Ansible migration

Vagrantfile

@@ -0,0 +1,55 @@
+VAGRANTFILE_API_VERSION = "2"
+
+vm_group = "/test"
+
+vm_boxes = {
+  "zenected" => {
+    "ip" => "192.168.1.254",
+    "ports" => {
+      "http" => {
+        "host" => 8080,
+        "guest" => 80,
+        "protocol" => "tcp"
+      },
+      "https" => {
+        "host" => 8443,
+        "guest" => 443,
+        "protocol" => "tcp"
+      },
+      "ipsec1" => {
+        "host" => 8500,
+        "guest" => 500,
+        "protocol" => "udp"
+      },
+      "ipsec2" => {
+        "host" => 4500,
+        "guest" => 4500,
+        "protocol" => "udp"
+      },
+    }
+  },
+}
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  config.vm.box = "ubuntu/trusty64"
+  # config.ssh.insert_key = false
+
+  vm_boxes.each do |name, box|
+    config.vm.define "#{name}" do |node|
+      node.vm.hostname = "#{name}"
+      node.vm.network :private_network, ip: box["ip"], netmask: "255.255.255.0"
+      box["ports"].each do |id, ports|
+        node.vm.network :forwarded_port, guest: ports["guest"], host: ports["host"], protocol: ports["protocol"], id: id
+      end
+
+      node.vm.provider "virtualbox" do |v|
+        v.memory = 1024
+        v.name = "#{name}"
+        v.customize [
+          "modifyvm", :id,
+          "--groups", vm_group
+        ]
+      end
+    end
+  end
+end

ansible.cfg

@@ -0,0 +1,8 @@
+[defaults]
+inventory  = hosts
+host_key_checking = no
+private_key_file = .vagrant/machines/zenected/virtualbox/private_key
+remote_user = vagrant
+
+[ssh_connection]
+ssh_args = -o IdentitiesOnly=yes

hosts

@@ -0,0 +1,2 @@
+[zenected]
+localhost:2222

roles/apache/files/000-default.conf

@@ -0,0 +1,5 @@
+<VirtualHost *:80>
+        ServerAdmin webmaster@localhost
+        DocumentRoot /var/www/html
+        ErrorDocument 404 /index.php
+</VirtualHost>

roles/apache/files/dir.conf

@@ -0,0 +1,3 @@
+<IfModule mod_dir.c>
+    DirectoryIndex index.php index.html index.cgi index.pl index.xhtml index.htm
+</IfModule>

roles/apache/files/index.html

@@ -0,0 +1,7 @@
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title></title>
+  </head>
+  <body>
+  </body>
+</html>

roles/apache/files/zenusers-ssl.conf

@@ -0,0 +1,25 @@
+<IfModule mod_ssl.c>
+    <VirtualHost _default_:443>
+        ServerAdmin webmaster@localhost
+
+        DocumentRoot /var/www/zen/
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+        SSLEngine on
+        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+        <FilesMatch "\.(cgi|shtml|phtml|php)$">
+            SSLOptions +StdEnvVars
+        </FilesMatch>
+        <Directory /usr/lib/cgi-bin>
+            SSLOptions +StdEnvVars
+        </Directory>
+
+        BrowserMatch "MSIE [2-6]" \
+            nokeepalive ssl-unclean-shutdown \
+            downgrade-1.0 force-response-1.0
+        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+    </VirtualHost>
+</IfModule>

roles/apache/tasks/main.yml

@@ -0,0 +1,48 @@
+---
+- name: install apache2
+  apt:
+    name: apache2
+
+- name: configure dir
+  copy:
+    src: dir.conf
+    dest: /etc/apache2/mods-enabled/dir.conf
+
+- name: configure 000 default
+  copy:
+    src: 000-default.conf
+    dest: /etc/apache2/sites-available/000-default.conf
+
+- name: configure zenusers-ssl # why not lets encrypt cert?
+  copy:
+    src: zenusers-ssl.conf
+    dest: /etc/apache2/sites-available/zenusers-ssl.conf
+
+- name: index zen
+  copy:
+    src: index.html
+    dest: /var/www/zen/index.html
+
+- name: servername apache
+  lineinfile:
+    dest: /etc/apache2/apache2.conf
+    regexp: "^ServerName"
+    line: "ServerName localhost"
+
+- name: apache2 ssl module
+  apache2_module:
+    state: present
+    name: ssl
+
+- name: apache2 autoindex module
+  apache2_module:
+    state: absent
+    name: autoindex
+
+- name: add site zenusers-ssl
+  command: "a2ensite zenusers-ssl.conf"
+
+- name: restart apache
+  service:
+    name: apache2
+    state: restarted

roles/dnsmasq/files/dnsmasq.conf

@@ -0,0 +1,14 @@
+# Configuration file for dnsmasq.
+no-resolv
+
+##forward dns queries upstream
+server=8.8.8.8
+server=8.8.4.4
+
+no-hosts
+
+addn-hosts=/opt/zenected/dns/perun_ads.domains
+addn-hosts=/opt/zenected/dns/perun_feodo.domains
+addn-hosts=/opt/zenected/dns/perun_zeus.domains
+addn-hosts=/opt/zenected/dns/perun_suspicious.domains
+addn-hosts=/opt/zenected/dns/local_blacklist.domains

