wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-05 06:33:56 +02:00
Code Issues Projects Releases Wiki Activity

Ansible upgrade 6.1 (#14500)

Browse source 
* linting

* update ansible

* linters
This commit is contained in:
Jack Ivanov 2022-07-30 15:01:24 +03:00 committed by GitHub
parent a43de09437
commit 347f864abb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
59 changed files with 1140 additions and 1139 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.ansible-lint
View file

@ -1,6 +1,10 @@
skip_list: skip_list:
- yaml
- '204' - '204'
verbosity: 1 verbosity: 1
warn_list: warn_list:
- no-changed-when - no-changed-when
- no-handler
- fqcn-builtins
- var-spacing

2
.github/workflows/main.yml vendored
View file

@ -18,7 +18,7 @@ jobs:
python -m pip install --upgrade pip python -m pip install --upgrade pip
pip install -r requirements.txt pip install -r requirements.txt
sudo snap install shellcheck sudo snap install shellcheck
pip install ansible-lint pip install ansible-lint==6.3.0
- name: Checks and linters - name: Checks and linters
run: | run: |

2
deploy_client.yml
View file

@ -13,7 +13,7 @@
ansible_ssh_user: "{{ 'root' if client_ip == 'localhost' else ssh_user }}" ansible_ssh_user: "{{ 'root' if client_ip == 'localhost' else ssh_user }}"
vpn_user: "{{ vpn_user }}" vpn_user: "{{ vpn_user }}"
IP_subject_alt_name: "{{ server_ip }}" IP_subject_alt_name: "{{ server_ip }}"
ansible_python_interpreter: "/usr/bin/python3" ansible_python_interpreter: /usr/bin/python3
- name: Configure the client and install required software - name: Configure the client and install required software
hosts: client-host hosts: client-host

5
input.yml
View file

@ -22,7 +22,7 @@
- { name: OpenStack (DreamCompute optimised), alias: openstack } - { name: OpenStack (DreamCompute optimised), alias: openstack }
- { name: CloudStack (Exoscale optimised), alias: cloudstack } - { name: CloudStack (Exoscale optimised), alias: cloudstack }
- { name: Linode, alias: linode } - { name: Linode, alias: linode }
- { name: "Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)", alias: local } - { name: Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users), alias: local }
vars_files: vars_files:
- config.cfg - config.cfg
@ -78,8 +78,7 @@
register: _ondemand_wifi_exclude register: _ondemand_wifi_exclude
when: when:
- ondemand_wifi_exclude is undefined - ondemand_wifi_exclude is undefined
- (ondemand_wifi|default(false)|bool) or - (ondemand_wifi|default(false)|bool) or (booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false))
(booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false))
- name: Retain the PKI prompt - name: Retain the PKI prompt
pause: pause:

15
main.yml
View file

@ -23,12 +23,15 @@
- name: Set required ansible version as a fact - name: Set required ansible version as a fact
set_fact: set_fact:
required_ansible_version: required_ansible_version: "{{ item | regex_replace('^ansible[\\s+]?(?P<op>[=,>,<]+)[\\s+]?(?P<ver>\\d.\\d+(.\\d+)?)$', '{\"op\": \"\\g<op>\",\"ver\"\
"{{ item | regex_replace('^ansible-core[\\s+]?(?P<op>[=,>,<]+)[\\s+]?(?P<ver>\\d.\\d+(.\\d+)?)$', : \"\\g<ver>\" }') }}"
'{\"op\": \"\\g<op>\",\"ver\": \"\\g<ver>\" }') }}" when: '"ansible" in item'
when: '"ansible-core" in item'
with_items: "{{ lookup('file', 'requirements.txt').splitlines() }}" with_items: "{{ lookup('file', 'requirements.txt').splitlines() }}"
- name: Just get the list from default pip
community.general.pip_package_info:
register: pip_package_info
- name: Verify Python meets Algo VPN requirements - name: Verify Python meets Algo VPN requirements
assert: assert:
that: (ansible_python.version.major|string + '.' + ansible_python.version.minor|string) is version('3.8', '>=') that: (ansible_python.version.major|string + '.' + ansible_python.version.minor|string) is version('3.8', '>=')
@ -40,10 +43,10 @@
- name: Verify Ansible meets Algo VPN requirements - name: Verify Ansible meets Algo VPN requirements
assert: assert:
that: that:
- ansible_version.full is version(required_ansible_version.ver, required_ansible_version.op) - pip_package_info.packages.pip.ansible.0.version is version(required_ansible_version.ver, required_ansible_version.op)
- not ipaddr.failed - not ipaddr.failed
msg: > msg: >
Ansible version is {{ ansible_version.full }}. Ansible version is {{ pip_package_info.packages.pip.ansible.0.version }}.
You must update the requirements to use this version of Algo. You must update the requirements to use this version of Algo.
Try to run python3 -m pip install -U -r requirements.txt Try to run python3 -m pip install -U -r requirements.txt

7
playbooks/cloud-post.yml
View file

@ -10,7 +10,7 @@
ansible_connection: "{% if cloud_instance_ip == 'localhost' %}local{% else %}ssh{% endif %}" ansible_connection: "{% if cloud_instance_ip == 'localhost' %}local{% else %}ssh{% endif %}"
ansible_ssh_user: "{{ ansible_ssh_user|default('root') }}" ansible_ssh_user: "{{ ansible_ssh_user|default('root') }}"
ansible_ssh_port: "{{ ansible_ssh_port|default(22) }}" ansible_ssh_port: "{{ ansible_ssh_port|default(22) }}"
ansible_python_interpreter: "/usr/bin/python3" ansible_python_interpreter: /usr/bin/python3
algo_provider: "{{ algo_provider }}" algo_provider: "{{ algo_provider }}"
algo_server_name: "{{ algo_server_name }}" algo_server_name: "{{ algo_server_name }}"
algo_ondemand_cellular: "{{ algo_ondemand_cellular }}" algo_ondemand_cellular: "{{ algo_ondemand_cellular }}"
@ -33,7 +33,7 @@
wait_for: wait_for:
port: "{{ ansible_ssh_port|default(22) }}" port: "{{ ansible_ssh_port|default(22) }}"
host: "{{ cloud_instance_ip }}" host: "{{ cloud_instance_ip }}"
search_regex: "OpenSSH" search_regex: OpenSSH
delay: 10 delay: 10
timeout: 320 timeout: 320
state: present state: present
@ -44,8 +44,7 @@
when: when:
- pki_in_tmpfs - pki_in_tmpfs
- not algo_store_pki - not algo_store_pki
- ansible_system == "Darwin" or - ansible_system == "Darwin" or ansible_system == "Linux"
ansible_system == "Linux"
- debug: - debug:
var: IP_subject_alt_name var: IP_subject_alt_name

