wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-07 07:33:52 +02:00
Code Issues Projects Releases Wiki Activity

Implementing blocks and additional fail hints #487 (#497)

Browse source 
change the troubleshooting url
This commit is contained in:
Jack Ivanov 2017-04-29 16:48:25 +02:00 committed by Dan Guido
parent 2f5c050fd2
commit bd348af9c2
13 changed files with 877 additions and 775 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
config.cfg
View file

@ -78,3 +78,8 @@ cloud_providers:
size: f1-micro
image: ubuntu-1604 # ubuntu-1604 / ubuntu-1704
local:
fail_hint:
- Sorry, but something went wrong!
- Please check the troubleshooting guide.
- https://trailofbits.github.io/algo/troubleshooting.html

24
deploy.yml
View file

@ -5,6 +5,7 @@
- config.cfg
pre_tasks:
- block:
- name: Local pre-tasks
include: playbooks/local.yml
tags: [ 'always' ]
@ -14,6 +15,11 @@
become: false
when: Deployed_By_Algo is defined and Deployed_By_Algo == "Y"
tags: [ 'local' ]
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
roles:
- { role: cloud-digitalocean, tags: ['digitalocean'] }
@ -23,10 +29,16 @@
- { role: local, tags: ['local'] }
post_tasks:
- block:
- name: Local post-tasks
include: playbooks/post.yml
become: false
tags: [ 'cloud' ]
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- name: Configure the server and install required software
hosts: vpn-host
@ -37,9 +49,15 @@
- config.cfg
pre_tasks:
- block:
- name: Common pre-tasks
include: playbooks/common.yml
tags: [ 'digitalocean', 'ec2', 'gce', 'azure', 'local', 'pre' ]
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
roles:
- { role: security, tags: [ 'security' ] }
@ -48,6 +66,7 @@
- { role: vpn, tags: [ 'vpn' ] }
post_tasks:
- block:
- debug:
msg:
- "{{ congrats.common.split('\n') }}"
@ -70,3 +89,8 @@
become: no
tags: always
when: Store_CAKEY is defined and Store_CAKEY == "N"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

31
roles/cloud-azure/tasks/main.yml
View file

@ -1,13 +1,13 @@
---
- set_fact:
- block:
- set_fact:
resource_group: "Algo_{{ region }}"
secret: "{{ azure_secret | default(lookup('env','AZURE_SECRET'), true) }}"
tenant: "{{ azure_tenant | default(lookup('env','AZURE_TENANT'), true) }}"
client_id: "{{ azure_client_id | default(lookup('env','AZURE_CLIENT_ID'), true) }}"
subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_SUBSCRIPTION_ID'), true) }}"
- name: Create a resource group
- name: Create a resource group
azure_rm_resourcegroup:
secret: "{{ secret }}"
tenant: "{{ tenant }}"
@ -18,7 +18,7 @@
tags:
Environment: Algo
- name: Create a virtual network
- name: Create a virtual network
azure_rm_virtualnetwork:
secret: "{{ secret }}"
tenant: "{{ tenant }}"
@ -30,7 +30,7 @@
tags:
Environment: Algo
- name: Create a security group
- name: Create a security group
azure_rm_securitygroup:
secret: "{{ secret }}"
tenant: "{{ tenant }}"
@ -59,7 +59,7 @@
priority: 120
direction: Inbound
- name: Create a subnet
- name: Create a subnet
azure_rm_subnet:
secret: "{{ secret }}"
tenant: "{{ tenant }}"
@ -73,7 +73,7 @@
tags:
Environment: Algo
- name: Create an instance
- name: Create an instance
azure_rm_virtualmachine:
secret: "{{ secret }}"
tenant: "{{ tenant }}"
@ -94,11 +94,11 @@
# To-do: Add error handling - if vm_size requested is not available, can we fall back to another, ideally with a prompt?
- set_fact:
- set_fact:
ip_address: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].properties.ipConfigurations[0].properties.publicIPAddress.properties.ipAddress }}"
networkinterface_name: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].name }}"
- name: Ensure the network interface includes all required parameters
- name: Ensure the network interface includes all required parameters
azure_rm_networkinterface:
secret: "{{ secret }}"
tenant: "{{ tenant }}"
@ -110,7 +110,7 @@
subnet_name: algo_subnet
security_group_name: AlgoSecGroup
- name: Add the instance to an inventory group
- name: Add the instance to an inventory group
add_host:
name: "{{ ip_address }}"
groups: vpn-host
@ -120,19 +120,24 @@
cloud_provider: azure
ipv6_support: no
- set_fact:
- set_fact:
cloud_instance_ip: "{{ ip_address }}"
- name: Ensure the group azure exists in the dynamic inventory file
- name: Ensure the group azure exists in the dynamic inventory file
lineinfile:
state: present
dest: configs/inventory.dynamic
line: '[azure]'
- name: Populate the dynamic inventory
- name: Populate the dynamic inventory
lineinfile:
state: present
dest: configs/inventory.dynamic
insertafter: '\[azure\]'
regexp: "^{{ cloud_instance_ip }}.*"
line: "{{ cloud_instance_ip }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

