mirror of https://github.com/trailofbits/algo
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
124 lines
4.3 KiB
YAML
124 lines
4.3 KiB
YAML
---
|
|
- name: Configure the server and install required software
|
|
hosts: vpn-host
|
|
gather_facts: false
|
|
become: true
|
|
vars_files:
|
|
- config.cfg
|
|
tasks:
|
|
- block:
|
|
- name: Wait until the cloud-init completed
|
|
wait_for:
|
|
path: /var/lib/cloud/data/result.json
|
|
delay: 10
|
|
timeout: 600
|
|
state: present
|
|
become: false
|
|
when: cloudinit
|
|
|
|
- block:
|
|
- name: Ensure the config directory exists
|
|
file:
|
|
dest: configs/{{ IP_subject_alt_name }}
|
|
state: directory
|
|
mode: "0700"
|
|
|
|
- name: Dump the ssh config
|
|
copy:
|
|
dest: configs/{{ IP_subject_alt_name }}/ssh_config
|
|
mode: "0600"
|
|
content: |
|
|
Host {{ IP_subject_alt_name }} {{ algo_server_name }}
|
|
HostName {{ IP_subject_alt_name }}
|
|
User {{ ansible_ssh_user }}
|
|
Port {{ ansible_ssh_port }}
|
|
IdentitiesOnly yes
|
|
IdentityFile {{ SSH_keys.private | realpath }}
|
|
KeepAlive yes
|
|
ServerAliveInterval 30
|
|
when: inventory_hostname != 'localhost'
|
|
become: false
|
|
delegate_to: localhost
|
|
|
|
- import_role:
|
|
name: common
|
|
tags: common
|
|
|
|
- import_role:
|
|
name: dns
|
|
when:
|
|
- algo_dns_adblocking or dns_encryption
|
|
tags: dns
|
|
|
|
- import_role:
|
|
name: wireguard
|
|
when: wireguard_enabled
|
|
tags: wireguard
|
|
|
|
- import_role:
|
|
name: strongswan
|
|
when: ipsec_enabled
|
|
tags: ipsec
|
|
|
|
- import_role:
|
|
name: ssh_tunneling
|
|
when: algo_ssh_tunneling
|
|
tags: ssh_tunneling
|
|
|
|
- block:
|
|
- name: Dump the configuration
|
|
copy:
|
|
dest: configs/{{ IP_subject_alt_name }}/.config.yml
|
|
content: |
|
|
server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }}
|
|
server_user: {{ ansible_ssh_user }}
|
|
ansible_ssh_port: "{{ ansible_ssh_port|default(22) }}"
|
|
{% if algo_provider != "local" %}
|
|
ansible_ssh_private_key_file: {{ SSH_keys.private }}
|
|
{% endif %}
|
|
algo_provider: {{ algo_provider }}
|
|
algo_server_name: {{ algo_server_name }}
|
|
algo_ondemand_cellular: {{ algo_ondemand_cellular }}
|
|
algo_ondemand_wifi: {{ algo_ondemand_wifi }}
|
|
algo_ondemand_wifi_exclude: {{ algo_ondemand_wifi_exclude }}
|
|
algo_dns_adblocking: {{ algo_dns_adblocking }}
|
|
algo_ssh_tunneling: {{ algo_ssh_tunneling }}
|
|
algo_store_pki: {{ algo_store_pki }}
|
|
IP_subject_alt_name: {{ IP_subject_alt_name }}
|
|
ipsec_enabled: {{ ipsec_enabled }}
|
|
wireguard_enabled: {{ wireguard_enabled }}
|
|
{% if tests|default(false)|bool %}
|
|
ca_password: '{{ CA_password }}'
|
|
p12_password: '{{ p12_export_password }}'
|
|
{% endif %}
|
|
become: false
|
|
delegate_to: localhost
|
|
|
|
- name: Create a symlink if deploying to localhost
|
|
file:
|
|
src: "{{ IP_subject_alt_name }}"
|
|
dest: configs/localhost
|
|
state: link
|
|
force: true
|
|
when: inventory_hostname == 'localhost'
|
|
|
|
- name: Import tmpfs tasks
|
|
import_tasks: playbooks/tmpfs/umount.yml
|
|
become: false
|
|
delegate_to: localhost
|
|
vars:
|
|
facts: "{{ hostvars['localhost'] }}"
|
|
when:
|
|
- pki_in_tmpfs
|
|
- not algo_store_pki
|
|
|
|
- debug:
|
|
msg:
|
|
- "{{ congrats.common.split('\n') }}"
|
|
- " {{ congrats.p12_pass if algo_ssh_tunneling or ipsec_enabled else '' }}"
|
|
- " {{ congrats.ca_key_pass if algo_store_pki and ipsec_enabled else '' }}"
|
|
- " {{ congrats.ssh_access if algo_provider != 'local' else ''}}"
|
|
tags: always
|
|
rescue:
|
|
- include_tasks: playbooks/rescue.yml
|