2
playbooks/cloud-pre.yml
View file

@ -47,7 +47,7 @@
src: "{{ SSH_keys.private }}" src: "{{ SSH_keys.private }}"
dest: "{{ SSH_keys.private_tmp }}" dest: "{{ SSH_keys.private_tmp }}"
force: true force: true
mode: '0600' mode: "0600"
delegate_to: localhost delegate_to: localhost
become: false become: false
when: algo_provider != "local" when: algo_provider != "local"

2
playbooks/tmpfs/linux.yml
View file

@ -1,5 +1,5 @@
--- ---
- name: Linux | set OS specific facts - name: Linux | set OS specific facts
set_fact: set_fact:
tmpfs_volume_name: "AlgoVPN-{{ IP_subject_alt_name }}" tmpfs_volume_name: AlgoVPN-{{ IP_subject_alt_name }}
tmpfs_volume_path: /dev/shm tmpfs_volume_path: /dev/shm

4
playbooks/tmpfs/macos.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: MacOS | set OS specific facts - name: MacOS | set OS specific facts
set_fact: set_fact:
tmpfs_volume_name: "AlgoVPN-{{ IP_subject_alt_name }}" tmpfs_volume_name: AlgoVPN-{{ IP_subject_alt_name }}
tmpfs_volume_path: /Volumes tmpfs_volume_path: /Volumes
- name: MacOS | mount a ram disk - name: MacOS | mount a ram disk
@ -9,4 +9,4 @@
/usr/sbin/diskutil info "/{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/" || /usr/sbin/diskutil info "/{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/" ||
/usr/sbin/diskutil erasevolume HFS+ "{{ tmpfs_volume_name }}" $(hdiutil attach -nomount ram://64000) /usr/sbin/diskutil erasevolume HFS+ "{{ tmpfs_volume_name }}" $(hdiutil attach -nomount ram://64000)
args: args:
creates: "/{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}" creates: /{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}

2
playbooks/tmpfs/main.yml
View file

@ -9,7 +9,7 @@
- name: Set config paths as facts - name: Set config paths as facts
set_fact: set_fact:
ipsec_pki_path: "/{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/IPsec/" ipsec_pki_path: /{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/IPsec/
- name: Update config paths - name: Update config paths
add_host: add_host:

2
playbooks/tmpfs/umount.yml
View file

@ -1,7 +1,7 @@
--- ---
- name: Linux | Delete the PKI directory - name: Linux | Delete the PKI directory
file: file:
path: "/{{ facts.tmpfs_volume_path }}/{{ facts.tmpfs_volume_name }}/" path: /{{ facts.tmpfs_volume_path }}/{{ facts.tmpfs_volume_name }}/
state: absent state: absent
when: facts.ansible_system == "Linux" when: facts.ansible_system == "Linux"

3
requirements.txt
View file

@ -1,4 +1,3 @@
ansible-core==2.12.3 ansible==6.1.0
ansible==5.0.1
jinja2~=3.0.3 jinja2~=3.0.3
netaddr netaddr

22
roles/client/tasks/main.yml
View file

@ -1,6 +1,6 @@
---
- name: Gather Facts - name: Gather Facts
setup: setup:
- name: Include system based facts and tasks - name: Include system based facts and tasks
import_tasks: systems/main.yml import_tasks: systems/main.yml
@ -22,9 +22,9 @@
- name: Setup the ipsec config - name: Setup the ipsec config
template: template:
src: "roles/strongswan/templates/client_ipsec.conf.j2" src: roles/strongswan/templates/client_ipsec.conf.j2
dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.conf" dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.conf"
mode: '0644' mode: "0644"
with_items: with_items:
- "{{ vpn_user }}" - "{{ vpn_user }}"
notify: notify:
@ -32,9 +32,9 @@
- name: Setup the ipsec secrets - name: Setup the ipsec secrets
template: template:
src: "roles/strongswan/templates/client_ipsec.secrets.j2" src: roles/strongswan/templates/client_ipsec.secrets.j2
dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.secrets" dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.secrets"
mode: '0600' mode: "0600"
with_items: with_items:
- "{{ vpn_user }}" - "{{ vpn_user }}"
notify: notify:
@ -44,12 +44,12 @@
lineinfile: lineinfile:
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
line: "{{ item.line }}" line: "{{ item.line }}"
create: yes create: true
with_items: with_items:
- dest: "{{ configs_prefix }}/ipsec.conf" - dest: "{{ configs_prefix }}/ipsec.conf"
line: "include ipsec.{{ IP_subject_alt_name }}.conf" line: include ipsec.{{ IP_subject_alt_name }}.conf
- dest: "{{ configs_prefix }}/ipsec.secrets" - dest: "{{ configs_prefix }}/ipsec.secrets"
line: "include ipsec.{{ IP_subject_alt_name }}.secrets" line: include ipsec.{{ IP_subject_alt_name }}.secrets
notify: notify:
- restart strongswan - restart strongswan
@ -66,11 +66,11 @@
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
with_items: with_items:
- src: "configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt" - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt
dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt" dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt"
- src: "configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem" - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem
dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem" dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem"
- src: "configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key" - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key
dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key" dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key"
notify: notify:
- restart strongswan - restart strongswan