26
roles/cloud-digitalocean/tasks/main.yml
View file

@ -1,9 +1,10 @@
- name: Set the DigitalOcean Access Token fact
- block:
- name: Set the DigitalOcean Access Token fact
set_fact:
do_token: "{{ do_access_token | default(lookup('env','DO_API_TOKEN'), true) }}"
public_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
- block:
- block:
- name: "Delete the existing Algo SSH keys"
digital_ocean:
state: absent
@ -30,7 +31,7 @@
- fail:
msg: "Please, ensure that your API token is not read-only."
- name: "Upload the SSH key"
- name: "Upload the SSH key"
digital_ocean:
state: present
command: ssh
@ -39,7 +40,7 @@
name: "{{ SSH_keys.comment }}"
register: do_ssh_key
- name: "Creating a droplet..."
- name: "Creating a droplet..."
digital_ocean:
state: present
command: droplet
@ -53,7 +54,7 @@
ipv6: yes
register: do
- name: Add the droplet to an inventory group
- name: Add the droplet to an inventory group
add_host:
name: "{{ do.droplet.ip_address }}"
groups: vpn-host
@ -65,17 +66,17 @@
cloud_provider: digitalocean
ipv6_support: true
- set_fact:
- set_fact:
cloud_instance_ip: "{{ do.droplet.ip_address }}"
- name: Tag the droplet
- name: Tag the droplet
digital_ocean_tag:
name: "Environment:Algo"
resource_id: "{{ do.droplet.id }}"
api_token: "{{ do_token }}"
state: present
- name: Get droplets
- name: Get droplets
uri:
url: "https://api.digitalocean.com/v2/droplets?tag_name=Environment:Algo"
method: GET
@ -85,13 +86,13 @@
Authorization: "Bearer {{ do_token }}"
register: do_droplets
- name: Ensure the group digitalocean exists in the dynamic inventory file
- name: Ensure the group digitalocean exists in the dynamic inventory file
lineinfile:
state: present
dest: configs/inventory.dynamic
line: '[digitalocean]'
- name: Populate the dynamic inventory
- name: Populate the dynamic inventory
lineinfile:
state: present
dest: configs/inventory.dynamic
@ -100,3 +101,8 @@
line: "{{ item.networks.v4[0].ip_address }}"
with_items:
- "{{ do_droplets.json.droplets }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

26
roles/cloud-ec2/tasks/main.yml
View file

@ -1,9 +1,10 @@
- set_fact:
- block:
- set_fact:
access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}"
secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true) }}"
stack_name: "{{ aws_server_name | replace('.', '-') }}"
- name: Locate official AMI for region
- name: Locate official AMI for region
ec2_ami_find:
aws_access_key: "{{ access_key }}"
aws_secret_key: "{{ secret_key }}"
@ -15,15 +16,15 @@
region: "{{ region }}"
register: ami_search
- set_fact:
- set_fact:
ami_image: "{{ ami_search.results[0].ami_id }}"
- include: encrypt_image.yml
- include: encrypt_image.yml
tags: [encrypted]
- include: cloudformation.yml
- include: cloudformation.yml
- name: Add new instance to host group
- name: Add new instance to host group
add_host:
hostname: "{{ stack.stack_outputs.PublicIP }}"
groupname: vpn-host
@ -33,10 +34,10 @@
cloud_provider: ec2
ipv6_support: yes
- set_fact:
- set_fact:
cloud_instance_ip: "{{ stack.stack_outputs.PublicIP }}"
- name: Get EC2 instances
- name: Get EC2 instances
ec2_remote_facts:
aws_access_key: "{{ access_key }}"
aws_secret_key: "{{ secret_key }}"
@ -46,13 +47,13 @@
"tag:Environment": Algo
register: algo_instances
- name: Ensure the group ec2 exists in the dynamic inventory file
- name: Ensure the group ec2 exists in the dynamic inventory file
lineinfile:
state: present
dest: configs/inventory.dynamic
line: '[ec2]'
- name: Populate the dynamic inventory
- name: Populate the dynamic inventory
lineinfile:
state: present
dest: configs/inventory.dynamic
@ -61,3 +62,8 @@
line: "{{ item.public_ip_address }}"
with_items:
- "{{ algo_instances.instances }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

