Implementing blocks and additional fail hints #487 (#497)

change the troubleshooting url
Jack Ivanov 2017-04-29 16:48:25 +02:00 committed by Dan Guido
parent 2f5c050fd2
commit bd348af9c2
13 changed files with 877 additions and 775 deletions


@ -78,3 +78,8 @@ cloud_providers:
size: f1-micro size: f1-micro
image: ubuntu-1604 # ubuntu-1604 / ubuntu-1704 image: ubuntu-1604 # ubuntu-1604 / ubuntu-1704
local: local:
fail_hint:
- Sorry, but something went wrong!
- Please check the troubleshooting guide.
- https://trailofbits.github.io/algo/troubleshooting.html


@ -5,6 +5,7 @@
- config.cfg - config.cfg
pre_tasks: pre_tasks:
- block:
- name: Local pre-tasks - name: Local pre-tasks
include: playbooks/local.yml include: playbooks/local.yml
tags: [ 'always' ] tags: [ 'always' ]
@ -14,6 +15,11 @@
become: false become: false
when: Deployed_By_Algo is defined and Deployed_By_Algo == "Y" when: Deployed_By_Algo is defined and Deployed_By_Algo == "Y"
tags: [ 'local' ] tags: [ 'local' ]
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
roles: roles:
- { role: cloud-digitalocean, tags: ['digitalocean'] } - { role: cloud-digitalocean, tags: ['digitalocean'] }
@ -23,10 +29,16 @@
- { role: local, tags: ['local'] } - { role: local, tags: ['local'] }
post_tasks: post_tasks:
- block:
- name: Local post-tasks - name: Local post-tasks
include: playbooks/post.yml include: playbooks/post.yml
become: false become: false
tags: [ 'cloud' ] tags: [ 'cloud' ]
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- name: Configure the server and install required software - name: Configure the server and install required software
hosts: vpn-host hosts: vpn-host
@ -37,9 +49,15 @@
- config.cfg - config.cfg
pre_tasks: pre_tasks:
- block:
- name: Common pre-tasks - name: Common pre-tasks
include: playbooks/common.yml include: playbooks/common.yml
tags: [ 'digitalocean', 'ec2', 'gce', 'azure', 'local', 'pre' ] tags: [ 'digitalocean', 'ec2', 'gce', 'azure', 'local', 'pre' ]
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
roles: roles:
- { role: security, tags: [ 'security' ] } - { role: security, tags: [ 'security' ] }
@ -48,6 +66,7 @@
- { role: vpn, tags: [ 'vpn' ] } - { role: vpn, tags: [ 'vpn' ] }
post_tasks: post_tasks:
- block:
- debug: - debug:
msg: msg:
- "{{ congrats.common.split('\n') }}" - "{{ congrats.common.split('\n') }}"
@ -70,3 +89,8 @@
become: no become: no
tags: always tags: always
when: Store_CAKEY is defined and Store_CAKEY == "N" when: Store_CAKEY is defined and Store_CAKEY == "N"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
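Review bot: The five-line `rescue:` stanza is repeated verbatim after each of the four blocks in this playbook and, counting the other files shown on this page, eighteen times in the commit, so any later change to the failure handling has to be made in every copy. Keeping the two tasks in one task file and pulling it in under each `rescue:` with `- include: <shared-rescue-tasks>.yml` (placeholder path, with `tags: always` kept on the include) would leave a single copy. Whether an include is accepted inside `rescue` should be checked against the Ansible version the project targets. The hunks show only the edges of each block, so this concerns the added stanza and not the wrapped tasks.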


@ -1,5 +1,5 @@
--- ---
- block:
- set_fact: - set_fact:
resource_group: "Algo_{{ region }}" resource_group: "Algo_{{ region }}"
secret: "{{ azure_secret | default(lookup('env','AZURE_SECRET'), true) }}" secret: "{{ azure_secret | default(lookup('env','AZURE_SECRET'), true) }}"
@ -136,3 +136,8 @@
insertafter: '\[azure\]' insertafter: '\[azure\]'
regexp: "^{{ cloud_instance_ip }}.*" regexp: "^{{ cloud_instance_ip }}.*"
line: "{{ cloud_instance_ip }}" line: "{{ cloud_instance_ip }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
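Review bot: Tasks in this block receive the Azure `secret` set by the opening `set_fact`, and a failing task's result is printed before the rescue shows `fail_hint`, which then points the user at a public troubleshooting page. The tasks between the two hunks are not visible here, so it is worth confirming that any task taking `secret` as an argument carries `no_log: true`, or that the hint list gains a line such as `- Remove keys and tokens from any output you share.` The same applies to the DigitalOcean (`do_token`), EC2 (`access_key` / `secret_key`) and GCE (`credentials_file_path`) blocks in the sections that follow.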


@ -1,3 +1,4 @@
- block:
- name: Set the DigitalOcean Access Token fact - name: Set the DigitalOcean Access Token fact
set_fact: set_fact:
do_token: "{{ do_access_token | default(lookup('env','DO_API_TOKEN'), true) }}" do_token: "{{ do_access_token | default(lookup('env','DO_API_TOKEN'), true) }}"
@ -100,3 +101,8 @@
line: "{{ item.networks.v4[0].ip_address }}" line: "{{ item.networks.v4[0].ip_address }}"
with_items: with_items:
- "{{ do_droplets.json.droplets }}" - "{{ do_droplets.json.droplets }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,3 +1,4 @@
- block:
- set_fact: - set_fact:
access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}" access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}"
secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true) }}" secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true) }}"
@ -61,3 +62,8 @@
line: "{{ item.public_ip_address }}" line: "{{ item.public_ip_address }}"
with_items: with_items:
- "{{ algo_instances.instances }}" - "{{ algo_instances.instances }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,3 +1,4 @@
- block:
- set_fact: - set_fact:
credentials_file_path: "{{ credentials_file | default(lookup('env','GCE_CREDENTIALS_FILE_PATH'), true) }}" credentials_file_path: "{{ credentials_file | default(lookup('env','GCE_CREDENTIALS_FILE_PATH'), true) }}"
ssh_public_key_lookup: "{{ lookup('file', '{{ SSH_keys.public }}') }}" ssh_public_key_lookup: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
@ -62,3 +63,8 @@
insertafter: '\[gce\]' insertafter: '\[gce\]'
regexp: "^{{ google_vm.instance_data[0].public_ip }}.*" regexp: "^{{ google_vm.instance_data[0].public_ip }}.*"
line: "{{ google_vm.instance_data[0].public_ip }}" line: "{{ google_vm.instance_data[0].public_ip }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,10 +1,5 @@
--- ---
- block:
- name: Gather Facts
setup:
tags:
- always
- include: ubuntu.yml - include: ubuntu.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
@ -26,3 +21,8 @@
- always - always
- meta: flush_handlers - meta: flush_handlers
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
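Review bot: The `when: ansible_distribution == ...` condition on the include now depends on facts gathered somewhere outside this file, because the explicit `Gather Facts` / `setup:` task appears to be dropped from the top (the header counts -1,10 +1,5 leave room for only one added line, `- block:`). Nothing in the hunk shows where facts are collected instead; if a play runs this role without them, the undefined-variable error will be followed only by the generic hint. A comment at the top of the block would record the dependency, e.g. `# Facts must already be gathered by the play; the includes below test ansible_distribution`. The block body continues between the two hunks.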


@ -1,5 +1,5 @@
--- ---
- block:
- name: Dnsmasq installed - name: Dnsmasq installed
package: name=dnsmasq package: name=dnsmasq
@ -39,3 +39,8 @@
- name: Dnsmasq enabled and started - name: Dnsmasq enabled and started
service: name=dnsmasq state=started enabled=yes service: name=dnsmasq state=started enabled=yes
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,3 +1,5 @@
---
- block:
- name: Add the instance to an inventory group - name: Add the instance to an inventory group
add_host: add_host:
name: "{{ server_ip }}" name: "{{ server_ip }}"
@ -33,3 +35,8 @@
insertafter: '\[local\]' insertafter: '\[local\]'
regexp: "^{{ server_ip }}.*" regexp: "^{{ server_ip }}.*"
line: "{{ server_ip }}" line: "{{ server_ip }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,5 +1,5 @@
--- ---
- block:
- name: Install tools - name: Install tools
apt: name="{{ item }}" state=latest apt: name="{{ item }}" state=latest
with_items: with_items:
@ -94,3 +94,8 @@
template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
notify: notify:
- restart ssh - restart ssh
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
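Review bot: A failure inside this block ends the hardening role part-way, yet the final `fail:` carries no message, so the run closes with the generic hint and nothing tells the operator that the host may be only partly hardened. A role-specific message on that task would make the state explicit, for example `- fail: msg="Security hardening did not complete; treat this server as unconfigured"`, with the existing `tags: always` kept. Most of the block's tasks lie between the two hunks and are not visible here, so which steps can be left half-applied is inferred from the first and last tasks shown. The other role files in this commit end with the same bare `fail:`.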


@ -1,5 +1,5 @@
--- ---
- block:
- name: Ensure that the sshd_config file has desired options - name: Ensure that the sshd_config file has desired options
blockinfile: blockinfile:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
@ -75,3 +75,8 @@
become: no become: no
with_items: with_items:
- "{{ users }}" - "{{ users }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -1,5 +1,5 @@
--- ---
- block:
- name: Ensure that the strongswan group exist - name: Ensure that the strongswan group exist
group: name=strongswan state=present group: name=strongswan state=present
@ -29,3 +29,8 @@
- name: strongSwan started - name: strongSwan started
service: name=strongswan state=started service: name=strongswan state=started
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always


@ -6,6 +6,7 @@
- config.cfg - config.cfg
tasks: tasks:
- block:
- name: Add the server to the vpn-host group - name: Add the server to the vpn-host group
add_host: add_host:
hostname: "{{ server_ip }}" hostname: "{{ server_ip }}"
@ -27,6 +28,11 @@
timeout: 320 timeout: 320
state: present state: present
become: false become: false
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- name: User management - name: User management
hosts: vpn-host hosts: vpn-host
@ -37,14 +43,20 @@
- roles/vpn/defaults/main.yml - roles/vpn/defaults/main.yml
pre_tasks: pre_tasks:
- block:
- name: Common pre-tasks - name: Common pre-tasks
include: playbooks/common.yml include: playbooks/common.yml
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
roles: roles:
- { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
tasks: tasks:
- block:
- name: Gather Facts - name: Gather Facts
setup: setup:
@ -195,13 +207,24 @@
force: yes force: yes
when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
with_items: "{{ valid_users.stdout_lines | default('null') }}" with_items: "{{ valid_users.stdout_lines | default('null') }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
post_tasks: post_tasks:
- block:
- debug: - debug:
msg: msg:
- "{{ congrats.common.split('\n') }}" - "{{ congrats.common.split('\n') }}"
- " {{ congrats.p12_pass }}" - " {{ congrats.p12_pass }}"
tags: always tags: always
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
handlers: handlers:
- name: rereadcrls - name: rereadcrls