Merge branch 'ocserv_cli_instructions' of github.com:alimakki/streisand into ocserv_cli_instructions

Author: alimakki

README-fr.md

@@ -109,64 +109,36 @@ Effectuez toutes ces tâches sur votre machine locale.
   * Sur Debian et Ubuntu
 
             sudo apt-get install git
-  * Sur Fedora
+  * Sur Fedora 27, certains progiciels sont nécessaires plus tard
 
-            sudo yum install git
-  * Sur macOS (via [Homebrew](https://brew.sh/))
+          sudo yum install git python2-pip gcc python2-devel python2-crypto python2-pycurl libcurl-devel
+  * Sur CentOS 7, `pip` est disponible dans le dépôt EPEL; certains progiciels supplémentaires sont nécessaires plus tard.
 
-            brew install git
-* Installez le système de gestion de paquets [pip](https://pip.pypa.io/en/latest/) pour Python.
-  * Sur Debian et Ubuntu (installe également les dépendances qui sont nécessaires pour construire Ansible et qui sont requises par certains modules)
+          sudo yum -y update && sudo yum install -y epel-release
+          sudo yum -y update && sudo yum install -y git gcc python-devel python-crypto python-pycurl python-pip libcurl-devel
+  * Sur macOS, `git` fait partie des outils de développement et sera installé la première fois que vous l'exécuterez. S'il n'y a pas déjà une commande `pip` installée, installez-la avec:
 
-            sudo apt-get install python-paramiko python-pip python-pycurl python-dev build-essential
-  * Sur Fedora
+         sudo python2.7 -m ensurepip
 
-            sudo yum install python-pip
-  * Sur macOS
-
-            sudo easy_install pip
-            sudo pip install pycurl
-
-* Installez [Ansible](https://www.ansible.com/).
-  * Sur macOS (via [Homebrew](https://brew.sh/))
-
-            brew install ansible
-  * Sur BSD ou Linux (via pip)
-
-            sudo pip install ansible markupsafe
-* Installez les bibliothèques Python nécessaires pour votre fournisseur de cloud.
-  * Amazon EC2
-
-            sudo pip install boto boto3
-  * Azure
-
-            sudo pip install ansible[azure]
-  * DigitalOcean
-
-            sudo pip install dopy==0.3.5
-  * Google
+### Exécution ###
+1. Clonez le répertoire Streisand et entrez dans le répertoire.
 
-            sudo pip install "apache-libcloud>=0.17.0"
-  * Linode
+        git clone https://github.com/StreisandEffect/streisand.git && cd streisand
 
-            sudo pip install linode-python
-  * Rackspace Cloud
+2. Exécutez le programme d'installation pour Ansible et ses dépendances.
 
-            sudo pip install pyrax
-  * Si vous utilisez une version de Python installée avec Homebrew, vous devez également exécuter ces commandes pour vous assurer qu'il peut trouver les bibliothèques nécessaires:
+        ./util/venv-dependencies.sh ./venv
+    * Le programme d'installation détectera les progiciels manquants et imprimera les commandes nécessaires pour les installer.
 
-            mkdir -p ~/Library/Python/2.7/lib/python/site-packages
-            echo '/usr/local/lib/python2.7/site-packages' > ~/Library/Python/2.7/lib/python/site-packages/homebrew.pth
+3. Activez les progciels Ansible installés.
 
-### Exécution ###
-1. Clonez le répertoire Streisand et entrez dans le répertoire.
-
-        git clone https://github.com/StreisandEffect/streisand.git && cd streisand
-2. Exécuter le script Streisand.
+        source ./venv/bin/activate
+      
+4. Exécutez le script Streisand.
 
         ./streisand
-3. Suivez les instructions pour choisir votre fournisseur, la région physique du serveur, et son nom. Vous serez également invité à entrer les informations de l'API.
-4. Une fois les informations de connexion et les clés d'API saisies, Streisand commencera à faire tourner un nouveau serveur distant.
+5. Suivez les instructions pour choisir votre fournisseur, la région physique du serveur, et son nom. Vous serez également invité à entrer les informations de l'API.
+6. Une fois les informations de connexion et les clés d'API saisies, Streisand commencera à faire tourner un nouveau serveur distant.
 5. Attendez que l'installation soit terminée (cela prend habituellement environ dix minutes) et recherchez les fichiers correspondants dans le dossier 'generated-docs' dans le répertoire du dépôt Streisand. Le fichier HTML expliquera comment se connecter à la passerelle via SSL ou via le service caché Tor. Toutes les instructions, les fichiers, les clients en miroir et les clés du nouveau serveur se trouvent alors sur la passerelle. Vous avez fini!
 
