\n ![\"Automate](\"https://raw.githubusercontent.com/jlund/streisand/master/logo.jpg\"){kind=logo}
\n
\n \n
\n \n
\n \n
\r\n\tRechercher **Inscriptions d’applications** dans la barre de recherche et sélectionnez le premier résultat.
\r\n\tSélectionnez **Inscriptions d’applications**.
\r\n\tRemplissez le formulaire:\r\n\r\n\t\tName: StreisandAuth\r\n\t\tApplication type: Web app / API\r\n\t\tSign-on URL: http://StreisandAuth\r\n\r\n* Assurez que l'application peut créer des instances Azure ( [guide visuel](https://docs.microsoft.com/fr-fr/azure/azure-resource-manager/resource-group-create-service-principal-portal#assign-application-to-role) )
\r\n\tRechercher **Abonnements** dans la barre de recherche et sélectionnez le premier résultat.
\r\n\tChoisissez l'abonnement souhaité.
\r\n\tSélectionnez **Access control (IAM)** à partir du menu nouvellement ouvert.
\r\n\tAjouter:\r\n\r\n\t\tRole: Contributor\r\n\t\tSelect: StreisandAuth\r\n\r\nAutorisations\r\n-------------\r\nEmplacement du fichier:\r\n\r\n\t\t~/.azure/credentials\r\n\r\nFormat du fichier ( [source](https://docs.ansible.com/ansible/guide_azure.html#storing-in-a-file) ).\r\n\r\n\t\t[default]\r\n\t\tsubscription_id=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\n\t\tclient_id=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\n\t\tsecret=xxxxxxxxxxxxxxxxx\r\n\t\ttenant=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\n\r\nRemplacez le motif **xxxxx** par les valeurs obtenues en suivant les étapes ci-dessous.\r\n\r\n* Obtenir le **subscription_id**
\r\n\tRechercher pour **Subscriptions** à partir du menu nouvellement ouvert.
\r\n\tL'ID de l'abonnement sera dans la deuxième colonne du tableau des abonnements.\r\n\r\n* Obtenir le **client_id** ( [guide visuel](https://docs.microsoft.com/fr-fr/azure/azure-resource-manager/resource-group-create-service-principal-portal#get-application-id-and-authentication-key) )
\r\n\tRechercher pour **App registrations** à partir du menu nouvellement ouvert.
\r\n\tSélectionnez votre application dans la liste: **StreisandAuth**.
\r\n\tLe client_id est le [Guid](https://en.wikipedia.org/wiki/Universally_unique_identifier) sous **Application ID**.
\r\n\r\n* Obtenir le **secret** ( [guide visuel](https://docs.microsoft.com/fr-fr/azure/azure-resource-manager/resource-group-create-service-principal-portal#get-application-id-and-authentication-key) )
\r\n\tRechercher pour **App registrations** à partir du menu nouvellement ouvert.
\r\n\tSélectionnez votre application dans la liste: **StreisandAuth**.
\r\n\tSélectionnez **Keys** à partir du menu nouvellement ouvert à droite.
\r\n\tCréer une nouvelle clé:\r\n\r\n\t\tKey description: streisand\r\n\t\tDuration: Never expires\r\n\tLa clé secrète sera générée après la sauvegarde.\r\n\r\n* Obtenir le **tenant** ( [guide visuel](https://docs.microsoft.com/fr-fr/azure/azure-resource-manager/resource-group-create-service-principal-portal#get-tenant-id) )
\r\n\tRechercher pour **Azure Active Directory** à partir du menu nouvellement ouvert.
\r\n\tFaites défiler vers le bas et sélectionnez **Properties** à partir du menu nouvellement ouvert à gauche.
\r\n\tLe locataire est le Guid sous **Directory ID**.
\r\n\r\nProblèmes possibles et dépannage\r\n--------------------------------\r\n* You cannot register an application (Vous ne pouvez pas enregistrer une application)
\r\n\tRechercher pour **Azure Active Directory** à partir du menu nouvellement ouvert.
\r\n\tDans le menu gauche résultant, sélectionnez \"User settings\".
\r\n\tAssurez-vous que **App registrations** sont réglés sur **Yes**.\r\n" }, { "path": "documentation/AZURE.md", "content": "Azure credential and setup\r\n==========================\r\n\r\n- - -\r\n[English](AZURE.md), [Français](AZURE-fr.md)\r\n- - -\r\n\r\nSetup\r\n-----\r\n* Create an application ( [visual guide](https://docs.microsoft.com/en-in/azure/azure-resource-manager/resource-group-create-service-principal-portal#create-an-active-directory-application) )
\r\n\tSearch for **App registrations** in the top search bar and select the first result.
\r\n\tSelect **New application registration**.
\r\n\tFill in the application form:\r\n\r\n\t\tName: StreisandAuth\r\n\t\tApplication type: Web app / API\r\n\t\tSign-on URL: http://StreisandAuth\r\n\r\n* Ensure that the application can create Azure instances ( [visual guide](https://docs.microsoft.com/en-in/azure/azure-resource-manager/resource-group-create-service-principal-portal#assign-application-to-role) )
\r\n\tSearch for **Subscriptions** in the top search bar and select the first result.
\r\n\tChoose the desired subscription.
\r\n\tSelect **Access control (IAM)** from the newly opened menu.
\r\n\tAdd:\r\n\r\n\t\tRole: Contributor\r\n\t\tSelect: StreisandAuth\r\n\r\nCredentials\r\n-----------\r\nFile location:\r\n\r\n\t\t~/.azure/credentials\r\n\r\nFile format ( [source](https://docs.ansible.com/ansible/guide_azure.html#storing-in-a-file) ).\r\n\r\n\t\t[default]\r\n\t\tsubscription_id=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\n\t\tclient_id=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\n\t\tsecret=xxxxxxxxxxxxxxxxx\r\n\t\ttenant=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\n\r\nReplace the **xxxxx** pattern with the values obtained by following the below steps.\r\n\r\n* Get the **subscription_id**
\r\n\tSearch for **Subscriptions** in the top search bar and select the first result.
\r\n\tThe subscription ID will be in the second column of the subscriptions table.\r\n\r\n* Get the **client_id** ( [visual guide](https://docs.microsoft.com/en-in/azure/azure-resource-manager/resource-group-create-service-principal-portal#get-application-id-and-authentication-key) )
\r\n\tSearch for **App registrations** in the top search bar and select the first result.
\r\n\tSelect your application from the list: **StreisandAuth**.
\r\n\tThe client_id is the [Guid](https://en.wikipedia.org/wiki/Universally_unique_identifier) under **Application ID**.
\r\n\r\n* Get the **secret** ( [visual guide](https://docs.microsoft.com/en-in/azure/azure-resource-manager/resource-group-create-service-principal-portal#get-application-id-and-authentication-key) )
\r\n\tSearch for **App registrations** in the top search bar and select the first result.
\r\n\tSelect your application from the list: **StreisandAuth**.
\r\n\tSelect **Certificates & secrets** from the newly opened menu on the left.
\r\n\tSelect **New client secret** under **Client secrets**.
\r\n\tCreate a new key:\r\n\r\n\t\tKey description: streisand\r\n\t\tDuration: Never expires\r\n\tThe secret key will be generated after saving.\r\n\r\n* Get the **tenant** ( [visual guide](https://docs.microsoft.com/en-in/azure/azure-resource-manager/resource-group-create-service-principal-portal#get-tenant-id) )
\r\n\tSearch for **Azure Active Directory** in the top search bar and select the first result.
\r\n\tScroll down and select **Properties** from the newly opened left menu.
\r\n\tThe tenant is the Guid under **Directory ID**.
\r\n\r\nPossible issues and troubleshooting\r\n-----------------------------------\r\n* You cannot register an application
\r\n\tSearch for **Azure Active Directory** in the top search bar and select the first result.
\r\n\tIn the resulting left menu select \"User settings\".
\r\n\tEnsure that **App registrations** is set to **Yes**.\r\n" }, { "path": "documentation/SOURCES.md", "content": "# Source of packages installed\r\n\r\n## From APT\r\n\r\n- Ubuntu standard repositories\r\n - [Streisand Common Packages](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/common/vars/main.yml)\r\n - [`bind`](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/dnsmasq/tasks/main.yml)\r\n - [`dnsmasq`](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/dnsmasq/tasks/main.yml)\r\n - [Libreswan Compilation Dependencies](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/l2tp-ipsec/vars/main.yml)\r\n - [OpenConnect Dependencies](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/openconnect/vars/main.yml)\r\n - [Shadowsocks Dependencies](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/shadowsocks/vars/main.yml)\r\n - [`sslh`](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/sslh/tasks/main.yml)\r\n - [`stunnel4`](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/stunnel/tasks/main.yml)\r\n - [`tinyproxy`](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/tinyproxy/tasks/main.yml)\r\n - [`ufw`](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/ufw/tasks/main.yml)\r\n- from 3rd party repositories:\r\n - [`nginx` (from nginx.org)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/nginx/tasks/main.yml)\r\n - [`obbfs4proxy` (from deb.torproject.org)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/tor-bridge/tasks/main.yml)\r\n - [Wireguard Packages (from wireguard PPA)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/wireguard/tasks/install.yml)\r\n - [Acmetool (from PPA)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/lets-encrypt/tasks/install.yml)\r\n\r\n## Source\r\n- [Libreswan](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/l2tp-ipsec/vars/main.yml)\r\n- [OpenConnect](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/openconnect/vars/main.yml)\r\n- [OpenVPN (from build.openvpn.net)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/openvpn/vars/mirror.yml)\r\n- [Shadowsocks (from github.com/shadowsocks)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/shadowsocks/tasks/main.yml)\r\n- [Shadowsocks Simple-obfs (from github.com/shadowsocks-simpleobfs)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/shadowsocks/tasks/simple-obfs.yml)\r\n\r\n\r\n# Source of all clients mirrored\r\n\r\n- Android\r\n - [Shadowsocks (from github.com/shadowsocks)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/shadowsocks/vars/mirror.yml)\r\n- Linux\r\n - [Shadowsocks (from github.com/shadowsocks)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/shadowsocks/vars/mirror.yml)\r\n - [Tor Browser (from dist.torproject.org)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/tor-bridge/vars/mirror-common.yml)\r\n- macOS\r\n - [Tunnelblick (from tunnelblick.net)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/openvpn/vars/mirror.yml)\r\n - [Shadowsocks (from github.com/shadowsocks)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/shadowsocks/vars/mirror.yml)\r\n - [Tor Browser (from dist.torproject.org)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/tor-bridge/vars/mirror-common.yml)\r\n- Windows\r\n - [OpenVPN (from build.openvpn.net)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/openvpn/vars/mirror.yml)\r\n - [Shadowsocks (from github.com/shadowsocks)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/shadowsocks/vars/mirror.yml)\r\n - [Shuttle (from github.com/sshuttle)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/streisand-mirror/vars/ssh.yml)\r\n - [Stunnel (from stunnel.org)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/stunnel/vars/mirror.yml)\r\n - [Putty (from the.earth.li)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/streisand-mirror/vars/ssh.yml)\r\n - [Tor Browser (from dist.torproject.org)](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/tor-bridge/vars/mirror-common.yml)\r\n" }, { "path": "documentation/certificates.md", "content": "Streisand PKI\n=============\n\nStreisand includes a role responsible for PKI certificate generation,\nseparated into three heirarchical tasks:\n\n```\nCA/Server\n \\__ CA Certificate\n \\__ Server certificate\n \\__ Client (1..n)\n \\__ Client PKCS (1..n)\n \n```\n\nCA/Server\n---------\nGuarded by `generate_ca_server: yes`\n\nGenerate a certificate authority, and a server \ncertificate signed by the newly minted certificate authority.\n\nClient\n------\nGenerate client certificates using the CA from `generate_ca_server: yes`. \nThese client certificates can be used by VPN clients to authenticate with \nVPN services on the server.\n\nClient (PKCS#11 format)\n-----------------------\nGuarded by `generate_pkcs: yes`\n\nAlso convert client certificates into PKCS#12 format.\n\nInfrastructure\n--------------\n\nNote: Each VPN service that invokes the certificates role will generate it's own \ndistinct public key infrastructure.\n\nThe overall Streisand PKI infrastructure assumes the following structure:\n\n```\nWeb Root CA: \n \\__ gateway HTTPS cert (unless Let's Encrypt; see below)\n\nOpenConnect CA: \n \\__ OpenConnect server cert\n \\__ OpenConnect client 1\n \\__ OpenConnect client ...\n \\__ OpenConnect client n\n\nOpenVPN CA: \n \\__ OpenVPN server cert\n \\__ OpenVPN client 1\n \\__ OpenVPN client ...\n \\__ OpenVPN client n\n\nISRG X1:\n \\__ Let's Encrypt Authority X3\n \\__ streisand.example.com HTTPS cert\n``` \n\nUsage\n-----\n\nThe `certificates` role can be invoked as follows (using OpenVPN as an example, with variables expanded for brevity):\n\n```\n- include_role:\n name: certificates\n vars:\n ca_path: \"/etc/openvpn\"\n tls_ca: \"/etc/openvpn/ca\"\n tls_client_path: \"/etc/openvpn\"\n generate_ca_server: yes \n generate_client: yes\n tls_request_subject: \"/C=US/ST=California/L=Beverly Hills/O=ACME CORPORATION/OU=Anvil Department\"\n tls_server_common_name_file: \"/etc/openvpn/openvpn-common-name.txt\"\n tls_sans: # sets the Subject Alternative Name(s) attribute(s)\n - \"1.2.3.4\"\n - \"5.6.7.8\"\n```\n\nNote the following flags:\n - `generate_ca_server: yes`\n - `generate_client: yes`\n - `generate_pkcs: yes`\n\n These must be made explicit, as the default value is `no`; certificates should not be generated unless\n they have to be.\n\nThe certificates role makes certain assumptions with regards to default values,\nall of which can be inspected [here](https://github.com/StreisandEffect/streisand/blob/master/playbooks/roles/certificates/defaults/main.yml).\n\n" }, { "path": "documentation/localization_howto.md", "content": "Localizing Streisand in your language\n=====================================\n\nOne of the most unique aspects of the Streisand project are the\ndetailed and customized instructions that it generates for each\nof the VPN services it provides. The instructions are hosted\non a password protected website allowing them to be easily shared\namong fellow users. This can help in removing ambiguity in how \ncertain services need to be set up and can be easily updated as\nStreisand evolves.\n\nScope\n-----\n\nThe best place to focus localization efforts is on user facing\ncontent, as opposed to developer content.\n\nFor example, documentation that can help a user navigate the particularities of certain\ncloud providers (account setup, permissions, etc...) are good candidates for localization.\n\nOn the other hand, translation of developer oriented texts, such as Ansible \ntask names isn't needed at this time.\n\nLanguage codes\n--------------\n\nFor simplicity, it is preferable to use 2 character language codes (fr -> French, ar -> Arabic),\nas defined by [ISO 631-1](https://en.wikipedia.org/wiki/ISO_639). For certain locales such as\nChinese vs Simplified Chinese, 3 character codes are also acceptable.\n\nFilename conventions\n--------------------\n\nIn order to differentiate a localized file, append the lowercase language code after the\nfilename with a 'dash' symbol (e.x. README-fr.md for a README localized in French).\n\nPoint of reference\n------------------\n\nWhen translating, English should be considered the point of reference to translate *from*.\n\nREADMEs and Documentation\n-------------------------\n\nThe interaction with Streisand for an end user would be first visiting the project README,\nwhere all the necessary steps one would need to set up their computing environment are\ndetailed, as well as a listing of all the VPN services provided by Streisand.\n\nUnlike Streisand's instructions markdown template files, READMEs and documentation are\northogonal to Streisand being able to successfully build. As a consequences, it is possible\nto have READMEs and documentation in more languages than Streisand builds documentation with.\n\nDefining locales\n----------------\n\nIn order to define a locale for Streisand, a new entry defining your language must be\nadded to the `streisand_languages` dict object in the `playbooks/roles/common/vars/main.yml` file,\nwhere the 2 letter code is considered the key, and a list of key-value pairs with additional data\nas its value.\n\nFor example:\n\n```\nstreisand_languages:\n en:\n file_suffix: \"\"\n language_name: \"English\"\n tor_locale: \"en-US\"\n fr:\n file_suffix: \"-fr\" # appends to the end of a file name\n language_name: \"Français\" # name of the language in the language itself\n tor_locale: \"fr\" # edge case for Tor \n```\n\nLocalizing gateway instructions\n-------------------------------\n\nThe following roles contain user instructions that will require translation:\n\n - `playbooks/roles/openconnect/templates`\n 1. `instructions.md.j2`\n 1. `mirror.md.j2`\n\n - `playbooks/roles/openvpn/templates`\n 1. `instructions.md.j2`\n 1. `stunnel-insructions.md.j2`\n 1. `mirror.md.j2`\n\n - `playbooks/roles/shadowsocks/templates`\n 1. `instructions.md.j2`\n 1. `mirror.md.j2`\n\n- `playbooks/roles/ssh-forward/templates`\n 1. `instructions.md.j2`\n 1. `mirror.md.j2`\n\n - `playbooks/roles/streisand-gateway/templates`\n 1. `index.md.j2`\n 1. `instructions.md.j2`\n 1. `firewall.md.j2`\n\n - `playbooks/roles/streisand-mirror/templates`\n 1. `mirror-index.md.j2`\n\n - `playbooks/roles/stunnel/templates`\n 1. `mirror.md.j2`\n\n - `playbooks/roles/tor/templates`\n 1. `instructions.md.j2`\n 1. `mirror.md.j2`\n\n - `playbooks/roles/wireguard/templates`\n 1. `instructions.md.j2`\n\nLanguage selection in generated pages\n-------------------------------------\n\nBy default, Streisand's common header file contains language selection links\n(generated using the `streisand_languages` dict). For most pages the header with\nlanguage selection links will be included automatically. Certain edge cases \ndo exist where a jinja2 code block is explicitly needed with the generated html filename.