
20 Commits

Author SHA1 Message Date
d38e3ba4e0 Backup authorized keys before nuking 2021-10-16 10:17:45 -04:00
752a9de6df hosts 2021-10-16 10:13:55 -04:00
5e2ad66dfb don't become while writing data to controller disk 2021-10-15 22:55:22 -04:00
0a321f2acb collect process data 2021-10-15 22:53:23 -04:00
6ad0af7134 get disk space data 2021-10-15 22:51:46 -04:00
5b84cafa3d clean up ufw idempotently when rerunning setup (because if we are resetting passwords its probably in a bad state) 2021-10-15 22:37:21 -04:00
a491074c4f prepare for using ansible to manage docker 2021-10-15 22:33:49 -04:00
06b094e769 why won't this handler thing work 2021-10-15 22:20:55 -04:00
62dd3230fb just become everything 2021-10-15 22:13:30 -04:00
a3f45c0901 ansible please 2021-10-15 22:10:45 -04:00
f0a6605f82 go away firewalld 2021-10-15 21:50:44 -04:00
51057bb81e EPEL 2021-10-15 21:47:02 -04:00
3261933cb0 Autopassword is too smart for me 2021-10-15 21:42:51 -04:00
2e0bb20110 We want the name 2021-10-15 21:32:49 -04:00
d705d8d194 CentOS 2021-10-15 21:31:39 -04:00
656f822b1a yamllint decides not to work because it'd be funny i guess 2021-10-15 21:29:56 -04:00
5894376128 Privileges are important 2021-10-15 21:28:33 -04:00
7b9d345ed8 Drag and Drop doesn't work on vSphere :( 2021-10-15 21:25:36 -04:00
0456f2a98a Syntax is hard. 2021-10-15 21:20:35 -04:00
549df68b12 How did I already break git history bruh 2021-10-15 21:16:23 -04:00
8 changed files with 186 additions and 48 deletions

5
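--- a/autopassword.sh
+++ b/autopassword.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+key=hello
+name=$1
+hash=$(echo -n "$name$key" | sha256sum | xxd -r -p | base64 | tr -d '+/')
+echo "${hash:0:8}-${hash:8:8}"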
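Review bot: Every host's password is a deterministic function of the hostname and the constant `key=hello` on line 2, so anyone with read access to this repository can recompute the root and admin password of any host it was ever run against; the key belongs outside version control, e.g. `key="${AUTOPASSWORD_KEY:?}"` (variable name illustrative), or the script should be removed now that the play prompts for a password instead. The pipeline also runs without `set -euo pipefail`, so if `sha256sum`, `xxd` or `base64` fails the script still exits 0 and prints a short or empty string as the password. The history shows this generator was commented out in the role, so at minimum a header comment saying it is unused and why would stop the next maintainer from re-enabling it as-is.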


@@ -1,2 +1,3 @@
- name: restart ufw
service: name=ufw state=restarted
service: name=ufw state=restarted
become: yes
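Review bot: `service: name=ufw state=restarted` keeps the key=value argument string that ansible-lint flags, and `become: yes` is a non-canonical boolean; the same handler appears verbatim in the later `@@ -0,0 +1,3 @@` handlers hunk, so both should move to `service:` / `  name: ufw` / `  state: restarted` with `become: true`. Whether the `service:` line shown twice here was only re-indented cannot be told from the rendered page. The file header for this hunk is not visible, so which handlers file it is stays unconfirmed.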

17
hosts Normal file

@@ -0,0 +1,17 @@
[forensics]
10.8.2.12 ansible_user=administrator
[database]
10.8.2.3 ansible_user=administrator
[workstations]
10.8.1.10 ansible_user=administrator
10.8.1.40 ansible_user=administrator
[workstations:children]
web
[web]
10.8.1.90 ansible_user=administrator
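Review bot: `ansible_user=administrator` is repeated on every host line; a single `[all:vars]` section with `ansible_user=administrator` gives one place to change when the management account is renamed. `[workstations:children]` also makes `web` a member of `workstations`, so 10.8.1.90 is hit by anything that later targets `workstations`; if that is not intended, drop the children entry. The inventory carries no privilege-escalation settings, so each play has to set `become` itself, which the playbook hunk does.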


@@ -0,0 +1,8 @@
---
- name: Allow MySQL traffic
ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }}
with_items:
- { rule: 'allow', port: '3306', proto: 'tcp' }
notify:
- restart ufw
become: yes
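Review bot: The `allow` rule on `port: '3306'` opens MySQL to every source address, which is wider than the web host(s) in the inventory that need it; the `ufw` module's `from_ip` parameter can pin it, e.g. add `from_ip: '<web host address>'` to the item and `from_ip={{ item.from_ip }}` to the argument string. The key=value argument string on the `ufw:` line and the single-item `with_items` are style points ansible-lint flags; block-form module arguments with `loop` read more clearly, and the same applies to the identical task in `roles/web/tasks/main.yml`. The file header for this hunk is not visible on the page, so its path is not confirmed here.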


@@ -0,0 +1,3 @@
- name: restart ufw
service: name=ufw state=restarted
become: yes


@@ -1,13 +1,14 @@
---
- name: Generate password
delegate_to: localhost
shell: bash autopassword.sh {{ inventory_hostname }}
register: genPass
# - name: Generate password
# delegate_to: localhost
# shell: bash autopassword.sh {{ inventory_hostname }}
# register: genPass
- name: Backup ssh config
fetch:
src: /etc/ssh/sshd_config
dest: "{{ inventory_hostname }}"
dest: "{{ inventory_hostname }}"
become: yes
- name: Backup os-release
fetch:
@@ -19,11 +20,57 @@
src: /etc/passwd
dest: "{{ inventory_hostname }}"
- name: Collect disk space data
block:
- name: lsblk
shell: lsblk
register: lsblk_output
become: yes
- name: Store results
copy:
content: "{{lsblk_output.stdout}}"
dest: "{{ inventory_hostname }}/lsblk.out"
delegate_to: localhost
become: no
- name: Collect netstat
block:
- name: Run command
shell: netstat -peanut
register: netstat_output
become: yes
- name: Store results
copy:
content: "{{netstat_output.stdout}}"
dest: "{{ inventory_hostname }}/netstat.out"
delegate_to: localhost
become: no
- name: Collect process data
block:
- name: Run command
shell: ps aux
register: ps_output
become: yes
- name: Store results
copy:
content: "{{ps_output.stdout}}"
dest: "{{ inventory_hostname }}/ps.out"
delegate_to: localhost
become: no
- name: Get users
get_users:
min_uid: {{ (ansible_os_family == 'RedHat') | ternary(500,1000) }}
#min_uid: "{{ (ansible_os_family == 'RedHat') | ternary(500,1000) }}"
min_uid: 1000
max_uid: 65000
register: users_list
become: yes
register: users_list
- name: Backup all users authorized keys
fetch:
src: "{{item['dir']}}/.ssh/authorized_keys"
dest: "{{ inventory_hostname }}"
ignore_errors: yes
loop: "{{ users_list.users }}"
- name: Give root exclusively the current controller user's SSH key
ansible.posix.authorized_key:
@@ -31,54 +78,72 @@
state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
exclusive: yes
become: yes
become: yes
- name: Give all users exclusively the current controller user's SSH key
ansible.posix.authorized_key:
user: {{item}}
user: "{{item['name']}}"
state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
exclusive: yes
become: yes
loop: "{{ users_list.users }}"
become: yes
loop: "{{ users_list.users }}"
- name: Ensure UFW is installed
package:
name: ufw
state: present
- block:
- name: Ensure EPEL if RHEL based
yum:
name: epel-release
state: present
when: ansible_os_family == "RedHat"
- name: Configure ufw defaults
ufw: direction={{ item.direction }} policy={{ item.policy }}
with_items:
- { direction: 'incoming', policy: 'deny' }
- { direction: 'outgoing', policy: 'allow' }
notify:
- restart ufw
- name: Disable firewalld if RHEL based
shell: "systemctl disable firewalld; systemctl stop firewalld"
when: ansible_os_family == "RedHat"
- name: Ensure UFW is installed
package:
name: ufw
state: present
- name: Configure ufw rules
ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }}
with_items:
- { rule: 'limit', port: '22', proto: 'tcp' }
notify:
- restart ufw
- name: Ensure UFW is disabled
ufw: state=disabled
- name: Reset UFW
ufw: state=reset
- name: Enable ufw logging
ufw: logging=on
notify:
- restart ufw
- name: Configure ufw defaults
ufw: direction={{ item.direction }} policy={{ item.policy }}
with_items:
- { direction: 'incoming', policy: 'deny' }
- { direction: 'outgoing', policy: 'allow' }
notify:
- restart ufw
- name: Enable ufw
ufw: state=enabled
- name: Configure ufw rules
ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }}
with_items:
- { rule: 'limit', port: '22', proto: 'tcp' }
notify:
- restart ufw
- name: Change root password
user:
name: root
shell: /bin/bash
password: "{{ genPass.stdout | password_hash('sha512') }}"
- name: Enable ufw logging
ufw: logging=on
notify:
- restart ufw
- name: Change admin password
user:
name: "{{ ansible_user }}"
shell: /bin/bash
password: "{{ genPass.stdout | password_hash('sha512') }}"
- name: Enable ufw
ufw: state=enabled
- name: Change root password
user:
name: root
shell: /bin/bash
password: "{{ password | password_hash('sha512') }}"
- name: Change admin password
user:
name: "{{ ansible_user }}"
shell: /bin/bash
password: "{{ password | password_hash('sha512') }}"
become: yes
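Review bot: `password: "{{ password | password_hash('sha512') }}"` on the `Change root password` and `Change admin password` tasks hashes with a fresh random salt each run, so both `user` tasks report `changed` and rewrite the shadow entry every time; a per-host seeded salt, `password_hash('sha512', 65534 | random(seed=inventory_hostname) | string)`, keeps them idempotent. The same prompted value becomes the root and `ansible_user` password on every host in the play, which is a fleet-wide shared credential — defensible for an emergency reset, but it deserves a comment saying so and a follow-up per-host rotation. `ignore_errors: yes` on `Backup all users authorized keys` hides unreachable hosts and permission failures as well as a missing file; `fail_on_missing: false` on the fetch module covers the intended case only. `shell: lsblk`, `shell: ps aux` and `shell: netstat -peanut` use no shell features and should be `command:`. The file header is not visible and the last hunk may not be the end of the file.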

8
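--- a/roles/web/tasks/main.yml
+++ b/roles/web/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Allow Web traffic
+ufw: rule={{ item.rule }} port={{ item.port }} proto={{ item.proto }}
+with_items:
+- { rule: 'allow', port: '80', proto: 'tcp' }
+notify:
+- restart ufw
+become: yes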


@@ -1,4 +1,35 @@
---
hosts: all
roles:
- immortal
- hosts: all
handlers:
- import_tasks: handlers.yml
vars_prompt:
- name: password
prompt: "Enter new root and admin password"
roles:
- immortal
become: yes
- hosts: web
handlers:
- import_tasks: handlers.yml
roles:
- web
become: yes
- hosts: database
handlers:
- import_tasks: handlers.yml
roles:
- database
become: yes
- hosts: all
vars:
pip_install_packages:
- name: docker
roles:
- geerlingguy.pip
- geerlingguy.docker
become: yes
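Review bot: The `vars_prompt` entry for `password` has no `confirm: true`; since the immortal role sets that value as the root and admin password on every host in `all`, one mistyped prompt locks the operator out of the whole fleet, so add `confirm: true` beneath `prompt:`. `become: yes` on all four plays should be the canonical `become: true` (yamllint `truthy`). The last play installs Docker on `all`, which per the inventory includes the forensics and database hosts; if only some groups need it, narrow its `hosts:`.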