mirror of
https://github.com/trailofbits/algo.git
synced 2025-09-05 19:43:22 +02:00
Fix Jinja spacing linter issues correctly
- Add spacing in lookup('env', 'VAR') calls
- Fix spacing around pipe operators within Jinja expressions only
- Preserve YAML block scalar syntax (prompt: |)
- Fix array indexing spacing within Jinja expressions
- All changes pass yamllint and ansible-lint tests
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Dan Guido
parent
444a796462
commit
3af68d4298
40 changed files with 114 additions and 114 deletions
|
|
@ -42,7 +42,7 @@
|
||||||
|
|
||||||
- name: Set facts based on the input
|
- name: Set facts based on the input
|
||||||
set_fact:
|
set_fact:
|
||||||
algo_provider: "{{ provider | default(providers_map[_algo_provider.user_input|default(omit)|int - 1]['alias']) }}"
|
algo_provider: "{{ provider | default(providers_map[_algo_provider.user_input | default(omit) | int - 1]['alias']) }}"
|
||||||
|
|
||||||
- name: VPN server name prompt
|
- name: VPN server name prompt
|
||||||
pause:
|
pause:
|
||||||
|
|
@ -110,10 +110,10 @@
|
||||||
set_fact:
|
set_fact:
|
||||||
algo_server_name: >-
|
algo_server_name: >-
|
||||||
{% if server_name is defined %}{% set _server = server_name %}
|
{% if server_name is defined %}{% set _server = server_name %}
|
||||||
{%- elif _algo_server_name.user_input is defined and _algo_server_name.user_input|length > 0 -%}
|
{%- elif _algo_server_name.user_input is defined and _algo_server_name.user_input | length > 0 -%}
|
||||||
{%- set _server = _algo_server_name.user_input -%}
|
{%- set _server = _algo_server_name.user_input -%}
|
||||||
{%- else %}{% set _server = defaults['server_name'] %}{% endif -%}
|
{%- else %}{% set _server = defaults['server_name'] %}{% endif -%}
|
||||||
{{ _server | regex_replace('(?!\.)(\W|_)', '-') }}
|
{{ _server | regex_replace('(?!\.)(\W | _)', '-') }}
|
||||||
algo_ondemand_cellular: >-
|
algo_ondemand_cellular: >-
|
||||||
{% if ondemand_cellular is defined %}{{ ondemand_cellular | bool }}
|
{% if ondemand_cellular is defined %}{{ ondemand_cellular | bool }}
|
||||||
{%- elif _ondemand_cellular.user_input is defined %}{{ booleans_map[_ondemand_cellular.user_input] | default(defaults['ondemand_cellular']) }}
|
{%- elif _ondemand_cellular.user_input is defined %}{{ booleans_map[_ondemand_cellular.user_input] | default(defaults['ondemand_cellular']) }}
|
||||||
|
|
@ -124,7 +124,7 @@
|
||||||
{%- else %}false{% endif %}
|
{%- else %}false{% endif %}
|
||||||
algo_ondemand_wifi_exclude: >-
|
algo_ondemand_wifi_exclude: >-
|
||||||
{% if ondemand_wifi_exclude is defined %}{{ ondemand_wifi_exclude | b64encode }}
|
{% if ondemand_wifi_exclude is defined %}{{ ondemand_wifi_exclude | b64encode }}
|
||||||
{%- elif _ondemand_wifi_exclude.user_input is defined and _ondemand_wifi_exclude.user_input|length > 0 -%}
|
{%- elif _ondemand_wifi_exclude.user_input is defined and _ondemand_wifi_exclude.user_input | length > 0 -%}
|
||||||
{{ _ondemand_wifi_exclude.user_input | b64encode }}
|
{{ _ondemand_wifi_exclude.user_input | b64encode }}
|
||||||
{%- else %}{{ '_null' | b64encode }}{% endif %}
|
{%- else %}{{ '_null' | b64encode }}{% endif %}
|
||||||
algo_dns_adblocking: >-
|
algo_dns_adblocking: >-
|
||||||
|
|
|
||||||
|
|
@ -8,8 +8,8 @@
|
||||||
name: "{% if cloud_instance_ip == 'localhost' %}localhost{% else %}{{ cloud_instance_ip }}{% endif %}"
|
name: "{% if cloud_instance_ip == 'localhost' %}localhost{% else %}{{ cloud_instance_ip }}{% endif %}"
|
||||||
groups: vpn-host
|
groups: vpn-host
|
||||||
ansible_connection: "{% if cloud_instance_ip == 'localhost' %}local{% else %}ssh{% endif %}"
|
ansible_connection: "{% if cloud_instance_ip == 'localhost' %}local{% else %}ssh{% endif %}"
|
||||||
ansible_ssh_user: "{{ ansible_ssh_user|default('root') }}"
|
ansible_ssh_user: "{{ ansible_ssh_user | default('root') }}"
|
||||||
ansible_ssh_port: "{{ ansible_ssh_port|default(22) }}"
|
ansible_ssh_port: "{{ ansible_ssh_port | default(22) }}"
|
||||||
ansible_python_interpreter: /usr/bin/python3
|
ansible_python_interpreter: /usr/bin/python3
|
||||||
algo_provider: "{{ algo_provider }}"
|
algo_provider: "{{ algo_provider }}"
|
||||||
algo_server_name: "{{ algo_server_name }}"
|
algo_server_name: "{{ algo_server_name }}"
|
||||||
|
|
@ -21,7 +21,7 @@
|
||||||
algo_store_pki: "{{ algo_store_pki }}"
|
algo_store_pki: "{{ algo_store_pki }}"
|
||||||
IP_subject_alt_name: "{{ IP_subject_alt_name }}"
|
IP_subject_alt_name: "{{ IP_subject_alt_name }}"
|
||||||
alternative_ingress_ip: "{{ alternative_ingress_ip | default(omit) }}"
|
alternative_ingress_ip: "{{ alternative_ingress_ip | default(omit) }}"
|
||||||
cloudinit: "{{ cloudinit|default(false) }}"
|
cloudinit: "{{ cloudinit | default(false) }}"
|
||||||
|
|
||||||
- name: Additional variables for the server
|
- name: Additional variables for the server
|
||||||
add_host:
|
add_host:
|
||||||
|
|
@ -31,7 +31,7 @@
|
||||||
|
|
||||||
- name: Wait until SSH becomes ready...
|
- name: Wait until SSH becomes ready...
