tpotce/installer/install/tpot.yml

---
################################
# T-Pot - Bootstrapping Python #
################################

- name: T-Pot - Bootstrapping Python
  hosts: all
  gather_facts: false
  become: true
  become_method: sudo

  tasks:
    - name: Get distribution name (All)
      raw: awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"' | cut -d " " -f1
      register: my_distribution
      tags:
        - "AlmaLinux"
        - "Debian"
        - "Fedora"
        - "openSUSE Tumbleweed"
        - "Raspbian"
        - "Rocky"
        - "Ubuntu"

    - name: Check if python3 is installed (All)
      raw: echo $(command -v python3)
      register: my_python3
      tags:
        - "AlmaLinux"
        - "Debian"
        - "Fedora"
        - "openSUSE Tumbleweed"
        - "Raspbian"
        - "Rocky"
        - "Ubuntu"

    - name: Add python package (Debian, Raspbian, Ubuntu)
      raw: |
        apt update
        apt -y install python3
      when: my_distribution.stdout | trim in ["Debian", "Raspbian", "Ubuntu"] and my_python3.stdout | trim == ""
      tags:
        - "Debian"
        - "Raspbian"
        - "Ubuntu"

    - name: Add python package (Alma, Fedora, Rocky)
      raw: |
        dnf -y --refresh install python3
      when: my_distribution.stdout | trim in ["AlmaLinux", "Fedora", "Rocky"] and my_python3.stdout | trim == ""
      tags:
        - "AlmaLinux"
        - "Fedora"
        - "Rocky"

    - name: Add python package (openSUSE Tumbleweed)
      raw: |
        zypper refresh
        zypper -y install python3
      when: my_distribution.stdout | trim in ["AlmaLinux", "Fedora", "Rocky"] and my_python3.stdout | trim == ""
      tags:
        - "openSUSE Tumbleweed"

#####################################################################
# T-Pot - Abort if run as tpot, root or on unsupported distribution #
#####################################################################

- name: T-Pot - Abort if run as tpot, root or on unsupported distribution
  hosts: all
  gather_facts: true
  become: false
  tags:
    - "AlmaLinux"
    - "Debian"
    - "Fedora"
    - "openSUSE Tumbleweed"
    - "Raspbian"
    - "Rocky"
    - "Ubuntu"

  tasks:
    - name: Check if running as root (All)
      assert:
        that: ansible_user_id != 'root'
        fail_msg: "T-Pot playbook should not be run as root."
        success_msg: "Running as user: {{ ansible_user_id }}."

    - name: Check if running as tpot (All)
      assert:
        that: ansible_user_id != 'tpot'
        fail_msg: "Reserved username `tpot` detected."
        success_msg: "Running as user: {{ ansible_user_id }}."

    - name: Check if supported distribution (All)
      assert:
        that: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]
        fail_msg: "T-Pot is not supported on this plattform: {{ ansible_distribution }}."
        success_msg: "T-Pot will now install on {{ ansible_distribution }}."

############################################################
# T-Pot - Install recommended, remove conflicting packages #
############################################################

- name: T-Pot - Install recommended, remove conflicting packages 
  hosts: all
  gather_facts: true
  become: true

  tasks:
    - name: Syncing clocks (All)
      shell: "hwclock --hctosys"
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]
      ignore_errors: true
      tags:
        - "AlmaLinux"
        - "Debian"
        - "Fedora"
        - "openSUSE Tumbleweed"
        - "Raspbian"
        - "Rocky"
        - "Ubuntu"

    - name: Install recommended packages (Debian, Raspbian, Ubuntu)
      package:
        name:
          - apache2-utils
          - bash-completion
          - ca-certificates
          - cracklib-runtime
          - curl
          - exa
          - git
          - gnupg
          - grc
          - htop
          - micro
          - net-tools
          - vim
          - wget
        state: latest
        update_cache: yes
      when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"]
      tags:
        - "Debian"
        - "Raspbian"
        - "Ubuntu"

