Refactor ansible-apply.yaml to include playbook_login.yml

This commit is contained in:
2024-09-29 11:42:32 +02:00
parent 5324ef7ec0
commit a03aca39df
11 changed files with 68 additions and 52 deletions
+1
View File
@@ -80,6 +80,7 @@ jobs:
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
run: |
cd ansible
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_login.yml
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_cis.yml --skip-tags roles::cis::suid
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_encryption.yml
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_microk8s.yml
-17
View File
@@ -3,20 +3,3 @@
This is part of A13Labs project, any unauthorized copy is no allowed. If you got access to this
code DELETE immediately. We have been warned.
# Download SecTool
Download SecTool from https://github.com/a13labs/sectool/releases
# Install Apps
```
export VAULT_MASTER_PASSWORD=<Password here>
# get the kubernetes configuration file
ssh provision@<ip_address> -i ssh-keys/ansible/id_rsa microk8s config > ~/.kube/config
# deploy the applications
cd terraform/k8s_apps
sectool exec terraform init
sectool exec terraform apply
```
+6 -2
View File
@@ -16,6 +16,11 @@ function help {
exit 1
}
if [ -z $ANSIBLE_USER ]; then
echo "ANSIBLE_USER environment variable not set"
exit 1
fi
# parse arguments
while [ "$1" != "" ]; do
case $1 in
@@ -47,5 +52,4 @@ else
fi
# execute ansible-playbook
sectool exec ansible-playbook -i inventory/hosts $DRY_RUN $PLAYBOOK
sectool exec ansible-playbook -u $ANSIBLE_USER $DRY_RUN $PLAYBOOK
+1
View File
@@ -0,0 +1 @@
../../../ssh-keys/ansible/id_ecdsa.pub
@@ -1,17 +1,15 @@
# Hostname and other host settings
hostname: contabo01.a13labs.pt
# SSH Connection and security
sshd_port: 22
ssh_allowed_networks:
- "0.0.0.0/0"
sshd_admin_net: "0.0.0.0/0"
sshd_allow_groups: "provision git users"
sshd_permit_root_login: "no"
sshd_password_authentication: "no"
sshd_allow_tcp_forwarding: "yes"
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
# Users
login_users:
- username: "{{ ansible_user }}"
comment: "Managed by Ansible"
sudoer: true
sudoer_root_only: true
sudoer_no_password: true
pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}"
password_disabled: true
- username: operator
comment: "Managed by Ansible"
sudoer: true
@@ -19,6 +17,18 @@ login_users:
- username: git
comment: "Managed by Ansible"
shell: "/usr/local/bin/gitea-shell"
password_disabled: true
password_expiration: false
# SSH Connection and security
sshd_port: 22
ssh_allowed_networks:
- "0.0.0.0/0"
sshd_admin_net: "0.0.0.0/0"
sshd_allow_groups: "{{ ansible_user }} git users"
sshd_permit_root_login: "no"
sshd_password_authentication: "no"
sshd_allow_tcp_forwarding: "yes"
# Due to an issue increase the number of max auth tries
sshd_max_auth_tries: 10
-9
View File
@@ -1,21 +1,12 @@
[all]
contabo01.a13labs.pt
[a13labs]
contabo01.a13labs.pt
[vms]
contabo01.a13labs.pt
[linux]
contabo01.a13labs.pt
[ubuntu]
contabo01.a13labs.pt
[contabo]
contabo01.a13labs.pt
[gitea]
contabo01.a13labs.pt
+1 -9
View File
@@ -1,17 +1,9 @@
---
- name: CIS Hardening
hosts: contabo
hosts: linux
gather_facts: true
roles:
- role: "bootstrap"
tags:
- roles
- roles::bootstrap
- role: "login"
tags:
- roles
- roles::users
- role: "cis"
tags:
- roles
+1 -1
View File
@@ -1,6 +1,6 @@
---
- name: Setup encrypted volume for a13labs
hosts: contabo
hosts: linux
become: true
vars:
disk_image_path: /a13labs.img
+10
View File
@@ -0,0 +1,10 @@
---
- name: Login setup
hosts: linux
gather_facts: true
roles:
- role: "login"
tags:
- roles
- roles::users
+2 -2
View File
@@ -86,7 +86,7 @@
- name: Configure login.defs
ansible.builtin.include_tasks: logindefs.yml
tags:
- roles::cis::logindefs
- roles::cis::logindefs
- name: Set limits
ansible.builtin.include_tasks: limits.yml
@@ -224,4 +224,4 @@
- name: Miscellaneous tasks after all handlers
ansible.builtin.include_tasks: post.yml
tags:
- always
- always
+25 -1
View File
@@ -13,6 +13,18 @@
shell: "{{ item.shell if item.shell is defined else '/bin/bash' }}"
loop: "{{ login_users }}"
- name: Disable password expiration
command: chage -M -1 "{{ item.username }}"
become: yes
when: item.password_expiration is defined and not item.password_expiration
loop: "{{ login_users }}"
- name: Disable password login
command: passwd -d "{{ item.username }}"
become: yes
when: item.password_disabled is defined and item.password_disabled
loop: "{{ login_users }}"
- name: "Add SSH Authorized key"
become: true
ansible.posix.authorized_key:
@@ -27,9 +39,21 @@
ansible.builtin.copy:
dest: "/etc/sudoers.d/{{ item.username }}"
content: |
{{ item.username }} ALL=(ALL) ALL
{{ item.username }} ALL=({{ 'root' if item.sudoer_root_only is defined and item.sudoer_root_only else 'ALL' }}) {{ 'NOPASSWD:' if item.sudoer_no_password is defined and item.sudoer_no_password else '' }}ALL
owner: root
group: root
mode: "0600"
when: item.sudoer is defined and item.sudoer
loop: "{{ login_users }}"
- name: Disable user history
become: true
ansible.builtin.copy:
dest: "/etc/profile.d/disable_history.sh"
content: |
#!/bin/bash
readonly PROMPT_COMMAND='history -a'
readonly HISTFILE=/dev/null
owner: root
group: root
mode: "0755"