From 8f2eda318cc1e3bcddc9ab8c87dd4dd40c45c763 Mon Sep 17 00:00:00 2001 From: staffadmin Date: Tue, 26 Sep 2023 15:24:06 +0200 Subject: [PATCH] last chisel --- chisel.yml | 267 ++++++++++++++++++++++++++++++++----------- group_vars/perso.yml | 11 ++ host_vars/ovh_fr.yml | 27 ++++- 3 files changed, 234 insertions(+), 71 deletions(-) diff --git a/chisel.yml b/chisel.yml index 4c22cfa..26ff689 100644 --- a/chisel.yml +++ b/chisel.yml 
@@ -4,111 +4,242 @@ become: true # # -# # @author Stéphane Gratias (2021). +# # @author Stéphane Gratias (2023). # + pre_tasks: + +# HACK to bypass role + + - name: create file service | HACK role to load service before + ansible.builtin.file: + path: "{{ chisel_service_destination }}" + state: touch + mode: 0644 + tags: + - always + + - name: reload daemon systemd | HACK role to load service before + ansible.builtin.systemd: + daemon_reload: true + tags: + - always + +# HACK to bypass role + + - name: CHECK if binary chisel is already installed + shell: which /usr/local/bin/chisel + changed_when: false + failed_when: false + register: chisel_installed + tags: + - chisel + + - name: Check if chisel service is started + ansible.builtin.service: + name: "{{ chisel_service_name }}" + state: started + changed_when: false + failed_when: false + register: chisel_service + tags: + - chisel + + - name: Debug service state for ALL hosts + debug: + msg: "{{ chisel_service }}" + tags: + - chisel + + - name: Read fingerprint chisel server in log file + ansible.builtin.slurp: + src: "/var/log/chisel/{{ chisel_config_name }}_error.log" + register: fingerprint + when: + - chisel_service.state is defined + - chisel_service.state == 'started' + - chisel_server|default(false) is true + tags: + - chisel + + - name: Setting fingerprint host facts + ansible.builtin.set_fact: + chisel_fingerprint: "{{ fingerprint['content'] | b64decode | regex_search('.*Fingerprint.*', multiline=True, ignorecase=True) | split(' ') }}" + tags: + - chisel + when: + - chisel_service.state is defined + - chisel_service.state == 'started' + - chisel_server|default(false) is true + + - name: Debug fingerprint for ALL hosts + debug: + msg: "{{ hostvars[groups['server'][0]].chisel_fingerprint }}" + when: hostvars[groups['server'][0]].chisel_fingerprint is defined + tags: + - chisel roles: - - { role: justin_p.chisel, tags: chisel-server, when: "{{ chisel_server|default(false) }} is true" } + - { role: 
justin_p.chisel, tags: chisel, when: chisel_service.state is undefined } tasks: - # Need to install proxychains - - name: Change settings in chisel-server and proxychains conf files | Server + + + ########## + # SERVER # + ########## + + # Need to install proxychains on server + - name: Change settings in proxychains conf files ONLY on server ansible.builtin.lineinfile: path: "{{ item.path }}" regexp: "{{ item.regexp }}" state: "{{ item.state }}" line: "{{ item.line|default(omit) }}" loop: "{{ chisel_proxychains_conf }}" - when: "{{ chisel_server|default(false) }} is true" - tags: chisel-server + when: + - chisel_service.state is undefined + - "{{ chisel_server|default(false) }} is true" + tags: + - chisel - - name: Reload service chisel-server | Server + - name: Restart chisel-server to have new fingerprint ONLY on server ansible.builtin.service: - name: chisel-server + name: "{{ chisel_service_name }}" state: restarted - when: "{{ chisel_server|default(false) }} is true" - tags: chisel-server + when: + - chisel_service.state is undefined + - "{{ chisel_server|default(false) }} is true" + tags: + - chisel - name: Read fingerprint chisel server in log file ansible.builtin.slurp: src: "/var/log/chisel/{{ chisel_config_name }}_error.log" register: fingerprint - when: "{{ chisel_server|default(false) }} is true" + when: + - chisel_service.state is undefined + - "{{ chisel_server|default(false) }} is true" tags: - - chisel-server - - chisel-client + - chisel - name: Setting fingerprint host facts ansible.builtin.set_fact: chisel_fingerprint: "{{ fingerprint['content'] | b64decode | regex_search('.*Fingerprint.*', multiline=True, ignorecase=True) | split(' ') }}" tags: - - chisel-server - - chisel-client - when: "{{ chisel_server|default(false) }} is true" + - chisel + when: + - chisel_service.state is undefined + - "{{ chisel_server|default(false) }} is true" - name: Debug fingerprint for ALL hosts debug: msg: "{{ hostvars[groups['server'][0]].chisel_fingerprint }}" 
tags: - - chisel-server - - chisel-client + - chisel - - name: CHECK if binary chisel is already installed | Client - shell: which /usr/local/bin/chisel - changed_when: false - failed_when: false - register: chisel_installed - tags: chisel-client + ########## + # CLIENT # + ########## - - name: install chisel from github source - block: - - name: Ensure gzip is installed | Client - ansible.builtin.apt: - name: gzip - state: present - when: - - ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' - - chisel_server is false + - name: Change settings in chisel conf files ONLY on client + ansible.builtin.lineinfile: + path: "{{ item.path }}" + regexp: "{{ item.regexp }}" + state: "{{ item.state }}" + line: "{{ item.line|default(omit) }}" + when: "{{ chisel_server|default(false) }} is false" + loop: "{{ chisel_conf }}" + tags: chisel - - name: "Download chisel {{ chisel_version }}" - ansible.builtin.get_url: - url: "https://github.com/jpillora/chisel/releases/download/v{{ chisel_version }}/chisel_{{ chisel_version }}_linux_amd64.gz" - dest: "/tmp/" - mode: '0600' - when: "{{ chisel_server }} is false" + - name: Restart chisel-client to have new fingerprint ONLY on client + ansible.builtin.service: + name: "{{ chisel_service_name }}" + state: restarted + when: "{{ chisel_server|default(false) }} is false" + tags: chisel - - name: "Unpack chisel to {{ chisel_install_destination | default('/usr/local/bin/') }}" - ansible.builtin.shell: "gunzip -c /tmp/chisel_{{ chisel_version }}_linux_amd64.gz > {{ chisel_install_destination }}" - register: gunzip_output - when: "{{ chisel_server }} is false" - - name: "Set correct rights for {{ chisel_install_destination }}" - ansible.builtin.file: - path: "{{ chisel_install_destination }}" - owner: root - group: root - mode: 0775 - when: "{{ chisel_server }} is false" + ######################## + # REMOVE CLIENT/SERVER # + ######################## - - name: "Run chisel to : {{ chisel_server_host }}:{{ chisel_server_port 
}}" - ansible.builtin.shell: "{{ chisel_install_destination }} client --fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4] }} --auth {{ chisel_basic_auth }} {{ chisel_server_host }}:{{ chisel_server_port }} R:{{ chisel_server_host }}:socks" - async: 60 # Le temps maximal en secondes d'attente apres deco (chisel tournera quand meme apres) - poll: 0 - #register: chisel_client_output - when: "{{ chisel_server }} is false" + - name: Stop service {{ chisel_service_name }} on CLIENT + ansible.builtin.service: + name: "{{ chisel_service_name }}" + state: stopped + when: "{{ chisel_server|default(false) }} is false" + tags: + - chisel-remove-client + - chisel-remove - when: chisel_installed.rc != 0 - tags: - - chisel-client + - name: Stop service {{ chisel_service_name }} on SERVER + ansible.builtin.service: + name: "{{ chisel_service_name }}" + state: stopped + when: "{{ chisel_server|default(false) }} is true" + tags: + - chisel-remove-server + - chisel-remove - - name: "Run chisel to : {{ chisel_server_host }}:{{ chisel_server_port }} with auth {{ chisel_basic_auth }}" - ansible.builtin.shell: "{{ chisel_install_destination }} client --fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4] }} --auth {{ chisel_basic_auth }} {{ chisel_server_host }}:{{ chisel_server_port }} R:{{ chisel_server_host }}:socks" - when: "{{ chisel_server }} is false" - async: 60 # Le temps maximal en secondes d'attente apres deco (chisel tournera quand meme apres) - poll: 0 - #register: chisel_client_output - tags: - - chisel-client + - name: Find all ansible directories in tmp + find: + paths: /tmp/ + patterns: 'ansible_*' + file_type: directory + register: ansible_files + tags: + - chisel-remove-client + - chisel-remove-server + - chisel-remove -# TODO remove tmp/chisel_1.8.1_linux_amd64.gz /usr/local/bin/chisel /tmp/ansible_ansible.legacy.command_payload_XXXX and stop chisel-server \ No newline at end of file + # - name: Debug ansible files ALL hosts + # debug: + 
# msg: "{{ ansible_files.files }}" + # tags: + # - chisel-remove-client + # - chisel-remove + + - name: Remove all files and directories ONLY on client + ansible.builtin.file: + path: "{{ item }}" + state: absent + notify: reload daemon systemd + loop: "{{ chisel_remove_all }}" + when: "{{ chisel_server|default(false) }} is false" + tags: + - chisel-remove-client + - chisel-remove + + - name: Remove all files and directories ONLY on server + ansible.builtin.file: + path: "{{ item }}" + state: absent + notify: reload daemon systemd + loop: "{{ chisel_remove_all }}" + when: "{{ chisel_server|default(false) }} is true" + tags: + - chisel-remove-server + - chisel-remove + + - name: Remove all ansible directories + ansible.builtin.file: + path: "{{ item.path }}" + state: absent + notify: reload daemon systemd + loop: "{{ ansible_files.files }}" + tags: + - chisel-remove-client + - chisel-remove-server + - chisel-remove + + handlers: + - name: reload daemon systemd + ansible.builtin.systemd: + daemon_reload: true + +# /lib/systemd/system/chisel-client.service -> chisel_service_destination +# /var/log/chisel +# /etc/chisel -> chisel_config_folder +# /tmp/chisel -> chisel_download_destination +# /usr/local/bin/chisel -> chisel_install_destination \ No newline at end of file diff --git a/group_vars/perso.yml b/group_vars/perso.yml index ebe1747..d0110e6 100644 --- a/group_vars/perso.yml +++ b/group_vars/perso.yml @@ -111,3 +111,14 @@ alert_list_server: - '"163.172.84.28"' - '"37.187.127.90"' alert_server_ssl: gitea.jingoh.fr + + ########## + # CHISEL # + ########## + +chisel_remove_all: + - "{{ chisel_service_destination }}" + - "{{ chisel_config_folder }}" + - "{{ chisel_download_destination }}" + - "{{ chisel_install_destination }}" + - /var/log/chisel diff --git a/host_vars/ovh_fr.yml b/host_vars/ovh_fr.yml index 90c4143..71db419 100644 --- a/host_vars/ovh_fr.yml +++ b/host_vars/ovh_fr.yml 
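Review bot: In the pre_tasks `Setting fingerprint host facts` (and its twin in the SERVER section), `regex_search('.*Fingerprint.*', multiline=True, ...)` returns the first `Fingerprint` line in `{{ chisel_config_name }}_error.log`, which — if that log is appended to rather than truncated — is the oldest one, so after the deliberate `Restart chisel-server to have new fingerprint ONLY on server` the clients can end up pinned to a key the server no longer uses; `chisel_fingerprint: "{{ fingerprint['content'] | b64decode | regex_findall('Fingerprint\\s+(\\S+)') | last }}"` takes the newest line and fails loudly when none is present, with host_vars then using `chisel_fingerprint` directly instead of the positional `split(' ')`/`[4]` parse. Longer term the server should run with a persistent key (chisel 1.8.x's `--keyfile`, if the role exposes it) so a restart does not invalidate every client's pinned fingerprint. `Check if chisel service is started` calls `ansible.builtin.service` with `state: started`, which starts a stopped unit as a side effect of what is meant to be a read-only probe; `ansible.builtin.service_facts` yields the same state without changing anything. `Remove all ansible directories` deletes every `/tmp/ansible_*` directory found on the host, which would include the remote temp dirs of any other Ansible session running concurrently. The play header (`become: true`) is above this hunk.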
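Review bot: `chisel_remove_all` interpolates `chisel_service_destination`, `chisel_config_folder` and `chisel_download_destination`, none of which is defined anywhere in this patch; presumably they are role defaults of justin_p.chisel, but if any is unset the `Remove all files and directories` loops in chisel.yml fail on an undefined variable on every host, so a comment naming the source of each value would help the next reader, e.g. `# paths below come from justin_p.chisel defaults` above the list. The list also removes `/var/log/chisel` recursively, which is both the only record of tunnel activity on the server and the file the fingerprint is read from on the next run; if those logs have any audit value they should be archived before `state: absent` runs.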
@@ -16,7 +16,28 @@ apt_repositories_sources: ########## chisel_server: false -chisel_basic_auth: user:pass +chisel_client_auth_username: user +chisel_client_auth_password: pass chisel_version: 1.8.1 -chisel_server_host: 163.172.84.28 -chisel_server_port: 8080 \ No newline at end of file +chisel_client_server_url: 163.172.84.28:8080 +chisel_client_remotes: R:163.172.84.28:socks +chisel_server_port: 8080 + + +chisel_service_name: chisel-client +chisel_config_name: chisel-client + +chisel_conf: +# chisel enable auth and finder + - path: "/etc/chisel/{{ chisel_config_name }}.conf" + regexp: "^AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" + state: present + line: "AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" + # - path: "/etc/chisel/{{ chisel_config_name }}.conf" + # regexp: "^HOSTNAME=--hostname {{ chisel_client_server_url }}" + # state: present + # line: "HOSTNAME=--hostname {{ chisel_client_server_url }}" + - path: "/etc/chisel/{{ chisel_config_name }}.conf" + regexp: "^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}" + state: present + line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4]|default('') }}"
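Review bot: The FINGERPRINT `line:` falls back to `|default('')`, so when the server fact is missing the client conf gets `FINGERPRINT=--fingerprint ` with no value and chisel — which treats the flag as optional — no longer validates the server's host key (or, depending on how the unit expands the variable, `--fingerprint` swallows the next argument); a missing fingerprint should fail the play instead, `line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4] | mandatory }}"`. Both `regexp:` entries match the full current value (`^AUTH=--auth {{ user }}:{{ pass }}` and `^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}`), so a rotated password or a new server fingerprint does not replace the old line but appends a second one, and `chisel_client_server_fingerprint` is not defined anywhere in this patch; anchoring on the key, `regexp: '^AUTH='` and `regexp: '^FINGERPRINT='`, fixes both. `chisel_client_auth_password: pass` is a plaintext credential in a committed host_vars file and should be an ansible-vault value. Whether `AUTH=--auth user:pass` ends up on the chisel command line (readable in `/proc/*/cmdline`) depends on the unit's ExecStart, which is outside this patch.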