Hi guys, worked on this last night. Thought it may be useful or cool to deploy a .onion url automatically in 7 commands.
I'm also aware it's not particularly good formatting but should work fine.
Notes/suggestions, in the interest of helping you get better at Ansible. I hope you find them helpful:
* It leaves your Apache bound on all interfaces, exposing where your files are really hosted. Security fail. (And because of the port conflict I doubt it even works in its current state.)
* It doesn't even work, due to the double "command" in "add keys". Only the second one will actually be run. (It's obvious you never tested on a fresh system. Learn about Vagrant next. It also has super-easy ansible integration. That fits the scenario really well too. Wouldn't that be awesome? "vagrant up" from any machine, wait a minute, and you have an .onion server in the Tor network?)
* Please spend 10 minutes and read the module list at https://docs.ansible.com/ansible/modules_by_category.html completely and use them. If you have to use "command" tasks (seldom the case), at least implement "changed_when" and think about if you need "when" and "failed_when". Also consider --check mode. You used command in cases where you could have used: apt, apt_repository, apt_key, service.
* Use the long key id in the --recv command too. The short will work even when there are conflicts, but it'll leave the additional (probably malicious) key in your local keyring, which may or may not confuse you later.
* The apparmor restart should be done in a handler, conditional on the config actually being changed. It also should use the "service" task.
* /home isn't the right place. Read the Filesystem Hierarchy Standard. Put the directory somewhere under /var or /srv.
* Add some blank lines for readability.
* As it is, your play isn't really reusable and not modular at all. It's ok since your intention clearly was just to show how easy it was to get Tor running. But if you want you could still turn it into a role.
* "state=directory owner=debian-tor mode=0700 recurse=yes" isn't really a good idea; it'll make all files executable too.
Getting automation right (whether via ansible, puppet, or whatever) requires careful attention to detail.
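The module-based rewrite the review above asks for, as an added example: this is not the playbook from the linked repository and not code posted by any commenter. It uses apt_key/apt_repository/apt/service instead of "command", a handler for restarts that only fires when the config changed, Apache bound to 127.0.0.1 only, directories under /var and /srv without a recursive 0700, and a single "command" task that carries changed_when. The Tor Project key fingerprint, the keyserver and the paths are assumptions marked as placeholders in the comments.

```yaml
---
# Added example, not the original repository's darkweb.yml.
# PLACEHOLDER values (key fingerprint, keyserver, paths) are assumptions.
- name: Deploy a Tor hidden service fronted by Apache on localhost only
  hosts: all
  become: true
  vars:
    # Full 40-hex fingerprint, never the short id (short ids can collide).
    torproject_key_id: "0000000000000000000000000000000000000000"  # PLACEHOLDER
    keyserver: keyserver.ubuntu.com                                 # assumption
    hidden_service_dir: /var/lib/tor/hidden_service                 # FHS: state under /var
    site_root: /srv/www/hidden_service                              # FHS: served data under /srv
  tasks:
    - name: Add Tor Project signing key by full fingerprint
      apt_key:
        keyserver: "{{ keyserver }}"
        id: "{{ torproject_key_id }}"

    - name: Add Tor Project apt repository
      apt_repository:
        repo: "deb https://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main"
        state: present
        update_cache: true

    - name: Install tor, the keyring package and apache2
      apt:
        name:
          - tor
          - deb.torproject.org-keyring
          - apache2
        state: present

    # Bind Apache to loopback so the clearnet side cannot reveal the host.
    - name: Make Apache listen on 127.0.0.1 only
      lineinfile:
        path: /etc/apache2/ports.conf
        regexp: '^Listen '
        line: 'Listen 127.0.0.1:80'
      notify: restart apache2

    # The directory itself is 0700 for tor; no "recurse", tor creates its own files.
    - name: Create the hidden service directory
      file:
        path: "{{ hidden_service_dir }}"
        state: directory
        owner: debian-tor
        group: debian-tor
        mode: "0700"

    - name: Create the web root (0755 dir, files get 0644 below)
      file:
        path: "{{ site_root }}"
        state: directory
        owner: www-data
        group: www-data
        mode: "0755"

    - name: Install a placeholder index page
      copy:
        dest: "{{ site_root }}/index.html"
        content: "<h1>hidden service up</h1>\n"
        owner: www-data
        group: www-data
        mode: "0644"

    # Handler fires only when this block actually changes torrc.
    - name: Configure the hidden service in torrc
      blockinfile:
        path: /etc/tor/torrc
        marker: "# {mark} ANSIBLE MANAGED hidden service"
        block: |
          HiddenServiceDir {{ hidden_service_dir }}
          HiddenServicePort 80 127.0.0.1:80
      notify: restart tor

    - name: Ensure services are enabled and running
      service:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - tor
        - apache2

    # Run pending restarts now so the hostname file exists before we read it.
    - meta: flush_handlers

    - name: Wait for tor to generate the .onion hostname
      wait_for:
        path: "{{ hidden_service_dir }}/hostname"
        timeout: 60

    # One legitimate "command": read-only, so it never reports "changed".
    - name: Read the .onion hostname
      command: cat {{ hidden_service_dir }}/hostname
      register: onion
      changed_when: false

    - name: Show the .onion address
      debug:
        msg: "Hidden service reachable at {{ onion.stdout }}"

  handlers:
    - name: restart tor
      service:
        name: tor
        state: restarted
    - name: restart apache2
      service:
        name: apache2
        state: restarted
```

Because the hidden service directory lives under /var/lib/tor, Debian's stock AppArmor profile for tor already permits it and no profile edit is needed; if one were, it would go through the same notify/handler pattern as the torrc block. Running with --check is safe: every task is a module that supports check mode, and the single command task is read-only and marked changed_when: false.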
I didn't know you policed HN and determined what was a waste of time. Last I recall, upvoting's purpose was that. Your arrogance is a detractor for others to grow and clearly you invested so much time to critique that you wasted your own time on something you didn't care about?
Kudos to you OP, you made something interesting and worth sharing. You've got this guy's attention. Please don't let other detractors mute your hacking.
What I meant isn't "don't share it". I meant "get it right before you share it".
I'd have thought the fact I spent a significant amount of time reviewing his implementation and giving well-meant comments would have made that clear. I have no interest in suppressing anyone's development -- the more everyone learns, the better for everyone. And I do care about that.
1. HN submissions are 1:many communication. Like, say, mailing lists. For which I've been taught that the sender should make an effort to send a good message. freddiearch didn't put in that effort (see post #11098621). I care about HN, and I'd prefer to see high-quality articles here.
2. Beginners learning about new techniques and then immediately going on to write a low-quality tutorial is a very common phenomenon on the internet. It makes it unnecessarily harder for other beginners, who can't tell. The code didn't work and had several major flaws. It's just not good code to learn Ansible from. (Except for freddiearch of course -- writing bad code, then improving it, is part of learning. Nothing wrong with that! Everyone starts small!)
(@freddiearch: If you read this: I really hope I didn't discourage you from learning about Ansible or anything.)
Also rndmh3ro I'm just testing your pull request on a fresh ubuntu machine to make sure it works but thanks for the improvements!
Thanks for all the positive responses to this. Hopefully I'll have time to work on some server hardening and similar improvements soon.
curl 'https://raw.githubusercontent.com/freddiebarrsmith/Ansible-Hidden-Service-Deployment/master/darkweb.yml' |grep -elinein -ecommand -e action|sed -e 's/command//' -e 's/action://' -e 's/ //g' -e 's/: //' -e 's/lineinfil.*t=/cat >>/' -e 's/line=/<<</' -e 's/ pkg=/-get -y --force-yes install /' -e 's/state=latest//' -e 's/t u/t-get -y u/' -e 's/_cache=yes//'