From 060187653a639a4b75ae9b2d049ada6d5c1083a3 Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Sat, 28 Apr 2018 13:49:06 -0400 Subject: [PATCH 01/20] change everything to bionic --- Vagrantfile | 2 +- playbooks/roles/common/tasks/main.yml | 6 +++--- playbooks/roles/genesis-amazon/defaults/main.yml | 2 +- playbooks/roles/genesis-azure/defaults/main.yml | 2 +- playbooks/roles/genesis-digitalocean/defaults/main.yml | 2 +- playbooks/roles/genesis-google/defaults/main.yml | 2 +- playbooks/roles/genesis-linode/defaults/main.yml | 2 +- playbooks/roles/genesis-rackspace/defaults/main.yml | 2 +- 8 files changed, 10 insertions(+), 10 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 920a8da22..2dae820e0 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -4,7 +4,7 @@ Vagrant.require_version ">= 1.9.0" Vagrant.configure(2) do |config| - config.vm.box = "ubuntu/xenial64" + config.vm.box = "ubuntu/bionic64" config.vm.define "streisand-host", primary: true do |streisand| streisand.vm.hostname = "streisand-host" diff --git a/playbooks/roles/common/tasks/main.yml b/playbooks/roles/common/tasks/main.yml index 029c1f2bb..3c65a2ff5 100644 --- a/playbooks/roles/common/tasks/main.yml +++ b/playbooks/roles/common/tasks/main.yml @@ -1,8 +1,8 @@ --- -- name: Warn users if the server's Linux distribution is not Ubuntu 16.04 +- name: Warn users if the server's Linux distribution is not Ubuntu 18.04 pause: - prompt: "Ubuntu 16.04 is the only officially supported distribution; the setup will probably fail. Press Enter if you still want to continue." - when: not streisand_noninteractive and (ansible_distribution != "Ubuntu" or ansible_distribution_version != "16.04") + prompt: "Ubuntu 18.04 is the only officially supported distribution; the setup will probably fail. Press Enter if you still want to continue." + when: not streisand_noninteractive and (ansible_distribution != "Ubuntu" or ansible_distribution_version != "18.04") # Set default variables - import_tasks: set-default-variables.yml 
diff --git a/playbooks/roles/genesis-amazon/defaults/main.yml b/playbooks/roles/genesis-amazon/defaults/main.yml index c19a5e225..b932006e1 100644 --- a/playbooks/roles/genesis-amazon/defaults/main.yml +++ b/playbooks/roles/genesis-amazon/defaults/main.yml @@ -3,4 +3,4 @@ aws_instance_type: "t2.micro" # Search AMIs owned by this owner. This is the Amazon owner ID. aws_ami_owner: "099720109477" # Find AMIs matching this name -aws_ami_name: "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*" +aws_ami_name: "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*" diff --git a/playbooks/roles/genesis-azure/defaults/main.yml b/playbooks/roles/genesis-azure/defaults/main.yml index 8693767fe..b72b474a6 100644 --- a/playbooks/roles/genesis-azure/defaults/main.yml +++ b/playbooks/roles/genesis-azure/defaults/main.yml @@ -3,5 +3,5 @@ azure_instance_type: "Standard_B1s" azure_image_publisher: "Canonical" azure_image_offer: "UbuntuServer" -azure_image_sku: "16.04-LTS" +azure_image_sku: "18.04-LTS" azure_image_version: "latest" diff --git a/playbooks/roles/genesis-digitalocean/defaults/main.yml b/playbooks/roles/genesis-digitalocean/defaults/main.yml index 70b6b3fc4..af3c6115c 100644 --- a/playbooks/roles/genesis-digitalocean/defaults/main.yml +++ b/playbooks/roles/genesis-digitalocean/defaults/main.yml @@ -1,3 +1,3 @@ --- -do_ubuntu_x64_image_id: "ubuntu-16-04-x64" +do_ubuntu_x64_image_id: "ubuntu-18-04-x64" do_small_droplet_size_id: "s-1vcpu-1gb" diff --git a/playbooks/roles/genesis-google/defaults/main.yml b/playbooks/roles/genesis-google/defaults/main.yml index 2ffaa9205..b13eb2ca5 100644 --- a/playbooks/roles/genesis-google/defaults/main.yml +++ b/playbooks/roles/genesis-google/defaults/main.yml @@ -1,3 +1,3 @@ --- gce_machine_type: "f1-micro" -gce_image: "ubuntu-1604" +gce_image: "ubuntu-1804" diff --git a/playbooks/roles/genesis-linode/defaults/main.yml b/playbooks/roles/genesis-linode/defaults/main.yml index ad86d73a0..b37038076 100644 
--- a/playbooks/roles/genesis-linode/defaults/main.yml +++ b/playbooks/roles/genesis-linode/defaults/main.yml @@ -2,7 +2,7 @@ # Setting to most minimal linode plan size. # For a most recent list of types: curl https://api.linode.com/v4/linode/types linode_plan_id: "g6-nanode-1" -linode_distribution_id: "linode/ubuntu16.04lts" +linode_distribution_id: "linode/ubuntu18.04lts" ### Preserving these varsfor when we can set these with the ansible linode apiv4 module: # linode_kernel_id: 210 # GRUB2 to utilize the distribution's kernel for compatibility diff --git a/playbooks/roles/genesis-rackspace/defaults/main.yml b/playbooks/roles/genesis-rackspace/defaults/main.yml index a33e9d674..f5af2def0 100644 --- a/playbooks/roles/genesis-rackspace/defaults/main.yml +++ b/playbooks/roles/genesis-rackspace/defaults/main.yml @@ -1,3 +1,3 @@ --- rackspace_flavor: 2 -rackspace_image: "Ubuntu 16.04 LTS (Xenial Xerus) (PVHVM)" +rackspace_image: "Ubuntu 18.04 LTS (Bionic Beaver) (PVHVM)" From 4a300cb8a83c87a6043e87cedfe785c7bdea9c21 Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Sat, 28 Apr 2018 16:03:27 -0400 Subject: [PATCH 02/20] initial commit for bionic --- .gitignore | 1 + Vagrantfile | 6 ++++- playbooks/roles/common/tasks/main.yml | 23 ++++++++++++++----- .../roles/common/templates/resolvd.conf.j2 | 22 ++++++++++++++++++ playbooks/vagrant.yml | 5 ++++ tests/development-setup.yml | 6 ++--- 6 files changed, 53 insertions(+), 10 deletions(-) create mode 100644 playbooks/roles/common/templates/resolvd.conf.j2 diff --git a/.gitignore b/.gitignore index a030ccde2..5055d98d6 100644 --- a/.gitignore +++ b/.gitignore @@ -8,6 +8,7 @@ generated-docs .DS_Store .vagrant/ ubuntu-xenial-16.04-cloudimg-console.log +ubuntu-xenial-18.04-cloudimg-console.log # Ignore changes to the existing server inventory to allow users to modify it inventories/inventory-existing diff --git a/Vagrantfile b/Vagrantfile index 2dae820e0..52923f760 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -1,11 +1,15 @@ # See documentation/testing.md for instructions on using this Vagrantfile # -Vagrant.require_version ">= 1.9.0" +Vagrant.require_version ">= 2.0.0" Vagrant.configure(2) do |config| config.vm.box = "ubuntu/bionic64" + config.vm.provision "shell", + inline: "sudo apt install ifupdown" + #end + config.vm.define "streisand-host", primary: true do |streisand| streisand.vm.hostname = "streisand-host" streisand.vm.network :private_network, ip: "10.0.0.10" diff --git a/playbooks/roles/common/tasks/main.yml b/playbooks/roles/common/tasks/main.yml index 3c65a2ff5..f1d6da17b 100644 --- a/playbooks/roles/common/tasks/main.yml +++ b/playbooks/roles/common/tasks/main.yml @@ -23,9 +23,20 @@ purge: yes autoremove: yes -- name: Perform a full system upgrade - apt: - upgrade: "safe" +#- name: Perform a full system upgrade +# apt: +# upgrade: "safe" + +- name: Generate the custom resolvd.conf file + template: + src: resolvd.conf.j2 + dest: "/etc/systemd/resolved.conf" + +- name: Restart systemd-resolve for settings to take effect + systemd: + name: "systemd-resolved.service" + daemon_reload: yes + state: restarted - name: Copy the English BIP-0039 wordlist copy: @@ -73,6 +84,6 @@ - { src: "20auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" } - { src: "50unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" } -- name: Apply the custom sysctl values - include_role: - name: sysctl +#- name: Apply the custom sysctl values +# include_role: +# name: sysctl diff --git a/playbooks/roles/common/templates/resolvd.conf.j2 b/playbooks/roles/common/templates/resolvd.conf.j2 new file mode 100644 index 000000000..57d9290ce --- /dev/null +++ b/playbooks/roles/common/templates/resolvd.conf.j2 
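Review bot: The new shell provisioner `inline: "sudo apt install ifupdown"` has no `-y`, so under Vagrant's non-interactive provisioning apt stops at its confirmation prompt (or aborts) and the box never gets ifupdown. The provisioner already runs as root, so `sudo` is redundant, and the stray `#end` line beneath it reads as a leftover from an earlier block. Suggest `inline: "apt-get install -y ifupdown"` and dropping the `#end` line; the `Vagrant.configure` block continues outside the hunk.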
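Review bot: The new template task writing `/etc/systemd/resolved.conf` sets no `owner`, `group` or `mode`, so the rendered system config inherits whatever the remote umask yields; pin `owner: root`, `group: root`, `mode: 0644` as is usual for files under `/etc`. The following task restarts `systemd-resolved.service` unconditionally on every run instead of only when the template changed, so an unchanged config still causes a resolver outage mid-playbook; register the template result and add `when: resolved_conf is changed` (or move the restart to a handler). The task name and template say `resolvd.conf` while the daemon and file are `resolved.conf`; renaming the template to `resolved.conf.j2` avoids the mismatch. The task list continues outside the hunk.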
@@ -0,0 +1,22 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. +# +# Entries in this file show the compile time defaults. +# You can change settings by editing this file. +# Defaults can be restored by simply deleting this file. +# +# See resolved.conf(5) for details + +[Resolve] +DNS={{ upstream_dns_servers | join(' ') }} +#FallbackDNS= +#Domains= +#LLMNR=no +#MulticastDNS=no +DNSSEC=yes +Cache=yes +DNSStubListener=yes diff --git a/playbooks/vagrant.yml b/playbooks/vagrant.yml index 5c03f0f99..f3fb92b02 100644 --- a/playbooks/vagrant.yml +++ b/playbooks/vagrant.yml @@ -14,6 +14,11 @@ # fact with an interface's details. Without the below route being added this # results in enp0s3 being used when we want enp0s8 to be used. We work # around this by setting a route for 8.8.8.8 through enp0s8. + - name: Install ifupdown + apt: + name: ifupdown + state: present + - name: Workaround Ansible default ipv4 interface detection raw: route add -net 8.8.8.8 netmask 255.255.255.255 enp0s8 args: diff --git a/tests/development-setup.yml b/tests/development-setup.yml index 52e0cb352..9900b4e18 100644 --- a/tests/development-setup.yml +++ b/tests/development-setup.yml @@ -82,9 +82,9 @@ - name: Retrieve the Ubuntu Xenial AMD64 LXC image fingerprint uri: - url: https://images.linuxcontainers.org/1.0/images/aliases/ubuntu/xenial/amd64 + url: https://images.linuxcontainers.org/1.0/images/aliases/ubuntu/bionic/amd64 return_content: yes - register: xenial_fingerprint + register: bionic_fingerprint - name: Launch streisand container (this will take a while) lxd_container: 
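Review bot: The header comment block of the new template is copied verbatim from the stock systemd file and claims the entries `show the compile time defaults` and that `Defaults can be restored by simply deleting this file`, neither of which holds once Ansible manages the file and sets `DNS=`; an operator reading it on the host will be misled. Replace those lines with `# {{ ansible_managed }}` and a one-line note such as `# Rendered by the Streisand common role; upstream servers come from upstream_dns_servers.` The `DNS=` line joins `upstream_dns_servers` with spaces, so an empty list renders a blank key and resolved presumably falls back to its built-in defaults without any signal; `{{ upstream_dns_servers | mandatory | join(' ') }}` or an assert in the role makes that failure visible.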
@@ -97,7 +97,7 @@ server: https://images.linuxcontainers.org protocol: lxd # Use the retrieved alias to fetch the image - alias: "{{ xenial_fingerprint['json']['metadata']['target'] }}" + alias: "{{ bionic_fingerprint['json']['metadata']['target'] }}" profiles: ["default"] config: security.privileged: "true" From 01070263b0213b34cbef506e02c3ffe0e5e5f45a Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Sat, 28 Apr 2018 16:08:28 -0400 Subject: [PATCH 03/20] uncomment stuff --- playbooks/roles/common/tasks/main.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/playbooks/roles/common/tasks/main.yml b/playbooks/roles/common/tasks/main.yml index f1d6da17b..122675f72 100644 --- a/playbooks/roles/common/tasks/main.yml +++ b/playbooks/roles/common/tasks/main.yml @@ -23,9 +23,9 @@ purge: yes autoremove: yes -#- name: Perform a full system upgrade -# apt: -# upgrade: "safe" +- name: Perform a full system upgrade + apt: + upgrade: "safe" - name: Generate the custom resolvd.conf file template: @@ -84,6 +84,6 @@ - { src: "20auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" } - { src: "50unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" } -#- name: Apply the custom sysctl values -# include_role: -# name: sysctl +- name: Apply the custom sysctl values + include_role: + name: sysctl From fab3f20111033e94e8803774b2396f88c04ba92c Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Sat, 28 Apr 2018 16:26:27 -0400 Subject: [PATCH 04/20] maybe fixed --- .gitignore | 2 +- playbooks/roles/common/templates/resolvd.conf.j2 | 2 +- tests/development-setup.yml | 5 ++++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 5055d98d6..b2d5d5075 100644 --- a/.gitignore +++ b/.gitignore 
@@ -8,7 +8,7 @@ generated-docs .DS_Store .vagrant/ ubuntu-xenial-16.04-cloudimg-console.log -ubuntu-xenial-18.04-cloudimg-console.log +ubuntu-bionic-18.04-cloudimg-console.log # Ignore changes to the existing server inventory to allow users to modify it inventories/inventory-existing diff --git a/playbooks/roles/common/templates/resolvd.conf.j2 b/playbooks/roles/common/templates/resolvd.conf.j2 index 57d9290ce..c20f93380 100644 --- a/playbooks/roles/common/templates/resolvd.conf.j2 +++ b/playbooks/roles/common/templates/resolvd.conf.j2 @@ -17,6 +17,6 @@ DNS={{ upstream_dns_servers | join(' ') }} #Domains= #LLMNR=no #MulticastDNS=no -DNSSEC=yes +DNSSEC=no Cache=yes DNSStubListener=yes diff --git a/tests/development-setup.yml b/tests/development-setup.yml index 9900b4e18..1c30b259a 100644 --- a/tests/development-setup.yml +++ b/tests/development-setup.yml @@ -80,7 +80,10 @@ - name: lxd create network command: lxc network create testbr0 - - name: Retrieve the Ubuntu Xenial AMD64 LXC image fingerprint + - name: lxd attach network to default profile + command: lxc network attach-profile testbr0 default eth0 + + - name: Retrieve the Ubuntu Bionic AMD64 LXC image fingerprint uri: url: https://images.linuxcontainers.org/1.0/images/aliases/ubuntu/bionic/amd64 return_content: yes From 7322de479dbd09c456276da5500d24a37da11db8 Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Sat, 28 Apr 2018 17:09:58 -0400 Subject: [PATCH 05/20] dont deny traffic for now --- playbooks/roles/ufw/tasks/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/playbooks/roles/ufw/tasks/main.yml b/playbooks/roles/ufw/tasks/main.yml index 6ab6d0116..5445e2ca7 100644 --- a/playbooks/roles/ufw/tasks/main.yml +++ b/playbooks/roles/ufw/tasks/main.yml 
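Review bot: Switching the template from `DNSSEC=yes` straight to `DNSSEC=no` disables validation entirely for every client the gateway resolves for, when the likely motivation (strict mode failing against upstreams without DNSSEC support) has a supported middle ground. resolved.conf(5) accepts `DNSSEC=allow-downgrade`, which validates when the upstream supports it and only degrades when it does not; prefer that value and add a comment above the line recording why strict mode was dropped, since the commit message (`maybe fixed`) does not say which failure this addressed.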
@@ -21,11 +21,11 @@ proto: "tcp" rule: "allow" -- name: Ensure UFW is enabled and denies by default - ufw: - state: "enabled" - policy: "deny" - direction: "incoming" +#- name: Ensure UFW is enabled and denies by default +# ufw: +# state: "enabled" +# policy: "deny" +# direction: "incoming" - name: Ensure UFW allows nginx ufw: From 2c51ad7f3c90fd368ccf6ad1c3119aeb5bb41edf Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Sat, 28 Apr 2018 18:42:07 -0400 Subject: [PATCH 06/20] remove 16.04 references --- README-chs.md | 6 +++--- README-fr.md | 6 +++--- README-ru.md | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/README-chs.md b/README-chs.md index 2de67b95d..1b92f1dc4 100644 --- a/README-chs.md +++ b/README-chs.md @@ -18,8 +18,8 @@ Streisand Streisand介绍 --------------------- -* 只需要一个简单的脚本,就能在全新的 Ubuntu 16.04 服务器上运行[多个不同的科学上网工具](#提供的服务),它们能够让你匿名并且加密所有的网络流量。 -* Streisand 原生支持多个 VPS 供应商,其中包括[亚马逊EC2](https://aws.amazon.com/ec2/),[微软云服务](https://azure.microsoft.com),[DigitalOcean](https://www.digitalocean.com/),[Google云计算](https://cloud.google.com/compute/),[Linode](https://www.linode.com/)和[Rackspace](https://www.rackspace.com/);随着软件的开发还将支持更多云和VPS——只要运行的是 Ubuntu 16.04 ,不论提供商是谁还是有**成百个**实例都能用这个方法部署。 +* 只需要一个简单的脚本,就能在全新的 Ubuntu 18.04 服务器上运行[多个不同的科学上网工具](#提供的服务),它们能够让你匿名并且加密所有的网络流量。 +* Streisand 原生支持多个 VPS 供应商,其中包括[亚马逊EC2](https://aws.amazon.com/ec2/),[微软云服务](https://azure.microsoft.com),[DigitalOcean](https://www.digitalocean.com/),[Google云计算](https://cloud.google.com/compute/),[Linode](https://www.linode.com/)和[Rackspace](https://www.rackspace.com/);随着软件的开发还将支持更多云和VPS——只要运行的是 Ubuntu 18.04 ,不论提供商是谁还是有**成百个**实例都能用这个方法部署。 * 整个部署过程顺利的话大概在10分钟左右搞定。试想一个没有系统管理能力的人可能要花数天来完成其中一项工作,而我们用 Streisand 让你获得获得开箱既得的畅快体验。 * 一旦部署完成,你可以将使用指南发送给你的朋友,家人和你觉得对你重要的人**(译者注:原文是社会活动家)**。在这个指南中包含唯一的一个 SSL 证书,这也意味着你发送给他们的只是一个简单的文件而已。 * 部署好网关中包含了用户需要的一切内容,例如设置向导,所支持操作系统需要的客户端。即使无法下载到官方客户端的朋友都可以在网关中的镜像里下载到需要的最新版本客户端。 
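Review bot: Commenting out the `Ensure UFW is enabled and denies by default` task means the firewall is never enabled, so every `ufw` allow rule in this file (including the nginx rule right below the hunk) is recorded but enforces nothing, and the host keeps whatever inbound policy the image shipped with. If this is a temporary bionic debugging aid, as the commit title suggests, gate the task with a boolean role variable (a new name such as `streisand_ufw_enforce`, constructed here) and `when:` rather than deleting it, and add a comment stating the reason and the change that is expected to remove the gate, so the default-deny policy cannot silently fail to land. The task list continues outside the hunk.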
@@ -173,7 +173,7 @@ Streisand 运行在**你自己的计算机上时(或者你电脑的虚拟机 ### 在其他的 VPS 供应商上运行 (高级使用)### -你同样可以将 Streisand 运行在其他 VPS 供应商(提供更好的硬件也没问题,奇葩的 VPS 供应商也行)的 16.04 Ubuntu 上,只需要你在运行 ./streisand 的时候选择菜单中的 "Existing Server (Advanced)" 就可以。你需要提供这个 VPS 的 IP 地址。 +你同样可以将 Streisand 运行在其他 VPS 供应商(提供更好的硬件也没问题,奇葩的 VPS 供应商也行)的 18.04 Ubuntu 上,只需要你在运行 ./streisand 的时候选择菜单中的 "Existing Server (Advanced)" 就可以。你需要提供这个 VPS 的 IP 地址。 这个 VPS 必须使用 `$HOME/.ssh/id_rsa` 来储存 SSH key,并且可以使用 **root** 作为默认用户登录 VPS,如果提供商没有给你 root 用户作为默认用户登录,而是别的用户名,比如:`ubuntu` ,那么在运行 `./streisand` 之前需要额外配置 `ANSIBLE_SSH_USER` 环境变量,比如修改为:`ANSIBLE_SSH_USER=ubuntu` 。 diff --git a/README-fr.md b/README-fr.md index 4106438aa..e449b9724 100644 --- a/README-fr.md +++ b/README-fr.md 
@@ -18,8 +18,8 @@ L'Internet peut être un peu injuste. Il est trop facile pour les fournisseurs d Présentation de Streisand ------------------------- -* Une seule commande configure un tout nouveau serveur Ubuntu 16.04 exécutant une [grande variété de logiciels anti-censure](#services-provided) qui peuvent masquer et chiffrer totalement votre trafic Internet. -* Streisand supporte nativement la création de nouveaux serveurs chez [Amazon EC2](https://aws.amazon.com/ec2/), [Azure](https://azure.microsoft.com/fr-fr/), [DigitalOcean](https://www.digitalocean.com/), [Google Compute Engine](Https://cloud.google.com/compute/), [Linode](https://www.linode.com/) et [Rackspace](https://www.rackspace.com/)— et plus de fournisseurs à venir! Il fonctionne également sur n'importe quel serveur Ubuntu 16.04 quel que soit le fournisseur, et des **centaines** d'instances peuvent être configurés simultanément en utilisant cette méthode. +* Une seule commande configure un tout nouveau serveur Ubuntu 18.04 exécutant une [grande variété de logiciels anti-censure](#services-provided) qui peuvent masquer et chiffrer totalement votre trafic Internet. +* Streisand supporte nativement la création de nouveaux serveurs chez [Amazon EC2](https://aws.amazon.com/ec2/), [Azure](https://azure.microsoft.com/fr-fr/), [DigitalOcean](https://www.digitalocean.com/), [Google Compute Engine](Https://cloud.google.com/compute/), [Linode](https://www.linode.com/) et [Rackspace](https://www.rackspace.com/)— et plus de fournisseurs à venir! Il fonctionne également sur n'importe quel serveur Ubuntu 18.04 quel que soit le fournisseur, et des **centaines** d'instances peuvent être configurés simultanément en utilisant cette méthode. 
* Le processus est entièrement automatisé et ne prend que quelques dizaines de minutes, ce qui est assez remarquable si vous considérez qu'il faudrait un administrateur système au moins plusieurs jours de contrainte pour mettre en place un petit sous-ensemble de ce que Streisand offre dans sa configuration. * Une fois que votre serveur Streisand est en cours d'exécution, vous pouvez donner les instructions de connexion personnalisée à vos amis, membres de la famille et activistes. Les instructions de connexion contiennent une copie intégrée du certificat SSL unique du serveur, il vous suffit de leur envoyer un seul fichier. * Chaque serveur est entièrement autonome et comprend tout ce dont les utilisateurs ont besoin pour démarrer, y compris les miroirs cryptographiquement vérifiés de tous les clients communs. Cela rend toute tentative de censure des emplacements de téléchargement par défaut complètement inefficace. 
@@ -149,7 +149,7 @@ Si vous ne pouvez pas exécuter Streisand de la manière normale (à partir de v ### Exécution de Streisand sur d'autres fournisseurs (Avancé) ### -Vous pouvez également exécuter Streisand sur un nouveau serveur Ubuntu 16.04. Serveur dédié? Génial! Fournisseur de cloud ésotérique? Fantastique! Pour ce faire, choisissez simplement `Existing server (Advanced)` dans le menu après avoir exécuté `./streisand` et fournissez l'adresse IP du serveur existant lorsque vous y êtes invité. +Vous pouvez également exécuter Streisand sur un nouveau serveur Ubuntu 18.04. Serveur dédié? Génial! Fournisseur de cloud ésotérique? Fantastique! Pour ce faire, choisissez simplement `Existing server (Advanced)` dans le menu après avoir exécuté `./streisand` et fournissez l'adresse IP du serveur existant lorsque vous y êtes invité. Le serveur doit être accessible en utilisant la clé SSH `$HOME/.ssh/id_rsa`, avec **root** comme utilisateur de connexion par défaut. Si votre fournisseur vous demande un utilisateur SSH au lieu de `root` (par exemple, `ubuntu`), spécifiez la variable environnementale `ANSIBLE_SSH_USER` (par exemple `ANSIBLE_SSH_USER=ubuntu`) lorsque vous exécutez `./streisand`. diff --git a/README-ru.md b/README-ru.md index a1ffba27d..5330aa276 100644 --- a/README-ru.md +++ b/README-ru.md 
@@ -18,8 +18,8 @@ Представляем Стрейзанд --------------------- -* Одна-единственная команда настраивает с нуля сервер под операционной системой Ubuntu 16.04 с большим набором [ПО для противодействия цензуре](#services-provided), который может полностью скрыть и зашифровать весь ваш трафик. -* Стрейзанд поддерживает создание новых серверов в [Amazon EC2](https://aws.amazon.com/ec2/), [Azure](https://azure.microsoft.com), [DigitalOcean](https://www.digitalocean.com/), [Google Compute Engine](https://cloud.google.com/compute/), [Linode](https://www.linode.com/), и [Rackspace](https://www.rackspace.com/). В скором времени ожидается поддержка также и других облачных хостеров. Стрейзанд также можно запускать на любом сервере с операционной системой Ubuntu 16.04 вне зависимости от хостера, и **сотни** серверов могут быть одновременно сконфигурированы с применением этого метода. +* Одна-единственная команда настраивает с нуля сервер под операционной системой Ubuntu 18.04 с большим набором [ПО для противодействия цензуре](#services-provided), который может полностью скрыть и зашифровать весь ваш трафик. +* Стрейзанд поддерживает создание новых серверов в [Amazon EC2](https://aws.amazon.com/ec2/), [Azure](https://azure.microsoft.com), [DigitalOcean](https://www.digitalocean.com/), [Google Compute Engine](https://cloud.google.com/compute/), [Linode](https://www.linode.com/), и [Rackspace](https://www.rackspace.com/). В скором времени ожидается поддержка также и других облачных хостеров. Стрейзанд также можно запускать на любом сервере с операционной системой Ubuntu 18.04 вне зависимости от хостера, и **сотни** серверов могут быть одновременно сконфигурированы с применением этого метода. * Процесс полностью автоматизирован и занимает примерно десять минут, что довольно круто, учитывая что среднему системному администратору требуется несколько дней возни, для того, чтобы настроить малую часть того, что Стрейзанд предлагает "из коробки". 
* После того, как ваш сервер Стрейзанд запущен, вы можете раздать инструкции по подключению друзьям, членам семьи и соратникам. Инструкции по подключению содержат в себе копию SSL-сертификата, уникального для каждого сервера, так что вам нужно послать им всего один файл. * Каждый сервер полностью самодостаточен и содержит абсолютно всё, что нужно для того, чтобы начать использовать Стрейзанд, включая криптографически верифицированные копии основного клиентского ПО. Это позволяет обойти попытки подвергнуть цензуре соответствующее ПО. @@ -174,7 +174,7 @@ ### Использование Стрейзанд для других хостеров (Для продвинутых) ### -Вы также можете запустить Стрейзанд на любом сервере Ubuntu 16.04. Выделенный сервер? Отлично! Странный облачный хостер? Замечательно! Чтобы это сделать, просто выберите +Вы также можете запустить Стрейзанд на любом сервере Ubuntu 18.04. Выделенный сервер? Отлично! Странный облачный хостер? Замечательно! Чтобы это сделать, просто выберите "Existing Server (Advanced)" из меню после запуска `./streisand` и введите IP адрес существующего сервера , когда скрипт запросит эти данные. Этот сервер должен разрешать подключение с SSH-ключом `$HOME/.ssh/id_rsa` и по умолчанию для подключения будет использоваться пользователь **root**. Если ваш хостер требует, чтобы для подключения использовался какой-то другой пользователь (например `ubuntu`), установите переменную среды `ANSIBLE_SSH_USER` (например `ANSIBLE_SSH_USER=ubuntu` ) перед запуском `./streisand`. From 0ac014408baf7afbb345a91c085ce4676250b43b Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Sat, 28 Apr 2018 21:39:23 -0400 Subject: [PATCH 07/20] cleanup --- playbooks/roles/common/templates/resolvd.conf.j2 | 4 ++-- playbooks/roles/common/vars/main.yml | 2 +- playbooks/vagrant.yml | 5 ----- 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/playbooks/roles/common/templates/resolvd.conf.j2 b/playbooks/roles/common/templates/resolvd.conf.j2 index c20f93380..523fa3e2f 100644 
--- a/playbooks/roles/common/templates/resolvd.conf.j2 +++ b/playbooks/roles/common/templates/resolvd.conf.j2 @@ -13,9 +13,9 @@ [Resolve] DNS={{ upstream_dns_servers | join(' ') }} -#FallbackDNS= +FallbackDNS=1.1.1.1 1.0.0.1 #Domains= -#LLMNR=no +LLMNR=yes #MulticastDNS=no DNSSEC=no Cache=yes diff --git a/playbooks/roles/common/vars/main.yml b/playbooks/roles/common/vars/main.yml index a7965fdeb..9033712d6 100644 --- a/playbooks/roles/common/vars/main.yml +++ b/playbooks/roles/common/vars/main.yml @@ -7,7 +7,7 @@ streisand_common_packages: # Used to perform a system upgrade - aptitude # Used to compile Libreswan and OpenConnect Server (ocserv) - - build-essential + #- build-essential # Used to perform API requests, including the version check for # the Tor Browser Bundle - curl diff --git a/playbooks/vagrant.yml b/playbooks/vagrant.yml index f3fb92b02..5c03f0f99 100644 --- a/playbooks/vagrant.yml +++ b/playbooks/vagrant.yml @@ -14,11 +14,6 @@ # fact with an interface's details. Without the below route being added this # results in enp0s3 being used when we want enp0s8 to be used. We work # around this by setting a route for 8.8.8.8 through enp0s8. - - name: Install ifupdown - apt: - name: ifupdown - state: present - - name: Workaround Ansible default ipv4 interface detection raw: route add -net 8.8.8.8 netmask 255.255.255.255 enp0s8 args: From 5c3adb7b3f0843101ecac4cba57c42179a993a95 Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Sun, 29 Apr 2018 09:52:07 -0400 Subject: [PATCH 08/20] commit --- .../roles/openconnect/tasks/firewall.yml | 22 +++++++++---------- playbooks/roles/openvpn/tasks/firewall.yml | 22 +++++++++---------- playbooks/roles/openvpn/tasks/main.yml | 10 ++++----- playbooks/roles/wireguard/meta/main.yml | 2 +- playbooks/roles/wireguard/tasks/main.yml | 16 +++++++------- 5 files changed, 36 insertions(+), 36 deletions(-) 
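Review bot: `LLMNR=yes` turns on Link-Local Multicast Name Resolution on a host that is an internet-facing VPN gateway; LLMNR only has a role on a trusted LAN and is a well-known name-spoofing target, so enabling it here adds listening surface with no benefit to the gateway's clients. Keep `LLMNR=no` (the stock default the hunk previously had commented) unless there is a documented need. `FallbackDNS=1.1.1.1 1.0.0.1` also hard-codes a third-party resolver into a template whose `DNS=` line is driven by `upstream_dns_servers`; if a fallback is wanted it should come from a role variable, so operators who chose their upstreams deliberately are not sent to a different provider when the primary list is empty, and a comment should state which condition triggers it.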
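Review bot: Commenting out `- build-essential` leaves the comment directly above it (`Used to compile Libreswan and OpenConnect Server (ocserv)`) describing a package that is no longer installed, so the list now documents the opposite of what it does. If the compile step is gone on bionic because distro packages are used, change the comment to say so (e.g. `# build-essential no longer needed: packaged ocserv/libreswan are used on 18.04 -- confirm`) or remove both lines together; if a compile step still exists elsewhere in the playbooks, dropping the package will break it later in the run. The package list continues outside the hunk.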
diff --git a/playbooks/roles/openconnect/tasks/firewall.yml b/playbooks/roles/openconnect/tasks/firewall.yml index f388cdfd0..c19ab1e81 100644 --- a/playbooks/roles/openconnect/tasks/firewall.yml +++ b/playbooks/roles/openconnect/tasks/firewall.yml @@ -12,15 +12,15 @@ proto: "any" rule: "allow" -- name: Install the ocserv iptables service file - template: - src: ocserv-iptables.service.j2 - dest: /etc/systemd/system/ocserv-iptables.service - mode: 0644 +#- name: Install the ocserv iptables service file +# template: +# src: ocserv-iptables.service.j2 +# dest: /etc/systemd/system/ocserv-iptables.service +# mode: 0644 -- name: Enable the ocserv-iptables service - systemd: - daemon_reload: yes - name: ocserv-iptables.service - enabled: yes - state: started +#- name: Enable the ocserv-iptables service +# systemd: +# daemon_reload: yes +# name: ocserv-iptables.service +# enabled: yes +# state: started diff --git a/playbooks/roles/openvpn/tasks/firewall.yml b/playbooks/roles/openvpn/tasks/firewall.yml index e2d516629..4a75c25de 100644 --- a/playbooks/roles/openvpn/tasks/firewall.yml +++ b/playbooks/roles/openvpn/tasks/firewall.yml @@ -29,15 +29,15 @@ proto: "udp" rule: "allow" -- name: Install the OpenVPN iptables service file - template: - src: openvpn-iptables.service.j2 - dest: /etc/systemd/system/openvpn-iptables.service - mode: 0644 +#- name: Install the OpenVPN iptables service file +# template: +# src: openvpn-iptables.service.j2 +# dest: /etc/systemd/system/openvpn-iptables.service +# mode: 0644 -- name: Enable the openvpn-iptables service - systemd: - daemon_reload: yes - name: openvpn-iptables.service - enabled: yes - state: started +#- name: Enable the openvpn-iptables service +# systemd: +# daemon_reload: yes +# name: openvpn-iptables.service +# enabled: yes +# state: started diff --git a/playbooks/roles/openvpn/tasks/main.yml b/playbooks/roles/openvpn/tasks/main.yml index 18d03f64c..697127f52 100644 --- a/playbooks/roles/openvpn/tasks/main.yml 
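Review bot: Commenting out the `ocserv-iptables.service` install and enable tasks (and likewise the `openvpn-iptables.service` tasks in the openvpn firewall.yml hunk on this same line) removes the persistent iptables rules those units load, while the `ufw` allow rule at the top of each hunk is kept; the role now opens the port but no longer installs the forwarding/NAT rules the unit presumably carried, so clients will likely reach the gateway and nothing beyond it, and the remaining ufw rule becomes misleading. If the units fail on bionic, gate them with a `when:` or fix the unit template rather than leaving dead commented tasks, and at minimum add a comment above each block stating why they are disabled and what replaces them. Both files continue outside their hunks.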
+++ b/playbooks/roles/openvpn/tasks/main.yml @@ -2,11 +2,11 @@ # Add the apt key and install OpenVPN - import_tasks: install.yml -- name: "Configure DNSMasq to listen on {{ dnsmasq_openvpn_tcp_ip }}:53 and {{ dnsmasq_openvpn_udp_ip }}:53" - template: - src: openvpn_dnsmasq.conf.j2 - dest: /etc/dnsmasq.d/openvpn.conf - notify: Restart dnsmasq +#- name: "Configure DNSMasq to listen on {{ dnsmasq_openvpn_tcp_ip }}:53 and {{ dnsmasq_openvpn_udp_ip }}:53" +# template: +# src: openvpn_dnsmasq.conf.j2 +# dest: /etc/dnsmasq.d/openvpn.conf +# notify: Restart dnsmasq - include_role: name: certificates diff --git a/playbooks/roles/wireguard/meta/main.yml b/playbooks/roles/wireguard/meta/main.yml index fb954d5d4..3814d9a6c 100644 --- a/playbooks/roles/wireguard/meta/main.yml +++ b/playbooks/roles/wireguard/meta/main.yml @@ -1,4 +1,4 @@ --- dependencies: - - { role: dnsmasq } + #- { role: dnsmasq } - { role: ip-forwarding } diff --git a/playbooks/roles/wireguard/tasks/main.yml b/playbooks/roles/wireguard/tasks/main.yml index c44a207d7..330e98fa9 100644 --- a/playbooks/roles/wireguard/tasks/main.yml +++ b/playbooks/roles/wireguard/tasks/main.yml 
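Review bot: Disabling the `openvpn_dnsmasq.conf` template here, together with the wireguard `dnsmasq` dependency in the wireguard meta/main.yml hunk on this line and the wireguard dnsmasq config and restart tasks in the next hunk, leaves no listener on the `dnsmasq_openvpn_*_ip` / `dnsmasq_wireguard_ip` addresses the removed task names reference, while nothing in these hunks repoints the client configurations that presumably still hand out those addresses as DNS servers. Clients will then either fail to resolve or fall back to whatever resolver their OS picks outside the tunnel, which defeats the purpose of pushing a gateway DNS. If systemd-resolved is the intended replacement on bionic, the replacement listener and the client-side DNS address should land in the same change, and a comment above each disabled block should say so. All three task lists continue outside their hunks.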
@@ -117,20 +117,20 @@ # Temporary workaround for issue #500 ignore_errors: yes -- name: "Configure DNSMasq to listen on {{ dnsmasq_wireguard_ip }}:53" - template: - src: wireguard_dnsmasq.conf.j2 - dest: /etc/dnsmasq.d/wireguard.conf +#- name: "Configure DNSMasq to listen on {{ dnsmasq_wireguard_ip }}:53" +# template: +# src: wireguard_dnsmasq.conf.j2 +# dest: /etc/dnsmasq.d/wireguard.conf # NOTE(@cpu): We don't use a `notify` to "Restart dnsmasq" here because it seems # that in some conditions Ansible mistakenly believes the dnsmasq restart can be # skipped. We also don't use "reloaded" instead of "restarted" here because # dnsmasq doesn't seem to reload _new_ config files in that case, just existing # ones. A full restart is required in practice (sigh) -- name: "Restart DNSMasq to pick up the new configuration" - service: - name: dnsmasq - state: restarted +#- name: "Restart DNSMasq to pick up the new configuration" +# service: +# name: dnsmasq +# state: restarted # Generate Gateway documentation - import_tasks: docs.yml From 26f89dbd77b6fcb3e09c48503f7854544bd7a9c9 Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Thu, 28 Jun 2018 21:43:08 -0400 Subject: [PATCH 09/20] gpg agent start, set dns stub resolver to no --- playbooks/roles/common/templates/resolvd.conf.j2 | 2 +- playbooks/roles/gpg/tasks/main.yml | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/playbooks/roles/common/templates/resolvd.conf.j2 b/playbooks/roles/common/templates/resolvd.conf.j2 index 523fa3e2f..ecf46c93b 100644 --- a/playbooks/roles/common/templates/resolvd.conf.j2 +++ b/playbooks/roles/common/templates/resolvd.conf.j2 @@ -19,4 +19,4 @@ LLMNR=yes #MulticastDNS=no DNSSEC=no Cache=yes -DNSStubListener=yes +DNSStubListener=no diff --git a/playbooks/roles/gpg/tasks/main.yml b/playbooks/roles/gpg/tasks/main.yml index 8f8883362..08e670b4f 100644 --- a/playbooks/roles/gpg/tasks/main.yml +++ b/playbooks/roles/gpg/tasks/main.yml 
@@ -50,6 +50,9 @@
 - name: "Start a new dirmngr with our config changes"
 command: "gpgconf --launch dirmngr"
+- name: "Start the gpg-agent"
+ command: "gpg-agent --daemon --write-env-file {{ root_gpg_dir }}"
+
 - name: "Wait for the GPG agent and dirmngr control sockets"
 wait_for:
 path: "{{ root_gpg_dir }}/{{ item }}"
From 300085c6753dc3cf804a829fbc023035759834e9 Mon Sep 17 00:00:00 2001
From: Ali Makki
Date: Fri, 29 Jun 2018 16:40:36 -0400
Subject: [PATCH 10/20] fix device already exists error in travis
---
 tests/development-setup.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/development-setup.yml b/tests/development-setup.yml
index 1c30b259a..e04157d9e 100644
--- a/tests/development-setup.yml
+++ b/tests/development-setup.yml
@@ -80,8 +80,8 @@
 - name: lxd create network
 command: lxc network create testbr0
- - name: lxd attach network to default profile
- command: lxc network attach-profile testbr0 default eth0
+ #- name: lxd attach network to default profile
+ # command: lxc network attach-profile testbr0 default eth0
 - name: Retrieve the Ubuntu Bionic AMD64 LXC image fingerprint
 uri:
From fff1d75c1b39bb6dfb988f257fab852a09623e16 Mon Sep 17 00:00:00 2001
From: Ali Makki
Date: Fri, 29 Jun 2018 20:58:02 -0400
Subject: [PATCH 11/20] disabling openvpn, shadowsocks
---
 playbooks/roles/common/templates/resolvd.conf.j2 | 5 ++---
 playbooks/roles/openvpn/meta/main.yml | 2 +-
 playbooks/streisand.yml | 8 ++++----
 3 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/playbooks/roles/common/templates/resolvd.conf.j2 b/playbooks/roles/common/templates/resolvd.conf.j2
index ecf46c93b..765720d12 100644
--- a/playbooks/roles/common/templates/resolvd.conf.j2
+++ b/playbooks/roles/common/templates/resolvd.conf.j2
@@ -14,9 +14,8 @@
 [Resolve]
 DNS={{ upstream_dns_servers | join(' ') }}
 FallbackDNS=1.1.1.1 1.0.0.1
-#Domains=
+DNSOverTLS="opportunistic"
 LLMNR=yes
-#MulticastDNS=no
 DNSSEC=no
 Cache=yes
-DNSStubListener=no
+DNSStubListener=yes
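Review bot: `gpg-agent --daemon --write-env-file {{ root_gpg_dir }}` relies on an option that GnuPG 2.1+ (Bionic ships 2.2) treats as obsolete — it logs a warning and has no effect — and starting the agent with `--daemon` from a `command:` task is not idempotent, since a second run finds an agent already running. The preceding task already uses `gpgconf --launch dirmngr`; the consistent, version-stable form is `command: "gpgconf --launch gpg-agent"`, which is a no-op when the agent is up. Patch 15 later deletes this task again (line 25), so if something in CI depends on the agent being started explicitly, a comment recording that is more useful than an add-then-remove.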
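Review bot: Commenting out `lxc network attach-profile testbr0 default eth0` silences the "device already exists" error but also means a fresh runner whose default profile has no `eth0` never gets the bridge attached, so the test setup only works on images where the attach was already done. Make the step idempotent instead: register `lxc profile show default` and run the attach with a `when:` that checks the registered stdout for `eth0`, or limit `failed_when` to that specific error text. The commented-out task should then be deleted rather than kept.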
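Review bot: `DNSOverTLS="opportunistic"` is unlikely to do anything on the target platform: Ubuntu 18.04 ships systemd 237 and `DNSOverTLS=` arrived in systemd 239, so resolved logs an unknown-key warning and ignores the line; resolved's config parsers also appear to take the value verbatim, so the double quotes would make even a newer systemd reject it — write `DNSOverTLS=opportunistic` unquoted with a comment naming the minimum systemd version. Opportunistic mode falls back to plaintext whenever TLS fails, so an on-path attacker can downgrade it; it must not be presented as a privacy guarantee. The `#Domains=` and `#MulticastDNS=no` reference comments are harmless and worth keeping, and `DNSStubListener` flips back to `yes` here without the commit message saying why.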
diff --git a/playbooks/roles/openvpn/meta/main.yml b/playbooks/roles/openvpn/meta/main.yml index c2fd8b436..3a2781432 100644 --- a/playbooks/roles/openvpn/meta/main.yml +++ b/playbooks/roles/openvpn/meta/main.yml @@ -2,5 +2,5 @@ dependencies: # OpenVPN needs to be added to the firewall - { role: ufw } - - { role: dnsmasq } + # - { role: dnsmasq } - { role: ip-forwarding } diff --git a/playbooks/streisand.yml b/playbooks/streisand.yml index f78dc065b..4571de6e3 100644 --- a/playbooks/streisand.yml +++ b/playbooks/streisand.yml @@ -23,10 +23,10 @@ - service-net - role: openconnect when: streisand_openconnect_enabled - - role: openvpn - when: streisand_openvpn_enabled - - role: shadowsocks - when: streisand_shadowsocks_enabled + #- role: openvpn + # when: streisand_openvpn_enabled + #- role: shadowsocks + # when: streisand_shadowsocks_enabled - role: ssh-forward when: streisand_ssh_forward_enabled - role: tinyproxy From 26df041acf27b18f84f0b73d4261ed62b8be4465 Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Fri, 29 Jun 2018 21:06:28 -0400 Subject: [PATCH 12/20] tinyproxy cleanup --- playbooks/roles/tinyproxy/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playbooks/roles/tinyproxy/tasks/main.yml b/playbooks/roles/tinyproxy/tasks/main.yml index b97014b6b..74db4b66b 100644 --- a/playbooks/roles/tinyproxy/tasks/main.yml +++ b/playbooks/roles/tinyproxy/tasks/main.yml @@ -40,10 +40,10 @@ group: root mode: 0644 -- name: Clean up the installed-by-default tinyproxy configuration file - file: - path: /etc/tinyproxy.conf - state: absent +#- name: Clean up the installed-by-default tinyproxy configuration file +# file: +# path: /etc/tinyproxy.conf +# state: absent - name: Enable and restart the tinyproxy service systemd: From 12064b2dc367aae23cd91463ebfb4d8fc19c544a Mon Sep 17 00:00:00 2001 
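Review bot: The openvpn and shadowsocks roles are disabled by commenting them out of the play instead of through the `streisand_openvpn_enabled`/`streisand_shadowsocks_enabled` flags that exist for exactly this purpose, so a user who sets those flags gets neither the role nor any sign it was skipped, and any firewall, mirror or gateway-doc tasks that key off the same flags (outside this hunk) presumably still advertise the services. Keep the roles in the list and set the flags to `false` in the defaults if they must be off on Bionic; the openvpn meta hunk above drops the dnsmasq dependency the same way and should be handled the same.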
From: Ali Makki Date: Sun, 1 Jul 2018 21:32:12 -0400 Subject: [PATCH 13/20] temp commit --- playbooks/roles/tinyproxy/tasks/main.yml | 10 ---------- playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 | 2 +- .../roles/tinyproxy/templates/tinyproxy.service.j2 | 4 ++-- .../roles/tinyproxy/templates/tinyproxytmp.conf.j2 | 1 + playbooks/roles/tinyproxy/vars/main.yml | 3 +++ 5 files changed, 7 insertions(+), 13 deletions(-) diff --git a/playbooks/roles/tinyproxy/tasks/main.yml b/playbooks/roles/tinyproxy/tasks/main.yml index 74db4b66b..d19a23470 100644 --- a/playbooks/roles/tinyproxy/tasks/main.yml +++ b/playbooks/roles/tinyproxy/tasks/main.yml @@ -3,11 +3,6 @@ apt: package: tinyproxy -- name: Stop (init.d's) tinyproxy - systemd: - name: tinyproxy.service - state: stopped - - name: Create the tinyproxy config directory file: path: "{{ tinyproxy_conf_dir }}" @@ -40,11 +35,6 @@ group: root mode: 0644 -#- name: Clean up the installed-by-default tinyproxy configuration file -# file: -# path: /etc/tinyproxy.conf -# state: absent - - name: Enable and restart the tinyproxy service systemd: daemon_reload: yes diff --git a/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 b/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 index 4b829a0c7..41c264461 100644 --- a/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 +++ b/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 @@ -55,7 +55,7 @@ StatFile "/usr/share/tinyproxy/stats.html" # and enable the Syslog directive. These directives are mutually # exclusive. # -Logfile "/var/log/tinyproxy/tinyproxy.log" +# Logfile "{{ tinyproxy_log_file }}" # # LogLevel: diff --git a/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 b/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 index 63a799ac3..75289b646 100644 --- a/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 +++ b/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 
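Review bot: Commenting out `Logfile` leaves the rendered tinyproxy config with neither `Logfile` nor `Syslog`, while the vars hunk on the next line introduces `tinyproxy_log_file` and the tmpfiles template creates its directory, so the three pieces disagree on whether file logging is wanted. Decide once: keep `Logfile "{{ tinyproxy_log_file }}"` if the log is wanted (patch 15 restores it), otherwise drop the new variable and tmpfiles entry rather than shipping an unused directory. The removed `Stop (init.d's) tinyproxy` task in the first hunk appears to be what stopped the package-started instance before the custom unit replaced it; a sentence in the commit message on why it is no longer needed would help, since "temp commit" gives no rationale.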
@@ -1,6 +1,6 @@
 [Unit]
 Description=tinyproxy - a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems
-After=network-online.target sshd.service
+After=network.target sshd.service
 Documentation=man:tinyproxy(8)
 Documentation=https://www.banu.com/tinyproxy/
@@ -8,9 +8,9 @@ Documentation=https://www.banu.com/tinyproxy/
 Type=forking
 PIDFile={{ tinyproxy_pid_file }}
 ExecStart=/usr/sbin/tinyproxy -c {{ tinyproxy_conf_file }}
-ExecStop=/usr/bin/killall -9 tinyproxy
 ExecReload=/bin/kill -HUP $MAINPID
 PrivateTmp=true
+PrivateDevices=yes
 RestartSec=5s
 Restart=on-failure
diff --git a/playbooks/roles/tinyproxy/templates/tinyproxytmp.conf.j2 b/playbooks/roles/tinyproxy/templates/tinyproxytmp.conf.j2
index df4df4aa5..92205b781 100644
--- a/playbooks/roles/tinyproxy/templates/tinyproxytmp.conf.j2
+++ b/playbooks/roles/tinyproxy/templates/tinyproxytmp.conf.j2
@@ -2,3 +2,4 @@
 # tinyproxy to write its PID file
 # https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
 d {{ tinyproxy_pid_dir }} 0755 nobody nogroup -
+d {{ tinyproxy_log_dir }} 0755 nobody nogroup -
diff --git a/playbooks/roles/tinyproxy/vars/main.yml b/playbooks/roles/tinyproxy/vars/main.yml
index 21d667f54..ef4df9142 100644
--- a/playbooks/roles/tinyproxy/vars/main.yml
+++ b/playbooks/roles/tinyproxy/vars/main.yml
@@ -5,6 +5,9 @@ tinyproxy_port: 8888
 tinyproxy_listen_address: "127.0.0.1"
 tinyproxy_log_level: "Critical"
+tinyproxy_log_dir: "/var/log/tinyproxy"
+tinyproxy_log_file: "{{ tinyproxy_log_dir }}/tinyproxy.log"
+
 tinyproxy_pid_dir: "/var/run/tinyproxy"
 tinyproxy_pid_file: "{{ tinyproxy_pid_dir }}/tinyproxy.pid"
From 0f37141fcca48f6fcc39da7be9a82e4a2d75457a Mon Sep 17 00:00:00 2001
From: Ali Makki
Date: Sun, 23 Sep 2018 14:48:36 -0400
Subject: [PATCH 14/20] comment out openvpn apt, install from ubuntu repo instead
---
 playbooks/roles/openvpn/tasks/install.yml | 28 +++++++++++------------
 playbooks/streisand.yml | 4 ++--
 2 files changed, 16 insertions(+), 16 deletions(-)
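Review bot: Removing `ExecStop=/usr/bin/killall -9 tinyproxy` is the right call (systemd's default SIGTERM to the unit's cgroup is cleaner, and killall by name can hit unrelated processes), and `PrivateDevices=yes` is a good addition; the relaxation from `network-online.target` to `network.target` deserves a one-line comment in the template, since the daemon binds `tinyproxy_listen_address` and a non-loopback value may not be assignable yet at `network.target`. With `PrivateTmp` and `PrivateDevices` already set, `NoNewPrivileges=yes` and `ProtectSystem=full` would be consistent additions for a daemon that only reads its config and writes a log and PID file.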
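Review bot: `d {{ tinyproxy_log_dir }} 0755 nobody nogroup -` makes the proxy log directory world-readable; tinyproxy's log records the hosts (and at `Connect`/`Info` level the requests) that VPN clients visit, so any local account on the gateway can read them. `0750` is sufficient for the daemon, e.g. `d {{ tinyproxy_log_dir }} 0750 nobody nogroup -`, and the mode of the log file itself, which the daemon creates under its own umask, is worth checking after the first restart.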
diff --git a/playbooks/roles/openvpn/tasks/install.yml b/playbooks/roles/openvpn/tasks/install.yml index 6ec9ee688..0002f8863 100644 --- a/playbooks/roles/openvpn/tasks/install.yml +++ b/playbooks/roles/openvpn/tasks/install.yml @@ -1,19 +1,19 @@ --- -- name: "Add the official OpenVPN APT key; hiding 25 lines of log..." - apt_key: - id: E158C569 - data: "{{ item }}" - with_file: openvpn_signing.key - no_log: True +#- name: "Add the official OpenVPN APT key; hiding 25 lines of log..." +# apt_key: +# id: E158C569 +# data: "{{ item }}" +# with_file: openvpn_signing.key +# no_log: True -- name: Add the official OpenVPN repository - apt_repository: - repo: 'deb https://build.openvpn.net/debian/openvpn/stable {{ ansible_lsb.codename }} main' - state: present - register: openvpn_add_apt_repository - until: not openvpn_add_apt_repository.failed - retries: "{{ apt_repository_retries }}" - delay: "{{ apt_repository_delay }}" +#- name: Add the official OpenVPN repository +# apt_repository: +# repo: 'deb https://build.openvpn.net/debian/openvpn/stable {{ ansible_lsb.codename }} main' +# state: present +# register: openvpn_add_apt_repository +# until: not openvpn_add_apt_repository.failed +# retries: "{{ apt_repository_retries }}" +# delay: "{{ apt_repository_delay }}" - name: Install OpenVPN and its dependencies from APT apt: diff --git a/playbooks/streisand.yml b/playbooks/streisand.yml index 4571de6e3..fdcd30a35 100644 --- a/playbooks/streisand.yml +++ b/playbooks/streisand.yml @@ -23,8 +23,8 @@ - service-net - role: openconnect when: streisand_openconnect_enabled - #- role: openvpn - # when: streisand_openvpn_enabled + - role: openvpn + when: streisand_openvpn_enabled #- role: shadowsocks # when: streisand_shadowsocks_enabled - role: ssh-forward From 87aaedff06ddd65fd375f158a09a94c491787570 Mon Sep 17 00:00:00 2001 
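Review bot: The now-commented `apt_key` task identifies the OpenVPN signing key only by the 8-hex-digit short ID `E158C569`; if the task comes back (patch 15 re-enables it), `id:` should hold the full fingerprint so the module verifies the whole key rather than a collision-prone short ID. Installing `openvpn` from the Ubuntu archive is the better supply-chain choice here (already-trusted archive keys, fixes via the security pocket), so the dead `apt_key`/`apt_repository` blocks and the presumably unused `openvpn_signing.key` should be deleted rather than commented out, with a comment in install.yml recording that the upstream repository was dropped in favour of the archive. The `Install OpenVPN and its dependencies from APT` task continues outside the hunk.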
From: Ali Makki Date: Sun, 30 Sep 2018 07:31:26 -0400 Subject: [PATCH 15/20] somewhat cleaner --- playbooks/roles/common/vars/main.yml | 2 - .../roles/dnsmasq/templates/dnsmasq.conf.j2 | 10 +- playbooks/roles/gpg/tasks/main.yml | 3 - playbooks/roles/openvpn/meta/main.yml | 2 +- playbooks/roles/openvpn/tasks/install.yml | 12 +- playbooks/roles/openvpn/tasks/main.yml | 10 +- .../stunnel/templates/stunnel-remote.conf.j2 | 1 - playbooks/roles/tinyproxy/tasks/main.yml | 61 ++--- .../tinyproxy/templates/tinyproxy.conf.j2 | 211 +++++++++++++++++- .../tinyproxy/templates/tinyproxy.service.j2 | 10 +- playbooks/roles/tinyproxy/vars/main.yml | 4 +- playbooks/roles/wireguard/meta/main.yml | 2 +- playbooks/streisand.yml | 4 +- 13 files changed, 259 insertions(+), 73 deletions(-) diff --git a/playbooks/roles/common/vars/main.yml b/playbooks/roles/common/vars/main.yml index 9033712d6..6427a2e80 100644 --- a/playbooks/roles/common/vars/main.yml +++ b/playbooks/roles/common/vars/main.yml @@ -6,8 +6,6 @@ streisand_common_packages: - apt-transport-https # Used to perform a system upgrade - aptitude - # Used to compile Libreswan and OpenConnect Server (ocserv) - #- build-essential # Used to perform API requests, including the version check for # the Tor Browser Bundle - curl diff --git a/playbooks/roles/dnsmasq/templates/dnsmasq.conf.j2 b/playbooks/roles/dnsmasq/templates/dnsmasq.conf.j2 index d28901e6a..1b31c2089 100644 --- a/playbooks/roles/dnsmasq/templates/dnsmasq.conf.j2 +++ b/playbooks/roles/dnsmasq/templates/dnsmasq.conf.j2 @@ -18,6 +18,10 @@ bogus-priv # uncomment this. no-resolv -{% for item in upstream_dns_servers %} -server={{ item }} -{% endfor %} +bind-interfaces + +server=127.0.0.53 + +#{% for item in upstream_dns_servers %} +#server={{ item }} +#{% endfor %} diff --git a/playbooks/roles/gpg/tasks/main.yml b/playbooks/roles/gpg/tasks/main.yml index 08e670b4f..8f8883362 100644 --- a/playbooks/roles/gpg/tasks/main.yml +++ b/playbooks/roles/gpg/tasks/main.yml 
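Review bot: `server=127.0.0.53` forwards every client query to systemd-resolved's stub, which only works while `DNSStubListener=yes` in resolvd.conf (a value this series toggles twice) and while the host's `/etc/resolv.conf` does not itself point back at dnsmasq; neither dependency is stated, so add a comment above the line such as `# Forward to systemd-resolved's stub; needs DNSStubListener=yes and bind-interfaces so dnsmasq never claims 127.0.0.53`. Routing through resolved also changes the trust path: the upstream choice now comes from resolved's `DNS=`/`FallbackDNS=` (1.1.1.1 is a hard-coded fallback there) and its cache and LLMNR behaviour rather than from `upstream_dns_servers` directly — if that is intended, say so in the commit, otherwise keep the original `server=` loop. The `#{% for item in upstream_dns_servers %}` block still executes as Jinja and emits one `#server=` line per entry; use a Jinja comment (`{# ... #}`) or delete it.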
@@ -50,9 +50,6 @@ - name: "Start a new dirmngr with our config changes" command: "gpgconf --launch dirmngr" -- name: "Start the gpg-agent" - command: "gpg-agent --daemon --write-env-file {{ root_gpg_dir }}" - - name: "Wait for the GPG agent and dirmngr control sockets" wait_for: path: "{{ root_gpg_dir }}/{{ item }}" diff --git a/playbooks/roles/openvpn/meta/main.yml b/playbooks/roles/openvpn/meta/main.yml index 3a2781432..c2fd8b436 100644 --- a/playbooks/roles/openvpn/meta/main.yml +++ b/playbooks/roles/openvpn/meta/main.yml @@ -2,5 +2,5 @@ dependencies: # OpenVPN needs to be added to the firewall - { role: ufw } - # - { role: dnsmasq } + - { role: dnsmasq } - { role: ip-forwarding } diff --git a/playbooks/roles/openvpn/tasks/install.yml b/playbooks/roles/openvpn/tasks/install.yml index 0002f8863..e4de03494 100644 --- a/playbooks/roles/openvpn/tasks/install.yml +++ b/playbooks/roles/openvpn/tasks/install.yml @@ -1,10 +1,10 @@ --- -#- name: "Add the official OpenVPN APT key; hiding 25 lines of log..." -# apt_key: -# id: E158C569 -# data: "{{ item }}" -# with_file: openvpn_signing.key -# no_log: True +- name: "Add the official OpenVPN APT key; hiding 25 lines of log..." + apt_key: + id: E158C569 + data: "{{ item }}" + with_file: openvpn_signing.key + no_log: True #- name: Add the official OpenVPN repository # apt_repository: diff --git a/playbooks/roles/openvpn/tasks/main.yml b/playbooks/roles/openvpn/tasks/main.yml index 697127f52..18d03f64c 100644 --- a/playbooks/roles/openvpn/tasks/main.yml +++ b/playbooks/roles/openvpn/tasks/main.yml 
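Review bot: The `apt_key` task is re-enabled while the `apt_repository` task that used the key stays commented out, so the OpenVPN project's key is added to apt's trusted keyring for no repository that needs it, and any source later configured with packages signed by that key would be accepted. Either keep both tasks disabled (openvpn now comes from the Ubuntu archive) or re-enable both together; if the key is kept, replace the short `id: E158C569` with the full fingerprint and pass `keyring:` so it lands in a dedicated keyring file rather than the global trusted set.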
@@ -2,11 +2,11 @@ # Add the apt key and install OpenVPN - import_tasks: install.yml -#- name: "Configure DNSMasq to listen on {{ dnsmasq_openvpn_tcp_ip }}:53 and {{ dnsmasq_openvpn_udp_ip }}:53" -# template: -# src: openvpn_dnsmasq.conf.j2 -# dest: /etc/dnsmasq.d/openvpn.conf -# notify: Restart dnsmasq +- name: "Configure DNSMasq to listen on {{ dnsmasq_openvpn_tcp_ip }}:53 and {{ dnsmasq_openvpn_udp_ip }}:53" + template: + src: openvpn_dnsmasq.conf.j2 + dest: /etc/dnsmasq.d/openvpn.conf + notify: Restart dnsmasq - include_role: name: certificates diff --git a/playbooks/roles/stunnel/templates/stunnel-remote.conf.j2 b/playbooks/roles/stunnel/templates/stunnel-remote.conf.j2 index f2fe15428..74135f5e6 100644 --- a/playbooks/roles/stunnel/templates/stunnel-remote.conf.j2 +++ b/playbooks/roles/stunnel/templates/stunnel-remote.conf.j2 @@ -1,7 +1,6 @@ cert = {{ stunnel_cert }} key = {{ stunnel_key }} debug = 4 -options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 diff --git a/playbooks/roles/tinyproxy/tasks/main.yml b/playbooks/roles/tinyproxy/tasks/main.yml index d19a23470..4ebe5a827 100644 --- a/playbooks/roles/tinyproxy/tasks/main.yml +++ b/playbooks/roles/tinyproxy/tasks/main.yml 
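Review bot: Dropping `options = NO_SSLv2` is correct for Bionic (its OpenSSL 1.1.0 has no SSLv2 code, and stunnel apparently rejects the unknown option name), but the template should say why so the line is not re-added by someone comparing against older hardening guides; a one-line comment above the remaining `options =` lines, `# NO_SSLv2 omitted: OpenSSL >= 1.1.0 has no SSLv2 and stunnel errors on the option`, covers it. The remaining `NO_SSLv3`/`NO_TLSv1`/`NO_TLSv1.1` lines still leave TLS 1.2 as the minimum, so the posture is unchanged.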
@@ -3,37 +3,42 @@ apt: package: tinyproxy -- name: Create the tinyproxy config directory - file: - path: "{{ tinyproxy_conf_dir }}" - state: directory - owner: nobody - group: nogroup - mode: 0755 +#- name: Create the tinyproxy config directory +# file: +# path: "{{ tinyproxy_conf_dir }}" +# state: directory +# owner: nobody +# group: nogroup +# mode: 0755 -- name: Generate the tinyproxy configuration file - template: - src: tinyproxy.conf.j2 - dest: "{{ tinyproxy_conf_file }}" - owner: root - group: root - mode: 0644 +#- name: Generate the tinyproxy configuration file +# template: +# src: tinyproxy.conf.j2 +# dest: "{{ tinyproxy_conf_file }}" +# owner: root +# group: root +# mode: 0644 -- name: Generate the tinyproxy system unit file - template: - src: tinyproxy.service.j2 - dest: /etc/systemd/system/tinyproxy.service - owner: root - group: root - mode: 0644 +#- name: Create the tinyproxy systemd drop-in configuration directory +# file: +# path: "{{ tinyproxy_systemd_service_path }}" +# state: directory -- name: Generate the systemd tmpfile for tinyproxy - template: - src: tinyproxytmp.conf.j2 - dest: /etc/tmpfiles.d/tinyproxy.conf - owner: root - group: root - mode: 0644 +#- name: Generate the tinyproxy systemd drop-in service file +# template: +# src: tinyproxy.service.j2 +# dest: "{{ tinyproxy_systemd_service_path }}/10-restart-failure.service" +# owner: root +# group: root +# mode: 0644 + +#- name: Generate the systemd tmpfile for tinyproxy +# template: +# src: tinyproxytmp.conf.j2 +# dest: /etc/tmpfiles.d/tinyproxy.conf +# owner: root +# group: root +# mode: 0644 - name: Enable and restart the tinyproxy service systemd: diff --git a/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 b/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 index 41c264461..7600c3234 100644 --- a/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 +++ b/playbooks/roles/tinyproxy/templates/tinyproxy.conf.j2 
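Review bot: After this hunk every task between the package install and `Enable and restart the tinyproxy service` is commented out, so the role no longer writes its config file, unit drop-in or tmpfiles entry and the service runs with whatever config the package installs — the templated `Listen`/`Allow` entries for the VPN address and the log settings in the tinyproxy.conf.j2 hunks further down are never deployed, and whatever the gateway docs advertise (outside this hunk) will not match. When the drop-in tasks are restored, the file name must end in `.conf`, because systemd reads only `*.conf` from `tinyproxy.service.d/`: change `dest: "{{ tinyproxy_systemd_service_path }}/10-restart-failure.service"` to `dest: "{{ tinyproxy_systemd_service_path }}/10-restart-failure.conf"`. Commented-out tasks should be deleted or gated with `when:`; as written the role silently loses its access-control configuration.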
@@ -12,8 +12,8 @@ # as the root user. Either the user or group name or the UID or GID # number may be used. # -User nobody -Group nogroup +User tinyproxy +Group tinyproxy # # Port: Specify the port which tinyproxy will listen on. Please note @@ -29,11 +29,38 @@ Port {{ tinyproxy_port }} # Listen {{ tinyproxy_listen_address }} +# +# Bind: This allows you to specify which interface will be used for +# outgoing connections. This is useful for multi-home'd machines where +# you want all traffic to appear outgoing from one particular interface. +# +#Bind 192.168.0.1 + +# +# BindSame: If enabled, tinyproxy will bind the outgoing connection to the +# ip address of the incoming connection. +# +#BindSame yes + # # Timeout: The maximum number of seconds of inactivity a connection is # allowed to have before it is closed by tinyproxy. # -Timeout {{ tinyproxy_timeout_seconds }} +Timeout 600 + +# +# ErrorFile: Defines the HTML file to send when a given HTTP error +# occurs. You will probably need to customize the location to your +# particular install. The usual locations to check are: +# /usr/local/share/tinyproxy +# /usr/share/tinyproxy +# /etc/tinyproxy +# +#ErrorFile 404 "/usr/share/tinyproxy/404.html" +#ErrorFile 400 "/usr/share/tinyproxy/400.html" +#ErrorFile 503 "/usr/share/tinyproxy/503.html" +#ErrorFile 403 "/usr/share/tinyproxy/403.html" +#ErrorFile 408 "/usr/share/tinyproxy/408.html" # # DefaultErrorFile: The HTML file that gets sent if there is no 
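Review bot: `Timeout {{ tinyproxy_timeout_seconds }}` is replaced by a hard-coded `Timeout 600`, which drops a role variable callers may set and keeps idle CONNECT tunnels open for ten minutes per client; restore the variable and change its default if 600 is the intended value. `User tinyproxy`/`Group tinyproxy` works only if the package creates that account (check its postinst) and disagrees with the tmpfiles template, which still creates the PID and log directories as `nobody:nogroup`, so once those tasks are enabled again the daemon cannot write its PID file or log. The remaining hunks of this template (lines 29–33) paste the upstream sample config's commented `Bind`/`Upstream`/`Filter*`/`Anonymous`/`Reverse*` directives verbatim; in a security-sensitive template that is noise that hides real changes in future diffs — keep only the directives this role sets plus a pointer to `tinyproxy.conf(5)`.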
@@ -42,6 +69,16 @@ Timeout {{ tinyproxy_timeout_seconds }} # DefaultErrorFile "/usr/share/tinyproxy/default.html" +# +# StatHost: This configures the host name or IP address that is treated +# as the stat host: Whenever a request for this host is received, +# Tinyproxy will return an internal statistics page instead of +# forwarding the request to that host. The default value of StatHost is +# tinyproxy.stats. +# +#StatHost "tinyproxy.stats" +# + # # StatFile: The HTML file that gets sent when a request is made # for the stathost. If this file doesn't exist a basic page is @@ -55,18 +92,25 @@ StatFile "/usr/share/tinyproxy/stats.html" # and enable the Syslog directive. These directives are mutually # exclusive. # -# Logfile "{{ tinyproxy_log_file }}" +Logfile "{{ tinyproxy_log_file }}" + +# +# Syslog: Tell tinyproxy to use syslog instead of a logfile. This +# option must not be enabled if the Logfile directive is being used. +# These two directives are mutually exclusive. +# +#Syslog On # -# LogLevel: +# LogLevel: # # Set the logging level. Allowed settings are: -# Critical (least verbose) -# Error -# Warning -# Notice -# Connect (to log connections without Info's noise) -# Info (most verbose) +# Critical (least verbose) +# Error +# Warning +# Notice +# Connect (to log connections without Info's noise) +# Info (most verbose) # # The LogLevel logs from the set level and above. For example, if the # LogLevel was set to Warning, then all log messages from Warning to 
@@ -80,6 +124,50 @@ LogLevel {{ tinyproxy_log_level }} # PidFile "{{ tinyproxy_pid_file }}" +# +# XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which +# contains the client's IP address. +# +#XTinyproxy Yes + +# +# Upstream: +# +# Turns on upstream proxy support. +# +# The upstream rules allow you to selectively route upstream connections +# based on the host/domain of the site being accessed. +# +# For example: +# # connection to test domain goes through testproxy +# upstream testproxy:8008 ".test.domain.invalid" +# upstream testproxy:8008 ".our_testbed.example.com" +# upstream testproxy:8008 "192.168.128.0/255.255.254.0" +# +# # no upstream proxy for internal websites and unqualified hosts +# no upstream ".internal.example.com" +# no upstream "www.example.com" +# no upstream "10.0.0.0/8" +# no upstream "192.168.0.0/255.255.254.0" +# no upstream "." +# +# # connection to these boxes go through their DMZ firewalls +# upstream cust1_firewall:8008 "testbed_for_cust1" +# upstream cust2_firewall:8008 "testbed_for_cust2" +# +# # default upstream is internet firewall +# upstream firewall.internal.example.com:80 +# +# The LAST matching rule wins the route decision. As you can see, you +# can use a host, or a domain: +# name matches host exactly +# .name matches any host in domain "name" +# . matches any host with no domain (in 'empty' domain) +# IP/bits matches network/mask +# IP/mask matches network/mask +# +#Upstream some.remote.proxy:port + # # MaxClients: This is the absolute highest number of threads which will # be created. In other words, only MaxClients number of clients can be 
@@ -121,6 +209,16 @@ MaxRequestsPerChild 0 # Allow {{ tinyproxy_listen_address }} Allow {{ streisand_ipv4_address }} +#Allow 192.168.0.0/16 +#Allow 172.16.0.0/12 +#Allow 10.0.0.0/8 + +# +# AddHeader: Adds the specified headers to outgoing HTTP requests that +# Tinyproxy makes. Note that this option will not work for HTTPS +# traffic, as Tinyproxy has no control over what headers are exchanged. +# +#AddHeader "X-My-Header" "Powered by Tinyproxy" # # ViaProxyName: The "Via" header is required by the HTTP RFC, but using 
@@ -130,6 +228,61 @@ Allow {{ streisand_ipv4_address }} # ViaProxyName "tinyproxy" +# +# DisableViaHeader: When this is set to yes, Tinyproxy does NOT add +# the Via header to the requests. This virtually puts Tinyproxy into +# stealth mode. Note that RFC 2616 requires proxies to set the Via +# header, so by enabling this option, you break compliance. +# Don't disable the Via header unless you know what you are doing... +# +#DisableViaHeader Yes + +# +# Filter: This allows you to specify the location of the filter file. +# +#Filter "/etc/tinyproxy/filter" + +# +# FilterURLs: Filter based on URLs rather than domains. +# +#FilterURLs On + +# +# FilterExtended: Use POSIX Extended regular expressions rather than +# basic. +# +#FilterExtended On + +# +# FilterCaseSensitive: Use case sensitive regular expressions. +# +#FilterCaseSensitive On + +# +# FilterDefaultDeny: Change the default policy of the filtering system. +# If this directive is commented out, or is set to "No" then the default +# policy is to allow everything which is not specifically denied by the +# filter file. +# +# However, by setting this directive to "Yes" the default policy becomes +# to deny everything which is _not_ specifically allowed by the filter +# file. +# +#FilterDefaultDeny Yes + +# +# Anonymous: If an Anonymous keyword is present, then anonymous proxying +# is enabled. The headers listed are allowed through, while all others +# are denied. If no Anonymous keyword is present, then all headers are +# allowed through. You must include quotes around the headers. +# +# Most sites require cookies to be enabled for them to work correctly, so +# you will need to allow Cookies through if you access those sites. +# +#Anonymous "Host" +#Anonymous "Authorization" +#Anonymous "Cookie" + # # ConnectPort: This is a list of ports allowed by tinyproxy when the # CONNECT method is used. To disable the CONNECT method altogether, set 
@@ -140,3 +293,39 @@ ViaProxyName "tinyproxy" # ConnectPort 443 ConnectPort 563 + +# +# Configure one or more ReversePath directives to enable reverse proxy +# support. With reverse proxying it's possible to make a number of +# sites appear as if they were part of a single site. +# +# If you uncomment the following two directives and run tinyproxy +# on your own computer at port 8888, you can access Google using +# http://localhost:8888/google/ and Wired News using +# http://localhost:8888/wired/news/. Neither will actually work +# until you uncomment ReverseMagic as they use absolute linking. +# +#ReversePath "/google/" "http://www.google.com/" +#ReversePath "/wired/" "http://www.wired.com/" + +# +# When using tinyproxy as a reverse proxy, it is STRONGLY recommended +# that the normal proxy is turned off by uncommenting the next directive. +# +#ReverseOnly Yes + +# +# Use a cookie to track reverse proxy mappings. If you need to reverse +# proxy sites which have absolute links you must uncomment this. +# +#ReverseMagic Yes + +# +# The URL that's used to access this reverse proxy. The URL is used to +# rewrite HTTP redirects so that they won't escape the proxy. If you +# have a chain of reverse proxies, you'll need to put the outermost +# URL here (the address which the end user types into his/her browser). +# +# If not set then no rewriting occurs. +# +#ReverseBaseURL "http://localhost:8888/" diff --git a/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 b/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 index 75289b646..49ffe33a4 100644 --- a/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 +++ b/playbooks/roles/tinyproxy/templates/tinyproxy.service.j2 
@@ -1,18 +1,10 @@
 [Unit]
-Description=tinyproxy - a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems
 After=network.target sshd.service
-Documentation=man:tinyproxy(8)
+Documentation=man:tinyproxy(8) man:tinyproxy.conf(5)
 Documentation=https://www.banu.com/tinyproxy/
 [Service]
-Type=forking
-PIDFile={{ tinyproxy_pid_file }}
 ExecStart=/usr/sbin/tinyproxy -c {{ tinyproxy_conf_file }}
-ExecReload=/bin/kill -HUP $MAINPID
 PrivateTmp=true
-PrivateDevices=yes
 RestartSec=5s
 Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
diff --git a/playbooks/roles/tinyproxy/vars/main.yml b/playbooks/roles/tinyproxy/vars/main.yml
index ef4df9142..71bd582e9 100644
--- a/playbooks/roles/tinyproxy/vars/main.yml
+++ b/playbooks/roles/tinyproxy/vars/main.yml
@@ -5,10 +5,12 @@ tinyproxy_port: 8888
 tinyproxy_listen_address: "127.0.0.1"
 tinyproxy_log_level: "Critical"
+tinyproxy_systemd_service_path: "/etc/systemd/system/tinyproxy.service.d"
+
 tinyproxy_log_dir: "/var/log/tinyproxy"
 tinyproxy_log_file: "{{ tinyproxy_log_dir }}/tinyproxy.log"
-tinyproxy_pid_dir: "/var/run/tinyproxy"
+tinyproxy_pid_dir: "/run/tinyproxy"
 tinyproxy_pid_file: "{{ tinyproxy_pid_dir }}/tinyproxy.pid"
 tinyproxy_conf_dir: "/etc/tinyproxy"
diff --git a/playbooks/roles/wireguard/meta/main.yml b/playbooks/roles/wireguard/meta/main.yml
index 3814d9a6c..fb954d5d4 100644
--- a/playbooks/roles/wireguard/meta/main.yml
+++ b/playbooks/roles/wireguard/meta/main.yml
@@ -1,4 +1,4 @@
 ---
 dependencies:
- #- { role: dnsmasq }
+ - { role: dnsmasq }
 - { role: ip-forwarding }
diff --git a/playbooks/streisand.yml b/playbooks/streisand.yml
index fdcd30a35..f78dc065b 100644
--- a/playbooks/streisand.yml
+++ b/playbooks/streisand.yml
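Review bot: As a drop-in under `tinyproxy.service.d/`, the surviving `ExecStart=` line will be refused: for a non-oneshot service systemd allows only one `ExecStart=`, so a drop-in must first reset it with an empty assignment — an `ExecStart=` line on its own immediately before `ExecStart=/usr/sbin/tinyproxy -c {{ tinyproxy_conf_file }}` — otherwise the unit fails to load and the restart task fails. Dropping `Type=forking`/`PIDFile=` is fine only if the package's unit and its config keep `PidFile` consistent, which is worth a comment since the role's own template still sets `PidFile`. `PrivateDevices=yes`, added two patches earlier, is removed here without explanation; keep it, since a drop-in is exactly where such hardening belongs.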
@@ -25,8 +25,8 @@ when: streisand_openconnect_enabled - role: openvpn when: streisand_openvpn_enabled - #- role: shadowsocks - # when: streisand_shadowsocks_enabled + - role: shadowsocks + when: streisand_shadowsocks_enabled - role: ssh-forward when: streisand_ssh_forward_enabled - role: tinyproxy From 8aaf3bda0524f0ac39fb0731afa031ebd6ac68dc Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Sun, 14 Oct 2018 00:03:16 -0400 Subject: [PATCH 16/20] fix gpg signature verification --- playbooks/roles/download-and-verify/tasks/main.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/playbooks/roles/download-and-verify/tasks/main.yml b/playbooks/roles/download-and-verify/tasks/main.yml index 5f482a8cd..034d26934 100644 --- a/playbooks/roles/download-and-verify/tasks/main.yml +++ b/playbooks/roles/download-and-verify/tasks/main.yml @@ -55,15 +55,14 @@ - name: "Verify the {{ project_name }} download signatures were from the correct keys" assert: that: - # By default gpgv outputs to stderr. For a good signature the first line - # always ends being like: - # "gpgv: Signature made Fri 16 Mar 2018 11:16:40 PM UTC using RSA key ID - # C3C07136" + # By default gpgv outputs to stderr. For a good signature the second line + # will contain the key ID: + # "gpgv: using RSA key 2BC7E4E67E3CC0C1BEA72F8C2EFC7FF0D416E014" # Since we've already verified the gpgv2 return code we can just check for # the presence of the key ID we expect in the first line of stderr output # and be confident we saw a valid signature from the expected key ID and # not another unrelated key in the Streisand keyring. - - "'key ID {{ project_signer_keyid }}' in '{{ item.stderr_lines[0] }}'" + - "'{{ project_signer_keyid }}' in '{{ item.stderr_lines[1] }}'" msg: "The GPG signature on {{ item.item.file }} was not from {{ project_signer_keyid }}" with_items: "{{ gpg_verification_results.results }}" loop_control: From 93d0bfcfa651629fc48a8bbac1637d41a1268d8b Mon Sep 17 00:00:00 2001 
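Review bot: The new check `'{{ project_signer_keyid }}' in '{{ item.stderr_lines[1] }}'` pins signature verification to a specific line of gpgv's human-readable stderr, which is exactly what just broke between GnuPG versions, and it now accepts a bare substring match of the key ID inside whatever that line contains, which is weaker than the old exact `key ID …` match. The robust form is to run gpgv with `--status-fd 1` and assert on the machine-readable `[GNUPG:] VALIDSIG <fingerprint>` record, e.g. `- "'VALIDSIG {{ project_signer_fingerprint }}' in item.stdout"` (constructed name for a per-project full-fingerprint variable), which does not depend on output ordering or locale. At minimum the comment above still says "in the first line of stderr output" and must be updated to match the index change, and `project_signer_keyid` should hold the full fingerprint so the substring test cannot be satisfied by an unrelated key sharing a short ID. The gpgv invocation that produces `gpg_verification_results` is outside the hunk.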
From: Ali Makki Date: Sun, 14 Oct 2018 08:57:55 -0400 Subject: [PATCH 17/20] maybe fix ci? --- playbooks/roles/gpg/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/roles/gpg/tasks/main.yml b/playbooks/roles/gpg/tasks/main.yml index 8f8883362..d58c0fb45 100644 --- a/playbooks/roles/gpg/tasks/main.yml +++ b/playbooks/roles/gpg/tasks/main.yml @@ -59,6 +59,7 @@ with_items: - "S.dirmngr" - "S.gpg-agent" + when: not streisand_ci - name: "Create the Streisand GPG keyring" command: "gpg2 {{ streisand_default_gpg_flags }} --fingerprint" From 9c5185a4dfe25f939d2a1b4fe2767c2e5305880f Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Mon, 14 Jan 2019 23:30:02 -0500 Subject: [PATCH 18/20] install wireguard from package --- playbooks/roles/wireguard/tasks/install.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/playbooks/roles/wireguard/tasks/install.yml b/playbooks/roles/wireguard/tasks/install.yml index 8e5aa7bc3..781a93fd9 100644 --- a/playbooks/roles/wireguard/tasks/install.yml +++ b/playbooks/roles/wireguard/tasks/install.yml @@ -1,8 +1,8 @@ --- -- name: Determine the running kernel release - command: uname -r - register: kernel_release +#- name: Determine the running kernel release +# command: uname -r +# register: kernel_release - name: Add the WireGuard PPA apt_repository: @@ -15,7 +15,8 @@ - name: Install the WireGuard packages apt: package: - - linux-headers-{{ kernel_release.stdout }} - - linux-headers-generic - - wireguard-dkms - - wireguard-tools + - wireguard +# - linux-headers-{{ kernel_release.stdout }} +# - linux-headers-generic +# - wireguard-dkms +# - wireguard-tools From 91d9663f3403c6f45f6ebc44cd6f184105c78cd0 Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Mon, 14 Jan 2019 23:47:39 -0500 Subject: [PATCH 19/20] remove comments --- playbooks/roles/wireguard/tasks/install.yml | 8 -------- 1 file changed, 8 deletions(-) 
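Review bot: Skipping the `wait_for` on the `S.dirmngr`/`S.gpg-agent` sockets in CI (`when: not streisand_ci`) hides the problem rather than fixing it: the next task, `Create the Streisand GPG keyring`, runs gpg2, which talks to the agent, so CI either wins the race by luck or fails later in a less obvious place. If CI containers cannot create the sockets under `root_gpg_dir` (for example the path is too long for a Unix socket), say so in a comment next to the condition and prefer making the path valid in CI over skipping the check. The task header and `with_items` start outside the hunk.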
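Review bot: Replacing the explicit list with the `wireguard` metapackage from the PPA still, as far as I recall, pulls in `wireguard-dkms | wireguard-modules` on 18.04, so kernel headers are still required for the module to build; with `linux-headers-generic` and `linux-headers-{{ kernel_release.stdout }}` gone, a host whose image ships a flavoured kernel with no matching headers gets a successful apt run but no `wireguard` module, and the later interface setup (outside the hunk) presumably fails. Keep `linux-headers-{{ ansible_kernel }}` alongside `wireguard` — the fact replaces the removed `uname -r` task — or add a task that asserts the module loads. The commented-out lines should go; patch 19 on the next line removes them.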
diff --git a/playbooks/roles/wireguard/tasks/install.yml b/playbooks/roles/wireguard/tasks/install.yml index 781a93fd9..49644024e 100644 --- a/playbooks/roles/wireguard/tasks/install.yml +++ b/playbooks/roles/wireguard/tasks/install.yml @@ -1,9 +1,5 @@ --- -#- name: Determine the running kernel release -# command: uname -r -# register: kernel_release - - name: Add the WireGuard PPA apt_repository: repo: 'ppa:wireguard/wireguard' @@ -16,7 +12,3 @@ apt: package: - wireguard -# - linux-headers-{{ kernel_release.stdout }} -# - linux-headers-generic -# - wireguard-dkms -# - wireguard-tools From 264ad815b0581ea761b9bda1f9c56ca34f756ecd Mon Sep 17 00:00:00 2001 From: Ali Makki Date: Mon, 14 Jan 2019 23:51:26 -0500 Subject: [PATCH 20/20] correct indentation --- playbooks/roles/wireguard/tasks/install.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/roles/wireguard/tasks/install.yml b/playbooks/roles/wireguard/tasks/install.yml index 49644024e..0e54e4924 100644 --- a/playbooks/roles/wireguard/tasks/install.yml +++ b/playbooks/roles/wireguard/tasks/install.yml @@ -11,4 +11,4 @@ - name: Install the WireGuard packages apt: package: - - wireguard + - wireguard