Refactoring to support roles inclusion (trailofbits#1365)

Author: jackivanov

ansible.cfg

@@ -4,7 +4,8 @@ pipelining = True
 retry_files_enabled = False
 host_key_checking = False
 timeout = 60
-stdout_callback = full_skip
+stdout_callback = default
+display_skipped_hosts = no
 
 [paramiko_connection]
 record_host_keys = False

cloud.yml

@@ -2,48 +2,20 @@
 - name: Provision the server
   hosts: localhost
   tags: always
+  become: false
   vars_files:
     - config.cfg
 
-  pre_tasks:
+  tasks:
     - block:
       - name: Local pre-tasks
         import_tasks: playbooks/cloud-pre.yml
-        tags: always
-      rescue:
-        - debug: var=fail_hint
-          tags: always
-        - fail:
-          tags: always
 
-  roles:
-    - role: cloud-digitalocean
-      when: algo_provider == "digitalocean"
-    - role: cloud-ec2
-      when: algo_provider == "ec2"
-    - role: cloud-vultr
-      when: algo_provider == "vultr"
-    - role: cloud-gce
-      when: algo_provider == "gce"
-    - role: cloud-azure
-      when: algo_provider == "azure"
-    - role: cloud-lightsail
-      when: algo_provider == "lightsail"
-    - role: cloud-scaleway
-      when: algo_provider == "scaleway"
-    - role: cloud-openstack
-      when: algo_provider == "openstack"
-    - role: local
-      when: algo_provider == "local"
+      - name: Include a provisioning role
+        include_role:
+          name: "{{ 'local' if algo_provider == 'local' else 'cloud-' + algo_provider }}"
 
-  post_tasks:
-    - block:
       - name: Local post-tasks
         import_tasks: playbooks/cloud-post.yml
-        become: false
-        tags: cloud
       rescue:
-        - debug: var=fail_hint
-          tags: always
-        - fail:
-          tags: always
+        - include_tasks: playbooks/rescue.yml

config.cfg

@@ -25,6 +25,12 @@ ipsec_enabled: true
 # https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
 strongswan_log_level: 2
 
+# rightsourceip for ipsec
+# ipv4
+strongswan_network: 10.19.48.0/24
+# ipv6
+strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
+
 # Deploy WireGuard
 wireguard_enabled: true
 wireguard_port: 51820
@@ -33,6 +39,22 @@ wireguard_port: 51820
 # See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
 wireguard_PersistentKeepalive: 0
 
+# WireGuard network configuration
+_wireguard_network_ipv4:
+  subnet: 10.19.49.0
+  prefix: 24
+  gateway: 10.19.49.1
+  clients_range: 10.19.49
+  clients_start: 2
+_wireguard_network_ipv6:
+  subnet: 'fd9d:bc11:4021::'
+  prefix: 48
+  gateway: 'fd9d:bc11:4021::1'
+  clients_range: 'fd9d:bc11:4021::'
+  clients_start: 2
+wireguard_network_ipv4: "{{ _wireguard_network_ipv4['subnet'] }}/{{ _wireguard_network_ipv4['prefix'] }}"
+wireguard_network_ipv6: "{{ _wireguard_network_ipv6['subnet'] }}/{{ _wireguard_network_ipv6['prefix'] }}"
+
 # Reduce the MTU of the VPN tunnel
 # Some cloud and internet providers use a smaller MTU (Maximum Transmission
 # Unit) than the normal value of 1500 and if you don't reduce the MTU of your

input.yml

@@ -25,115 +25,118 @@
     - config.cfg
 
   tasks:
-    - pause:
-        prompt: |
-          What provider would you like to use?
-            {% for p in providers_map %}
-            {{ loop.index }}. {{ p['name']}}
-            {% endfor %}
-
-          Enter the number of your desired provider
-      register: _algo_provider
-      when: provider is undefined
-
-    - name: Set facts based on the input
-      set_fact:
-        algo_provider: "{{ provider | default(providers_map[_algo_provider.user_input|default(omit)|int - 1]['alias']) }}"
-
-    - pause:
-        prompt: |
-          Name the vpn server
-          [algo]
-      register: _algo_server_name
-      when:
-        - server_name is undefined
-        - algo_provider != "local"
     - block:
       - pause:
           prompt: |
-            Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
-            [y/N]
-        register: _ondemand_cellular
-        when: ondemand_cellular is undefined
+            What provider would you like to use?
+              {% for p in providers_map %}
+              {{ loop.index }}. {{ p['name']}}
+              {% endfor %}
 