|
||||||
wait_for:
|
wait_for:
|
||||||
port: "{{ ansible_ssh_port|default(22) }}"
|
port: "{{ ansible_ssh_port | default(22) }}"
|
||||||
host: "{{ cloud_instance_ip }}"
|
host: "{{ cloud_instance_ip }}"
|
||||||
search_regex: OpenSSH
|
search_regex: OpenSSH
|
||||||
delay: 10
|
delay: 10
|
||||||
|
|
|
||||||
|
|
@ -1,9 +1,9 @@
|
||||||
---
|
---
|
||||||
- set_fact:
|
- set_fact:
|
||||||
secret: "{{ azure_secret | default(lookup('env','AZURE_SECRET'), true) }}"
|
secret: "{{ azure_secret | default(lookup('env', 'AZURE_SECRET'), true) }}"
|
||||||
tenant: "{{ azure_tenant | default(lookup('env','AZURE_TENANT'), true) }}"
|
tenant: "{{ azure_tenant | default(lookup('env', 'AZURE_TENANT'), true) }}"
|
||||||
client_id: "{{ azure_client_id | default(lookup('env','AZURE_CLIENT_ID'), true) }}"
|
client_id: "{{ azure_client_id | default(lookup('env', 'AZURE_CLIENT_ID'), true) }}"
|
||||||
subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_SUBSCRIPTION_ID'), true) }}"
|
subscription_id: "{{ azure_subscription_id | default(lookup('env', 'AZURE_SUBSCRIPTION_ID'), true) }}"
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: Set the default region
|
- name: Set the default region
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,7 @@
|
||||||
register: _cs_key
|
register: _cs_key
|
||||||
when:
|
when:
|
||||||
- cs_key is undefined
|
- cs_key is undefined
|
||||||
- lookup('env','CLOUDSTACK_KEY')|length <= 0
|
- lookup('env', 'CLOUDSTACK_KEY')|length <= 0
|
||||||
|
|
||||||
- pause:
|
- pause:
|
||||||
prompt: |
|
prompt: |
|
||||||
|
|
@ -16,7 +16,7 @@
|
||||||
register: _cs_secret
|
register: _cs_secret
|
||||||
when:
|
when:
|
||||||
- cs_secret is undefined
|
- cs_secret is undefined
|
||||||
- lookup('env','CLOUDSTACK_SECRET')|length <= 0
|
- lookup('env', 'CLOUDSTACK_SECRET')|length <= 0
|
||||||
|
|
||||||
- pause:
|
- pause:
|
||||||
prompt: |
|
prompt: |
|
||||||
|
|
@ -28,8 +28,8 @@
|
||||||
- lookup('env', 'CLOUDSTACK_ENDPOINT') | length <= 0
|
- lookup('env', 'CLOUDSTACK_ENDPOINT') | length <= 0
|
||||||
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
algo_cs_key: "{{ cs_key | default(_cs_key.user_input|default(None)) | default(lookup('env', 'CLOUDSTACK_KEY'), true) }}"
|
algo_cs_key: "{{ cs_key | default(_cs_key.user_input | default(None)) | default(lookup('env', 'CLOUDSTACK_KEY'), true) }}"
|
||||||
algo_cs_token: "{{ cs_secret | default(_cs_secret.user_input|default(None)) | default(lookup('env', 'CLOUDSTACK_SECRET'), true) }}"
|
algo_cs_token: "{{ cs_secret | default(_cs_secret.user_input | default(None)) | default(lookup('env', 'CLOUDSTACK_SECRET'), true) }}"
|
||||||
algo_cs_url: >-
|
algo_cs_url: >-
|
||||||
{{ cs_url | default(_cs_url.user_input|default(None)) |
|
{{ cs_url | default(_cs_url.user_input|default(None)) |
|
||||||
default(lookup('env', 'CLOUDSTACK_ENDPOINT'), true) |
|
default(lookup('env', 'CLOUDSTACK_ENDPOINT'), true) |
|
||||||
|
|
|
||||||
|
|
@ -6,11 +6,11 @@
|
||||||
register: _do_token
|
register: _do_token
|
||||||
when:
|
when:
|
||||||
- do_token is undefined
|
- do_token is undefined
|
||||||
- lookup('env','DO_API_TOKEN')|length <= 0
|
- lookup('env', 'DO_API_TOKEN')|length <= 0
|
||||||
|
|
||||||
- name: Set the token as a fact
|
- name: Set the token as a fact
|
||||||
set_fact:
|
set_fact:
|
||||||
algo_do_token: "{{ do_token | default(_do_token.user_input|default(None)) | default(lookup('env','DO_API_TOKEN'), true) }}"
|
algo_do_token: "{{ do_token | default(_do_token.user_input | default(None)) | default(lookup('env', 'DO_API_TOKEN'), true) }}"
|
||||||
|
|
||||||
- name: Get regions
|
- name: Get regions
|
||||||
uri:
|
uri:
|
||||||
|
|
|
||||||
|
|
@ -22,7 +22,7 @@
|
||||||
no_log: true
|
no_log: true
|
||||||
when:
|
when:
|
||||||
- aws_access_key is undefined
|
- aws_access_key is undefined
|
||||||
- lookup('env','AWS_ACCESS_KEY_ID')|length <= 0
|
- lookup('env', 'AWS_ACCESS_KEY_ID')|length <= 0
|
||||||
|
|
||||||
# Prompt for credentials if still not available
|
# Prompt for credentials if still not available
|
||||||
- pause:
|
- pause:
|
||||||
|
|
@ -33,7 +33,7 @@
|
||||||
register: _aws_access_key
|
register: _aws_access_key
|
||||||
when:
|
when:
|
||||||
- aws_access_key is undefined
|
- aws_access_key is undefined
|
||||||
- lookup('env','AWS_ACCESS_KEY_ID')|length <= 0
|
- lookup('env', 'AWS_ACCESS_KEY_ID')|length <= 0
|
||||||
- _file_access_key is undefined or _file_access_key|length <= 0
|
- _file_access_key is undefined or _file_access_key|length <= 0
|
||||||
|
|
||||||
- pause:
|
- pause:
|
||||||
|
|
@ -43,7 +43,7 @@
|
||||||
register: _aws_secret_key
|
register: _aws_secret_key
|
||||||
when:
|
when:
|
||||||
- aws_secret_key is undefined
|
- aws_secret_key is undefined
|
||||||
- lookup('env','AWS_SECRET_ACCESS_KEY')|length <= 0
|
- lookup('env', 'AWS_SECRET_ACCESS_KEY')|length <= 0
|
||||||
- _file_secret_key is undefined or _file_secret_key|length <= 0
|
- _file_secret_key is undefined or _file_secret_key|length <= 0
|
||||||
|
|
||||||
# Set final credentials with proper precedence
|
# Set final credentials with proper precedence
|
||||||
|
|
|
||||||
|
|
@ -29,7 +29,7 @@
|
||||||
ports:
|
ports:
|
||||||
- "500"
|
- "500"
|
||||||
- "4500"
|
- "4500"
|
||||||
- "{{ wireguard_port|string }}"
|
- "{{ wireguard_port | string }}"
|
||||||
- ip_protocol: tcp
|
- ip_protocol: tcp
|
||||||
ports:
|
ports:
|
||||||
- "{{ ssh_port }}"
|
- "{{ ssh_port }}"
|
||||||
|
|
@ -70,7 +70,7 @@
|
||||||
- network: "{{ gcp_compute_network }}"
|
- network: "{{ gcp_compute_network }}"
|
||||||
access_configs:
|
access_configs:
|
||||||
- name: "{{ algo_server_name }}"
|
- name: "{{ algo_server_name }}"
|
||||||
nat_ip: "{{ gcp_compute_address|default(None) }}"
|
nat_ip: "{{ gcp_compute_address | default(None) }}"
|
||||||
type: ONE_TO_ONE_NAT
|
type: ONE_TO_ONE_NAT
|
||||||
tags:
|
tags:
|
||||||
items:
|
items:
|
||||||
|
|
|
||||||
|
|
@ -6,20 +6,20 @@
|
||||||
register: _gce_credentials_file
|
register: _gce_credentials_file
|
||||||
when:
|
when:
|
||||||
- gce_credentials_file is undefined
|
- gce_credentials_file is undefined
|
||||||
- lookup('env','GCE_CREDENTIALS_FILE_PATH')|length <= 0
|
- lookup('env', 'GCE_CREDENTIALS_FILE_PATH')|length <= 0
|
||||||
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
credentials_file_path: >-
|
credentials_file_path: >-
|
||||||
{{ gce_credentials_file | default(_gce_credentials_file.user_input|default(None)) |
|
{{ gce_credentials_file | default(_gce_credentials_file.user_input|default(None)) |
|
||||||
default(lookup('env','GCE_CREDENTIALS_FILE_PATH'), true) }}
|
default(lookup('env', 'GCE_CREDENTIALS_FILE_PATH'), true) }}
|
||||||
ssh_public_key_lookup: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
|
ssh_public_key_lookup: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
|
||||||
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
credentials_file_lookup: "{{ lookup('file', '{{ credentials_file_path }}') }}"
|
credentials_file_lookup: "{{ lookup('file', '{{ credentials_file_path }}') }}"
|
||||||
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
service_account_email: "{{ credentials_file_lookup.client_email | default(lookup('env','GCE_EMAIL')) }}"
|
service_account_email: "{{ credentials_file_lookup.client_email | default(lookup('env', 'GCE_EMAIL')) }}"
|
||||||
project_id: "{{ credentials_file_lookup.project_id | default(lookup('env','GCE_PROJECT')) }}"
|
project_id: "{{ credentials_file_lookup.project_id | default(lookup('env', 'GCE_PROJECT')) }}"
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: Get regions
|
- name: Get regions
|
||||||
|
|
|
||||||
|
|
@ -6,11 +6,11 @@
|
||||||
register: _hcloud_token
|
register: _hcloud_token
|
||||||
when:
|
when:
|
||||||
- hcloud_token is undefined
|
- hcloud_token is undefined
|
||||||
- lookup('env','HCLOUD_TOKEN')|length <= 0
|
- lookup('env', 'HCLOUD_TOKEN')|length <= 0
|
||||||
|
|
||||||
- name: Set the token as a fact
|
- name: Set the token as a fact
|
||||||
set_fact:
|
set_fact:
|
||||||
algo_hcloud_token: "{{ hcloud_token | default(_hcloud_token.user_input|default(None)) | default(lookup('env','HCLOUD_TOKEN'), true) }}"
|
algo_hcloud_token: "{{ hcloud_token | default(_hcloud_token.user_input | default(None)) | default(lookup('env', 'HCLOUD_TOKEN'), true) }}"
|
||||||
|
|
||||||
- name: Get regions
|
- name: Get regions
|
||||||
hetzner.hcloud.datacenter_info:
|
hetzner.hcloud.datacenter_info:
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,7 @@
|
||||||
register: _aws_access_key
|
register: _aws_access_key
|
||||||
when:
|
when:
|
||||||
- aws_access_key is undefined
|
- aws_access_key is undefined
|
||||||
- lookup('env','AWS_ACCESS_KEY_ID')|length <= 0
|
- lookup('env', 'AWS_ACCESS_KEY_ID')|length <= 0
|
||||||
|
|
||||||
- pause:
|
- pause:
|
||||||
prompt: |
|
prompt: |
|
||||||
|
|
@ -16,11 +16,11 @@
|
||||||
register: _aws_secret_key
|
register: _aws_secret_key
|
||||||
when:
|
when:
|
||||||
- aws_secret_key is undefined
|
- aws_secret_key is undefined
|
||||||
- lookup('env','AWS_SECRET_ACCESS_KEY')|length <= 0
|
- lookup('env', 'AWS_SECRET_ACCESS_KEY')|length <= 0
|
||||||
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
access_key: "{{ aws_access_key | default(_aws_access_key.user_input|default(None)) | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}"
|
access_key: "{{ aws_access_key | default(_aws_access_key.user_input | default(None)) | default(lookup('env', 'AWS_ACCESS_KEY_ID'), true) }}"
|
||||||
secret_key: "{{ aws_secret_key | default(_aws_secret_key.user_input|default(None)) | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true) }}"
|
secret_key: "{{ aws_secret_key | default(_aws_secret_key.user_input | default(None)) | default(lookup('env', 'AWS_SECRET_ACCESS_KEY'), true) }}"
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: Get regions
|
- name: Get regions
|
||||||
|
|
@ -46,7 +46,7 @@
|
||||||
What region should the server be located in?
