0 +net.ipv4.conf.default.accept_source_route = 0 +net.ipv4.conf.all.log_martians = 1 +net.ipv4.conf.default.log_martians = 1 +net.ipv4.conf.all.accept_redirects = 0 +net.ipv4.conf.default.accept_redirects = 0 +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.default.send_redirects = 0 +net.ipv4.conf.all.rp_filter = 0 +net.ipv4.conf.default.rp_filter = 0 +net.ipv6.conf.all.disable_ipv6=1 +net.ipv6.conf.default.disable_ipv6=1 +net.ipv4.icmp_echo_ignore_broadcasts = 1 +net.ipv4.icmp_ignore_bogus_error_responses = 1 +net.ipv4.conf.all.secure_redirects = 0 +net.ipv4.conf.default.secure_redirects = 0 +kernel.randomize_va_space = 1 +net.core.wmem_max=12582912 +net.core.rmem_max=12582912 +net.ipv4.tcp_rmem= 10240 87380 12582912 +net.ipv4.tcp_wmem= 10240 87380 12582912 \ No newline at end of file 
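Review bot: `kernel.randomize_va_space = 1` lowers ASLR from the kernel default of 2 (full, including heap/brk) to partial, and nothing in this role needs that; `kernel.randomize_va_space = 2`. `net.ipv4.conf.all.rp_filter = 0` and `net.ipv4.conf.default.rp_filter = 0` disable reverse-path filtering entirely, presumably because of the IPsec/ppp routing; if asymmetric routes are the reason, `= 2` (loose mode) keeps the anti-spoofing check while tolerating them, and either way a comment stating the reason belongs next to the lines. Note that the task installing this file (`configure systcl` in roles/l2p/tasks/main.yml) only copies it, and I see no `sysctl -p` or `sysctl:` module call in this commit, so none of these settings take effect until a reboot.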
diff --git a/roles/l2p/files/xl2tpd.conf b/roles/l2p/files/xl2tpd.conf new file mode 100644 index 0000000..f5461d7 --- /dev/null +++ b/roles/l2p/files/xl2tpd.conf @@ -0,0 +1,16 @@ +[global] +port = 1701 +;debug avp = yes +;debug network = yes +;debug state = yes +;debug tunnel = yes +[lns default] +ip range = 192.168.42.10-192.168.42.250 +local ip = 192.168.42.1 +require chap = yes +refuse pap = yes +require authentication = yes +name = l2tpd +;ppp debug = yes +pppoptfile = /etc/ppp/options.xl2tpd +length bit = yes \ No newline at end of file diff --git a/roles/l2p/tasks/main.yml b/roles/l2p/tasks/main.yml new file mode 100644 index 0000000..7a412bc --- /dev/null +++ b/roles/l2p/tasks/main.yml 
@@ -0,0 +1,73 @@
+---
+- name: install dependencies
+ apt:
+ name: '{{ item }}'
+ with_items: '{{ dependencies }}'
+
+- name: dowload libreswan
+ unarchive:
+ src: "https://download.libreswan.org/libreswan-{{ swan_version }}.tar.gz"
+ dest: "/opt/"
+ remote_src: yes
+
+- name: modify makefile
+ copy:
+ src: "Makefile.inc.local"
+ dest: "/opt/libreswan-{{ swan_version }}/Makefile.inc.local"
+
+- name: compile
+ make:
+ chdir: "/opt/libreswan-{{ swan_version }}"
+ target: programs
+
+- name: install
+ make:
+ chdir: "/opt/libreswan-{{ swan_version }}"
+ target: install
+
+- name: get my public IP
+ ipify_facts:
+ api_url: http://ifconfig.co/json
+
+- name: configure ipsec
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/{{ item }}"
+ with_items:
+ - ipsec.conf
+ - ipsec.secrets
+
+- name: configure xl2tpd
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/xl2tpd/{{ item }}"
+ with_items:
+ - xl2tpd.conf
+
+- name: configure xl2tpd
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/ppp/{{ item }}"
+ with_items:
+ - options.xl2tpd
+
+- name: configure zenected
+ lineinfile:
+ dest: /etc/zenected/zenected.conf
+ regexp: "^ZEN_SHARED="
+ line: 'ZEN_SHARED="Zenected"'
+
+- name: configure systcl
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/{{ item }}"
+ backup: yes
+ with_items:
+ - sysctl.conf
+ - iptables.rules
+
+- name: configure ifpreup
+ copy:
+ src: iptablesload
+ dest: /etc/network/if-pre-up.d/iptablesload
+ mode: 0755
diff --git a/roles/l2p/templates/ipsec.conf.j2 b/roles/l2p/templates/ipsec.conf.j2
new file mode 100644
index 0000000..979c948
--- /dev/null
+++ b/roles/l2p/templates/ipsec.conf.j2
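Review bot: The `configure ipsec` task writes /etc/ipsec.secrets, which contains the PSK, through `template:` with no `mode:`, so the file gets whatever the remote umask yields (commonly world-readable); set `mode: "0600"` on that task. The `dowload libreswan` task fetches the source tarball and unpacks it in one `unarchive` step with no integrity check, so a substituted or corrupted download would be compiled and installed as the VPN daemon; downloading with `get_url` and a pinned `checksum:` first, then unpacking the local copy, makes the build reproducible and verifiable (rewrite below, with a placeholder for the digest). `get my public IP` queries `http://ifconfig.co/json` over plain HTTP and the result becomes `leftid` in ipsec.conf.j2, so anyone on the path could alter it; the same service is reachable over https. The `configure zenected` task sets `ZEN_SHARED="Zenected"`, a fixed literal, while the radius role writes its generated `radius_password` into the matching `ZEN_RADIUS_SHARED`; if ZEN_SHARED is meant to carry the IPsec PSK, this looks like a placeholder that should be `'ZEN_SHARED="{{ ipsec_password }}"'`.
```yaml
- name: download libreswan
  get_url:
    url: "https://download.libreswan.org/libreswan-{{ swan_version }}.tar.gz"
    dest: "/opt/libreswan-{{ swan_version }}.tar.gz"
    checksum: "sha256:<SHA256_OF_PINNED_TARBALL>"   # placeholder: take the digest from the upstream release

- name: unpack libreswan
  unarchive:
    src: "/opt/libreswan-{{ swan_version }}.tar.gz"
    dest: "/opt/"
    remote_src: yes

# … unchanged: Makefile.inc.local copy, make programs / make install, ipify_facts …

- name: configure ipsec
  template:
    src: "{{ item }}.j2"
    dest: "/etc/{{ item }}"
    mode: "0600"
  with_items:
    - ipsec.conf
    - ipsec.secrets
```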
@@ -0,0 +1,32 @@ +version 2.0 +config setup + dumpdir=/var/run/pluto/ + nat_traversal=yes + virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24 + oe=off + protostack=netkey + nhelpers=0 + interfaces=%defaultroute +conn vpnpsk + connaddrfamily=ipv4 + auto=add + left={{ ansible_default_ipv4["address"] }} + leftid={{ ipify_public_ip }} + leftsubnet={{ ansible_default_ipv4["netmask"] }} + leftnexthop=%defaultroute + leftprotoport=17/1701 + rightprotoport=17/%any + right=%any + rightsubnetwithin=0.0.0.0/0 + forceencaps=yes + authby=secret + pfs=no + type=transport + auth=esp + ike=3des-sha1,aes-sha1 + phase2alg=3des-sha1,aes-sha1 + rekey=no + keyingtries=5 + dpddelay=30 + dpdtimeout=120 + dpdaction=clear \ No newline at end of file diff --git a/roles/l2p/templates/ipsec.secrets.j2 b/roles/l2p/templates/ipsec.secrets.j2 new file mode 100644 index 0000000..6fbf194 --- /dev/null +++ b/roles/l2p/templates/ipsec.secrets.j2 @@ -0,0 +1,2 @@ +include /var/lib/openswan/ipsec.secrets.inc +{{ ansible_default_ipv4["address"] }} %any: PSK "{{ ipsec_password }}" \ No newline at end of file diff --git a/roles/l2p/vars/main.yml b/roles/l2p/vars/main.yml new file mode 100644 index 0000000..74e2db5 --- /dev/null +++ b/roles/l2p/vars/main.yml @@ -0,0 +1,26 @@ +--- +swan_version: 3.17 + +dependencies: + - xl2tpd + - ppp + - lsof + - iproute2 + - gawk + - xmlto # no install recommends + - libnss3-dev + - libnspr4-dev + - pkg-config + - libpam0g-dev + - libcap-ng-dev + - libcap-ng-utils + - libselinux1-dev + - libcurl4-nss-dev + - libgmp3-dev + - flex + - bison + - gcc + - make + - libunbound-dev + - libnss3-tools + - libevent-dev diff --git a/roles/mysql/defaults/main.yml b/roles/mysql/defaults/main.yml new file mode 100644 index 0000000..b5271b5 --- /dev/null +++ b/roles/mysql/defaults/main.yml @@ -0,0 +1,2 @@ +--- +mysql_password: "{{ lookup('password', 'credentials/db/mysqlpassword chars=ascii_letters,digits,hexdigits length=15') }}" 
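Review bot: `leftsubnet={{ ansible_default_ipv4["netmask"] }}` renders to a dotted netmask such as 255.255.255.0, not a network in CIDR form, which is what libreswan's `leftsubnet` expects; for this L2TP transport-mode connection the line can simply be dropped (the `leftprotoport=17/1701` / `rightprotoport=17/%any` selectors already scope it), or use the `network`/`prefix` facts if a subnet is really intended. The proposals `ike=3des-sha1,aes-sha1` and `phase2alg=3des-sha1,aes-sha1` list 3DES first and `pfs=no` disables perfect forward secrecy, presumably for compatibility with built-in L2TP clients; if that is the reason, put AES first, drop 3des where the client base allows, and record the decision with a comment such as `# pfs=no and sha1: required by legacy built-in L2TP clients -- revisit`. `dumpdir=`, `nat_traversal=yes` and `oe=off` are openswan-era keys that libreswan 3.17 may warn about or ignore; worth checking against the version the role actually builds.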
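Review bot: The first line includes `/var/lib/openswan/ipsec.secrets.inc`, an openswan path, while this role builds libreswan from source into /opt; unless that file exists on the target the include is at best dead and at worst a parse error, depending on how libreswan treats a missing include, so either drop it or point it at the libreswan equivalent. The PSK line is keyed on `ansible_default_ipv4["address"]`, which matches `left=` in ipsec.conf.j2, so the two templates are consistent with each other.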
diff --git a/roles/mysql/tasks/main.yml b/roles/mysql/tasks/main.yml
new file mode 100644
index 0000000..ad112d7
--- /dev/null
+++ b/roles/mysql/tasks/main.yml
@@ -0,0 +1,57 @@
+---
+- name: install dependencies
+ apt:
+ name: "{{ item }}"
+ with_items: "{{ dependencies }}"
+
+- name: debconf
+ debconf:
+ name: mysql-server
+ question: mysql-server/root_password
+ value: '{{ mysql_password }}'
+ vtype: password
+
+- name: debconf
+ debconf:
+ name: mysql-server
+ question: mysql-server/root_password_again
+ value: '{{ mysql_password }}'
+ vtype: password
+
+- name: zenected mysql password
+ lineinfile:
+ dest: /etc/zenected/zenected.conf
+ regexp: '^ZEN_MYSQL='
+ line: 'ZEN_MSQL="{{ mysql_password }}"'
+
+- name: install mysql db
+ command: mysql_install_db
+
+
+- block:
+ - name: Set root user password
+ mysql_user:
+ name: root
+ host: localhost
+ password: "{{ mysql_password }}"
+ check_implicit_admin: yes
+ login_user: root
+ state: present
+ rescue:
+ - name: Set root user password
+ mysql_user:
+ name: root
+ host: localhost
+ password: "{{ mysql_password }}"
+ check_implicit_admin: yes
+ login_user: root
+ login_password: "{{ mysql_password }}"
+ state: present
+
+- name: Secure install
+ shell: 'mysql -u root -p{{ mysql_password }} -e "{{ item }}"'
+ with_items:
+ - "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
+ - "DELETE FROM mysql.user WHERE User=''"
+ - "DELETE FROM mysql.db WHERE Db='test' OR Db='test_%'"
+ - "FLUSH PRIVILEGES"
diff --git a/roles/mysql/vars/main.yml b/roles/mysql/vars/main.yml
new file mode 100644
index 0000000..3c263a9
--- /dev/null
+++ b/roles/mysql/vars/main.yml
@@ -0,0 +1,5 @@
+---
+dependencies:
+ - mysql-server
+ - php5-mysql
+ - python-mysqldb
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml
new file mode 100644
index 0000000..17ed76c
--- /dev/null
+++ b/roles/php/tasks/main.yml
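Review bot: In `zenected mysql password` the `regexp` is `'^ZEN_MYSQL='` but the `line` writes `ZEN_MSQL=...`, so any existing ZEN_MYSQL entry is left untouched and a misspelled key is appended instead; the line should be `line: 'ZEN_MYSQL="{{ mysql_password }}"'`. The `Secure install` task puts the root password on the `mysql -u root -p{{ mysql_password }}` command line, where it is visible in the process list for the duration of the call and is echoed into Ansible's output and any log that captures it; add `no_log: true` to this task and to the two `debconf`, the `lineinfile` and the `mysql_user` tasks that carry the password, and prefer the modules' `login_password:` over the shell (the anonymous-user and test-database removals map onto `mysql_user` and `mysql_db` with `state: absent`). The same `-p{{ mysql_password }}` shell pattern recurs in roles/radius/tasks/main.yml (`grant privileges`, `flush privileges`), where the GRANT statement additionally embeds the radius SQL password in the command line.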
@@ -0,0 +1,5 @@ +--- +- name: install dependencies + apt: + name: "{{ item }}" + with_items: "{{ dependencies }}" diff --git a/roles/php/vars/main.yml b/roles/php/vars/main.yml new file mode 100644 index 0000000..127c1f6 --- /dev/null +++ b/roles/php/vars/main.yml @@ -0,0 +1,9 @@ +--- +dependencies: + - php5 + - php-db + - php-pear + - libapache2-mod-php5 + - php5-mcrypt + - php5-gd + - php5-sqlite diff --git a/roles/radius/defaults/main.yml b/roles/radius/defaults/main.yml new file mode 100644 index 0000000..e78b558 --- /dev/null +++ b/roles/radius/defaults/main.yml @@ -0,0 +1,4 @@ +--- +radius_password: "{{ lookup('password', 'credentials/radius/password chars=ascii_letters,digits,hexdigits length=15') }}" +radius_mysql_password: "{{ lookup('password', 'credentials/radius/mysqlpassword chars=ascii_letters,digits,hexdigits length=15') }}" +mysql_password: "{{ lookup('password', 'credentials/db/mysqlpassword chars=ascii_letters,digits,hexdigits length=15') }}" diff --git a/roles/radius/files/default b/roles/radius/files/default new file mode 100644 index 0000000..1f199e1 --- /dev/null +++ b/roles/radius/files/default @@ -0,0 +1,77 @@ +# $Id$ +authorize { + preprocess + chap + mschap + digest + suffix +# ntdomain + eap { + ok = return + } + files + sql + expiration + logintime + pap +} + +authenticate { + Auth-Type PAP { + pap + } + + Auth-Type CHAP { + chap + } + + Auth-Type MS-CHAP { + mschap + } + + digest + unix + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + sql +# sql_log + exec + attr_filter.accounting_response +} + +session { + radutmp + sql +} + +post-auth { +# sql +# sql_log +# ldap + exec + Post-Auth-Type REJECT { +# sql + attr_filter.access_reject + } +} + +pre-proxy { +# attr_rewrite +# pre_proxy_log +} + +post-proxy { + eap +} \ No newline at end of file diff --git a/roles/radius/files/dictionary b/roles/radius/files/dictionary new file mode 100644 index 0000000..b7f1037 --- /dev/null 
+++ b/roles/radius/files/dictionary 
@@ -0,0 +1,194 @@ +# +# Updated 97/06/13 to livingston-radius-2.01 miquels@cistron.nl +# +# Following are the proper new names. Use these. +# +ATTRIBUTE User-Name 1 string +ATTRIBUTE Password 2 string +ATTRIBUTE CHAP-Password 3 string +ATTRIBUTE NAS-IP-Address 4 ipaddr +ATTRIBUTE NAS-Port-Id 5 integer +ATTRIBUTE Service-Type 6 integer +ATTRIBUTE Framed-Protocol 7 integer +ATTRIBUTE Framed-IP-Address 8 ipaddr +ATTRIBUTE Framed-IP-Netmask 9 ipaddr +ATTRIBUTE Framed-Routing 10 integer +ATTRIBUTE Filter-Id 11 string +ATTRIBUTE Framed-MTU 12 integer +ATTRIBUTE Framed-Compression 13 integer +ATTRIBUTE Login-IP-Host 14 ipaddr +ATTRIBUTE Login-Service 15 integer +ATTRIBUTE Login-TCP-Port 16 integer +ATTRIBUTE Reply-Message 18 string +ATTRIBUTE Callback-Number 19 string +ATTRIBUTE Callback-Id 20 string +ATTRIBUTE Framed-Route 22 string +ATTRIBUTE Framed-IPX-Network 23 ipaddr +ATTRIBUTE State 24 string +ATTRIBUTE Session-Timeout 27 integer +ATTRIBUTE Idle-Timeout 28 integer +ATTRIBUTE Termination-Action 29 integer +ATTRIBUTE Called-Station-Id 30 string +ATTRIBUTE Calling-Station-Id 31 string +ATTRIBUTE Acct-Status-Type 40 integer +ATTRIBUTE Acct-Delay-Time 41 integer +ATTRIBUTE Acct-Input-Octets 42 integer +ATTRIBUTE Acct-Output-Octets 43 integer +ATTRIBUTE Acct-Session-Id 44 string +ATTRIBUTE Acct-Authentic 45 integer +ATTRIBUTE Acct-Session-Time 46 integer +ATTRIBUTE Acct-Input-Packets 47 integer +ATTRIBUTE Acct-Output-Packets 48 integer +ATTRIBUTE Acct-Terminate-Cause 49 integer +ATTRIBUTE Chap-Challenge 60 string +ATTRIBUTE NAS-Port-Type 61 integer +ATTRIBUTE Port-Limit 62 integer +ATTRIBUTE Connect-Info 77 string + +# +# Experimental Non Protocol Attributes used by Cistron-Radiusd +# +ATTRIBUTE Huntgroup-Name 221 string +ATTRIBUTE User-Category 1029 string +ATTRIBUTE Group-Name 1030 string +ATTRIBUTE Simultaneous-Use 1034 integer +ATTRIBUTE Strip-User-Name 1035 integer +ATTRIBUTE Fall-Through 1036 integer +ATTRIBUTE Add-Port-To-IP-Address 1037 integer +ATTRIBUTE 
Exec-Program 1038 string +ATTRIBUTE Exec-Program-Wait 1039 string +ATTRIBUTE Hint 1040 string + +# +# Non-Protocol Attributes +# These attributes are used internally by the server +# +ATTRIBUTE Expiration 21 date +ATTRIBUTE Auth-Type 1000 integer +ATTRIBUTE Menu 1001 string +ATTRIBUTE Termination-Menu 1002 string +ATTRIBUTE Prefix 1003 string +ATTRIBUTE Suffix 1004 string +ATTRIBUTE Group 1005 string +ATTRIBUTE Crypt-Password 1006 string +ATTRIBUTE Connect-Rate 1007 integer + +# +# Integer Translations +# + +# User Types + +VALUE Service-Type Login-User 1 +VALUE Service-Type Framed-User 2 +VALUE Service-Type Callback-Login-User 3 +VALUE Service-Type Callback-Framed-User 4 +VALUE Service-Type Outbound-User 5 +VALUE Service-Type Administrative-User 6 +VALUE Service-Type NAS-Prompt-User 7 + +# Framed Protocols + +VALUE Framed-Protocol PPP 1 +VALUE Framed-Protocol SLIP 2 + +# Framed Routing Values + +VALUE Framed-Routing None 0 +VALUE Framed-Routing Broadcast 1 +VALUE Framed-Routing Listen 2 +VALUE Framed-Routing Broadcast-Listen 3 + +# Framed Compression Types + +VALUE Framed-Compression None 0 +VALUE Framed-Compression Van-Jacobson-TCP-IP 1 + +# Login Services + +VALUE Login-Service Telnet 0 +VALUE Login-Service Rlogin 1 +VALUE Login-Service TCP-Clear 2 +VALUE Login-Service PortMaster 3 + +# Status Types + +VALUE Acct-Status-Type Start 1 +VALUE Acct-Status-Type Stop 2 +VALUE Acct-Status-Type Accounting-On 7 +VALUE Acct-Status-Type Accounting-Off 8 + +# Authentication Types + +VALUE Acct-Authentic RADIUS 1 +VALUE Acct-Authentic Local 2 +VALUE Acct-Authentic PowerLink128 100 + +# Termination Options + +VALUE Termination-Action Default 0 +VALUE Termination-Action RADIUS-Request 1 + +# NAS Port Types, available in 3.3.1 and later + +VALUE NAS-Port-Type Async 0 +VALUE NAS-Port-Type Sync 1 +VALUE NAS-Port-Type ISDN 2 +VALUE NAS-Port-Type ISDN-V120 3 +VALUE NAS-Port-Type ISDN-V110 4 + +# Acct Terminate Causes, available in 3.3.2 and later + +VALUE Acct-Terminate-Cause 
User-Request 1 +VALUE Acct-Terminate-Cause Lost-Carrier 2 +VALUE Acct-Terminate-Cause Lost-Service 3 +VALUE Acct-Terminate-Cause Idle-Timeout 4 +VALUE Acct-Terminate-Cause Session-Timeout 5 +VALUE Acct-Terminate-Cause Admin-Reset 6 +VALUE Acct-Terminate-Cause Admin-Reboot 7 +VALUE Acct-Terminate-Cause Port-Error 8 +VALUE Acct-Terminate-Cause NAS-Error 9 +VALUE Acct-Terminate-Cause NAS-Request 10 +VALUE Acct-Terminate-Cause NAS-Reboot 11 +VALUE Acct-Terminate-Cause Port-Unneeded 12 +VALUE Acct-Terminate-Cause Port-Preempted 13 +VALUE Acct-Terminate-Cause Port-Suspended 14 +VALUE Acct-Terminate-Cause Service-Unavailable 15 +VALUE Acct-Terminate-Cause Callback 16 +VALUE Acct-Terminate-Cause User-Error 17 +VALUE Acct-Terminate-Cause Host-Request 18 + +# +# Non-Protocol Integer Translations +# + +VALUE Auth-Type Local 0 +VALUE Auth-Type System 1 +VALUE Auth-Type SecurID 2 +VALUE Auth-Type Crypt-Local 3 +VALUE Auth-Type Reject 4 + +# +# Cistron extensions +# +VALUE Auth-Type Pam 253 +VALUE Auth-Type None 254 + +# +# Experimental Non-Protocol Integer Translations for Cistron-Radiusd +# +VALUE Fall-Through No 0 +VALUE Fall-Through Yes 1 +VALUE Add-Port-To-IP-Address No 0 +VALUE Add-Port-To-IP-Address Yes 1 + +# +# Configuration Values +# uncomment these two lines to turn account expiration on +# + +#VALUE Server-Config Password-Expiration 30 +#VALUE Server-Config Password-Warning 5 + +INCLUDE /etc/radiusclient/dictionary.merit +INCLUDE /etc/radiusclient/dictionary.microsoft \ No newline at end of file diff --git a/roles/radius/files/dictionary.microsoft b/roles/radius/files/dictionary.microsoft new file mode 100644 index 0000000..82a17ba --- /dev/null +++ b/roles/radius/files/dictionary.microsoft 
@@ -0,0 +1,66 @@ +# +# Microsoft's VSA's, from RFC 2548 +# +# $Id: poptop_ads_howto_8.htm,v 1.8 2008/10/02 08:11:48 wskwok Exp $ +# +VENDOR Microsoft 311 Microsoft +BEGIN VENDOR Microsoft +ATTRIBUTE MS-CHAP-Response 1 string Microsoft +ATTRIBUTE MS-CHAP-Error 2 string Microsoft +ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft +ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft +ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft +ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft +ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft +# This is referred to as both singular and plural in the RFC. +# Plural seems to make more sense. +ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft +ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft +ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft +ATTRIBUTE MS-CHAP-Domain 10 string Microsoft +ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft +ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1 +ATTRIBUTE MS-BAP-Usage 13 integer Microsoft +ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft +ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft +ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft +ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft +ATTRIBUTE MS-RAS-Version 18 string Microsoft +ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft +ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft +ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft +ATTRIBUTE MS-Filter 22 string Microsoft +ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft +ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft +ATTRIBUTE MS-CHAP2-Response 25 string Microsoft +ATTRIBUTE MS-CHAP2-Success 26 string Microsoft +ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft +ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr +ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr +ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft +ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft +#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft +# +# Integer Translations +# +# MS-BAP-Usage Values +VALUE MS-BAP-Usage 
Not-Allowed 0 +VALUE MS-BAP-Usage Allowed 1 +VALUE MS-BAP-Usage Required 2 +# MS-ARAP-Password-Change-Reason Values +VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1 +VALUE MS-ARAP-PW-Change-Reason Expired-Password 2 +VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3 +VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4 +# MS-Acct-Auth-Type Values +VALUE MS-Acct-Auth-Type PAP 1 +VALUE MS-Acct-Auth-Type CHAP 2 +VALUE MS-Acct-Auth-Type MS-CHAP-1 3 +VALUE MS-Acct-Auth-Type MS-CHAP-2 4 +VALUE MS-Acct-Auth-Type EAP 5 +# MS-Acct-EAP-Type Values +VALUE MS-Acct-EAP-Type MD5 4 +VALUE MS-Acct-EAP-Type OTP 5 +VALUE MS-Acct-EAP-Type Generic-Token-Card 6 +VALUE MS-Acct-EAP-Type TLS 13 +END-VENDOR Microsoft diff --git a/roles/radius/files/inner-tunnel b/roles/radius/files/inner-tunnel new file mode 100644 index 0000000..6a1cfde --- /dev/null +++ b/roles/radius/files/inner-tunnel @@ -0,0 +1,61 @@ +# -*- text -*- + +server inner-tunnel { +listen { + ipaddr = 127.0.0.1 + port = 18120 + type = auth +} +authorize { + chap + mschap + suffix + update control { + Proxy-To-Realm := LOCAL + } + eap { + ok = return + } + files + sql + expiration + logintime + pap +} + +authenticate { + Auth-Type PAP { + pap + } + Auth-Type CHAP { + chap + } + Auth-Type MS-CHAP { + mschap + } + # against /etc/passwd! See the FAQ for details. + # + unix + eap +} +session { + radutmp + sql +} + +post-auth { + Post-Auth-Type REJECT { + # log failed authentications in SQL, too. +# sql + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/roles/radius/files/radiusclient.conf b/roles/radius/files/radiusclient.conf new file mode 100644 index 0000000..8821bb2 --- /dev/null +++ b/roles/radius/files/radiusclient.conf 
@@ -0,0 +1,16 @@ +auth_order radius,local +login_tries 4 +login_timeout 60 +nologin /etc/nologin +issue /etc/radiusclient/issue +authserver localhost:1812 +acctserver localhost:1813 +servers /etc/radiusclient/servers +dictionary /etc/radiusclient/dictionary +login_radius /usr/sbin/login.radius +seqfile /var/run/radius.seq +mapfile /etc/radiusclient/port-id-map +default_realm +radius_timeout 10 +radius_retries 3 +login_local /bin/login \ No newline at end of file diff --git a/roles/radius/files/radiusd.conf b/roles/radius/files/radiusd.conf new file mode 100644 index 0000000..cf967ef --- /dev/null +++ b/roles/radius/files/radiusd.conf 
@@ -0,0 +1,92 @@
+# -*- text -*-
+##
+## radiusd.conf -- FreeRADIUS server configuration file.
+##
+## http://www.freeradius.org/
+## $Id$
+
+prefix = /usr
+exec_prefix = /usr
+sysconfdir = /etc
+localstatedir = /var
+sbindir = \${exec_prefix}/sbin
+logdir = /var/log/freeradius
+raddbdir = /etc/freeradius
+radacctdir = \${logdir}/radacct
+
+name = freeradius
+
+confdir = \${raddbdir}
+run_dir = \${localstatedir}/run/\${name}
+db_dir = \${raddbdir}
+libdir = /usr/lib/freeradius
+pidfile = \${run_dir}/\${name}.pid
+user = freerad
+group = freerad
+max_request_time = 30
+cleanup_delay = 5
+max_requests = 1024
+
+listen {
+ type = auth
+ ipaddr = *
+ port = 0
+}
+
+listen {
+ ipaddr = *
+ port = 0
+ type = acct
+}
+
+hostname_lookups = no
+allow_core_dumps = no
+regular_expressions = yes
+extended_expressions = yes
+
+log {
+ destination = files
+ file = \${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = no
+ auth_badpass = no
+ auth_goodpass = no
+}
+
+checkrad = \${sbindir}/checkrad
+
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+proxy_requests = yes
+\$INCLUDE proxy.conf
+\$INCLUDE clients.conf
+
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+modules {
+ \$INCLUDE \${confdir}/modules/
+ \$INCLUDE eap.conf
+ \$INCLUDE sql.conf
+ \$INCLUDE sql/mysql/counter.conf
+}
+
+instantiate {
+ exec
+ expr
+ expiration
+ logintime
+}
+
+\$INCLUDE policy.conf
+\$INCLUDE sites-enabled/
\ No newline at end of file
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml
new file mode 100644
index 0000000..e89b9f4
--- /dev/null
+++ b/roles/radius/tasks/main.yml
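Review bot: The `log { auth = no }` setting in this new radiusd.conf turns off the per-request authentication log lines, so failed and successful VPN logins never reach `\${logdir}/radius.log` and there is nothing for fail2ban (installed by the zenected.pre role in this series) or an incident responder to read; `auth = yes` with `auth_badpass = no` and `auth_goodpass = no` kept as they are records the attempts without recording passwords. Separately, both `listen` blocks use `ipaddr = *`, which binds auth and acct on every interface even though the only client defined in clients.conf.j2 is 127.0.0.1; `ipaddr = 127.0.0.1` would match the client list instead of relying on the firewall rules (outside this hunk) to keep UDP 1812/1813 off the LAN and VPN sides.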
@@ -0,0 +1,122 @@
+---
+- name: install dependencies
+ apt:
+ name: '{{ item }}'
+ with_items: '{{ dependencies }}'
+
+- name: configure zen radius
+ lineinfile:
+ dest: /etc/zenected/zenected.conf
+ regexp: '{{ item[0] }}'
+ line: '{{ item[1] }}'
+ with_items:
+ - [ '^ZEN_RADIUS_SHARED=', 'ZEN_RADIUS_SHARED="{{ radius_password }}"' ]
+ - [ '^ZEN_RADIUS_MYSQL=', 'ZEN_RADIUS_MYSQL="{{ radius_mysql_password }}"' ]
+
+- name: change host file
+ lineinfile:
+ dest: /etc/hosts
+ regexp: '^127.0.0.1'
+ line: '127.0.0.1 localhost {{ansible_hostname}}'
+
+- name: change postinst
+ lineinfile:
+ dest: /var/lib/dpkg/info/freeradius-mysql.postinst
+ regexp: 'force-reload'
+ line: 'restart'
+
+- name: postint
+ command: /var/lib/dpkg/info/freeradius-mysql.postinst
+
+- name: drop create radius db
+ mysql_db:
+ login_password: '{{ mysql_password }}'
+ login_user: root
+ name: radius
+ state: '{{ item }}'
+ with_items:
+ - absent
+ - present
+
+- name: grant privileges
+ shell: mysql -u root -p{{ mysql_password }} -e "GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY '{{ radius_mysql_password }}'"
+
+- name: flush privileges
+ shell: 'mysql -u root -p{{ mysql_password }} -e "FLUSH PRIVILEGES"'
+
+- name: import schema.sql
+ mysql_db:
+ state: import
+ name: radius
+ login_user: radius
+ login_password: '{{ radius_mysql_password }}'
+ target: /etc/freeradius/sql/mysql/schema.sql
+
+- name: sites available configuration
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/freeradius/sites-available/{{ item }}"
+ with_items:
+ - inner-tunnel
+ - default
+
+- name: radiusd configuration
+ copy:
+ src: radiusd.conf
+ dest: /etc/freeradius/radiusd.conf
+
+- name: freeradius configuration
+ template:
+ src: "{{ item }}.conf.j2"
+ dest: "/etc/freeradius/{{ item }}.conf"
+ with_items:
+ - sql
+ - clients
+
+- name: radius client configuration
+ copy:
+ src: '{{ item }}'
+ dest: '/etc/radiusclient/{{ item }}'
+ with_items:
+ - radiusclient.conf
+ - dictionary.microsoft
+ - dictionary
+
+-
name: radius server configuration
+ template:
+ src: servers.j2
+ dest: /etc/radiusclient/servers
+ mode: 0600
+
+- name: download daloradius
+ unarchive:
+# src: 'https://zenected.com/downloads/daloradius-0.9-9.tar.gz'
+ src: daloradius-0.9-9.tar.gz
+ dest: /opt/zenected/downloads/
+# remote_src: yes
+
+- name: import daloradius sql
+ mysql_db:
+ state: import
+ name: radius
+ login_user: radius
+ login_password: '{{ radius_mysql_password }}'
+ target: /opt/zenected/downloads/daloradius-0.9-9/contrib/db/mysql-daloradius.sql
+
+- name: copy daloradius files
+ shell: "cp -r /opt/zenected/downloads/daloradius-0.9-9/* /var/www/zen/users" # copy with remote_src doesn't support recursion
+
+- name: configure daloradius
+ lineinfile:
+ dest: /var/www/zen/users/library/daloradius.conf.php
+ regexp: '{{ item[0] }}'
+ line: '{{ item[1] }}'
+ with_items:
+ - [ "_USER'] = 'root';", "$configValues['CONFIG_DB_USER'] = 'radius';" ]
+ - [ "_PASS'] = '';", "$configValues['CONFIG_DB_PASS'] = '{{ radius_mysql_password }}';" ]
+ - [ "_RADIUSSECRET'] = '';", "$configValues['CONFIG_MAINT_TEST_USER_RADIUSSECRET'] = '{{ radius_password }}';" ]
+
+- name: restart freeradius
+ service:
+ name: freeradius
+ state: restarted
diff --git a/roles/radius/templates/clients.conf.j2 b/roles/radius/templates/clients.conf.j2
new file mode 100644
index 0000000..2e94538
--- /dev/null
+++ b/roles/radius/templates/clients.conf.j2
@@ -0,0 +1,7 @@
+# -*- text -*-
+## $Id$
+
+client 127.0.0.1 {
+ secret = {{ radius_password }}
+ nastype = other
+}
\ No newline at end of file
diff --git a/roles/radius/templates/servers.j2 b/roles/radius/templates/servers.j2
new file mode 100644
index 0000000..20ff8d7
--- /dev/null
+++ b/roles/radius/templates/servers.j2
@@ -0,0 +1,5 @@
+# Make sure that this file is mode 600 (readable only to owner)!
+#
+#Server Name or Client/Server pair Key
+#---------------- ---------------
+localhost {{ radius_password }}
\ No newline at end of file
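Review bot: The `freeradius configuration` task renders sql.conf and clients.conf, which carry `radius_mysql_password` and the shared secret, without `mode`/`owner`/`group`, so they are created with the module default (typically world-readable); the `radius server configuration` task in the same hunk already sets `mode: 0600`, and the templates need the equivalent, e.g. `mode: 0640`, `owner: root`, `group: freerad` (the group radiusd.conf runs as), as does the daloradius.conf.php that `configure daloradius` fills with `radius_mysql_password` and `radius_password` under the web root. The `grant privileges` and `flush privileges` tasks pass `-p{{ mysql_password }}` on the mysql command line, which exposes the MySQL root password in the process list and in Ansible's output; `mysql_user` with `login_password` and `priv`, as the `mysql_db` tasks here already do for the database, plus `no_log: true` on tasks whose arguments contain a password, removes both exposures. `regexp: '^127.0.0.1'` in `change host file` has unescaped dots, which is harmless here but should be `'^127\.0\.0\.1'` to match what it says. The same command-line password pattern appears in roles/zenected/tasks/main.yml later in this series.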
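Review bot: `secret = {{ radius_password }}` in clients.conf.j2 is unquoted, so a generated secret containing whitespace or a `#` would be truncated by the FreeRADIUS config parser and every request from the loopback client would then be rejected with a shared-secret mismatch; `secret = "{{ radius_password }}"` avoids that. How `radius_password` is generated is outside this hunk, so whether such characters can occur is inferred, not visible.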
diff --git a/roles/radius/templates/sql.conf.j2 b/roles/radius/templates/sql.conf.j2
new file mode 100644
index 0000000..c1fb24a
--- /dev/null
+++ b/roles/radius/templates/sql.conf.j2
@@ -0,0 +1,32 @@
+# -*- text -*-
+##
+## sql.conf -- SQL modules
+##
+## $Id$
+
+sql {
+ database = "mysql"
+ driver = "rlm_sql_\${database}"
+ server = "localhost"
+ #port = 3306
+ login = "radius"
+ password = "{{ radius_mysql_password }}"
+ radius_db = "radius"
+ acct_table1 = "radacct"
+ acct_table2 = "radacct"
+ postauth_table = "radpostauth"
+ authcheck_table = "radcheck"
+ authreply_table = "radreply"
+ groupcheck_table = "radgroupcheck"
+ groupreply_table = "radgroupreply"
+ usergroup_table = "radusergroup"
+ deletestalesessions = yes
+ sqltrace = no
+ sqltracefile = \${logdir}/sqltrace.sql
+ num_sql_socks = 5
+ connect_failure_retry_delay = 60
+ lifetime = 0
+ max_queries = 0
+ nas_table = "nas"
+ \$INCLUDE sql/\${database}/dialup.conf
+}
diff --git a/roles/radius/vars/main.yml b/roles/radius/vars/main.yml
new file mode 100644
index 0000000..8e54179
--- /dev/null
+++ b/roles/radius/vars/main.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ - radiusclient1
+ - freeradius #Dpkg::Options::=--force-confnew
+ - freeradius-mysql #Dpkg::Options::=--force-confnew
+ - libfreeradius2
diff --git a/roles/squid/files/squid.conf b/roles/squid/files/squid.conf
new file mode 100644
index 0000000..273ec66
--- /dev/null
+++ b/roles/squid/files/squid.conf
@@ -0,0 +1,37 @@
+# WELCOME TO SQUID 3.3.8
+acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+acl localnet src 192.168.0.0/16
+acl localnet src 10.0.0.0/8
+acl localnet src fc00::/7 # RFC 4193 local private network range
+acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
+
+acl SSL_ports port 443
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost manager
+http_access deny manager
+http_access allow localnet
+http_access allow localhost
+http_access deny all
+
+http_port 3128 intercept
+http_port 3127
+
+coredump_dir /var/spool/squid3
+url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
+refresh_pattern . 0 20% 4320
\ No newline at end of file
diff --git a/roles/squid/files/squidGuard.conf b/roles/squid/files/squidGuard.conf
new file mode 100644
index 0000000..76f2de4
--- /dev/null
+++ b/roles/squid/files/squidGuard.conf
@@ -0,0 +1,24 @@
+# CONFIG FILE FOR SQUIDGUARD
+# Caution: do NOT use comments inside { }
+
+dbhome /opt/zenected/url
+logdir /var/log/squidguard
+
+dest perun_malware {
+ urllist perun_malware.url
+}
+
+dest perun_phishing {
+ urllist perun_phishing.url
+}
+
+dest local_blacklist {
+ urllist local_blacklist.url
+}
+
+acl {
+ default {
+ pass !perun_malware !perun_phishing !local_blacklist all
+ redirect http://127.0.0.1/?clienturl=%u&reason=%t
+ }
+}
\ No newline at end of file
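Review bot: `http_port 3127` opens a plain (non-intercept) forward-proxy port, and `http_access allow localnet` admits every RFC1918 and ULA range rather than the network this gateway actually serves, so any host that can reach port 3127 from those ranges can use the box as an open proxy to the outside. If 3127 is not needed by clients, drop it; otherwise narrow `localnet` to the real client range (the suricata role in this series defaults `home_net` to `192.168.1.0/24`), e.g. `acl localnet src 192.168.1.0/24`. Whether the l2p role's iptables rules already restrict 3127 is outside this hunk, so this may be mitigated elsewhere.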
diff --git a/roles/squid/tasks/main.yml b/roles/squid/tasks/main.yml
new file mode 100644
index 0000000..a92f93b
--- /dev/null
+++ b/roles/squid/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: install dependencies
+ apt:
+ name: "{{ item }}"
+ with_items: "{{ dependencies }}"
+
+- name: configure squid
+ copy:
+ src: squid.conf
+ dest: /etc/squid3/squid.conf
+
+- name: configure squid
+ copy:
+ src: squidGuard.conf
+ dest: /etc/squidguard/squidGuard.conf
diff --git a/roles/squid/vars/main.yml b/roles/squid/vars/main.yml
new file mode 100644
index 0000000..ff97a9f
--- /dev/null
+++ b/roles/squid/vars/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - squidguard
diff --git a/roles/suricata/defaults/main.yml b/roles/suricata/defaults/main.yml
new file mode 100644
index 0000000..6639e41
--- /dev/null
+++ b/roles/suricata/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+home_net: "192.168.1.0/24"
diff --git a/roles/suricata/files/oinkmaster.conf b/roles/suricata/files/oinkmaster.conf
new file mode 100644
index 0000000..3c96dcc
--- /dev/null
+++ b/roles/suricata/files/oinkmaster.conf
@@ -0,0 +1,10 @@
+# Oinkmaster config for PerunWorks
+# Perun Rules
+url = file:///opt/zenected/downloads/perun_rules.tar.gz
+url = file:///opt/zenected/downloads/perun_hashes.tar.gz
+url = file:///opt/zenected/downloads/perun_feodo_rules.tar.gz
+url = file:///opt/zenected/downloads/perun_zeus_rules.tar.gz
+
+skipfile local.rules
+skipfile deleted.rules
+skipfile snort.conf
\ No newline at end of file
diff --git a/roles/suricata/files/suricata b/roles/suricata/files/suricata
new file mode 100644
index 0000000..4264e24
--- /dev/null
+++ b/roles/suricata/files/suricata
@@ -0,0 +1 @@
+RUN=yes
\ No newline at end of file
diff --git a/roles/suricata/tasks/main.yml b/roles/suricata/tasks/main.yml
new file mode 100644
index 0000000..4903f74
--- /dev/null
+++ b/roles/suricata/tasks/main.yml
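Review bot: Neither `configure squid` task notifies a handler or restarts the proxy, so a changed squid.conf or squidGuard.conf is copied into place but not applied until something else restarts the service; add a handler and `notify: restart squid` on both copies (the service is presumably `squid3`, going by the `/etc/squid3` and `/var/spool/squid3` paths, which I cannot confirm from here). The two tasks also share the name `configure squid`, which makes `--start-at-task` and play output ambiguous; `configure squidguard` for the second one would fix that.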
@@ -0,0 +1,50 @@
+---
+- name: install dependencies
+ apt:
+ update_cache: yes
+ name: "{{ item }}"
+ with_items: "{{ dependencies }}"
+
+- name: download source # why not install packet?
+ unarchive:
+ src: "http://www.openinfosecfoundation.org/download/suricata-{{ suricata_version }}.tar.gz"
+ dest: "/opt"
+ remote_src: True
+
+- name: configure source
+ command: "./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr"
+ args:
+ chdir: "/opt/suricata-{{ suricata_version }}"
+
+- name: make suricata
+ make:
+ chdir: "/opt/suricata-{{ suricata_version }}"
+
+- name: install suricata
+ make:
+ chdir: "/opt/suricata-{{ suricata_version }}"
+ target: "install-full"
+ become: yes
+
+- name: ldocnfig
+ command: "ldconfig"
+ args:
+ chdir: "/opt/suricata-{{ suricata_version }}"
+
+- name: configure suricata
+ template:
+ src: suricata.yml.j2
+ dest: /etc/suricata/suricata.yml
+
+- name: configure oinkmaster
+ file:
+ src: oinkmaster.conf
+ dest: /etc/oinkmaster.conf
+
+- name: configure suricata to run at boot
+ copy:
+ src: suricata
+ dest: /etc/default/suricata
+
+- name: start suricata
+ command: 'suricata -D -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal'
diff --git a/roles/suricata/templates/suricata.yml.j2 b/roles/suricata/templates/suricata.yml.j2
new file mode 100644
index 0000000..38a979a
--- /dev/null
+++ b/roles/suricata/templates/suricata.yml.j2
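Review bot: The `configure suricata` task renders the template to `/etc/suricata/suricata.yml`, but `start suricata` launches the daemon with `-c /etc/suricata/suricata.yaml`, so Suricata runs from the stock config that `install-full` installed and the templated `HOME_NET` and perun `rule-files` are never loaded; change the template `dest` to `/etc/suricata/suricata.yaml`. Patch 3/4 later in this series rewrites the start line and keeps the `.yaml` path, so the mismatch survives the whole series. `configure oinkmaster` uses the `file` module with `src`/`dest` and no `state`, which does not copy a role file into place; it should be `copy:` like the two tasks around it. `download source` fetches the tarball over plain http with no `checksum` and the result is then built and installed as root, so an on-path party controls what gets installed; use the https URL and verify it first with `get_url` and `checksum: sha256:<digest-published-upstream>` before unarchiving.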
@@ -0,0 +1,476 @@ +%YAML 1.1 +--- +host-mode: auto +default-log-dir: /var/log/suricata/ +unix-command: + enabled: no + +outputs: + - fast: + enabled: yes + filename: fast.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + type: file #file|syslog|unix_dgram|unix_stream + filename: eve.json + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + types: + - alert + ##- http: + ## extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + ##- dns + ##- tls: + ## extended: yes # enable this for extended logging information + - files: + force-magic: yes ##no # force logging magic on all logged files + force-md5: yes ##no # force logging of md5 checksums + #- drop + ##- ssh + - unified2-alert: + enabled: no #yes + filename: unified2.alert + xff: + enabled: no + mode: extra-data + header: X-Forwarded-For + - http-log: + enabled: yes + filename: http.log + append: yes + - tls-log: + enabled: no # Log TLS connections. + filename: tls.log # File to store TLS logs. + append: yes + certs-log-dir: certs # directory to store the certificates files + - dns-log: + enabled: no + filename: dns.log + append: yes + - pcap-info: + enabled: no + - pcap-log: + enabled: no + filename: log.pcap + limit: 1000mb + max-files: 2000 + mode: normal # normal or sguil. + use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. 
"no" logs all packets + - alert-debug: + enabled: no + filename: alert-debug.log + append: yes + - alert-prelude: + enabled: no + profile: suricata + log-packet-content: no + log-packet-header: yes + - stats: + enabled: yes + filename: stats.log + interval: 8 + - syslog: + enabled: no + facility: local5 + - drop: + enabled: no + filename: drop.log + append: yes + - file-store: + enabled: no # set to yes to enable + log-dir: files # directory to store the files + force-magic: no # force logging magic on all stored files + force-md5: no # force logging of md5 checksums + - file-log: + enabled: yes ##no + filename: files-json.log + append: yes + force-magic: yes ##no # force logging magic on all logged files + force-md5: yes ##no # force logging of md5 checksums +magic-file: /usr/share/file/magic +nfq: +# mode: accept +# repeat-mark: 1 +# repeat-mask: 1 +# route-queue: 2 +# batchcount: 20 +# fail-open: yes +nflog: + - group: 2 + buffer-size: 18432 + - group: default + qthreshold: 1 + qtimeout: 100 + max-size: 20000 +af-packet: + - interface: eth0 + threads: 1 + cluster-id: 99 + cluster-type: cluster_flow + defrag: yes + use-mmap: yes + - interface: eth1 + threads: 1 + cluster-id: 98 + cluster-type: cluster_flow + defrag: yes + - interface: default + +legacy: + uricontent: enabled + +detect-engine: + - profile: medium + - custom-values: + toclient-src-groups: 2 + toclient-dst-groups: 2 + toclient-sp-groups: 2 + toclient-dp-groups: 3 + toserver-src-groups: 2 + toserver-dst-groups: 4 + toserver-sp-groups: 2 + toserver-dp-groups: 25 + - sgh-mpm-context: auto + - inspection-recursion-limit: 3000 +threading: + set-cpu-affinity: no + cpu-affinity: + - management-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - receive-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - decode-cpu-set: + cpu: [ 0, 1 ] + mode: "balanced" + - stream-cpu-set: + cpu: [ "0-1" ] + - detect-cpu-set: + cpu: [ "all" ] + mode: "exclusive" # run detect 
threads in these cpus + prio: + low: [ 0 ] + medium: [ "1-2" ] + high: [ 3 ] + default: "medium" + - verdict-cpu-set: + cpu: [ 0 ] + prio: + default: "high" + - reject-cpu-set: + cpu: [ 0 ] + prio: + default: "low" + - output-cpu-set: + cpu: [ "all" ] + prio: + default: "medium" + detect-thread-ratio: 1.5 + +cuda: + mpm: + data-buffer-size-min-limit: 0 + data-buffer-size-max-limit: 1500 + cudabuffer-buffer-size: 500mb + gpu-transfer-size: 50mb + batching-timeout: 2000 + device-id: 0 + cuda-streams: 2 +mpm-algo: ac +pattern-matcher: + - b2gc: + search-algo: B2gSearchBNDMq + hash-size: low + bf-size: medium + - b2gm: + search-algo: B2gSearchBNDMq + hash-size: low + bf-size: medium + - b2g: + search-algo: B2gSearchBNDMq + hash-size: low + bf-size: medium + - b3g: + search-algo: B3gSearchBNDMq + hash-size: low + bf-size: medium + - wumanber: + hash-size: low + bf-size: medium + +defrag: + memcap: 32mb + hash-size: 65536 + trackers: 65535 # number of defragmented flows to follow + max-frags: 65535 # number of fragments to keep (higher than trackers) + prealloc: yes + timeout: 60 +flow: + memcap: 64mb + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 +vlan: + use-for-tracking: true + +flow-timeouts: + + default: + new: 30 + established: 300 + closed: 0 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + tcp: + new: 60 + established: 3600 + closed: 120 + emergency-new: 10 + emergency-established: 300 + emergency-closed: 20 + udp: + new: 30 + established: 300 + emergency-new: 10 + emergency-established: 100 + icmp: + new: 30 + established: 300 + emergency-new: 10 + emergency-established: 100 + +stream: + memcap: 32mb + checksum-validation: yes # reject wrong csums + inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + reassembly: + memcap: 128mb + depth: 1mb # reassemble 1mb into a stream + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: yes + +# Host table: +host: + hash-size: 
4096 + prealloc: 1000 + memcap: 16777216 + +logging: + default-log-level: notice + default-output-filter: + outputs: + - console: + enabled: yes + - file: + enabled: no + filename: /var/log/suricata.log + - syslog: + enabled: no + facility: local5 + format: "[%i] <%d> -- " + +mpipe: + load-balance: dynamic + iqueue-packets: 2048 + inputs: + - interface: xgbe2 + - interface: xgbe3 + - interface: xgbe4 + stack: + size128: 0 + size256: 9 + size512: 0 + size1024: 0 + size1664: 7 + size4096: 0 + size10386: 0 + size16384: 0 + +pfring: + - interface: eth0 + threads: 1 + cluster-id: 99 + cluster-type: cluster_flow + - interface: default + +pcap: + - interface: eth0 + - interface: default + +pcap-file: + checksum-checks: auto + +ipfw: +default-rule-path: /etc/suricata/rules +rule-files: + - perun_hashes.rules + - perun_rules.rules + - perun_feodo.abusech.rules + - perun_zeus.abusech.rules + +classification-file: /etc/suricata/classification.config +reference-config-file: /etc/suricata/reference.config + +vars: + + address-groups: + + HOME_NET: "[{{ home_net }}]" + + EXTERNAL_NET: "!$HOME_NET" + + HTTP_SERVERS: "$HOME_NET" + + SMTP_SERVERS: "$HOME_NET" + + SQL_SERVERS: "$HOME_NET" + + DNS_SERVERS: "$HOME_NET" + + TELNET_SERVERS: "$HOME_NET" + + AIM_SERVERS: "$EXTERNAL_NET" + + DNP3_SERVER: "$HOME_NET" + + DNP3_CLIENT: "$HOME_NET" + + MODBUS_CLIENT: "$HOME_NET" + + MODBUS_SERVER: "$HOME_NET" + + ENIP_CLIENT: "$HOME_NET" + + ENIP_SERVER: "$HOME_NET" + + port-groups: + + HTTP_PORTS: "80" + + SHELLCODE_PORTS: "!80" + + ORACLE_PORTS: 1521 + + SSH_PORTS: 22 + + DNP3_PORTS: 20000 + +action-order: + - pass + - drop + - reject + - alert + +host-os-policy: + windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"] + old-solaris: [] + solaris: ["::1"] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + +asn1-max-frames: 256 + +engine-analysis: + rules-fast-pattern: yes + 
rules: yes
+
+pcre:
+ match-limit: 3500
+ match-limit-recursion: 1500
+
+app-layer:
+ protocols:
+ tls:
+ enabled: yes
+ detection-ports:
+ dp: 443
+ dcerpc:
+ enabled: yes
+ ftp:
+ enabled: yes
+ ssh:
+ enabled: yes
+ smtp:
+ enabled: yes
+ imap:
+ enabled: detection-only
+ msn:
+ enabled: detection-only
+ smb:
+ enabled: yes
+ detection-ports:
+ dp: 139
+ dns:
+ tcp:
+ enabled: yes
+ detection-ports:
+ dp: 53
+ udp:
+ enabled: yes
+ detection-ports:
+ dp: 53
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+ request-body-limit: 3072
+ response-body-limit: 3072
+ request-body-minimal-inspect-size: 32kb
+ request-body-inspect-window: 4kb
+ response-body-minimal-inspect-size: 32kb
+ response-body-inspect-window: 4kb
+ double-decode-path: no
+ double-decode-query: no
+
+ server-config:
+
+profiling:
+ rules:
+ enabled: yes
+ filename: rule_perf.log
+ append: yes
+ sort: avgticks
+ limit: 100
+ keywords:
+ enabled: yes
+ filename: keyword_perf.log
+ append: yes
+ packets:
+ enabled: yes
+ filename: packet_stats.log
+ append: yes
+ csv:
+ enabled: no
+ filename: packet_stats.csv
+ locks:
+ enabled: no
+ filename: lock_stats.log
+ append: yes
+
+coredump:
+ max-dump: unlimited
+
+napatech:
+ hba: -1
+ use-all-streams: yes
+ streams: [1, 2, 3]
\ No newline at end of file
diff --git a/roles/suricata/vars/main.yml b/roles/suricata/vars/main.yml
new file mode 100644
index 0000000..986d780
--- /dev/null
+++ b/roles/suricata/vars/main.yml
@@ -0,0 +1,30 @@
+suricata_version: 3.1
+
+dependencies:
+ - oinkmaster
+ - libpcre3
+ - libpcre3-dbg
+ - libpcre3-dev
+ - build-essential
+ - autoconf
+ - automake
+ - libtool
+ - libpcap-dev
+ - libnet1-dev
+ - libyaml-0-2
+ - libyaml-dev
+ - zlib1g
+ - zlib1g-dev
+ - libcap-ng-dev
+ - libcap-ng0
+ - make
+ - libmagic-dev
+ - libjansson-dev
+ - libjansson4
+ - pkg-config
+ - libnetfilter-queue-dev
+ - libnetfilter-queue1
+ - libnfnetlink-dev
+ - libnfnetlink0
+ - libnss3-dev
+ - libnspr4-dev
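Review bot: `rule-files` lists only the four perun files, and nothing in the suricata role populates `/etc/suricata/rules` (oinkmaster is only configured, not run), so on a fresh host the engine can start with zero rules; once patch 3/4 drops `--init-errors-fatal` from the start command that condition no longer even stops startup, so the play should either run oinkmaster before starting Suricata or assert the rule files exist. `stream: checksum-validation: yes` means packets with bad checksums are kept out of stream inspection; with the inline NFQUEUE mode this series ends on (`-q 0`) and NIC checksum offload on the gateway's own traffic, that can leave locally originated flows uninspected, which is why `checksum-validation: no` (or disabling offload on the interfaces) is commonly used for NFQ setups — worth confirming on the target hardware rather than taking from this note. `profiling: rules: enabled: yes` with `packets`/`keywords` profiling on is a measurable per-packet cost on a small gateway and is normally left off outside tuning sessions.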
diff --git a/roles/zenected.pre/tasks/main.yml b/roles/zenected.pre/tasks/main.yml
new file mode 100644
index 0000000..e00d6b1
--- /dev/null
+++ b/roles/zenected.pre/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: upgrade dist
+ apt:
+ upgrade: yes
+ update_cache: yes
+
+- name: install dependencies
+ apt:
+ name: "{{ item }}"
+ with_items: "{{ dependencies }}"
+
+- name: create necessary directories
+ file:
+ state: directory
+ path: "{{ item }}"
+ with_items: "{{ directories }}"
+
+- name: create necessary zenected directories
+ file:
+ state: directory
+ path: "/opt/zenected/{{ item }}"
+ with_items: "{{ zenected_directories }}"
+
+- name: get public IP
+ ipify_facts:
+ api_url: http://ifconfig.co/json
+
+- name: create zenected configuration
+ template:
+ src: zenected.conf.j2
+ dest: /etc/zenected/zenected.conf
+
+- name: create update crontab
+ cron:
+ minute: "0"
+ hour: "3"
+ name: "apt-get upgrade"
+ job: "/usr/bin/apt-get update && /usr/bin/apt-get -y upgrade >> /var/log/apt/myupdates.log"
+ # needs a logrotate rule?
diff --git a/roles/zenected.pre/templates/zenected.conf.j2 b/roles/zenected.pre/templates/zenected.conf.j2
new file mode 100644
index 0000000..168529c
--- /dev/null
+++ b/roles/zenected.pre/templates/zenected.conf.j2
@@ -0,0 +1,2 @@
+#Zenected config
+CURRENT_IP="{{ ipify_public_ip }}"
\ No newline at end of file
diff --git a/roles/zenected.pre/vars/main.yml b/roles/zenected.pre/vars/main.yml
new file mode 100644
index 0000000..3c859db
--- /dev/null
+++ b/roles/zenected.pre/vars/main.yml
@@ -0,0 +1,19 @@
+---
+dependencies:
+ - fail2ban
+ - curl
+ - git
+ - mysql-client
+ - debconf
+ - sed
+ - sqlite3
+
+zenected_directories:
+ - downloads
+ - dns
+ - url
+
+directories:
+ - /etc/zenected
+ - /var/www/zen/users
+ - /etc/ipsec.d/examples
diff --git a/roles/zenected/defaults/main.yml b/roles/zenected/defaults/main.yml
new file mode 100644
index 0000000..bd2bd23
--- /dev/null
+++ b/roles/zenected/defaults/main.yml
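Review bot: `create zenected configuration` writes `/etc/zenected/zenected.conf` with no `mode`, and the radius and zenected roles in this series later add `ZEN_RADIUS_SHARED`, `ZEN_RADIUS_MYSQL` and `ZEN_REDIR_MYSQL` to that same file with `lineinfile`, so the RADIUS shared secret and two database passwords end up in a file readable by every local account under the default mode; `mode: 0600` and `owner: root` on this template task fixes it for all of them. `get public IP` queries `http://ifconfig.co/json` over plain HTTP and stores the answer as `CURRENT_IP`, so an on-path party can hand the gateway a wrong address; an `https://` `api_url` is the minimum here. `upgrade dist` runs `upgrade: yes` unconditionally, which makes every play apply pending upgrades and report changed; a tag or `when` guard would keep routine runs idempotent.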
@@ -0,0 +1,4 @@
+---
+zenredir_password: "{{ lookup('password', 'credentials/zenected/password chars=ascii_letters,digits,hexdigits length=15') }}"
+update_h: "{{ 23 | random}}"
+update_m: "{{ 59 | random}}"
diff --git a/roles/zenected/tasks/main.yml b/roles/zenected/tasks/main.yml
new file mode 100644
index 0000000..ec2c2b5
--- /dev/null
+++ b/roles/zenected/tasks/main.yml
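Review bot: `update_h` and `update_m` use `random` with no seed, so they take a new value on every run and the `configure zenected` lineinfile task in roles/zenected/tasks/main.yml rewrites the update schedule and reports changed each time; `"{{ 23 | random(seed=inventory_hostname) }}"` keeps the value stable per host while still spreading hosts out. The `chars=ascii_letters,digits,hexdigits` spec for `zenredir_password` lists the hex characters twice, which biases the 15-character result toward `0-9a-f`; `chars=ascii_letters,digits` with a longer `length` gives a cleaner keyspace.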
@@ -0,0 +1,72 @@
+---
+- name: install dependencies
+ apt:
+ name: software-properties-common
+
+- name: add key
+ apt_key:
+ keyserver: keyserver.ubuntu.com
+ id: EDEA5A7B
+
+- name: add repository
+ apt_repository:
+ repo: deb http://repository.perunworks.com/ trusty main
+
+- name: install zenected
+ apt:
+ name: zenected-aws
+ update_cache: yes
+
+- name: change rc.local
+ blockinfile:
+ dest: /etc/rc.local
+ marker: "# {mark} Zenected"
+ block: |
+ sudo /opt/zenected/zenected_restart.zenx
+
+- name: drop create radius db
+ mysql_db:
+ login_password: '{{ mysql_password }}'
+ login_user: root
+ name: zenredir
+ state: '{{ item }}'
+ with_items:
+ - absent
+ - present
+
+- name: grant privileges
+ shell: mysql -u root -p{{ mysql_password }} -e "GRANT ALL ON zenredir.* TO zenredir@localhost IDENTIFIED BY '{{ zenredir_password }}'"
+
+- name: flush privileges
+ command: 'mysql -u root -p{{ mysql_password }} -e "FLUSH PRIVILEGES"'
+
+- name: configure zenected
+ lineinfile:
+ dest: /etc/zenected/zenected.conf
+ regexp: "{{ item[0] }}"
+ line: "{{ item[1] }}"
+ with_items:
+ - [ '^ZEN_REDIR_MYSQL=', 'ZEN_REDIR_MYSQL="{{ zenredir_password }}"' ]
+ - [ '^ZEN_UPDATES_H=', 'ZEN_UPDATES_H="{{ update_h }}"' ]
+ - [ '^ZEN_UPDATES_M=', 'ZEN_UPDATES_M="{{ update_m }}' ]
+
+- name: configure zenected php
+ template:
+ src: zenected.conf.php.j2
+ dest: /var/www/html/zenected.conf.php
+
+- name: zenected update
+ command: /opt/zenected/zenected_update.zenx
+
+- name: restart services
+ service:
+ name: "{{ item }}"
+ state: restarted
+ with_items:
+ - ipsec
+ - xl2tpd
+ - freeradius
+
+- name: show message
+ debug:
+ msg: "Connect to the host and run /opt/zenected/zenected_setup.zenx. Check Resources at https://zenected.com"
diff --git a/roles/zenected/templates/zenected.conf.php.j2 b/roles/zenected/templates/zenected.conf.php.j2
new file mode 100644
index 0000000..dfa4400
--- /dev/null
+++ b/roles/zenected/templates/zenected.conf.php.j2
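Review bot: The third `configure zenected` entry, `'ZEN_UPDATES_M="{{ update_m }}'`, is missing the closing double quote, so the rendered line is `ZEN_UPDATES_M="37` (constructed sample) and anything that sources zenected.conf as shell hits an unterminated string; it should read `'ZEN_UPDATES_M="{{ update_m }}"'` like the two entries above it. `add key` pins only the 8-hex-digit short id `EDEA5A7B` fetched from a public keyserver; short ids are collidable, so pass the full 40-character fingerprint to `id:` or ship the key with the role, and note the repository itself is plain `http://`, so the signature is the only integrity check apt has. `grant privileges` and `flush privileges` put `-p{{ mysql_password }}` on the command line, the same exposure raised on the radius tasks hunk; `mysql_user` with `login_password` and `no_log: true` applies here too. `sudo` in the rc.local block is redundant since rc.local already runs as root, and the task is named `drop create radius db` although it creates `zenredir`.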
@@ -0,0 +1 @@
+ 
\ No newline at end of file
diff --git a/zenected.yml b/zenected.yml
new file mode 100644
index 0000000..665b275
--- /dev/null
+++ b/zenected.yml
@@ -0,0 +1,25 @@
+---
+- name: install zenected
+ hosts: zenected
+ become: yes
+ roles:
+ - role: zenected.pre
+ tags: zenected.pre
+ - role: apache
+ tags: apache
+ - role: mysql
+ tags: mysql
+ - role: php
+ tags: php
+ - role: suricata
+ tags: suricata
+ - role: radius
+ tags: radius
+ - role: squid
+ tags: squid
+ - role: l2p
+ tags: l2p
+ - role: dnsmasq
+ tags: dnsmasq
+ - role: zenected
+ tags: zenected
From 206c974683921652072fcfc51ca5b963b2665512 Mon Sep 17 00:00:00 2001
From: Pierre Gaulon
Date: Sun, 9 Apr 2017 12:59:14 +0800
Subject: [PATCH 2/4] change local unarchive to remote -> Cloudflare forbidding User-Agent Python-urllib/2.7
---
roles/radius/tasks/main.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml
index e89b9f4..9934e1f 100644
--- a/roles/radius/tasks/main.yml
+++ b/roles/radius/tasks/main.yml
@@ -90,10 +90,10 @@ - name: download daloradius unarchive: -# src: 'https://zenected.com/downloads/daloradius-0.9-9.tar.gz' - src: daloradius-0.9-9.tar.gz + src: 'https://zenected.com/downloads/daloradius-0.9-9.tar.gz' +# src: daloradius-0.9-9.tar.gz dest: /opt/zenected/downloads/ -# remote_src: yes + remote_src: yes - name: import daloradius sql mysql_db:
From aec2d0788ef587ac26423e51ba3c6ce586780155 Mon Sep 17 00:00:00 2001
From: Pierre Gaulon
Date: Wed, 12 Apr 2017 12:27:51 +0800
Subject: [PATCH 3/4] change suricata start daemon command
---
roles/suricata/tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/suricata/tasks/main.yml b/roles/suricata/tasks/main.yml
index 4903f74..92a0c54 100644
--- a/roles/suricata/tasks/main.yml
+++ b/roles/suricata/tasks/main.yml
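Review bot: Switching `download daloradius` to `remote_src: yes` means the tarball is fetched from zenected.com on every run and unpacked with no integrity check, and the following tasks import its SQL into the radius database and copy its PHP under the web root, so whoever can alter that download alters the RADIUS schema and the admin UI; a `get_url` step with `checksum: sha256:<digest-of-daloradius-0.9-9>` ahead of the unarchive pins what gets installed, and the fetch should also be made conditional (`creates:`) so it is not repeated each play. The task list continues outside this hunk.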
@@ -47,4 +47,4 @@ dest: /etc/default/suricata - name: start suricata - command: 'suricata -D -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal' + shell: 'suricata -D -c /etc/suricata/suricata.yaml -q 0'
From 38431a11cb065b06d6999b74171738d9b96c658f Mon Sep 17 00:00:00 2001
From: Pierre Gaulon
Date: Fri, 28 Apr 2017 10:34:13 +0800
Subject: [PATCH 4/4] add protocol Vagrant port forward
---
Vagrantfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Vagrantfile b/Vagrantfile
index 549d572..32fbe8b 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -39,7 +39,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| node.vm.hostname = "#{name}" node.vm.network :private_network, ip: box["ip"], netmask: "255.255.255.0" box["ports"].each do |id, ports| - node.vm.network :forwarded_port, guest: ports["guest"], host: ports["host"], id: id + node.vm.network :forwarded_port, guest: ports["guest"], host: ports["host"], protocol: ports["protocol"], id: id end node.vm.provider "virtualbox" do |v|
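Review bot: The new `shell:` line drops `--init-errors-fatal`, so a missing rule file or a broken suricata.yaml no longer stops the daemon and the play reports success with an engine that may be inspecting nothing; keeping the flag, or at least registering the result and checking the log for load errors, preserves that signal. `shell` is not needed here (no pipes or redirection), `command:` suffices, and nothing checks for an already running instance, so each re-run forks another daemon on queue 0. The config path `-c /etc/suricata/suricata.yaml` still differs from the `.yml` the template task writes, as raised on the patch 1/4 suricata tasks hunk.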
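Review bot: `protocol: ports["protocol"]` passes `nil` for any box whose port entry has no `"protocol"` key, whereas the old line let Vagrant apply its own default; `protocol: ports.fetch("protocol", "tcp")` keeps that default for existing entries and only changes behaviour where a protocol is given. The box definitions are outside this hunk, so whether every entry already sets the key is not visible here.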