Diffstat (limited to 'roles/base/tasks')
-rw-r--r--roles/base/tasks/add_pubkeys.yaml9
-rw-r--r--roles/base/tasks/base_setup.yaml58
-rw-r--r--roles/base/tasks/main.yaml12
-rw-r--r--roles/base/tasks/pre_execution_checks.yaml11
-rw-r--r--roles/base/tasks/setup_user_expiration.yaml19
5 files changed, 109 insertions, 0 deletions
diff --git a/roles/base/tasks/add_pubkeys.yaml b/roles/base/tasks/add_pubkeys.yaml
new file mode 100644
index 00000000..9f0e7c59
--- /dev/null
+++ b/roles/base/tasks/add_pubkeys.yaml
@@ -0,0 +1,9 @@
+---
+- name: "add pubkeys to root user"
+ ansible.builtin.lineinfile:
+ path: /root/.ssh/authorized_keys
+ create: true
+ line: "{{ item | trim }}"
+ search_string: "{{ (item | trim | split(' '))[2:-1]|join(' ') }}"
+ when: "root_keys is defined"
+ loop: "{{ root_keys }}"
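Review bot: The `search_string` on the lineinfile task collapses to an empty string for an ordinary `<type> <blob> [comment]` key, because `[2:-1]` of a two- or three-field split is empty, and an empty `search_string` is contained in every line, so each loop iteration rewrites the last line of `/root/.ssh/authorized_keys` instead of appending — with several `root_keys` only the last one survives and any pre-existing final key is overwritten (assuming lineinfile does not treat `""` as unset; worth confirming on the installed version). The `when: "root_keys is defined"` guard also does not help when the variable is absent, since `loop: "{{ root_keys }}"` is rendered before the condition and fails on the undefined name; `loop: "{{ root_keys | default([]) }}"` is the usual fix. The task further assumes `/root/.ssh` already exists and leaves the new file's mode to the umask. If the `ansible.posix` collection is available, `authorized_key` handles all of this by matching on the key material; otherwise keep lineinfile but match on the blob with `search_string: "{{ item | trim | split(' ') | select('match', '^AAAA') | first }}"` and add an `ansible.builtin.file` task creating `/root/.ssh` with mode `"0700"` first.
```yaml
- name: "add pubkeys to root user"
  ansible.posix.authorized_key:
    user: root
    key: "{{ item | trim }}"
    state: present
  loop: "{{ root_keys | default([]) }}"
```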
diff --git a/roles/base/tasks/base_setup.yaml b/roles/base/tasks/base_setup.yaml
new file mode 100644
index 00000000..f1ed062a
--- /dev/null
+++ b/roles/base/tasks/base_setup.yaml
@@ -0,0 +1,58 @@
+---
+- name: "Create vpns user"
+ ansible.builtin.user:
+ name: _vpn
+ create_home: no
+ comment: Project VPN user
+ state: present
+ shell: /sbin/nologin
+ notify: restart_notification
+
+- name: "Create root directory of vpn services"
+ ansible.builtin.file:
+ path: /var/reactance/
+ state: directory
+ owner: _vpn
+ group: _vpn
+ mode: 0755
+
+- name: "templating out ip forwarding rules in sysctl.conf"
+ ansible.builtin.blockinfile:
+ path: /etc/sysctl.conf
+ create: true
+ backup: true
+ marker: "### REACTANCE - IP Forwarding - {mark} ###"
+ insertafter: "EOF"
+ block: |
+ net.inet.ip.forwarding=1
+ net.inet6.ip6.forwarding=1
+
+- name: "templating out sysctl.conf"
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: '0644'
+ notify: syslogd_restart
+ loop:
+ - src: syslog.conf.j2
+ dest: /etc/syslog.conf
+ - src: newsyslog.conf.j2
+ dest: /etc/newsyslog.conf
+
+
+# openbsd_pkg cant be run parallely otherwise there could be package locks and pipeline would fail
+- name: "install necessary utils"
+ community.general.openbsd_pkg:
+ name:
+ - unzip--
+ - curl--
+ - rsync--
+ - jq--
+ state: present
+ when: inventory_hostname in (groups['vless']|default([]) + groups['vmess']|default([]) + groups['trojan']|default([]) + groups['all_vpns']|default([]))
+
+- name: "tune unbound performance"
+ community.general.openbsd_pkg:
+ name: ripgrep
+ state: present
+ when: not disable_dns|default(False)
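Review bot: The `blockinfile` task in the middle of the hunk only edits `/etc/sysctl.conf`, which OpenBSD reads at boot, so `net.inet.ip.forwarding` and `net.inet6.ip6.forwarding` keep their current values on a running host until the next reboot; nothing in this hunk applies them live. A follow-up `ansible.builtin.command: sysctl net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1` (or `ansible.posix.sysctl` with `sysctl_set: true`, if that collection is used) would make the role converge in one run, and because this is the base role it enables forwarding on every host it touches, so a comment such as `# forwarding is enabled globally; pf rules are expected to constrain what is actually forwarded` would record that assumption for reviewers. The last task is named `tune unbound performance` but installs `ripgrep`, so either the name or the package is wrong and the next reader will trust the name; rename it or add a comment explaining the package choice. Minor: `create_home: no` on the user task should be `create_home: false`, and `mode: 0755` should be quoted as `mode: "0755"` as the Ansible docs recommend, so the value survives a YAML 1.2 parser; the task named `templating out sysctl.conf` actually renders `syslog.conf` and `newsyslog.conf` and should be renamed to match.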
diff --git a/roles/base/tasks/main.yaml b/roles/base/tasks/main.yaml
new file mode 100644
index 00000000..5ab9bf45
--- /dev/null
+++ b/roles/base/tasks/main.yaml
@@ -0,0 +1,12 @@
+---
+- name: "add root pubkeys"
+ ansible.builtin.include_tasks: add_pubkeys.yaml
+
+- name: "run pre execution checks"
+ ansible.builtin.include_tasks: pre_execution_checks.yaml
+
+- name: "run base setup"
+ ansible.builtin.include_tasks: base_setup.yaml
+
+- name: "template out user expiration script and cronjob"
+ ansible.builtin.include_tasks: setup_user_expiration.yaml
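Review bot: `add_pubkeys.yaml` is included before `pre_execution_checks.yaml`, so on a host that fails the OS or username check the role has already written keys into `/root/.ssh/authorized_keys` before it aborts. Moving the `run pre execution checks` include to the top of this file makes the checks gate every mutating task; the include list is complete within this hunk. Adding `tags: always` to that include would also keep the checks running when the role is invoked with a tag subset.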
diff --git a/roles/base/tasks/pre_execution_checks.yaml b/roles/base/tasks/pre_execution_checks.yaml
new file mode 100644
index 00000000..f6a969a7
--- /dev/null
+++ b/roles/base/tasks/pre_execution_checks.yaml
@@ -0,0 +1,11 @@
+---
+- name: "pre execution test : check os"
+ ansible.builtin.fail:
+ msg: "Reactance can only be ran on OpenBSD"
+ when: ansible_facts["os_family"]|lower != "openbsd"
+
+- name: "pre execution test : looking for invalid usernames"
+ ansible.builtin.fail:
+ msg: "Username cannot be 'server' or 'ca'"
+ when: item.user in ["server", "ca"]
+ loop: "{{ all_users|default([]) + ocserv_users|default([]) + vless_users|default([]) + vmess_users|default([]) + trojan_users|default([]) + sshvpn_users|default([]) + hysteria_users|default([]) }}"
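Review bot: The username check at the end of the hunk only rejects the two exact names `server` and `ca`; since the same user list is later rendered into a Python template and configuration files by the other task files in this diff, a shape check on the name itself would be a cheap hardening step, for example a second `fail` task with `when: item.user is not match('^[a-z_][a-z0-9_-]*$')` (adjust the pattern to whatever the consuming services accept). The loop also assumes every entry carries a `user` key, so an entry missing it fails with an undefined-attribute error rather than a clear message; `item.user | default('')` with an explicit check would surface that. Worth a comment above the loop explaining why `server` and `ca` are reserved, as the message alone does not say.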
diff --git a/roles/base/tasks/setup_user_expiration.yaml b/roles/base/tasks/setup_user_expiration.yaml
new file mode 100644
index 00000000..977977f9
--- /dev/null
+++ b/roles/base/tasks/setup_user_expiration.yaml
@@ -0,0 +1,19 @@
+---
+- name: "Template out user expiration script"
+ ansible.builtin.template:
+ src: user_expiration_control.py.j2
+ dest: /root/.user_expiration_control.py
+ mode: "0400"
+ owner: root
+ group: nogroup
+
+- name: "write user expiration information to file"
+ user_expiration:
+ users: "{{ all_users|default([]) + ocserv_users|default([]) + vless_users|default([]) + vmess_users|default([]) + trojan_users|default([]) + sshvpn_users|default([]) + hysteria_users|default([]) }}"
+
+- name: "setup daily user expiration cronjob"
+ ansible.builtin.cron:
+ name: "daily run user expiration script"
+ user: root
+ job: "python3 /root/.user_expiration_control.py"
+ special_time: daily
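Review bot: The cron entry at the bottom of the hunk runs `python3` by bare name, so it depends on cron's PATH including the directory where OpenBSD packages install python (presumably `/usr/local/bin`); writing `job: "/usr/local/bin/python3 /root/.user_expiration_control.py"` — or templating the interpreter from `ansible_python_interpreter` — removes that dependency, and the same applies to anything the script itself execs (the template is outside this diff). The seven-term `users:` expression is copied verbatim from pre_execution_checks.yaml; defining it once (for example `reactance_all_users` in the role's vars) and referencing it in both places keeps a newly added user type from being validated in one file but never expired in the other. A comment such as `# user_expiration is a project-local module (see library/)` above that task would also stop the bare name from reading as a typo.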