Merge pull request #356 from TheHADILP/ansible-otc

Added Ansible T-Pot Deployment on Open Telekom Cloud

CHANGELOG.md

@@ -33,3 +33,8 @@
   - If T-Pot, opposed to the requirements, does not have full internet access netselect-apt fails to determine the fastest mirror as it needs ICMP and UDP outgoing. Should netselect-apt fail the default mirrors will be used.
 - **Improve install speed with apt-fast**
   - Migrating from a stable base install to Debian (Sid) requires downloading lots of packages. Depending on your geo location the download speed was already improved by introducing netselect-apt to determine the fastest mirror. With apt-fast the downloads will be even faster by downloading packages not only in parallel but also with multiple connections per package.
+
+## 20190421
+- **Added Ansible T-Pot Deployment on Open Telekom Cloud**
+  - Reusable Ansible Playbooks for all cloud providers
+  - Example Showcase with our Open Telekom Cloud

README.md

@@ -52,6 +52,8 @@ Furthermore we use the following tools
   - [Running on Hardware](#hardware)
   - [Post Install User](#postinstall)
   - [Post Install Auto](#postinstallauto)
+  - [Cloud Deployments](#cloud)
+    - [Ansible Deployment on Open Telekom Cloud](#ansible-otc)
   - [First Run](#firstrun)
   - [System Placement](#placement)
 - [Updates](#updates)
@@ -117,6 +119,9 @@ Furthermore we use the following tools
 - **Improve install speed with apt-fast**
   - Migrating from a stable base install to Debian (Sid) requires downloading lots of packages. Depending on your geo location the download speed was already improved by introducing netselect-apt to determine the fastest mirror. Wit
 h apt-fast the downloads will be even faster by downloading packages not only in parallel but also with multiple connections per package.
+- **Added Ansible T-Pot Deployment on Open Telekom Cloud**
+  - Reusable Ansible Playbooks for all cloud providers
+  - Example Showcase with our Open Telekom Cloud
 
 <a name="concept"></a>
 # Technical Concept
@@ -316,6 +321,20 @@ cp tpot.conf.dist tpot.conf
 
 The installer will start automatically and guide you through the install process.
 
+<a name="cloud"></a>
+## Cloud Deployments
+Located in the [`cloud`](cloud) folder.  
+Currently there is an example with Ansible.  
+If you would like to contribute you can add other cloud deployments like Terraform, Chef or Puppet.
+
+<a name="ansible-otc"></a>
+### Ansible Deployment on Open Telekom Cloud
+You can find an Ansible Playbook based automated T-Pot Deployment in the [`cloud/open-telekom-cloud`](cloud/open-telekom-cloud) folder.  
+The Playbooks in the [`cloud/open-telekom-cloud/ansible`](cloud/open-telekom-cloud/ansible) folder are reusable across all cloud providers (like AWS, Azure, Digital Ocean).  
+The [`deploy_ansible_otc_t-pot.sh`](cloud/open-telekom-cloud/deploy_ansible_otc_t-pot.sh) script is an example of how it works with our own Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en).  
+It first creates a new Elastic Cloud Server via the Open Telekom Cloud API and then invokes the Ansible Playbooks to install and configure T-Pot.  
+You can have a look at the script and easily adapt it for other cloud providers.
+
 <a name="firstrun"></a>
 ## First Run
 The installation requires very little interaction, only a locale and keyboard setting have to be answered for the basic linux installation. The system will reboot and please maintain the active internet connection. The T-Pot installer will start and ask you for an installation type, password for the **tsec** user and credentials for a **web user**. Everything else will be configured automatically. All docker images and other componenents will be downloaded. Depending on your network connection and the chosen installation type, the installation may take some time. During our tests (250Mbit down, 40Mbit up), the installation was usually finished within a 15-30 minute timeframe.

cloud/open-telekom-cloud/.ecs_settings.sh

@@ -0,0 +1,15 @@
+# Set password for user linux
+linuxpass=LiNuXuSeRPaSs#
+
+# Custom EWS config
+custom_ews=false
+
+# Set ECS related stuff
+instance=s2.medium.8
+imagename=Standard_Debian_9_latest
+subnet=your-subnet
+vpcname=your-vpc
+secgroup=your-sg
+keyname=your-KeyPair
+disksize=128
+az=eu-de-03

cloud/open-telekom-cloud/.gitignore

@@ -0,0 +1,11 @@
+# Ansible
+*.retry
+
+# Generated hosts
+hosts/
+
+# Cloned git repository
+otc-tools/
+
+# All log files
+*.log

cloud/open-telekom-cloud/.hpfeeds_settings.sh

@@ -0,0 +1,8 @@
+myENABLE=false
+myHOST=host
+myPORT=port
+myCHANNEL=channels
+myIDENT=user
+mySECRET=secret
+myCERT=false
+myFORMAT=json

cloud/open-telekom-cloud/.otc_env.sh

@@ -0,0 +1,5 @@
+export OS_USERNAME=your_api_user
+export OS_PASSWORD=your_password
+export OS_USER_DOMAIN_NAME=OTC-EU-DE-000000000010000XXXXX
+export OS_PROJECT_NAME=eu-de_your_project
+export OS_AUTH_URL=https://iam.eu-de.otc.t-systems.com/v3