|
What region should the server be located in?
|
||||||
(https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/)
|
(https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/)
|
||||||
{% for r in lightsail_regions %}
|
{% for r in lightsail_regions %}
|
||||||
{{ (loop.index|string + '.').ljust(3) }} {{ r['name'].ljust(20) }} {{ r['displayName'] }}
|
{{ (loop.index | string + '.').ljust(3) }} {{ r['name'].ljust(20) }} {{ r['displayName'] }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
Enter the number of your desired region
|
Enter the number of your desired region
|
||||||
|
|
|
||||||
|
|
@ -6,11 +6,11 @@
|
||||||
register: _linode_token
|
register: _linode_token
|
||||||
when:
|
when:
|
||||||
- linode_token is undefined
|
- linode_token is undefined
|
||||||
- lookup('env','LINODE_API_TOKEN')|length <= 0
|
- lookup('env', 'LINODE_API_TOKEN')|length <= 0
|
||||||
|
|
||||||
- name: Set the token as a fact
|
- name: Set the token as a fact
|
||||||
set_fact:
|
set_fact:
|
||||||
algo_linode_token: "{{ linode_token | default(_linode_token.user_input|default(None)) | default(lookup('env','LINODE_API_TOKEN'), true) }}"
|
algo_linode_token: "{{ linode_token | default(_linode_token.user_input | default(None)) | default(lookup('env', 'LINODE_API_TOKEN'), true) }}"
|
||||||
|
|
||||||
- name: Get regions
|
- name: Get regions
|
||||||
uri:
|
uri:
|
||||||
|
|
|
||||||
|
|
@ -10,14 +10,14 @@
|
||||||
|
|
||||||
- name: Security group created
|
- name: Security group created
|
||||||
openstack.cloud.security_group:
|
openstack.cloud.security_group:
|
||||||
state: "{{ state|default('present') }}"
|
state: "{{ state | default('present') }}"
|
||||||
name: "{{ algo_server_name }}-security_group"
|
name: "{{ algo_server_name }}-security_group"
|
||||||
description: AlgoVPN security group
|
description: AlgoVPN security group
|
||||||
register: os_security_group
|
register: os_security_group
|
||||||
|
|
||||||
- name: Security rules created
|
- name: Security rules created
|
||||||
openstack.cloud.security_group_rule:
|
openstack.cloud.security_group_rule:
|
||||||
state: "{{ state|default('present') }}"
|
state: "{{ state | default('present') }}"
|
||||||
security_group: "{{ os_security_group.id }}"
|
security_group: "{{ os_security_group.id }}"
|
||||||
protocol: "{{ item.proto }}"
|
protocol: "{{ item.proto }}"
|
||||||
port_range_min: "{{ item.port_min }}"
|
port_range_min: "{{ item.port_min }}"
|
||||||
|
|
@ -67,7 +67,7 @@
|
||||||
|
|
||||||
- name: Server created
|
- name: Server created
|
||||||
openstack.cloud.server:
|
openstack.cloud.server:
|
||||||
state: "{{ state|default('present') }}"
|
state: "{{ state | default('present') }}"
|
||||||
name: "{{ algo_server_name }}"
|
name: "{{ algo_server_name }}"
|
||||||
image: "{{ image_id }}"
|
image: "{{ image_id }}"
|
||||||
flavor: "{{ flavor_id }}"
|
flavor: "{{ flavor_id }}"
|
||||||
|
|
|
||||||
|
|
@ -37,7 +37,7 @@
|
||||||
wait: true
|
wait: true
|
||||||
tags:
|
tags:
|
||||||
- Environment:Algo
|
- Environment:Algo
|
||||||
- AUTHORIZED_KEY={{ lookup('file', SSH_keys.public)|regex_replace(' ', '_') }}
|
- AUTHORIZED_KEY={{ lookup('file', SSH_keys.public) | regex_replace(' ', '_') }}
|
||||||
register: scaleway_compute
|
register: scaleway_compute
|
||||||
|
|
||||||
- name: Patch the cloud-init
|
- name: Patch the cloud-init
|
||||||
|
|
@ -64,7 +64,7 @@
|
||||||
wait: true
|
wait: true
|
||||||
tags:
|
tags:
|
||||||
- Environment:Algo
|
- Environment:Algo
|
||||||
- AUTHORIZED_KEY={{ lookup('file', SSH_keys.public)|regex_replace(' ', '_') }}
|
- AUTHORIZED_KEY={{ lookup('file', SSH_keys.public) | regex_replace(' ', '_') }}
|
||||||
register: algo_instance
|
register: algo_instance
|
||||||
until: algo_instance.msg.public_ip
|
until: algo_instance.msg.public_ip
|
||||||
retries: 3
|
retries: 3
|
||||||
|
|
|
||||||
|
|
@ -6,7 +6,7 @@
|
||||||
register: _scaleway_token
|
register: _scaleway_token
|
||||||
when:
|
when:
|
||||||
- scaleway_token is undefined
|
- scaleway_token is undefined
|
||||||
- lookup('env','SCW_TOKEN')|length <= 0
|
- lookup('env', 'SCW_TOKEN')|length <= 0
|
||||||
|
|
||||||
- pause:
|
- pause:
|
||||||
prompt: |
|
prompt: |
|
||||||
|
|
@ -22,7 +22,7 @@
|
||||||
|
|
||||||
- name: Set scaleway facts
|
- name: Set scaleway facts
|
||||||
set_fact:
|
set_fact:
|
||||||
algo_scaleway_token: "{{ scaleway_token | default(_scaleway_token.user_input) | default(lookup('env','SCW_TOKEN'), true) }}"
|
algo_scaleway_token: "{{ scaleway_token | default(_scaleway_token.user_input) | default(lookup('env', 'SCW_TOKEN'), true) }}"
|
||||||
algo_region: >-
|
algo_region: >-
|
||||||
{% if region is defined %}{{ region }}
|
{% if region is defined %}{{ region }}
|
||||||
{%- elif _algo_region.user_input %}{{ scaleway_regions[_algo_region.user_input | int -1 ]['alias'] }}
|
{%- elif _algo_region.user_input %}{{ scaleway_regions[_algo_region.user_input | int -1 ]['alias'] }}
|
||||||
|
|
|
||||||
|
|
@ -6,11 +6,11 @@
|
||||||
register: _vultr_config
|
register: _vultr_config
|
||||||
when:
|
when:
|
||||||
- vultr_config is undefined
|
- vultr_config is undefined
|
||||||
- lookup('env','VULTR_API_CONFIG')|length <= 0
|
- lookup('env', 'VULTR_API_CONFIG')|length <= 0
|
||||||
|
|
||||||
- name: Set the token as a fact
|
- name: Set the token as a fact
|
||||||
set_fact:
|
set_fact:
|
||||||
algo_vultr_config: "{{ vultr_config | default(_vultr_config.user_input) | default(lookup('env','VULTR_API_CONFIG'), true) }}"
|
algo_vultr_config: "{{ vultr_config | default(_vultr_config.user_input) | default(lookup('env', 'VULTR_API_CONFIG'), true) }}"
|
||||||
|
|
||||||
- name: Set the Vultr API Key as a fact
|
- name: Set the Vultr API Key as a fact
|
||||||
set_fact:
|
set_fact:
|
||||||
|
|
|
||||||
|
|
@ -6,4 +6,4 @@ snat_aipv4: false
|
||||||
ipv6_default: "{{ ansible_default_ipv6.address + '/' + ansible_default_ipv6.prefix }}"
|
ipv6_default: "{{ ansible_default_ipv6.address + '/' + ansible_default_ipv6.prefix }}"
|
||||||
ipv6_subnet_size: "{{ ipv6_default | ansible.utils.ipaddr('size') }}"
|
ipv6_subnet_size: "{{ ipv6_default | ansible.utils.ipaddr('size') }}"
|
||||||
ipv6_egress_ip: >-
|
ipv6_egress_ip: >-
|
||||||
{{ (ipv6_default | ansible.utils.next_nth_usable(15 | random(seed=algo_server_name + ansible_fqdn))) + '/124' if ipv6_subnet_size|int > 1 else ipv6_default }}
|
{{ (ipv6_default | ansible.utils.next_nth_usable(15 | random(seed=algo_server_name + ansible_fqdn))) + '/124' if ipv6_subnet_size | int > 1 else ipv6_default }}
|
||||||
|
|
|
||||||
|
|
@ -1,12 +1,12 @@
|
||||||
---
|
---
|
||||||
- name: Define facts
|
- name: Define facts
|
||||||
set_fact:
|
set_fact:
|
||||||
