diff --git a/chisel.yml b/chisel.yml index 512f725..4c22cfa 100644 --- a/chisel.yml +++ b/chisel.yml @@ -9,7 +9,7 @@ roles: - - { role: justin_p.chisel, tags: chisel-server } + - { role: justin_p.chisel, tags: chisel-server, when: "{{ chisel_server|default(false) }} is true" } tasks: # Need to install proxychains 
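Review bot: The `when:` added to the role wraps the variable in Jinja delimiters, `"{{ chisel_server|default(false) }} is true"`; Ansible already evaluates `when` as a Jinja expression, warns about embedded `{{ }}`, and this form only works because the rendered text happens to re-parse as an expression. Write it as `when: chisel_server | default(false) | bool`. The same pattern is used on every `when:` in the second hunk of this file (`"{{ chisel_server }} is false"`), which additionally drops the `default`, so an undefined `chisel_server` would fail there; `when: not (chisel_server | default(false) | bool)` covers those.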
@@ -30,64 +30,85 @@ when: "{{ chisel_server|default(false) }} is true" tags: chisel-server - - - name: Lire le contenu du fichier + - name: Read fingerprint chisel server in log file ansible.builtin.slurp: src: "/var/log/chisel/{{ chisel_config_name }}_error.log" - register: contenu_fichier - tags: chisel-server-test + register: fingerprint + when: "{{ chisel_server|default(false) }} is true" + tags: + - chisel-server + - chisel-client - # - name: Debug log chisel-server and register it for fingerprint - # ansible.builtin.command: - # cmd: 'cat "/var/log/chisel/"{{ chisel_config_name }}_error.log" | grep Fingerprint' - # register: chisel_fingerprint - # tags: chisel-server + - name: Setting fingerprint host facts + ansible.builtin.set_fact: + chisel_fingerprint: "{{ fingerprint['content'] | b64decode | regex_search('.*Fingerprint.*', multiline=True, ignorecase=True) | split(' ') }}" + tags: + - chisel-server + - chisel-client + when: "{{ chisel_server|default(false) }} is true" - - name: test + - name: Debug fingerprint for ALL hosts debug: - msg: "{{ contenu_fichier['content'] | b64decode }}" - tags: chisel-server-test + msg: "{{ hostvars[groups['server'][0]].chisel_fingerprint }}" + tags: + - chisel-server + - chisel-client - # - name: Ensure gzip is installed | Client - # ansible.builtin.apt: - # name: gzip - # state: present - # when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' - - # - name: "Download chisel {{ chisel_version }}" - # ansible.builtin.get_url: - # url: "{{ chisel_download_url_linux_amd64 }}" - # dest: "{{ chisel_download_destination }}" - # checksum: "sha256:{{ chisel_linux_amd64_sha256 }}" - # mode: '0600' - # when: not chisel.stat.exists or chisel_version != chisel_installed_version - - - name: Unarchive a file that needs to be downloaded (added in 2.0) - ansible.builtin.unarchive: - src: https://example.com/example.zip - dest: /usr/local/bin - remote_src: yes + - name: CHECK if binary chisel is already installed | 
Client + shell: which /usr/local/bin/chisel + changed_when: false + failed_when: false + register: chisel_installed tags: chisel-client - # - name: Change the working directory to somedir/ and run the command as db_owner if /path/to/database does not exist - # ansible.builtin.command: /usr/bin/make_database.sh db_user db_name - # become: yes - # become_user: db_owner - # args: - # chdir: somedir/ - # creates: /path/to/database + - name: install chisel from github source + block: + - name: Ensure gzip is installed | Client + ansible.builtin.apt: + name: gzip + state: present + when: + - ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + - chisel_server is false - # - name: "Unpack chisel to {{ chisel_install_destination }}" # noqa: no-changed-when - # ansible.builtin.shell: "gunzip -c {{ chisel_download_destination }} > {{ chisel_install_destination }}" - # register: gunzip_output - # when: not chisel.stat.exists or chisel_version != chisel_installed_version + - name: "Download chisel {{ chisel_version }}" + ansible.builtin.get_url: + url: "https://github.com/jpillora/chisel/releases/download/v{{ chisel_version }}/chisel_{{ chisel_version }}_linux_amd64.gz" + dest: "/tmp/" + mode: '0600' + when: "{{ chisel_server }} is false" + - name: "Unpack chisel to {{ chisel_install_destination | default('/usr/local/bin/') }}" + ansible.builtin.shell: "gunzip -c /tmp/chisel_{{ chisel_version }}_linux_amd64.gz > {{ chisel_install_destination }}" + register: gunzip_output + when: "{{ chisel_server }} is false" -# Done chisel Server -# TODO client (no role) remove-client remove-server + - name: "Set correct rights for {{ chisel_install_destination }}" + ansible.builtin.file: + path: "{{ chisel_install_destination }}" + owner: root + group: root + mode: 0775 + when: "{{ chisel_server }} is false" + - name: "Run chisel to : {{ chisel_server_host }}:{{ chisel_server_port }}" + ansible.builtin.shell: "{{ chisel_install_destination }} client --fingerprint {{ 
hostvars[groups['server'][0]].chisel_fingerprint[4] }} --auth {{ chisel_basic_auth }} {{ chisel_server_host }}:{{ chisel_server_port }} R:{{ chisel_server_host }}:socks" + async: 60 # Le temps maximal en secondes d'attente apres deco (chisel tournera quand meme apres) + poll: 0 + #register: chisel_client_output + when: "{{ chisel_server }} is false" -# TODO chisel in traefik -# port 8080 and 1080 (socks) -# docker run --rm -it jpillora/chisel client --auth "user:pass" --fingerprint dr5QNd5AIR9vFKATKQ/MYN441MF4av5Pipvg65camPo= 163.172.84.28:8080 R:163.172.84.28:socks -# /usr/local/bin/chisel server --host 163.172.84.28 --port 8080 --auth user:pass --reverse --socks5 -v \ No newline at end of file + when: chisel_installed.rc != 0 + tags: + - chisel-client + + - name: "Run chisel to : {{ chisel_server_host }}:{{ chisel_server_port }} with auth {{ chisel_basic_auth }}" + ansible.builtin.shell: "{{ chisel_install_destination }} client --fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4] }} --auth {{ chisel_basic_auth }} {{ chisel_server_host }}:{{ chisel_server_port }} R:{{ chisel_server_host }}:socks" + when: "{{ chisel_server }} is false" + async: 60 # Le temps maximal en secondes d'attente apres deco (chisel tournera quand meme apres) + poll: 0 + #register: chisel_client_output + tags: + - chisel-client + +# TODO remove tmp/chisel_1.8.1_linux_amd64.gz /usr/local/bin/chisel /tmp/ansible_ansible.legacy.command_payload_XXXX and stop chisel-server \ No newline at end of file diff --git a/group_vars/perso.yml b/group_vars/perso.yml index 7941b5f..ebe1747 100644 --- a/group_vars/perso.yml +++ b/group_vars/perso.yml @@ -111,9 +111,3 @@ alert_list_server: - '"163.172.84.28"' - '"37.187.127.90"' alert_server_ssl: gitea.jingoh.fr - - ########## - # CHISEL # - ########## - -chisel_basic_auth: "user:pass" \ No newline at end of file diff --git a/host_vars/ovh_fr.yml b/host_vars/ovh_fr.yml index d68f2fc..90c4143 100644 --- a/host_vars/ovh_fr.yml 
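Review bot: Both "Run chisel" tasks pass `{{ chisel_basic_auth }}` on the command line, and the second one also interpolates it into the task name, so the credential shows up in the client's process listing, in Ansible's console output and in any play log; chisel reads the same value from the `AUTH` environment variable, so move it there and set `no_log: true` on the task. The download task also dropped the `checksum:` the removed code had, so an unverified binary is written to `/usr/local/bin` from a predictable path under `/tmp`. The two "Run chisel" tasks are otherwise identical, so on a fresh install the client is started twice — the copy inside the `install chisel from github source` block can go. `mode: 0775` is better quoted as `'0775'` so it stays an octal string rather than a YAML integer.
```yaml
# … unchanged: fingerprint tasks, gzip task …
      - name: "Download chisel {{ chisel_version }}"
        ansible.builtin.get_url:
          url: "https://github.com/jpillora/chisel/releases/download/v{{ chisel_version }}/chisel_{{ chisel_version }}_linux_amd64.gz"
          dest: "/tmp/"
          mode: '0600'
          # restore the integrity check the previous version had; define the var next to chisel_version
          checksum: "sha256:{{ chisel_linux_amd64_sha256 }}"
        when: not (chisel_server | default(false) | bool)

# … unchanged: unpack and rights tasks, end of block (drop the block's "Run chisel" copy) …
  - name: "Run chisel client to {{ chisel_server_host }}:{{ chisel_server_port }}"
    ansible.builtin.command: >-
      {{ chisel_install_destination }} client
      --fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4] }}
      {{ chisel_server_host }}:{{ chisel_server_port }}
      R:{{ chisel_server_host }}:socks
    environment:
      AUTH: "{{ chisel_basic_auth }}"  # credential stays out of argv and task output
    no_log: true
    async: 60  # seconds Ansible waits before detaching; chisel keeps running afterwards
    poll: 0
    when: not (chisel_server | default(false) | bool)
    tags:
      - chisel-client
```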
+++ b/host_vars/ovh_fr.yml @@ -11,6 +11,12 @@ apt_repositories_sources: - deb http://security.ubuntu.com/ubuntu focal-security universe - deb http://security.ubuntu.com/ubuntu focal-security multiverse + ########## + # CHISEL # + ########## - -chisel_server: false \ No newline at end of file +chisel_server: false +chisel_basic_auth: user:pass +chisel_version: 1.8.1 +chisel_server_host: 163.172.84.28 +chisel_server_port: 8080 \ No newline at end of file diff --git a/host_vars/scaleway_fr.yml b/host_vars/scaleway_fr.yml index e888f89..e4ce31f 100644 --- a/host_vars/scaleway_fr.yml +++ b/host_vars/scaleway_fr.yml @@ -129,10 +129,13 @@ logrotate_scripts: # CHISEL # ########## +# SHOULD BE IN [server] GROUP chisel_server: true +chisel_version: 1.8.1 +chisel_basic_auth: "user:pass" chisel_service_name: chisel-server -chisel_config_name: chisel-server chisel_server_host: 163.172.84.28 +chisel_config_name: chisel-server chisel_server_port: 8080 chisel_proxychains_conf: # chisel enable socks5, reverse and basic auth diff --git a/hosts b/hosts index 3518f2d..4fd0365 100644 --- a/hosts +++ b/hosts @@ -2,11 +2,15 @@ ovh_fr ansible_host=37.187.127.90 ansible_user=stephane scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane -[ovh] -ovh_fr ansible_host=37.187.127.90 ansible_user=stephane - -[scaleway] +# TO KNOW WHOIS CHISEL SERVER +[server] scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane -[local] -vagrant ansible_host=192.168.33.10 ansible_user=vagrant ansible_password=vagrant \ No newline at end of file +; [ovh] +; ovh_fr ansible_host=37.187.127.90 ansible_user=stephane + +; [scaleway] +; scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane + +; [local] +; vagrant ansible_host=192.168.33.10 ansible_user=vagrant ansible_password=vagrant \ No newline at end of file
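Review bot: `chisel_basic_auth: user:pass` puts a plaintext credential into version-controlled host_vars, and the scaleway_fr hunk adds the same value again, this time quoted. Keep the variable name but source the value from an `ansible-vault`-encrypted file or an environment lookup, e.g. `chisel_basic_auth: "{{ lookup('env', 'CHISEL_AUTH') }}"`, and define it once at group level so server and client cannot drift apart (the perso.yml hunk removes exactly that single definition). For consistency between the two files, quote the version string as well, `chisel_version: "1.8.1"`; `chisel_server_host` is already read as a plain string.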
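Review bot: chisel.yml reads `hostvars[groups['server'][0]]`, so the new `[server]` group only works with exactly one member; say so above the group instead of the current `# TO KNOW WHOIS CHISEL SERVER`, e.g. `# chisel server: exactly one host, the playbook reads groups['server'][0]`. The commented-out `[local]` entry still carries `ansible_password=vagrant` in the repository; dead inventory lines, especially ones holding a password, are better removed than kept as `;` comments.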