Merge branch 'master' of git://github.com/niteoweb/niteoweb.fabfile
Showing
15 changed files
with
300 additions
and
22 deletions.
@@ -1 +1 @@ | ||
See `docs/README.rst <https://github.com/nzupan/niteoweb.fabfile/blob/master/docs/README.rst>`_. | ||
See `docs/README.rst <https://github.com/niteoweb/niteoweb.fabfile/blob/master/docs/README.rst>`_. |
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
@@ -0,0 +1,2 @@ | ||
# group group-secret | ||
sudo ${pass:ipsec} |
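Review bot: The generated psk.txt carries the group secret in plaintext and nothing in the file says how it has to be installed; as far as I recall racoon rejects a pre-shared-key file that is group- or world-readable, so a buildout-generated `etc/psk.txt` written with the default umask will either be refused as `/etc/racoon/psk.txt` or, if copied with its mode relaxed, be readable by every local user. I would add a comment at the top, `# Install as /etc/racoon/psk.txt, owned by root, mode 0600; keep the generated etc/psk.txt out of version control`. The first token `sudo` is the IKE group identifier that clients present and that this setup ties to the Linux `sudo` group, so a second comment, `# format: <group name sent by client> <shared secret> (secret comes from [pass] ipsec in buildout.cfg)`, would spare a reader the trip to racoon.conf.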
@@ -0,0 +1,55 @@ | ||
# The listen group specifies the IP’s to bind on. | ||
# The path directives tell racoon where to find its other configuration files. | ||
path pre_shared_key "/etc/racoon/psk.txt"; | ||
|
||
# Next up is a remote section, specifying the phase 1 settings. Normal IPsec | ||
# tunnels are point-to-point. You can configure the tunnel statically on both | ||
# ends. Here we are setting up a roaming tunnel: we don’t know where the client | ||
# is. This has some implications: | ||
# * the server can never initiate the connection (since the IP of the client(s) | ||
# are unknown) | ||
# * The client’s tunnel-IP needs to be assigned from the server. This minimizes | ||
# client-side configuration | ||
# * The client must authenticate itself using a username/password combo. | ||
remote anonymous { # Do not filter on source IP, anyone can connect to this tunnel | ||
passive on; # Don't initiate, only listen | ||
exchange_mode main,aggressive; # Accept both modes | ||
my_identifier fqdn "ipsec"; # Identify ourselves with this name | ||
mode_cfg on; # configure the client's IP address using mode configuration | ||
verify_cert off; # Don't check client certificate | ||
ike_frag on; # Announce IKE-fragmentation support | ||
generate_policy on; # automatically install SPD's | ||
nat_traversal on; # Support NAT traversal | ||
dpd_delay 20; # Disconnect dead clients after 20 seconds | ||
proposal { # Phase 1 parameters | ||
encryption_algorithm aes; | ||
hash_algorithm sha1; | ||
authentication_method xauth_psk_server; # Require PreSharedKey group authentication and username/password user authentication | ||
dh_group 2; | ||
} | ||
} | ||
|
||
# Next section is the mode configuration. This is sometimes called phase 1.5, | ||
# because it happens between phase 1 and phase 2. In this step, the client is | ||
# authenticated. | ||
mode_cfg { | ||
auth_source system; # Authenticate against Linux users | ||
save_passwd on; # Allow users to save passwords | ||
|
||
group_source system; # Verify group membership in Linux groups | ||
auth_groups "sudo"; # Require users to be member of this group in order to connect | ||
|
||
network4 10.0.0.0; # Give clients addresses starting from this address | ||
pool_size 255; # up to 255 addresses higher | ||
|
||
dns4 8.8.8.8; # Use Google's public DNS | ||
dns4 8.8.4.4; | ||
} | ||
|
||
# The sainfo section specifies the parameters to use for phase 2, the actual | ||
# data-encryption | ||
sainfo anonymous { | ||
encryption_algorithm aes; | ||
authentication_algorithm hmac_sha1; | ||
compression_algorithm deflate; | ||
} |
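Review bot: `exchange_mode main,aggressive` combined with `authentication_method xauth_psk_server` in the phase-1 proposal accepts IKEv1 aggressive mode, where the hash derived from the group pre-shared key is exchanged before encryption is established, so whoever observes one connection attempt can try to recover the group secret offline; since a single secret is shared by every client and the group name is the predictable `sudo`, the comment should state that the `[pass] ipsec` value must be long and random rather than a memorable password, e.g. `# Accept both modes; roaming/iOS clients need aggressive mode, which exposes the PSK hash to offline guessing - use a long random group secret`. `auth_groups "sudo"` in the mode_cfg section also means every account allowed to connect is by construction a sudoer and the XAUTH password is that user's system password, which deserves an explicit line such as `# NOTE: VPN access is limited to sudoers, so every VPN credential is also an admin credential`. `dh_group 2` (1024-bit MODP) is the weakest group most clients still accept; a comment noting that a stronger group should be preferred where the client supports it would help the next maintainer, and the `dns4 8.8.8.8` lines push all client DNS to a third party, which is worth calling out next to the "remotely access your internal LAN" goal.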
|
@@ -9,6 +9,7 @@ Table of Contents | |
hq.rst | ||
projects.rst | ||
bacula.rst | ||
ipsec.rst | ||
api.rst | ||
|
||
.. include:: FUTURE.rst | ||
|
@@ -0,0 +1,145 @@ | ||
============ | ||
IPsec server | ||
============ | ||
|
||
This is how to setup an IPsec server in your office so you can remotely | ||
access your internal LAN when you are on the road and also have all | ||
traffic encrypted when sitting in a cafe and using a public network. | ||
|
||
Prerequisities | ||
-------------- | ||
|
||
You router needs to forward ports 500 and 4500 to your IPsec server. | ||
|
||
|
||
Sample fabfile | ||
-------------- | ||
|
||
Below is a ``fabfile.py.in`` buildout template that uses commands from `Server` | ||
group to set up an IPsec server (based on Ubuntu 10.04). | ||
|
||
.. sourcecode:: python | ||
|
||
import os | ||
from fabric.api import env | ||
from fabric.api import settings | ||
from fabric.api import sudo | ||
|
||
from niteoweb.fabfile.server import * | ||
|
||
env.path = os.getcwd() | ||
env.hosts = ['${ips:server}'] | ||
env.server_ip = '${ips:server}' | ||
env.shortname = '${config:shortname}' | ||
env.hostname = '${config:hostname}' | ||
env.temp_root_pass = '${pass:temp_root}' | ||
|
||
env.email = 'maintenance@company.com' | ||
env.admins = ['bob', 'jane', ] | ||
|
||
def deploy(): | ||
"""The highest-level meta-command for deploying Plone to the server. | ||
Use this command only on a fresh and clean server.""" | ||
|
||
with settings(user='root', password=env.temp_root_pass): | ||
create_admin_accounts(default_password='secret123') | ||
|
||
# security | ||
harden_sshd() | ||
disable_root_login() | ||
|
||
# bootstrap server | ||
set_hostname() | ||
set_system_time() | ||
install_unattended_upgrades() | ||
install_sendmail() | ||
install_rkhunter() | ||
|
||
# install software stack | ||
install_ipsec() | ||
|
||
|
||
Sample buildout.cfg | ||
------------------- | ||
|
||
This ``fabfile.py`` template has a dependency on the `niteoweb.fabfile` package | ||
and also expects to find certain buildout values and config files in certain | ||
directories. Here's a sample ``buildout.cfg`` that you can use to prepare an | ||
environment for using this ``fabfile.py.in``. Save the ``fabfile.py.in`` in | ||
``etc/`` directory in your buildout. | ||
|
||
:: | ||
|
||
[buildout] | ||
unzip = true | ||
newest = false | ||
extensions = buildout.dumppickedversions | ||
prefer-final = true | ||
|
||
parts = | ||
fabfile | ||
fabric | ||
racoon.conf | ||
psk.txt | ||
|
||
[config] | ||
# Project shortname | ||
shortname = ipsec | ||
|
||
# Main domain on which this project runs on | ||
hostname = ipsec.company.com | ||
|
||
# Various IPs needed for deployment | ||
[ips] | ||
server = ?.?.?.? | ||
|
||
[pass] | ||
# Temporary root password assigned to us by hosting provider | ||
temp_root = some_password_here | ||
ipsec = strong_password_here | ||
|
||
# Prepare Fabric | ||
[fabric] | ||
recipe = zc.recipe.egg | ||
eggs = | ||
Fabric | ||
niteoweb.fabfile | ||
|
||
[fabfile] | ||
recipe = collective.recipe.template | ||
input = ${buildout:directory}/etc/fabfile.py.in | ||
output = ${buildout:directory}/fabfile.py | ||
|
||
# Generate config files from templates in ./etc | ||
[racoon.conf] | ||
recipe = collective.recipe.template | ||
input = ${buildout:directory}/etc/racoon.conf.in | ||
output = ${buildout:directory}/etc/racoon.conf | ||
|
||
[psk.txt] | ||
recipe = collective.recipe.template | ||
input = ${buildout:directory}/etc/psk.txt.in | ||
output = ${buildout:directory}/etc/psk.txt | ||
|
||
Config files | ||
------------ | ||
|
||
Samples of config files that you need to put inside ``etc/`` directory in your | ||
buildout: | ||
|
||
* :download:`racoon.conf.in <etc/racoon.conf.in>`. | ||
* :download:`psk.txt.in <etc/psk.txt.in>`. | ||
|
||
|
||
Client configuration | ||
-------------------- | ||
|
||
Configuring a client to use this IPsec server is fairly easy. For iOS, | ||
go to Settings -> Network -> VPN and add a new IPsec VPN with the following | ||
settings: | ||
|
||
* Description: whatever | ||
* Server: Public IP of your router behind which the IPsec server sits | ||
* Account: a Linux user on the machine that is in the ``sudo`` group | ||
* Group name: ``sudo`` (it's specified in ``racoon.conf``) | ||
* Secret: secret set for group ``sudo`` in ``psk.txt`` |