p12_export_password: "{{ p12_password|default(lookup('password', '/dev/null length=9 chars=ascii_letters,digits,_,@')) }}"
|
p12_export_password: "{{ p12_password | default(lookup('password', '/dev/null length=9 chars=ascii_letters,digits,_,@')) }}"
|
||||||
tags: update-users
|
tags: update-users
|
||||||
|
|
||||||
- name: Set facts
|
- name: Set facts
|
||||||
set_fact:
|
set_fact:
|
||||||
CA_password: "{{ ca_password|default(lookup('password', '/dev/null length=16 chars=ascii_letters,digits,_,@')) }}"
|
CA_password: "{{ ca_password | default(lookup('password', '/dev/null length=16 chars=ascii_letters,digits,_,@')) }}"
|
||||||
IP_subject_alt_name: "{{ IP_subject_alt_name }}"
|
IP_subject_alt_name: "{{ IP_subject_alt_name }}"
|
||||||
|
|
||||||
- name: Set IPv6 support as a fact
|
- name: Set IPv6 support as a fact
|
||||||
|
|
@ -16,5 +16,5 @@
|
||||||
|
|
||||||
- name: Check size of MTU
|
- name: Check size of MTU
|
||||||
set_fact:
|
set_fact:
|
||||||
reduce_mtu: "{{ 1500 - ansible_default_ipv4['mtu']|int if reduce_mtu|int == 0 and ansible_default_ipv4['mtu']|int < 1500 else reduce_mtu|int }}"
|
reduce_mtu: "{{ 1500 - ansible_default_ipv4['mtu'] | int if reduce_mtu | int == 0 and ansible_default_ipv4['mtu'] | int < 1500 else reduce_mtu | int }}"
|
||||||
tags: always
|
tags: always
|
||||||
|
|
|
||||||
|
|
@ -19,7 +19,7 @@
|
||||||
sysctl: name="{{ item.item }}" value="{{ item.value }}"
|
sysctl: name="{{ item.item }}" value="{{ item.value }}"
|
||||||
when: item.item
|
when: item.item
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ sysctl|default([]) }}"
|
- "{{ sysctl | default([]) }}"
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -140,7 +140,7 @@
|
||||||
|
|
||||||
- name: Install tools (legacy method)
|
- name: Install tools (legacy method)
|
||||||
apt:
|
apt:
|
||||||
name: "{{ tools|default([]) }}"
|
name: "{{ tools | default([]) }}"
|
||||||
state: present
|
state: present
|
||||||
update_cache: true
|
update_cache: true
|
||||||
when:
|
when:
|
||||||
|
|
|
||||||
|
|
@ -64,7 +64,7 @@ Unattended-Upgrade::Remove-Unused-Dependencies "true";
|
||||||
|
|
||||||
// Automatically reboot *WITHOUT CONFIRMATION*
|
// Automatically reboot *WITHOUT CONFIRMATION*
|
||||||
// if the file /var/run/reboot-required is found after the upgrade
|
// if the file /var/run/reboot-required is found after the upgrade
|
||||||
Unattended-Upgrade::Automatic-Reboot "{{ unattended_reboot.enabled|lower }}";
|
Unattended-Upgrade::Automatic-Reboot "{{ unattended_reboot.enabled | lower }}";
|
||||||
|
|
||||||
// If automatic reboot is enabled and needed, reboot at the specific
|
// If automatic reboot is enabled and needed, reboot at the specific
|
||||||
// time instead of immediately
|
// time instead of immediately
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
{% set subnets = ([strongswan_network] if ipsec_enabled else []) + ([wireguard_network_ipv4] if wireguard_enabled else []) %}
|
{% set subnets = ([strongswan_network] if ipsec_enabled else []) + ([wireguard_network_ipv4] if wireguard_enabled else []) %}
|
||||||
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_actual] if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int else []) %}
|
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_actual] if wireguard_enabled and wireguard_port | int == wireguard_port_avoid | int else []) %}
|
||||||
|
|
||||||
#### The mangle table
|
#### The mangle table
|
||||||
# This table allows us to modify packet headers
|
# This table allows us to modify packet headers
|
||||||
|
|
@ -13,8 +13,8 @@
|
||||||
:OUTPUT ACCEPT [0:0]
|
:OUTPUT ACCEPT [0:0]
|
||||||
:POSTROUTING ACCEPT [0:0]
|
:POSTROUTING ACCEPT [0:0]
|
||||||
|
|
||||||
{% if reduce_mtu|int > 0 and ipsec_enabled %}
|
{% if reduce_mtu | int > 0 and ipsec_enabled %}
|
||||||
-A FORWARD -s {{ strongswan_network }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ 1360 - reduce_mtu|int }}
|
-A FORWARD -s {{ strongswan_network }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ 1360 - reduce_mtu | int }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
COMMIT
|
COMMIT
|
||||||
|
|
@ -29,14 +29,14 @@ COMMIT
|
||||||
:PREROUTING ACCEPT [0:0]
|
:PREROUTING ACCEPT [0:0]
|
||||||
:POSTROUTING ACCEPT [0:0]
|
:POSTROUTING ACCEPT [0:0]
|
||||||
|
|
||||||
{% if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int %}
|
{% if wireguard_enabled and wireguard_port | int == wireguard_port_avoid | int %}
|
||||||
# Handle the special case of allowing access to WireGuard over an already used
|
# Handle the special case of allowing access to WireGuard over an already used
|
||||||
# port like 53
|
# port like 53
|
||||||
-A PREROUTING -s {{ subnets|join(',') }} -p udp --dport {{ wireguard_port_avoid }} -j RETURN
|
-A PREROUTING -s {{ subnets | join(',') }} -p udp --dport {{ wireguard_port_avoid }} -j RETURN
|
||||||
-A PREROUTING --in-interface {{ ansible_default_ipv4['interface'] }} -p udp --dport {{ wireguard_port_avoid }} -j REDIRECT --to-port {{ wireguard_port_actual }}
|
-A PREROUTING --in-interface {{ ansible_default_ipv4['interface'] }} -p udp --dport {{ wireguard_port_avoid }} -j REDIRECT --to-port {{ wireguard_port_actual }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
# Allow traffic from the VPN network to the outside world, and replies
|
# Allow traffic from the VPN network to the outside world, and replies
|
||||||
-A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out {{ '-j SNAT --to ' + snat_aipv4 if snat_aipv4 else '-j MASQUERADE' }}
|
-A POSTROUTING -s {{ subnets | join(',') }} -m policy --pol none --dir out {{ '-j SNAT --to ' + snat_aipv4 if snat_aipv4 else '-j MASQUERADE' }}
|
||||||
|
|
||||||
|
|
||||||
COMMIT
|
COMMIT
|
||||||
|
|
@ -63,8 +63,8 @@ COMMIT
|
||||||
-A INPUT -p ah -j ACCEPT
|
-A INPUT -p ah -j ACCEPT
|
||||||
# rate limit ICMP traffic per source
|
# rate limit ICMP traffic per source
|
||||||
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
|
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
|
||||||
# Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }}
|
# Accept IPSEC/WireGuard traffic to ports {{ subnets | join(',') }}
|
||||||
-A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT
|
-A INPUT -p udp -m multiport --dports {{ ports | join(',') }} -j ACCEPT
|
||||||
# Allow new traffic to port {{ ansible_ssh_port }} (SSH)
|
# Allow new traffic to port {{ ansible_ssh_port }} (SSH)
|
||||||
-A INPUT -p tcp --dport {{ ansible_ssh_port }} -m conntrack --ctstate NEW -j ACCEPT
|
-A INPUT -p tcp --dport {{ ansible_ssh_port }} -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
|
|
@ -82,12 +82,12 @@ COMMIT
|
||||||