    - name: Install grc from remote repo (AlmaLinux, Rocky)
      ansible.builtin.dnf:
        name: 'https://github.com/kriipke/grc/releases/download/1.13.8/grc-1.13.8-1.el7.noarch.rpm'
        disable_gpg_check: true
        state: present
      when: ansible_distribution in ["AlmaLinux", "Rocky"]
      tags:
        - "AlmaLinux"
        - "Rocky"

    - name: Install recommended packages (AlmaLinux, Fedora, Rocky)
      package:
        name:
          - bash-completion
          - ca-certificates
          - cracklib
          - curl
          - dnf-plugins-core
          - exa
          - git
          - grc
          - htop
          - httpd-tools
          - micro
          - net-tools
          - vim
          - wget
        state: latest
        update_cache: yes
      when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"]
      tags:
        - "AlmaLinux"
        - "Fedora"
        - "Rocky"

    - name: Remove conflicting packages (openSUSE Tumbleweed)
      package:
        name:
          - cups
          - net-tools
          - postfix
          - yast2-auth-client
          - yast2-auth-user
        state: absent 
        update_cache: yes
      when: ansible_distribution in ["openSUSE Tumbleweed"]
      tags:
        - "openSUSE Tumbleweed"

    - name: Install recommended packages (openSUSE Tumbleweed)
      package:
        name:
          - apache2-utils
          - bash-completion
          - busybox-net-tools
          - ca-certificates
          - cracklib
          - curl
          - exa
          - git
          - grc
          - htop
          - micro
          - vim
          - wget
        state: latest
        update_cache: yes
      when: ansible_distribution in ["openSUSE Tumbleweed"]
      tags:
        - "openSUSE Tumbleweed"

#####################################
# T-Pot - Prepare for Docker Engine #
#####################################

- name: T-Pot - Prepare for and install Docker Engine
  hosts: all
  gather_facts: true
  become: true

  tasks:
    - name: Remove distribution based Docker packages (AlmaLinux, Debian, Fedora, Raspbian, Rocky, Ubuntu)
      package:
        name:
          - docker
          - docker-engine
          - docker.io
          - containerd 
          - runc
        state: absent
        update_cache: yes
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "Raspbian", "Rocky", "Ubuntu"]
      tags:
        - "AlmaLinux"
        - "Debian"
        - "Fedora"
        - "Raspbian"
        - "Rocky"
        - "Ubuntu"

    - name: Add folder for Docker Engine GPG key (Debian, Raspbian, Ubuntu)
      file:
        path: /etc/apt/keyrings
        state: directory
        mode: 0755
      when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"]
      tags:
        - "Debian"
        - "Raspbian"
        - "Ubuntu"

    - name: Download Docker Engine GPG key (Debian, Raspbian, Ubuntu)
      get_url:
        url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
        dest: /etc/apt/keyrings/docker
        mode: 0755
      when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"]
      tags:
        - "Debian"
        - "Raspbian"
        - "Ubuntu"

    - name: Decrypt Docker Engine GPG key (Debian, Raspbian, Ubuntu)
      shell: gpg --dearmor /etc/apt/keyrings/docker
      args:
        creates: /etc/apt/keyrings/docker.gpg
      when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"]
      tags:
        - "Debian"
        - "Raspbian"
        - "Ubuntu"

    - name: Add Docker Engine repository (Debian, Raspbian, Ubuntu)
      apt_repository:
        filename: docker
        repo: "deb [arch={{ ansible_architecture | replace('aarch64', 'arm64') | replace('x86_64', 'amd64') }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
        state: present
        update_cache: yes
      when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"]
      tags:
        - "Debian"
        - "Raspbian"
        - "Ubuntu"

    - name: Add Docker repository (Fedora)
      shell: |
        if [ "$(dnf repolist docker-ce-stable)" == "" ];
          then
            dnf -y config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
        fi
      when: ansible_distribution in ["Fedora"]
      tags:
        - "Fedora"