roles/dnsmasq/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: install dependencies
+  apt:
+    name: dnsmasq
+
+- name: configure dnsmasq
+  copy:
+    src: dnsmasq.conf
+    dest: /etc/dnsmasq.conf
+
+- name: restart dnsmasq
+  service:
+    name: dnsmasq
+    state: restarted

roles/l2p/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+ipsec_password: "{{ lookup('password', 'credentials/ipsec/password chars=ascii_letters,digits,hexdigits length=15') }}"

roles/l2p/files/Makefile.inc.local

@@ -0,0 +1 @@
+WERROR_CFLAGS =

roles/l2p/files/iptables.rules

@@ -0,0 +1,34 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:ICMPALL - [0:0]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp --icmp-type 255 -j ICMPALL
+-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
+-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
+-A INPUT -p udp --dport 1701 -j DROP
+-A INPUT -j DROP
+-A FORWARD -m conntrack --ctstate INVALID -j DROP
+-A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i ppp+ -o eth+ -j ACCEPT
+-A FORWARD -j DROP
+-A ICMPALL -p icmp -f -j DROP
+-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
+-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
+-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
+-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
+-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
+-A ICMPALL -p icmp -j DROP
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP}
+COMMIT

roles/l2p/files/iptablesload

@@ -0,0 +1,3 @@
+#!/bin/sh
+/sbin/iptables-restore < /etc/iptables.rules
+exit 0

roles/l2p/files/options.xl2tpd

@@ -0,0 +1,18 @@
+ipcp-accept-local
+ipcp-accept-remote
+#ms-dns 8.8.8.8
+#ms-dns 8.8.4.4
+ms-dns 192.168.42.1
+noccp
+auth
+crtscts
+idle 1800
+mtu 1280
+mru 1280
+lock
+lcp-echo-failure 10
+lcp-echo-interval 60
+connect-delay 5000
+
+plugin radius.so
+plugin radattr.so

roles/l2p/files/sysctl.conf

@@ -0,0 +1,29 @@
+kernel.sysrq = 0
+kernel.core_uses_pid = 1
+net.ipv4.tcp_syncookies = 1
+kernel.msgmnb = 65536
+kernel.msgmax = 65536
+kernel.shmmax = 68719476736
+kernel.shmall = 4294967296
+net.ipv4.ip_forward = 1
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.default.rp_filter = 0
+net.ipv6.conf.all.disable_ipv6=1
+net.ipv6.conf.default.disable_ipv6=1
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+kernel.randomize_va_space = 1
+net.core.wmem_max=12582912
+net.core.rmem_max=12582912
+net.ipv4.tcp_rmem= 10240 87380 12582912
+net.ipv4.tcp_wmem= 10240 87380 12582912

roles/l2p/files/xl2tpd.conf

@@ -0,0 +1,16 @@
+[global]
+port = 1701
+;debug avp = yes
+;debug network = yes
+;debug state = yes
+;debug tunnel = yes
+[lns default]
+ip range = 192.168.42.10-192.168.42.250
+local ip = 192.168.42.1
+require chap = yes
+refuse pap = yes
+require authentication = yes
+name = l2tpd
+;ppp debug = yes
+pppoptfile = /etc/ppp/options.xl2tpd
+length bit = yes

roles/l2p/tasks/main.yml

@@ -0,0 +1,73 @@
+---
+- name: install dependencies
+  apt:
+    name: '{{ item }}'
+  with_items: '{{ dependencies }}'
+
+- name: dowload libreswan
+  unarchive:
+    src: "https://download.libreswan.org/libreswan-{{ swan_version }}.tar.gz"
+    dest: "/opt/"
+    remote_src: yes
+
+- name: modify makefile
+  copy:
+    src: "Makefile.inc.local"
+    dest: "/opt/libreswan-{{ swan_version }}/Makefile.inc.local"
+
+- name: compile
+  make:
+    chdir: "/opt/libreswan-{{ swan_version }}"
+    target: programs
+
+- name: install
+  make:
+    chdir: "/opt/libreswan-{{ swan_version }}"
+    target: install
+
+- name: get my public IP
+  ipify_facts:
+    api_url: http://ifconfig.co/json
+
+- name: configure ipsec
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/{{ item }}"
+  with_items:
+    - ipsec.conf
+    - ipsec.secrets
+
+- name: configure xl2tpd
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/xl2tpd/{{ item }}"
+  with_items:
+    - xl2tpd.conf
+
+- name: configure xl2tpd
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/ppp/{{ item }}"
+  with_items:
+    - options.xl2tpd
+
+- name: configure zenected
+  lineinfile:
+    dest: /etc/zenected/zenected.conf
+    regexp: "^ZEN_SHARED="
+    line: 'ZEN_SHARED="Zenected"'
+
+- name: configure systcl
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/{{ item }}"
+    backup: yes
+  with_items:
+    - sysctl.conf
+    - iptables.rules
+
+- name: configure ifpreup
+  copy:
+    src: iptablesload
+    dest: /etc/network/if-pre-up.d/iptablesload
+    mode: 0755