diff options
author | Jakob Odersky <jakob@odersky.com> | 2017-12-03 23:59:59 -0800 |
---|---|---|
committer | Jakob Odersky <jakob@odersky.com> | 2017-12-04 00:00:13 -0800 |
commit | c780b908f539b8042881a87007859797e0d6bdc4 (patch) | |
tree | 02884c584909811de36a32ba0968ae3aafc28f23 /roles/openvpn | |
parent | df6be44d67e29d73b0f226985c2c7b6ec989c224 (diff) | |
download | metamorphic-c780b908f539b8042881a87007859797e0d6bdc4.tar.gz metamorphic-c780b908f539b8042881a87007859797e0d6bdc4.tar.bz2 metamorphic-c780b908f539b8042881a87007859797e0d6bdc4.zip |
Remove incomplete roles
Diffstat (limited to 'roles/openvpn')
-rw-r--r-- | roles/openvpn/files/ca.crt | 31 | ||||
-rw-r--r-- | roles/openvpn/files/crl.pem | 18 | ||||
-rw-r--r-- | roles/openvpn/files/dh4096.pem | 13 | ||||
-rw-r--r-- | roles/openvpn/files/server.conf | 306 | ||||
-rw-r--r-- | roles/openvpn/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/openvpn/meta/main.yml | 3 | ||||
-rw-r--r-- | roles/openvpn/tasks/main.yml | 56 |
7 files changed, 0 insertions, 433 deletions
diff --git a/roles/openvpn/files/ca.crt b/roles/openvpn/files/ca.crt deleted file mode 100644 index dc24426..0000000 --- a/roles/openvpn/files/ca.crt +++ /dev/null @@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFUDCCAzigAwIBAgIJALKknwe+743TMA0GCSqGSIb3DQEBCwUAMB8xHTAbBgNV -BAMMFEpha29iIE9kZXJza3kgVlBOIENBMB4XDTE2MTIyNjE1NDYzOFoXDTI2MTIy -NDE1NDYzOFowHzEdMBsGA1UEAwwUSmFrb2IgT2RlcnNreSBWUE4gQ0EwggIiMA0G -CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCqQWgLTIUBuJm83VlWA0Mq6kpHGqjD -PICzlEHFjT6uliSQBeGDCBZ5VyZH3xM+KXsbibDHlWuBebrysv6Eepl64E2X9BnH -7OtCM1XaYxITB5bXLvA+YGAdklZC28Izv63elcV4HCD593T38txErGWJsK1OG78i -GKIAAlhWR9wjdGxF8YzQx1GNud1AoY8Xgi3W0cTaJc18yqaapnDNs3gRcNBSmrq/ -s5CsFG/vvz0+Njf1u79qyrQVUFLYJqFWwnqrSmj/ldVYCn2vlIExNvFy5EGQi90L -Y1jyDQYMVDIC1yLWJIlW6TGZi8qjc7MbRXqLs1SePJaYtfxMG8mGb605cZ5v3mTS -Mi3+nFe5OIqk8E8NsVl/s2oUGbYc3GMdGKUU68O6ihUwH9Gxj1ocSq4cKxyXHXPL -uErCFBu36FN/CoAgdOThPED84x9n8EklGxewJKvkHNos3zQoubEimzqw1e8hXH3Z -kxHG325W4PcaT6HK7t127wvWPNywsYa5A+cuQKnXq6NysQbEhcsHxMUmeBBEOfaH -KQmji/KQTQQPAW8GpRh/PIVY/fmKVu8tKgVhQPlURNVqU0o2Mi/xDtnhFiPmaTzt -2zOyWpl3WGZrHiX+cdHqInqSQAbBe1sjNqPDTNsTGxAEnmzYK2Ya0C1TIc2MFv/j -uQRaOTRApAxy4wIDAQABo4GOMIGLMB0GA1UdDgQWBBTOxv73DemHSrCYq3B1GcDc -NrBOKzBPBgNVHSMESDBGgBTOxv73DemHSrCYq3B1GcDcNrBOK6EjpCEwHzEdMBsG -A1UEAwwUSmFrb2IgT2RlcnNreSBWUE4gQ0GCCQCypJ8Hvu+N0zAMBgNVHRMEBTAD -AQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAckRY9ueeSa3uafKX -PzNYqmwUVlIEYhQtG3vy0rqDQU3gcNYEkABXigquZatF46qOZ0pTN+8vGCksN3mZ -42/idtEfv0yxlZIbJRHBjYs6YZP1/rABAEtZSxIebw+cq1zdXnr98xWGAVWA3WJY -np8+Man2zeBEqU4dSJOr6wPSqpwJOFaYwI+PeHqcpHUd+PWsdFaWeOkk58oaS+1j -oVPSdEP+YgAZ7Pn/O6cF7ft7k1H6mQ6oUYJwKjN9/lsaFwKghicH3/iCizwwqZCw -sFxkGUMMFlN8EAuKu/44Tk3BegsJnkF6EB6ihesA5sF/Ymbx+nYPIlkwY6E7wG5W -+/jfj+CbQmZqbtXtwtx8zCVCmNuYGFlv5nq5TpmBn9Uxb1cN7YPp/ytDd4YkvJyc -MsTKU12PFs4+XKItW0PV4ipY+djZnN//sJYjcJPKS7UsxMLg7oV5ooQvV6NMkVUg -yP+dPS5NK3L63HT2s9VyRKV058Oc/J9Kcm9GG5faFo2EUxCIRwvVne/gIcEqxaRD -5s533dmhI4VgWVIOhY00Fg7M3Ee016oTiRbZmmu2rpemHwEYkrmS4HKi+JWSce3a -PjQXZHPsfk05V84Dr2aLS7giC7QYOg+iaoeXh61djFsGaX1jltPHH2HG4F6FJ1XC -eCb8J4mhiEuYryEJKAz+55wKgp8= ------END CERTIFICATE----- diff --git a/roles/openvpn/files/crl.pem b/roles/openvpn/files/crl.pem deleted file mode 100644 index cbcc529..0000000 --- a/roles/openvpn/files/crl.pem +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN X509 CRL----- -MIIC0zCBvAIBATANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRKYWtvYiBPZGVy -c2t5IFZQTiBDQRcNMTYxMjI2MTU1NTUzWhcNMTcwNjI0MTU1NTUzWjAUMBICAQIX -DTE2MTIyNjE1NTEyN1qgUzBRME8GA1UdIwRIMEaAFM7G/vcN6YdKsJircHUZwNw2 -sE4roSOkITAfMR0wGwYDVQQDDBRKYWtvYiBPZGVyc2t5IFZQTiBDQYIJALKknwe+ -743TMA0GCSqGSIb3DQEBCwUAA4ICAQA3NWbkDDKdaMBSMnX0pCOebHigtNwiBLa+ -7riMqu0W+lok/pnrYXIvssk36psXljv/9NZ/U3KE1TfSOXM84YKNgN9nPS1JFaMD -1bVJQ4WMlBO/onF1ELtAyIePhHm9ZQSNKa9i7hLep+PCZadvI8JIxZGNeKDHYv6x -xrs3yqyte0Lw3gRB8XjWXKJQPCmaYpRf/X1EdrHteZX78uTZX3ArbysyY1xpji98 -8r6AeYOQgR2hLmaa5mpgn9YCiN5VFherVexGubz7xRvIEvII8BcIk84tW08U9oCO -cyUsTxWeiDYd6WJY3BEjVSy0DRGHQMOhc84XSp4KMS9fQfdLpdXbpovf4mVhNuJQ -5H41ZZ7dwuVWEf0n3ma/EAVOQE6MD1vMaPedHBEwqRCNDXz6XkQPi6ar/uSi9YhX -Zyc/9DP/auQ5wgc6xkJptIB3DFKkW8yUHB7yEzhmWYuF8Z89Dtxsh9GV9e4s40v2 -ELrPm4Yf5UzeDQdl+ipkpjvL2Xs5+FRYtQIsTVGEnKcu0+fGHOd+bpRt909cpiNC -ToIgnskJpnBzGwlmCsAg3Mt8QB8GpKouIwyYRIDTSdzJnh9OUYHtqDC2MUZ+xgWF -YvqFMkMVQJ0g0X6f5BYukyicTNK/BJ++NySXov83Jb8xxQg771VxmJvWNx8plekZ -0oar1TLHJQ== ------END X509 CRL----- diff --git a/roles/openvpn/files/dh4096.pem b/roles/openvpn/files/dh4096.pem deleted file mode 100644 index 3fd26d4..0000000 --- a/roles/openvpn/files/dh4096.pem +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIICCAKCAgEA8PC5fLB2y0AAFvUFwSoZCi/vgWVHKoHY34kU3NnCrmAHKVpvBGJ0 -g8Y4No6MHWyMGtgt7JGcnRRokzsgedtn02j69rqiwQWDS6WlU3gOYSRQAtrzU6L8 -1TYoAc5iux0M0rw9nV2XSLZSRGsLQQDDsiOb0fsZD05B3JytyjIGCgs3PiztdmCM -4BIFn2VqYj2vm9+wmwJ716JRVHgieU58pHIQrao4uSRCSVTNru8+1ACXgcFI/xGk -89hti0Ywh2sGKC+9+SZOKdZMXl8u7NhCo9dAQAjg1e6wAp/jjP0yUWnlhY87rVl/ -LNQnVSM7VmPMgUGy1ffdLd03b/MBG1to64ioSaNyq0VAuevBihQ7BZaZxuwuioWk -eTLv0dp1Zie2IihiY3/IONu8HvrqvZn8+Ml7m4icTPwQrqN9S0eMsyA09MuNI3MP -5F+fn2zyib3fxwPV7GeNjsCj+QywFGdmukThD7sT0Q7BLx2KhZaj6D76JZLz4H0S -cBkJGjK3/YcjZFHipaaFvvEdftO33o+CdWwKc3+TL1gn3TB5smZS4V5oO3SkoMOr -mowBd6CsFqdNASvoWZs29CgRHewtAmMfx4ZtlcFDffGLNzx1DO8VoCX0RGATEI/M -vlrYYchykZjEMqjS6PAxpeCSDLWqIkW9fy8qUJcebZ7Rml25vv4SeeMCAQI= ------END DH PARAMETERS----- diff --git a/roles/openvpn/files/server.conf b/roles/openvpn/files/server.conf deleted file mode 100644 index a30e72c..0000000 --- a/roles/openvpn/files/server.conf +++ /dev/null @@ -1,306 +0,0 @@ -################################################# -# Sample OpenVPN 2.0 config file for # -# multi-client server. # -# # -# This file is for the server side # -# of a many-clients <-> one-server # -# OpenVPN configuration. # -# # -# OpenVPN also supports # -# single-machine <-> single-machine # -# configurations (See the Examples page # -# on the web site for more info). # -# # -# This config should work on Windows # -# or Linux/BSD systems. Remember on # -# Windows to quote pathnames and use # -# double backslashes, e.g.: # -# "C:\\Program Files\\OpenVPN\\config\\foo.key" # -# # -# Comments are preceded with '#' or ';' # -################################################# - -# Which local IP address should OpenVPN -# listen on? (optional) -;local a.b.c.d - -# Which TCP/UDP port should OpenVPN listen on? -# If you want to run multiple OpenVPN instances -# on the same machine, use a different port -# number for each one. You will need to -# open up this port on your firewall. -port 1194 - -# TCP or UDP server? -;proto tcp -proto udp - -# "dev tun" will create a routed IP tunnel, -# "dev tap" will create an ethernet tunnel. -# Use "dev tap0" if you are ethernet bridging -# and have precreated a tap0 virtual interface -# and bridged it with your ethernet interface. -# If you want to control access policies -# over the VPN, you must create firewall -# rules for the the TUN/TAP interface. -# On non-Windows systems, you can give -# an explicit unit number, such as tun0. -# On Windows, use "dev-node" for this. -# On most systems, the VPN will not function -# unless you partially or fully disable -# the firewall for the TUN/TAP interface. -;dev tap -dev tun - -# Windows needs the TAP-Win32 adapter name -# from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the -# Windows firewall for the TAP adapter. -# Non-Windows systems usually don't need this. -;dev-node MyTap - -# SSL/TLS root certificate (ca), certificate -# (cert), and private key (key). Each client -# and the server must have their own cert and -# key file. The server and all clients will -# use the same ca file. -# -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates -# and private keys. Remember to use -# a unique Common Name for the server -# and each of the client certificates. -# -# Any X509 key management system can be used. -# OpenVPN can also use a PKCS #12 formatted key file -# (see "pkcs12" directive in man page). -ca ca.crt -cert server.crt -key server.key # This file should be kept secret -crl-verify crl.pem - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh2048.pem 2048 -dh dh4096.pem - -# Network topology -# Should be subnet (addressing via IP) -# unless Windows clients v2.0.9 and lower have to -# be supported (then net30, i.e. a /30 per client) -# Defaults to net30 (not recommended) -topology subnet - -# Configure server mode and supply a VPN subnet -# for OpenVPN to draw client addresses from. -# The server will take 10.8.0.1 for itself, -# the rest will be made available to clients. -# Each client will be able to reach the server -# on 10.8.0.1. Comment this line out if you are -# ethernet bridging. See the man page for more info. -;server 10.8.0.0 255.255.255.0 -server 192.168.255.128 255.255.255.128 - -# Maintain a record of client <-> virtual IP address -# associations in this file. If OpenVPN goes down or -# is restarted, reconnecting clients can be assigned -# the same virtual IP address from the pool that was -# previously assigned. -ifconfig-pool-persist ipp.txt - -# Configure server mode for ethernet bridging. -# You must first use your OS's bridging capability -# to bridge the TAP interface with the ethernet -# NIC interface. Then you must manually set the -# IP/netmask on the bridge interface, here we -# assume 10.8.0.4/255.255.255.0. Finally we -# must set aside an IP range in this subnet -# (start=10.8.0.50 end=10.8.0.100) to allocate -# to connecting clients. Leave this line commented -# out unless you are ethernet bridging. -;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 - -# Configure server mode for ethernet bridging -# using a DHCP-proxy, where clients talk -# to the OpenVPN server-side DHCP server -# to receive their IP address allocation -# and DNS server addresses. You must first use -# your OS's bridging capability to bridge the TAP -# interface with the ethernet NIC interface. -# Note: this mode only works on clients (such as -# Windows), where the client-side TAP adapter is -# bound to a DHCP client. -;server-bridge - -# Push routes to the client to allow it -# to reach other private subnets behind -# the server. Remember that these -# private subnets will also need -# to know to route the OpenVPN client -# address pool (10.8.0.0/255.255.255.0) -# back to the OpenVPN server. -;push "route 192.168.10.0 255.255.255.0" -;push "route 192.168.20.0 255.255.255.0" - -# To assign specific IP addresses to specific -# clients or if a connecting client has a private -# subnet behind it that should also have VPN access, -# use the subdirectory "ccd" for client-specific -# configuration files (see man page for more info). - -# EXAMPLE: Suppose the client -# having the certificate common name "Thelonious" -# also has a small subnet behind