    - name: Add Docker repository (AlmaLinux, Rocky)
      shell: |
        if [ "$(dnf repolist docker-ce-stable)" == "" ];
          then
            dnf -y config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
        fi
      when: ansible_distribution in ["AlmaLinux", "Rocky"]
      tags:
        - "AlmaLinux"
        - "Rocky"


#################################
# T-Pot - Install Docker Engine #
#################################

- name: T-Pot - Install Docker Engine
  hosts: all
  gather_facts: true
  become: true

  tasks:
    - name: Install Docker Engine packages (openSUSE Tumbleweed)
      package:
        name:
          - docker
          - docker-bash-completion
          - docker-buildx
          - docker-compose
          - docker-compose-switch
          - liblvm2cmd2_03
          - lvm2
        state: latest
        update_cache: yes
      when: ansible_distribution in ["openSUSE Tumbleweed"]
      tags:
        - "openSUSE Tumbleweed"

    - name: Install Docker Engine packages (AlmaLinux, Debian, Fedora, Raspbian, Rocky, Ubuntu)
      package:
        name:
          - docker-ce 
          - docker-ce-cli 
          - containerd.io
          - docker-buildx-plugin
          - docker-compose-plugin 
        state: latest
        update_cache: yes
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "Raspbian", "Rocky", "Ubuntu"]
      tags:
        - "AlmaLinux"
        - "Debian"
        - "Fedora"
        - "Raspbian"
        - "Rocky"
        - "Ubuntu"

    - name: Stop Docker (All)
      service:
        name: docker
        state: stopped
        enabled: false
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]
      tags:
        - "AlmaLinux"
        - "Debian"
        - "Fedora"
        - "openSUSE Tumbleweed"
        - "Raspbian"
        - "Rocky"
        - "Ubuntu"

######################################################
# T-Pot - Adjust configs, add users and groups, etc. #
######################################################

- name: T-Pot - Adjust configs, add users and groups, etc.
  hosts: all
  gather_facts: true
  become: true

  tasks:
    - name: Create T-Pot group (All)
      group:
        name: tpot
        gid: 2000
        state: present
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]
      tags:
        - "AlmaLinux"
        - "Debian"
        - "Fedora"
        - "openSUSE Tumbleweed"
        - "Raspbian"
        - "Rocky"
        - "Ubuntu"

    - name: Create T-Pot user (All)
      user:
        name: tpot
        uid: 2000
        system: yes
        shell: /bin/false
        home: /nonexistent
        group: tpot
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]
      tags:
        - "AlmaLinux"
        - "Debian"
        - "Fedora"
        - "openSUSE Tumbleweed"
        - "Raspbian"
        - "Rocky"
        - "Ubuntu"

    - name: Disable ssh.socket unit (Ubuntu)
      systemd:
        name: ssh.socket
        state: stopped
        enabled: false
      when: ansible_distribution in ["Ubuntu"]
      tags:
        - "Ubuntu"

    - name: Remove ssh.socket.conf file (Ubuntu)
      file:
        path: /etc/systemd/system/ssh.service.d/00-socket.conf
        state: absent
      when: ansible_distribution in ["Ubuntu"]
      tags:
        - "Ubuntu"

    - name: Change SSH Port to 64295 (AlmaLinux, Debian, Fedora, Raspbian, Rocky, Ubuntu)
      lineinfile:
        path: /etc/ssh/sshd_config
        line: "Port 64295"
        insertafter: EOF
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "Raspbian", "Rocky", "Ubuntu"]
      tags:
        - "AlmaLinux"
        - "Debian"
        - "Fedora"
        - "Raspbian"
        - "Rocky"
        - "Ubuntu"

    - name: Change SSH Port to 64295 (openSUSE Tumbleweed)
      lineinfile:
        path: /etc/ssh/sshd_config.d/port.conf
        line: "Port 64295"
        create: yes
      when: ansible_distribution in ["openSUSE Tumbleweed"]
      tags:
        - "openSUSE Tumbleweed"

