├── .travis.yml
├── LICENSE
├── README.md
├── defaults
│   └── main.yml
├── files
│   └── cloudflared.service
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── tasks
│   ├── install_binary.yml
│   ├── install_package.yml
│   └── main.yml
├── templates
│   └── cloudflared.j2
├── tests
│   ├── inventory
│   └── test.yml
└── vars
    └── main.yml

/.travis.yml:
--------------------------------------------------------------------------------
---
# Travis CI: syntax-check the role, run it twice (the second run is the
# idempotence check), run it once more with a privileged port, then make sure
# the installed binary is on PATH. Tasks tagged "systemd" are skipped because
# the CI container has no init system.
language: python
python: "2.7"

env:
  - TESTBOOK=test.yml

before_install:
  - sudo apt-get update -qq

install:
  # Workaround for ssl exception: fetch the .deb ahead of time into /tmp,
  # presumably so the role's own download task (which writes to the same
  # /tmp/<filename> path) finds an existing file and does not re-fetch it.
  # NOTE(review): the fetched package is not verified against any published
  # checksum — each build installs whatever the URL serves at that moment.
  - wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb -P /tmp/

  # Install Ansible (unpinned: every build takes the newest release on PyPI).
  - pip install ansible

  # Add ansible.cfg to pick up roles path.
  - "{ echo '[defaults]'; echo 'roles_path = ../'; } >> ansible.cfg"

script:
  # Check the role/playbook's syntax.
  - "ansible-playbook -i tests/inventory tests/$TESTBOOK --syntax-check"
  # Run role and ensure it completes successfully.
  - "ansible-playbook -i tests/inventory tests/$TESTBOOK --skip-tags systemd"
  # Check setting ansible port (a privileged one, so the capability task runs).
  - "ansible-playbook -i tests/inventory tests/$TESTBOOK --extra-vars 'cloudflared_port=53' --skip-tags systemd"
  # Run role again and check for idempotence: the recap must show no task
  # reporting "changed" and none "failed".
  - "ansible-playbook -i tests/inventory tests/$TESTBOOK --skip-tags systemd | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1)"
  # Check cloudflared has been installed correctly (binary resolves and runs).
  - "cloudflared"
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 Ben Dews

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
22 | -------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
[![Build Status](https://travis-ci.org/bendews/ansible-cloudflared.svg?branch=master)](https://travis-ci.org/bendews/ansible-cloudflared)

# cloudflared

This role simplifies the process of installing and enabling the `cloudflared` package. It is commonly used as a DNS-Over-HTTPS proxy for the Cloudflare [1.1.1.1 service](https://blog.cloudflare.com/announcing-1111/).

## Requirements

- Python >= 2.6
- Ansible >= 2.4
- systemd

## Role Variables

Available variables are listed below, along with their default values (see `defaults/main.yml` for more variables that can be modified).

```yaml
cloudflared_allow_firewall: false
cloudflared_enable_service: true
cloudflared_upstream: "https://1.1.1.1/dns-query"
cloudflared_port: 5053
cloudflared_options: "proxy-dns --port {{ cloudflared_port }} --upstream {{ cloudflared_upstream }}"
cloudflared_bin_location: "/usr/local/bin"
```

# Example Playbook

```yaml
- hosts: servers
  tasks:
    - name: Install and Configure cloudflared
      include_role:
        name: bendews.cloudflared
      vars:
        cloudflared_allow_firewall: false
        cloudflared_enable_service: false
        cloudflared_port: 5053
```

# TODO:

- None

# License

MIT

# Author Information

Created in 2018 by [Ben Dews](https://bendews.com)
-------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | cloudflared_base_url: "https://bin.equinox.io/c/VdrWdbjqyF/" 3 | 4 | cloudflared_amd64_apt: "cloudflared-stable-linux-amd64.deb" 5 | cloudflared_amd64_yum: "cloudflared-stable-linux-amd64.rpm" 6 | 
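cloudflared_amd64_binary: "cloudflared-stable-linux-amd64.tgz"

cloudflared_arm_apt: "cloudflared-stable-linux-arm.deb"
cloudflared_arm_yum: "cloudflared-stable-linux-arm.rpm"
cloudflared_arm_binary: "cloudflared-stable-linux-arm.tgz"

# Optional integrity check for the downloaded artifact: a map from artifact
# filename (e.g. "cloudflared-stable-linux-amd64.deb") to a get_url checksum
# in "<algorithm>:<hex>" form. Empty by default, which means no verification.
# The "stable" URLs above are unversioned, so a pinned hash goes stale when a
# new build is published and has to be refreshed deliberately.
cloudflared_checksums: {}

cloudflared_allow_firewall: false
cloudflared_enable_service: true
cloudflared_upstream: "https://1.1.1.1/dns-query"
cloudflared_port: 5053

cloudflared_options: "proxy-dns --port {{ cloudflared_port }} --upstream {{ cloudflared_upstream }}"

cloudflared_bin_location: /usr/local/bin
--------------------------------------------------------------------------------
/files/cloudflared.service:
--------------------------------------------------------------------------------
[Unit]
Description=cloudflared service
# Start once the network is actually up. Wants= is what pulls
# network-online.target in; After= on its own only orders against it.
# (syslog.target is obsolete and was dropped.)
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=nobody
# Runtime arguments come from the role's template (CLOUDFLARED_OPTS).
EnvironmentFile=/etc/default/cloudflared
# NOTE(review): this path is fixed while the role exposes
# cloudflared_bin_location — the two must agree.
ExecStart=/usr/local/bin/cloudflared $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process
# Confine the unprivileged service: /usr, /boot and /etc read-only, no access
# to home directories, a private /tmp. NoNewPrivileges is deliberately not
# set: file capabilities (the role sets cap_net_bind_service on the binary
# for ports below 1024) are not honored under no_new_privs.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Restart the unit (re-applying the enable flag) after its config or unit
# file changes.
- name: restart cloudflared service
  service:
    name: cloudflared
    enabled: "{{ cloudflared_enable_service }}"
    state: restarted
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
---
galaxy_info:
  author: Ben Dews
  description: Install cloudflared and systemd service for DNS-Over-HTTPS
  company: https://bendews.com
  license: MIT

  min_ansible_version: 2.4

  platforms:
    - name: EL
      versions:
        - 6
        - 7
    - name: Debian
      versions:
        - all
    - name: Ubuntu
      versions:
        - all

  galaxy_tags:
    - "cloudflare"
    - "cloudflared"
    - "https"
    - "dns"
    - "DoH"
    - "DNS-Over-HTTPS"
    - "systemd"
    - "init"

dependencies: []
--------------------------------------------------------------------------------
/tasks/install_binary.yml:
--------------------------------------------------------------------------------
---
# Fallback install: download the .tgz for this architecture and unpack the
# binary into cloudflared_bin_location.
- name: build filename of file to be downloaded
  set_fact:
    cloudflared_file: "{{ vars['cloudflared_'+device_arch+'_binary'] }}"

# NOTE(review): /tmp is world-writable and the destination name is
# predictable. get_url reuses an existing file at dest unless a checksum is
# given (presumably what .travis.yml relies on when it pre-fetches the .deb),
# so the checksum below is what guards against a planted or stale file —
# without an entry in cloudflared_checksums the download is unverified.
- name: download correct file for device
  get_url:
    url: "{{ cloudflared_base_url }}{{ cloudflared_file }}"
    dest: "/tmp/{{ cloudflared_file }}"
    checksum: "{{ (cloudflared_checksums | default({})).get(cloudflared_file) | default(omit, true) }}"

- name: extract cloudflared into /usr/local/bin
  unarchive:
    src: "/tmp/{{ cloudflared_file }}"
    dest: "{{ cloudflared_bin_location }}"
    remote_src: yes
--------------------------------------------------------------------------------
/tasks/install_package.yml:
--------------------------------------------------------------------------------
---
# Preferred install: the native .deb/.rpm for this architecture and package
# manager. Failures are tolerated on purpose — tasks/main.yml registers the
# result as pkg_mgr_output and falls back to install_binary.yml when it failed.
- name: build filename of file to be downloaded
  set_fact:
    cloudflared_file: "{{ vars['cloudflared_'+device_arch+'_'+ansible_pkg_mgr] }}"

# Same /tmp and verification caveats as in install_binary.yml: an entry in
# cloudflared_checksums is the only integrity check on this download.
- name: download correct file for device
  get_url:
    url: "{{ cloudflared_base_url }}{{ cloudflared_file }}"
    dest: "/tmp/{{ cloudflared_file }}"
    checksum: "{{ (cloudflared_checksums | default({})).get(cloudflared_file) | default(omit, true) }}"

- name: Install a .deb package
  apt:
    deb: "/tmp/{{ cloudflared_file }}"
    state: present
  register: pkg_mgr_output
  ignore_errors: true
  when: ansible_pkg_mgr == 'apt'

- name: Install a .rpm package
  yum:
    name: "/tmp/{{ cloudflared_file }}"
    state: present
  register: pkg_mgr_output
  ignore_errors: true
  when: ansible_pkg_mgr == 'yum'
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------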
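---
# Detect an existing install so the download/install steps only run once.
- stat:
    path: "{{ cloudflared_bin_location }}/cloudflared"
  register: cloudflared_binary

- set_fact:
    cloudflared_installed: "{{ cloudflared_binary.stat.exists | default(false) }}"

# Anything that is not x86_64 maps to the 32-bit "arm" artifacts; there is no
# arm64 artifact in defaults/main.yml.
- name: set device architecture and package manager vars
  set_fact:
    device_arch: "{{ 'amd64' if ansible_architecture == 'x86_64' else 'arm' }}"

# Prefer the native package on apt/yum hosts. install_package.yml registers
# pkg_mgr_output with ignore_errors so the binary fallback below can decide.
- name: install package
  import_tasks: install_package.yml
  when: (not cloudflared_installed) and (ansible_pkg_mgr == 'yum' or ansible_pkg_mgr == 'apt') and (ansible_architecture == 'x86_64' or ansible_architecture == 'arm')

- name: install binary
  import_tasks: install_binary.yml
  when: (not cloudflared_installed) and ((pkg_mgr_output is undefined or pkg_mgr_output is failed) or ansible_architecture == 'armv7l')

# Self-update from Cloudflare's release channel on every run. It runs BEFORE
# the capability task: a self-update rewrites the binary, which would drop a
# file capability set earlier. The binary is addressed by its configured
# location rather than relying on PATH.
# NOTE(review): whatever the update channel serves replaces the binary here,
# outside any checksum the install tasks applied.
# rc is an integer; the original comparison against the string '64' never
# matched, and without failed_when an rc of 64 failed the task outright.
# The author's convention that 64 means "updated" is kept: treat it as
# changed, and anything other than 0 or 64 as a failure.
- command: "{{ cloudflared_bin_location }}/cloudflared update"
  register: update_command
  changed_when: update_command.rc == 64
  failed_when: update_command.rc not in [0, 64]

# Privileged ports need CAP_NET_BIND_SERVICE because the unit runs as nobody.
- name: Set network capabilities for cloudflared
  capabilities:
    path: "{{ cloudflared_bin_location }}/cloudflared"
    capability: cap_net_bind_service+ep
    state: present
  when: cloudflared_port|int < 1024

# The unit reads its command-line arguments from this file, so it must not be
# writable by the service account (nobody); systemd reads it as root before
# dropping privileges, so root:root 0644 is sufficient. The original
# nobody:nogroup ownership let a compromised service rewrite its own
# arguments (e.g. the upstream resolver).
- name: template config file
  template:
    src: cloudflared.j2
    dest: /etc/default/cloudflared
    owner: root
    group: root
    mode: 0644
  notify: restart cloudflared service
  tags: systemd

- name: copy systemd service
  copy:
    src: cloudflared.service
    dest: /etc/systemd/system/
    owner: root
    group: root
    mode: 0644
  notify: restart cloudflared service
  register: service
  tags: systemd

# A new or changed unit file is not seen by systemd until units are reloaded;
# the service module used below and in the handler does not do this itself.
- name: reload systemd units
  systemd:
    daemon_reload: yes
  when: service.changed
  tags: systemd

- name: enable systemd service
  service:
    name: cloudflared
    enabled: "{{ cloudflared_enable_service }}"
  when: service.changed
  tags: systemd

# NOTE(review): ufw only. On the EL platforms listed in meta/main.yml this
# task fails when cloudflared_allow_firewall is set; firewalld is not handled.
- name: Allow port in firewall
  ufw:
    rule: allow
    port: "{{ cloudflared_port }}"
    comment: "allow cloudflared"
  when: cloudflared_allow_firewall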
--------------------------------------------------------------------------------
/templates/cloudflared.j2:
--------------------------------------------------------------------------------
# Commandline args for cloudflared
CLOUDFLARED_OPTS={{ cloudflared_options }}
--------------------------------------------------------------------------------
/tests/inventory:
--------------------------------------------------------------------------------
localhost
--------------------------------------------------------------------------------
/tests/test.yml:
--------------------------------------------------------------------------------
---
# CI playbook: apply the role to the local host with the firewall task and
# service enablement switched off, on the default unprivileged port.
- hosts: localhost
  connection: local
  become: yes
  tasks:

    - name: Test role with variables
      include_role:
        name: ../ansible-cloudflared
      vars:
        cloudflared_allow_firewall: false
        cloudflared_enable_service: false
        cloudflared_port: 5053
--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
---
# Intentionally empty: all tunables live in defaults/main.yml.
--------------------------------------------------------------------------------