\n\nThese edge case files maybe all reside with the `streisand-gateway` role:\n\n - `firewall.md.j2`\n - `index.md.j2`\n - `instructions.md.j2`\n\n```\n- - -\n{% for key, value in streisand_languages.items() %}\n [{{ value.language_name }}]({{ streisand_server_name }}-*generated-html-file-name*{{ value.file_suffix }}.html) \n{% endfor %}\n- - -\n```\n\nThe HTML filename can be recovered by looking at the relevant Ansible task that generates the\ntemplate.\n\nEnd user considerations\n-----------------------\n\nWhile we aim to have as-close-to-the-original-source translations, linguistic differences in\nexpressions should be taken into consideration when it makes sense.\n\nA non-technical example would be a the following\nexpression in English: \"the straw that broke the camel's back\".\nA literal translation into French\nwould give: \"la paille qui a cassé le dos du chameau\", however contextually\na similar expression exists in French: \"C'est la goutte d'eau qui fait déborder le vase\"\n(it's the drop of water that made the vase overflow). Different translations,\nsame meaning. In this case, the latter would be the 'ideal' translation, as it makes more sense\nto a native speaker of that language.\n\nAnother aspect to consider is what language an end-user's device is set to.\nIt is best to have a device nearby set in the same language, where you can see exactly what is\ndisplayed in particular menus and use those same exactly what is displayed.\n\nIt's worth noting that not all software available in app stores or otherwise are localized\nin your language of choice, and many are English only. In this case, it would be sufficient to use\nthe same English texts, and should you choose, adjacent to it between parenthesis a translation of\nthe aforementioned text.\n\nIn the case where you aren't in possession of a particular device, a best-effort\napproach is also acceptable.\n" }, { "path": "documentation/modular_roles.md", "content": "Modular Roles\n===============\n\nStreisand includes many services in an out-of-box install. This helps make\ncensorship resistance as easy as possible. In a hostile network environment the\nprotocols/services that are blocked can vary & change overnight. With many\nchoices available for connecting through a Streisand instance to clear Internet\nthere is likely always a choice that will work!\n\nFor use cases less focused on censorship resistance this \"kitchen sink of\nservices\" approach has two large downsides: many moving parts & a very large\nexternally facing attack surface.\n\nThe solution: Allowing users to selectively disable Streisand services they\ndon't require, creating custom profiles that suits their needs.\n\nThe challenge: Streisand was initially designed as a monolithic deploy. That is,\nthe Ansible roles responsible for each service inter-depend on one another. To\nenable picking and choosing Streisand services while minimizing spaghetti\ncomplexity it's necessary to eliminate cross-role dependencies.\n\nThis document aims to be a roadmap for converting roles to be stand-alone and\nsuitable for the goal of modularizing included services. As a concrete example\nthis document will discuss the Shadowsocks role, the first role that has been\nconverted to this style.\n\nRough Plan\n----------\n\n**Note**: _This is all subject to change as discussion/experience unfolds!_\n\n1. One role at a time, convert it to be stand alone (e.g. create its own\n firewall rules, do its own client mirroring, etc).\n2. Add an enable flag variable for the role, default to on (e.g. Streisand by\n default remains ship-it-all-by-default).\n3. Once all roles are converted, add infrastructure for selecting roles (helper\n script modifications).\n4. Discuss which roles should be enabled by default to perhaps pare down the\n base install.\n5. Update this documentation.\n\nImplementation\n--------------\n\nEach service has an enable bool variable defined in `playbooks/group_vars/all` to\ncontrol whether the service is going to be included or not. E.g.\n`streisand_shadowsocks_enabled: yes` would include Shadowsocks when provisioning\na server.\n\nEvery Streisand service has to handle the following responsibilities:\n\n* Installing & setting up server software/configurations.\n* Updating firewall rules/access controls.\n* Generating client connection instructions & config files.\n* Mirroring client software.\n\nFor the purpose of connection instructions & client software each service has\ntwo directories it must create & populate:\n\n* One in `/var/www/streisand/` for connection instructions.\n* One in `var/www/streisand/mirror/` for client mirroring.\n\nBoth directories should contain an `index.html` for the available Streisand\nlanguages.\n\nSince responsibilities between services are similar, the self-contained roles\nshould have roughly the same structure (minimized for brevity):\n\n```\nservice/\n├── meta\n│ └── main.yml\n├── tasks\n│ ├── main.yml\n│ ├── docs.yml\n│ ├── firewall.yml\n│ └── mirror.yml\n└── vars\n ├── main.yml\n └── mirror.yml\n```\n\n* `meta/main.yml` is used for declaring dependencies (e.g. on `ufw` for\n firewall rules). Nothing special there!\n\n* `tasks/main.yml` handles the base responsibilities of installing\n software/configs etc. and includes the subtask files: `docs.yml`,\n `firewall.yml` and `mirror.yml`.\n\n* `tasks/docs.yml` handles generating connection instructions for the service\n under its documentation root.\n\n* `tasks/firewall.yml` handles adding `ufw`/`iptables` rules as required by the\n service.\n\n* `tasks/mirror.yml` handles downloading client software to the service's mirror\n root and generating any required client install documentation.\n\n* `vars/main.yml` are the variables required for the service's configuration/etc.\n\n* `vars/mirror.yml` are mirror-specific variables (client software versions,\n download URLs, expected hashes/signatures, etc)\n\nFor Shadowsocks, initially the `ufw` role was responsible for adding a firewall\nrule for the `shadowsocks-libev` port. This created a cross-role dependency\nwhere if the `shadowsocks` role was disabled the `ufw` role would open a port\nunnecessarily, or reference a variable that didn't exist. \n\nTo remove this cross-dependency the `shadowsocks` role was updated to declare\na meta dependency on the generic firewall role (to ensure the package is\ninstalled and ready) in `meta/main.yml`. Then a `tasks/firewall.yml` subtask\nfile was added that uses `ufw` to add the required rules.\n\nSimilarly, the initial `streisand-mirror` role downloaded all of the\nShadowsocks clients for the mirror using a distinct tasks `.yml` with its own\nvariables `.yml`. This made it fairly easy to move the mirror subtasks from\n`streisand-mirror/tasks/shadowsocks.yml` to\n`shadowsocks/tasks/mirror.yml` and `streisand-mirror/vars/shadowsocks.yml` to\n`shadowsocks/vars/mirror.yml`. Now the `shadowsocks` role can be responsible for\npreparing its own client mirror.\n\nGateway & Mirror Indices\n------------------------------\n\nWhile the Gateway & Mirror documentation can be largely agnostic of which\nservices are included in a given build by outsourcing the management of\nsubfolders of `/var/www/streisand` and `/var/www/streisand/mirror` eventually\na consistent set of docs to navigate must be created based on the included\nservices. This is done by conditionally adding links to the connection\ninstruction & mirror indices of each subservice using the enable bool variables\nin the docs and mirror index files. This is the one place where the \"if\nspaghetti\" is required in order to stitch things together.\n\nAs a concrete example, consider the `shadowsocks` role. Previously the\n`streisand-gateway` and `streisand-mirror` roles were responsible for all\naspects of the Shadowsocks documentation & mirroring.\n\nNow, the `shadowsocks` role creates a `/var/www/streisand/shadowsocks/`\ndirectory and generates an `index.html` in there with connection instructions.\nSimilarly, the client software is mirrored to\n`/var/www/streisand/mirror/shadowsocks/` and an `index.html` is generated in\nthere to list the available clients & their installation instructions.\n\nThe `playbooks/roles/streisand-gateway/templates/index.md.j2` index template can\nconditionally generate a link to the installation instructions:\n\n```\n{% if streisand_shadowsocks_enabled %}\n* [Shadowsocks](/shadowsocks/)\n{% endif %}\n```\n\nSimilarly, the index can conditionally generate a link to the service client mirror:\n\n```\n{% if streisand_shadowsocks_enabled %}\n* [Shadowsocks](/mirror/shadowsocks/)\n{% endif %}\n```\n\nThe same approach is taken in the mirror index template:\n`playbooks/roles/streisand-mirror/templates/mirror-index.md.j2`.\n\nCommon Daemon Config\n------------------------\n\nSome Streisand services have to modify base daemon configurations in order to\nprovide services like DNS/DHCP to interfaces they create. Where possible we\nshould strive to avoid having centralized \"monolith\" configurations and instead\nuse the \"config.d/\" approach to allow modular configuration of these shared\ndaemons. The [original usecase](https://lists.debian.org/debian-devel/2010/04/msg00352.html)\nfor these directories closely matches the situation Streisand is in:\n\n Once upon a time, most UNIX software was controlled by a single\n configuration file per software package, and all the configuration details\n for that package went into that file. This worked reasonably well when\n that file was hand-crafted by the system administrator for local needs.\n\n When distribution packaging became more and more common, it became clear\n that we needed better ways of forming such configuration files out of\n multiple fragments, often provided by multiple independent packages. Each\n package that needs to configure some shared service should be able to\n manage only its configuration without having to edit a shared\n configuration file used by other packages.\n\n The most common convention adopted was to permit including a directory\n full of configuration files, where anything dropped into that directory\n would become active and part of that configuration.\n\nA concrete example of this common daemon problem is the `dnsmasq` service/role\nand its interactions with the `wireguard` and `openvpn` roles. Prior to\nmodularization the `dnsmasq` role made sure the daemon listened on all required\nintefaces by having one `/etc/dnsmasq.conf` config file generated by the\n`dnsmasq` role's `dnsmasq.conf.j2` template. The template had one\n`listen-address` configuration parameter that listed all of the interface\naddresses in a comma-separated form:\n\n```\nlisten-address=127.0.0.1,{{ dnsmasq_openvpn_tcp_ip }},{{ dnsmasq_openvpn_udp_ip }},{{ dnsmasq_wireguard_ip }}\n```\n\nThis meant that if the `openvpn` or `wireguard` roles were disabled/removed the\ntemplate for the `dnsmasq` config would fail due to the missing variables.\n\nThe approach used to fix this was to have the base `/etc/dnsmasq.conf` file\nspecify only `listen-address=127.0.0.1` and update the `openvpn` and `wireguard`\nroles to write their own `listen-address` fragments from a template to their own\nconfig files in `/etc/dnsmasq.d/`. Now the `dnsmasq` role is decoupled from the\n`openvpn` and `wireguard` roles that can be added/removed at will.\n\n" }, { "path": "documentation/testing.md", "content": "CI Testing\n==========================\n\nStreisand has a `.travis.yml` file that powers [continuous integration\ntests](https://travis-ci.org/jlund/streisand). It works by installing required\ntest tools (e.g. shellcheck) and an Ansible environment on a Ubuntu Trusty\n(14.04) machine.\n\nThe `test.sh` wrapper script\n--------------------------------\n\nThe `test/test.sh` wrapper script is invoked to perform tests and supports\nan argument for specifying what actions should be taken. The following are\nsupported arguments:\n\n* **\"setup\"** prepares the local environment for running a Streisand\n [LXC](https://linuxcontainers.org/lxc/introduction/) instance. The instance\n is managed via [LXD](https://linuxcontainers.org/lxd/).\n\n* **\"syntax\"** checks the Streisand playbooks for Ansible syntax errors.\n\n* **\"run\"** runs the CI tests. It assumes the local environment is already\n prepared from a previous \"setup\" run.\n\n* **\"ci\"** combines \"setup\" and \"run\".\n\n* **\"full\"** performs the same as \"ci\" but additionally adds verbose output to\n the Ansible run. This is very verbose but can be useful for diagnosing\n tricky broken builds.\n\n* By **default** the wrapper will run \"syntax\".\n\nWorking around things that won't work in Travis\n-----------------------------------------------\n\nSome playbooks/tasks can't be run in CI because of limitations imposed by the\ncontainerization or Travis. One example of this is installing a Tor relay. To\nwork around this playbooks/tasks that break in CI can be gated on the\n`streisand_ci` variable, which is `true` only for CI runs. Where possible it's\nbest to minimize the use of this variable for conditional execution because we\nwant as much code to be tested as possible!\n\nKernel Modules\n---------------------\n\nBy design LXC containers share the Linux kernel they use with the host machine.\nThis means playbooks/services that require a kernel module (e.g. Libreswan) must\nbuild the kernel module on the host machine.\n\n\nLocal Testing\n==========================\n\nFor local testing Streisand includes a `Vagrantfile` that creates two virtual\nmachines: `streisand-host` and `streisand-client`.\n\nThe `streisand-host` machine is provisioned with the standard Streisand\nplaybooks and replicates a Streisand server created with a cloud provider, but\nrunning on your local computer.\n\nNote that a throwaway SSH key pair is created in the `streisand-host` virtual\nmachine in the location specified in the Anisible variable\n`streisand_ssh_private_key`. This is not needed to SSH into the virtual machine\nusing `vagrant ssh streisand-host` and is only used by the provisioning process.\n\nThe `streisand-client` machine is provisioned specifically to act as a client of\nthe `streisand-host`. It connects to the `streiand-host`'s HTTPS gateway to\ndownload client configuration files that are used by test scripts to ensure that\nservices work \"end-to-end\".\n\nUsing Vagrant for Local Testing\n-------------------------------\n\n1. [Install Vagrant](https://www.vagrantup.com/docs/installation/)\n2. Clone the Streisand repository and enter the directory.\n\n git clone https://github.com/StreisandEffect/streisand.git && cd streisand\n3. If this is your first time following these steps, create & start the\n `streisand-host` and `streisand-client` virtual machines with:\n\n `vagrant up`\n4. To re-run the Streisand playbooks, the virtual machines can be re-provisioned\n with:\n\n `vagrant up --provision`\n\nRemote Testing\n==========================\n\nFor testing an existing Streisand server there is a `Vagrantfile.remotetest`\nVagrantifle. As compared to the stock `Vagrantfile` for local testing the\n`Vagrantfile.remotetest` Vagrantfile does not include a `streisand-host`\nmachine. This remotetest variant is useful to \"smoke test\" an existing\nStreisand server, or to provide end-to-end testing of a cloud provisioner.\n\nUsing Vagrant for Remote Testing (Easy Way)\n--------------------------------------------\n\n1. [Install Vagrant](https://www.vagrantup.com/docs/installation/)\n2. Clone the Streisand repository and enter the directory.\n\n git clone https://github.com/StreisandEffect/streisand.git && cd streisand\n3. Run the `remote_test.sh` helper script and give it the remote server IP\n & gateway password when prompted:\n\n ./tests/remote_test.sh\n\nUsing Vagrant for Remote Testing (Hard Way)\n--------------------------------------------\n1. [Install Vagrant](https://www.vagrantup.com/docs/installation/)\n2. Clone the Streisand repository and enter the directory.\n\n git clone https://github.com/StreisandEffect/streisand.git && cd streisand\n3. Edit `Vagrantfile.remotetest` and replace the `streisand_ip` host variable\n with the IP of the remote server.\n4. Create the `generated-docs/gateway-password.txt` file with the gateway\n password of the Streisand server\n5. If this is your first time following these steps, create & start the\n `streisand-client` virtual machine with:\n\n VAGRANT_VAGRANTFILE=Vagrantfile.remotetest vagrant up\n4. To re-run the Streisand playbooks, the virtual machines can be re-provisioned\n with:\n\n VAGRANT_VAGRANTFILE=Vagrantfile.remotetest vagrant up --provision\n\nMisc Tricks\n==========================\n\n* Uncomment the lines setting the `ansible.verbose` value in the Vagrantfiles to\n increase the verbosity of the Ansible playbook runs.