# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
---
# NB - dirmngr fails incomprehensibly if there are repeated commands in conf
# Trace marker: shows up only on verbose runs (-v) so the log records that
# this task file was reached.
- name: "DEBUG: proxy proxy_post.yml"
  debug:
    msg: "DEBUG: Including proxy proxy_post.yml"
    verbosity: 1
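# /etc/cntlm.conf comes with the cntlm package, so its absence is taken to mean
# cntlm is not installed; the cntlm block below is gated on this fact.
# Written in block form rather than "path=..." key=value shorthand.
- name: if there is no /etc/cntlm.conf it has not been installed
  stat:
    path: /etc/cntlm.conf
  register: cntlm_conf_fact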
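# Configure cntlm as a local NTLM-authenticating forwarder and, when it comes
# up, point the HTTP(S)/SOCKS proxy facts at it; otherwise fall back to the
# upstream NTLM proxy directly.  Runs only when an NTLM proxy port is set and
# /etc/cntlm.conf exists (cntlm installed).
- block:
    # cntlm.conf takes bare "Key value" lines; the values are written without
    # surrounding quotes on purpose so double quotes do not end up in the file.
    # The loop carries MY_CORP_PASS, so the task is no_log to keep the
    # credential out of play output and log files.
    # NOTE(review): /etc/cntlm.conf then holds the NTLM password in clear
    # text and no mode/owner is set here, so the package default permissions
    # apply — confirm they are restrictive enough.
    - lineinfile:
        dest: /etc/cntlm.conf
        regexp: "^#* *{{ item.name }}.*"
        line: "{{ item.name }} {{ item.val }}"
        state: present
      no_log: true
      with_items:
        - name: Username
          val: "{{ MY_CORP_USER }}"
        - name: Domain
          val: "{{ MY_CORP_DOMAIN }}"
        - name: Password
          val: "{{ MY_CORP_PASS }}"
        - name: Proxy
          val: "{{ NTLM_PROXYHOST }}:{{ NTLM_PROXYPORT }}"
        - name: NoProxy
          val: "{{ NO_PROXY }}"
        - name: Listen
          val: "{{ CNTLM_BIND_IP }}:{{ CNTLM_HTTP_PORT }}"
        - name: SOCKS5Proxy
          val: "{{ CNTLM_SOCKS_PORT }}"

    # Remove any remaining "Proxy ...:8080" lines (presumably the sample
    # entries shipped in the default cntlm.conf) so only the configured
    # upstream is left.
    # NOTE(review): this also removes the Proxy line written above if
    # NTLM_PROXYPORT happens to be 8080 — confirm that port is never used.
    - lineinfile:
        dest: /etc/cntlm.conf
        regexp: "^Proxy.*8080"
        state: absent

    # A failed restart is tolerated (failed_when: false) so the fallback
    # below can select the upstream proxy instead.  Skipped for chroot-style
    # connections, where there is no service manager to talk to.
    - name: enable and start cntlm
      service:
        name: cntlm
        enabled: true
        state: restarted
      register: retval
      failed_when: false
      when: ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS

    # FixMe: test to see if cntlm has started — the pid file stands in for
    # "running" here.
    - stat:
        path: "{{ cntlm_pid_file }}"
      register: cntlm_pid

    # only if its started do we override: route everything through the local
    # cntlm listener.  Plain mapping form instead of a folded "K=V" scalar,
    # where the inline "#" notes were not comments but part of the value.
    - name: override HTTP_PROXY with retval is success
      set_fact:
        HTTP_PROXY: "http://127.0.0.1:{{ CNTLM_HTTP_PORT }}"
        HTTP_PROXYHOST: "127.0.0.1"
        # the local listener port (cntlm "Listen" above), not the upstream
        # NTLM port — consumers rebuild HOST:PORT from these two facts
        HTTP_PROXYPORT: "{{ CNTLM_HTTP_PORT }}"
        HTTP_PROXYTYPE: "http"
        HTTPS_PROXY: "http://127.0.0.1:{{ CNTLM_HTTP_PORT }}"
        HTTPS_PROXYHOST: "127.0.0.1"
        HTTPS_PROXYPORT: "{{ CNTLM_HTTP_PORT }}"
        HTTPS_PROXYTYPE: "http"
        # this works with cntlm as we configured it (SOCKS5Proxy in cntlm.conf)
        SOCKS_PROXY: "socks5://127.0.0.1:{{ CNTLM_SOCKS_PORT }}"
        SOCKS_PROXYHOST: "127.0.0.1"
        SOCKS_PROXYPORT: "{{ CNTLM_SOCKS_PORT }}"
        SOCKS_PROXYTYPE: "socks5"
      # NOTE(review): the service module does not normally return rc, so
      # default(0) makes this fire whenever the pid file exists — confirm.
      when: retval.rc|default(0) == 0 and cntlm_pid.stat.exists

    # Fallback: cntlm is not up, so talk to the upstream NTLM proxy directly.
    - name: override HTTP_PROXY with retval is failed
      set_fact:
        HTTP_PROXY: "http://{{ NTLM_PROXYHOST }}:{{ NTLM_PROXYPORT }}"
        HTTP_PROXYHOST: "{{ NTLM_PROXYHOST }}"
        HTTP_PROXYPORT: "{{ NTLM_PROXYPORT }}"
        HTTP_PROXYTYPE: "http"
        HTTPS_PROXY: "http://{{ NTLM_PROXYHOST }}:{{ NTLM_PROXYPORT }}"
        HTTPS_PROXYHOST: "{{ NTLM_PROXYHOST }}"
        HTTPS_PROXYPORT: "{{ NTLM_PROXYPORT }}"
        HTTPS_PROXYTYPE: "http"
        # dunno if this works — assumes a SOCKS5 service on the upstream host
        # at 9050; nothing here verifies that.
        SOCKS_PROXY: "socks5://{{ NTLM_PROXYHOST }}:9050"
        SOCKS_PROXYHOST: "{{ NTLM_PROXYHOST }}"
        SOCKS_PROXYPORT: "9050"
        SOCKS_PROXYTYPE: "socks5"
      # NOTE(review): the first disjunct reads "== 0" (service succeeded),
      # while the task name suggests "!= 0".  Left as written: with
      # default(1) a "!=" would fire on every run where rc is absent.
      when: retval.rc|default(1) == 0 or not cntlm_pid.stat.exists

    #? does retval.rc exist?
    - debug:
        msg: "proxy/tasks/main.yml cntlm.rc={{cntlm_pid.stat.exists}} HTTP_PROXY={{ HTTP_PROXY }}"

  when: NTLM_PROXYPORT != '' and cntlm_conf_fact.stat.exists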
# Environment maps consumed by later roles.  proxy_env routes traffic through
# the proxy facts computed above; no_proxy_env points every proxy variable at
# a local port (presumably with nothing listening) so tools cannot reach out.
- name: gather the http_proxy information together for subsequent roles
  set_fact:
    proxy_env:
      TERM: "linux"
      http_proxy: "{{ HTTP_PROXY }}"
      https_proxy: "{{ HTTPS_PROXY }}"
      # ftp is sent through the HTTP proxy as well
      ftp_proxy: "{{ HTTP_PROXY }}"
      socks_proxy: "{{ SOCKS_PROXY }}"
      no_proxy: "{{ NO_PROXY }}"
      # CA bundle for TLS verification; falls back to the play-wide CA cert
      SSL_CERT_FILE: "{{ SSL_CERT_FILE|default(PLAY_CA_CERT) }}"
      # rsync expects host:port without a scheme
      RSYNC_PROXY: "{{ HTTP_PROXY|replace('http://', '') }}"
    no_proxy_env:
      TERM: "linux"
      http_proxy: "http://127.0.0.1:9999"
      https_proxy: "http://127.0.0.1:9999"
      ftp_proxy: "ftp://127.0.0.1:9999"
      socks_proxy: "socks4://127.0.0.1:9999"
      no_proxy: "{{ NO_PROXY|default('127.0.0.1,localhost') }}"
      RSYNC_PROXY: "http://127.0.0.1:9999"
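# Merge the proxy / no-proxy maps with the base shell environment (shell_env
# is defined outside this file).  apt additionally gets RUNLEVEL=1 —
# presumably to stop service start-ups during package installs; confirm.
- set_fact:
    # allowed out {'PATH': PATH, 'PYTHONPATH': '' }
    shell_proxy_env: "{{ proxy_env|combine(shell_env) }}"
    # forbidden out {'PATH': PATH, 'PYTHONPATH': '' }
    shell_no_proxy_env: "{{ no_proxy_env|combine(shell_env) }}"
    apt_env:
      # quoted: environment values are strings, an unquoted 1 is a YAML int
      RUNLEVEL: "1"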
# Per-tool views of the proxied environment.  They are aliases today; keeping
# them separate lets one tool get its own map later without touching callers.
- set_fact:
    apt_proxy_env: "{{ proxy_env|combine(apt_env) }}"
    portage_proxy_env: "{{ shell_proxy_env }}"
    # we're letting pip out to install but with --nodeps
    # so that we must list prerequisites explicitly
    # and to prevent it from having a free hand.
    pip_proxy_env: "{{ shell_proxy_env }}"
#- name: "roles/proxy/tasks/main.yml"
|
|
# debug: msg="roles/proxy/tasks/main.yml NTLM_PROXYPORT={{ NTLM_PROXYPORT }}"
# Distribution-specific follow-up; the file is picked by ansible_distribution
# at run time, so one "<Distribution>_post.yml" per supported distro is expected.
- name: roles/proxy/tasks/ _post.yml
  include_tasks: "roles/proxy/tasks/{{ ansible_distribution }}_post.yml"
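# sync this with ../../roles/base/overlay/Linux/usr/local/share/scripts/bootstrap_proxy.bash
# no global setting for this now: the proxy lines stay commented out, only
# no_proxy and the CA / certificate-check settings are written.  The block is
# removed again when no proxy host is configured.
- name: /etc/wgetrc without proxy
  blockinfile:
    dest: /etc/wgetrc
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
    state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
    # NOTE(review): the CA path is hard-coded here while proxy_env uses
    # SSL_CERT_FILE|default(PLAY_CA_CERT); confirm both point at the same bundle.
    block: |
      #http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
      #https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
      no_proxy={{ NO_PROXY }}
      ca-certificate = /usr/local/etc/ssl/cacert-testforge.pem
      check_certificate = on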
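# dont change the environment for everyone with env.d/70proxy
# manually include box_proxy_tor.bash -> ~/bin/tor.sh
# Disabled with "when: false"; kept for reference.
- name: proxy http export
  blockinfile:
    dest: "{{ item.dest }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http"
    state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
    block: |
      export http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
      export https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
      export no_proxy="{{ NO_PROXY }}"
      export RSYNC_PROXY={{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
  with_items:
    # NOTE(review): item.mode is listed but not passed to the module
    - dest: "{{ BASE_SCRIPT_DIR }}/box_proxy_tor.bash"
      owner: "{{ BOX_ROOT_USER }}"
      group: "{{ BOX_ROOT_GROUP }}"
      mode: "0755"
  when: false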
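# SOCKS counterpart of the export above; also disabled with "when: false".
- name: /usr/local/share/scripts/box_proxy_tor.bash socks
  blockinfile:
    dest: "{{ item.dest }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy socks"
    state: "{{ 'present' if SOCKS_PROXYHOST != '' else 'absent' }}"
    block: |
      export socks_proxy={{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
  with_items:
    # NOTE(review): item.mode is listed but not passed to the module
    - dest: "{{ BASE_SCRIPT_DIR }}/box_proxy_tor.bash"
      owner: "{{ BOX_ROOT_USER }}"
      group: "{{ BOX_ROOT_GROUP }}"
      mode: "0644"
  when: false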
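# Point every privoxy profile at the SOCKS proxy: .i2p names go to a local
# service on 4444, everything else through SOCKS5 with remote name resolution
# (privoxy's forward-socks5t).  Only for the proxy modes that route this way.
- name: /etc/privoxy/config.whonix socks
  blockinfile:
    dest: "{{ item.dest }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    # mode was listed per item but never applied; pass it through
    mode: "{{ item.mode }}"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy socks"
    state: "{{ 'present' if SOCKS_PROXYHOST != '' else 'absent' }}"
    block: |
      # https://tor.stackexchange.com/questions/947/socks-server-with-dynamic-traffic-routing-trought-tor-i2p-depending-on-the-e
      forward .i2p 127.0.0.1:4444
      forward-socks5t / {{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}} .
  with_items:
    - dest: "/etc/privoxy/config.whonix"
      owner: "root"
      group: "root"
      mode: "0644"
    - dest: "/etc/privoxy/config.tor"
      owner: "root"
      group: "root"
      mode: "0644"
    - dest: "/etc/privoxy/config.nat"
      owner: "root"
      group: "root"
      mode: "0644"
    - dest: "/etc/privoxy/config.selektor"
      owner: "root"
      group: "root"
      mode: "0644"
  when:
    - SOCKS_PROXYHOST != '' and SOCKS_PROXYPORT != ''
    - "PROXY_MODE|default('') in ['tor', 'whonix', 'selektor']"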
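# The gpgconf.conf task below only edits an existing file, so record whether
# there is one.  Block form rather than "path=..." shorthand.
- name: check if /etc/gnupg/gpgconf.conf exists
  stat:
    path: /etc/gnupg/gpgconf.conf
  register: etc_gpgconf_fact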
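# Keyserver settings in /etc/gnupg/gpgconf.conf.  Most items are state: absent
# because gpg rejects them as unknown keyserver options (see the per-item
# comments), so in practice this pins the keyserver line and removes the rest.
# Only runs against an existing file, and not in check mode.
- name: /etc/gnupg/gpgconf.conf
  lineinfile:
    dest: "/etc/gnupg/gpgconf.conf"
    # insertbefore: BOF
    # quoted so YAML does not read the octal as the int 493; 0755 makes a
    # config file executable — 0644 would be usual, value left unchanged.
    mode: "0755"
    owner: "{{ BOX_ROOT_USER }}"
    group: "{{ BOX_ROOT_GROUP }}"
    create: true
    state: "{{ item.state }}"
    # matches the (possibly commented-out) "key val..." line to replace
    regexp: "^#*{{item.key}} {{item.val}}.*"
    line: "{{item.key}} {{item.val}}{{item.value}}"
  with_items:
    - key: keyserver-options
      val: http-proxy=
      value: "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}"
      # gpg: keyserver option 'https-proxy' is unknown
      state: absent  # "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"

    - key: keyserver-options
      val: https-proxy=
      value: "{{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}"
      # gpg: keyserver option 'https-proxy' is unknown
      state: absent  # "{{ 'present' if HTTPS_PROXYHOST != '' else 'absent' }}"

    # NOTE(review): hkp:// is unauthenticated transport; hkps:// would let
    # the fetched keys be served over TLS — confirm the chosen server supports it.
    - key: keyserver
      val: hkp://keys.gnupg.net
      value: ""
      state: "present"

    - key: keyserver-options
      val: verbose
      value: ""
      state: absent  # is unknown "present"

    - key: keyserver-options
      val: "options "
      value: "/etc/dirmngr/dirmngr.conf"
      state: absent  # is unknown "present"

  when:
    - not ansible_check_mode
    - etc_gpgconf_fact.stat.exists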
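# The npmrc task further down edits /etc/npmrc only if it already exists.
# Block form rather than "path=..." shorthand.
- name: check if /etc/npmrc exists
  stat:
    path: /etc/npmrc
  register: npm_npmrc_fact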
#? do I want these in /etc/environment?
# FixMe: harden/templates/etc/example-dnscrypt-proxy.toml
# force_tcp = true
#? ~/.gnupg/gnupg.conf
# https://github.com/riseupnet/riseup_help/issues/294
# keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
# .repo_.gitconfig.json
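# handle setting up an ssh server in proxy - for libvirt_qemu (or chroot?)
# sshd is started IPv4-only (-4) and logs to its own file (-E).
- name: /etc/conf.d/sshd
  blockinfile:
    dest: "/etc/{{ ETC_CONF_D }}/sshd"
    create: true
    marker: "# {mark} ANSIBLE MANAGED BLOCK testforge"
    block: |
      SSHD_OPTS="-4 -E /var/log/sshd.log"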
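# Relocate a pre-existing /etc/dirmngr/dirmngr.conf under /etc/gnupg and leave
# a symlink behind, so the two paths never hold diverging copies.  Reports
# "changed" only when the move actually happened (the original shell task
# reported changed on every run).
- name: /etc/dirmngr/dirmngr.conf
  shell: |
    [ -d /etc/dirmngr ] || mkdir /etc/dirmngr
    # nothing to do when /etc/gnupg/dirmngr.conf is already a symlink
    # (presumably a layout where the link points the other way)
    [ -f /etc/dirmngr/dirmngr.conf ] && [ -h /etc/gnupg/dirmngr.conf ] && exit 0
    if [ -f /etc/dirmngr/dirmngr.conf ] && [ ! -f /etc/gnupg/dirmngr.conf ]; then
      mv /etc/dirmngr/dirmngr.conf /etc/gnupg/dirmngr.conf && \
        ln -s /etc/gnupg/dirmngr.conf /etc/dirmngr/dirmngr.conf && \
        echo MOVED
    fi
    exit 0
  register: dirmngr_conf_move
  changed_when: "'MOVED' in dirmngr_conf_move.stdout"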
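# Put a keyserver proxy line at the top of dirmngr.conf.
# NOTE(review): the when clause fires only when HTTP_PROXYHOST and
# HTTP_PROXYPORT are BOTH empty, which renders "http-proxy=http://:"; the
# proxied case is covered by the http-proxy block further down, so this looks
# inverted or dead — confirm before relying on it.  "keyserver-options" is
# presumably a gpg.conf directive rather than a dirmngr one (see the NB at
# the top about dirmngr rejecting its config).
- name: /etc/dirmngr/dirmngr.conf
  lineinfile:
    dest: "/etc/dirmngr/dirmngr.conf"
    insertbefore: BOF
    # quoted so YAML keeps the octal; 0755 on a config file is unusual
    mode: "0755"
    owner: "{{ BOX_ROOT_USER }}"
    group: "{{ BOX_ROOT_GROUP }}"
    create: true
    regexp: "#*keyserver-options http-proxy.*"
    line: "keyserver-options http-proxy=http://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}"
  when:
    - not ansible_check_mode
    - HTTP_PROXYHOST == '' and HTTP_PROXYPORT == ''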
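# Ensure "keyserver-options no-try-dns-srv" is NOT in dirmngr.conf: the
# state expression compares ansible_distribution against 'never', so it is
# always 'absent' — a way of keeping the line around while disabling it.
- name: /etc/dirmngr/dirmngr.conf
  lineinfile:
    dest: "/etc/dirmngr/dirmngr.conf"
    # quoted so YAML keeps the octal; 0755 on a config file is unusual
    mode: "0755"
    owner: "{{ BOX_ROOT_USER }}"
    group: "{{ BOX_ROOT_GROUP }}"
    create: true
    regexp: "^keyserver-options no-try-dns-srv"
    line: "keyserver-options no-try-dns-srv"
    state: "{{ 'present' if ansible_distribution == 'never' else 'absent' }}"
  when:
    - not ansible_check_mode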
# With the run_dnsmasq feature on, make dirmngr resolve via the local
# resolver and log verbosely to its own file.
# NOTE(review): debug-level 5 is a lot of detail for a permanent setting;
# presumably left from troubleshooting.
- name: /etc/dirmngr/dirmngr.conf dnsmasq
  blockinfile:
    dest: "/etc/dirmngr/dirmngr.conf"
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy_post.yml dnsmasq"
    create: true
    block: |
      debug-level 5
      log-file /var/log/dirmngr.log
      nameserver 127.0.0.1
  when:
    - not ansible_check_mode
    - "'run_dnsmasq' in PROXY_FEATURES"
# No upstream proxy configured: neutralise the http-proxy block by leaving
# only a commented-out honor-http-proxy in it.  The marker is the same one the
# http-proxy task further down uses, so whichever task runs last owns the block.
- block:
    - name: /etc/dirmngr/dirmngr.conf no proxy
      blockinfile:
        dest: "/etc/dirmngr/dirmngr.conf"
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http-proxy"
        create: false
        block: |
          # honor-http-proxy
      # may not exist: create is false, so a missing file is an error we tolerate
      ignore_errors: true

  when:
    - HTTP_PROXYHOST == '' and HTTP_PROXYPORT == ''
# HTTPS proxy for dirmngr.  The block body is entirely commented out (the
# "#!" lines record that debian10 rejects https-proxy as an invalid option),
# so at present this only places the marker block in both config files.
- block:
    - name: /etc/dirmngr/dirmngr.conf proxy_post.yml http-https
      blockinfile:
        dest: "{{ item }}"
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml https"
        create: true
        state: "{{ 'present' if HTTPS_PROXYHOST != '' else 'absent' }}"
        block: |
          #! debian10: /etc/dirmngr/dirmngr.conf:3: invalid option
          #! https-proxy {{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
      with_items:
        - /etc/dirmngr/dirmngr.conf
        - /etc/dirmngr/dirmngr.conf.whonix
      # may not exist
      ignore_errors: true

  when:
    - HTTPS_PROXYHOST != '' and HTTPS_PROXYPORT != ''
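# HTTP proxy for dirmngr.  The first task owns the "honor-http-proxy" block
# (same marker as the no-proxy task above), the second adds the explicit
# http-proxy line when a proxy host is set.  honor-http-proxy used to be
# written in both blocks; per the NB at the top, dirmngr fails on repeated
# commands, so it now appears only once.
# NOTE(review): this block has no when clause, so the first task re-enables
# honor-http-proxy even after the no-proxy task commented it out — confirm
# that ordering is intended.
- block:
    - name: /etc/dirmngr/dirmngr.conf proxy_post.yml http-proxy
      blockinfile:
        dest: /etc/dirmngr/dirmngr.conf
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http-proxy"
        block: |
          honor-http-proxy
      # may not exist
      ignore_errors: true

    - name: /etc/dirmngr/dirmngr.conf proxy_post.yml http
      blockinfile:
        dest: /etc/dirmngr/dirmngr.conf
        create: true
        marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http"
        state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
        block: |
          http-proxy {{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}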
- block:
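# FixMe: should be lineinfile
# Proxy and CA settings for npm; only edits an /etc/npmrc that already exists
# (create is false and the stat above gates the task).
- name: /etc/npmrc with proxy http
  blockinfile:
    dest: /etc/npmrc
    create: false
    # quoted so YAML keeps the octal instead of reading it as the int 420
    mode: "0644"
    marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http"
    state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
    # NOTE(review): cafile is hard-coded while proxy_env uses
    # SSL_CERT_FILE|default(PLAY_CA_CERT); confirm both point at the same bundle.
    block: |
      proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
      https-proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
      cafile=/usr/local/etc/ssl/cacert-testforge.pem
      progress=false
  when:
    - npm_npmrc_fact.stat.exists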