sgratias/semaphore
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

last chisel

Browse Source
This commit is contained in:
sgratias
2023-09-26 15:24:06 +02:00
parent d616fdbe55
commit 8f2eda318c
3 changed files with 234 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

267
chisel.yml
View File

@@ -4,111 +4,242 @@
become: true
# #
# # @author Stéphane Gratias (2021).
# # @author Stéphane Gratias (2023).
#
pre_tasks:
# HACK to bypass role
- name: create file service | HACK role to load service before
ansible.builtin.file:
path: "{{ chisel_service_destination }}"
state: touch
mode: 0644
tags:
- always
- name: reload daemon systemd | HACK role to load service before
ansible.builtin.systemd:
daemon_reload: true
tags:
- always
# HACK to bypass role
- name: CHECK if binary chisel is already installed
shell: which /usr/local/bin/chisel
changed_when: false
failed_when: false
register: chisel_installed
tags:
- chisel
- name: Check if chisel service is started
ansible.builtin.service:
name: "{{ chisel_service_name }}"
state: started
changed_when: false
failed_when: false
register: chisel_service
tags:
- chisel
- name: Debug service state for ALL hosts
debug:
msg: "{{ chisel_service }}"
tags:
- chisel
- name: Read fingerprint chisel server in log file
ansible.builtin.slurp:
src: "/var/log/chisel/{{ chisel_config_name }}_error.log"
register: fingerprint
when:
- chisel_service.state is defined
- chisel_service.state == 'started'
- chisel_server|default(false) is true
tags:
- chisel
- name: Setting fingerprint host facts
ansible.builtin.set_fact:
chisel_fingerprint: "{{ fingerprint['content'] | b64decode | regex_search('.*Fingerprint.*', multiline=True, ignorecase=True) | split(' ') }}"
tags:
- chisel
when:
- chisel_service.state is defined
- chisel_service.state == 'started'
- chisel_server|default(false) is true
- name: Debug fingerprint for ALL hosts
debug:
msg: "{{ hostvars[groups['server'][0]].chisel_fingerprint }}"
when: hostvars[groups['server'][0]].chisel_fingerprint is defined
tags:
- chisel
roles:
- { role: justin_p.chisel, tags: chisel-server, when: "{{ chisel_server|default(false) }} is true" }
- { role: justin_p.chisel, tags: chisel, when: chisel_service.state is undefined }
tasks:
# Need to install proxychains
- name: Change settings in chisel-server and proxychains conf files | Server
##########
# SERVER #
##########
# Need to install proxychains on server
- name: Change settings in proxychains conf files ONLY on server
ansible.builtin.lineinfile:
path: "{{ item.path }}"
regexp: "{{ item.regexp }}"
state: "{{ item.state }}"
line: "{{ item.line|default(omit) }}"
loop: "{{ chisel_proxychains_conf }}"
when: "{{ chisel_server|default(false) }} is true"
tags: chisel-server
when:
- chisel_service.state is undefined
- "{{ chisel_server|default(false) }} is true"
tags:
- chisel
- name: Reload service chisel-server | Server
- name: Restart chisel-server to have new fingerprint ONLY on server
ansible.builtin.service:
name: chisel-server
name: "{{ chisel_service_name }}"
state: restarted
when: "{{ chisel_server|default(false) }} is true"
tags: chisel-server
when:
- chisel_service.state is undefined
- "{{ chisel_server|default(false) }} is true"
tags:
- chisel
- name: Read fingerprint chisel server in log file
ansible.builtin.slurp:
src: "/var/log/chisel/{{ chisel_config_name }}_error.log"
register: fingerprint
when: "{{ chisel_server|default(false) }} is true"
when:
- chisel_service.state is undefined
- "{{ chisel_server|default(false) }} is true"
tags:
- chisel-server
- chisel-client
- chisel
- name: Setting fingerprint host facts
ansible.builtin.set_fact:
chisel_fingerprint: "{{ fingerprint['content'] | b64decode | regex_search('.*Fingerprint.*', multiline=True, ignorecase=True) | split(' ') }}"
tags:
- chisel-server
- chisel-client
when: "{{ chisel_server|default(false) }} is true"
- chisel
when:
- chisel_service.state is undefined
- "{{ chisel_server|default(false) }} is true"
- name: Debug fingerprint for ALL hosts
debug:
msg: "{{ hostvars[groups['server'][0]].chisel_fingerprint }}"
tags:
- chisel-server
- chisel-client
- chisel
- name: CHECK if binary chisel is already installed | Client
shell: which /usr/local/bin/chisel
changed_when: false
failed_when: false
register: chisel_installed
tags: chisel-client
##########
# CLIENT #
##########
- name: install chisel from github source
block:
- name: Ensure gzip is installed | Client
ansible.builtin.apt:
name: gzip
state: present
when:
- ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
- chisel_server is false
- name: Change settings in chisel conf files ONLY on client
ansible.builtin.lineinfile:
path: "{{ item.path }}"
regexp: "{{ item.regexp }}"
state: "{{ item.state }}"
line: "{{ item.line|default(omit) }}"
when: "{{ chisel_server|default(false) }} is false"
loop: "{{ chisel_conf }}"
tags: chisel
- name: "Download chisel {{ chisel_version }}"
ansible.builtin.get_url:
url: "https://github.com/jpillora/chisel/releases/download/v{{ chisel_version }}/chisel_{{ chisel_version }}_linux_amd64.gz"
dest: "/tmp/"
mode: '0600'
when: "{{ chisel_server }} is false"
- name: Restart chisel-client to have new fingerprint ONLY on client
ansible.builtin.service:
name: "{{ chisel_service_name }}"
state: restarted
when: "{{ chisel_server|default(false) }} is false"
tags: chisel
- name: "Unpack chisel to {{ chisel_install_destination | default('/usr/local/bin/') }}"
ansible.builtin.shell: "gunzip -c /tmp/chisel_{{ chisel_version }}_linux_amd64.gz > {{ chisel_install_destination }}"
register: gunzip_output
when: "{{ chisel_server }} is false"
- name: "Set correct rights for {{ chisel_install_destination }}"
ansible.builtin.file:
path: "{{ chisel_install_destination }}"
owner: root
group: root
mode: 0775
when: "{{ chisel_server }} is false"
########################
# REMOVE CLIENT/SERVER #
########################
- name: "Run chisel to : {{ chisel_server_host }}:{{ chisel_server_port }}"
ansible.builtin.shell: "{{ chisel_install_destination }} client --fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4] }} --auth {{ chisel_basic_auth }} {{ chisel_server_host }}:{{ chisel_server_port }} R:{{ chisel_server_host }}:socks"
async: 60 # Le temps maximal en secondes d'attente apres deco (chisel tournera quand meme apres)
poll: 0
#register: chisel_client_output
when: "{{ chisel_server }} is false"
- name: Stop service {{ chisel_service_name }} on CLIENT
ansible.builtin.service:
name: "{{ chisel_service_name }}"
state: stopped
when: "{{ chisel_server|default(false) }} is false"
tags:
- chisel-remove-client
- chisel-remove
when: chisel_installed.rc != 0
tags:
- chisel-client
- name: Stop service {{ chisel_service_name }} on SERVER
ansible.builtin.service:
name: "{{ chisel_service_name }}"
state: stopped
when: "{{ chisel_server|default(false) }} is true"
tags:
- chisel-remove-server
- chisel-remove
- name: "Run chisel to : {{ chisel_server_host }}:{{ chisel_server_port }} with auth {{ chisel_basic_auth }}"
ansible.builtin.shell: "{{ chisel_install_destination }} client --fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4] }} --auth {{ chisel_basic_auth }} {{ chisel_server_host }}:{{ chisel_server_port }} R:{{ chisel_server_host }}:socks"
when: "{{ chisel_server }} is false"
async: 60 # Le temps maximal en secondes d'attente apres deco (chisel tournera quand meme apres)
poll: 0
#register: chisel_client_output
tags:
- chisel-client
- name: Find all ansible directories in tmp
find:
paths: /tmp/
patterns: 'ansible_*'
file_type: directory
register: ansible_files
tags:
- chisel-remove-client
- chisel-remove-server
- chisel-remove
# TODO remove tmp/chisel_1.8.1_linux_amd64.gz /usr/local/bin/chisel /tmp/ansible_ansible.legacy.command_payload_XXXX and stop chisel-server
# - name: Debug ansible files ALL hosts
# debug:
# msg: "{{ ansible_files.files }}"
# tags:
# - chisel-remove-client
# - chisel-remove
- name: Remove all files and directories ONLY on client
ansible.builtin.file:
path: "{{ item }}"
state: absent
notify: reload daemon systemd
loop: "{{ chisel_remove_all }}"
when: "{{ chisel_server|default(false) }} is false"
tags:
- chisel-remove-client
- chisel-remove
- name: Remove all files and directories ONLY on server
ansible.builtin.file:
path: "{{ item }}"
state: absent
notify: reload daemon systemd
loop: "{{ chisel_remove_all }}"
when: "{{ chisel_server|default(false) }} is true"
tags:
- chisel-remove-server
- chisel-remove
- name: Remove all ansible directories
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
notify: reload daemon systemd
loop: "{{ ansible_files.files }}"
tags:
- chisel-remove-client
- chisel-remove-server
- chisel-remove
handlers:
- name: reload daemon systemd
ansible.builtin.systemd:
daemon_reload: true
# /lib/systemd/system/chisel-client.service -> chisel_service_destination
# /var/log/chisel
# /etc/chisel -> chisel_config_folder
# /tmp/chisel -> chisel_download_destination
# /usr/local/bin/chisel -> chisel_install_destination

