Skip to content
This repository has been archived by the owner on Jun 4, 2021. It is now read-only.

Commit

Permalink
Merge branch 'master' into add-aws-roles
Browse files Browse the repository at this point in the history
  • Loading branch information
nopdotcom authored Aug 7, 2019
2 parents a5793f6 + 00e08e2 commit 85865c8
Show file tree
Hide file tree
Showing 49 changed files with 458 additions and 301 deletions.
3 changes: 2 additions & 1 deletion .travis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ env:
- RUN="ci" SITE="tests/site_vars/openvpn.yml"
- RUN="ci" SITE="tests/site_vars/shadowsocks.yml"
- RUN="ci" SITE="tests/site_vars/ssh.yml"
- RUN="ci" SITE="tests/site_vars/cloudflared.yml"
- RUN="ci" SITE="random"

before_install:
Expand All @@ -25,7 +26,7 @@ before_install:
- sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 762E3157

install:
- pip install ansible==2.6.5
- pip install ansible==2.8.0
- pip install urllib3 yamllint
- ansible --version

Expand Down
5 changes: 5 additions & 0 deletions LICENSE
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,11 @@ Modifications to the L2TP/IPsec configuration files are licensed
under CC Attribution-ShareAlike 3.0 Unported
(http://creativecommons.org/licenses/by-sa/3.0/).

Cloudflared DNS-over-HTTPS role courtesy of Steven Foerster
(https://github.com/sfoerster/ansible-cloudflared).
Copyright 2019 Steven Foerster, and based on the work of
Ben Dews (Copyright 2018).

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
Expand Down
4 changes: 2 additions & 2 deletions README-chs.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
<p align="center">
<img src="https://raw.githubusercontent.com/jlund/streisand/master/logo.jpg" alt="Automate the effect"/>
<img src="https://raw.githubusercontent.com/jlund/streisand/master/logo.jpg" alt="Automate the effect"/>
</p>

- - -
Expand Down Expand Up @@ -141,7 +141,7 @@ Streisand 运行在**你自己的计算机上时(或者你电脑的虚拟机
sudo pip install "apache-libcloud>=1.17.0"
* Linode

sudo pip install linode-python
sudo pip install linode-api4
* Rackspace 云

sudo pip install pyrax
Expand Down
4 changes: 2 additions & 2 deletions README-ru.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
<p align="center">
<img src="https://raw.githubusercontent.com/jlund/streisand/master/logo.jpg" alt="Automate the effect"/>
<img src="https://raw.githubusercontent.com/jlund/streisand/master/logo.jpg" alt="Automate the effect"/>
</p>

