From 7b61a7da7e95734c95d8fff9e63b9057cdf732b7 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 12 Aug 2024 17:44:10 -0500
Subject: [PATCH] r/useproxy: Configure system-wide proxy

The *useproxy* role configures the `http_proxy` et al. environmet variables for systemd services and interactive shells. Additionally, it configures Yum repositories to use a single mirror via the `baseurl` setting, rather than a list of mirrors via `metalink`, since the proxy a) the proxy only allows access to _dl.fedoraproject.org_ and b) the proxy caches RPM files, but this is only effective if all clients use the same mirror all the time.

The `useproxy.yml` playbook applies this role to servers in the *needproxy* group.
---
 group_vars/Fedora.yml | 10 ++++
 group_vars/needproxy.yml | 4 ++
 hosts | 2 +
 roles/useproxy/defaults/main.yml | 1 +
 roles/useproxy/handlers/main.yml | 6 +++
 roles/useproxy/tasks/main.yml | 73 +++++++++++++++++++++++++++
 roles/useproxy/templates/proxy.env.j2 | 16 ++++++
 useproxy.yml | 5 ++
 8 files changed, 117 insertions(+)
 create mode 100644 group_vars/Fedora.yml
 create mode 100644 group_vars/needproxy.yml
 create mode 100644 roles/useproxy/defaults/main.yml
 create mode 100644 roles/useproxy/handlers/main.yml
 create mode 100644 roles/useproxy/tasks/main.yml
 create mode 100644 roles/useproxy/templates/proxy.env.j2
 create mode 100644 useproxy.yml

diff --git a/group_vars/Fedora.yml b/group_vars/Fedora.yml
new file mode 100644
index 0000000..2be3a47
--- /dev/null
+++ b/group_vars/Fedora.yml
@@ -0,0 +1,10 @@
+useproxy_yum_repos:
+  - file: fedora
+    name: fedora
+    baseurl: http://dl.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
+  - file: fedora-cisco-openh264
+    name: fedora-cisco-openh264
+    baseurl: https://codecs.fedoraproject.org/openh264/$releasever/$basearch/os/
+  - file: fedora-updates
+    name: updates
+    baseurl: http://dl.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/
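Review bot: The `fedora` and `fedora-updates` entries use `http://dl.fedoraproject.org/...` while the openh264 entry uses `https://`, and because the role also strips `metalink` from these repos, the two plain-http repos lose both transport protection and the repomd checksum that the metalink used to supply. Plain http may be deliberate so the proxy can cache RPM bodies (as the commit message says), but then package integrity rests entirely on `gpgcheck=1` staying set in those `.repo` files, which nothing in this change asserts. If the proxy can relay `https://dl.fedoraproject.org`, changing the two `baseurl` values to `https://` restores transport integrity while keeping the single-mirror behaviour; if caching requires plaintext, a comment above the list such as `# plain http is intentional (caching proxy); integrity relies on gpgcheck=1 in each repo file` would record the trade-off for the next reader.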
diff --git a/group_vars/needproxy.yml b/group_vars/needproxy.yml
new file mode 100644
index 0000000..f7888b3
--- /dev/null
+++ b/group_vars/needproxy.yml
@@ -0,0 +1,4 @@
+http_proxy: http://proxy.pyrocufflink.blue:3128
+https_proxy: '{{ http_proxy }}'
+all_proxy: '{{ http_proxy }}'
+no_proxy: localhost,pyrocufflink.blue,*.pyrocufflink.blue,127.0.0.1,172.30.0.*,172.30.0.0/24
diff --git a/hosts b/hosts
index 0c83d2a..b70015b 100644
--- a/hosts
+++ b/hosts
@@ -81,6 +81,8 @@ burp-server
 [nfs-client:children]
 k8s-node
 
+[needproxy]
+
 [nextcloud]
 cloud0.pyrocufflink.blue
 
diff --git a/roles/useproxy/defaults/main.yml b/roles/useproxy/defaults/main.yml
new file mode 100644
index 0000000..56d5579
--- /dev/null
+++ b/roles/useproxy/defaults/main.yml
@@ -0,0 +1 @@
+useproxy_yum_repos: []
diff --git a/roles/useproxy/handlers/main.yml b/roles/useproxy/handlers/main.yml
new file mode 100644
index 0000000..41a6641
--- /dev/null
+++ b/roles/useproxy/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: reload systemd
+  systemd:
+    daemon_reload: true
+
+- name: reset connection
+  meta: reset_connection
diff --git a/roles/useproxy/tasks/main.yml b/roles/useproxy/tasks/main.yml
new file mode 100644
index 0000000..049a7af
--- /dev/null
+++ b/roles/useproxy/tasks/main.yml
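Review bot: The `no_proxy` value mixes forms that clients interpret differently: as far as I know the wildcard `*.pyrocufflink.blue`, the partial-octet `172.30.0.*` and the CIDR `172.30.0.0/24` are honoured by some consumers (recent curl and Go handle CIDR, for example) but ignored by others (Python's urllib only does suffix matching), so some programs on these hosts will still send internal traffic through the proxy. The portable subset is a bare domain suffix, which most implementations already apply to subdomains, plus explicit addresses; I would keep `localhost,127.0.0.1,pyrocufflink.blue,.pyrocufflink.blue`, list the individual 172.30.0.x hosts that must bypass the proxy, and note in a comment which consumer each remaining non-standard form is there for. The value is also unquoted while the two aliases above are quoted; quoting it (`no_proxy: '...'`) guards against a future edit that starts the list with `*`, which YAML would read as an alias.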
@@ -0,0 +1,73 @@
+- name: ensure environment.d directory exists
+  file:
+    path: /etc/environment.d
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+    - config
+- name: ensure proxy environment variables are set
+  template:
+    src: proxy.env.j2
+    dest: /etc/environment.d/40-proxy.env
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+    - config
+
+- name: ensure /etc/environment is assembled
+  assemble:
+    src: /etc/environment.d
+    dest: /etc/environment
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+    - reset connection
+  tags:
+    - config
+
+- name: ensure systemd default service drop-in directory exists
+  file:
+    path: /etc/systemd/system/service.d
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+    - systemd
+- name: ensure proxy is configured for systemd services
+  copy:
+    dest: /etc/systemd/system/service.d/40-proxy.conf
+    content: |
+      [Service]
+      EnvironmentFile=-/etc/environment.d/40-proxy.env
+  notify:
+    - reload systemd
+  tags:
+    - systemd
+
+- name: ensure yum repos are configured to use baseurl
+  ini_file:
+    path: /etc/yum.repos.d/{{ item.file }}.repo
+    section: '{{ item.name }}'
+    option: baseurl
+    value: '{{ item.baseurl }}'
+    state: present
+  loop: '{{ useproxy_yum_repos }}'
+  tags:
+    - yum
+- name: ensure yum repos are configured to not use metalink
+  ini_file:
+    path: /etc/yum.repos.d/{{ item.file }}.repo
+    section: '{{ item.name }}'
+    option: metalink
+    state: absent
+  loop: '{{ useproxy_yum_repos }}'
+  tags:
+    - yum
+
+- name: flush handlers
+  meta: flush_handlers
diff --git a/roles/useproxy/templates/proxy.env.j2 b/roles/useproxy/templates/proxy.env.j2
new file mode 100644
index 0000000..8ae17a8
--- /dev/null
+++ b/roles/useproxy/templates/proxy.env.j2
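Review bot: Removing `metalink` in the second `yum`-tagged task drops the checksum dnf had for `repomd.xml`, and with the plain-http `baseurl` values from the Fedora group vars nothing in these tasks ensures each repo's `gpgcheck` is still enabled, so a repo file that was edited or shipped with signature checking off would now be trusted on nothing but the proxy's word. I would add a third `ini_file` task in the same loop that pins `gpgcheck` to `1`, and consider `repo_gpgcheck` as well if the mirror publishes signed metadata (I cannot see the existing `.repo` contents from this diff). Separately, `40-proxy.env` and the assembled `/etc/environment` are world-readable (`go=r`), which is fine only as long as `http_proxy` never carries credentials in the URL; a short comment on the template task stating that assumption would keep a later change from silently exposing them.
```yaml
# … unchanged: baseurl / metalink tasks …
- name: ensure yum repos keep package signature checking enabled
  ini_file:
    path: /etc/yum.repos.d/{{ item.file }}.repo
    section: '{{ item.name }}'
    option: gpgcheck
    value: '1'
    state: present
  loop: '{{ useproxy_yum_repos }}'
  tags:
    - yum
# … unchanged: flush handlers …
```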
@@ -0,0 +1,16 @@
+{% if http_proxy|d %}
+http_proxy={{ http_proxy }}
+HTTP_PROXY={{ http_proxy }}
+{% endif %}
+{% if https_proxy|d %}
+https_proxy={{ https_proxy }}
+HTTPS_PROXY={{ https_proxy }}
+{% endif %}
+{% if all_proxy|d %}
+all_proxy={{ all_proxy }}
+ALL_PROXY={{ all_proxy }}
+{% endif %}
+{% if no_proxy %}
+no_proxy={{ no_proxy }}
+NO_PROXY={{ no_proxy }}
+{% endif %}
diff --git a/useproxy.yml b/useproxy.yml
new file mode 100644
index 0000000..471496e
--- /dev/null
+++ b/useproxy.yml
@@ -0,0 +1,5 @@
+- import_playbook: dyngroups.yml
+
+- hosts: needproxy
+  roles:
+    - useproxy
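Review bot: The last condition, `{% if no_proxy %}`, lacks the `|d` default that the three conditions above it use, so on a host where `no_proxy` is not defined the template fails to render under Ansible's default strict-undefined handling instead of simply omitting the two lines; change it to `{% if no_proxy|d %}`. The values are written unquoted, which matters because both pam_env (`/etc/environment`) and systemd's `EnvironmentFile=` apply their own quoting rules; the current proxy URL and `no_proxy` list contain nothing those parsers treat specially, but a comment at the top of the template noting that values must stay free of spaces and quotes would document the constraint.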
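Review bot: The play writes under `/etc` and `/etc/systemd/system` but does not set `become: true`, so unless privilege escalation is enabled globally in `ansible.cfg` or the inventory (not visible here) every task in the role fails on permissions; add `become: true` under `- hosts: needproxy`. `dyngroups.yml` is imported first, presumably so that the `Fedora` group consumed by `group_vars/Fedora.yml` exists before the role runs; a one-line comment above the import saying so would save the next reader a lookup.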