---
# Tasks that install the Nebula binaries under /opt/nebula and, when the
# debug console is enabled, prepare its SSH host key and authorized keys.

- name: Ensure cron is installed
  # Package name differs by family: Debian-derived distributions ship "cron",
  # every other family reaching this task is given "cronie". Why cron is
  # needed is not visible in this file — presumably a scheduled job defined
  # elsewhere in the role.
  package:
    state: present
    name: >-
      {{ 'cron' if ansible_facts.os_family == 'Debian' else 'cronie' }}

- name: Ensure /opt/nebula directory exists
  # Install root for the binaries and (when nebula_sshd_enabled) the SSH host
  # key generated further down. The directory itself is world-readable, so
  # anything secret placed in it relies on its own file mode, not the
  # directory's.
  file:
    path: /opt/nebula
    state: directory
    owner: root
    group: root
    mode: '0755'

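- name: Check for existing Nebula install
  stat:
    path: /opt/nebula/nebula
  register: installed_nebula_stats

- name: Get Nebula version (if installed)
  # Executes the already-installed binary as the play's user. /opt/nebula is
  # root-owned and the binary is forced to root:root 0700 by the permissions
  # task below, so this is not user-writable code. A non-zero exit is
  # tolerated here and dealt with by the parsing step.
  command: /opt/nebula/nebula -version
  register: installed_nebula_version_out
  changed_when: false
  failed_when: false
  when: installed_nebula_stats.stat.exists

- name: Extract Nebula version from command output
  # Assumes `nebula -version` prints one line like "Version: x.y.z" and keeps
  # the second token. The fact is only set when the command succeeded and
  # produced at least two tokens; previously a failed or empty run hit
  # "".split(' ')[1] and aborted the play with an IndexError inside the
  # template, instead of simply leaving installed_nebula_version undefined
  # for the install step to act on.
  set_fact:
    installed_nebula_version: "{{ installed_nebula_version_out.stdout.split(' ')[1] }}"
  when:
    - installed_nebula_stats.stat.exists
    - installed_nebula_version_out.rc | default(1) == 0
    - (installed_nebula_version_out.stdout | default('')).split(' ') | length > 1
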
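# ✅ FIX START
- name: Install or upgrade Nebula
  # Re-install whenever the installed version is unknown or differs: an
  # undefined installed_nebula_version (no binary, or `nebula -version`
  # failed) must not be mistaken for "already current", which is what the
  # old `default(nebula_version)` did for a present-but-broken binary.
  when: installed_nebula_version | default('') != nebula_version
  block:
    - name: Create a private scratch directory for the download
      # mkdtemp() yields a 0700 directory with an unpredictable name. The old
      # fixed /tmp/nebula-<version>.tar.gz path was world-writable territory,
      # and get_url does not re-download an existing dest unless forced, so
      # an unprivileged local user could pre-plant an archive there for root
      # to extract into /opt/nebula.
      tempfile:
        state: directory
        suffix: -nebula
      register: nebula_download_dir

    - name: Download Nebula archive
      get_url:
        url: "https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-{{ nebula_architectures[ansible_facts.architecture] }}.tar.gz"
        dest: "{{ nebula_download_dir.path }}/nebula-{{ nebula_version }}.tar.gz"
        # Optional integrity pin: set nebula_checksum to "sha256:<hex>" (or
        # "sha256:<url>" of a sha256sum-style file, if the release publishes
        # one). Without it the archive is trusted exactly as served over TLS.
        checksum: "{{ nebula_checksum | default(omit) }}"
        mode: '0600'

    - name: Extract Nebula
      # Extracted as root straight into /opt/nebula; the checksum pin above is
      # the only thing vouching for the archive's contents.
      unarchive:
        src: "{{ nebula_download_dir.path }}/nebula-{{ nebula_version }}.tar.gz"
        dest: /opt/nebula
        remote_src: true
        owner: root
        group: root
      notify: restart nebula
  always:
    - name: Remove the download scratch directory
      # Runs even if the download or extraction failed, so no archive is left
      # behind. Guarded because tempfile itself may have failed.
      file:
        path: "{{ nebula_download_dir.path }}"
        state: absent
      when: nebula_download_dir.path is defined
# ✅ FIX END
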
- name: Ensure Nebula binaries permissions are correct
  # Root-only read/execute on both binaries, asserted on every run regardless
  # of whatever modes the release tarball carried.
  file:
    path: "/opt/nebula/{{ nebula_binary }}"
    owner: root
    group: root
    mode: '0700'
  loop:
    - nebula
    - nebula-cert
  loop_control:
    loop_var: nebula_binary

- name: Generate SSH host key for Nebula debug console
  # Host identity for Nebula's built-in sshd, created only when the operator
  # has opted in via nebula_sshd_enabled. The argv form passes the empty
  # passphrase (-N "") as a literal empty argument with no shell-style
  # re-splitting. The key is never regenerated once the file exists.
  command:
    argv:
      - ssh-keygen
      - "-t"
      - ed25519
      - "-f"
      - /opt/nebula/ssh_host_ed25519_key
      - "-N"
      - ""
    creates: /opt/nebula/ssh_host_ed25519_key
  when: nebula_sshd_enabled

- name: Set SSH host key permissions
  # Root-only on both halves. Only the private key needs to be secret; the
  # .pub gets the same mode simply because both files are treated alike.
  file:
    path: "/opt/nebula/{{ key_file }}"
    owner: root
    group: root
    mode: '0600'
  loop:
    - ssh_host_ed25519_key
    - ssh_host_ed25519_key.pub
  loop_control:
    loop_var: key_file
  when: nebula_sshd_enabled

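- name: Read SSH key files and build registry
  # Builds nebula_sshd_key_registry: {user: [public key text, ...]} from
  # nebula_sshd_authorized_users[*].key_files. NOTE(review): slurp reads the
  # key_files paths on the managed host, not the controller — confirm that is
  # where the operator keeps them.
  when: nebula_sshd_enabled
  block:
    - name: Read all SSH key files
      # Missing or unreadable files are skipped silently (failed_when: false),
      # so a typo in a key path quietly leaves that key out of the registry;
      # the user is then simply not authorized, which fails closed.
      slurp:
        src: "{{ item.1 }}"
      register: ssh_key_files
      failed_when: false
      loop: "{{ nebula_sshd_authorized_users | subelements('key_files', skip_missing=True) }}"

    - name: Refuse key files that do not look like an OpenSSH public key
      # The file contents go verbatim into the registry, so a key_files entry
      # that mistakenly points at a private key, or at an empty/garbage file,
      # would be shipped as an authorized key. Require the "<type> <base64>"
      # shape every OpenSSH public-key line has (an options prefix such as
      # from="..." still matches) and reject PEM private-key material.
      assert:
        that:
          - "'PRIVATE KEY' not in key_text"
          - key_text is match('^\\S+ \\S+')
        fail_msg: "{{ result.item.1 }} for user {{ result.item.0.user }} does not contain an OpenSSH public key"
        quiet: true
      vars:
        key_text: "{{ result.content | b64decode | trim }}"
      loop: "{{ ssh_key_files.results | selectattr('content', 'defined') | list }}"
      loop_control:
        loop_var: result
        label: "{{ result.item.1 }}"

    - name: Build SSH key registry by username
      # set_fact inside a loop accumulates: each iteration appends one key to
      # the user's list in the registry built by the previous iterations.
      set_fact:
        nebula_sshd_key_registry: >-
          {{ nebula_sshd_key_registry | default({}) | combine({
            result.item.0.user: (nebula_sshd_key_registry | default({})).get(result.item.0.user, []) +
            [result.content | b64decode | trim]
          }) }}
      loop: "{{ ssh_key_files.results | selectattr('content', 'defined') | list }}"
      loop_control:
        loop_var: result
        label: "{{ result.item.0.user }}"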