Merge branch 'master' into add-aws-roles

.travis.yml

@@ -16,6 +16,7 @@ env:
  - RUN="ci" SITE="tests/site_vars/openvpn.yml"
  - RUN="ci" SITE="tests/site_vars/shadowsocks.yml"
  - RUN="ci" SITE="tests/site_vars/ssh.yml"
+ - RUN="ci" SITE="tests/site_vars/cloudflared.yml"
  - RUN="ci" SITE="random"
 
 before_install:
@@ -25,7 +26,7 @@ before_install:
  - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 762E3157
 
 install:
- - pip install ansible==2.6.5
+ - pip install ansible==2.8.0
  - pip install urllib3 yamllint
  - ansible --version
 

LICENSE

@@ -12,6 +12,11 @@ Modifications to the L2TP/IPsec configuration files are licensed
 under CC Attribution-ShareAlike 3.0 Unported
 (http://creativecommons.org/licenses/by-sa/3.0/).
 
+Cloudflared DNS-over-HTTPS role courtesy of Steven Foerster
+(https://github.com/sfoerster/ansible-cloudflared).
+Copyright 2019 Steven Foerster, and based on the work of
+Ben Dews (Copyright 2018).
+
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or

README-chs.md

@@ -1,5 +1,5 @@
 <p align="center">
- <img src="https://raw.githubusercontent.com/jlund/streisand/master/logo.jpg" alt="Automate the effect"/> 
+ <img src="https://raw.githubusercontent.com/jlund/streisand/master/logo.jpg" alt="Automate the effect"/>
 </p>
 
 - - -
@@ -141,7 +141,7 @@ Streisand 运行在**你自己的计算机上时（或者你电脑的虚拟机
  sudo pip install "apache-libcloud>=1.17.0"
  * Linode
 
- sudo pip install linode-python
+ sudo pip install linode-api4
  * Rackspace 云
 
  sudo pip install pyrax

README-ru.md

@@ -1,5 +1,5 @@
 <p align="center">
- <img src="https://raw.githubusercontent.com/jlund/streisand/master/logo.jpg" alt="Automate the effect"/> 
+ <img src="https://raw.githubusercontent.com/jlund/streisand/master/logo.jpg" alt="Automate the effect"/>
 </p>
 
 - - -
@@ -149,7 +149,7 @@
 
  * Linode
 
- sudo pip install linode-python
+ sudo pip install linode-api4
  * Rackspace Cloud
 
  sudo pip install pyrax

Services.md

@@ -20,7 +20,7 @@ Services Provided
  * When enabled, the high-performance [libev variant](https://github.com/shadowsocks/shadowsocks-libev) is installed. This version is capable of handling thousands of simultaneous connections.
  * A QR code is generated that can be used to automatically configure the Android and iOS clients by simply taking a picture. You can tag '8.8.8.8' on that concrete wall, or you can glue the Shadowsocks instructions and some QR codes to it instead!
  * [AEAD](https://shadowsocks.org/en/spec/AEAD-Ciphers.html) support is enabled using ChaCha20 and Poly1305 for enhanced security and improved GFW evasion.
- * The [simple-obfs](https://github.com/shadowsocks/simple-obfs) plugin is installed to provide robust traffic evasion on hostile networks (especially those implementing quality of service (QOS) throttling).
+ * The [v2ray-plugin](https://github.com/shadowsocks/v2ray-plugin) plugin is installed to provide robust traffic evasion on hostile networks (especially those implementing quality of service (QOS) throttling).
 * [sslh](https://www.rutschle.net/tech/sslh/README.html)
  * Sslh is a protocol demultiplexer that allows Nginx, OpenSSH, and OpenVPN to share port 443. This provides an alternative connection option and means that you can still route traffic via OpenSSH and OpenVPN even if you are on a restrictive network that blocks all access to non-HTTP ports.
 * [Stunnel](https://www.stunnel.org/index.html)
@@ -37,3 +37,5 @@ Services Provided
  * Your Streisand server is configured to automatically install new security updates.
 * [WireGuard](https://www.wireguard.com/)
  * Linux users can take advantage of this next-gen, simple, kernel-based, state-of-the-art VPN that also happens to be ridiculously fast and uses modern cryptographic principles that all other highspeed VPN solutions lack.
+* [Cloudflared DNS-over-HTTPS](https://developers.cloudflare.com/1.1.1.1/dns-over-https/)
+ * Even when you are visiting a site using HTTPS, by default your DNS query is sent over an unencrypted connection (between the Streisand server and upstream DNS servers). With Streisand's DNS-over-HTTPS service provided by the cloudflared client enabled, your DNS queries are blocked from view by the cloud provider hosting your Streisand server and everyone in between them and the upstream DNS server. The DNS reply from the upstream server is also protected from both view and tampering on its way back to your Streisand server.

