Refactor ansible-apply.yaml to include playbook_login.yml
This commit is contained in:
@@ -80,6 +80,7 @@ jobs:
|
|||||||
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
|
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
|
||||||
run: |
|
run: |
|
||||||
cd ansible
|
cd ansible
|
||||||
|
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_login.yml
|
||||||
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_cis.yml --skip-tags roles::cis::suid
|
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_cis.yml --skip-tags roles::cis::suid
|
||||||
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_encryption.yml
|
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_encryption.yml
|
||||||
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_microk8s.yml
|
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_microk8s.yml
|
||||||
|
|||||||
@@ -3,20 +3,3 @@
|
|||||||
This is part of A13Labs project, any unauthorized copy is no allowed. If you got access to this
|
This is part of A13Labs project, any unauthorized copy is no allowed. If you got access to this
|
||||||
code DELETE immediately. We have been warned.
|
code DELETE immediately. We have been warned.
|
||||||
|
|
||||||
# Download SecTool
|
|
||||||
|
|
||||||
Download SecTool from https://github.com/a13labs/sectool/releases
|
|
||||||
|
|
||||||
# Install Apps
|
|
||||||
|
|
||||||
```
|
|
||||||
export VAULT_MASTER_PASSWORD=<Password here>
|
|
||||||
|
|
||||||
# get the kubernetes configuration file
|
|
||||||
ssh provision@<ip_address> -i ssh-keys/ansible/id_rsa microk8s config > ~/.kube/config
|
|
||||||
|
|
||||||
# deploy the applications
|
|
||||||
cd terraform/k8s_apps
|
|
||||||
sectool exec terraform init
|
|
||||||
sectool exec terraform apply
|
|
||||||
```
|
|
||||||
|
|||||||
+6
-2
@@ -16,6 +16,11 @@ function help {
|
|||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if [ -z $ANSIBLE_USER ]; then
|
||||||
|
echo "ANSIBLE_USER environment variable not set"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
# parse arguments
|
# parse arguments
|
||||||
while [ "$1" != "" ]; do
|
while [ "$1" != "" ]; do
|
||||||
case $1 in
|
case $1 in
|
||||||
@@ -47,5 +52,4 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# execute ansible-playbook
|
# execute ansible-playbook
|
||||||
sectool exec ansible-playbook -i inventory/hosts $DRY_RUN $PLAYBOOK
|
sectool exec ansible-playbook -u $ANSIBLE_USER $DRY_RUN $PLAYBOOK
|
||||||
|
|
||||||
|
|||||||
+1
@@ -0,0 +1 @@
|
|||||||
|
../../../ssh-keys/ansible/id_ecdsa.pub
|
||||||
+21
-11
@@ -1,17 +1,15 @@
|
|||||||
# Hostname and other host settings
|
|
||||||
hostname: contabo01.a13labs.pt
|
hostname: contabo01.a13labs.pt
|
||||||
|
|
||||||
# SSH Connection and security
|
|
||||||
sshd_port: 22
|
|
||||||
ssh_allowed_networks:
|
|
||||||
- "0.0.0.0/0"
|
|
||||||
sshd_admin_net: "0.0.0.0/0"
|
|
||||||
sshd_allow_groups: "provision git users"
|
|
||||||
sshd_permit_root_login: "no"
|
|
||||||
sshd_password_authentication: "no"
|
|
||||||
sshd_allow_tcp_forwarding: "yes"
|
|
||||||
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
|
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
|
||||||
|
|
||||||
|
# Users
|
||||||
login_users:
|
login_users:
|
||||||
|
- username: "{{ ansible_user }}"
|
||||||
|
comment: "Managed by Ansible"
|
||||||
|
sudoer: true
|
||||||
|
sudoer_root_only: true
|
||||||
|
sudoer_no_password: true
|
||||||
|
pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}"
|
||||||
|
password_disabled: true
|
||||||
- username: operator
|
- username: operator
|
||||||
comment: "Managed by Ansible"
|
comment: "Managed by Ansible"
|
||||||
sudoer: true
|
sudoer: true
|
||||||
@@ -19,6 +17,18 @@ login_users:
|
|||||||
- username: git
|
- username: git
|
||||||
comment: "Managed by Ansible"
|
comment: "Managed by Ansible"
|
||||||
shell: "/usr/local/bin/gitea-shell"
|
shell: "/usr/local/bin/gitea-shell"
|
||||||
|
password_disabled: true
|
||||||
|
password_expiration: false
|
||||||
|
|
||||||
|
# SSH Connection and security
|
||||||
|
sshd_port: 22
|
||||||
|
ssh_allowed_networks:
|
||||||
|