-      - pause:
-          prompt: |
-            Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
-            [y/N]
-        register: _ondemand_wifi
-        when: ondemand_wifi is undefined
+            Enter the number of your desired provider
+        register: _algo_provider
+        when: provider is undefined
+
+      - name: Set facts based on the input
+        set_fact:
+          algo_provider: "{{ provider | default(providers_map[_algo_provider.user_input|default(omit)|int - 1]['alias']) }}"
 
       - pause:
           prompt: |
-            List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand"
-            (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
-        register: _ondemand_wifi_exclude
+            Name the vpn server
+            [algo]
+        register: _algo_server_name
         when:
-          - ondemand_wifi_exclude is undefined
-          - (ondemand_wifi|default(false)|bool) or
-            (booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false))
+          - server_name is undefined
+          - algo_provider != "local"
+      - block:
+        - pause:
+            prompt: |
+              Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
+              [y/N]
+          register: _ondemand_cellular
+          when: ondemand_cellular is undefined
+
+        - pause:
+            prompt: |
+              Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
+              [y/N]
+          register: _ondemand_wifi
+          when: ondemand_wifi is undefined
+
+        - pause:
+            prompt: |
+              List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand"
+              (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
+          register: _ondemand_wifi_exclude
+          when:
+            - ondemand_wifi_exclude is undefined
+            - (ondemand_wifi|default(false)|bool) or
+              (booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false))
+
+        - pause:
+            prompt: |
+              Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
+              [y/N]
+          register: _windows
+          when: windows is undefined
+
+        - pause:
+            prompt: |
+              Do you want to retain the CA key? (required to add users in the future, but less secure)
+              [y/N]
+          register: _store_cakey
+          when: store_cakey is undefined
+        when: ipsec_enabled
 
       - pause:
           prompt: |
-            Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
+            Do you want to install an ad blocking DNS resolver on this VPN server?
             [y/N]
-        register: _windows
-        when: windows is undefined
+        register: _local_dns
+        when: local_dns is undefined
 
       - pause:
           prompt: |
-            Do you want to retain the CA key? (required to add users in the future, but less secure)
+            Do you want each user to have their own account for SSH tunneling?
             [y/N]
-        register: _store_cakey
-        when: store_cakey is undefined
-      when: ipsec_enabled
-
-    - pause:
-        prompt: |
-          Do you want to install an ad blocking DNS resolver on this VPN server?
-          [y/N]
-      register: _local_dns
-      when: local_dns is undefined
-
-    - pause:
-        prompt: |
-          Do you want each user to have their own account for SSH tunneling?
-          [y/N]
-      register: _ssh_tunneling
-      when: ssh_tunneling is undefined
+        register: _ssh_tunneling
+        when: ssh_tunneling is undefined
 