his connecting -# machine, such as 192.168.40.128/255.255.255.248. -# First, uncomment out these lines: -;client-config-dir ccd -;route 192.168.40.128 255.255.255.248 -# Then create a file ccd/Thelonious with this line: -# iroute 192.168.40.128 255.255.255.248 -# This will allow Thelonious' private subnet to -# access the VPN. This example will only work -# if you are routing, not bridging, i.e. you are -# using "dev tun" and "server" directives. - -# EXAMPLE: Suppose you want to give -# Thelonious a fixed VPN IP address of 10.9.0.1. -# First uncomment out these lines: -;client-config-dir ccd -;route 10.9.0.0 255.255.255.252 -# Then add this line to ccd/Thelonious: -# ifconfig-push 10.9.0.1 10.9.0.2 - -# Suppose that you want to enable different -# firewall access policies for different groups -# of clients. There are two methods: -# (1) Run multiple OpenVPN daemons, one for each -# group, and firewall the TUN/TAP interface -# for each group/daemon appropriately. -# (2) (Advanced) Create a script to dynamically -# modify the firewall in response to access -# from different clients. See man -# page for more info on learn-address script. -;learn-address ./script - -# If enabled, this directive will configure -# all clients to redirect their default -# network gateway through the VPN, causing -# all IP traffic such as web browsing and -# and DNS lookups to go through the VPN -# (The OpenVPN server machine may need to NAT -# or bridge the TUN/TAP interface to the internet -# in order for this to work properly). -push "redirect-gateway def1 bypass-dhcp" - -# Certain Windows-specific network settings -# can be pushed to clients, such as DNS -# or WINS server addresses. CAVEAT: -# http://openvpn.net/faq.html#dhcpcaveats -# The addresses below refer to the public -# DNS servers provided by opendns.com. -push "dhcp-option DNS 208.67.222.222" -push "dhcp-option DNS 208.67.220.220" - -# Uncomment this directive to allow different -# clients to be able to "see" each other. -# By default, clients will only see the server. -# To force clients to only see the server, you -# will also need to appropriately firewall the -# server's TUN/TAP interface. -;client-to-client - -# Uncomment this directive if multiple clients -# might connect with the same certificate/key -# files or common names. This is recommended -# only for testing purposes. For production use, -# each client should have its own certificate/key -# pair. -# -# IF YOU HAVE NOT GENERATED INDIVIDUAL -# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, -# EACH HAVING ITS OWN UNIQUE "COMMON NAME", -# UNCOMMENT THIS LINE OUT. -;duplicate-cn - -# The keepalive directive causes ping-like -# messages to be sent back and forth over -# the link so that each side knows when -# the other side has gone down. -# Ping every 10 seconds, assume that remote -# peer is down if no ping received during -# a 120 second time period. -keepalive 10 120 - -# For extra security beyond that provided -# by SSL/TLS, create an "HMAC firewall" -# to help block DoS attacks and UDP port flooding. -# -# Generate with: -# openvpn --genkey --secret ta.key -# -# The server and each client must have -# a copy of this key. -# The second parameter should be '0' -# on the server and '1' on the clients. -;tls-auth ta.key 0 # This file is secret - -# Select a cryptographic cipher. -# This config item must be copied to -# the client config file as well. -;cipher BF-CBC # Blowfish (default) -cipher AES-128-CBC # AES -;cipher DES-EDE3-CBC # Triple-DES - -# Enable compression on the VPN link. -# If you enable it here, you must also -# enable it in the client config file. -comp-lzo - -# The maximum number of concurrently connected -# clients we want to allow. -;max-clients 100 - -# It's a good idea to reduce the OpenVPN -# daemon's privileges after initialization. -# -# You can uncomment this out on -# non-Windows systems. -user nobody -group nogroup - -# The persist options will try to avoid -# accessing certain resources on restart -# that may no longer be accessible because -# of the privilege downgrade. -persist-key -persist-tun - -# Output a short status file showing -# current connections, truncated -# and rewritten every minute. -status openvpn-status.log - -# By default, log messages will go to the syslog (or -# on Windows, if running as a service, they will go to -# the "\Program Files\OpenVPN\log" directory). -# Use log or log-append to override this default. -# "log" will truncate the log file on OpenVPN startup, -# while "log-append" will append to it. Use one -# or the other (but not both). -;log openvpn.log -;log-append openvpn.log - -# Set the appropriate level of log -# file verbosity. -# -# 0 is silent, except for fatal errors -# 4 is reasonable for general usage -# 5 and 6 can help to debug connection problems -# 9 is extremely verbose -verb 4 - -# Silence repeating messages. At most 20 -# sequential messages of the same message -# category will be output to the log. -;mute 20 diff --git a/roles/openvpn/handlers/main.yml b/roles/openvpn/handlers/main.yml deleted file mode 100644 index d462ff1..0000000 --- a/roles/openvpn/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: restart openvpn - service: name=openvpn state=restarted - -- name: restart ufw - service: name=ufw state=restarted diff --git a/roles/openvpn/meta/main.yml b/roles/openvpn/meta/main.yml deleted file mode 100644 index fdda41b..0000000 --- a/roles/openvpn/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: common diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml deleted file mode 100644 index ad3b928..0000000 --- a/roles/openvpn/tasks/main.yml +++ /dev/null @@ -1,56 +0,0 @@ ---- -- name: install openvpn - apt: name=openvpn state=latest - -- name: copy root certificate - copy: src=ca.crt dest=/etc/openvpn/ca.crt - notify: restart openvpn - -- name: copy dh parameters - copy: src=dh4096.pem dest=/etc/openvpn/dh4096.pem - notify: restart openvpn - -- name: copy server config - copy: src=server.conf dest=/etc/openvpn/server.conf - notify: restart openvpn - -- name: copy crl - copy: src=crl.pem dest=/etc/openvpn/crl.pem - notify: restart openvpn # restart to terminate all connections and enforce crl - -- name: copy server certificate - copy: - src="host_files/{{inventory_hostname}}/etc/openvpn/server.crt" - dest=/etc/openvpn/server.crt - notify: restart openvpn - -- name: copy server key - copy: - src="host_files/{{inventory_hostname}}/etc/openvpn/server.key" - dest=/etc/openvpn/server.key - mode=0600 - notify: restart openvpn - -- name: enable ip forwarding - sysctl: name="net.ipv4.ip_forward" value=1 sysctl_set=yes state=present reload=yes - -- name: firewall - update default forward policy - lineinfile: dest=/etc/default/ufw regexp=^DEFAULT_FORWARD_POLICY line=DEFAULT_FORWARD_POLICY="ACCEPT" - notify: restart ufw - -- name: firewall - add NAT rules - blockinfile: - dest: /etc/ufw/before.rules - insertbefore: BOF - block: | - # NAT table rules - *nat - :POSTROUTING ACCEPT [0:0] - # Allow traffic from OpenVPN client to eth0 - -A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE - COMMIT - notify: restart ufw - -- name: firewall - allow openvpn - ufw: rule=allow port=1194 proto=udp - notify: restart ufw |