FreeBSD draft #35

ifconfig fix

Pre-tasks fixes

fix hardcoded IP

some refactoring

disable system-based tags

disable freebsd tags

FreeBSD vpn role #35

add defaults

ssh role freebsd

default fix

dns_adblocking freebsd

ubuntu dict fix

.travis.yml

@@ -48,4 +48,4 @@ script:
   - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
 
 after_script:
-  - ./tests/update-users.sh
+  - ./tests/update-users.sh

docs/FreeBSD.md

@@ -0,0 +1,24 @@
+# FreeBSD
+
+It is only possible to install Algo on existing systems only in order to avoid recompiling the kernel while deploying
+
+## Pre-paring the system
+
+Ensure that the following kernel options are enabled:
+
+```
+# sysctl kern.conftxt | grep -iE "IPSEC|crypto"
+options	IPSEC
+options IPSEC_NAT_T
+device	crypto
+```
+
+## Available roles
+
+* vpn
+* ssh_tunneling
+* dns_adblocking
+
+## Installation
+
+`ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$server_ip Store_CAKEY=N" --skip-tags cloud`

playbooks/common.yml

@@ -1,10 +1,16 @@
-- name: Install prerequisites
-  raw: sleep 10 && sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
+---
 
-- name: Configure defaults
-  raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
-  tags:
-    - update-alternatives
+- name: Check the system
+  raw: uname -a
+  register: OS
+
+- name: Ubuntu pre-tasks
+  include: ubuntu.yml
+  when: '"Ubuntu" in OS.stdout'
+
+- name: FreeBSD pre-tasks
+  include: freebsd.yml
+  when: '"FreeBSD" in OS.stdout'
 
 - name: Ensure the algo ssh key exist on the server
   authorized_key:

playbooks/facts/FreeBSD.yml

@@ -0,0 +1,10 @@
+---
+
+- set_fact:
+    config_prefix: "/usr/local/"
+    root_group: wheel
+    ssh_service_name: sshd
+    apparmor_enabled: false
+    strongswan_additional_plugins:
+      - kernel-pfroute
+      - kernel-pfkey

playbooks/freebsd.yml

@@ -0,0 +1,9 @@
+---
+
+- name: FreeBSD | Install prerequisites
+  raw: sleep 10 && sudo pkg install -y python27
+
+- name: FreeBSD | Configure defaults
+  raw: sudo ln -sf /usr/local/bin/python2.7 /usr/bin/python2.7
+
+- include: facts/FreeBSD.yml

playbooks/ubuntu.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Ubuntu | Install prerequisites
+  raw: sleep 10 && sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
+
+- name: Ubuntu | Configure defaults
+  raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
+  tags:
+    - update-alternatives

roles/common/handlers/main.yml

@@ -1,8 +1,18 @@
 - name: restart rsyslog
   service: name=rsyslog state=restarted
 
+- name: restart ipfw
+  service: name=ipfw state=restarted
+
 - name: flush routing cache
   shell: echo 1 > /proc/sys/net/ipv4/route/flush
 
 - name: restart loopback
   shell: ifdown lo:100 && ifup lo:100
+
+- name: restart loopback bsd
+  shell: >
+    ifconfig lo100 destroy || true &&
+    ifconfig lo100 create &&
+    ifconfig lo100 inet {{ local_service_ip }} netmask 255.255.255.255 &&
+    ifconfig lo100 inet6 FCAA::1/64; echo $?

roles/common/tasks/freebsd.yml

@@ -0,0 +1,50 @@
+---
+
+- set_fact:
+    tools:
+      - git
+      - screen
+      - coreutils
+      - openssl
+      - bash
+      - wget
+    sysctl:
+      forwarding:
+        - net.inet.ip.forwarding
+        - net.inet6.ip6.forwarding
+  tags:
+    - always
+
+- name: Loopback included into the rc config
+  blockinfile:
+    dest: /etc/rc.conf
+    create: yes
+    block: |
+      cloned_interfaces="lo100"
+      ifconfig_lo100="inet {{ local_service_ip }} netmask 255.255.255.255"
+      ifconfig_lo100="inet6 FCAA::1/64"
+  notify:
+    - restart loopback bsd
+  tags:
+    - always
+
+- name: Enable the gateway features
+  lineinfile: dest=/etc/rc.conf regexp='^{{ item.param }}.*' line='{{ item.param }}={{ item.value }}'
+  with_items:
+    - { param: firewall_enable, value: '"YES"' }
+    - { param: firewall_type, value: '"open"' }
+    - { param: gateway_enable, value: '"YES"' }
+    - { param: natd_enable, value: '"YES"' }
+    - { param: natd_interface, value: '"{{ ansible_default_ipv4.device|default() }}"' }
+    - { param: natd_flags, value: '"-dynamic -m"' }
+  notify:
+    - restart ipfw
+  tags:
+    - always
+
+- name: FreeBSD | Activate IPFW
+  shell: >
+    kldstat -n ipfw.ko || kldload ipfw ; sysctl net.inet.ip.fw.enable=0 &&
+    bash /etc/rc.firewall && sysctl net.inet.ip.fw.enable=1
+
+- meta: flush_handlers