\n* Skip the `./tests/remote_test.sh` prompts using `printf`:\n\n STREISAND_SERVER_IP=XX.XX.XX.XX; STREISAND_PASSWORD='gateway-password-goes-here'; printf \"$STREISAND_SERVER_IP\\n$STREISAND_PASSWORD\\n\" | ./tests/remote_test.sh\n" }, { "path": "global_vars/default-site.yml", "content": "---\n# Site specific Streisand configuration.\n#\n# This file is mutated by the playbooks/customize.yml tasks when a user chooses\n# to customize which Streisand services are installed.\n\n# The SSH private key that Ansible will use to connect to the Streisand node.\n# The associated public key will be used if required when provisioning cloud\n# nodes for the authorized_keys file.\nstreisand_ssh_private_key: \"~/.ssh/id_rsa\"\n\nvpn_clients: 10\n\nstreisand_ad_blocking_enabled: no\nstreisand_openconnect_enabled: yes\nstreisand_openvpn_enabled: yes\nstreisand_shadowsocks_enabled: yes\nstreisand_shadowsocks_v2ray_enabled: no\nstreisand_ssh_forward_enabled: yes\n# By default sshuttle is disabled because it creates a `sshuttle` user that has\n# full shell privileges on the Streisand host\nstreisand_sshuttle_enabled: no\nstreisand_stunnel_enabled: yes\nstreisand_tinyproxy_enabled: yes\nstreisand_tor_enabled: no\nstreisand_wireguard_enabled: yes\nstreisand_cloudflared_enabled: no\n" }, { "path": "global_vars/globals.yml", "content": "---\n\n# If using regular cleartext DNS then dnsmasq will set these upstream DNS servers\nupstream_dns_servers:\n - 1.1.1.1\n - 1.0.0.1\n\n# If using DNS-over-HTTPS with cloudflared then the upstream servers and queries can be set in:\n# playbooks/roles/cloudflared/defaults/main.yml\n\nstreisand_client_test: no\n\nstreisand_site_vars: \"{{ lookup('env','HOME') }}/.streisand/site.yml\"\n" }, { "path": "global_vars/integration/test-site.yml", "content": "---\n# Test site configuration for the end-to-end integration tests.\n\n# Don't ask questions\nstreisand_noninteractive: true\nconfirmation: true\nstreisand_domain_var: \"\"\nstreisand_admin_email_var: \"\"\n\n# Take a few extra steps during server provisioning to make the client tests work\nstreisand_client_test: true\n\n# Only services with corresponding tests are enabled.\nstreisand_ad_blocking_enabled: yes\nstreisand_shadowsocks_enabled: yes\nstreisand_ssh_forward_enabled: yes\nstreisand_openvpn_enabled: yes\nstreisand_wireguard_enabled: yes\nstreisand_openconnect_enabled: yes\nstreisand_tor_enabled: no\nstreisand_stunnel_enabled: yes\nstreisand_tinyproxy_enabled: yes\n# TODO(@cpu): The services below need some manner of integration test written\nstreisand_sshuttle_enabled: no\n" }, { "path": "global_vars/noninteractive/amazon-site.yml", "content": "---\n# Example site specific configuration for a noninteractive AWS deployment.\n#\n# Copy this and edit it as needed before running streisand-new-cloud-server.\n#\n\nstreisand_noninteractive: true\nconfirmation: true\n\n# The SSH private key that Ansible will use to connect to the Streisand node.\n#\n# This will be added to the AWS console and given the name streisand-ssh.\nstreisand_ssh_private_key: \"~/.ssh/id_rsa\"\n\nvpn_clients: 10\n\nstreisand_ad_blocking_enabled: no\nstreisand_openconnect_enabled: yes\nstreisand_openvpn_enabled: yes\nstreisand_shadowsocks_enabled: yes\nstreisand_ssh_forward_enabled: yes\n# By default sshuttle is disabled because it creates a `sshuttle` user that has\n# full shell privileges on the Streisand host\nstreisand_sshuttle_enabled: no\nstreisand_stunnel_enabled: yes\nstreisand_tinyproxy_enabled: yes\nstreisand_tor_enabled: no\nstreisand_wireguard_enabled: yes\n\n# The AWS region number.\n#\n# See ./playbooks/amazon.yml for numbering.\n#\n# Note: aws_region_var must be a number in quotes, e.g. \"3\" not 3.\naws_region_var: \"16\"\n\n# The VPC and subnet IDs to use. They can be empty strings to indicate that a\n# VPC will not be used.\naws_vpc_id_var: \"\"\naws_vpc_subnet_id_var: \"\"\n\naws_instance_name: streisand\n\n# The AWS credentials to use.\naws_access_key: \"\"\naws_secret_key: \"\"\n\n# Definitions needed for Let's Encrypt HTTPS (or TLS) certificate setup.\n#\n# If these are both left as empty strings, Let's Encrypt will not be set up and\n# a self-signed certificate will be used instead.\n#\n# The domain to use for Let's Encrypt certificate.\nstreisand_domain_var: \"\"\n# The admin email address for Let's Encrypt certificate registration.\nstreisand_admin_email_var: \"\"\n" }, { "path": "global_vars/noninteractive/azure-site.yml", "content": "---\n# Example site specific configuration for a noninteractive Azure deployment.\n#\n# Copy this and edit it as needed before running streisand-new-cloud-server.\n#\n# Ensure that you have the azure credentials file set up at ~/.azure/credentials\n#\n\nstreisand_noninteractive: true\nconfirmation: true\n\n# The SSH private key that Ansible will use to connect to the Streisand node.\nstreisand_ssh_private_key: \"~/.ssh/id_rsa\"\n\nvpn_clients: 10\n\nstreisand_ad_blocking_enabled: no\nstreisand_openconnect_enabled: yes\nstreisand_openvpn_enabled: yes\nstreisand_shadowsocks_enabled: yes\nstreisand_ssh_forward_enabled: yes\n# By default sshuttle is disabled because it creates a `sshuttle` user that has\n# full shell privileges on the Streisand host\nstreisand_sshuttle_enabled: no\nstreisand_stunnel_enabled: yes\nstreisand_tinyproxy_enabled: yes\nstreisand_tor_enabled: no\nstreisand_wireguard_enabled: yes\n\n# The region to deploy into.\n#\n# North America:\n# 1: East US (Virginia)\n# 2: East US 2 (Virginia)\n# 3: Central US (Iowa)\n# 4: North Central US (Illinois)\n# 5: South Central US (Texas)\n# 6: West Central US (West Central US)\n# 7: West US (California)\n# 8: West US 2 (West US 2)\n# 9: US Gov Virginia (Virginia)\n# 10: US Gov Iowa (Iowa)\n# 11: US DoD East (US DoD East)\n# 12: US DoD Central (US DoD Central)\n# 13: Canada East (Quebec City)\n# 14: Canada Central (Toronto)\n#\n# South America:\n# 15: Brazil South (Sao Paulo State)\n#\n# Asia:\n# 16: Southeast Asia (Singapore)\n# 17: East Asia (Hong Kong)\n# 18: China East (Shanghai)\n# 19: China North (Beijing)\n# 20: Japan East (Tokyo, Saitama)\n# 21: Japan West (Osaka)\n# 22: Korea Central (Seoul)\n# 23: Korea South (Busan)\n# 24: Central India (Pune)\n# 25: West India (Mumbai)\n# 26: South India (Chennai)\n#\n# Australia:\n# 27: Australia East (New South Wales)\n# 28: Australia Southeast (Victoria)\n#\n# Europe:\n# 29: North Europe (Ireland)\n# 30: West Europe (Netherlands)\n# 31: Germany Central (Frankfurt)\n# 32: Germany Northeast (Magdeburg)\n# 33: UK West (Cardiff)\n# 34: UK South (London)\n#\n# Note: azure_region_var must be a number in quotes, e.g. \"1\" not 1.\nazure_region_var: \"1\"\n\nazure_instance_name_var: streisand\n\n# Definitions needed for Let's Encrypt HTTPS (or TLS) certificate setup.\n#\n# If these are both left as empty strings, Let's Encrypt will not be set up and\n# a self-signed certificate will be used instead.\n#\n# The domain to use for Let's Encrypt certificate.\nstreisand_domain_var: \"\"\n# The admin email address for Let's Encrypt certificate registration.\nstreisand_admin_email_var: \"\"\n" }, { "path": "global_vars/noninteractive/digitalocean-site.yml", "content": "---\n# Example site specific configuration for a noninteractive Digital Ocean\n# deployment.\n#\n# Copy this and edit it as needed before running streisand-new-cloud-server.\n#\n\nstreisand_noninteractive: true\nconfirmation: true\n\n# The SSH private key that Ansible will use to connect to the Streisand node.\n#\n# The corresponding public key must be added to the Digital Ocean control panel\n# and the name given to it referenced below in the do_ssh_name variable.\n# The corresponding public key must be uploaded to Digital Ocean and the name\n# given to it referenced below in the do_ssh_name variable.\nstreisand_ssh_private_key: \"~/.ssh/id_rsa\"\n\nvpn_clients: 10\n\nstreisand_ad_blocking_enabled: no\nstreisand_openconnect_enabled: yes\nstreisand_openvpn_enabled: yes\nstreisand_shadowsocks_enabled: yes\nstreisand_ssh_forward_enabled: yes\n# By default sshuttle is disabled because it creates a `sshuttle` user that has\n# full shell privileges on the Streisand host\nstreisand_sshuttle_enabled: no\nstreisand_stunnel_enabled: yes\nstreisand_tinyproxy_enabled: yes\nstreisand_tor_enabled: no\nstreisand_wireguard_enabled: yes\n\n# The Digital Ocean region number.\n#\n# 1. Amsterdam (Datacenter 2)\n# 2. Amsterdam (Datacenter 3)\n# 3. Bangalore\n# 4. Frankfurt\n# 5. London\n# 6. New York (Datacenter 1)\n# 7. New York (Datacenter 2)\n# 8. New York (Datacenter 3)\n# 9. San Francisco (Datacenter 1)\n# 10. San Francisco (Datacenter 2)\n# 11. Singapore\n# 12. Toronto\n#\n# Note: do_region must be a number in quotes, e.g. \"2\" not 2.\ndo_region: \"2\"\n\ndo_server_name: streisand\n\n# Add the Digital Ocean access token here.\ndo_access_token_entry: \"\"\n\n# The name given to the key in the DigitalOcean control panel.\ndo_ssh_name: streisand\n\n# Definitions needed for Let's Encrypt HTTPS (or TLS) certificate setup.\n#\n# If these are both left as empty strings, Let's Encrypt will not be set up and\n# a self-signed certificate will be used instead.\n#\n# The domain to use for Let's Encrypt certificate.\nstreisand_domain_var: \"\"\n# The admin email address for Let's Encrypt certificate registration.\nstreisand_admin_email_var: \"\"\n" }, { "path": "global_vars/noninteractive/google-site.yml", "content": "---\n# Example site specific configuration for a noninteractive Google Compute Engine\n# deployment.\n#\n# Copy this and edit it as needed before running streisand-new-cloud-server.\n#\n\nstreisand_noninteractive: true\nconfirmation: true\n\n# The SSH private key that Ansible will use to connect to the Streisand node.\nstreisand_ssh_private_key: \"~/.ssh/id_rsa\"\n\nvpn_clients: 10\n\nstreisand_ad_blocking_enabled: no\nstreisand_openconnect_enabled: yes\nstreisand_openvpn_enabled: yes\nstreisand_shadowsocks_enabled: yes\nstreisand_ssh_forward_enabled: yes\n# By default sshuttle is disabled because it creates a `sshuttle` user that has\n# full shell privileges on the Streisand host\nstreisand_sshuttle_enabled: no\nstreisand_stunnel_enabled: yes\nstreisand_tinyproxy_enabled: yes\nstreisand_tor_enabled: no\nstreisand_wireguard_enabled: yes\n\n# Server location:\n#\n# 1. Central US \"us-central1-a\"\n# 2. Central US \"us-central1-b\"\n# 3. Central US \"us-central1-c\"\n# 4. Central US \"us-central1-f\"\n# 5. Eastern US \"us-east4-a\"\n# 6. Eastern US \"us-east4-b\"\n# 7. Eastern US \"us-east4-c\"\n# 8. Eastern US \"us-east1-b\"\n# 9. Eastern US \"us-east1-c\"\n# 10. Eastern US \"us-east1-d\"\n# 11. Western US \"us-west1-a\"\n# 12. Western US \"us-west1-b\"\n# 13. Western US \"us-west1-c\"\n# 14. Western Europe \"europe-west1-b\"\n# 15. Western Europe \"europe-west1-c\"\n# 16. Western Europe \"europe-west1-d\"\n# 17. Western Europe \"europe-west2-a\"\n# 18. Western Europe \"europe-west2-b\"\n# 19. Western Europe \"europe-west2-c\"\n# 20. Western Europe \"europe-west3-a\"\n# 21. Western Europe \"europe-west3-b\"\n# 22. Western Europe \"europe-west3-c\"\n# 23. Western Europe \"europe-west4-a\"\n# 24. Western Europe \"europe-west4-b\"\n# 25. Western Europe \"europe-west4-c\"\n# 26. East Asia \"asia-east1-a\"\n# 27. East Asia \"asia-east1-b\"\n# 28. East Asia \"asia-east1-c\"\n# 29. Northeast Asia \"asia-northeast1-a\"\n# 30. Northeast Asia \"asia-northeast1-b\"\n# 31. Northeast Asia \"asia-northeast1-c\"\n# 32. South Asia \"asia-south1-a\"\n# 33. South Asia \"asia-south1-b\"\n# 34. South Asia \"asia-south1-c\"\n# 35. Southeast Asia \"asia-southeast1-a\"\n# 36. Southeast Asia \"asia-southeast1-b\"\n# 37. Southeast Australia \"australia-southeast1-a\"\n# 38. Southeast Australia \"australia-southeast1-b\"\n# 39. Southeast Australia \"australia-southeast1-c\"\n#\n\n# Named zones are more robust if you use non-interactive deployments. You can still use\n# the numbered index, however the number can change, whereas the name will stay the same.\n# Keep the idx variable non-empty if you use named zones.\n\ngce_zone_idx: \"do not remove this var if you have defined gce_zone\"\ngce_zone: us-central1-c\n\ngce_server_name: streisand\n\n# The full path of your unique service account credentials file. See:\n# https://docs.ansible.com/ansible/guide_gce.html#credentials\n# https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts\ngce_json_file_location: \"\"\n\n# Definitions needed for Let's Encrypt HTTPS (or TLS) certificate setup.\n#\n# If these are both left as empty strings, Let's Encrypt will not be set up and\n# a self-signed certificate will be used instead.\n#\n# The domain to use for Let's Encrypt certificate.\nstreisand_domain_var: \"\"\n# The admin email address for Let's Encrypt certificate registration.\nstreisand_admin_email_var: \"\"\n" }, { "path": "global_vars/noninteractive/linode-site.yml", "content": "---\n# Example site specific configuration for a noninteractive Linode deployment.\n#\n# Copy this and edit it as needed before running streisand-new-cloud-server.\n#\n\nstreisand_noninteractive: true\nconfirmation: true\n\n# The SSH private key that Ansible will use to connect to the Streisand node.\nstreisand_ssh_private_key: \"~/.ssh/id_rsa\"\n\nvpn_clients: 10\n\nstreisand_ad_blocking_enabled: no\nstreisand_openconnect_enabled: yes\nstreisand_openvpn_enabled: yes\nstreisand_shadowsocks_enabled: yes\nstreisand_ssh_forward_enabled: yes\n# By default sshuttle is disabled because it creates a `sshuttle` user that has\n# full shell privileges on the Streisand host\nstreisand_sshuttle_enabled: no\nstreisand_stunnel_enabled: yes\nstreisand_tinyproxy_enabled: yes\nstreisand_tor_enabled: no\nstreisand_wireguard_enabled: yes\n\n# Choose the server location.\n# 1. Atlanta\n# 2. Dallas\n# 3. Frankfurt\n# 4. Fremont\n# 5. London\n# 6. Newark\n# 7. Singapore\n# 8. Tokyo\n# 9. Tokyo 2\n#\n# Note: linode_datacenter must be a number in quotes, e.g. \"7\" not 7.\nlinode_datacenter: \"7\"\n\nlinode_server_name: streisand\n\n# Obtain the API key from the Linode Manager console.\nlinode_api_key: \"\"\n\n# Definitions needed for Let's Encrypt HTTPS (or TLS) certificate setup.\n#\n# If these are both left as empty strings, Let's Encrypt will not be set up and\n# a self-signed certificate will be used instead.\n#\n# The domain to use for Let's Encrypt certificate.\nstreisand_domain_var: \"\"\n# The admin email address for Let's Encrypt certificate registration.\nstreisand_admin_email_var: \"\"\n" }, { "path": "global_vars/noninteractive/local-site.yml", "content": "---\n# Example site specific configuration for a noninteractive local machine\n# deployment.\n#\n# Copy this and edit it as needed before running streisand-local.\n#\n\nstreisand_noninteractive: true\nconfirmation: true\n\n# Change this to the location of a key on the local system.\nstreisand_ssh_private_key: \"~/.ssh/id_rsa\"\n\nvpn_clients: 10\n\nstreisand_ad_blocking_enabled: no\nstreisand_openconnect_enabled: yes\nstreisand_openvpn_enabled: yes\nstreisand_shadowsocks_enabled: yes\nstreisand_ssh_forward_enabled: yes\n# By default sshuttle is disabled because it creates a `sshuttle` user that has\n# full shell privileges on the Streisand host\nstreisand_sshuttle_enabled: no\nstreisand_stunnel_enabled: yes\nstreisand_tinyproxy_enabled: yes\nstreisand_tor_enabled: no\nstreisand_wireguard_enabled: yes\n\n# Definitions needed for Let's Encrypt HTTPS (or TLS) certificate setup.\n#\n# If these are both left as empty strings, Let's Encrypt will not be set up and\n# a self-signed certificate will be used instead.\n#\n# The domain to use for Let's Encrypt certificate.\nstreisand_domain_var: \"\"\n# The admin email address for Let's Encrypt certificate registration.\nstreisand_admin_email_var: \"\"\n" }, { "path": "global_vars/noninteractive/rackspace-site.yml", "content": "---\n# Example site specific configuration for a noninteractive Rackspace deployment.\n#\n# Copy this and edit it as needed before running streisand-new-cloud-server.\n#\n\nstreisand_noninteractive: true\nconfirmation: true\n\n# The SSH private key that Ansible will use to connect to the Streisand node.\nstreisand_ssh_private_key: \"~/.ssh/id_rsa\"\n\nvpn_clients: 10\n\nstreisand_ad_blocking_enabled: no\nstreisand_openconnect_enabled: yes\nstreisand_openvpn_enabled: yes\nstreisand_shadowsocks_enabled: yes\nstreisand_ssh_forward_enabled: yes\n# By default sshuttle is disabled because it creates a `sshuttle` user that has\n# full shell privileges on the Streisand host\nstreisand_sshuttle_enabled: no\nstreisand_stunnel_enabled: yes\nstreisand_tinyproxy_enabled: yes\nstreisand_tor_enabled: no\nstreisand_wireguard_enabled: yes\n\n# Choose the region to deploy into.\n#\n# 1. Chicago\n# 2. Dallas\n# 3. Hong Kong\n# 4. Northern Virginia\n# 5. Sydney\n#\n# Note: rackspace_region must be a number in quotes, e.g. \"1\" not 1.\nrackspace_region: \"1\"\n\nrackspace_server_name: streisand\n\n# Obtain these credentials from the Rackspace Cloud Control Panel.\nrackspace_username: \"\"\nrackspace_api_key: \"\"\n\n# Definitions needed for Let's Encrypt HTTPS (or TLS) certificate setup.\n#\n# If these are both left as empty strings, Let's Encrypt will not be set up and\n# a self-signed certificate will be used instead.