Diffstat (limited to 'roles/hysteria/tasks')
| -rw-r--r-- | roles/hysteria/tasks/check_hysteria_exists.yaml | 21 | ||||
| -rw-r--r-- | roles/hysteria/tasks/configure_hysteria.yaml | 51 | ||||
| -rw-r--r-- | roles/hysteria/tasks/create_users_hysteria.yaml | 13 | ||||
| -rw-r--r-- | roles/hysteria/tasks/install_hysteria.yaml | 64 | ||||
| -rw-r--r-- | roles/hysteria/tasks/main.yaml | 7 | ||||
| -rw-r--r-- | roles/hysteria/tasks/setup_hysteria.yaml | 17 |
6 files changed, 173 insertions, 0 deletions
diff --git a/roles/hysteria/tasks/check_hysteria_exists.yaml b/roles/hysteria/tasks/check_hysteria_exists.yaml
new file mode 100644
index 00000000..3c8f85c7
--- /dev/null
+++ b/roles/hysteria/tasks/check_hysteria_exists.yaml
@@ -0,0 +1,21 @@
+---
+- name: "Check if hysteria is already installed"
+ ansible.builtin.stat:
+ path: /var/reactance/hysteria
+ register: hysteria_directory
+
+- name: "Check if hysteria is configured"
+ ansible.builtin.stat:
+ path: /var/reactance/hysteria/etc/config.json
+ register: hysteria_config
+
+- name: "Install hysteria if directory doesn't exist"
+ ansible.builtin.include_tasks: install_hysteria.yaml
+ when: hysteria_directory.stat.exists == false
+
+- name: "Configure hysteria"
+ ansible.builtin.include_tasks: configure_hysteria.yaml
+ when: hysteria_config.stat.exists == false
+
+- name: "Create hysteria users"
+ ansible.builtin.include_tasks: create_users_hysteria.yaml
diff --git a/roles/hysteria/tasks/configure_hysteria.yaml b/roles/hysteria/tasks/configure_hysteria.yaml
new file mode 100644
index 00000000..3495f336
--- /dev/null
+++ b/roles/hysteria/tasks/configure_hysteria.yaml
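Review bot: The install gate `when: hysteria_directory.stat.exists == false` keys on the top-level directory, which install_hysteria.yaml creates in its very first task, so a run that fails anywhere after that (clone, build, install) leaves the directory behind and the install is never retried on the next run. Stat the artifact the role actually needs instead, e.g. `path: /var/reactance/hysteria/bin/hysteria`, and write the conditions as `when: not hysteria_directory.stat.exists` and `when: not hysteria_config.stat.exists`, which is the form ansible-lint expects. Note that main.yaml in this same change only has this include commented out, so none of these tasks run yet.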
@@ -0,0 +1,51 @@
+---
+# check if salamander password file exists
+- name: "check if obfuscation password file exists "
+ ansible.builtin.stat:
+ path: "/var/reactance/hysteria/salamander_password"
+ register: salamander_password_file
+
+# generate salamander password
+- name: "generate salamander password for obfuscation "
+ ansible.builtin.shell: "openssl rand -hex 32"
+ register: random_string
+ when: salamander_password_file.stat.exists != true
+
+# retrieve password from file, if exists
+- name: "use previous password, if it exists"
+ ansible.builtin.set_fact:
+ salamander_password: "{{ lookup('file', '/var/reactance/hysteria/salamander_password') }}"
+ when: salamander_password_file.stat.exists
+
+- name: "set salamander password as var"
+ ansible.builtin.set_fact:
+ salamander_password: "{{ random_string.stdout }}"
+ when: salamander_password_file.stat.exists != true
+
+- name: "write obfuscation password to file"
+ ansible.builtin.copy:
+ content: "{{ salamander_password }}"
+ dest: "/var/reactance/hysteria/salamander_password"
+
+ when: salamander_password_file.stat.exists != true
+
+- name: "template out configs"
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ loop:
+ - src: config.json.j2
+ dest: "/var/reactance/hysteria/etc/config.json"
+ - src: ca.tmpl.j2
+ dest: /var/reactance/hysteria/certs/ca.tmpl
+ - src: server.tmpl.j2
+ dest: /var/reactance/hysteria/certs/server.tmpl
+
+# generate ca, server certs, crl file
+- name: "generate ca, server certs"
+ ansible.builtin.shell: "{{ item }}"
+ loop:
+ - "certtool --generate-privkey --outfile /var/reactance/hysteria/certs/ca-key.pem"
+R - "certtool --generate-self-signed --load-privkey /var/reactance/hysteria/certs/ca-key.pem --template /var/reactance/hysteria/certs/ca.tmpl --outfile /var/reactance/hysteria/certs/ca-cert.pem"
+ - "certtool --generate-privkey --outfile /var/reactance/hysteria/certs/server-key.pem"
+ - "certtool --generate-certificate --load-privkey /var/reactance/hysteria/certs/server-key.pem --load-ca-certificate /var/reactance/hysteria/certs/ca-cert.pem --load-ca-privkey /var/reactance/hysteria/certs/ca-key.pem --template /var/reactance/hysteria/certs/server.tmpl --outfile /var/reactance/hysteria/certs/server-cert.pem"
diff --git a/roles/hysteria/tasks/create_users_hysteria.yaml b/roles/hysteria/tasks/create_users_hysteria.yaml
new file mode 100644
index 00000000..a6881413
--- /dev/null
+++ b/roles/hysteria/tasks/create_users_hysteria.yaml
@@ -0,0 +1,13 @@
+---
+- name: "hysteria user management"
+ hysteria:
+ users: "{{ all_users|default([]) + hysteria_users|default([]) }}"
+ register: hysteria_user_pass_dict
+ no_log: true
+ notify:
+ - restart_hysteria
+
+- name: "add hysteria user password pair to dict"
+ set_fact:
+ user_pass_dict: "{{ user_pass_dict|default({}) | combine(hysteria_user_pass_dict['msg'], recursive=true, list_merge='append') }}"
+ no_log: true
diff --git a/roles/hysteria/tasks/install_hysteria.yaml b/roles/hysteria/tasks/install_hysteria.yaml
new file mode 100644
index 00000000..59dcd7b9
--- /dev/null
+++ b/roles/hysteria/tasks/install_hysteria.yaml
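Review bot: The obfuscation password passes through three tasks without `no_log: true` — the `openssl rand` shell task registers it in `random_string`, the `set_fact` stores it, and the `copy` task carries it in `content:` — so a verbose run or a logging callback prints the secret, and because the `copy` task sets no `mode:` the file is created with whatever the umask allows. Add `no_log: true` to those tasks and give the copy `mode: "0600"`, `owner: _vpn`, `group: _vpn` to match the 0700 directory install_hysteria.yaml creates. The certtool loop at the end has no `creates:` and no `changed_when:`, so every run that reaches this file regenerates the CA private key and certificate and silently invalidates anything previously issued; adding `creates: /var/reactance/hysteria/certs/ca-key.pem` under `args:` would make it idempotent. The stray `R` in front of the second certtool item looks like a rendering artifact rather than file content, but it is worth confirming against the committed file.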
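Review bot: Two modules in this file are not fully qualified — `hysteria:` and `set_fact:` — while every other task in this change uses the `ansible.builtin.` prefix; write `ansible.builtin.set_fact:` and, if `hysteria` lives in a collection, its FQCN too, so resolution does not depend on the play's collections search order. The `hysteria_user_pass_dict['msg']` lookup assumes the custom module returns the user/password mapping under `msg`, which nothing visible in this change documents; a one-line comment such as `# hysteria module returns {user: password} in msg` would spare the next reader a trip into the module source. The handler notified here is `restart_hysteria` whereas setup_hysteria.yaml notifies `hysteria_start`; the handlers file is outside this diff, so confirm both names are defined.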
@@ -0,0 +1,64 @@
+---
+- name: "create directory"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: _vpn
+ group: _vpn
+ mode: 0700
+ loop:
+ - "/var/reactance/hysteria"
+ - "/var/reactance/hysteria/bin"
+ - "/var/reactance/hysteria/etc"
+ - "/var/reactance/hysteria/certs"
+
+- name: "setup log file"
+ ansible.builtin.file:
+ path: /var/log/hysteria.log
+ state: touch
+ mode: "0600"
+ changed_when: false
+
+# this can remain here while hysteria is not being used
+- name: "install necessary utils"
+ community.general.openbsd_pkg:
+ name:
+ - git--
+ - go--
+ - rsync--
+ state: present
+
+- name: "create temporary directory"
+ ansible.builtin.tempfile:
+ state: directory
+ suffix: temp
+ register: hysteria_tempdir
+ notify:
+ - remove_hysteria_tempdir
+
+- name: "clone hysteria"
+ ansible.builtin.shell: "git clone https://github.com/apernet/hysteria.git"
+ args:
+ chdir: "{{ hysteria_tempdir.path }}"
+
+- name: "build hysteria"
+ ansible.builtin.shell: "python3 hyperbole.py build"
+ args:
+ chdir: "{{ hysteria_tempdir.path }}/hysteria"
+
+- name: "install hysteria"
+ ansible.builtin.shell: "{{ item }}"
+ loop:
+ - "install -m 750 -o _vpn -g bin {{ hysteria_tempdir.path }}/hysteria/build/hysteria-openbsd-* /var/reactance/hysteria/bin/hysteria"
+
+# Find the list of dependences through ldd and copy them over
+- name: "copy chroot dependencies"
+ ansible.builtin.shell: "deps=$(ldd /var/reactance/hysteria/bin/hysteria | awk 'FNR > 3 {print $7}'); for dep in $deps; do rsync -av --relative $dep /var/reactance/hysteria; done"
+
+- name: "template out init script"
+ ansible.builtin.template:
+ src: hysteria.rc.j2
+ dest: "{{ hysteria_tempdir.path }}/hysteria.rc"
+
+- name: "install init script"
+ ansible.builtin.shell: "install -m 755 -g bin {{ hysteria_tempdir.path }}/hysteria.rc /etc/rc.d/hysteria"
diff --git a/roles/hysteria/tasks/main.yaml b/roles/hysteria/tasks/main.yaml
new file mode 100644
index 00000000..258c01d7
--- /dev/null
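Review bot: The `clone hysteria` task builds whatever HEAD of https://github.com/apernet/hysteria.git happens to be at run time, so there is no record of which upstream revision a host ends up running and a broken or compromised upstream commit is installed as the VPN binary without anyone choosing it. Pin the checkout, e.g. `ansible.builtin.git` with `repo:`, `dest: "{{ hysteria_tempdir.path }}/hysteria"` and `version: <PINNED_TAG_OR_COMMIT>`, or at minimum `git clone --branch <PINNED_TAG> --depth 1 https://github.com/apernet/hysteria.git`. Separately, `mode: 0700` on the first task is an unquoted octal while the log-file task writes `mode: "0600"`; quote it the same way so a YAML 1.2 parser cannot read it as decimal 700. The `hysteria-openbsd-*` glob in the install command would hand several source files to `install` if the build ever produces more than one artifact, changing what the command does; naming the exact build output is safer.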
+++ b/roles/hysteria/tasks/main.yaml
@@ -0,0 +1,7 @@
+---
+- name: "ignore hysteria"
+ ansible.builtin.debug:
+ msg: "Hysteria2 sing-box clients do not support any system for verifying server identity and thus Hysteria2 is prone to MITM attacks thus should not be used. The role may not be fully developed. Check README.md for more info."
+
+# - name: "setup hysteria"
+# ansible.builtin.include_tasks: check_hysteria_exists.yaml
diff --git a/roles/hysteria/tasks/setup_hysteria.yaml b/roles/hysteria/tasks/setup_hysteria.yaml
new file mode 100644
index 00000000..64161b43
--- /dev/null
+++ b/roles/hysteria/tasks/setup_hysteria.yaml
@@ -0,0 +1,17 @@
+---
+- name: "create certificate dir"
+ ansible.builtin.file:
+ path: /var/reactance/ocserv/certs/
+ state: directory
+ owner: _vpn
+ group: _vpn
+
+- name: "generate server certs and key"
+ ansible.builtin.shell: "openssl req -x509 -newkey rsa:4096 -keyout /var/reactance/hysteria/certs/server-key.pem -out /var/reactance/hysteria/certs/server-cert.pem -sha256 -days 3650 -nodes -subj '/CN=JohnDane'"
+
+- name: "template out ocserv config"
+ ansible.builtin.template:
+ src: ocserv.conf.j2
+ dest: /var/reactance/ocserv/ocserv.conf
+ notify:
+ - hysteria_start |
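Review bot: This file creates `/var/reactance/ocserv/certs/` and templates `ocserv.conf.j2` to `/var/reactance/ocserv/ocserv.conf`, yet the openssl command writes into `/var/reactance/hysteria/certs/`, which nothing in this file creates — it reads like a copy of an ocserv task file whose paths were only half updated, and no task in this change includes it, so confirm whether it is meant to ship at all. If it stays, the openssl task should carry `creates: /var/reactance/hysteria/certs/server-key.pem` under `args:` so a re-run does not replace the key underneath a running service, and the certificate it produces has only `CN=JohnDane` and no subjectAltName, which any client that does verify server identity will reject. The handler name `hysteria_start` also differs from the `restart_hysteria` notified in create_users_hysteria.yaml; the handlers file is outside this diff, so check that both exist.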
