From 69acb7a82a68eeb439e55b994281056df52c81b1 Mon Sep 17 00:00:00 2001
From: repliqa
Date: Wed, 23 Jul 2025 14:06:15 +0600
Subject: v0.0.1alpha
---
roles/hysteria/tasks/check_hysteria_exists.yaml | 21 ++++++++
roles/hysteria/tasks/configure_hysteria.yaml | 51 ++++++++++++++++++++
roles/hysteria/tasks/create_users_hysteria.yaml | 13 +++++
roles/hysteria/tasks/install_hysteria.yaml | 64 +++++++++++++++++++++++++
roles/hysteria/tasks/main.yaml | 7 +++
roles/hysteria/tasks/setup_hysteria.yaml | 17 +++++++
6 files changed, 173 insertions(+)
create mode 100644 roles/hysteria/tasks/check_hysteria_exists.yaml
create mode 100644 roles/hysteria/tasks/configure_hysteria.yaml
create mode 100644 roles/hysteria/tasks/create_users_hysteria.yaml
create mode 100644 roles/hysteria/tasks/install_hysteria.yaml
create mode 100644 roles/hysteria/tasks/main.yaml
create mode 100644 roles/hysteria/tasks/setup_hysteria.yaml
(limited to 'roles/hysteria/tasks')
diff --git a/roles/hysteria/tasks/check_hysteria_exists.yaml b/roles/hysteria/tasks/check_hysteria_exists.yaml
new file mode 100644
index 00000000..3c8f85c7
--- /dev/null
+++ b/roles/hysteria/tasks/check_hysteria_exists.yaml
@@ -0,0 +1,21 @@
+---
+- name: "Check if hysteria is already installed"
+ ansible.builtin.stat:
+ path: /var/reactance/hysteria
+ register: hysteria_directory
+
+- name: "Check if hysteria is configured"
+ ansible.builtin.stat:
+ path: /var/reactance/hysteria/etc/config.json
+ register: hysteria_config
+
+- name: "Install hysteria if directory doesn't exist"
+ ansible.builtin.include_tasks: install_hysteria.yaml
+ when: hysteria_directory.stat.exists == false
+
+- name: "Configure hysteria"
+ ansible.builtin.include_tasks: configure_hysteria.yaml
+ when: hysteria_config.stat.exists == false
+
+- name: "Create hysteria users"
+ ansible.builtin.include_tasks: create_users_hysteria.yaml
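Review bot: Both `when:` conditions compare a boolean to a literal (`when: hysteria_directory.stat.exists == false`), which ansible-lint flags and which reads worse than a negation; use `when: not hysteria_directory.stat.exists` and `when: not hysteria_config.stat.exists`. The final include of create_users_hysteria.yaml runs unconditionally, so it also runs on a host where the install or configure include was skipped or aborted part-way, and the user-management module is then applied to an incomplete install; a comment on that task stating that it intentionally runs on every pass (or a gate on the preceding includes having completed) would make the intended order explicit. Note that main.yaml in this same commit only includes this file in a commented-out task, so this chain is currently unreachable.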
diff --git a/roles/hysteria/tasks/configure_hysteria.yaml b/roles/hysteria/tasks/configure_hysteria.yaml
new file mode 100644
index 00000000..3495f336
--- /dev/null
+++ b/roles/hysteria/tasks/configure_hysteria.yaml
@@ -0,0 +1,51 @@
+---
+# check if salamander password file exists
+- name: "check if obfuscation password file exists "
+ ansible.builtin.stat:
+ path: "/var/reactance/hysteria/salamander_password"
+ register: salamander_password_file
+
+# generate salamander password
+- name: "generate salamander password for obfuscation "
+ ansible.builtin.shell: "openssl rand -hex 32"
+ register: random_string
+ when: salamander_password_file.stat.exists != true
+
+# retrieve password from file, if exists
+- name: "use previous password, if it exists"
+ ansible.builtin.set_fact:
+ salamander_password: "{{ lookup('file', '/var/reactance/hysteria/salamander_password') }}"
+ when: salamander_password_file.stat.exists
+
+- name: "set salamander password as var"
+ ansible.builtin.set_fact:
+ salamander_password: "{{ random_string.stdout }}"
+ when: salamander_password_file.stat.exists != true
+
+- name: "write obfuscation password to file"
+ ansible.builtin.copy:
+ content: "{{ salamander_password }}"
+ dest: "/var/reactance/hysteria/salamander_password"
+
+ when: salamander_password_file.stat.exists != true
+
+- name: "template out configs"
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ loop:
+ - src: config.json.j2
+ dest: "/var/reactance/hysteria/etc/config.json"
+ - src: ca.tmpl.j2
+ dest: /var/reactance/hysteria/certs/ca.tmpl
+ - src: server.tmpl.j2
+ dest: /var/reactance/hysteria/certs/server.tmpl
+
+# generate ca, server certs, crl file
+- name: "generate ca, server certs"
+ ansible.builtin.shell: "{{ item }}"
+ loop:
+ - "certtool --generate-privkey --outfile /var/reactance/hysteria/certs/ca-key.pem"
+R - "certtool --generate-self-signed --load-privkey /var/reactance/hysteria/certs/ca-key.pem --template /var/reactance/hysteria/certs/ca.tmpl --outfile /var/reactance/hysteria/certs/ca-cert.pem"
+ - "certtool --generate-privkey --outfile /var/reactance/hysteria/certs/server-key.pem"
+ - "certtool --generate-certificate --load-privkey 
/var/reactance/hysteria/certs/server-key.pem --load-ca-certificate /var/reactance/hysteria/certs/ca-cert.pem --load-ca-privkey /var/reactance/hysteria/certs/ca-key.pem --template /var/reactance/hysteria/certs/server.tmpl --outfile /var/reactance/hysteria/certs/server-cert.pem"
diff --git a/roles/hysteria/tasks/create_users_hysteria.yaml b/roles/hysteria/tasks/create_users_hysteria.yaml
new file mode 100644
index 00000000..a6881413
--- /dev/null
+++ b/roles/hysteria/tasks/create_users_hysteria.yaml
@@ -0,0 +1,13 @@
+---
+- name: "hysteria user management"
+ hysteria:
+ users: "{{ all_users|default([]) + hysteria_users|default([]) }}"
+ register: hysteria_user_pass_dict
+ no_log: true
+ notify:
+ - restart_hysteria
+
+- name: "add hysteria user password pair to dict"
+ set_fact:
+ user_pass_dict: "{{ user_pass_dict|default({}) | combine(hysteria_user_pass_dict['msg'], recursive=true, list_merge='append') }}"
+ no_log: true
diff --git a/roles/hysteria/tasks/install_hysteria.yaml b/roles/hysteria/tasks/install_hysteria.yaml
new file mode 100644
index 00000000..59dcd7b9
--- /dev/null
+++ b/roles/hysteria/tasks/install_hysteria.yaml
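Review bot: `lookup('file', '/var/reactance/hysteria/salamander_password')` in the "use previous password" task runs on the control node, not on the managed host where the preceding stat task found the file and the copy task writes it, so whenever the password file already exists on the host the value is read from the wrong machine (or the lookup fails) and the templated config.json no longer matches the file; read it back with `ansible.builtin.slurp` and `b64decode` as below. The secret handling is also loose: the `copy` task sets no `owner`/`mode`, so the password file is created with the target's default umask, the template loop writes config.json (which embeds the password) the same way, and none of the tasks that register or set `salamander_password`/`random_string` carry `no_log: true`, so the value shows up in verbose output. While there, `when: salamander_password_file.stat.exists != true` reads better as `when: not salamander_password_file.stat.exists`, which ansible-lint also prefers.
```yaml
# … unchanged: stat of the password file, `openssl rand -hex 32` generation (add no_log: true) …

- name: "read previous obfuscation password from the managed host"
  ansible.builtin.slurp:
    src: "/var/reactance/hysteria/salamander_password"
  register: salamander_password_slurp
  no_log: true
  when: salamander_password_file.stat.exists

- name: "use previous password, if it exists"
  ansible.builtin.set_fact:
    salamander_password: "{{ salamander_password_slurp.content | b64decode | trim }}"
  no_log: true
  when: salamander_password_file.stat.exists

# … unchanged: set_fact from random_string.stdout (add no_log: true) …

- name: "write obfuscation password to file"
  ansible.builtin.copy:
    content: "{{ salamander_password }}"
    dest: "/var/reactance/hysteria/salamander_password"
    owner: _vpn   # matches the directory ownership set in install_hysteria.yaml
    group: _vpn
    mode: "0600"
  no_log: true
  when: not salamander_password_file.stat.exists

# … unchanged: template loop (give config.json owner/group _vpn and mode "0600"), certtool commands …
```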
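Review bot: `set_fact:` is the only short-form builtin in the role (every other task file uses `ansible.builtin.`), and `hysteria:` is a custom module given without a collection prefix; write `ansible.builtin.set_fact:` for consistency and, if the module ships in a collection, its fully qualified name. The merge reads `hysteria_user_pass_dict['msg']` as a mapping of users to passwords, which presumably relies on the custom module returning structured data under `msg` rather than a human-readable message; that contract is not visible in this commit and deserves a comment on the task, e.g. `# the hysteria module returns its {user: password} mapping under 'msg'` (confirm against the module). `no_log: true` on both tasks is right, since the registered result and the combined dict both carry credentials.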
@@ -0,0 +1,64 @@
+---
+- name: "create directory"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: _vpn
+ group: _vpn
+ mode: 0700
+ loop:
+ - "/var/reactance/hysteria"
+ - "/var/reactance/hysteria/bin"
+ - "/var/reactance/hysteria/etc"
+ - "/var/reactance/hysteria/certs"
+
+- name: "setup log file"
+ ansible.builtin.file:
+ path: /var/log/hysteria.log
+ state: touch
+ mode: "0600"
+ changed_when: false
+
+# this can remain here while hysteria is not being used
+- name: "install necessary utils"
+ community.general.openbsd_pkg:
+ name:
+ - git--
+ - go--
+ - rsync--
+ state: present
+
+- name: "create temporary directory"
+ ansible.builtin.tempfile:
+ state: directory
+ suffix: temp
+ register: hysteria_tempdir
+ notify:
+ - remove_hysteria_tempdir
+
+- name: "clone hysteria"
+ ansible.builtin.shell: "git clone https://github.com/apernet/hysteria.git"
+ args:
+ chdir: "{{ hysteria_tempdir.path }}"
+
+- name: "build hysteria"
+ ansible.builtin.shell: "python3 hyperbole.py build"
+ args:
+ chdir: "{{ hysteria_tempdir.path }}/hysteria"
+
+- name: "install hysteria"
+ ansible.builtin.shell: "{{ item }}"
+ loop:
+ - "install -m 750 -o _vpn -g bin {{ hysteria_tempdir.path }}/hysteria/build/hysteria-openbsd-* /var/reactance/hysteria/bin/hysteria"
+
+# Find the list of dependences through ldd and copy them over
+- name: "copy chroot dependencies"
+ ansible.builtin.shell: "deps=$(ldd /var/reactance/hysteria/bin/hysteria | awk 'FNR > 3 {print $7}'); for dep in $deps; do rsync -av --relative $dep /var/reactance/hysteria; done"
+
+- name: "template out init script"
+ ansible.builtin.template:
+ src: hysteria.rc.j2
+ dest: "{{ hysteria_tempdir.path }}/hysteria.rc"
+
+- name: "install init script"
+ ansible.builtin.shell: "install -m 755 -g bin {{ hysteria_tempdir.path }}/hysteria.rc /etc/rc.d/hysteria"
diff --git a/roles/hysteria/tasks/main.yaml b/roles/hysteria/tasks/main.yaml
new file mode 100644
index 00000000..258c01d7
--- /dev/null
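Review bot: The "clone hysteria" task runs `git clone https://github.com/apernet/hysteria.git` with no tag, commit or checksum pinned, so the binary that ends up in the chroot is whatever upstream's default branch holds at play time, is not reproducible between hosts, and cannot be tied back to a reviewed release. Replace the shell clone with `ansible.builtin.git` and a `version:` pinned to a release tag the role was tested against, as below; the git package is already installed by the preceding openbsd_pkg task. In the same file `mode: 0700` is an unquoted octal while the log-file task writes `mode: "0600"`; quote it as `mode: "0700"` so both are handled the same way (ansible-lint's risky-octal rule). The `awk 'FNR > 3 {print $7}'` in "copy chroot dependencies" appears to depend on OpenBSD ldd's exact column layout and header length, which is worth stating in the comment above it so the next reader knows what to re-check when ldd output changes.
```yaml
- name: "clone hysteria"
  ansible.builtin.git:
    repo: "https://github.com/apernet/hysteria.git"
    dest: "{{ hysteria_tempdir.path }}/hysteria"
    # placeholder: the release tag (or full commit SHA) this role was reviewed and tested against
    version: "<PINNED_HYSTERIA_TAG>"
# … unchanged: build hysteria, install hysteria, copy chroot dependencies, init script tasks …
```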
+++ b/roles/hysteria/tasks/main.yaml
@@ -0,0 +1,7 @@
+---
+- name: "ignore hysteria"
+ ansible.builtin.debug:
+ msg: "Hysteria2 sing-box clients do not support any system for verifying server identity and thus Hysteria2 is prone to MITM attacks thus should not be used. The role may not be fully developed. Check README.md for more info."
+
+# - name: "setup hysteria"
+# ansible.builtin.include_tasks: check_hysteria_exists.yaml
diff --git a/roles/hysteria/tasks/setup_hysteria.yaml b/roles/hysteria/tasks/setup_hysteria.yaml
new file mode 100644
index 00000000..64161b43
--- /dev/null
+++ b/roles/hysteria/tasks/setup_hysteria.yaml
@@ -0,0 +1,17 @@
+---
+- name: "create certificate dir"
+ ansible.builtin.file:
+ path: /var/reactance/ocserv/certs/
+ state: directory
+ owner: _vpn
+ group: _vpn
+
+- name: "generate server certs and key"
+ ansible.builtin.shell: "openssl req -x509 -newkey rsa:4096 -keyout /var/reactance/hysteria/certs/server-key.pem -out /var/reactance/hysteria/certs/server-cert.pem -sha256 -days 3650 -nodes -subj '/CN=JohnDane'"
+
+- name: "template out ocserv config"
+ ansible.builtin.template:
+ src: ocserv.conf.j2
+ dest: /var/reactance/ocserv/ocserv.conf
+ notify:
+ - hysteria_start
-- cgit v1.2.3
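Review bot: The only include in main.yaml is commented out, so the other five task files added in this commit are unreachable and the role's entire effect is one debug message; a variable gate keeps that switch in code rather than in a comment, e.g. `when: hysteria_enabled | default(false)` on a live include task (variable name is illustrative). The reason for disabling the role currently lives only in the debug `msg:`; repeating it as a `#` comment directly above the disabled include keeps the rationale next to the thing it explains when the message is later shortened or removed. setup_hysteria.yaml is not referenced from this file or from check_hysteria_exists.yaml either, so it is dead even once the include is restored.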
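Review bot: The paths in this file do not agree with each other: the directory task creates `/var/reactance/ocserv/certs/`, the openssl command writes its key and certificate under `/var/reactance/hysteria/certs/` (a directory only install_hysteria.yaml creates), and the last task renders `ocserv.conf.j2` to `/var/reactance/ocserv/ocserv.conf` yet notifies `hysteria_start` — the ocserv references read like a leftover from another role. The openssl task also regenerates the 10-year key on every run, leaves the hard-coded placeholder subject `-subj '/CN=JohnDane'` in the certificate, and writes the private key with the shell's default umask since no mode is set anywhere; add `args:` / `creates: /var/reactance/hysteria/certs/server-key.pem` to the shell task and follow it with an `ansible.builtin.file` task setting `mode: "0600"` and `owner: _vpn` on the key. This self-signed certificate also duplicates the certtool CA and server chain that configure_hysteria.yaml generates, so one of the two should be dropped rather than both being kept in the role.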