-A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT
|
-A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT
|
||||||
|
|
||||||
# Drop traffic between VPN clients
|
# Drop traffic between VPN clients
|
||||||
-A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
|
-A FORWARD -s {{ subnets | join(',') }} -d {{ subnets | join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
|
||||||
# Drop traffic to VPN clients from SSH tunnels
|
# Drop traffic to VPN clients from SSH tunnels
|
||||||
-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
|
-A OUTPUT -d {{ subnets | join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
|
||||||
|
|
||||||
# Drop traffic to the link-local network
|
# Drop traffic to the link-local network
|
||||||
-A FORWARD -s {{ subnets|join(',') }} -d 169.254.0.0/16 -j DROP
|
-A FORWARD -s {{ subnets | join(',') }} -d 169.254.0.0/16 -j DROP
|
||||||
# Drop traffic to the link-local network from SSH tunnels
|
# Drop traffic to the link-local network from SSH tunnels
|
||||||
-A OUTPUT -d 169.254.0.0/16 -m owner --gid-owner 15000 -j DROP
|
-A OUTPUT -d 169.254.0.0/16 -m owner --gid-owner 15000 -j DROP
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
||||||
{% set subnets = ([strongswan_network_ipv6] if ipsec_enabled else []) + ([wireguard_network_ipv6] if wireguard_enabled else []) %}
|
{% set subnets = ([strongswan_network_ipv6] if ipsec_enabled else []) + ([wireguard_network_ipv6] if wireguard_enabled else []) %}
|
||||||
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_actual] if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int else []) %}
|
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_actual] if wireguard_enabled and wireguard_port | int == wireguard_port_avoid | int else []) %}
|
||||||
|
|
||||||
#### The mangle table
|
#### The mangle table
|
||||||
# This table allows us to modify packet headers
|
# This table allows us to modify packet headers
|
||||||
|
|
@ -13,8 +13,8 @@
|
||||||
:OUTPUT ACCEPT [0:0]
|
:OUTPUT ACCEPT [0:0]
|
||||||
:POSTROUTING ACCEPT [0:0]
|
:POSTROUTING ACCEPT [0:0]
|
||||||
|
|
||||||
{% if reduce_mtu|int > 0 and ipsec_enabled %}
|
{% if reduce_mtu | int > 0 and ipsec_enabled %}
|
||||||
-A FORWARD -s {{ strongswan_network_ipv6 }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ 1340 - reduce_mtu|int }}
|
-A FORWARD -s {{ strongswan_network_ipv6 }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ 1340 - reduce_mtu | int }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
COMMIT
|
COMMIT
|
||||||
|
|
@ -28,14 +28,14 @@ COMMIT
|
||||||
:PREROUTING ACCEPT [0:0]
|
:PREROUTING ACCEPT [0:0]
|
||||||
:POSTROUTING ACCEPT [0:0]
|
:POSTROUTING ACCEPT [0:0]
|
||||||
|
|
||||||
{% if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int %}
|
{% if wireguard_enabled and wireguard_port | int == wireguard_port_avoid | int %}
|
||||||
# Handle the special case of allowing access to WireGuard over an already used
|
# Handle the special case of allowing access to WireGuard over an already used
|
||||||
# port like 53
|
# port like 53
|
||||||
-A PREROUTING -s {{ subnets|join(',') }} -p udp --dport {{ wireguard_port_avoid }} -j RETURN
|
-A PREROUTING -s {{ subnets | join(',') }} -p udp --dport {{ wireguard_port_avoid }} -j RETURN
|
||||||
-A PREROUTING --in-interface {{ ansible_default_ipv6['interface'] }} -p udp --dport {{ wireguard_port_avoid }} -j REDIRECT --to-port {{ wireguard_port_actual }}
|
-A PREROUTING --in-interface {{ ansible_default_ipv6['interface'] }} -p udp --dport {{ wireguard_port_avoid }} -j REDIRECT --to-port {{ wireguard_port_actual }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
# Allow traffic from the VPN network to the outside world, and replies
|
# Allow traffic from the VPN network to the outside world, and replies
|
||||||
-A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out {{ '-j SNAT --to ' + ipv6_egress_ip | ansible.utils.ipaddr('address') if alternative_ingress_ip else '-j MASQUERADE' }}
|
-A POSTROUTING -s {{ subnets | join(',') }} -m policy --pol none --dir out {{ '-j SNAT --to ' + ipv6_egress_ip | ansible.utils.ipaddr('address') if alternative_ingress_ip else '-j MASQUERADE' }}
|
||||||
|
|
||||||
COMMIT
|
COMMIT
|
||||||
|
|
||||||
|
|
@ -69,8 +69,8 @@ COMMIT
|
||||||
-A INPUT -m ah -j ACCEPT
|
-A INPUT -m ah -j ACCEPT
|
||||||
# rate limit ICMP traffic per source
|
# rate limit ICMP traffic per source
|
||||||
-A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
|
-A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
|
||||||
# Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }}
|
# Accept IPSEC/WireGuard traffic to ports {{ subnets | join(',') }}
|
||||||
-A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT
|
-A INPUT -p udp -m multiport --dports {{ ports | join(',') }} -j ACCEPT
|
||||||
# Allow new traffic to port {{ ansible_ssh_port }} (SSH)
|
# Allow new traffic to port {{ ansible_ssh_port }} (SSH)
|
||||||
-A INPUT -p tcp --dport {{ ansible_ssh_port }} -m conntrack --ctstate NEW -j ACCEPT
|
-A INPUT -p tcp --dport {{ ansible_ssh_port }} -m conntrack --ctstate NEW -j ACCEPT
|
||||||
|
|
||||||
|
|
@ -92,9 +92,9 @@ COMMIT
|
||||||
-A INPUT -d {{ local_service_ipv6 }}/128 -p udp --dport 53 -j ACCEPT
|
-A INPUT -d {{ local_service_ipv6 }}/128 -p udp --dport 53 -j ACCEPT
|
||||||
|
|
||||||
# Drop traffic between VPN clients
|
# Drop traffic between VPN clients
|
||||||
-A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
|
-A FORWARD -s {{ subnets | join(',') }} -d {{ subnets | join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
|
||||||
# Drop traffic to VPN clients from SSH tunnels
|
# Drop traffic to VPN clients from SSH tunnels
|
||||||
-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
|
-A OUTPUT -d {{ subnets | join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
|
||||||
|
|
||||||
-A FORWARD -j ICMPV6-CHECK
|
-A FORWARD -j ICMPV6-CHECK
|
||||||
-A FORWARD -p tcp --dport 445 -j {{ "DROP" if block_smb else "ACCEPT" }}
|
-A FORWARD -p tcp --dport 445 -j {{ "DROP" if block_smb else "ACCEPT" }}
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,7 @@
|
||||||
src: adblock.sh.j2
|
src: adblock.sh.j2
|
||||||
dest: /usr/local/sbin/adblock.sh
|
dest: /usr/local/sbin/adblock.sh
|
||||||
owner: root
|
owner: root
|
||||||
group: "{{ root_group|default('root') }}"
|
group: "{{ root_group | default('root') }}"
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
- name: Adblock script added to cron
|
- name: Adblock script added to cron
|
||||||
|
|
|
||||||
|
|
@ -7,14 +7,14 @@
|
||||||
- name: dnscrypt-proxy ip-blacklist configured
|
- name: dnscrypt-proxy ip-blacklist configured
|
||||||
template:
|
template:
|
||||||