24
roles/cloud-gce/tasks/main.yml
View file

@ -1,15 +1,16 @@
- set_fact:
- block:
- set_fact:
credentials_file_path: "{{ credentials_file | default(lookup('env','GCE_CREDENTIALS_FILE_PATH'), true) }}"
ssh_public_key_lookup: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
- set_fact:
- set_fact:
credentials_file_lookup: "{{ lookup('file', '{{ credentials_file_path }}') }}"
- set_fact:
- set_fact:
service_account_email: "{{ credentials_file_lookup.client_email | default(lookup('env','GCE_EMAIL')) }}"
project_id: "{{ credentials_file_lookup.project_id | default(lookup('env','GCE_PROJECT')) }}"
- name: "Creating a new instance..."
- name: "Creating a new instance..."
gce:
instance_names: "{{ server_name }}"
zone: "{{ zone }}"
@ -24,7 +25,7 @@
- "environment-algo"
register: google_vm
- name: Add the instance to an inventory group
- name: Add the instance to an inventory group
add_host:
name: "{{ google_vm.instance_data[0].public_ip }}"
groups: vpn-host
@ -34,7 +35,7 @@
cloud_provider: gce
ipv6_support: no
- name: Firewall configured
- name: Firewall configured
local_action:
module: gce_net
name: "{{ google_vm.instance_data[0].network }}"
@ -46,19 +47,24 @@
credentials_file: "{{ credentials_file }}"
project_id: "{{ credentials_file_lookup.project_id }}"
- set_fact:
- set_fact:
cloud_instance_ip: "{{ google_vm.instance_data[0].public_ip }}"
- name: Ensure the group gce exists in the dynamic inventory file
- name: Ensure the group gce exists in the dynamic inventory file
lineinfile:
state: present
dest: configs/inventory.dynamic
line: '[gce]'
- name: Populate the dynamic inventory
- name: Populate the dynamic inventory
lineinfile:
state: present
dest: configs/inventory.dynamic
insertafter: '\[gce\]'
regexp: "^{{ google_vm.instance_data[0].public_ip }}.*"
line: "{{ google_vm.instance_data[0].public_ip }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

22
roles/common/tasks/main.yml
View file

@ -1,28 +1,28 @@
---
- name: Gather Facts
setup:
tags:
- always
- include: ubuntu.yml
- block:
- include: ubuntu.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- include: freebsd.yml
- include: freebsd.yml
when: ansible_distribution == 'FreeBSD'
- name: Install tools
- name: Install tools
package: name="{{ item }}" state=present
with_items:
- "{{ tools|default([]) }}"
tags:
- always
- name: Sysctl tuning
- name: Sysctl tuning
sysctl: name="{{ item.item }}" value="{{ item.value }}"
with_items:
- "{{ sysctl|default([]) }}"
tags:
- always
- meta: flush_handlers
- meta: flush_handlers
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

29
roles/dns_adblocking/tasks/main.yml
View file

@ -1,29 +1,29 @@
---
- name: Dnsmasq installed
- block:
- name: Dnsmasq installed
package: name=dnsmasq
- name: Ensure that the dnsmasq user exist
- name: Ensure that the dnsmasq user exist
user: name=dnsmasq groups=nogroup append=yes state=present
- name: The dnsmasq directory created
- name: The dnsmasq directory created
file: dest=/var/lib/dnsmasq state=directory mode=0755 owner=dnsmasq group=nogroup
- include: ubuntu.yml
- include: ubuntu.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- include: freebsd.yml
- include: freebsd.yml
when: ansible_distribution == 'FreeBSD'
- name: Dnsmasq configured
- name: Dnsmasq configured
template: src=dnsmasq.conf.j2 dest="{{ config_prefix|default('/') }}etc/dnsmasq.conf"
notify:
- restart dnsmasq
- name: Adblock script created
- name: Adblock script created
template: src=adblock.sh dest=/usr/local/sbin/adblock.sh owner=root group="{{ root_group|default('root') }}" mode=0755
- name: Adblock script added to cron
- name: Adblock script added to cron
cron:
name: Adblock hosts update
minute: 10
@ -31,11 +31,16 @@
job: /usr/local/sbin/adblock.sh
user: dnsmasq
- name: Update adblock hosts
- name: Update adblock hosts
shell: >
sudo -u dnsmasq "/usr/local/sbin/adblock.sh"
- meta: flush_handlers
- meta: flush_handlers
- name: Dnsmasq enabled and started
- name: Dnsmasq enabled and started
service: name=dnsmasq state=started enabled=yes
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