\n#\n# The domain to use for Let's Encrypt certificate.\nstreisand_domain_var: \"\"\n# The admin email address for Let's Encrypt certificate registration.\nstreisand_admin_email_var: \"\"\n" }, { "path": "inventories/inventory", "content": "[localhost]\nlocalhost ansible_connection=local ansible_python_interpreter=python3\n\n# Uncomment the following lines and update the IP address if you would\n# like to use Streisand to configure a server that is already running\n# (e.g. a server at a provider not natively supported by Streisand).\n#\n# Multiple servers can be configured simultaneously if multiple IP\n# addresses are defined.\n#\n# If you already have SSH fingerprints for the hosts you are configuring\n# (e.g. using `ssh-keyscan`) then you should also comment out the\n# 'host_key_checking = False' line in the ansible.cfg file. That setting\n# is only sensible and convenient when connecting to a brand-new host.\n#\n# [streisand-host]\n# 255.255.255.255\n#\n# If the SSH user to be used to login is not \"root\", specify it here with\n# the ansible_user directive. Streisand will sudo automatically. If sudo\n# requires a password, use the --ask-become-pass command line option.\n#\n# [streisand-host]\n# 255.255.255.255 ansible_user=ubuntu\n" }, { "path": "inventories/inventory-local-provision", "content": "# inventory-local-provision is a pre-built inventory file useful for doing an\n# advanced local install of Streisand where the server running Ansible is the\n# server that will be configured.\n\n# Settings for the provisioning process\n[localhost]\n\n# This must specify the Python interpreter when provisioning, because\n# \"python\" may be in, for example, a virtualenv without python-apt.\nlocalhost ansible_connection=local ansible_python_interpreter=/usr/bin/python\n\n# Settings for the Streisand host that will be provisioned\n[streisand-host]\n# If you need to override the name of the server (e.g. because the system\n# hostname is not the desired server name for documentation/etc) then add a host\n# var named \"streisand_server_name\" with the desired value.\nlocalhost ansible_connection=local streisand_noninteractive=true\n" }, { "path": "library/digital_ocean_droplet.py", "content": "#!/usr/bin/python\n# -*- coding: utf-8 -*-\n#\n# Copyright: Ansible Project\n# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)\n\n# Origin: @jackivanov's PR#61643 for ansible:\n# https://github.com/ansible/ansible/blob/b8b416d30282d6aef4b3ffb7fcb01a0dd2da9f59/lib/ansible/modules/cloud/digital_ocean/digital_ocean_droplet.py\n\n# This will be removed on fix to upstream\n\nfrom __future__ import absolute_import, division, print_function\n__metaclass__ = type\n\nANSIBLE_METADATA = {'metadata_version': '1.1',\n 'status': ['preview'],\n 'supported_by': 'community'}\n\n\nDOCUMENTATION = '''\n---\nmodule: digital_ocean_droplet\nshort_description: Create and delete a DigitalOcean droplet\ndescription:\n - Create and delete a droplet in DigitalOcean and optionally wait for it to be active.\nversion_added: \"2.8\"\nauthor: \"Gurchet Rai (@gurch101)\"\noptions:\n state:\n description:\n - Indicate desired state of the target.\n default: present\n choices: ['present', 'absent']\n id:\n description:\n - Numeric, the droplet id you want to operate on.\n aliases: ['droplet_id']\n name:\n description:\n - String, this is the name of the droplet - must be formatted by hostname rules.\n unique_name:\n description:\n - require unique hostnames. By default, DigitalOcean allows multiple hosts with the same name. Setting this to \"yes\" allows only one host\n per name. Useful for idempotence.\n default: False\n type: bool\n size:\n description:\n - This is the slug of the size you would like the droplet created with.\n aliases: ['size_id']\n image:\n description:\n - This is the slug of the image you would like the droplet created with.\n aliases: ['image_id']\n region:\n description:\n - This is the slug of the region you would like your server to be created in.\n aliases: ['region_id']\n ssh_keys:\n description:\n - array of SSH key (numeric) ID that you would like to be added to the server.\n required: False\n private_networking:\n description:\n - add an additional, private network interface to droplet for inter-droplet communication.\n default: False\n type: bool\n user_data:\n description:\n - opaque blob of data which is made available to the droplet\n required: False\n ipv6:\n description:\n - enable IPv6 for your droplet.\n required: False\n default: False\n type: bool\n wait:\n description:\n - Wait for the droplet to be active before returning. If wait is \"no\" an ip_address may not be returned.\n required: False\n default: True\n type: bool\n wait_timeout:\n description:\n - How long before wait gives up, in seconds, when creating a droplet.\n default: 120\n backups:\n description:\n - indicates whether automated backups should be enabled.\n required: False\n default: False\n type: bool\n monitoring:\n description:\n - indicates whether to install the DigitalOcean agent for monitoring.\n required: False\n default: False\n type: bool\n tags:\n description:\n - List, A list of tag names as strings to apply to the Droplet after it is created. Tag names can either be existing or new tags.\n required: False\n volumes:\n description:\n - List, A list including the unique string identifier for each Block Storage volume to be attached to the Droplet.\n required: False\n oauth_token:\n description:\n - DigitalOcean OAuth token. Can be specified in C(DO_API_KEY), C(DO_API_TOKEN), or C(DO_OAUTH_TOKEN) environment variables\n aliases: ['API_TOKEN']\n required: True\nrequirements:\n - \"python >= 2.6\"\n'''\n\n\nEXAMPLES = '''\n- name: create a new droplet\n digital_ocean_droplet:\n state: present\n name: mydroplet\n oauth_token: XXX\n size: 2gb\n region: sfo1\n image: ubuntu-16-04-x64\n wait_timeout: 500\n register: my_droplet\n\n- debug:\n msg: \"ID is {{ my_droplet.data.droplet.id }}, IP is {{ my_droplet.data.ip_address }}\"\n\n- name: ensure a droplet is present\n digital_ocean_droplet:\n state: present\n id: 123\n name: mydroplet\n oauth_token: XXX\n size: 2gb\n region: sfo1\n image: ubuntu-16-04-x64\n wait_timeout: 500\n'''\n\n\nRETURN = '''\n# Digital Ocean API info https://developers.digitalocean.com/documentation/v2/#droplets\ndata:\n description: a DigitalOcean Droplet\n returned: changed\n type: dict\n sample: {\n \"ip_address\": \"104.248.118.172\",\n \"ipv6_address\": \"2604:a880:400:d1::90a:6001\",\n \"private_ipv4_address\": \"10.136.122.141\",\n \"droplet\": {\n \"id\": 3164494,\n \"name\": \"example.com\",\n \"memory\": 512,\n \"vcpus\": 1,\n \"disk\": 20,\n \"locked\": true,\n \"status\": \"new\",\n \"kernel\": {\n \"id\": 2233,\n \"name\": \"Ubuntu 14.04 x64 vmlinuz-3.13.0-37-generic\",\n \"version\": \"3.13.0-37-generic\"\n },\n \"created_at\": \"2014-11-14T16:36:31Z\",\n \"features\": [\"virtio\"],\n \"backup_ids\": [],\n \"snapshot_ids\": [],\n \"image\": {},\n \"volume_ids\": [],\n \"size\": {},\n \"size_slug\": \"512mb\",\n \"networks\": {},\n \"region\": {},\n \"tags\": [\"web\"]\n }\n }\n'''\n\nimport time\nimport json\nfrom ansible.module_utils.basic import AnsibleModule, env_fallback\nfrom ansible.module_utils.digital_ocean import DigitalOceanHelper\n\n\nclass DODroplet(object):\n def __init__(self, module):\n self.rest = DigitalOceanHelper(module)\n self.module = module\n self.wait = self.module.params.pop('wait', True)\n self.wait_timeout = self.module.params.pop('wait_timeout', 120)\n self.unique_name = self.module.params.pop('unique_name', False)\n # pop the oauth token so we don't include it in the POST data\n self.module.params.pop('oauth_token')\n\n def get_by_id(self, droplet_id):\n if not droplet_id:\n return None\n response = self.rest.get('droplets/{0}'.format(droplet_id))\n json_data = response.json\n if response.status_code == 200:\n return json_data\n return None\n\n def get_by_name(self, droplet_name):\n if not droplet_name:\n return None\n page = 1\n while page is not None:\n response = self.rest.get('droplets?page={0}'.format(page))\n json_data = response.json\n if response.status_code == 200:\n for droplet in json_data['droplets']:\n if droplet['name'] == droplet_name:\n return {'droplet': droplet}\n if 'links' in json_data and 'pages' in json_data['links'] and 'next' in json_data['links']['pages']:\n page += 1\n else:\n page = None\n return None\n\n def get_addresses(self, data):\n \"\"\"\n Expose IP addresses as their own property allowing users extend to additional tasks\n \"\"\"\n _data = data\n for k, v in data.items():\n setattr(self, k, v)\n networks = _data['droplet']['networks']\n for network in networks.get('v4', []):\n if network['type'] == 'public':\n _data['ip_address'] = network['ip_address']\n else:\n _data['private_ipv4_address'] = network['ip_address']\n for network in networks.get('v6', []):\n if network['type'] == 'public':\n _data['ipv6_address'] = network['ip_address']\n else:\n _data['private_ipv6_address'] = network['ip_address']\n return _data\n\n def get_droplet(self):\n json_data = self.get_by_id(self.module.params['id'])\n if not json_data and self.unique_name:\n json_data = self.get_by_name(self.module.params['name'])\n return json_data\n\n def create(self):\n json_data = self.get_droplet()\n droplet_data = None\n if json_data:\n droplet_data = self.get_addresses(json_data)\n self.module.exit_json(changed=False, data=droplet_data)\n if self.module.check_mode:\n self.module.exit_json(changed=True)\n data = self.module.params\n try:\n del data['id']\n except KeyError:\n pass\n response = self.rest.post('droplets', data=data)\n json_data = response.json\n if response.status_code >= 400:\n self.module.fail_json(changed=False, msg=json_data['message'])\n if self.wait:\n json_data = self.ensure_power_on(json_data['droplet']['id'])\n droplet_data = self.get_addresses(json_data)\n self.module.exit_json(changed=True, data=droplet_data)\n\n def delete(self):\n json_data = self.get_droplet()\n if json_data:\n if self.module.check_mode:\n self.module.exit_json(changed=True)\n response = self.rest.delete('droplets/{0}'.format(json_data['droplet']['id']))\n json_data = response.json\n if response.status_code == 204:\n self.module.exit_json(changed=True, msg='Droplet deleted')\n self.module.fail_json(changed=False, msg='Failed to delete droplet')\n else:\n self.module.exit_json(changed=False, msg='Droplet not found')\n\n def ensure_power_on(self, droplet_id):\n end_time = time.time() + self.wait_timeout\n while time.time() < end_time:\n response = self.rest.get('droplets/{0}'.format(droplet_id))\n json_data = response.json\n if json_data['droplet']['status'] == 'active':\n return json_data\n time.sleep(min(2, end_time - time.time()))\n self.module.fail_json(msg='Wait for droplet powering on timeout')\n\n\ndef core(module):\n state = module.params.pop('state')\n droplet = DODroplet(module)\n if state == 'present':\n droplet.create()\n elif state == 'absent':\n droplet.delete()\n\n\ndef main():\n module = AnsibleModule(\n argument_spec=dict(\n state=dict(choices=['present', 'absent'], default='present'),\n oauth_token=dict(\n aliases=['API_TOKEN'],\n no_log=True,\n fallback=(env_fallback, ['DO_API_TOKEN', 'DO_API_KEY', 'DO_OAUTH_TOKEN'])\n ),\n name=dict(type='str'),\n size=dict(aliases=['size_id']),\n image=dict(aliases=['image_id']),\n region=dict(aliases=['region_id']),\n ssh_keys=dict(type='list'),\n private_networking=dict(type='bool', default=False),\n backups=dict(type='bool', default=False),\n monitoring=dict(type='bool', default=False),\n id=dict(aliases=['droplet_id'], type='int'),\n user_data=dict(default=None),\n ipv6=dict(type='bool', default=False),\n volumes=dict(type='list'),\n tags=dict(type='list'),\n wait=dict(type='bool', default=True),\n wait_timeout=dict(default=120, type='int'),\n unique_name=dict(type='bool', default=False),\n ),\n required_one_of=(\n ['id', 'name'],\n ),\n required_if=([\n ('state', 'present', ['name', 'size', 'image', 'region']),\n ]),\n supports_check_mode=True,\n )\n\n core(module)\n\n\nif __name__ == '__main__':\n main()\n" }, { "path": "playbooks/amazon.yml", "content": "---\n- name: Provision the EC2 Server\n# ==============================\n hosts: localhost\n connection: local\n gather_facts: yes\n\n vars:\n # The region dict is generated from ./util/print-aws-regions.py\n regions:\n \"1\": \"ap-east-1\"\n \"2\": \"ap-northeast-1\"\n \"3\": \"ap-northeast-2\"\n \"4\": \"ap-northeast-3\"\n \"5\": \"ap-south-1\"\n \"6\": \"ap-southeast-1\"\n \"7\": \"ap-southeast-2\"\n \"8\": \"ca-central-1\"\n \"9\": \"eu-central-1\"\n \"10\": \"eu-north-1\"\n \"11\": \"eu-west-1\"\n \"12\": \"eu-west-2\"\n \"13\": \"eu-west-3\"\n \"14\": \"sa-east-1\"\n \"15\": \"us-east-1\"\n \"16\": \"us-east-2\"\n \"17\": \"us-west-1\"\n \"18\": \"us-west-2\"\n\n # These variable files are included so the ec2-security-group role\n # knows which ports to open\n vars_files:\n - roles/openconnect/defaults/main.yml\n - roles/openvpn/defaults/main.yml\n - roles/shadowsocks/defaults/main.yml\n - roles/ssh/defaults/main.yml\n - roles/lets-encrypt/vars/main.yml\n - roles/streisand-gateway/defaults/main.yml\n - roles/stunnel/defaults/main.yml\n - roles/tor-bridge/defaults/main.yml\n - roles/wireguard/defaults/main.yml\n\n vars_prompt:\n # The region prompt is generated from ./util/print-aws-regions.py\n # Don't forget to update the default if it changes.\n - name: \"aws_region_var\"\n prompt: |\n In what region should the server be located?\n 1. ap-east-1 Asia Pacific (Hong Kong)\n 2. ap-northeast-1 Asia Pacific (Tokyo)\n 3. ap-northeast-2 Asia Pacific (Seoul)\n 4. ap-northeast-3 Asia Pacific (Osaka-Local)\n 5. ap-south-1 Asia Pacific (Mumbai)\n 6. ap-southeast-1 Asia Pacific (Singapore)\n 7. ap-southeast-2 Asia Pacific (Sydney)\n 8. ca-central-1 Canada (Central)\n 9. eu-central-1 EU (Frankfurt)\n 10. eu-north-1 EU (Stockholm)\n 11. eu-west-1 EU (Ireland)\n 12. eu-west-2 EU (London)\n 13. eu-west-3 EU (Paris)\n 14. sa-east-1 South America (São Paulo)\n 15. us-east-1 US East (N. Virginia)\n 16. us-east-2 US East (Ohio)\n 17. us-west-1 US West (N. California)\n 18. us-west-2 US West (Oregon)\n Please choose the number of your region. Press enter for default (#16) region.\n default: \"16\"\n private: no\n\n - name: \"aws_vpc_id_var\"\n prompt: |\n\n In which VPC would you like to create the server and security group\n (e.g. vpc-89d740ee)?\n\n Press enter to use the default VPC.\n private: no\n\n - name: \"aws_vpc_subnet_id_var\"\n prompt: |\n\n From which subnet should the server receive an address (e.g. subnet-78d9a232)?\n\n Press enter to use the default subnet.\n private: no\n\n - name: \"aws_instance_name\"\n prompt: \"\\nWhat should the server be named? Press enter for default (streisand).\\n\"\n default: \"streisand\"\n private: no\n\n - name: \"aws_access_key\"\n prompt: \"\\n\\nThe following information can be found in the IAM Management Console.\\nhttps://console.aws.amazon.com/iam/home?#security_credential\\n\\nWhat is your AWS Access Key ID?\\n\"\n private: no\n\n - name: \"aws_secret_key\"\n prompt: \"\\nWhat is your AWS Secret Access Key?\\n\"\n private: no\n\n - name: \"confirmation\"\n prompt: \"\\nStreisand will now set up your server. This process usually takes around ten minutes. Press Enter to begin setup...\\n\"\n\n pre_tasks:\n - name: Set the AWS Region fact\n set_fact:\n aws_region: \"{{ regions[aws_region_var] }}\"\n\n - name: Set the AWS VPC ID fact\n set_fact:\n aws_vpc_id: \"{{ aws_vpc_id_var }}\"\n when: aws_vpc_id_var != \"\"\n\n - name: Set the AWS VPC Subnet ID fact\n set_fact:\n aws_vpc_subnet_id: \"{{ aws_vpc_subnet_id_var }}\"\n when: aws_vpc_subnet_id_var != \"\"\n\n roles:\n - genesis-amazon\n\n- import_playbook: ssh-setup.yml\n- import_playbook: cloud-status.yml\n- import_playbook: python.yml\n- import_playbook: ec2-metadata-instance.yml\n- import_playbook: streisand.yml\n...\n" }, { "path": "playbooks/azure.yml", "content": "---\n- name: Provision the Azure Server (Resource Manager mode)\n# ========================================================\n hosts: localhost\n connection: local\n gather_facts: yes\n\n vars:\n regions:\n \"1\": \"eastus\"\n \"2\": \"eastus2\"\n \"3\": \"centralus\"\n \"4\": \"northcentralus\"\n \"5\": \"southcentralus\"\n \"6\": \"westcentralus\"\n \"7\": \"westus\"\n \"8\": \"westus2\"\n \"9\": \"usgovvirginia\"\n \"10\": \"usgoviowa\"\n \"11\": \"usdodeast\"\n \"12\": \"usdodcentral\"\n \"13\": \"canadaeast\"\n \"14\": \"canadacentral\"\n \"15\": \"brazilsouth\"\n \"16\": \"southeastasia\"\n \"17\": \"eastasia\"\n \"18\": \"chinaeast\"\n \"19\": \"chinanorth\"\n \"20\": \"japaneast\"\n \"21\": \"japanwest\"\n \"22\": \"koreacentral\"\n \"23\": \"koreasouth\"\n \"24\": \"centralindia\"\n \"25\": \"westindia\"\n \"26\": \"southindia\"\n \"27\": \"australiaeast\"\n \"28\": \"australiasoutheast\"\n \"29\": \"australiacentral\"\n \"30\": \"australiacentral2\"\n \"31\": \"northeurope\"\n \"32\": \"westeurope\"\n \"33\": \"germanycentral\"\n \"34\": \"germanynortheast\"\n \"35\": \"ukwest\"\n \"36\": \"uksouth\"\n \"37\": \"francecentral\"\n \"38\": \"francesouth\"\n\n # These variable files are included so the azure-security-group role\n # knows which ports to open\n vars_files:\n - roles/openconnect/defaults/main.yml\n - roles/openvpn/defaults/main.yml\n - roles/shadowsocks/defaults/main.yml\n - roles/ssh/defaults/main.yml\n - roles/lets-encrypt/vars/main.yml\n - roles/streisand-gateway/defaults/main.yml\n - roles/stunnel/defaults/main.yml\n - roles/tor-bridge/defaults/main.yml\n - roles/wireguard/defaults/main.yml\n\n vars_prompt:\n - name: \"azure_region_var\"\n prompt: >\n What region should the server be located in?