- - -
Expand Down Expand Up @@ -149,7 +149,7 @@

* Linode

sudo pip install linode-python
sudo pip install linode-api4
* Rackspace Cloud

sudo pip install pyrax
Expand Down
4 changes: 3 additions & 1 deletion Services.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ Services Provided
* When enabled, the high-performance [libev variant](https://github.com/shadowsocks/shadowsocks-libev) is installed. This version is capable of handling thousands of simultaneous connections.
* A QR code is generated that can be used to automatically configure the Android and iOS clients by simply taking a picture. You can tag '8.8.8.8' on that concrete wall, or you can glue the Shadowsocks instructions and some QR codes to it instead!
* [AEAD](https://shadowsocks.org/en/spec/AEAD-Ciphers.html) support is enabled using ChaCha20 and Poly1305 for enhanced security and improved GFW evasion.
* The [simple-obfs](https://github.com/shadowsocks/simple-obfs) plugin is installed to provide robust traffic evasion on hostile networks (especially those implementing quality of service (QOS) throttling).
* The [v2ray-plugin](https://github.com/shadowsocks/v2ray-plugin) plugin is installed to provide robust traffic evasion on hostile networks (especially those implementing quality of service (QOS) throttling).
* [sslh](https://www.rutschle.net/tech/sslh/README.html)
* Sslh is a protocol demultiplexer that allows Nginx, OpenSSH, and OpenVPN to share port 443. This provides an alternative connection option and means that you can still route traffic via OpenSSH and OpenVPN even if you are on a restrictive network that blocks all access to non-HTTP ports.
* [Stunnel](https://www.stunnel.org/index.html)
Expand All @@ -37,3 +37,5 @@ Services Provided
* Your Streisand server is configured to automatically install new security updates.
* [WireGuard](https://www.wireguard.com/)
* Linux users can take advantage of this next-gen, simple, kernel-based, state-of-the-art VPN that also happens to be ridiculously fast and uses modern cryptographic principles that all other highspeed VPN solutions lack.
* [Cloudflared DNS-over-HTTPS](https://developers.cloudflare.com/1.1.1.1/dns-over-https/)
* Even when you are visiting a site using HTTPS, by default your DNS query is sent over an unencrypted connection (between the Streisand server and upstream DNS servers). With Streisand's DNS-over-HTTPS service provided by the cloudflared client enabled, your DNS queries are blocked from view by the cloud provider hosting your Streisand server and everyone in between them and the upstream DNS server. The DNS reply from the upstream server is also protected from both view and tampering on its way back to your Streisand server.
2 changes: 2 additions & 0 deletions global_vars/default-site.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ vpn_clients: 5
streisand_openconnect_enabled: yes
streisand_openvpn_enabled: yes
streisand_shadowsocks_enabled: yes
streisand_shadowsocks_v2ray_enabled: no
streisand_ssh_forward_enabled: yes
# By default sshuttle is disabled because it creates a `sshuttle` user that has
# full shell privileges on the Streisand host
Expand All @@ -22,3 +23,4 @@ streisand_stunnel_enabled: yes
streisand_tinyproxy_enabled: yes
streisand_tor_enabled: no
streisand_wireguard_enabled: yes
streisand_cloudflared_enabled: yes
9 changes: 7 additions & 2 deletions global_vars/globals.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,12 @@
---

# If using regular cleartext DNS then dnsmasq will set these upstream DNS servers
upstream_dns_servers:
- 8.8.8.8
- 8.8.4.4
- 1.1.1.1
- 1.0.0.1

# If using DNS-over-HTTPS with cloudflared then the upstream servers and queries can be set in:
# playbooks/roles/cloudflared/defaults/main.yml

streisand_client_test: no

Expand Down
20 changes: 3 additions & 17 deletions global_vars/noninteractive/amazon-site.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,25 +27,11 @@ streisand_tor_enabled: no
streisand_wireguard_enabled: yes

# The AWS region number.
# 1. US East (N. Virginia)
# 2. US East (Ohio)
# 3. US West (N. California)
# 4. US West (Oregon)
# 5. Canada (Central)
# 6. EU (Frankfurt)
# 7. EU (Ireland)
# 8. EU (London)
# 9. EU (Paris)
# 10. Asia Pacific (Tokyo)
# 11. Asia Pacific (Seoul)
# 12. Asia Pacific (Osaka-Local)
# 13. Asia Pacific (Singapore)
# 14. Asia Pacific (Sydney)
# 15. Asia Pacific (Mumbai)
# 16. South America (São Paulo)
#
# See ./playbooks/amazon.yml for numbering.
#
# Note: aws_region_var must be a number in quotes, e.g. "3" not 3.
aws_region_var: "3"
aws_region_var: "16"

# The VPC and subnet IDs to use. They can be empty strings to indicate that a
# VPC will not be used.
Expand Down
77 changes: 41 additions & 36 deletions playbooks/amazon.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,24 +6,26 @@
gather_facts: yes

vars:
# The region dict is generated from ./util/print-aws-regions.py
regions:
"1": "us-east-1"
"2": "us-east-2"
"3": "us-west-1"
"4": "us-west-2"
"5": "ca-central-1"
"6": "eu-central-1"
"7": "eu-west-1"
"8": "eu-west-2"
"9": "eu-west-3"
"10": "ap-northeast-1"
"11": "ap-northeast-2"
"12": "ap-northeast-3"
"13": "ap-southeast-1"
"14": "ap-southeast-2"
"15": "ap-south-1"
"16": "sa-east-1"
"17": "eu-north-1"
"1": "ap-east-1"
"2": "ap-northeast-1"
"3": "ap-northeast-2"
"4": "ap-northeast-3"
"5": "ap-south-1"
"6": "ap-southeast-1"
"7": "ap-southeast-2"
"8": "ca-central-1"
"9": "eu-central-1"
"10": "eu-north-1"
"11": "eu-west-1"
"12": "eu-west-2"
"13": "eu-west-3"
"14": "sa-east-1"
"15": "us-east-1"
"16": "us-east-2"
"17": "us-west-1"
"18": "us-west-2"

