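# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# roles/proxy/tasks/proxy_post.yml
#
# 1. configure and (re)start the local cntlm NTLM relay via /etc/cntlm.conf
# 2. derive the HTTP_PROXY / HTTPS_PROXY / SOCKS_PROXY facts and the
#    proxy_env / no_proxy_env dicts that later roles hand to `environment:`
# 3. push the resulting proxy settings into wgetrc, privoxy, gnupg/dirmngr
#    and npm
#
# NB - dirmngr fails incomprehensibly if there are repeated commands in conf

- name: "DEBUG: proxy proxy_post.yml"
  debug:
    verbosity: 1
    msg: "DEBUG: Including proxy proxy_post.yml"

- name: if there is no /etc/cntlm.conf it has not been installed
  stat:
    path: /etc/cntlm.conf
  register: cntlm_conf_fact

# The whole cntlm stanza is skipped when cntlm is not installed (block-level
# `when` at the end of the block): the lineinfile tasks below have no
# `create:` and would fail on a missing /etc/cntlm.conf.
- block:
    # Remove the sample "Proxy ...:8080" lines from the shipped cntlm.conf
    # BEFORE writing our own Proxy line. Done the other way round this
    # pattern also matches the line we just wrote whenever the corporate
    # proxy itself listens on 8080.
    - lineinfile:
        dest: /etc/cntlm.conf
        regexp: "^Proxy.*8080"
        state: absent

    # make sure double quotes do not end up in the cntlm.conf
    # no_log: the Password item would otherwise be echoed in task output and
    # in any ansible log. The password still lands in /etc/cntlm.conf in
    # clear text; make sure that file is not world-readable (cntlm can also
    # take a hashed password, see `cntlm -H`).
    - lineinfile:
        dest: /etc/cntlm.conf
        regexp: "^#* *{{item.name}}.*"
        line: "{{item.name}} {{item.val}}"
        state: present
      no_log: true
      with_items:
        - name: Username
          val: "{{ MY_CORP_USER }}"
        - name: Domain
          val: "{{ MY_CORP_DOMAIN }}"
        - name: Password
          val: "{{ MY_CORP_PASS }}"
        - name: Proxy
          val: "{{NTLM_PROXYHOST}}:{{NTLM_PROXYPORT}}"
        - name: NoProxy
          val: "{{ NO_PROXY }}"
        - name: Listen
          val: "{{CNTLM_BIND_IP}}:{{CNTLM_HTTP_PORT}}"
        - name: SOCKS5Proxy
          val: "{{ CNTLM_SOCKS_PORT }}"

    # A failed restart must not abort the play: the fact overrides below
    # fall back to the upstream proxy when cntlm is not running.
    - name: enable and start cntlm
      service:
        name: cntlm
        enabled: true
        state: restarted
      register: retval
      failed_when: false
      when: ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS

    # FixMe: test to see if cntlm has started
    - stat:
        path: "{{ cntlm_pid_file }}"
      register: cntlm_pid

    # only if its started do we override
    # Everything points at the local cntlm listener, so *_PROXYPORT is the
    # cntlm port (the original used NTLM_PROXYPORT here, which disagreed
    # with the HTTP_PROXY URL on the line above it).
    - name: override HTTP_PROXY with retval is success
      set_fact:
        HTTP_PROXY: "http://127.0.0.1:{{CNTLM_HTTP_PORT}}"
        HTTP_PROXYHOST: "127.0.0.1"
        HTTP_PROXYPORT: "{{CNTLM_HTTP_PORT}}"
        HTTP_PROXYTYPE: "http"
        HTTPS_PROXY: "http://127.0.0.1:{{CNTLM_HTTP_PORT}}"
        HTTPS_PROXYHOST: "127.0.0.1"
        HTTPS_PROXYPORT: "{{CNTLM_HTTP_PORT}}"
        HTTPS_PROXYTYPE: "http"
        # this works with cntlm as we configured it (SOCKS5Proxy above)
        SOCKS_PROXY: "socks5://127.0.0.1:{{CNTLM_SOCKS_PORT}}"
        SOCKS_PROXYHOST: "127.0.0.1"
        SOCKS_PROXYPORT: "{{CNTLM_SOCKS_PORT}}"
        SOCKS_PROXYTYPE: "socks5"
      when: retval.rc|default(0) == 0 and cntlm_pid.stat.exists == true

    # Exact complement of the condition above; the original tested `== 0`
    # in both branches so a healthy cntlm could trip both overrides.
    # service does not return rc (#? does retval.rc exist?), hence default().
    - name: override HTTP_PROXY with retval is failed
      set_fact:
        HTTP_PROXY: "http://{{NTLM_PROXYHOST}}:{{NTLM_PROXYPORT}}"
        HTTP_PROXYHOST: "{{NTLM_PROXYHOST}}"
        HTTP_PROXYPORT: "{{NTLM_PROXYPORT}}"
        HTTP_PROXYTYPE: "http"
        HTTPS_PROXY: "http://{{NTLM_PROXYHOST}}:{{NTLM_PROXYPORT}}"
        HTTPS_PROXYHOST: "{{NTLM_PROXYHOST}}"
        HTTPS_PROXYPORT: "{{NTLM_PROXYPORT}}"
        HTTPS_PROXYTYPE: "http"
        # dunno if this works - 9050 is hard-coded here, unlike the cntlm
        # branch which uses CNTLM_SOCKS_PORT
        SOCKS_PROXY: "socks5://{{NTLM_PROXYHOST}}:9050"
        SOCKS_PROXYHOST: "{{NTLM_PROXYHOST}}"
        SOCKS_PROXYPORT: "9050"
        SOCKS_PROXYTYPE: "socks5"
      when: retval.rc|default(0) != 0 or not cntlm_pid.stat.exists

    - debug:
        msg: "proxy/tasks/main.yml cntlm.rc={{cntlm_pid.stat.exists}} HTTP_PROXY={{ HTTP_PROXY }}"
  when: NTLM_PROXYPORT != '' and cntlm_conf_fact.stat.exists == true

# proxy_env is what roles pass as `environment:` when they may go out;
# no_proxy_env points every proxy variable at a closed local port so that
# anything honouring them cannot reach the network.
- name: gather the http_proxy information together for subsequent roles
  set_fact:
    proxy_env:
      TERM: "linux"
      http_proxy: "{{ HTTP_PROXY }}"
      https_proxy: "{{ HTTPS_PROXY }}"
      socks_proxy: "{{ SOCKS_PROXY }}"
      ftp_proxy: "{{ HTTP_PROXY }}"
      no_proxy: "{{ NO_PROXY }}"
      SSL_CERT_FILE: "{{ SSL_CERT_FILE|default(PLAY_CA_CERT) }}"
      RSYNC_PROXY: "{{ HTTP_PROXY|replace('http://', '') }}"
    no_proxy_env:
      TERM: "linux"
      http_proxy: "http://127.0.0.1:9999"
      https_proxy: "http://127.0.0.1:9999"
      socks_proxy: "socks4://127.0.0.1:9999"
      ftp_proxy: "ftp://127.0.0.1:9999"
      no_proxy: "{{ NO_PROXY|default('127.0.0.1,localhost') }}"
      RSYNC_PROXY: "http://127.0.0.1:9999"

- set_fact:
    # allowed out {'PATH': PATH, 'PYTHONPATH': '' }
    shell_proxy_env: "{{ proxy_env|combine(shell_env) }}"
    # forbidden out {'PATH': PATH, 'PYTHONPATH': '' }
    shell_no_proxy_env: "{{ no_proxy_env|combine(shell_env) }}"
    # environment values are strings; quoted so YAML does not type it as int
    apt_env:
      RUNLEVEL: "1"

- set_fact:
    portage_proxy_env: "{{ shell_proxy_env }}"
    # we're letting pip out to install but with --nodeps
    # so that we must list a prerequisites explicitly
    # and to prevent it from having a free hand.
    pip_proxy_env: "{{ shell_proxy_env }}"
    apt_proxy_env: "{{ proxy_env|combine(apt_env) }}"

#- name: "roles/proxy/tasks/main.yml"
#  debug: msg="roles/proxy/tasks/main.yml NTLM_PROXYPORT={{ NTLM_PROXYPORT }}"

- name: roles/proxy/tasks/ _post.yml
  include_tasks: "roles/proxy/tasks/{{ ansible_distribution }}_post.yml"

# sync this with ../../roles/base/overlay/Linux/usr/local/share/scripts/bootstrap_proxy.bash
# no global setting for this now
# The proxy lines themselves are commented out on purpose; the block only
# carries no_proxy and the CA pinning for wget.
- name: /etc/wgetrc without proxy
  blockinfile:
    dest: /etc/wgetrc
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
    state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
    block: |
      #http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
      #https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
      no_proxy={{ NO_PROXY }}
      ca-certificate = /usr/local/etc/ssl/cacert-testforge.pem
      check_certificate = on

# dont change the environment for everyone with env.d/70proxy
# manually include box_proxy_tor.bash -> ~/bin/tor.sh
# Disabled (when: false); kept for reference. item.mode is now actually
# passed to the module - before it was listed per item but never applied.
- name: proxy http export
  blockinfile:
    dest: "{{ item.dest }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    mode: "{{ item.mode }}"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http"
    state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
    block: |
      export http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
      export https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
      export no_proxy="{{ NO_PROXY }}"
      export RSYNC_PROXY={{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
  with_items:
    - dest: "{{BASE_SCRIPT_DIR}}/box_proxy_tor.bash"
      owner: "{{BOX_ROOT_USER}}"
      group: "{{BOX_ROOT_GROUP}}"
      mode: "0755"
  when: false

# Disabled (when: false); kept for reference.
- name: /usr/local/share/scripts/box_proxy_tor.bash socks
  blockinfile:
    dest: "{{ item.dest }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    mode: "{{ item.mode }}"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy socks"
    state: "{{ 'present' if SOCKS_PROXYHOST != '' else 'absent' }}"
    block: |
      export socks_proxy={{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
  with_items:
    - dest: "{{BASE_SCRIPT_DIR}}/box_proxy_tor.bash"
      owner: "{{BOX_ROOT_USER}}"
      group: "{{BOX_ROOT_GROUP}}"
      mode: "0644"
  when: false

# Every privoxy profile gets the same SOCKS forwarding block; item.mode was
# listed but never applied before, so files created here got the umask.
- name: /etc/privoxy/config.whonix socks
  blockinfile:
    dest: "{{ item.dest }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    mode: "{{ item.mode }}"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy socks"
    state: "{{ 'present' if SOCKS_PROXYHOST != '' else 'absent' }}"
    block: |
      # https://tor.stackexchange.com/questions/947/socks-server-with-dynamic-traffic-routing-trought-tor-i2p-depending-on-the-e
      forward .i2p 127.0.0.1:4444
      forward-socks5t / {{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}} .
  with_items:
    - dest: "/etc/privoxy/config.whonix"
      owner: "root"
      group: "root"
      mode: "0644"
    - dest: "/etc/privoxy/config.tor"
      owner: "root"
      group: "root"
      mode: "0644"
    - dest: "/etc/privoxy/config.nat"
      owner: "root"
      group: "root"
      mode: "0644"
    - dest: "/etc/privoxy/config.selektor"
      owner: "root"
      group: "root"
      mode: "0644"
  when:
    - SOCKS_PROXYHOST != '' and SOCKS_PROXYPORT != ''
    - "PROXY_MODE|default('') in ['tor', 'whonix', 'selektor']"

- name: check if /etc/gnupg/gpgconf.conf exists
  stat:
    path: /etc/gnupg/gpgconf.conf
  register: etc_gpgconf_fact

# Each item is a "<key> <val><value>" line; item.state decides whether it is
# written or removed. The proxy items are kept `absent` because gpg rejects
# them (see the comments per item).
- name: /etc/gnupg/gpgconf.conf
  lineinfile:
    dest: "/etc/gnupg/gpgconf.conf"
    # insertbefore: BOF
    # quoted so YAML does not read it as octal 493; a config file does not
    # need the execute bit, "0644" would do
    mode: "0755"
    owner: "{{BOX_ROOT_USER}}"
    group: "{{BOX_ROOT_GROUP}}"
    create: true
    state: "{{item.state}}"
    regexp: "^#*{{item.key}} {{item.val}}.*"
    line: "{{item.key}} {{item.val}}{{item.value}}"
  with_items:
    # gpg: keyserver option 'https-proxy' is unknown
    - key: keyserver-options
      val: http-proxy=
      value: "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}"
      state: absent  # "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
    # gpg: keyserver option 'https-proxy' is unknown
    - key: keyserver-options
      val: https-proxy=
      value: "{{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}"
      state: absent  # "{{ 'present' if HTTPS_PROXYHOST != '' else 'absent' }}"
    - key: keyserver
      val: hkp://keys.gnupg.net
      value: ""
      state: "present"
    - key: keyserver-options
      val: verbose
      value: ""
      state: absent  # is unknown "present"
    - key: keyserver-options
      val: "options "
      value: "/etc/dirmngr/dirmngr.conf"
      state: absent  # is unknown "present"
  when:
    - not ansible_check_mode
    - etc_gpgconf_fact.stat.exists == true

- name: check if /etc/npmrc exists
  stat:
    path: /etc/npmrc
  register: npm_npmrc_fact

#? do I want these in /etc/environment?
# FixMe: harden/templates/etc/example-dnscrypt-proxy.toml
# force_tcp = true
#? ~/.gnupg/gnupg.conf
# https://github.com/riseupnet/riseup_help/issues/294
# keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
# .repo_.gitconfig.json

# handle setting up an ssh server in proxy - for libvirt_qemu (or chroot?)
- name: /etc/conf.d/sshd
  blockinfile:
    dest: "/etc/{{ETC_CONF_D}}/sshd"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK testforge"
    block: |
      SSHD_OPTS="-4 -E /var/log/sshd.log"

# Move a pre-existing /etc/dirmngr/dirmngr.conf under /etc/gnupg and leave a
# symlink behind. Always exits 0, so a failed mv/ln is not reported, and it
# is reported as changed on every run. NOTE(review): the early-exit test
# checks `-h /etc/gnupg/dirmngr.conf` although the symlink is created at
# /etc/dirmngr/dirmngr.conf, so it never fires; harmless, the later test
# keeps the script idempotent.
- name: /etc/dirmngr/dirmngr.conf
  shell: |
    [ -d /etc/dirmngr ] || mkdir /etc/dirmngr
    [ -f /etc/dirmngr/dirmngr.conf ] && [ -h /etc/gnupg/dirmngr.conf ] && exit 0
    [ -f /etc/dirmngr/dirmngr.conf ] && [ ! -f /etc/gnupg/dirmngr.conf ] && \
      mv /etc/dirmngr/dirmngr.conf /etc/gnupg/dirmngr.conf && \
      ln -s /etc/gnupg/dirmngr.conf /etc/dirmngr/dirmngr.conf
    exit 0

# With no proxy configured this task used to write
# `keyserver-options http-proxy=http://:` (empty host and port) into
# dirmngr.conf, which cannot have been intended; it now removes any such line
# under that condition instead. The proxied case is covered by the
# blockinfile tasks below, which use dirmngr's own `http-proxy host:port`.
- name: /etc/dirmngr/dirmngr.conf
  lineinfile:
    dest: "/etc/dirmngr/dirmngr.conf"
    mode: "0755"
    owner: "{{BOX_ROOT_USER}}"
    group: "{{BOX_ROOT_GROUP}}"
    create: true
    regexp: "^#*keyserver-options http-proxy.*"
    state: absent
  when:
    - not ansible_check_mode
    - HTTP_PROXYHOST == '' and HTTP_PROXYPORT == ''

# Effectively always `absent` (no distribution is called 'never'); kept as a
# switch that can be flipped per distribution.
- name: /etc/dirmngr/dirmngr.conf
  lineinfile:
    dest: "/etc/dirmngr/dirmngr.conf"
    mode: "0755"
    owner: "{{BOX_ROOT_USER}}"
    group: "{{BOX_ROOT_GROUP}}"
    create: true
    regexp: "^keyserver-options no-try-dns-srv"
    line: "keyserver-options no-try-dns-srv"
    state: "{{ 'present' if ansible_distribution == 'never' else 'absent' }}"
  when:
    - not ansible_check_mode

- name: /etc/dirmngr/dirmngr.conf dnsmasq
  blockinfile:
    dest: "/etc/dirmngr/dirmngr.conf"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy_post.yml dnsmasq"
    block: |
      debug-level 5
      log-file /var/log/dirmngr.log
      nameserver 127.0.0.1
  when:
    - not ansible_check_mode
    - "'run_dnsmasq' in PROXY_FEATURES"

# No proxy: leave honor-http-proxy commented out under the http-proxy marker.
- block:
    - name: /etc/dirmngr/dirmngr.conf no proxy
      blockinfile:
        dest: "/etc/dirmngr/dirmngr.conf"
        create: false
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http-proxy"
        block: |
          # honor-http-proxy
  # may not exist
  ignore_errors: true
  when:
    - HTTP_PROXYHOST == '' and HTTP_PROXYPORT == ''

- block:
    - name: /etc/dirmngr/dirmngr.conf proxy_post.yml http-https
      blockinfile:
        dest: "{{item}}"
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml https"
        state: "{{ 'present' if HTTPS_PROXYHOST != '' else 'absent' }}"
        block: |
          #! debian10: /etc/dirmngr/dirmngr.conf:3: invalid option
          #! https-proxy {{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
      with_items:
        - /etc/dirmngr/dirmngr.conf
        - /etc/dirmngr/dirmngr.conf.whonix
  # may not exist
  ignore_errors: true
  when:
    - HTTPS_PROXYHOST != '' and HTTPS_PROXYPORT != ''

# Proxy configured: enable honor-http-proxy. This ran unconditionally before
# and so re-enabled the directive the "no proxy" task above had just
# commented out (same marker); now gated on a proxy being set.
- block:
    - name: /etc/dirmngr/dirmngr.conf proxy_post.yml http-proxy
      blockinfile:
        dest: /etc/dirmngr/dirmngr.conf
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http-proxy"
        block: |
          honor-http-proxy
  # may not exist
  ignore_errors: true
  when:
    - HTTP_PROXYHOST != '' and HTTP_PROXYPORT != ''

# Only the http-proxy line lives here; honor-http-proxy is written once by
# the task above (dirmngr does not cope with repeated commands, see NB at
# the top of the file).
- name: /etc/dirmngr/dirmngr.conf proxy_post.yml http
  blockinfile:
    dest: /etc/dirmngr/dirmngr.conf
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http"
    state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
    block: |
      http-proxy {{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}

- block:
    # FixMe: should be lineinfile
    - name: /etc/npmrc with proxy http
      blockinfile:
        dest: /etc/npmrc
        create: false
        mode: "0644"
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http"
        state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
        block: |
          proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
          https-proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
          cafile=/usr/local/etc/ssl/cacert-testforge.pem
          progress=false
  when:
    - npm_npmrc_fact.stat.exists == true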