\n\n North America:\n 1: East US (Virginia)\n 2: East US 2 (Virginia)\n 3: Central US (Iowa)\n 4: North Central US (Illinois)\n 5: South Central US (Texas)\n 6: West Central US (West Central US)\n 7: West US (California)\n 8: West US 2 (West US 2)\n 9: US Gov Virginia (Virginia)\n 10: US Gov Iowa (Iowa)\n 11: US DoD East (US DoD East)\n 12: US DoD Central (US DoD Central)\n 13: Canada East (Quebec City)\n 14: Canada Central (Toronto)\n\n South America:\n 15: Brazil South (Sao Paulo State)\n\n Asia:\n 16: Southeast Asia (Singapore)\n 17: East Asia (Hong Kong)\n 18: China East (Shanghai)\n 19: China North (Beijing)\n 20: Japan East (Tokyo, Saitama)\n 21: Japan West (Osaka)\n 22: Korea Central (Seoul)\n 23: Korea South (Busan)\n 24: Central India (Pune)\n 25: West India (Mumbai)\n 26: South India (Chennai)\n\n Australia:\n 27: Australia East (New South Wales)\n 28: Australia Southeast (Victoria)\n 29: Austrailia Central (Canberra)\n 30: Austrailia Central 2 (Canberra)\n\n Europe:\n 31: North Europe (Ireland)\n 32: West Europe (Netherlands)\n 33: Germany Central (Frankfurt)\n 34: Germany Northeast (Magdeburg)\n 35: UK West (Cardiff)\n 36: UK South (London)\n 37: France Central (Paris)\n 38: France South (Marseille)\n\n Please choose the number of your region: Press enter for default (#1) region.\n default: \"1\"\n private: no\n\n - name: \"azure_instance_name_var\"\n prompt: \"\\nWhat should the server be named? Press enter for default (streisand).\\n\"\n default: \"streisand\"\n private: no\n\n - name: \"confirmation_credentials\"\n prompt: \"\\nEnsure that you have the azure credentials file: ~/.azure/credentials \\nDetails on generating this can be found at https://github.com/StreisandEffect/streisand/blob/master/documentation/AZURE.md\"\n\n - name: \"confirmation\"\n prompt: \"\\nStreisand will now set up your server: This process usually takes around ten minutes: Press Enter to begin setup...\\n\"\n\n pre_tasks:\n - name: Set the Azure Region fact\n set_fact:\n azure_region: \"{{ regions[azure_region_var] }}\"\n\n - name: Set the Azure Instance Name fact\n set_fact:\n azure_instance_name: \"{{ azure_instance_name_var | regex_replace('\\\\s', '_') }}\"\n\n roles:\n - genesis-azure\n\n- import_playbook: ssh-setup.yml\n- import_playbook: cloud-status.yml\n- import_playbook: streisand.yml\n...\n" }, { "path": "playbooks/cloud-status.yml", "content": "---\n- name: Checking instance status\n# =========================================\n hosts: streisand-host\n gather_facts: no\n\n remote_user: \"root\"\n become: true\n\n tasks:\n - name: Wait for cloud-init to complete\n raw: bash -c \"for i in {1..30}; do if [ -f /var/lib/cloud/instance/boot-finished ]; then exit 0; fi; sleep 1; done; exit 1;\"\n register: result\n changed_when: False\n failed_when: result.rc != 0\n...\n" }, { "path": "playbooks/customize.yml", "content": "---\n- name: Customize enabled Streisand services\n hosts: localhost\n gather_facts: no\n\n vars_prompt:\n - name: streisand_ssh_private_key\n prompt: \"Enter the path to your SSH private key, or press enter for default \"\n default: \"~/.ssh/id_rsa\"\n private: no\n - name: vpn_clients\n prompt: \"How many VPN client profiles should be generated per-service (min: 1 max: 20)? Press enter for default \"\n default: 10\n private: no\n - name: streisand_ad_blocking_enabled\n prompt: \"Enable DNS-based ad-blocking? Press enter for default \"\n default: \"no\"\n private: no\n - name: streisand_openconnect_enabled\n prompt: \"Enable OpenConnect? Press enter for default \"\n default: \"yes\"\n private: no\n - name: streisand_openvpn_enabled\n prompt: \"Enable OpenVPN? Press enter for default \"\n default: \"yes\"\n private: no\n - name: streisand_stunnel_enabled\n prompt: \"Enable stunnel service (only allowed for OpenVPN)? Press enter for default \"\n default: \"yes\"\n private: no\n - name: streisand_shadowsocks_enabled\n prompt: \"Enable Shadowsocks? Press enter for default \"\n default: \"yes\"\n private: no\n - name: streisand_shadowsocks_v2ray_enabled\n prompt: \"Enable v2ray-plugin for Shadowsocks? Press enter for default \"\n default: \"no\"\n private: no\n - name: streisand_ssh_forward_enabled\n prompt: \"Enable SSH Forward User? (Note: A SOCKS proxy only user will be added, no shell). Press enter for default \"\n default: \"yes\"\n private: no\n - name: streisand_sshuttle_enabled\n prompt: \"Enable sshuttle? (Note: A full shell access user will be added) Press enter for default \"\n default: \"no\"\n private: no\n - name: streisand_tinyproxy_enabled\n prompt: \"Enable tinyproxy? Press enter for default \"\n default: \"yes\"\n private: no\n - name: streisand_tor_enabled\n prompt: \"Enable Tor? Press enter for default \"\n default: \"no\"\n private: no\n - name: streisand_wireguard_enabled\n prompt: \"Enable WireGuard? Press enter for default \"\n default: \"yes\"\n private: no\n - name: streisand_cloudflared_enabled\n prompt: \"[BROKEN ON SOME PROVIDERS, including AWS] Enable DNS-over-HTTPS (cloudflared)? Press enter for default \"\n default: \"no\"\n private: no\n\n tasks:\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^streisand_ssh_private_key: .*$\"\n line: \"streisand_ssh_private_key: {{ streisand_ssh_private_key }}\"\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^vpn_clients: [\\\\d]+$\"\n line: \"vpn_clients: {{ vpn_clients }}\"\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^streisand_ad_blocking_enabled: (?:yes|no|True|False)$\"\n line: \"streisand_ad_blocking_enabled: {{ streisand_ad_blocking_enabled|bool }}\"\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^streisand_openconnect_enabled: (?:yes|no|True|False)$\"\n line: \"streisand_openconnect_enabled: {{ streisand_openconnect_enabled|bool }}\"\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^streisand_openvpn_enabled: (?:yes|no|True|False)$\"\n line: \"streisand_openvpn_enabled: {{ streisand_openvpn_enabled|bool }}\"\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^streisand_shadowsocks_enabled: (?:yes|no|True|False)$\"\n line: \"streisand_shadowsocks_enabled: {{ streisand_shadowsocks_enabled|bool }}\"\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^streisand_shadowsocks_v2ray_enabled: (?:yes|no|True|False)$\"\n line: \"streisand_shadowsocks_v2ray_enabled: {{ streisand_shadowsocks_v2ray_enabled|bool }}\"\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^streisand_ssh_forward_enabled: (?:yes|no|True|False)$\"\n line: \"streisand_ssh_forward_enabled: {{ streisand_ssh_forward_enabled|bool }}\"\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^streisand_sshuttle_enabled: (?:yes|no|True|False)$\"\n line: \"streisand_sshuttle_enabled: {{ streisand_sshuttle_enabled|bool }}\"\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^streisand_stunnel_enabled: (?:yes|no|True|False)$\"\n line: \"streisand_stunnel_enabled: {{ streisand_stunnel_enabled|bool }}\"\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^streisand_tinyproxy_enabled: (?:yes|no|True|False)$\"\n line: \"streisand_tinyproxy_enabled: {{ streisand_tinyproxy_enabled|bool }}\"\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^streisand_tor_enabled: (?:yes|no|True|False)$\"\n line: \"streisand_tor_enabled: {{ streisand_tor_enabled|bool }}\"\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^streisand_wireguard_enabled: (?:yes|no|True|False)$\"\n line: \"streisand_wireguard_enabled: {{ streisand_wireguard_enabled|bool }}\"\n - lineinfile:\n path: \"{{ streisand_site_vars }}\"\n regexp: \"^streisand_cloudflared_enabled: (?:yes|no|True|False)$\"\n line: \"streisand_cloudflared_enabled: {{ streisand_cloudflared_enabled|bool }}\"\n" }, { "path": "playbooks/digitalocean.yml", "content": "---\n- name: Provision the DigitalOcean Server\n# =======================================\n hosts: localhost\n connection: local\n gather_facts: yes\n\n vars:\n regions:\n \"1\": \"ams2\"\n \"2\": \"ams3\"\n \"3\": \"blr1\"\n \"4\": \"fra1\"\n \"5\": \"lon1\"\n \"6\": \"nyc1\"\n \"7\": \"nyc2\"\n \"8\": \"nyc3\"\n \"9\": \"sfo1\"\n \"10\": \"sfo2\"\n \"11\": \"sgp1\"\n \"12\": \"tor1\"\n\n vars_prompt:\n - name: \"do_region\"\n prompt: >\n What region should the server be located in?\n 1. Amsterdam (Datacenter 2)\n 2. Amsterdam (Datacenter 3)\n 3. Bangalore\n 4. Frankfurt\n 5. London\n 6. New York (Datacenter 1)\n 7. New York (Datacenter 2)\n 8. New York (Datacenter 3)\n 9. San Francisco (Datacenter 1)\n 10. San Francisco (Datacenter 2)\n 11. Singapore\n 12. Toronto\n Please choose the number of your region. Press enter for default (#2) region.\n default: \"2\"\n private: no\n\n - name: \"do_server_name\"\n prompt: \"\\nWhat should the server be named? Press enter for default (streisand).\\n\"\n default: \"streisand\"\n private: no\n\n - name: \"do_access_token_entry\"\n prompt: |\n\n Personal Access Tokens allow Streisand to create a droplet for you.\n New Personal Access Tokens can be generated in the DigitalOcean control panel.\n To generate a new token please do the following:\n * Go to https://cloud.digitalocean.com/settings/applications\n * Click 'Generate New Token'\n * Give the token a name (it is arbitrary)\n * Be sure to select the 'Write' scope as well (this is not optional)\n * Click 'Generate Token'\n * Copy the long string that is generated and paste it below.\n If this field is left blank, the environment variable DO_API_KEY will be used.\n\n What is your DigitalOcean Personal Access Token?\n private: no\n\n - name: \"do_ssh_name\"\n prompt: \"\\n\\nThe following information can be found on your DigitalOcean control panel.\\nhttps://cloud.digitalocean.com/settings/security\\n\\nWhat is the name of the DigitalOcean SSH key that you would like to use?\\n * If you have never uploaded an SSH key to DigitalOcean then the default\\n value will work!\\n * This key should match your Streisand SSH key file (default: ~/.ssh/id_rsa.pub).\\n\\ * DigitalOcean requires SSH keys to be unique. You cannot upload multiple\\n keys that have the same value under different names.\\n\\n If you see an error that says 'SSH Key failed to be created' once the setup\\n process starts, then this is the problem. You can retry the setup process\\n using the name of the existing SSH key from the DigitalOcean control panel\\n that matches the contents of your RSA public key.\\n\"\n default: \"streisand\"\n private: no\n\n - name: \"confirmation\"\n prompt: \"\\nStreisand will now set up your server. This process usually takes around ten minutes. Press Enter to begin setup...\\n\"\n\n roles:\n - genesis-digitalocean\n\n- import_playbook: ssh-setup.yml\n- import_playbook: cloud-status.yml\n- import_playbook: streisand.yml\n...\n" }, { "path": "playbooks/ec2-metadata-instance.yml", "content": "---\n- name: Drop packets to the Amazon EC2 metadata instance\n hosts: streisand-host\n gather_facts: no\n\n remote_user: \"root\"\n become: true\n\n tasks:\n\n - name: Copy the EC2 metadata instance oneshot unit file\n copy:\n src: \"./roles/genesis-amazon/files/aws-metadata-instance.service\"\n dest: \"/etc/systemd/system/aws-metadata-instance.service\"\n owner: root\n group: root\n mode: 0644\n\n - name: Enable and reload the EC2 metadata instance\n systemd:\n name: aws-metadata-instance.service\n daemon_reload: yes\n enabled: yes\n state: restarted\n" }, { "path": "playbooks/existing-server.yml", "content": "---\n# existing-server.yml is an advanced provisioning option that doesn't use a genesis\n# role to create a new server and instead applies Streisand to an existing\n# remote server.\n\n- name: Register the genesis role in use\n hosts: localhost\n gather_facts: yes\n tasks:\n - set_fact:\n streisand_genesis_role: \"existing-server\"\n\n- include: ssh-setup.yml\n\n- name: Check SSH access to existing server\n hosts: streisand-host\n gather_facts: no\n remote_user: \"{{ lookup('env', 'SSH_USER') }}\"\n become: true\n tasks:\n - block:\n - raw: whoami\n args:\n executable: /bin/bash\n changed_when: False\n rescue:\n - fail:\n msg: \"Unable to SSH to existing streisand-host.\\nEnsure private key corresponding to \\\"{{ streisand_ssh_private_key }}\\\" is loaded in your SSH key agent.\\nTry using `ssh-keygen -i {{ streisand_ssh_private_key }} to generate your key if it does not exist\\n\"\n\n# Ensure Python is installed on the system\n- import_playbook: python.yml\n\n# Try and detect the remote server's provider & apply required workarounds\n- import_playbook: provider-detect.yml\n\n- name: Prepare the remote server for Streisand\n# =========================================\n hosts: streisand-host\n remote_user: \"{{ lookup('env', 'SSH_USER') }}\"\n become: true\n\n- import_playbook: streisand.yml\n...\n" }, { "path": "playbooks/google.yml", "content": "---\n- name: Provision the GCE Server\n# =======================================\n hosts: localhost\n connection: local\n gather_facts: yes\n\n vars:\n zones:\n \"1\": \"us-central1-a\"\n \"2\": \"us-central1-b\"\n \"3\": \"us-central1-c\"\n \"4\": \"us-central1-f\"\n \"5\": \"us-east4-a\"\n \"6\": \"us-east4-b\"\n \"7\": \"us-east4-c\"\n \"8\": \"us-east1-b\"\n \"9\": \"us-east1-c\"\n \"10\": \"us-east1-d\"\n \"11\": \"us-west1-a\"\n \"12\": \"us-west1-b\"\n \"13\": \"us-west1-c\"\n \"14\": \"europe-west1-b\"\n \"15\": \"europe-west1-c\"\n \"16\": \"europe-west1-d\"\n \"17\": \"europe-west2-a\"\n \"18\": \"europe-west2-b\"\n \"19\": \"europe-west2-c\"\n \"20\": \"europe-west3-a\"\n \"21\": \"europe-west3-b\"\n \"22\": \"europe-west3-c\"\n \"23\": \"europe-west4-a\"\n \"24\": \"europe-west4-b\"\n \"25\": \"europe-west4-c\"\n \"26\": \"asia-east1-a\"\n \"27\": \"asia-east1-b\"\n \"28\": \"asia-east1-c\"\n \"29\": \"asia-east2-a\"\n \"30\": \"asia-east2-b\"\n \"31\": \"asia-east2-c\"\n \"32\": \"asia-northeast1-a\"\n \"33\": \"asia-northeast1-b\"\n \"34\": \"asia-northeast1-c\"\n \"35\": \"asia-south1-a\"\n \"36\": \"asia-south1-b\"\n \"37\": \"asia-south1-c\"\n \"38\": \"asia-southeast1-a\"\n \"39\": \"asia-southeast1-b\"\n \"40\": \"australia-southeast1-a\"\n \"41\": \"australia-southeast1-b\"\n \"42\": \"australia-southeast1-c\"\n \"43\": \"southamerica-east1-a\"\n \"44\": \"southamerica-east1-b\"\n \"45\": \"southamerica-east1-c\"\n\n # These variable files are included so the gce-network role\n # knows which ports to open\n vars_files:\n - roles/openconnect/defaults/main.yml\n - roles/openvpn/defaults/main.yml\n - roles/shadowsocks/defaults/main.yml\n - roles/ssh/defaults/main.yml\n - roles/lets-encrypt/vars/main.yml\n - roles/streisand-gateway/defaults/main.yml\n - roles/stunnel/defaults/main.yml\n - roles/tor-bridge/defaults/main.yml\n - roles/wireguard/defaults/main.yml\n\n vars_prompt:\n - name: \"gce_zone_idx\"\n prompt: >\n What zone should the server be located in?\n 1. Central US (Iowa A)\n 2. Central US (Iowa B)\n 3. Central US (Iowa C)\n 4. Central US (Iowa F)\n 5. Eastern US (Northern Virginia A)\n 6. Eastern US (Northern Virginia B)\n 7. Eastern US (Northern Virginia C)\n 8. Eastern US (South Carolina B)\n 9. Eastern US (South Carolina C)\n 10. Eastern US (South Carolina D)\n 11. Western US (Oregon A)\n 12. Western US (Oregon B)\n 13. Western US (Oregon C)\n 14. Western Europe (Belgium B)\n 15. Western Europe (Belgium C)\n 16. Western Europe (Belgium D)\n 17. Western Europe (London A)\n 18. Western Europe (London B)\n 19. Western Europe (London C)\n 20. Western Europe (Frankfurt A)\n 21. Western Europe (Frankfurt B)\n 22. Western Europe (Frankfurt C)\n 23. Western Europe (Netherlands A)\n 24. Western Europe (Netherlands B)\n 25. Western Europe (Netherlands C)\n 26. East Asia (Taiwan A)\n 27. East Asia (Taiwan B)\n 28. East Asia (Taiwan C)\n 29. East Asia (Hong Kong A)\n 30. East Asia (Hong Kong B)\n 31. East Asia (Hong Kong C)\n 32. Northeast Asia (Tokyo A)\n 33. Northeast Asia (Tokyo B)\n 34. Northeast Asia (Tokyo C)\n 35. South Asia (Mumbai A)\n 36. South Asia (Mumbai B)\n 37. South Asia (Mumbai C)\n 38. Southeast Asia (Singapore A)\n 39. Southeast Asia (Singapore B)\n 40. Southeast Australia (Sydney A)\n 41. Southeast Australia (Sydney B)\n 42. Southeast Australia (Sydney C)\n 43. South America (São Paulo A)\n 44. South America (São Paulo B)\n 45. South America (São Paulo C)\n Please choose the number of your zone. Press enter for default (#3) zone.\n default: \"3\"\n when: gce_zone is not defined\n private: no\n\n - name: \"gce_server_name\"\n prompt: \"\\nWhat should the server be named? Press enter for default (streisand).\\n\"\n default: \"streisand\"\n private: no\n\n - name: \"gce_json_file_location\"\n prompt: \"\\n\\nThe full path of your unique service account credentials file. Details on generating this can be found at \\nhttps://docs.ansible.com/ansible/guide_gce.html#credentials\\n and \\nhttps://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts\\n\"\n default: \"{{ lookup('env','HOME') }}/streisand.json\"\n private: no\n\n - name: \"confirmation\"\n prompt: \"\\nStreisand will now set up your server. This process usually takes around ten minutes. Press Enter to begin setup...