proxy_role/tasks/main.yml
2024-01-09 15:35:38 +00:00

424 lines
12 KiB
YAML

# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
- name: "proxy main.yml CORP_NTLM_PROXY={{ CORP_NTLM_PROXY | default('') }}"
debug:
verbosity: 1
msg: "DEBUG: Including proxy main.yml"
- name: include proxy by-platform vars
include_vars: "{{item}}.yml"
with_items:
- Unix
- "{{ ansible_distribution }}{{ ansible_distribution_major_version }}"
tags: always
- name: "rsync proxy root_overlay"
synchronize:
src: "roles/proxy/overlay/{{item}}/"
dest: /
compress: no
copy_links: yes
archive: no
recursive: yes
links: no
owner: no
perms: no
times: yes
rsync_opts: "{{base_rsync_opts}}"
with_items:
- Linux
- "{{ ansible_distribution }}"
notify:
#? - chmod /usr/local
- update-ca-certificates
when:
- not ansible_check_mode
# FixAns: This remote host is being accessed via chroot instead so it cannot work
- ansible_connection|default('') not in PLAY_NORSYNC_CONNECTIONS
tags:
- always
- name: rsync root_overlay - the tar gets made by a make before running
unarchive:
dest: /
src: "{{item}}.tar"
keep_newer: true
owner: "{{BOX_ROOT_USER}}"
# extra_opts: "{{ BASE_UNTAR_ARGS }}"
ignore_errors: true
with_items:
- Linux
- "{{ ansible_distribution }}"
notify:
#? - chmod /usr/local
- update-ca-certificates
when:
- not ansible_check_mode
# FixAns: This remote host is being accessed via chroot instead so it cannot work
- ansible_connection|default('') in PLAY_NORSYNC_CONNECTIONS
- name: "grep -q root=/dev/vda /proc/cmdline "
environment: "{{ shell_proxy_env }}"
shell: |
grep -q root=/dev/vda /proc/cmdline
failed_when: false
register: proxy_vda_cmdline_fact
tags:
- always
- name: proxy post tasks first
include_tasks: "proxy_mode.yml"
# We are running these tasks here to set the proxy up to download and install packages
- name: proxy post tasks first
include_tasks: "proxy_post.yml"
- name: include proxy by-platform tasks
include_tasks: "{{ ansible_distribution }}.yml"
- name: "proxy gpg keys system"
# Option --keyserver must be used to
environment: "{{ shell_proxy_env }}"
shell: |
/usr/bin/gpg --list-keys | grep "{{ item.uid }}" || \
/usr/bin/gpg --recv-keys "{{ item.uid }}"
# --keyserver "{{ TESTF_GPG_SERVER }}"
# deprecated - please use the --keyserver in ?dirmngr.conf? instead
with_items: "{{ proxy_gpg_keys_system }}"
when:
- proxy_gpg_keys_system|length > 0
- BASE_ARE_CONNECTED|default('') != ''
# FixMe:
ignore_errors: true
- name: fix pip
shell: |
find /usr/local/lib*/python*/*-packages/pip \
-name filesystem.py | while read file ; do
[ -f $file.dst ] && continue
cp -p $file $file.dst
sed -e 's/path_uid == 0/os.access(path, os.W_OK)/' -i $file
done
exit 0
- block:
- name: /usr/local/patches/proxy
shell: |
[ -d /usr/local/patches/proxy/ ] || exit 0
cd /usr/local/patches/proxy/ || exit 1
ls || exit 2
/usr/local/sbin/base_patch_from_diff.bash *
when:
- false and ansible_distribution == 'Gentoo'
- name: install proxy pips 2
changed_when: false
environment: "{{pip_proxy_env}}"
pip:
executable: "{{BASE_USR_LOCAL}}/bin/pip2.sh"
state: present
extra_args: "{{BASE_PIP_INSTALL_ARGS}} --log {{BASE_LOG_DIR}}/pip/pip2/proxy.log"
name: "{{ proxy_pips2_inst }}"
become: yes
become_user: "{{ BOX_USER_NAME }}"
notify: shebang after pip
when:
- false
# this must be empty aas shebang after pip is in testforge
- proxy_pips2_inst|length > 0
- BASE_ARE_CONNECTED|default('') != ''
- "BASE_PYTHON2_MINOR != ''"
ignore_errors: "{{ base_pip_ignore_errors }}"
- name: install proxy pips 3
changed_when: false
environment: "{{pip_proxy_env}}"
pip:
executable: "{{BASE_USR_LOCAL}}/bin/pip3.sh"
state: present
extra_args: "{{BASE_PIP_INSTALL_ARGS}} --log {{BASE_LOG_DIR}}/pip/pip3/proxy.log"
name: "{{ proxy_pips3_inst }}"
become: yes
become_user: "{{ BOX_USER_NAME }}"
notify: shebang after pip
when:
- false
# this must be empty aas shebang after pip is in testforge
- proxy_pips3_inst|length > 0
- BASE_ARE_CONNECTED|default('') != ''
ignore_errors: "{{ base_pip_ignore_errors }}"
- name: "/usr/local/etc/local.d/Whonix-Lati.rc"
blockinfile:
dest: /usr/local/etc/local.d/Whonix-Lati.rc
create: yes
mode: 0770
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy main.yml start"
insertafter: EOF
block: |
grep -q root=/dev/vda /proc/cmdline
PROXY_IS_VDA=$?