# These variable files are included so the ec2-security-group role
# knows which ports to open
Expand All @@ -39,28 +41,31 @@
- roles/wireguard/defaults/main.yml

vars_prompt:
# The region prompt is generated from ./util/print-aws-regions.py
# Don't forget to update the default if it changes.
- name: "aws_region_var"
prompt: |
In what region should the server be located?
1. US East (N. Virginia)
2. US East (Ohio)
3. US West (N. California)
4. US West (Oregon)
5. Canada (Central)
6. EU (Frankfurt)
7. EU (Ireland)
8. EU (London)
9. EU (Paris)
10. Asia Pacific (Tokyo)
11. Asia Pacific (Seoul)
12. Asia Pacific (Osaka-Local)
13. Asia Pacific (Singapore)
14. Asia Pacific (Sydney)
15. Asia Pacific (Mumbai)
16. South America (São Paulo)
17. EU (Stockholm)
Please choose the number of your region. Press enter for default (#13) region.
default: "13"
1. ap-east-1 Asia Pacific (Hong Kong)
2. ap-northeast-1 Asia Pacific (Tokyo)
3. ap-northeast-2 Asia Pacific (Seoul)
4. ap-northeast-3 Asia Pacific (Osaka-Local)
5. ap-south-1 Asia Pacific (Mumbai)
6. ap-southeast-1 Asia Pacific (Singapore)
7. ap-southeast-2 Asia Pacific (Sydney)
8. ca-central-1 Canada (Central)
9. eu-central-1 EU (Frankfurt)
10. eu-north-1 EU (Stockholm)
11. eu-west-1 EU (Ireland)
12. eu-west-2 EU (London)
13. eu-west-3 EU (Paris)
14. sa-east-1 South America (São Paulo)
15. us-east-1 US East (N. Virginia)
16. us-east-2 US East (Ohio)
17. us-west-1 US West (N. California)
18. us-west-2 US West (Oregon)
Please choose the number of your region. Press enter for default (#16) region.
default: "16"
private: no

- name: "aws_vpc_id_var"
Expand Down
16 changes: 16 additions & 0 deletions playbooks/customize.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,10 @@
prompt: "Enable Shadowsocks? Press enter for default "
default: "yes"
private: no
- name: streisand_shadowsocks_v2ray_enabled
prompt: "Enable v2ray-plugin for Shadowsocks? Press enter for default "
default: "no"
private: no
- name: streisand_ssh_forward_enabled
prompt: "Enable SSH Forward User? (Note: A SOCKS proxy only user will be added, no shell). Press enter for default "
default: "yes"
Expand All @@ -48,6 +52,10 @@
prompt: "Enable WireGuard? Press enter for default "
default: "yes"
private: no
- name: streisand_cloudflared_enabled
prompt: "Enable DNS-over-HTTPS (cloudflared)? Press enter for default "
default: "yes"
private: no

tasks:
- lineinfile:
Expand All @@ -70,6 +78,10 @@
path: "{{ streisand_site_vars }}"
regexp: "^streisand_shadowsocks_enabled: (?:yes|no)$"
line: "streisand_shadowsocks_enabled: {{ streisand_shadowsocks_enabled }}"
- lineinfile:
path: "{{ streisand_site_vars }}"
regexp: "^streisand_shadowsocks_v2ray_enabled: (?:yes|no)$"
line: "streisand_shadowsocks_v2ray_enabled: {{ streisand_shadowsocks_v2ray_enabled }}"
- lineinfile:
path: "{{ streisand_site_vars }}"
regexp: "^streisand_ssh_forward_enabled: (?:yes|no)$"
Expand All @@ -94,3 +106,7 @@
path: "{{ streisand_site_vars }}"
regexp: "^streisand_wireguard_enabled: (?:yes|no)$"
line: "streisand_wireguard_enabled: {{ streisand_wireguard_enabled }}"
- lineinfile:
path: "{{ streisand_site_vars }}"
regexp: "^streisand_cloudflared_enabled: (?:yes|no)$"
line: "streisand_cloudflared_enabled: {{ streisand_cloudflared_enabled }}"
2 changes: 1 addition & 1 deletion playbooks/existing-server.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@
changed_when: False
rescue:
- fail:
msg: "Unable to SSH to existing streisand-host.\nEnsure private key corresponding to \"{{ streisand_ssh_key }}\" is loaded in your SSH key agent.\nTry using `ssh-keygen -i {{ streisand_ssh_key }} to generate your key if it does not exist\n"
msg: "Unable to SSH to existing streisand-host.\nEnsure private key corresponding to \"{{ streisand_ssh_private_key }}\" is loaded in your SSH key agent.\nTry using `ssh-keygen -i {{ streisand_ssh_private_key }} to generate your key if it does not exist\n"

