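# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# base.yml - host baseline for a managed box: PATH facts, the unprivileged
# BOX_USER_NAME account and its groups, the /usr/local layout and python
# site dirs, locale/sudo/initctl bits, and the timezone.
#
# Conventions used in this file:
#   * booleans are written true/false (never yes/no);
#   * file modes are quoted strings ("0644") so YAML 1.1 and 1.2 parsers and
#     Ansible all agree on the octal value;
#   * a shell task registered with `failed_when: false` is never `failed`,
#     so its outcome is tested via `.rc`, not `is success` / `is failed`.

- name: "DEBUG: base base.yml ansible_distribution ansible_virtualization_role"
  debug:
    verbosity: 1
    msg: "DEBUG: Including base base.yml {{ansible_distribution }} {{ ansible_virtualization_role|replace('NA', 'host') }}"

- block:
    # now unused?
    - name: "set PATH env_env"
      set_fact:
        # all of these should now get replaced by env_env
        env_env:
          # PATH: "{{ PATH }}"
          PYTHONPATH: ""
          TERM: linux
        shell_env:
          # FixMe: CLARIFY - is this ONLY the controller path when -c local?
          # was PATH: "{{ ansible_env.PATH +':' +VAR_LOCAL +'/bin'|replace('.:', '')}}"
          # PATH: "{{ PATH }}"
          PYTHONPATH: ""
          TERM: linux

    - name: "set PATH shell_env local"
      set_fact:
        shell_env:
          # FixMe: CLARIFY - is this ONLY the controller path when -c local?
          PATH: "{{ ansible_env.PATH +':' +VAR_LOCAL +'/bin'|replace('.:', '')}}"
          PYTHONPATH: ""
          TERM: linux
      when:
        - ansible_connection in ['local']

    - name: "set PATH shell_env not local"
      set_fact:
        shell_env:
          # PATH: "{{ PATH }}"
          PYTHONPATH: ""
          TERM: linux
      when:
        - ansible_connection not in ['local']

    # FixMe: CLARIFY - is this ONLY the controller path when -c local?
    # lynis flags "." on PATH (relative lookup lets a cwd-planted binary shadow
    # a command). base_clean_path.bash presumably removes it; only the result
    # is echoed into env_PATH, nothing is exported to later tasks here.
    - name: lynis objects to . on the PATH and I cant find whos adding it
      shell: |
        # clean path checks for /var/local/bin
        export PYTHONPATH=
        [ -f {{USR_LOCAL}}/bin/base_clean_path.bash ] && \
          bash {{USR_LOCAL}}/bin/base_clean_path.bash || echo $PATH
      register: env_PATH

    - name: base /usr/local/src/usr_local_src.bash
      copy:
        src: "{{USR_LOCAL}}/src/usr_local_src.bash"
        dest: "{{USR_LOCAL}}/src/usr_local_src.bash"
        mode: "0755"
      when:
        - ansible_virtualization_role|replace('NA', 'host') != 'host'

    - block:
        - name: /usr/local/bin/base_check_site_py.bash {{BASE_PYTHON3_MINOR}}
          shell: |
            [ -e {{USR_LOCAL}}/bin/base_check_site_py.bash ] || exit 0
            export PYTHONPATH=''
            {{USR_LOCAL}}/bin/base_check_site_py.bash {{BASE_PYTHON3_MINOR}} || exit 3$?
          when:
            - "BASE_PYTHON3_MINOR != ''"

        - name: base /usr/local/bin/base_check_site_py.bash {{BASE_PYTHON2_MINOR}}
          shell: |
            [ -e {{USR_LOCAL}}/bin/base_check_site_py.bash ] || exit 0
            export PYTHONPATH=''
            {{USR_LOCAL}}/bin/base_check_site_py.bash {{BASE_PYTHON2_MINOR}} || exit 2$?
          when:
            - "BASE_PYTHON2_MINOR != ''"
      # weird error - fails under ansible but not at the command line
      rescue:
        - debug:
            msg: "ERROR: RESCUE WTF {{USR_LOCAL}}/bin/base_check_site_py.bash"
      check_mode: false
      tags:
        - always

- block:
    - name: get ipv6.disable=1 cmdline
      shell: |
        grep ipv6.disable=1 /proc/cmdline
      register: base_ipv6_disable_line
      failed_when: false
      check_mode: false

    # `failed_when: false` means the registered result is never `failed`, so
    # `is failed` / `is success` would always pick 1. grep's rc is the real
    # signal: 0 = pattern found on the kernel command line.
    - set_fact:
        BASE_IPV6_DISABLE: 0
      when: base_ipv6_disable_line.rc != 0

    - set_fact:
        BASE_IPV6_DISABLE: 1
      when: base_ipv6_disable_line.rc == 0
  when: "BOX_IPV6_DISABLE != ''"

- name: /etc/nsswitch.conf
  lineinfile:
    dest: /etc/nsswitch.conf
    regexp: "^{{item.name}}:.*"
    line: "{{item.name}}: {{item.val}}"
    state: present
  with_items:
    - { name: passwd, val: "compat files" }
    - { name: group, val: "compat files" }

# oddball from Emacs doing a DNS lookup of hostname - force it to localhost
- name: "/etc/hosts"
  shell: |
    umask 022
    [ ! -f /etc/hosts ] && echo "127.0.0.1 localhost {{BOX_HOST_NAME}}" >> /etc/hosts && exit 0
    grep -q "^127.0.0.1.* {{BOX_HOST_NAME}}" /etc/hosts && exit 0
    sed -e 's/\(127.0.0.1.* localhost\)/\1 {{BOX_HOST_NAME}}/' -i /etc/hosts
    exit 0
  when: BOX_HOST_NAME|default('') != ''

# Ansible's remote temp dir. 1777 (sticky, world-writable) mirrors /tmp itself;
# keep it under /tmp only, never a path other services trust.
- name: dunno where
  shell: |
    [ -d /tmp/.ansible/tmp ] || mkdir -p /tmp/.ansible/tmp
    chmod 1777 /tmp/.ansible/tmp

- block:
    - debug:
        msg: "WARN: user BOX_USER_NAME={{ BOX_USER_NAME }} cannot be root - must be unprived"
      when:
        - BOX_USER_NAME|default('') == 'root'

    - name: setting BOX_USER_NAME to vagrant
      set_fact:
        # this should be set on the command line - vagrant
        BOX_USER_NAME: "vagrant"
        # this should be set on the command line - /home/vagrant
        BOX_USER_HOME: "/home/vagrant"
        BOX_USER_GROUP: "vagrant"
        # adm group 4 is the same on Gentoo and Ubuntu -
        # group 4 on Gentoo and Ubuntu is a convenience to be my group and the NTFS group
        BOX_ALSO_GROUP: "adm"
      when: BOX_USER_NAME|default('') == '' or BOX_USER_NAME|default('') == 'root'

    - assert:
        that:
          - BOX_USER_NAME|default('') != 'root'
        fail_msg: "ERROR: user BOX_USER_NAME={{ BOX_USER_NAME }} cannot be root - must be unprived"

    - name: msg BOX_USER_HOME
      debug:
        msg: "BOX_USER_HOME {{ BOX_USER_HOME|default('') }}"

    # `that:` entries are already Jinja expressions; wrapping them in {{ }}
    # only triggers the "templating delimiters in conditional" warning.
    - name: assert BOX_USER_HOME is not null
      assert:
        that:
          - BOX_USER_HOME|default('') != ''

- block:
    - name: "create adm group - optional"
      group:
        name: "{{ BOX_ALSO_GROUP }}"
        system: true
      when: "BOX_ALSO_GROUP != ''"

    - name: "create vagrant group"
      group:
        name: "{{ BOX_USER_GROUP }}"

    # "ensure an non-priv account like vagrant exists"
    # FixMe: useradd: Can't get unique subordinate UID range
    #        useradd: can't create subordinate user IDs
    - name: "add vagrant user"
      user:
        name: "{{ BOX_USER_NAME }}"
        group: "{{ BOX_USER_GROUP }}"
        append: true
        groups: ["{{ BOX_ALSO_GROUP }}"]
        home: "{{ BOX_USER_HOME }}"
        create_home: true
        shell: /bin/bash
      #? usermod: user vagrant is currently used by process 2190
      ignore_errors: true

    - name: "make vagrant HOME directory"
      file:
        path: "{{BOX_USER_HOME}}"
        state: directory
        mode: "0700"
        owner: "{{ BOX_USER_NAME }}"
        group: "{{ BOX_USER_GROUP }}"
      when: BOX_USER_NAME|default('') != ''
      check_mode: false

- block:
    # Anchor on "name:" so that e.g. BOX_USER_NAME=vagrant cannot match a
    # "vagrant2" entry and hand us the wrong home dir / gid below.
    - name: get passwd line
      shell: |
        [ -f /etc/passwd ] || exit 0
        grep "^{{BOX_USER_NAME}}:" /etc/passwd
      register: base_boxuser_passwd_line
      failed_when: false
      check_mode: false

    - block:
        # With `failed_when: false` the task above is never `failed`, so
        # `is success` would hold even when grep found nothing; use its rc.
        - assert:
            that:
              - base_boxuser_passwd_line.rc == 0
            fail_msg: "ERROR: user BOX_USER_NAME={{ BOX_USER_NAME }} not found in /etc/passwd"

        # ansible will null this if you run user: without a home:
        - assert:
            that:
              - base_boxuser_passwd_line.stdout.split(':')[5] != ''
            fail_msg: "ERROR: BOX_USER_HOME is empty in /etc/passwd for BOX_USER_NAME={{ BOX_USER_NAME }}"

        - name: BOX_USER_HOME
          set_fact:
            BOX_USER_HOME: "{{ base_boxuser_passwd_line['stdout'].split(':')[5] }}"
          when: BOX_USER_HOME|default('') == ''

        - name: msg BOX_USER_HOME
          debug:
            msg: "BOX_USER_HOME {{ BOX_USER_HOME|default('') }}"

        - name: BOX_USER_GROUP
          set_fact:
            BOX_USER_GROUP: "{{ base_boxuser_passwd_line['stdout'].split(':')[3]|int }}"
          when: BOX_USER_GROUP|default('') == ''
      check_mode: false
  when:
    - BOX_USER_NAME|default('') != ''
    - ansible_distribution != 'Msys'

- block:
    # Disabled (when: false). Kept for reference; note `grep -q` prints
    # nothing, so $a would always be empty here anyway.
    - name: "are we connected? - old ip route default"
      # FixMe: maybe change this to nmap - sometimes ICMP is blocked and its blocked by firewall.conf
      # nmap -Pn -sU -p U:53 208.67.220.220 ' 0 hosts up'
      # ping -n -c 1 -I "$wlan" 8.8.8.8 >/dev/null - wont work in a vbox or behind a firewall
      shell: |
        a=`route | grep -q ^default` || exit 1
        [ -z "$a" ] && exit 2
        wlan=`echo $a | sed -e 's@.* @@'` && \
          ifconfig "$wlan" | grep -q UP && echo $wlan
      register: wlan_up
      failed_when: false
      when: false

    # Echoes the default-route interface name when it is UP, else nothing.
    - name: "are we connected? - base_get_if.bash"
      shell: |
        ip route | grep -q ^default || exit 1$?
        wlan=`{{USR_LOCAL}}/bin/base_get_if.bash` || exit 3
        if [ -n "$wlan" ] ; then
          ifconfig "$wlan" | grep -q UP && echo $wlan || true
        else
          a=`route | grep ^default` && \
            [ -n "$a" ] && \
            wlan=`echo $a | sed -e 's@.* @@'` && \
            [ -n "$wlan" ] && \
            ifconfig "$wlan" | grep -q UP && \
            echo $wlan
        fi
      register: wlan_up
      failed_when: false
      when: true

    - name: "are we connected? - new wifi"
      shell: |
        ip route | grep -q ^default || exit 1$?
        {{USR_LOCAL}}/bin/proxy_ping_test.bash wifi || exit 2$?
        wlan=`{{USR_LOCAL}}/bin/base_get_if.bash`
        echo $wlan
      register: wlan_up_no
      failed_when: false
      when: false

    - name: debug wlan_up
      debug:
        var: wlan_up

    # `wlan_up is success` is always true (failed_when: false above); the
    # following task resets BASE_ARE_CONNECTED when rc != 0 or stdout is empty.
    - name: "we are connected device wlan_up.stdout"
      set_fact:
        BASE_ARE_CONNECTED: "{{ wlan_up.stdout }}"
      when:
        - wlan_up is success
        #? - wlan_up.stdout|default("") != ""

    - name: "we are connected device - unconnected n"
      set_fact:
        BASE_ARE_CONNECTED: ""
      when:
        - wlan_up.rc|default(1) != 0 or wlan_up.stdout|default('') == ''
  check_mode: false
  when:
    - BOX_OS_FAMILY != 'Windows'

- block:
    - name: "we are connected device - WGate106"
      set_fact:
        BASE_ARE_CONNECTED: ""
      when:
        - BOX_OS_FLAVOR|default('') == 'WGate106' or BOX_OS_FAMILY == 'Windows'

    - debug:
        verbosity: 1
        msg: "DEBUG: BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"

    - name: set the default route device if we are connected
      set_fact:
        BASE_OUTPUT_IF: "{{BASE_ARE_CONNECTED}}"
      when:
        - "BASE_ARE_CONNECTED != ''"
        - ansible_distribution != 'Msys'

    - name: set the default route device if we are not connected
      set_fact:
        BASE_OUTPUT_IF: "{{BASE_DEFAULT_OUTPUT_IF}}"
      when:
        - "BASE_ARE_CONNECTED == ''"
        - ansible_distribution != 'Msys'

- block:
    # Group-writable so members of BOX_ALSO_GROUP can install into /usr/local.
    - name: "make /usr/local"
      file:
        path: "{{BASE_USR_LOCAL}}/{{item}}"
        state: directory
        mode: "0775"
        group: "{{ BOX_ALSO_GROUP }}"
      with_items:
        - bin
        - data
        - etc/testforge
        - etc/ssl
        - "{{LIB}}"
        - lib/ruby
        - lib/sysctl.d
        - net/Http
        - net/Git
        - sbin
        - share/info
        - share/man/man1
        - src
        - var
      check_mode: false

- block:
    # sitecustomize is not getting made on 3.8
    - name: /usr/local/bin/pyver.sh 2
      shell: |
        export BASE_PYTHON2_MINOR={{BASE_PYTHON2_MINOR}}
        export PYVER=2
        {{USR_LOCAL}}/bin/pyver.sh

    # sitecustomize is not getting made on 3.8
    # NOTE(review): pyver.sh for PYVER=3 is also run in the BASE_PYTHON3_MINOR
    # block below, so it executes twice when both minors are set.
    - name: /usr/local/bin/pyver.sh 3
      shell: |
        export BASE_PYTHON3_MINOR={{BASE_PYTHON3_MINOR}}
        export PYVER=3
        {{USR_LOCAL}}/bin/pyver.sh

    # only site - not dist on Ubuntu?
    - name: "make lib64/python{{BASE_PYTHON2_MINOR}}/site-packages/__init__.py"
      shell: |
        umask 0002
        [ -e "{{BASE_USR_LOCAL}}/{{item}}" ] && exit 0
        touch "{{BASE_USR_LOCAL}}/{{item}}"
        [ "{{ansible_distribution}}" != 'Msys' ] || \
          chown "{{ BOX_USER_NAME }}":"{{ BOX_ALSO_GROUP }}" "{{BASE_USR_LOCAL}}/{{item}}"
      with_items:
        - "{{LIB}}/python{{BASE_PYTHON2_MINOR}}/site-packages/__init__.py"

    - name: "set_fact BASE_PYVENV2_ARGS"
      set_fact:
        BASE_PYVENV2_ARGS: "{{ BASE_PYVENV_ARGS }} -p {{BASE_USR_LOCAL}}/bin/python2.sh --extra-search-dir={{USR_LOCAL}}/{{LIB}}/python{{BASE_PYTHON2_MINOR}}/site-packages"
  when:
    - "BASE_PYTHON2_MINOR != ''"

- block:
    - name: "set_fact BASE_PYVENV3_ARGS"
      set_fact:
        BASE_PYVENV3_ARGS: "{{ BASE_PYVENV_ARGS }} -p {{BASE_USR_LOCAL}}/bin/python3.sh --extra-search-dir={{USR_LOCAL}}/{{LIB}}/python{{BASE_PYTHON3_MINOR}}/site-packages"

    # sitecustomize is not getting made on 3.8
    - name: /usr/local/bin/pyver.sh
      shell: |
        export BASE_PYTHON3_MINOR={{BASE_PYTHON3_MINOR}}
        export PYVER=3
        {{USR_LOCAL}}/bin/pyver.sh

    # only site - not dist on Ubuntu?
    # (task name corrected: this item is the python3 site-packages dir)
    - name: "make lib64/python{{BASE_PYTHON3_MINOR}}/site-packages/__init__.py"
      shell: |
        umask 0002
        [ -e "{{BASE_USR_LOCAL}}/{{item}}" ] && exit 0
        touch "{{BASE_USR_LOCAL}}/{{item}}"
        [ "{{ansible_distribution}}" != 'Msys' ] || \
          chown "{{ BOX_USER_NAME }}":"{{ BOX_ALSO_GROUP }}" "{{BASE_USR_LOCAL}}/{{item}}"
      with_items:
        - "{{LIB}}/python{{BASE_PYTHON3_MINOR}}/site-packages/__init__.py"
  when:
    - "BASE_PYTHON3_MINOR != ''"

- block:
    - name: "make root log directory"
      file:
        path: "{{BASE_ROOT_LOG_DIR}}"
        state: directory
        mode: "0775"
        owner: "root"
        group: "{{ BOX_ALSO_GROUP }}"

    # NOTE(review): 0755 sets the execute bit on a plain config file; 0644 is
    # the usual mode for /etc/locale.gen - confirm before changing.
    - name: "/etc/locale.gen"
      lineinfile:
        dest: "/etc/locale.gen"
        mode: "0755"
        owner: root
        group: root
        create: true
        regexp: "^#* *{{item}}"
        line: "{{item}}"
        insertafter: EOF
      with_items: "{{env_locales}}"
      notify: update locales

    # Passwordless sudo for the whole base_sudo_group. Only applied when
    # 'insecure_sudo' is explicitly listed in BASE_FEATURES. A malformed
    # /etc/sudoers locks everyone out of sudo, so the write is validated with
    # visudo first (the option requires the %s placeholder, not the path).
    - name: "Let vagrant su without a password /etc/sudoers"
      blockinfile:
        dest: /etc/sudoers
        create: true
        mode: "0440"
        marker: "# {mark} ANSIBLE MANAGED BLOCK base"
        insertafter: "## Same thing without a password"
        block: |
          %{{ base_sudo_group }} ALL=(ALL) NOPASSWD: ALL
        validate: /usr/sbin/visudo -cf %s
      when:
        - "base_sudo_group != ''"
        - "'insecure_sudo' in BASE_FEATURES"

    - name: "Let vagrant su without a password /etc/group"
      user:
        name: "{{ BOX_USER_NAME }}"
        group: "{{ BOX_USER_GROUP }}"
        shell: /bin/bash
        groups:
          - "{{ base_sudo_group}}"
        append: true
      when:
        - "base_sudo_group != ''"
        - "'insecure_sudo' in BASE_FEATURES"
      #? msg: module (user) is missing interpreter line
      ignore_errors: true

    # NOTE(review): 0770 makes this init-time script group-writable; anyone in
    # the owning group can edit what runs at boot - confirm that is intended.
    - name: "/usr/local/etc/local.d/Whonix-Lati.rc"
      lineinfile:
        dest: "{{USR_LOCAL}}/etc/local.d/Whonix-Lati.rc"
        create: true
        mode: "0770"
        insertafter: BOF
        regexp: "^#.*mode:"
        line: "# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-"

    # Provide /dev/initctl on non-systemd boxes: link it to /run/initctl when
    # that exists, otherwise create the FIFO if it is still missing. (The
    # previous second line, `[ ! -e /dev/initctl ] || mknod -m=0600 ...`, only
    # ran mknod when the node already existed, and `-m=0600` is not the
    # `-m 0600` form mknod expects.)
    - name: "/usr/local/etc/local.d/Whonix-Lati.rc"
      blockinfile:
        dest: "{{USR_LOCAL}}/etc/local.d/Whonix-Lati.rc"
        create: true
        mode: "0770"
        marker: "# {mark} ANSIBLE MANAGED BLOCK base initctl"
        insertafter: EOF
        block: |
          [ ! -e /dev/initctl -a -e /run/initctl ] && ln -s /run/initctl /dev/initctl && exit 0
          [ -e /dev/initctl ] || mknod -m 0600 /dev/initctl p
      when:
        - BOX_SERVICE_MGR != "systemd"

    # Disabled (when: false). Kept for reference.
    - name: "make /usr/local/lib linkx"
      shell: |
        dest="{{BASE_USR_LOCAL}}/{{BASE_LIB}}"
        [ {{BASE_LIB}} = 'lib' ] && src="{{BASE_USR_LOCAL}}/lib64" || src="{{BASE_USR_LOCAL}}/lib"
        [ -d $src ] || mkdir $src
        [ -d $dest ] || mkdir $dest
        cd $src || exit 1
        [ -e "python{{ BASE_PYTHON2_MINOR }}" ] || ln -s "../{{LIB}}/python{{ BASE_PYTHON2_MINOR }}" .
        [ -e "python{{ BASE_PYTHON3_MINOR }}" ] || ln -s "../{{LIB}}/python{{ BASE_PYTHON3_MINOR }}" .
        # our model is that user and group adm can pip install into {{USR_LOCAL}}
        # failsafe but often required and not covered elsewhere
        chown -R "{{ BOX_USER_NAME }}":"{{ BOX_ALSO_GROUP }}" $src/python* $dest/python*
        chmod -R g+rw $src/python* $dest/python*
      ignore_errors: true
      when: false

    # Create /dev/loop0..16 (block major 7) if the kernel/udev did not.
    - name: "make /dev/loop"
      shell: |
        # CONFIG_BLK_DEV_LOOP
        i=-1
        while [ $i -lt 16 ] ; do
          i=$( expr $i + 1 )
          [ -e /dev/loop$i ] && continue
          mknod /dev/loop$i b 7 $i
          chown root:disk /dev/loop$i
          chmod 660 /dev/loop$i
        done
        exit 0

    # Sticky world-writable scratch dirs, same semantics as /tmp.
    - name: "make /usr/local/var 1777 dirs"
      file:
        path: "{{BASE_USR_LOCAL}}/{{item}}"
        state: directory
        mode: "01777"
        owner: "{{ BOX_USER_NAME }}"
        group: "{{ BOX_ALSO_GROUP }}"
      with_items:
        - var/cache
        - var/log
        - var/tmp
        - tmp
      check_mode: false

    # FixMe: change this to a user.yml; this should be run as vagrant and per system_user
    - name: "/usr/local/src/usr_local_base.sh"
      shell: |
        umask 0002
        {{BASE_USR_LOCAL}}/src/usr_local_base.bash
      args:
        chdir: "{{BASE_USR_LOCAL}}/src"
      become: true
      become_user: "{{ BOX_USER_NAME }}"
      # FixMe:
      ignore_errors: true
      when:
        - not ansible_check_mode

    - name: "base base {{ansible_distribution}}"
      # roles/base/tasks/
      include_tasks: base_{{ansible_distribution}}.yml

    # Create each configured mountpoint unless it is already mounted or exists.
    - name: "make mountpoint dirs"
      shell: |
        umask 0022
        for elt in {{BOX_HOST_CONTAINER_MOUNTS|join(' ')}} ; do
          df | grep -q " $elt$" && continue
          [ -d $elt/tmp ] && continue
          [ -d $elt ] && continue
          mkdir $elt
        done
        exit 0
      when: "BOX_HOST_CONTAINER_MOUNTS|default([])|length > 0"

    # this should be run as root? no?
    # `creates` takes a single path string; a one-element list never matched,
    # so the script was re-run on every play.
    - name: "/usr/local/src/usr_local_python.bash"
      shell: |
        umask 0002
        {{BASE_USR_LOCAL}}/src/usr_local_python.bash
      args:
        chdir: "{{BASE_USR_LOCAL}}/src"
        creates: "{{BASE_USR_LOCAL}}/bin/python3.sh"
      become: true
      become_user: "{{ BOX_USER_NAME }}"
      # FixMe
      ignore_errors: true

    # FixMe: pip doesnt buy this
    - name: "make /usr/local/net/Cache/Pip"
      file:
        path: "{{BASE_USR_LOCAL}}/{{item}}"
        state: directory
        # pip doesnt buy this - 01777
        mode: "0775"
        owner: "{{ BOX_USER_NAME }}"
        group: "{{ BOX_ALSO_GROUP }}"
      with_items:
        - net/Cache/Pip
      # could be a symlink
      ignore_errors: true

    # Private key dirs are 0700; bin/script dirs 0755.
    - name: "make home dirs"
      file:
        path: "{{ item.dest }}"
        owner: "{{ item.owner }}"
        group: "{{ item.group }}"
        state: directory
        mode: "{{ item.mode }}"
      with_items:
        - { dest: "{{BOX_USER_HOME}}/etc/ssl/keys", owner: "{{ BOX_USER_NAME }}", group: "{{ BOX_ALSO_GROUP }}", mode: "0700" }
        - { dest: "/root/etc/ssl/keys", owner: "root", group: "root", mode: "0700" }
        - { dest: "{{BOX_USER_HOME}}/bin", owner: "{{ BOX_USER_NAME }}", group: "{{ BOX_ALSO_GROUP }}", mode: "0755" }
        - { dest: "{{BASE_SCRIPT_DIR}}", owner: "root", group: "root", mode: "0755" }

    - name: "/etc/wgetrc - needs coordinating with BASE_WGET_ARGS"
      blockinfile:
        dest: /etc/wgetrc
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK base"
        block: |
          timestamping = on
          tries = 2

    # man wget: Using --ca-directory is more efficient than --ca-certificate with many certificates
    #? Should we --ca-certificate={{PLAY_CA_CERT}} instead of default --ca-directory=/etc/ssl/certs/
    # link it as a backup but it may get removed
    # figure out how to extend apt and ansible's cert paths
    # 'Failed to validate the SSL certificate for sourceforge.net443. Make sure
    # your managed systems have a valid CA certificate installed. You can use
    # validate_certs=False if you do not need to confirm the servers identity
    # but this is unsafe and not recommended. Paths checked for this platform
    # /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs,
    # /usr/share/ca-certificates/cacert.org, /etc/ansible.
    # (Prefer installing the CA into the trust store over validate_certs=False.)
    - name: "make SSL_CERT_FILE link"
      file:
        src: "{{ SSL_CERT_FILE }}"
        dest: "/etc/ssl/certs/cacert-testserver.pem"
        state: link
        force: false
      when: false

    # https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/GnuPG
    # keys.indymedia.org HKP (11371), HTTPS (443), HKPS (443), HTTP (80)
    # qtt2yl5jocgrk7nu.onion 2eghzlv2wwcq7u7y.onion HTTPS (443), HTTP (80), HKP (11371)
    # HKP (11371), HTTP (80)
    # {{ groups['x']|map('extract', hostvars, 'ec2_ip_address')|list }}
    # A frequently used idiom is walking a group to find all IP addresses in that group:
    # {% for host in groups['app_servers'] %}
    #   {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }}
    # {% endfor %}

    # old base
    - name: "/etc/localtime"
      shell: |
        BASE_timezone="{{ BASE_TIMEZONE|default('Etc/UTC') }}"
        [ -f "/usr/share/zoneinfo/$BASE_timezone" ] || exit 0
        [ -e /etc/localtime ] && exit 0
        ln -s /usr/share/zoneinfo/$BASE_timezone /etc/localtime
      ignore_errors: true

    - name: "/etc/BASE_timezone"
      copy:
        content: "{{ BASE_TIMEZONE|default('Etc/UTC') }}\n"
        dest: "/etc/timezone"

    - name: "setup hwclock"
      template:
        src: "hwclock.j2"
        dest: "/etc/{{ETC_CONF_D}}/hwclock"
        owner: "{{BASE_ROOT_USER}}"
        mode: "0644"
        force: false
      # unfinished
      when: false
  when:
    - ansible_distribution != 'Msys'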