 ### Installation de Streisand sur localhost (Avancé) ###

global_vars/default-site.yml

@@ -20,5 +20,5 @@ streisand_ssh_forward_enabled: yes
 streisand_sshuttle_enabled: no
 streisand_stunnel_enabled: yes
 streisand_tinyproxy_enabled: yes
-streisand_tor_enabled: yes
+streisand_tor_enabled: no
 streisand_wireguard_enabled: yes

global_vars/integration/test-site.yml

@@ -16,7 +16,7 @@ streisand_ssh_forward_enabled: yes
 streisand_openvpn_enabled: yes
 streisand_wireguard_enabled: yes
 streisand_openconnect_enabled: yes
-streisand_tor_enabled: yes
+streisand_tor_enabled: no
 streisand_stunnel_enabled: yes
 streisand_tinyproxy_enabled: yes
 # TODO(@cpu): The services below need some manner of integration test written

global_vars/noninteractive/amazon-site.yml

@@ -23,7 +23,7 @@ streisand_ssh_forward_enabled: yes
 streisand_sshuttle_enabled: no
 streisand_stunnel_enabled: yes
 streisand_tinyproxy_enabled: yes
-streisand_tor_enabled: yes
+streisand_tor_enabled: no
 streisand_wireguard_enabled: yes
 
 # The AWS region number.

global_vars/noninteractive/azure-site.yml

@@ -23,7 +23,7 @@ streisand_ssh_forward_enabled: yes
 streisand_sshuttle_enabled: no
 streisand_stunnel_enabled: yes
 streisand_tinyproxy_enabled: yes
-streisand_tor_enabled: yes
+streisand_tor_enabled: no
 streisand_wireguard_enabled: yes
 
 # The region to deploy into.

global_vars/noninteractive/digitalocean-site.yml

@@ -27,7 +27,7 @@ streisand_ssh_forward_enabled: yes
 streisand_sshuttle_enabled: no
 streisand_stunnel_enabled: yes
 streisand_tinyproxy_enabled: yes
-streisand_tor_enabled: yes
+streisand_tor_enabled: no
 streisand_wireguard_enabled: yes
 
 # The Digital Ocean region number.

global_vars/noninteractive/google-site.yml

@@ -22,7 +22,7 @@ streisand_ssh_forward_enabled: yes
 streisand_sshuttle_enabled: no
 streisand_stunnel_enabled: yes
 streisand_tinyproxy_enabled: yes
-streisand_tor_enabled: yes
+streisand_tor_enabled: no
 streisand_wireguard_enabled: yes
 
 # Server location:

global_vars/noninteractive/linode-site.yml

@@ -21,7 +21,7 @@ streisand_ssh_forward_enabled: yes
 streisand_sshuttle_enabled: no
 streisand_stunnel_enabled: yes
 streisand_tinyproxy_enabled: yes
-streisand_tor_enabled: yes
+streisand_tor_enabled: no
 streisand_wireguard_enabled: yes
 
 # Choose the server location.

global_vars/noninteractive/local-site.yml

@@ -22,7 +22,7 @@ streisand_ssh_forward_enabled: yes
 streisand_sshuttle_enabled: no
 streisand_stunnel_enabled: yes
 streisand_tinyproxy_enabled: yes
-streisand_tor_enabled: yes
+streisand_tor_enabled: no
 streisand_wireguard_enabled: yes
 
 # Definitions needed for Let's Encrypt HTTPS (or TLS) certificate setup.

global_vars/noninteractive/rackspace-site.yml

@@ -21,7 +21,7 @@ streisand_ssh_forward_enabled: yes
 streisand_sshuttle_enabled: no
 streisand_stunnel_enabled: yes
 streisand_tinyproxy_enabled: yes
-streisand_tor_enabled: yes
+streisand_tor_enabled: no
 streisand_wireguard_enabled: yes
 
 # Choose the region to deploy into.

playbooks/customize.yml

@@ -41,8 +41,8 @@
       default: "yes"
       private: no
     - name: streisand_tor_enabled
-      prompt: "Enable Tor? Press enter for default "
-      default: "yes"
+      prompt: "Enable Tor? (UPSTREAM IS BROKEN) Press enter for default "
+      default: "no"
       private: no
     - name: streisand_wireguard_enabled
       prompt: "Enable WireGuard? Press enter for default "

playbooks/roles/common/tasks/detect-public-ip.yml

@@ -0,0 +1,51 @@
+---
+# detect-public-ip.yml will attempt to identify whether the server's public
+# IP address is different from what is visible on the host and, if
+# successfully detected, ask to update the address for documentation and
+# configuration profiles
+- name: "Install dns module"
+  apt:
+    name: dnsutils
+
+- name: "Initialize lookup variable"
+  set_fact:
+    external_ipv4_address: "presumed_failed"
+
+- name: "Check external IP Address through Google"
+  command: dig +short myip.opendns.com @resolver1.opendns.com A
+  register: dig_output
+
+- name: "Set the variable to the value"
+  set_fact:
+    external_ipv4_address: "{{ dig_output.stdout | regex_replace('\"', '') }}"
+    when: (dig_output.rc == 0)
+
+# Enter this block only when when the IPs are different and query user for updating
+# to public ip
+- block:
+    - name: "Initialize the prompt"
+      set_fact:
+        prompt_external_ip: |
+          We have found another public IP address of your server
+
+          Some cloud providers use load balancers or SDN to make servers externally
+          reachable. It seems
+          - {{ external_ipv4_address }} is publicly visible
+          - {{ streisand_ipv4_address }} is visible on the server
+
+          Type 'yes' to use {{ external_ipv4_address }} for the VPN
+          Hit 'enter' to skip and use {{ streisand_ipv4_address }}.
+
+          Skip with 'enter' if you do not know {{ external_ipv4_address }}
+
+    - name: "Ask user to update to public IP address"
+      pause:
+        prompt: "{{ prompt_external_ip }}"
+      register: publish_external
+
+    - name: "Change streisand_ipv4_address to public if requested"
+      set_fact:
+        streisand_ipv4_address: "{{ external_ipv4_address }}"
+      when: ((publish_external.user_input == "yes") or (publish_external.user_input == "Yes") or (publish_external.user_input == "YES") or (publish_external.user_input == "Y") or (publish_external.user_input == "y"))
+  when: (external_ipv4_address != "presumed_failed") and (streisand_ipv4_address != external_ipv4_address)
+...

playbooks/roles/common/tasks/set-default-variables.yml

@@ -36,3 +36,6 @@
   set_fact:
     streisand_server_name: "{{ ansible_hostname }}"
   when: streisand_server_name is not defined
+
+- import_tasks: detect-public-ip.yml
+  when: (hostvars['127.0.0.1']['streisand_genesis_role'] is defined and ((hostvars['127.0.0.1']['streisand_genesis_role'] == "localhost") or (hostvars['127.0.0.1']['streisand_genesis_role'] == "existing-server")))

playbooks/roles/common/vars/main.yml

@@ -126,3 +126,6 @@ streisand_my_ip_url: https://duckduckgo.com/?q=ip+address
 # Ciphersuites recommended from Mozilla's Modern compatibility profile
 # https://wiki.mozilla.org/Security/Server_Side_TLS
 streisand_tls_ciphers: "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
+
+apt_repository_retries: 10
+apt_repository_delay: 20

playbooks/roles/lets-encrypt/tasks/install.yml

@@ -8,6 +8,10 @@
 - name: Add the official acmetool repository
   apt_repository:
     repo: "deb http://ppa.launchpad.net/hlandau/rhea/{{ ansible_distribution|lower }} {{ ansible_lsb.codename }} main"
+  register: le_add_apt_repository
+  until: not le_add_apt_repository.failed
+  retries: "{{ apt_repository_retries }}"
+  delay: "{{ apt_repository_delay }}"
 
 - name: Install acmetool
   apt:

playbooks/roles/nginx/tasks/main.yml

@@ -15,6 +15,11 @@
 - name: Add the official Nginx repository
   apt_repository:
     repo: "deb https://nginx.org/packages/{{ ansible_distribution|lower }}/ {{ ansible_lsb.codename }} nginx"
+  register: nginx_add_apt_repository
+  until: not nginx_add_apt_repository.failed
+  retries: "{{ apt_repository_retries }}"
+  delay: "{{ apt_repository_delay }}"
+
 
 - name: Install Nginx
   apt:

playbooks/roles/openconnect/tasks/install.yml

@@ -1,8 +1,18 @@
 ---
+
+# It *shouldn't* be necessary to run this particular apt_repository
+# call in a "retry" loop; enabling Universe doesn't reach out to the
+# network, so this shouldn't have transient failures. For the sake of
+# consistency with the other apt_repository calls, it does retry.
+
 - name: Enable the Universe repository
   apt_repository:
     repo: "deb http://archive.ubuntu.com/ubuntu {{ ansible_distribution_release }} universe"
     state: present
+  register: openconnect_add_apt_repository
+  until: not openconnect_add_apt_repository.failed
+  retries: "{{ apt_repository_retries }}"
+  delay: "{{ apt_repository_delay }}"
 
 - name: Install ocserv
   apt:

playbooks/roles/openvpn/tasks/install.yml

@@ -10,6 +10,10 @@
   apt_repository:
     repo: 'deb https://build.openvpn.net/debian/openvpn/stable {{ ansible_lsb.codename }} main'
     state: present
+  register: openvpn_add_apt_repository
+  until: not openvpn_add_apt_repository.failed
+  retries: "{{ apt_repository_retries }}"
+  delay: "{{ apt_repository_delay }}"
 
 - name: Install OpenVPN and its dependencies from APT
   apt:

playbooks/roles/openvpn/templates/client-common.j2

@@ -8,7 +8,7 @@ persist-tun
 remote-cert-tls server
 verify-x509-name {{ openvpn_server_common_name.stdout }} name
 tls-version-min 1.2
-compress lz4
+compress
 verb 3
 route {{ streisand_ipv4_address }} 255.255.255.255 net_gateway
 

playbooks/roles/openvpn/templates/etc_openvpn_server_common.j2

@@ -28,7 +28,7 @@ tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
 
 auth {{ openvpn_auth_digest }}
 tls-version-min 1.2
-compress lz4
+compress
 user nobody
 group nogroup
 persist-key