Refactor ansible-apply.yaml to include playbook_login.yml

This commit is contained in:
2024-09-29 11:42:32 +02:00
parent 5324ef7ec0
commit a03aca39df
11 changed files with 68 additions and 52 deletions
+1
View File
@@ -80,6 +80,7 @@ jobs:
SSH_AUTH_SOCK: /tmp/ssh_agent.sock SSH_AUTH_SOCK: /tmp/ssh_agent.sock
run: | run: |
cd ansible cd ansible
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_login.yml
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_cis.yml --skip-tags roles::cis::suid sectool exec ansible-playbook -u $ANSIBLE_USER playbook_cis.yml --skip-tags roles::cis::suid
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_encryption.yml sectool exec ansible-playbook -u $ANSIBLE_USER playbook_encryption.yml
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_microk8s.yml sectool exec ansible-playbook -u $ANSIBLE_USER playbook_microk8s.yml
-17
View File
@@ -3,20 +3,3 @@
This is part of A13Labs project, any unauthorized copy is no allowed. If you got access to this This is part of A13Labs project, any unauthorized copy is no allowed. If you got access to this
code DELETE immediately. We have been warned. code DELETE immediately. We have been warned.
# Download SecTool
Download SecTool from https://github.com/a13labs/sectool/releases
# Install Apps
```
export VAULT_MASTER_PASSWORD=<Password here>
# get the kubernetes configuration file
ssh provision@<ip_address> -i ssh-keys/ansible/id_rsa microk8s config > ~/.kube/config
# deploy the applications
cd terraform/k8s_apps
sectool exec terraform init
sectool exec terraform apply
```
+6 -2
View File
@@ -16,6 +16,11 @@ function help {
exit 1 exit 1
} }
if [ -z $ANSIBLE_USER ]; then
echo "ANSIBLE_USER environment variable not set"
exit 1
fi
# parse arguments # parse arguments
while [ "$1" != "" ]; do while [ "$1" != "" ]; do
case $1 in case $1 in
@@ -47,5 +52,4 @@ else
fi fi
# execute ansible-playbook # execute ansible-playbook
sectool exec ansible-playbook -i inventory/hosts $DRY_RUN $PLAYBOOK sectool exec ansible-playbook -u $ANSIBLE_USER $DRY_RUN $PLAYBOOK
+1
View File
@@ -0,0 +1 @@
../../../ssh-keys/ansible/id_ecdsa.pub
@@ -1,17 +1,15 @@
# Hostname and other host settings
hostname: contabo01.a13labs.pt hostname: contabo01.a13labs.pt
# SSH Connection and security
sshd_port: 22
ssh_allowed_networks:
- "0.0.0.0/0"
sshd_admin_net: "0.0.0.0/0"
sshd_allow_groups: "provision git users"
sshd_permit_root_login: "no"
sshd_password_authentication: "no"
sshd_allow_tcp_forwarding: "yes"
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}" ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
# Users
login_users: login_users:
- username: "{{ ansible_user }}"
comment: "Managed by Ansible"
sudoer: true
sudoer_root_only: true
sudoer_no_password: true
pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}"
password_disabled: true
- username: operator - username: operator
comment: "Managed by Ansible" comment: "Managed by Ansible"
sudoer: true sudoer: true
@@ -19,6 +17,18 @@ login_users:
- username: git - username: git
comment: "Managed by Ansible" comment: "Managed by Ansible"
shell: "/usr/local/bin/gitea-shell" shell: "/usr/local/bin/gitea-shell"
password_disabled: true
password_expiration: false
# SSH Connection and security
sshd_port: 22
ssh_allowed_networks:
- "0.0.0.0/0"
sshd_admin_net: "0.0.0.0/0"
sshd_allow_groups: "{{ ansible_user }} git users"
sshd_permit_root_login: "no"
sshd_password_authentication: "no"
sshd_allow_tcp_forwarding: "yes"
# Due to an issue increase the number of max auth tries # Due to an issue increase the number of max auth tries
sshd_max_auth_tries: 10 sshd_max_auth_tries: 10
-9
View File
@@ -1,21 +1,12 @@
[all] [all]
contabo01.a13labs.pt contabo01.a13labs.pt
[a13labs]
contabo01.a13labs.pt
[vms]
contabo01.a13labs.pt
[linux] [linux]
contabo01.a13labs.pt contabo01.a13labs.pt
[ubuntu] [ubuntu]
contabo01.a13labs.pt contabo01.a13labs.pt
[contabo]
contabo01.a13labs.pt
[gitea] [gitea]
contabo01.a13labs.pt contabo01.a13labs.pt
+1 -9
View File
@@ -1,17 +1,9 @@
--- ---
- name: CIS Hardening - name: CIS Hardening
hosts: contabo hosts: linux
gather_facts: true gather_facts: true
roles: roles:
- role: "bootstrap"
tags:
- roles
- roles::bootstrap
- role: "login"
tags:
- roles
- roles::users
- role: "cis" - role: "cis"
tags: tags:
- roles - roles
+1 -1
View File
@@ -1,6 +1,6 @@
--- ---
- name: Setup encrypted volume for a13labs - name: Setup encrypted volume for a13labs
hosts: contabo hosts: linux
become: true become: true
vars: vars:
disk_image_path: /a13labs.img disk_image_path: /a13labs.img
+10
View File
@@ -0,0 +1,10 @@
---
- name: Login setup
hosts: linux
gather_facts: true
roles:
- role: "login"
tags:
- roles
- roles::users
+25 -1
View File
@@ -13,6 +13,18 @@
shell: "{{ item.shell if item.shell is defined else '/bin/bash' }}" shell: "{{ item.shell if item.shell is defined else '/bin/bash' }}"
loop: "{{ login_users }}" loop: "{{ login_users }}"
- name: Disable password expiration
command: chage -M -1 "{{ item.username }}"
become: yes
when: item.password_expiration is defined and not item.password_expiration
loop: "{{ login_users }}"
- name: Disable password login
command: passwd -d "{{ item.username }}"
become: yes
when: item.password_disabled is defined and item.password_disabled
loop: "{{ login_users }}"
- name: "Add SSH Authorized key" - name: "Add SSH Authorized key"
become: true become: true
ansible.posix.authorized_key: ansible.posix.authorized_key:
@@ -27,9 +39,21 @@
ansible.builtin.copy: ansible.builtin.copy:
dest: "/etc/sudoers.d/{{ item.username }}" dest: "/etc/sudoers.d/{{ item.username }}"
content: | content: |
{{ item.username }} ALL=(ALL) ALL {{ item.username }} ALL=({{ 'root' if item.sudoer_root_only is defined and item.sudoer_root_only else 'ALL' }}) {{ 'NOPASSWD:' if item.sudoer_no_password is defined and item.sudoer_no_password else '' }}ALL
owner: root owner: root
group: root group: root
mode: "0600" mode: "0600"
when: item.sudoer is defined and item.sudoer when: item.sudoer is defined and item.sudoer
loop: "{{ login_users }}" loop: "{{ login_users }}"
- name: Disable user history
become: true
ansible.builtin.copy:
dest: "/etc/profile.d/disable_history.sh"
content: |
#!/bin/bash
readonly PROMPT_COMMAND='history -a'
readonly HISTFILE=/dev/null
owner: root
group: root
mode: "0755"