kotoyuuko
/
ansible-proxy


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201
							---
- name: Create trojan service user
  ansible.builtin.user:
    name: "{{ trojan_user }}"
    system: yes
    shell: /usr/sbin/nologin
    create_home: no

- name: Create trojan config directory
  ansible.builtin.file:
    path: "{{ trojan_config_path | dirname }}"
    state: directory
    owner: "{{ trojan_user }}"
    group: "{{ trojan_user }}"
    mode: "0750"

- name: Download trojan-go binary
  ansible.builtin.get_url:
    url: "https://github.com/p4gefau1t/trojan-go/releases/download/v{{ trojan_version }}/trojan-go-linux-amd64.zip"
    dest: /tmp/trojan-go.zip
    mode: "0644"

- name: Create extraction directory
  ansible.builtin.file:
    path: /tmp/trojan-go-extract/
    state: directory
    mode: "0755"

- name: Extract trojan-go binary
  ansible.builtin.unarchive:
    src: /tmp/trojan-go.zip
    dest: /tmp/trojan-go-extract/
    remote_src: yes
    creates: /tmp/trojan-go-extract/trojan-go

- name: Install trojan-go binary
  ansible.builtin.copy:
    src: /tmp/trojan-go-extract/trojan-go
    dest: "{{ trojan_bin_path }}"
    remote_src: yes
    owner: root
    group: root
    mode: "0755"
  notify: restart trojan

- name: Grant CAP_NET_BIND_SERVICE to trojan-go
  community.general.capabilities:
    path: "{{ trojan_bin_path }}"
    capability: cap_net_bind_service=+ep
    state: present

- name: Clean up downloaded archive
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /tmp/trojan-go.zip
    - /tmp/trojan-go-extract

- name: Install certbot
  ansible.builtin.apt:
    name:
      - certbot
    state: present

- name: Obtain Let's Encrypt certificate
  ansible.builtin.command:
    cmd: >
      certbot certonly --standalone
      --non-interactive --agree-tos
      --email {{ certbot_email }}
      -d {{ trojan_domain }}
    creates: "/etc/letsencrypt/live/{{ trojan_domain }}/fullchain.pem"

- name: Grant trojan user read access to TLS certificates
  ansible.builtin.file:
    path: /etc/letsencrypt
    state: directory
    mode: "0755"

- name: Ensure live directory is accessible
  ansible.builtin.file:
    path: "/etc/letsencrypt/live/{{ trojan_domain }}"
    state: directory
    mode: "0755"

- name: Ensure archive directory is accessible
  ansible.builtin.file:
    path: "/etc/letsencrypt/archive/{{ trojan_domain }}"
    state: directory
    mode: "0755"

- name: Deploy certbot renewal hook for trojan
  ansible.builtin.copy:
    dest: /etc/letsencrypt/renewal-hooks/post/trojan-go.sh
    content: |
      #!/bin/bash
      mkdir -p /etc/trojan-go/tls
      cp /etc/letsencrypt/live/{{ trojan_domain }}/fullchain.pem /etc/trojan-go/tls/fullchain.pem
      cp /etc/letsencrypt/live/{{ trojan_domain }}/privkey.pem /etc/trojan-go/tls/privkey.pem
      chown -R {{ trojan_user }}:{{ trojan_user }} /etc/trojan-go/tls
      systemctl reload trojan-go
    owner: root
    group: root
    mode: "0755"

- name: Copy initial TLS certificates to trojan-owned directory
  ansible.builtin.shell: |
    mkdir -p /etc/trojan-go/tls
    cp /etc/letsencrypt/live/{{ trojan_domain }}/fullchain.pem /etc/trojan-go/tls/fullchain.pem
    cp /etc/letsencrypt/live/{{ trojan_domain }}/privkey.pem /etc/trojan-go/tls/privkey.pem
    chown -R {{ trojan_user }}:{{ trojan_user }} /etc/trojan-go/tls
  args:
    creates: /etc/trojan-go/tls/privkey.pem
  notify: restart trojan

- name: Deploy trojan-go configuration
  ansible.builtin.template:
    src: config.json.j2
    dest: "{{ trojan_config_path }}"
    owner: "{{ trojan_user }}"
    group: "{{ trojan_user }}"
    mode: "0640"
  notify: restart trojan

- name: Deploy trojan-go systemd unit
  ansible.builtin.template:
    src: trojan-go.service.j2
    dest: /etc/systemd/system/trojan-go.service
    owner: root
    group: root
    mode: "0644"
  notify: restart trojan

- name: Install nginx for Trojan fallback
  ansible.builtin.apt:
    name:
      - nginx
    state: present

- name: Deploy nginx fallback config
  ansible.builtin.template:
    src: nginx-fallback.conf.j2
    dest: /etc/nginx/conf.d/trojan-fallback.conf
    owner: root
    group: root
    mode: "0644"
  notify: restart nginx

- name: Create fallback web root
  ansible.builtin.file:
    path: /var/www/trojan-fallback
    state: directory
    owner: www-data
    group: www-data
    mode: "0755"

- name: Deploy fallback index page
  ansible.builtin.copy:
    content: |
      <!DOCTYPE html>
      <html>
      <head><title>Welcome</title></head>
      <body><h1>Welcome</h1></body>
      </html>
    dest: /var/www/trojan-fallback/index.html
    owner: www-data
    group: www-data
    mode: "0644"
  notify: restart nginx

- name: Remove default nginx site
  ansible.builtin.file:
    path: /etc/nginx/sites-enabled/default
    state: absent
  notify: restart nginx

- name: Enable and start nginx
  ansible.builtin.systemd:
    name: nginx
    enabled: yes
    state: started

- name: Enable and start trojan-go service
  ansible.builtin.systemd:
    name: trojan-go
    daemon_reload: yes
    enabled: yes
    state: started

- name: Enable certbot auto-renewal timer
  ansible.builtin.systemd:
    name: certbot.timer
    enabled: yes
    state: started

- name: Allow Trojan port through UFW
  community.general.ufw:
    rule: allow
    port: "{{ trojan_port }}"
    proto: tcp