\\n\"\n\n pre_tasks:\n - name: Set the Google Compute Engine Zone interactive\n set_fact:\n gce_zone: \"{{ zones[gce_zone_idx] }}\"\n when: gce_zone is not defined\n\n - name: Register JSON file contents\n command: cat {{ gce_json_file_location }}\n register: gce_json_file_contents\n changed_when: False\n\n - name: Set JSON file contents fact\n set_fact:\n gce_json_contents_fact: \"{{ gce_json_file_contents.stdout | from_json }}\"\n\n - name: Set the Google Compute Engine Service Account Email\n set_fact:\n gce_service_account_email: \"{{ gce_json_contents_fact.client_email }}\"\n\n - name: Set the Google Compute Engine Project ID\n set_fact:\n gce_project_id: \"{{ gce_json_contents_fact.project_id }}\"\n\n roles:\n - genesis-google\n\n- import_playbook: ssh-setup.yml\n- import_playbook: cloud-status.yml\n- import_playbook: streisand.yml\n...\n" }, { "path": "playbooks/group_vars/all", "content": "---\nstreisand_ci: no\nstreisand_noninteractive: no\n" }, { "path": "playbooks/lets-encrypt.yml", "content": "---\n# lets-encrypt.yml asks questions about Streisand instance domain name, which\n# is used to request TLS certificates from Let's Encrypt. If user fails to\n# answer these questions, lets-encrypt role would not be run, and self-signed\n# certificates are generated and used instead.\n- name: Collect information about the Streisand domain\n# =========================================\n hosts: streisand-host\n gather_facts: no\n\n vars_files:\n - roles/lets-encrypt/vars/main.yml\n\n vars_prompt:\n - name: \"streisand_domain_var\"\n prompt: |\n Do you have a fully qualified domain pointed at your Streisand server?\n\n This is an optional question. If you have a domain that points to your\n Streisand server, the installation scripts can request a Let's Encrypt\n HTTPS certificate for you automatically. If you do not provide one or\n the request fails, a self-signed certificate will be used instead.\n\n If you have just created a new cloud server in previous steps now is a\n good time to point your fully qualified domain to your server's public\n address. Make sure the fully qualified domain resolves to the correct IP\n address before proceeding.\n\n Please type your fully qualified domain below. Press enter to skip.\n private: no\n\n - name: \"streisand_admin_email_var\"\n prompt: |\n Which email address do you want to use as a contact for the Streisand\n server's Let's Encrypt certificate?\n\n This is an optional question. If you supply an email address Let's\n Encrypt will send you important (but infrequent) notifications about\n your certificate. These messages include any upcoming certificate\n expirations, and important changes to the Let's Encrypt service.\n The email provided will not be used for anything else or shared with the\n Streisand developers.\n\n Please type your contact email below. Press enter to skip.\n private: no\n\n pre_tasks:\n - name: Set Streisand domain\n set_fact:\n streisand_domain: \"{{ streisand_domain_var }}\"\n when: streisand_domain_var != \"\"\n\n - name: Set Streisand admin email\n set_fact:\n streisand_admin_email: \"{{ streisand_admin_email_var }}\"\n\n - name: Enable Let's Encrypt role\n set_fact:\n streisand_le_enabled: yes\n when: streisand_domain_var != \"\"\n\n - name: Disable Let's Encrypt role\n set_fact:\n streisand_le_enabled: no\n streisand_domain: \"\"\n streisand_admin_email: \"\"\n le_ok: False\n when: streisand_domain_var == \"\"\n...\n" }, { "path": "playbooks/linode.yml", "content": "---\n- name: Provision the Linode Server\n# =================================\n hosts: localhost\n connection: local\n gather_facts: yes\n\n vars:\n regions:\n \"1\": \"ca-central\"\n \"2\": \"us-central\"\n \"3\": \"us-west\"\n \"4\": \"us-southeast\"\n \"5\": \"us-east\"\n \"6\": \"eu-west\"\n \"7\": \"ap-south\"\n \"8\": \"eu-central\"\n \"9\": \"ap-northeast\"\n \"10\": \"ap-west\"\n \"11\": \"ap-southeast\"\n\n vars_prompt:\n - name: \"linode_datacenter\"\n prompt: >\n What region should the server be located in?\n 1. Toronto\n 2. Dallas\n 3. Fremont\n 4. Atlanta\n 5. Newark\n 6. London\n 7. Singapore\n 8. Frankfurt\n 9. Tokyo\n 10. Mumbai\n 11. Sydney\n Please choose the number of your region. Press enter for default (#7) region.\n default: \"7\"\n private: no\n\n - name: \"linode_server_name\"\n prompt: \"\\nWhat should the server be named? Press enter for default (streisand).\\n\"\n default: \"streisand\"\n private: no\n\n - name: \"linode_api_token\"\n prompt: \"\\n\\nThe following information can be found in the Linode Manager:\\nhttps://cloud.linode.com/profile/tokens\\n\\nWhat is your Linode API Token?\\n\"\n private: no\n\n - name: \"confirmation\"\n prompt: \"\\nStreisand will now set up your server. This process usually takes around ten minutes. Press Enter to begin setup...\\n\"\n\n roles:\n - genesis-linode\n\n- import_playbook: ssh-setup.yml\n- import_playbook: streisand.yml\n...\n" }, { "path": "playbooks/localhost.yml", "content": "---\n# localhost.yml is an advanced provisioning option that doesn't use a genesis\n# role to create a new server and instead applies Streisand to the localhost.\n\n# Ensure Python is installed on the system\n- import_playbook: python.yml\n\n# Try and detect localhost's provider & apply required workarounds\n- import_playbook: provider-detect.yml\n\n- name: Prepare the localhost for Streisand\n# =========================================\n hosts: streisand-host\n remote_user: \"root\"\n become: true\n\n tasks:\n - set_fact:\n streisand_genesis_role: \"localhost\"\n\n # If there's no streisand_ipv4_address set then we try our best using\n # the interface Ansible thinks is the default.\n - name: \"Set the Streisand IPv4 address to the Ansible default: interface: {{ ansible_default_ipv4.alias }} address: {{ ansible_default_ipv4.address }}\"\n set_fact:\n # The ansible_default_ipv4 address is calculated based on the default\n # ipv4 route to 8.8.8.8 for the system, and for local provisioning on\n # _most_ providers, seems to work well for finding the external facing IP.\n # See `provider-detect.yml` for cases where this approach doesn't work\n # (e.g. GCE) and workarounds.\n streisand_ipv4_address: \"{{ ansible_default_ipv4.address }}\"\n when: streisand_ipv4_address is not defined\n\n- import_playbook: streisand.yml\n...\n" }, { "path": "playbooks/provider-detect.yml", "content": "---\n# provider-detect.yml is used for the advanced existing/localhost provisioning\n# to try and determine if a given host is from a specific cloud provider. If\n# the cloud provider is detected, some facts/workarounds may be set to aid in\n# provisioning in place of one of the geneiss roles.\n- name: Try to detect Cloud providers for specific overrides\n# =========================================\n hosts: streisand-host\n\n remote_user: \"root\"\n become: true\n\n tasks:\n - name: \"Install dmidecode to use for BIOS version detection\"\n apt:\n package: dmidecode\n\n - name: \"Try to determine localhost Cloud provider name from BIOS version\"\n # Looking into ways to detect EC2/GCE instances without relying on\n # connections to metadata IPs this solution[0] seemed the most\n # straightforward & reliable.\n # https://serverfault.com/a/775063\n command: dmidecode -s bios-version\n register: streisand_localhost_bios_name\n changed_when: False\n ignore_errors: True\n\n - name: \"Set BIOS name fact from dmidecode if possible\"\n set_fact:\n streisand_bios_name: \"{{ streisand_localhost_bios_name.stdout }}\"\n when: streisand_localhost_bios_name.rc == 0\n\n - name: \"...Otherwise set unknown BIOS fact\"\n set_fact:\n streisand_bios_name: \"Unknown\"\n when: streisand_bios_name is undefined\n\n # GCE specific work-arounds:\n # * None of the interfaces have the external IP bound, so this must be set\n # from the Google Platform medatadata service.\n - block:\n - name: Warn about manual provisioning of GCE instances\n pause:\n prompt: \"You are running Streisand in an advanced mode against an existing GCE instance. Unlike the standard GCE provisioning mode this means Streisand *CAN NOT* open ports on your behalf. You will need to manually create the correct VPC Network and firewall rules. See 'generated-docs/' for the firewall-information.html file at the end of installation for a list of ports to open. The Streisand maintainers are not able to support this configuration. Press [enter] to continue\"\n when: not streisand_noninteractive\n\n - name: \"Find the external GCE IP from Google Metadata\"\n # NOTE: We use the command module and `curl` here because (AFAICT)\n # there isn't a way to `register` a `get_url` call and it seems\n # hackier overall to add an intermediate step using a file on disk\n #\n # Metadata URL & the required \"Metadata-Flavor\" are explained in the\n # Google Cloud Platform documentation[0].\n # [0]: https://cloud.google.com/compute/docs/storing-retrieving-metadata#querying\n command: curl -H Metadata-Flavor:Google http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip\n register: streisand_gce_external_ip\n changed_when: False\n - name: \"Set the Streiand IPv4 address to the GCE external IP: {{ streisand_gce_external_ip.stdout }}\"\n set_fact:\n streisand_ipv4_address: \"{{ streisand_gce_external_ip.stdout }}\"\n when: \"streisand_bios_name == 'Google'\"\n\n # Amazon EC2 specific work-arounds:\n # * None of the interfaces have the external IP bound, so this must be set\n # from the EC2 medatadata service.\n - block:\n - name: Warn about manual provisioning of EC2 instances\n pause:\n prompt: \"You are running Streisand in an advanced mode against an existing Amazon EC2 instance. Unlike the standard EC2 provisioning mode this means Streisand *CAN NOT* open ports on your behalf. You will need to manually assinging this machine to a security group with the correct firewall rules. See 'generated-docs/' for the firewall-information.html file at the end of installation for a list of ports to open. The Streisand maintainers are not able to support this configuration. Press [enter] to continue\"\n when: not streisand_noninteractive\n\n # EC2 Instance Metadata API is explained in the EC2 docs[0].\n # [0]: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html\n - name: \"Find the external EC2 IP from Metadata\"\n command: curl http://169.254.169.254/latest/meta-data/public-ipv4\n register: streisand_ec2_external_ip\n changed_when: False\n - name: \"Set the Streiand IPv4 address to the EC2 external IP: {{ streisand_ec2_external_ip.stdout }}\"\n set_fact:\n streisand_ipv4_address: \"{{ streisand_ec2_external_ip.stdout }}\"\n when: \"'amazon' in streisand_bios_name\"\n...\n" }, { "path": "playbooks/python.yml", "content": "---\n- name: Prepare the new server for Ansible\n# =========================================\n hosts: streisand-host\n gather_facts: no\n\n remote_user: \"root\"\n become: true\n\n tasks:\n - name: Install Python using a raw SSH command to enable the execution of Ansible modules\n raw: apt update && apt install python -y\n args:\n executable: /bin/bash\n...\n" }, { "path": "playbooks/rackspace.yml", "content": "---\n- name: Provision the Rackspace Server\n# ====================================\n hosts: localhost\n connection: local\n gather_facts: yes\n\n vars:\n regions:\n \"1\": \"ORD\"\n \"2\": \"DFW\"\n \"3\": \"HKG\"\n \"4\": \"IAD\"\n \"5\": \"SYD\"\n\n vars_prompt:\n - name: \"rackspace_region\"\n prompt: >\n What region should the server be located in?\n 1. Chicago\n 2. Dallas\n 3. Hong Kong\n 4. Northern Virginia\n 5. Sydney\n Please choose the number of your region. Press enter for default (#1) region.\n default: \"1\"\n private: no\n\n - name: \"rackspace_server_name\"\n prompt: \"\\nWhat should the server be named? Press enter for default (streisand).\\n\"\n private: no\n default: \"streisand\"\n\n - name: \"rackspace_username\"\n prompt: \"\\nWhat is your Rackspace username?\\n\"\n private: no\n\n - name: \"rackspace_api_key\"\n prompt: \"\\n\\nThe following information can be found in the Rackspace Cloud Control Panel.\\nhttps://mycloud.rackspace.com/\\n\\nWhat is your Rackspace API key?\\n\"\n private: no\n\n - name: \"confirmation\"\n prompt: \"\\nStreisand will now set up your server. This process usually takes around ten minutes. Press Enter to begin setup...\\n\"\n\n roles:\n - genesis-rackspace\n\n- import_playbook: ssh-setup.yml\n- import_playbook: cloud-status.yml\n- import_playbook: streisand.yml\n...\n" }, { "path": "playbooks/roles/ad-blocking/files/download-blocklists", "content": "#!/bin/bash\nset -e\n\n# Now, if there were only some convenient way of storing etags from\n# those fetches.\n\ndownload_if_newer () {\n filename=\"$1\"\n url=\"$2\"\n if [ -e \"$filename\" ]; then\n\tcurl --time-cond \"$filename\" -o \"$filename\" \"$url\"\n else\n\tcurl -o \"$filename\" \"$url\"\n fi\n}\n\n\nmkdir -p /var/lib/blocklists\n\ndownload_if_newer /var/lib/blocklists/block-hostnames.txt 'https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt'\n\ndownload_if_newer /var/lib/blocklists/block-domains.txt 'https://raw.githubusercontent.com/notracking/hosts-blocklists/master/domains.txt'\n\ntransform-domain-list /etc/dnsmasq.d/block-domains.conf\ntransform-host-list /etc/dnsmasq-block-hosts\n\necho \"addn-hosts=/etc/dnsmasq-block-hosts\" >/etc/dnsmasq.d/block-hosts.conf\n\n# Sadly, \"reload\" doesn't work\"\nsystemctl restart dnsmasq.service\n" }, { "path": "playbooks/roles/ad-blocking/files/download-blocklists.service", "content": "[Unit]\nDescription=Download blocklists\n\n[Service]\nType=oneshot\nExecStart=/usr/local/bin/download-blocklists\n\n" }, { "path": "playbooks/roles/ad-blocking/files/download-blocklists.timer", "content": "[Timer]\nOnActiveSec=0\nOnBootSec=60\nOnUnitActiveSec=1d\nRandomizedDelaySec=1h\n\n[Install]\nWantedBy=network.target\n" }, { "path": "playbooks/roles/ad-blocking/files/transform-domain-list", "content": "#!/bin/bash\n\nawk '\nBEGIN { FS=\"/\"; print \"# post-processed by transform-domain-list\" }\n\n/^#/ { print $0; next; }\n\n/^address=\\/.*\\/0\\.0\\.0\\.0$/ { next; }\n\n/^address=\\/.*\\/::$/ {\n if ($2 !~ /\\./) {\n print \"### no dot found in domain, skipping: \" $0;\n next;\n }\n print \"address=/\" $2 \"/0.0.0.0\\naddress=/\" $2 \"/::\";\n next;\n}\n\n{ print \"### ERROR unprocessed line: \" $0; }\n'\n" }, { "path": "playbooks/roles/ad-blocking/files/transform-host-list", "content": "#!/bin/bash\n\nawk '\nBEGIN { print \"# post-processed by transform-host-list\"; }\n\n/^#/ { print $0; next; }\n\n/^0\\.0\\.0\\.0 / { next; }\n\n/^:: / {\n if ($2 !~ /\\./) {\n print \"### no dot found in hostname, skipping: \" $0;\n next;\n }\n print \"0.0.0.0 \" $2 \"\\n:: \" $2;\n next;\n}\n\n{ print \"### ERROR unprocessed line: \" $0; }\n'\n" }, { "path": "playbooks/roles/ad-blocking/tasks/main.yml", "content": "- name: \"Install blocklist tools\"\n copy:\n src: \"{{ item }}\"\n dest: /usr/local/bin/\n mode: '0755'\n loop:\n - download-blocklists\n - transform-domain-list\n - transform-host-list\n\n- name: \"Install blocklist systemd goo\"\n copy:\n src: \"{{ item }}\"\n dest: /etc/systemd/system/\n mode: '0644'\n loop:\n - download-blocklists.service\n - download-blocklists.timer\n\n- name: \"Enable the blocklist download service\"\n systemd:\n name: download-blocklists.service\n daemon_reload: true\n enabled: true\n state: started\n\n- name: \"Enable and start the blocklist re-download timer\"\n systemd:\n name: download-blocklists.timer\n enabled: true\n state: started\n" }, { "path": "playbooks/roles/azure-security-group/meta/main.yml", "content": "---\nallow_duplicates: yes\n" }, { "path": "playbooks/roles/azure-security-group/tasks/main.yml", "content": "---\n- name: Create Azure resource group\n azure_rm_resourcegroup:\n name: \"{{ azure_resource_group_name }}\"\n location: \"{{ azure_region }}\"\n\n- name: Create Azure virtual network\n azure_rm_virtualnetwork:\n resource_group: \"{{ azure_resource_group_name }}\"\n name: \"{{ azure_resource_group_name }}\"\n address_prefixes: \"10.10.0.0/16\"\n\n- name: Create Azure subnet\n azure_rm_subnet:\n resource_group: \"{{ azure_resource_group_name }}\"\n name: \"{{ azure_resource_group_name }}\"\n address_prefix: \"10.10.0.0/24\"\n virtual_network: \"{{ azure_resource_group_name }}\"\n\n- name: Create Azure public ip\n azure_rm_publicipaddress:\n resource_group: \"{{ azure_resource_group_name }}\"\n allocation_method: Static\n name: \"{{ azure_resource_group_name }}\"\n\n- name: Open all of the necessary ports across every service in the Azure security group\n azure_rm_securitygroup:\n name: \"{{ azure_resource_group_name }}\"\n resource_group: \"{{ azure_resource_group_name }}\"\n location: \"{{ azure_region }}\"\n rules:\n # Nginx\n # ---\n - name: \"AllowNGINX\"\n destination_port_range: \"{{ nginx_port }}\"\n protocol: Tcp\n access: Allow\n direction: Inbound\n priority: 101\n # SSH\n # ---\n - name: \"AllowSSHTCP\"\n destination_port_range: \"{{ ssh_port }}\"\n protocol: Tcp\n access: Allow\n direction: Inbound\n priority: 108\n # HTTP (Let's Encrypt)\n # ---\n - name: \"AllowHTTP\"\n destination_port_range: \"{{ le_port }}\"\n protocol: Tcp\n access: Allow\n direction: Inbound\n priority: 120\n\n# Shadowsocks\n# ---\n- name: Open Shadowsocks ports in the Azure security group\n azure_rm_securitygroup:\n name: \"{{ azure_resource_group_name }}\"\n