1
roles/client/tasks/systems/main.yml
View file

@ -1,5 +1,4 @@
--- ---
- include_tasks: Debian.yml - include_tasks: Debian.yml
when: ansible_distribution == 'Debian' when: ansible_distribution == 'Debian'

1
roles/cloud-azure/defaults/main.yml
View file

@ -208,4 +208,3 @@ azure_regions:
- displayName: West US (Stage) - displayName: West US (Stage)
name: westusstage name: westusstage
regionalDisplayName: (US) West US (Stage) regionalDisplayName: (US) West US (Stage)

2
roles/cloud-azure/tasks/venv.yml
View file

@ -1,6 +1,6 @@
--- ---
- name: Install requirements - name: Install requirements
pip: pip:
requirements: https://raw.githubusercontent.com/ansible-collections/azure/v1.9.0/requirements-azure.txt requirements: https://raw.githubusercontent.com/ansible-collections/azure/v1.13.0/requirements-azure.txt
state: latest state: latest
virtualenv_python: python3 virtualenv_python: python3

2
roles/cloud-cloudstack/tasks/main.yml
View file

@ -26,7 +26,7 @@
end_port: "{{ item.end_port }}" end_port: "{{ item.end_port }}"
cidr: "{{ item.range }}" cidr: "{{ item.range }}"
with_items: with_items:
- { proto: tcp, start_port: '{{ ssh_port }}', end_port: '{{ ssh_port }}', range: 0.0.0.0/0 } - { proto: tcp, start_port: "{{ ssh_port }}", end_port: "{{ ssh_port }}", range: 0.0.0.0/0 }
- { proto: udp, start_port: 4500, end_port: 4500, range: 0.0.0.0/0 } - { proto: udp, start_port: 4500, end_port: 4500, range: 0.0.0.0/0 }
- { proto: udp, start_port: 500, end_port: 500, range: 0.0.0.0/0 } - { proto: udp, start_port: 500, end_port: 500, range: 0.0.0.0/0 }
- { proto: udp, start_port: "{{ wireguard_port }}", end_port: "{{ wireguard_port }}", range: 0.0.0.0/0 } - { proto: udp, start_port: "{{ wireguard_port }}", end_port: "{{ wireguard_port }}", range: 0.0.0.0/0 }

4
roles/cloud-cloudstack/tasks/prompts.yml
View file

@ -30,7 +30,8 @@
- set_fact: - set_fact:
algo_cs_key: "{{ cs_key | default(_cs_key.user_input|default(None)) | default(lookup('env', 'CLOUDSTACK_KEY'), true) }}" algo_cs_key: "{{ cs_key | default(_cs_key.user_input|default(None)) | default(lookup('env', 'CLOUDSTACK_KEY'), true) }}"
algo_cs_token: "{{ cs_secret | default(_cs_secret.user_input|default(None)) | default(lookup('env', 'CLOUDSTACK_SECRET'), true) }}" algo_cs_token: "{{ cs_secret | default(_cs_secret.user_input|default(None)) | default(lookup('env', 'CLOUDSTACK_SECRET'), true) }}"
algo_cs_url: "{{ cs_url | default(_cs_url.user_input|default(None)) | default(lookup('env', 'CLOUDSTACK_ENDPOINT'), true) | default('https://api.exoscale.com/compute', true) }}" algo_cs_url: "{{ cs_url | default(_cs_url.user_input|default(None)) | default(lookup('env', 'CLOUDSTACK_ENDPOINT'), true) | default('https://api.exoscale.com/compute',\
\ true) }}"
- name: Get zones on cloud - name: Get zones on cloud
cs_zone_info: cs_zone_info:
@ -62,4 +63,3 @@
[{{ default_zone }}] [{{ default_zone }}]
register: _algo_region register: _algo_region
when: region is undefined when: region is undefined

6
roles/cloud-digitalocean/tasks/main.yml
View file

@ -2,14 +2,14 @@
- name: Include prompts - name: Include prompts
import_tasks: prompts.yml import_tasks: prompts.yml
- name: "Upload the SSH key" - name: Upload the SSH key
digital_ocean_sshkey: digital_ocean_sshkey:
oauth_token: "{{ algo_do_token }}" oauth_token: "{{ algo_do_token }}"
name: "{{ SSH_keys.comment }}" name: "{{ SSH_keys.comment }}"
ssh_pub_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}" ssh_pub_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
register: do_ssh_key register: do_ssh_key
- name: "Creating a droplet..." - name: Creating a droplet...
digital_ocean_droplet: digital_ocean_droplet:
state: present state: present
name: "{{ algo_server_name }}" name: "{{ algo_server_name }}"
@ -31,7 +31,7 @@
droplet: "{{ digital_ocean_droplet.data.droplet | default(digital_ocean_droplet.data) }}" droplet: "{{ digital_ocean_droplet.data.droplet | default(digital_ocean_droplet.data) }}"
- block: - block:
- name: "Create a Floating IP" - name: Create a Floating IP
digital_ocean_floating_ip: digital_ocean_floating_ip:
state: present state: present
oauth_token: "{{ algo_do_token }}" oauth_token: "{{ algo_do_token }}"

4
roles/cloud-digitalocean/tasks/prompts.yml
View file

@ -18,8 +18,8 @@
method: GET method: GET
status_code: 200 status_code: 200
headers: headers:
Content-Type: "application/json" Content-Type: application/json
Authorization: "Bearer {{ algo_do_token }}" Authorization: Bearer {{ algo_do_token }}
register: _do_regions register: _do_regions
- name: Set facts about the regions - name: Set facts about the regions

2
roles/cloud-ec2/tasks/cloudformation.yml
View file

@ -4,7 +4,7 @@
aws_access_key: "{{ access_key }}" aws_access_key: "{{ access_key }}"
aws_secret_key: "{{ secret_key }}" aws_secret_key: "{{ secret_key }}"
stack_name: "{{ stack_name }}" stack_name: "{{ stack_name }}"
state: "present" state: present
region: "{{ algo_region }}" region: "{{ algo_region }}"
template: roles/cloud-ec2/files/stack.yaml template: roles/cloud-ec2/files/stack.yaml
template_parameters: template_parameters:

2
roles/cloud-ec2/tasks/main.yml
View file

@ -13,7 +13,7 @@
region: "{{ algo_region }}" region: "{{ algo_region }}"
filters: filters:
architecture: "{{ cloud_providers.ec2.image.arch }}" architecture: "{{ cloud_providers.ec2.image.arch }}"
name: "ubuntu/images/hvm-ssd/{{ cloud_providers.ec2.image.name }}-*64-server-*" name: ubuntu/images/hvm-ssd/{{ cloud_providers.ec2.image.name }}-*64-server-*
register: ami_search register: ami_search
- name: Set the ami id as a fact - name: Set the ami id as a fact

14
roles/cloud-gce/tasks/main.yml
View file

@ -27,12 +27,12 @@
allowed: allowed:
- ip_protocol: udp - ip_protocol: udp
ports: ports:
- '500' - "500"
- '4500' - "4500"
- '{{ wireguard_port|string }}' - "{{ wireguard_port|string }}"
- ip_protocol: tcp - ip_protocol: tcp
ports: ports:
- '{{ ssh_port }}' - "{{ ssh_port }}"
- ip_protocol: icmp - ip_protocol: icmp
- block: - block:
@ -62,9 +62,9 @@
- auto_delete: true - auto_delete: true
boot: true boot: true
initialize_params: initialize_params:
source_image: "projects/ubuntu-os-cloud/global/images/family/{{ cloud_providers.gce.image }}" source_image: projects/ubuntu-os-cloud/global/images/family/{{ cloud_providers.gce.image }}
metadata: metadata:
ssh-keys: "algo:{{ ssh_public_key_lookup }}" ssh-keys: algo:{{ ssh_public_key_lookup }}
user-data: "{{ lookup('template', 'files/cloud-init/base.yml') }}" user-data: "{{ lookup('template', 'files/cloud-init/base.yml') }}"
network_interfaces: network_interfaces:
- network: "{{ gcp_compute_network }}" - network: "{{ gcp_compute_network }}"
@ -74,7 +74,7 @@
type: ONE_TO_ONE_NAT type: ONE_TO_ONE_NAT
tags: tags:
items: items:
- "environment-algo" - environment-algo
register: gcp_compute_instance register: gcp_compute_instance
- set_fact: - set_fact:

7
roles/cloud-gce/tasks/prompts.yml
View file

@ -9,7 +9,8 @@
- lookup('env','GCE_CREDENTIALS_FILE_PATH')|length <= 0 - lookup('env','GCE_CREDENTIALS_FILE_PATH')|length <= 0
- set_fact: - set_fact:
credentials_file_path: "{{ gce_credentials_file | default(_gce_credentials_file.user_input|default(None)) | default(lookup('env','GCE_CREDENTIALS_FILE_PATH'), true) }}" credentials_file_path: "{{ gce_credentials_file | default(_gce_credentials_file.user_input|default(None)) | default(lookup('env','GCE_CREDENTIALS_FILE_PATH'),\
\ true) }}"
ssh_public_key_lookup: "{{ lookup('file', '{{ SSH_keys.public }}') }}" ssh_public_key_lookup: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
- set_fact: - set_fact:
@ -70,8 +71,8 @@
project: "{{ project_id }}" project: "{{ project_id }}"
scope: zones scope: zones
filters: filters:
- "name={{ algo_region }}-*" - name={{ algo_region }}-*
- "status=UP" - status=UP
register: gcp_compute_zone_info register: gcp_compute_zone_info
- name: Set random available zone as a fact - name: Set random available zone as a fact

2
roles/cloud-hetzner/tasks/main.yml
View file

@ -7,7 +7,7 @@
- name: Create an ssh key - name: Create an ssh key
hcloud_ssh_key: hcloud_ssh_key:
name: "algo-{{ 999999 | random(seed=lookup('file', SSH_keys.public)) }}" name: algo-{{ 999999 | random(seed=lookup('file', SSH_keys.public)) }}
public_key: "{{ lookup('file', SSH_keys.public) }}" public_key: "{{ lookup('file', SSH_keys.public) }}"
state: present state: present
api_token: "{{ algo_hcloud_token }}" api_token: "{{ algo_hcloud_token }}"

2
roles/cloud-lightsail/tasks/cloudformation.yml
View file

@ -4,7 +4,7 @@
aws_access_key: "{{ access_key }}" aws_access_key: "{{ access_key }}"
aws_secret_key: "{{ secret_key }}" aws_secret_key: "{{ secret_key }}"
stack_name: "{{ stack_name }}" stack_name: "{{ stack_name }}"
state: "present" state: present
region: "{{ algo_region }}" region: "{{ algo_region }}"
template: roles/cloud-lightsail/files/stack.yaml template: roles/cloud-lightsail/files/stack.yaml
template_parameters: template_parameters:

6
roles/cloud-linode/tasks/main.yml
View file

@ -26,7 +26,7 @@
- name: Update the stackscript - name: Update the stackscript
uri: uri:
url: "https://api.linode.com/v4/linode/stackscripts/{{ _linode_stackscript.stackscript.id }}" url: https://api.linode.com/v4/linode/stackscripts/{{ _linode_stackscript.stackscript.id }}
method: PUT method: PUT
body_format: json body_format: json
body: body:
@ -34,10 +34,10 @@
{{ stackscript }} {{ stackscript }}
headers: headers:
Content-Type: application/json Content-Type: application/json
Authorization: "Bearer {{ algo_linode_token }}" Authorization: Bearer {{ algo_linode_token }}
when: (_linode_stackscript.stackscript.script | hash('md5')) != (stackscript | hash('md5')) when: (_linode_stackscript.stackscript.script | hash('md5')) != (stackscript | hash('md5'))
- name: "Creating an instance..." - name: Creating an instance...
linode_v4: linode_v4:
access_token: "{{ algo_linode_token }}" access_token: "{{ algo_linode_token }}"
label: "{{ algo_server_name }}" label: "{{ algo_server_name }}"

