Refactor ansible-apply.yaml to include playbook_login.yml
This commit is contained in:
@@ -80,6 +80,7 @@ jobs:
|
||||
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
|
||||
run: |
|
||||
cd ansible
|
||||
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_login.yml
|
||||
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_cis.yml --skip-tags roles::cis::suid
|
||||
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_encryption.yml
|
||||
sectool exec ansible-playbook -u $ANSIBLE_USER playbook_microk8s.yml
|
||||
|
||||
@@ -3,20 +3,3 @@
|
||||
This is part of A13Labs project, any unauthorized copy is no allowed. If you got access to this
|
||||
code DELETE immediately. We have been warned.
|
||||
|
||||
# Download SecTool
|
||||
|
||||
Download SecTool from https://github.com/a13labs/sectool/releases
|
||||
|
||||
# Install Apps
|
||||
|
||||
```
|
||||
export VAULT_MASTER_PASSWORD=<Password here>
|
||||
|
||||
# get the kubernetes configuration file
|
||||
ssh provision@<ip_address> -i ssh-keys/ansible/id_rsa microk8s config > ~/.kube/config
|
||||
|
||||
# deploy the applications
|
||||
cd terraform/k8s_apps
|
||||
sectool exec terraform init
|
||||
sectool exec terraform apply
|
||||
```
|
||||
|
||||
+6
-2
@@ -16,6 +16,11 @@ function help {
|
||||
exit 1
|
||||
}
|
||||
|
||||
if [ -z $ANSIBLE_USER ]; then
|
||||
echo "ANSIBLE_USER environment variable not set"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# parse arguments
|
||||
while [ "$1" != "" ]; do
|
||||
case $1 in
|
||||
@@ -47,5 +52,4 @@ else
|
||||
fi
|
||||
|
||||
# execute ansible-playbook
|
||||
sectool exec ansible-playbook -i inventory/hosts $DRY_RUN $PLAYBOOK
|
||||
|
||||
sectool exec ansible-playbook -u $ANSIBLE_USER $DRY_RUN $PLAYBOOK
|
||||
|
||||
+1
@@ -0,0 +1 @@
|
||||
../../../ssh-keys/ansible/id_ecdsa.pub
|
||||
+21
-11
@@ -1,17 +1,15 @@
|
||||
# Hostname and other host settings
|
||||
hostname: contabo01.a13labs.pt
|
||||
|
||||
# SSH Connection and security
|
||||
sshd_port: 22
|
||||
ssh_allowed_networks:
|
||||
- "0.0.0.0/0"
|
||||
sshd_admin_net: "0.0.0.0/0"
|
||||
sshd_allow_groups: "provision git users"
|
||||
sshd_permit_root_login: "no"
|
||||
sshd_password_authentication: "no"
|
||||
sshd_allow_tcp_forwarding: "yes"
|
||||
ansible_user: "{{ lookup('env', 'ANSIBLE_USER') }}"
|
||||
|
||||
# Users
|
||||
login_users:
|
||||
- username: "{{ ansible_user }}"
|
||||
comment: "Managed by Ansible"
|
||||
sudoer: true
|
||||
sudoer_root_only: true
|
||||
sudoer_no_password: true
|
||||
pubkey: "{{ lookup('file', 'keys/ansible_user.pub') }}"
|
||||
password_disabled: true
|
||||
- username: operator
|
||||
comment: "Managed by Ansible"
|
||||
sudoer: true
|
||||
@@ -19,6 +17,18 @@ login_users:
|
||||
- username: git
|
||||
comment: "Managed by Ansible"
|
||||
shell: "/usr/local/bin/gitea-shell"
|
||||
password_disabled: true
|
||||
password_expiration: false
|
||||
|
||||
# SSH Connection and security
|
||||
sshd_port: 22
|
||||
ssh_allowed_networks:
|
||||
- "0.0.0.0/0"
|
||||
sshd_admin_net: "0.0.0.0/0"
|
||||
sshd_allow_groups: "{{ ansible_user }} git users"
|
||||
sshd_permit_root_login: "no"
|
||||
sshd_password_authentication: "no"
|
||||
sshd_allow_tcp_forwarding: "yes"
|
||||
|
||||
