From 96203868dcf24637000377fee344145b94d36bb1 Mon Sep 17 00:00:00 2001 From: Lunar Date: Fri, 5 Apr 2019 22:09:25 -0500 Subject: [PATCH 01/16] Take out LimitNPROC Causes more issues than it's worth --- playbooks/roles/openvpn/templates/openvpn.service.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/playbooks/roles/openvpn/templates/openvpn.service.j2 b/playbooks/roles/openvpn/templates/openvpn.service.j2 index 8fc241f2f..2208cd582 100644 --- a/playbooks/roles/openvpn/templates/openvpn.service.j2 +++ b/playbooks/roles/openvpn/templates/openvpn.service.j2 @@ -13,7 +13,6 @@ PrivateTmp=true WorkingDirectory={{ openvpn_path }} ExecStart=/usr/sbin/openvpn --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE -LimitNPROC=10 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true From f129df70d961167bc85dc6355406209cf0c0b0c1 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 10 May 2019 19:24:46 -0400 Subject: [PATCH 02/16] changing upstream DNS servers to Cloudflare and OpenDNS --- global_vars/globals.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/global_vars/globals.yml b/global_vars/globals.yml index b470ec66c..1b02f5710 100644 --- a/global_vars/globals.yml +++ b/global_vars/globals.yml @@ -1,7 +1,8 @@ --- upstream_dns_servers: - - 8.8.8.8 - - 8.8.4.4 + - 1.1.1.1 + - 208.67.222.222 + - 208.67.220.220 streisand_client_test: no From 538b3616fbae79f4ed934786f4cd171f5c8b47d8 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Fri, 10 May 2019 20:56:45 -0400 Subject: [PATCH 03/16] removing trailing space --- global_vars/globals.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/global_vars/globals.yml b/global_vars/globals.yml index 1b02f5710..07de752c6 100644 --- a/global_vars/globals.yml +++ b/global_vars/globals.yml 
@@ -1,6 +1,6 @@ --- upstream_dns_servers: - - 1.1.1.1 + - 1.1.1.1 - 208.67.222.222 - 208.67.220.220 From 72e25e990a355991e2a3f9349f954ded5b7afaef Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Tue, 28 May 2019 10:54:09 -0400 Subject: [PATCH 04/16] Using Cloudflare primary and secondary upstream DNS servers --- global_vars/globals.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/global_vars/globals.yml b/global_vars/globals.yml index 07de752c6..ee3dd76e1 100644 --- a/global_vars/globals.yml +++ b/global_vars/globals.yml @@ -1,8 +1,7 @@ --- upstream_dns_servers: - 1.1.1.1 - - 208.67.222.222 - - 208.67.220.220 + - 1.0.0.1 streisand_client_test: no From 99dca17cee390612b6073bea48149f5fac3c9778 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Tue, 28 May 2019 10:55:26 -0400 Subject: [PATCH 05/16] removing trailing space --- global_vars/globals.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/global_vars/globals.yml b/global_vars/globals.yml index ee3dd76e1..e9440163d 100644 --- a/global_vars/globals.yml +++ b/global_vars/globals.yml @@ -1,7 +1,7 @@ --- upstream_dns_servers: - 1.1.1.1 - - 1.0.0.1 + - 1.0.0.1 streisand_client_test: no From afcce4ace2c1ac6a3b2191f21771a75bb4cfbc3b Mon Sep 17 00:00:00 2001 From: Jay Carlson Date: Sun, 16 Jun 2019 14:20:42 -0400 Subject: [PATCH 06/16] Increase process count limit for openvpn, since it's shared between services As I understand it, LimitNPROC ends up as a limit on the number of processes owned by a particular uid in a namespace. We have multiple `openvpn@foo` instances in the global namespace, so we need to bump up the process limit to account for the others. --- playbooks/roles/openvpn/templates/openvpn.service.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/roles/openvpn/templates/openvpn.service.j2 b/playbooks/roles/openvpn/templates/openvpn.service.j2 index 2208cd582..57a456164 100644 --- a/playbooks/roles/openvpn/templates/openvpn.service.j2 
+++ b/playbooks/roles/openvpn/templates/openvpn.service.j2 @@ -13,6 +13,7 @@ PrivateTmp=true WorkingDirectory={{ openvpn_path }} ExecStart=/usr/sbin/openvpn --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +LimitNPROC=30 DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw ProtectSystem=true From eddde605012746b44eef1d958631fbec97d39dfe Mon Sep 17 00:00:00 2001 From: Steve Foerster Date: Wed, 17 Jul 2019 08:45:16 -0400 Subject: [PATCH 07/16] Wireguard: prevent ipv6 leaks on clients by routing all ipv6 traffic through wg (#1594) --- playbooks/roles/wireguard/templates/client.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/roles/wireguard/templates/client.conf.j2 b/playbooks/roles/wireguard/templates/client.conf.j2 index 860e280e0..40a7f51ce 100644 --- a/playbooks/roles/wireguard/templates/client.conf.j2 +++ b/playbooks/roles/wireguard/templates/client.conf.j2 @@ -13,5 +13,5 @@ PrivateKey = {{ item[1].stdout }} [Peer] PublicKey = {{ wireguard_server_public_key }} -AllowedIPs = 0.0.0.0/0 +AllowedIPs = 0.0.0.0/0,::/0 Endpoint = {{ streisand_ipv4_address }}:{{ wireguard_port }} From 82ed020cd2f99b9f2772c748d1b44dcb8176f7ff Mon Sep 17 00:00:00 2001 From: xyyuchn Date: Wed, 17 Jul 2019 22:41:20 +0800 Subject: [PATCH 08/16] fix a symbol mistake (#1593) --- playbooks/roles/wireguard/templates/instructions.md.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/roles/wireguard/templates/instructions.md.j2 b/playbooks/roles/wireguard/templates/instructions.md.j2 index 38bdcffbb..526f8d79b 100644 --- a/playbooks/roles/wireguard/templates/instructions.md.j2 +++ b/playbooks/roles/wireguard/templates/instructions.md.j2 
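Review bot: `LimitNPROC=30` is a magic number whose justification exists only in the commit message, and the first patch in this series shows how easily an undocumented limit gets removed again. Put the reasoning in the unit template, above the directive: `# RLIMIT_NPROC is counted per uid, so this budget is shared by every openvpn@ instance running as the same user; raise it when adding instances.` Since the file is a Jinja template, the value could also be derived from the number of configured instances rather than fixed at 30. The `User=` line is outside the hunk, so the per-uid sharing is taken from the commit message rather than verified here.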
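Review bot: Adding `::/0` to `AllowedIPs` routes all client IPv6 into the tunnel, but `Endpoint` is still built from `streisand_ipv4_address` only and nothing in this hunk shows the tunnel carrying an IPv6 address, so on a client with native IPv6 the likely outcome is that v6 connections fail rather than leak — which is the intent, but it will surface as "IPv6 stopped working" unless it is documented. A one-line template comment would do: `# ::/0 is sent into the tunnel to prevent IPv6 leaks; unless the server side carries IPv6, client IPv6 is blackholed rather than passed through.` The client `[Interface]` `Address` line is above the hunk, so whether a v6 address is assigned cannot be confirmed from here.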
@@ -68,7 +68,7 @@ An [experimental configuration for OpenWrt/LEDE](#openwrt) 17.01.4 (or later) is 1. For Linux systems using systemd you can also enable Wireguard at boot: - 'sudo systemctl enable wg-quick@{{ vpn_client_names.results[0].stdout }}.service' + `sudo systemctl enable wg-quick@{{ vpn_client_names.results[0].stdout }}.service` 1. You should be good to go! You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo]({{ streisand_my_ip_url }}). It should say *Your public IP address is {{ streisand_ipv4_address }}*. 1. To stop routing your traffic through WireGuard, simply bring the interface back down: From 5f28ab6cace63486471524dae895628824c8b9cf Mon Sep 17 00:00:00 2001 
From: Steve Foerster Date: Wed, 17 Jul 2019 13:35:54 -0400 Subject: [PATCH 09/16] Feature: DNS-over-HTTPS option implemented with cloudflared (default: yes) (#1591) * ready to test cloudflared role * cloudflared installing: runtime testing * final testing integration with dnsmasq * adding cloudflared to tests/site_vars * default for DNS-over-HTTPS (cloudflared) is no * default DNS-over-HTTPS set to no in customize.yml * adding 1.0.0.1 as second upstream server * tweaks based on yaml check feedback * more yaml tweaks * more yaml tweaks * updating MIT license * explanatory comments about DNS settings in global_vars/globals.yml * consolidating the license files MIT to GPL * adding cloudflared ci test * adding comment in test file tests/site_vars/cloudflared.yml * yaml tweaks * cleaning out meta info * cleaning out old cloudflared tests * removing cloudflared checksum verification for builds that regularly update * removing unused variable references * modifying dnsmasq.conf rather than using a template * removing blank lines * adding cloudflared section to Services.md * setting DoH (cloudflared) default to yes --- .travis.yml | 1 + LICENSE | 5 + Services.md | 2 + global_vars/default-site.yml | 1 + global_vars/globals.yml | 5 + playbooks/customize.yml | 8 ++ playbooks/roles/cloudflared/defaults/main.yml | 19 ++++ .../cloudflared/files/cloudflared.service | 15 +++ playbooks/roles/cloudflared/handlers/main.yml | 5 + playbooks/roles/cloudflared/meta/main.yml | 4 + .../cloudflared/tasks/install_binary.yml | 16 ++++ .../cloudflared/tasks/install_package.yml | 26 ++++++ playbooks/roles/cloudflared/tasks/main.yml | 92 +++++++++++++++++++ .../cloudflared/templates/cloudflared.j2 | 2 + playbooks/roles/cloudflared/vars/main.yml | 2 + playbooks/streisand.yml | 2 + tests/site_vars/cloudflared.yml | 13 +++ tests/site_vars/openconnect.yml | 1 + tests/site_vars/openvpn.yml | 1 + tests/site_vars/random.yml | 1 + tests/site_vars/shadowsocks.yml | 1 + tests/site_vars/ssh.yml | 1 + 22 
files changed, 223 insertions(+) create mode 100644 playbooks/roles/cloudflared/defaults/main.yml create mode 100755 playbooks/roles/cloudflared/files/cloudflared.service create mode 100644 playbooks/roles/cloudflared/handlers/main.yml create mode 100644 playbooks/roles/cloudflared/meta/main.yml create mode 100644 playbooks/roles/cloudflared/tasks/install_binary.yml create mode 100644 playbooks/roles/cloudflared/tasks/install_package.yml create mode 100644 playbooks/roles/cloudflared/tasks/main.yml create mode 100644 playbooks/roles/cloudflared/templates/cloudflared.j2 create mode 100644 playbooks/roles/cloudflared/vars/main.yml create mode 100644 tests/site_vars/cloudflared.yml diff --git a/.travis.yml b/.travis.yml index 1a310c896..816231aaa 100644 --- a/.travis.yml +++ b/.travis.yml @@ -16,6 +16,7 @@ env: - RUN="ci" SITE="tests/site_vars/openvpn.yml" - RUN="ci" SITE="tests/site_vars/shadowsocks.yml" - RUN="ci" SITE="tests/site_vars/ssh.yml" + - RUN="ci" SITE="tests/site_vars/cloudflared.yml" - RUN="ci" SITE="random" before_install: diff --git a/LICENSE b/LICENSE index 19f193a58..b1a1d91f2 100644 --- a/LICENSE +++ b/LICENSE @@ -12,6 +12,11 @@ Modifications to the L2TP/IPsec configuration files are licensed under CC Attribution-ShareAlike 3.0 Unported (http://creativecommons.org/licenses/by-sa/3.0/). +Cloudflared DNS-over-HTTPS role courtesy of Steven Foerster +(https://github.com/sfoerster/ansible-cloudflared). +Copyright 2019 Steven Foerster, and based on the work of +Ben Dews (Copyright 2018). + This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or diff --git a/Services.md b/Services.md index df824917e..b765544ed 100644 --- a/Services.md +++ b/Services.md 
@@ -37,3 +37,5 @@ Services Provided * Your Streisand server is configured to automatically install new security updates. * [WireGuard](https://www.wireguard.com/) * Linux users can take advantage of this next-gen, simple, kernel-based, state-of-the-art VPN that also happens to be ridiculously fast and uses modern cryptographic principles that all other highspeed VPN solutions lack. +* [Cloudflared DNS-over-HTTPS](https://developers.cloudflare.com/1.1.1.1/dns-over-https/) + * Even when you are visiting a site using HTTPS, by default your DNS query is sent over an unencrypted connection (between the Streisand server and upstream DNS servers). With Streisand's DNS-over-HTTPS service provided by the cloudflared client enabled, your DNS queries are blocked from view by the cloud provider hosting your Streisand server and everyone in between them and the upstream DNS server. The DNS reply from the upstream server is also protected from both view and tampering on its way back to your Streisand server. diff --git a/global_vars/default-site.yml b/global_vars/default-site.yml index 2688903a0..699d8a10d 100644 --- a/global_vars/default-site.yml +++ b/global_vars/default-site.yml @@ -22,3 +22,4 @@ streisand_stunnel_enabled: yes streisand_tinyproxy_enabled: yes streisand_tor_enabled: no streisand_wireguard_enabled: yes +streisand_cloudflared_enabled: yes diff --git a/global_vars/globals.yml b/global_vars/globals.yml index e9440163d..3de18937c 100644 --- a/global_vars/globals.yml +++ b/global_vars/globals.yml @@ -1,8 +1,13 @@ --- + +# If using regular cleartext DNS then dnsmasq will set these upstream DNS servers upstream_dns_servers: - 1.1.1.1 - 1.0.0.1 +# If using DNS-over-HTTPS with cloudflared then the upstream servers and queries can be set in: +# playbooks/roles/cloudflared/defaults/main.yml + streisand_client_test: no streisand_site_vars: "{{ lookup('env','HOME') }}/.streisand/site.yml" 
diff --git a/playbooks/customize.yml b/playbooks/customize.yml index 099742814..02fbf3170 100644 --- a/playbooks/customize.yml +++ b/playbooks/customize.yml @@ -48,6 +48,10 @@ prompt: "Enable WireGuard? Press enter for default " default: "yes" private: no + - name: streisand_cloudflared_enabled + prompt: "Enable DNS-over-HTTPS (cloudflared)? Press enter for default " + default: "yes" + private: no tasks: - lineinfile: @@ -94,3 +98,7 @@ path: "{{ streisand_site_vars }}" regexp: "^streisand_wireguard_enabled: (?:yes|no)$" line: "streisand_wireguard_enabled: {{ streisand_wireguard_enabled }}" + - lineinfile: + path: "{{ streisand_site_vars }}" + regexp: "^streisand_cloudflared_enabled: (?:yes|no)$" + line: "streisand_cloudflared_enabled: {{ streisand_cloudflared_enabled }}" diff --git a/playbooks/roles/cloudflared/defaults/main.yml b/playbooks/roles/cloudflared/defaults/main.yml new file mode 100644 index 000000000..3457fc10f --- /dev/null +++ b/playbooks/roles/cloudflared/defaults/main.yml @@ -0,0 +1,19 @@ +--- +cloudflared_base_url: "https://bin.equinox.io/c/VdrWdbjqyF/" + +cloudflared_amd64_apt: "cloudflared-stable-linux-amd64.deb" +cloudflared_amd64_yum: "cloudflared-stable-linux-amd64.rpm" +cloudflared_amd64_binary: "cloudflared-stable-linux-amd64.tgz" +cloudflared_arm_apt: "cloudflared-stable-linux-arm.deb" +cloudflared_arm_yum: "cloudflared-stable-linux-arm.rpm" +cloudflared_arm_binary: "cloudflared-stable-linux-arm.tgz" + +cloudflared_allow_firewall: false +cloudflared_enable_service: true +cloudflared_upstream1: "https://1.1.1.1/dns-query" +cloudflared_upstream2: "https://1.0.0.1/dns-query" +cloudflared_port: 5053 + +cloudflared_options: "proxy-dns --port {{ cloudflared_port }} --upstream {{ cloudflared_upstream1 }} --upstream {{ cloudflared_upstream2 }}" + +cloudflared_bin_location: /usr/local/bin 
diff --git a/playbooks/roles/cloudflared/files/cloudflared.service b/playbooks/roles/cloudflared/files/cloudflared.service
new file mode 100755
index 000000000..ded022025
--- /dev/null
+++ b/playbooks/roles/cloudflared/files/cloudflared.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=cloudflared service
+After=syslog.target network-online.target
+
+[Service]
+Type=simple
+User=cloudflared
+EnvironmentFile=/etc/default/cloudflared
+ExecStart=/usr/local/bin/cloudflared $CLOUDFLARED_OPTS
+Restart=on-failure
+RestartSec=10
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
diff --git a/playbooks/roles/cloudflared/handlers/main.yml b/playbooks/roles/cloudflared/handlers/main.yml
new file mode 100644
index 000000000..a7ce47c56
--- /dev/null
+++ b/playbooks/roles/cloudflared/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart cloudflared service
+ systemd:
+ name: cloudflared.service
+ state: restarted
diff --git a/playbooks/roles/cloudflared/meta/main.yml b/playbooks/roles/cloudflared/meta/main.yml
new file mode 100644
index 000000000..fb954d5d4
--- /dev/null
+++ b/playbooks/roles/cloudflared/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - { role: dnsmasq }
+ - { role: ip-forwarding }
diff --git a/playbooks/roles/cloudflared/tasks/install_binary.yml b/playbooks/roles/cloudflared/tasks/install_binary.yml
new file mode 100644
index 000000000..6b3a3e151
--- /dev/null
+++ b/playbooks/roles/cloudflared/tasks/install_binary.yml
@@ -0,0 +1,16 @@
+---
+- name: build filename of file to be downloaded
+ set_fact:
+ cloudflared_file: "{{ vars['cloudflared_'+device_arch+'_binary'] }}"
+
+- name: download correct file for device
+ get_url:
+ url: "{{ cloudflared_base_url }}{{ cloudflared_file }}"
+ dest: "/tmp/{{ cloudflared_file }}"
+ #checksum: "{{ cloudflared_file_checksum }}"
+
+- name: extract cloudflared into /usr/local/bin
+ unarchive:
+ src: "/tmp/{{ cloudflared_file }}"
+ dest: "{{ cloudflared_bin_location }}"
+ remote_src: yes
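Review bot: The new unit runs a daemon that talks to the internet with none of the sandboxing this repository already applies to openvpn.service.j2 (`PrivateTmp`, `ProtectSystem`, `CapabilityBoundingSet`), and `After=network-online.target` only orders against that target if something else pulls it in — a matching `Wants=network-online.target` is needed; `syslog.target` is a legacy target on current systemd and can be dropped. A consistent baseline is below. `NoNewPrivileges=true` also disables file capabilities, so if `cloudflared_port` is ever set below 1024 the bind should be granted with `AmbientCapabilities=CAP_NET_BIND_SERVICE` in this unit rather than via the `capabilities` task in tasks/main.yml (the default port 5053 is unaffected). `ProtectSystem=full` leaves `/etc` read-only, which is fine because the service only reads `/etc/default/cloudflared`.
```ini
[Unit]
Description=cloudflared service
Wants=network-online.target
After=network-online.target

[Service]
# … unchanged: Type, User, EnvironmentFile, ExecStart, Restart, RestartSec, KillMode …
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
```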
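Review bot: The archive fetched by `get_url` is unpacked into `{{ cloudflared_bin_location }}` and run as a system service with no integrity check at all — the `checksum:` line is commented out, and `cloudflared_base_url` in defaults/main.yml points at unversioned `cloudflared-stable-linux-*` artifacts, so each run trusts whatever the download host serves at that moment. The same pattern is repeated in install_package.yml, and `cloudflared update` in tasks/main.yml re-fetches the binary on every playbook run. Pinning a specific release in `cloudflared_base_url` and restoring `checksum: "sha256:<PINNED_DIGEST>"` (placeholder) makes the install reproducible and verifiable; if the floating "stable" channel is kept deliberately, say so in a comment next to the disabled `checksum:` line instead of leaving it to look like an oversight. The downloaded `/tmp/{{ cloudflared_file }}` is also never removed after extraction.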
diff --git a/playbooks/roles/cloudflared/tasks/install_package.yml b/playbooks/roles/cloudflared/tasks/install_package.yml
new file mode 100644
index 000000000..45bd204b1
--- /dev/null
+++ b/playbooks/roles/cloudflared/tasks/install_package.yml
@@ -0,0 +1,26 @@
+---
+- name: build filename of file to be downloaded
+ set_fact:
+ cloudflared_file: "{{ vars['cloudflared_'+device_arch+'_'+ansible_pkg_mgr] }}"
+
+- name: download correct file for device
+ get_url:
+ url: "{{ cloudflared_base_url }}{{ cloudflared_file }}"
+ dest: "/tmp/{{ cloudflared_file }}"
+ #checksum: "{{ cloudflared_file_checksum }}"
+
+- name: Install a .deb package
+ apt:
+ deb: "/tmp/{{ cloudflared_file }}"
+ state: present
+ register: pkg_mgr_output
+ ignore_errors: true
+ when: ansible_pkg_mgr == 'apt'
+
+- name: Install a .rpm package
+ yum:
+ name: "/tmp/{{ cloudflared_file }}"
+ state: present
+ register: pkg_mgr_output
+ ignore_errors: true
+ when: ansible_pkg_mgr == 'yum'
diff --git a/playbooks/roles/cloudflared/tasks/main.yml b/playbooks/roles/cloudflared/tasks/main.yml
new file mode 100644
index 000000000..83f02d947
--- /dev/null
+++ b/playbooks/roles/cloudflared/tasks/main.yml
@@ -0,0 +1,92 @@ +--- +- stat: + path: "{{ cloudflared_bin_location }}/cloudflared" + register: cloudflared_binary + +- set_fact: + cloudflared_installed: "{{ cloudflared_binary.stat.exists | default(false) }}" + +- name: set device architecture and package manager vars + set_fact: + device_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else 'arm' }}" + +- name: install package + import_tasks: install_package.yml + when: (not cloudflared_installed) and (ansible_pkg_mgr == 'yum' or ansible_pkg_mgr == 'apt') and (ansible_architecture == 'x86_64' or ansible_architecture == 'arm') + +- name: install binary + import_tasks: install_binary.yml + when: (not cloudflared_installed) and ((pkg_mgr_output is undefined or pkg_mgr_output is failed) or ansible_architecture == 'armv7l') + +- name: Set network capabilities for cloudflared + capabilities: + path: "{{ cloudflared_bin_location }}/cloudflared" + capability: cap_net_bind_service+ep + state: present + when: cloudflared_port|int < 1024 + +- command: cloudflared update + register: update_command + changed_when: update_command.rc == '64' + +- name: create cloudflared nologin user + become: yes + user: + name: cloudflared + shell: /usr/sbin/nologin + system: True + create_home: False + +- name: set ownership of /usr/local/bin/cloudflared + file: + path: /usr/local/bin/cloudflared + state: file + owner: cloudflared + group: cloudflared + +- name: template config file + template: + src: cloudflared.j2 + dest: /etc/default/cloudflared + owner: cloudflared + group: cloudflared + notify: restart cloudflared service + tags: systemd + +- name: copy systemd service + copy: + src: cloudflared.service + dest: /etc/systemd/system/ + owner: root + group: root + mode: 0644 + notify: restart cloudflared service + register: service + tags: systemd + +- name: enable systemd service + service: + name: cloudflared + enabled: "{{ cloudflared_enable_service }}" + when: service.changed + tags: systemd + +- name: Allow port in firewall + 
ufw: + rule: allow + port: "{{ cloudflared_port }}" + comment: "allow cloudflared" + when: cloudflared_allow_firewall + +# DNSMASQ +- name: Remove existing upstream servers in dnsmasq + replace: + path: /etc/dnsmasq.conf + regexp: "^server=(.*)$" + +- name: Set upstream DNS server to cloudflared proxy + lineinfile: + path: /etc/dnsmasq.conf + state: present + line: "server=127.0.0.1#{{ cloudflared_port }}" + notify: Restart dnsmasq diff --git a/playbooks/roles/cloudflared/templates/cloudflared.j2 b/playbooks/roles/cloudflared/templates/cloudflared.j2 new file mode 100644 index 000000000..0ed1741d0 --- /dev/null +++ b/playbooks/roles/cloudflared/templates/cloudflared.j2 @@ -0,0 +1,2 @@ +# Commandline args for cloudflared +CLOUDFLARED_OPTS={{ cloudflared_options }} diff --git a/playbooks/roles/cloudflared/vars/main.yml b/playbooks/roles/cloudflared/vars/main.yml new file mode 100644 index 000000000..79cc4f48f --- /dev/null +++ b/playbooks/roles/cloudflared/vars/main.yml @@ -0,0 +1,2 @@ +--- +# Cloudflared variables diff --git a/playbooks/streisand.yml b/playbooks/streisand.yml index 043d0b863..f78dc065b 100644 --- a/playbooks/streisand.yml +++ b/playbooks/streisand.yml @@ -39,6 +39,8 @@ - ufw - role: wireguard when: streisand_wireguard_enabled + - role: cloudflared + when: streisand_cloudflared_enabled # streisand_le_enabled is set in lets-encrypt.yml based on user input. # lets-encrypt roles sets le_ok, which is used by streisand-gateway. - role: lets-encrypt diff --git a/tests/site_vars/cloudflared.yml b/tests/site_vars/cloudflared.yml new file mode 100644 index 000000000..4f652db40 --- /dev/null +++ b/tests/site_vars/cloudflared.yml 
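Review bot: The `set ownership of /usr/local/bin/cloudflared` task hands the executable to the `cloudflared` service account, so a compromise of the daemon lets it rewrite its own binary; the service only needs to execute the file, so `owner: root`, `group: root`, `mode: "0755"` is the right model, and the same applies to `/etc/default/cloudflared` in the `template config file` task, which currently lets the service edit its own command line. That task also hardcodes `/usr/local/bin/cloudflared` while the `stat` and `capabilities` tasks use `{{ cloudflared_bin_location }}`. `changed_when: update_command.rc == '64'` compares an integer return code with a string, so it can never be true; use `changed_when: update_command.rc == 64`. `mode: 0644` in the `copy systemd service` task is an unquoted octal literal — write it as `mode: "0644"` to avoid the YAML integer interpretation. This hunk starts on the previous line; the points above all refer to the new-file body.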
@@ -0,0 +1,13 @@ +--- +# This site config enables openvpn, wireguard, and cloudflared (DNS-over-HTTPS) +vpn_clients: 5 +streisand_openconnect_enabled: no +streisand_openvpn_enabled: yes +streisand_shadowsocks_enabled: no +streisand_ssh_forward_enabled: no +streisand_sshuttle_enabled: no +streisand_stunnel_enabled: no +streisand_tinyproxy_enabled: no +streisand_tor_enabled: no +streisand_wireguard_enabled: yes +streisand_cloudflared_enabled: yes diff --git a/tests/site_vars/openconnect.yml b/tests/site_vars/openconnect.yml index 8e2e6cc86..667366d26 100644 --- a/tests/site_vars/openconnect.yml +++ b/tests/site_vars/openconnect.yml @@ -10,3 +10,4 @@ streisand_stunnel_enabled: no streisand_tinyproxy_enabled: no streisand_tor_enabled: no streisand_wireguard_enabled: no +streisand_cloudflared_enabled: no diff --git a/tests/site_vars/openvpn.yml b/tests/site_vars/openvpn.yml index fe3f0de89..00cd191a1 100644 --- a/tests/site_vars/openvpn.yml +++ b/tests/site_vars/openvpn.yml @@ -10,3 +10,4 @@ streisand_stunnel_enabled: no streisand_tinyproxy_enabled: no streisand_tor_enabled: no streisand_wireguard_enabled: no +streisand_cloudflared_enabled: no diff --git a/tests/site_vars/random.yml b/tests/site_vars/random.yml index 5ae043a29..54be69472 100644 --- a/tests/site_vars/random.yml +++ b/tests/site_vars/random.yml @@ -11,3 +11,4 @@ streisand_tor_enabled: no streisand_wireguard_enabled: no streisand_ssh_forward_enabled: no streisand_sshuttle_enabled: no +streisand_cloudflared_enabled: no diff --git a/tests/site_vars/shadowsocks.yml b/tests/site_vars/shadowsocks.yml index a9feb6b12..217241837 100644 --- a/tests/site_vars/shadowsocks.yml +++ b/tests/site_vars/shadowsocks.yml @@ -10,3 +10,4 @@ streisand_stunnel_enabled: no streisand_tinyproxy_enabled: no streisand_tor_enabled: no streisand_wireguard_enabled: no +streisand_cloudflared_enabled: no diff --git a/tests/site_vars/ssh.yml b/tests/site_vars/ssh.yml index e68132835..5e9c13f21 100644 --- a/tests/site_vars/ssh.yml 
+++ b/tests/site_vars/ssh.yml @@ -10,3 +10,4 @@ streisand_stunnel_enabled: no streisand_tinyproxy_enabled: no streisand_tor_enabled: no streisand_wireguard_enabled: no +streisand_cloudflared_enabled: no From fc6d4edb379e06902b3118316e46c83a8bb43844 Mon Sep 17 00:00:00 2001 From: Jay Carlson Date: Wed, 17 Jul 2019 16:07:29 -0400 Subject: [PATCH 10/16] Generate AWS region code blocks from a script (#1588) --- global_vars/noninteractive/amazon-site.yml | 20 +----- playbooks/amazon.yml | 77 ++++++++++++---------- util/print-aws-regions.py | 46 +++++++++++++ 3 files changed, 90 insertions(+), 53 deletions(-) create mode 100644 util/print-aws-regions.py diff --git a/global_vars/noninteractive/amazon-site.yml b/global_vars/noninteractive/amazon-site.yml index d8886b109..9a7c050ed 100644 --- a/global_vars/noninteractive/amazon-site.yml +++ b/global_vars/noninteractive/amazon-site.yml @@ -27,25 +27,11 @@ streisand_tor_enabled: no streisand_wireguard_enabled: yes # The AWS region number. -# 1. US East (N. Virginia) -# 2. US East (Ohio) -# 3. US West (N. California) -# 4. US West (Oregon) -# 5. Canada (Central) -# 6. EU (Frankfurt) -# 7. EU (Ireland) -# 8. EU (London) -# 9. EU (Paris) -# 10. Asia Pacific (Tokyo) -# 11. Asia Pacific (Seoul) -# 12. Asia Pacific (Osaka-Local) -# 13. Asia Pacific (Singapore) -# 14. Asia Pacific (Sydney) -# 15. Asia Pacific (Mumbai) -# 16. South America (São Paulo) +# +# See ./playbooks/amazon.yml for numbering. # # Note: aws_region_var must be a number in quotes, e.g. "3" not 3. -aws_region_var: "3" +aws_region_var: "16" # The VPC and subnet IDs to use. They can be empty strings to indicate that a # VPC will not be used. diff --git a/playbooks/amazon.yml b/playbooks/amazon.yml index d47adba0b..72eb6df3d 100644 --- a/playbooks/amazon.yml +++ b/playbooks/amazon.yml 
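Review bot: `aws_region_var: "16"` is a position in a list that this commit re-sorts by region code (see the `regions:` mapping in playbooks/amazon.yml), so every index changed meaning — the old "3" was N. California and the new "3" is Seoul — and any user with a previously saved site.yml will silently deploy into a different region after pulling this change; the replacement comment only says where the numbering lives. At minimum note the shift: `# Numbering changed in July 2019 when the list was sorted by region code; re-check any previously saved value.` A more durable fix is for amazon.yml to also accept the region code itself (e.g. `"us-west-1"`) so saved values stop depending on list position; that lookup is outside this hunk.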
@@ -6,24 +6,26 @@ gather_facts: yes vars: + # The region dict is generated from ./util/print-aws-regions.py regions: - "1": "us-east-1" - "2": "us-east-2" - "3": "us-west-1" - "4": "us-west-2" - "5": "ca-central-1" - "6": "eu-central-1" - "7": "eu-west-1" - "8": "eu-west-2" - "9": "eu-west-3" - "10": "ap-northeast-1" - "11": "ap-northeast-2" - "12": "ap-northeast-3" - "13": "ap-southeast-1" - "14": "ap-southeast-2" - "15": "ap-south-1" - "16": "sa-east-1" - "17": "eu-north-1" + "1": "ap-east-1" + "2": "ap-northeast-1" + "3": "ap-northeast-2" + "4": "ap-northeast-3" + "5": "ap-south-1" + "6": "ap-southeast-1" + "7": "ap-southeast-2" + "8": "ca-central-1" + "9": "eu-central-1" + "10": "eu-north-1" + "11": "eu-west-1" + "12": "eu-west-2" + "13": "eu-west-3" + "14": "sa-east-1" + "15": "us-east-1" + "16": "us-east-2" + "17": "us-west-1" + "18": "us-west-2" # These variable files are included so the ec2-security-group role # knows which ports to open 
@@ -39,28 +41,31 @@ - roles/wireguard/defaults/main.yml vars_prompt: + # The region prompt is generated from ./util/print-aws-regions.py + # Don't forget to update the default if it changes. - name: "aws_region_var" prompt: | In what region should the server be located? - 1. US East (N. Virginia) - 2. US East (Ohio) - 3. US West (N. California) - 4. US West (Oregon) - 5. Canada (Central) - 6. EU (Frankfurt) - 7. EU (Ireland) - 8. EU (London) - 9. EU (Paris) - 10. Asia Pacific (Tokyo) - 11. Asia Pacific (Seoul) - 12. Asia Pacific (Osaka-Local) - 13. Asia Pacific (Singapore) - 14. Asia Pacific (Sydney) - 15. Asia Pacific (Mumbai) - 16. South America (São Paulo) - 17. EU (Stockholm) - Please choose the number of your region. Press enter for default (#13) region. - default: "13" + 1. ap-east-1 Asia Pacific (Hong Kong) + 2. ap-northeast-1 Asia Pacific (Tokyo) + 3. ap-northeast-2 Asia Pacific (Seoul) + 4. ap-northeast-3 Asia Pacific (Osaka-Local) + 5. ap-south-1 Asia Pacific (Mumbai) + 6. ap-southeast-1 Asia Pacific (Singapore) + 7. ap-southeast-2 Asia Pacific (Sydney) + 8. ca-central-1 Canada (Central) + 9. eu-central-1 EU (Frankfurt) + 10. eu-north-1 EU (Stockholm) + 11. eu-west-1 EU (Ireland) + 12. eu-west-2 EU (London) + 13. eu-west-3 EU (Paris) + 14. sa-east-1 South America (São Paulo) + 15. us-east-1 US East (N. Virginia) + 16. us-east-2 US East (Ohio) + 17. us-west-1 US West (N. California) + 18. us-west-2 US West (Oregon) + Please choose the number of your region. Press enter for default (#16) region. + default: "16" private: no - name: "aws_vpc_id_var" diff --git a/util/print-aws-regions.py b/util/print-aws-regions.py new file mode 100644 index 000000000..4330561a5 --- /dev/null +++ b/util/print-aws-regions.py 
@@ -0,0 +1,46 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +# Generate code fragments for amazon.yml + +names = ( + ("us-east-1", "US East", "N. Virginia"), + ("us-east-2", "US East", "Ohio"), + ("us-west-1", "US West", "N. California"), + ("us-west-2", "US West", "Oregon"), + ("ca-central-1", "Canada", "Central"), + ("eu-central-1", "EU", "Frankfurt"), + ("eu-west-1", "EU", "Ireland"), + ("eu-west-2", "EU", "London"), + ("eu-west-3", "EU", "Paris"), + ("ap-northeast-1", "Asia Pacific", "Tokyo"), + ("ap-northeast-2", "Asia Pacific", "Seoul"), + ("ap-northeast-3", "Asia Pacific", "Osaka-Local"), + ("ap-southeast-1", "Asia Pacific", "Singapore"), + ("ap-southeast-2", "Asia Pacific", "Sydney"), + ("ap-south-1", "Asia Pacific", "Mumbai"), + ("ap-east-1", "Asia Pacific", "Hong Kong"), + ("eu-north-1", "EU", "Stockholm"), + ("sa-east-1", "South America", "São Paulo"), +) + +sorted_names = sorted(names) + +print("") +print (""" + regions:""") +for i in range(len(sorted_names)): + j = i + 1 + o = sorted_names[i] + print(' "{j}": "{symname}"'.format(j=j, symname=o[0])) + +print ("----------------------") + +print ("") +print (""" + In what region should the server be located?""") +for i in range(len(sorted_names)): + j = i + 1 + o = sorted_names[i] + print(" {j:>2}. {symname:<15} {region:<14} ({nickname})".format( + j=j, symname=o[0], region=o[1], nickname=o[2])) From f9f8ba236793ea47fcdd00fced1c6628e470743e Mon Sep 17 00:00:00 2001 
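Review bot: Both loops index `sorted_names` by hand (`for i in range(len(sorted_names)): j = i + 1; o = sorted_names[i]`) and then unpack `o[0]`, `o[1]`, `o[2]` positionally; `for j, (symname, region, nickname) in enumerate(sorted_names, 1):` removes the counter arithmetic and names the fields where they are used. `print ("…")` with a space before the parenthesis is inconsistent with `print("")` two lines earlier. A module docstring stating that the two fragments are pasted into the `regions:` mapping and the `aws_region_var` prompt of playbooks/amazon.yml, and that the prompt's `default:` must be re-checked whenever the sorted list changes, would replace the bare `# Generate code fragments for amazon.yml` comment and match the reminder the commit put in amazon.yml.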
From: Ali Date: Thu, 18 Jul 2019 09:11:08 +0800 Subject: [PATCH 11/16] Make V2ray-plugin optional (#1585) * Various Fixes: 1. V2ray-plugin service has been made optional. The users now have an option to install shadowsocks in vanilla configuration or with v2ray-plugin. 2. Change in Services.md to reflect the update of v2ray-plugin. 3. Various warnings regarding "evaluation of x as a bare variable" have been addressed. * Update the global variables list * Updating list of site_vars in tests * Changes suggested by @nopdotcom 1. The changes regarding "evaluation of x as a bare variable" have been reverted for a separate PR. 2. Single config file has been used as compared to two in the prior commits. * Activate V2ray related documentation if v2ray-enabled flag is set * Resolve #1590: On a non-fresh streisand instance re-running the scripts produce #1590. By ensuring a force re-write of v2ray-plugin this issue can be resolved. --- Services.md | 2 +- global_vars/default-site.yml | 1 + playbooks/customize.yml | 8 ++++++++ playbooks/roles/shadowsocks/tasks/main.yml | 1 + playbooks/roles/shadowsocks/tasks/v2ray.yml | 2 +- playbooks/roles/shadowsocks/templates/config.json.j2 | 5 ++++- .../roles/shadowsocks/templates/instructions-fr.md.j2 | 10 +++++++++- .../roles/shadowsocks/templates/instructions.md.j2 | 8 ++++++++ tests/site_vars/shadowsocks.yml | 1 + 9 files changed, 34 insertions(+), 4 deletions(-) diff --git a/Services.md b/Services.md index b765544ed..952ddd7d1 100644 --- a/Services.md +++ b/Services.md 
@@ -20,7 +20,7 @@ Services Provided
 * When enabled, the high-performance [libev variant](https://github.com/shadowsocks/shadowsocks-libev) is installed. This version is capable of handling thousands of simultaneous connections.
 * A QR code is generated that can be used to automatically configure the Android and iOS clients by simply taking a picture. You can tag '8.8.8.8' on that concrete wall, or you can glue the Shadowsocks instructions and some QR codes to it instead!
 * [AEAD](https://shadowsocks.org/en/spec/AEAD-Ciphers.html) support is enabled using ChaCha20 and Poly1305 for enhanced security and improved GFW evasion.
- * The [simple-obfs](https://github.com/shadowsocks/simple-obfs) plugin is installed to provide robust traffic evasion on hostile networks (especially those implementing quality of service (QOS) throttling).
+ * The [v2ray-plugin](https://github.com/shadowsocks/v2ray-plugin) plugin is installed to provide robust traffic evasion on hostile networks (especially those implementing quality of service (QOS) throttling).
 * [sslh](https://www.rutschle.net/tech/sslh/README.html)
 * Sslh is a protocol demultiplexer that allows Nginx, OpenSSH, and OpenVPN to share port 443. This provides an alternative connection option and means that you can still route traffic via OpenSSH and OpenVPN even if you are on a restrictive network that blocks all access to non-HTTP ports.
 * [Stunnel](https://www.stunnel.org/index.html)
diff --git a/global_vars/default-site.yml b/global_vars/default-site.yml
index 699d8a10d..0c572e46a 100644
--- a/global_vars/default-site.yml
+++ b/global_vars/default-site.yml
@@ -14,6 +14,7 @@ vpn_clients: 5
 streisand_openconnect_enabled: yes
 streisand_openvpn_enabled: yes
 streisand_shadowsocks_enabled: yes
+streisand_shadowsocks_v2ray_enabled: no
 streisand_ssh_forward_enabled: yes
 # By default sshuttle is disabled because it creates a `sshuttle` user that has
 # full shell privileges on the Streisand host
diff --git a/playbooks/customize.yml b/playbooks/customize.yml
index 02fbf3170..568fe0a2d 100644
--- a/playbooks/customize.yml
+++ b/playbooks/customize.yml
@@ -28,6 +28,10 @@
 prompt: "Enable Shadowsocks? Press enter for default "
 default: "yes"
 private: no
+ - name: streisand_shadowsocks_v2ray_enabled
+ prompt: "Enable v2ray-plugin for Shadowsocks? Press enter for default "
+ default: "no"
+ private: no
 - name: streisand_ssh_forward_enabled
 prompt: "Enable SSH Forward User? (Note: A SOCKS proxy only user will be added, no shell). Press enter for default "
 default: "yes"
@@ -74,6 +78,10 @@
 path: "{{ streisand_site_vars }}"
 regexp: "^streisand_shadowsocks_enabled: (?:yes|no)$"
 line: "streisand_shadowsocks_enabled: {{ streisand_shadowsocks_enabled }}"
+ - lineinfile:
+ path: "{{ streisand_site_vars }}"
+ regexp: "^streisand_shadowsocks_v2ray_enabled: (?:yes|no)$"
+ line: "streisand_shadowsocks_v2ray_enabled: {{ streisand_shadowsocks_v2ray_enabled }}"
 - lineinfile:
 path: "{{ streisand_site_vars }}"
 regexp: "^streisand_ssh_forward_enabled: (?:yes|no)$"
diff --git a/playbooks/roles/shadowsocks/tasks/main.yml b/playbooks/roles/shadowsocks/tasks/main.yml
index 56e04352c..613b99e7b 100644
--- a/playbooks/roles/shadowsocks/tasks/main.yml
+++ b/playbooks/roles/shadowsocks/tasks/main.yml
@@ -54,6 +54,7 @@
 # Add V2ray support
 - import_tasks: v2ray.yml
+ when: streisand_shadowsocks_v2ray_enabled|bool
 - name: Generate Shadowsocks config file
 template:
diff --git a/playbooks/roles/shadowsocks/tasks/v2ray.yml b/playbooks/roles/shadowsocks/tasks/v2ray.yml
index c5d8ac96c..d09d8af02 100644
--- a/playbooks/roles/shadowsocks/tasks/v2ray.yml
+++ b/playbooks/roles/shadowsocks/tasks/v2ray.yml
@@ -18,5 +18,5 @@
 shell: "go get {{ v2ray_github }}"
 - name: Copying v2ray-plugin to shadowsocks-libev directory
- shell: "cp {{ v2ray_location }}/v2ray-plugin {{ shadowsocks_location }}"
+ shell: "cp -rf {{ v2ray_location }}/v2ray-plugin {{ shadowsocks_location }}"
 ...
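Review bot: The forced copy in v2ray.yml still goes through `shell`, so the task reports changed on every run and `-r` is meaningless for what is presumably a single built binary; the `copy` module with `remote_src: true` is the idiomatic, idempotent form and overwrites a differing destination by default, which is what the commit message says #1590 needs. The `go get {{ v2ray_github }}` context line just above builds whatever the upstream default branch currently is unless `v2ray_github` already carries a version; now that the plugin is an opt-in feature it would be worth pinning a tag or commit there so the binary handed to shadowsocks-libev is reproducible. The rest of v2ray.yml is outside this hunk.
```yaml
- name: Copying v2ray-plugin to shadowsocks-libev directory
  copy:
    src: "{{ v2ray_location }}/v2ray-plugin"
    dest: "{{ shadowsocks_location }}/v2ray-plugin"
    remote_src: true
    mode: preserve
```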
diff --git a/playbooks/roles/shadowsocks/templates/config.json.j2 b/playbooks/roles/shadowsocks/templates/config.json.j2
index 3cbe4b8e7..d315a3c5e 100644
--- a/playbooks/roles/shadowsocks/templates/config.json.j2
+++ b/playbooks/roles/shadowsocks/templates/config.json.j2
@@ -5,7 +5,10 @@
 "password":"{{ shadowsocks_password.stdout }}",
 "timeout":{{ shadowsocks_timeout }},
 "method":"{{ shadowsocks_encryption_method }}",
- "fast_open":{{ shadowsocks_tcp_fast_open }},
+ "fast_open":{{ shadowsocks_tcp_fast_open }}
+{%- if streisand_shadowsocks_v2ray_enabled -%}
+, "plugin":"{{ shadowsocks_location }}/v2ray-plugin", "plugin_opts":"{{ v2ray_options }}"
+{% endif %}
 }
diff --git a/playbooks/roles/shadowsocks/templates/instructions-fr.md.j2 b/playbooks/roles/shadowsocks/templates/instructions-fr.md.j2
index c749a25e1..481c5af68 100644
--- a/playbooks/roles/shadowsocks/templates/instructions-fr.md.j2
+++ b/playbooks/roles/shadowsocks/templ
ates/instructions-fr.md.j2
@@ -10,9 +10,13 @@ Shadowsocks
 * [Linux](#linux)
 * [Android](#android)
 * [iOS](#ios)
+{%- if streisand_shadowsocks_v2ray_enabled -%}
+ * Plugins
 * [v2ray-plugin](#V2ray-plugin)
+{% endif %}
+
 ### Windows ###
 1. Téléchargez [Shadowsocks pour Windows](/mirror/shadowsocks/index-fr.html).
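Review bot: `"plugin_opts":"{{ v2ray_options }}"` in the new conditional is interpolated straight into a JSON string, so a `"` or backslash in the option value produces a config file shadowsocks-libev cannot parse, and the failure only surfaces when the service starts. Rendering the value through the JSON filter avoids that: `"plugin_opts":{{ v2ray_options | to_json }}` (the filter supplies the surrounding quotes and escapes). The same applies to `shadowsocks_password.stdout` on the context line above, though that is pre-existing.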
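Review bot: `{%- if streisand_shadowsocks_v2ray_enabled -%}` uses whitespace control on both sides, and the leading `-` strips the newline that ends the preceding `* [iOS](#ios)` bullet, so when the flag is set the rendered Markdown reads `* [iOS](#ios)* Plugins` and the list entry is lost. The same form before the `### v2ray-plugin` heading in this file's second hunk and in both `{%- if` hunks of instructions.md.j2 fuses the heading onto the preceding sentence, so it will not render as a heading. Dropping the dashes, `{% if streisand_shadowsocks_v2ray_enabled %}`, is enough: Ansible's template module defaults to trim_blocks, so the tag's own newline is removed without eating the surrounding lines.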
@@ -116,6 +120,8 @@ Une fois que vous avez Shadowsocks fonctionnant localement, vous devrez transfé
 * Si c'est la première fois que vous utilisez Shadowrocket, iOS vous demandera de vérifier que l'application devrait avoir la permission d'ajouter des configurations VPN. Tapez *Permettre* et suivez les instructions.
 1. Vous pouvez vérifier que votre trafic est correctement routé par [recherche de votre adresse IP sur DuckDuckGo]({{ streisand_my_ip_url }}). Il devrait dire *Votre adresse IP publique est {{streisand_ipv4_address}}*.
+{%- if streisand_shadowsocks_v2ray_enabled -%}
+
 ### v2ray-plugin pour les réseaux peu fiables/hostiles ###
 Pour les utilisateurs sur des réseaux peu fiables ou hostiles (en particulier la limitation de la qualité de service (QOS)), l'utilisation du plugin simple-obfs peut vous aider à atténuer ces problèmes. La configuration supplémentaire du client Shadowsocks pour utiliser le plugin v2ray-plugin peut être effectuée via la configuration suivante:
@@ -126,4 +132,6 @@ Pour les utilisateurs sur des réseaux peu fiables ou hostiles (en particulier l
 Encryption Method: {{ shadowsocks_encryption_method }}
 Plugin: {{ shadowsocks_v2ray_plugin }}
 Plugin_Options: {{ shadowsocks_v2ray_plugin_options }}
-Les utilisateurs d'Android devront d'abord télécharger l'application [V2ray-plugin](https://play.google.com/store/apps/details?id=com.github.shadowsocks.plugin.v2ray), puis modifier le profil existant de Streisand sur votre client pour utiliser ce plugin. Vous pouvez le faire en appuyant sur le bouton d'édition (edit) à côté du profil, en tapant l'option Plugin en bas du profil et en sélectionnant le plugin "V2ray-plugin" dans le menu. Votre trafic Shadowsocks sera maintenant obscurci en tant que {{ shadowsocks_v2ray_plugin_protocol }} trafic vers `{{ shadowsocks_v2ray_cover_domain }}`.
\ No newline at end of file
+Les utilisateurs d'Android devront d'abord télécharger l'application [V2ray-plugin](https://play.google.com/store/apps/details?id=com.github.shadowsocks.plugin.v2ray), puis modifier le profil existant de Streisand sur votre client pour utiliser ce plugin. Vous pouvez le faire en appuyant sur le bouton d'édition (edit) à côté du profil, en tapant l'option Plugin en bas du profil et en sélectionnant le plugin "V2ray-plugin" dans le menu. Votre trafic Shadowsocks sera maintenant obscurci en tant que {{ shadowsocks_v2ray_plugin_protocol }} trafic vers `{{ shadowsocks_v2ray_cover_domain }}`.
+
+{% endif %}
diff --git a/playbooks/roles/shadowsocks/templates/instructions.md.j2 b/playbooks/roles/shadowsocks/templates/instructions.md.j2
index dc39fa882..fc4c893ab 100644
--- a/playbooks/roles/shadowsocks/templates/instructions.md.j2
+++ b/playbooks/roles/shadowsocks/templates/instructions.md.j2
@@ -10,9 +10,13 @@ Shadowsocks
 * [Linux](#linux)
 * [Android](#android)
 * [iOS](#ios)
+{%- if streisand_shadowsocks_v2ray_enabled -%}
+ * Plugins
 * [v2ray-plugin](#V2ray-plugin)
+{% endif %}
+
 ### Windows ###
 1. Download [Shadowsocks for Windows](/mirror/shadowsocks/).
@@ -117,6 +121,8 @@ This should return a 301 Found response **not** a connection refused error.
 * If this is your first time running Shadowrocket, iOS will ask you to verify that the application should have permission to add VPN configurations. Tap *Allow* and follow the instructions.
 1. You can verify that your traffic is being routed properly by [looking up your IP address on DuckDuckGo]({{ streisand_my_ip_url }}). It should say *Your public IP address is {{ streisand_ipv4_address }}*.
+{%- if streisand_shadowsocks_v2ray_enabled -%}
+
 ### v2ray-plugin for unreliable/hostile networks ###
 For users on unreliable or hostile networks (esp. experiencing quality-of-service (QOS) throttling) using the [v2ray-plugin](https://github.com/shadowsocks/v2ray-plugin) may help alleviate these issues. Further configuration of the Shadowsocks client to use the v2ray-plugin can be carried out via the following configuration:
@@ -129,3 +135,5 @@ For users on unreliable or hostile networks (esp. experiencing quality-of-servic
 Plugin_Options: {{ shadowsocks_v2ray_plugin_options }}
 Android users will first need to download the [V2ray-plugin](https://play.google.com/store/apps/details?id=com.github.shadowsocks.plugin.v2ray) plugin app, and then modify the existing Streisand profile on your client to use this plugin. You can do this by hitting the edit button next to the profile, tapping the `Plugin` option at the bottom of the profile and selecting the "V2ray-plugin" plugin from the menu. Your Shadowsocks traffic will now be obfuscated as `{{ shadowsocks_v2ray_plugin_protocol }}` traffic to `{{ shadowsocks_v2ray_cover_domain }}`.
+
+{% endif %}
diff --git a/tests/site_vars/shadowsocks.yml b/tests/site_vars/shadowsocks.yml
index 217241837..f752ba8ed 100644
--- a/tests/site_vars/shadowsocks.yml
+++ b/tests/site_vars/shadowsocks.yml
@@ -4,6 +4,7 @@ vpn_clients: 5
 streisand_openconnect_enabled: no
 streisand_openvpn_enabled: no
 streisand_shadowsocks_enabled: yes
+streisand_shadowsocks_v2ray_enabled: yes
 streisand_ssh_forward_enabled: no
 streisand_sshuttle_enabled: no
 streisand_stunnel_enabled: no
From 1c3f74704866cfa4337cc7eb4e6229263e9dcb0d Mon Sep 17 00:00:00 2001
From: Jay Carlson Date: Fri, 19 Jul 2019 15:12:10 -0400 Subject: [PATCH 12/16] From documentation, revised package dependencies (#1446)
---
requirements.txt | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index d938f0d8c..a8354b718 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -21,12 +21,11 @@ boto
 boto3
 # Digital Ocean
-packaging
 dopy==0.3.5
 # Google Compute Engine
-apache-libcloud>=1.17.0
-pycryptodome
+requests
+google-auth
 # Linode
 pycurl==7.43.0.1
From e3a80d319420f8c4a5a21ac5fd320b12f8402117 Mon Sep 17 00:00:00 2001
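Review bot: `requests` and `google-auth` are added without a version while the neighbouring `dopy==0.3.5` and `pycurl==7.43.0.1` are pinned, so each fresh install resolves to whatever is newest on PyPI; that makes installs non-reproducible and means a breaking or compromised release lands on users automatically. Pinning to the versions the documentation was tested with (`requests==<tested version>`, `google-auth==<tested version>`) keeps the file consistent with its other entries. The README install snippets visible later in this series still tell users to install `apache-libcloud`, which this hunk drops, so they may need the same update.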
From: Jay Carlson Date: Sat, 20 Jul 2019 22:56:38 -0400 Subject: [PATCH 13/16] @nickgnazzo's GPG rollup (#1604) * Move to Mozilla GPG Keyserver, fix a few GPG verifications * Refresh PuTTY GPG release key from website curl -o 4AE8DA82.putty@projects.tartarus.org.asc \ https://www.chiark.greenend.org.uk/~sgtatham/putty/keys/release-2018.asc This above key was double-checked with the keyservers. (It generally matches the key in @nickgnazzo's patch, but is not bit-for-bit identical.)
---
.../4AE8DA82.putty@projects.tartarus.org.asc | 35 ++++ .../B43434E4.putty@projects.tartarus.org.asc | 172 ------------------ playbooks/roles/gpg/templates/dirmngr.conf.j2 | 1 + playbooks/roles/gpg/vars/main.yml | 9 +- playbooks/roles/openvpn/vars/mirror.yml | 2 +- playbooks/roles/ssh-forward/vars/mirror.yml | 2 +- .../roles/tor-bridge/vars/mirror-download.yml | 2 +- 7 files changed, 46 insertions(+), 177 deletions(-)
create mode 100644 playbooks/roles/gpg/files/4AE8DA82.putty@projects.tartarus.org.asc
delete mode 100644 playbooks/roles/gpg/files/B43434E4.putty@projects.tartarus.org.asc
diff --git a/playbooks/roles/gpg/files/4AE8DA82.putty@projects.tartarus.org.asc b/playbooks/roles/gpg/files/4AE8DA82.putty@projects.tartarus.org.asc
new file mode 100644
index 000000000..6de89d036
--- /dev/null
+++ b/playbooks/roles/gpg/files/4AE8DA82.putty@projects.tartarus.org.asc
@@ -0,0 +1,35 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBFt5Z2QBDADj1NG9wXQ9ZicIaCwlLHbFHFwUSzNwt2wBgzBbn/QXSKcsZnCQ +W3spJ/hdHtpWTwTTE56JK4pwjPpXNO4+awkvQKgzaE7P8Sk1x5NH0tprKcYIZq4V +nkIUAym6KBrVHJGuS1H4MVuEmi3JqzIDBYbub6NRwY7R6lGg4R+kS4jI7Mhz42cy +PTy93sX1W82oKwTI40bSp3Mg4sF0mfXYU6h1iDtVDp54S9bi1iEqTkzjPB30OC8t +t9roCb88ppF3dbmSbfPe4pQAxvm/3Ky++bsaQY9FJyNxdHw0Smcw9fTaD51tuIrI +SeJ8YbNKEfSPr7094VxaSIKdY2JHvB4k9AcSCC2VJNAbsV48LzprWKEob7FLqhbC +l0hvfK6QPkfrbpIq2BVeIQC5zMYyKMU8BRdEB60DQCBW/xUjO9f6PK7ZbSu1GVew +Eb+15BLTXP7PTTfDGkJsxN4NFFp28lFQRazogVJ/oQHk8AFaMRn9ZEeQazGmq+qa +EjcJTEY9D4HAHnkAEQEAAbQsUHVUVFkgUmVsZWFzZXMgPHB1dHR5QHByb2plY3Rz +LnRhcnRhcnVzLm9yZz6JAdQEEwEIAD4WIQTic5Sso/nZBJUi4FRiiaJfSujaggUC +W3lnZAIbAwUJBbdhAAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBiiaJfSuja +gp43DACjSe2OD3pOVkBJTpzV7cwN1huB1580kxW2JRxgsvtKEag5MK2NG0tW5MTT +yRQcKsH7Nbnb6aCNbISVD49+WNZgna+g3mfYn7ITqWL7LqpF1sr3SyVkXZhQDCgc +bA5MRCzJttboDA7hGyg7lMu6hkG88H7zZkuxL1/hMqzwhHe8+o5lssRKajyWbvfR +lEvRNBalBSl7Ntwxpf6Kzmc3JxzRQ9J0DYcJNaEH3wr7JAMucVBTjU8b+R9iDKP2 +FIxfMmxfTG1/j8nnG8QwNlPmGO+jyVZGWzA9MxM8gaKuJM8dipErQnu8kDu8vvNw +KS2rg73c9jqjw3g4hirZzAlO9swV+irmi8hySDdRLjCI+AzfWir07ppjr6NS6pgm +OLI4KtRosrfKxWs9VKt/DXXWK6vzYMX3D+snJ4BCn5+sJPNGMoHs5QwLSJqNvPox +9K2D+ay+D1zGs8t5SoA7y/f6/vonanrbk4YtNg1kEm4FJgK43gVDStnFUYTPR4Fi +ovUjm4GJAjMEEAEIAB0WIQQk4bHFdeo8n/dSqSJ2vH/k6/0tngUCW3lo9AAKCRB2 +vH/k6/0tnow3D/950w6E5h8Rw4C1iZJjJOAPljdsOc/OBkb+p1RUzMF0c0VUvKl+ +QzLmRY34a02mZKARpJYaEezZJ+BaVr0hDsfits2sAgsHkNu7I1P7q/JoJO+hpUA6 +A65C2qacZfOn9tgegw6TnB68s0F8YcKTVSFbRxCNbp9mAEkv0xpz2TdNOsU2fFLT +o4EXM06Pv+KEbukMo8sQP48DlSpTKJoQ5RUahkOUhr7Ml+cRaxIefXob5dq4W+/m +WsH9AUjccGy7VTf5/RxZ6AO03KOXizciCMzxnjDukq6xMBOZkcJ4SlD72LQNFiov +2DL3taJrjwS67FEPf4BpXfJ9al2K0ZQgY51psVjcKvpgmXuFYDO1STJBAvnFnCSH +IiC3rSM2LxEVdz9jNOF8TOjtMfnGh0FCz99M/1bwDAJk+iHyUZ9ydCzI2w/Ut4QZ +fxMIIgT1yK/nxMDAKwPOuVN0T0JYcc9LNVB+3Z93qDusae9GN3JRNRVq8pOCqyMT +Y2hkyLkCPScS4PDkw57GTK5SHb7OYR+Qo6KGQo9bNbWcF0gWjsFkF4/7MckCfvoR 
+Tie4nmZdVYZvih9YZBwwheR5mCC/z0yRYh59gWSl0dkSshCdgHrN9caLheeJC6Gq +ET7F9zplL1YgkZWXFELPyAnBctJy8iVQW9l5r5da9ru/Uwby6rZkfqyXbQ== +=5Mif +-----END PGP PUBLIC KEY BLOCK----- diff --git a/playbooks/roles/gpg/files/B43434E4.putty@projects.tartarus.org.asc b/playbooks/roles/gpg/files/B43434E4.putty@projects.tartarus.org.asc deleted file mode 100644 index 8de6b65be..000000000 --- a/playbooks/roles/gpg/files/B43434E4.putty@projects.tartarus.org.asc +++ /dev/null 
@@ -1,172 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2 - -mQENBFXkgrUBCADs7c24+C3CX384H+pdjb1N8vZdv1KCbK/+58EpkVq1huL1iyfN -TX5ryEt0Fk7ouCZSW/GUwEfH37fAx7AlrXtWSvtekIHiftDmWdlyTrNGgP2tBCZK -t9XxsydsGaFbb4U4To4weffUSYEnXWAI9iz63E7hywFaEFPw5OKWY9aQOxBaNh48 -Ez7HKeoumIe4uGW7RESsbrIAljUvQkFiNrVUlFHuezrP2x0gpIwTRyoqYKdnpoUx -fe0d0fZBTJNE3YGk8OQpzv+zUeROwVE8Pu2GphEGmXzqKkSXBZKJohQeEdMqHNh8 -DZaqOFYhOrwEdQP7pPO6FiYdr50Nm0DXZdozABEBAAG0LFB1VFRZIFJlbGVhc2Vz -IDxwdXR0eUBwcm9qZWN0cy50YXJ0YXJ1cy5vcmc+iF4EEhEIAAYFAlX6G7QACgkQ -BJ8cMDO159akcgEAxJd6ORpwHN8VcxXJyahwjllZtA2gwEMYd2uLLJ/smQ4BAO44 -oQJiIhe7GHWmvIOViM01riva2+ruj9DvbpZ8jmt6iQEcBBABCAAGBQJX9uh2AAoJ -EKP/WnmwkYgkSDUH/RArxllXxQrLiwmX2prPr0UtbG6mXaTDUh9FXrHBn9RJJoDr -07oSKgTf6DrpKhl6KMTgzm2lvwBZAovoc+c1JrDisC2oAmS8F9fHWtmDj86HBB3y -VLCZaM+bUot15sPg1qjsPILIlvMR6RuQ+uapX0T0cY5yW6s4dh0YYJYyS3rK6XCy -f0EojZU5hagg8W4Yz12Hd4C2FLDn6mL1L46FRUF0Vwr6uNV1SU5mtjCXb70Ive6F -zlVsWR3lcEF6hYlbNIpQSMHdU8aMhcPZha8dZGltx80CuGrrCPopnrW/4mKhtsYe -AA2A6sQlWUUqCkfnc7XblPfxYgqf70NsR7OkAZyJARwEEAEIAAYFAli9UkMACgkQ -2G5wZ7vRtrCuYggAj+IOjJj8ShgsoFKJjM+qCGlXmxMPlabTrUHMAmMrhCMBgf6t -5FiJnM+lbdkvlnvK06wzXiwm6+B8xQaWR4au7TyTjc7dypTJVg1fSXoYATsBPfa4 -zSbQCeGq2y8+9GnuVtvFxwKB/GYQflCyFK9iuGldOXJneO6jWeH9xNZJOpSEuH2H -DTYOeo2l/Kn+3hPuI7KTbBRC9h0m+7R7k+UOHal8s7y4tV0/Wqd9P5sDbEDBgPAg -SXrFFReH3V9Muz44lws4bom1oFb4yG5++bTqK3edUj4NXmxg2/Al1PV9iQNBFkIy -8N9ONIH4rGqWQVyySNnRkOeEyNkqUgReoD2FLYkBHAQSAQgABgUCVhkVwQAKCRCU -6S35KqpcO51hB/9XvxcIue0qPApFBiWZqoj6zvHXuPoOdBs8f3y4W8OIjppwMWGJ -NDImxakoYZK0GLCED33WXyU7ByotVGJF/vNakgEdVqRSq0eV6AcGGSEq6Luwi278 -+DmEZIwiKGFZg4MrZGLqG51z3JduFnVs7TKMhjcO7bkOVDrlwZ9GvQBL9m8Bn0mh -IEL9PBNMp5xcywKy58ifDdW865vqSWCllLOsv5ijch5irfvT7s6pKBA6t9XqUkkx -dEf1oUxILX9NYDrvDG2ZJum22xRsCWSiL5QPrJjcV/odkf3uPMps8I4S2b8DJmBc -mGetC3ar9Mh9Uquc00f4i7mwuVyozCAr0AzuiQEzBBABCAAdFiEEDQhdGAlXdd9+ -auWz7ijGngsXRP8FAln6uSgACgkQ7ijGngsXRP84sggApv43TaafwwoHU6NltB6N -Atd91WG84n7MWn9ELzrjzYUTmy/AFoFTGzyXdsxwJ2U4eiZJ0HXSdXoqTXI6m8DO 
-kKHR0yGAlQfncaDnVePCxU/xn1TcGy7e2RAsDdnDkjCMLuCM4jpSUKZMnGziHuI+ -3fI9lpbnJJwmTzfU4pkSU+RHNWuUV0JGVqxzYOJE/4rNOMVEB8lTc2DwZvp4MMs6 -3np+9dWVJRHboKD+MYuJGUsAe9u+/+aqxs3JUn3T+R579LFNs6uiUvoxVc0lW+DO -/ahxOo2XFc8xn7gJjPI8GBDo+5MnIhwY+Pl6I7pCPyj/NCjfiazMl/Bxfas59xme -GIkBMwQQAQgAHRYhBCssxoJ2vTtogR+ddUAS6VP4HabcBQJaYlK3AAoJEEAS6VP4 -HabcCK0H/1eRyY47PGdybQpDAtolnid0RnUpykWeYLEsY9IOotoF/5p5YpeIrOZp -KYaXrMt8MZdesDOF0wLdVyfwaemvPPojvXfyBIGz94hHoRsJ84KICht0qbNbaGro -2a4jclj5jAO4U3UZ8TaY1nDkytPYjOZngz2HVh0QaEg/7ysuPdqFc5sXQ0BoU/83 -N/0i+E8tRvKnQ6gpncJiGIxKcpvnIZTEAIVice3MWU6KbLESiq3B7FJv2Pa+s372 -f/Bv0h1yh7TXwdu9gaYju8TZJDVbrQE/iLaRKE5Ab0IqHRrFLpSOAyjKma+PDWEP -Z6owmmd9ahIvqG8EGAe8w9iFIDl/3JOJATMEEAEIAB0WIQR7yzTMuFg4VckeEqF/ -LI2XSScwvAUCWkTrTwAKCRB/LI2XSScwvI9SCACkgERiWhJgU8H/ea93iG1C9HUq -z90Spdpy9d18jr//trbOuG7bYDdWBS9f4jsPl+evhJLExvDFYQDcCIanyp/Ev4Y5 -wckGqnGvWcJCcKuuqMySqzP5k0wz+ZAYy3hriRC/owEQN0TmNNdg8qMVwQsNc9bI -5sW7dVL7Sxlokti9CYLdJDZKvKelYT/Te4Pew/It8H63r50A3rDe7i446x9OInia -NY9Z8KuiGoF90OovhdCEYCc491LIz21WeRpuvJYgOE48qUnk6VOw+l4E21diJPs0 -rKlq6QTlmsSjynC68iD7ySya5jDXbOKgolS620MmvPnSeC9vHHiQLlokBYOGiQE9 -BBMBCAAnBQJV5IK1AhsDBQkFo5qABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ -EJ3+Jki0NDTkX0oIALe4AtN8ys1Vc53hD+WrUNtNGIhAM5Ptnyiz1mQ840TLnKVN -TloCg8FF/06P39Bwx6HU9zg5wOyYq98H6h+CwMSE9GpeReKfSyZDIAWkZnS+YBmS -5VH6BEH2aUOWafHcMNmQ5G0nkeF9X87qF15LJQZWicQA6b+5YtD+8MtrBtYy6xts -DWe5nTpcrch1SjmnaDttWlDTZFVXr5ensJk0kOnBZMlRAy9fFKaVQt+/rqyWwf1Z -155ndix8wYB70AsUFw9ORtJ75GqEJDqVEf3i6KkA1FgNeqVbh+oia8BehmfknkPc -LVkVpAxt4JyCJ9ZPKjVIk6Ey4OUQrhkHtPSREd2JAhwEEAECAAYFAleC6OAACgkQ -hOOSas46CKu8BxAAidgY5PPpZsksI0vNsHs0WP5u0ZfO2m+AQzzvmaXVEgZIaNPF -ZGy+P1YH2Ae2P6SCNI75mTz6/E45DjqnHR1htRuFYQm6I0iBvQujnCU4VGGddrXp -wL5Y28eAGoQYn/ZrariQOISntvGJzH/TysDi0RNAADdU8N+uGoyQPybYAukIyN/e -hNPrWJ+nJlcUBMA53iLt8I/elP+OUUnYOF4ykMLpNM6z8vRAW3RRpwroVNY6pboe -n91aENBOBfC9mdXJwFlrHeiNO4eTFgI4Bm8X3pKxRnSWdzzP72R6KT3QN3GDSlNb -eYNBjUGhHEJjNmw9fh25rmP5UAHVYzlduGFOtnUDymIIzNlC+tDea1RyCdyMe9p6 
-ohpLMb2h5xO/JecsGehDXnRtdkmjgn46khvgpxnL3JFxNVo/ngx7tS3CIDVeE5Io -3RCPyTD0p/eiaxH4Mp5xLlYXS7hi+EfK7c27ICHm8yzg/BtEweBjHf5updLh2P0N -XTMXSpEfakIvUTyGHTClXjJuusPncAYBTM5ROjKvT7z4KlDxBZEH8sz4DPZKTZys -xgyZwfMHKuNWLPtAvkgBmecAdOwlVDDUKGZUnDJkdOt4ZrRrUvzb3vXVRvYl602u -Y5IG8+fl/X4uylWDo3MRAdYXhQk0kA0WxDeIqHTFMNvS0KsrvBuFxUafjZyJAhwE -EAEIAAYFAlXkhQ4ACgkQq1hdxgRnb3x1bxAA0MQ6RYy5D4FoVcjoiP8o9UIBqxh0 -XjoEV9PYOTojvW64QBZpGCT5SSslezxk7h0HG3J53WF7ASa93WYapTp3XWxPL+Jh -6yhW4W8lr7VUlHlRcZtrUX6gxLeNMpAa16rkBgYyaTARJa1wy8iZ7M0o4WXlMVSb -klK7qHKc+/AuIADEA2d3f0HGy4hJtmZ4POpxkF4+qzZgsiyrnNeNRVNMO3LYolZt -o0Lh5WhwSBorbcLE1MNFvNAPAdTyozx5uuc/hjHNVt+O3znLZGjq045ML2xAPS45 -8AaE/AOFV5wqCD7piHqr7I3kZjITs5xywHgdg6FIpL+WDyp/vWHCwSGyrcjQ2dgw -OeXoXK6327na6VIyLQPSGLo7uSJPUh/PxX/tnx0XVj3TG9lVpJp0CjkPSB2yhDgb -8j71kPu5CweepYqnJcm4CGJsZSEvwrAdJbB0Ho8f25lEGWiZEFkqHpnGKsiT6UEp -+Sf6sEO+Srp/c2J0UqHD62KCIsrjcxTKE/CHP+J88KrJ0+9abhSh4T6OvWSrr5li -FjBj/6c3BD+q+O8nzzaDWv6Uh3QFJvtYQlQFk1p2QgYZ6XQ/49OlDvhbL27h27wI -ue9huO816Ffgn9ZMlenLqlz3njX1eklMx9AY/wW5zmGzBxLv6GJsxLh4/s68LAxO -qsF+L1PtSmg2SnSJAhwEEAEIAAYFAlZCJfUACgkQvanTYRbCnoR8BA/9EHh5myMj -ieFzhvBfytKK4qPPde+ysV83qOVdte50Ovu/XO9rkBEJNIYzKdBmVZx8SP6O2kiy -mIPhdx3OTny4EGU4N+8Uvyb2YMv4RUcs3krvikV/vDLRBmTycm1PrkAIvjXU03hI -JKENqTxqCj9Hu5I2Cucomdu6fK9OcYLFEHINxNuRkJNg8gM7QK1nXuDmxz4KW63Z -tZ/RkEHcIuQ55DfkWV0A+lHYtFspuStG9yp5ZL2l0ajrM+GdTBAre1FGeHrHjbfK -PjaoQx43K8Ms7HF9tC+Atfvv6gDehX3RX58kJVAW0oh9AcTpOgs5Jvfc/FWhUKA/ -41XkaQB0ntz23Wl4cfTZFZK7zzSuFyoYWCxxZvTcUyC+DJlavGfUVXPEYGrXrJjj -ncdBfMKAiAqp+RPpl7XnukO+bhHMuuXwUXzXdCl0HwhXeiXTY8ewt/+VV4s5INd1 -MdvJZRfsxvBmxIQHgvuiLalD5zm/Auw8d210XLW6flOVc71d8z8eLvDEwDa/0cPl -AVLvqcaaa4hG16G0nL32G2IOGp9FOK9HSdlWYcg8mxekkve3Et/wTYWSpqEaB2ZA -/ePzRyOh1PK89AIx1ORHmi2tePuOiIfF2mhnVAQ3AxGqTe9Tdsp/uRcLk0jLCOpt -BYFqLsnynRS6Vfonok1IWKNt0A8OzGB3CPaJAhwEEAEIAAYFAlf26KgACgkQAngh -/3sc/sZv+g/8CJra/cGx5dQue2pQJlxcQigTsYVMZObqbUJhRKje0RNv/WXjWGw3 -OgqDDCpYPzq/5D1a6ekm95hSAXPVhxQwSYZX3m9MrdxPX3sfxNOFvNdFAuiRkn/j 
-dq6NpOZdP+L+tMXW7tSklfXN4uTIaAa1PzHLILzzWP+5T9NOk1ejzktzS5ImNXgk -n3OA7EUd79kDKm9VzfIQitDtypMTv3nQaZiTc5nsipDHjY8zvGfUwEPlXhCXyKnp -iCd4/lG5HHDV2YNO3ot8pjORREvBWoYMl6Z15vGlW/iFpzGKbwH1whqqOeZ/drD8 -Ky+kHCaFAe98jxqS2ZwWoGIaUNbULrx8g9WVONZ+hYoDNLSrSTk5Yw10QTRSzhsU -eAp+yEpMfMP9GS7j52XXeMfOsaE9gMW54tsCeWX6dVPeX64g4IMXd84hpbi7ds2w -pLloA5Fkhzz2W9QZ75Ng/G4Wbo00fd7x+Rm5S+E2UxoS4vuOi1sKzm2O1cVPmDYl -ZS0rSzqOCntT8bMs44SO9euhf1WAsDcjrK+j7TUPGapyf2Nd9JscuPmm5YrQfEZK -SfvvpN/I+QFdwWyz54XDxHMRRKe1np1INonNdj9cfrbR98nVqW7qcLVDTRwkNdew -9gtvmWaJkHXB7fMVdrc7XzwMjDEQtwsv3fQrP4Ip8jNKePk/+IsUrj2JAhwEEAEI -AAYFAlh1du0ACgkQFbVOtu5w2/yEABAAiDkkyYUV1PWJM0UCZLlroLqW24wqAbec -gYuCyLd/3+77RqjkX1I3rbzEEAPBxolPeOZwMS46465rDpTRQ0Ldczu9/XL24jH9 -3od+3EM5SER2EMR0IXQvB3eD6PafgVVIRrQmxYqj5U3L/eh/7IqiM5cQDDRkIRXp -18AkWGrE881qSMELNH0EOxvOCmpVYVLa1jxbXSK84uwgr0G+lhDK3UDjf69FkOck -Aq/wI//gGo9WOUGTGoFBNUgpkgHhZxsj/LLsSIDjAJs09vkGfRo2SY3H19L51yjl -oX41gmCIAHWDLiVpzzsUdgFnrJ4VPGWFhu6VuF5dLNKoPU7PkWLT7pScWMJwG0gt -ISwdtox3IHw1t65d1OwLF41Zi1s9j1YlFlF0pOlfdpE1WscZyknkL/ke4R7V2idA -73iZ8J21W4G4wlLctT/eDSycq6qDw21DC23tj6xm/S6HzyZ0/V8RrngP72hUpApt -PxJ+EXONquUpxhyLS1Em0chDXHlgVQ0dAlGarvfAuPdhN2RIfJo59Oc5qDsjQuOo -3SW052AFNUkqpEKVMaGvxFrjajOOg3Qsm2nXyOcy8YRHNHeKbAbHK/2YPBnzFeYG -3O5/3okiS3Fkxfv+o6UtEvFDxpHfNb6kYKPPku83Z35MvPRvDK6823Ckc6NQszvc -iMiCQ4+j0+GJAhwEEAEIAAYFAlitDPoACgkQlNTx7LEl+3h0ug//cS5FYTLTr4we -O8XdNXeamjWkyzW+7d5xYXj4UGvX47s5v3jHb+z7mPLgtTmvU4/j7iDjmG/uPFeC -xiFAfnEr5S6LhCbsid2VHc3ZYScBjcctiRtuw6Won6TU84pwJNHjP31BicSGkb41 -pfvdNDAyepiQQtV6XDG54X3FcJHbbYVazy3fAg5WU1odnNhzfuF71W8XXoNKy5Gw -ch8+CLMPPBF3uBYW4cmy3qg9dycmNFHI+rz3bfkst5nufHpQtcSW8lK8cQLoFHj7 -sOAm4OF+5BDJE7kqiIp2WI/vEFAY+PSb3TSlryFCRYJCKqaWMPaKH4mOycCAdgLJ -aH4c5ihps41qm+4S+NwuASsP8KZrXtfRxK1uLQeHqGrESpHrQX061Xa4oh9E8f4w -2VCSktMIb7Sdl6BlwH4ct5v2Viv1KK1Z5RCww5rbwyDIXgdl1vsl/a/SyP+Ml+TI -ouJ08Fsranewvfu+z/YuQYZ8o5/1m86o8LVP35Q8JQ/IR+EDfNDYtVO1rsKT5+V4 -JyIdygjlFG2U09uFABQhmG+xE3DbEyfjuvgdxXTDvpNIdJ7qfq59RYj2L8fvdHzf 
-ffp6dX9pDoZTD1scQueTarOlA8GSwlBDhFKwwaYyCq/A3Rr3d46K28BZNuYylOkz -ZpzOtAtBBD5l1Abr9HZHQcpKDl/uQVuJAhwEEAEIAAYFAlmVYTMACgkQbOjneN/2 -UndlqRAAukhWtU2vF4Xcd7tHaA9l7C5UaqeUt7vtBrb3UxuL6HDN6HTd6RxmfdvS -+UkKwyxK9AsrsK1VKV7ZYG2ewUvtE9QFGw86agehcaMe0zZujjlvvKNa/LZymD7a -MS54msgNLnWeE6vBeX3kfz+SHv7bygjBwneQ0Nc1Dj2+la5FwClTa/WUr1u/A+tl -UMQbHNiEiKizVHY5Mrd2zJlCEsXBHETZnqZBanXDa6n5XvyRspG3t9wKZzRI1YbQ -zywEzH9K+/pwouQYBXtZ1vdkYKHMX7NaEDj9jK3MjuG67IczQElbA4Qe2oGXdnDq -FOqVkk5VSsWHCjiKgbHN3+EmqB3IGgWt7WuNutRbTzPF5HAcvzJxtV4jl0epgce6 -x5Vflzn5hDGoTmJmlESH3eg2/SJs70TKLSRuwv9zv2oTBlnm9uVSsDcygKkR2+b6 -/qlvDy317jHOQL8tG40ieAUP2AKVrT+suCjqSnTalusfWj1WaJBXuX+Eay8uLq4A -ZnKqglz5srBYCKV6zv0PPBgQb1pPfyQC2qfeKl4drqAVXrYJa+XnKfkdXfnO/2GE -XneD81oRDTfg4giQm/v+CRM9rsrM20F7/yl1CPBsZbeN5lNWW/VvzuaINh7yO4GW -BeLTbyZYiI47uA/SgMntFQy7utJXnpj2RiMJG3v+CyvVRWjislyJAhwEEAEKAAYF -Alp9Oi8ACgkQw7DeDnjqz157vw//cdzEjUO1YQR9CyLW8j81StsQ6CE7IqYliceb -kruovTYmXs2xpPgYRSsuuXNweTpVP8u2tvqsZX3g7KYvGmvnmzocEa0/AQm3/psg -zp4HJRBx0SjdRpQEtt0BPN0jgA36c36Dr7+dRgY+vPO1JOXdioMwHXF1RlnBXsf2 -4RH6T7iDkAr1z+CF8C4dnBAmbI0Kp2zJypS67Qs6J5QeoL6eSJ26yzSRp1exLoMP -ANyzQKSOwSxk8zyz0LFPUuOL5iw2YyxCNw5Jn+0P1/vJA2hj2trn1SaAr70bja98 -TTnQmX5SbKc7mblSYYuPOgqKNBRn7d28A++xF6fyYMPrIpZT+rUZl4DOoefQ7JsW -krM5xvkYfBqI9T4f99WAow44Qxi73XPhXwAzOteIKzt0vxnP8YJ9QzzLzIdoHh2y -1JAuPJaNThbZQ/wBCl0HqipQI/e46FbNFzzLu7T2crHAEw/K8g//oP2/+Fcg6BNj -G2LPsSlKviqpzSbo9hBsb67bG6q7BHGdAFiL98nBh4U18AxbXF4OoakVfG5YNyym -/O955smpQScbDIPjZszLhkg252K/jntwnUv0DN4E8YRpDiXW4xuNLgMC6HPxp/ro -4rqMeYEdoe8c4MtEoXqyy5dm0D5BgdeqAorlcToeSqv1na3J2qaD48VHOa12c4Ub -GW0s2S2JAjMEEAEIAB0WIQSvqnh6nD82xyk23ukVcMY9d53r3QUCWcUbSQAKCRAV -cMY9d53r3ZX2D/9eGL2vFkH/7CPhntvxTS6dDktzlXFw/99ZX3E28k6sZ9bWYM7X -mIMxrtVavsQMzyZ5ObFqDUITFtmcZToZD/pnHfm9OAsNj9A0NbMWAmxu+UUeUqpe -XFlk3L3fSuFaj5s06CZc61r0ZupY+DSsqbIU8ApNz7WsYqsfhxiwjvVHFl+DbB+C -Le87/Y4dllUMRmf1fJMM7OKbWt6Sa4jvBSw/wgxLtxggoVmAEHep7B6fA3BjmZsk -9avXyR13GnakEIvAY+H5RCI1sktPCyUhSDG7X4KKRrmVesg9l0XT6XN2xWwqMQeB 
-l+Q1OVYOy53OR50er5hEOxMIP4v7c43OMJGns4DUitw8vhN63Q5UkH+GfJxZ9qIm -BjQJmqfD9SiUDwV8NzTLpw5v02BS6aasEnEpDEoed0LTiCX8Y8k3umQWf+t1XADm -ey/587oNheeZHZ27Q+vOqWMQTDkomOLGGmDCKDjp9l0iAvlE5GllrG08Q7dxwrSf -p3X4oiZ9RE44NbBfX7+a3/O/qeOqv8jPUTthw6L3C8SQKtNYYW1ioFIaW3CrKAMa -O3LHSRE7y5g6LlKb3gRshl7/qVrMZSseHdRaX7R5dw9wUXDYzAYfVfj29IAAQr5P -4hpr1AOeHmMuoMEjJXfQawrFfkBWEgxJfKMq4lhS/3Avi3qYL+AryN2XSokCMwQQ -AQoAHRYhBF5kCTFMqsnyuic/s06j+D9y/ugKBQJaEwuxAAoJEE6j+D9y/ugKkEkP -+wXrRubxWbr2MtBCr50ae/GqgdcKDYNDSPDL5fDTZI73/Is7wQUSATBNerBtYg+j -2E/POxDHCEp6oRKC5QuYR4dakV+jbDINwiVcsKuJf+D4+zrjtO4Qsht+x6vtD9x+ -Pkkc0TqY+Jz8jR4wXFbIy/b6aKAg7EVyV3zOutwmfmrwyvMFKWPQlJ45iHa5CD7c -FbO1wMHHWZFBxk6GWli/Nj04QSkORNSAwOUYq96eyc7czTp1P7UcosKdIdzJgKg7 -ruNcHXr9UH9N+kDk9/QYhACgP9jQPTK4PnXWpwF+D+ovzP+Ai8nRu/fIR44z0og3 -hL3IZ7So3M9jOkebRPuh/H6jaUFpe84zL4GSTN76uchRHRHbsjz4+QiX/ZfjItfV -uoBo5JVV1xE61I1KY3hOy4vzGOhR2wrlv60YjFzXiq/5p3Ej56ToaURUYvNGIPb3 -95iqqSYrenyxPZbL/bu21+waILEG8rdG3fBNZLdpsPqT9BI2MAtUIAQQiQo28x2V -XPHXxqLnmh+Dx1bnwXW3N4GFf+ZGqUVShzn20NKlDShBdh4IHZlEoBKPv8w/GLl9 -9GCLicHWPLY/U6YtvqhCjnoUzc3N1/gTYraHTrKsLaZA5VwE+aFABcstlfLvsRy7 -52CcA1OGrdOMUgL6KRCxuwTHtPF3vfRBvawrxk+xnU+3 -=wyjd ------END PGP PUBLIC KEY BLOCK----- diff --git a/playbooks/roles/gpg/templates/dirmngr.conf.j2 b/playbooks/roles/gpg/templates/dirmngr.conf.j2 index e0401b242..8312e6ed0 100644 --- a/playbooks/roles/gpg/templates/dirmngr.conf.j2 +++ b/playbooks/roles/gpg/templates/dirmngr.conf.j2 @@ -1 +1,2 @@ keyserver {{ streisand_gpg_keyserver_address }} +hkp-cacert /etc/ssl/certs/{{ streisand_gpg_keyserver_root_ca }} diff --git a/playbooks/roles/gpg/vars/main.yml b/playbooks/roles/gpg/vars/main.yml index f2ba99265..0030f77e4 100644 --- a/playbooks/roles/gpg/vars/main.yml +++ b/playbooks/roles/gpg/vars/main.yml 
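Review bot: `hkp-cacert /etc/ssl/certs/{{ streisand_gpg_keyserver_root_ca }}` pins dirmngr to one root at a distribution-specific path, so if that file is absent on the target or the keyserver's chain later moves to a different root, every key fetch fails with a TLS error deep inside the gpg role rather than with a clear message at provisioning time. A `stat` task on the rendered path before this template is written, followed by a `fail` that names `streisand_gpg_keyserver_root_ca` when `stat.exists` is false, would surface that early; the gpg role's task file is not part of this diff. Pinning to a single root is a reasonable tightening over trusting the whole system store, but the accompanying comment in vars/main.yml should say it is deliberate so nobody later "fixes" it back to the bundle.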
@@ -5,6 +5,11 @@ root_gpg_dir: "/root/.gnupg"
 # Keep Streisand's GPG cruft out of the way
 streisand_gpg_dir: "{{ root_gpg_dir }}/streisand"
+# GPG Keyserver's Root CA Cert
+# Currently the keyserver is using an Amazon certificate, whose root CA is signed
+# by "Starfield Services", which should be available by default in /etc/ssl/certs
+streisand_gpg_keyserver_root_ca: "Starfield_Services_Root_Certificate_Authority_-_G2.pem"
+
 # Where is the Streisand specific GPG keyring kept?
 streisand_gpg_keyring: "{{ streisand_gpg_dir }}/pubring.gpg"
@@ -16,7 +21,7 @@ streisand_default_gpg_flags: "--no-default-keyring --keyring {{ streisand_gpg_ke
 # built into the GNUPG distribution, so we don't need to specify a CA cert
 # explicitly in a dirmngr config if we stick with this particular pool.
 # By default use HKP over HTTPS to the SKS Keyserver pool
-streisand_gpg_keyserver_address: "hkps://hkps.pool.sks-keyservers.net"
+streisand_gpg_keyserver_address: "hkps://gpg.mozilla.org"
 # The default timeout is 30s, we use something larger
 streisand_gpg_timeout: "120"
@@ -34,7 +39,7 @@ streisand_bootstrap_gpg_keys:
 # Tor browser release signing key
 - 93298290.torbrowser@torproject.org.asc
 # PuTTY release signing key
- - B43434E4.putty@projects.tartarus.org.asc
+ - 4AE8DA82.putty@projects.tartarus.org.asc
 # Stunnel release signing key
 - DD3AAAA3.Michal.Trojnara@stunnel.org.asc
 # Streisand maintainer - Github @cpu
diff --git a/playbooks/roles/openvpn/vars/mirror.yml b/playbooks/roles/openvpn/vars/mirror.yml
index 8eac17178..c03f4a515 100644
--- a/playbooks/roles/openvpn/vars/mirror.yml
+++ b/playbooks/roles/openvpn/vars/mirror.yml
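Review bot: The comment block kept above the changed `streisand_gpg_keyserver_address` still says the pool's CA is built into GnuPG so no CA cert is needed in dirmngr, and that the default is the SKS keyserver pool; both statements are now false, since the value is `hkps://gpg.mozilla.org` and this same commit adds an `hkp-cacert` line to dirmngr.conf.j2 precisely because that CA is not bundled. Replace those three context lines with something like `# gpg.mozilla.org presents a certificate chaining to a public root (see streisand_gpg_keyserver_root_ca), which dirmngr must be told about via hkp-cacert` and drop the SKS sentence. In the new `streisand_gpg_keyserver_root_ca` comment, "whose root CA is signed by Starfield Services" reads as if the root were cross-signed; "whose chain ends at the Starfield Services root" is what the variable's value actually says.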
@@ -16,7 +16,7 @@ openvpn_windows_installer_sig_filename: "{{ openvpn_windows_installer_filename }
 openvpn_windows_installer_href: "{{ openvpn_mirror_href_base }}/{{ openvpn_windows_installer_filename }}"
 openvpn_windows_installer_sig_href: "{{ openvpn_mirror_href_base }}/{{ openvpn_windows_installer_sig_filename }}"
-openvpn_gpg_keyid: "AF131CAE"
+openvpn_gpg_keyid: "5ACFEAC6"
 openvpn_download_files:
 - { "file": "{{ openvpn_source_filename }}", "sig": "{{ openvpn_source_sig_filename }}" }
 - { "file": "{{ openvpn_windows_installer_filename }}", "sig": "{{ openvpn_windows_installer_sig_filename }}" }
diff --git a/playbooks/roles/ssh-forward/vars/mirror.yml b/playbooks/roles/ssh-forward/vars/mirror.yml
index 82eba1fc4..1daa95f1e 100644
--- a/playbooks/roles/ssh-forward/vars/mirror.yml
+++ b/playbooks/roles/ssh-forward/vars/mirror.yml
@@ -12,7 +12,7 @@ putty_href: "{{ ssh_mirror_href_base }}/{{ putty_filename }}"
 # download-and-verify.yml renames files with non-standard extensions
 putty_sig_href: "{{ ssh_mirror_href_base }}/{{ putty_filename }}.asc"
-putty_gpg_keyid: "B43434E4"
+putty_gpg_keyid: "4AE8DA82"
 putty_download_files:
 - { "file": "{{ putty_filename }}", "sig": "{{ putty_sig_filename }}" }
diff --git a/playbooks/roles/tor-bridge/vars/mirror-download.yml b/playbooks/roles/tor-bridge/vars/mirror-download.yml
index 66e2a16e0..577d1a113 100644
--- a/playbooks/roles/tor-bridge/vars/mirror-download.yml
+++ b/playbooks/roles/tor-bridge/vars/mirror-download.yml
@@ -18,7 +18,7 @@ tor_browser_bundle_linux32_sig_filename: "{{ tor_browser_bundle_linux32_filename
 tor_browser_bundle_linux64_filename: "{{ tor_linux64_filename_base }}_{{ locale }}.tar.xz"
 tor_browser_bundle_linux64_sig_filename: "{{ tor_browser_bundle_linux64_filename }}.asc"
-tor_signer_keyid: "C3C07136"
+tor_signer_keyid: "D9FF06E2"
 tor_download_files:
 - { "file": "{{ tor_browser_bundle_windows_filename }}", "sig": "{{ tor_browser_bundle_windows_sig_filename }}" }
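Review bot: The replacement values `"5ACFEAC6"`, `"4AE8DA82"` and `"D9FF06E2"` are 32-bit short key IDs, for which colliding keys are cheap to produce, so if these variables are used to select or fetch a signing key (from the keyserver this series just switched) a colliding key could satisfy the download verification. The full 40-hex-digit fingerprint is the safe identifier; for PuTTY it can be derived from the `4AE8DA82.putty@projects.tartarus.org.asc` file added in this commit, and for OpenVPN and Tor from the corresponding bootstrap key files. If the consuming task only matches against keys already in the local keyring the exposure is smaller, but fingerprints cost nothing and remove the ambiguity; the same applies to all three hunks here (openvpn, ssh-forward, tor-bridge).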
From 9da427d917e811410952335fe82f822646a506ec Mon Sep 17 00:00:00 2001 From: Pat Thiel Date: Sun, 21 Jul 2019 22:08:57 -0400 Subject: [PATCH 14/16] Add Linode API v4 support (#1580) * Added: linode_v4 module support * Remove note about apiv3 keys, rename api key to api token * Fix linode install typo * Upgrade ansible * Fix trailing whitespace * added: mumbai region --- .travis.yml | 2 +- README-chs.md | 4 +- README-ru.md | 4 +- playbooks/linode.yml | 38 ++++++++++--------- .../roles/genesis-linode/defaults/main.yml | 20 ++++++---- playbooks/roles/genesis-linode/tasks/main.yml | 38 ++++++++----------- requirements.txt | 5 +-- util/ansible_check.sh | 2 +- 8 files changed, 56 insertions(+), 57 deletions(-) diff --git a/.travis.yml b/.travis.yml index 816231aaa..e24ff96ae 100644 --- a/.travis.yml +++ b/.travis.yml @@ -26,7 +26,7 @@ before_install: - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 762E3157 install: - - pip install ansible==2.6.5 + - pip install ansible==2.8.0 - pip install urllib3 yamllint - ansible --version diff --git a/README-chs.md b/README-chs.md index dd11ec611..51f7f4a22 100644 --- a/README-chs.md +++ b/README-chs.md @@ -1,5 +1,5 @@

- Automate the effect + Automate the effect

- - - @@ -141,7 +141,7 @@ Streisand 运行在**你自己的计算机上时(或者你电脑的虚拟机 sudo pip install "apache-libcloud>=1.17.0" * Linode - sudo pip install linode-python + sudo pip install linode-api4 * Rackspace 云 sudo pip install pyrax diff --git a/README-ru.md b/README-ru.md index 27e689941..6bce4cfee 100644 --- a/README-ru.md +++ b/README-ru.md @@ -1,5 +1,5 @@

- Automate the effect + Automate the effect

- - -
@@ -149,7 +149,7 @@
 * Linode
- sudo pip install linode-python
+ sudo pip install linode-api4
 * Rackspace Cloud
 sudo pip install pyrax
diff --git a/playbooks/linode.yml b/playbooks/linode.yml
index c5be16ae5..5cca1bca2 100644
--- a/playbooks/linode.yml
+++ b/playbooks/linode.yml
@@ -7,29 +7,31 @@
 vars:
 regions:
- "1": 4
- "2": 2
- "3": 10
- "4": 3
- "5": 7
- "6": 6
- "7": 9
- "8": 8
- "9": 11
+ "1": "ca-central"
+ "2": "us-central"
+ "3": "us-west"
+ "4": "us-southeast"
+ "5": "us-east"
+ "6": "eu-west"
+ "7": "ap-south"
+ "8": "eu-central"
+ "9": "ap-northeast"
+ "10": "ap-west"
 vars_prompt:
 - name: "linode_datacenter"
 prompt: >
 What region should the server be located in?
- 1. Atlanta
+ 1. Toronto
 2. Dallas
- 3. Frankfurt
- 4. Fremont
- 5. London
- 6. Newark
+ 3. Fremont
+ 4. Atlanta
+ 5. Newark
+ 6. London
 7. Singapore
- 8. Tokyo
- 9. Tokyo 2
+ 8. Frankfurt
+ 9. Tokyo
+ 10. Mumbai
 Please choose the number of your region. Press enter for default (#7) region.
 default: "7"
 private: no
@@ -39,8 +41,8 @@
 default: "streisand"
 private: no
- - name: "linode_api_key"
- prompt: "\n\nThe following information can be found in the Linode Manager.\nhttps://manager.linode.com/profile/api\n\nNote: API keys originating from https://cloud.linode.com/profile/tokens are not yet compatible.\n\nWhat is your Linode API key?\n"
+ - name: "linode_api_token"
+ prompt: "\n\nThe following information can be found in the Linode Manager:\nhttps://cloud.linode.com/profile/tokens\n\nWhat is your Linode API Token?\n"
 private: no
 - name: "confirmation"
diff --git a/playbooks/roles/genesis-linode/defaults/main.yml b/playbooks/roles/genesis-linode/defaults/main.yml
index f234ae6a1..ad86d73a0 100644
--- a/playbooks/roles/genesis-linode/defaults/main.yml
+++ b/playbooks/roles/genesis-linode/defaults/main.yml
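Review bot: The renamed `linode_api_token` prompt keeps `private: no` from the old API-key prompt, so the token, which typically grants broad account access to whoever holds it, is echoed to the terminal and lands in scrollback and any session recording; set `private: yes` on this prompt. The `regions` mapping and the numbered list agree (1–10) and the `(#7)` default still maps to Singapore, so that part is consistent. The `vars_prompt` list continues outside the hunk.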
@@ -1,16 +1,20 @@ --- -linode_plan_id: 1 -linode_distribution_id: 146 -linode_kernel_id: 210 # GRUB2 to utilize the distribution's kernel for compatibility +# Setting to most minimal linode plan size. +# For a most recent list of types: curl https://api.linode.com/v4/linode/types +linode_plan_id: "g6-nanode-1" +linode_distribution_id: "linode/ubuntu16.04lts" + +### Preserving these varsfor when we can set these with the ansible linode apiv4 module: +# linode_kernel_id: 210 # GRUB2 to utilize the distribution's kernel for compatibility # Threshold for receiving CPU usage alerts. Each CPU core adds 100% to total. # Since by default Streisand provisions a Linode 1024 with one core a value of # 90% seems ~reasonable -linode_alert_cpu_threshold: 90 +# linode_alert_cpu_threshold: 90 # Other values left as the defaults from the Linode module. See # https://github.com/StreisandEffect/streisand/issues/626 for more detail. -linode_alert_diskio_threshold: 10000 -linode_alert_bwin_threshold: 10 -linode_alert_bwout_threshold: 10 -linode_alert_bwquota_threshold: 80 +# linode_alert_diskio_threshold: 10000 +# linode_alert_bwin_threshold: 10 +# linode_alert_bwout_threshold: 10 +# linode_alert_bwquota_threshold: 80 diff --git a/playbooks/roles/genesis-linode/tasks/main.yml b/playbooks/roles/genesis-linode/tasks/main.yml index 75767ec68..ccf0bbd16 100644 --- a/playbooks/roles/genesis-linode/tasks/main.yml +++ b/playbooks/roles/genesis-linode/tasks/main.yml 
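Review bot: After this hunk the comment `# Other values left as the defaults from the Linode module` sits above alert thresholds that are now commented out, so nothing in this file applies any threshold and the comment no longer describes what the role does; the header line above it also reads `varsfor`. I would replace that header with `### Preserved for when the linode_v4 module can set alert thresholds; none of these are applied today, so the instance gets Linode's account-wide defaults.` and fold the "Other values left as the defaults" sentence into it. The `linode_alert_cpu_threshold` rationale still talks about a "Linode 1024 with one core" while `linode_plan_id` is now `g6-nanode-1`; worth checking that the core count in that sentence still matches the plan before it is revived.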
@@ -7,39 +7,33 @@ register: ssh_key changed_when: False -- name: Create the server - linode: - api_key: "{{ linode_api_key }}" - name: "{{ linode_server_name }}" - plan: "{{ linode_plan_id }}" - datacenter: "{{ regions[linode_datacenter] }}" - distribution: "{{ linode_distribution_id }}" - kernel_id: "{{ linode_kernel_id }}" - ssh_pub_key: "{{ ssh_key.stdout }}" - alert_cpu_threshold: "{{ linode_alert_cpu_threshold }}" - alert_diskio_threshold: "{{ linode_alert_diskio_threshold }}" - alert_bwin_threshold : "{{ linode_alert_bwin_threshold }}" - alert_bwout_threshold: "{{ linode_alert_bwout_threshold }}" - alert_bwquota_threshold: "{{ linode_alert_bwquota_threshold }}" - wait: yes +- name: "Create the server" + linode_v4: + access_token: "{{ linode_api_token }}" + label: "{{ linode_server_name }}" + type: "{{ linode_plan_id }}" + region: "{{ regions[linode_datacenter] }}" + image: "{{ linode_distribution_id }}" + authorized_keys: "{{ ssh_key.stdout }}" + state: present register: streisand_server -- name: Wait until the server has finished booting and OpenSSH is accepting connections +- name: "Wait until the server has finished booting and OpenSSH is accepting connections" wait_for: - host: "{{ streisand_server.instance.ipv4 }}" + host: "{{ streisand_server.instance.ipv4[0] }}" port: 22 search_regex: OpenSSH timeout: 600 -- name: Create the in-memory inventory group +- name: "Create the in-memory inventory group" add_host: - name: "{{ streisand_server.instance.ipv4 }}" + name: "{{ streisand_server.instance.ipv4[0] }}" groups: streisand-host -- name: Set the streisand_ipv4_address variable +- name: "Set the streisand_ipv4_address variable" set_fact: - streisand_ipv4_address: "{{ streisand_server.instance.ipv4 }}" + streisand_ipv4_address: "{{ streisand_server.instance.ipv4[0] }}" -- name: Set the streisand_server_name variable +- name: "Set the streisand_server_name variable" set_fact: streisand_server_name: "{{ linode_server_name | regex_replace('\\s', '_') }}" 
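Review bot: The rewritten `Create the server` task hands `access_token: "{{ linode_api_token }}"` to `linode_v4` without `no_log`, so unless the module's argspec marks that argument sensitive, a task failure or a `-vvv` run prints the account token in the module invocation; add `no_log: true` to the task, or confirm the module already suppresses the argument and record that in a comment. Two smaller points in the same task: `linode_v4` documents `authorized_keys` as a list, so `authorized_keys: ["{{ ssh_key.stdout }}"]` is the explicit form rather than relying on string-to-list coercion, and the three `ipv4[0]` lookups assume the first address returned is the one reachable over the Internet, which deserves a comment such as `# assumes ipv4[0] is the public address — confirm against the linode_v4 return value`. The `ssh_key` registration that feeds `authorized_keys` starts before the hunk.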
diff --git a/requirements.txt b/requirements.txt
index a8354b718..c386fc1de 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,7 +6,7 @@
 # Core with Azure dependencies
 #
-ansible[azure]==2.6.5
+ansible[azure]==2.8.0
 # Multiple packages depend on SecretStorage, and versions >= 3 require
 # Python 3. Until we're ready for Python 3, specify the earlier rev.
@@ -28,8 +28,7 @@ requests
 google-auth
 # Linode
-pycurl==7.43.0.1
-linode-python
+linode-api4
 # Rackspace
 pyrax
diff --git a/util/ansible_check.sh b/util/ansible_check.sh
index 0c9988fa7..a91c2e49f 100644
--- a/util/ansible_check.sh
+++ b/util/ansible_check.sh
@@ -6,7 +6,7 @@ set -e
 # check_ansible checks that Ansible is installed on the local system
 # and that it is a supported version.
 function check_ansible() {
- local REQUIRED_ANSIBLE_VERSION="2.5.2"
+ local REQUIRED_ANSIBLE_VERSION="2.8.0"
 if ! command -v ansible > /dev/null 2>&1; then
 echo "
From 35ae997688308c17f1b3839bf8ded1cf7cbc55a5 Mon Sep 17 00:00:00 2001
From: Jon Miller
Date: Tue, 23 Jul 2019 09:22:11 -0500
Subject: [PATCH 15/16] Use correct name for private SSH key (#1539)
---
 playbooks/existing-server.yml | 2 +-
 playbooks/roles/genesis-rackspace/tasks/main.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/playbooks/existing-server.yml b/playbooks/existing-server.yml
index 3e40eb29c..2430f4bc9 100644
--- a/playbooks/existing-server.yml
+++ b/playbooks/existing-server.yml
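Review bot: `linode-api4` enters requirements.txt with no version pin, while the `pycurl==7.43.0.1` line it replaces and the `ansible[azure]==2.8.0` bump in the hunk above are both pinned; an unpinned client library that is handed the account's API token means `pip install -r requirements.txt` resolves to whatever release is newest that day, which is a supply-chain exposure as well as a reproducibility problem. Pin it to the release the `linode_v4` module was tested against, e.g. `linode-api4==X.Y.Z` with the version you validated, and bump it deliberately. The `REQUIRED_ANSIBLE_VERSION="2.8.0"` change in util/ansible_check.sh is consistent with the ansible pin.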
@@ -25,7 +25,7 @@ changed_when: False rescue: - fail: - msg: "Unable to SSH to existing streisand-host.\nEnsure private key corresponding to \"{{ streisand_ssh_key }}\" is loaded in your SSH key agent.\nTry using `ssh-keygen -i {{ streisand_ssh_key }} to generate your key if it does not exist\n" + msg: "Unable to SSH to existing streisand-host.\nEnsure private key corresponding to \"{{ streisand_ssh_private_key }}\" is loaded in your SSH key agent.\nTry using `ssh-keygen -i {{ streisand_ssh_private_key }} to generate your key if it does not exist\n" # Ensure Python is installed on the system - import_playbook: python.yml diff --git a/playbooks/roles/genesis-rackspace/tasks/main.yml b/playbooks/roles/genesis-rackspace/tasks/main.yml index 71f9f34bf..89f25cf03 100644 --- a/playbooks/roles/genesis-rackspace/tasks/main.yml +++ b/playbooks/roles/genesis-rackspace/tasks/main.yml @@ -16,7 +16,7 @@ image: "{{ rackspace_image }}" region: "{{ regions[rackspace_region] }}" files: - /root/.ssh/authorized_keys: "{{ streisand_ssh_key }}" + /root/.ssh/authorized_keys: "{{ streisand_ssh_private_key }}" wait: yes register: streisand_server From 7a788132c4c4d24fb1d0bf5fd3a168fe40541175 Mon Sep 17 00:00:00 2001 From: Corban Raun Date: Tue, 23 Jul 2019 17:02:54 -0600 Subject: [PATCH 16/16] Use the public key in the rax module when creating a new Rackspace server --- playbooks/roles/genesis-rackspace/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/roles/genesis-rackspace/tasks/main.yml b/playbooks/roles/genesis-rackspace/tasks/main.yml index 89f25cf03..c0878f011 100644 --- a/playbooks/roles/genesis-rackspace/tasks/main.yml +++ b/playbooks/roles/genesis-rackspace/tasks/main.yml @@ -16,7 +16,7 @@ image: "{{ rackspace_image }}" region: "{{ regions[rackspace_region] }}" files: - /root/.ssh/authorized_keys: "{{ streisand_ssh_private_key }}" + /root/.ssh/authorized_keys: "{{ streisand_ssh_private_key }}.pub" wait: yes register: streisand_server
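Review bot: The renamed `fail` message in playbooks/existing-server.yml still advises `ssh-keygen -i {{ streisand_ssh_private_key }}` to generate a key, but `-i` is ssh-keygen's import-from-other-format option, not a generate option, and the backtick opened before the command is never closed; this commit only swaps the variable name and leaves that guidance wrong. Change `-i` to `-f` so the command creates a key at that path, and close the backtick after the path so the rendered message reads cleanly. The `block`/`rescue` this `fail` belongs to starts before the hunk.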
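Review bot: The corrected `"{{ streisand_ssh_private_key }}.pub"` in the second genesis-rackspace hunk derives the public-key path by convention, so a user who points `streisand_ssh_private_key` at a key whose public half is stored under another name, or not on disk at all, will have the `rax` task fail when it tries to read the file with no hint why; a `stat` on the `.pub` path followed by a `fail` with a clear message before the task, or a dedicated `streisand_ssh_public_key` variable shared by the other genesis roles, would make the assumption explicit. Given the previous commit shipped the private key on this line, add a comment above it such as `# rax reads this local file and installs its content as root's authorized_keys, so it must be the PUBLIC half`, hedged until the module's handling of `files:` is confirmed. The `rax` task that owns this line starts before the hunk.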