2
roles/cloud-openstack/tasks/main.yml
View file

@ -22,7 +22,7 @@
port_range_max: "{{ item.port_max }}" port_range_max: "{{ item.port_max }}"
remote_ip_prefix: "{{ item.range }}" remote_ip_prefix: "{{ item.range }}"
with_items: with_items:
- { proto: tcp, port_min: '{{ ssh_port }}', port_max: '{{ ssh_port }}', range: 0.0.0.0/0 } - { proto: tcp, port_min: "{{ ssh_port }}", port_max: "{{ ssh_port }}", range: 0.0.0.0/0 }
- { proto: icmp, port_min: -1, port_max: -1, range: 0.0.0.0/0 } - { proto: icmp, port_min: -1, port_max: -1, range: 0.0.0.0/0 }
- { proto: udp, port_min: 4500, port_max: 4500, range: 0.0.0.0/0 } - { proto: udp, port_min: 4500, port_max: 4500, range: 0.0.0.0/0 }
- { proto: udp, port_min: 500, port_max: 500, range: 0.0.0.0/0 } - { proto: udp, port_min: 500, port_max: 500, range: 0.0.0.0/0 }

5
roles/cloud-scaleway/tasks/main.yml
View file

@ -1,3 +1,4 @@
---
- name: Include prompts - name: Include prompts
import_tasks: prompts.yml import_tasks: prompts.yml
@ -41,12 +42,12 @@
- name: Patch the cloud-init - name: Patch the cloud-init
uri: uri:
url: "https://cp-{{ algo_region }}.scaleway.com/servers/{{ scaleway_compute.msg.id }}/user_data/cloud-init" url: https://cp-{{ algo_region }}.scaleway.com/servers/{{ scaleway_compute.msg.id }}/user_data/cloud-init
method: PATCH method: PATCH
body: "{{ lookup('template', 'files/cloud-init/base.yml') }}" body: "{{ lookup('template', 'files/cloud-init/base.yml') }}"
status_code: 204 status_code: 204
headers: headers:
Content-Type: "text/plain" Content-Type: text/plain
X-Auth-Token: "{{ algo_scaleway_token }}" X-Auth-Token: "{{ algo_scaleway_token }}"
- name: Start the server - name: Start the server

8
roles/cloud-vultr/tasks/main.yml
View file

@ -15,13 +15,13 @@
ip_version: "{{ item.ip }}" ip_version: "{{ item.ip }}"
cidr: "{{ item.cidr }}" cidr: "{{ item.cidr }}"
with_items: with_items:
- { protocol: tcp, port: "{{ ssh_port }}", ip: v4, cidr: "0.0.0.0/0" } - { protocol: tcp, port: "{{ ssh_port }}", ip: v4, cidr: 0.0.0.0/0 }
- { protocol: tcp, port: "{{ ssh_port }}", ip: v6, cidr: "::/0" } - { protocol: tcp, port: "{{ ssh_port }}", ip: v6, cidr: "::/0" }
- { protocol: udp, port: 500, ip: v4, cidr: "0.0.0.0/0" } - { protocol: udp, port: 500, ip: v4, cidr: 0.0.0.0/0 }
- { protocol: udp, port: 500, ip: v6, cidr: "::/0" } - { protocol: udp, port: 500, ip: v6, cidr: "::/0" }
- { protocol: udp, port: 4500, ip: v4, cidr: "0.0.0.0/0" } - { protocol: udp, port: 4500, ip: v4, cidr: 0.0.0.0/0 }
- { protocol: udp, port: 4500, ip: v6, cidr: "::/0" } - { protocol: udp, port: 4500, ip: v6, cidr: "::/0" }
- { protocol: udp, port: "{{ wireguard_port }}", ip: v4, cidr: "0.0.0.0/0" } - { protocol: udp, port: "{{ wireguard_port }}", ip: v4, cidr: 0.0.0.0/0 }
- { protocol: udp, port: "{{ wireguard_port }}", ip: v6, cidr: "::/0" } - { protocol: udp, port: "{{ wireguard_port }}", ip: v6, cidr: "::/0" }
- name: Upload the startup script - name: Upload the startup script

1
roles/common/handlers/main.yml
View file

@ -1,3 +1,4 @@
---
- name: restart rsyslog - name: restart rsyslog
service: name=rsyslog state=restarted service: name=rsyslog state=restarted

5
roles/common/tasks/freebsd.yml
View file

@ -13,13 +13,12 @@
- name: Gather facts - name: Gather facts
setup: setup:
- name: Gather additional facts - name: Gather additional facts
import_tasks: facts.yml import_tasks: facts.yml
- name: Set OS specific facts - name: Set OS specific facts
set_fact: set_fact:
config_prefix: "/usr/local/" config_prefix: /usr/local/
strongswan_shell: /usr/sbin/nologin strongswan_shell: /usr/sbin/nologin
strongswan_home: /var/empty strongswan_home: /var/empty
root_group: wheel root_group: wheel
@ -50,7 +49,7 @@
- name: Loopback included into the rc config - name: Loopback included into the rc config
blockinfile: blockinfile:
dest: /etc/rc.conf dest: /etc/rc.conf
create: yes create: true
block: | block: |
cloned_interfaces="lo100" cloned_interfaces="lo100"
ifconfig_lo100="inet {{ local_service_ip }} netmask 255.255.255.255" ifconfig_lo100="inet {{ local_service_ip }} netmask 255.255.255.255"

1
roles/common/tasks/iptables.yml
View file

@ -1,5 +1,4 @@
--- ---
- name: Iptables configured - name: Iptables configured
template: template:
src: "{{ item.src }}" src: "{{ item.src }}"