#? # this should not run as root
- name: "/usr/local/src/usr_local_python.bash"
environment: "{{ shell_proxy_env }}"
shell: |
umask 0002
[ ! -f usr_local_proxy.bash ] && exit 1
bash usr_local_python.bash \
{{ 'check' if ansible_check_mode }}
args:
chdir: "{{PROXY_USR_LOCAL}}/src"
become: yes
become_user: "{{ BOX_USER_NAME }}"
check_mode: false
# FixMe:
ignore_errors: true
# this should be run as root
- name: run usr_local_src item
environment: "{{ shell_proxy_env }}"
shell: |
umask 0002
bash /usr/local/src/{{item}}.bash
args:
chdir: "{{ PROXY_USR_LOCAL }}/src"
when:
- item != '' and item != []
with_items:
# - "{{ 'sdwdate' if ansible_distribution == 'Gentoo' else '' }}"
- []
- name: "enable and start services"
service:
name: "{{ item }}"
enabled: yes
state: restarted
failed_when: false
when:
- "item != ''"
- ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS
with_items: "{{ proxy_services }}"
# We are running these tasks here to work around handler issues with include_tasks
- name: "proxy post tasks end"
include_tasks: "proxy_post.yml"
- name: "proxy dirmngr tasks end"
include_tasks: "dirmngr.yml"
when:
- "http_proxy != '' or https_proxy != '' or socks_proxy != ''"
- name: "whonix host tasks end"
include_tasks: "{{LOOP_FILE}}.yml"
when:
- LOOP_FILE != '' and LOOP_FILE != []
- ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
with_items:
- "{{ 'whonix_host' if (PROXY_MODE == 'whonix' and BOX_WHONIX_PROXY_HOST != '' ) else [] }}"
loop_control:
loop_var: LOOP_FILE
- name: "whonix guest tasks end"
include_tasks: "whonix_guest.yml"
when:
- "PROXY_MODE in ['gateway','ws', 'vda', 'nat']"
# works?
- ansible_virtualization_role|replace('NA', 'host') == 'guest'
- name: "include_tasks proxy users.yml"
include_tasks:
file: "users.yml"
apply:
environment: "{{ proxy_env }}"
become_user: "{{ LOOP_USER }}"
when:
- LOOP_USER != [] and LOOP_USER != ''
with_items:
# FixMe: need user groups fixing
- root
- "{{ base_system_users }}"
- "{{ proxy_also_users }}"
- "{{ 'portage' if ansible_distribution == 'Gentoo' else '' }}"
loop_control:
loop_var: LOOP_USER
- name: /usr/local/etc/testforge/testforge.ini proxy
blockinfile:
dest: /usr/local/etc/testforge/testforge.ini
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK ini [proxy]"
#? PROXY_VAR_LOCAL={{PROXY_VAR_LOCAL}}
block: |
[proxy]
HTTP_PROXYHOST="{{ HTTP_PROXYHOST }}"
HTTP_PROXYPORT={{HTTP_PROXYPORT}}
HTTP_PROXYTYPE="{{ HTTP_PROXYTYPE }}"
HTTPS_PROXYHOST="{{ HTTPS_PROXYHOST }}"
HTTPS_PROXYPORT={{HTTPS_PROXYPORT}}
HTTPS_PROXYTYPE="{{ HTTPS_PROXYTYPE }}"
SOCKS_PROXYHOST="{{ SOCKS_PROXYHOST }}"
SOCKS_PROXYPORT={{SOCKS_PROXYPORT}}
SOCKS_PROXYTYPE="{{ SOCKS_PROXYTYPE }}"
NO_PROXY="{{ NO_PROXY }}"
CORP_PROXY_PAC="{{ CORP_PROXY_PAC|default('') }}"
CORP_NTLM_PROXY="{{ CORP_NTLM_PROXY|default('') }}"
PROXY_FEATURES={{ PROXY_FEATURES }}
PROXY_DNS_PROXY="{{ PROXY_DNS_PROXY }}"
PROXY_DNS_NETMAN="{{ PROXY_DNS_NETMAN }}"
PROXY_HTTP_PROXY_NAME="{{ PROXY_HTTP_PROXY_NAME|default('privoxy')}}"
PROXY_HTTP_PROXY_PORT="{{ PROXY_HTTP_PROXY_PORT|default(3128)}}"
PROXY_HTTP_PROXY_HOST="{{ PROXY_HTTP_PROXY_HOST|default('127.0.0.1')}}"
notify: update facts
#? PLAY_PIP_CACHE="{{BASE_USR_LOCAL}}/net/Cache/Pip"
- name: /usr/local/etc/testforge/testforge.ini proxy gitconfig
blockinfile:
dest: /usr/local/etc/testforge/testforge.ini
create: yes
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy main.yml"
block: |
[gitconfig]