17
roles/local/tasks/main.yml
View file

@ -1,4 +1,6 @@
- name: Add the instance to an inventory group
---
- block:
- name: Add the instance to an inventory group
add_host:
name: "{{ server_ip }}"
groups: vpn-host
@ -7,7 +9,7 @@
cloud_provider: local
when: server_ip != "localhost"
- name: Add the instance to an inventory group
- name: Add the instance to an inventory group
add_host:
name: "{{ server_ip }}"
groups: vpn-host
@ -17,19 +19,24 @@
cloud_provider: local
when: server_ip == "localhost"
- set_fact:
- set_fact:
cloud_instance_ip: "{{ server_ip }}"
- name: Ensure the group local exists in the dynamic inventory file
- name: Ensure the group local exists in the dynamic inventory file
lineinfile:
state: present
dest: configs/inventory.dynamic
line: '[local]'
- name: Populate the dynamic inventory
- name: Populate the dynamic inventory
lineinfile:
state: present
dest: configs/inventory.dynamic
insertafter: '\[local\]'
regexp: "^{{ server_ip }}.*"
line: "{{ server_ip }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

45
roles/security/tasks/main.yml
View file

@ -1,17 +1,17 @@
---
- name: Install tools
- block:
- name: Install tools
apt: name="{{ item }}" state=latest
with_items:
- unattended-upgrades
- name: Configure unattended-upgrades
- name: Configure unattended-upgrades
template: src=50unattended-upgrades.j2 dest=/etc/apt/apt.conf.d/50unattended-upgrades owner=root group=root mode=0644
- name: Periodic upgrades configured
- name: Periodic upgrades configured
template: src=10periodic.j2 dest=/etc/apt/apt.conf.d/10periodic owner=root group=root mode=0644
- name: Find directories for minimizing access
- name: Find directories for minimizing access
stat:
path: "{{ item }}"
register: minimize_access_directories
@ -23,36 +23,36 @@
- '/sbin'
- '/bin'
- name: Minimize access
- name: Minimize access
file: path='{{ item.stat.path }}' mode='go-w' recurse=yes
when: item.stat.isdir
with_items: "{{ minimize_access_directories.results }}"
no_log: True
- name: Change shadow ownership to root and mode to 0600
- name: Change shadow ownership to root and mode to 0600
file: dest='/etc/shadow' owner=root group=root mode=0600
- name: change su-binary to only be accessible to user and group root
- name: change su-binary to only be accessible to user and group root
file: dest='/bin/su' owner=root group=root mode=0750
- name: Collect Use of privileged commands
- name: Collect Use of privileged commands
shell: >
/usr/bin/find {/usr/local/sbin,/usr/local/bin,/sbin,/bin,/usr/sbin,/usr/bin} -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }'
args:
executable: /bin/bash
register: privileged_programs
# Core dumps
# Core dumps
- name: Restrict core dumps (with PAM)
- name: Restrict core dumps (with PAM)
lineinfile: dest=/etc/security/limits.conf line="* hard core 0" state=present
- name: Restrict core dumps (with sysctl)
- name: Restrict core dumps (with sysctl)
sysctl: name=fs.suid_dumpable value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present
# Kernel fixes
# Kernel fixes
- name: Disable Source Routed Packet Acceptance
- name: Disable Source Routed Packet Acceptance
sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present
with_items:
- net.ipv4.conf.all.accept_source_route
@ -60,13 +60,13 @@
notify:
- flush routing cache
- name: Disable ICMP Redirect Acceptance
- name: Disable ICMP Redirect Acceptance
sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present
with_items:
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- name: Disable Secure ICMP Redirect Acceptance
- name: Disable Secure ICMP Redirect Acceptance
sysctl: name="{{item}}" value=0 ignoreerrors=yes sysctl_set=yes reload=yes state=present
with_items:
- net.ipv4.conf.all.secure_redirects
@ -74,12 +74,12 @@
notify:
- flush routing cache
- name: Enable Bad Error Message Protection
- name: Enable Bad Error Message Protection
sysctl: name=net.ipv4.icmp_ignore_bogus_error_responses value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present
notify:
- flush routing cache
- name: Enable RFC-recommended Source Route Validation
- name: Enable RFC-recommended Source Route Validation
sysctl: name="{{item}}" value=1 ignoreerrors=yes sysctl_set=yes reload=yes state=present
with_items:
- net.ipv4.conf.all.rp_filter
@ -87,10 +87,15 @@
notify:
- flush routing cache
- name: Do not send ICMP redirects (we are not a router)
- name: Do not send ICMP redirects (we are not a router)
sysctl: name=net.ipv4.conf.all.send_redirects value=0
- name: SSH config
- name: SSH config
template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
notify:
- restart ssh
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

27
roles/ssh_tunneling/tasks/main.yml
View file

@ -1,6 +1,6 @@
---
- name: Ensure that the sshd_config file has desired options
- block:
- name: Ensure that the sshd_config file has desired options
blockinfile:
dest: /etc/ssh/sshd_config
marker: '# {mark} ANSIBLE MANAGED BLOCK ssh_tunneling_role'
@ -14,13 +14,13 @@
notify:
- restart ssh
- name: Ensure that the algo group exist
- name: Ensure that the algo group exist
group: name=algo state=present
- name: Ensure that the jail directory exist
- name: Ensure that the jail directory exist
file: path=/var/jail/ state=directory mode=0755 owner=root group="{{ root_group|default('root') }}"
- name: Ensure that the SSH users exist
- name: Ensure that the SSH users exist
user:
name: "{{ item }}"
groups: algo
@ -36,7 +36,7 @@
append: yes
with_items: "{{ users }}"
- name: The authorized keys file created
- name: The authorized keys file created
file:
src: '/var/jail/{{ item }}/.ssh/id_ecdsa.pub'
dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
@ -45,28 +45,28 @@
state: link
with_items: "{{ users }}"
- name: Generate SSH fingerprints
- name: Generate SSH fingerprints
shell: >
ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
register: ssh_fingerprints
- name: Fetch users SSH private keys
- name: Fetch users SSH private keys
fetch: src='/var/jail/{{ item }}/.ssh/id_ecdsa' dest=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem flat=yes
with_items: "{{ users }}"
- name: Change mode for SSH private keys
- name: Change mode for SSH private keys
local_action: file path=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem mode=0600
with_items: "{{ users }}"
become: false
- name: Fetch the known_hosts file
- name: Fetch the known_hosts file
local_action:
module: template
src: known_hosts.j2
dest: configs/{{ IP_subject_alt_name }}/known_hosts
become: no
- name: Build the client ssh config
- name: Build the client ssh config
local_action:
module: template
src: ssh_config.j2
@ -75,3 +75,8 @@
become: no
with_items:
- "{{ users }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

31
roles/vpn/tasks/main.yml
View file

@ -1,31 +1,36 @@
---
- name: Ensure that the strongswan group exist
- block:
- name: Ensure that the strongswan group exist
group: name=strongswan state=present
- name: Ensure that the strongswan user exist
- name: Ensure that the strongswan user exist
user: name=strongswan group=strongswan state=present
- include: ubuntu.yml
- include: ubuntu.yml
when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- include: freebsd.yml
- include: freebsd.yml
when: ansible_distribution == 'FreeBSD'
- name: Install strongSwan
- name: Install strongSwan
package: name=strongswan state=present
- name: Get StrongSwan versions
- name: Get StrongSwan versions
shell: >
ipsec --versioncode | grep -oE "^U([0-9]*|\.)*" | sed "s/^U\|\.//g"
register: strongswan_version
- include: ipec_configuration.yml
- include: openssl.yml
- include: distribute_keys.yml
- include: client_configs.yml
- include: ipec_configuration.yml
- include: openssl.yml
- include: distribute_keys.yml
- include: client_configs.yml
- meta: flush_handlers
- meta: flush_handlers
- name: strongSwan started
- name: strongSwan started
service: name=strongswan state=started
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always

25
users.yml
View file

@ -6,6 +6,7 @@
- config.cfg
tasks:
- block:
- name: Add the server to the vpn-host group
add_host:
hostname: "{{ server_ip }}"
@ -27,6 +28,11 @@
timeout: 320
state: present
become: false
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
- name: User management
hosts: vpn-host
@ -37,14 +43,20 @@
- roles/vpn/defaults/main.yml
pre_tasks:
- block:
- name: Common pre-tasks
include: playbooks/common.yml
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
roles:
- { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
tasks:
- block:
- name: Gather Facts
setup:
@ -195,13 +207,24 @@
force: yes
when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
with_items: "{{ valid_users.stdout_lines | default('null') }}"
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
post_tasks:
- block:
- debug:
msg:
- "{{ congrats.common.split('\n') }}"
- " {{ congrats.p12_pass }}"
tags: always
rescue:
- debug: var=fail_hint
tags: always
- fail:
tags: always
handlers:
- name: rereadcrls