Encryption and major changes

This commit is contained in:
2024-09-28 23:12:19 +02:00
parent 1f060541c3
commit 6248286ad2
159 changed files with 153 additions and 129 deletions
+10
View File
@@ -0,0 +1,10 @@
---
exclude_paths:
- .git/
- .github/
- tests/
enable_list:
- fqcn-builtins # opt-in
warn_list:
- line-length
- yaml[line-length]
+15
View File
@@ -0,0 +1,15 @@
---
extends: default
ignore: ".tox*\n.git*"
rules:
line-length:
max: 120
level: warning
comments:
min-spaces-from-content: 1
comments-indentation: false
braces:
max-spaces-inside: 1
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true
+38
View File
@@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
+8
View File
@@ -0,0 +1,8 @@
---
# defaults file for duo_security
duo_users: ["*"]
duo_integration_key: "{{ lookup('env', 'DUO_INTEGRATION_KEY') | default('') }}"
duo_secret_key: "{{ lookup('env', 'DUO_SECRET_KEY') | default('') }}"
duo_api_hostname: "{{ lookup('env', 'DUO_API_HOSTNAME') | default('') }}"
_duo_pkg_url: https://pkg.duosecurity.com
+7
View File
@@ -0,0 +1,7 @@
---
- name: Restart sshd service
become: true
ansible.builtin.service:
name: ssh
state: restarted
when: molecule_yml is not defined
+39
View File
@@ -0,0 +1,39 @@
---
galaxy_info:
author: Alexandre Pires
description: Role to confiure Duo Security on Linux
company: A13Labs
role_name: duo_security
namespace: a13labs
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: MIT
min_ansible_version: "2.1"
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
galaxy_tags:
[]
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies:
[]
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
@@ -0,0 +1,8 @@
---
- name: Converge
hosts: all
gather_facts: true
tasks:
- name: Include duo_security
ansible.builtin.include_role:
name: "duo_security"
@@ -0,0 +1,21 @@
---
driver:
name: podman
platforms:
- name: instance
image: ubuntu:20.04
pre_build_image: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
provisioner:
name: ansible
env:
DUO_INTEGRATION_KEY: "TEST_INTEGRATION_KEY"
DUO_SECRET_KEY: "TEST_SECRET_KEY"
DUO_API_HOSTNAME: "api-7cda1654.duosecurity.com"
playbooks:
converge: converge.yml
prepare: prepare.yml
verifier:
name: ansible
@@ -0,0 +1,18 @@
---
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Update cache # noqa no-changed-when
ansible.builtin.raw: apt update
- name: Install required packages # noqa no-changed-when
ansible.builtin.raw: apt install -y python3 sudo openssh-server
- name: Create required directories # noqa no-changed-when
ansible.builtin.file:
path: var/run/sshd
state: directory
mode: "0755"
owner: root
group: root
@@ -0,0 +1,9 @@
---
- name: Verify
hosts: all
any_errors_fatal: true
gather_facts: true
tasks:
- name: Example assertion
ansible.builtin.assert:
that: true
+101
View File
@@ -0,0 +1,101 @@
---
- name: Install Duo Security on Debian
when: ansible_os_family == 'Debian'
block:
- name: Add required packages
become: true
ansible.builtin.apt:
name:
- gpg
state: present
update_cache: true
- name: Add Duo Key
become: true
ansible.builtin.apt_key:
url: https://duo.com/DUO-GPG-PUBLIC-KEY.asc
state: present
# set architecture specific repo based on ansible_architecture
- name: Set Duo Architecture (X86_64)
ansible.builtin.set_fact:
duo_arch: "[arch=amd64]"
when: ansible_architecture == 'x86_64'
- name: Set Duo Architecture (ARM64)
ansible.builtin.set_fact:
duo_arch: "[arch=arm64]"
when: ansible_architecture == 'aarch64'
- name: Add Duo source repository
become: true
ansible.builtin.apt_repository:
filename: duo-security.list
repo: deb {{ duo_arch }} {{ _duo_pkg_url }}/{{ ansible_distribution }} {{ ansible_distribution_release }} main
state: present
- name: Install Duo Unix Application Integration
become: true
ansible.builtin.apt:
name: duo-unix
state: present
update_cache: true
- name: Install Duo Security on RedHat
when: ansible_os_family == 'RedHat'
block:
- name: Add Duo Source (RedHat)
become: true
ansible.builtin.yum_repository:
name: Duo Security
description: Duo Security Repository
baseurl: https://pkg.duosecurity.com/RHEL/$releasever/$basearch
gpgcheck: true
gpgkey: https://duo.com/DUO-GPG-PUBLIC-KEY.asc
enabled: true
- name: Install Duo Unix Application Integration
become: true
ansible.builtin.dnf:
name: duo-unix
state: present
- name: Install Duo config
become: true
ansible.builtin.template:
src: login_duo.conf.j2
dest: /etc/duo/login_duo.conf
owner: sshd
group: root
mode: "0600"
- name: Get sshd Include config
become: true
ansible.builtin.command: grep -E "^Include " /etc/ssh/sshd_config
register: grep_include
changed_when: false
failed_when: false
- name: Check if sshd_config.d exits
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d
register: sshd_config_d
- name: Fail if sshd_config.d does not exist
when: not sshd_config_d.stat.exists or grep_include.rc != 0
ansible.builtin.fail:
msg: "sshd_config.d does not exist"
- name: Enable duo security for remote logins (sshd_config.d)
become: true
ansible.builtin.template:
src: duo-security.conf.j2
dest: /etc/ssh/sshd_config.d/02-duo-security.conf
backup: true
mode: "0600"
owner: root
group: root
validate: sshd -t -f %s
when: sshd_config_d.stat.exists and grep_include.rc == 0
notify:
- Restart sshd service
@@ -0,0 +1,2 @@
Match User {{ duo_users | join(',') }}
ForceCommand /usr/sbin/login_duo
@@ -0,0 +1,8 @@
[duo]
; Duo integration key
ikey = {{ duo_integration_key }}
; Duo secret key
skey = {{ duo_secret_key }}
; Duo API hostname
host = {{ duo_api_hostname }}
pushinfo = yes
+2
View File
@@ -0,0 +1,2 @@
localhost
+5
View File
@@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- duo_security
+2
View File
@@ -0,0 +1,2 @@
---
# vars file for duo_security