# Due to an issue increase the number of max auth tries
|
||||
sshd_max_auth_tries: 10
|
||||
@@ -1,21 +1,12 @@
|
||||
[all]
|
||||
contabo01.a13labs.pt
|
||||
|
||||
[a13labs]
|
||||
contabo01.a13labs.pt
|
||||
|
||||
[vms]
|
||||
contabo01.a13labs.pt
|
||||
|
||||
[linux]
|
||||
contabo01.a13labs.pt
|
||||
|
||||
[ubuntu]
|
||||
contabo01.a13labs.pt
|
||||
|
||||
[contabo]
|
||||
contabo01.a13labs.pt
|
||||
|
||||
[gitea]
|
||||
contabo01.a13labs.pt
|
||||
|
||||
|
||||
@@ -1,17 +1,9 @@
|
||||
---
|
||||
- name: CIS Hardening
|
||||
hosts: contabo
|
||||
hosts: linux
|
||||
gather_facts: true
|
||||
|
||||
roles:
|
||||
- role: "bootstrap"
|
||||
tags:
|
||||
- roles
|
||||
- roles::bootstrap
|
||||
- role: "login"
|
||||
tags:
|
||||
- roles
|
||||
- roles::users
|
||||
- role: "cis"
|
||||
tags:
|
||||
- roles
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
---
|
||||
- name: Setup encrypted volume for a13labs
|
||||
hosts: contabo
|
||||
hosts: linux
|
||||
become: true
|
||||
vars:
|
||||
disk_image_path: /a13labs.img
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
---
|
||||
- name: Login setup
|
||||
hosts: linux
|
||||
gather_facts: true
|
||||
|
||||
roles:
|
||||
- role: "login"
|
||||
tags:
|
||||
- roles
|
||||
- roles::users
|
||||
@@ -86,7 +86,7 @@
|
||||
- name: Configure login.defs
|
||||
ansible.builtin.include_tasks: logindefs.yml
|
||||
tags:
|
||||
- roles::cis::logindefs
|
||||
- roles::cis::logindefs
|
||||
|
||||
- name: Set limits
|
||||
ansible.builtin.include_tasks: limits.yml
|
||||
@@ -224,4 +224,4 @@
|
||||
- name: Miscellaneous tasks after all handlers
|
||||
ansible.builtin.include_tasks: post.yml
|
||||
tags:
|
||||
- always
|
||||
- always
|
||||
|
||||
@@ -13,6 +13,18 @@
|
||||
shell: "{{ item.shell if item.shell is defined else '/bin/bash' }}"
|
||||
loop: "{{ login_users }}"
|
||||
|
||||
- name: Disable password expiration
|
||||
command: chage -M -1 "{{ item.username }}"
|
||||
become: yes
|
||||
when: item.password_expiration is defined and not item.password_expiration
|
||||
loop: "{{ login_users }}"
|
||||
|
||||
- name: Disable password login
|
||||
command: passwd -d "{{ item.username }}"
|
||||
become: yes
|
||||
when: item.password_disabled is defined and item.password_disabled
|
||||
loop: "{{ login_users }}"
|
||||
|
||||
- name: "Add SSH Authorized key"
|
||||
become: true
|
||||
ansible.posix.authorized_key:
|
||||
@@ -27,9 +39,21 @@
|
||||
ansible.builtin.copy:
|
||||
dest: "/etc/sudoers.d/{{ item.username }}"
|
||||
content: |
|
||||
{{ item.username }} ALL=(ALL) ALL
|
||||
{{ item.username }} ALL=({{ 'root' if item.sudoer_root_only is defined and item.sudoer_root_only else 'ALL' }}) {{ 'NOPASSWD:' if item.sudoer_no_password is defined and item.sudoer_no_password else '' }}ALL
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0600"
|
||||
when: item.sudoer is defined and item.sudoer
|
||||
loop: "{{ login_users }}"
|
||||
|
||||
- name: Disable user history
|
||||
become: true
|
||||
ansible.builtin.copy:
|
||||
dest: "/etc/profile.d/disable_history.sh"
|
||||
content: |
|
||||
#!/bin/bash
|
||||
readonly PROMPT_COMMAND='history -a'
|
||||
readonly HISTFILE=/dev/null
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0755"
|
||||
|
||||
Reference in New Issue
Block a user