resource_group: \"{{ azure_resource_group_name }}\"\n location: \"{{ azure_region }}\"\n rules:\n # Shadowsocks TCP\n # ---\n - name: \"AllowShadowsocksTCP\"\n destination_port_range: \"{{ shadowsocks_server_port }}\"\n protocol: Tcp\n access: Allow\n direction: Inbound\n priority: 106\n # Shadowsocks UDP\n # ---\n - name: \"AllowShadowsocksUDP\"\n destination_port_range: \"{{ shadowsocks_server_port }}\"\n protocol: Udp\n access: Allow\n direction: Inbound\n priority: 107\n when: streisand_shadowsocks_enabled\n\n# WireGuard\n# ---\n- name: Open WireGuard ports in the Azure security group\n azure_rm_securitygroup:\n name: \"{{ azure_resource_group_name }}\"\n resource_group: \"{{ azure_resource_group_name }}\"\n location: \"{{ azure_region }}\"\n rules:\n - name: \"AllowWireguard\"\n destination_port_range: \"{{ wireguard_port }}\"\n protocol: Udp\n access: Allow\n direction: Inbound\n priority: 112\n when: streisand_wireguard_enabled\n\n# OpenConnect (ocserv)\n# ---\n- name: Open the OpenConnect ports in the Azure security group\n azure_rm_securitygroup:\n name: \"{{ azure_resource_group_name }}\"\n resource_group: \"{{ azure_resource_group_name }}\"\n location: \"{{ azure_region }}\"\n rules:\n # OpenConnect TCP\n # ---\n - name: \"AllowOCServTCP\"\n destination_port_range: \"{{ ocserv_port }}\"\n protocol: Tcp\n access: Allow\n direction: Inbound\n priority: 102\n # OpenConnect UDP\n # ---\n - name: \"AllowOCServUDP\"\n destination_port_range: \"{{ ocserv_port }}\"\n protocol: Udp\n access: Allow\n direction: Inbound\n priority: 103\n when: streisand_openconnect_enabled\n\n# OpenVPN\n# ---\n- name: Open the OpenVPN ports in the Azure security group\n azure_rm_securitygroup:\n name: \"{{ azure_resource_group_name }}\"\n resource_group: \"{{ azure_resource_group_name }}\"\n location: \"{{ azure_region }}\"\n rules:\n # OpenVPN TCP\n # ---\n - name: \"AllowOpenVPNTCP\"\n destination_port_range: \"{{ openvpn_port }}\"\n protocol: Tcp\n access: Allow\n direction: Inbound\n priority: 104\n # OpenVPN UDP\n # ---\n - name: \"AllowOpenVPNUDP\"\n destination_port_range: \"{{ openvpn_port_udp }}\"\n protocol: Udp\n access: Allow\n direction: Inbound\n priority: 105\n when: streisand_openvpn_enabled\n\n# stunnel\n# ---\n- name: Open the stunnel port in the Azure security group\n azure_rm_securitygroup:\n name: \"{{ azure_resource_group_name }}\"\n resource_group: \"{{ azure_resource_group_name }}\"\n location: \"{{ azure_region }}\"\n rules:\n - name: \"AllowStunnelTCP\"\n destination_port_range: \"{{ stunnel_remote_port }}\"\n protocol: Tcp\n access: Allow\n direction: Inbound\n priority: 109\n when: streisand_openvpn_enabled and streisand_stunnel_enabled\n\n# Tor\n# ---\n- name: Open Tor ports in the Azure security group\n azure_rm_securitygroup:\n name: \"{{ azure_resource_group_name }}\"\n resource_group: \"{{ azure_resource_group_name }}\"\n location: \"{{ azure_region }}\"\n rules:\n # Tor TCP\n # ---\n - name: \"AllowTorTCP\"\n destination_port_range: \"{{ tor_orport }}\"\n protocol: Tcp\n access: Allow\n direction: Inbound\n priority: 110\n # Tor obfs4 TCP port\n # ---\n - name: \"AllowOBFS4TCP\"\n destination_port_range: \"{{ tor_obfs4_port }}\"\n protocol: Tcp\n access: Allow\n direction: Inbound\n priority: 111\n when: streisand_tor_enabled\n\n- name: Create Azure network interface\n azure_rm_networkinterface:\n resource_group: \"{{ azure_resource_group_name }}\"\n name: \"{{ azure_resource_group_name }}\"\n virtual_network: \"{{ azure_resource_group_name }}\"\n subnet: \"{{ azure_resource_group_name }}\"\n public_ip_name: \"{{ azure_resource_group_name }}\"\n security_group: \"{{ azure_resource_group_name }}\"\n" }, { "path": "playbooks/roles/azure-security-group/vars/main.yml", "content": "---\nazure_resource_group_name: \"streisand-{{ azure_instance_name }}\"\n" }, { "path": "playbooks/roles/certificates/defaults/main.yml", "content": "---\ntls_key_country: \"US\"\ntls_key_province: \"California\"\ntls_key_city: \"Beverly Hills\"\ntls_key_org: \"ACME CORPORATION\"\ntls_key_ou: \"Anvil Department\"\ntls_days_valid: \"1825\"\ntls_default_md: \"sha256\"\ntls_key_size: \"4096\"\n\n# What type of certificates to be generated\n# must be explicitly set by playbooks that\n# include the certificates role\ngenerate_ca_server: no\ngenerate_client: no\ngenerate_pkcs: no\n" }, { "path": "playbooks/roles/certificates/tasks/ca-server.yml", "content": "---\n- name: \"Generate the private keys for the CA and Server certificates\"\n command: openssl genrsa -out {{ item }}.key {{ tls_key_size }}\n args:\n chdir: \"{{ ca_path }}\"\n creates: \"{{ item }}.key\"\n with_items:\n - ca\n - server\n\n- name: Set the proper permissions on all the private keys\n file:\n path: \"{{ ca_path }}\"\n recurse: yes\n state: directory\n owner: root\n group: root\n mode: 0600\n\n- name: Generate CA certificate\n command: openssl req -nodes -batch -new -x509 -key {{ tls_ca }}.key -days {{ tls_days_valid }} -out {{ tls_ca }}.crt -subj \"{{ tls_request_subject }}/CN=ca-certificate\"\n args:\n creates: \"{{ tls_ca }}.crt\"\n\n- name: Generate a random server common name\n shell: \"{{ streisand_word_gen.long_identifier | trim }} > {{ tls_server_common_name_file }}\"\n args:\n creates: \"{{ tls_server_common_name_file }}\"\n\n- name: Set permissions on the TLS server common name file\n file:\n path: \"{{ tls_server_common_name_file }}\"\n owner: root\n group: root\n mode: 0600\n\n- name: Register the TLS server common name\n command: cat \"{{ tls_server_common_name_file }}\"\n register: tls_server_common_name\n changed_when: False\n\n- name: Generate the OpenSSL configuration that will be used for the server certificate's req and ca commands\n template:\n src: openssl.cnf.j2\n dest: \"{{ ca_path }}/openssl.cnf\"\n\n- name: Seed a blank database file that will be used when generating the Server's certificate\n file:\n path: \"{{ ca_path }}/index.txt\"\n state: touch\n\n- name: Seed a serial file that will be used when generating the Server's certificate\n copy:\n content: \"01\"\n dest: \"{{ ca_path }}/serial\"\n\n- name: Generate CSR for the Server\n command: openssl req -batch -extensions server -new -key server.key -out server.csr -config {{ ca_path }}/openssl.cnf\n args:\n chdir: \"{{ ca_path }}\"\n creates: server.csr\n\n- name: Generate certificate for the Server\n command: openssl ca -batch -extensions server -in server.csr -out server.crt -config openssl.cnf\n args:\n chdir: \"{{ ca_path }}\"\n creates: server.crt\n" }, { "path": "playbooks/roles/certificates/tasks/client.yml", "content": "---\n- name: Create directories for clients\n file:\n path: \"{{ tls_client_path }}/{{ client_name.stdout }}\"\n state: directory\n with_items: \"{{ vpn_client_names.results }}\"\n loop_control:\n loop_var: \"client_name\"\n label: \"{{ client_name.item }}\"\n\n- name: Generate the private keys for the client certificates\n command: openssl genrsa -out client.key {{ tls_key_size }}\n args:\n chdir: \"{{ tls_client_path }}/{{ client_name.stdout }}\"\n creates: client.key\n with_items: \"{{ vpn_client_names.results }}\"\n loop_control:\n loop_var: \"client_name\"\n label: \"{{ client_name.item }}\"\n\n- name: Set the proper permissions on all private client keys\n file:\n path: \"{{ ca_path }}\"\n recurse: yes\n state: directory\n owner: root\n group: root\n mode: 0600\n\n- name: Generate CSRs for the clients\n command: openssl req -new -extensions client -key client.key -out client.csr -subj \"{{ tls_request_subject }}/CN={{ client_name.stdout }}\" -config {{ ca_path }}/openssl.cnf\n args:\n chdir: \"{{ tls_client_path }}/{{ client_name.stdout }}\"\n creates: client.csr\n with_items: \"{{ vpn_client_names.results }}\"\n loop_control:\n loop_var: \"client_name\"\n label: \"{{ client_name.item }}\"\n\n- name: Generate certificates for the clients\n command: openssl x509 -extensions client -CA {{ tls_ca }}.crt -CAkey {{ tls_ca }}.key -CAcreateserial -req -days {{ tls_days_valid }} -in client.csr -out client.crt -extfile {{ ca_path }}/openssl.cnf\n args:\n chdir: \"{{ tls_client_path }}/{{ client_name.stdout }}\"\n creates: client.crt\n with_items: \"{{ vpn_client_names.results }}\"\n loop_control:\n loop_var: \"client_name\"\n label: \"{{ client_name.item }}\"\n\n- name: Authorize certificates via /etc/allowed_vpn_certs\n template:\n src: allowed_vpn_certs.j2\n dest: /etc/allowed_vpn_certs\n owner: root\n group: root\n mode: 0644\n" }, { "path": "playbooks/roles/certificates/tasks/main.yml", "content": "---\n- import_tasks: ca-server.yml\n when: generate_ca_server\n\n- import_tasks: client.yml\n when: generate_client\n\n- import_tasks: pkcs.yml\n when: generate_pkcs\n" }, { "path": "playbooks/roles/certificates/tasks/pkcs.yml", "content": "---\n- name: \"Generate a random password that will be used during the PKCS #12 conversion\"\n shell: \"{{ streisand_word_gen.weak_password | trim }} > {{ tls_client_path }}/{{ client_name.stdout }}/{{ vpn_name }}-{{ client_name.stdout }}-pkcs12-password\"\n args:\n creates: \"{{ tls_client_path }}/{{ client_name.stdout }}/{{ vpn_name }}-{{ client_name.stdout }}-pkcs12-password\"\n with_items: \"{{ vpn_client_names.results }}\"\n loop_control:\n loop_var: \"client_name\"\n label: \"{{ client_name.item }}\"\n\n- name: \"Set permissions on the PKCS #12 password file\"\n file:\n path: \"{{ tls_client_path }}/{{ client_name.stdout }}/{{ vpn_name }}-{{ client_name.stdout }}-pkcs12-password\"\n owner: root\n group: root\n mode: 0600\n with_items: \"{{ vpn_client_names.results }}\"\n loop_control:\n loop_var: \"client_name\"\n label: \"{{ client_name.item }}\"\n\n- name: \"Register the PKCS #12 passwords\"\n command: cat {{ tls_client_path }}/{{ client_name.stdout }}/{{ vpn_name }}-{{ client_name.stdout }}-pkcs12-password\n register: \"vpn_client_pkcs12_password_list\"\n with_items: \"{{ vpn_client_names.results }}\"\n loop_control:\n loop_var: \"client_name\"\n label: \"{{ client_name.item }}\"\n changed_when: False\n\n- name: \"Convert the {{ vpn_name }} client keys and certificates into PKCS #12 format\"\n command: >\n openssl pkcs12 -export\n -in {{ tls_client_path }}/{{ vpn_client_password.client_name.stdout }}/client.crt\n -inkey {{ tls_client_path }}/{{ vpn_client_password.client_name.stdout }}/client.key\n -name {{ vpn_client_password.client_name.stdout }}\n -out {{ tls_client_path }}/{{ vpn_client_password.client_name.stdout }}/{{ vpn_client_password.client_name.stdout }}.p12\n -certfile {{ tls_client_path }}/ca.crt\n -passout pass:\"{{ vpn_client_password.stdout }}\"\n args:\n creates: \"{{ tls_client_path }}/{{ vpn_client_password.client_name.stdout }}/{{ vpn_client_password.client_name.stdout }}.p12\"\n with_items: \"{{ vpn_client_pkcs12_password_list.results }}\"\n loop_control:\n loop_var: \"vpn_client_password\"\n label: \"{{ vpn_client_password.client_name.item }}\"\n" }, { "path": "playbooks/roles/certificates/templates/allowed_vpn_certs.j2", "content": "# This file lists all the enabled VPN certificate names. Note that\n# it does not affect WireGuard.\n\n{% for client in vpn_client_names.results -%}\n{{ client.stdout }}\n{% endfor %}\n" }, { "path": "playbooks/roles/certificates/templates/openssl.cnf.j2", "content": "[ ca ]\ndefault_ca = CA_default\n\n[ CA_default ]\n\ndir = {{ ca_path }}\ncerts = $dir\ncrl_dir = $dir\ndatabase = $dir/index.txt\nnew_certs_dir = $dir\n\ncertificate = {{ tls_ca }}.crt\nserial = $dir/serial\ncrl = $dir/crl.pem\nprivate_key = {{ tls_ca }}.key\nRANDFILE = $dir/.rand\n\ncopy_extensions = copy\n\nx509_extensions = server\n\ndefault_days = {{ tls_days_valid }}\ndefault_crl_days= 30\ndefault_md = {{ tls_default_md }}\npreserve = no\n\npolicy = policy_anything\n\nkeyUsage = cRLSign, keyCertSign\n\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always,issuer:always\n\n[ policy_anything ]\ncountryName = optional\nstateOrProvinceName = optional\nlocalityName = optional\norganizationName = optional\norganizationalUnitName = optional\ncommonName = supplied\nname = optional\nemailAddress = optional\n\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = req_ext\n\n[ req_ext ]\nsubjectAltName = @alt_names\n\n[ alt_names ]\n{% for item in tls_sans %}\nIP.{{ loop.index }} = {{ item }}\n{% endfor %}\n\n[ req_distinguished_name ]\ncountryName = Country Name (2 letter code)\ncountryName_default = {{ tls_key_country }}\n\nstateOrProvinceName = State or Province Name (full name)\nstateOrProvinceName_default = {{ tls_key_province }}\n\nlocalityName = Locality Name (eg, city)\nlocalityName_default = {{ tls_key_city }}\n\n0.organizationName = Organization Name (eg, company)\n0.organizationName_default = {{ tls_key_org }}\n\norganizationalUnitName = Organizational Unit Name (eg, section)\norganizationalUnitName_default = {{ tls_key_ou }}\n\ncommonName = Common Name (eg, your name or your server\\'s hostname)\ncommonName_default = {{ tls_server_common_name.stdout }}\n\n[ v3_ca ]\nkeyUsage = digitalSignature, keyEncipherment\n\n[ server ]\nbasicConstraints=CA:FALSE\nnsComment = \"Ansible Generated Server Certificate\"\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer:always\nextendedKeyUsage=serverAuth\nkeyUsage = digitalSignature, keyEncipherment\nsubjectAltName = @alt_names\n\n[ client ]\nbasicConstraints=CA:FALSE\nnsComment = \"Ansible Generated Client Certificate\"\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer:always\nextendedKeyUsage=clientAuth\nkeyUsage = digitalSignature\n" }, { "path": "playbooks/roles/certificates/vars/main.yml", "content": "---\ntls_request_subject: \"/C={{ tls_key_country }}/ST={{ tls_key_province }}/L={{ tls_key_city }}/O={{ tls_key_org }}/OU={{ tls_key_ou }}\"\n" }, { "path": "playbooks/roles/cloudflared/defaults/main.yml", "content": "---\ncloudflared_base_url: \"https://bin.equinox.io/c/VdrWdbjqyF/\"\n\ncloudflared_amd64_apt: \"cloudflared-stable-linux-amd64.deb\"\ncloudflared_amd64_yum: \"cloudflared-stable-linux-amd64.rpm\"\ncloudflared_amd64_binary: \"cloudflared-stable-linux-amd64.tgz\"\ncloudflared_arm_apt: \"cloudflared-stable-linux-arm.deb\"\ncloudflared_arm_yum: \"cloudflared-stable-linux-arm.rpm\"\ncloudflared_arm_binary: \"cloudflared-stable-linux-arm.tgz\"\n\ncloudflared_allow_firewall: false\ncloudflared_enable_service: true\ncloudflared_upstream1: \"https://1.1.1.1/dns-query\"\ncloudflared_upstream2: \"https://1.0.0.1/dns-query\"\ncloudflared_port: 5053\n\ncloudflared_options: \"proxy-dns --port {{ cloudflared_port }} --upstream {{ cloudflared_upstream1 }} --upstream {{ cloudflared_upstream2 }}\"\n\ncloudflared_bin_location: /usr/local/bin\n" }, { "path": "playbooks/roles/cloudflared/files/cloudflared.service", "content": "[Unit]\nDescription=cloudflared service\nAfter=syslog.target network-online.target\n\n[Service]\nType=simple\nUser=cloudflared\nEnvironmentFile=/etc/default/cloudflared\nExecStart=/usr/local/bin/cloudflared $CLOUDFLARED_OPTS\nRestart=on-failure\nRestartSec=10\nKillMode=process\n\n[Install]\nWantedBy=multi-user.target\n" }, { "path": "playbooks/roles/cloudflared/handlers/main.yml", "content": "---\n- name: restart cloudflared service\n systemd:\n name: cloudflared.service\n state: restarted\n" }, { "path": "playbooks/roles/cloudflared/meta/main.yml", "content": "---\ndependencies:\n - { role: dnsmasq }\n - { role: ip-forwarding }\n" }, { "path": "playbooks/roles/cloudflared/tasks/install_binary.yml", "content": "---\n- name: build filename of file to be downloaded\n set_fact:\n cloudflared_file: \"{{ vars['cloudflared_'+device_arch+'_binary'] }}\"\n\n- name: download correct file for device\n get_url:\n url: \"{{ cloudflared_base_url }}{{ cloudflared_file }}\"\n dest: \"/tmp/{{ cloudflared_file }}\"\n #checksum: \"{{ cloudflared_file_checksum }}\"\n\n- name: extract cloudflared into /usr/local/bin\n unarchive:\n src: \"/tmp/{{ cloudflared_file }}\"\n dest: \"{{ cloudflared_bin_location }}\"\n remote_src: yes\n" }, { "path": "playbooks/roles/cloudflared/tasks/install_package.yml", "content": "---\n- name: build filename of file to be downloaded\n set_fact:\n cloudflared_file: \"{{ vars['cloudflared_'+device_arch+'_'+ansible_pkg_mgr] }}\"\n\n- name: download correct file for device\n get_url:\n url: \"{{ cloudflared_base_url }}{{ cloudflared_file }}\"\n dest: \"/tmp/{{ cloudflared_file }}\"\n #checksum: \"{{ cloudflared_file_checksum }}\"\n\n- name: Install a .deb package\n apt:\n deb: \"/tmp/{{ cloudflared_file }}\"\n state: present\n register: pkg_mgr_output\n ignore_errors: true\n when: ansible_pkg_mgr == 'apt'\n\n- name: Install a .rpm package\n yum:\n name: \"/tmp/{{ cloudflared_file }}\"\n state: present\n register: pkg_mgr_output\n ignore_errors: true\n when: ansible_pkg_mgr == 'yum'\n" }, { "path": "playbooks/roles/cloudflared/tasks/main.yml", "content": "---\n- stat:\n path: \"{{ cloudflared_bin_location }}/cloudflared\"\n register: cloudflared_binary\n\n- set_fact:\n cloudflared_installed: \"{{ cloudflared_binary.stat.exists | default(false) }}\"\n\n- name: set device architecture and package manager vars\n set_fact:\n device_arch: \"{{ 'amd64' if ansible_architecture == 'x86_64' else 'arm' }}\"\n\n- name: install package\n import_tasks: install_package.yml\n when: (not cloudflared_installed) and (ansible_pkg_mgr == 'yum' or ansible_pkg_mgr == 'apt') and (ansible_architecture == 'x86_64' or ansible_architecture == 'arm')\n\n- name: install binary\n import_tasks: install_binary.yml\n when: (not cloudflared_installed) and ((pkg_mgr_output is undefined or pkg_mgr_output is failed) or ansible_architecture == 'armv7l')\n\n- name: Set network capabilities for cloudflared\n capabilities:\n path: \"{{ cloudflared_bin_location }}/cloudflared\"\n capability: cap_net_bind_service+ep\n state: present\n when: cloudflared_port|int < 1024\n\n- command: cloudflared update\n register: update_command\n changed_when: update_command.rc == '64'\n\n- name: create cloudflared nologin user\n become: yes\n user:\n name: cloudflared\n shell: /usr/sbin/nologin\n system: True\n create_home: False\n\n- name: set ownership of /usr/local/bin/cloudflared\n file:\n path: /usr/local/bin/cloudflared\n state: file\n owner: cloudflared\n group: cloudflared\n\n- name: template config file\n template:\n src: cloudflared.j2\n dest: /etc/default/cloudflared\n owner: cloudflared\n group: cloudflared\n notify: restart cloudflared service\n tags: systemd\n\n- name: copy systemd service\n copy:\n src: cloudflared.service\n dest: /etc/systemd/system/\n owner: root\n group: root\n mode: 0644\n notify: restart cloudflared service\n register: service\n tags: systemd\n\n- name: enable systemd service\n service:\n name: cloudflared\n enabled: \"{{ cloudflared_enable_service }}\"\n when: service.changed\n tags: systemd\n\n- name: Allow port in firewall\n ufw:\n rule: allow\n port: \"{{ cloudflared_port }}\"\n comment: \"allow cloudflared\"\n when: cloudflared_allow_firewall\n\n# DNSMASQ\n- name: Remove existing upstream servers in dnsmasq\n replace:\n path: /etc/dnsmasq.conf\n regexp: \"^server=(.