PKI to tmpfs (#1496)

* PKI to tmpfs

* Fixes
- diskutil to full path
- unmount and eject fixes

* Umount fix

* run diskutil info only on Darwin kernels

* fix shell tasks

Author: jackivanov

config.cfg

@@ -11,6 +11,10 @@ users:
 
 ### Advanced users only below this line ###
 
+# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
+# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
+pki_in_tmpfs: true
+
 # If True re-init all existing certificates. Boolean
 keys_clean_all: False
 

docs/cloud-do.md

@@ -87,7 +87,7 @@ ansible-playbook main.yml -e "provider=digitalocean
                                 dns_adblocking=false
                                 ssh_tunneling=false
                                 windows=false
-                                store_cakey=true
+                                store_pki=true
                                 region=nyc3
                                 do_token=token"
 ```

docs/deploy-from-ansible.md

@@ -18,7 +18,7 @@ ansible-playbook main.yml -e "provider=digitalocean
                                 dns_adblocking=true
                                 ssh_tunneling=true
                                 windows=false
-                                store_cakey=true
+                                store_pki=true
                                 region=ams3
                                 do_token=token"
 ```

docs/deploy-from-script-or-cloud-init-to-localhost.md

@@ -19,7 +19,7 @@ The command will prepare the environment and install AlgoVPN with the default pa
 `ONDEMAND_WIFI` - "Connect On Demand" when connected to Wi-Fi. Default: false.
 `ONDEMAND_WIFI_EXCLUDE` - List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand". Comma-separated list.
 `WINDOWS` - To support Windows 10 or Linux Desktop clients. Default: false.
-`STORE_CAKEY` - To retain the CA key. (required to add users in the future, but less secure). Default: false.
+`STORE_PKI` - To retain the PKI. (required to add users in the future, but less secure). Default: false.
 `DNS_ADBLOCKING` - To install an ad blocking DNS resolver. Default: false.
 `SSH_TUNNELING` -  Enable SSH tunneling for each user. Default: false.
 `ENDPOINT` - The public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate). It will be gathered automatically for DigitalOcean, AWS, GCE, Azure or Vultr if the `METHOD` is cloud. Otherwise you need to define this variable according to your public IP address.  

input.yml

@@ -10,7 +10,7 @@
       dns_adblocking: false
       ssh_tunneling: false
       windows: false
-      store_cakey: false
+      store_pki: false
     providers_map:
       - { name: DigitalOcean, alias: digitalocean }
       - { name: Amazon Lightsail, alias: lightsail }
@@ -87,13 +87,13 @@
           register: _windows
           when: windows is undefined
 
-        - name: Retain the CA key prompt
+        - name: Retain the PKI prompt
           pause:
             prompt: |
-              Do you want to retain the CA key? (required to add users in the future, but less secure)
+              Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
               [y/N]
-          register: _store_cakey
-          when: store_cakey is undefined
+          register: _store_pki
+          when: store_pki is undefined
         when: ipsec_enabled
 
       - name: DNS adblocking prompt
@@ -145,9 +145,9 @@
             {% if windows is defined %}{{ windows | bool }}
             {%- elif _windows.user_input is defined %}{{ booleans_map[_windows.user_input] | default(defaults['windows']) }}
             {%- else %}false{% endif %}
-          algo_store_cakey: >-
-            {% if ipsec_enabled %}{%- if store_cakey is defined %}{{ store_cakey | bool }}
-            {%- elif _store_cakey.user_input is defined  %}{{ booleans_map[_store_cakey.user_input] | default(defaults['store_cakey']) }}
+          algo_store_pki: >-
+            {% if ipsec_enabled %}{%- if store_pki is defined %}{{ store_pki | bool }}
+            {%- elif _store_pki.user_input is defined  %}{{ booleans_map[_store_pki.user_input] | default(defaults['store_pki']) }}
             {%- else %}false{% endif %}{% endif %}
       rescue:
         - include_tasks: playbooks/rescue.yml

install.sh

@@ -7,7 +7,7 @@ ONDEMAND_CELLULAR="${2:-${ONDEMAND_CELLULAR:-false}}"
 ONDEMAND_WIFI="${3:-${ONDEMAND_WIFI:-false}}"
 ONDEMAND_WIFI_EXCLUDE="${4:-${ONDEMAND_WIFI_EXCLUDE:-_null}}"
 WINDOWS="${5:-${WINDOWS:-false}}"
-STORE_CAKEY="${6:-${STORE_CAKEY:-false}}"
+STORE_PKI="${6:-${STORE_PKI:-false}}"
 DNS_ADBLOCKING="${7:-${DNS_ADBLOCKING:-false}}"
 SSH_TUNNELING="${8:-${SSH_TUNNELING:-false}}"
 ENDPOINT="${9:-${ENDPOINT:-localhost}}"
@@ -92,7 +92,7 @@ deployAlgo() {
     -e "ondemand_wifi=${ONDEMAND_WIFI}" \
     -e "ondemand_wifi_exclude=${ONDEMAND_WIFI_EXCLUDE}" \
     -e "windows=${WINDOWS}" \
-    -e "store_cakey=${STORE_CAKEY}" \
+    -e "store_pki=${STORE_PKI}" \
     -e "dns_adblocking=${DNS_ADBLOCKING}" \
     -e "ssh_tunneling=${SSH_TUNNELING}" \
     -e "endpoint=$ENDPOINT" \

playbooks/cloud-post.yml

@@ -18,7 +18,7 @@
     algo_dns_adblocking: "{{ algo_dns_adblocking }}"
     algo_ssh_tunneling: "{{ algo_ssh_tunneling }}"
     algo_windows: "{{ algo_windows }}"
-    algo_store_cakey: "{{ algo_store_cakey }}"
+    algo_store_pki: "{{ algo_store_pki }}"
     IP_subject_alt_name: "{{ IP_subject_alt_name }}"
 
 - name: Additional variables for the server
@@ -37,6 +37,14 @@
     state: present
   when: cloud_instance_ip != "localhost"
 
+- name: Mount tmpfs
+  import_tasks: tmpfs/main.yml
+  when:
+    - pki_in_tmpfs
+    - not algo_store_pki
+    - ansible_system == "Darwin" or
+      ansible_system == "Linux"
+
 - debug:
     var: IP_subject_alt_name
 

playbooks/tmpfs/linux.yml

@@ -0,0 +1,5 @@
+---
+- name: Linux | set OS specific facts
+  set_fact:
+    tmpfs_volume_name: "AlgoVPN-{{ IP_subject_alt_name }}"
+    tmpfs_volume_path: /dev/shm

playbooks/tmpfs/macos.yml

@@ -0,0 +1,12 @@
+---
+- name: MacOS | set OS specific facts
+  set_fact:
+    tmpfs_volume_name: "AlgoVPN-{{ IP_subject_alt_name }}"
+    tmpfs_volume_path: /Volumes
+
+- name: MacOS | mount a ram disk
+  shell: >
+    /usr/sbin/diskutil info "/{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/" ||
+    /usr/sbin/diskutil erasevolume HFS+ "{{ tmpfs_volume_name }}" $(hdiutil attach -nomount ram://64000)
+  args:
+    creates: "/{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}"

playbooks/tmpfs/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Include tasks for MacOS
+  import_tasks: macos.yml
+  when: ansible_system == "Darwin"
+
+- name: Include tasks for Linux
+  import_tasks: linux.yml
+  when: ansible_system == "Linux"
+
+- name: Set config paths as facts
+  set_fact:
+    wireguard_pki_path: "/{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/WireGuard/"
+    ipsec_pki_path: "/{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/IPsec/"
+
+- name: Update config paths
+  add_host:
+    name: "{{ 'localhost' if cloud_instance_ip == 'localhost' else cloud_instance_ip }}"
+    wireguard_pki_path: "{{ wireguard_pki_path }}"
+    ipsec_pki_path: "{{ ipsec_pki_path }}"