- "0.0.0.0/0"
|
||||||
|
sshd_admin_net: "0.0.0.0/0"
|
||||||
|
sshd_allow_groups: "{{ ansible_user }} git users"
|
||||||
|
sshd_permit_root_login: "no"
|
||||||
|
sshd_password_authentication: "no"
|
||||||
|
sshd_allow_tcp_forwarding: "yes"
|
||||||
|
|
||||||
# Due to an issue increase the number of max auth tries
|
# Due to an issue increase the number of max auth tries
|
||||||
sshd_max_auth_tries: 10
|
sshd_max_auth_tries: 10
|
||||||
@@ -1,21 +1,12 @@
|
|||||||
[all]
|
[all]
|
||||||
contabo01.a13labs.pt
|
contabo01.a13labs.pt
|
||||||
|
|
||||||
[a13labs]
|
|
||||||
contabo01.a13labs.pt
|
|
||||||
|
|
||||||
[vms]
|
|
||||||
contabo01.a13labs.pt
|
|
||||||
|
|
||||||
[linux]
|
[linux]
|
||||||
contabo01.a13labs.pt
|
contabo01.a13labs.pt
|
||||||
|
|
||||||
[ubuntu]
|
[ubuntu]
|
||||||
contabo01.a13labs.pt
|
contabo01.a13labs.pt
|
||||||
|
|
||||||
[contabo]
|
|
||||||
contabo01.a13labs.pt
|
|
||||||
|
|
||||||
[gitea]
|
[gitea]
|
||||||
contabo01.a13labs.pt
|
contabo01.a13labs.pt
|
||||||
|
|
||||||
|
|||||||
@@ -1,17 +1,9 @@
|
|||||||
---
|
---
|
||||||
- name: CIS Hardening
|
- name: CIS Hardening
|
||||||
hosts: contabo
|
hosts: linux
|
||||||
gather_facts: true
|
gather_facts: true
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
- role: "bootstrap"
|
|
||||||
tags:
|
|
||||||
- roles
|
|
||||||
- roles::bootstrap
|
|
||||||
- role: "login"
|
|
||||||
tags:
|
|
||||||
- roles
|
|
||||||
- roles::users
|
|
||||||
- role: "cis"
|
- role: "cis"
|
||||||
tags:
|
tags:
|
||||||
- roles
|
- roles
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
- name: Setup encrypted volume for a13labs
|
- name: Setup encrypted volume for a13labs
|
||||||
hosts: contabo
|
hosts: linux
|
||||||
become: true
|
become: true
|
||||||
vars:
|
vars:
|
||||||
disk_image_path: /a13labs.img
|
disk_image_path: /a13labs.img
|
||||||
|
|||||||
@@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
- name: Login setup
|
||||||
|
hosts: linux
|
||||||
|
gather_facts: true
|
||||||
|
|
||||||
|
roles:
|
||||||
|
- role: "login"
|
||||||
|
tags:
|
||||||
|
- roles
|
||||||
|
- roles::users
|
||||||
@@ -13,6 +13,18 @@
|
|||||||
shell: "{{ item.shell if item.shell is defined else '/bin/bash' }}"
|
shell: "{{ item.shell if item.shell is defined else '/bin/bash' }}"
|
||||||
loop: "{{ login_users }}"
|
loop: "{{ login_users }}"
|
||||||
|
|
||||||
|
- name: Disable password expiration
|
||||||
|
command: chage -M -1 "{{ item.username }}"
|
||||||
|
become: yes
|
||||||
|
when: item.password_expiration is defined and not item.password_expiration
|
||||||
|
loop: "{{ login_users }}"
|
||||||
|
|
||||||
|
- name: Disable password login
|
||||||
|
command: passwd -d "{{ item.username }}"
|
||||||
|
become: yes
|
||||||
|
when: item.password_disabled is defined and item.password_disabled
|
||||||
|
loop: "{{ login_users }}"
|
||||||
|
|
||||||
- name: "Add SSH Authorized key"
|
- name: "Add SSH Authorized key"
|
||||||
become: true
|
become: true
|
||||||
ansible.posix.authorized_key:
|
ansible.posix.authorized_key:
|
||||||
@@ -27,9 +39,21 @@
|
|||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
dest: "/etc/sudoers.d/{{ item.username }}"
|
dest: "/etc/sudoers.d/{{ item.username }}"
|
||||||
content: |
|
content: |
|
||||||
{{ item.username }} ALL=(ALL) ALL
|
{{ item.username }} ALL=({{ 'root' if item.sudoer_root_only is defined and item.sudoer_root_only else 'ALL' }}) {{ 'NOPASSWD:' if item.sudoer_no_password is defined and item.sudoer_no_password else '' }}ALL
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
when: item.sudoer is defined and item.sudoer
|
when: item.sudoer is defined and item.sudoer
|
||||||
loop: "{{ login_users }}"
|
loop: "{{ login_users }}"
|
||||||
|
|
||||||
|
- name: Disable user history
|
||||||
|
become: true
|
||||||
|
ansible.builtin.copy:
|
||||||
|
dest: "/etc/profile.d/disable_history.sh"
|
||||||
|
content: |
|
||||||
|
#!/bin/bash
|
||||||
|
readonly PROMPT_COMMAND='history -a'
|
||||||
|
readonly HISTFILE=/dev/null
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: "0755"
|
||||||
|
|||||||
Reference in New Issue
Block a user