StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn

Centralize Streisand configuration/secrets in filesystem. #319

Open pjrobertson opened 8 years ago

pjrobertson commented 8 years ago

If deploying multiple servers or re-deploying an existing server, it is sometimes useful to keep the same config files (to avoid users having to change their connection details). I am going through this today as I want to update one server that is running on Debian (what Streisand previously ran on) to Ubuntu, and on another server where I want to get openconnect availability.

It would be great if it were made easier to replace the config files & certs for each connection method in one easy go. My idea is that all config files would be stored in the home folder on the server, and symlinked from the respective places. e.g.:

/etc/openvpn -> /home/streisand/openvpn
/etc/shadowsocks-libev -> /home/streisand/shadowsocks-libev
/etc/nginx -> /home/streisand/nginx
...etc.

That way, if I wanted to deploy my settings to a brand new server, or to backup all the existing settings of a current server I would just need to copy over that one /home/streisand folder, and everything else would be taken care of.

Edit: I understand a few things like the IP address etc. may need to be changed across files, but a simple 'README' file could be auto-generated (by ansible) which would give simple instructions like:

In order to change your IP address in these config files, run the following command:
`perl -pi -e s/{ansible_ip_address}/NEW_IP_ADDRESS/g` (or whatever)
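
An added example (my own code, not Streisand's; Streisand manages these directories from its Ansible roles) of the move-and-symlink idea above, together with the check a practitioner would want before copying such a store between hosts: the store ends up holding server private keys and possibly the CA key, so its root is made owner-only and any key file that stays group- or world-readable after the move is reported. The `/etc/openvpn`-style paths, file names and modes in `demo()` are constructed.

```python
"""Centralize a service's config directory under one store and symlink it back.

Added example, not Streisand's own code. Paths are parameters so the logic
can be exercised on a constructed tree instead of a real /etc.
"""
import os
import shutil
import stat
from pathlib import Path
from typing import List

PRIVATE_KEY_MARK = b"PRIVATE KEY"


def centralize(live_dir: Path, store_root: Path) -> Path:
    """Turn live_dir (e.g. /etc/openvpn) into a symlink to store_root/<name>.

    Idempotent: rerunning on an already-converted directory is a no-op.
    Refuses to merge into an existing target, so a stale copy in the store
    can never silently replace the live configuration.
    """
    target = store_root / live_dir.name
    if live_dir.is_symlink():
        if live_dir.resolve() == target.resolve():
            return target
        raise FileExistsError(f"{live_dir} already links to {os.readlink(live_dir)}")
    if target.exists():
        raise FileExistsError(f"{target} exists; refusing to merge into it")
    # The store will hold server keys and possibly a CA key; lock its root
    # down before anything is moved in, whatever the umask says.
    store_root.mkdir(parents=True, exist_ok=True)
    os.chmod(store_root, stat.S_IRWXU)
    shutil.move(str(live_dir), str(target))  # a rename keeps file modes intact
    os.symlink(target, live_dir)
    return target


def _is_secret(path: Path) -> bool:
    """Private key by extension, or by PEM marker in the file's first line."""
    if path.suffix == ".key":
        return True
    with path.open("rb") as f:
        return PRIVATE_KEY_MARK in f.readline()


def permissive_secrets(store_root: Path) -> List[str]:
    """Key files under the store that group or others can read.

    Moving /etc/openvpn does not change file modes, so anything that was too
    open before the move is still too open once it sits under /home and is
    about to be copied to other hosts as a backup.
    """
    found = []
    for p in sorted(store_root.rglob("*")):
        if p.is_file() and _is_secret(p) and p.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
            found.append(p.relative_to(store_root).as_posix())
    return found


def demo() -> dict:
    """Exercise both functions on a constructed /etc-like tree in a temp dir."""
    import tempfile
    key = "-----BEGIN PRIVATE KEY-----\nconstructed, not a real key\n-----END PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        live = base / "etc" / "openvpn"
        store = base / "home" / "streisand"
        live.mkdir(parents=True)
        (live / "server.conf").write_text("port 443\nproto tcp\n")
        (live / "server.key").write_text(key)
        os.chmod(live / "server.key", 0o600)
        (live / "ca.key").write_text(key)
        os.chmod(live / "ca.key", 0o644)  # deliberately too open
        target = centralize(live, store)
        second = centralize(live, store)  # no-op on the second run
        try:
            centralize(live, base / "elsewhere")  # already linked into the store
            refused = False
        except FileExistsError:
            refused = True
        return {
            "target": target.relative_to(base).as_posix(),
            "linked": live.is_symlink() and (live / "server.conf").read_text() == "port 443\nproto tcp\n",
            "idempotent": second == target,
            "conflict_refused": refused,
            "store_mode": stat.S_IMODE(store.stat().st_mode),
            "permissive": permissive_secrets(store),
        }
```

One caveat before relying on the symlink in production: a service started under systemd sandboxing such as `ProtectHome=yes` cannot follow a link into `/home`, so check each unit (and any AppArmor profile) before moving its directory, or place the store outside `/home`.
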

nickolasclarke commented 8 years ago

There are a few settings that need to be manually updated to reflect the IP of the instance. In those cases, some more thought will be required. I already do some of this programmatically for a few configurations in a node script I wrote to redeploy on DO, probably not appropriate to add to this project though.

All that said, I would love to see this happen! I redeploy frequently here in China and would love to be able to spin new instances with the latest commits without getting all new creds for everything.

jlund commented 8 years ago

Are there certain services where this type of thing would be more helpful than others?

If I have to do a search-and-replace on an .ovpn file, for instance, and then reinstall it on my phone, what's the advantage of that versus just installing a new .ovpn file? I'm sure that's a bad example though.

I understand the need to rotate IP addresses on a regular basis while in China. I'll be thinking about some ways to help make that easier.

pjrobertson commented 8 years ago

I think you’re referring more to rotating IP addresses? My thoughts are for when you want to upgrade a server/use the same credentials across servers. So for example if I re-installed Streisand on a server and could keep the OpenVPN/Shadowsocks config files/certs all the same, my clients would not need to re-download/install the profiles.

Think for example where you have a server with 20 clients using Shadowsocks. My server is currently running an older version of Streisand and so doesn't have Openconnect on it. I want to install Openconnect (and all the HTML documentation files that go with it from Streisand) by upgrading Streisand, but I don't want my existing 20 clients using Shadowsocks to be affected. It would be great if I could just drop the old config files/Shadowsocks HTML files back in place (in a specific folder).

nickolasclarke commented 8 years ago

@jlund I already do this for Shadowsocks, in a very hamfisted way with a node.js script I use for redeploying new droplets on DO. Currently, when I spin a brand new instance of Streisand with the latest commits, I then immediately make a snapshot. That snapshot becomes the base image I then use to redeploy when a new IP is needed; part of that node script reaches out, grabs the SS config.json from the soon-to-die server, updates the JSON to reflect the new host IP, and then places the new config.json on the new host, updates the DO DNS A record with the new IP and off it goes. Since I am using a domain to point at the droplet, no one is the wiser 30 seconds later once the TTL expires, the record updates, and SS starts pointing at the new IP. I then tear down the old instance.

However, if I want to pull in all the new commits that have come through (say, like last week), I now have to spin a new instance and either update configs by hand to reflect the old values, or distribute new keys, IPs, and passwords to all my devices as well as my friends/family who use the server. To be able to specify a .zip or a directory or something at creation time that contains all the relevant configs from the old host, or better yet, simply a variable that has the host IP for the old host that ansible can then reach out and pull relevant passwords/configs/certs as needed to drop into the new host, would be A+. Large project obviously, and some interesting security implications.

Edit: premature enter
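
An added example (my own code, not Streisand's and not the script described in the comment above) of the address rewrite that both the `perl -pi -e 's/OLD/NEW/g'` idea in the opening post and the config.json update in the comment above depend on. It shows the naive regex beside an escaped, boundary-anchored one, a parsed rewrite for shadowsocks-libev's `config.json` that touches only the `server` field, and a guard that refuses to rewrite inside PEM material. The only real structure assumed is shadowsocks-libev's `server` key and OpenVPN's inline `<ca>`/`<cert>`/`<key>` blocks in `.ovpn` profiles; the addresses, file contents and directory layout are constructed, and the "certificate" body deliberately contains `10a0b0c1` so the unescaped pattern `10.0.0.1` matches it.

```python
"""Rewrite the old server address in a copied Streisand config store.

Added example, not Streisand's code. Assumes shadowsocks-libev's "server"
key in config.json and OpenVPN's inline PEM blocks in .ovpn profiles; the
sample data below is constructed.
"""
import ipaddress
import json
import re
from pathlib import Path
from typing import Dict, Tuple

# Constructed sample data. The "certificate" body contains 10a0b0c1, which
# the unescaped pattern 10.0.0.1 matches because each '.' is a wildcard.
OLD, NEW = "10.0.0.1", "203.0.113.7"
PEM = "-----BEGIN CERTIFICATE-----\nMIIB10a0b0c1Zz\n-----END CERTIFICATE-----"
OVPN = f"client\nremote {OLD} 443\nproto tcp\n<ca>\n{PEM}\n</ca>\n"
SS_JSON = ('{"server": "%s", "server_port": 8388, "password": "s3cret", '
           '"method": "chacha20-ietf-poly1305"}' % OLD)

PEM_BLOCK = re.compile(r"-----BEGIN [^-]+-----.*?-----END [^-]+-----", re.S)


def naive_rehost(text: str, old_ip: str, new_ip: str) -> str:
    """What perl -pi -e 's/OLD/NEW/g' does: the dots are regex wildcards."""
    return re.sub(old_ip, new_ip, text)


def ip_pattern(old_ip: str) -> "re.Pattern":
    """Literal, boundary-anchored pattern for one address.

    re.escape keeps the dots literal; the lookarounds stop 10.0.0.1 from
    matching inside 10.0.0.10 or 110.0.0.1.
    """
    ipaddress.ip_address(old_ip)  # reject anything that is not an address
    return re.compile(r"(?<![\w.:])" + re.escape(old_ip) + r"(?![\w.:])")


def rehost_text(text: str, old_ip: str, new_ip: str) -> Tuple[str, int]:
    """Replace old_ip outside PEM blocks; refuse if it occurs inside one."""
    pat = ip_pattern(old_ip)
    for block in PEM_BLOCK.finditer(text):
        if pat.search(block.group(0)):
            raise ValueError("address occurs inside PEM material; not rewriting")
    return pat.subn(new_ip, text)


def rehost_shadowsocks(config_json: str, new_ip: str) -> str:
    """config.json: set only "server", leaving password, method and port alone."""
    cfg = json.loads(config_json)
    cfg["server"] = str(ipaddress.ip_address(new_ip))
    return json.dumps(cfg, indent=4) + "\n"


def rehost_tree(root: Path, old_ip: str, new_ip: str) -> Dict[str, int]:
    """Rewrite a copied store in place; return {relative path: replacements}.

    Raw key/cert files are skipped outright: an address has no business in
    them, and the PEM guard in rehost_text covers profiles that embed them.
    """
    skip = {".key", ".crt", ".pem", ".csr"}
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix in skip:
            report[rel] = 0
            continue
        text = path.read_text()
        if path.name == "config.json":
            new_text, n = rehost_shadowsocks(text, new_ip), 1
        else:
            new_text, n = rehost_text(text, old_ip, new_ip)
        if n:
            path.write_text(new_text)
        report[rel] = n
    return report


def demo() -> Dict[str, int]:
    """Build the constructed store in a temp dir, rehost it, return the report."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "openvpn").mkdir()
        (root / "openvpn" / "client.ovpn").write_text(OVPN)
        (root / "openvpn" / "server.key").write_text(
            "-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
        (root / "shadowsocks-libev").mkdir()
        (root / "shadowsocks-libev" / "config.json").write_text(SS_JSON)
        report = rehost_tree(root, OLD, NEW)
        profile = (root / "openvpn" / "client.ovpn").read_text()
        assert f"remote {NEW} 443" in profile and PEM in profile
        return report
```

Run `rehost_tree(Path("/home/streisand"), OLD, NEW)` on the copied store before it is deployed; a profile reported with 0 replacements, or a `ValueError` from the PEM guard, is worth a manual look rather than a retry with a looser pattern.
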

jlund commented 8 years ago

With the 16.04 upgrade done, I'm starting to think about this again.