9
roles/common/tasks/ubuntu.yml
View file

@ -1,7 +1,6 @@
--- ---
- name: Gather facts - name: Gather facts
setup: setup:
- name: Cloud only tasks - name: Cloud only tasks
block: block:
- name: Install software updates - name: Install software updates
@ -42,8 +41,8 @@
- name: Disable MOTD on login and SSHD - name: Disable MOTD on login and SSHD
replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}" replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
with_items: with_items:
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' } - { regexp: ^session.*optional.*pam_motd.so.*, line: "# MOTD DISABLED", file: /etc/pam.d/login }
- { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' } - { regexp: ^session.*optional.*pam_motd.so.*, line: "# MOTD DISABLED", file: /etc/pam.d/sshd }
- name: Ensure fallback resolvers are set - name: Ensure fallback resolvers are set
ini_file: ini_file:
@ -75,7 +74,7 @@
- name: Check apparmor support - name: Check apparmor support
command: apparmor_status command: apparmor_status
ignore_errors: yes ignore_errors: true
changed_when: false changed_when: false
register: apparmor_status register: apparmor_status
@ -117,7 +116,7 @@
apt: apt:
name: name:
- linux-headers-generic - linux-headers-generic
- "linux-headers-{{ ansible_kernel }}" - linux-headers-{{ ansible_kernel }}
state: present state: present
when: install_headers | bool when: install_headers | bool

2
roles/dns/tasks/freebsd.yml
View file

@ -6,4 +6,4 @@
- name: Enable mac_portacl - name: Enable mac_portacl
lineinfile: lineinfile:
path: /etc/rc.conf path: /etc/rc.conf
line: 'dnscrypt_proxy_mac_portacl_enable="YES"' line: dnscrypt_proxy_mac_portacl_enable="YES"

2
roles/ssh_tunneling/defaults/main.yml
View file

@ -1,2 +1,2 @@
--- ---
ssh_tunnels_config_path: "configs/{{ IP_subject_alt_name }}/ssh-tunnel/" ssh_tunnels_config_path: configs/{{ IP_subject_alt_name }}/ssh-tunnel/

1
roles/ssh_tunneling/handlers/main.yml
View file

@ -1,2 +1,3 @@
---
- name: restart ssh - name: restart ssh
service: name="{{ ssh_service_name|default('ssh') }}" state=restarted service: name="{{ ssh_service_name|default('ssh') }}" state=restarted

18
roles/ssh_tunneling/tasks/main.yml
View file

@ -2,7 +2,7 @@
- name: Ensure that the sshd_config file has desired options - name: Ensure that the sshd_config file has desired options
blockinfile: blockinfile:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
marker: '# {mark} ANSIBLE MANAGED BLOCK ssh_tunneling_role' marker: "# {mark} ANSIBLE MANAGED BLOCK ssh_tunneling_role"
block: | block: |
Match Group algo Match Group algo
AllowTcpForwarding local AllowTcpForwarding local
@ -32,12 +32,12 @@
user: user:
name: "{{ item }}" name: "{{ item }}"
group: algo group: algo
home: '/var/jail/{{ item }}' home: /var/jail/{{ item }}
createhome: yes createhome: true
generate_ssh_key: false generate_ssh_key: false
shell: /bin/false shell: /bin/false
state: present state: present
append: yes append: true
with_items: "{{ users }}" with_items: "{{ users }}"
- block: - block:
@ -51,8 +51,8 @@
file: file:
dest: "{{ ssh_tunnels_config_path }}" dest: "{{ ssh_tunnels_config_path }}"
state: directory state: directory
recurse: yes recurse: true
mode: '0700' mode: "0700"
- name: Check if the private keys exist - name: Check if the private keys exist
stat: stat:
@ -104,14 +104,14 @@
getent: getent:
database: group database: group
key: algo key: algo
split: ':' split: ":"
- name: Delete non-existing users - name: Delete non-existing users
user: user:
name: "{{ item }}" name: "{{ item }}"
state: absent state: absent
remove: yes remove: true
force: yes force: true
when: item not in users when: item not in users
with_items: "{{ getent_group['algo'][2].split(',') }}" with_items: "{{ getent_group['algo'][2].split(',') }}"
tags: update-users tags: update-users

6
roles/strongswan/defaults/main.yml
View file

@ -1,5 +1,5 @@
--- ---
ipsec_config_path: "configs/{{ IP_subject_alt_name }}/ipsec/" ipsec_config_path: configs/{{ IP_subject_alt_name }}/ipsec/
ipsec_pki_path: "{{ ipsec_config_path }}/.pki/" ipsec_pki_path: "{{ ipsec_config_path }}/.pki/"
strongswan_shell: /usr/sbin/nologin strongswan_shell: /usr/sbin/nologin
strongswan_home: /var/lib/strongswan strongswan_home: /var/lib/strongswan
@ -7,7 +7,7 @@ strongswan_service: "{{ 'strongswan-starter' if ansible_facts['distribution_vers
BetweenClients_DROP: true BetweenClients_DROP: true
algo_ondemand_cellular: false algo_ondemand_cellular: false
algo_ondemand_wifi: false algo_ondemand_wifi: false
algo_ondemand_wifi_exclude: '_null' algo_ondemand_wifi_exclude: _null
algo_dns_adblocking: false algo_dns_adblocking: false
ipv6_support: false ipv6_support: false
dns_encryption: true dns_encryption: true
@ -16,7 +16,7 @@ subjectAltName_type: "{{ 'DNS' if IP_subject_alt_name|regex_search('[a-z]') else
subjectAltName: >- subjectAltName: >-
{{ subjectAltName_type }}:{{ IP_subject_alt_name }} {{ subjectAltName_type }}:{{ IP_subject_alt_name }}
{%- if ipv6_support -%},IP:{{ ansible_default_ipv6['address'] }}{%- endif -%} {%- if ipv6_support -%},IP:{{ ansible_default_ipv6['address'] }}{%- endif -%}
subjectAltName_USER: "email:{{ item }}@{{ openssl_constraint_random_id }}" subjectAltName_USER: email:{{ item }}@{{ openssl_constraint_random_id }}
nameConstraints: >- nameConstraints: >-
critical,permitted;{{ subjectAltName_type }}:{{ IP_subject_alt_name }}{{- '/255.255.255.255' if subjectAltName_type == 'IP' else '' -}} critical,permitted;{{ subjectAltName_type }}:{{ IP_subject_alt_name }}{{- '/255.255.255.255' if subjectAltName_type == 'IP' else '' -}}
{%- if subjectAltName_type == 'IP' -%} {%- if subjectAltName_type == 'IP' -%}