src: ip-blacklist.txt.j2
|
src: ip-blacklist.txt.j2
|
||||||
dest: "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/ip-blacklist.txt"
|
dest: "{{ config_prefix | default('/') }}etc/dnscrypt-proxy/ip-blacklist.txt"
|
||||||
notify:
|
notify:
|
||||||
- restart dnscrypt-proxy
|
- restart dnscrypt-proxy
|
||||||
|
|
||||||
- name: dnscrypt-proxy configured
|
- name: dnscrypt-proxy configured
|
||||||
template:
|
template:
|
||||||
src: dnscrypt-proxy.toml.j2
|
src: dnscrypt-proxy.toml.j2
|
||||||
dest: "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/dnscrypt-proxy.toml"
|
dest: "{{ config_prefix | default('/') }}etc/dnscrypt-proxy/dnscrypt-proxy.toml"
|
||||||
notify:
|
notify:
|
||||||
- restart dnscrypt-proxy
|
- restart dnscrypt-proxy
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -5,7 +5,7 @@ TEMP="$(mktemp)"
|
||||||
TEMP_SORTED="$(mktemp)"
|
TEMP_SORTED="$(mktemp)"
|
||||||
WHITELIST="/etc/dnscrypt-proxy/white.list"
|
WHITELIST="/etc/dnscrypt-proxy/white.list"
|
||||||
BLACKLIST="/etc/dnscrypt-proxy/black.list"
|
BLACKLIST="/etc/dnscrypt-proxy/black.list"
|
||||||
BLOCKHOSTS="{{ config_prefix|default('/') }}etc/dnscrypt-proxy/blacklist.txt"
|
BLOCKHOSTS="{{ config_prefix | default('/') }}etc/dnscrypt-proxy/blacklist.txt"
|
||||||
BLOCKLIST_URLS="{% for url in adblock_lists %}{{ url }} {% endfor %}"
|
BLOCKLIST_URLS="{% for url in adblock_lists %}{{ url }} {% endfor %}"
|
||||||
|
|
||||||
#Delete the old block.hosts to make room for the updates
|
#Delete the old block.hosts to make room for the updates
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,3 @@
|
||||||
---
|
---
|
||||||
- name: restart ssh
|
- name: restart ssh
|
||||||
service: name="{{ ssh_service_name|default('ssh') }}" state=restarted
|
service: name="{{ ssh_service_name | default('ssh') }}" state=restarted
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0755
|
mode: 0755
|
||||||
owner: root
|
owner: root
|
||||||
group: "{{ root_group|default('root') }}"
|
group: "{{ root_group | default('root') }}"
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: Ensure that the SSH users exist
|
- name: Ensure that the SSH users exist
|
||||||
|
|
@ -67,7 +67,7 @@
|
||||||
passphrase: "{{ p12_export_password }}"
|
passphrase: "{{ p12_export_password }}"
|
||||||
cipher: auto
|
cipher: auto
|
||||||
force: false
|
force: false
|
||||||
no_log: "{{ algo_no_log|bool }}"
|
no_log: "{{ algo_no_log | bool }}"
|
||||||
when: not item.stat.exists
|
when: not item.stat.exists
|
||||||
with_items: "{{ privatekey.results }}"
|
with_items: "{{ privatekey.results }}"
|
||||||
register: openssl_privatekey
|
register: openssl_privatekey
|
||||||
|
|
@ -79,7 +79,7 @@
|
||||||
privatekey_passphrase: "{{ p12_export_password }}"
|
privatekey_passphrase: "{{ p12_export_password }}"
|
||||||
format: OpenSSH
|
format: OpenSSH
|
||||||
force: true
|
force: true
|
||||||
no_log: "{{ algo_no_log|bool }}"
|
no_log: "{{ algo_no_log | bool }}"
|
||||||
when: item.changed
|
when: item.changed
|
||||||
with_items: "{{ openssl_privatekey.results }}"
|
with_items: "{{ openssl_privatekey.results }}"
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -17,7 +17,7 @@ openssl_constraint_random_id: "{{ IP_subject_alt_name | to_uuid }}.algo"
|
||||||
# Subject Alternative Name (SAN) configuration - CRITICAL for client compatibility
|
# Subject Alternative Name (SAN) configuration - CRITICAL for client compatibility
|
||||||
# Modern clients (especially macOS/iOS) REQUIRE SAN extension in server certificates
|
# Modern clients (especially macOS/iOS) REQUIRE SAN extension in server certificates
|
||||||
# Without SAN, IKEv2 connections will fail with certificate validation errors
|
# Without SAN, IKEv2 connections will fail with certificate validation errors
|
||||||
subjectAltName_type: "{{ 'DNS' if IP_subject_alt_name|regex_search('[a-z]') else 'IP' }}"
|
subjectAltName_type: "{{ 'DNS' if IP_subject_alt_name | regex_search('[a-z]') else 'IP' }}"
|
||||||
subjectAltName: >-
|
subjectAltName: >-
|
||||||
{{ subjectAltName_type }}:{{ IP_subject_alt_name }}
|
{{ subjectAltName_type }}:{{ IP_subject_alt_name }}
|
||||||
{%- if ipv6_support -%},IP:{{ ansible_default_ipv6['address'] }}{%- endif -%}
|
{%- if ipv6_support -%},IP:{{ ansible_default_ipv6['address'] }}{%- endif -%}
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@
|
||||||
with_together:
|
with_together:
|
||||||
- "{{ users }}"
|
- "{{ users }}"
|
||||||
- "{{ PayloadContent.results }}"
|
- "{{ PayloadContent.results }}"
|
||||||
no_log: "{{ algo_no_log|bool }}"
|
no_log: "{{ algo_no_log | bool }}"
|
||||||
|
|
||||||
- name: Build the client ipsec config file
|
- name: Build the client ipsec config file
|
||||||
template:
|
template:
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
- name: Copy the keys to the strongswan directory
|
- name: Copy the keys to the strongswan directory
|
||||||
copy:
|
copy:
|
||||||
src: "{{ ipsec_pki_path }}/{{ item.src }}"
|
src: "{{ ipsec_pki_path }}/{{ item.src }}"
|
||||||
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/{{ item.dest }}"
|
dest: "{{ config_prefix | default('/') }}etc/ipsec.d/{{ item.dest }}"
|
||||||
owner: "{{ item.owner }}"
|
owner: "{{ item.owner }}"
|
||||||
group: "{{ item.group }}"
|
group: "{{ item.group }}"
|
||||||
mode: "{{ item.mode }}"
|
mode: "{{ item.mode }}"
|
||||||
|
|
@ -10,17 +10,17 @@
|
||||||
- src: cacert.pem
|
- src: cacert.pem
|
||||||
dest: cacerts/ca.crt
|
dest: cacerts/ca.crt
|
||||||
owner: strongswan
|
owner: strongswan
|
||||||
group: "{{ root_group|default('root') }}"
|
group: "{{ root_group | default('root') }}"
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
- src: certs/{{ IP_subject_alt_name }}.crt
|
- src: certs/{{ IP_subject_alt_name }}.crt
|
||||||
dest: certs/{{ IP_subject_alt_name }}.crt
|
dest: certs/{{ IP_subject_alt_name }}.crt
|
||||||
owner: strongswan
|
owner: strongswan
|
||||||
group: "{{ root_group|default('root') }}"
|
group: "{{ root_group | default('root') }}"
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
- src: private/{{ IP_subject_alt_name }}.key
|
- src: private/{{ IP_subject_alt_name }}.key
|
||||||
dest: private/{{ IP_subject_alt_name }}.key
|
dest: private/{{ IP_subject_alt_name }}.key
|
||||||
owner: strongswan
|
owner: strongswan
|
||||||
group: "{{ root_group|default('root') }}"
|
group: "{{ root_group | default('root') }}"
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
notify:
|
notify:
|
||||||
- restart strongswan
|
- restart strongswan
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
- name: Setup the config files from our templates
|
- name: Setup the config files from our templates
|
||||||
