Initial commit

2022-07-13 12:52:07 +02:00 · 2022-07-13 12:52:07 +02:00 · 0c5ee3d3d1
commit 0c5ee3d3d1
12 changed files with 292 additions and 0 deletions
--- a/tasks/local.yml
+++ b/tasks/local.yml
@ -0,0 +1,45 @@
+---
+- name: Install autossh
+  apt:
+    name: autossh
+    state: present
+    update_cache: yes
+
+- name: Ensure unprivileged ssh user exists
+  user:
+    name: "{{ ssh_tunnel_autossh_system_user }}"
+    system: true
+    state: present
+
+- name: Set user's ssh config
+  template:
+    src: local/ssh_config.j2
+    dest: "{{ ssh_tunnel_local_sshdir }}config"
+    owner: "{{ ssh_tunnel_autossh_system_user }}"
+    mode: 0644
+
+- name: Set private key
+  copy:
+    dest: "{{ ssh_tunnel_local_sshdir }}tunnel-key"
+    content: "{{ ssh_tunnel_privkey }}"
+    owner: "{{ ssh_tunnel_autossh_system_user }}"
+    mode: 0600
+
+- name: Set public key
+  copy:
+    dest: "{{ ssh_tunnel_local_sshdir }}tunnel-key.pub"
+    content: "{{ ssh_tunnel_pubkey }}"
+    owner: "{{ ssh_tunnel_autossh_system_user }}"
+    mode: 0644
+
+- name: Set systemd service file
+  become: yes
+  template:
+    src: local/autossh.service.j2
+    dest: "{{ ssh_tunnel_autossh_service_file }}"
+
+- name: Enable service and run it
+  service:
+    name: autossh
+    state: restarted
+    enabled: yes
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,28 @@
+---
+- name: Set OS dependent variables
+  ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+  vars:
+    params:
+      files:
+        - "{{ ansible_distribution | lower }}_{{ ansible_distribution_version | lower }}.yml"
+        - "{{ ansible_distribution | lower }}_{{ ansible_distribution_major_version | lower }}.yml"
+        - "{{ ansible_distribution | lower }}.yml"
+        - "{{ ansible_os_family | lower }}.yml"
+        - "{{ ansible_system | lower }}.yml"
+      paths:
+        - '{{ role_path }}/vars'
+  ignore_errors: True
+
+- name: OS is supported
+  ansible.builtin.assert:
+    that: __os_supported
+    quiet: True
+  vars:
+    __os_supported: "{{ lookup('vars', '{}_os_supported'.format(role_name)) | bool }}"
+
+
+- include_tasks: local.yml
+  when: location == "local"
+
+- include_tasks: remote.yml
+  when: location == "remote"
--- a/tasks/remote.yml
+++ b/tasks/remote.yml
@ -0,0 +1,125 @@
+---
+- name: Ensure unprivileged ssh user exists
+  user:
+    name: "{{ ssh_tunnel_sshd_unprivileged_user }}"
+    system: true
+    state: present
+
+- name: Set authorized_keys for unprivileged user
+  template:
+    src: remote/authorized_keys.j2
+    dest: "{{ ssh_tunnel_remote_sshdir }}authorized_keys"
+    owner: "{{ ssh_tunnel_sshd_unprivileged_user }}"
+    mode: 0600
+
+- name: Set sshd_config
+  become: yes
+  template:
+    src: remote/sshd_config.j2
+    dest: "{{ ssh_tunnel_sshd_conf_dir }}tunnel.conf"
+    mode: 0644
+    owner: root
+
+- name: Enable IPv4 forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- name: Enable IPv6 forwarding
+  sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- name: Enable IPv4 local network forwarding
+  sysctl:
+    name: net.ipv4.conf.all.route_localnet
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- name: Install iptables-persistent
+  apt:
+    name: iptables-persistent
+    update_cache: yes
+    state: present
+
+- name: Flush existing iptables entries (IPv4)
+  become: yes
+  iptables:
+    ip_version: ipv4
+    table: nat
+    flush: yes
+
+- name: Flush existing iptables entries (IPv6)
+  become: yes
+  iptables:
+    ip_version: ipv6
+    table: nat
+    flush: yes
+
+- name: Forward privileged ports to ephemeral localhost ports (IPv4, TCP)
+  become: yes
+  iptables:
+    ip_version: ipv4
+    table: nat
+    chain: PREROUTING
+    in_interface: eth0
+    protocol: tcp
+    destination_port: "{{ item.exposed_port }}"
+    jump: DNAT
+    to_destination: "127.0.0.1:{{ item.ephemeral_port }}"
+  loop: "{{ tunneled_ports }}"
+  when: "'tcp' in item.protocols"
+  notify: persist iptables
+
+- name: Forward privileged ports to ephemeral localhost ports (IPv4, UDP)
+  become: yes
+  iptables:
+    ip_version: ipv4
+    table: nat
+    chain: PREROUTING
+    in_interface: eth0
+    protocol: udp
+    destination_port: "{{ item.exposed_port }}"
+    jump: DNAT
+    to_destination: "127.0.0.1:{{ item.ephemeral_port }}"
+  loop: "{{ tunneled_ports }}"
+  when: "'udp' in item.protocols"
+  notify: persist iptables
+
+- name: Forward privileged ports to ephemeral localhost ports (IPv6, TCP)
+  become: yes
+  iptables:
+    ip_version: ipv6
+    table: nat
+    chain: PREROUTING
+    in_interface: eth0
+    protocol: tcp
+    destination_port: "{{ item.exposed_port }}"
+    jump: DNAT
+    to_destination: "[::1]:{{ item.ephemeral_port }}"
+  loop: "{{ tunneled_ports }}"
+  when: "'tcp' in item.protocols"
+  notify: persist iptables
+
+- name: Forward privileged ports to ephemeral localhost ports (IPv6, UDP)
+  become: yes
+  iptables:
+    ip_version: ipv6
+    table: nat
+    chain: PREROUTING
+    in_interface: eth0
+    protocol: udp
+    destination_port: "{{ item.exposed_port }}"
+    jump: DNAT
+    to_destination: "[::1]:{{ item.ephemeral_port }}"
+  loop: "{{ tunneled_ports }}"
+  when: "'udp' in item.protocols"
+  notify: persist iptables