
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# Trace which distribution / virtualization role this include is running under
# (shown only at -v or higher); "NA" from ansible_virtualization_role reads as "host".
- name: "DEBUG: base base.yml ansible_distribution ansible_virtualization_role"
  debug:
    msg: "DEBUG: Including base base.yml {{ansible_distribution }} {{ ansible_virtualization_role|replace('NA', 'host') }}"
    verbosity: 1
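# Per-host environment facts (env_env / shell_env) and the /usr/local bootstrap that the
# rest of the role relies on.
# NOTE(review): the source indentation was lost; check_mode/tags are attached to this
# outer block because the env facts are needed by every tagged run - confirm.
- block:
    # now unused?
    - name: "set PATH env_env"
      set_fact:
        # all of these should now get replaced by env_env
        env_env:
          # PATH: "{{ PATH }}"
          PYTHONPATH: ""
          TERM: linux
        shell_env:
          # FixMe: CLARIFY - is this ONLY controller path when -c local?
          # was PATH: "{{ ansible_env.PATH +':' +VAR_LOCAL +'/bin'|replace('.:', '')}}"
          # PATH: "{{ PATH }}"
          PYTHONPATH: ""
          TERM: linux

    - name: "set PATH shell_env local"
      set_fact:
        shell_env:
          # FixMe: CLARIFY - is this ONLY controller path when -c local?
          # Jinja filters bind tighter than '+': without the parentheses replace() only
          # touched the literal '/bin' and the '.:' entry survived in PATH (the lynis
          # complaint in the task below).
          PATH: "{{ (ansible_env.PATH + ':' + VAR_LOCAL + '/bin')|replace('.:', '') }}"
          PYTHONPATH: ""
          TERM: linux
      when:
        - ansible_connection in ['local']

    - name: "set PATH shell_env not local"
      set_fact:
        shell_env:
          # PATH: "{{ PATH }}"
          PYTHONPATH: ""
          TERM: linux
      when:
        - ansible_connection not in ['local']

    # FixMe: CLARIFY - is this ONLY controller path when -c local?
    - name: lynis objects to . on the PATH and I cant find whos adding it
      shell: |
        # clean path checks for /var/local/bin
        export PYTHONPATH=
        [ -f {{USR_LOCAL}}/bin/base_clean_path.bash ] && \
          bash {{USR_LOCAL}}/bin/base_clean_path.bash || echo $PATH
      register: env_PATH

    - name: base /usr/local/src/usr_local_src.bash
      copy:
        src: /usr/local/src/usr_local_src.bash
        dest: /usr/local/src/usr_local_src.bash
        mode: '0755'

    # Sanity-check the site-packages layout for each configured interpreter;
    # a non-zero exit is prefixed with the major version (3xx / 2xx) so the rescue
    # message can be traced back.
    - block:
        - name: "/usr/local/bin/base_check_site_py.bash {{BASE_PYTHON3_MINOR}}"
          shell: |
            [ -e /usr/local/bin/base_check_site_py.bash ] || exit 0
            export PYTHONPATH=''
            /usr/local/bin/base_check_site_py.bash {{BASE_PYTHON3_MINOR}} || exit 3$?
          when:
            - "BASE_PYTHON3_MINOR != ''"

        - name: "base /usr/local/bin/base_check_site_py.bash {{BASE_PYTHON2_MINOR}}"
          shell: |
            [ -e /usr/local/bin/base_check_site_py.bash ] || exit 0
            export PYTHONPATH=''
            /usr/local/bin/base_check_site_py.bash {{BASE_PYTHON2_MINOR}} || exit 2$?
          when:
            - "BASE_PYTHON2_MINOR != ''"
      # weird error - fails under ansible but not at the command line
      rescue:
        - debug:
            msg: "ERROR: WTF /usr/local/bin/base_check_site_py.bash"
  check_mode: false
  tags:
    - always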
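# Detect ipv6.disable=1 on the kernel command line and expose it as BASE_IPV6_DISABLE (0/1).
- block:
    - name: get ipv6.disable=1 cmdline
      shell: |
        grep -q 'ipv6\.disable=1' /proc/cmdline
      register: base_ipv6_disable_line
      failed_when: false
      check_mode: false

    # failed_when: false means the registered result is never "failed", so the
    # `is failed` / `is success` tests cannot distinguish the two cases - use rc.
    - set_fact:
        BASE_IPV6_DISABLE: 0
      when: base_ipv6_disable_line.rc != 0

    - set_fact:
        BASE_IPV6_DISABLE: 1
      when: base_ipv6_disable_line.rc == 0
  when: "BOX_IPV6_DISABLE != ''"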
# Pin the passwd and group lookup order in nsswitch.conf to "compat files".
- name: /etc/nsswitch.conf
  lineinfile:
    dest: /etc/nsswitch.conf
    regexp: "^{{item.name}}:.*"
    line: "{{item.name}}: {{item.val}}"
    state: present
  with_items:
    - name: passwd
      val: "compat files"
    - name: group
      val: "compat files"
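# oddball from Emacs doing a DNS lookup of hostname - force it to localhost
- name: "/etc/hosts"
  shell: |
    umask 022
    [ ! -f /etc/hosts ] && echo "127.0.0.1 localhost {{BOX_HOST_NAME}}" >> /etc/hosts && exit 0
    # anchor the name on both sides: the previous pattern was also satisfied by a
    # longer alias ending in the hostname (e.g. "sandbox" for "box")
    grep -qE "^127\.0\.0\.1.*[[:space:]]{{BOX_HOST_NAME}}([[:space:]]|$)" /etc/hosts && exit 0
    sed -e 's/\(127\.0\.0\.1.* localhost\)/\1 {{BOX_HOST_NAME}}/' -i /etc/hosts
    exit 0
  when: BOX_HOST_NAME|default('') != ''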
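# Sticky, world-writable staging directory (presumably Ansible's remote temp dir for
# the become_user runs further down - confirm). The file module gives the same result
# as mkdir -p + chmod 1777 and is idempotent in check mode.
- name: dunno where
  file:
    path: /tmp/.ansible/tmp
    state: directory
    mode: "1777"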
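# Default the unprivileged account to vagrant when BOX_USER_NAME is unset or root,
# then refuse to continue as root.
- block:
    - debug:
        msg: "WARN: user BOX_USER_NAME={{ BOX_USER_NAME }} cannot be root - must be unprived"
      when:
        - BOX_USER_NAME|default('') == 'root'

    - name: setting BOX_USER_NAME to vagrant
      set_fact:
        # this should be set on the command line - vagrant
        BOX_USER_NAME: "vagrant"
        # this should be set on the command line - /home/vagrant
        BOX_USER_HOME: "/home/vagrant"
        BOX_USER_GROUP: "vagrant"
        # adm group 4 is the same on Gentoo and Ubuntu -
        # group 4 on Gentoo and Ubuntu is a convenience to be my group and the NTFS group
        BOX_ALSO_GROUP: "adm"
      when: BOX_USER_NAME|default('') == '' or BOX_USER_NAME|default('') == 'root'

    - assert:
        that:
          - BOX_USER_NAME|default('') != 'root'
        fail_msg: "ERROR: user BOX_USER_NAME={{ BOX_USER_NAME }} cannot be root - must be unprived"

    - name: msg BOX_USER_HOME
      debug:
        msg: "BOX_USER_HOME {{ BOX_USER_HOME|default('') }}"

    # `that` entries are already Jinja expressions; wrapping them in {{ }} only
    # produces a templated string (and an Ansible warning)
    - name: assert BOX_USER_HOME is not null
      assert:
        that:
          - BOX_USER_HOME|default('') != ''

# Create the group(s) and the unprivileged account itself.
# NOTE(review): source indentation was lost; the trailing when/check_mode are attached
# to this block (the group/user/file tasks) - confirm against the original nesting.
- block:
    - name: "create adm group - optional"
      group:
        name: "{{ BOX_ALSO_GROUP }}"
        system: true
      when: "BOX_ALSO_GROUP != ''"

    - name: "create vagrant group"
      group:
        name: "{{ BOX_USER_GROUP }}"

    # "ensure an non-priv account like vagrant exists"
    # FixMe: useradd: Can't get unique subordinate UID range
    #        useradd: can't create subordinate user IDs
    - name: "add vagrant user"
      user:
        name: "{{ BOX_USER_NAME }}"
        group: "{{ BOX_USER_GROUP }}"
        append: true
        groups: ["{{ BOX_ALSO_GROUP }}"]
        home: "{{ BOX_USER_HOME }}"
        create_home: true
        shell: /bin/bash
      #? usermod: user vagrant is currently used by process 2190
      # failures are masked here; the /etc/passwd assert in the next block catches a
      # missing account
      ignore_errors: true

    - name: "make vagrant HOME directory"
      file:
        path: "{{BOX_USER_HOME}}"
        state: directory
        mode: "0700"
        owner: "{{ BOX_USER_NAME }}"
        group: "{{ BOX_USER_GROUP }}"
  when: BOX_USER_NAME|default('') != ''
  check_mode: false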
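# Read the account back from /etc/passwd and fill BOX_USER_HOME / BOX_USER_GROUP from
# it when they were not supplied.
- block:
    - name: get passwd line
      shell: |
        [ -f /etc/passwd ] || exit 0
        # match the whole login name: a bare ^name prefix also matched e.g. "vagrant2"
        grep "^{{BOX_USER_NAME}}:" /etc/passwd
      register: base_boxuser_passwd_line
      failed_when: false
      check_mode: false

    - block:
        # failed_when: false makes `is success` always true, so check rc and the
        # output (the script exits 0 with empty stdout when /etc/passwd is missing)
        - assert:
            that:
              - base_boxuser_passwd_line.rc == 0
              - base_boxuser_passwd_line.stdout != ''
            fail_msg: "ERROR: user BOX_USER_NAME={{ BOX_USER_NAME }} not found in /etc/passwd"

        # ansible will null this if you run user: without a home:
        # passwd fields: name:x:uid:gid:gecos:home:shell -> [5] is home, [3] is gid
        - assert:
            that:
              - base_boxuser_passwd_line.stdout.split(':')[5] != ''
            fail_msg: "ERROR: BOX_USER_HOME is null in /etc/passwd"

        - name: BOX_USER_HOME
          set_fact:
            BOX_USER_HOME: "{{ base_boxuser_passwd_line['stdout'].split(':')[5] }}"
          when: BOX_USER_HOME|default('') == ''

        - name: msg BOX_USER_HOME
          debug:
            msg: "BOX_USER_HOME {{ BOX_USER_HOME|default('') }}"

        - name: BOX_USER_GROUP
          set_fact:
            BOX_USER_GROUP: "{{ base_boxuser_passwd_line['stdout'].split(':')[3]|int }}"
          when: BOX_USER_GROUP|default('') == ''
      check_mode: false
  when:
    - BOX_USER_NAME|default('') != ''
    - ansible_distribution != 'Msys'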
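# Work out whether the host has a default route with an interface that is UP and
# record that interface name in BASE_ARE_CONNECTED ("" when offline).
- block:
    - name: "are we connected? - old ip route default"
      # FixMe: maybe change this to nmap - sometimes ICMP is blocked and its blocked by firewall.conf
      # nmap -Pn -sU -p U:53 208.67.220.220 ' 0 hosts up'
      # ping -n -c 1 -I "$wlan" 8.8.8.8 >/dev/null - wont work in a vbox or behind a firewall
      shell: |
        # grep -q printed nothing, so $a was always empty and the next test always exited 2
        a=`route | grep ^default` || exit 1
        [ -z "$a" ] && exit 2
        wlan=`echo $a | sed -e 's@.* @@'` && \
          ifconfig "$wlan" | grep -q UP && echo $wlan
      register: wlan_up
      failed_when: false
      when: false

    - name: "are we connected? - base_get_if.bash"
      shell: |
        ip route | grep -q ^default || exit 1$?
        wlan=`/usr/local/bin/base_get_if.bash` || exit 3
        if [ -n "$wlan" ] ; then
          ifconfig "$wlan" | grep -q UP && echo $wlan || true
        else
          a=`route | grep ^default` && \
            [ -n "$a" ] && \
            wlan=`echo $a | sed -e 's@.* @@'` && \
            [ -n "$wlan" ] && \
            ifconfig "$wlan" | grep -q UP && \
            echo $wlan
        fi
      register: wlan_up
      failed_when: false
      when: true

    - name: "are we connected? - new wifi"
      shell: |
        ip route | grep -q ^default || exit 1$?
        /usr/local/bin/proxy_ping_test.bash wifi || exit 2$?
        wlan=`/usr/local/bin/base_get_if.bash`
        echo $wlan
      register: wlan_up_no
      failed_when: false
      when: false

    - name: debug wlan_up
      debug:
        var: wlan_up

    # failed_when: false makes `wlan_up is success` unconditionally true; test rc so the
    # two set_facts are complementary
    - name: "we are connected device wlan_up.stdout"
      set_fact:
        BASE_ARE_CONNECTED: "{{ wlan_up.stdout }}"
      when:
        - wlan_up.rc|default(1) == 0
        #? - wlan_up.stdout|default("") != ""

    - name: "we are connected device - unconnected n"
      set_fact:
        BASE_ARE_CONNECTED: ""
      when:
        - wlan_up.rc|default(1) != 0 or wlan_up.stdout|default('') == ''
  check_mode: false
  when:
    - BOX_OS_FAMILY != 'Windows'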
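# Resolve BASE_OUTPUT_IF: the detected default-route device, or BASE_DEFAULT_OUTPUT_IF
# when the host is offline (Windows / WGate106 are always treated as offline here).
- block:
    - name: "we are connected device - WGate106"
      set_fact:
        BASE_ARE_CONNECTED: ""
      when:
        - BOX_OS_FLAVOR|default('') == 'WGate106' or BOX_OS_FAMILY == 'Windows'

    - debug:
        verbosity: 1
        msg: "DEBUG: BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"

    - name: set the default route device if we are connected
      set_fact:
        BASE_OUTPUT_IF: "{{BASE_ARE_CONNECTED}}"
      when:
        - "BASE_ARE_CONNECTED != ''"
        - ansible_distribution != 'Msys'

    - name: set the default route device if we are not connected
      set_fact:
        BASE_OUTPUT_IF: "{{BASE_DEFAULT_OUTPUT_IF}}"
      when:
        - "BASE_ARE_CONNECTED == ''"
        - ansible_distribution != 'Msys'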
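# Create the /usr/local tree, group-writable by BOX_ALSO_GROUP so that group can
# install into it (see the pip / site-packages tasks below).
- block:
    - name: "make /usr/local"
      file:
        path: "{{BASE_USR_LOCAL}}/{{item}}"
        state: directory
        mode: "0775"
        group: "{{ BOX_ALSO_GROUP }}"
      with_items:
        - bin
        - data
        - etc/testforge
        - etc/ssl
        - "{{LIB}}"
        - lib/ruby
        - lib/sysctl.d
        - net/Http
        - net/Git
        - sbin
        - share/info
        - share/man/man1
        - src
        - var
  check_mode: false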
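# Python 2 layout under /usr/local and the virtualenv arguments derived from it.
- block:
    # sitecustomize is not getting made on 3.8
    - name: /usr/local/bin/pyver.sh 2
      shell: |
        export BASE_PYTHON2_MINOR={{BASE_PYTHON2_MINOR}}
        export PYVER=2
        /usr/local/bin/pyver.sh

    # sitecustomize is not getting made on 3.8
    - name: /usr/local/bin/pyver.sh 3
      shell: |
        export BASE_PYTHON3_MINOR={{BASE_PYTHON3_MINOR}}
        export PYVER=3
        /usr/local/bin/pyver.sh

    # only site - not dist on Ubuntu?
    - name: "make lib64/python{{BASE_PYTHON2_MINOR}}/site-packages/__init__.py"
      shell: |
        umask 0002
        [ -e "{{BASE_USR_LOCAL}}/{{item}}" ] && exit 0
        touch "{{BASE_USR_LOCAL}}/{{item}}"
        # NOTE(review): as written the chown only runs when the distribution IS Msys
        # (the test succeeds everywhere else and short-circuits) - confirm the intent
        [ "{{ansible_distribution}}" != 'Msys' ] || \
          chown "{{ BOX_USER_NAME }}:{{ BOX_ALSO_GROUP }}" "{{BASE_USR_LOCAL}}/{{item}}"
      with_items:
        - "{{LIB}}/python{{BASE_PYTHON2_MINOR}}/site-packages/__init__.py"

    - name: "set_fact BASE_PYVENV2_ARGS"
      set_fact:
        BASE_PYVENV2_ARGS: "{{ BASE_PYVENV_ARGS }} -p {{BASE_USR_LOCAL}}/bin/python2.sh --extra-search-dir={{USR_LOCAL}}/{{LIB}}/python{{BASE_PYTHON2_MINOR}}/site-packages"
  when:
    - "BASE_PYTHON2_MINOR != ''"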
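# Python 3 layout under /usr/local and the virtualenv arguments derived from it.
- block:
    - name: "set_fact BASE_PYVENV3_ARGS"
      set_fact:
        BASE_PYVENV3_ARGS: "{{ BASE_PYVENV_ARGS }} -p {{BASE_USR_LOCAL}}/bin/python3.sh --extra-search-dir={{USR_LOCAL}}/{{LIB}}/python{{BASE_PYTHON3_MINOR}}/site-packages"

    # sitecustomize is not getting made on 3.8
    - name: /usr/local/bin/pyver.sh
      shell: |
        export BASE_PYTHON3_MINOR={{BASE_PYTHON3_MINOR}}
        export PYVER=3
        /usr/local/bin/pyver.sh

    # only site - not dist on Ubuntu?
    # (task name said PYTHON2 but the item is the python3 tree)
    - name: "make lib64/python{{BASE_PYTHON3_MINOR}}/site-packages/__init__.py"
      shell: |
        umask 0002
        [ -e "{{BASE_USR_LOCAL}}/{{item}}" ] && exit 0
        touch "{{BASE_USR_LOCAL}}/{{item}}"
        # NOTE(review): as written the chown only runs when the distribution IS Msys
        # (the test succeeds everywhere else and short-circuits) - confirm the intent
        [ "{{ansible_distribution}}" != 'Msys' ] || \
          chown "{{ BOX_USER_NAME }}:{{ BOX_ALSO_GROUP }}" "{{BASE_USR_LOCAL}}/{{item}}"
      with_items:
        - "{{LIB}}/python{{BASE_PYTHON3_MINOR}}/site-packages/__init__.py"
  when:
    - "BASE_PYTHON3_MINOR != ''"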
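# Filesystem layout, locale, sudo, devices and the per-user bootstrap for every
# non-Msys host.
# NOTE(review): the source indentation was lost; the trailing
# `when: ansible_distribution != 'Msys'` is attached to this block - confirm.
- block:
    - name: "make root log directory"
      file:
        path: "{{BASE_ROOT_LOG_DIR}}"
        state: directory
        mode: "0775"
        owner: "root"
        group: "{{ BOX_ALSO_GROUP }}"

    - name: "/etc/locale.gen"
      lineinfile:
        dest: "/etc/locale.gen"
        # NOTE(review): 0755 leaves a plain config file executable; "0644" is the
        # usual mode - confirm before changing
        mode: "0755"
        owner: root
        group: root
        create: true
        regexp: "^#* *{{item}}"
        line: "{{item}}"
        insertafter: EOF
      with_items: "{{env_locales}}"
      notify: update locales

    # Passwordless sudo for base_sudo_group, gated on the 'insecure_sudo' feature.
    # validate runs visudo on the candidate file first so a bad edit cannot leave the
    # host without a working sudoers.
    - name: "Let vagrant su without a password /etc/sudoers"
      blockinfile:
        dest: /etc/sudoers
        create: true
        mode: "0440"
        marker: "# {mark} ANSIBLE MANAGED BLOCK base"
        insertafter: "## Same thing without a password"
        validate: "/usr/sbin/visudo -cf %s"
        block: |
          %{{ base_sudo_group }} ALL=(ALL) NOPASSWD: ALL
      when:
        - "base_sudo_group != ''"
        - "'insecure_sudo' in BASE_FEATURES"

    - name: "Let vagrant su without a password /etc/group"
      user:
        name: "{{ BOX_USER_NAME }}"
        group: "{{ BOX_USER_GROUP }}"
        shell: /bin/bash
        groups:
          - "{{ base_sudo_group }}"
        append: true
      when:
        - "base_sudo_group != ''"
        - "'insecure_sudo' in BASE_FEATURES"
      #? msg: module (user) is missing interpreter line
      ignore_errors: true

    - name: "/usr/local/etc/local.d/Whonix-Lati.rc"
      lineinfile:
        dest: /usr/local/etc/local.d/Whonix-Lati.rc
        create: true
        mode: "0770"
        insertafter: BOF
        regexp: "^#.*mode:"
        line: "# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-"

    # Non-systemd hosts: make sure /dev/initctl exists (link to /run/initctl when that
    # is present, otherwise a fifo).
    - name: "/usr/local/etc/local.d/Whonix-Lati.rc"
      blockinfile:
        dest: /usr/local/etc/local.d/Whonix-Lati.rc
        create: true
        mode: "0770"
        marker: "# {mark} ANSIBLE MANAGED BLOCK base initctl"
        insertafter: EOF
        block: |
          [ ! -e /dev/initctl -a -e /run/initctl ] && ln -s /run/initctl /dev/initctl && exit 0
          [ -e /dev/initctl ] || mknod -m 0600 /dev/initctl p
      when:
        - BOX_SERVICE_MGR != "systemd"

    - name: "make /usr/local/lib linkx"
      shell: |
        dest="{{BASE_USR_LOCAL}}/{{BASE_LIB}}"
        [ {{BASE_LIB}} = 'lib' ] && src="{{BASE_USR_LOCAL}}/lib64" || src="{{BASE_USR_LOCAL}}/lib"
        [ -d $src ] || mkdir $src
        [ -d $dest ] || mkdir $dest
        cd $src || exit 1
        [ -e "python{{ BASE_PYTHON2_MINOR }}" ] || ln -s "../{{LIB}}/python{{ BASE_PYTHON2_MINOR }}" .
        [ -e "python{{ BASE_PYTHON3_MINOR }}" ] || ln -s "../{{LIB}}/python{{ BASE_PYTHON3_MINOR }}" .
        # our model is that user and group adm can pip install into /usr/local
        # failsafe but often required and not covered elsewhere
        chown -R "{{ BOX_USER_NAME }}:{{ BOX_ALSO_GROUP }}" $src/python* $dest/python*
        chmod -R g+rw $src/python* $dest/python*
      ignore_errors: true
      when: false

    - name: "make /dev/loop"
      shell: |
        # CONFIG_BLK_DEV_LOOP
        # i starts at -1 and is incremented before the test, so this creates
        # /dev/loop0 .. /dev/loop16 (17 nodes) - confirm whether 0..15 was intended
        i=-1
        while [ $i -lt 16 ] ; do
          i=$( expr $i + 1 )
          [ -e /dev/loop$i ] && continue
          mknod /dev/loop$i b 7 $i
          chown root:disk /dev/loop$i
          chmod 660 /dev/loop$i
        done
        exit 0

    - name: "make /usr/local/var 1777 dirs"
      file:
        path: "{{BASE_USR_LOCAL}}/{{item}}"
        state: directory
        mode: "01777"
        owner: "{{ BOX_USER_NAME }}"
        group: "{{ BOX_ALSO_GROUP }}"
      with_items:
        - var/cache
        - var/log
        - var/tmp
        - tmp
      check_mode: false

    - name: base /usr/local/src/usr_local_base.bash
      copy:
        src: /usr/local/src/usr_local_base.bash
        dest: /usr/local/src/usr_local_base.bash
        mode: '0755'

    # FixMe: change this to a user.yml; this should be run as vagrant and per system_user
    - name: "/usr/local/src/usr_local_base.sh"
      shell: |
        umask 0002
        {{BASE_USR_LOCAL}}/src/usr_local_base.bash
      args:
        chdir: "{{BASE_USR_LOCAL}}/src"
      become: true
      become_user: "{{ BOX_USER_NAME }}"
      # FixMe:
      ignore_errors: true
      when:
        - not ansible_check_mode

    - name: "base base {{ansible_distribution}}"
      # roles/base/tasks/
      include_tasks: "base_{{ansible_distribution}}.yml"

    - name: "make mountpoint dirs"
      shell: |
        umask 0022
        for elt in {{BOX_HOST_CONTAINER_MOUNTS|join(' ')}} ; do
          df | grep -q " $elt$" && continue
          [ -d $elt/tmp ] && continue
          [ -d $elt ] && continue
          mkdir $elt
        done
        exit 0
      when: "BOX_HOST_CONTAINER_MOUNTS|default([])|length > 0"

    # this should be run as root? no?
    - name: "/usr/local/src/usr_local_python.bash"
      shell: |
        umask 0002
        {{BASE_USR_LOCAL}}/src/usr_local_python.bash
      args:
        chdir: "{{BASE_USR_LOCAL}}/src"
        # `creates` takes a single path, not a list; the script is expected to
        # produce both python2.sh and python3.sh, so the latter stands in for both
        creates: "{{BASE_USR_LOCAL}}/bin/python3.sh"
      become: true
      become_user: "{{ BOX_USER_NAME }}"

    # FixMe: pip doesnt buy this
    - name: "make /usr/local/net/Cache/Pip"
      file:
        path: "{{BASE_USR_LOCAL}}/{{item}}"
        state: directory
        # pip doesnt buy this - 01777
        mode: "0775"
        owner: "{{ BOX_USER_NAME }}"
        group: "{{ BOX_ALSO_GROUP }}"
      with_items:
        - net/Cache/Pip
      # could be a symlink
      ignore_errors: true

    - name: "make home dirs"
      file:
        path: "{{ item.dest }}"
        owner: "{{ item.owner }}"
        group: "{{ item.group }}"
        state: directory
        mode: "{{ item.mode }}"
      with_items:
        - dest: "{{BOX_USER_HOME}}/etc/ssl/keys"
          owner: "{{ BOX_USER_NAME }}"
          group: "{{ BOX_ALSO_GROUP }}"
          mode: "0700"
        - dest: "/root/etc/ssl/keys"
          owner: "root"
          group: "root"
          mode: "0700"
        - dest: "{{BOX_USER_HOME}}/bin"
          owner: "{{ BOX_USER_NAME }}"
          group: "{{ BOX_ALSO_GROUP }}"
          mode: "0755"
        - dest: "{{BASE_SCRIPT_DIR}}"
          owner: "root"
          group: "root"
          mode: "0755"

    - name: "/etc/wgetrc - needs coordinating with BASE_WGET_ARGS"
      blockinfile:
        dest: /etc/wgetrc
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK base"
        block: |
          timestamping = on
          tries = 2
    # man wget Using --ca-directory is more efficient than --ca-certificate with many certificates
    #? Should we --ca-certificate={{PLAY_CA_CERT}} instead of default --ca-directory=/etc/ssl/certs/
    # link it as a backup but it may get removed
    # figure out how to extend apt and ansible's cert paths
    # 'Failed to validate the SSL certificate for sourceforge.net443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible.

    - name: "make SSL_CERT_FILE link"
      file:
        src: "{{ SSL_CERT_FILE }}"
        dest: "/etc/ssl/certs/cacert-testserver.pem"
        state: link
        force: false
      when: false

    # https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/GnuPG
    # keys.indymedia.org HKP (11371), HTTPS (443), HKPS (443), HTTP (80) qtt2yl5jocgrk7nu.onion 2eghzlv2wwcq7u7y.onion HTTPS (443), HTTP (80), HKP (11371) HKP (11371), HTTP (80)
    # {{ groups['x']|map('extract', hostvars, 'ec2_ip_address')|list }}
    # A frequently used idiom is walking a group to find all IP addresses in that group:
    # {% for host in groups['app_servers'] %}
    #   {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }}
    # {% endfor %}

    # old base
    - name: "/etc/localtime"
      shell: |
        BASE_timezone="{{ BASE_TIMEZONE|default('Etc/UTC') }}"
        [ -f "/usr/share/zoneinfo/$BASE_timezone" ] || exit 0
        [ -e /etc/localtime ] && exit 0
        ln -s /usr/share/zoneinfo/$BASE_timezone /etc/localtime
      ignore_errors: true

    - name: "/etc/BASE_timezone"
      copy:
        content: "{{ BASE_TIMEZONE|default('Etc/UTC') }}\n"
        dest: "/etc/timezone"

    - name: "setup hwclock"
      template:
        src: "hwclock.j2"
        dest: "/etc/{{ETC_CONF_D}}/hwclock"
        owner: "{{BASE_ROOT_USER}}"
        mode: "0644"
        force: false
      # unfinished
      when: false
  when:
    - ansible_distribution != 'Msys'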