template:
|
template:
|
||||||
src: "{{ item.src }}"
|
src: "{{ item.src }}"
|
||||||
dest: "{{ config_prefix|default('/') }}etc/{{ item.dest }}"
|
dest: "{{ config_prefix | default('/') }}etc/{{ item.dest }}"
|
||||||
owner: "{{ item.owner }}"
|
owner: "{{ item.owner }}"
|
||||||
group: "{{ item.group }}"
|
group: "{{ item.group }}"
|
||||||
mode: "{{ item.mode }}"
|
mode: "{{ item.mode }}"
|
||||||
|
|
@ -10,22 +10,22 @@
|
||||||
- src: strongswan.conf.j2
|
- src: strongswan.conf.j2
|
||||||
dest: strongswan.conf
|
dest: strongswan.conf
|
||||||
owner: root
|
owner: root
|
||||||
group: "{{ root_group|default('root') }}"
|
group: "{{ root_group | default('root') }}"
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
- src: ipsec.conf.j2
|
- src: ipsec.conf.j2
|
||||||
dest: ipsec.conf
|
dest: ipsec.conf
|
||||||
owner: root
|
owner: root
|
||||||
group: "{{ root_group|default('root') }}"
|
group: "{{ root_group | default('root') }}"
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
- src: ipsec.secrets.j2
|
- src: ipsec.secrets.j2
|
||||||
dest: ipsec.secrets
|
dest: ipsec.secrets
|
||||||
owner: strongswan
|
owner: strongswan
|
||||||
group: "{{ root_group|default('root') }}"
|
group: "{{ root_group | default('root') }}"
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
- src: charon.conf.j2
|
- src: charon.conf.j2
|
||||||
dest: strongswan.d/charon.conf
|
dest: strongswan.d/charon.conf
|
||||||
owner: root
|
owner: root
|
||||||
group: "{{ root_group|default('root') }}"
|
group: "{{ root_group | default('root') }}"
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
notify:
|
notify:
|
||||||
- restart strongswan
|
- restart strongswan
|
||||||
|
|
@ -33,7 +33,7 @@
|
||||||
- name: Get loaded plugins
|
- name: Get loaded plugins
|
||||||
shell: |
|
shell: |
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
find {{ config_prefix|default('/') }}etc/strongswan.d/charon/ -type f -name '*.conf' -exec basename {} \; |
|
find {{ config_prefix | default('/') }}etc/strongswan.d/charon/ -type f -name '*.conf' -exec basename {} \; |
|
||||||
cut -f1 -d.
|
cut -f1 -d.
|
||||||
changed_when: false
|
changed_when: false
|
||||||
args:
|
args:
|
||||||
|
|
@ -42,7 +42,7 @@
|
||||||
|
|
||||||
- name: Disable unneeded plugins
|
- name: Disable unneeded plugins
|
||||||
lineinfile:
|
lineinfile:
|
||||||
dest: "{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf"
|
dest: "{{ config_prefix | default('/') }}etc/strongswan.d/charon/{{ item }}.conf"
|
||||||
regexp: .*load.*
|
regexp: .*load.*
|
||||||
line: load = no
|
line: load = no
|
||||||
state: present
|
state: present
|
||||||
|
|
@ -52,7 +52,7 @@
|
||||||
with_items: "{{ strongswan_plugins.stdout_lines }}"
|
with_items: "{{ strongswan_plugins.stdout_lines }}"
|
||||||
|
|
||||||
- name: Ensure that required plugins are enabled
|
- name: Ensure that required plugins are enabled
|
||||||
lineinfile: dest="{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = yes' state=present
|
lineinfile: dest="{{ config_prefix | default('/') }}etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = yes' state=present
|
||||||
notify:
|
notify:
|
||||||
- restart strongswan
|
- restart strongswan
|
||||||
when: item in strongswan_enabled_plugins or item in strongswan_additional_plugins
|
when: item in strongswan_enabled_plugins or item in strongswan_additional_plugins
|
||||||
|
|
|
||||||
|
|
@ -269,6 +269,6 @@
|
||||||
- name: Copy the CRL to the vpn server
|
- name: Copy the CRL to the vpn server
|
||||||
copy:
|
copy:
|
||||||
src: "{{ ipsec_pki_path }}/crl.pem"
|
src: "{{ ipsec_pki_path }}/crl.pem"
|
||||||
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/algo.root.pem"
|
dest: "{{ config_prefix | default('/') }}etc/ipsec.d/crls/algo.root.pem"
|
||||||
notify:
|
notify:
|
||||||
- rereadcrls
|
- rereadcrls
|
||||||
|
|
|
||||||
|
|
@ -13,8 +13,8 @@
|
||||||
<key>OnDemandRules</key>
|
<key>OnDemandRules</key>
|
||||||
<array>
|
<array>
|
||||||
{% if algo_ondemand_wifi or algo_ondemand_cellular %}
|
{% if algo_ondemand_wifi or algo_ondemand_cellular %}
|
||||||
{% if algo_ondemand_wifi_exclude|b64decode != '_null' %}
|
{% if algo_ondemand_wifi_exclude | b64decode != '_null' %}
|
||||||
{% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|b64decode|string).split(',') %}
|
{% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude | b64decode | string).split(',') %}
|
||||||
<dict>
|
<dict>
|
||||||
<key>Action</key>
|
<key>Action</key>
|
||||||
<string>Disconnect</string>
|
<string>Disconnect</string>
|
||||||
|
|
@ -23,7 +23,7 @@
|
||||||
<key>SSIDMatch</key>
|
<key>SSIDMatch</key>
|
||||||
<array>
|
<array>
|
||||||
{% for network_name in WIFI_EXCLUDE_LIST %}
|
{% for network_name in WIFI_EXCLUDE_LIST %}
|
||||||
<string>{{ network_name|e }}</string>
|
<string>{{ network_name | e }}</string>
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
</array>
|
</array>
|
||||||
</dict>
|
</dict>
|
||||||
|
|
|
||||||
|
|
@ -7,15 +7,15 @@ wireguard_port_avoid: 53
|
||||||
wireguard_port_actual: 51820
|
wireguard_port_actual: 51820
|
||||||
keys_clean_all: false
|
keys_clean_all: false
|
||||||
wireguard_dns_servers: >-
|
wireguard_dns_servers: >-
|
||||||
{% if algo_dns_adblocking|default(false)|bool or dns_encryption|default(false)|bool %}
|
{% if algo_dns_adblocking | default(false) | bool or dns_encryption | default(false) | bool %}
|
||||||
{{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }}
|
{{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }}
|
||||||
{% else %}
|
{% else %}
|
||||||
{% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}
|
{% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}
|
||||||
{%- if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
|
{%- if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
wireguard_client_ip: >-
|
wireguard_client_ip: >-
|
||||||
{{ wireguard_network_ipv4 | ansible.utils.ipmath(index|int+2) }}
|
{{ wireguard_network_ipv4 | ansible.utils.ipmath(index | int+2) }}
|
||||||
{{ ',' + wireguard_network_ipv6 | ansible.utils.ipmath(index|int+2) if ipv6_support else '' }}
|
{{ ',' + wireguard_network_ipv6 | ansible.utils.ipmath(index | int+2) if ipv6_support else '' }}
|
||||||
wireguard_server_ip: >-
|
wireguard_server_ip: >-
|
||||||
{{ wireguard_network_ipv4 | ansible.utils.ipaddr('1') }}
|
{{ wireguard_network_ipv4 | ansible.utils.ipaddr('1') }}
|
||||||
{{ ',' + wireguard_network_ipv6 | ansible.utils.ipaddr('1') if ipv6_support else '' }}
|
{{ ',' + wireguard_network_ipv6 | ansible.utils.ipaddr('1') if ipv6_support else '' }}
|
||||||
|
|
|
||||||
|
|
@ -78,7 +78,7 @@
|
||||||
- name: WireGuard configured
|
- name: WireGuard configured