global_vars/default-site.yml

@@ -14,6 +14,7 @@ vpn_clients: 5
 streisand_openconnect_enabled: yes
 streisand_openvpn_enabled: yes
 streisand_shadowsocks_enabled: yes
+streisand_shadowsocks_v2ray_enabled: no
 streisand_ssh_forward_enabled: yes
 # By default sshuttle is disabled because it creates a `sshuttle` user that has
 # full shell privileges on the Streisand host
@@ -22,3 +23,4 @@ streisand_stunnel_enabled: yes
 streisand_tinyproxy_enabled: yes
 streisand_tor_enabled: no
 streisand_wireguard_enabled: yes
+streisand_cloudflared_enabled: yes

global_vars/globals.yml

@@ -1,7 +1,12 @@
 ---
+
+# If using regular cleartext DNS then dnsmasq will set these upstream DNS servers
 upstream_dns_servers:
- - 8.8.8.8
- - 8.8.4.4
+ - 1.1.1.1
+ - 1.0.0.1
+
+# If using DNS-over-HTTPS with cloudflared then the upstream servers and queries can be set in:
+# playbooks/roles/cloudflared/defaults/main.yml
 
 streisand_client_test: no
 

global_vars/noninteractive/amazon-site.yml

@@ -27,25 +27,11 @@ streisand_tor_enabled: no
 streisand_wireguard_enabled: yes
 
 # The AWS region number.
-# 1. US East (N. Virginia)
-# 2. US East (Ohio)
-# 3. US West (N. California)
-# 4. US West (Oregon)
-# 5. Canada (Central)
-# 6. EU (Frankfurt)
-# 7. EU (Ireland)
-# 8. EU (London)
-# 9. EU (Paris)
-# 10. Asia Pacific (Tokyo)
-# 11. Asia Pacific (Seoul)
-# 12. Asia Pacific (Osaka-Local)
-# 13. Asia Pacific (Singapore)
-# 14. Asia Pacific (Sydney)
-# 15. Asia Pacific (Mumbai)
-# 16. South America (São Paulo)
+#
+# See ./playbooks/amazon.yml for numbering.
 #
 # Note: aws_region_var must be a number in quotes, e.g. "3" not 3.
-aws_region_var: "3"
+aws_region_var: "16"
 
 # The VPC and subnet IDs to use. They can be empty strings to indicate that a
 # VPC will not be used.

playbooks/amazon.yml

@@ -6,24 +6,26 @@
  gather_facts: yes
 
  vars:
+ # The region dict is generated from ./util/print-aws-regions.py
  regions:
- "1": "us-east-1"
- "2": "us-east-2"
- "3": "us-west-1"
- "4": "us-west-2"
- "5": "ca-central-1"
- "6": "eu-central-1"
- "7": "eu-west-1"
- "8": "eu-west-2"
- "9": "eu-west-3"
- "10": "ap-northeast-1"
- "11": "ap-northeast-2"
- "12": "ap-northeast-3"
- "13": "ap-southeast-1"
- "14": "ap-southeast-2"
- "15": "ap-south-1"
- "16": "sa-east-1"
- "17": "eu-north-1"
+ "1": "ap-east-1"
+ "2": "ap-northeast-1"
+ "3": "ap-northeast-2"
+ "4": "ap-northeast-3"
+ "5": "ap-south-1"
+ "6": "ap-southeast-1"
+ "7": "ap-southeast-2"
+ "8": "ca-central-1"
+ "9": "eu-central-1"
+ "10": "eu-north-1"
+ "11": "eu-west-1"
+ "12": "eu-west-2"
+ "13": "eu-west-3"
+ "14": "sa-east-1"
+ "15": "us-east-1"
+ "16": "us-east-2"
+ "17": "us-west-1"
+ "18": "us-west-2"
 