    - name: Add T-Pot SSH port to Firewall (AlmaLinux, Fedora, openSUSE Tumbleweed, Rocky)
      firewalld:
        port: 64295/tcp
        permanent: yes
        state: enabled
      when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "Rocky"]
      tags:
        - "AlmaLinux"
        - "Fedora"
        - "openSUSE Tumbleweed"
        - "Rocky"

    - name: Set T-Pot default target to ACCEPT (AlmaLinux, Fedora, openSUSE Tumbleweed, Rocky)
      firewalld:
        zone: public
        target: ACCEPT
        permanent: yes
        state: enabled
      when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "Rocky"]
      tags:
        - "AlmaLinux"
        - "Fedora"
        - "openSUSE Tumbleweed"
        - "Rocky"

    - name: Load kernel modules (AlmaLinux, Fedora, Rocky)
      command: modprobe -v iptable_filter
      when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"]
      tags:
        - "AlmaLinux"
        - "Fedora"
        - "Rocky"

    - name: Update iptables.conf (AlmaLinux, Fedora, Rocky)
      lineinfile:
        path: /etc/modules-load.d/iptables.conf
        line: iptable_filter
        create: yes
      when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"]
      tags:
        - "AlmaLinux"
        - "Fedora"
        - "Rocky"

    - name: Set SELinux config to permissive (AlmaLinux, Fedora, Rocky)
      lineinfile:
        path: /etc/selinux/config
        regexp: '^SELINUX='
        line: 'SELINUX=permissive'
      when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"]
      tags:
        - "AlmaLinux"
        - "Fedora"
        - "Rocky"

    - name: Set SELinux to permissive (AlmaLinux, Fedora, Rocky)
      command: "setenforce Permissive"
      when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"]
      tags:
        - "AlmaLinux"
        - "Fedora"
        - "Rocky"

    - name: Stop Resolved (Fedora, Ubuntu)
      service:
        name: systemd-resolved
        state: stopped
      when: ansible_distribution in ["Fedora", "Ubuntu"]
      tags:
        - "Fedora"
        - "Ubuntu"

    - name: Modify DNSStubListener in resolved.conf (Fedora, Ubuntu)
      lineinfile:
        path: /etc/systemd/resolved.conf
        regexp: '^.*DNSStubListener=.*'
        line: 'DNSStubListener=no'
        state: present
      when: ansible_distribution in ["Fedora", "Ubuntu"]
      tags:
        - "Fedora"
        - "Ubuntu"

############################
# T-Pot - Restart services #
############################

- name: T-Pot - Restart services
  hosts: all
  gather_facts: true
  become: true

  tasks:
    - name: Start Resolved (Fedora, Ubuntu)
      service:
        name: systemd-resolved
        state: restarted
      when: ansible_distribution in ["Fedora", "Ubuntu"]
      tags:
        - "Fedora"
        - "Ubuntu"

    - name: Restart Firewalld (AlmaLinux, Fedora, openSUSE Tumbleweed, Rocky)
      service:
        name: firewalld
        state: restarted
      when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "Rocky"]
      tags:
        - "AlmaLinux"
        - "Fedora"
        - "Rocky"
        - "openSUSE Tumbleweed"

    - name: Get Firewall rules (AlmaLinux, Fedora, openSUSE Tumbleweed, Rocky)
      command: "firewall-cmd --list-all"
      register: firewall_output
      when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "Rocky"]
      tags:
        - "AlmaLinux"
        - "Fedora"
        - "Rocky"
        - "openSUSE Tumbleweed"

    - name: Print Firewall rules (AlmaLinux, Fedora, openSUSE Tumbleweed, Rocky)
      debug:
        var: firewall_output.stdout_lines
      when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "Rocky"]
      tags:
        - "AlmaLinux"
        - "Fedora"
        - "openSUSE Tumbleweed"
        - "Rocky"

    - name: Enable Docker Engine upon boot (All)
      service:
        name: docker
        state: restarted
        enabled: true
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]
      tags:
        - "AlmaLinux"
        - "Debian"
        - "Fedora"
        - "openSUSE Tumbleweed"
        - "Raspbian"
        - "Rocky"
        - "Ubuntu"

