authorVarac <varac@leap.se>2017-07-18 21:04:29 +0200
committerVarac <varac@leap.se>2017-07-18 21:04:29 +0200
commit49ea117c038f34eff237081a5e43d2d5914a5c1e (patch)
treee6608439c0085f9488aa0300a843204d9d9b3ec6
parentdd5c2333c78c2c0956d4ac1e63ae9c43e2bb775f (diff)
Add openvpn service to ibex, new cert
-rw-r--r--files/ca/dh.pem19
-rw-r--r--files/cert/ci.leap.se.crt18
-rw-r--r--hiera/ibex.yaml121
-rw-r--r--nodes/ibex.json8
-rw-r--r--secrets.json2
5 files changed, 148 insertions, 20 deletions
diff --git a/files/ca/dh.pem b/files/ca/dh.pem
new file mode 100644
index 0000000..c3c1516
--- /dev/null
+++ b/files/ca/dh.pem
@@ -0,0 +1,19 @@
+-----BEGIN DH PARAMETERS-----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+-----END DH PARAMETERS-----
diff --git a/files/cert/ci.leap.se.crt b/files/cert/ci.leap.se.crt
index 703e5f8..cef23b5 100644
--- a/files/cert/ci.leap.se.crt
+++ b/files/cert/ci.leap.se.crt
@@ -1,8 +1,8 @@
-----BEGIN CERTIFICATE-----
-MIIF9zCCBN+gAwIBAgISA9kCtjuFf164UcjdnBD/7f3hMA0GCSqGSIb3DQEBCwUA
+MIIF9zCCBN+gAwIBAgISBCc2irfLZrl3QD8ru600RkbVMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
-ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA2MDgyMjAxMDBaFw0x
-NzA5MDYyMjAxMDBaMBUxEzARBgNVBAMTCmNpLmxlYXAuc2UwggIiMA0GCSqGSIb3
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA3MTgxODAyMDBaFw0x
+NzEwMTYxODAyMDBaMBUxEzARBgNVBAMTCmNpLmxlYXAuc2UwggIiMA0GCSqGSIb3
DQEBAQUAA4ICDwAwggIKAoICAQC9JM0dQyuX1nno1y3vb45R/U0e/dsFduslfADd
UQ9eIKasp2itVRG/iikSvYxUbFBtbzUqHboZQEY3bm7dQbJgfbv9kBKWwNuEyWar
gcjGhXJsBx8LhEsdutY19kPsWevM4ZPy3m1XY2QZHoBCgOAMVOSaZf+1qbvQpa8P
@@ -25,12 +25,12 @@ dHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlz
IENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcg
UGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmlj
YXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBv
-c2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAhCEZf9INAvZykNd0lL/SEg3UcAFn
-WThCr2QKoQSYaNrfi8F46OqRKvoVCddShztrC4NveRD/4xGKdPpF1X2XG5h9fQSs
-+mJ/gNjIiH3YJAgaOadcarC0RVVrC3zDwCZhWSTOWv3nX5QZJTGtrVKaK43IV9o5
-yscq6gCe0VwnpClf/fiGEtYLCVFxyKNBPchX84XRIaFA6mSMWHriOwYFbUOEdWwD
-cTAsDmDKdZZh+FonWxCO9xBqnyY4OdgqvhFXHLN+esQB3bkxtEZdg9c1kpmdhBZn
-26xPcorJh6tyo0qhoMi6y8q4SU9dikQqNCEQQiQcxsCV+yMrZKytWW5ZgA==
+c2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAPoVIo2EmLDl7O10uWgT5+EKo9XTE
+ja2hX2tWVIvRJE0Nekq0/ULYbYO/PiqsSIAuPaHxdlLB/8H0yn//lt1HhX5sosCS
+SPGienuqJgddlA/ck3boMzse/7UZZDkPYUA52kvQxGUF6hAPtndssUXQDe7SW6l4
+6c61hBtWQFKkylOA7xtNXSXPdEQanqIA7BDgn7rdns3CEpotUqeTcTCBKUct7rpo
+h0NlaXeK0ufQWkR47V01sJxZtKOf+chZ63Mc9apuBhMOUXrIi3rdwNgL5PW65cqB
+g32b0CiXAaPxiABU/mBj/kedm9pGUr+/fy0gb/Fv5pKas1h6NK9OnTtrUw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
diff --git a/hiera/ibex.yaml b/hiera/ibex.yaml
index a8e99d9..62ec2e6 100644
--- a/hiera/ibex.yaml
+++ b/hiera/ibex.yaml
@@ -47,6 +47,41 @@ couchdb_port: 5984
definition_files:
eip_service: |-
{
+ "gateways": [
+ {
+ "capabilities": {
+ "adblock": false,
+ "filter_dns": true,
+ "limited": false,
+ "ports": [
+ "1194",
+ "443",
+ "53",
+ "80"
+ ],
+ "protocols": [
+ "tcp",
+ "udp"
+ ],
+ "transport": [
+ "openvpn"
+ ],
+ "user_ips": false
+ },
+ "host": "ibex.ci.leap.se",
+ "ip_address": "37.218.247.97"
+ }
+ ],
+ "locations": {
+
+ },
+ "openvpn_configuration": {
+ "auth": "SHA1",
+ "cipher": "AES-128-CBC",
+ "keepalive": "10 30",
+ "tls-cipher": "DHE-RSA-AES128-SHA",
+ "tun-ipv6": true
+ },
"serial": 1,
"version": 1
}
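Review bot: The `openvpn_configuration` block added to `eip_service` pins `"cipher": "AES-128-CBC"` and a single control-channel suite, `"tls-cipher": "DHE-RSA-AES128-SHA"`, which are older CBC/SHA-1 choices with no AEAD option offered. If the OpenVPN server and the clients in use are 2.4 or later, an AEAD setting such as `"cipher": "AES-256-GCM"` with `"tls-cipher": "DHE-RSA-AES256-GCM-SHA384"` would be the stronger default. This definition is presumably what clients consume, so both ends would have to change together. The same values are repeated under `openvpn.configuration` in the `@@ -221,6 +268,38 @@` hunk. If hiera/ibex.yaml is compiled output, the change belongs in the provider configuration it is generated from.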
@@ -85,7 +120,8 @@ definition_files:
}
},
"services": [
- "mx"
+ "mx",
+ "openvpn"
]
}
smtp_service: |
@@ -157,6 +193,15 @@ firewall:
port: 22
to: "37.218.247.96"
stunnel: []
+ vpn:
+ from: "*"
+ port:
+ - "1194"
+ - 28171
+ - "443"
+ - "53"
+ - "80"
+ to: "37.218.247.97"
webapp:
from: "*"
port:
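Review bot: The new `vpn` port list mixes quoted strings with a bare integer (`- "1194"` next to `- 28171`), so anything that compares or joins these entries sees two types in one list. Writing the scramblesuit port as `- "28171"` would match its neighbours; if this file is generated, the fix is wherever that port is emitted as a number. The rule also accepts `from: "*"` on all five ports of 37.218.247.97, which looks intended for a public gateway but is worth confirming for 53 and 80. The `webapp` entry that follows continues outside the hunk.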
@@ -204,10 +249,12 @@ nagios:
domain_internal_suffix: ci.leap.i
environment: latest
ip_address: "37.218.247.96"
+ openvpn_gateway_address: "37.218.247.97"
services:
- couchdb
- monitor
- mx
+ - openvpn
- soledad
- webapp
ssh_port: 22
@@ -221,6 +268,38 @@ nickserver:
couchdb_port: 5984
domain: nicknym.ci.leap.se
port: 6425
+obfsproxy:
+ gateway_address: "37.218.247.97"
+ scramblesuit:
+ password: II4TKOKIONCUKS3HO5RFUZLCK5TXA6KY
+ port: 28171
+openvpn:
+ adblock: false
+ allow_free: false
+ allow_limited: false
+ allow_unlimited: true
+ configuration:
+ auth: SHA1
+ cipher: AES-128-CBC
+ fragment: 1500
+ keepalive: "10 30"
+ tls-cipher: DHE-RSA-AES128-SHA
+ tun-ipv6: true
+ filter_dns: true
+ gateway_address: "37.218.247.97"
+ limited_prefix: LIMITED
+ ports:
+ - "1194"
+ - "443"
+ - "53"
+ - "80"
+ protocols:
+ - tcp
+ - udp
+ rate_limit: ~
+ second_gateway_address: ~
+ unlimited_prefix: UNLIMITED
+ user_ips: false
platform:
major_version: "0.10"
version: "0.10"
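Review bot: `obfsproxy.scramblesuit.password` is committed here as a plaintext literal, and the same value is added again as `scramblesuit_password_ibex` in the secrets.json hunk (`@@ -15,6 +15,8 @@`), alongside other passwords and tokens visible in that hunk's context. If this value is meant to stay confidential, it should be treated as exposed once pushed: rotate it, and keep secrets.json and the compiled hiera output out of the shared repository or store them encrypted. If these are deliberately throwaway credentials for the CI environment, a short note in the commit description saying so would stop them being reused elsewhere.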
@@ -231,6 +310,7 @@ services:
- couchdb
- monitor
- mx
+ - openvpn
- soledad
- webapp
soledad:
@@ -447,6 +527,7 @@ webapp:
description: "Please donate."
name: free
services:
+ - eip
- email
x509:
ca_cert: |
@@ -606,10 +687,10 @@ x509:
commercial_ca_cert: ~
commercial_cert: |
-----BEGIN CERTIFICATE-----
- MIIF9zCCBN+gAwIBAgISA9kCtjuFf164UcjdnBD/7f3hMA0GCSqGSIb3DQEBCwUA
+ MIIF9zCCBN+gAwIBAgISBCc2irfLZrl3QD8ru600RkbVMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
- ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA2MDgyMjAxMDBaFw0x
- NzA5MDYyMjAxMDBaMBUxEzARBgNVBAMTCmNpLmxlYXAuc2UwggIiMA0GCSqGSIb3
+ ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA3MTgxODAyMDBaFw0x
+ NzEwMTYxODAyMDBaMBUxEzARBgNVBAMTCmNpLmxlYXAuc2UwggIiMA0GCSqGSIb3
DQEBAQUAA4ICDwAwggIKAoICAQC9JM0dQyuX1nno1y3vb45R/U0e/dsFduslfADd
UQ9eIKasp2itVRG/iikSvYxUbFBtbzUqHboZQEY3bm7dQbJgfbv9kBKWwNuEyWar
gcjGhXJsBx8LhEsdutY19kPsWevM4ZPy3m1XY2QZHoBCgOAMVOSaZf+1qbvQpa8P
@@ -632,12 +713,12 @@ x509:
IENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcg
UGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmlj
YXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBv
- c2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAhCEZf9INAvZykNd0lL/SEg3UcAFn
- WThCr2QKoQSYaNrfi8F46OqRKvoVCddShztrC4NveRD/4xGKdPpF1X2XG5h9fQSs
- +mJ/gNjIiH3YJAgaOadcarC0RVVrC3zDwCZhWSTOWv3nX5QZJTGtrVKaK43IV9o5
- yscq6gCe0VwnpClf/fiGEtYLCVFxyKNBPchX84XRIaFA6mSMWHriOwYFbUOEdWwD
- cTAsDmDKdZZh+FonWxCO9xBqnyY4OdgqvhFXHLN+esQB3bkxtEZdg9c1kpmdhBZn
- 26xPcorJh6tyo0qhoMi6y8q4SU9dikQqNCEQQiQcxsCV+yMrZKytWW5ZgA==
+ c2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAPoVIo2EmLDl7O10uWgT5+EKo9XTE
+ ja2hX2tWVIvRJE0Nekq0/ULYbYO/PiqsSIAuPaHxdlLB/8H0yn//lt1HhX5sosCS
+ SPGienuqJgddlA/ck3boMzse/7UZZDkPYUA52kvQxGUF6hAPtndssUXQDe7SW6l4
+ 6c61hBtWQFKkylOA7xtNXSXPdEQanqIA7BDgn7rdns3CEpotUqeTcTCBKUct7rpo
+ h0NlaXeK0ufQWkR47V01sJxZtKOf+chZ63Mc9apuBhMOUXrIi3rdwNgL5PW65cqB
+ g32b0CiXAaPxiABU/mBj/kedm9pGUr+/fy0gb/Fv5pKas1h6NK9OnTtrUw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
@@ -718,6 +799,26 @@ x509:
+6TpJJd8JETQb6yItIBs5/MfSGIKoydj21UY8+jh0/vwd0xBjfdzP+wj+n6yd9jn
Jqieey5xCNZkz92PfirrbBmokf4eTfbh74tuS0emN9WqK4g6zoJDo8PO6Jk=
-----END RSA PRIVATE KEY-----
+ dh: |
+ -----BEGIN DH PARAMETERS-----
+ MIIDDQKCAYEAhIcg0xhUusSNbrAdDVJU+YZ/O83CLcCf38lJdG8rrqzRacjGzxKM
+ 1godXXDqJIv3EVeDtYqITkZN6gOMC4DQratPyLPuXxllj820SesEiWgNdl8/lyp4
+ Jh8bB8zd68yY4Sl2dUka5OVibdZnsbgoKleImVwwaeAvZSECYlhV6HKQNyK+bMja
+ EJeR88xaJsLelNixO+NMLqvIoTj24qOc3A5np2YOfsHtmFb1scBP5Jh/t5hOz+/V
+ MAy0fRzW81ZFgrV/JMBBM/YweOtRifks2jay3dGpa7tWpAGo78BIPQWg0F4ajhI0
+ 4+wwBpymJR/paiIvh5VEx+dEdVzD39rWWfuplZyHLtJgwx49lkQGXJjHHeTXvwji
+ uvIS5kcEKhQioud+alYY+lJcCEmHUuDBikPSyPmJVNeDd9cRvjuD2MQv/L+iZ8IN
+ yPcB+TTgqZaDWOWIe6sqyG7vGg+P5rtswRZPA/7YSrdOt2hKqmErGPKHL41bQUu4
+ v/CTD/xf5pWfAoIBgDYUElLXOy90o+SyYC9e0ZnHFWcej1Wqy3FdT3dm509/FNf2
+ jQB/XOVu865FenX5GiDSJAFw4wu41Ibx4aHIA7gfBXVyswvLj7R4cDBxQxIUG9tf
+ 8qL53Gr8e+vTGgl/cUVY7FcSDxzekPdlo1qBkVFSBtgLOlctfbLv0ZKnMwbZp/QZ
+ f8cIc3UA/2fBmoC6yDNSjPD41mxZtJAbZmYdQnntOV30PRv2cxrUpSVPOyUFtdS2
+ wa1wIVFQPHca/Gucw5z6VFxTmmp3Je9oUgAFfIKMaRnRdDENNwX9GkzYTEoH5HsH
+ AvUtpItBDEy+4ZSTOYX/YRI//3ZCkbRAlEjxfBGM6Jxsm2rRAUT68sL0Mt++nAFu
+ 70dlbHIRRYRsHpXJ58vrEyzyeeaHzcWVMjYPekIGPx6pU0Eqg8raQj0LV836AWZ4
+ bVSahHkSKkhg95DQzV9eymfx/wW6LXZvZx2fAdmPxhRIOzW5pUtqpLdg770EFUMk
+ FoGN5pOkPzDkzERtDwICAQA=
+ -----END DH PARAMETERS-----
key: |
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEArwsEh0vom2fDDhPqs8XZExo/mgWqzsuMQjGWdCwiyhe3pPlB
diff --git a/nodes/ibex.json b/nodes/ibex.json
index 9841ae8..21d7be7 100644
--- a/nodes/ibex.json
+++ b/nodes/ibex.json
@@ -1,11 +1,17 @@
{
"ip_address": "37.218.247.96",
+ "openvpn": {
+ "gateway_address": "37.218.247.97",
+ "allow_free": false,
+ "filter_dns": true
+ },
"tags": ["latest"],
"services": [
"couchdb",
"soledad",
"webapp",
"mx",
- "monitor"
+ "monitor",
+ "openvpn"
]
}
diff --git a/secrets.json b/secrets.json
index 95ecbbb..1b0e369 100644
--- a/secrets.json
+++ b/secrets.json
@@ -15,6 +15,8 @@
"couch_webapp_password_salt": "aed0aec852ef37a68a6c094234dee647",
"nagios_admin_password": "FpSg3XZsWExCr9LutSaqxcW8tCNswJR8",
"nagios_test_password": "3B5JwXJCKxuQhQhkvxfbz2u8naBSsje5",
+ "scramblesuit_password_ibex": "II4TKOKIONCUKS3HO5RFUZLCK5TXA6KY",
+ "scramblesuit_port_ibex": 28171,
"webapp_secret_key_base": "hegWFhb7kBgaPRefPDP3RDyZYasMT3T7",
"webapp_secret_token": "JBZXpeg7vgLaznqhWZkVNRpMHPeSKvSn"
}