# -*- mode: ruby -*-
# vi: set ft=ruby :
# Minimum Vagrant release this file is written against.
Vagrant.require_version ">= 2.1.2"
Vagrant.configure("2") do |config|
  # Vagrant 1.7.0+ removes the insecure_private_key by default
  # and substitutes a dynamically generated SSH key for each box.
  # Unfortunately this breaks Ansible provisioning with Vagrant,
  # so the key insertion feature should be disabled.
  # NOTE(review): with insertion off, the box's shared default key stays
  # authorized in the guest; presumably acceptable only because these are
  # local development VMs on non-routable private networks — confirm.
  config.ssh.insert_key = false
  # The staging hosts are just like production but allow non-tor access
  # for the web interfaces and ssh.
  #
  # Every define block below assigns the root config.ssh settings, not the
  # per-machine ones (staging.ssh / prod.ssh). Presumably this relies on
  # Vagrant evaluating only the define block of the machine being acted on;
  # verify before adding machines, since a later block would otherwise win.
  config.vm.define 'mon-staging', autostart: false do |staging|
    # SECUREDROP_SSH_OVER_TOR set (any non-empty value, including "0", is
    # truthy): SSH goes to the .onion hostname read from the ATHS file the
    # playbooks fetch back, through the nc-based Tor proxy command.
    # Otherwise, and only for `vagrant ssh`, connect straight to the
    # private-network IP configured for this machine below.
    if ENV['SECUREDROP_SSH_OVER_TOR']
      config.ssh.host = find_ssh_aths("mon-ssh-aths")
      config.ssh.proxy_command = tor_ssh_proxy_command
      config.ssh.port = 22
    elsif ARGV[0] == "ssh"
      config.ssh.host = "10.0.1.3"
      config.ssh.port = 22
    end
    staging.vm.hostname = "mon-staging"
    staging.vm.box = "bento/ubuntu-16.04"
    # Host-only network; the same address is hard-coded in the ssh branch above.
    staging.vm.network "private_network", ip: "10.0.1.3"
    # The repo checkout is not mounted into the guest (no /vagrant share).
    staging.vm.synced_folder './', '/vagrant', disabled: true
    # No provisioner here: mon-staging is provisioned from app-staging's
    # Ansible run below (limit 'all,localhost' with the static inventory).
  end
  config.vm.define 'app-staging', autostart: false do |staging|
    # Same SSH selection as mon-staging; see the comment there.
    if ENV['SECUREDROP_SSH_OVER_TOR']
      config.ssh.host = find_ssh_aths("app-ssh-aths")
      config.ssh.proxy_command = tor_ssh_proxy_command
      config.ssh.port = 22
    elsif ARGV[0] == "ssh"
      config.ssh.host = "10.0.1.2"
      config.ssh.port = 22
    end
    staging.vm.hostname = "app-staging"
    staging.vm.box = "bento/ubuntu-16.04"
    staging.vm.network "private_network", ip: "10.0.1.2"
    staging.vm.synced_folder './', '/vagrant', disabled: true
    staging.vm.provider "virtualbox" do |v|
      v.memory = 1024
    end
    # `override` is accepted but unused; only the memory is tuned for libvirt.
    staging.vm.provider "libvirt" do |lv, override|
      lv.memory = 1024
    end
    staging.vm.provision "ansible" do |ansible|
      ansible.playbook = "install_files/ansible-base/securedrop-staging.yml"
      # Static inventory checked into the repo, rather than one generated
      # by Vagrant from the machine definitions.
      ansible.inventory_path = "install_files/ansible-base/inventory-staging"
      ansible.verbose = 'v'
      # Taken from the parallel execution tips and tricks
      # https://docs.vagrantup.com/v2/provisioning/ansible.html
      ansible.limit = 'all,localhost'
      # Extra ansible-playbook arguments from the environment, split the way
      # a shell would so quoted values survive. Shellwords is not required in
      # this file; presumably Vagrant loads it — confirm.
      ansible.raw_arguments = Shellwords.shellsplit(ENV['ANSIBLE_ARGS']) if ENV['ANSIBLE_ARGS']
    end
  end
  # The prod hosts are just like production but are virtualized.
  # All access to SSH and the web interfaces is only over Tor.
  config.vm.define 'mon-prod', autostart: false do |prod|
    # No direct-IP fallback for prod: without SECUREDROP_SSH_OVER_TOR the
    # root ssh settings are left untouched.
    if ENV['SECUREDROP_SSH_OVER_TOR']
      config.ssh.host = find_ssh_aths("mon-ssh-aths")
      config.ssh.proxy_command = tor_ssh_proxy_command
      config.ssh.port = 22
    end
    prod.vm.hostname = "mon-prod"
    prod.vm.box = "bento/ubuntu-16.04"
    # virtualbox__intnet is VirtualBox-specific: the prod VMs sit on an
    # internal network named per checkout (see internal_network_name) so
    # concurrent checkouts do not collide on these addresses.
    prod.vm.network "private_network", ip: "10.0.1.5", virtualbox__intnet: internal_network_name
    prod.vm.synced_folder './', '/vagrant', disabled: true
    # Provisioned from app-prod's Ansible run below via the group mapping.
  end
  config.vm.define 'app-prod', autostart: false do |prod|
    if ENV['SECUREDROP_SSH_OVER_TOR']
      config.ssh.host = find_ssh_aths("app-ssh-aths")
      config.ssh.proxy_command = tor_ssh_proxy_command
      config.ssh.port = 22
    end
    prod.vm.hostname = "app-prod"
    prod.vm.box = "bento/ubuntu-16.04"
    prod.vm.network "private_network", ip: "10.0.1.4", virtualbox__intnet: internal_network_name
    prod.vm.synced_folder './', '/vagrant', disabled: true
    prod.vm.provider "virtualbox" do |v|
      v.memory = 1024
    end
    prod.vm.provision "ansible" do |ansible|
      ansible.playbook = "install_files/ansible-base/securedrop-prod.yml"
      ansible.verbose = 'v'
      # The production playbook verifies that staging default values are not
      # used; to run it under Vagrant that role needs to be skipped,
      # presumably via the ANSIBLE_ARGS passed through on the next line.
      ansible.raw_arguments = Shellwords.shellsplit(ENV['ANSIBLE_ARGS']) if ENV['ANSIBLE_ARGS']
      # Taken from the parallel execution tips and tricks
      # https://docs.vagrantup.com/v2/provisioning/ansible.html
      ansible.limit = 'all,localhost'
      # No inventory_path here (unlike staging); these groups map the two
      # prod machines to the playbook's host groups.
      ansible.groups = {
        'securedrop_application_server' => %w(app-prod),
        'securedrop_monitor_server' => %w(mon-prod),
        'securedrop' => %w(app-prod mon-prod)
      }
    end
  end
end
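# Get .onion URL for connecting to instances over Tor.
# The Ansible playbooks fetch these values back to the
# Admin Workstation (localhost) so they can be manually
# added to the inventory file. Possible values for filename
# are "app-ssh-aths" and "mon-ssh-aths".
#
# The returned value is used verbatim as config.ssh.host (and so as %h in
# the nc proxy command); no format check is applied here beyond taking the
# second whitespace-separated field. The ATHS file is local output of the
# playbooks, not user input.
#
# @param filename [String] basename of the ATHS file under
#   install_files/ansible-base
# @param repo_root [String] directory that contains install_files/;
#   defaults to the directory this Vagrantfile lives in
# @return [String, nil] the .onion hostname from the first line, or nil
#   when the file is empty or its first line has no second field
# @raise [SystemExit] exits with status 1 when the file does not exist
def find_ssh_aths(filename, repo_root: File.expand_path(File.dirname(__FILE__)))
  aths_file = File.join(repo_root, "install_files", "ansible-base", filename)
  unless FileTest.file?(aths_file)
    # Interpolate the name that was asked for (the old message printed a
    # literal placeholder instead of the filename).
    puts "Failed to find ATHS file: #{filename}"
    puts "Cannot connect via SSH."
    exit(1)
  end
  # Take second value for URL; format for the ATHS file is:
  # /^HidServAuth \w{16}.onion \w{22} # client: admin$/
  # Only the first line is consulted. The block form closes the handle,
  # which the previous File.open(...).each left open.
  first_line = File.open(aths_file) { |f| f.gets }
  first_line.split[1] if first_line
end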
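# Build proxy command for connecting to prod instances over Tor.
#
# Uses netcat-openbsd's SOCKS support (-x) to tunnel the SSH connection
# through the local Tor SOCKS listener. nc's default proxy protocol is
# SOCKS5, which hands the .onion hostname (%h) to Tor for resolution
# rather than resolving it locally.
#
# @param socks_proxy [String] host:port of the Tor SOCKS listener
# @return [String] an ssh ProxyCommand template with %h/%p placeholders
# @raise [SystemExit] exits with status 1 when nc is not on PATH
def tor_ssh_proxy_command(socks_proxy: "127.0.0.1:9050")
  # Argument form of system runs `which` without a shell; output is
  # discarded as before. Returns nil when `which` itself is missing, which
  # is treated the same as nc being absent. Replaces the nested `def
  # command?` that was redefined on every call.
  unless system("which", "nc", out: File::NULL, err: File::NULL)
    puts "Failed to build proxy command for SSH over Tor."
    # Message previously read "Install or 'netcat-openbsd'." (dangling "or").
    puts "Install 'netcat-openbsd'."
    exit(1)
  end
  "nc -x #{socks_proxy} %h %p"
end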
# Create a unique name for the VirtualBox internal network,
# based on the directory name of the repo. This is to avoid
# accidental IP collisions when running multiple instances
# of the staging or prod environment concurrently.
#
# @return [String] basename of the directory holding this Vagrantfile
def internal_network_name
  File.basename(File.expand_path(File.dirname(__FILE__)))
end