From 625c1ee40a0a26a92b8e0e154675e8ca4e2a3027 Mon Sep 17 00:00:00 2001
From: Expand
Date: Tue, 12 Sep 2023 08:19:39 +1000
Subject: [PATCH] aaa
---
inventory | 8 ++++
main.ansible.yml | 93 +++++++++++++++++++++++++++++++++++++++
reverseproxy.ansible..yml | 53 ++++++++++++++++++++++
vars/default.yml | 11 +++++
4 files changed, 165 insertions(+)
create mode 100644 inventory
create mode 100644 main.ansible.yml
create mode 100644 reverseproxy.ansible..yml
create mode 100644 vars/default.yml
diff --git a/inventory b/inventory
new file mode 100644
index 0000000..65fd882
--- /dev/null
+++ b/inventory
@@ -0,0 +1,8 @@
+hostnode:
+ hosts:
+ 10.10.0.209:
+ vars: ansible_ssh_user=root ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+clients:
+ hosts:
+ 10.10.0.209:
+ vars: ansible_ssh_user=root ansible_ssh_common_args='-o StrictHostKeyChecking=no'
diff --git a/main.ansible.yml b/main.ansible.yml
new file mode 100644
index 0000000..495ce3b
--- /dev/null
+++ b/main.ansible.yml
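Review bot: `ansible_ssh_common_args='-o StrictHostKeyChecking=no'` on both groups turns off SSH host-key verification, so anything that can answer for 10.10.0.209 gets a root session and everything the playbook pushes through it, including the Teleport join token generated later; pre-seed the controller's known_hosts (or use `-o StrictHostKeyChecking=accept-new`, which pins the key on first contact) instead of disabling the check. The `vars:` entries are also written as a single `key=value` string, and the YAML inventory plugin appears to expect `vars` to be a mapping, so `ansible_ssh_user`/`ansible_ssh_common_args` may not be set at all; the mapping form would be `vars: {ansible_user: root, ansible_ssh_common_args: '-o StrictHostKeyChecking=accept-new'}`. Both groups point at the same host, which looks like a test setup — worth a comment if that is intentional.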
@@ -0,0 +1,93 @@
+---
+- hosts: "hostnode"
+ name: Teleport setup
+ vars:
+ become: true
+ pre_tasks:
+ - name: Load variables
+ ansible.builtin.include_vars: '{{ item }}'
+ with_first_found:
+ - "vars/default.yml"
+ tasks:
+ - name: Check if teleport is installed.
+ ansible.builtin.stat: "path=/usr/local/bin/teleport"
+ register: teleport_bin
+
+ - debug:
+ msg: "{{ teleport_bin }}"
+
+ - name: install teleport
+ ansible.builtin.shell:
+ cmd: 'curl https://goteleport.com/static/install.sh | bash -s 13.3.8'
+
+
+ - name:
+
+ - name: Ensure teleport has selected state and enabled on boot.
+ service:
+ name: 'teleport'
+ state: 'started'
+ enabled: yes
+
+ - name: Get teleport token
+ ansible.builtin.shell:
+ cmd: '/usr/local/bin/tctl tokens add --type=node --format=text'
+ executable: /bin/bash
+ register: token
+
+ - debug:
+ msg: token.stdout
+
+- hosts: "clients"
+ name: Client setup
+ vars:
+ become: true
+ pre_tasks:
+ - name: Load variables
+ ansible.builtin.include_vars: '{{ item }}'
+ with_first_found:
+ - "vars/default.yml"
+
+ tasks:
+ - name: Check if teleport is installed.
+ ansible.builtin.stat: "path=/usr/local/bin/teleport"
+ register: teleport_bin_clients
+
+ - name: install teleport
+ ansible.builtin.shell:
+ cmd: 'curl https://goteleport.com/static/install.sh | bash -s 13.3.8'
+ when: teleport_bin_clients.stat.exists == false
+
+ - name: remove existing config if exists
+ ansible.builtin.file:
+ path: /etc/teleport.yaml
+ state: absent
+
+ - name: Create teleport config
+ ansible.builtin.shell:
+ cmd: '/usr/local/bin/teleport node configure --output=file:///etc/teleport.yaml --token={{ token.stdout }} --proxy={{ groups["hostnode"] | map("extract", hostvars, ["inventory_hostname"]) }}:443'
+ executable: /bin/bash
+
+ - name: Ensure teleport has selected state and enabled on boot.
+ service:
+ name: 'teleport'
+ state: 'started'
+ enabled: yes
+
+ - name: open ports for teleport
+ ansible.builtin.shell:
+ cmd: 'ufw allow 3022/tcp && ufw allow 443/tcp'
+
+
+- hosts: "hostnode"
+ name: reverse proxy setup
+ vars:
+ become: true
+ pre_tasks:
+ - name: Load variables
+ ansible.builtin.include_vars: '{{ item }}'
+ with_first_found:
+ - "vars/default.yml"
+ tasks:
+ - include_tasks: reverseproxy.ansible.yml
+ when: {{ REVERSE_PROXY }}
diff --git a/reverseproxy.ansible..yml b/reverseproxy.ansible..yml
new file mode 100644
index 0000000..2b77257
--- /dev/null
+++ b/reverseproxy.ansible..yml
@@ -0,0 +1,53 @@
+---
+- name: install caddy from binary
+ ansible.builtin.get_url:
+ url: https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare&idempotency=54951177807414
+ dest: /usr/bin/caddy
+ mode: '0751'
+
+- name: create caddyfile
+ ansible.builtin.blockinfile:
+ block: |
+ {{ SUBDOMAIN }} {
+ reverse_proxy https://{{ ansible_default_ipv4.address }}:3022 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+ path: /etc/caddy/Caddyfile
+ create: true
+
+- name: creat Caddy systemd file
+ ansible.builtin.copy:
+ content: |
+ [Unit]
+ Description=Caddy
+ Documentation=https://caddyserver.com/docs/
+ After=network.target network-online.target
+ Requires=network-online.target
+
+ [Service]
+ Type=notify
+ User=root
+ Group=root
+ ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
+ ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
+ TimeoutStopSec=5s
+ LimitNOFILE=1048576
+ LimitNPROC=512
+ PrivateTmp=true
+ ProtectSystem=full
+ AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+
+ [Install]
+ WantedBy=multi-user.target
+ dest: /etc/caddy/Caddyfile
+
+- name: Start Caddy on startup
+ ansible.builtin.systemd_service:
+ name: 'caddy'
+ state: 'started'
+ enabled: yes
+ daemon_reload: true
+
\ No newline at end of file
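Review bot: The node join token from `tctl tokens add --type=node --format=text` is minted with whatever TTL tctl applies by default and then printed by the following `debug` task, so a long-lived join credential ends up in the play output and any log shipper, while the join itself happens seconds later; add `--ttl=5m` to the command, set `no_log: true` on the registering task, and drop the `debug` (its `msg: token.stdout` is an unquoted literal and prints the text "token.stdout" anyway). The client play then passes it as `--token={{ token.stdout }}` on the command line, which most likely exposes it to other local users via the process list for the task's duration; writing it to a root-only file and using `--token=/path` would avoid that. Both `install teleport` tasks run `curl … | bash` with no checksum or signature check, and the hostnode copy runs unconditionally even though `teleport_bin` was just registered, so consider `when: not teleport_bin.stat.exists` and a verified download. Finally, `when: {{ REVERSE_PROXY }}` at the end is parsed as a YAML flow mapping before Jinja sees it; `when` is already an expression, so it should read `when: REVERSE_PROXY | bool`, and the `--proxy=` value built with `map("extract", …)` appears to render a list rather than a host — `{{ groups["hostnode"][0] }}:443` is probably what was meant.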
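Review bot: The `creat Caddy systemd file` task writes the unit to `dest: /etc/caddy/Caddyfile`, which clobbers the Caddyfile created by the previous task and leaves no `caddy.service` for the `systemd_service` task to enable; the dest should be `/etc/systemd/system/caddy.service`. The Caddyfile proxies to `https://…:3022` with `tls_insecure_skip_verify`, yet elsewhere in this patch 3022 is the port the clients open for Teleport's node SSH service while the web listener is addressed as `:443`, so this looks like the wrong backend port, and skipping verification means Caddy will forward the browser session to whatever answers there; point it at the Teleport web listener and pin Teleport's certificate or CA rather than disabling verification. `get_url` fetches the Caddy binary with no `checksum:`, and the unit runs it as `User=root` with `CAP_NET_ADMIN`, neither of which a plain reverse proxy needs — a dedicated `caddy` user with only `CAP_NET_BIND_SERVICE` is the usual shape. Minor: `enabled: yes` should be `enabled: true`, and `mode: '0751'` on a binary is an unusual choice compared with `'0755'`.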
diff --git a/vars/default.yml b/vars/default.yml
new file mode 100644
index 0000000..53c321b
--- /dev/null
+++ b/vars/default.yml
@@ -0,0 +1,11 @@
+---
+#If you dont enable reverse proxy you will need to set up your certificates after install and restart teleport
+#key file location: /var/lib/teleport/webproxy_key.pem
+#cert file location: /var/lib/teleport/webproxy_cert.pem
+#run this when done("systemctl restart teleport")
+
+#if you do enable reverse proxy make sure your selected domain name is routed to that ip address and port forwarding is set to the teleport host for ports 80 and 443
+REVERSE_PROXY: true
+#subdomain is the subdomain you want tied to teleport for the reverse proxy this should also be your hostname for your teleport hostnode(use {your teleport hostname}.localhost to use an internal certificate)
+SUBDOMAIN: t.localhost
+
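Review bot: `REVERSE_PROXY` and `SUBDOMAIN` are upper-case, which breaks with the `snake_case` convention Ansible uses for variables and reads like environment variables; `reverse_proxy: true` and `subdomain: t.localhost` would match the rest of the playbook's naming. The comments would be easier to read as `# ` with a space and a capital, e.g. `# If you don't enable the reverse proxy, install your own certificate after setup and restart Teleport.`, and the claim that a `.localhost` name yields an internal certificate is Caddy behaviour that is worth naming explicitly so a reader knows which component issues it. A one-line note that these values are consumed by `reverseproxy.ansible.yml` would also help.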