#!/usr/bin/env ansible-playbook
---
# Pre-flight check on the Ansible controller: confirm that every locally built
# .deb the app and mon staging hosts expect (their `local_deb_packages` vars)
# is present under ../../build/<distro>/ before anything touches a server.
# NOTE(review): this is a presence check only — nothing here verifies a hash or
# signature of the packages, so the build tree is trusted as-is.
- name: Scrape build directory
  hosts: localhost
  environment:
    LC_ALL: C
  max_fail_percentage: 0
  any_errors_fatal: true
  tasks:
    # `find` lists every regular file in the distro build dir; the path is
    # relative, so it presumably resolves against the playbook directory
    # (local connection) — confirm if running from elsewhere.
    - name: Establish list of files in build/
      find:
        paths: "../../build/{{ securedrop_staging_install_target_distro }}"
      register: search_deb_results

    # expected_debs: union of the package lists declared for both staging hosts.
    # found_debs:    full paths of whatever `find` returned.
    # ci_builder:    controller username; not referenced in this playbook
    #                (the ci-tweaks condition below reads hostvars directly).
    - name: Record expected and discovered package lists
      set_fact:
        expected_debs: "{{hostvars['app-staging']['local_deb_packages'] + hostvars['mon-staging']['local_deb_packages']}}"
        found_debs: "{{ search_deb_results.files | map(attribute='path') | list }}"
        ci_builder: "{{ ansible_user_id }}"

    # Abort the whole run (any_errors_fatal) on the first missing package.
    - name: Fail if package is missing from build dir
      fail:
        msg: "run 'make build-debs' - ../../build/{{ securedrop_staging_install_target_distro }}/{{item}} missing"
      when: "'../../build/'+securedrop_staging_install_target_distro+'/'+item not in found_debs"
      with_items: "{{ expected_debs }}"
# Bootstrap both staging hosts. Facts are skipped here because the hosts may
# not yet have the prerequisites the fact gatherer needs; later plays gather.
- name: Prepare servers for installation
  hosts: staging
  environment:
    LC_ALL: C
  gather_facts: false
  max_fail_percentage: 0
  any_errors_fatal: true
  become: true
  roles:
    - role: prepare-servers
# Base provisioning of both staging hosts, run as root.
- name: Add FPF apt repository and install base packages.
  hosts: staging
  environment:
    LC_ALL: C
  max_fail_percentage: 0
  any_errors_fatal: true
  become: true
  roles:
    # CI-only adjustments, gated on the controller user being the CI account.
    - role: ci-tweaks
      when: "'sdci' == hostvars['localhost']['ansible_user_id']"

    # Configure the FPF apt repository (trust for upstream packages lives here).
    - role: install-fpf-repo
      tags:
        - fpfrepo

    # Hardened kernel; skipped when the `grsecurity` var is false.
    - role: grsecurity
      when: grsecurity
      tags:
        - grsec
        - grsecurity

    - role: common
      tags:
        - common

    - role: tor-hidden-services
      tags:
        - tor

    # Install the .debs checked for in the first play; controlled by
    # `install_local_packages`.
    - role: install-local-packages
      when: install_local_packages
      tags:
        - install_local_packages
        - rebuild
# Host intrusion detection (OSSEC) on both staging hosts.
- name: Configure OSSEC.
  hosts: staging
  environment:
    LC_ALL: C
  max_fail_percentage: 0
  any_errors_fatal: true
  become: true
  roles:
    - role: ossec
      tags:
        - ossec
# Outbound mail (postfix) is only needed on the monitor server.
- name: Configure mailing utilities.
  hosts: mon-staging
  environment:
    LC_ALL: C
  max_fail_percentage: 0
  any_errors_fatal: true
  become: true
  roles:
    - role: postfix
      tags:
        - postfix
# Application server only. `app-test` is staging-specific test tooling and
# should not appear in a production play.
- name: Configure SecureDrop Application Server.
  hosts: app-staging
  environment:
    LC_ALL: C
  max_fail_percentage: 0
  any_errors_fatal: true
  become: true
  roles:
    - role: app
      tags:
        - app
    - role: app-test
      tags:
        - app-test
# Apply the iptables ruleset. In staging, overrides defined in
# group_vars/staging.yml permit direct (non-Tor) SSH to the hosts; those
# overrides default to false in production so that SSH is only reachable
# over Tor. Keep that distinction: applying the staging group_vars to a
# production inventory would expose SSH directly.
- name: Configure host firewalls (with direct access for staging).
  hosts: staging
  environment:
    LC_ALL: C
  max_fail_percentage: 0
  any_errors_fatal: true
  become: true
  roles:
    - role: restrict-direct-access
      tags:
        - common
        - restrict-direct-access
# Final step: reboot so the new kernel and firewall state take effect.
# The role name suggests it only reboots on a first install — confirm in the
# role itself.
- name: Reboot Application and Monitor Servers.
  hosts: staging
  environment:
    LC_ALL: C
  max_fail_percentage: 0
  any_errors_fatal: true
  become: true
  roles:
    - role: reboot-if-first-install