# Ensure Python is installed on the system
- import_playbook: python.yml
Expand Down
38 changes: 20 additions & 18 deletions playbooks/linode.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,29 +7,31 @@

vars:
regions:
"1": 4
"2": 2
"3": 10
"4": 3
"5": 7
"6": 6
"7": 9
"8": 8
"9": 11
"1": "ca-central"
"2": "us-central"
"3": "us-west"
"4": "us-southeast"
"5": "us-east"
"6": "eu-west"
"7": "ap-south"
"8": "eu-central"
"9": "ap-northeast"
"10": "ap-west"

vars_prompt:
- name: "linode_datacenter"
prompt: >
What region should the server be located in?
1. Atlanta
1. Toronto
2. Dallas
3. Frankfurt
4. Fremont
5. London
6. Newark
3. Fremont
4. Atlanta
5. Newark
6. London
7. Singapore
8. Tokyo
9. Tokyo 2
8. Frankfurt
9. Tokyo
10. Mumbai
Please choose the number of your region. Press enter for default (#7) region.
default: "7"
private: no
Expand All @@ -39,8 +41,8 @@
default: "streisand"
private: no

- name: "linode_api_key"
prompt: "\n\nThe following information can be found in the Linode Manager.\nhttps://manager.linode.com/profile/api\n\nNote: API keys originating from https://cloud.linode.com/profile/tokens are not yet compatible.\n\nWhat is your Linode API key?\n"
- name: "linode_api_token"
prompt: "\n\nThe following information can be found in the Linode Manager:\nhttps://cloud.linode.com/profile/tokens\n\nWhat is your Linode API Token?\n"
private: no

- name: "confirmation"
Expand Down
19 changes: 19 additions & 0 deletions playbooks/roles/cloudflared/defaults/main.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
---
cloudflared_base_url: "https://bin.equinox.io/c/VdrWdbjqyF/"

cloudflared_amd64_apt: "cloudflared-stable-linux-amd64.deb"
cloudflared_amd64_yum: "cloudflared-stable-linux-amd64.rpm"
cloudflared_amd64_binary: "cloudflared-stable-linux-amd64.tgz"
cloudflared_arm_apt: "cloudflared-stable-linux-arm.deb"
cloudflared_arm_yum: "cloudflared-stable-linux-arm.rpm"
cloudflared_arm_binary: "cloudflared-stable-linux-arm.tgz"

cloudflared_allow_firewall: false
cloudflared_enable_service: true
cloudflared_upstream1: "https://1.1.1.1/dns-query"
cloudflared_upstream2: "https://1.0.0.1/dns-query"
cloudflared_port: 5053

cloudflared_options: "proxy-dns --port {{ cloudflared_port }} --upstream {{ cloudflared_upstream1 }} --upstream {{ cloudflared_upstream2 }}"

cloudflared_bin_location: /usr/local/bin
15 changes: 15 additions & 0 deletions playbooks/roles/cloudflared/files/cloudflared.service
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
[Unit]
Description=cloudflared service
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target
5 changes: 5 additions & 0 deletions playbooks/roles/cloudflared/handlers/main.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
- name: restart cloudflared service
systemd:
name: cloudflared.service
state: restarted
4 changes: 4 additions & 0 deletions playbooks/roles/cloudflared/meta/main.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
dependencies:
- { role: dnsmasq }
- { role: ip-forwarding }
Loading

0 comments on commit 85865c8

Please sign in to comment.