From 78f58eca7067652b12376bb4cc1c1eda2fea28e8 Mon Sep 17 00:00:00 2001 
From: kwadronaut Date: Thu, 20 Oct 2022 23:44:28 +0200 Subject: initial simple demo provider --- .ansible_vault_pw.gpg | 30 ++++++++++++ config/roles/kresd/templates/kresd.conf.j2.bk | 17 +++++++ config/roles/openvpn/tasks/credentials.yml | 2 +- credentials/common/api_ca.crt | 10 ++++ credentials/common/api_ca.key | 17 +++++++ credentials/common/client_ca.crt | 11 +++++ credentials/common/client_ca.key | 17 +++++++ credentials/secrets.yml | 46 ++++++++++++++++++ credentials/shapeshifter/obfs4_bridgeline.txt | 1 + credentials/shapeshifter/obfs4_cert.txt | 1 + credentials/shapeshifter/obfs4_state.json | 20 ++++++++ credentials/ssh/key | 25 ++++++++++ credentials/ssh/key.pub | 1 + credentials/sso/public.key | 1 + credentials/sso/secret.key | 9 ++++ credentials/x509/ca.pem | 10 ++++ credentials/x509/ca_private_key.pem | 17 +++++++ credentials/x509/dhparam | 8 ++++ group_vars/all/config.yml | 14 +++--- group_vars/all/gateway_locations.yml | 6 ++- group_vars/all/provider_config.yml | 4 +- group_vars/all/secrets.yml | 1 + hosts.yml | 69 ++++++++++++++------------- 23 files changed, 294 insertions(+), 43 deletions(-) create mode 100644 .ansible_vault_pw.gpg create mode 100644 config/roles/kresd/templates/kresd.conf.j2.bk create mode 100644 credentials/common/api_ca.crt create mode 100644 credentials/common/api_ca.key create mode 100644 credentials/common/client_ca.crt create mode 100644 credentials/common/client_ca.key create mode 100644 credentials/secrets.yml create mode 100644 credentials/shapeshifter/obfs4_bridgeline.txt create mode 100644 credentials/shapeshifter/obfs4_cert.txt create mode 100644 credentials/shapeshifter/obfs4_state.json create mode 100644 credentials/ssh/key create mode 100644 credentials/ssh/key.pub create mode 100644 credentials/sso/public.key create mode 100644 credentials/sso/secret.key create mode 100644 credentials/x509/ca.pem create mode 100644 credentials/x509/ca_private_key.pem create mode 100644 credentials/x509/dhparam create mode 120000 
group_vars/all/secrets.yml diff --git a/.ansible_vault_pw.gpg b/.ansible_vault_pw.gpg new file mode 100644 index 0000000..528c805 --- /dev/null +++ b/.ansible_vault_pw.gpg @@ -0,0 +1,30 @@ +-----BEGIN PGP MESSAGE----- + +hF4DpfWzu9aeW0ISAQdA9oEXYzY16y3F7Y7cjv+dMJ0bD+4k1onc86S7rncaEngw +8xyTlHpFfSeQHK78LlsLY6KBf6NpZHXNyFCZy6NidINSxe3vUq/E4TwHvyYkRrYF +hQIMA4yO+U9cs73UAQ/8DT0KLuZ2bhyJyzSGcb/s5O6qyqQypozeLvRvtbResnyL +YWhG7/yMjmzhGCHW1daj9W4gcTQFYq0Mh+x5SAcDFKzJ8XeN4hQGR+AXhucxpyJn +e4T0RHNyzztGcEWvFNazq5uBv2OsoeZtnwOOd1C3gZvKkfD2E5eJa0DaLSbwUBw7 +/4fTlDwiJTP5suk2D1W2m65cY+gze2uMokfEgeP7YquSnBQZKWgv/IZ9fnvar6Pm ++YCGMmuFtIBu1kyGKR3akef372JspJJrMHlG9Z9zvQRgLHvXuQ+jzDXjB2iWP0xX +wmF3WBzGReqIYABmmpzx78+U+azTR25ZcaAtzKwxUmH27vQSeUx4xKozyZ611TSk +T0WwT7CJEDB2M9m8js6oxbQjFIp8XJQ9h/5qXfJoZzRhmwviH05YZ9RpPFWkPfgS +vj6tadJdFZPtJ2wC3fv+VIydRbKxk0pIGE5v3ZVqC5HwDYLj4tyekosa71FK+N+w +U7NNpz+j8UBZ5cTogkJCOGGkEp10o1obpOs6qe71M9eIVxOjx+NO1pJK/4l1j5vA +ha770oK+9jJB/V0r/g4qZ2MhecbhrUgngp7V9QueqMoBGVFSR0NApY1X1oAvRwA5 +B/W3h2kFDED6TPCy3uWds3PNGKK1nwvftONtcAQreWYzBlhmk3GRlj54oVL77JCF +AgwDKS9PgWe1HjoBD/0WMlgM9ix7E/GiKjzP8pu7QaTr8fQ9BkmODwGsH6AjlW6o +sNsE+68+uc/Yl0GWkdWf0qGuk8Nh8/B5sFdmFknsCidpvSorwonin7rLUunNypmu +qpOQwuBiZIGJ6YV545Mv9pNw4BEL/tFWc2AKslCiogUiMcjRlBTZgWMQ7Rf3LhFW +HcEa6h/o7m5kfbSk4dIeb+MT/VG5HCOnabADSLRUqULMU9AHJNB5IktoTQLrHgCs +V3SdaqF3zz3iAu+3SX4qey7+BKQQ4EdeZCaJ81/y7Onm2/Zj09CADd4qKpQW7+lq +QkA0C55Vpiyid/BNgcQwIS1FQsS/F/fWTzdPLXbda7/dB6ZEf+YkDE0s8DMpJayp +myMGfh9CWp/S9nmo+6BSLDEqJ0aKJNggYlRGX3/5uay07SAI2oFSU7kFEv0s9ND2 +Vf2rGxs8CqnYyTAB2W98bP2LO1W9dIQCV8UdnZc6Id5ufXgYI2UANkZgruLrN8Oo +5kBVAQvmS5qXdjchyAuq+jSVGL//mqOmNvnOjBj6uLqwzNWBPUuAMb/wBc5uI2+7 +RnkzVAIEsVjEwk2waUKyPeK2Adm4GWqUcd2+Z7T52Z2xIbjTgQUn9TK/Mj83n/F2 +iTaOGob/WFEe50FbVtXgMTa6jTCtGqrAMTdmZvYF0uI/647X6U5vGXZwM0dhINJV +AbfA4AACXW3xjF4CyIXX7TCaRW7cp3pAgaMbIVafQQvYnRz9/TOi70OJIgXyoLKv +Hq6NMlwAuXj7dv7XFMtoeEPJm/yA/RkVU7d4aSxqnkIEP+dLyg== +=lLtL +-----END PGP MESSAGE----- 
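Review bot: The GPG-encrypted vault password is committed next to the vault ciphertexts it unlocks, so repository read access plus any one recipient's private key yields every file under credentials/ (the recipient list is not visible here, so the blast radius is inferred). Keeping `.ansible_vault_pw.gpg` out of the tree (gitignored, with a documented fetch step) or using a vault-password client script keeps ciphertext and key material separated and makes rotation a local operation rather than a commit. If it stays, a README line naming who can decrypt it and how it is rotated would make the trust boundary explicit.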
diff --git a/config/roles/kresd/templates/kresd.conf.j2.bk b/config/roles/kresd/templates/kresd.conf.j2.bk
new file mode 100644
index 0000000..bf9a141
--- /dev/null
+++ b/config/roles/kresd/templates/kresd.conf.j2.bk
@@ -0,0 +1,17 @@
+net.listen('10.41.0.1', 53, { kind = 'dns' })
+net.listen('10.42.0.1', 53, { kind = 'dns' })
+{% if openvpn_udp_network6 is defined and openvpn_udp_network6|length %}
+net.listen('::1', 53, { kind = 'dns' })
+{% endif %}
+net.listen('{{ansible_vpn0.ipv4.address}}', 8453, { kind = 'webmgmt' }) #}
+{# net.listen('{{ansible_vpn0.ipv4}}', 8453, { kind = 'webmgmt' }) #}
+
+-- Load Useful modules
+modules = {
+ 'stats', -- Track internal statistics
+ 'http',
+}
+
+cache.size = 400 * MB
+
+http.config({ geoip = '/var/lib/GeoIP/GeoLite2-Country.mmdb', })
diff --git a/config/roles/openvpn/tasks/credentials.yml b/config/roles/openvpn/tasks/credentials.yml
index b7e5dec..153b972 100644
--- a/config/roles/openvpn/tasks/credentials.yml
+++ b/config/roles/openvpn/tasks/credentials.yml
@@ -40,7 +40,7 @@
 - name: Install client certificate generating and API endpoint CA bundle
 copy:
- content: "{{ lookup('file', '{{ credentials_dir }}/common/old_client_ca.crt') }}\n{{lookup('file', '{{ credentials_dir }}/common/api_ca.crt') }}\n{{ lookup('file', '{{ credentials_dir }}/common/client_ca.crt') }}\n"
+ content: "{{ lookup('file', '{{ credentials_dir }}/common/api_ca.crt') }}\n{{ lookup('file', '{{ credentials_dir }}/common/client_ca.crt') }}\n"
 dest: /etc/leap/ca/leap_ca_bundle.crt
 mode: 0444
 notify:
diff --git a/credentials/common/api_ca.crt b/credentials/common/api_ca.crt
new file mode 100644
index 0000000..129f23c
--- /dev/null
+++ b/credentials/common/api_ca.crt
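Review bot: kresd.conf.j2.bk is a backup copy committed under templates/ rather than a template the role renders, and its sixth line ends in a stray `#}` with no matching `{#`, so as written it is neither used nor a valid Jinja template. If the webmgmt listener variant is worth keeping, fold it into kresd.conf.j2 behind a variable and delete the .bk file; otherwise drop it from the commit. If it is kept, that line should read `net.listen('{{ ansible_vpn0.ipv4.address }}', 8453, { kind = 'webmgmt' })`.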
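Review bot: The rewritten `content:` line still nests `{{ credentials_dir }}` inside the string handed to lookup(), which Ansible resolves with a second templating pass and warns about; the plain-expression form `lookup('file', credentials_dir ~ '/common/api_ca.crt')` avoids that for each of the two lookups. Removing old_client_ca.crt from the bundle means clients still presenting certificates issued by that CA will stop validating once this is deployed — presumably intended for a fresh demo provider, but worth one line in the commit message. The task's `notify:` list continues past the end of the hunk.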
@@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBYzCCAQigAwIBAgIBATAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxMRUFQIFJv +b3QgQ0EwHhcNMjIxMDEzMDc0NTQ1WhcNMjcxMDEzMDc1MDQ1WjAXMRUwEwYDVQQD +EwxMRUFQIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASyXDmsyb59 +20V/xA5S0jpeWin9GA4/wx6+95+UDvfUrcvdp8Jl2MgZ4bjGxukxwid9Hpg1Sl4B +7qXJ4aiIFnc9o0UwQzAOBgNVHQ8BAf8EBAMCAqQwEgYDVR0TAQH/BAgwBgEB/wIB +ATAdBgNVHQ4EFgQUmQw7Vs00S3n1i4xT26OM8AvXcVQwCgYIKoZIzj0EAwIDSQAw +RgIhAOQYVy5F2jD7LIiHIJNOderYPJrTWxHVZY5QOibu1xZGAiEAp9Ud1q2fEQNd +RxUXi+oOJHrogXMJ13XI7ng4Z8aKtEA= +-----END CERTIFICATE----- diff --git a/credentials/common/api_ca.key b/credentials/common/api_ca.key new file mode 100644 index 0000000..3454ebf --- /dev/null +++ b/credentials/common/api_ca.key 
@@ -0,0 +1,17 @@ +$ANSIBLE_VAULT;1.1;AES256 +35643461613861323338663861653766333232663034383636613532666535663931333762613639 +3139356634343565613963633965656535643731633139390a323234613264633630663133366435 +37373464656331653630616331646439633339326166313533396666346337343064373637373839 +6434333264613732640a613235336464636132366339383632663065623434653965663930363261 +30653463646130333037313861653961343839393135336262373637353131393932353762386562 +31656333393062306538396531623734333162353134376664383732643061303930336137656562 +63643862333737356665616139643336633665393264313137643265376531303862623166326230 +35303261336531646161353337353639323036336663346264653933656566383364623237356337 +35623466363538336235643066633031613238653061653030346462353034653332633565373739 +39343530353862356163323836633139653531653861383237393265623035313836373933373735 +37306665303535383264376336353437653434353761356435366539343666336137623633346665 +32653034633964366337643032393833646264323930353838323439333030373934343030353131 +30316166623162643032386461373130646163393039313439623732613166383563666130666539 +64376466333861363563633362383934376662333636346430343865636237613435313962333261 +62363130363139636264316666393833326339396634646266643066663662386662306437346435 +63663732303032316336 diff --git a/credentials/common/client_ca.crt b/credentials/common/client_ca.crt new file mode 100644 index 0000000..cdfc1ab --- /dev/null +++ b/credentials/common/client_ca.crt 
@@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBmTCCAUCgAwIBAgIBATAKBggqhkjOPQQDAjAzMTEwLwYDVQQDDChMRUFQIFJv +b3QgQ0EgKGNsaWVudCBjZXJ0aWZpY2F0ZXMgb25seSEpMB4XDTIyMTAxMzA3NDU0 +NFoXDTI3MTAxMzA3NTA0NFowMzExMC8GA1UEAwwoTEVBUCBSb290IENBIChjbGll +bnQgY2VydGlmaWNhdGVzIG9ubHkhKTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA +BEd37Qs5xn9yvpFs88+8b4fneBbJ5x5xQBiHjpzCpFTA4knxrsvnDEk2Nd8kmUvt +bAepDtwA5X0C8/6Mo484OmSjRTBDMA4GA1UdDwEB/wQEAwICpDASBgNVHRMBAf8E +CDAGAQH/AgEBMB0GA1UdDgQWBBQ6x1braM6bjH/HwjUgFxpmmd9fOTAKBggqhkjO +PQQDAgNHADBEAiA3qpW+dHpB4XR+Z+QZ4KokJ7+UdHvFrpo0I7NT5cAxcwIgeK76 +1cBhWAhtFlNHdF/4MDLj4h5eROpvZHoWGq2wwcY= +-----END CERTIFICATE----- diff --git a/credentials/common/client_ca.key b/credentials/common/client_ca.key new file mode 100644 index 0000000..aa6940d --- /dev/null +++ b/credentials/common/client_ca.key @@ -0,0 +1,17 @@ +$ANSIBLE_VAULT;1.1;AES256 +36346530626238626261666434663330393239323032376563666364383033633237376365313233 +3936363264616331356135363561633030666265656464370a666566626332356163343066393537 +64343731653130623032336564616534333031303033363734623832383232306637626162383336 +3939663932346164630a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diff --git a/credentials/secrets.yml b/credentials/secrets.yml new file mode 100644 index 0000000..79e719e --- /dev/null +++ b/credentials/secrets.yml @@ -0,0 +1,46 @@ +$ANSIBLE_VAULT;1.1;AES256 +36366435343065336330643334656161363133383338343137326136353432633165653337336333 +3731383663666238393664316534306131323037306237300a333237306563353361643463383639 +31353935393065336262313230616263333535646334386462663366623630353735306565373734 +3333363439356531630a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diff --git a/credentials/shapeshifter/obfs4_bridgeline.txt b/credentials/shapeshifter/obfs4_bridgeline.txt new file mode 100644 index 0000000..057c1cc --- /dev/null +++ b/credentials/shapeshifter/obfs4_bridgeline.txt 
@@ -0,0 +1 @@ +Bridge obfs4 : cert=akSHu9L0n4dQysz1mxPMdEEP7eNQIJNpYLkMZQOtxyCWLR+CIoftP87MLpoR4P7bpW/5Cw== iatMode=0 \ No newline at end of file diff --git a/credentials/shapeshifter/obfs4_cert.txt b/credentials/shapeshifter/obfs4_cert.txt new file mode 100644 index 0000000..5d6ca1e --- /dev/null +++ b/credentials/shapeshifter/obfs4_cert.txt @@ -0,0 +1 @@ +akSHu9L0n4dQysz1mxPMdEEP7eNQIJNpYLkMZQOtxyCWLR+CIoftP87MLpoR4P7bpW/5Cw \ No newline at end of file diff --git a/credentials/shapeshifter/obfs4_state.json b/credentials/shapeshifter/obfs4_state.json new file mode 100644 index 0000000..638d149 --- /dev/null +++ b/credentials/shapeshifter/obfs4_state.json @@ -0,0 +1,20 @@ +$ANSIBLE_VAULT;1.1;AES256 +63633035666565323030623266626462363865643561356564323731373665373462613830333563 +3364626637376239616433636437336465346430653737320a373264393566653135333732336237 +39306663313466333139333566663765373830653737353164663566323332616234633937636534 +6531356166396466390a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diff --git a/credentials/ssh/key b/credentials/ssh/key new file mode 100644 index 0000000..d749e32 --- /dev/null +++ b/credentials/ssh/key @@ -0,0 +1,25 @@ +$ANSIBLE_VAULT;1.1;AES256 +64633232343931353562326462613034633330313537363134653436666532303931643265366332 +3732653133616238343431383566396665346234613332610a643138336262323261313735626364 +39616361306530656335633134343566303934323633376461616631316435383162316235396333 +3763343066323338630a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diff --git a/credentials/ssh/key.pub b/credentials/ssh/key.pub new file mode 100644 index 0000000..8567070 --- /dev/null +++ b/credentials/ssh/key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxyRXHorPp0fzuucay5TvfLS1SSTHuj9OQ9682C4NXO ca diff --git a/credentials/sso/public.key b/credentials/sso/public.key new file mode 100644 index 0000000..520df08 --- /dev/null +++ b/credentials/sso/public.key 
@@ -0,0 +1 @@ +^^ˆLB BtÂ,Ò ¡MßžÉ÷œ¯Š¤€eã3A \ No newline at end of file diff --git a/credentials/sso/secret.key b/credentials/sso/secret.key new file mode 100644 index 0000000..655cdad --- /dev/null +++ b/credentials/sso/secret.key @@ -0,0 +1,9 @@ +$ANSIBLE_VAULT;1.1;AES256 +36636631323030663832613939313837363466656231376335633161343931313764326530353930 +3734656464386430623939373761323664613232306538620a376161633238626539303439353863 +63353634316437663833646662383039396364623037376535633161666363636136653366383833 +3532633937386663610a333764643231646562643966656339313864363430383433616138393032 +39616666376137633835636265613039393537636239643031303432653566623236623433623264 +37393836353063633635633666316366303130363963613536396335313265626337636335613361 +33363938363136323435653432626462323239303731643537363537373433376334663266333533 +63656533343066343534 diff --git a/credentials/x509/ca.pem b/credentials/x509/ca.pem new file mode 100644 index 0000000..73cac34 --- /dev/null +++ b/credentials/x509/ca.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBXjCCAQSgAwIBAgIBATAKBggqhkjOPQQDAjAVMRMwEQYDVQQDEwpTZXJ2aWNl +IENBMB4XDTIyMTAxMzA3NDYwNloXDTI3MTAxMzA3NTEwNlowFTETMBEGA1UEAxMK +U2VydmljZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJ+FQ/L7u/+KoDpK +kT5TbuKgrGEFGp6j+hj4LeTDwcD03GlqY+/4e5epMAOYvOLtATShELU7UMh9b2+R +7anWlA6jRTBDMA4GA1UdDwEB/wQEAwICpDASBgNVHRMBAf8ECDAGAQH/AgEBMB0G +A1UdDgQWBBQYINJv1nly3l/6KzvybVdgqaN0VDAKBggqhkjOPQQDAgNIADBFAiBm +n/pZUNIGFKuxWJRpBzdU5hzn29wb0LMywFxUy+EnuwIhAOGa7bgzH2qm0GNb65j6 +OgpHAK040uHaMF6BEKKwOYHM +-----END CERTIFICATE----- diff --git a/credentials/x509/ca_private_key.pem b/credentials/x509/ca_private_key.pem new file mode 100644 index 0000000..410011f --- /dev/null +++ b/credentials/x509/ca_private_key.pem 
@@ -0,0 +1,17 @@ +$ANSIBLE_VAULT;1.1;AES256 +37633430636639663837306163376461623665303963633532306330666164643934643736663761 +6133363965323239396133303834383265323435653636360a343635373831396437663561613566 +36383565653632663139353538323832393966333065383631626534643938633236656163333234 +3134393735373265320a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diff --git a/credentials/x509/dhparam b/credentials/x509/dhparam new file mode 100644 index 0000000..7ddcad5 --- /dev/null +++ b/credentials/x509/dhparam @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEAgvk9tlIXF7nEBp/lKXtBcQOlBryBDca63MJAbpIF4s3QarPUVB3U +cocCQZvlVlxw29XhjifUMDc214FFvwzlVbMjhVahCpZYurfHI4L1xLMmcSx0zfvj +HV8yhCKn0HMCjU2bVXd6OqZbjnpLI+XlWvZETxU93bhDpV2Bn41TSbUlTN+GxcAZ ++v8bKIP5Eok6NMAY2IHEfRgAgeFrHx7wxxd4pboEqhAU4RH9M0BN8CS1z41yVWOS +EmLXujZHWuVT41mXkf89XBONMU0l9sxJde0zJV79AdJgWXemXvX2PAF8WHQQaHaK +dDxxxNkUQ4RVyOf+p1D51b3FQyetWyFyWwIBAg== +-----END DH PARAMETERS----- diff --git a/group_vars/all/config.yml b/group_vars/all/config.yml index c615004..2864b22 100644 --- a/group_vars/all/config.yml +++ b/group_vars/all/config.yml 
@@ -3,28 +3,28 @@
 float_debian_dist: bullseye
 float_limit_bind_to_known_interfaces: true
 domain: infra.bitmask.net
 domain_public:
- - float.bitmask.net
+ - demo.bitmask.net
 net_overlays:
 - name: vpn0
 network: 172.16.1.0/24
 enable_ssh: true
 enable_osquery: false
-alert_email: root@bitmask.net
+alert_email: bitmask-demo@kwadronaut@leap.se
 alertmanager_smtp_from: float@bitmask.net
 alertmanager_smtp_smarthost: smtp.bitmask.net:25
 alertmanager_smtp_require_tls: true
 alertmanager_smtp_auth_username: float
 alertmanager_smtp_auth_password: somepassword
 alertmanager_smtp_hello: float.bitmask.net
-geoip_account_id: 1234
-geoip_license_key: Welcome123
+geoip_account_id: 255595
+geoip_license_key: Pufl3DucM3R4LkqF
 # optional: 'custom_vpn_web_domains' can be a list of additional domains
 # that vpnweb should respond to, eg. custom_vpn_web_domains: [api.foo.net]
 admins:
- - name: admin
- email: "admin@bitmask.net"
- password: "$s$16384$8$1$c479e8eb722f1b071efea7826ccf9c20$96d63ebed0c64afb746026f56f71b2a1f8796c73141d2d6b1958d4ea26c60a0b"
+ - name: leap
+ email: "demo.bitmask@chocovax.net"
+ password: "$a2$3$32768$4$3e0b56ee9961aa6c6d9c3f000d399d66$dad8085fc9d155e4c4e4a841b8292925be22faa4c02c0dd929776e0992055d8e"
 ssh_keys:
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICF6TDr56rmY8TMRCG5KSde0yajXktsUV3Q+7vRRN25D"
 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBYvrtfHSy+W4CQCkmlm2/rV1J5xpzpRVqB8SfHFtnG5"
diff --git a/group_vars/all/gateway_locations.yml b/group_vars/all/gateway_locations.yml
index 1f75391..68d2ff0 100644
--- a/group_vars/all/gateway_locations.yml
+++ b/group_vars/all/gateway_locations.yml
@@ -10,4 +10,8 @@ locations:
 'country_code': 'NL'
 'hemisphere': 'N'
 'timezone': '+2'
-
+ 'Miami':
+ 'name': 'Miami'
+ 'country_code': 'US'
+ 'hemisphere': 'N'
+ 'timezone': '-4'
diff --git a/group_vars/all/provider_config.yml b/group_vars/all/provider_config.yml
index 289d454..6fe16fa 100644
--- a/group_vars/all/provider_config.yml
+++ b/group_vars/all/provider_config.yml
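Review bot: The new `geoip_license_key:` value replaces an obvious placeholder with what looks like a live MaxMind key kept in plain text in group_vars/all/config.yml, while this same commit adds a vaulted credentials/secrets.yml and symlinks it in as group_vars/all/secrets.yml; the key belongs in the vaulted file, referenced here as something like `geoip_license_key: "{{ vault_geoip_license_key }}"`, and the value already sits in history, so it should be regenerated on the MaxMind side. `alert_email: bitmask-demo@kwadronaut@leap.se` contains two `@` and is not a deliverable address; presumably a single-`@` form was meant. The context line `alertmanager_smtp_auth_password: somepassword` is pre-existing but is the same pattern and could move to the vault in the same step.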
@@ -1,5 +1,5 @@
 ---
 provider_config:
 name: "demo provider"
- description: "this is a demo provider"
- domain: 'float.bitmask.net'
+ description: "Thanks for beta testing. Give feedback, don't abuse♥⚑"
+ domain: 'demo.bitmask.net'
diff --git a/group_vars/all/secrets.yml b/group_vars/all/secrets.yml
new file mode 120000
index 0000000..1f340cf
--- /dev/null
+++ b/group_vars/all/secrets.yml
@@ -0,0 +1 @@
+../../credentials/secrets.yml
\ No newline at end of file
diff --git a/hosts.yml b/hosts.yml
index 067a9de..319a107 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -1,53 +1,58 @@
 # NOTE: This is an example hosts.yml, you will need to edit to fit your needs
 hosts:
- floatapp1:
- ansible_host: floatapp1.float.bitmask.net
+ donkey:
+ # donkey floatapp1
+ ansible_host: 37.218.241.207
 groups: [backend]
 ips:
- - 37.218.241.84
+ - 37.218.241.207
 # The 'ip_vpn0' is for the internal network overlay only. Assign an unique
 # value for each host
 ip_vpn0: 172.16.1.1
- floatrp1:
- ansible_host: floatrp1.float.bitmask.net
+ koala:
+ # koala reverse proxy
+ ansible_host: 37.218.241.31
 groups: [frontend]
 ips:
- - 37.218.241.85
+ - 37.218.241.31
 # The 'ip_vpn0' is for the internal network overlay only. Assign an unique
 # value for each host
 ip_vpn0: 172.16.1.2
- gateway1:
- ansible_host: gateway1.float.bitmask.net
+ mullet:
+ ansible_host: 37.218.241.208
 groups: [openvpn]
 ips:
- - 37.218.242.191
+ - 37.218.241.208
 # The 'ip_vpn0' is for the internal network overlay only. Assign an unique
 # value for each host
- ip_vpn0: 172.16.1.3
- # Set the egress source address for ipv4. This address should be distinct
- # from the 'ip' value above to prevent traffic leaks.
- egress_ip: 37.218.242.216
- location: Amsterdam
- gateway2:
- ansible_host: gateway2.float.bitmask.net
- groups: [openvpn]
- ip_vpn0: 172.16.1.4
- ips:
- - 204.13.164.252
- # If the gateway has ipv6, assign it an address here. This address will be
- # used as the incoming ipv6 address for the gateway.
- - 2620:13:4000:4000:8080::252
+ # ip_vpn0: 172.16.1.3
 # Set the egress source address for ipv4. This address should be distinct
 # from the 'ip' value above to prevent traffic leaks.
- egress_ip: 204.13.164.84
- # For each gateway that has ipv6, you should allocate two ipv6 netblocks for
- # each gateway, one for TCP and one for UDP connections. These ipv6
- # netblocks should be in a different network than the ip6 address that you
- # configured above. These are used by Openvpn to allocate client IPs, and
- # they will be used for egress source addresses.
- openvpn_tcp_network6: "2620:13:4000:eeee:eeee:eeee:eeee:0000/116"
- openvpn_udp_network6: "2620:13:4000:ffff:ffff:ffff:ffff:0000/116"
- location: Seattle
+ egress_ip: 37.218.241.141
+ location: Miami
+ ansible_vpn0: 172.16.1.3
+ ip_vpn0: 172.16.1.3
+
+# gateway2:
+# ansible_host: gateway2.float.bitmask.net
+# groups: [openvpn]
+# ip_vpn0: 172.16.1.4
+# ips:
+# - 204.13.164.252
+# # If the gateway has ipv6, assign it an address here. This address will be
+# # used as the incoming ipv6 address for the gateway.
+# - 2620:13:4000:4000:8080::252
+# # Set the egress source address for ipv4. This address should be distinct
+# # from the 'ip' value above to prevent traffic leaks.
+# egress_ip: 204.13.164.84
+# # For each gateway that has ipv6, you should allocate two ipv6 netblocks for
+# # each gateway, one for TCP and one for UDP connections. These ipv6
+# # netblocks should be in a different network than the ip6 address that you
+# # configured above. These are used by Openvpn to allocate client IPs, and
+# # they will be used for egress source addresses.
+# openvpn_tcp_network6: "2620:13:4000:eeee:eeee:eeee:eeee:0000/116"
+# openvpn_udp_network6: "2620:13:4000:ffff:ffff:ffff:ffff:0000/116"
+# location: Seattle
 group_vars:
 all:
 ansible_user: root
-- cgit v1.2.3
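Review bot: `ansible_vpn0: 172.16.1.3` on the mullet host sets a variable with the reserved `ansible_` prefix to a bare string, while the kresd template added in this commit dereferences `ansible_vpn0.ipv4.address`, the shape of a gathered interface fact; when facts are gathered the fact takes precedence and this line is dead, and when they are not the template fails on `.ipv4`, so the line should go and `ip_vpn0` alone should carry the overlay address. The same hunk leaves `# ip_vpn0: 172.16.1.3` commented out a few lines above the live `ip_vpn0: 172.16.1.3`, and carries the whole former gateway2 host as some twenty commented lines; dead entries belong in the README or an example file rather than in the inventory that is deployed. mullet's `ips` entry 37.218.241.208 and `egress_ip: 37.218.241.141` are distinct as the comment requires, so that part reads correctly.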