---
# Pre-flight checks for a SecureDrop Admin Workstation running on Tails.

# Look for the Tails marker in /etc/os-release. The match count is used by
# the next task as a fallback when the LSB facts do not identify the OS.
- name: Check /etc/os-release for Tails string
  find:
    name: /etc
    patterns: os-release
    contains: '^TAILS_PRODUCT_NAME='
  register: tails_os_string
# Either the LSB id or the os-release marker must identify Tails. The LSB
# major release is the Debian base (Tails 3 ships on Debian 9), which is why
# the message talks about Tails 3 while the check compares against 9.
- name: Confirm host OS is Tails.
  assert:
    that:
      - 'ansible_lsb.id == "Tails" or tails_os_string.matched'
      - 'ansible_lsb.major_release | int >= 9'
    msg: >-
      SecureDrop requires Tails 3 or greater for workstation environments.
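# Stat every path that must exist on the unlocked persistent volume (the
# persistence config, the SSH-client persistence feature, and the SecureDrop
# checkout under ~/Persistent). The per-item results are asserted next.
- name: Check for persistence volume.
  stat:
    # Previously a fixed persistence.conf path: every loop iteration stat'ed
    # the same file and the other two paths were never actually checked.
    path: "{{ item }}"
  register: tails_persistence_check_result
  with_items:
    - /live/persistence/TailsData_unlocked/persistence.conf
    - /live/persistence/TailsData_unlocked/openssh-client
    - /home/amnesia/Persistent/securedrop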
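# Fail on the first path from the previous task that does not exist. Each
# result carries the stat of one of the three required paths.
- name: Confirm persistence volume is configured.
  assert:
    that:
      - item.stat.exists
    # Message wording fixed ("must configured" -> "must be configured").
    msg: >-
      Persistence must be configured on the Tails device for the Admin
      Workstation, and the SSH option for persistent dotfiles must be enabled.
      The SecureDrop git repository should be cloned
      to `~/Persistent/securedrop`.
  with_items: "{{ tails_persistence_check_result.results }}"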
# Stat the per-server `.auth_private` files next to the Ansible playbooks.
# NOTE(review): these appear to be onion-service client-authorization
# secrets; they are expected on the persistent volume only — confirm.
- name: Check for v3 SSH auth files
  stat:
    path: '/home/amnesia/Persistent/securedrop/install_files/ansible-base/{{ item }}'
  with_items:
    - app-ssh.auth_private
    - mon-ssh.auth_private
  register: v3_ssh_auth_files
# Number of the two server auth files that exist. The templated fact is
# compared as a string ("0"/"2") by the assertions that follow.
- name: Count the number of v3 SSH auth files
  set_fact:
    v3_ssh_auth_file_count: >-
      {{ v3_ssh_auth_files.results | selectattr('stat.exists') | list | length }}
# Stat the journalist-interface auth file; required later only when both
# server auth files exist and SSH over Tor is enabled.
- name: Check for Journalist client auth file
  stat:
    path: '/home/amnesia/Persistent/securedrop/install_files/ansible-base/app-journalist.auth_private'
  register: v3_journalist_auth_file
# Stat the v3 onion-service key file; its presence is asserted at the end,
# after the journalist auth file has been found.
- name: Check for Tor v3 key file
  stat:
    path: '/home/amnesia/Persistent/securedrop/install_files/ansible-base/tor_v3_keys.json'
  register: v3_tor_key
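# Both per-server auth files must be present, or neither: exactly one
# indicates an incomplete copy of the admin workstation files.
- name: Confirm that a valid set of SSH auth files is present
  assert:
    that:
      - v3_ssh_auth_file_count == "0" or v3_ssh_auth_file_count == "2"
    # Closing backtick added after `ansible-base/`.
    msg: >-
      One of the SSH `.auth_private` files is missing. Please add the missing
      file under `~/Persistent/securedrop/install_files/ansible-base/` and
      retry the install command.
  # NOTE(review): the original carried a bare `when:` (parsed as null, i.e.
  # no condition, which Ansible appears to evaluate as true). It is dropped
  # here so the check is explicitly unconditional — confirm whether
  # `enable_ssh_over_tor` was meant, as in the task that follows.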
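# Only meaningful when SSH over Tor is on and both server auth files exist;
# the two `when` entries are ANDed.
- name: Confirm that the Journalist auth file is present
  assert:
    that:
      - v3_journalist_auth_file.stat.exists
    # Closing backtick added after `ansible-base/`.
    msg: >-
      The `app-journalist.auth_private` file is missing. Please add the missing
      file under `~/Persistent/securedrop/install_files/ansible-base/` and
      retry the install command.
  when:
    - enable_ssh_over_tor
    - v3_ssh_auth_file_count == "2"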
# Once the journalist auth file exists, the matching onion-service key file
# is required too; otherwise an update of an existing instance cannot
# reuse its addresses.
- name: Confirm that the Tor keys file is present
  when: v3_journalist_auth_file.stat.exists
  assert:
    that:
      - v3_tor_key.stat.exists
    msg: >-
      Authentication files for v3 onion services were found, but the
      corresponding `tor_v3_keys.json` file is missing. To enable updates
      to an existing SecureDrop instance, please add this file under
      `~/Persistent/securedrop/install_files/ansible-base`.