last chisel

This commit is contained in:
2023-09-26 15:24:06 +02:00
parent d616fdbe55
commit 8f2eda318c
3 changed files with 234 additions and 71 deletions


@@ -4,111 +4,242 @@
become: true become: true
# # # #
# # @author Stéphane Gratias (2021). # # @author Stéphane Gratias (2023).
# #
pre_tasks:
# HACK to bypass role
- name: create file service | HACK role to load service before
ansible.builtin.file:
path: "{{ chisel_service_destination }}"
state: touch
mode: 0644
tags:
- always
- name: reload daemon systemd | HACK role to load service before
ansible.builtin.systemd:
daemon_reload: true
tags:
- always
# HACK to bypass role
- name: CHECK if binary chisel is already installed
shell: which /usr/local/bin/chisel
changed_when: false
failed_when: false
register: chisel_installed
tags:
- chisel
- name: Check if chisel service is started
ansible.builtin.service:
name: "{{ chisel_service_name }}"
state: started
changed_when: false
failed_when: false
register: chisel_service
tags:
- chisel
- name: Debug service state for ALL hosts
debug:
msg: "{{ chisel_service }}"
tags:
- chisel
- name: Read fingerprint chisel server in log file
ansible.builtin.slurp:
src: "/var/log/chisel/{{ chisel_config_name }}_error.log"
register: fingerprint
when:
- chisel_service.state is defined
- chisel_service.state == 'started'
- chisel_server|default(false) is true
tags:
- chisel
- name: Setting fingerprint host facts
ansible.builtin.set_fact:
chisel_fingerprint: "{{ fingerprint['content'] | b64decode | regex_search('.*Fingerprint.*', multiline=True, ignorecase=True) | split(' ') }}"
tags:
- chisel
when:
- chisel_service.state is defined
- chisel_service.state == 'started'
- chisel_server|default(false) is true
- name: Debug fingerprint for ALL hosts
debug:
msg: "{{ hostvars[groups['server'][0]].chisel_fingerprint }}"
when: hostvars[groups['server'][0]].chisel_fingerprint is defined
tags:
- chisel
roles: roles:
- { role: justin_p.chisel, tags: chisel-server, when: "{{ chisel_server|default(false) }} is true" } - { role: justin_p.chisel, tags: chisel, when: chisel_service.state is undefined }
tasks: tasks:
# Need to install proxychains
- name: Change settings in chisel-server and proxychains conf files | Server
##########
# SERVER #
##########
# Need to install proxychains on server
- name: Change settings in proxychains conf files ONLY on server
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ item.path }}" path: "{{ item.path }}"
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
state: "{{ item.state }}" state: "{{ item.state }}"
line: "{{ item.line|default(omit) }}" line: "{{ item.line|default(omit) }}"
loop: "{{ chisel_proxychains_conf }}" loop: "{{ chisel_proxychains_conf }}"
when: "{{ chisel_server|default(false) }} is true" when:
tags: chisel-server - chisel_service.state is undefined
- "{{ chisel_server|default(false) }} is true"
tags:
- chisel
- name: Reload service chisel-server | Server - name: Restart chisel-server to have new fingerprint ONLY on server
ansible.builtin.service: ansible.builtin.service:
name: chisel-server name: "{{ chisel_service_name }}"
state: restarted state: restarted
when: "{{ chisel_server|default(false) }} is true" when:
tags: chisel-server - chisel_service.state is undefined
- "{{ chisel_server|default(false) }} is true"
tags:
- chisel
- name: Read fingerprint chisel server in log file - name: Read fingerprint chisel server in log file
ansible.builtin.slurp: ansible.builtin.slurp:
src: "/var/log/chisel/{{ chisel_config_name }}_error.log" src: "/var/log/chisel/{{ chisel_config_name }}_error.log"
register: fingerprint register: fingerprint
when: "{{ chisel_server|default(false) }} is true" when:
- chisel_service.state is undefined
- "{{ chisel_server|default(false) }} is true"
tags: tags:
- chisel-server - chisel
- chisel-client
- name: Setting fingerprint host facts - name: Setting fingerprint host facts
ansible.builtin.set_fact: ansible.builtin.set_fact:
chisel_fingerprint: "{{ fingerprint['content'] | b64decode | regex_search('.*Fingerprint.*', multiline=True, ignorecase=True) | split(' ') }}" chisel_fingerprint: "{{ fingerprint['content'] | b64decode | regex_search('.*Fingerprint.*', multiline=True, ignorecase=True) | split(' ') }}"
tags: tags:
- chisel-server - chisel
- chisel-client when:
when: "{{ chisel_server|default(false) }} is true" - chisel_service.state is undefined
- "{{ chisel_server|default(false) }} is true"
- name: Debug fingerprint for ALL hosts - name: Debug fingerprint for ALL hosts
debug: debug:
msg: "{{ hostvars[groups['server'][0]].chisel_fingerprint }}" msg: "{{ hostvars[groups['server'][0]].chisel_fingerprint }}"
tags: tags:
- chisel-server - chisel
- chisel-client
- name: CHECK if binary chisel is already installed | Client ##########
shell: which /usr/local/bin/chisel # CLIENT #
changed_when: false ##########
failed_when: false
register: chisel_installed
tags: chisel-client
- name: install chisel from github source - name: Change settings in chisel conf files ONLY on client
block: ansible.builtin.lineinfile:
- name: Ensure gzip is installed | Client path: "{{ item.path }}"
ansible.builtin.apt: regexp: "{{ item.regexp }}"
name: gzip state: "{{ item.state }}"
state: present line: "{{ item.line|default(omit) }}"
when: when: "{{ chisel_server|default(false) }} is false"
- ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' loop: "{{ chisel_conf }}"
- chisel_server is false tags: chisel
- name: "Download chisel {{ chisel_version }}" - name: Restart chisel-client to have new fingerprint ONLY on client
ansible.builtin.get_url: ansible.builtin.service:
url: "https://github.com/jpillora/chisel/releases/download/v{{ chisel_version }}/chisel_{{ chisel_version }}_linux_amd64.gz" name: "{{ chisel_service_name }}"
dest: "/tmp/" state: restarted
mode: '0600' when: "{{ chisel_server|default(false) }} is false"
when: "{{ chisel_server }} is false" tags: chisel
- name: "Unpack chisel to {{ chisel_install_destination | default('/usr/local/bin/') }}"
ansible.builtin.shell: "gunzip -c /tmp/chisel_{{ chisel_version }}_linux_amd64.gz > {{ chisel_install_destination }}"
register: gunzip_output
when: "{{ chisel_server }} is false"
- name: "Set correct rights for {{ chisel_install_destination }}" ########################
ansible.builtin.file: # REMOVE CLIENT/SERVER #
path: "{{ chisel_install_destination }}" ########################
owner: root
group: root
mode: 0775
when: "{{ chisel_server }} is false"
- name: "Run chisel to : {{ chisel_server_host }}:{{ chisel_server_port }}" - name: Stop service {{ chisel_service_name }} on CLIENT
ansible.builtin.shell: "{{ chisel_install_destination }} client --fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4] }} --auth {{ chisel_basic_auth }} {{ chisel_server_host }}:{{ chisel_server_port }} R:{{ chisel_server_host }}:socks" ansible.builtin.service:
async: 60 # Le temps maximal en secondes d'attente apres deco (chisel tournera quand meme apres) name: "{{ chisel_service_name }}"
poll: 0 state: stopped
#register: chisel_client_output when: "{{ chisel_server|default(false) }} is false"
when: "{{ chisel_server }} is false" tags:
- chisel-remove-client
- chisel-remove
when: chisel_installed.rc != 0 - name: Stop service {{ chisel_service_name }} on SERVER
tags: ansible.builtin.service:
- chisel-client name: "{{ chisel_service_name }}"
state: stopped
when: "{{ chisel_server|default(false) }} is true"
tags:
- chisel-remove-server
- chisel-remove
- name: "Run chisel to : {{ chisel_server_host }}:{{ chisel_server_port }} with auth {{ chisel_basic_auth }}" - name: Find all ansible directories in tmp
ansible.builtin.shell: "{{ chisel_install_destination }} client --fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4] }} --auth {{ chisel_basic_auth }} {{ chisel_server_host }}:{{ chisel_server_port }} R:{{ chisel_server_host }}:socks" find:
when: "{{ chisel_server }} is false" paths: /tmp/
async: 60 # Le temps maximal en secondes d'attente apres deco (chisel tournera quand meme apres) patterns: 'ansible_*'
poll: 0 file_type: directory
#register: chisel_client_output register: ansible_files
tags: tags:
- chisel-client - chisel-remove-client
- chisel-remove-server
- chisel-remove
# TODO remove tmp/chisel_1.8.1_linux_amd64.gz /usr/local/bin/chisel /tmp/ansible_ansible.legacy.command_payload_XXXX and stop chisel-server # - name: Debug ansible files ALL hosts
# debug:
# msg: "{{ ansible_files.files }}"
# tags:
# - chisel-remove-client
# - chisel-remove
- name: Remove all files and directories ONLY on client
ansible.builtin.file:
path: "{{ item }}"
state: absent
notify: reload daemon systemd
loop: "{{ chisel_remove_all }}"
when: "{{ chisel_server|default(false) }} is false"
tags:
- chisel-remove-client
- chisel-remove
- name: Remove all files and directories ONLY on server
ansible.builtin.file:
path: "{{ item }}"
state: absent
notify: reload daemon systemd
loop: "{{ chisel_remove_all }}"
when: "{{ chisel_server|default(false) }} is true"
tags:
- chisel-remove-server
- chisel-remove
- name: Remove all ansible directories
ansible.builtin.file:
path: "{{ item.path }}"
state: absent
notify: reload daemon systemd
loop: "{{ ansible_files.files }}"
tags:
- chisel-remove-client
- chisel-remove-server
- chisel-remove
handlers:
- name: reload daemon systemd
ansible.builtin.systemd:
daemon_reload: true
# /lib/systemd/system/chisel-client.service -> chisel_service_destination
# /var/log/chisel
# /etc/chisel -> chisel_config_folder
# /tmp/chisel -> chisel_download_destination
# /usr/local/bin/chisel -> chisel_install_destination
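Review bot: The fingerprint the client will pin is taken from the first `Fingerprint` match in `/var/log/chisel/{{ chisel_config_name }}_error.log` (`regex_search` returns only the first match), yet the slurp runs immediately after `Restart chisel-server to have new fingerprint`; if the unit appends to that log rather than truncating it, the first match is the previous key's fingerprint, and if the restarted process has not logged yet the match is empty and the `split`/`[4]` indexing fails. Take the last match and wait for it: `regex_findall('.*Fingerprint.*', multiline=True, ignorecase=True) | last | split(' ')`, preceded by an `ansible.builtin.wait_for` with `path` set to the log and `search_regex: Fingerprint`. Separately, `Remove all ansible directories` deletes every `/tmp/ansible_*` directory as root with no `when`, which includes Ansible's own remote temp directory for the running session and, on a shared host, those of other users' runs; Ansible removes its remote_tmp itself unless `keep_remote_files` is set, so this task can likely be dropped. The `0644` in `create file service | HACK role to load service before` is an unquoted octal and should be `mode: '0644'`.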


@@ -111,3 +111,14 @@ alert_list_server:
- '"163.172.84.28"' - '"163.172.84.28"'
- '"37.187.127.90"' - '"37.187.127.90"'
alert_server_ssl: gitea.jingoh.fr alert_server_ssl: gitea.jingoh.fr
##########
# CHISEL #
##########
chisel_remove_all:
- "{{ chisel_service_destination }}"
- "{{ chisel_config_folder }}"
- "{{ chisel_download_destination }}"
- "{{ chisel_install_destination }}"
- /var/log/chisel
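Review bot: `chisel_remove_all` is consumed by `file: state: absent` under `become: true`, so every entry is removed recursively as root, and `/var/log/chisel` is the only place the server's host-key fingerprint is recorded; removing it leaves no record of which key clients were pinned to. Consider archiving that log before deletion, and guarding the loop with an `ansible.builtin.assert` that each templated path is defined and starts with `/`, since an empty or relative expansion of `chisel_config_folder` or `chisel_download_destination` may be resolved relative to the remote working directory instead of failing.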


@@ -16,7 +16,28 @@ apt_repositories_sources:
########## ##########
chisel_server: false chisel_server: false
chisel_basic_auth: user:pass chisel_client_auth_username: user
chisel_client_auth_password: pass
chisel_version: 1.8.1 chisel_version: 1.8.1
chisel_server_host: 163.172.84.28 chisel_client_server_url: 163.172.84.28:8080
chisel_server_port: 8080 chisel_client_remotes: R:163.172.84.28:socks
chisel_server_port: 8080
chisel_service_name: chisel-client
chisel_config_name: chisel-client
chisel_conf:
# chisel enable auth and finder
- path: "/etc/chisel/{{ chisel_config_name }}.conf"
regexp: "^AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
state: present
line: "AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
# - path: "/etc/chisel/{{ chisel_config_name }}.conf"
# regexp: "^HOSTNAME=--hostname {{ chisel_client_server_url }}"
# state: present
# line: "HOSTNAME=--hostname {{ chisel_client_server_url }}"
- path: "/etc/chisel/{{ chisel_config_name }}.conf"
regexp: "^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}"
state: present
line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4]|default('') }}"
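Review bot: Both `regexp` entries in `chisel_conf` embed the value being written, so when the credentials or the server fingerprint change (`Restart chisel-server to have new fingerprint` regenerates it) the old line no longer matches and `lineinfile` appends a second `AUTH=`/`FINGERPRINT=` line instead of replacing it; anchor on the key only, `regexp: '^AUTH='` and `regexp: '^FINGERPRINT='`. The `FINGERPRINT` regexp also references `chisel_client_server_fingerprint`, which is not defined anywhere in this change, and the `line` falls back to `default('')`, which writes `--fingerprint ` with an empty value; per its `--fingerprint` help text chisel only validates the server key when a fingerprint is supplied, so an unread fingerprint silently yields an unpinned, MITM-able connection rather than a failure — drop the default so the task fails, or `assert` that `hostvars[groups['server'][0]].chisel_fingerprint` is defined before the loop. `chisel_client_auth_username`/`chisel_client_auth_password` are committed in plaintext alongside the server address; move them into an Ansible Vault file.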