# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# Entry point of the proxy role's task list. Announce the include at
# verbosity 1 so ordinary runs stay quiet.
- name: "proxy main.yml CORP_NTLM_PROXY={{ CORP_NTLM_PROXY | default('') }}"
  debug:
    msg: "DEBUG: Including proxy main.yml"
    verbosity: 1
# Load the shared Unix vars, then the per-release vars named
# "<distribution><major version>.yml"; include_vars resolves the relative
# names (expected under the role's vars/ directory).
- name: include proxy by-platform vars
  include_vars: "{{ item }}.yml"
  tags:
    - always
  with_items:
    - Unix
    - "{{ ansible_distribution }}{{ ansible_distribution_major_version }}"
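# Push the role's root overlay onto the target with rsync. Ownership and
# permission bits are deliberately not synced (owner/perms: false) and
# symlinks are copied as their targets (copy_links: true). Skipped in check
# mode and on the connection types listed in PLAY_NORSYNC_CONNECTIONS, where
# the unarchive task below takes over.
- name: "rsync proxy root_overlay"
  synchronize:
    src: "roles/proxy/overlay/{{ item }}/"
    dest: /
    # booleans written canonically (true/false) instead of yes/no
    compress: false
    copy_links: true
    archive: false
    recursive: true
    links: false
    owner: false
    perms: false
    times: true
    rsync_opts: "{{ base_rsync_opts }}"
  with_items:
    - Linux
    - "{{ ansible_distribution }}"
  notify:
    #? - chmod /usr/local
    - update-ca-certificates
  when:
    - not ansible_check_mode
    # FixAns: This remote host is being accessed via chroot instead so it cannot work
    - ansible_connection|default('') not in PLAY_NORSYNC_CONNECTIONS
  tags:
    - always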
# Fallback for connection types where rsync cannot be used (see the rsync
# task above): unpack a prebuilt "<item>.tar" over / instead. The tarball is
# produced by a make step before the play runs. Best-effort: unpack
# failures are tolerated (ignore_errors).
- name: rsync root_overlay - the tar gets made by a make before running
  unarchive:
    src: "{{ item }}.tar"
    dest: /
    owner: "{{ BOX_ROOT_USER }}"
    keep_newer: true
    # extra_opts: "{{ BASE_UNTAR_ARGS }}"
  ignore_errors: true
  with_items:
    - Linux
    - "{{ ansible_distribution }}"
  notify:
    #? - chmod /usr/local
    - update-ca-certificates
  when:
    - not ansible_check_mode
    # FixAns: This remote host is being accessed via chroot instead so it cannot work
    - ansible_connection|default('') in PLAY_NORSYNC_CONNECTIONS
# Record whether the kernel was booted with root=/dev/vda. Only the return
# code in proxy_vda_cmdline_fact matters (presumably read by later tasks —
# it is not used in this file); the task itself never fails.
- name: "grep -q root=/dev/vda /proc/cmdline "
  environment: "{{ shell_proxy_env }}"
  shell: |
    grep -q root=/dev/vda /proc/cmdline
  register: proxy_vda_cmdline_fact
  failed_when: false
  tags:
    - always
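# proxy_mode.yml is expected to establish PROXY_MODE, which later tasks in
# this file test — confirm. Renamed from "proxy post tasks first", which was
# also the name of the next task and made the two indistinguishable in logs.
- name: proxy mode tasks first
  include_tasks: "proxy_mode.yml"

# We are running these tasks here to set the proxy up to download and install packages
- name: proxy post tasks first
  include_tasks: "proxy_post.yml"

# Distribution-specific proxy tasks, one file per ansible_distribution.
- name: include proxy by-platform tasks
  include_tasks: "{{ ansible_distribution }}.yml"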
# Make sure each key in proxy_gpg_keys_system is present in the keyring,
# fetching any that --list-keys does not show. Fetch failures are tolerated.
# NOTE(review): item.uid is passed straight to gpg; if these are short key
# IDs rather than full fingerprints, confirm that is intended.
- name: "proxy gpg keys system"
  # Option --keyserver must be used to
  environment: "{{ shell_proxy_env }}"
  shell: |
    /usr/bin/gpg --list-keys | grep "{{ item.uid }}" || \
    /usr/bin/gpg --recv-keys "{{ item.uid }}"
    # --keyserver "{{ TESTF_GPG_SERVER }}"
    # deprecated - please use the --keyserver in ?dirmngr.conf? instead
  with_items: "{{ proxy_gpg_keys_system }}"
  # FixMe:
  ignore_errors: true
  when:
    - proxy_gpg_keys_system|length > 0
    - BASE_ARE_CONNECTED|default('') != ''
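# Patch pip's own filesystem.py so its "path_uid == 0" ownership test becomes
# an os.access(path, os.W_OK) writability test (presumably so pip accepts
# directories it can write but does not own). A pristine copy is kept next
# to each file as "<file>.dst" and already-backed-up files are skipped, so
# the patch is applied at most once. Always exits 0, so the task never fails.
- name: fix pip
  shell: |
    find /usr/local/lib*/python*/*-packages/pip \
      -name filesystem.py | while read -r file ; do
      [ -f "$file.dst" ] && continue
      cp -p "$file" "$file.dst"
      sed -e 's/path_uid == 0/os.access(path, os.W_OK)/' -i "$file"
    done
    exit 0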
# Apply local patches found under /usr/local/patches/proxy with
# base_patch_from_diff.bash. Currently switched off: the block condition
# starts with a literal false.
- block:
    - name: /usr/local/patches/proxy
      shell: |
        [ -d /usr/local/patches/proxy/ ] || exit 0
        cd /usr/local/patches/proxy/ || exit 1
        ls || exit 2
        /usr/local/sbin/base_patch_from_diff.bash *
  when:
    - false and ansible_distribution == 'Gentoo'
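# Install the Python 2 pips listed in proxy_pips2_inst as BOX_USER_NAME.
# Disabled outright by the leading "false" condition (see the comment in the
# guard); the remaining conditions are kept for when it is re-enabled.
- name: install proxy pips 2
  changed_when: false
  environment: "{{ pip_proxy_env }}"
  pip:
    executable: "{{ BASE_USR_LOCAL }}/bin/pip2.sh"
    state: present
    extra_args: "{{ BASE_PIP_INSTALL_ARGS }} --log {{ BASE_LOG_DIR }}/pip/pip2/proxy.log"
    name: "{{ proxy_pips2_inst }}"
  become: true
  become_user: "{{ BOX_USER_NAME }}"
  notify: shebang after pip
  when:
    - false
    # this must be empty as shebang after pip is in testforge
    - proxy_pips2_inst|length > 0
    - BASE_ARE_CONNECTED|default('') != ''
    - "BASE_PYTHON2_MINOR != ''"
  ignore_errors: "{{ base_pip_ignore_errors }}"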
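# Install the Python 3 pips listed in proxy_pips3_inst as BOX_USER_NAME.
# Disabled outright by the leading "false" condition (see the comment in the
# guard); the remaining conditions are kept for when it is re-enabled.
- name: install proxy pips 3
  changed_when: false
  environment: "{{ pip_proxy_env }}"
  pip:
    executable: "{{ BASE_USR_LOCAL }}/bin/pip3.sh"
    state: present
    extra_args: "{{ BASE_PIP_INSTALL_ARGS }} --log {{ BASE_LOG_DIR }}/pip/pip3/proxy.log"
    name: "{{ proxy_pips3_inst }}"
  become: true
  become_user: "{{ BOX_USER_NAME }}"
  notify: shebang after pip
  when:
    - false
    # this must be empty as shebang after pip is in testforge
    - proxy_pips3_inst|length > 0
    - BASE_ARE_CONNECTED|default('') != ''
  ignore_errors: "{{ base_pip_ignore_errors }}"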
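# Append a stanza to the local.d rc file that records whether the kernel was
# booted with root=/dev/vda (PROXY_IS_VDA holds grep's exit status, 0 = yes).
# The file is created if missing; as written it is group-writable and
# executable (0770).
- name: "/usr/local/etc/local.d/Whonix-Lati.rc"
  blockinfile:
    dest: /usr/local/etc/local.d/Whonix-Lati.rc
    create: true
    # quoted so the YAML parser cannot turn the octal mode into a decimal int
    mode: "0770"
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy main.yml start"
    insertafter: EOF
    block: |
      grep -q root=/dev/vda /proc/cmdline
      PROXY_IS_VDA=$?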
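#? # this should not run as root
# Run the usr_local_python.bash bootstrap from PROXY_USR_LOCAL/src as
# BOX_USER_NAME. It also runs in check mode (check_mode: false), passing the
# word "check" to the script (presumably for a dry run); failures are
# tolerated. The inline-if now has an explicit else so the argument renders
# as an empty string outside check mode on every templating configuration.
# NOTE(review): the guard tests for usr_local_proxy.bash but the script run
# is usr_local_python.bash — confirm which file name is intended.
- name: "/usr/local/src/usr_local_python.bash"
  environment: "{{ shell_proxy_env }}"
  shell: |
    umask 0002
    [ ! -f usr_local_proxy.bash ] && exit 1
    bash usr_local_python.bash \
      {{ 'check' if ansible_check_mode else '' }}
  args:
    chdir: "{{ PROXY_USR_LOCAL }}/src"
  become: true
  become_user: "{{ BOX_USER_NAME }}"
  check_mode: false
  # FixMe:
  ignore_errors: true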
# this should be run as root
# Run "/usr/local/src/<item>.bash" for every entry in the list below. The
# list currently holds only an empty element, so nothing runs until an
# entry is added back (see the commented-out sdwdate line).
- name: run usr_local_src item
  environment: "{{ shell_proxy_env }}"
  shell: |
    umask 0002
    bash /usr/local/src/{{ item }}.bash
  args:
    chdir: "{{ PROXY_USR_LOCAL }}/src"
  with_items:
    # - "{{ 'sdwdate' if ansible_distribution == 'Gentoo' else '' }}"
    - []
  when:
    - item != '' and item != []
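# Enable every service in proxy_services and restart it (state: restarted
# restarts on every run, not only when something changed). Never fails
# (failed_when: false) and is skipped on the connection types listed in
# PLAY_NOSERVICE_CONNECTIONS.
- name: "enable and start services"
  service:
    name: "{{ item }}"
    enabled: true
    state: restarted
  failed_when: false
  with_items: "{{ proxy_services }}"
  when:
    - "item != ''"
    - ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS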
# We are running these tasks here to work around handler issues with include_tasks
- name: "proxy post tasks end"
  include_tasks: proxy_post.yml

# dirmngr.yml is only included when at least one proxy variable is set.
- name: "proxy dirmngr tasks end"
  include_tasks: dirmngr.yml
  when:
    - "http_proxy != '' or https_proxy != '' or socks_proxy != ''"
# Include whonix_host.yml on a Whonix proxy host. In every other mode the
# loop expression yields an empty list, so nothing is included; the guards
# also keep chroot-style connections out.
- name: "whonix host tasks end"
  include_tasks: "{{ LOOP_FILE }}.yml"
  with_items:
    - "{{ 'whonix_host' if (PROXY_MODE == 'whonix' and BOX_WHONIX_PROXY_HOST != '' ) else [] }}"
  loop_control:
    loop_var: LOOP_FILE
  when:
    - LOOP_FILE != '' and LOOP_FILE != []
    - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
# Guest-side Whonix tasks: only for the listed proxy modes and only when the
# host reports itself as a virtualization guest.
- name: "whonix guest tasks end"
  include_tasks: whonix_guest.yml
  when:
    - "PROXY_MODE in ['gateway','ws', 'vda', 'nat']"
    # works?
    - ansible_virtualization_role|replace('NA', 'host') == 'guest'
# Run users.yml once per user — root, the base system users, the extra proxy
# users and, on Gentoo, portage — with the proxy environment and become_user
# applied to the included tasks. Empty entries are skipped.
# NOTE(review): apply sets become_user but not become — confirm the play
# enables become, otherwise the user switch is not performed.
- name: "include_tasks proxy users.yml"
  include_tasks:
    file: users.yml
    apply:
      environment: "{{ proxy_env }}"
      become_user: "{{ LOOP_USER }}"
  loop_control:
    loop_var: LOOP_USER
  with_items:
    # FixMe: need user groups fixing
    - root
    - "{{ base_system_users }}"
    - "{{ proxy_also_users }}"
    - "{{ 'portage' if ansible_distribution == 'Gentoo' else '' }}"
  when:
    - LOOP_USER != [] and LOOP_USER != ''
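# Write the [proxy] section of testforge.ini from the role's proxy variables
# (presumably read by other tooling). Hosts and types are written quoted;
# the ports and PROXY_FEATURES are written bare. Triggers the "update facts"
# handler when the block changes.
- name: /usr/local/etc/testforge/testforge.ini proxy
  blockinfile:
    dest: /usr/local/etc/testforge/testforge.ini
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK ini [proxy]"
    #? PROXY_VAR_LOCAL={{PROXY_VAR_LOCAL}}
    block: |
      [proxy]
      HTTP_PROXYHOST="{{ HTTP_PROXYHOST }}"
      HTTP_PROXYPORT={{HTTP_PROXYPORT}}
      HTTP_PROXYTYPE="{{ HTTP_PROXYTYPE }}"
      HTTPS_PROXYHOST="{{ HTTPS_PROXYHOST }}"
      HTTPS_PROXYPORT={{HTTPS_PROXYPORT}}
      HTTPS_PROXYTYPE="{{ HTTPS_PROXYTYPE }}"
      SOCKS_PROXYHOST="{{ SOCKS_PROXYHOST }}"
      SOCKS_PROXYPORT={{SOCKS_PROXYPORT}}
      SOCKS_PROXYTYPE="{{ SOCKS_PROXYTYPE }}"
      NO_PROXY="{{ NO_PROXY }}"
      CORP_PROXY_PAC="{{ CORP_PROXY_PAC|default('') }}"
      CORP_NTLM_PROXY="{{ CORP_NTLM_PROXY|default('') }}"
      PROXY_FEATURES={{ PROXY_FEATURES }}
      PROXY_DNS_PROXY="{{ PROXY_DNS_PROXY }}"
      PROXY_DNS_NETMAN="{{ PROXY_DNS_NETMAN }}"
      PROXY_HTTP_PROXY_NAME="{{ PROXY_HTTP_PROXY_NAME|default('privoxy')}}"
      PROXY_HTTP_PROXY_PORT="{{ PROXY_HTTP_PROXY_PORT|default(3128)}}"
      PROXY_HTTP_PROXY_HOST="{{ PROXY_HTTP_PROXY_HOST|default('127.0.0.1')}}"
  notify: update facts
  #? PLAY_PIP_CACHE="{{BASE_USR_LOCAL}}/net/Cache/Pip"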
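# Write the [gitconfig] section of testforge.ini. The "true or ..." guard
# means this always runs; the CORP_NTLM_PROXY test only documents when it
# was originally meant to apply. Triggers the "update facts" handler.
- name: /usr/local/etc/testforge/testforge.ini proxy gitconfig
  blockinfile:
    dest: /usr/local/etc/testforge/testforge.ini
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy main.yml"
    block: |
      [gitconfig]
      # FixMe: this may not be needed
      GIT_ALLOW_PROTOCOL="https"
      # This may not be needed if you put it in ~/.gitconfig
      GIT_SSL_CAINFO="/usr/local/etc/ssl/cacert-testforge.pem"
      # FixMe: this may not be needed
      # GIT_PROTOCOL_COMMAND="/usr/local/bin/gitproxy.bash"
  when:
    - true or CORP_NTLM_PROXY|default('') != ''
  notify: update facts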
# On Whonix/Gentoo VM guests, look up the address tagged "external" in the
# controller's own /etc/hosts (delegate_to: localhost) and publish it as
# BASE_EXTERNAL_IP. Both steps run in check mode too.
# NOTE(review): rc is the pipeline's (sed's) status, so a missing "external"
# entry still gives rc 0 and sets BASE_EXTERNAL_IP to "" — confirm consumers
# accept an empty value.
- block:
    - name: external
      delegate_to: localhost
      check_mode: false
      shell: |
        grep ' external$' /etc/hosts | sed -e 's/ .*//'
      register: external_out

    - name: BASE_EXTERNAL_IP
      check_mode: false
      set_fact:
        BASE_EXTERNAL_IP: "{{ external_out.stdout }}"
      when: external_out.rc|default(1) == 0
  when:
    - "ansible_virtualization_role|replace('NA', 'host') == 'guest'"
    - BOX_OS_FLAVOR|default('') in [ 'WhonixWorkstation', 'WhonixGateway', 'Gentoo']
# DNS proxy tasks are only relevant when a DNS proxy is configured.
- name: "include dns.yml tasks"
  include_tasks: dns.yml
  when:
    - PROXY_DNS_PROXY != ''

# wicd support is switched off (the condition is a literal false).
- name: "include wicd.yml tasks"
  include_tasks: wicd.yml
  when:
    - false
# Snapshot the listening TCP sockets into proxy_netstat_nlp_fact for later
# (daily) checks. The result is only registered, never asserted, so the
# task cannot fail.
# NOTE(review): net-tools netstat takes the address family as --inet or
# "-A inet"; the bare "inet" after -t looks accidental — confirm the
# command produces the expected output.
- name: "find listening sockets for daily"
  environment: "{{ shell_proxy_env }}"
  shell: |
    netstat -t inet -npl | grep LISTEN
  failed_when: false
  register: proxy_netstat_nlp_fact
  tags:
    - always
# Hourly proxy tasks, run with the shell proxy environment applied to the
# included tasks. Tagged "always" on both the include and the applied
# tasks so tag filtering cannot skip them.
- name: proxy hourly include_tasks
  include_tasks:
    file: hourly.yml
    apply:
      environment: "{{ shell_proxy_env }}"
      tags:
        - always
  tags:
    - always
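# maybe should be in testforge but may use them early

# Stat the system JVM's net.properties (presumably where Java proxy settings
# are kept), skipped in check mode. Written in native block YAML rather than
# the key=value string form.
# NOTE(review): the register name (etc_x11_xsession_d) does not match what
# is stat'ed and the result is not used in this file — confirm it is
# consumed elsewhere before renaming it.
- name: stat the system JVM net.properties
  stat:
    path: /etc/java-config-2/current-system-vm/jre/lib/net.properties
  register: etc_x11_xsession_d
  when:
    - not ansible_check_mode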
# Count the lines of "arp -i wlan7 | tail -n -1" and exit non-zero with that
# count unless it is exactly 1. Note the status tested by "$?" is the
# pipeline's last command (wc), and a count of 0 makes "exit $a" succeed.
# There is no failed_when/ignore_errors, so a count above 1 aborts the play.
# NOTE(review): the interface name is hard-coded — confirm wlan7 exists on
# every host this role targets.
- name: "check arp length"
  environment: "{{ shell_proxy_env }}"
  shell: |
    a=$(arp -i wlan7|tail -n -1|wc -l)
    [ $? -eq 0 ] || exit 1
    [ $a -eq 1 ] || exit $a
    exit 0
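# Fail when dnscrypt-proxy's recent log shows it could not bind its
# listening address. The previous test was inverted (it failed when the
# message was absent); the error is now raised only when grep matches, and
# the task succeeds otherwise.
# NOTE(review): the guard waits on testforge_netstat_nlp_fact, but this file
# registers proxy_netstat_nlp_fact — confirm which fact is intended, or the
# task may never run.
- name: "dnscrypt-proxy address already in use"
  shell: |
    if tail -100 '{{ PROXY_VAR_LOCAL }}/var/log/dnscrypt-proxy.log' | grep -q 'bind: address already in use' ; then
      echo 'ERROR: dnscrypt-proxy address already in use' ; exit 1
    fi
  when:
    - not ansible_check_mode
    - PROXY_DNS_PROXY == "dnscrypt"
    - PROXY_DNS_PORT != ''
    - BASE_ARE_CONNECTED|default('') != ''
    - testforge_netstat_nlp_fact is defined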
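# FixMe: /etc/systemd/system/sntp.service.d/00gentoo.conf
# Manage the testforge block of /etc/ntp.conf when ntp is the time daemon:
# deny all clients by default, allow localhost, and list PROXY_NTP_SERVERS
# as upstream servers. The old trailing "# {{ ...|join('\n') }}" line was
# replaced by a Jinja comment: join('\n') rendered real newlines, so every
# server after the first landed in ntp.conf as an unprefixed line.
# NOTE(review): "restrict default ignore" also drops replies from the listed
# servers unless each gets its own restrict line — confirm time sync works.
- name: /etc/ntp.conf
  blockinfile:
    dest: /etc/ntp.conf
    marker: "# {mark} ANSIBLE MANAGED BLOCK testforge"
    # quoted so the YAML parser cannot turn the octal mode into a decimal int
    mode: "0640"
    owner: "{{ BOX_ROOT_USER }}"
    # group: ntp
    create: true
    block: |
      # conf.d interface ignore all wlan7

      # If you want to deny all machines (including your own)
      # from accessing the NTP server, uncomment:
      restrict default ignore

      # Default configuration:
      # - Allow only time queries, at a limited rate, sending KoD when in excess.
      # - Allow all local queries (IPv4, IPv6)
      #restrict default nomodify nopeer noquery limited kod
      restrict 127.0.0.1
      restrict [::1]

      # You do need to talk to an NTP server or two (or three).
      {% for elt in PROXY_NTP_SERVERS %}
      server {{ elt }}
      {% endfor %}
      {# PROXY_NTP_SERVERS is rendered by the loop above #}
  when:
    - "BOX_TIME_DAEMON == 'ntp'"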
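# Refresh apt metadata on Debian-family hosts when /var/log/dpkg.log is
# absent, using raw (presumably so it works before Python is installed).
# Best-effort: errors are ignored and it also runs in check mode.
- name: apt-get update
  raw: |
    [ -f /var/log/dpkg.log ] || apt-get update
  when:
    # 'Devuan' was previously misspelled 'Deuvan' and could never match
    - ansible_distribution in ['Ubuntu', 'Debian', 'Devuan']
    - BASE_ARE_CONNECTED|default('') != ''
  ignore_errors: true
  check_mode: false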
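# Same pattern as "proxy gpg keys system" above, for base_gpg_keys_system and
# with an explicit keyserver. The guard now tests the list that is actually
# iterated (it previously tested proxy_gpg_keys_system); default([]) keeps
# the guard safe when the variable is unset. Fetch failures are tolerated.
# NOTE(review): item.uid goes straight to gpg --recv-keys; confirm the
# entries are full fingerprints rather than short key IDs.
- name: base gpg keys system
  # Option --keyserver must be used to
  environment: "{{ shell_env }}"
  shell: |
    /usr/bin/gpg --list-keys | grep "{{ item.uid }}" || \
    /usr/bin/gpg --recv-keys "{{ item.uid }}" --keyserver "{{ BASE_GPG_SERVER }}"
  with_items: "{{ base_gpg_keys_system }}"
  when:
    - base_gpg_keys_system|default([])|length > 0
    - BASE_ARE_CONNECTED|default('') != ''
  # FixMe:
  ignore_errors: true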