*)$\"\n\n- name: Set upstream DNS server to cloudflared proxy\n lineinfile:\n path: /etc/dnsmasq.conf\n state: present\n line: \"server=127.0.0.1#{{ cloudflared_port }}\"\n notify: Restart dnsmasq\n" }, { "path": "playbooks/roles/cloudflared/templates/cloudflared.j2", "content": "# Commandline args for cloudflared\nCLOUDFLARED_OPTS={{ cloudflared_options }}\n" }, { "path": "playbooks/roles/cloudflared/vars/main.yml", "content": "---\n# Cloudflared variables\n" }, { "path": "playbooks/roles/common/files/english.txt", "content": "abandon\nability\nable\nabout\nabove\nabsent\nabsorb\nabstract\nabsurd\nabuse\naccess\naccident\naccount\naccuse\nachieve\nacid\nacoustic\nacquire\nacross\nact\naction\nactor\nactress\nactual\nadapt\nadd\naddict\naddress\nadjust\nadmit\nadult\nadvance\nadvice\naerobic\naffair\nafford\nafraid\nagain\nage\nagent\nagree\nahead\naim\nair\nairport\naisle\nalarm\nalbum\nalcohol\nalert\nalien\nall\nalley\nallow\nalmost\nalone\nalpha\nalready\nalso\nalter\nalways\namateur\namazing\namong\namount\namused\nanalyst\nanchor\nancient\nanger\nangle\nangry\nanimal\nankle\nannounce\nannual\nanother\nanswer\nantenna\nantique\nanxiety\nany\napart\napology\nappear\napple\napprove\napril\narch\narctic\narea\narena\nargue\narm\narmed\narmor\narmy\naround\narrange\narrest\narrive\narrow\nart\nartefact\nartist\nartwork\nask\naspect\nassault\nasset\nassist\nassume\nasthma\nathlete\natom\nattack\nattend\nattitude\nattract\nauction\naudit\naugust\naunt\nauthor\nauto\nautumn\naverage\navocado\navoid\nawake\naware\naway\nawesome\nawful\nawkward\naxis\nbaby\nbachelor\nbacon\nbadge\nbag\nbalance\nbalcony\nball\nbamboo\nbanana\nbanner\nbar\nbarely\nbargain\nbarrel\nbase\nbasic\nbasket\nbattle\nbeach\nbean\nbeauty\nbecause\nbecome\nbeef\nbefore\nbegin\nbehave\nbehind\nbelieve\nbelow\nbelt\nbench\nbenefit\nbest\nbetray\nbetter\nbetween\nbeyond\nbicycle\nbid\nbike\nbind\nbiology\nbird\nbirth\nbitter\nblack\nblade\nblame\nblanket\nblast\nbleak\nbless\nblind\nblood\nblossom\nblouse\nblue\nblur\nblush\nboard\nboat\nbody\nboil\nbomb\nbone\nbonus\nbook\nboost\nborder\nboring\nborrow\nboss\nbottom\nbounce\nbox\nboy\nbracket\nbrain\nbrand\nbrass\nbrave\nbread\nbreeze\nbrick\nbridge\nbrief\nbright\nbring\nbrisk\nbroccoli\nbroken\nbronze\nbroom\nbrother\nbrown\nbrush\nbubble\nbuddy\nbudget\nbuffalo\nbuild\nbulb\nbulk\nbullet\nbundle\nbunker\nburden\nburger\nburst\nbus\nbusiness\nbusy\nbutter\nbuyer\nbuzz\ncabbage\ncabin\ncable\ncactus\ncage\ncake\ncall\ncalm\ncamera\ncamp\ncan\ncanal\ncancel\ncandy\ncannon\ncanoe\ncanvas\ncanyon\ncapable\ncapital\ncaptain\ncar\ncarbon\ncard\ncargo\ncarpet\ncarry\ncart\ncase\ncash\ncasino\ncastle\ncasual\ncat\ncatalog\ncatch\ncategory\ncattle\ncaught\ncause\ncaution\ncave\nceiling\ncelery\ncement\ncensus\ncentury\ncereal\ncertain\nchair\nchalk\nchampion\nchange\nchaos\nchapter\ncharge\nchase\nchat\ncheap\ncheck\ncheese\nchef\ncherry\nchest\nchicken\nchief\nchild\nchimney\nchoice\nchoose\nchronic\nchuckle\nchunk\nchurn\ncigar\ncinnamon\ncircle\ncitizen\ncity\ncivil\nclaim\nclap\nclarify\nclaw\nclay\nclean\nclerk\nclever\nclick\nclient\ncliff\nclimb\nclinic\nclip\nclock\nclog\nclose\ncloth\ncloud\nclown\nclub\nclump\ncluster\nclutch\ncoach\ncoast\ncoconut\ncode\ncoffee\ncoil\ncoin\ncollect\ncolor\ncolumn\ncombine\ncome\ncomfort\ncomic\ncommon\ncompany\nconcert\nconduct\nconfirm\ncongress\nconnect\nconsider\ncontrol\nconvince\ncook\ncool\ncopper\ncopy\ncoral\ncore\ncorn\ncorrect\ncost\ncotton\ncouch\ncountry\ncouple\ncourse\ncousin\ncover\ncoyote\ncrack\ncradle\ncraft\ncram\ncrane\ncrash\ncrater\ncrawl\ncrazy\ncream\ncredit\ncreek\ncrew\ncricket\ncrime\ncrisp\ncritic\ncrop\ncross\ncrouch\ncrowd\ncrucial\ncruel\ncruise\ncrumble\ncrunch\ncrush\ncry\ncrystal\ncube\nculture\ncup\ncupboard\ncurious\ncurrent\ncurtain\ncurve\ncushion\ncustom\ncute\ncycle\ndad\ndamage\ndamp\ndance\ndanger\ndaring\ndash\ndaughter\ndawn\nday\ndeal\ndebate\ndebris\ndecade\ndecember\ndecide\ndecline\ndecorate\ndecrease\ndeer\ndefense\ndefine\ndefy\ndegree\ndelay\ndeliver\ndemand\ndemise\ndenial\ndentist\ndeny\ndepart\ndepend\ndeposit\ndepth\ndeputy\nderive\ndescribe\ndesert\ndesign\ndesk\ndespair\ndestroy\ndetail\ndetect\ndevelop\ndevice\ndevote\ndiagram\ndial\ndiamond\ndiary\ndice\ndiesel\ndiet\ndiffer\ndigital\ndignity\ndilemma\ndinner\ndinosaur\ndirect\ndirt\ndisagree\ndiscover\ndisease\ndish\ndismiss\ndisorder\ndisplay\ndistance\ndivert\ndivide\ndivorce\ndizzy\ndoctor\ndocument\ndog\ndoll\ndolphin\ndomain\ndonate\ndonkey\ndonor\ndoor\ndose\ndouble\ndove\ndraft\ndragon\ndrama\ndrastic\ndraw\ndream\ndress\ndrift\ndrill\ndrink\ndrip\ndrive\ndrop\ndrum\ndry\nduck\ndumb\ndune\nduring\ndust\ndutch\nduty\ndwarf\ndynamic\neager\neagle\nearly\nearn\nearth\neasily\neast\neasy\necho\necology\neconomy\nedge\nedit\neducate\neffort\negg\neight\neither\nelbow\nelder\nelectric\nelegant\nelement\nelephant\nelevator\nelite\nelse\nembark\nembody\nembrace\nemerge\nemotion\nemploy\nempower\nempty\nenable\nenact\nend\nendless\nendorse\nenemy\nenergy\nenforce\nengage\nengine\nenhance\nenjoy\nenlist\nenough\nenrich\nenroll\nensure\nenter\nentire\nentry\nenvelope\nepisode\nequal\nequip\nera\nerase\nerode\nerosion\nerror\nerupt\nescape\nessay\nessence\nestate\neternal\nethics\nevidence\nevil\nevoke\nevolve\nexact\nexample\nexcess\nexchange\nexcite\nexclude\nexcuse\nexecute\nexercise\nexhaust\nexhibit\nexile\nexist\nexit\nexotic\nexpand\nexpect\nexpire\nexplain\nexpose\nexpress\nextend\nextra\neye\neyebrow\nfabric\nface\nfaculty\nfade\nfaint\nfaith\nfall\nfalse\nfame\nfamily\nfamous\nfan\nfancy\nfantasy\nfarm\nfashion\nfat\nfatal\nfather\nfatigue\nfault\nfavorite\nfeature\nfebruary\nfederal\nfee\nfeed\nfeel\nfemale\nfence\nfestival\nfetch\nfever\nfew\nfiber\nfiction\nfield\nfigure\nfile\nfilm\nfilter\nfinal\nfind\nfine\nfinger\nfinish\nfire\nfirm\nfirst\nfiscal\nfish\nfit\nfitness\nfix\nflag\nflame\nflash\nflat\nflavor\nflee\nflight\nflip\nfloat\nflock\nfloor\nflower\nfluid\nflush\nfly\nfoam\nfocus\nfog\nfoil\nfold\nfollow\nfood\nfoot\nforce\nforest\nforget\nfork\nfortune\nforum\nforward\nfossil\nfoster\nfound\nfox\nfragile\nframe\nfrequent\nfresh\nfriend\nfringe\nfrog\nfront\nfrost\nfrown\nfrozen\nfruit\nfuel\nfun\nfunny\nfurnace\nfury\nfuture\ngadget\ngain\ngalaxy\ngallery\ngame\ngap\ngarage\ngarbage\ngarden\ngarlic\ngarment\ngas\ngasp\ngate\ngather\ngauge\ngaze\ngeneral\ngenius\ngenre\ngentle\ngenuine\ngesture\nghost\ngiant\ngift\ngiggle\nginger\ngiraffe\ngirl\ngive\nglad\nglance\nglare\nglass\nglide\nglimpse\nglobe\ngloom\nglory\nglove\nglow\nglue\ngoat\ngoddess\ngold\ngood\ngoose\ngorilla\ngospel\ngossip\ngovern\ngown\ngrab\ngrace\ngrain\ngrant\ngrape\ngrass\ngravity\ngreat\ngreen\ngrid\ngrief\ngrit\ngrocery\ngroup\ngrow\ngrunt\nguard\nguess\nguide\nguilt\nguitar\ngun\ngym\nhabit\nhair\nhalf\nhammer\nhamster\nhand\nhappy\nharbor\nhard\nharsh\nharvest\nhat\nhave\nhawk\nhazard\nhead\nhealth\nheart\nheavy\nhedgehog\nheight\nhello\nhelmet\nhelp\nhen\nhero\nhidden\nhigh\nhill\nhint\nhip\nhire\nhistory\nhobby\nhockey\nhold\nhole\nholiday\nhollow\nhome\nhoney\nhood\nhope\nhorn\nhorror\nhorse\nhospital\nhost\nhotel\nhour\nhover\nhub\nhuge\nhuman\nhumble\nhumor\nhundred\nhungry\nhunt\nhurdle\nhurry\nhurt\nhusband\nhybrid\nice\nicon\nidea\nidentify\nidle\nignore\nill\nillegal\nillness\nimage\nimitate\nimmense\nimmune\nimpact\nimpose\nimprove\nimpulse\ninch\ninclude\nincome\nincrease\nindex\nindicate\nindoor\nindustry\ninfant\ninflict\ninform\ninhale\ninherit\ninitial\ninject\ninjury\ninmate\ninner\ninnocent\ninput\ninquiry\ninsane\ninsect\ninside\ninspire\ninstall\nintact\ninterest\ninto\ninvest\ninvite\ninvolve\niron\nisland\nisolate\nissue\nitem\nivory\njacket\njaguar\njar\njazz\njealous\njeans\njelly\njewel\njob\njoin\njoke\njourney\njoy\njudge\njuice\njump\njungle\njunior\njunk\njust\nkangaroo\nkeen\nkeep\nketchup\nkey\nkick\nkid\nkidney\nkind\nkingdom\nkiss\nkit\nkitchen\nkite\nkitten\nkiwi\nknee\nknife\nknock\nknow\nlab\nlabel\nlabor\nladder\nlady\nlake\nlamp\nlanguage\nlaptop\nlarge\nlater\nlatin\nlaugh\nlaundry\nlava\nlaw\nlawn\nlawsuit\nlayer\nlazy\nleader\nleaf\nlearn\nleave\nlecture\nleft\nleg\nlegal\nlegend\nleisure\nlemon\nlend\nlength\nlens\nleopard\nlesson\nletter\nlevel\nliar\nliberty\nlibrary\nlicense\nlife\nlift\nlight\nlike\nlimb\nlimit\nlink\nlion\nliquid\nlist\nlittle\nlive\nlizard\nload\nloan\nlobster\nlocal\nlock\nlogic\nlonely\nlong\nloop\nlottery\nloud\nlounge\nlove\nloyal\nlucky\nluggage\nlumber\nlunar\nlunch\nluxury\nlyrics\nmachine\nmad\nmagic\nmagnet\nmaid\nmail\nmain\nmajor\nmake\nmammal\nman\nmanage\nmandate\nmango\nmansion\nmanual\nmaple\nmarble\nmarch\nmargin\nmarine\nmarket\nmarriage\nmask\nmass\nmaster\nmatch\nmaterial\nmath\nmatrix\nmatter\nmaximum\nmaze\nmeadow\nmean\nmeasure\nmeat\nmechanic\nmedal\nmedia\nmelody\nmelt\nmember\nmemory\nmention\nmenu\nmercy\nmerge\nmerit\nmerry\nmesh\nmessage\nmetal\nmethod\nmiddle\nmidnight\nmilk\nmillion\nmimic\nmind\nminimum\nminor\nminute\nmiracle\nmirror\nmisery\nmiss\nmistake\nmix\nmixed\nmixture\nmobile\nmodel\nmodify\nmom\nmoment\nmonitor\nmonkey\nmonster\nmonth\nmoon\nmoral\nmore\nmorning\nmosquito\nmother\nmotion\nmotor\nmountain\nmouse\nmove\nmovie\nmuch\nmuffin\nmule\nmultiply\nmuscle\nmuseum\nmushroom\nmusic\nmust\nmutual\nmyself\nmystery\nmyth\nnaive\nname\nnapkin\nnarrow\nnasty\nnation\nnature\nnear\nneck\nneed\nnegative\nneglect\nneither\nnephew\nnerve\nnest\nnet\nnetwork\nneutral\nnever\nnews\nnext\nnice\nnight\nnoble\nnoise\nnominee\nnoodle\nnormal\nnorth\nnose\nnotable\nnote\nnothing\nnotice\nnovel\nnow\nnuclear\nnumber\nnurse\nnut\noak\nobey\nobject\noblige\nobscure\nobserve\nobtain\nobvious\noccur\nocean\noctober\nodor\noff\noffer\noffice\noften\noil\nokay\nold\nolive\nolympic\nomit\nonce\none\nonion\nonline\nonly\nopen\nopera\nopinion\noppose\noption\norange\norbit\norchard\norder\nordinary\norgan\norient\noriginal\norphan\nostrich\nother\noutdoor\nouter\noutput\noutside\noval\noven\nover\nown\nowner\noxygen\noyster\nozone\npact\npaddle\npage\npair\npalace\npalm\npanda\npanel\npanic\npanther\npaper\nparade\nparent\npark\nparrot\nparty\npass\npatch\npath\npatient\npatrol\npattern\npause\npave\npayment\npeace\npeanut\npear\npeasant\npelican\npen\npenalty\npencil\npeople\npepper\nperfect\npermit\nperson\npet\nphone\nphoto\nphrase\nphysical\npiano\npicnic\npicture\npiece\npig\npigeon\npill\npilot\npink\npioneer\npipe\npistol\npitch\npizza\nplace\nplanet\nplastic\nplate\nplay\nplease\npledge\npluck\nplug\nplunge\npoem\npoet\npoint\npolar\npole\npolice\npond\npony\npool\npopular\nportion\nposition\npossible\npost\npotato\npottery\npoverty\npowder\npower\npractice\npraise\npredict\nprefer\nprepare\npresent\npretty\nprevent\nprice\npride\nprimary\nprint\npriority\nprison\nprivate\nprize\nproblem\nprocess\nproduce\nprofit\nprogram\nproject\npromote\nproof\nproperty\nprosper\nprotect\nproud\nprovide\npublic\npudding\npull\npulp\npulse\npumpkin\npunch\npupil\npuppy\npurchase\npurity\npurpose\npurse\npush\nput\npuzzle\npyramid\nquality\nquantum\nquarter\nquestion\nquick\nquit\nquiz\nquote\nrabbit\nraccoon\nrace\nrack\nradar\nradio\nrail\nrain\nraise\nrally\nramp\nranch\nrandom\nrange\nrapid\nrare\nrate\nrather\nraven\nraw\nrazor\nready\nreal\nreason\nrebel\nrebuild\nrecall\nreceive\nrecipe\nrecord\nrecycle\nreduce\nreflect\nreform\nrefuse\nregion\nregret\nregular\nreject\nrelax\nrelease\nrelief\nrely\nremain\nremember\nremind\nremove\nrender\nrenew\nrent\nreopen\nrepair\nrepeat\nreplace\nreport\nrequire\nrescue\nresemble\nresist\nresource\nresponse\nresult\nretire\nretreat\nreturn\nreunion\nreveal\nreview\nreward\nrhythm\nrib\nribbon\nrice\nrich\nride\nridge\nrifle\nright\nrigid\nring\nriot\nripple\nrisk\nritual\nrival\nriver\nroad\nroast\nrobot\nrobust\nrocket\nromance\nroof\nrookie\nroom\nrose\nrotate\nrough\nround\nroute\nroyal\nrubber\nrude\nrug\nrule\nrun\nrunway\nrural\nsad\nsaddle\nsadness\nsafe\nsail\nsalad\nsalmon\nsalon\nsalt\nsalute\nsame\nsample\nsand\nsatisfy\nsatoshi\nsauce\nsausage\nsave\nsay\nscale\nscan\nscare\nscatter\nscene\nscheme\nschool\nscience\nscissors\nscorpion\nscout\nscrap\nscreen\nscript\nscrub\nsea\nsearch\nseason\nseat\nsecond\nsecret\nsection\nsecurity\nseed\nseek\nsegment\nselect\nsell\nseminar\nsenior\nsense\nsentence\nseries\nservice\nsession\nsettle\nsetup\nseven\nshadow\nshaft\nshallow\nshare\nshed\nshell\nsheriff\nshield\nshift\nshine\nship\nshiver\nshock\nshoe\nshoot\nshop\nshort\nshoulder\nshove\nshrimp\nshrug\nshuffle\nshy\nsibling\nsick\nside\nsiege\nsight\nsign\nsilent\nsilk\nsilly\nsilver\nsimilar\nsimple\nsince\nsing\nsiren\nsister\nsituate\nsix\nsize\nskate\nsketch\nski\nskill\nskin\nskirt\nskull\nslab\nslam\nsleep\nslender\nslice\nslide\nslight\nslim\nslogan\nslot\nslow\nslush\nsmall\nsmart\nsmile\nsmoke\nsmooth\nsnack\nsnake\nsnap\nsniff\nsnow\nsoap\nsoccer\nsocial\nsock\nsoda\nsoft\nsolar\nsoldier\nsolid\nsolution\nsolve\nsomeone\nsong\nsoon\nsorry\nsort\nsoul\nsound\nsoup\nsource\nsouth\nspace\nspare\nspatial\nspawn\nspeak\nspecial\nspeed\nspell\nspend\nsphere\nspice\nspider\nspike\nspin\nspirit\nsplit\nspoil\nsponsor\nspoon\nsport\nspot\nspray\nspread\nspring\nspy\nsquare\nsqueeze\nsquirrel\nstable\nstadium\nstaff\nstage\nstairs\nstamp\nstand\nstart\nstate\nstay\nsteak\nsteel\nstem\nstep\nstereo\nstick\nstill\nsting\nstock\nstomach\nstone\nstool\nstory\nstove\nstrategy\nstreet\nstrike\nstrong\nstruggle\nstudent\nstuff\nstumble\nstyle\nsubject\nsubmit\nsubway\nsuccess\nsuch\nsudden\nsuffer\nsugar\nsuggest\nsuit\nsummer\nsun\nsunny\nsunset\nsuper\nsupply\nsupreme\nsure\nsurface\nsurge\nsurprise\nsurround\nsurvey\nsuspect\nsustain\nswallow\nswamp\nswap\nswarm\nswear\nsweet\nswift\nswim\nswing\nswitch\nsword\nsymbol\nsymptom\nsyrup\nsystem\ntable\ntackle\ntag\ntail\ntalent\ntalk\ntank\ntape\ntarget\ntask\ntaste\ntattoo\ntaxi\nteach\nteam\ntell\nten\ntenant\ntennis\ntent\nterm\ntest\ntext\nthank\nthat\ntheme\nthen\ntheory\nthere\nthey\nthing\nthis\nthought\nthree\nthrive\nthrow\nthumb\nthunder\nticket\ntide\ntiger\ntilt\ntimber\ntime\ntiny\ntip\ntired\ntissue\ntitle\ntoast\ntobacco\ntoday\ntoddler\ntoe\ntogether\ntoilet\ntoken\ntomato\ntomorrow\ntone\ntongue\ntonight\ntool\ntooth\ntop\ntopic\ntopple\ntorch\ntornado\ntortoise\ntoss\ntotal\ntourist\ntoward\ntower\ntown\ntoy\ntrack\ntrade\ntraffic\ntragic\ntrain\ntransfer\ntrap\ntrash\ntravel\ntray\ntreat\ntree\ntrend\ntrial\ntribe\ntrick\ntrigger\ntrim\ntrip\ntrophy\ntrouble\ntruck\ntrue\ntruly\ntrumpet\ntrust\ntruth\ntry\ntube\ntuition\ntumble\ntuna\ntunnel\nturkey\nturn\nturtle\ntwelve\ntwenty\ntwice\ntwin\ntwist\ntwo\ntype\ntypical\nugly\numbrella\nunable\nunaware\nuncle\nuncover\nunder\nundo\nunfair\nunfold\nunhappy\nuniform\nunique\nunit\nuniverse\nunknown\nunlock\nuntil\nunusual\nunveil\nupdate\nupgrade\nuphold\nupon\nupper\nupset\nurban\nurge\nusage\nuse\nused\nuseful\nuseless\nusual\nutility\nvacant\nvacuum\nvague\nvalid\nvalley\nvalve\nvan\nvanish\nvapor\nvarious\nvast\nvault\nvehicle\nvelvet\nvendor\nventure\nvenue\nverb\nverify\nversion\nvery\nvessel\nveteran\nviable\nvibrant\nvicious\nvictory\nvideo\nview\nvillage\nvintage\nviolin\nvirtual\nvirus\nvisa\nvisit\nvisual\nvital\nvivid\nvocal\nvoice\nvoid\nvolcano\nvolume\nvote\nvoyage\nwage\nwagon\nwait\nwalk\nwall\nwalnut\nwant\nwarfare\nwarm\nwarrior\nwash\nwasp\nwaste\nwater\nwave\nway\nwealth\nweapon\nwear\nweasel\nweather\nweb\nwedding\nweekend\nweird\nwelcome\nwest\nwet\nwhale\nwhat\nwheat\nwheel\nwhen\nwhere\nwhip\nwhisper\nwide\nwidth\nwife\nwild\nwill\nwin\nwindow\nwine\nwing\nwink\nwinner\nwinter\nwire\nwisdom\nwise\nwish\nwitness\nwolf\nwoman\nwonder\nwood\nwool\nword\nwork\nworld\nworry\nworth\nwrap\nwreck\nwrestle\nwrist\nwrite\nwrong\nyard\nyear\nyellow\nyou\nyoung\nyouth\nzebra\nzero\nzone\nzoo\n" }, { "path": "playbooks/roles/common/files/footer.html", "content": "