1
roles/strongswan/handlers/main.yml
View file

@ -1,3 +1,4 @@
---
- name: restart strongswan - name: restart strongswan
service: name={{ strongswan_service }} state=restarted service: name={{ strongswan_service }} state=restarted

13
roles/strongswan/tasks/distribute_keys.yml
View file

@ -1,5 +1,4 @@
--- ---
- name: Copy the keys to the strongswan directory - name: Copy the keys to the strongswan directory
copy: copy:
src: "{{ ipsec_pki_path }}/{{ item.src }}" src: "{{ ipsec_pki_path }}/{{ item.src }}"
@ -8,18 +7,18 @@
group: "{{ item.group }}" group: "{{ item.group }}"
mode: "{{ item.mode }}" mode: "{{ item.mode }}"
with_items: with_items:
- src: "cacert.pem" - src: cacert.pem
dest: "cacerts/ca.crt" dest: cacerts/ca.crt
owner: strongswan owner: strongswan
group: "{{ root_group|default('root') }}" group: "{{ root_group|default('root') }}"
mode: "0600" mode: "0600"
- src: "certs/{{ IP_subject_alt_name }}.crt" - src: certs/{{ IP_subject_alt_name }}.crt
dest: "certs/{{ IP_subject_alt_name }}.crt" dest: certs/{{ IP_subject_alt_name }}.crt
owner: strongswan owner: strongswan
group: "{{ root_group|default('root') }}" group: "{{ root_group|default('root') }}"
mode: "0600" mode: "0600"
- src: "private/{{ IP_subject_alt_name }}.key" - src: private/{{ IP_subject_alt_name }}.key
dest: "private/{{ IP_subject_alt_name }}.key" dest: private/{{ IP_subject_alt_name }}.key
owner: strongswan owner: strongswan
group: "{{ root_group|default('root') }}" group: "{{ root_group|default('root') }}"
mode: "0600" mode: "0600"

13
roles/strongswan/tasks/ipsec_configuration.yml
View file

@ -1,5 +1,4 @@
--- ---
- name: Setup the config files from our templates - name: Setup the config files from our templates
template: template:
src: "{{ item.src }}" src: "{{ item.src }}"
@ -9,22 +8,22 @@
mode: "{{ item.mode }}" mode: "{{ item.mode }}"
with_items: with_items:
- src: strongswan.conf.j2 - src: strongswan.conf.j2
dest: "strongswan.conf" dest: strongswan.conf
owner: root owner: root
group: "{{ root_group|default('root') }}" group: "{{ root_group|default('root') }}"
mode: "0644" mode: "0644"
- src: ipsec.conf.j2 - src: ipsec.conf.j2
dest: "ipsec.conf" dest: ipsec.conf
owner: root owner: root
group: "{{ root_group|default('root') }}" group: "{{ root_group|default('root') }}"
mode: "0644" mode: "0644"
- src: ipsec.secrets.j2 - src: ipsec.secrets.j2
dest: "ipsec.secrets" dest: ipsec.secrets
owner: strongswan owner: strongswan
group: "{{ root_group|default('root') }}" group: "{{ root_group|default('root') }}"
mode: "0600" mode: "0600"
- src: charon.conf.j2 - src: charon.conf.j2
dest: "strongswan.d/charon.conf" dest: strongswan.d/charon.conf
owner: root owner: root
group: "{{ root_group|default('root') }}" group: "{{ root_group|default('root') }}"
mode: "0644" mode: "0644"
@ -44,8 +43,8 @@
- name: Disable unneeded plugins - name: Disable unneeded plugins
lineinfile: lineinfile:
dest: "{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf" dest: "{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf"
regexp: '.*load.*' regexp: .*load.*
line: 'load = no' line: load = no
state: present state: present
notify: notify:
- restart strongswan - restart strongswan

2
roles/strongswan/tasks/main.yml
View file

@ -19,7 +19,7 @@
- import_tasks: distribute_keys.yml - import_tasks: distribute_keys.yml
- import_tasks: client_configs.yml - import_tasks: client_configs.yml
delegate_to: localhost delegate_to: localhost
become: no become: false
tags: update-users tags: update-users
- name: strongSwan started - name: strongSwan started

20
roles/strongswan/tasks/openssl.yml
View file

@ -12,8 +12,8 @@
file: file:
dest: "{{ ipsec_pki_path }}/{{ item }}" dest: "{{ ipsec_pki_path }}/{{ item }}"
state: directory state: directory
recurse: yes recurse: true
mode: '0700' mode: "0700"
with_items: with_items:
- ecparams - ecparams
- certs - certs
@ -27,8 +27,8 @@
file: file:
dest: "{{ ipsec_config_path }}/{{ item }}" dest: "{{ ipsec_config_path }}/{{ item }}"
state: directory state: directory
recurse: yes recurse: true
mode: '0700' mode: "0700"
with_items: with_items:
- apple - apple
- manual - manual
@ -38,11 +38,11 @@
dest: "{{ ipsec_pki_path }}/{{ item }}" dest: "{{ ipsec_pki_path }}/{{ item }}"
state: touch state: touch
with_items: with_items:
- ".rnd" - .rnd
- "private/.rnd" - private/.rnd
- "index.txt" - index.txt
- "index.txt.attr" - index.txt.attr
- "serial" - serial
- name: Generate the openssl server configs - name: Generate the openssl server configs
template: template:
@ -233,7 +233,7 @@
chdir: "{{ ipsec_pki_path }}" chdir: "{{ ipsec_pki_path }}"
executable: bash executable: bash
delegate_to: localhost delegate_to: localhost
become: no become: false
vars: vars:
ansible_python_interpreter: "{{ ansible_playbook_python }}" ansible_python_interpreter: "{{ ansible_playbook_python }}"

