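---
# Task file for deploying Tor onion (hidden) services.
#
# `onion_services` is a dict keyed by the service's directory name under
# /var/lib/tor/; each value may carry `onion_state` ('present' by default,
# or 'absent'), an optional `onion_hostname`, and optional base64-encoded
# v3 key material (`onion_public_key_b64encoded`,
# `onion_secret_key_b64encoded`). Tasks that touch a service are gated on
# `onion_state` so an 'absent' service is only ever removed.

- name: Ensure gpg is present
  ansible.builtin.apt:
    pkg: gnupg
    update_cache: true

- name: Ensure tor is installed
  ansible.builtin.apt:
    pkg: tor
    state: "{{ onion_tor_apt_state }}"

- name: Install extra tor packages
  ansible.builtin.apt:
    pkg: "{{ onion_apt_packages }}"
    state: present

# Modes are quoted throughout so the leading-zero octal reaches the module
# as a string instead of being re-typed by the YAML parser.
- name: Ensure onion directory is present
  ansible.builtin.file:
    path: "/var/lib/tor/{{ item.key }}/"
    owner: debian-tor
    group: debian-tor
    mode: "0700"
    state: directory
  with_dict: "{{ onion_services }}"
  when: item.value.onion_state|default('present') == 'present'
  notify: Restart tor

- name: Ensure onion configuration is latest
  ansible.builtin.template:
    src: torrc.j2
    dest: /etc/tor/torrc
    owner: root
    group: root
    mode: "0644"
  notify: Restart tor

# Only written when the caller pins a hostname; otherwise tor generates it
# on restart and the `Read onion url` task below picks it up.
- name: Ensure hostname file are present
  ansible.builtin.template:
    src: hostname.j2
    dest: "/var/lib/tor/{{ item.key }}/hostname"
    owner: debian-tor
    group: debian-tor
    mode: "0600"
    backup: true
  with_dict: "{{ onion_services }}"
  when:
    - item.value.onion_hostname is defined
    - item.value.onion_hostname
    - item.value.onion_state|default('present') == 'present'
  notify: Restart tor

# The key files are binary, so they are decoded by the shell rather than
# written via `copy`. The variable is shell-quoted before interpolation so
# its contents cannot be interpreted by bash, and `creates` makes the task
# a no-op once the file exists.
- name: Copy encoded public_key (only for onion v3)
  ansible.builtin.shell:
    cmd: >-
      set -o pipefail &&
      echo {{ item.value.onion_public_key_b64encoded | quote }} | base64 -d
      >/var/lib/tor/{{ item.key }}/hs_ed25519_public_key
    executable: /bin/bash
    creates: "/var/lib/tor/{{ item.key }}/hs_ed25519_public_key"
  with_dict: "{{ onion_services }}"
  when:
    - item.value.onion_public_key_b64encoded is defined
    - item.value.onion_public_key_b64encoded
    - item.value.onion_state|default('present') == 'present'
  notify: Restart tor

- name: Ensure public key file permissions are correct
  ansible.builtin.file:
    path: "/var/lib/tor/{{ item.key }}/hs_ed25519_public_key"
    owner: debian-tor
    group: debian-tor
    mode: "0600"
  with_dict: "{{ onion_services }}"
  when:
    - item.value.onion_public_key_b64encoded is defined
    - item.value.onion_public_key_b64encoded
    - item.value.onion_state|default('present') == 'present'

# The secret key appears on the command line of this task, so `no_log`
# keeps it out of the controller's output and logs (including -v runs).
# The trade-off is that a failure here reports no stdout/stderr.
- name: Copy encoded secret_key (only for onion v3)
  ansible.builtin.shell:
    cmd: >-
      set -o pipefail &&
      echo {{ item.value.onion_secret_key_b64encoded | quote }} | base64 -d
      >/var/lib/tor/{{ item.key }}/hs_ed25519_secret_key
    executable: /bin/bash
    creates: "/var/lib/tor/{{ item.key }}/hs_ed25519_secret_key"
  no_log: true
  with_dict: "{{ onion_services }}"
  when:
    - item.value.onion_secret_key_b64encoded is defined
    - item.value.onion_secret_key_b64encoded
    - item.value.onion_state|default('present') == 'present'
  notify: Restart tor

- name: Ensure secret key file permissions are correct
  ansible.builtin.file:
    path: "/var/lib/tor/{{ item.key }}/hs_ed25519_secret_key"
    owner: debian-tor
    group: debian-tor
    mode: "0600"
  with_dict: "{{ onion_services }}"
  when:
    - item.value.onion_secret_key_b64encoded is defined
    - item.value.onion_secret_key_b64encoded
    - item.value.onion_state|default('present') == 'present'

- name: Ensure onion directory is absent
  ansible.builtin.file:
    path: "/var/lib/tor/{{ item.key }}/"
    mode: "0700"
    state: absent
  with_dict: "{{ onion_services }}"
  when: item.value.onion_state|default('present') == "absent"

# The hostname file won't be created until the tor service
# is restarted, so bounce it before the `wait_for` task.
- name: Flush handlers
  ansible.builtin.meta: flush_handlers

- name: Wait for onion
  ansible.builtin.wait_for:
    path: "/var/lib/tor/{{ item.key }}/hostname"
  with_dict: "{{ onion_services }}"
  when: item.value.onion_state|default('present') != "absent"

# The three read tasks register generated values for services whose
# hostname/keys were not supplied by the caller; the display templates
# below render those registered results.
- name: Read onion url
  ansible.builtin.command: cat "/var/lib/tor/{{ item.key }}/hostname"
  register: onion_hostname_results
  changed_when: false
  with_dict: "{{ onion_services }}"
  when:
    - not item.value.onion_hostname|default(false)
    - item.value.onion_state|default('present') != "absent"

# `no_log` hides the registered secret from task output; the value is still
# available to the display task below through the registered variable.
- name: Read onion v3 secret key
  ansible.builtin.command: base64 "/var/lib/tor/{{ item.key }}/hs_ed25519_secret_key"
  register: onion_v3_secret_key_results
  changed_when: false
  no_log: true
  with_dict: "{{ onion_services }}"
  when:
    - not item.value.onion_secret_key_b64encoded|default(false)
    - item.value.onion_state|default('present') != "absent"

- name: Read onion v3 public key
  ansible.builtin.command: base64 "/var/lib/tor/{{ item.key }}/hs_ed25519_public_key"
  register: onion_v3_public_key_results
  changed_when: false
  with_dict: "{{ onion_services }}"
  when:
    - not item.value.onion_public_key_b64encoded|default(false)
    - item.value.onion_state|default('present') != "absent"

- name: Display onion url
  ansible.builtin.debug:
    msg: >-
      {{ lookup('template', role_path + '/templates/display_hostnames.j2') }}

- name: Display public key for v3 host
  ansible.builtin.debug:
    msg: >-
      {{ lookup('template', role_path + '/templates/display_v3_public_keys.j2') }}

# NOTE(review): this intentionally prints the v3 secret key into the play
# output so it can be captured for a second host. Anything that retains
# controller output (CI logs, callback plugins) will retain the key too.
- name: Display secret key for v3 host
  ansible.builtin.debug:
    msg: >-
      {{ lookup('template', role_path + '/templates/display_v3_secret_keys.j2') }}

# Workaround: when this host is not the active onion server, stop tor.
# Otherwise the restart handler above would start tor with the same
# address and private key on two hosts.
- name: Stop tor, (two servers are up, only one should act as HS)
  ansible.builtin.systemd:
    name: tor
    enabled: false
    state: stopped
  notify: Stop tor
  when: not onion_active

- name: Import monit tasks
  ansible.builtin.import_tasks: monit.yml
  when: onion_monit_enabled

- name: Import goss tasks
  ansible.builtin.import_tasks: goss.yml
  tags:
    - goss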