11
group_vars/perso.yml
View File

@@ -111,3 +111,14 @@ alert_list_server:
- '"163.172.84.28"'
- '"37.187.127.90"'
alert_server_ssl: gitea.jingoh.fr
##########
# CHISEL #
##########
chisel_remove_all:
- "{{ chisel_service_destination }}"
- "{{ chisel_config_folder }}"
- "{{ chisel_download_destination }}"
- "{{ chisel_install_destination }}"
- /var/log/chisel

27
host_vars/ovh_fr.yml
View File

@@ -16,7 +16,28 @@ apt_repositories_sources:
##########
chisel_server: false
chisel_basic_auth: user:pass
chisel_client_auth_username: user
chisel_client_auth_password: pass
chisel_version: 1.8.1
chisel_server_host: 163.172.84.28
chisel_server_port: 8080
chisel_client_server_url: 163.172.84.28:8080
chisel_client_remotes: R:163.172.84.28:socks
chisel_server_port: 8080
chisel_service_name: chisel-client
chisel_config_name: chisel-client
chisel_conf:
# chisel enable auth and finder
- path: "/etc/chisel/{{ chisel_config_name }}.conf"
regexp: "^AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
state: present
line: "AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
# - path: "/etc/chisel/{{ chisel_config_name }}.conf"
# regexp: "^HOSTNAME=--hostname {{ chisel_client_server_url }}"
# state: present
# line: "HOSTNAME=--hostname {{ chisel_client_server_url }}"
- path: "/etc/chisel/{{ chisel_config_name }}.conf"
regexp: "^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}"
state: present
line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4]|default('') }}"