diff --git a/docker-compose.yml b/docker-compose.yml
index bb724d076..b631fa523 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -30,16 +30,6 @@ services:
 depends_on:
 - postgres
- vpn:
- image: 'python:3.10'
- restart: unless-stopped
- volumes:
- - './scripts:/base:ro'
- ports:
- - '8001:8001'
- working_dir: '/base'
- command: 'python fake-vpn-xmlrpc-server.py'
-
 datastore:
 image: 'python:3.10'
 restart: unless-stopped
diff --git a/provisioning/group_vars/all.yml b/provisioning/group_vars/all.yml
index 00eecd023..56fcab350 100644
--- a/provisioning/group_vars/all.yml
+++ b/provisioning/group_vars/all.yml
@@ -5,7 +5,5 @@ hisparc_path: /uufs/chpc.utah.edu/common/home/hisparc
 publicdb_host: hisparc-data.chpc.utah.edu
 datastore_host: hisparc-raw.chpc.utah.edu
 datastore_port: 8001
-vpn_host:
-vpn_port:
 datastore_data_path: "{{ hisparc_path }}/data/datastore"
diff --git a/provisioning/host_vars/publicdb/main.yml b/provisioning/host_vars/publicdb/main.yml
index 0a588af04..a507a5488 100644
--- a/provisioning/host_vars/publicdb/main.yml
+++ b/provisioning/host_vars/publicdb/main.yml
@@ -10,8 +10,6 @@ publicdb_repo: https://github.com/HiSPARC/publicdb.git
 psql_database_name: publicdb
 psql_user: "{{ ansible_user }}"
-# vpn_proxy: "http://{{ vpn_host }}:{{ vpn_port }}"
-vpn_proxy:
 datastore_proxy: "http://{{ datastore_host }}:{{ datastore_port }}"
 email_backend: django.core.mail.backends.smtp.EmailBackend
diff --git a/provisioning/host_vars/vpn/main.yml b/provisioning/host_vars/vpn/main.yml
deleted file mode 100644
index 9a2a519a5..000000000
--- a/provisioning/host_vars/vpn/main.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-ansible_host: hisparc-data
-
-private_keys:
- - path: adminkeys/ca.key
- key: "{{ vault.adminkeys_ca_key }}"
- - path: admin/server.key
- key: "{{ vault.admin_server_key }}"
- - path: client/ta.key
- key: "{{ vault.client_ta_key }}"
- - path: keys/ca.key
- key: "{{ vault.keys_ca_key }}"
- - path: client/server.key
- key: "{{ vault.client_server_key }}"
diff --git a/provisioning/host_vars/vpn/vault.yml b/provisioning/host_vars/vpn/vault.yml
deleted file mode 100644
index aeac5a979..000000000
--- a/provisioning/host_vars/vpn/vault.yml
+++ /dev/null
@@ -1,409 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -38343334316361343663363739643935383335393561316339373861613234393262623031323734 -6366623835313966636334613834656561633939373166390a333564666461643134333032386363 -33623963653631303739626637363239353830663065316430633663353038656634363261623162 -3262653265386230380a396135313535313062393736353737353064393132353930333662383733 -37636337333135346338323962353034643032393663643039346365373265663966663865663536 -34666537366230616533346330313961643562323264653139626239386339363037363630636134 -36383061343233353537353434363239653461356336616139396464393436653463373539326665 -37353039346135363739336262393837636462373536643634303866663330306263396639316238 -39393431323732383262643365346538613638656164333137306237303666653563643866316566 -62613762396331636531396666303631326233616366636332306239666132363064666364633337 -34373135363632363730363738386431323366306136346263663463306162306337323130396432 -30346363353966313762666162646464326533363035666263353434653132363837313834366233 -35636433626162326133396335316237643865336334663534653930303563623135316135373030 -64353164623762643463356364623535616139363435363862313737616161623039653161383536 -61396334383139656130306631613166653431613635386636383134306538363138393364313531 -38343539656136646230363138343566653365623038303531613163363566636131396163303039 -63633332343763363233646530646538623937616163326635663134363932663864306664363138 -66306131316534366236656238333138646530636336313738643336353662633736666538353838 -34613333303465323165623432623538373636356461303338326163646665663834623632656633 -39663530616537383564333364346563313339663265363864333162633431343334376639616637 -35666234356534373338303838656331326639633635613733346336396130353431653136663739 -61303130303062333863343765366161343033633361393961326362376162386661386164373162 -37333361316632303864383035303238616631386633343337323261636531323763316133653963 
-35393562613930316633376666363634393062616437623736343065633231616234323339346532 -37616132303135353962386432623333346231353962326136623363333335666537356464356465 -64363039353862356538343035643732616232323464663166613230353866393066356161306665 -36343936363064383034333563613063306362376135353563393561333730303762623963646261 -66343735643264626463653532613835363233396564383738626263336265366464636535373236 -31303230383062643337663537613566366233646164333938333034343330663939336432306463 -36623966616263396336616633643338323339306132383630386135376138653931313631636565 -30663162636463653765633936616262653164383437393034373831366665656132613564366530 -31626166376138656337396238393261393733613931366366623436383762303538386265353430 -30363633333764623566306464326563383733626134326632303330663864313735653563316263 -64373566346332653039386435623734613938363934343535343237646135323735616261666531 -39373934383730636138356132333862393764616131386633313232393833323736363733326261 -33306235396263613535633030306631343236326433643662613432346531666437346364333431 -62643762613564666163306230303932666564663761356266636132373266656232663731333435 -30623234313130643530333161666465303566643333306432306639386566316133393362343861 -30623762616365613339633438306364656131386264363633383133643764373131346464613037 -34303033623639326535613263643337303037626431393962393236633733313934396231393736 -39666565653238313332656162366133343863393262313031643865613537306566613765333933 -63656534636265626466386434623836353962633331656138393061353032343362623833393035 -66393332623530323137643966643335373263633662353532303565633466366331336531353334 -65336263353136316435326131316464326161626233633464623861393037643063643237653932 -36303334303438646462633761636561646565303236663662316630373665663337313864376162 -61613065626266323335623139386466366636373662353936363832653866643839386433303832 -32306362316330613532333638343337316662323036313438336662633630666466373036633263 
-37623061623338643131336666616337623163613033363137663166626637633863373262343766 -35396139346364393539653261633536373330373962653236633661306439636231633739336262 -39383963666234656561353065353561373636353666663165366131343063333161353537346262 -33653265316433343230666261346566353733316462363437363130653437653334613431663337 -65346265636433653536616634333132323530313163323435653939636565376262643531613965 -37306666336431376462353736356435306261313135613266646537616333363930653466663335 -30656339303433353862643538663666663538373231363266393465323962363464363862303065 -30623962323432663939393830343332376430393730386633616366623932613663346331363630 -30653931613865356439633263376662373562316363616532663261663934656531306561356262 -38346131363738623832396132373239643339613835393866616538363735366331663937613039 -30393233626361363361623836663735323133623265363335333837323863356164373532373436 -35303532646433363765346361353339326163313438363733353032626534393730633734326264 -64306330616666643130306264373835653936623735336464373134386434313966646337313539 -64616139623337613335386531363765616462633663383632373631396535626463616330636131 -39343136626635346566396331643038633766616236643332396639313437346534346537313333 -62313462643932613030636262616337336331306537353536643333346663613338663461623734 -30356539376432623535346635633034373662666236303436626632643036313337386133353530 -62633631663232663432313866626466333537636130356163346232653634633965353163643764 -39663236623430396130333533386335626666626537303965306434613134373638343036646563 -36643635626138313562616631376331376439386236326233383038316133633434333536613631 -32653365383564366365376464386535396330643233636263613337323737353736353661386336 -65326666313866376661333330616633313330663431383935336632323030303161333334313236 -36323730336134306439303964366266326564393633316334626135323562393337653236653966 -61366638633365386231383436356165333534656462663137303464623862383731636265396237 
-30373163633733313636636232626137613535386363306662333765303062313737366162373439 -62333830323762613637313861663432653763643232326139313836646238373635313264353135 -35306632366262613938643337323364656537353061333137313965346433646635396165353164 -33376639323831376136346363346136613838313836343138323361363363363132656332663231 -36663762613939306161616130633964313436323431393533313435666363373939663462313135 -35633534343463663938373663313363653161646634663133366233303264636632623330656635 -62623638633431353761306234333832636662643538386166616136366535353561363233363638 -39363962333763396431646334633335306638313834303965383365653934343337356631396634 -31613366333532666235366162303734336632643531343537316332363332313334643665343737 -33396166353463633734633737383939613161633431303637333037363161303362363839336666 -30386262303933353037353935663564303664363366363937333231333033633662333134346234 -33646631383331623164343835616561333938326566653732363435303232363330346334646662 -62353063633063366131383162333938356461643561353165623463323337336233353264323262 -30386165666135643637313234646133633139363761613862613536323839363038373230393461 -35623534633062383763396661346263663336323163323663383366396166633762333564646431 -36343530653532386235313530326362366231303132356565386531383037386437333333373036 -62303034373161333633636231343466666233663564356139636134363232343534356361376432 -31323463623632626134303935623263636233313161363064626364666165336433383130313038 -63323134383063313835316363316330643166626361623834326333376561623135323666393163 -66323236316536393533343563376563663637316530306233633666383836366339663136656331 -39623735636361633833313763306532666130633134636364313432306262303937396565396532 -36396263616465363230323436366531333864636165356234643730663133393737373436393831 -30376432343464376130393461353531383738656136393632626232656366383830383433656661 -65633565656430613733383162356334336436393862663463383033323539623739356234353238 
-33333663336231613433613239336465633163653239373065613263643861336233663465616462 -39316466643030616666633636386433373663373566663137363230623439346266376263303866 -64323936626335643563303839323463393737343935373833386461616434343438376531383561 -66626366393032666538303966303164663338636435333238626533376337353837376263303037 -36343165626136326638383165653164383765366432363836643938356433333739336538323363 -32623861393064633530653938346461353536343663613630646165646431363334663433666439 -31656466313535396232333837613366313836373836323166353438663432643663633662646535 -30623831613030343130633036303534303234373066616230303863323666383739373363616335 -61373663666532633665346661626661666335643164626438316136643164363531323237636134 -37653632323831386531633662383266626535333037373430376463666139653664383765316530 -63363263303531333862353062366439633266646538616334663832323334666335326464363564 -62333066633238323535386630636566353935653462336238393530346535333462306139306663 -38353361663232646265623339306261303039646133343365373037653231626130353638376463 -61653633666438623938363564396662383032653564666335373833663931326163313738383730 -39353462323232363036613032366538313139313937343364393466396466636666663164393566 -39646164313438376330353333343335333631363533626435303562346561303930653630633935 -62303433626365356164323531343832323230323030373530323933336334613137383537396434 -61393365323035656566633536356234343063373436393131386265336535303136326438383732 -37323531653039333936356665663962656263633266663032646530383030336130656330313635 -37323465303861326532393037623438366530366462643130326463323263326637626130393636 -66306364376133343331643764336365383630396233373732323634383232633330646438346236 -31323032626139363866653330363866623131656233646337623065303836646361363466316663 -39666537656334396162376166383538636139653134393832663038386130396164386365633461 -37356661643430336334316661353462306164626337643431333663323062643335336332373462 
-61663432333161373933373161623139643562376563333566623839386661653466653966383239 -62313762383139616465393265336137306566623736646635366330366161373437343032626438 -30376434323437326466333438333038393762353637303335386266363830633332353064363031 -66323735313165613338363938323538386139626264666334343134383566663735376264383332 -64633963363730646563616566306165656138313365623036356135333335303034376636636564 -34613638363032353739396231313738393430343764643337393230383231366636353464303362 -34363136313732343739643564376265326331613262633164313438366261613437333263663766 -64353831643263376535303231316135376533636432646539646630376537353362373665303236 -31343532303837366533653662366231626538323064306131653334363339616232636430336666 -30316233653664393732626535343835353365626534616432383062393431623938363839303866 -61346361343362613733373734616163343537396462386565653166663530353430336263653861 -62333838643532393438646533653961643663613966353230303431643763643838333030643439 -64306165366133323733376132663837353463353361373265303238623436316162623839336234 -33363239343465356664393166326639326565343934353839356432393862346265393537613634 -63373837313030613865633565373365623763653032663864666330373263323432363765343464 -31306539323537306335656564343939363436396437303832323931653565333331623737633838 -38653361363338323939663362326536653738656265633238336433636133336137653263363739 -36326435353134326431363366366133333334373938663266336262323366633330633438626433 -64303833646431353665616637303362386263323236366335363633656630383930336334373465 -62316535393866646263636161386534623634653834626531373462623731306435313833383834 -37303566623662323236363534626464323336343436643238646431373737366634366137653738 -39353231636232643334383130663963343733306436393439396434323665656166643233386337 -38646262326563393037366565313737393138376339333939613065643139623362346366356461 -37346530396633353938313261666138353062333735613964643632666363373065323466346336 
-38303030393164623461313337316431373337303939623530376461396634643964623231393338 -66306134353536363338303363336131623266323162383838363963386239336532313166626164 -34303366633362623166613637343436343063646337623033386331306132663662313537336531 -62386164623230653063316432366139646362313365393761306434313264373630633033343137 -30373132336232363661303630623031336262323434336534383134646566373135663361303337 -64323665316365623332666133653934363963363563333663396231653362306636643537633035 -61626138366238623666333632616330616535303835313466376265656435386461316566616138 -36663939393639643137626439303232336161663763353338623532653836333634646539353264 -35623861623732383662373934396133396339303033626237313462353131326531313339353431 -63653435393937626432363534363933633466396338636130323165383838363066613334333332 -37336266643335643163616561633837663335323064366630653966353238636463613036343664 -39383434656539326135646364653432396564613135353035623638313331336264333362613362 -61393737613535356366646566306236376635633564353536623230373239366666343234373437 -39393039666662396361343065323230656231376466636664646666623739633361656339353133 -35616638623437386530633939366234313561383665623135316437356138623031326463333335 -37356430636231323335633331363135373361303163643938366530666631653238386238666661 -31653066363434393031363963316138393939626633313035396338316435643031623663386532 -65363632643134353932373637363265643937643939353133663330346539623163633966623935 -37646266323162306239306264326632633765316633393932353233363531376230633633376330 -32316233613234643232636361363935366365333432313033636663353663663238343262653737 -62643064626363646233653035393964363237363661383566366235343230383134303265306630 -65636564313632303466383566373037323864616337663562323364656331383937326561386166 -31356665623565646162636436313839313831306261343337626563303330313461653966653165 -39653330623835663362666266333134623765666563663536636464306463376635633333353462 
-63353561383565653432383335303564316334613731663462313232386162313666646261326463 -33613866316239336566623833353966663430653038373466343139363431396634643737343463 -63323566633935646135303339316361326633636135353135633863333363343736396230616662 -62623831386333343234323237383830616562376431386666313263616636396534613133396337 -65306136653230613935376635666539343830633939323532366461646631333762653461386534 -36623065626666646361643535623632333636373938646435626632646535643565663461393762 -33393066396663643364663535303261393535663037383231326662313032396638396666356561 -31643965633264623833353766363639646535666130646663336633323830383639626266346237 -62646431316438626432666630653663353237663532646236666531356265366138303131623461 -30396663316236393633653633656566313964623833663037386230636438313734613664373439 -62353839653662633566343063613263333934393264656339356661323037393435303634363139 -38616137356138656137396664376566613830613063303661636333613833383563656133323564 -62386631346533353130333961356236386137326439383065643933623835323233653734616366 -61383433353366353732323130396332646631386462663539653162656431633563623064316635 -31393837636636646165343232666666376139646330656466306438383538363533383930646139 -32333137656331363066393866633662613239373361386461616135393631613339373637633939 -35613234623831356566323462363361313334333965656531613361356666363830373330656662 -35356665313765343632303437346461363636346366653065663861633435356531333561333333 -62616665373462306466633561396434306266633462343438646563656366643439343762396335 -64663331646237626361346166653265636230393634666534373466393037663464336662333539 -37343233323764333361306438646666363134376232383535393266373331393930333561363462 -38386364396563383836653365306564663531353963646132316461386264626230323365653765 -38306139386637633634633964653631323361656436623562333461323238613532373938663963 -65313763633338636633373139626164643135313238616366326334396337303637323338313835 
-30303261383231393932646239616661643132336562373931343337376638663938383064326230 -33633265393836363964613565363535646430386332613966366362633461363438626336343338 -33663234363163393533333461353433363561633138396565616132616138663662313239613530 -64626561306666383965663037656535636136356331626461363737373036383634613062623936 -36333031643638396131666432396164303838393331626663343961386139386631373330333765 -62643331626230626561316433323430633432376365653936356564633039643039376239613435 -34303966396662346464626266613334303736396662623435336637373864346636396166393230 -37373761336561366639303866666235613566613932373164653238333661303862373166623635 -39363337393737343138653732316436313732643266653134316538343762363162396633643236 -39626162653865396439666537353962353432363462303439636231376431373732363436353463 -37323033613830376131383639616262396132666334313732313839346230303535383263326339 -35653563396262653563313634336234333535666132383434643462653965633463363438636665 -66303166303437633764343363306538333334303531333166333061316536353233383031363138 -34633732623163643135393536666639336662656233376262633037663938643065313463616465 -31343164643134613639643535353530646636323264393131663761353264313036343661613739 -33653733643861376635646435396233353035653961356463626437636139306362336430353231 -33383934316363316463616538373963646637363833393365623535306666386561626438336430 -34363763666266376332633766356237323035373333303632626235626139336231313861353138 -36313162316463373435366238633265363464386230643132363136303833373962323436366132 -35316439376538623066353463386233636364613664313463336132396564313937643264396236 -66386634306133393336343361323132303636313231643735626166363935323130393539396361 -32616162646635373966643738636362316535666562326362343735663435353033656262373633 -64336566323836366535313435613735366337633862383263643033326537313530326534363535 -63343036393339623534306332313031333462353335333661396530626133326530346633656563 
-36316231323131366466626535326231643531353964303165306335396334383430613662333465 -37353934613133373263666562316530313165303030633638633330313335323432386538653065 -34393732643432383033303238316235366438346331623865663962643231616630623661623035 -63396561316331656234326134396561623137333733663632356262656634323738393161616434 -63653038383961643634333536373030306334643231376134616462613464633539643734623665 -36363566643762363164353237663335613462303435616130623264363333373434303831333764 -38333331353332323832663565356666636631636239396161373962366563353139313864363465 -38303439343938343964333363336365306539393362626666373931383530396135303132313363 -64353264313632316162643934323539343931306339313964663135666231346235396334653066 -66646332323962646135336433336262323038373234663038636664663565303935333438616536 -30316361386332303933353831363566383961373839343666363765396335333533653031643966 -37376364383264366433653535663564336138346335393262366330633666633733353439353939 -63393431326166323162613864326537613932326238396561666633336633636465616165366164 -33373565393534306361383632626131376662353563383165656531303961613838323030653538 -38313338313530616135643637633530353762376464373666396261393432383762613165353162 -35353864363863316430363465636662653635646136306565346536326532386161623533313038 -34623966336135363632393963613135303239663766353833623439343232653235393932633366 -34363938306636633537373834626664626536316665643961316338613465626165363038356534 -39663537643433373535646464356131363337353237613332356664393464613838613233653264 -66346235396164383635653562306338666532343865323932316261366165363735653932303435 -64303632663736636238316333333463353231373661313430653732663336656536353665613965 -35633033323034306434663361333439623537363037623633353837626661646338373130353164 -33303266396562343563396138316463613162613035353530633936376333653339613333343465 -32643039306235316336643832643336666662343730343864303132643430653530316331343463 
-39636261616463333862323764633439636565376465663966373735313132633161613866643733 -34643761323337646536656566336531346133663138373765643662323235343362363537613564 -66373563303038636636323461303231376238333365623738656535396665306661363134336237 -33316266333161323161393530643233356634396430393631333965653331376532313864633030 -61363939616564666164383761616633653834663737313763646665353537656434663634623834 -38383038656361303439613037333138633466366461323966633635356262376264353066343630 -62643635343631663238316238386532366239643132366265646637336633323230623735343462 -36646133346436666138333062633135333461363433633633396463653833323463323830643835 -63633231316566306235303630663566393662383839393062333835326238336635616135333865 -34323365616361323062613830316231613934366431383939346164323566376538636662626331 -62303237316430333062313966313262663139346239616661383330393064633438383630653264 -35346237633638613933646131363431396635623636306638623665323464383164663333366364 -63303266643963643062353431336336636161343631316536383938306662383930393465636166 -63613934643632373331303337313034323437316136373033373663633964653765363530326262 -33313138343366613563663139626362343437333636393961376235626162343761653539396130 -64303162383865633635613835636633336236353031323061356234633737313064323332633934 -65626633613765346132666334313632346566646564366533396537343438383937373265373638 -33386630623330636334366165373763383261393339653162396431356534643166646461336164 -36343831613534313862343734623263313030316264653864393261383537346238393238353838 -63386538306135386438396237333732373365626164356333383061336365393562343731333630 -35643232646230613237373737366339353963393863393961383532383739633731363238653337 -39363263313966623565346232316437306262363561643236633639303433303237366364333731 -66623839316264663232666462663265663330396335616265646566623161383634643138653939 -65336164393362316365306635653965313339383335373663616530343437613463393231666339 
-33613330393232656633373731646630373038633362313732663861326164373237633439396265 -61353231336138623064643036323032613663383362633235373137353163643035643061636166 -66323162396639633062393461343735646138346664643231366436623230623932366238316630 -36643330373237373831623137333939323062616535313462373637636462393366643430616132 -39386363353831633264383561613363376434646637626430336439393563313636613661643666 -38626362666236396436353531386237636436373635353465663037623965656565376130633235 -36343264313938376235643765366166623633626661353262373666623632363232303662613533 -66393538623461663361316432376436656262356261663365353735653561313533316664323039 -36393034386162363938653934373730383035326363323139633333666563336566653632313164 -38326339343863653033626337386637653932333831633833373438306132336130633839343965 -34373161643835353965373533303038616362343066303937613566353236643863643637376566 -62376361623164656566356338396363626532636166306338363464353934336364616162313930 -65393264343537336632613461343938396232623962373765323066326638376161653732613432 -36316362653634356361643862633464336230636364346439663837366566653931633832363830 -30663066393834613534623430333966353431633566646534306430336332383337373737383266 -39343530626331353036346463326330373031353339363833366336343761623134356337666436 -35666236646530343730316161326262653661323738666234363563346661373636663666616236 -35363134333137313332633264326539643765646365383732396563643763303835373264353937 -36303333336133666534376361376238376134633830663432666436306431343136336431373533 -37316332353663346264333839646461613931303932383635623837363439653232633037646261 -30313333636133653730363162373835626264363730636266343065373763356236326162353063 -36326438386163333134666234346137363735333465396530313538623066363766333637626463 -39303735343037313531323163396664643531386237623731616461323462343737356230616532 -34393766623536613330383162333930373933383533313830343633353136306262326534666464 
-34303834383139643431343338613765346165353430346666306135336431633038323065333733 -65373362643762313131643162306362643962383362323737323433373666386539666431313266 -39643130353836393936623564356333663531366235376263346235663333636364303332626165 -63386232653838663462353066373264306339376132306331633163313039616463613532303465 -65333533303236353462306464663562353062626564396364626330343666343463393031326236 -33373532623561386262353363323761633663323362393538336434393062326565353539333834 -63623133376538363839346464323137623233643461393731383936613335343861666333393439 -61353965643339323230643662623865346532633436366339633365363663613766346231303830 -33396361366463663531656135653439633735323836656538346639613830383739373236376563 -32383366386366633761323735303462303433386332323235633562386534643262353862333539 -64643766323863356230306439333432346335666431363639303536383861323663363739306232 -36616363666636663836366337663565636335306239366334373837396538636538646633313435 -65626136373762653839613263653635383463663162303164323536353061633865396464613035 -39613938363233323236336466323536313565616365306439376537353834656430646663383839 -32336432346236393430303465643231643064643238376261653036316661366366386133373634 -32376135373465663634633333343630313661636235383463646135643765393465383530633135 -65323366663763386331643161613633633961653738396530656666613365316337653739393165 -34303733306663376662333966333163383431383666623238653738383736616362633064356366 -32663636363739396135616634336463666338653733383232353564353136343835656439326562 -65376332386336376266613036343863353832656436333330356361623338646664313235353334 -33346537336132303837663934643034383838643963343030663161666461393439616132643763 -63666634613431373834666238626239316564393933306339623862363266376639616136383834 -62613064396161633932633533643334376534636533633931613831626332643036386437653731 -32656234636639643931396136343030633561373366303433623234353964626662356530323164 
-31383933633864626365336464636662363530393031666135376430376361343732623834643830 -65633237323935383964396632653334306333636361653738363661363663393936336434393539 -33333933316539376365326165376365353464633631366236393466626636663638663066373038 -66353530613231326336633137643163336661633032306264336464343262343139383339396337 -64363235363062373735663563636463646133643662383966306465356264346461393535613464 -66346565626631306663653764653634633732666132386334623561633636323031653063303138 -31626137323230366437386134373261616131353161326234656435313939303765356638613737 -32656130306162346336373335376130346338646637373364643361623965646364383732656561 -39633333643334323066363735316463613034386131306139643635333131363065653061316131 -32623561316637313966653839623533666337376632636132323962353235333262393565333736 -37646337363366613133623564653335656664613162653337306531613330666265383035373565 -66623265383236303366353130383338613466376637656339343464306361343361366261386164 -64383130653033316435343738353132353639303666363064623937666131623834386366353536 -38366363346665343832363664333166373238306461633134626662396563326230363634323439 -66373731363361663239333435626531333930316564663637643961366666663433316338633239 -37363236646438353439393632376561336239626334353032376464323735383437336665663036 -62366138313665316239623738653436633939323137386265613763343537363439653361396230 -31333232646466616338653963623861656161373264653932623865353063326665323933373563 -61626133653636383866633330643037653835323333656231363436393335373538646234356639 -33343032666433363634303733666161653830633336666233323637386433326266353763356164 -31643937643066373138303932636365656664393863323635333438333435326433313936636634 -32336239373462366462386237643164636466623262323136376639393465383235626438393366 -37646534663734353731386339323861656337623434326530376665666461386230653263336666 -62326535656231633035303431323536613463376662383436653361386130363734383134333165 
-66663739643262376464343432343130633761313462613834343535616236303566333132306135 -34373762353964323837653162353330646537633362303038636161646266623030306634656437 -34666438616630333165326665346634633766656565363362663964646332333966393737636665 -34303838333462633635363930396335666131323531383436383034356162363233633936393238 -64323230613139316331656134396362346461643163303432383636336537643261643930303136 -39383339366639336466643639663966663565626638376135396633353861396238323363333432 -33386633623238323433643631616637376436326565333134353534323233306338333563353964 -32623439653630383633323634633232376234653537663330626465373364343463316235666563 -36653564306334333734623032656131356365613064633664363062386135646532363931376137 -62323234653463666532316636326338623066613231343439363861653434636364613364366339 -33633231383734323937363631626631396665353837343262353763353135346437333635313331 -35346662303632383536343661653164636632626162623033633839376637663536303239303066 -66303837656433303663353966653531363232393964616234623236353061326533653937363638 -38623436343639336136363636393666383837323039643566616535393033366664313331383539 -30623935343939653131386330643835623837343033343164663864656164336637663838333961 -33333061323665383863336165623332666330663638353634623064356537373261376464323035 -61333732383936373838396664343238653233316332663437643462313037313331646162643163 -32656364373536623930636465663662303435626638333833313439393362313030633536633536 -38636138363734386536373331643832326239393862613966663761356665323035323932623366 -31356536373937303032613037393562666338363031343664613031626639386164333434633431 -66633364636362336635663862303937356331386236346635313331396638313761386239313463 -63386336363461386265666435333461363966373963393738376635323931383933383939333935 -32326561356330666136653239316539303631336365663130303332323938336663636363303037 -35336334306436623839343561656433613663353536303466376463336336353936333838393565 
-36363461373738316330326237363239613639323036386363303139326166383534313533353938 -66613932333033656635633663343137333661363639393837636538613265333635656630356335 -36343232343238626135623135343564316636393063363233663863303463646265326531346436 -37653332373839353161633665316333336533616432336431356530353661633062343238336532 -32326534353762313939326166303361653737326366353161663162633965323538353463383464 -32396666386261336539363831363930306465643130633932383633306163376637373035326336 -31646338356237633532656134626264636237373032666436336233343534666164383430353963 -31313061373963633963643530313038623963636238346161383236393962323762613464323362 -32303533326439313933643033646138343636623232616135376332633563333165373831633635 -61636638373566373238373466376263356436343862386463306161313637396334313337636432 -66376161656365343165626337653261323662383861626332666563396161613235613131343636 -31663031666433653333336437313335393063383166653131616631353736333065646266666533 -64373137383164366337303130656330306362316336363537616530633265393430363861376461 -63373332666533613866613430343330336439616235323937656138623031663663316536356138 -31303635636432616161666234643465336436323930303633396335393939366336653032313562 -65626138613236636130623137656664383537333130376538623165333937323531363134316539 -64623333313337313739363237353936316430653732653865316363383763633362666236623566 -37356333633536323664653938623231303736633665613036353335363030386563323236303133 -63393233306663346164636437646563643431623366663462663531646133663130323530353361 -39643465303833633236393836323234396334666162326138636665393830343335396338613764 -39323065626161653133616663313930333064643239353661613835643136383364353661656461 -33383963616661373732666232396433393231326536636231633936386237333961393362396265 -39313532333166643163393162323365643136616439373462343833353366653564363538663066 -39346133333336363766613166316161316535306662656339373433616333623639316539656637 
-34656634333564303033636366366139613832656365346361326238663939626232656463303865 -31653637363663396139616132653836373931626162343166653762363865623630613839383434 -35346664616462336630366464383165333237363135336564336432633364643838323731303462 -65313939643139383036383939666462373637653232646266393234636437383533303435343330 -37333739633833653039323838396430396135616132616562383033396139623831626363653732 -35613530633837613836323264643663356362646136643663653163343835386339626136363635 -37643237303531303134303464666661613366623763633236626163343433326563623830303266 -65623561333935306562343333306161646161626432316536616165636133643239643930386138 -38663838373933306139643931616534363037373634303662323361346534373563636335386430 -38353536636233303165306131316133316466633366373338343135386532383134643330653031 -63336335313462663366306231386362323538346330386466353533663137316164386533323061 -32326339623830363565643366643862323232396130386432306266333064663638666138326431 -36663164643135363834396138396661653535636431366661316237663239653438353265383035 -65383132663162393361386365666634643437653234383831636231363636323164616531343238 -61633764656633333335633639313835353734306663373232373664343665626362313133623335 -36343963626535343833393061386335316333666537306631623539656135646662306130666638 -31383462613864306366396134343939393135633431643336616463333833313836343464383736 -38353563646639363139643335376135343566376462383962386235333939333035393637653835 -34353937613264653030303930373463303734613762323066633633383136633039653033376531 -65346633613932373137306238313332333138653333663735376236386238653833356365336461 -65316663656338643139323361646134653733386563393631363438336230633363353137633435 -31623363623366353039303166626664633062336132366436663234626162323464643064363231 -32663634396265373437356661363338306132343032663830353636343464323037616261333439 -62623630633133613034623965313230356435326530666437653061353639346536666233636639 -62323033643165323263 
diff --git a/provisioning/hosts.yml b/provisioning/hosts.yml index 628023d37..3a6511e9f 100644 --- a/provisioning/hosts.yml +++ b/provisioning/hosts.yml @@ -1,5 +1,4 @@ all: hosts: publicdb: - vpn: datastore: diff --git a/provisioning/playbook.yml b/provisioning/playbook.yml index 071c6b6e5..69b77dbbb 100644 --- a/provisioning/playbook.yml +++ b/provisioning/playbook.yml @@ -1,7 +1,6 @@ -- name: Setup firewall and development tools are installed +- name: Setup prepare Python environment hosts: publicdb:datastore roles: - # - simple-firewall - development - name: Setup bashrc on shared user account @@ -19,20 +18,7 @@ hosts: datastore roles: - datastore + # Datastore Firewall (nftables) # HiSPARC datastore configuration server # ip saddr hisparc-data tcp dport { 8001 } accept - -# - name: Setup network config for tietar -# hosts: tietar.nikhef.nl -# roles: -# - network-tietar - -# - name: Setup VPN server -# hosts: vpn_group -# roles: -# - dos -# - postfix -# - shorewall-firewall -# - openvpn -# - vpn-scripts diff --git a/provisioning/roles/dos/handlers/main.yml b/provisioning/roles/dos/handlers/main.yml deleted file mode 100644 index 692139d71..000000000 --- a/provisioning/roles/dos/handlers/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -- name: reboot - ansible.builtin.reboot: - become: true diff --git a/provisioning/roles/dos/tasks/main.yml b/provisioning/roles/dos/tasks/main.yml deleted file mode 100644 index 627f61643..000000000 --- a/provisioning/roles/dos/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Increase conntrack hash table - ansible.builtin.lineinfile: - dest: /etc/modprobe.d/mitigate-dos.conf - create: yes - line: "options nf_conntrack hashsize=81920" - become: true - notify: reboot diff --git a/provisioning/roles/network-tietar/handlers/main.yml b/provisioning/roles/network-tietar/handlers/main.yml deleted file mode 100644 index 692139d71..000000000 --- a/provisioning/roles/network-tietar/handlers/main.yml +++ /dev/null 
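Review bot: The nftables rule kept as a comment under the datastore play (`# ip saddr hisparc-data tcp dport { 8001 } accept`, now headed `# Datastore Firewall (nftables)`) is not applied by any task in this playbook, and with `# - simple-firewall` dropped from the first play and the shorewall/OpenVPN plays removed, nothing in the repository manages a host firewall any more. A reader will take the comment to mean port 8001 is restricted to hisparc-data while the play enforces nothing; either add a task that renders this rule into the datastore host's nftables configuration, or make the status explicit in the comment, e.g. `# NOTE: not applied by this playbook — nftables on the datastore host is managed outside Ansible; keep this rule in sync with that config.` If it stays documentation-only, it should also record the chain's default policy, since an accept rule restricts access only when inbound traffic is dropped by default, and note that nft resolves the `hisparc-data` name when the ruleset is loaded, so an address change requires a reload.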
@@ -1,3 +0,0 @@ -- name: reboot - ansible.builtin.reboot: - become: true diff --git a/provisioning/roles/network-tietar/tasks/main.yml b/provisioning/roles/network-tietar/tasks/main.yml deleted file mode 100644 index 910c88ef3..000000000 --- a/provisioning/roles/network-tietar/tasks/main.yml +++ /dev/null @@ -1,20 +0,0 @@ -- name: Set static networking - ansible.builtin.lineinfile: - dest: /etc/sysconfig/network-scripts/ifcfg-eth0 - regexp: "^{{ item.key }}" - line: "{{ item.key }}={{ item.value }}" - with_dict: - BOOTPROTO: static - IPADDR: 192.16.186.201 - NETMASK: 255.255.255.0 - ONBOOT: 'yes' - become: true - notify: reboot - -- name: Set static gateway - ansible.builtin.lineinfile: - dest: /etc/sysconfig/network - regexp: ^GATEWAY - line: GATEWAY=192.16.192.80 - become: true - notify: reboot diff --git a/provisioning/roles/openvpn/files/dnsmasq.conf b/provisioning/roles/openvpn/files/dnsmasq.conf deleted file mode 100644 index 65b0b3d16..000000000 --- a/provisioning/roles/openvpn/files/dnsmasq.conf +++ /dev/null 
@@ -1,544 +0,0 @@ -# Configuration file for dnsmasq. -# -# Format is one option per line, legal options are the same -# as the long options legal on the command line. See -# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. - -# The following two options make you a better netizen, since they -# tell dnsmasq to filter out queries which the public DNS cannot -# answer, and which load the servers (especially the root servers) -# uneccessarily. If you have a dial-on-demand link they also stop -# these requests from bringing up the link uneccessarily. - -# Never forward plain names (without a dot or domain part) -#domain-needed -# Never forward addresses in the non-routed address spaces. -bogus-priv - - -# Uncomment this to filter useless windows-originated DNS requests -# which can trigger dial-on-demand links needlessly. -# Note that (amongst other things) this blocks all SRV requests, -# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. -# This option only affects forwarding, SRV records originating for -# dnsmasq (via srv-host= lines) are not suppressed by it. -#filterwin2k - -# Change this line if you want dns to get its upstream servers from -# somewhere other that /etc/resolv.conf -resolv-file=/etc/resolv.conf-nikhef - -# By default, dnsmasq will send queries to any of the upstream -# servers it knows about and tries to favour servers to are known -# to be up. Uncommenting this forces dnsmasq to try each query -# with each server strictly in the order they appear in -# /etc/resolv.conf -#strict-order - -# If you don't want dnsmasq to read /etc/resolv.conf or any other -# file, getting its servers from this file instead (see below), then -# uncomment this. -#no-resolv - -# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv -# files for changes and re-read them then uncomment this. -#no-poll - -# Add other name servers here, with domain specs if they are for -# non-public domains. 
-#server=/localnet/192.168.0.1 - -# Example of routing PTR queries to nameservers: this will send all -# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 -#server=/3.168.192.in-addr.arpa/10.1.2.3 - -# Add local-only domains here, queries in these domains are answered -# from /etc/hosts or DHCP only. -#local=/localnet/ -local=/his/ - -# Add domains which you want to force to an IP address here. -# The example below send any host in doubleclick.net to a local -# webserver. -#address=/doubleclick.net/127.0.0.1 - -# --address (and --server) work with IPv6 addresses too. -#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 - -# You can control how dnsmasq talks to a server: this forces -# queries to 10.1.2.3 to be routed via eth1 -# --server=10.1.2.3@eth1 - -# and this sets the source (ie local) address used to talk to -# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that -# IP on the machine, obviously). -# --server=10.1.2.3@192.168.1.1#55 - -# If you want dnsmasq to change uid and gid to something other -# than the default, edit the following lines. -#user= -#group= - -# If you want dnsmasq to listen for DHCP and DNS requests only on -# specified interfaces (and the loopback) give the name of the -# interface (eg eth0) here. -# Repeat the line for more than one interface. -#interface= -# Or you can specify which interface _not_ to listen on -#except-interface= -except-interface=eth0 -# Or which to listen on by address (remember to include 127.0.0.1 if -# you use this.) -#listen-address= -# If you want dnsmasq to provide only DNS service on an interface, -# configure it as shown above, and then use the following line to -# disable DHCP on it. -#no-dhcp-interface= - -# On systems which support it, dnsmasq binds the wildcard address, -# even when it is listening on only some interfaces. It then discards -# requests that it shouldn't reply to. This has the advantage of -# working even when interfaces come and go and change address. 
If you -# want dnsmasq to really bind only the interfaces it is listening on, -# uncomment this option. About the only time you may need this is when -# running another nameserver on the same machine. -#bind-interfaces - -# If you don't want dnsmasq to read /etc/hosts, uncomment the -# following line. -#no-hosts -# or if you want it to read another file, as well as /etc/hosts, use -# this. -#addn-hosts=/etc/banner_add_hosts -addn-hosts=/etc/hosts-hisparc - -# Set this (and domain: see below) if you want to have a domain -# automatically added to simple names in a hosts-file. -expand-hosts - -# Set the domain for dnsmasq. this is optional, but if it is set, it -# does the following things. -# 1) Allows DHCP hosts to have fully qualified domain names, as long -# as the domain part matches this setting. -# 2) Sets the "domain" DHCP option thereby potentially setting the -# domain of all systems configured by DHCP -# 3) Provides the domain part for "expand-hosts" -#domain=thekelleys.org.uk -domain=his - -# Set a different domain for a particular subnet -#domain=wireless.thekelleys.org.uk,192.168.2.0/24 - -# Same idea, but range rather then subnet -#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 - -# Uncomment this to enable the integrated DHCP server, you need -# to supply the range of addresses available for lease and optionally -# a lease time. If you have more than one network, you will need to -# repeat this for each network on which you want to supply DHCP -# service. -#dhcp-range=192.168.0.50,192.168.0.150,12h - -# This is an example of a DHCP range where the netmask is given. This -# is needed for networks we reach the dnsmasq DHCP server via a relay -# agent. If you don't know what a DHCP relay agent is, you probably -# don't need to worry about this. -#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h - -# This is an example of a DHCP range with a network-id, so that -# some DHCP options may be set only for this network. 
-#dhcp-range=red,192.168.0.50,192.168.0.150 - -# Supply parameters for specified hosts using DHCP. There are lots -# of valid alternatives, so we will give examples of each. Note that -# IP addresses DO NOT have to be in the range given above, they just -# need to be on the same network. The order of the parameters in these -# do not matter, it's permissble to give name,adddress and MAC in any order - -# Always allocate the host with ethernet address 11:22:33:44:55:66 -# The IP address 192.168.0.60 -#dhcp-host=11:22:33:44:55:66,192.168.0.60 - -# Always set the name of the host with hardware address -# 11:22:33:44:55:66 to be "fred" -#dhcp-host=11:22:33:44:55:66,fred - -# Always give the host with ethernet address 11:22:33:44:55:66 -# the name fred and IP address 192.168.0.60 and lease time 45 minutes -#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m - -# Give a host with ethernet address 11:22:33:44:55:66 or -# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume -# that these two ethernet interfaces will never be in use at the same -# time, and give the IP address to the second, even if it is already -# in use by the first. Useful for laptops with wired and wireless -# addresses. -#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 - -# Give the machine which says its name is "bert" IP address -# 192.168.0.70 and an infinite lease -#dhcp-host=bert,192.168.0.70,infinite - -# Always give the host with client identifier 01:02:02:04 -# the IP address 192.168.0.60 -#dhcp-host=id:01:02:02:04,192.168.0.60 - -# Always give the host with client identifier "marjorie" -# the IP address 192.168.0.60 -#dhcp-host=id:marjorie,192.168.0.60 - -# Enable the address given for "judge" in /etc/hosts -# to be given to a machine presenting the name "judge" when -# it asks for a DHCP lease. 
-#dhcp-host=judge - -# Never offer DHCP service to a machine whose ethernet -# address is 11:22:33:44:55:66 -#dhcp-host=11:22:33:44:55:66,ignore - -# Ignore any client-id presented by the machine with ethernet -# address 11:22:33:44:55:66. This is useful to prevent a machine -# being treated differently when running under different OS's or -# between PXE boot and OS boot. -#dhcp-host=11:22:33:44:55:66,id:* - -# Send extra options which are tagged as "red" to -# the machine with ethernet address 11:22:33:44:55:66 -#dhcp-host=11:22:33:44:55:66,net:red - -# Send extra options which are tagged as "red" to -# any machine with ethernet address starting 11:22:33: -#dhcp-host=11:22:33:*:*:*,net:red - -# Ignore any clients which are specified in dhcp-host lines -# or /etc/ethers. Equivalent to ISC "deny unkown-clients". -# This relies on the special "known" tag which is set when -# a host is matched. -#dhcp-ignore=#known - -# Send extra options which are tagged as "red" to any machine whose -# DHCP vendorclass string includes the substring "Linux" -#dhcp-vendorclass=red,Linux - -# Send extra options which are tagged as "red" to any machine one -# of whose DHCP userclass strings includes the substring "accounts" -#dhcp-userclass=red,accounts - -# Send extra options which are tagged as "red" to any machine whose -# MAC address matches the pattern. -#dhcp-mac=red,00:60:8C:*:*:* - -# If this line is uncommented, dnsmasq will read /etc/ethers and act -# on the ethernet-address/IP pairs found there just as if they had -# been given as --dhcp-host options. Useful if you keep -# MAC-address/host mappings there for other purposes. -#read-ethers - -# Send options to hosts which ask for a DHCP lease. -# See RFC 2132 for details of available options. -# Common options can be given to dnsmasq by name: -# run "dnsmasq --help dhcp" to get a list. 
-# Note that all the common settings, such as netmask and -# broadcast address, DNS server and default route, are given -# sane defaults by dnsmasq. You very likely will not need -# any dhcp-options. If you use Windows clients and Samba, there -# are some options which are recommended, they are detailed at the -# end of this section. - -# Override the default route supplied by dnsmasq, which assumes the -# router is the same machine as the one running dnsmasq. -#dhcp-option=3,1.2.3.4 - -# Do the same thing, but using the option name -#dhcp-option=option:router,1.2.3.4 - -# Override the default route supplied by dnsmasq and send no default -# route at all. Note that this only works for the options sent by -# default (1, 3, 6, 12, 28) the same line will send a zero-length option -# for all other option numbers. -#dhcp-option=3 - -# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 -#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 - -# Set the NTP time server address to be the same machine as -# is running dnsmasq -#dhcp-option=42,0.0.0.0 - -# Set the NIS domain name to "welly" -#dhcp-option=40,welly - -# Set the default time-to-live to 50 -#dhcp-option=23,50 - -# Set the "all subnets are local" flag -#dhcp-option=27,1 - -# Send the etherboot magic flag and then etherboot options (a string). -#dhcp-option=128,e4:45:74:68:00:00 -#dhcp-option=129,NIC=eepro100 - -# Specify an option which will only be sent to the "red" network -# (see dhcp-range for the declaration of the "red" network) -# Note that the net: part must precede the option: part. -#dhcp-option = net:red, option:ntp-server, 192.168.1.1 - -# The following DHCP options set up dnsmasq in the same way as is specified -# for the ISC dhcpcd in -# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt -# adapted for a typical dnsmasq installation where the host running -# dnsmasq is also the host running samba. 
-# you may want to uncomment some or all of them if you use -# Windows clients and Samba. -#dhcp-option=19,0 # option ip-forwarding off -#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) -#dhcp-option=45,0.0.0.0 # netbios datagram distribution server -#dhcp-option=46,8 # netbios node type - -# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client -# probably doesn't support this...... -#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com - -# Send RFC-3442 classless static routes (note the netmask encoding) -#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 - -# Send vendor-class specific options encapsulated in DHCP option 43. -# The meaning of the options is defined by the vendor-class so -# options are sent only when the client supplied vendor class -# matches the class given here. (A substring match is OK, so "MSFT" -# matches "MSFT" and "MSFT 5.0"). This example sets the -# mtftp address to 0.0.0.0 for PXEClients. -#dhcp-option=vendor:PXEClient,1,0.0.0.0 - -# Send microsoft-specific option to tell windows to release the DHCP lease -# when it shuts down. Note the "i" flag, to tell dnsmasq to send the -# value as a four-byte integer - that's what microsoft wants. See -# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true -#dhcp-option=vendor:MSFT,2,1i - -# Send the Encapsulated-vendor-class ID needed by some configurations of -# Etherboot to allow is to recognise the DHCP server. -#dhcp-option=vendor:Etherboot,60,"Etherboot" - -# Send options to PXELinux. Note that we need to send the options even -# though they don't appear in the parameter request list, so we need -# to use dhcp-option-force here. -# See http://syslinux.zytor.com/pxe.php#special for details. 
-# Magic number - needed before anything else is recognised -#dhcp-option-force=208,f1:00:74:7e -# Configuration file name -#dhcp-option-force=209,configs/common -# Path prefix -#dhcp-option-force=210,/tftpboot/pxelinux/files/ -# Reboot time. (Note 'i' to send 32-bit value) -#dhcp-option-force=211,30i - -# Set the boot filename for netboot/PXE. You will only need -# this is you want to boot machines over the network and you will need -# a TFTP server; either dnsmasq's built in TFTP server or an -# external one. (See below for how to enable the TFTP server.) -#dhcp-boot=pxelinux.0 - -# Boot for Etherboot gPXE. The idea is to send two different -# filenames, the first loads gPXE, and the second tells gPXE what to -# load. The dhcp-match sets the gpxe tag for requests from gPXE. -#dhcp-match=gpxe,175 # gPXE sends a 175 option. -#dhcp-boot=net:#gpxe,undionly.kpxe -#dhcp-boot=mybootimage - -# Encapsulated options for Etherboot gPXE. All the options are -# encapsulated within option 175 -#dhcp-option=encap:175, 1, 5b # priority code -#dhcp-option=encap:175, 176, 1b # no-proxydhcp -#dhcp-option=encap:175, 177, string # bus-id -#dhcp-option=encap:175, 189, 1b # BIOS drive code -#dhcp-option=encap:175, 190, user # iSCSI username -#dhcp-option=encap:175, 191, pass # iSCSI password - -# Test for the architecture of a netboot client. PXE clients are -# supposed to send their architecture as option 93. (See RFC 4578) -#dhcp-match=peecees, option:client-arch, 0 #x86-32 -#dhcp-match=itanics, option:client-arch, 2 #IA64 -#dhcp-match=hammers, option:client-arch, 6 #x86-64 -#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 - -# Do real PXE, rather than just booting a single file, this is an -# alternative to dhcp-boot. -#pxe-prompt="What system shall I netboot?" -# or with timeout before first available action is taken: -#pxe-prompt="Press F8 for menu.", 60 - -# Available boot services. for PXE. 
-#pxe-service=x86PC, "Boot from local disk", 0 - -# Loads /pxelinux.0 from dnsmasq TFTP server. -#pxe-service=x86PC, "Install Linux", pxelinux - -# Loads /pxelinux.0 from TFTP server at 1.2.3.4. -# Beware this fails on old PXE ROMS. -#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 - -# Use bootserver on network, found my multicast or broadcast. -#pxe-service=x86PC, "Install windows from RIS server", 1 - -# Use bootserver at a known IP address. -#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 - -# If you have multicast-FTP available, -# information for that can be passed in a similar way using options 1 -# to 5. See page 19 of -# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf - - -# Enable dnsmasq's built-in TFTP server -#enable-tftp - -# Set the root directory for files availble via FTP. -#tftp-root=/var/ftpd - -# Make the TFTP server more secure: with this set, only files owned by -# the user dnsmasq is running as will be send over the net. -#tftp-secure - -# This option stops dnsmasq from negotiating a larger blocksize for TFTP -# transfers. It will slow things down, but may rescue some broken TFTP -# clients. -#tftp-no-blocksize - -# Set the boot file name only when the "red" tag is set. -#dhcp-boot=net:red,pxelinux.red-net - -# An example of dhcp-boot with an external TFTP server: the name and IP -# address of the server are given after the filename. -# Can fail with old PXE ROMS. Overridden by --pxe-service. -#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 - -# Set the limit on DHCP leases, the default is 150 -#dhcp-lease-max=150 - -# The DHCP server needs somewhere on disk to keep its lease database. -# This defaults to a sane location, but if you want to change it, use -# the line below. -#dhcp-leasefile=/var/lib/misc/dnsmasq.leases - -# Set the DHCP server to authoritative mode. 
In this mode it will barge in -# and take over the lease for any client which broadcasts on the network, -# whether it has a record of the lease or not. This avoids long timeouts -# when a machine wakes up on a new network. DO NOT enable this if there's -# the slighest chance that you might end up accidentally configuring a DHCP -# server for your campus/company accidentally. The ISC server uses -# the same option, and this URL provides more information: -# http://www.isc.org/index.pl?/sw/dhcp/authoritative.php -#dhcp-authoritative - -# Run an executable when a DHCP lease is created or destroyed. -# The arguments sent to the script are "add" or "del", -# then the MAC address, the IP address and finally the hostname -# if there is one. -#dhcp-script=/bin/echo - -# Set the cachesize here. -#cache-size=150 - -# If you want to disable negative caching, uncomment this. -#no-negcache - -# Normally responses which come form /etc/hosts and the DHCP lease -# file have Time-To-Live set as zero, which conventionally means -# do not cache further. If you are happy to trade lower load on the -# server for potentially stale date, you can set a time-to-live (in -# seconds) here. -#local-ttl= - -# If you want dnsmasq to detect attempts by Verisign to send queries -# to unregistered .com and .net hosts to its sitefinder service and -# have dnsmasq instead return the correct NXDOMAIN response, uncomment -# this line. You can add similar lines to do the same for other -# registries which have implemented wildcard A records. -#bogus-nxdomain=64.94.110.11 - -# If you want to fix up DNS results from upstream servers, use the -# alias option. This only works for IPv4. 
-# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 -#alias=1.2.3.4,5.6.7.8 -# and this maps 1.2.3.x to 5.6.7.x -#alias=1.2.3.0,5.6.7.0,255.255.255.0 -# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 -#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 - -# Change these lines if you want dnsmasq to serve MX records. - -# Return an MX record named "maildomain.com" with target -# servermachine.com and preference 50 -#mx-host=maildomain.com,servermachine.com,50 - -# Set the default target for MX records created using the localmx option. -#mx-target=servermachine.com - -# Return an MX record pointing to the mx-target for all local -# machines. -#localmx - -# Return an MX record pointing to itself for all local machines. -#selfmx - -# Change the following lines if you want dnsmasq to serve SRV -# records. These are useful if you want to serve ldap requests for -# Active Directory and other windows-originated DNS requests. -# See RFC 2782. -# You may add multiple srv-host lines. -# The fields are ,,,, -# If the domain part if missing from the name (so that is just has the -# service and protocol sections) then the domain given by the domain= -# config option is used. (Note that expand-hosts does not need to be -# set for this to work.) 
- -# A SRV record sending LDAP for the example.com domain to -# ldapserver.example.com port 289 -#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 - -# A SRV record sending LDAP for the example.com domain to -# ldapserver.example.com port 289 (using domain=) -#domain=example.com -#srv-host=_ldap._tcp,ldapserver.example.com,389 - -# Two SRV records for LDAP, each with different priorities -#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 -#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 - -# A SRV record indicating that there is no LDAP server for the domain -# example.com -#srv-host=_ldap._tcp.example.com - -# The following line shows how to make dnsmasq serve an arbitrary PTR -# record. This is useful for DNS-SD. (Note that the -# domain-name expansion done for SRV records _does_not -# occur for PTR records.) -#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" - -# Change the following lines to enable dnsmasq to serve TXT records. -# These are used for things like SPF and zeroconf. (Note that the -# domain-name expansion done for SRV records _does_not -# occur for TXT records.) - -#Example SPF. -#txt-record=example.com,"v=spf1 a -all" - -#Example zeroconf -#txt-record=_http._tcp.example.com,name=value,paper=A4 - -# Provide an alias for a "local" DNS name. Note that this _only_ works -# for targets which are names from DHCP or /etc/hosts. Give host -# "bert" another name, bertrand -#cname=bertand,bert - -# For debugging purposes, log each DNS query as it passes through -# dnsmasq. -#log-queries - -# Log lots of extra information about DHCP transactions. -#log-dhcp - -# Include a another lot of configuration options. -#conf-file=/etc/dnsmasq.more.conf -#conf-dir=/etc/dnsmasq.d diff --git a/provisioning/roles/openvpn/files/openvpn/README.md b/provisioning/roles/openvpn/files/openvpn/README.md deleted file mode 100644 index 76f04440d..000000000 
--- a/provisioning/roles/openvpn/files/openvpn/README.md +++ /dev/null 
@@ -1,198 +0,0 @@ -HiSPARC VPN -=========== - -Er zijn twee VPNs: -- een stations VPN. Hierin zitten alle stations. Station kunnen elkaar niet benaderen. -- een admin VPN. In dit VPN loggen beheerders/coordinator in. Vanuit dit VPN kunnen alle stations (die in verbinding gemaakt hebben met het stations VPN) benaderd worden. (VNC e.d.) - -OpenVPN configs staan op tietar in `/etc/openvpn` - -``` -client.conf # stations VPN -admin.conf # admin VPN -openssl.conf # openssl config voor keys -openssladmin.conf # openssl config voor admin adminkeys -client/ # de keys die nodig zijn voor OpenVPN van het stations VPN -admin/ # de keys die nodig zijjn voor OpenVPN van het admin VPN -keys/ # PKI/sleutelparen stations VPN -adminkeys/ # PKI/sleutelparen admin VPN -# de sleutelparen worden via de admin interface van pique -# gemaakt door `hisparcvpnd` (met `easy_rsa`) en in deze -# mappen opgeslagen -easy_rsa # scripts om met openssl sleutelparen en sigs te maken. -``` - -OpenVPN logt naar syslog: `/var/log/messages` -OpenVPN herstarten: `sudo service openvpn restart` - - -De certificaten voor het HiSPARC VPN -==================================== - -OpenVPN gebruikt x509 certificaten (zoals TLS/SSL voor HTTPS) voor het -verifieren van de identiteit van servers/clients bij het inloggen. -x509 gebruikt een RSA publiek/geheim sleutelpaar als cryptografische basis. -De x509 PKI is gebaseerd op een vertrouwde centrale service: De root certificate -authority: `root CA`. - -Er zijn type drie bestanden: - -- `naam.key`: De RSA geheime sleutel. Moet geheim blijven. -- `naam.csr`: `Certificate Signing Request`: De publieke sleutel met contact -info. Waardeloos omdat de echtheid niet kan worden geverifieerd. Een CA -(Certificate Authority) maakt hiervan een certificaat. -- `naam.crt`: Certificaat: RSA publieke sleutel digitaal ondertekend, in ons -geval door de root CA geheime sleutel. - -Het admin VPN gebruikt een ander root CA sleutelpaar dan het station VPN. 
-De client/server van beide VPNs gebruiken wel dezelfde root CA. -Dat wil zeggen clients en server gebruiken hetzelfde RSA sleutelpaar als root. - -De CA root bestanden zijn: -``` -ca.crt # publiek -ca.key # geheim. Niet op de server bewaren! -``` -Het publieke deel (`ca.crt`) bevat de RSA publieke sleutel. Hiermee kunnen -signatures van andere sleutels geverifieerd worden. Dit bestand is op alle -clients nodig. - -`ca.key` is in de HiSPARC implementatie op de server nodig, omdat het nodig -is om nieuwe stations certificaten te ondertekenen. `tietar` is ook de CA. - -De server heeft een sleutelpaar: -``` -server.crt # publiek: RSA publieke sleutel ondertekend door root CA -server.csr # niet nodig. Gooi weg. -server.key # geheim. Moet op server staan. -``` - -Alle clients (elk station, elke admin) hebben een RSA sleutelpaar: - -``` -station.crt # publiek: RSA publieke sleutel ondertekend door root CA -station.csr # niet nodig. Gooi weg. -station.key # geheim. Niet op de server bewaren! Is nodig op de client. -``` - -De `*.csr` bestanden zijn niet nodig omdat het een tussenproduct is. Een -RSA sleutelpaar (`.key` en `.csr`) kan fysiek gescheiden van de CA gemaakt -worden. De CA ontvangt alleen de publieke sleutel in `.csr` en verifieert -de identiteit en sleutel. Daarna ondertekent de CA de publieke sleutel -en stuurt `.crt` terug. -In HiSPARC kunnen we de `.csr` bestanden dus weggooien. Ze bevatten geen -informatie die niet ook in het `.crt` certificaat staat. 
- -Certificaten bekijken -===================== - -Bekijk certificaat (vervaldatum, serie nummer, modulus): - -``` -openssl x509 -noout -text -in ca.crt -``` - -Controleer of de signature van een station/server certificaat -geldig is: - -``` -openssl verify -CAfile ca.crt sciencepark501.crt -openssl verify -CAfile ca.crt server.crt -``` - - -Nieuw keys Maart 2018 -===================== - -Op 1 Maart 2018 verliep het root CA van het station VPN - -``` -cd /etc/openvpn/keys -openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey ca.key -# vervang ca.crt door ca_new.crt en sla ca.key ergens veilig op. -``` - -Het oude root CA was 10 jaar geldig. Het nieuwe 100 jaar. Omdat het RSA sleutelpaar niet gewijzigd is, zijn signatures -van het oude CA ook nog geldig met het nieuwe. De station/server sleutels "doen het nog". (Tot ze zelf verlopen) - -De server key verliep op dezelfde dag. We maken een nieuw -sleutelpaar: - -``` -# backup /etc/openvpn/keys/server* -# start een root shell: -cd /etc/openvpn/easy_rsa -# voeg COMMON_NAME=tietar.hisparc.nl toe aan `vars` -source ./vars -build-server-keys server -``` -`/etc/openvpn/keys/server.*` zijn nu vervangen. Opslaan op - veilige plek! - -Doe hetzelfde voor het admin VPN: - -``` -cd /etc/openvpn/adminkeys -openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey ca.key -# vervang ca.crt door ca_new.crt en sla ca.key ergens veilig op. -``` - -``` -# backup /etc/openvpn/keys/server* -# start een root shell: -cd /etc/openvpn/easy_rsa -# voeg COMMON_NAME=server toe aan `vars-admin` -source ./vars-admin -build-server-keys server -``` - -`/etc/openvpn/adminkeys/server.*` zijn nu vervangen. Opslaan op veilige plek! 
- -Zoeken naar certificaten die gaan verlopen -========================================== - -Gebruik dit script: `checkdates.sh` -``` -#!/usr/bin/env bash -for filename in $(find /etc/openvpn/keys/*.crt 2> /dev/null); do - { date --date="$(openssl x509 -in $filename -noout -enddate | cut -d= -f 2)" --iso-8601; echo "$filename";} | xargs -n 2 -done -``` -En sorteer: - -``` -> ./checkdates.sh | sort | head -2018-03-01 /etc/openvpn/keys/karel.crt -2018-06-07 /etc/openvpn/keys/pimu1.crt -2018-06-07 /etc/openvpn/keys/uva1.crt -2018-06-11 /etc/openvpn/keys/hal1.crt -2018-06-11 /etc/openvpn/keys/nikhef2.crt -2018-06-11 /etc/openvpn/keys/sara1.crt -2018-06-14 /etc/openvpn/keys/kascade1.crt -2018-06-24 /etc/openvpn/keys/hwc1.crt -2018-07-12 /etc/openvpn/keys/nikhef1.crt -2018-07-30 /etc/openvpn/keys/testdrive.crt - -``` - -easy_rsa -======== - -`easy_rsa` is een verzameling script die OpenSSL gebruiken om de x509 PKI te runnen. (https://github.com/OpenVPN/easy-rsa) -We gebruiken een vendored (eigen) versie in `/etc/openvpn/easy_rsa` deze loopt zover achter op -de huidige versie van `easy_rsa` dat overstappen niet meer praktisch is. - -MD5 -> SHA256 -============= - -Er is een script `replace-key` in onze vendored `easy_rsa` waarmee je een nieuw certificaat `.crt` (publieke sleutel) kan maken -bij een bestaande geheime sleuel (`.key`). Dit is tegen de x509 standaard, maar maakt het mogelijk om een station (per email) een -nieuwe certificaat te sturen, waarmee ingelogd kan worden zonder het geheime deel te veranderen en uit te wisselen. - -Keys op tietar? -=============== -In a perfect world we would: -Store the root CA secret key on `pique` and let the STATION PC generate an RSA keypair and send it's certificate signing request (CSR) to an admin, while keeping it's secret key secret. 
An admin uses the admin interface on pique to create a PC object, and uploades the CSR to create a certificate signed with the root CA and stores the certificate (or just it's serial) in the database, to be able to revoke it. Keys are not in possession of the admins or on pique or tietar. hisparcvpnd is only used to add the new hostname to the hostfile on tietar. The admin then sends the certificate to the station pc, which can login because it owns the matching secret key. - -TODO -==== diff --git a/provisioning/roles/openvpn/files/openvpn/admin.conf b/provisioning/roles/openvpn/files/openvpn/admin.conf deleted file mode 100644 index d96eaa5ed..000000000 --- a/provisioning/roles/openvpn/files/openvpn/admin.conf +++ /dev/null 
@@ -1,75 +0,0 @@
-# OpenVPN Client Configuratie
-
-# Connectie poort
-port 1194
-
-# Protocal
-proto udp
-
-#type vpn
-dev tun0
-
-# de belangrijkste certificaten
-ca /etc/openvpn/admin/ca.crt
-cert /etc/openvpn/admin/server.crt
-key /etc/openvpn/admin/server.key # This file should be kept secret
-
-# Diffie hellman parameters.
-dh /etc/openvpn/client/dh2048.pem
-
-# De ip range voor het netwerk
-server 172.16.66.0 255.255.255.0
-
-# Om te onthouden wie welk ip krijgt
-ifconfig-pool-persist ipp-admin.txt
-
-# Zodat verkeer tussen Client en Admin VPN mogelijk blijft
-push "route 194.171.82.0 255.255.254.0"
-
-# Om de configuratie voor de Clients uit te lezen
-;client-config-dir ccd
-
-# Certain Windows-specific network settings
-# can be pushed to clients, such as DNS
-# or WINS server addresses. CAVEAT:
-# http://openvpn.net/faq.html#dhcpcaveats
-push "dhcp-option DNS 172.16.66.1"
-push "dhcp-option DOMAIN his"
-
-# Om tegen te client te zeggen als de verbinding wegvalt dat hij binnen 20 secs weer connectie zoekt
-keepalive 10 20
-
-# Vooral om DDOSSEN te voorkomen en langdurige overbelasting ervan
-tls-auth /etc/openvpn/client/ta.key 0 # This file is secret
-
-# Om de verbinding te comprimeren
-comp-lzo
-
-# Aantal clients tegelijk mogelijk
-max-clients 100
-
-# User en Group waarop OpenVPN draait
-user nobody
-group nobody
-
-# Om ervoor te zorgen dat OpenVPN nog steeds de certificaten kan uitlezen als nobody
-persist-key
-persist-tun
-
-# Logging
-status /var/log/openvpn-status-admin.log
-
-verb 6
-
-# Voor het controleren of een certificaat geblokkeerd is
-#;crl-verify /etc/openvpn/keys/crl.pem
-
-# Voor het IP adressen uitdelen
-topology subnet
-
-#management interface
-#management localhost 1338
-
-# support two different versions of OpenVPN
-tun-mtu 1500
-tun-mtu-extra 32
diff --git a/provisioning/roles/openvpn/files/openvpn/admin/README b/provisioning/roles/openvpn/files/openvpn/admin/README
deleted file mode 100644
index ff14a322c..000000000
--- a/provisioning/roles/openvpn/files/openvpn/admin/README
+++ /dev/null
@@ -1,5 +0,0 @@
-The PKI (where hisparcvpnd does its work, controlled by the data.hisparc.nl admin interface) lives in /etc/openvpn/adminkeys.
-
-in this folder the keys/certs necessary for OpenVPN live.
-
-
diff --git a/provisioning/roles/openvpn/files/openvpn/admin/ca.crt b/provisioning/roles/openvpn/files/openvpn/admin/ca.crt
deleted file mode 100644
index a3c20eb28..000000000
--- a/provisioning/roles/openvpn/files/openvpn/admin/ca.crt
+++ /dev/null
@@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEuTCCA6GgAwIBAgIJAOzofGOfNzjOMA0GCSqGSIb3DQEBCwUAMIGYMQswCQYD -VQQGEwJOTDELMAkGA1UECBMCTkgxEjAQBgNVBAcTCUFtc3RlcmRhbTEYMBYGA1UE -ChMPSGlTUEFSQywgTmlraGVmMRAwDgYDVQQLEwdIaVNQQVJDMRowGAYDVQQDExFI -aVNQQVJDIEFkbWluIFZQTjEgMB4GCSqGSIb3DQEJARYRaGlzcGFyY0BuaWtoZWYu -bmwwIBcNMTgwMzI2MDg0OTQyWhgPMjExODAzMDIwODQ5NDJaMIGYMQswCQYDVQQG -EwJOTDELMAkGA1UECBMCTkgxEjAQBgNVBAcTCUFtc3RlcmRhbTEYMBYGA1UEChMP -SGlTUEFSQywgTmlraGVmMRAwDgYDVQQLEwdIaVNQQVJDMRowGAYDVQQDExFIaVNQ -QVJDIEFkbWluIFZQTjEgMB4GCSqGSIb3DQEJARYRaGlzcGFyY0BuaWtoZWYubmww -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTa6a2K6UkglFWgZF8Sj7T -yKyhnaMEYhqq6szPVIwzGUV4xSS6kXc0R2HXNGau9xIlKHH5GMe1US5IiRr8hEhJ -xOGGqlMj1q3HBl3cLKOzrI47m7/XoKRAjoeChyS4WcwJWQoV5pS5oP6XI8TpIrY7 -1LaOCq/StGmrU7DCgu8mQcrWT+4h7EAPF4sxShAC9Fpnb/roZmh+nmmBjmCwBGjf -rN9oCUzEPKZB0mh8WvyoVIkgpMH7gRw7Okw0o6SZ8pHoJvyB8bbp2CzpPlcQ6NqL -wpfv/cv+mEVhP7mGNWqsbkSwYZEb8Pdf+50p5hIiy2sB5xehGxsO5P1KwqH1mzXz -AgMBAAGjggEAMIH9MB0GA1UdDgQWBBQp/4MIEZ9TNDi1YMcoZRH+zKHVMzCBzQYD -VR0jBIHFMIHCgBQp/4MIEZ9TNDi1YMcoZRH+zKHVM6GBnqSBmzCBmDELMAkGA1UE -BhMCTkwxCzAJBgNVBAgTAk5IMRIwEAYDVQQHEwlBbXN0ZXJkYW0xGDAWBgNVBAoT -D0hpU1BBUkMsIE5pa2hlZjEQMA4GA1UECxMHSGlTUEFSQzEaMBgGA1UEAxMRSGlT -UEFSQyBBZG1pbiBWUE4xIDAeBgkqhkiG9w0BCQEWEWhpc3BhcmNAbmlraGVmLm5s -ggkA7Oh8Y583OM4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAF44P -J4NhmYLvZ1NVsrfA8NYkw+z4Bg7eKpTKcUif5NET76jZi83NsaCSfECaAd9UJ3BJ -gGJv1E7palUB7cHs+KaWSZ+0i0pCPfMGj7ZUgq6NCrQcJg7pbdKRLmXq11tNLpxs -TeSeJDABApjJv8LdNYY8YbJj4gV8+DuvZEd+bUvIwGOde+Jonaq+TxM183xUAhto -rFJoDY5gTZh95tXWJ3Y5GHwfxfWGcnlMCja6WvSPN/cIdw5aXTVEViyLY+f5Pv8x -2N9rkJHqQmfRk7drwVgnldReB/2eFt9o7sG5AoC6SS0xs/qAsgLdaXr4J9KW2dJd -DqvEhMlmgQrHPQ34Zg== ------END CERTIFICATE----- diff --git a/provisioning/roles/openvpn/files/openvpn/admin/server.crt b/provisioning/roles/openvpn/files/openvpn/admin/server.crt deleted file mode 100644 index a313311b7..000000000 
--- a/provisioning/roles/openvpn/files/openvpn/admin/server.crt
+++ /dev/null
@@ -1,94 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 19 (0x13) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=NL, ST=NH, L=Amsterdam, O=HiSPARC, Nikhef, OU=HiSPARC, CN=HiSPARC Admin VPN/emailAddress=hisparc@nikhef.nl - Validity - Not Before: Apr 16 06:05:35 2018 GMT - Not After : Mar 23 06:05:35 2118 GMT - Subject: C=NL, ST=NH, O=HiSPARC, Nikhef, OU=HiSPARC, CN=server/emailAddress=hisparc@nikhef.nl - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:c9:82:71:0d:62:65:97:7c:3e:b4:b5:53:86:99: - 5c:8f:7b:a6:bd:4b:d1:6d:97:a4:a4:3a:3e:5f:d3: - 6c:cb:4e:ea:bd:65:69:45:be:8c:58:05:fc:90:88: - 48:6c:9e:03:00:35:66:d8:f9:0e:1d:a1:e6:a8:22: - 78:f9:36:a8:cf:3e:ac:ac:85:4e:4d:43:26:fa:08: - 9c:5b:32:e2:e6:14:1c:6c:04:df:8f:09:10:04:28: - 58:87:a1:ac:50:3f:b5:1d:73:ac:e7:cf:e7:7f:65: - ac:c7:bd:a7:9a:42:44:a3:96:ed:e1:b0:08:89:73: - 4c:a0:a5:5f:d6:16:c5:5f:67:ba:d7:cb:21:09:dd: - 7e:db:c1:de:20:5e:2e:20:74:0a:f7:08:4c:e5:db: - b6:b3:37:71:ce:24:a9:fd:f9:94:fd:82:1f:ca:83: - bb:22:71:83:43:6a:0e:e8:9c:ed:5b:4a:29:95:30: - 3a:d7:d4:fd:ff:44:b6:81:b0:91:30:22:7d:68:78: - e6:19:eb:93:8d:8a:3a:17:99:44:29:b8:0f:92:d3: - 00:fc:83:d5:47:d4:9d:a8:4d:32:06:5e:a9:06:8d: - 36:7c:30:ff:35:86:4d:2e:46:d1:52:af:82:d4:eb: - 9e:bb:08:10:41:63:b6:fb:98:eb:c1:13:23:18:c8: - 2f:a7 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Comment: - OpenSSL Generated Server Certificate - X509v3 Subject Key Identifier: - DB:8F:7E:2E:3F:5D:DB:C7:6F:F8:8F:51:40:89:57:37:F2:35:A9:D8 - X509v3 Authority Key Identifier: - keyid:29:FF:83:08:11:9F:53:34:38:B5:60:C7:28:65:11:FE:CC:A1:D5:33 - DirName:/C=NL/ST=NH/L=Amsterdam/O=HiSPARC, Nikhef/OU=HiSPARC/CN=HiSPARC Admin VPN/emailAddress=hisparc@nikhef.nl - serial:EC:E8:7C:63:9F:37:38:CE - - X509v3 Extended Key Usage: - TLS Web Server Authentication - X509v3 Key Usage: - Digital Signature, Key Encipherment - Signature Algorithm: 
sha256WithRSAEncryption - 9f:cd:06:52:b0:83:f2:33:62:b3:bf:df:1e:11:a8:23:8f:df: - fa:00:61:54:02:ee:f9:49:70:df:21:ac:01:eb:79:48:fb:7d: - 80:e3:76:87:9f:5c:25:ce:fd:5b:59:24:33:34:b2:00:0f:75: - 01:17:53:01:39:be:56:1f:29:53:2a:e7:8b:53:ea:da:a2:82: - 0f:44:c1:0d:69:c7:3c:65:e4:41:93:b7:b4:9e:ae:2a:8e:24: - da:75:75:08:7d:95:36:cf:03:f4:05:6d:f2:73:be:e9:80:57: - 3f:d8:f0:e6:39:96:9f:20:6a:d8:94:9d:59:67:e9:6c:3f:dc: - 97:5d:a0:3b:86:26:3b:98:de:00:c0:44:aa:29:a9:ad:c1:0a: - 07:4f:02:aa:3e:aa:af:a5:4d:50:ab:1a:de:ee:83:9f:e4:0b: - f4:4c:cb:b1:ad:a5:8c:97:18:07:2a:32:f2:ca:71:a1:47:21: - 4f:c2:b5:9e:35:46:16:f1:81:17:0c:da:2f:47:10:bf:ae:90: - cf:46:99:3e:0e:17:d7:bd:97:57:1e:eb:57:d7:43:ed:89:12: - 9d:9d:cd:e0:24:86:66:47:9a:69:0d:26:96:17:d4:bc:68:76: - 2c:05:05:96:9e:3e:e7:12:98:cc:39:70:78:a1:6e:d5:2b:15: - 49:68:95:97 ------BEGIN CERTIFICATE----- -MIIE5jCCA86gAwIBAgIBEzANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCTkwx -CzAJBgNVBAgTAk5IMRIwEAYDVQQHEwlBbXN0ZXJkYW0xGDAWBgNVBAoTD0hpU1BB -UkMsIE5pa2hlZjEQMA4GA1UECxMHSGlTUEFSQzEaMBgGA1UEAxMRSGlTUEFSQyBB -ZG1pbiBWUE4xIDAeBgkqhkiG9w0BCQEWEWhpc3BhcmNAbmlraGVmLm5sMCAXDTE4 -MDQxNjA2MDUzNVoYDzIxMTgwMzIzMDYwNTM1WjB5MQswCQYDVQQGEwJOTDELMAkG -A1UECBMCTkgxGDAWBgNVBAoTD0hpU1BBUkMsIE5pa2hlZjEQMA4GA1UECxMHSGlT -UEFSQzEPMA0GA1UEAxMGc2VydmVyMSAwHgYJKoZIhvcNAQkBFhFoaXNwYXJjQG5p -a2hlZi5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmCcQ1iZZd8 -PrS1U4aZXI97pr1L0W2XpKQ6Pl/TbMtO6r1laUW+jFgF/JCISGyeAwA1Ztj5Dh2h -5qgiePk2qM8+rKyFTk1DJvoInFsy4uYUHGwE348JEAQoWIehrFA/tR1zrOfP539l -rMe9p5pCRKOW7eGwCIlzTKClX9YWxV9nutfLIQndftvB3iBeLiB0CvcITOXbtrM3 -cc4kqf35lP2CH8qDuyJxg0NqDuic7VtKKZUwOtfU/f9EtoGwkTAifWh45hnrk42K -OheZRCm4D5LTAPyD1UfUnahNMgZeqQaNNnww/zWGTS5G0VKvgtTrnrsIEEFjtvuY -68ETIxjIL6cCAwEAAaOCAVUwggFRMAkGA1UdEwQCMAAwMwYJYIZIAYb4QgENBCYW -JE9wZW5TU0wgR2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU -249+Lj9d28dv+I9RQIlXN/I1qdgwgc0GA1UdIwSBxTCBwoAUKf+DCBGfUzQ4tWDH -KGUR/syh1TOhgZ6kgZswgZgxCzAJBgNVBAYTAk5MMQswCQYDVQQIEwJOSDESMBAG 
-A1UEBxMJQW1zdGVyZGFtMRgwFgYDVQQKEw9IaVNQQVJDLCBOaWtoZWYxEDAOBgNV -BAsTB0hpU1BBUkMxGjAYBgNVBAMTEUhpU1BBUkMgQWRtaW4gVlBOMSAwHgYJKoZI -hvcNAQkBFhFoaXNwYXJjQG5pa2hlZi5ubIIJAOzofGOfNzjOMBMGA1UdJQQMMAoG -CCsGAQUFBwMBMAsGA1UdDwQEAwIFoDANBgkqhkiG9w0BAQsFAAOCAQEAn80GUrCD -8jNis7/fHhGoI4/f+gBhVALu+Ulw3yGsAet5SPt9gON2h59cJc79W1kkMzSyAA91 -ARdTATm+Vh8pUyrni1Pq2qKCD0TBDWnHPGXkQZO3tJ6uKo4k2nV1CH2VNs8D9AVt -8nO+6YBXP9jw5jmWnyBq2JSdWWfpbD/cl12gO4YmO5jeAMBEqimprcEKB08Cqj6q -r6VNUKsa3u6Dn+QL9EzLsa2ljJcYByoy8spxoUchT8K1njVGFvGBFwzaL0cQv66Q -z0aZPg4X172XVx7rV9dD7YkSnZ3N4CSGZkeaaQ0mlhfUvGh2LAUFlp4+5xKYzDlw -eKFu1SsVSWiVlw== ------END CERTIFICATE----- diff --git a/provisioning/roles/openvpn/files/openvpn/adminkeys/README b/provisioning/roles/openvpn/files/openvpn/adminkeys/README deleted file mode 100644 index 9ff25b8d9..000000000 --- a/provisioning/roles/openvpn/files/openvpn/adminkeys/README +++ /dev/null @@ -1,5 +0,0 @@ -The PKI of the admin vpn lives here. - -Keys/certificates here are not used by OpenVPN. But are -created and stored here. `hisparcvpnd` uses `easy_rsa` to create -keys here and transfers them to pique from here. diff --git a/provisioning/roles/openvpn/files/openvpn/client.conf b/provisioning/roles/openvpn/files/openvpn/client.conf deleted file mode 100644 index 4c3021b13..000000000 --- a/provisioning/roles/openvpn/files/openvpn/client.conf +++ /dev/null 
@@ -1,74 +0,0 @@
-# OpenVPN Client Configuratie
-
-# Connectie poort
-port 443
-
-# Protocal
-proto tcp
-
-#type vpn
-dev tun1
-
-# de belangrijkste certificaten
-ca /etc/openvpn/client/ca.crt
-cert /etc/openvpn/client/server.crt
-key /etc/openvpn/client/server.key # This file should be kept secret
-
-# Diffie hellman parameters.
-dh /etc/openvpn/client/dh2048.pem
-
-# De ip range voor het netwerk
-server 194.171.82.0 255.255.254.0
-
-# Om te onthouden wie welk ip krijgt
-ifconfig-pool-persist ipp.txt
-
-# Zodat verkeer tussen Client en Admin VPN mogelijk blijft
-push "route 172.16.66.0 255.255.255.0"
-
-# Om de configuratie voor de Clients uit te lezen
-client-config-dir ccd
-
-# Certain Windows-specific network settings
-# can be pushed to clients, such as DNS
-# or WINS server addresses. CAVEAT:
-# http://openvpn.net/faq.html#dhcpcaveats
-;push "dhcp-option DNS 10.8.0.1"
-
-# Om tegen te client te zeggen als de verbinding wegvalt dat hij binnen 20 secs weer connectie zoekt
-keepalive 10 20
-
-# Vooral om DDOSSEN te voorkomen en langdurige overbelasting ervan
-tls-auth /etc/openvpn/client/ta.key 0 # This file is secret
-
-# Om de verbinding te comprimeren
-comp-lzo
-
-# Aantal clients tegelijk mogelijk
-max-clients 500
-
-# User en Group waarop OpenVPN draait
-user nobody
-group nobody
-
-# Om ervoor te zorgen dat OpenVPN nog steeds de certificaten kan uitlezen als nobody
-persist-key
-persist-tun
-
-# Logging
-status /var/log/openvpn-status.log
-
-verb 3
-
-# Voor het controleren of een certificaat geblokkeerd is
-#crl-verify /etc/openvpn/keys/crl.pem
-
-# Voor het IP adressen uitdelen
-topology subnet
-
-#management interface
-#management localhost 1337
-
-#support two different versions op OpenVPN
-tun-mtu 1500
-tun-mtu-extra 32
diff --git a/provisioning/roles/openvpn/files/openvpn/client/README b/provisioning/roles/openvpn/files/openvpn/client/README
deleted file mode 100644
index db4c2fcf6..000000000
--- a/provisioning/roles/openvpn/files/openvpn/client/README
+++ /dev/null
@@ -1,5 +0,0 @@
-The keys for the client (station) VPN live here.
-
-server.key and ta.key SHOULD BE KEPT SECRET
-
-dh2048.pem (not secret) and ta.key (secret) are also used by the admin VPN.
diff --git a/provisioning/roles/openvpn/files/openvpn/client/ca.crt b/provisioning/roles/openvpn/files/openvpn/client/ca.crt
deleted file mode 100644
index 335d88efd..000000000
--- a/provisioning/roles/openvpn/files/openvpn/client/ca.crt
+++ /dev/null
@@ -1,28 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEtTCCA52gAwIBAgIJAMW2050JiGatMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD -VQQGEwJOTDELMAkGA1UECBMCTkgxEjAQBgNVBAcTCUFtc3RlcmRhbTEYMBYGA1UE -ChMPSGlTUEFSQywgTmlraGVmMRAwDgYDVQQLEwdIaVNQQVJDMRkwFwYDVQQDExB0 -aWV0YXIubmlraGVmLm5sMSAwHgYJKoZIhvcNAQkBFhFoaXNwYXJjQG5pa2hlZi5u -bDAgFw0xODAzMjcyMDA5NThaGA8yMTE4MDMwMzIwMDk1OFowgZcxCzAJBgNVBAYT -Ak5MMQswCQYDVQQIEwJOSDESMBAGA1UEBxMJQW1zdGVyZGFtMRgwFgYDVQQKEw9I -aVNQQVJDLCBOaWtoZWYxEDAOBgNVBAsTB0hpU1BBUkMxGTAXBgNVBAMTEHRpZXRh -ci5uaWtoZWYubmwxIDAeBgkqhkiG9w0BCQEWEWhpc3BhcmNAbmlraGVmLm5sMIIB -IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0dYabrSl3aIcgFCE8p2Sz/jv -xlavYjD6UXEcr4HNf1T5qkAqV1UCy189dPe9Heiu//awUPla0ZNtpY4g2SQ/H/+9 -SskUQnBfReSbuyYC3MvANM6KFLzV3ufjCwTgo2ivyTgTm+rah+fmiTWQco2Jtu2J -2HthHuMo7cBdMn0Asy51CZbLTL118qee9CIhRsNupPzn9ZHqhba8AItutmEQOMGd -lNutu0HLoQ4r1xBQ2TCzCToPCO30s1H/jsQ+0Tw6uK8bYDf0IByoHUNRzxSoXSJ8 -PYJ4UQvWKV6ZTzf6zB3KpEXm6hHKpC3pmHVJ79zY8LVpbgQD0wlRmlDq1KGHKwID -AQABo4H/MIH8MB0GA1UdDgQWBBSrw0cU0u6bG+bj3E9ZcJVVxgZy8TCBzAYDVR0j -BIHEMIHBgBSrw0cU0u6bG+bj3E9ZcJVVxgZy8aGBnaSBmjCBlzELMAkGA1UEBhMC -TkwxCzAJBgNVBAgTAk5IMRIwEAYDVQQHEwlBbXN0ZXJkYW0xGDAWBgNVBAoTD0hp -U1BBUkMsIE5pa2hlZjEQMA4GA1UECxMHSGlTUEFSQzEZMBcGA1UEAxMQdGlldGFy -Lm5pa2hlZi5ubDEgMB4GCSqGSIb3DQEJARYRaGlzcGFyY0BuaWtoZWYubmyCCQDF -ttOdCYhmrTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAg4LpBeIsK -rRgEQd5zKCvjtaAmX9512AH9UDWvjyKtX0Hp0eqoLPxIkHZouGSJRXGThsLOK+gK -7ONN2CqO5R5n5j/JceT+KOzXam6yZxEcEYKbQ3SdLiaNJxdMhvJTKS91AXSIy770 -CBLE+OA8o51YwPLu93SzZhVXIYsRurgyNxb+YZ4FhvijNr3AwFDR5LVQQni0kWZr -2KH2ovFlEDbl7GbAteCqkzgeCkiDwhpYvkW+HpPFaOSC6FXaJaTPU9haVIDO98cE -NBoZxASBDjmFOvgBlwCk8gwlJcSmcaHF5/EBz14weAUj9GE/J/8Pmd9GHghPiOhX -arMVtAPOoRFn ------END CERTIFICATE----- diff --git a/provisioning/roles/openvpn/files/openvpn/client/dh2048.pem b/provisioning/roles/openvpn/files/openvpn/client/dh2048.pem deleted file mode 100644 index f99600d5f..000000000 
--- a/provisioning/roles/openvpn/files/openvpn/client/dh2048.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEApbPC8dtZYv1zCbzk5g8oDIUJTaHo0fVGYX6/uAxRZqHiiywc9vXc -vJNP+cVdtY5TkZ5SjCsufIf26vG19AG0/62hudrGJnrpX0mml26/qE3QNcbsHCZJ -K/lN5uDXyhYuR03VUINLmSQjHgs1e/QtTUZLaqcN3wfiSP+mPkgTJoLhOIRy813X -2+cTOCrF6gUhGDoQsKBu/VPFpkz9jAFYIqiQIEFGMTnU6WdtAvsS9+swLyHFohuC -/n+cJ2rojAXEq4jthHfiNypYBNzyjpu0gNVfOpkx0wHJ8tiIybgYHebUuuKyVdgR -HeeFoFCs8Y+C/xYZhr1K9rVEXDaHJylBswIBAg== ------END DH PARAMETERS----- diff --git a/provisioning/roles/openvpn/files/openvpn/client/server.crt b/provisioning/roles/openvpn/files/openvpn/client/server.crt deleted file mode 100644 index 49b5c5bcf..000000000 --- a/provisioning/roles/openvpn/files/openvpn/client/server.crt +++ /dev/null 
@@ -1,96 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 4097 (0x1001) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=NL, ST=NH, L=Amsterdam, O=HiSPARC, Nikhef, OU=HiSPARC, CN=tietar.nikhef.nl/emailAddress=hisparc@nikhef.nl - Validity - Not Before: Mar 29 12:18:24 2018 GMT - Not After : Mar 5 12:18:24 2118 GMT - Subject: C=NL, ST=NH, O=HiSPARC, Nikhef, OU=HiSPARC, CN=server/emailAddress=hisparc@nikhef.nl - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:c2:20:7a:76:6b:9b:58:38:22:7f:e7:ef:4a:c8: - cb:5d:80:d2:56:40:02:b1:a3:36:87:65:45:8a:28: - 09:c3:32:02:07:43:2b:78:1a:9d:94:15:b7:12:9c: - a8:1a:9c:20:1f:48:83:15:90:d6:8b:8d:73:ec:5d: - 07:02:b7:93:c3:23:45:67:21:10:3d:9b:bc:c4:61: - f0:36:d3:8a:21:bf:a3:e6:65:5f:f8:51:9f:22:e7: - c2:a9:1a:f6:e0:6f:7f:c9:1f:90:bc:82:95:22:4f: - 8e:47:f5:2a:4a:65:f6:da:e5:6a:6a:ff:14:f1:65: - 5a:a2:b0:09:27:dc:bc:ca:18:2d:b3:cd:51:52:0b: - bf:5a:5d:dc:12:ce:3a:02:2f:e1:e2:26:87:db:75: - 31:77:c2:a0:31:84:bf:55:d8:a0:25:4a:c0:08:43: - 5c:93:28:3b:7e:ed:bc:6a:b1:e9:65:76:f0:9e:b2: - 20:87:90:9d:48:03:a8:12:72:04:a9:0b:40:2f:01: - 2d:28:b7:07:52:77:8e:39:bf:db:bb:b6:24:12:63: - 7b:95:35:e3:28:bd:4d:0c:2b:96:6a:e5:b1:fa:fb: - dd:2d:3e:d9:42:3c:54:27:f2:5e:2b:f7:81:15:cc: - 48:be:c9:2a:57:28:78:4b:3a:3e:e0:0b:03:eb:a3: - be:f1 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - Netscape Cert Type: - SSL Server - Netscape Comment: - OpenSSL Generated Server Certificate - X509v3 Authority Key Identifier: - keyid:AB:C3:47:14:D2:EE:9B:1B:E6:E3:DC:4F:59:70:95:55:C6:06:72:F1 - DirName:/C=NL/ST=NH/L=Amsterdam/O=HiSPARC, Nikhef/OU=HiSPARC/CN=tietar.nikhef.nl/emailAddress=hisparc@nikhef.nl - serial:C5:B6:D3:9D:09:88:66:AD - - X509v3 Subject Key Identifier: - 28:1C:70:C6:70:35:71:E0:E3:6D:8A:61:10:F7:4C:EA:5F:4F:A0:21 - X509v3 Extended Key Usage: - TLS Web Server Authentication - X509v3 Key Usage: - Digital Signature, Key 
Encipherment - Signature Algorithm: sha256WithRSAEncryption - b9:2a:5f:8a:0e:6c:b1:73:a9:80:55:44:e3:00:24:ed:ff:89: - f0:77:09:cd:50:91:79:f1:ad:80:0a:9c:43:57:25:75:08:87: - 23:d0:07:57:2e:fe:d3:b6:f9:a8:66:63:dc:5c:4a:bf:89:75: - 7f:25:04:81:b1:3e:39:a4:9e:a9:06:f7:ce:ca:47:de:79:c1: - 89:8c:2c:49:b4:bb:27:4b:cf:28:78:94:8a:01:41:5c:1b:c7: - 46:c1:f6:9c:2f:7a:d5:f8:3a:cb:04:7f:62:93:44:48:2f:de: - 82:8b:68:dd:aa:93:39:fa:2f:08:7e:c9:09:7a:2b:7d:bf:b4: - 53:01:bf:a6:37:5f:de:b6:95:5e:f9:ba:78:6b:07:e8:e6:45: - 71:af:42:4a:78:f1:c1:ec:75:18:38:ec:46:32:dc:f2:76:b9: - 73:26:82:68:be:bb:bf:be:28:94:e3:15:c6:5e:2b:cf:f2:25: - e2:a2:1a:97:fe:42:89:de:cd:ad:c7:1e:66:b9:3e:4b:22:fd: - 4c:54:01:b7:f8:6f:e4:6d:b4:d2:76:04:37:4c:be:1b:9e:1e: - 15:92:23:92:36:22:ee:d8:db:79:a6:42:fd:5a:9e:59:78:a1: - 6d:01:f9:6a:08:85:ac:59:46:ba:f2:34:6b:f5:ff:a3:2f:c3: - dd:80:89:68 ------BEGIN CERTIFICATE----- -MIIE+DCCA+CgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAk5M -MQswCQYDVQQIEwJOSDESMBAGA1UEBxMJQW1zdGVyZGFtMRgwFgYDVQQKEw9IaVNQ -QVJDLCBOaWtoZWYxEDAOBgNVBAsTB0hpU1BBUkMxGTAXBgNVBAMTEHRpZXRhci5u -aWtoZWYubmwxIDAeBgkqhkiG9w0BCQEWEWhpc3BhcmNAbmlraGVmLm5sMCAXDTE4 -MDMyOTEyMTgyNFoYDzIxMTgwMzA1MTIxODI0WjB5MQswCQYDVQQGEwJOTDELMAkG -A1UECBMCTkgxGDAWBgNVBAoTD0hpU1BBUkMsIE5pa2hlZjEQMA4GA1UECxMHSGlT -UEFSQzEPMA0GA1UEAxMGc2VydmVyMSAwHgYJKoZIhvcNAQkBFhFoaXNwYXJjQG5p -a2hlZi5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMIgenZrm1g4 -In/n70rIy12A0lZAArGjNodlRYooCcMyAgdDK3ganZQVtxKcqBqcIB9IgxWQ1ouN -c+xdBwK3k8MjRWchED2bvMRh8DbTiiG/o+ZlX/hRnyLnwqka9uBvf8kfkLyClSJP -jkf1Kkpl9trlamr/FPFlWqKwCSfcvMoYLbPNUVILv1pd3BLOOgIv4eImh9t1MXfC -oDGEv1XYoCVKwAhDXJMoO37tvGqx6WV28J6yIIeQnUgDqBJyBKkLQC8BLSi3B1J3 -jjm/27u2JBJje5U14yi9TQwrlmrlsfr73S0+2UI8VCfyXiv3gRXMSL7JKlcoeEs6 -PuALA+ujvvECAwEAAaOCAWcwggFjMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQD -AgZAMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2Vy -dGlmaWNhdGUwgcwGA1UdIwSBxDCBwYAUq8NHFNLumxvm49xPWXCVVcYGcvGhgZ2k 
-gZowgZcxCzAJBgNVBAYTAk5MMQswCQYDVQQIEwJOSDESMBAGA1UEBxMJQW1zdGVy -ZGFtMRgwFgYDVQQKEw9IaVNQQVJDLCBOaWtoZWYxEDAOBgNVBAsTB0hpU1BBUkMx -GTAXBgNVBAMTEHRpZXRhci5uaWtoZWYubmwxIDAeBgkqhkiG9w0BCQEWEWhpc3Bh -cmNAbmlraGVmLm5sggkAxbbTnQmIZq0wHQYDVR0OBBYEFCgccMZwNXHg422KYRD3 -TOpfT6AhMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIFoDANBgkqhkiG -9w0BAQsFAAOCAQEAuSpfig5ssXOpgFVE4wAk7f+J8HcJzVCRefGtgAqcQ1cldQiH -I9AHVy7+07b5qGZj3FxKv4l1fyUEgbE+OaSeqQb3zspH3nnBiYwsSbS7J0vPKHiU -igFBXBvHRsH2nC961fg6ywR/YpNESC/egoto3aqTOfovCH7JCXorfb+0UwG/pjdf -3raVXvm6eGsH6OZFca9CSnjxwex1GDjsRjLc8na5cyaCaL67v74olOMVxl4rz/Il -4qIal/5Cid7NrcceZrk+SyL9TFQBt/hv5G200nYEN0y+G54eFZIjkjYi7tjbeaZC -/VqeWXihbQH5agiFrFlGuvI0a/X/oy/D3YCJaA== ------END CERTIFICATE----- diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/README b/provisioning/roles/openvpn/files/openvpn/easy_rsa/README deleted file mode 100755 index fd424ef44..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/README +++ /dev/null 
@@ -1,161 +0,0 @@ -This is a small RSA key management package, -based on the openssl command line tool, that -can be found in the easy-rsa subdirectory -of the OpenVPN distribution. - -These are reference notes. For step -by step instructions, see the HOWTO: - -http://openvpn.net/howto.html - -INSTALL - -1. Edit vars. -2. Set KEY_CONFIG to point to the openssl.cnf file - included in this distribution. -3. Set KEY_DIR to point to a directory which will - contain all keys, certificates, etc. This - directory need not exist, and if it does, - it will be deleted with rm -rf, so BE - CAREFUL how you set KEY_DIR. -4. (Optional) Edit other fields in vars - per your site data. You may want to - increase KEY_SIZE to 2048 if you are - paranoid and don't mind slower key - processing, but certainly 1024 is - fine for testing purposes. KEY_SIZE - must be compatible across both peers - participating in a secure SSL/TLS - connection. -5 . vars -6. ./clean-all -7. As you create certificates, keys, and - certificate signing requests, understand that - only .key files should be kept confidential. - .crt and .csr files can be sent over insecure - channels such as plaintext email. -8. You should never need to copy a .key file - between computers. Normally each computer - will have its own certificate/key pair. - -BUILD YOUR OWN ROOT CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY - -1. ./build-ca -2. ca.crt and ca.key will be built in your KEY_DIR - directory - -BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional) - -1. ./build-inter inter -2. inter.crt and inter.key will be built in your KEY_DIR - directory and signed with your root certificate. - -BUILD DIFFIE-HELLMAN PARAMETERS (necessary for -the server end of a SSL/TLS connection). - -1. ./build-dh - -BUILD A CERTIFICATE SIGNING REQUEST (If -you want to sign your certificate with a root -certificate controlled by another individual -or organization, or residing on a different machine). - -1. 
Get ca.crt (the root certificate) from your - certificate authority. Though this - transfer can be over an insecure channel, to prevent - man-in-the-middle attacks you must confirm that - ca.crt was not tampered with. Large CAs solve this - problem by hardwiring their root certificates into - popular web browsers. A simple way to verify a root - CA is to call the issuer on the telephone and confirm - that the md5sum or sha1sum signatures on the ca.crt - files match (such as with the command: "md5sum ca.crt"). -2. Choose a name for your certificate such as your computer - name. In our example we will use "mycert". -3. ./build-req mycert -4. You can ignore most of the fields, but set - "Common Name" to something unique such as your - computer's host name. Leave all password - fields blank, unless you want your private key - to be protected by password. Using a password - is not required -- it will make your key more secure - but also more inconvenient to use, because you will - need to supply your password anytime the key is used. - NOTE: if you are using a password, use ./build-req-pass - instead of ./build-req -5. Your key will be written to $KEY_DIR/mycert.key -6. Your certificate signing request will be written to - to $KEY_DIR/mycert.csr -7. Email mycert.csr to the individual or organization - which controls the root certificate. This can be - done over an insecure channel. -8. After the .csr file is signed by the root certificate - authority, you will receive a file mycert.crt - (your certificate). Place mycert.crt in your - KEY_DIR directory. -9. The combined files of mycert.crt, mycert.key, - and ca.crt can now be used to secure one end of - an SSL/TLS connection. - -SIGN A CERTIFICATE SIGNING REQUEST - -1. ./sign-req mycert -2. mycert.crt will be built in your KEY_DIR - directory using mycert.csr and your root CA - file as input. 
- -BUILD AND SIGN A CERTIFICATE SIGNING REQUEST -USING A LOCALLY INSTALLED ROOT CERTIFICATE/KEY -- this -script generates and signs a certificate in one step, -but it requires that the generated certificate and private -key files be copied to the destination host over a -secure channel. - -1. ./build-key mycert (no password protection) -2. OR ./build-key-pass mycert (with password protection) -3. OR ./build-key-pkcs12 mycert (PKCS #12 format) -4. OR ./build-key-server mycert (with nsCertType=server) -5. mycert.crt and mycert.key will be built in your - KEY_DIR directory, and mycert.crt will be signed - by your root CA. If ./build-key-pkcs12 was used a - mycert.p12 file will also be created including the - private key, certificate and the ca certificate. - -IMPORTANT - -To avoid a possible Man-in-the-Middle attack where an authorized -client tries to connect to another client by impersonating the -server, make sure to enforce some kind of server certificate -verification by clients. There are currently four different ways -of accomplishing this, listed in the order of preference: - -(1) Build your server certificates with the build-key-server - script. This will designate the certificate as a - server-only certificate by setting nsCertType=server. - Now add the following line to your client configuration: - - ns-cert-type server - - This will block clients from connecting to any - server which lacks the nsCertType=server designation - in its certificate, even if the certificate has been - signed by the CA which is cited in the OpenVPN configuration - file (--ca directive). - -(2) Use the --tls-remote directive on the client to - accept/reject the server connection based on the common - name of the server certificate. - -(3) Use a --tls-verify script or plugin to accept/reject the - server connection based on a custom test of the server - certificate's embedded X509 subject details. 
- -(4) Sign server certificates with one CA and client certificates - with a different CA. The client config "ca" directive should - reference the server-signing CA while the server config "ca" - directive should reference the client-signing CA. - -NOTES - -Show certificate fields: - openssl x509 -in cert.crt -text diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-ca b/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-ca deleted file mode 100755 index c58c00072..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-ca +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh - -# -# Build a root certificate -# - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 36500 -nodes -new -x509 -keyout ca.key -out ca.crt -config $KEY_CONFIG && \ - chmod 0600 ca.key -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-dh b/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-dh deleted file mode 100755 index 6de4bafb5..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-dh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh - -# -# Build Diffie-Hellman parameters for the server side -# of an SSL/TLS connection. -# - -if test $KEY_DIR; then - openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-inter b/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-inter deleted file mode 100755 index 63fa70195..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-inter +++ /dev/null 
@@ -1,19 +0,0 @@ -#!/bin/sh - -# -# Make an intermediate CA certificate/private key pair using a locally generated -# root certificate. -# - -if test $# -ne 1; then - echo "usage: build-inter "; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ - openssl ca -extensions v3_ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-key b/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-key deleted file mode 100755 index e9b95dc57..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-key +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh - -# -# Make a certificate/private key pair using a locally generated -# root certificate. -# -# DF: added -batch options (Tristan did in his inforecords view code). - -if test $# -ne 1; then - echo "usage: build-key "; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG -batch && \ - openssl ca -out $1.crt -in $1.csr -config $KEY_CONFIG -batch - chmod 0600 $1.key -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-key-pass b/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-key-pass deleted file mode 100755 index 03ab30466..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-key-pass +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/sh - -# -# Similar to build-key, but protect the private key -# with a password. -# - -if test $# -ne 1; then - echo "usage: build-key-pass "; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ - openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ - chmod 0600 $1.key -else - echo you must define KEY_DIR -fi 
diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-key-pkcs12 b/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-key-pkcs12 deleted file mode 100755 index f8a057b1e..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-key-pkcs12 +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh - -# -# Make a certificate/private key pair using a locally generated -# root certificate and convert it to a PKCS #12 file including the -# the CA certificate as well. - -if test $# -ne 1; then - echo "usage: build-key-pkcs12 "; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \ - openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \ - openssl pkcs12 -export -inkey $1.key -in $1.crt -certfile ca.crt -out $1.p12 && \ - chmod 0600 $1.key $1.p12 -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-key-server b/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-key-server deleted file mode 100755 index d3af4e699..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-key-server +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/sh - -# -# Make a certificate/private key pair using a locally generated -# root certificate. -# -# Explicitly set nsCertType to server using the "server" -# extension in the openssl.cnf file. - -if test $# -ne 1; then - echo "usage: build-key-server "; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -nodes -new -keyout $1.key -out $1.csr -extensions server -config $KEY_CONFIG && \ - openssl ca -out $1.crt -in $1.csr -extensions server -config $KEY_CONFIG && \ - chmod 0600 $1.key -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-req b/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-req deleted file mode 100755 index 30f62f5ef..000000000 
--- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-req +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -# -# Build a certificate signing request and private key. Use this -# when your root certificate and key is not available locally. -# - -if test $# -ne 1; then - echo "usage: build-req "; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-req-pass b/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-req-pass deleted file mode 100755 index 829b286b5..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/build-req-pass +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -# -# Like build-req, but protect your private key -# with a password. -# - -if test $# -ne 1; then - echo "usage: build-req-pass "; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl req -days 3650 -new -keyout $1.key -out $1.csr -config $KEY_CONFIG -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/clean-all b/provisioning/roles/openvpn/files/openvpn/easy_rsa/clean-all deleted file mode 100755 index fb523a473..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/clean-all +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -# -# Initialize the $KEY_DIR directory. -# Note that this script does a -# rm -rf on $KEY_DIR so be careful! -# - -d=$KEY_DIR - -if test $d; then - rm -rf $d - mkdir $d && \ - chmod go-rwx $d && \ - touch $d/index.txt && \ - echo 01 >$d/serial -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/list-crl b/provisioning/roles/openvpn/files/openvpn/easy_rsa/list-crl deleted file mode 100755 index b214dbd18..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/list-crl +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/bin/sh - -# -# list revoked certificates -# -# - -if test $# -ne 1; then - echo "usage: list-crl "; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl crl -text -noout -in $1 -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/make-crl b/provisioning/roles/openvpn/files/openvpn/easy_rsa/make-crl deleted file mode 100755 index 62fe6c132..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/make-crl +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -# -# generate a CRL -# -# - -if test $# -ne 1; then - echo "usage: make-crl "; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl ca -gencrl -out $1 -config $KEY_CONFIG -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/openssl.cnf b/provisioning/roles/openvpn/files/openvpn/easy_rsa/openssl.cnf deleted file mode 100755 index e8e0a2571..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/openssl.cnf +++ /dev/null 
@@ -1,256 +0,0 @@ -# -# OpenSSL example configuration file. -# This is mostly being used for generation of certificate requests. -# - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca' and 'req'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = /etc/openvpn/keys # Where everything is kept -certs = $dir # Where the issued certs are kept -crl_dir = $dir # Where the issued crl are kept -database = $dir/index.txt # database index file. -new_certs_dir = $dir # default place for new certs. - -certificate = $dir/ca.crt # The CA certificate -serial = $dir/serial # The current serial number -crl = $dir/crl.pem # The current CRL -private_key = $dir/ca.key # The private key -RANDFILE = $dir/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 3650 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = md5 # which md to use. 
-preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = match -stateOrProvinceName = match -organizationName = match -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = $ENV::KEY_SIZE -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! 
-string_mask = nombstr - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = NL -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = NH - -localityName = Locality Name (eg, city) -localityName_default = Amsterdam - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = HiSPARC, Nikhef - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -organizationalUnitName_default = HiSPARC - -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_default = $ENV::COMMON_NAME -commonName_max = 64 - -emailAddress = Email Address -emailAddress_default = $ENV::KEY_EMAIL -emailAddress_max = 40 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -#challengePassword = A challenge password -#challengePassword_min = 4 -#challengePassword_max = 20 - -#unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. 
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -[ server ] - -# JY ADDED -- Make a cert with nsCertType set to "server" -basicConstraints=CA:FALSE -nsCertType = server -nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer:always - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! 
-# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/replace-key b/provisioning/roles/openvpn/files/openvpn/easy_rsa/replace-key deleted file mode 100644 index ac51033ea..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/replace-key +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh - -# -# Make a new certificate for an existing private key. -# signed by the CA root certificate. -# -# TK: This requires unique_keys: no - -if test $# -ne 1; then - echo "usage: replace-key "; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - cp $1.crt $1.crt.OLD && \ - openssl req -nodes -new -key $1.key -out $1.csr -config $KEY_CONFIG -batch && \ - openssl ca -out $1.crt -in $1.csr -config $KEY_CONFIG -batch -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/revoke-crt b/provisioning/roles/openvpn/files/openvpn/easy_rsa/revoke-crt deleted file mode 100755 index 35b071a78..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/revoke-crt +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -# -# revoke a certificate -# -# - -if test $# -ne 1; then - echo "usage: revoke-crt "; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl ca -revoke $1 -config $KEY_CONFIG -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/revoke-full b/provisioning/roles/openvpn/files/openvpn/easy_rsa/revoke-full deleted file mode 100755 index 66ea03fa3..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/revoke-full +++ /dev/null 
@@ -1,29 +0,0 @@ -#!/bin/sh - -# revoke a certificate, regenerate CRL, -# and verify revocation - -CRL=crl.pem -RT=revoke-test.pem - -if test $# -ne 1; then - echo "usage: revoke-full "; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR - rm -f $RT - - # revoke key and generate a new CRL - openssl ca -revoke $1.crt -config $KEY_CONFIG - - # generate a new CRL - openssl ca -gencrl -out $CRL -config $KEY_CONFIG - cat ca.crt $CRL >$RT - - # verify the revocation - openssl verify -CAfile $RT -crl_check $1.crt -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/sign-req b/provisioning/roles/openvpn/files/openvpn/easy_rsa/sign-req deleted file mode 100755 index aea37edd0..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/sign-req +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -# -# Sign a certificate signing request (a .csr file) -# with a local root certificate and key. -# - -if test $# -ne 1; then - echo "usage: sign-req "; - exit 1 -fi - -if test $KEY_DIR; then - cd $KEY_DIR && \ - openssl ca -days 36500 -out $1.crt -in $1.csr -config $KEY_CONFIG -else - echo you must define KEY_DIR -fi diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/vars b/provisioning/roles/openvpn/files/openvpn/easy_rsa/vars deleted file mode 100755 index b03bb712b..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/vars +++ /dev/null 
@@ -1,50 +0,0 @@ -#!/bin/bash -# easy-rsa parameter settings - -# NOTE: If you installed from an RPM, -# don't edit this file in place in -# /usr/share/openvpn/easy-rsa -- -# instead, you should copy the whole -# easy-rsa directory to another location -# (such as /etc/openvpn) so that your -# edits will not be wiped out by a future -# OpenVPN package upgrade. - -# This variable should point to -# the top level of the easy-rsa -# tree. -export D="/etc/openvpn" - -# This variable should point to -# the openssl.cnf file included -# with easy-rsa. -export KEY_CONFIG=$D/openssl.cnf - -# Edit this variable to point to -# your soon-to-be-created key -# directory. -# -# WARNING: clean-all will do -# a rm -rf on this directory -# so make sure you define -# it correctly! -export KEY_DIR=$D/keys - -# Issue rm -rf warning -echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR - -# Increase this to 2048 if you -# are paranoid. This will slow -# down TLS negotiation performance -# as well as the one-time DH parms -# generation process. -export KEY_SIZE=2048 - -# These are the default values for fields -# which will be placed in the certificate. -# Don't leave any of these fields blank. -export KEY_COUNTRY=NL -export KEY_PROVINCE=NH -export KEY_CITY=Amsterdam -export KEY_ORG="HiSPARC, Nikhef" -export KEY_EMAIL="hisparc@nikhef.nl" diff --git a/provisioning/roles/openvpn/files/openvpn/easy_rsa/vars-admin b/provisioning/roles/openvpn/files/openvpn/easy_rsa/vars-admin deleted file mode 100755 index 688cdb840..000000000 --- a/provisioning/roles/openvpn/files/openvpn/easy_rsa/vars-admin +++ /dev/null 
@@ -1,50 +0,0 @@ -#!/bin/bash -# easy-rsa parameter settings - -# NOTE: If you installed from an RPM, -# don't edit this file in place in -# /usr/share/openvpn/easy-rsa -- -# instead, you should copy the whole -# easy-rsa directory to another location -# (such as /etc/openvpn) so that your -# edits will not be wiped out by a future -# OpenVPN package upgrade. - -# This variable should point to -# the top level of the easy-rsa -# tree. -export D="/etc/openvpn" - -# This variable should point to -# the openssl.cnf file included -# with easy-rsa. -export KEY_CONFIG=$D/openssladmin.cnf - -# Edit this variable to point to -# your soon-to-be-created key -# directory. -# -# WARNING: clean-all will do -# a rm -rf on this directory -# so make sure you define -# it correctly! -export KEY_DIR=$D/adminkeys - -# Issue rm -rf warning -echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR - -# Increase this to 2048 if you -# are paranoid. This will slow -# down TLS negotiation performance -# as well as the one-time DH parms -# generation process. -export KEY_SIZE=2048 - -# These are the default values for fields -# which will be placed in the certificate. -# Don't leave any of these fields blank. -export KEY_COUNTRY=NL -export KEY_PROVINCE=NH -export KEY_CITY=Amsterdam -export KEY_ORG="HiSPARC, Nikhef" -export KEY_EMAIL="hisparc@nikhef.nl" diff --git a/provisioning/roles/openvpn/files/openvpn/keys/README b/provisioning/roles/openvpn/files/openvpn/keys/README deleted file mode 100644 index aa2f9e1d3..000000000 --- a/provisioning/roles/openvpn/files/openvpn/keys/README +++ /dev/null @@ -1,5 +0,0 @@ -The PKI of the station vpn lives here. - -Keys/certificates here are not used by OpenVPN. But are -created and stored here. `hisparcvpnd` uses `easy_rsa` to create -keys here and transfers them to pique from here. 
diff --git a/provisioning/roles/openvpn/files/openvpn/openssl.cnf b/provisioning/roles/openvpn/files/openvpn/openssl.cnf
deleted file mode 100644
index c83ca98bf..000000000
--- a/provisioning/roles/openvpn/files/openvpn/openssl.cnf
+++ /dev/null
@@ -1,261 +0,0 @@ -# -# OpenSSL configuration file. -# This is mostly being used for generation of certificate requests. -# - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = $ENV::KEY_DIR -RANDFILE = $ENV::HOME/.rnd - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca' and 'req'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = /etc/openvpn/keys # Where everything is kept -certs = $dir # Where the issued certs are kept -crl_dir = $dir # Where the issued crl are kept -database = $dir/index.txt # database index file. -new_certs_dir = $dir # default place for new certs. - -certificate = $dir/ca.crt # The CA certificate -serial = $dir/serial # The current serial number -crl = $dir/crl.pem # The current CRL -private_key = $dir/ca.key # The private key -RANDFILE = $dir/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 36500 # how long to certify for -default_crl_days= 36500 # how long before next CRL -default_md = sha256 # which md to use. 
-preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = optional -stateOrProvinceName = optional -organizationName = optional -organizationalUnitName = optional -commonName = optional -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = $ENV::KEY_SIZE -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -default_md = sha256 -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! 
-string_mask = nombstr - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = NL -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = NH - -localityName = Locality Name (eg, city) -localityName_default = Amsterdam - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = HiSPARC, Nikhef - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -organizationalUnitName_default = HiSPARC - -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_default = $ENV::COMMON_NAME -commonName_max = 64 - -emailAddress = Email Address -emailAddress_default = $ENV::KEY_EMAIL -emailAddress_max = 40 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -#challengePassword = A challenge password -#challengePassword_min = 4 -#challengePassword_max = 20 - -#unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. 
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -[ server ] - -# JY ADDED -- Make a cert with nsCertType set to "server" -# TK ADDED -- extendedKeyUsage = Serverauth -basicConstraints=CA:FALSE -nsCertType = server -nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always -subjectKeyIdentifier = hash -extendedKeyUsage = serverAuth -keyUsage = digitalSignature,keyEncipherment - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer:always - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. -# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! 
-# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always diff --git a/provisioning/roles/openvpn/files/openvpn/openssladmin.cnf b/provisioning/roles/openvpn/files/openvpn/openssladmin.cnf deleted file mode 100644 index 22c80c132..000000000 --- a/provisioning/roles/openvpn/files/openvpn/openssladmin.cnf +++ /dev/null 
@@ -1,264 +0,0 @@ -# -# OpenSSL configuration file. -# This is mostly being used for generation of certificate requests. -# - -# This definition stops the following lines choking if HOME isn't -# defined. -#HOME = . -HOME = $ENV::KEY_DIR -RANDFILE = $ENV::HOME/.rnd - -# Extra OBJECT IDENTIFIER info: -#oid_file = $ENV::HOME/.oid -oid_section = new_oids - -# To use this configuration file with the "-extfile" option of the -# "openssl x509" utility, name here the section containing the -# X.509v3 extensions to use: -# extensions = -# (Alternatively, use a configuration file that has only -# X.509v3 extensions in its main [= default] section.) - -[ new_oids ] - -# We can add new OIDs in here for use by 'ca' and 'req'. -# Add a simple OID like this: -# testoid1=1.2.3.4 -# Or use config file substitution like this: -# testoid2=${testoid1}.5.6 - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = /etc/openvpn/adminkeys # Where everything is kept -certs = $dir # Where the issued certs are kept -crl_dir = $dir # Where the issued crl are kept -database = $dir/index.txt # database index file. -new_certs_dir = $dir # default place for new certs. - -certificate = $dir/ca.crt # The CA certificate -serial = $dir/serial # The current serial number -crl = $dir/crl.pem # The current CRL -private_key = $dir/ca.key # The private key -RANDFILE = $dir/.rand # private random number file - -x509_extensions = usr_cert # The extentions to add to the cert - -# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs -# so this is commented out by default to leave a V1 CRL. -# crl_extensions = crl_ext - -default_days = 36500 # how long to certify for -default_crl_days= 36500 # how long before next CRL -default_md = sha256 # which md to use. 
-preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_match - -# For the CA policy -[ policy_match ] -countryName = optional -stateOrProvinceName = optional -organizationName = optional -organizationalUnitName = optional -commonName = optional -emailAddress = optional - -# For the 'anything' policy -# At this point in time, you must list all acceptable 'object' -# types. -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -#################################################################### -[ req ] -default_bits = $ENV::KEY_SIZE -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -default_md = sha256 -x509_extensions = v3_ca # The extentions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -# input_password = secret -# output_password = secret - -# This sets a mask for permitted string types. There are several options. -# default: PrintableString, T61String, BMPString. -# pkix : PrintableString, BMPString. -# utf8only: only UTF8Strings. -# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). -# MASK:XXXX a literal mask value. -# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings -# so use this option with caution! 
-string_mask = nombstr - -# req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = NL -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = NH - -localityName = Locality Name (eg, city) -localityName_default = Amsterdam - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = HiSPARC, Nikhef - -# we can do this but it is not needed normally :-) -#1.organizationName = Second Organization Name (eg, company) -#1.organizationName_default = World Wide Web Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) -organizationalUnitName_default = HiSPARC - -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_default = $ENV::COMMON_NAME -commonName_max = 64 - -emailAddress = Email Address -emailAddress_default = $ENV::KEY_EMAIL -emailAddress_max = 40 - -# SET-ex3 = SET extension number 3 - -[ req_attributes ] -#challengePassword = A challenge password -#challengePassword_min = 4 -#challengePassword_max = 20 - -#unstructuredName = An optional company name - -[ usr_cert ] - -# These extensions are added when 'ca' signs a request. - -# This goes against PKIX guidelines but some CAs do it and some software -# requires this to avoid interpreting an end user certificate as a CA. - -basicConstraints=CA:FALSE - -# Here are some examples of the usage of nsCertType. If it is omitted -# the certificate can be used for anything *except* object signing. - -# This is OK for an SSL server. -# nsCertType = server - -# For an object signing certificate this would be used. -# nsCertType = objsign - -# For normal client use this is typical -# nsCertType = client, email - -# and for everything including object signing: -# nsCertType = client, email, objsign - -# This is typical in keyUsage for a client certificate. 
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -# This will be displayed in Netscape's comment listbox. -nsComment = "OpenSSL Generated Certificate" - -# PKIX recommendations harmless if included in all certificates. -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always -extendedKeyUsage = clientAuth -keyUsage = digitalSignature,keyEncipherment - -# This stuff is for subjectAltName and issuerAltname. -# Import the email address. -# subjectAltName=email:copy - -# Copy subject details -# issuerAltName=issuer:copy - -#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem -#nsBaseUrl -#nsRevocationUrl -#nsRenewalUrl -#nsCaPolicyUrl -#nsSslServerName - -[ server ] - -#Add extendedKeyUsage = ServerAuth to the server cert. This requires -# `remote-cert-tls server` in the openvpn client config. -# `ns-cert-type server` is deprecated and not allowed on the Admin VPN. -basicConstraints=CA:FALSE -nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always -extendedKeyUsage = serverAuth -keyUsage = digitalSignature,keyEncipherment - - -[ v3_req ] - -# Extensions to add to a certificate request - -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] - - -# Extensions for a typical CA - - -# PKIX recommendation. - -subjectKeyIdentifier=hash - -authorityKeyIdentifier=keyid:always,issuer:always - -# This is what PKIX recommends but some broken software chokes on critical -# extensions. -#basicConstraints = critical,CA:true -# So we do this instead. -basicConstraints = CA:true - -# Key usage: this is typical for a CA certificate. However since it will -# prevent it being used as an test self-signed certificate it is best -# left out by default. 
-# keyUsage = cRLSign, keyCertSign - -# Some might want this also -# nsCertType = sslCA, emailCA - -# Include email address in subject alt name: another PKIX recommendation -# subjectAltName=email:copy -# Copy issuer details -# issuerAltName=issuer:copy - -# DER hex encoding of an extension: beware experts only! -# obj=DER:02:03 -# Where 'obj' is a standard or added object -# You can even override a supported extension: -# basicConstraints= critical, DER:30:03:01:01:FF - -[ crl_ext ] - -# CRL extensions. -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always diff --git a/provisioning/roles/openvpn/files/openvpn@client.service b/provisioning/roles/openvpn/files/openvpn@client.service deleted file mode 100644 index 1b00a0354..000000000 --- a/provisioning/roles/openvpn/files/openvpn@client.service +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=OpenVPN with MD5 enabled On %I -After=network.target - -[Service] -Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5" -Type=notify -PrivateTmp=true -ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf - -[Install] -WantedBy=multi-user.target diff --git a/provisioning/roles/openvpn/files/resolv.conf b/provisioning/roles/openvpn/files/resolv.conf deleted file mode 100644 index a739e2820..000000000 --- a/provisioning/roles/openvpn/files/resolv.conf +++ /dev/null @@ -1,2 +0,0 @@ -search nikhef.nl his -nameserver 127.0.0.1 diff --git a/provisioning/roles/openvpn/handlers/main.yml b/provisioning/roles/openvpn/handlers/main.yml deleted file mode 100644 index 145ab61ba..000000000 --- a/provisioning/roles/openvpn/handlers/main.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -- name: restart dnsmasq - ansible.builtin.service: - name: dnsmasq - state: restarted - become: true - -- name: restart openvpn - ansible.builtin.service: - name: "openvpn@{{ item }}.service" - state: restarted - with_items: - - admin - - client - become: true - notify: restart shorewall - -- name: restart shorewall - ansible.builtin.service: - name: shorewall - state: restarted - become: true diff --git a/provisioning/roles/openvpn/tasks/main.yml b/provisioning/roles/openvpn/tasks/main.yml deleted file mode 100644 index 9f812003f..000000000 --- a/provisioning/roles/openvpn/tasks/main.yml +++ /dev/null 
@@ -1,106 +0,0 @@ -- name: Install openvpn and dnsmasq - ansible.builtin.yum: - name: - - openvpn - - openssl - - dnsmasq - become: true - -- name: Copy dnsmasq config - ansible.builtin.copy: - src: dnsmasq.conf - dest: /etc/dnsmasq.conf - backup: yes - become: true - notify: restart dnsmasq - -- name: Copy openvpn config. Including vendored easy_rsa - ansible.builtin.copy: - src: openvpn/ - dest: /etc/openvpn - backup: yes - become: true - notify: restart openvpn - -- name: Overwrite systemd openvpn configuration to enable MD5 - ansible.builtin.copy: - src: openvpn@client.service - dest: /etc/systemd/system/openvpn@client.service - backup: yes - become: true - notify: restart openvpn - -- name: Create private keys - ansible.builtin.copy: - content: "{{ item.key }}" - dest: "/etc/openvpn/{{ item.path }}" - backup: no - mode: 0600 - become: true - notify: restart openvpn - with_items: "{{ private_keys }}" - no_log: True - -- name: Ensure ccd directory exists - ansible.builtin.file: - path: /etc/openvpn/ccd - state: directory - become: true - notify: restart openvpn - -- name: Ensure dnsmasq is started - ansible.builtin.service: - name: dnsmasq - enabled: yes - state: started - become: true - -- name: Ensure openvpn is started - ansible.builtin.service: - name: "openvpn@{{ item }}.service" - enabled: yes - state: restarted - with_items: - - admin - - client - become: true - -- name: Create nikhef network resolv.conf - ansible.builtin.lineinfile: - create: yes - dest: /etc/resolv.conf-nikhef - line: "nameserver {{ item }}" - with_items: - - 8.8.8.8 - - 8.8.4.4 - become: true - -- name: Copy resolv.conf - ansible.builtin.copy: - src: resolv.conf - dest: /etc/resolv.conf - backup: yes - become: true - -- name: Enable cron job for daily backup of openvpn config and PKI - ansible.builtin.cron: - name: "openvpn backup" - cron_file: root - minute: 0 - hour: 1 - state: present - user: root - job: "if [ -f '/backups/openvpn-backup.tar.gz' ]; then mv 
/backups/openvpn-backup.tar.gz /backups/openvpn-backup_yesterday.tar.gz; fi; tar czf /backups/openvpn-backup.tar.gz /etc/openvpn" - become: true - -- name: Enable cron job for monthly backup of openvpn config and PKI - ansible.builtin.cron: - name: "Monthly openvpn backup" - cron_file: root - minute: 0 - hour: 20 - day: 1 - state: present - user: root - job: "if [ -f '/backups/openvpn-backup_this_month.tar.gz' ]; then mv /backups/openvpn-backup_this_month.tar.gz /backups/openvpn-backup_previous_month.tar.gz; fi; tar czf /backups/openvpn-backup_this_month.tar.gz /etc/openvpn" - become: true diff --git a/provisioning/roles/postfix/files/main.cf b/provisioning/roles/postfix/files/main.cf deleted file mode 100644 index 45f3db6e6..000000000 --- a/provisioning/roles/postfix/files/main.cf +++ /dev/null @@ -1,29 +0,0 @@ -queue_directory = /var/spool/postfix -command_directory = /usr/sbin -daemon_directory = /usr/libexec/postfix -data_directory = /var/lib/postfix -mail_owner = postfix -inet_interfaces = localhost -inet_protocols = all -mydestination = $myhostname, localhost.$mydomain, localhost -unknown_local_recipient_reject_code = 550 -alias_maps = hash:/etc/aliases -alias_database = hash:/etc/aliases -debug_peer_level = 2 -debugger_command = - PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin - ddd $daemon_directory/$process_name $process_id & sleep 5 -sendmail_path = /usr/sbin/sendmail.postfix -newaliases_path = /usr/bin/newaliases.postfix -mailq_path = /usr/bin/mailq.postfix -setgid_group = postdrop -html_directory = no -manpage_directory = /usr/share/man -sample_directory = /usr/share/doc/postfix-2.6.6/samples -readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES - -# Changes for HiSPARC servers below this line -mydomain = nikhef.nl -luser_relay = $local@nikhef.nl -mailbox_transport = smtp:smtp.nikhef.nl -relayhost = [smtp.nikhef.nl] 
diff --git a/provisioning/roles/postfix/handlers/main.yml b/provisioning/roles/postfix/handlers/main.yml deleted file mode 100644 index 0dae8c176..000000000 --- a/provisioning/roles/postfix/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: restart postfix - ansible.builtin.service: - name: postfix - state: restarted - become: true diff --git a/provisioning/roles/postfix/tasks/main.yml b/provisioning/roles/postfix/tasks/main.yml deleted file mode 100644 index 18423e3ae..000000000 --- a/provisioning/roles/postfix/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: Install postfix configuration - ansible.builtin.copy: - src: main.cf - dest: /etc/postfix/main.cf - backup: yes - become: true - notify: restart postfix diff --git a/provisioning/roles/publicdb/templates/settings.py b/provisioning/roles/publicdb/templates/settings.py index ecd83224d..9b32fd804 100644 --- a/provisioning/roles/publicdb/templates/settings.py +++ b/provisioning/roles/publicdb/templates/settings.py @@ -45,12 +45,10 @@ # Path of the mounted KNMI Lightning data root folder LGT_PATH = '{{ lgt_path }}' -# VPN and datastore XML-RPC Proxies -VPN_PROXY = '{{ vpn_proxy }}' +# Datastore XML-RPC Proxy DATASTORE_PROXY = '{{ datastore_proxy }}' -# VPN and datastore host names -VPN_HOST = '{{ vpn_host }}' +# Datastore host name DATASTORE_HOST = '{{ datastore_host }}' # Configure HiSPARC public database url for SAPPHiRE diff --git a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/interfaces b/provisioning/roles/shorewall-firewall/files/vpn-shorewall/interfaces deleted file mode 100644 index c3c5f976b..000000000 --- a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/interfaces +++ /dev/null 
@@ -1,19 +0,0 @@ -# -# Shorewall version 4 - Interfaces File -# -# For information about entries in this file, type "man shorewall-interfaces" -# -# The manpage is also online at -# http://www.shorewall.net/manpages/shorewall-interfaces.html -# -############################################################################### -?FORMAT 2 -############################################################################### -#ZONE INTERFACE OPTIONS -net em1 logmartians,nosmurfs,routefilter,tcpflags -net enp0s3 logmartians,nosmurfs,routefilter,tcpflags -net enp0s8 logmartians,nosmurfs,routefilter,tcpflags -net eth0 logmartians,nosmurfs,routefilter,tcpflags -net eth1 logmartians,nosmurfs,routefilter,tcpflags -det tun1 logmartians,nosmurfs,routefilter,tcpflags -adm tun0 logmartians,nosmurfs,routefilter,tcpflags diff --git a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/policy b/provisioning/roles/shorewall-firewall/files/vpn-shorewall/policy deleted file mode 100644 index c4b5a64c3..000000000 --- a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/policy +++ /dev/null @@ -1,30 +0,0 @@ -# -# Shorewall version 4 - Policy File -# -# For information about entries in this file, type "man shorewall-policy" -# -# The manpage is also online at -# http://www.shorewall.net/manpages/shorewall-policy.html -# -############################################################################### -#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: -# LEVEL BURST MASK - -# The firewall may connect to the internet -$FW net ACCEPT - -# The internet should not be aware of any services running on the -# firewall, except for a few exceptions (see rules) -net all DROP info - -# HiSPARC detector pc's should never route traffic over their VPN -# interfaces, except for a few exceptions (see rules) -det net DROP err -det adm DROP err - -# HiSPARC admins should never route internet traffic over their VPN -# interfaces -adm net DROP err - -# All other connections: reject -all all REJECT info 
diff --git a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/routestopped b/provisioning/roles/shorewall-firewall/files/vpn-shorewall/routestopped deleted file mode 100644 index b7dc87da1..000000000 --- a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/routestopped +++ /dev/null @@ -1,17 +0,0 @@ -# -# Shorewall version 4 - Routestopped File -# -# For information about entries in this file, type "man shorewall-routestopped" -# -# The manpage is also online at -# http://www.shorewall.net/manpages/shorewall-routestopped.html -# -# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional -# information. -# -############################################################################### -#INTERFACE HOST(S) OPTIONS PROTO DEST SOURCE -# PORT(S) PORT(S) -em1 - - tcp ssh -eth0 - - tcp ssh -eth1 - - tcp ssh diff --git a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/rules b/provisioning/roles/shorewall-firewall/files/vpn-shorewall/rules deleted file mode 100644 index aeda075f8..000000000 --- a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/rules +++ /dev/null 
@@ -1,44 +0,0 @@ -# -# Shorewall version 4 - Rules File -# -# For information on the settings in this file, type "man shorewall-rules" -# -# The manpage is also online at -# http://www.shorewall.net/manpages/shorewall-rules.html -# -###################################################################################################################################################################################### -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH -# PORT PORT(S) DEST LIMIT GROUP -#SECTION ALL -#SECTION ESTABLISHED -#SECTION RELATED -?SECTION NEW - -# Always accept SSH to tietar -SSH(ACCEPT) all $FW -# Accept SSH from detector vpn to admin vpn -#SSH(ACCEPT) det adm - -# Accept ping to firewall and icmp from firewall -Ping(ACCEPT) all $FW -ACCEPT $FW all icmp -# Accept ping from admin vpn to detector vpn -Ping(ACCEPT) adm det - -# -# Services running on tietar -# -# DNS -DNS(ACCEPT) det $FW -DNS(ACCEPT) adm $FW -# Web -Web(ACCEPT) net $FW -# vpn xml-rpc server (allowed from pique) -ACCEPT net:192.16.186.202 $FW tcp 8001 - -# -# Admin access to detector pc's -# -# VNC -ACCEPT adm det tcp 5900 -SSH(ACCEPT) adm det diff --git a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/shorewall.conf b/provisioning/roles/shorewall-firewall/files/vpn-shorewall/shorewall.conf deleted file mode 100644 index 2a3265b64..000000000 --- a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/shorewall.conf +++ /dev/null 
@@ -1,300 +0,0 @@ -############################################################################### -# -# Shorewall Version 5 -- /etc/shorewall/shorewall.conf -# -# For information about the settings in this file, type "man shorewall.conf" -# -# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html -############################################################################### -# S T A R T U P E N A B L E D -############################################################################### - -STARTUP_ENABLED=Yes - -############################################################################### -# V E R B O S I T Y -############################################################################### - -VERBOSITY=1 - -############################################################################### -# P A G E R -############################################################################### - -PAGER= - -############################################################################### -# F I R E W A L L -############################################################################### - -FIREWALL= - -############################################################################### -# L O G G I N G -############################################################################### - -LOG_LEVEL="info" - -BLACKLIST_LOG_LEVEL= - -INVALID_LOG_LEVEL= - -LOG_BACKEND= - -LOG_MARTIANS=Yes - -LOG_VERBOSITY=2 - -LOGALLNEW= - -LOGFILE=/var/log/messages - -LOGFORMAT="Shorewall:%s:%s:" - -LOGTAGONLY=No - -LOGLIMIT= - -MACLIST_LOG_LEVEL="info" - -RELATED_LOG_LEVEL= - -RPFILTER_LOG_LEVEL="$LOG_LEVEL" - -SFILTER_LOG_LEVEL="info" - -SMURF_LOG_LEVEL="info" - -STARTUP_LOG=/var/log/shorewall-init.log - -TCP_FLAGS_LOG_LEVEL="info" - -UNTRACKED_LOG_LEVEL= - -############################################################################### -# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S -############################################################################### - 
-ARPTABLES= - -CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall" - -GEOIPDIR=/usr/share/xt_geoip/LE - -IPTABLES= - -IP= - -IPSET= - -LOCKFILE= - -MODULESDIR= - -NFACCT= - -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" - -PERL=/usr/bin/perl - -RESTOREFILE=restore - -SHOREWALL_SHELL=/bin/sh - -SUBSYSLOCK=/var/lock/subsys/shorewall - -TC= - -############################################################################### -# D E F A U L T A C T I O N S / M A C R O S -############################################################################### - -ACCEPT_DEFAULT="none" -BLACKLIST_DEFAULT="dropBcasts,dropNotSyn,dropInvalid" -DROP_DEFAULT="Drop" -NFQUEUE_DEFAULT="none" -QUEUE_DEFAULT="none" -REJECT_DEFAULT="Reject" - -############################################################################### -# R S H / R C P C O M M A N D S -############################################################################### - -RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' -RSH_COMMAND='ssh ${root}@${system} ${command}' - -############################################################################### -# F I R E W A L L O P T I O N S -############################################################################### - -ACCOUNTING=Yes - -ACCOUNTING_TABLE=filter - -ADD_IP_ALIASES=No - -ADD_SNAT_ALIASES=No - -ADMINISABSENTMINDED=Yes - -AUTOCOMMENT=Yes - -AUTOHELPERS=Yes - -AUTOMAKE=No - -BALANCE_PROVIDERS=No - -BASIC_FILTERS=No - -BLACKLIST="NEW,INVALID" - -CLAMPMSS=No - -CLEAR_TC=Yes - -COMPLETE=No - -DEFER_DNS_RESOLUTION=Yes - -DELETE_THEN_ADD=Yes - -DETECT_DNAT_IPADDRS=No - -DISABLE_IPV6=No - -DOCKER=No - -DONT_LOAD= - -DYNAMIC_BLACKLIST=Yes - -EXPAND_POLICIES=Yes - -EXPORTMODULES=Yes - -FASTACCEPT=No - -FORWARD_CLEAR_MARK= - -HELPERS= - -IGNOREUNKNOWNVARIABLES=No - -IMPLICIT_CONTINUE=No - -INLINE_MATCHES=No - -IPSET_WARNINGS=Yes - -IP_FORWARDING=On - -KEEP_RT_TABLES=No - -LOAD_HELPERS_ONLY=No - -MACLIST_TABLE=filter - -MACLIST_TTL= - 
-MANGLE_ENABLED=Yes - -MAPOLDACTIONS=No - -MARK_IN_FORWARD_CHAIN=No - -MINIUPNPD=No - -MULTICAST=No - -MUTEX_TIMEOUT=60 - -NULL_ROUTE_RFC1918=No - -OPTIMIZE=0 - -OPTIMIZE_ACCOUNTING=No - -PERL_HASH_SEED=0 - -REJECT_ACTION= - -REQUIRE_INTERFACE=No - -RESTART=reload - -RESTORE_DEFAULT_ROUTE=Yes - -RESTORE_ROUTEMARKS=Yes - -RETAIN_ALIASES=No - -ROUTE_FILTER=No - -SAVE_ARPTABLES=No - -SAVE_IPSETS=No - -TC_ENABLED=Internal - -TC_EXPERT=No - -TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" - -TRACK_PROVIDERS=No - -TRACK_RULES=No - -USE_DEFAULT_RT=No - -USE_NFLOG_SIZE=No - -USE_PHYSICAL_NAMES=No - -USE_RT_NAMES=No - -VERBOSE_MESSAGES=Yes - -WARNOLDCAPVERSION=Yes - -WORKAROUNDS=No - -ZERO_MARKS=No - -ZONE2ZONE=2 - -############################################################################### -# P A C K E T D I S P O S I T I O N -############################################################################### - -BLACKLIST_DISPOSITION=DROP - -INVALID_DISPOSITION=CONTINUE - -MACLIST_DISPOSITION=REJECT - -RELATED_DISPOSITION=ACCEPT - -RPFILTER_DISPOSITION=DROP - -SMURF_DISPOSITION=DROP - -SFILTER_DISPOSITION=DROP - -TCP_FLAGS_DISPOSITION=DROP - -UNTRACKED_DISPOSITION=CONTINUE - -################################################################################ -# P A C K E T M A R K L A Y O U T -################################################################################ - -TC_BITS= - -PROVIDER_BITS= - -PROVIDER_OFFSET= - -MASK_BITS= - -ZONE_BITS=0 diff --git a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/tunnels b/provisioning/roles/shorewall-firewall/files/vpn-shorewall/tunnels deleted file mode 100644 index 77cc36694..000000000 --- a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/tunnels +++ /dev/null 
@@ -1,17 +0,0 @@ -# -# Shorewall version 4 - Tunnels File -# -# For information about entries in this file, type "man shorewall-tunnels" -# -# The manpage is also online at -# http://www.shorewall.net/manpages/shorewall-tunnels.html -# -############################################################################### -#TYPE ZONE GATEWAY(S) GATEWAY -# ZONE(S) - -# Admin VPN -openvpnserver net 0.0.0.0/0 - -# Detector VPN -openvpnserver:tcp:443 net 0.0.0.0/0 diff --git a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/zones b/provisioning/roles/shorewall-firewall/files/vpn-shorewall/zones deleted file mode 100644 index 3c8e88f91..000000000 --- a/provisioning/roles/shorewall-firewall/files/vpn-shorewall/zones +++ /dev/null @@ -1,15 +0,0 @@ -# -# Shorewall version 4 - Zones File -# -# For information about this file, type "man shorewall-zones" -# -# The manpage is also online at -# http://www.shorewall.net/manpages/shorewall-zones.html -# -############################################################################### -#ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS -fw firewall -net ipv4 -det ipv4 -adm ipv4 diff --git a/provisioning/roles/shorewall-firewall/handlers/main.yml b/provisioning/roles/shorewall-firewall/handlers/main.yml deleted file mode 100644 index 17472dd39..000000000 --- a/provisioning/roles/shorewall-firewall/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: restart shorewall - ansible.builtin.service: - name: shorewall - state: restarted - become: true diff --git a/provisioning/roles/shorewall-firewall/tasks/main.yml b/provisioning/roles/shorewall-firewall/tasks/main.yml deleted file mode 100644 index 95ba3bec3..000000000 --- a/provisioning/roles/shorewall-firewall/tasks/main.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -- name: Install shorewall firewall - ansible.builtin.yum: - name: shorewall - become: true - -- name: Copy shorewall config - ansible.builtin.copy: - src: vpn-shorewall/ - dest: /etc/shorewall - backup: yes - become: true - notify: restart shorewall - -- name: Update shorewall configuration - ansible.builtin.command: - cmd: shorewall update -A - become: true - notify: restart shorewall - -- name: Ensure shorewall is started - ansible.builtin.service: - name: shorewall - enabled: yes - state: started - become: true diff --git a/provisioning/roles/simple-firewall/tasks/main.yml b/provisioning/roles/simple-firewall/tasks/main.yml deleted file mode 100644 index f250b51b9..000000000 --- a/provisioning/roles/simple-firewall/tasks/main.yml +++ /dev/null @@ -1,27 +0,0 @@ -- name: Enable firewalld - ansible.builtin.service: - name: firewalld - state: started - enabled: yes - become: true - -- name: Set dmz as default policy - ansible.builtin.command: - cmd: firewall-cmd --set-default-zone=dmz - become: true - -- name: Allow http/https - ansible.builtin.command: - cmd: firewall-cmd --zone=dmz --permanent --add-service=http --add-service=https - become: true - -- name: Add XMLRPC access to firewall rules - ansible.builtin.command: - cmd: firewall-cmd --zone=dmz --permanent --add-port=8001/tcp - become: true - -- name: Restart firewalld - ansible.builtin.service: - name: firewalld - state: restarted - become: true diff --git a/provisioning/roles/vpn-scripts/files/supervisord b/provisioning/roles/vpn-scripts/files/supervisord deleted file mode 100644 index c55976f01..000000000 --- a/provisioning/roles/vpn-scripts/files/supervisord +++ /dev/null 
@@ -1,151 +0,0 @@ -#!/bin/bash -# -# supervisord This scripts turns supervisord on -# -# Author: Mike McGrath (based off yumupdatesd) -# Jason Koppe adjusted to read sysconfig, -# use supervisord tools to start/stop, conditionally wait -# for child processes to shutdown, and startup later -# Mikhail Mingalev Merged -# redhat-init-jkoppe and redhat-sysconfig-jkoppe, and -# made the script "simple customizable". -# -# chkconfig: 345 83 04 -# -# description: supervisor is a process control utility. It has a web based -# xmlrpc interface as well as a few other nifty features. -# Script was originally written by Jason Koppe . -# - -# source function library -. /etc/rc.d/init.d/functions - -set -a - -PREFIX=/usr - -SUPERVISORD=$PREFIX/bin/supervisord -SUPERVISORCTL=$PREFIX/bin/supervisorctl - -PIDFILE=/var/run/supervisord.pid -LOCKFILE=/var/lock/subsys/supervisord - -OPTIONS="-c /etc/supervisord.conf" - -# unset this variable if you don't care to wait for child processes to shutdown before removing the $LOCKFILE-lock -WAIT_FOR_SUBPROCESSES=yes - -# remove this if you manage number of open files in some other fashion -ulimit -n 96000 - -RETVAL=0 - - -running_pid() -{ - # Check if a given process pid's cmdline matches a given name - pid=$1 - name=$2 - [ -z "$pid" ] && return 1 - [ ! -d /proc/$pid ] && return 1 - (cat /proc/$pid/cmdline | tr "\000" "\n"|grep -q $name) || return 1 - return 0 -} - -running() -{ -# Check if the process is running looking at /proc -# (works for all users) - - # No pidfile, probably no daemon present - [ ! 
-f "$PIDFILE" ] && return 1 - # Obtain the pid and check it against the binary name - pid=`cat $PIDFILE` - running_pid $pid $SUPERVISORD || return 1 - return 0 -} - -start() { - echo "Starting supervisord: " - - if [ -e $PIDFILE ]; then - echo "ALREADY STARTED" - return 1 - fi - - # start supervisord with options from sysconfig (stuff like -c) - $SUPERVISORD $OPTIONS - - # show initial startup status - $SUPERVISORCTL $OPTIONS status - - # only create the subsyslock if we created the PIDFILE - [ -e $PIDFILE ] && touch $LOCKFILE -} - -stop() { - echo -n "Stopping supervisord: " - $SUPERVISORCTL $OPTIONS shutdown - if [ -n "$WAIT_FOR_SUBPROCESSES" ]; then - echo "Waiting roughly 60 seconds for $PIDFILE to be removed after child processes exit" - for sleep in 2 2 2 2 4 4 4 4 8 8 8 8 last; do - if [ ! -e $PIDFILE ] ; then - echo "Supervisord exited as expected in under $total_sleep seconds" - break - else - if [[ $sleep -eq "last" ]] ; then - echo "Supervisord still working on shutting down. We've waited roughly 60 seconds, we'll let it do its thing from here" - return 1 - else - sleep $sleep - total_sleep=$(( $total_sleep + $sleep )) - fi - - fi - done - fi - - # always remove the subsys. We might have waited a while, but just remove it at this point. - rm -f $LOCKFILE -} - -restart() { - stop - start -} - -case "$1" in - start) - start - RETVAL=$? - ;; - stop) - stop - RETVAL=$? - ;; - restart|force-reload) - restart - RETVAL=$? - ;; - reload) - $SUPERVISORCTL $OPTIONS reload - RETVAL=$? - ;; - condrestart) - [ -f $LOCKFILE ] && restart - RETVAL=$? - ;; - status) - $SUPERVISORCTL status - if running ; then - RETVAL=0 - else - RETVAL=1 - fi - ;; - *) - echo $"Usage: $0 {start|stop|status|restart|reload|force-reload|condrestart}" - exit 1 -esac - -exit $RETVAL diff --git a/provisioning/roles/vpn-scripts/files/supervisord.conf b/provisioning/roles/vpn-scripts/files/supervisord.conf deleted file mode 100644 index 7377bb463..000000000 
--- a/provisioning/roles/vpn-scripts/files/supervisord.conf +++ /dev/null @@ -1,26 +0,0 @@ -[unix_http_server] -file=/var/tmp/supervisor.sock ; (the path to the socket file) -chmod=0770 ; socket file mode (default 0700) -chown=root:hisparc ; socket file uid:gid owner - -[supervisord] -logfile=/var/log/supervisord.log ; (main log file;default $CWD/supervisord.log) -logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB) -logfile_backups=10 ; (num of main logfile rotation backups;default 10) -loglevel=info ; (log level;default info; others: debug,warn,trace) -pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid) -nodaemon=false ; (start in foreground if true;default false) -minfds=1024 ; (min. avail startup file descriptors;default 1024) -minprocs=200 ; (min. avail process descriptors;default 200) - -[rpcinterface:supervisor] -supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface - -[supervisorctl] -serverurl=unix:///var/tmp/supervisor.sock ; use a unix:// URL for a unix socket - -[program:hisparcvpnd] -command=/usr/local/bin/hisparcvpnd -stopsignal=INT -redirect_stderr=true -stdout_logfile=/var/log/hisparcvpnd.log diff --git a/provisioning/roles/vpn-scripts/files/vpn-scripts/create_admin_keys.sh b/provisioning/roles/vpn-scripts/files/vpn-scripts/create_admin_keys.sh deleted file mode 100755 index c3f701894..000000000 --- a/provisioning/roles/vpn-scripts/files/vpn-scripts/create_admin_keys.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh - -cd $1 -. easy_rsa/vars-admin -export COMMON_NAME="$2" -sh easy_rsa/build-key $2 diff --git a/provisioning/roles/vpn-scripts/files/vpn-scripts/create_keys.sh b/provisioning/roles/vpn-scripts/files/vpn-scripts/create_keys.sh deleted file mode 100755 index c4065830b..000000000 --- a/provisioning/roles/vpn-scripts/files/vpn-scripts/create_keys.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh - -cd $1 -. easy_rsa/vars -export COMMON_NAME="$2" -sh easy_rsa/build-key $2 
diff --git a/provisioning/roles/vpn-scripts/files/vpn-scripts/hisparcvpnd b/provisioning/roles/vpn-scripts/files/vpn-scripts/hisparcvpnd deleted file mode 100644 index c6c8d4731..000000000 --- a/provisioning/roles/vpn-scripts/files/vpn-scripts/hisparcvpnd +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/usr/bin/python -""" Simple XML-RPC Server to run on the VPN server - - This daemon should be run on HiSPARC's VPN server. It will handle the - creation of hosts and keys and the retrieval of HiSPARC certificates. - - The basis for this code was ripped from the python SimpleXMLRPCServer - library documentation and extended. - -""" -import base64 -import io as StringIO -import os -import subprocess -import zipfile - -from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer - -OPENVPN_DIR = '/etc/openvpn' -HOSTS_FILE = '/etc/hosts-hisparc' - - -def create_key(host, type, ip): - """create keys for a host and set up openvpn""" - - if type == 'client': - subprocess.check_call(['/usr/local/bin/create_keys.sh', OPENVPN_DIR, host]) - with open(os.path.join(OPENVPN_DIR, 'ccd', host), 'w') as file: - file.write(f'ifconfig-push {ip} 255.255.254.0\n') - elif type == 'admin': - subprocess.check_call(['/usr/local/bin/create_admin_keys.sh', OPENVPN_DIR, host]) - else: - raise ValueError(f'Unsupported type; {type}') - - return True - - -def register_hosts_ip(host_list): - """Register all hosts ips""" - - with open(HOSTS_FILE, 'w') as file: - for host, ip in host_list: - file.write(f'{ip}\t{host}.his\n') - subprocess.check_call(['/usr/bin/systemctl', 'restart', 'dnsmasq.service']) - - return True - - -def get_key(host, type): - """Get a zip-archive containing all relevant keys""" - - memfile = StringIO.StringIO() - zip_file = zipfile.ZipFile(memfile, 'w') - - if type == 'client': - key_dir = os.path.join(OPENVPN_DIR, 'keys') - zip_file.write(f'{key_dir}/{host}.crt', 'hisparc.crt') - zip_file.write(f'{key_dir}/{host}.key', 'hisparc.key') - zip_file.write(f'{key_dir}/ca.crt', 'ca.crt') - elif type == 'admin': - key_dir = os.path.join(OPENVPN_DIR, 'adminkeys') - zip_file.write(f'{key_dir}/{host}.crt', 'hisparc_admin.crt') - zip_file.write(f'{key_dir}/{host}.key', 'hisparc_admin.key') - zip_file.write(f'{key_dir}/ca.crt', 'ca_admin.crt') - else: - 
raise ValueError(f'Unsupported type; {type}') - - key_dir = os.path.join(OPENVPN_DIR, 'keys') - zip_file.write(f'{key_dir}/ta.key', 'ta.key') - zip_file.close() - - zip_file = memfile.getvalue() - memfile.close() - - return base64.b64encode(zip_file) - - -if __name__ == '__main__': - # Restrict to a particular path. - class RequestHandler(SimpleXMLRPCRequestHandler): - rpc_paths = ('/RPC2',) - - # Create server - server = SimpleXMLRPCServer(("0.0.0.0", 8001), - requestHandler=RequestHandler) - server.register_introspection_functions() - - server.register_function(create_key) - server.register_function(register_hosts_ip) - server.register_function(get_key) - - # Run the server's main loop - server.serve_forever() diff --git a/provisioning/roles/vpn-scripts/handlers/main.yml b/provisioning/roles/vpn-scripts/handlers/main.yml deleted file mode 100644 index 0bd048ffe..000000000 --- a/provisioning/roles/vpn-scripts/handlers/main.yml +++ /dev/null @@ -1,10 +0,0 @@ -- name: Restart supervisord - ansible.builtin.service: - name: supervisord - state: restarted - become: true - -- name: restart hisparcvpnd - community.general.supervisorctl: - name: hisparcvpnd - state: restarted diff --git a/provisioning/roles/vpn-scripts/tasks/main.yml b/provisioning/roles/vpn-scripts/tasks/main.yml deleted file mode 100644 index effb83516..000000000 --- a/provisioning/roles/vpn-scripts/tasks/main.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -# Do not create backups, it will result in many executables in /usr/local/bin -- name: Copy vpn/publicdb service scripts - ansible.builtin.copy: - src: vpn-scripts/ - dest: /usr/local/bin - mode: 0755 - become: true - notify: restart hisparcvpnd - -- name: Install pip - ansible.builtin.yum: - name: python-pip - become: true - -- name: Install supervisord prerequisites - ansible.builtin.yum: - name: python-meld3 - become: true - -- name: Install supervisor daemon - ansible.builtin.pip: - name: supervisor - become: true - -- name: Copy supervisord init script - ansible.builtin.copy: - src: supervisord - dest: /etc/init.d/supervisord - backup: yes - owner: root - group: root - mode: 0755 - become: true - -- name: Copy supervisord.conf - ansible.builtin.copy: - src: supervisord.conf - dest: /etc/supervisord.conf - backup: yes - owner: root - group: root - mode: 0644 - become: true - notify: Restart supervisord - -- name: Start supervisord now and on boot - ansible.builtin.service: - name: supervisord - state: started - enabled: yes - become: true - -- name: Start hisparcvpnd - community.general.supervisorctl: - name: hisparcvpnd - state: started diff --git a/publicdb/default/templates/robots.txt b/publicdb/default/templates/robots.txt index e4bf22f83..d02523da3 100644 --- a/publicdb/default/templates/robots.txt +++ b/publicdb/default/templates/robots.txt @@ -9,5 +9,4 @@ Disallow: /maps/ Disallow: /analysis-session/ Disallow: /software-updates/ Disallow: /config/ -Disallow: /keys/ Disallow: /admin/ diff --git a/publicdb/inforecords/admin.py b/publicdb/inforecords/admin.py index 3b47a4841..fc5cb7c64 100644 --- a/publicdb/inforecords/admin.py +++ b/publicdb/inforecords/admin.py 
@@ -71,7 +71,7 @@ def type(self, obj): @admin.register(models.Pc) class PcAdmin(admin.ModelAdmin): - list_display = ('station', 'name', 'is_active', 'is_test', 'ip', 'url', 'keys') + list_display = ('station', 'name', 'is_active', 'is_test', 'ip') list_filter = ('is_active', 'is_test') ordering = ('station',) list_per_page = 200 diff --git a/publicdb/inforecords/models.py b/publicdb/inforecords/models.py index 218e2f032..11c09f17e 100644 --- a/publicdb/inforecords/models.py +++ b/publicdb/inforecords/models.py @@ -1,5 +1,4 @@ import datetime -import ipaddress from xmlrpc.client import ServerProxy @@ -7,8 +6,6 @@ from django.core.exceptions import ValidationError from django.db import models, transaction from django.db.models import Max -from django.urls import reverse -from django.utils.safestring import mark_safe from django.utils.text import slugify from ..histograms.models import Configuration, Summary 
@@ -335,67 +332,8 @@ def __str__(self): def save(self, *args, **kwargs): # slugify the short name to keep it clean self.name = slugify(self.name).replace('-', '').replace('_', '') - - if self.id is None: - if self.type.slug == 'admin': - try: - last_ip = Pc.objects.filter(type__slug='admin').latest('id').ip - except Pc.DoesNotExist: - # Initial Admin IP - last_ip = '172.16.66.1' - else: - try: - last_ip = Pc.objects.exclude(type__slug='admin').latest('id').ip - except Pc.DoesNotExist: - # Initial station IP - last_ip = '194.171.82.1' - self.ip = self.get_next_ip_address(last_ip) - - # First create keys, then issue final save - create_keys(self) - super().save(*args, **kwargs) - def keys(self): - url = reverse('keys', kwargs={'host': self.name}) - return mark_safe(f'Certificate {self.name}') - - keys.short_description = 'Certificates' - - def url(self): - if self.type.slug == 'admin': - return '' - else: - return mark_safe(f's{self.station.number}.his') - - url.short_description = 'VNC URL' - - def get_next_ip_address(self, ip): - """Generate new IP address - - Increments given IP address by 1. - - """ - return str(ipaddress.ip_address(ip) + 1) - - -def create_keys(pc): - """Create VPN keys for the given Pc""" - - if settings.VPN_PROXY: - proxy = ServerProxy(settings.VPN_PROXY) - proxy.create_key(pc.name, pc.type.slug, pc.ip) - - -def update_aliases(): - """Update VPN aliases""" - - if settings.VPN_PROXY: - proxy = ServerProxy(settings.VPN_PROXY) - aliases = [(f's{x.station.number}', x.ip) for x in Pc.objects.all()] - aliases.extend([(x.name, x.ip) for x in Pc.objects.all()]) - proxy.register_hosts_ip(aliases) - def reload_datastore(): """Reload the datastore configuration""" diff --git a/publicdb/inforecords/views.py b/publicdb/inforecords/views.py index 418f624db..155aeaab2 100644 --- a/publicdb/inforecords/views.py +++ b/publicdb/inforecords/views.py 
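Review bot: With the address-assignment branch removed, `Pc.save` now only slugifies `name` and calls `super().save()`, so `ip` is no longer populated for a new record even though `PcAdmin.list_display` still shows it; if the field definition (outside this hunk) has no default and `blank=False`, creating a Pc from the admin will fail validation until an address is typed in by hand, so either give the field `blank=True, null=True` or state in its `help_text` that the address is assigned manually now that VPN provisioning is gone. `create_keys` and `update_aliases` are deleted outright rather than stubbed, so any remaining caller elsewhere in the package (a signal receiver or management command, not visible here) would fail at import time; a grep for both names before merge is worth confirming. A one-line comment above `super().save(*args, **kwargs)` such as `# ip is no longer auto-assigned; VPN provisioning was removed` would spare the next reader a trip through the history to find the old logic.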
@@ -1,33 +1,10 @@
-import base64
 import socket
-from xmlrpc.client import ServerProxy
-
 from django.conf import settings
-from django.contrib.auth.decorators import login_required
 from django.core.exceptions import PermissionDenied
-from django.http import HttpResponse
-from django.shortcuts import get_object_or_404, render
-
-from .models import Pc, Station
-
-
-@login_required
-def keys(request, host):
- """Return a zip-file containing the hosts OpenVPN keys"""
-
- host = get_object_or_404(Pc, name=host)
-
- if settings.VPN_PROXY:
- proxy = ServerProxy(settings.VPN_PROXY)
- key_file = proxy.get_key(host.name, host.type.slug).data
- key_file = base64.b64decode(key_file)
- else:
- key_file = 'dummy'
+from django.shortcuts import render
-
- response = HttpResponse(key_file, content_type='application/zip')
- response['Content-Disposition'] = f'attachment; filename={host.name}.zip'
- return response
+from .models import Station
 def create_datastore_config(request):
diff --git a/publicdb/settings_develop.py b/publicdb/settings_develop.py
index 8e01815f1..245b96488 100644
--- a/publicdb/settings_develop.py
+++ b/publicdb/settings_develop.py
@@ -34,13 +34,11 @@
 # Path of the mounted KNMI Lightning data root folder
 LGT_PATH = os.path.join(PUBLICDB_PATH, 'knmi_lightning')
-# VPN and datastore XML-RPC Proxies
-# These are None in tests/development to disable attempts at connections
-VPN_PROXY = None # 'http://localhost:8001'
+# Datastore XML-RPC Proxy
+# This is None in tests/development to disable attempts at connections
 DATASTORE_PROXY = None # 'http://localhost:8002'
-# VPN and datastore host names
-VPN_HOST = 'localhost'
+# Datastore host name
 DATASTORE_HOST = 'localhost'
 # Process data with multiple threads. Default is enabled (True).
diff --git a/publicdb/settings_docker.py b/publicdb/settings_docker.py
index 558e50e3e..43a47189d 100644
--- a/publicdb/settings_docker.py
+++ b/publicdb/settings_docker.py
@@ -1,4 +1,4 @@
-# Django settings for when dunning publicdb via docker-compose.
+# Django settings for when running publicdb via docker-compose.
 from .settings_develop import * # noqa: F403
@@ -21,11 +21,9 @@
 CSRF_COOKIE_SECURE = False
 SECURE_SSL_REDIRECT = False
-# VPN and datastore XML-RPC Proxies
-# These are None in tests/development to disable attempts at connections
-VPN_PROXY = 'http://vpn:8001'
+# Datastore XML-RPC Proxy
+# This is None in tests/development to disable attempts at connections
 DATASTORE_PROXY = 'http://datastore:8002'
-# VPN and datastore host names
-VPN_HOST = 'publicdb_vpn_1.publicdb_default'
+# Datastore host name
 DATASTORE_HOST = 'publicdb_datastore_1.publicdb_default'
diff --git a/publicdb/urls.py b/publicdb/urls.py
index 782eaa4b2..bad3e72ad 100644
--- a/publicdb/urls.py
+++ b/publicdb/urls.py
@@ -2,7 +2,7 @@
 from django.urls import include, path
 from django.views.generic import RedirectView, TemplateView
-from .inforecords.views import create_datastore_config, keys
+from .inforecords.views import create_datastore_config
 urlpatterns = [
 path('', RedirectView.as_view(url='show/stations', permanent=False)),
@@ -16,6 +16,5 @@
 path('raw_data/', include('publicdb.raw_data.urls', namespace='raw_data')),
 path('data/', include('publicdb.raw_data.urls')),
 path('config/datastore', create_datastore_config, name='datastore_config'),
- path('keys//', keys, name='keys'),
 path('admin/', admin.site.urls),
 ]
diff --git a/pyproject.toml b/pyproject.toml
index fe21dffa3..793b36dd2 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -106,9 +106,6 @@ skip_covered = true
 [tool.typos.files]
 extend-exclude = [
 'publicdb/default/static/scripts/',
- 'provisioning/roles/openvpn/files/dnsmasq.conf',
- 'provisioning/roles/openvpn/files/openvpn/',
- 'provisioning/roles/openvpn/files/openvpn/README.md', # Dutch
 ]
 [tool.typos.default.extend-words]
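Review bot: The new comment added above `DATASTORE_PROXY` in `settings_docker.py`, `# This is None in tests/development to disable attempts at connections`, is copied from `settings_develop.py` but describes the wrong file: in this file the value is `'http://datastore:8002'`, so the comment contradicts the line directly beneath it. Replace it with `# Datastore XML-RPC proxy for the docker-compose stack (settings_develop sets this to None)`. The same wording is correct in the `settings_develop.py` hunk, where the value really is None.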
diff --git a/scripts/fake-vpn-xmlrpc-server.py b/scripts/fake-vpn-xmlrpc-server.py
deleted file mode 100644
index c9eeac68f..000000000
--- a/scripts/fake-vpn-xmlrpc-server.py
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/bin/python
-""" Simple XML-RPC Server to run on the VPN server
-
- This daemon should be run on HiSPARC's VPN server. It will handle the
- creation of hosts and keys and the retrieval of HiSPARC certificates.
-
- The basis for this code was ripped from the python SimpleXMLRPCServer
- library documentation and extended.
-
-"""
-import base64
-
-from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer
-
-HOSTS_FILE = '/tmp/hosts-hisparc'
-
-
-def create_key(host, type, ip):
- """create keys for a host and set up openvpn"""
-
- if type == 'client':
- print("create key Type was client")
- elif type == 'admin':
- print("create key Type was admin")
- else:
- print("Unexpected key {type=}")
- # raise ValueError(f'Unsupported type; {type}')
-
- return True
-
-
-def register_hosts_ip(host_list):
- """Register all hosts ips"""
-
- with open(HOSTS_FILE, 'w') as file:
- for host, ip in host_list:
- file.write(f'{ip}\t{host}.his\n')
- print(f"Writing {ip}, {host} to hosts file")
-
- return True
-
-
-def get_key(host, type):
- """Get a zip-archive containing all relevant keys"""
-
- if type == 'client':
- print("Get key type was client")
- elif type == 'admin':
- print("Get key type was admin")
- else:
- print("Unexpected key {type=}")
- # raise ValueError(f'Unsupported type; {type}')
-
- return base64.b64encode(b'test')
-
-
-class RequestHandler(SimpleXMLRPCRequestHandler):
- # Restrict to a particular path.
- rpc_paths = ('/RPC2',)
-
-
-if __name__ == '__main__':
- # Create server
- server = SimpleXMLRPCServer(("0.0.0.0", 8001), requestHandler=RequestHandler)
- server.register_introspection_functions()
-
- server.register_function(create_key)
- server.register_function(register_hosts_ip)
- server.register_function(get_key)
-
- # Run the server's main loop
- server.serve_forever()
diff --git a/scripts/vpn-xmlrpc-client.py b/scripts/vpn-xmlrpc-client.py
deleted file mode 100644
index a69e655d3..000000000
--- a/scripts/vpn-xmlrpc-client.py
+++ /dev/null
@@ -1,16 +0,0 @@
-""" Simple XML-RPC Client to test VPN server response
-
- This client can be used to test the VPN XML-RPC server.
-
-"""
-import base64
-
-from xmlrpc.client import ServerProxy
-
-vpn_server = ServerProxy('http://localhost:8001')
-print(vpn_server.system.listMethods())
-print(vpn_server.create_key('sciencepark501', 'client', '192.168.0.1'))
-print(vpn_server.register_hosts_ip([('nikhef1', '192.168.0.1'), ('nikhef2', '192.168.0.2')]))
-zip = base64.b64decode(vpn_server.get_key('sciencepark501', 'client').data)
-with open('/tmp/test.zip', 'wb') as file:
- file.write(zip)