-    - name: Set facts based on the input
-      set_fact:
-        algo_server_name: >-
-          {% if server_name is defined %}{% set _server = server_name %}
-          {%- elif _algo_server_name.user_input is defined and _algo_server_name.user_input != "" %}{% set _server = _algo_server_name.user_input %}
-          {%- else %}{% set _server = defaults['server_name'] %}{% endif -%}
-          {{ _server | regex_replace('(?!\.)(\W|_)', '-') }}
-        algo_ondemand_cellular: >-
-          {% if ondemand_cellular is defined %}{{ ondemand_cellular | bool }}
-          {%- elif _ondemand_cellular.user_input is defined and _ondemand_cellular.user_input != "" %}{{ booleans_map[_ondemand_cellular.user_input] | default(defaults['ondemand_cellular']) }}
-          {%- else %}false{% endif %}
-        algo_ondemand_wifi: >-
-          {% if ondemand_wifi is defined %}{{ ondemand_wifi | bool }}
-          {%- elif _ondemand_wifi.user_input is defined and _ondemand_wifi.user_input != "" %}{{ booleans_map[_ondemand_wifi.user_input] | default(defaults['ondemand_wifi']) }}
-          {%- else %}false{% endif %}
-        algo_ondemand_wifi_exclude: >-
-          {% if ondemand_wifi_exclude is defined %}{{ ondemand_wifi_exclude | b64encode }}
-          {%- elif _ondemand_wifi_exclude.user_input is defined and _ondemand_wifi_exclude.user_input != "" %}{{ _ondemand_wifi_exclude.user_input | b64encode }}
-          {%- else %}{{ '_null' | b64encode }}{% endif %}
-        algo_local_dns: >-
-          {% if local_dns is defined %}{{ local_dns | bool }}
-          {%- elif _local_dns.user_input is defined and _local_dns.user_input != "" %}{{ booleans_map[_local_dns.user_input] | default(defaults['local_dns']) }}
-          {%- else %}false{% endif %}
-        algo_ssh_tunneling: >-
-          {% if ssh_tunneling is defined %}{{ ssh_tunneling | bool }}
-          {%- elif _ssh_tunneling.user_input is defined and _ssh_tunneling.user_input != "" %}{{ booleans_map[_ssh_tunneling.user_input] | default(defaults['ssh_tunneling']) }}
-          {%- else %}false{% endif %}
-        algo_windows: >-
-          {% if windows is defined %}{{ windows | bool }}
-          {%- elif _windows.user_input is defined and _windows.user_input != "" %}{{ booleans_map[_windows.user_input] | default(defaults['windows']) }}
-          {%- else %}false{% endif %}
-        algo_store_cakey: >-
-          {% if store_cakey is defined %}{{ store_cakey | bool }}
-          {%- elif _store_cakey.user_input is defined and _store_cakey.user_input != "" %}{{ booleans_map[_store_cakey.user_input] | default(defaults['store_cakey']) }}
-          {%- else %}false{% endif %}
+      - name: Set facts based on the input
+        set_fact:
+          algo_server_name: >-
+            {% if server_name is defined %}{% set _server = server_name %}
+            {%- elif _algo_server_name.user_input is defined and _algo_server_name.user_input != "" %}{% set _server = _algo_server_name.user_input %}
+            {%- else %}{% set _server = defaults['server_name'] %}{% endif -%}
+            {{ _server | regex_replace('(?!\.)(\W|_)', '-') }}
+          algo_ondemand_cellular: >-
+            {% if ondemand_cellular is defined %}{{ ondemand_cellular | bool }}
+            {%- elif _ondemand_cellular.user_input is defined and _ondemand_cellular.user_input != "" %}{{ booleans_map[_ondemand_cellular.user_input] | default(defaults['ondemand_cellular']) }}
+            {%- else %}false{% endif %}
+          algo_ondemand_wifi: >-
+            {% if ondemand_wifi is defined %}{{ ondemand_wifi | bool }}
+            {%- elif _ondemand_wifi.user_input is defined and _ondemand_wifi.user_input != "" %}{{ booleans_map[_ondemand_wifi.user_input] | default(defaults['ondemand_wifi']) }}
+            {%- else %}false{% endif %}
+          algo_ondemand_wifi_exclude: >-
+            {% if ondemand_wifi_exclude is defined %}{{ ondemand_wifi_exclude | b64encode }}
+            {%- elif _ondemand_wifi_exclude.user_input is defined and _ondemand_wifi_exclude.user_input != "" %}{{ _ondemand_wifi_exclude.user_input | b64encode }}
+            {%- else %}{{ '_null' | b64encode }}{% endif %}
+          algo_local_dns: >-
+            {% if local_dns is defined %}{{ local_dns | bool }}
+            {%- elif _local_dns.user_input is defined and _local_dns.user_input != "" %}{{ booleans_map[_local_dns.user_input] | default(defaults['local_dns']) }}
+            {%- else %}false{% endif %}
+          algo_ssh_tunneling: >-
+            {% if ssh_tunneling is defined %}{{ ssh_tunneling | bool }}
+            {%- elif _ssh_tunneling.user_input is defined and _ssh_tunneling.user_input != "" %}{{ booleans_map[_ssh_tunneling.user_input] | default(defaults['ssh_tunneling']) }}
+            {%- else %}false{% endif %}
+          algo_windows: >-
+            {% if windows is defined %}{{ windows | bool }}
+            {%- elif _windows.user_input is defined and _windows.user_input != "" %}{{ booleans_map[_windows.user_input] | default(defaults['windows']) }}
+            {%- else %}false{% endif %}
+          algo_store_cakey: >-
+            {% if store_cakey is defined %}{{ store_cakey | bool }}
+            {%- elif _store_cakey.user_input is defined and _store_cakey.user_input != "" %}{{ booleans_map[_store_cakey.user_input] | default(defaults['store_cakey']) }}
+            {%- else %}false{% endif %}
+      rescue:
+        - include_tasks: playbooks/rescue.yml          

playbooks/rescue.yml

@@ -0,0 +1,5 @@
+---
+- debug:
+    var: fail_hint
+
+- fail: