mirror of
https://github.com/trailofbits/algo.git
synced 2025-06-06 15:13:56 +02:00
chore: more fix ansible-lint 6.17.2
This commit is contained in:
parent
0fa40513cd
commit
d9fe5e8561
22 changed files with 134 additions and 97 deletions
@ -7,7 +7,7 @@
tasks:
|
tasks:
|
||||||
- name: Add the droplet to an inventory group
|
- name: Add the droplet to an inventory group
|
||||||
add_host:
|
ansible.builtin.add_host:
|
||||||
name: "{{ client_ip }}"
|
name: "{{ client_ip }}"
|
||||||
groups: client-host
|
groups: client-host
|
||||||
ansible_ssh_user: "{{ 'root' if client_ip == 'localhost' else ssh_user }}"
|
ansible_ssh_user: "{{ 'root' if client_ip == 'localhost' else ssh_user }}"
|
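Review bot: `ansible_ssh_user` on the add_host entry is the legacy spelling of the connection user; `ansible_user` has been the documented name since Ansible 2.0 and a lint-driven commit is the natural place to modernize it: `ansible_user: "{{ 'root' if client_ip == 'localhost' else ssh_user }}"`. The enclosing play starts outside the hunk, so whether anything else reads `ansible_ssh_user` from this inventory entry cannot be seen here; grep for the old name before renaming.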
@ -141,4 +141,4 @@
{%- elif _store_pki.user_input is defined %}{{ booleans_map[_store_pki.user_input] | default(defaults['store_pki']) }}
|
{%- elif _store_pki.user_input is defined %}{{ booleans_map[_store_pki.user_input] | default(defaults['store_pki']) }}
|
||||||
{%- else %}false{% endif %}{% endif %}
|
{%- else %}false{% endif %}{% endif %}
|
||||||
rescue:
|
rescue:
|
||||||
- ansible.builtin.include_tasks: playbooks/rescue.yml
|
- ansible.builtin.include_tasks: tasks/rescue.yml
|
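Review bot: The rescue include path changes from `playbooks/rescue.yml` to `tasks/rescue.yml`, which is a behavioural change rather than a lint fix and is not mentioned in the commit title. If the file does not exist at the new location, the include fails inside `rescue:` and the error that triggered the rescue is replaced by a file-not-found message, so confirm the file was moved in this commit (no rename is visible on this page) or keep the old path. The enclosing block starts outside the hunk.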
3
main.yml
3
main.yml
@ -1,5 +1,6 @@
---
|
---
|
||||||
- hosts: localhost
|
- name: Main playbook
|
||||||
|
hosts: localhost
|
||||||
become: false
|
become: false
|
||||||
tasks:
|
tasks:
|
||||||
- name: Playbook dir stat
|
- name: Playbook dir stat
|
||||||
|
|
|
@ -1,3 +1,5 @@
---
|
---
|
||||||
- name: restart strongswan
|
- name: Restart strongswan
|
||||||
service: name={{ strongswan_service }} state=restarted
|
ansible.builtin.service:
|
||||||
|
name: "{{ strongswan_service }}"
|
||||||
|
state: restarted
|
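Review bot: Renaming the handler from `restart strongswan` to `Restart strongswan` breaks every `notify:` that still uses the old name, because handler names are case-sensitive and Ansible only reports the unknown handler at runtime, when a notifying task actually changes something. The client tasks on this page are updated, but any notifier outside this commit is not, so add `listen: restart strongswan` under the handler so both spellings keep working, or grep the repository for the lowercase string before merging.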
@ -1,11 +1,13 @@
---
|
---
|
||||||
- name: Gather Facts
|
- name: Gather Facts
|
||||||
setup:
|
ansible.builtin.setup:
|
||||||
- name: Include system based facts and tasks
|
- name: Include system based facts and tasks
|
||||||
import_tasks: systems/main.yml
|
ansible.builtin.import_tasks: systems/main.yml
|
||||||
|
|
||||||
- name: Install prerequisites
|
- name: Install prerequisites
|
||||||
package: name="{{ item }}" state=present
|
ansible.builtin.package:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: present
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ prerequisites }}"
|
- "{{ prerequisites }}"
|
||||||
register: result
|
register: result
|
@ -14,34 +16,36 @@
delay: 3
|
delay: 3
|
||||||
|
|
||||||
- name: Install strongSwan
|
- name: Install strongSwan
|
||||||
package: name=strongswan state=present
|
ansible.builtin.package:
|
||||||
|
name: strongswan
|
||||||
|
state: present
|
||||||
register: result
|
register: result
|
||||||
until: result is succeeded
|
until: result is succeeded
|
||||||
retries: 10
|
retries: 10
|
||||||
delay: 3
|
delay: 3
|
||||||
|
|
||||||
- name: Setup the ipsec config
|
- name: Setup the ipsec config
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: roles/strongswan/templates/client_ipsec.conf.j2
|
src: roles/strongswan/templates/client_ipsec.conf.j2
|
||||||
dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.conf"
|
dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.conf"
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ vpn_user }}"
|
- "{{ vpn_user }}"
|
||||||
notify:
|
notify:
|
||||||
- restart strongswan
|
- Restart strongswan
|
||||||
|
|
||||||
- name: Setup the ipsec secrets
|
- name: Setup the ipsec secrets
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: roles/strongswan/templates/client_ipsec.secrets.j2
|
src: roles/strongswan/templates/client_ipsec.secrets.j2
|
||||||
dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.secrets"
|
dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.secrets"
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ vpn_user }}"
|
- "{{ vpn_user }}"
|
||||||
notify:
|
notify:
|
||||||
- restart strongswan
|
- Restart strongswan
|
||||||
|
|
||||||
- name: Include additional ipsec config
|
- name: Include additional ipsec config
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: "{{ item.dest }}"
|
dest: "{{ item.dest }}"
|
||||||
line: "{{ item.line }}"
|
line: "{{ item.line }}"
|
||||||
create: true
|
create: true
|
@ -51,26 +55,30 @@
- dest: "{{ configs_prefix }}/ipsec.secrets"
|
- dest: "{{ configs_prefix }}/ipsec.secrets"
|
||||||
line: include ipsec.{{ IP_subject_alt_name }}.secrets
|
line: include ipsec.{{ IP_subject_alt_name }}.secrets
|
||||||
notify:
|
notify:
|
||||||
- restart strongswan
|
- Restart strongswan
|
||||||
|
|
||||||
- name: Configure libstrongswan to relax CA constraints
|
- name: Configure libstrongswan to relax CA constraints
|
||||||
copy:
|
ansible.builtin.copy:
|
||||||
src: libstrongswan-relax-constraints.conf
|
src: libstrongswan-relax-constraints.conf
|
||||||
dest: "{{ configs_prefix }}/strongswan.d/relax-ca-constraints.conf"
|
dest: "{{ configs_prefix }}/strongswan.d/relax-ca-constraints.conf"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: "0644"
|
||||||
|
|
||||||
- name: Setup the certificates and keys
|
- name: Setup the certificates and keys
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: "{{ item.src }}"
|
src: "{{ item.src }}"
|
||||||
dest: "{{ item.dest }}"
|
dest: "{{ item.dest }}"
|
||||||
|
mode: "{{ item.mode }}"
|
||||||
with_items:
|
with_items:
|
||||||
- src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt
|
- src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt
|
||||||
dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt"
|
dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt"
|
||||||
|
mode: "0644"
|
||||||
- src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem
|
- src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem
|
||||||
dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem"
|
dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem"
|
||||||
|
mode: "0644"
|
||||||
- src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key
|
- src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key
|
||||||
dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key"
|
dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key"
|
||||||
|
mode: "0600"
|
||||||
notify:
|
notify:
|
||||||
- restart strongswan
|
- Restart strongswan
|
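Review bot: The `Include additional ipsec config` task (its `ansible.builtin.lineinfile` starts in the previous hunk) uses `create: true` without a `mode`, so if `{{ configs_prefix }}/ipsec.secrets` does not exist yet it is created with the process umask, while the `ipsec.{{ IP_subject_alt_name }}.secrets` file it includes is written 0600 two tasks earlier. Give the items a per-file mode as the `Setup the certificates and keys` task now does, e.g. `mode: "{{ item.mode }}"` with `mode: "0600"` on the ipsec.secrets item, so the secrets include file is never world-readable. The `mode: "{{ item.mode }}"` addition for the certificate and key templates is the right fix for the same class of problem.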
@ -1,6 +1,6 @@
---
|
---
|
||||||
- name: Set OS specific facts
|
- name: Set OS specific facts
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
prerequisites:
|
prerequisites:
|
||||||
- epel-release
|
- epel-release
|
||||||
configs_prefix: /etc/strongswan
|
configs_prefix: /etc/strongswan
|
@ -1,6 +1,6 @@
---
|
---
|
||||||
- name: Set OS specific facts
|
- name: Set OS specific facts
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
prerequisites:
|
prerequisites:
|
||||||
- libstrongswan-standard-plugins
|
- libstrongswan-standard-plugins
|
||||||
configs_prefix: /etc
|
configs_prefix: /etc
|
@ -1,6 +1,6 @@
---
|
---
|
||||||
- name: Set OS specific facts
|
- name: Set OS specific facts
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
prerequisites:
|
prerequisites:
|
||||||
- libselinux-python
|
- libselinux-python
|
||||||
configs_prefix: /etc/strongswan
|
configs_prefix: /etc/strongswan
|
@ -1,6 +1,6 @@
---
|
---
|
||||||
- name: Set OS specific facts
|
- name: Set OS specific facts
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
prerequisites:
|
prerequisites:
|
||||||
- libstrongswan-standard-plugins
|
- libstrongswan-standard-plugins
|
||||||
configs_prefix: /etc
|
configs_prefix: /etc
|
@ -1,12 +1,16 @@
---
|
---
|
||||||
- include_tasks: Debian.yml
|
- name: Include Debian
|
||||||
|
ansible.builtin.include_tasks: Debian.yml
|
||||||
when: ansible_distribution == 'Debian'
|
when: ansible_distribution == 'Debian'
|
||||||
|
|
||||||
- include_tasks: Ubuntu.yml
|
- name: Include Ubuntu
|
||||||
|
ansible.builtin.include_tasks: Ubuntu.yml
|
||||||
when: ansible_distribution == 'Ubuntu'
|
when: ansible_distribution == 'Ubuntu'
|
||||||
|
|
||||||
- include_tasks: CentOS.yml
|
- name: Include CentOS
|
||||||
|
ansible.builtin.include_tasks: CentOS.yml
|
||||||
when: ansible_distribution == 'CentOS'
|
when: ansible_distribution == 'CentOS'
|
||||||
|
|
||||||
- include_tasks: Fedora.yml
|
- name: Include Fedora
|
||||||
|
ansible.builtin.include_tasks: Fedora.yml
|
||||||
when: ansible_distribution == 'Fedora'
|
when: ansible_distribution == 'Fedora'
|
@ -1,20 +1,20 @@
---
|
---
|
||||||
- name: Define facts
|
- name: Define facts
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
p12_export_password: "{{ p12_password|default(lookup('password', '/dev/null length=9 chars=ascii_letters,digits,_,@')) }}"
|
p12_export_password: "{{ p12_password|default(lookup('password', '/dev/null length=9 chars=ascii_letters,digits,_,@')) }}"
|
||||||
tags: update-users
|
tags: update-users
|
||||||
|
|
||||||
- name: Set facts
|
- name: Set facts
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
CA_password: "{{ ca_password|default(lookup('password', '/dev/null length=16 chars=ascii_letters,digits,_,@')) }}"
|
CA_password: "{{ ca_password|default(lookup('password', '/dev/null length=16 chars=ascii_letters,digits,_,@')) }}"
|
||||||
IP_subject_alt_name: "{{ IP_subject_alt_name }}"
|
IP_subject_alt_name: "{{ IP_subject_alt_name }}"
|
||||||
|
|
||||||
- name: Set IPv6 support as a fact
|
- name: Set IPv6 support as a fact
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
ipv6_support: "{% if ansible_default_ipv6['gateway'] is defined %}true{% else %}false{% endif %}"
|
ipv6_support: "{% if ansible_default_ipv6['gateway'] is defined %}true{% else %}false{% endif %}"
|
||||||
tags: always
|
tags: always
|
||||||
|
|
||||||
- name: Check size of MTU
|
- name: Check size of MTU
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
reduce_mtu: "{{ 1500 - ansible_default_ipv4['mtu']|int if reduce_mtu|int == 0 and ansible_default_ipv4['mtu']|int < 1500 else reduce_mtu|int }}"
|
reduce_mtu: "{{ 1500 - ansible_default_ipv4['mtu']|int if reduce_mtu|int == 0 and ansible_default_ipv4['mtu']|int < 1500 else reduce_mtu|int }}"
|
||||||
tags: always
|
tags: always
|
@ -1,6 +1,6 @@
---
|
---
|
||||||
- name: FreeBSD | Install prerequisites
|
- name: FreeBSD | Install prerequisites
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name:
|
name:
|
||||||
- python3
|
- python3
|
||||||
- sudo
|
- sudo
|
@ -8,16 +8,16 @@
ansible_python_interpreter: /usr/local/bin/python2.7
|
ansible_python_interpreter: /usr/local/bin/python2.7
|
||||||
|
|
||||||
- name: Set python3 as the interpreter to use
|
- name: Set python3 as the interpreter to use
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
ansible_python_interpreter: /usr/local/bin/python3
|
ansible_python_interpreter: /usr/local/bin/python3
|
||||||
|
|
||||||
- name: Gather facts
|
- name: Gather facts
|
||||||
setup:
|
ansible.builtin.setup:
|
||||||
- name: Gather additional facts
|
- name: Gather additional facts
|
||||||
import_tasks: facts.yml
|
ansible.builtin.import_tasks: facts.yml
|
||||||
|
|
||||||
- name: Set OS specific facts
|
- name: Set OS specific facts
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
config_prefix: /usr/local/
|
config_prefix: /usr/local/
|
||||||
strongswan_shell: /usr/sbin/nologin
|
strongswan_shell: /usr/sbin/nologin
|
||||||
strongswan_home: /var/empty
|
strongswan_home: /var/empty
|
@ -42,12 +42,14 @@
value: 1
|
value: 1
|
||||||
|
|
||||||
- name: Install tools
|
- name: Install tools
|
||||||
package: name="{{ item }}" state=present
|
ansible.builtin.package:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: present
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ tools|default([]) }}"
|
- "{{ tools|default([]) }}"
|
||||||
|
|
||||||
- name: Loopback included into the rc config
|
- name: Loopback included into the rc config
|
||||||
blockinfile:
|
ansible.builtin.blockinfile:
|
||||||
dest: /etc/rc.conf
|
dest: /etc/rc.conf
|
||||||
create: true
|
create: true
|
||||||
block: |
|
block: |
|
@ -58,7 +60,10 @@
- restart loopback bsd
|
- restart loopback bsd
|
||||||
|
|
||||||
- name: Enable the gateway features
|
- name: Enable the gateway features
|
||||||
lineinfile: dest=/etc/rc.conf regexp='^{{ item.param }}.*' line='{{ item.param }}={{ item.value }}'
|
ansible.builtin.lineinfile:
|
||||||
|
dest: /etc/rc.conf
|
||||||
|
regexp: '^{{ item.param }}.*'
|
||||||
|
line: '{{ item.param }}={{ item.value }}'
|
||||||
with_items:
|
with_items:
|
||||||
- { param: firewall_enable, value: '"YES"' }
|
- { param: firewall_enable, value: '"YES"' }
|
||||||
- { param: firewall_type, value: '"open"' }
|
- { param: firewall_type, value: '"open"' }
|
@ -70,9 +75,10 @@
- restart ipfw
|
- restart ipfw
|
||||||
|
|
||||||
- name: FreeBSD | Activate IPFW
|
- name: FreeBSD | Activate IPFW
|
||||||
shell: >
|
ansible.builtin.shell: >
|
||||||
kldstat -n ipfw.ko || kldload ipfw ; sysctl net.inet.ip.fw.enable=0 &&
|
kldstat -n ipfw.ko || kldload ipfw ; sysctl net.inet.ip.fw.enable=0 &&
|
||||||
bash /etc/rc.firewall && sysctl net.inet.ip.fw.enable=1
|
bash /etc/rc.firewall && sysctl net.inet.ip.fw.enable=1
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
- meta: flush_handlers
|
- name: Flush handlers
|
||||||
|
ansible.builtin.meta: flush_handlers
|
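Review bot: The `meta: flush_handlers` tasks are converted inconsistently within this commit: here the task becomes `- name: Flush handlers` with `ansible.builtin.meta: flush_handlers`, while the same task in the section containing `Sysctl tuning` and the one containing `Check apparmor support` becomes a bare `- ansible.builtin.meta: flush_handlers` with no name. Pick one form — the named one reads better in play output and is what the rest of the commit does for unnamed tasks — and apply it in all three places.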
@ -1,23 +1,23 @@
---
|
---
|
||||||
- name: Iptables configured
|
- name: Iptables configured
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: "{{ item.src }}"
|
src: "{{ item.src }}"
|
||||||
dest: "{{ item.dest }}"
|
dest: "{{ item.dest }}"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0640
|
mode: "0640"
|
||||||
with_items:
|
with_items:
|
||||||
- { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
|
- { src: rules.v4.j2, dest: /etc/iptables/rules.v4 }
|
||||||
notify:
|
notify:
|
||||||
- restart iptables
|
- restart iptables
|
||||||
|
|
||||||
- name: Iptables configured
|
- name: Iptables configured
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: "{{ item.src }}"
|
src: "{{ item.src }}"
|
||||||
dest: "{{ item.dest }}"
|
dest: "{{ item.dest }}"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0640
|
mode: "0640"
|
||||||
when: ipv6_support
|
when: ipv6_support
|
||||||
with_items:
|
with_items:
|
||||||
- { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
|
- { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
|
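Review bot: Both tasks in this hunk are named `Iptables configured`, so play output, `--start-at-task` and `--list-tasks` cannot tell the rules.v4 template from the rules.v6 one; since the commit already rewrites both task bodies, rename them to `- name: Iptables v4 configured` and `- name: Iptables v6 configured`. A smaller point: the v4 task notifies `restart iptables` but no `notify:` is visible on the v6 task — the hunk ends at its `with_items` entry, so if a notify follows outside the hunk this is moot, otherwise a changed rules.v6 never restarts the service.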
@ -1,30 +1,35 @@
---
|
---
|
||||||
- name: Check the system
|
- name: Check the system
|
||||||
raw: uname -a
|
ansible.builtin.raw: uname -a
|
||||||
register: OS
|
register: OS
|
||||||
changed_when: false
|
changed_when: false
|
||||||
tags:
|
tags:
|
||||||
- update-users
|
- update-users
|
||||||
|
|
||||||
- fail:
|
- name: Fail
|
||||||
|
ansible.builtin.fail:
|
||||||
when: cloud_test|default(false)|bool
|
when: cloud_test|default(false)|bool
|
||||||
|
|
||||||
- include_tasks: ubuntu.yml
|
- name: Include ubuntu
|
||||||
|
ansible.builtin.include_tasks: ubuntu.yml
|
||||||
when: '"Ubuntu" in OS.stdout or "Linux" in OS.stdout'
|
when: '"Ubuntu" in OS.stdout or "Linux" in OS.stdout'
|
||||||
tags:
|
tags:
|
||||||
- update-users
|
- update-users
|
||||||
|
|
||||||
- include_tasks: freebsd.yml
|
- name: Include freebsd
|
||||||
|
ansible.builtin.include_tasks: freebsd.yml
|
||||||
when: '"FreeBSD" in OS.stdout'
|
when: '"FreeBSD" in OS.stdout'
|
||||||
tags:
|
tags:
|
||||||
- update-users
|
- update-users
|
||||||
|
|
||||||
- name: Sysctl tuning
|
- name: Sysctl tuning
|
||||||
sysctl: name="{{ item.item }}" value="{{ item.value }}"
|
ansible.posix.sysctl:
|
||||||
|
name: "{{ item.item }}"
|
||||||
|
value: "{{ item.value }}"
|
||||||
when: item.item
|
when: item.item
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ sysctl|default([]) }}"
|
- "{{ sysctl|default([]) }}"
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
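Review bot: `ansible.posix.sysctl` in the `Sysctl tuning` task introduces a dependency on the ansible.posix collection, as do `community.general.ini_file` in the next file section and `community.crypto.openssl_privatekey`/`openssl_publickey` further down the page; none of these ships with ansible-core alone. Whether a requirements.yml pinning them is among the 22 changed files cannot be seen here — if not, add one and install it wherever the playbook runs, otherwise the FQCN rewrite turns a working play into a module-not-found failure. Also, the new `- name: Fail` is a name only in form; `- name: Fail when cloud_test is set` with a `msg:` under `ansible.builtin.fail` tells the operator why the play stopped.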
@ -1,10 +1,10 @@
---
|
---
|
||||||
- name: Gather facts
|
- name: Gather facts
|
||||||
setup:
|
ansible.builtin.setup:
|
||||||
- name: Cloud only tasks
|
- name: Cloud only tasks
|
||||||
block:
|
block:
|
||||||
- name: Install software updates
|
- name: Install software updates
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
update_cache: true
|
update_cache: true
|
||||||
install_recommends: true
|
install_recommends: true
|
||||||
upgrade: dist
|
upgrade: dist
|
@ -14,21 +14,21 @@
delay: 10
|
delay: 10
|
||||||
|
|
||||||
- name: Check if reboot is required
|
- name: Check if reboot is required
|
||||||
shell: >
|
ansible.builtin.shell: >
|
||||||
if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
|
if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
|
||||||
args:
|
args:
|
||||||
executable: /bin/bash
|
executable: /bin/bash
|
||||||
register: reboot_required
|
register: reboot_required
|
||||||
|
|
||||||
- name: Reboot
|
- name: Reboot
|
||||||
shell: sleep 2 && shutdown -r now "Ansible updates triggered"
|
ansible.builtin.shell: sleep 2 && shutdown -r now "Ansible updates triggered"
|
||||||
async: 1
|
async: 1
|
||||||
poll: 0
|
poll: 0
|
||||||
when: reboot_required is defined and reboot_required.stdout == 'required'
|
when: reboot_required is defined and reboot_required.stdout == 'required'
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
|
|
||||||
- name: Wait until the server becomes ready...
|
- name: Wait until the server becomes ready...
|
||||||
wait_for_connection:
|
ansible.builtin.wait_for_connection:
|
||||||
delay: 20
|
delay: 20
|
||||||
timeout: 320
|
timeout: 320
|
||||||
when: reboot_required is defined and reboot_required.stdout == 'required'
|
when: reboot_required is defined and reboot_required.stdout == 'required'
|
@ -36,16 +36,19 @@
when: algo_provider != "local"
|
when: algo_provider != "local"
|
||||||
|
|
||||||
- name: Include unattended upgrades configuration
|
- name: Include unattended upgrades configuration
|
||||||
import_tasks: unattended-upgrades.yml
|
ansible.builtin.import_tasks: unattended-upgrades.yml
|
||||||
|
|
||||||
- name: Disable MOTD on login and SSHD
|
- name: Disable MOTD on login and SSHD
|
||||||
replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
|
ansible.builtin.replace:
|
||||||
|
dest: "{{ item.file }}"
|
||||||
|
regexp: "{{ item.regexp }}"
|
||||||
|
replace: "{{ item.line }}"
|
||||||
with_items:
|
with_items:
|
||||||
- { regexp: ^session.*optional.*pam_motd.so.*, line: "# MOTD DISABLED", file: /etc/pam.d/login }
|
- { regexp: ^session.*optional.*pam_motd.so.*, line: "# MOTD DISABLED", file: /etc/pam.d/login }
|
||||||
- { regexp: ^session.*optional.*pam_motd.so.*, line: "# MOTD DISABLED", file: /etc/pam.d/sshd }
|
- { regexp: ^session.*optional.*pam_motd.so.*, line: "# MOTD DISABLED", file: /etc/pam.d/sshd }
|
||||||
|
|
||||||
- name: Ensure fallback resolvers are set
|
- name: Ensure fallback resolvers are set
|
||||||
ini_file:
|
community.general.ini_file:
|
||||||
path: /etc/systemd/resolved.conf
|
path: /etc/systemd/resolved.conf
|
||||||
section: Resolve
|
section: Resolve
|
||||||
option: FallbackDNS
|
option: FallbackDNS
|
@ -54,14 +57,14 @@
- restart systemd-resolved
|
- restart systemd-resolved
|
||||||
|
|
||||||
- name: Loopback for services configured
|
- name: Loopback for services configured
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: 10-algo-lo100.network.j2
|
src: 10-algo-lo100.network.j2
|
||||||
dest: /etc/systemd/network/10-algo-lo100.network
|
dest: /etc/systemd/network/10-algo-lo100.network
|
||||||
notify:
|
notify:
|
||||||
- restart systemd-networkd
|
- restart systemd-networkd
|
||||||
|
|
||||||
- name: systemd services enabled and started
|
- name: systemd services enabled and started
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
state: started
|
state: started
|
||||||
enabled: true
|
enabled: true
|
@ -70,24 +73,24 @@
- systemd-networkd
|
- systemd-networkd
|
||||||
- systemd-resolved
|
- systemd-resolved
|
||||||
|
|
||||||
- meta: flush_handlers
|
- ansible.builtin.meta: flush_handlers
|
||||||
|
|
||||||
- name: Check apparmor support
|
- name: Check apparmor support
|
||||||
command: apparmor_status
|
ansible.builtin.command: apparmor_status
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
changed_when: false
|
changed_when: false
|
||||||
register: apparmor_status
|
register: apparmor_status
|
||||||
|
|
||||||
- name: Set fact if apparmor enabled
|
- name: Set fact if apparmor enabled
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
apparmor_enabled: true
|
apparmor_enabled: true
|
||||||
when: '"profiles are in enforce mode" in apparmor_status.stdout'
|
when: '"profiles are in enforce mode" in apparmor_status.stdout'
|
||||||
|
|
||||||
- name: Gather additional facts
|
- name: Gather additional facts
|
||||||
import_tasks: facts.yml
|
ansible.builtin.import_tasks: facts.yml
|
||||||
|
|
||||||
- name: Set OS specific facts
|
- name: Set OS specific facts
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
tools:
|
tools:
|
||||||
- git
|
- git
|
||||||
- screen
|
- screen
|
@ -107,13 +110,13 @@
value: 1
|
value: 1
|
||||||
|
|
||||||
- name: Install tools
|
- name: Install tools
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: "{{ tools|default([]) }}"
|
name: "{{ tools|default([]) }}"
|
||||||
state: present
|
state: present
|
||||||
update_cache: true
|
update_cache: true
|
||||||
|
|
||||||
- name: Install headers
|
- name: Install headers
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name:
|
name:
|
||||||
- linux-headers-generic
|
- linux-headers-generic
|
||||||
- linux-headers-{{ ansible_kernel }}
|
- linux-headers-{{ ansible_kernel }}
|
@ -121,8 +124,9 @@
when: install_headers | bool
|
when: install_headers | bool
|
||||||
|
|
||||||
- name: Configure the alternative ingress ip
|
- name: Configure the alternative ingress ip
|
||||||
include_tasks: aip/main.yml
|
ansible.builtin.include_tasks: aip/main.yml
|
||||||
when: alternative_ingress_ip
|
when: alternative_ingress_ip
|
||||||
|
|
||||||
- include_tasks: iptables.yml
|
- name: Include iptables
|
||||||
|
ansible.builtin.include_tasks: iptables.yml
|
||||||
tags: iptables
|
tags: iptables
|
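Review bot: `ignore_errors: true` on the `Check apparmor support` probe (and on the `diskutil info` probe in the ramdisk-cleanup section later on the page) hides every failure, including `apparmor_status` being absent, while still printing an ignored error in the output; for a command whose return code and stdout are the signal, the idiom is `failed_when: false` next to `register` and `changed_when: false`. The `Reboot` task is the same pattern — `ansible.builtin.shell: sleep 2 && shutdown -r now` with `async: 1`, `poll: 0` and `ignore_errors`, followed by a separate `wait_for_connection` — and `ansible.builtin.reboot` with `reboot_timeout: 320` under the same `when:` would replace both tasks and wait for the host itself, provided the connection plugin in use supports it.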
@ -1,21 +1,21 @@
---
|
---
|
||||||
- name: Install unattended-upgrades
|
- name: Install unattended-upgrades
|
||||||
apt:
|
ansible.builtin.apt:
|
||||||
name: unattended-upgrades
|
name: unattended-upgrades
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Configure unattended-upgrades
|
- name: Configure unattended-upgrades
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: 50unattended-upgrades.j2
|
src: 50unattended-upgrades.j2
|
||||||
dest: /etc/apt/apt.conf.d/50unattended-upgrades
|
dest: /etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: "0644"
|
||||||
|
|
||||||
- name: Periodic upgrades configured
|
- name: Periodic upgrades configured
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: 10periodic.j2
|
src: 10periodic.j2
|
||||||
dest: /etc/apt/apt.conf.d/10periodic
|
dest: /etc/apt/apt.conf.d/10periodic
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: "0644"
|
@ -1,5 +1,7 @@
---
|
---
|
||||||
- name: cloud-pre
|
- name: cloud-pre
|
||||||
|
delegate_to: localhost
|
||||||
|
become: false
|
||||||
block:
|
block:
|
||||||
- name: Display the invocation environment
|
- name: Display the invocation environment
|
||||||
ansible.builtin.shell: >
|
ansible.builtin.shell: >
|
@ -26,21 +28,19 @@
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
- skip_ansible_lint
|
- skip_ansible_lint
|
||||||
delegate_to: localhost
|
|
||||||
become: false
|
|
||||||
|
|
||||||
- name: Provider not local
|
- name: Provider not local
|
||||||
when: algo_provider != "local"
|
when: algo_provider != "local"
|
||||||
block:
|
block:
|
||||||
- name: Generate the SSH private key
|
- name: Generate the SSH private key
|
||||||
ansible.builtin.openssl_privatekey:
|
community.crypto.openssl_privatekey:
|
||||||
path: "{{ SSH_keys.private }}"
|
path: "{{ SSH_keys.private }}"
|
||||||
size: 2048
|
size: 2048
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
type: RSA
|
type: RSA
|
||||||
|
|
||||||
- name: Generate the SSH public key
|
- name: Generate the SSH public key
|
||||||
ansible.builtin.openssl_publickey:
|
community.crypto.openssl_publickey:
|
||||||
path: "{{ SSH_keys.public }}"
|
path: "{{ SSH_keys.public }}"
|
||||||
privatekey_path: "{{ SSH_keys.private }}"
|
privatekey_path: "{{ SSH_keys.private }}"
|
||||||
format: OpenSSH
|
format: OpenSSH
|
@ -1,5 +1,5 @@
---
|
---
|
||||||
- name: Linux | set OS specific facts
|
- name: Linux | set OS specific facts
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
tmpfs_volume_name: AlgoVPN-{{ IP_subject_alt_name }}
|
tmpfs_volume_name: AlgoVPN-{{ IP_subject_alt_name }}
|
||||||
tmpfs_volume_path: /dev/shm
|
tmpfs_volume_path: /dev/shm
|
@ -1,11 +1,11 @@
---
|
---
|
||||||
- name: MacOS | set OS specific facts
|
- name: MacOS | set OS specific facts
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
tmpfs_volume_name: AlgoVPN-{{ IP_subject_alt_name }}
|
tmpfs_volume_name: AlgoVPN-{{ IP_subject_alt_name }}
|
||||||
tmpfs_volume_path: /Volumes
|
tmpfs_volume_path: /Volumes
|
||||||
|
|
||||||
- name: MacOS | mount a ram disk
|
- name: MacOS | mount a ram disk
|
||||||
shell: >
|
ansible.builtin.shell: >
|
||||||
/usr/sbin/diskutil info "/{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/" ||
|
/usr/sbin/diskutil info "/{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/" ||
|
||||||
/usr/sbin/diskutil erasevolume HFS+ "{{ tmpfs_volume_name }}" $(hdiutil attach -nomount ram://64000)
|
/usr/sbin/diskutil erasevolume HFS+ "{{ tmpfs_volume_name }}" $(hdiutil attach -nomount ram://64000)
|
||||||
args:
|
args:
|
@ -1,17 +1,17 @@
---
|
---
|
||||||
- name: Include tasks for MacOS
|
- name: Include tasks for MacOS
|
||||||
import_tasks: macos.yml
|
ansible.builtin.import_tasks: macos.yml
|
||||||
when: ansible_system == "Darwin"
|
when: ansible_system == "Darwin"
|
||||||
|
|
||||||
- name: Include tasks for Linux
|
- name: Include tasks for Linux
|
||||||
import_tasks: linux.yml
|
ansible.builtin.import_tasks: linux.yml
|
||||||
when: ansible_system == "Linux"
|
when: ansible_system == "Linux"
|
||||||
|
|
||||||
- name: Set config paths as facts
|
- name: Set config paths as facts
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
ipsec_pki_path: /{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/IPsec/
|
ipsec_pki_path: /{{ tmpfs_volume_path }}/{{ tmpfs_volume_name }}/IPsec/
|
||||||
|
|
||||||
- name: Update config paths
|
- name: Update config paths
|
||||||
add_host:
|
ansible.builtin.add_host:
|
||||||
name: "{{ 'localhost' if cloud_instance_ip == 'localhost' else cloud_instance_ip }}"
|
name: "{{ 'localhost' if cloud_instance_ip == 'localhost' else cloud_instance_ip }}"
|
||||||
ipsec_pki_path: "{{ ipsec_pki_path }}"
|
ipsec_pki_path: "{{ ipsec_pki_path }}"
|
@ -1,19 +1,22 @@
---
|
---
|
||||||
- name: Linux | Delete the PKI directory
|
- name: Linux | Delete the PKI directory
|
||||||
file:
|
ansible.builtin.file:
|
||||||
path: /{{ facts.tmpfs_volume_path }}/{{ facts.tmpfs_volume_name }}/
|
path: /{{ facts.tmpfs_volume_path }}/{{ facts.tmpfs_volume_name }}/
|
||||||
state: absent
|
state: absent
|
||||||
when: facts.ansible_system == "Linux"
|
when: facts.ansible_system == "Linux"
|
||||||
|
|
||||||
- block:
|
- name: Darwin
|
||||||
|
when:
|
||||||
|
- facts.ansible_system == "Darwin"
|
||||||
|
block:
|
||||||
- name: MacOS | check fs the ramdisk exists
|
- name: MacOS | check fs the ramdisk exists
|
||||||
command: /usr/sbin/diskutil info "{{ facts.tmpfs_volume_name }}"
|
ansible.builtin.command: /usr/sbin/diskutil info "{{ facts.tmpfs_volume_name }}"
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
changed_when: false
|
changed_when: false
|
||||||
register: diskutil_info
|
register: diskutil_info
|
||||||
|
|
||||||
- name: MacOS | unmount and eject the ram disk
|
- name: MacOS | unmount and eject the ram disk
|
||||||
shell: >
|
ansible.builtin.shell: >
|
||||||
/usr/sbin/diskutil umount force "/{{ facts.tmpfs_volume_path }}/{{ facts.tmpfs_volume_name }}/" &&
|
/usr/sbin/diskutil umount force "/{{ facts.tmpfs_volume_path }}/{{ facts.tmpfs_volume_name }}/" &&
|
||||||
/usr/sbin/diskutil eject "{{ facts.tmpfs_volume_name }}"
|
/usr/sbin/diskutil eject "{{ facts.tmpfs_volume_name }}"
|
||||||
changed_when: false
|
changed_when: false
|
@ -22,5 +25,4 @@
until: result.rc == 0
|
until: result.rc == 0
|
||||||
retries: 5
|
retries: 5
|
||||||
delay: 3
|
delay: 3
|
||||||
when:
|
|
||||||
- facts.ansible_system == "Darwin"
|
|
15
users.yml
15
users.yml
@ -98,23 +98,28 @@
tasks:
|
tasks:
|
||||||
- name: Play roles
|
- name: Play roles
|
||||||
block:
|
block:
|
||||||
- ansible.builtin.import_role:
|
- name: Import common
|
||||||
|
ansible.builtin.import_role:
|
||||||
name: common
|
name: common
|
||||||
|
|
||||||
- ansible.builtin.import_role:
|
- name: Import wireguard
|
||||||
|
ansible.builtin.import_role:
|
||||||
name: wireguard
|
name: wireguard
|
||||||
when: wireguard_enabled
|
when: wireguard_enabled
|
||||||
|
|
||||||
- ansible.builtin.import_role:
|
- name: Import strongswan
|
||||||
|
ansible.builtin.import_role:
|
||||||
name: strongswan
|
name: strongswan
|
||||||
when: ipsec_enabled
|
when: ipsec_enabled
|
||||||
tags: ipsec
|
tags: ipsec
|
||||||
|
|
||||||
- ansible.builtin.import_role:
|
- name: Import ssh_tunneling
|
||||||
|
ansible.builtin.import_role:
|
||||||
name: ssh_tunneling
|
name: ssh_tunneling
|
||||||
when: algo_ssh_tunneling
|
when: algo_ssh_tunneling
|
||||||
|
|
||||||
- ansible.builtin.debug:
|
- name: End message
|
||||||
|
ansible.builtin.debug:
|
||||||
msg:
|
msg:
|
||||||
- "{{ congrats.common.split('\n') }}"
|
- "{{ congrats.common.split('\n') }}"
|
||||||
- " {{ congrats.p12_pass if algo_ssh_tunneling or ipsec_enabled else '' }}"
|
- " {{ congrats.p12_pass if algo_ssh_tunneling or ipsec_enabled else '' }}"
|