  # These variable files are included so the ec2-security-group role
  # knows which ports to open
@@ -39,28 +41,31 @@
  - roles/wireguard/defaults/main.yml
 
  vars_prompt:
+ # The region prompt is generated from ./util/print-aws-regions.py
+ # Don't forget to update the default if it changes.
  - name: "aws_region_var"
  prompt: |
  In what region should the server be located?
- 1. US East (N. Virginia)
- 2. US East (Ohio)
- 3. US West (N. California)
- 4. US West (Oregon)
- 5. Canada (Central)
- 6. EU (Frankfurt)
- 7. EU (Ireland)
- 8. EU (London)
- 9. EU (Paris)
- 10. Asia Pacific (Tokyo)
- 11. Asia Pacific (Seoul)
- 12. Asia Pacific (Osaka-Local)
- 13. Asia Pacific (Singapore)
- 14. Asia Pacific (Sydney)
- 15. Asia Pacific (Mumbai)
- 16. South America (São Paulo)
- 17. EU (Stockholm)
- Please choose the number of your region. Press enter for default (#13) region.
- default: "13"
+ 1. ap-east-1 Asia Pacific (Hong Kong)
+ 2. ap-northeast-1 Asia Pacific (Tokyo)
+ 3. ap-northeast-2 Asia Pacific (Seoul)
+ 4. ap-northeast-3 Asia Pacific (Osaka-Local)
+ 5. ap-south-1 Asia Pacific (Mumbai)
+ 6. ap-southeast-1 Asia Pacific (Singapore)
+ 7. ap-southeast-2 Asia Pacific (Sydney)
+ 8. ca-central-1 Canada (Central)
+ 9. eu-central-1 EU (Frankfurt)
+ 10. eu-north-1 EU (Stockholm)
+ 11. eu-west-1 EU (Ireland)
+ 12. eu-west-2 EU (London)
+ 13. eu-west-3 EU (Paris)
+ 14. sa-east-1 South America (São Paulo)
+ 15. us-east-1 US East (N. Virginia)
+ 16. us-east-2 US East (Ohio)
+ 17. us-west-1 US West (N. California)
+ 18. us-west-2 US West (Oregon)
+ Please choose the number of your region. Press enter for default (#16) region.
+ default: "16"
  private: no
 
  - name: "aws_vpc_id_var"

playbooks/customize.yml

@@ -28,6 +28,10 @@
  prompt: "Enable Shadowsocks? Press enter for default "
  default: "yes"
  private: no
+ - name: streisand_shadowsocks_v2ray_enabled
+ prompt: "Enable v2ray-plugin for Shadowsocks? Press enter for default "
+ default: "no"
+ private: no
  - name: streisand_ssh_forward_enabled
  prompt: "Enable SSH Forward User? (Note: A SOCKS proxy only user will be added, no shell). Press enter for default "
  default: "yes"
@@ -48,6 +52,10 @@
  prompt: "Enable WireGuard? Press enter for default "
  default: "yes"
  private: no
+ - name: streisand_cloudflared_enabled
+ prompt: "Enable DNS-over-HTTPS (cloudflared)? Press enter for default "
+ default: "yes"
+ private: no
 
  tasks:
  - lineinfile:
@@ -70,6 +78,10 @@
  path: "{{ streisand_site_vars }}"
  regexp: "^streisand_shadowsocks_enabled: (?:yes|no)$"
  line: "streisand_shadowsocks_enabled: {{ streisand_shadowsocks_enabled }}"
+ - lineinfile:
+ path: "{{ streisand_site_vars }}"
+ regexp: "^streisand_shadowsocks_v2ray_enabled: (?:yes|no)$"
+ line: "streisand_shadowsocks_v2ray_enabled: {{ streisand_shadowsocks_v2ray_enabled }}"
  - lineinfile:
  path: "{{ streisand_site_vars }}"
  regexp: "^streisand_ssh_forward_enabled: (?:yes|no)$"
@@ -94,3 +106,7 @@
  path: "{{ streisand_site_vars }}"
  regexp: "^streisand_wireguard_enabled: (?:yes|no)$"
  line: "streisand_wireguard_enabled: {{ streisand_wireguard_enabled }}"
+ - lineinfile:
+ path: "{{ streisand_site_vars }}"
+ regexp: "^streisand_cloudflared_enabled: (?:yes|no)$"
+ line: "streisand_cloudflared_enabled: {{ streisand_cloudflared_enabled }}"

playbooks/existing-server.yml

@@ -25,7 +25,7 @@
  changed_when: False
  rescue:
  - fail:
- msg: "Unable to SSH to existing streisand-host.\nEnsure private key corresponding to \"{{ streisand_ssh_key }}\" is loaded in your SSH key agent.\nTry using `ssh-keygen -i {{ streisand_ssh_key }} to generate your key if it does not exist\n"
+ msg: "Unable to SSH to existing streisand-host.\nEnsure private key corresponding to \"{{ streisand_ssh_private_key }}\" is loaded in your SSH key agent.\nTry using `ssh-keygen -i {{ streisand_ssh_private_key }} to generate your key if it does not exist\n"
 
 # Ensure Python is installed on the system
 - import_playbook: python.yml

playbooks/linode.yml

@@ -7,29 +7,31 @@
 
  vars:
  regions:
- "1": 4
- "2": 2
- "3": 10
- "4": 3
- "5": 7
- "6": 6
- "7": 9
- "8": 8
- "9": 11
+ "1": "ca-central"
+ "2": "us-central"
+ "3": "us-west"
+ "4": "us-southeast"
+ "5": "us-east"
+ "6": "eu-west"
+ "7": "ap-south"
+ "8": "eu-central"
+ "9": "ap-northeast"
+ "10": "ap-west"
 
  vars_prompt:
  - name: "linode_datacenter"
  prompt: >
  What region should the server be located in?
- 1. Atlanta
+ 1. Toronto
  2. Dallas
- 3. Frankfurt
- 4. Fremont
- 5. London
- 6. Newark
+ 3. Fremont
+ 4. Atlanta
+ 5. Newark
+ 6. London
  7. Singapore
- 8. Tokyo
- 9. Tokyo 2
+ 8. Frankfurt
+ 9. Tokyo
+ 10. Mumbai
  Please choose the number of your region. Press enter for default (#7) region.
  default: "7"
  private: no
@@ -39,8 +41,8 @@
  default: "streisand"
  private: no
 
- - name: "linode_api_key"
- prompt: "\n\nThe following information can be found in the Linode Manager.\nhttps://manager.linode.com/profile/api\n\nNote: API keys originating from https://cloud.linode.com/profile/tokens are not yet compatible.\n\nWhat is your Linode API key?\n"
+ - name: "linode_api_token"
+ prompt: "\n\nThe following information can be found in the Linode Manager:\nhttps://cloud.linode.com/profile/tokens\n\nWhat is your Linode API Token?\n"
  private: no
 
  - name: "confirmation"

playbooks/roles/cloudflared/defaults/main.yml

@@ -0,0 +1,19 @@
+---
+cloudflared_base_url: "https://bin.equinox.io/c/VdrWdbjqyF/"
+
+cloudflared_amd64_apt: "cloudflared-stable-linux-amd64.deb"
+cloudflared_amd64_yum: "cloudflared-stable-linux-amd64.rpm"
+cloudflared_amd64_binary: "cloudflared-stable-linux-amd64.tgz"
+cloudflared_arm_apt: "cloudflared-stable-linux-arm.deb"
+cloudflared_arm_yum: "cloudflared-stable-linux-arm.rpm"
+cloudflared_arm_binary: "cloudflared-stable-linux-arm.tgz"
+
+cloudflared_allow_firewall: false
+cloudflared_enable_service: true
+cloudflared_upstream1: "https://1.1.1.1/dns-query"
+cloudflared_upstream2: "https://1.0.0.1/dns-query"
+cloudflared_port: 5053
+
+cloudflared_options: "proxy-dns --port {{ cloudflared_port }} --upstream {{ cloudflared_upstream1 }} --upstream {{ cloudflared_upstream2 }}"
+
+cloudflared_bin_location: /usr/local/bin

playbooks/roles/cloudflared/files/cloudflared.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=cloudflared service
+After=syslog.target network-online.target
+
+[Service]
+Type=simple
+User=cloudflared
+EnvironmentFile=/etc/default/cloudflared
+ExecStart=/usr/local/bin/cloudflared $CLOUDFLARED_OPTS
+Restart=on-failure
+RestartSec=10
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target

playbooks/roles/cloudflared/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart cloudflared service
+ systemd:
+ name: cloudflared.service
+ state: restarted

playbooks/roles/cloudflared/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+ - { role: dnsmasq }
+ - { role: ip-forwarding }