# FixMe: this may not be needed
GIT_ALLOW_PROTOCOL="https"
# This may not be needed if you put it in ~/.gitconfig
GIT_SSL_CAINFO="/usr/local/etc/ssl/cacert-testforge.pem"
# FixMe: this may not be needed
# GIT_PROTOCOL_COMMAND="/usr/local/bin/gitproxy.bash"
when:
- true or CORP_NTLM_PROXY|default('') != ''
notify: update facts
- block:
- name: external
delegate_to: localhost
shell: |
grep ' external$' /etc/hosts | sed -e 's/ .*//'
register: external_out
check_mode: false
- name: BASE_EXTERNAL_IP
set_fact:
BASE_EXTERNAL_IP: "{{external_out.stdout}}"
when: external_out.rc|default(1) == 0
check_mode: false
when:
- "ansible_virtualization_role|replace('NA', 'host') == 'guest'"
- BOX_OS_FLAVOR|default('') in [ 'WhonixWorkstation', 'WhonixGateway', 'Gentoo']
- name: "include dns.yml tasks"
include_tasks: "dns.yml"
when:
- PROXY_DNS_PROXY != ''
- name: "include wicd.yml tasks"
include_tasks: "wicd.yml"
when:
- false
- name: "find listening sockets for daily"
environment: "{{ shell_proxy_env }}"
shell: |
netstat -t inet -npl | grep LISTEN
register: proxy_netstat_nlp_fact
failed_when: false
tags:
- always
- name: proxy hourly include_tasks
include_tasks:
file: "hourly.yml"
apply:
environment: "{{ shell_proxy_env }}"
tags:
- always
tags:
- always
# maybe should be in testforge but may use them early
- stat: path=/etc/java-config-2/current-system-vm/jre/lib/net.properties
register: etc_x11_xsession_d
when:
- not ansible_check_mode
- name: "check arp length"
environment: "{{ shell_proxy_env }}"
shell: |
a=`arp -i wlan7|tail -n -1|wc -l`
[ $? -eq 0 ] || exit 1
[ $a -eq 1 ] || exit $a
exit 0
- name: "dnscrypt-proxy address already in use"
shell: |
tail -100 '{{PROXY_VAR_LOCAL}}/var/log/dnscrypt-proxy.log' | grep -q 'bind: address already in use' || \
{ echo 'ERROR: dnscrypt-proxy address already in use' ; exit 1 ; }
when:
- not ansible_check_mode
- PROXY_DNS_PROXY == "dnscrypt"
- PROXY_DNS_PORT != ''
- BASE_ARE_CONNECTED|default('') != ''
- testforge_netstat_nlp_fact is defined
# FixMe: /etc/systemd/system/sntp.service.d/00gentoo.conf
- name: /etc/ntp.conf
blockinfile:
dest: /etc/ntp.conf
marker: "# {mark} ANSIBLE MANAGED BLOCK testforge"
mode: 0640
owner: "{{BOX_ROOT_USER}}"
# group: ntp
create: yes
block: |
# conf.d interface ignore all wlan7
# If you want to deny all machines (including your own)
# from accessing the NTP server, uncomment:
restrict default ignore
# Default configuration:
# - Allow only time queries, at a limited rate, sending KoD when in excess.
# - Allow all local queries (IPv4, IPv6)
#restrict default nomodify nopeer noquery limited kod
restrict 127.0.0.1
restrict [::1]
# You do need to talk to an NTP server or two (or three).
{% for elt in PROXY_NTP_SERVERS %}
server {{ elt }}
{% endfor %}
# {{ PROXY_NTP_SERVERS|join('\n') }}
when:
- "BOX_TIME_DAEMON == 'ntp'"
- name: apt-get update
raw: |
[ -f /var/log/dpkg.log ] || apt-get update
when:
- ansible_distribution in ['Ubuntu', 'Debian', 'Deuvan']
- BASE_ARE_CONNECTED|default('') != ''
ignore_errors: true
check_mode: false
- name: base gpg keys system
# Option --keyserver must be used to
environment: "{{ shell_env }}"
shell: |
/usr/bin/gpg --list-keys | grep "{{ item.uid }}" || \
/usr/bin/gpg --recv-keys "{{ item.uid }}" --keyserver "{{ BASE_GPG_SERVER }}"
with_items: "{{ base_gpg_keys_system }}"
when:
- proxy_gpg_keys_system|length > 0
- BASE_ARE_CONNECTED|default('') != ''
# FixMe:
ignore_errors: true