    - name: Restart SSH (All)
      service:
        name: "{{ 'ssh' if ansible_distribution in ['Ubuntu'] else 'sshd' }}"
        state: restarted
        enabled: true
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]
      tags:
        - "AlmaLinux"
        - "Debian"
        - "Fedora"
        - "openSUSE Tumbleweed"
        - "Raspbian"
        - "Rocky"
        - "Ubuntu"

#######################################################################
# T-Pot - Adjust group users, bashrc, clone / update T-Pot repository #
#######################################################################

- name: T-Pot - Adjust group users, bashrc, clone / update T-Pot repository
  hosts: all
  gather_facts: true
  become: false
  tags:
    - "AlmaLinux"
    - "Debian"
    - "Fedora"
    - "openSUSE Tumbleweed"
    - "Raspbian"
    - "Rocky"
    - "Ubuntu"

  tasks:
    - name: Add aliases (All)
      blockinfile:
        path: ~/.bashrc
        block: |
          alias dps='grc --colour=on docker ps -f status=running -f status=exited --format "table {{'{{'}}.Names{{'}}'}}\\t{{'{{'}}.Status{{'}}'}}\\t{{'{{'}}.Ports{{'}}'}}" | sort'
          alias dpsw='watch -c bash -ic dps'
          alias mi='micro'
          alias sudo='sudo '
          alias ls='exa'
          alias ll='exa -hlg'
          alias la='exa -hlag'
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        insertafter: EOF
        state: present
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]

    - name: Clone / Update T-Pot repository (All)
      git:
        repo: 'https://github.com/telekom-security/tpotce'
        dest: '/home/{{ ansible_user_id }}/tpotce/'
        version: alpha
        clone: yes
        update: no
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]

    - name: Add current user to Docker, T-Pot group (All)
      become: true
      user:
        name: "{{ ansible_user_id }}"
        groups: 
          - docker
          - tpot
        append: yes
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]

    - name: Check for non-root user id (All)
      debug:
        msg: "Detected user: '{{ ansible_user_id }}'"
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]
      failed_when: ansible_user_id == "root"

########################################
# T-Pot - Install service and cron job #
########################################

- name: T-Pot - Install service
  hosts: all
  gather_facts: true
  become: false
  tags:
    - "AlmaLinux"
    - "Debian"
    - "Fedora"
    - "openSUSE Tumbleweed"
    - "Raspbian"
    - "Rocky"
    - "Ubuntu"

  tasks:
    - name: Install systemd service (All)
      become: true
      ansible.builtin.template:
        src: '/home/{{ ansible_user_id }}/tpotce/installer/install/tpot.service'
        dest: '/etc/systemd/system/tpot.service'
        owner: root
        group: root
        mode: '0755'
      notify: Reload systemd and enable service
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]

  handlers:
    - name: Reload systemd and enable service
      become: true
      ansible.builtin.systemd:
        name: tpot.service
        daemon_reload: yes
        state: stopped
        enabled: yes
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]

- name: T-Pot - Setup a randomized daily reboot
  hosts: all
  gather_facts: true
  become: yes
  tags:
    - "AlmaLinux"
    - "Debian"
    - "Fedora"
    - "openSUSE Tumbleweed"
    - "Raspbian"
    - "Rocky"
    - "Ubuntu"

  vars:
    random_minute: "{{ range(0, 60) | random }}"
    random_hour: "{{ range(0, 5) | random }}" # We want the reboot randomly happen at night

  tasks:
    - name: Setup a randomized daily reboot (All)
      cron:
        name: "T-Pot Daily Reboot"
        user: root
        minute: "{{ random_minute }}"
        hour: "{{ random_hour }}"
        job: "bash -c 'systemctl stop tpot.service && docker container prune -f; docker image prune -f; docker volume prune -f; /usr/sbin/shutdown -r +1 \"T-Pot Daily Reboot\"'"
        state: present
      when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]