roles/common/tasks/main.yml

@@ -5,101 +5,24 @@
   tags:
     - always
 
-- name: Install software updates
-  apt: update_cache=yes upgrade=dist
-  tags:
-    - cloud
-
-- name: Check if reboot is required
-  shell: >
-    if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
-  args:
-    executable: /bin/bash
-  register: reboot_required
-  tags:
-    - cloud
-
-- name: Reboot
-  shell: sleep 2 && shutdown -r now "Ansible updates triggered"
-  async: 1
-  poll: 0
-  when: reboot_required is defined and reboot_required.stdout == 'required'
-  ignore_errors: true
-  tags:
-    - cloud
-
-- name: Wait until SSH becomes ready...
-  local_action:
-    module: wait_for
-    port: 22
-    host: "{{ inventory_hostname }}"
-    search_regex: OpenSSH
-    delay: 10
-    timeout: 320
-  when: reboot_required is defined and reboot_required.stdout == 'required'
-  become: false
-  tags:
-    - cloud
+- include: ubuntu.yml
+  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
 
-- name: Disable MOTD on login and SSHD
-  replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
-  with_items:
-    - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
-    - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
-  tags:
-    - cloud
+- include: freebsd.yml
+  when: ansible_distribution == 'FreeBSD'
 
 - name: Install tools
-  apt: name="{{ item }}" state=latest
+  package: name="{{ item }}" state=present
   with_items:
-    - git
-    - screen
-    - apparmor-utils
-    - uuid-runtime
-    - coreutils
-    - sendmail
-    - iptables-persistent
-    - cgroup-tools
-    - openssl
-  tags:
-    - always
-
-- name: Loopback for services configured
-  template: src=10-loopback-services.cfg.j2 dest=/etc/network/interfaces.d/10-loopback-services.cfg
-  notify:
-    - restart loopback
-  tags:
-    - always
-
-- name: Loopback included into the network config
-  lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present
-  notify:
-    - restart loopback
-  tags:
-    - always
-
-- meta: flush_handlers
+    - "{{ tools }}"
   tags:
     - always
 
 - name: Enable packet forwarding for IPv4
   sysctl: name="{{ item }}" value=1
   with_items:
-    - net.ipv4.ip_forward
-    - net.ipv4.conf.all.forwarding
-  tags:
-    - always
-
-- name: Enable packet forwarding for IPv6
-  sysctl: name=net.ipv6.conf.all.forwarding value=1
+    - "{{ sysctl.forwarding }}"
   tags:
     - always
 
-- name: Check apparmor support
-  shell: apparmor_status
-  ignore_errors: yes
-  register: apparmor_status
-
-- set_fact:
-    apparmor_enabled: true
-  when: '"profiles are in enforce mode" in apparmor_status.stdout'
+- meta: flush_handlers

roles/common/tasks/ubuntu.yml

@@ -0,0 +1,91 @@
+---
+
+- name: Install software updates
+  apt: update_cache=yes upgrade=dist
+  tags:
+    - cloud
+
+- name: Check if reboot is required
+  shell: >
+    if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
+  args:
+    executable: /bin/bash
+  register: reboot_required
+  tags:
+    - cloud
+
+- name: Reboot
+  shell: sleep 2 && shutdown -r now "Ansible updates triggered"
+  async: 1
+  poll: 0
+  when: reboot_required is defined and reboot_required.stdout == 'required'
+  ignore_errors: true
+  tags:
+    - cloud
+
+- name: Wait until SSH becomes ready...
+  local_action:
+    module: wait_for
+    port: 22
+    host: "{{ inventory_hostname }}"
+    search_regex: OpenSSH
+    delay: 10
+    timeout: 320
+  when: reboot_required is defined and reboot_required.stdout == 'required'
+  become: false
+  tags:
+    - cloud
+
+- name: Disable MOTD on login and SSHD
+  replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
+  with_items:
+    - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
+    - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
+  tags:
+    - cloud
+
+- name: Loopback for services configured
+  template: src=10-loopback-services.cfg.j2 dest=/etc/network/interfaces.d/10-loopback-services.cfg
+  notify:
+    - restart loopback
+  tags:
+    - always
+
+- name: Loopback included into the network config
+  lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present
+  notify:
+    - restart loopback
+  tags:
+    - always
+
+- meta: flush_handlers
+  tags:
+    - always
+
+- name: Check apparmor support
+  shell: apparmor_status
+  ignore_errors: yes
+  register: apparmor_status
+
+- set_fact:
+    apparmor_enabled: true
+  when: '"profiles are in enforce mode" in apparmor_status.stdout'
+
+- set_fact:
+    tools:
+      - git
+      - screen
+      - apparmor-utils
+      - uuid-runtime
+      - coreutils
+      - sendmail
+      - iptables-persistent
+      - cgroup-tools
+      - openssl
+    sysctl:
+      forwarding:
+        - net.ipv4.ip_forward
+        - net.ipv4.conf.all.forwarding
+        - net.ipv6.conf.all.forwarding
+  tags:
+    - always

roles/dns_adblocking/tasks/freebsd.yml

@@ -0,0 +1,4 @@
+---
+
+- name: FreeBSD | Enable dnsmasq
+  lineinfile: dest=/etc/rc.conf regexp=^dnsmasq_enable= line='dnsmasq_enable="YES"'