|
||||||
template:
|
template:
|
||||||
src: server.conf.j2
|
src: server.conf.j2
|
||||||
dest: "{{ config_prefix|default('/') }}etc/wireguard/{{ wireguard_interface }}.conf"
|
dest: "{{ config_prefix | default('/') }}etc/wireguard/{{ wireguard_interface }}.conf"
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
notify: restart wireguard
|
notify: restart wireguard
|
||||||
tags: update-users
|
tags: update-users
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
PrivateKey = {{ lookup('file', wireguard_pki_path + '/private/' + item.1) }}
|
PrivateKey = {{ lookup('file', wireguard_pki_path + '/private/' + item.1) }}
|
||||||
Address = {{ wireguard_client_ip }}
|
Address = {{ wireguard_client_ip }}
|
||||||
DNS = {{ wireguard_dns_servers }}
|
DNS = {{ wireguard_dns_servers }}
|
||||||
{% if reduce_mtu|int > 0 %}MTU = {{ 1420 - reduce_mtu|int }}
|
{% if reduce_mtu | int > 0 %}MTU = {{ 1420 - reduce_mtu | int }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
[Peer]
|
[Peer]
|
||||||
|
|
@ -10,4 +10,4 @@ PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + IP_subject_alt_n
|
||||||
PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + item.1) }}
|
PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + item.1) }}
|
||||||
AllowedIPs = 0.0.0.0/0,::/0
|
AllowedIPs = 0.0.0.0/0,::/0
|
||||||
Endpoint = {% if ':' in IP_subject_alt_name %}[{{ IP_subject_alt_name }}]:{{ wireguard_port }}{% else %}{{ IP_subject_alt_name }}:{{ wireguard_port }}{% endif %}
|
Endpoint = {% if ':' in IP_subject_alt_name %}[{{ IP_subject_alt_name }}]:{{ wireguard_port }}{% else %}{{ IP_subject_alt_name }}:{{ wireguard_port }}{% endif %}
|
||||||
{{ 'PersistentKeepalive = ' + wireguard_PersistentKeepalive|string if wireguard_PersistentKeepalive > 0 else '' }}
|
{{ 'PersistentKeepalive = ' + wireguard_PersistentKeepalive | string if wireguard_PersistentKeepalive > 0 else '' }}
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
[Interface]
|
[Interface]
|
||||||
Address = {{ wireguard_server_ip }}
|
Address = {{ wireguard_server_ip }}
|
||||||
ListenPort = {{ wireguard_port_actual if wireguard_port|int == wireguard_port_avoid|int else wireguard_port }}
|
ListenPort = {{ wireguard_port_actual if wireguard_port | int == wireguard_port_avoid | int else wireguard_port }}
|
||||||
PrivateKey = {{ lookup('file', wireguard_pki_path + '/private/' + IP_subject_alt_name) }}
|
PrivateKey = {{ lookup('file', wireguard_pki_path + '/private/' + IP_subject_alt_name) }}
|
||||||
SaveConfig = false
|
SaveConfig = false
|
||||||
|
|
||||||
|
|
@ -12,6 +12,6 @@ SaveConfig = false
|
||||||
# {{ u }}
|
# {{ u }}
|
||||||
PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + u) }}
|
PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + u) }}
|
||||||
PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + u) }}
|
PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + u) }}
|
||||||
AllowedIPs = {{ wireguard_network_ipv4 | ansible.utils.ipmath(index|int+1) | ansible.utils.ipv4('address') }}/32{{ ',' + wireguard_network_ipv6 | ansible.utils.ipmath(index|int+1) | ansible.utils.ipv6('address') + '/128' if ipv6_support else '' }}
|
AllowedIPs = {{ wireguard_network_ipv4 | ansible.utils.ipmath(index | int+1) | ansible.utils.ipv4('address') }}/32{{ ',' + wireguard_network_ipv6 | ansible.utils.ipmath(index | int+1) | ansible.utils.ipv6('address') + '/128' if ipv6_support else '' }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
|
||||||
|
|
@ -32,8 +32,8 @@
|
||||||
<key>OnDemandRules</key>
|
<key>OnDemandRules</key>
|
||||||
<array>
|
<array>
|
||||||
{% if algo_ondemand_wifi or algo_ondemand_cellular %}
|
{% if algo_ondemand_wifi or algo_ondemand_cellular %}
|
||||||
{% if algo_ondemand_wifi_exclude|b64decode != '_null' %}
|
{% if algo_ondemand_wifi_exclude | b64decode != '_null' %}
|
||||||
{% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|b64decode|string).split(',') %}
|
{% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude | b64decode | string).split(',') %}
|
||||||
<dict>
|
<dict>
|
||||||
<key>Action</key>
|
<key>Action</key>
|
||||||
<string>Disconnect</string>
|
<string>Disconnect</string>
|
||||||
|
|
@ -42,7 +42,7 @@
|
||||||
<key>SSIDMatch</key>
|
<key>SSIDMatch</key>
|
||||||
<array>
|
<array>
|
||||||
{% for network_name in WIFI_EXCLUDE_LIST %}
|
{% for network_name in WIFI_EXCLUDE_LIST %}
|
||||||
<string>{{ network_name|e }}</string>
|
<string>{{ network_name | e }}</string>
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
</array>
|
</array>
|
||||||
</dict>
|
</dict>
|
||||||
|
|
|
||||||
|
|
@ -184,7 +184,7 @@
|
||||||
content: |
|
content: |
|
||||||
server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }}
|
server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }}
|
||||||
server_user: {{ ansible_ssh_user }}
|
server_user: {{ ansible_ssh_user }}
|
||||||
ansible_ssh_port: "{{ ansible_ssh_port|default(22) }}"
|
ansible_ssh_port: "{{ ansible_ssh_port | default(22) }}"
|
||||||
{% if algo_provider != "local" %}
|
{% if algo_provider != "local" %}
|
||||||
ansible_ssh_private_key_file: {{ SSH_keys.private }}
|
ansible_ssh_private_key_file: {{ SSH_keys.private }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
@ -199,7 +199,7 @@
|
||||||
IP_subject_alt_name: {{ IP_subject_alt_name }}
|
IP_subject_alt_name: {{ IP_subject_alt_name }}
|
||||||
ipsec_enabled: {{ ipsec_enabled }}
|
ipsec_enabled: {{ ipsec_enabled }}
|
||||||
wireguard_enabled: {{ wireguard_enabled }}
|
wireguard_enabled: {{ wireguard_enabled }}
|
||||||
{% if tests|default(false)|bool %}
|
{% if tests | default(false) | bool %}
|
||||||
ca_password: '{{ CA_password }}'
|
ca_password: '{{ CA_password }}'
|
||||||
p12_password: '{{ p12_export_password }}'
|
p12_password: '{{ p12_export_password }}'
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
|
||||||
|
|
@ -76,10 +76,10 @@
|
||||||
add_host:
|
add_host:
|
||||||
name: "{{ algo_server }}"
|
name: "{{ algo_server }}"
|
||||||
groups: vpn-host
|
groups: vpn-host
|
||||||
ansible_ssh_user: "{{ server_user|default('root') }}"
|
ansible_ssh_user: "{{ server_user | default('root') }}"
|
||||||
ansible_connection: "{% if algo_server == 'localhost' %}local{% else %}ssh{% endif %}"
|
ansible_connection: "{% if algo_server == 'localhost' %}local{% else %}ssh{% endif %}"
|
||||||
ansible_python_interpreter: /usr/bin/python3
|
ansible_python_interpreter: /usr/bin/python3
|
||||||
CA_password: "{{ CA_password|default(omit) }}"
|
CA_password: "{{ CA_password | default(omit) }}"
|
||||||
rescue:
|
rescue:
|
||||||
- include_tasks: playbooks/rescue.yml
|
- include_tasks: playbooks/rescue.yml
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue