
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# NB - dirmngr fails incomprehensibly if there are repeated commands in its conf
- name: "DEBUG: proxy proxy_post.yml"
  debug:
    msg: "DEBUG: Including proxy proxy_post.yml"
    # only printed at -v and above
    verbosity: 1
- name: if there is no /etc/cntlm.conf it has not been installed
  stat:
    path: /etc/cntlm.conf
  # consulted by the cntlm tasks below (cntlm_conf_fact.stat.exists)
  register: cntlm_conf_fact
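# Configure and (re)start cntlm, then point the HTTP*/SOCKS_* facts either at
# the local cntlm listener (when it came up) or straight at the upstream NTLM
# proxy (when it did not). Gated on cntlm being installed and an upstream port
# being set by the block-level `when` at the end.
- block:
    # Drop the packaged example "Proxy ...:8080" entries BEFORE writing our own
    # Proxy line: doing it afterwards deletes the freshly written line whenever
    # NTLM_PROXYPORT happens to be 8080.
    - name: remove the example upstream Proxy entries from /etc/cntlm.conf
      lineinfile:
        dest: /etc/cntlm.conf
        regexp: "^Proxy.*8080"
        state: absent
    # make sure double quotes do not end up in the cntlm.conf
    - name: write the cntlm settings to /etc/cntlm.conf
      lineinfile:
        dest: /etc/cntlm.conf
        regexp: "^#* *{{item.name}}.*"
        line: "{{item.name}} {{item.val}}"
        state: present
      with_items:
        - { name: Username, val: "{{ MY_CORP_USER }}" }
        - { name: Domain, val: "{{ MY_CORP_DOMAIN }}" }
        - { name: Password, val: "{{ MY_CORP_PASS }}" }
        - { name: Proxy, val: "{{NTLM_PROXYHOST}}:{{NTLM_PROXYPORT}}" }
        - { name: NoProxy, val: "{{ NO_PROXY }}" }
        - { name: Listen, val: "{{CNTLM_BIND_IP}}:{{CNTLM_HTTP_PORT}}" }
        - { name: SOCKS5Proxy, val: "{{ CNTLM_SOCKS_PORT }}" }
      # the Password item carries MY_CORP_PASS: keep every item out of the
      # task output and the Ansible log
      no_log: true
      # NOTE(review): /etc/cntlm.conf now holds the password in clear; this
      # task does not set the file mode — confirm the package keeps it
      # root-only, and consider cntlm's hashed PassNTLMv2 form (cntlm -H)
      # instead of a cleartext Password line.
    - name: enable and start cntlm
      service:
        name: cntlm
        enabled: true
        state: restarted
      register: retval
      # a failed restart is handled by the fallback set_fact below, not here
      failed_when: false
      # service management is skipped for the chroot-style connections
      when: ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
    # FixMe: test to see if cntlm has started
    - name: check whether cntlm wrote its pid file
      stat:
        path: "{{ cntlm_pid_file }}"
      register: cntlm_pid
    # only if it is started do we override
    # (native mapping instead of the folded key=value string: inside a `>`
    # scalar the "# ..." lines were part of the value, not comments)
    - name: override HTTP_PROXY with retval is success
      set_fact:
        HTTP_PROXY: "http://127.0.0.1:{{CNTLM_HTTP_PORT}}"
        HTTP_PROXYHOST: "127.0.0.1"
        # the port of the local cntlm listener, matching HTTP_PROXY above
        HTTP_PROXYPORT: "{{CNTLM_HTTP_PORT}}"
        HTTP_PROXYTYPE: http
        HTTPS_PROXY: "http://127.0.0.1:{{CNTLM_HTTP_PORT}}"
        HTTPS_PROXYHOST: "127.0.0.1"
        HTTPS_PROXYPORT: "{{CNTLM_HTTP_PORT}}"
        HTTPS_PROXYTYPE: http
        # this works with cntlm as we configured it
        SOCKS_PROXY: "socks5://127.0.0.1:{{CNTLM_SOCKS_PORT}}"
        SOCKS_PROXYHOST: "127.0.0.1"
        SOCKS_PROXYPORT: "{{CNTLM_SOCKS_PORT}}"
        SOCKS_PROXYTYPE: socks5
      when: retval.rc|default(0) == 0 and cntlm_pid.stat.exists
    - name: override HTTP_PROXY with retval is failed
      set_fact:
        HTTP_PROXY: "http://{{NTLM_PROXYHOST}}:{{NTLM_PROXYPORT}}"
        HTTP_PROXYHOST: "{{NTLM_PROXYHOST}}"
        HTTP_PROXYPORT: "{{NTLM_PROXYPORT}}"
        HTTP_PROXYTYPE: http
        HTTPS_PROXY: "http://{{NTLM_PROXYHOST}}:{{NTLM_PROXYPORT}}"
        HTTPS_PROXYHOST: "{{NTLM_PROXYHOST}}"
        HTTPS_PROXYPORT: "{{NTLM_PROXYPORT}}"
        HTTPS_PROXYTYPE: http
        # dunno if this works
        SOCKS_PROXY: "socks5://{{NTLM_PROXYHOST}}:9050"
        SOCKS_PROXYHOST: "{{NTLM_PROXYHOST}}"
        SOCKS_PROXYPORT: "9050"
        SOCKS_PROXYTYPE: socks5
      # exact negation of the condition above; `rc == 0 or not exists` also
      # fired when cntlm was up and clobbered the facts just set
      when: retval.rc|default(0) != 0 or not cntlm_pid.stat.exists
    #? does retval.rc exist?
    - debug:
        msg: "proxy/tasks/main.yml cntlm.rc={{cntlm_pid.stat.exists}} HTTP_PROXY={{ HTTP_PROXY }}"
  when: NTLM_PROXYPORT != '' and cntlm_conf_fact.stat.exists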
# Environment dictionaries handed to later roles. proxy_env goes through the
# proxy chosen above; no_proxy_env points every scheme at 127.0.0.1:9999,
# presumably a port nothing listens on, so a consumer that must not reach
# out cannot — confirm against the host's listeners.
- name: gather the http_proxy information together for subsequent roles
  set_fact:
    proxy_env:
      TERM: 'linux'
      http_proxy: '{{ HTTP_PROXY }}'
      https_proxy: '{{ HTTPS_PROXY }}'
      socks_proxy: '{{ SOCKS_PROXY }}'
      # ftp is routed through the http proxy as well
      ftp_proxy: '{{ HTTP_PROXY }}'
      no_proxy: '{{ NO_PROXY }}'
      SSL_CERT_FILE: '{{ SSL_CERT_FILE|default(PLAY_CA_CERT) }}'
      # rsync expects host:port without a scheme
      RSYNC_PROXY: "{{ HTTP_PROXY|replace('http://', '') }}"
    no_proxy_env:
      TERM: 'linux'
      http_proxy: 'http://127.0.0.1:9999'
      https_proxy: 'http://127.0.0.1:9999'
      socks_proxy: 'socks4://127.0.0.1:9999'
      ftp_proxy: 'ftp://127.0.0.1:9999'
      no_proxy: "{{ NO_PROXY|default('127.0.0.1,localhost') }}"
      RSYNC_PROXY: 'http://127.0.0.1:9999'
# shell_env is defined outside this file
- set_fact:
    # allowed out {'PATH': PATH, 'PYTHONPATH': '' }
    shell_proxy_env: '{{ proxy_env|combine(shell_env) }}'
    # forbidden out {'PATH': PATH, 'PYTHONPATH': '' }
    shell_no_proxy_env: '{{ no_proxy_env|combine(shell_env) }}'
    apt_env:
      RUNLEVEL: 1
# per-tool environments derived from the shell ones above
- set_fact:
    portage_proxy_env: '{{ shell_proxy_env }}'
    # we're letting pip out to install but with --nodeps
    # so that we must list all prerequisites explicitly
    # and to prevent it from having a free hand.
    pip_proxy_env: '{{ shell_proxy_env }}'
    apt_proxy_env: '{{ proxy_env|combine(apt_env) }}'
#- name: "roles/proxy/tasks/main.yml"
# debug: msg="roles/proxy/tasks/main.yml NTLM_PROXYPORT={{ NTLM_PROXYPORT }}"
# hand over to the distribution-specific tail of this role
# NOTE(review): the include path starts with roles/proxy/ while this file
# is listed under proxy_role/ — confirm the path resolves from the playbook dir
- name: roles/proxy/tasks/ _post.yml
  include_tasks: "roles/proxy/tasks/{{ ansible_distribution }}_post.yml"
# sync this with ../../roles/base/overlay/Linux/usr/local/share/scripts/bootstrap_proxy.bash
# no global setting for this now
- name: /etc/wgetrc without proxy
  blockinfile:
    dest: /etc/wgetrc
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
    # the block is only kept while a proxy host is configured
    state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
    # the proxy lines themselves are left commented out; only no_proxy and
    # the CA pinning are active. NOTE(review): the CA path is hard-coded here
    # while proxy_env uses SSL_CERT_FILE|default(PLAY_CA_CERT) — confirm
    # both refer to the same file.
    block: |
      #http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
      #https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
      no_proxy={{ NO_PROXY }}
      ca-certificate = /usr/local/etc/ssl/cacert-testforge.pem
      check_certificate = on
# don't change the environment for everyone with env.d/70proxy
# manually include box_proxy_tor.bash -> ~/bin/tor.sh
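# Export the http/https proxy into the tor helper script.
# Currently disabled (`when: false`); kept for manual use.
- name: proxy http export
  blockinfile:
    dest: "{{ item.dest }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    # apply the per-item mode as well instead of ignoring it
    mode: "{{ item.mode }}"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http"
    state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
    block: |
      export http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
      export https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
      export no_proxy="{{ NO_PROXY }}"
      export RSYNC_PROXY={{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
  with_items:
    - { dest: "{{BASE_SCRIPT_DIR}}/box_proxy_tor.bash", owner: "{{BOX_ROOT_USER}}", group: "{{BOX_ROOT_GROUP}}", mode: "0755" }
  when: false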
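# Export the socks proxy into the tor helper script.
# Currently disabled (`when: false`); kept for manual use.
- name: /usr/local/share/scripts/box_proxy_tor.bash socks
  blockinfile:
    dest: "{{ item.dest }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    # apply the per-item mode as well instead of ignoring it
    mode: "{{ item.mode }}"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy socks"
    state: "{{ 'present' if SOCKS_PROXYHOST != '' else 'absent' }}"
    block: |
      export socks_proxy={{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
  with_items:
    - { dest: "{{BASE_SCRIPT_DIR}}/box_proxy_tor.bash", owner: "{{BOX_ROOT_USER}}", group: "{{BOX_ROOT_GROUP}}", mode: "0644" }
  when: false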
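# Point every privoxy profile at the socks proxy: .i2p names go to the local
# i2p proxy, everything else through socks5t (hostname resolution is left to
# the SOCKS server rather than done locally).
- name: /etc/privoxy/config.whonix socks
  blockinfile:
    dest: "{{ item.dest }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    # apply the per-item mode as well instead of ignoring it
    mode: "{{ item.mode }}"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy socks"
    state: "{{ 'present' if SOCKS_PROXYHOST != '' else 'absent' }}"
    block: |
      # https://tor.stackexchange.com/questions/947/socks-server-with-dynamic-traffic-routing-trought-tor-i2p-depending-on-the-e
      forward .i2p 127.0.0.1:4444
      forward-socks5t / {{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}} .
  with_items:
    - { dest: "/etc/privoxy/config.whonix", owner: "root", group: "root", mode: "0644" }
    - { dest: "/etc/privoxy/config.tor", owner: "root", group: "root", mode: "0644" }
    - { dest: "/etc/privoxy/config.nat", owner: "root", group: "root", mode: "0644" }
    - { dest: "/etc/privoxy/config.selektor", owner: "root", group: "root", mode: "0644" }
  when:
    - SOCKS_PROXYHOST != '' and SOCKS_PROXYPORT != ''
    - "PROXY_MODE|default('') in ['tor', 'whonix', 'selektor']"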
- name: check if /etc/gnupg/gpgconf.conf exists
  stat:
    path: /etc/gnupg/gpgconf.conf
  # the gpgconf.conf task below only runs when this says the file exists
  register: etc_gpgconf_fact
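# Maintain single lines in /etc/gnupg/gpgconf.conf; most items are parked as
# `state: absent` because gpg rejected the option (see the inline notes).
- name: /etc/gnupg/gpgconf.conf
  lineinfile:
    dest: "/etc/gnupg/gpgconf.conf"
    # insertbefore: BOF
    # NOTE(review): 0755 marks a config file executable; 0644 looks intended
    mode: "0755"
    owner: "{{BOX_ROOT_USER}}"
    group: "{{BOX_ROOT_GROUP}}"
    create: true
    state: "{{item.state}}"
    regexp: "^#*{{item.key}} {{item.val}}.*"
    line: "{{item.key}} {{item.val}}{{item.value}}"
  with_items:
    - key: keyserver-options
      val: http-proxy=
      value: "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}"
      # gpg: keyserver option 'https-proxy' is unknown
      state: absent  # "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
    - key: keyserver-options
      val: https-proxy=
      value: "{{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}"
      # gpg: keyserver option 'https-proxy' is unknown
      state: absent  # "{{ 'present' if HTTPS_PROXYHOST != '' else 'absent' }}"
    - key: keyserver
      # NOTE(review): hkp:// is cleartext and the SKS pool behind
      # keys.gnupg.net has been retired, so this may no longer resolve to a
      # working server; an hkps:// keyserver would add transport integrity —
      # confirm before switching, dirmngr.conf may set the keyserver too.
      val: hkp://keys.gnupg.net
      value: ""
      state: "present"
    - key: keyserver-options
      val: verbose
      value: ""
      state: absent  # is unknown "present"
    - key: keyserver-options
      val: "options "
      value: "/etc/dirmngr/dirmngr.conf"
      state: absent  # is unknown "present"
  when:
    - not ansible_check_mode
    - etc_gpgconf_fact.stat.exists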
- name: check if /etc/npmrc exists
  stat:
    path: /etc/npmrc
  # consulted by the /etc/npmrc task at the end of this file
  register: npm_npmrc_fact
#? do I want these in /etc/environment?
# FixMe: harden/templates/etc/example-dnscrypt-proxy.toml
# force_tcp = true
#? ~/.gnupg/gnupg.conf
# https://github.com/riseupnet/riseup_help/issues/294
# keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
# .repo_.gitconfig.json
# handle setting up an ssh server in proxy - for libvirt_qemu (or chroot?)
# sshd: IPv4 only, log to its own file
- name: /etc/conf.d/sshd
  blockinfile:
    dest: "/etc/{{ETC_CONF_D}}/sshd"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK testforge"
    block: |
      SSHD_OPTS="-4 -E /var/log/sshd.log"
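# Move a pre-existing /etc/dirmngr/dirmngr.conf under /etc/gnupg and leave a
# symlink behind (presumably so both locations share one file). The script is
# idempotent; the CHANGED marker gives Ansible a real changed status instead
# of the unconditional "changed" a bare shell task reports.
- name: /etc/dirmngr/dirmngr.conf
  shell: |
    [ -d /etc/dirmngr ] || { mkdir /etc/dirmngr && echo CHANGED; }
    # nothing to do once /etc/dirmngr/dirmngr.conf is already the symlink
    [ -h /etc/dirmngr/dirmngr.conf ] && exit 0
    [ -f /etc/dirmngr/dirmngr.conf ] && [ -h /etc/gnupg/dirmngr.conf ] && exit 0
    [ -f /etc/dirmngr/dirmngr.conf ] && [ ! -f /etc/gnupg/dirmngr.conf ] && \
      mv /etc/dirmngr/dirmngr.conf /etc/gnupg/dirmngr.conf && \
      ln -s /etc/gnupg/dirmngr.conf /etc/dirmngr/dirmngr.conf && echo CHANGED
    exit 0
  register: dirmngr_conf_moved
  changed_when: "'CHANGED' in dirmngr_conf_moved.stdout"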
# NOTE(review): with this `when` the line is only written when BOTH host and
# port are empty, which renders `http-proxy=http://:`; `keyserver-options`
# also appears to be a gpg.conf option, while the dirmngr form
# (`http-proxy host:port`) is written by the http-proxy block further down —
# confirm whether this task is still wanted or should remove the line instead.
- name: /etc/dirmngr/dirmngr.conf
  lineinfile:
    dest: "/etc/dirmngr/dirmngr.conf"
    insertbefore: BOF
    mode: 0755
    owner: "{{BOX_ROOT_USER}}"
    group: "{{BOX_ROOT_GROUP}}"
    create: yes
    regexp: "#*keyserver-options http-proxy.*"
    line: "keyserver-options http-proxy=http://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}"
  when:
    - not ansible_check_mode
    - HTTP_PROXYHOST == '' and HTTP_PROXYPORT == ''
- name: /etc/dirmngr/dirmngr.conf
  lineinfile:
    dest: "/etc/dirmngr/dirmngr.conf"
    mode: "0755"
    owner: "{{BOX_ROOT_USER}}"
    group: "{{BOX_ROOT_GROUP}}"
    create: true
    regexp: "^keyserver-options no-try-dns-srv"
    line: "keyserver-options no-try-dns-srv"
    # ansible_distribution is never 'never': the line is always removed,
    # i.e. the option is parked here switched off
    state: "{{ 'present' if ansible_distribution == 'never' else 'absent' }}"
  when:
    - not ansible_check_mode
- name: /etc/dirmngr/dirmngr.conf dnsmasq
  blockinfile:
    dest: "/etc/dirmngr/dirmngr.conf"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy_post.yml dnsmasq"
    # resolve through the local dnsmasq. NOTE(review): debug-level 5 into a
    # persistent /var/log/dirmngr.log will record keyserver traffic — confirm
    # that verbosity is wanted outside of troubleshooting.
    block: |
      debug-level 5
      log-file /var/log/dirmngr.log
      nameserver 127.0.0.1
  when:
    - not ansible_check_mode
    - "'run_dnsmasq' in PROXY_FEATURES"
# No proxy configured: leave honor-http-proxy commented out.
# NOTE(review): the marker below is also used by the unconditional
# http-proxy task further down, which rewrites this block — confirm intended.
- block:
    - name: /etc/dirmngr/dirmngr.conf no proxy
      blockinfile:
        dest: "/etc/dirmngr/dirmngr.conf"
        # do not create the file just to put a comment in it
        create: false
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http-proxy"
        block: |
          # honor-http-proxy
      # may not exist
      ignore_errors: true
  when:
    - HTTP_PROXYHOST == '' and HTTP_PROXYPORT == ''
# https proxy for dirmngr: both lines stay commented because debian10's
# dirmngr rejects https-proxy; the managed block only records the intent.
- block:
    - name: /etc/dirmngr/dirmngr.conf proxy_post.yml http-https
      blockinfile:
        dest: "{{item}}"
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml https"
        state: "{{ 'present' if HTTPS_PROXYHOST != '' else 'absent' }}"
        block: |
          #! debian10: /etc/dirmngr/dirmngr.conf:3: invalid option
          #! https-proxy {{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
      with_items:
        - /etc/dirmngr/dirmngr.conf
        - /etc/dirmngr/dirmngr.conf.whonix
      # may not exist
      ignore_errors: true
  when:
    - HTTPS_PROXYHOST != '' and HTTPS_PROXYPORT != ''
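# http proxy for dirmngr: honor-http-proxy is written unconditionally, the
# explicit http-proxy line only while a proxy host is configured.
- block:
    - name: /etc/dirmngr/dirmngr.conf proxy_post.yml http-proxy
      blockinfile:
        dest: /etc/dirmngr/dirmngr.conf
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http-proxy"
        block: |
          honor-http-proxy
      # may not exist
      ignore_errors: true
    - name: /etc/dirmngr/dirmngr.conf proxy_post.yml http
      blockinfile:
        dest: /etc/dirmngr/dirmngr.conf
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http"
        state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
        # honor-http-proxy is already written by the task above; repeating it
        # here left dirmngr with a duplicated command (see the note at the top
        # of this file), so this block carries only the explicit proxy.
        block: |
          http-proxy {{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}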
- block:
# FixMe: should be lineinfile
- name: /etc/npmrc with proxy http
blockinfile:
dest: /etc/npmrc
create: false
mode: 0644
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http"
state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
block: |
proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
https-proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
cafile=/usr/local/etc/ssl/cacert-testforge.pem
progress=false
when:
- npm_npmrc_fact.stat.exists == true