7
roles/strongswan/tasks/ubuntu.yml
View file

@ -2,20 +2,19 @@
- name: Set OS specific facts - name: Set OS specific facts
set_fact: set_fact:
strongswan_additional_plugins: [] strongswan_additional_plugins: []
- name: Ubuntu | Install strongSwan - name: Ubuntu | Install strongSwan
apt: apt:
name: strongswan name: strongswan
state: present state: present
update_cache: yes update_cache: true
install_recommends: yes install_recommends: true
- block: - block:
# https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1826238 # https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1826238
- name: Ubuntu | Charon profile for apparmor configured - name: Ubuntu | Charon profile for apparmor configured
copy: copy:
dest: /etc/apparmor.d/local/usr.lib.ipsec.charon dest: /etc/apparmor.d/local/usr.lib.ipsec.charon
content: ' capability setpcap,' content: " capability setpcap,"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644

5
roles/wireguard/defaults/main.yml
View file

@ -1,6 +1,6 @@
--- ---
wireguard_PersistentKeepalive: 0 wireguard_PersistentKeepalive: 0
wireguard_config_path: "configs/{{ IP_subject_alt_name }}/wireguard/" wireguard_config_path: configs/{{ IP_subject_alt_name }}/wireguard/
wireguard_pki_path: "{{ wireguard_config_path }}/.pki/" wireguard_pki_path: "{{ wireguard_config_path }}/.pki/"
wireguard_interface: wg0 wireguard_interface: wg0
wireguard_port_avoid: 53 wireguard_port_avoid: 53
@ -10,7 +10,8 @@ wireguard_dns_servers: >-
{% if algo_dns_adblocking|default(false)|bool or dns_encryption|default(false)|bool %} {% if algo_dns_adblocking|default(false)|bool or dns_encryption|default(false)|bool %}
{{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }} {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }}
{% else %} {% else %}
{% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %} {% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if
not loop.last %},{% endif %}{% endfor %}{% endif %}
{% endif %} {% endif %}
wireguard_client_ip: >- wireguard_client_ip: >-
{{ wireguard_network_ipv4 | ipmath(index|int+2) }} {{ wireguard_network_ipv4 | ipmath(index|int+2) }}

2
roles/wireguard/tasks/ubuntu.yml
View file

@ -7,5 +7,5 @@
- name: Set OS specific facts - name: Set OS specific facts
set_fact: set_fact:
service_name: "wg-quick@{{ wireguard_interface }}" service_name: wg-quick@{{ wireguard_interface }}
tags: always tags: always

9
server.yml
View file

@ -19,13 +19,13 @@
- block: - block:
- name: Ensure the config directory exists - name: Ensure the config directory exists
file: file:
dest: "configs/{{ IP_subject_alt_name }}" dest: configs/{{ IP_subject_alt_name }}
state: directory state: directory
mode: "0700" mode: "0700"
- name: Dump the ssh config - name: Dump the ssh config
copy: copy:
dest: "configs/{{ IP_subject_alt_name }}/ssh_config" dest: configs/{{ IP_subject_alt_name }}/ssh_config
mode: "0600" mode: "0600"
content: | content: |
Host {{ IP_subject_alt_name }} {{ algo_server_name }} Host {{ IP_subject_alt_name }} {{ algo_server_name }}
@ -46,8 +46,7 @@
- import_role: - import_role:
name: dns name: dns
when: when:
- algo_dns_adblocking or - algo_dns_adblocking or dns_encryption
dns_encryption
tags: dns tags: dns
- import_role: - import_role:
@ -68,7 +67,7 @@
- block: - block:
- name: Dump the configuration - name: Dump the configuration
copy: copy:
dest: "configs/{{ IP_subject_alt_name }}/.config.yml" dest: configs/{{ IP_subject_alt_name }}/.config.yml
content: | content: |
server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }} server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }}
server_user: {{ ansible_ssh_user }} server_user: {{ ansible_ssh_user }}

10
users.yml
View file

@ -1,6 +1,6 @@
--- ---
- hosts: localhost - hosts: localhost
gather_facts: False gather_facts: false
tags: always tags: always
vars_files: vars_files:
- config.cfg - config.cfg
@ -13,7 +13,7 @@
depth: 2 depth: 2
recurse: true recurse: true
hidden: true hidden: true
patterns: ".config.yml" patterns: .config.yml
register: _configs_list register: _configs_list
- name: Verify servers - name: Verify servers
@ -50,7 +50,7 @@
- name: Import host specific variables - name: Import host specific variables
include_vars: include_vars:
file: "configs/{{ algo_server }}/.config.yml" file: configs/{{ algo_server }}/.config.yml
- when: ipsec_enabled - when: ipsec_enabled
block: block:
@ -78,7 +78,7 @@
groups: vpn-host groups: vpn-host
ansible_ssh_user: "{{ server_user|default('root') }}" ansible_ssh_user: "{{ server_user|default('root') }}"
ansible_connection: "{% if algo_server == 'localhost' %}local{% else %}ssh{% endif %}" ansible_connection: "{% if algo_server == 'localhost' %}local{% else %}ssh{% endif %}"
ansible_python_interpreter: "/usr/bin/python3" ansible_python_interpreter: /usr/bin/python3
CA_password: "{{ CA_password|default(omit) }}" CA_password: "{{ CA_password|default(omit) }}"
rescue: rescue:
- include_tasks: playbooks/rescue.yml - include_tasks: playbooks/rescue.yml
@ -89,7 +89,7 @@
become: true become: true
vars_files: vars_files:
- config.cfg - config.cfg
- "configs/{{ inventory_hostname }}/.config.yml" - configs/{{ inventory_hostname }}/.config.yml
tasks: tasks:
- block: - block: