
1. Project Scaffolding

  • 1.1 Initialize Ansible project structure (ansible.cfg, site.yml, roles/)
  • 1.2 Create .gitignore (inventory files, credentials, users.yml, output/)
  • 1.3 Create inventory/hosts.yml.example with servers, snell, trojan groups
  • 1.4 Create group_vars/all.yml with base variables and Python interpreter setting
  • 1.5 Create users.yml.example with trojan_users list template
  • 1.6 Create credentials/ directory placeholder with .gitkeep
  • 1.7 Create README.md with project overview and usage instructions

2. Base Role (roles/base/)

  • 2.1 Create roles/base/tasks/main.yml with package installation task
  • 2.2 Implement SSH hardening tasks (disable password auth, disable root login, set custom port)
  • 2.3 Implement UFW configuration tasks (default deny, allow SSH port)
  • 2.4 Implement fail2ban configuration and SSH jail
  • 2.5 Implement unattended-upgrades configuration
  • 2.6 Add SSH handler for sshd restart
  • 2.7 Add UFW handler for firewall reload
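An added example, not the project's own roles/base files, showing how tasks 2.2, 2.3, 2.6 and 2.7 fit together; the variable name `ssh_port`, the handler names and a Debian/Ubuntu target (service name `ssh`) are assumptions. The ordering matters for not locking yourself out: sshd_config is validated before the restart handler can fire, and the custom SSH port is allowed in UFW before the default-deny policy is enabled.

```yaml
# --- roles/base/tasks/main.yml (excerpt, added example) ---
# ssh_port is an assumed variable, e.g. set in group_vars/all.yml
- name: Harden sshd_config (disable password auth and root login, set custom port)
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "^#?{{ item.key }}\\s"          # replace the directive whether commented or not
    line: "{{ item.key }} {{ item.value }}"
    validate: "/usr/sbin/sshd -t -f %s"     # refuse a file sshd cannot parse, so the restart never breaks login
  loop:
    - { key: PasswordAuthentication, value: "no" }
    - { key: PermitRootLogin, value: "no" }
    - { key: Port, value: "{{ ssh_port }}" }
  notify: restart sshd

- name: Allow the custom SSH port before the firewall is enabled
  community.general.ufw:
    rule: allow          # 'limit' would additionally rate-limit repeated connection attempts
    port: "{{ ssh_port }}"
    proto: tcp
  notify: reload ufw

- name: Set default deny for incoming traffic and enable UFW
  community.general.ufw:
    state: enabled
    policy: deny
    direction: incoming

# --- roles/base/handlers/main.yml (added example) ---
- name: restart sshd
  ansible.builtin.service:
    name: ssh            # 'sshd' on RHEL-family hosts
    state: restarted

- name: reload ufw
  community.general.ufw:
    state: reloaded
```

On Ubuntu releases whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, drop-ins there (cloud-init's 50-cloud-init.conf, for example) take precedence over lines edited in the main file, so task 6.4 should also confirm that no drop-in re-enables password authentication.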

3. Snell Role (roles/snell/)

  • 3.1 Create roles/snell/tasks/main.yml with Snell binary download and install task
  • 3.2 Create roles/snell/templates/snell-server.conf.j2 with listen, psk, ipv6 settings
  • 3.3 Implement configuration file deployment task with proper permissions
  • 3.4 Create roles/snell/templates/snell.service.j2 systemd unit file
  • 3.5 Implement systemd service creation and start tasks
  • 3.6 Add UFW rule for Snell port
  • 3.7 Add auto-generated PSK logic via credentials/snell_psk lookup
  • 3.8 Add Snell service restart handler

4. Trojan Role (roles/trojan/)

  • 4.1 Create roles/trojan/tasks/main.yml with trojan-go binary download and install task
  • 4.2 Implement users.yml loading via include_vars at playbook level
  • 4.3 Create roles/trojan/templates/config.json.j2 with multi-user password array
  • 4.4 Implement configuration file deployment task with proper permissions
  • 4.5 Implement certbot TLS certificate provisioning tasks
  • 4.6 Implement certificate deploy-hook for auto-renewal copy and service reload
  • 4.7 Create roles/trojan/templates/trojan-go.service.j2 systemd unit with CAP_NET_BIND_SERVICE
  • 4.8 Implement systemd service creation and start tasks
  • 4.9 Add UFW rule for port 443
  • 4.10 Add Trojan service restart handler

5. Playbook Integration

  • 5.1 Create site.yml with plays: bootstrap, base (all), snell (snell group), trojan (trojan group)
  • 5.2 Add include_vars for users.yml in the Trojan play
  • 5.3 Verify handler triggers work correctly across roles
  • 5.4 Add ansible_python_interpreter: auto_silent to group_vars/all.yml

6. Testing and Validation

  • 6.1 Run ansible-playbook --check to validate syntax and task structure
  • 6.2 Verify all Jinja2 templates render without errors
  • 6.3 Confirm .gitignore covers all sensitive files (credentials/, users.yml, inventory/hosts.yml)
  • 6.4 Review that all spec requirements have corresponding task coverage