cloud/open-telekom-cloud/README.md

@@ -0,0 +1,228 @@
+# Ansible T-Pot Deployment on Open Telekom Cloud :cloud:
+
+Here you can find a ready-to-use solution for your automated T-Pot deployment using [Ansible](https://www.ansible.com/).  
+It consists of multiple Ansible Playbooks, which can be reused across all Cloud Providers (like AWS, Azure, Digital Ocean).  
+This example showcases the deployment on our own Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en).
+
+# Table of contents
+- [Installation of Ansible Master](#installation)
+  - [Packages](#packages)
+  - [Agent Forwarding](#agent-forwarding)
+- [Preparations in Open Telekom Cloud Console](#preparation)
+  - [Create new project](#project)
+  - [Create API user](#api-user)
+  - [Import Key Pair](#key-pair)
+  - [Create VPC, Subnet and Security Group](#vpc-subnet-securitygroup)
+- [Clone Git Repository](#clone-git)
+- [Settings and recommended values](#settings)
+  - [Configure `.otc_env.sh`](#otc-env)
+  - [Configure `.ecs_settings.sh`](#ecs-settings)
+  - [Configure `tpot.conf.dist`](#tpot-conf)
+  - [Optional: Custom `ews.cfg`](#ews-cfg)
+  - [Optional: Configure `.hpfeeds_settings.sh`](#hpfeeds)
+- [Deploying a T-Pot](#deploy)
+- [Further documentation](#documentation)
+
+<a name="installation"></a>
+# Installation of Ansible Master
+You can either run the deploy script locally on your Linux or MacOS machine or you can use an ECS (Elastic Cloud Server) on Open Telekom Cloud, which I did.  
+I used Ubuntu 18.04 for my Ansible Master Server, but other OSes are fine too.  
+Ansible works over the SSH Port, so you don't have to add any special rules to you Security Group.
+
+<a name="packages"></a>
+## Packages
+At first we need to add the repository and install Ansible:  
+`sudo apt-add-repository --yes --update ppa:ansible/ansible`  
+`sudo apt install ansible`
+
+Also we need **pwegen** (for creating T-Pot names) and **jq** (a JSON processor):  
+`sudo apt install pwgen jq`
+
+<a name="agent-forwarding"></a>
+## Agent Forwarding
+Agent forwarding must be enabled in order to let Ansible do its work.  
+- On Linux or MacOS:  
+  - Create or edit `~/.ssh/config`
+  - If you execute the script remotely on your Ansible Master Server:
+    ```
+    Host ANSIBLE_MASTER_IP
+    ForwardAgent yes
+    ```
+  - If you execute the script locally, enable it for all Hosts, as this includes newly generated T-Pots:
+    ```
+    Host *
+    ForwardAgent yes
+    ```
+- On Windows using Putty:  
+![Putty Agent Forwarding](doc/putty_agent_forwarding.png)
+
+<a name="preparation"></a>
+# Preparations in Open Telekom Cloud Console
+(You can skip this if you have already set up an API account, VPC and ...)  
+(Just make sure you know the naming for everything, as you will need it to configure the script.)
+
+Before we can start deploying, we have to prepare the Open Telekom Cloud Tennant.  
+For that, go to the [Web Console](https://auth.otc.t-systems.com/authui/login) and log in with an admin user.
+
+<a name="project"></a>
+## Create new project
+I strongly advise you, to create a separate project for the T-Pots in your tennant.  
+In my case I named it `tpot`.
+
+![Create new project](doc/otc_1_project.gif)
+
+<a name="api-user"></a>
+## Create API user
+The next step is to create a new user account, which is restricted to the project.  
+This ensures that the API access is limited to that project.
+
+![Create API user](doc/otc_2_user.gif)
+
+<a name="key-pair"></a>
+## Import Key Pair
+:warning: Now log in with the newly created user account and select your project.
+
+![Login as API user](doc/otc_3_login.gif)
+
+
+Import your SSH public key.
+
+![Import SSH Public Key](doc/otc_4_import_key.gif)
+
+<a name="vpc-subnet-securitygroup"></a>
+## Create VPC, Subnet and Security Group
+- VPC (Virtual Private Cloud) and Subnet:
+
+![Create VPC and Subnet](doc/otc_5_vpc_subnet.gif)
+
+- Security Group:  
+The configured Security Group should allow all incoming TCP / UDP traffic.  
+If you want to secure the management interfaces, you can limit the incoming "allow all" traffic to the port range of 1-64000 and allow access to ports > 64000 only from your trusted IPs.
+
+![Create Security Group](doc/otc_6_sec_group.gif)
+
+<a name="clone-git"></a>
+# Clone Git Repository
+Clone the `tpotce` repository to your Ansible Master:  
+`git clone https://github.com/dtag-dev-sec/tpotce.git`  
+All Ansible and automatic deployment related files are located in the [`cloud/open-telekom-cloud`](../../cloud/open-telekom-cloud) folder.
+
+<a name="settings"></a>
+# Settings and recommended values
+You can configure all aspects of your ECS and T-Pot before using the script.  
+The settings are located in the following files:
+
+<a name="otc-env"></a>
+## Configure `.otc_env.sh`
+Enter your Open Telekom Cloud API user credentials here (username, password, tennant-ID, project name):  
+```
+export OS_USERNAME=your_api_user
+export OS_PASSWORD=your_password
+export OS_USER_DOMAIN_NAME=OTC-EU-DE-000000000010000XXXXX
+export OS_PROJECT_NAME=eu-de_your_project
+export OS_AUTH_URL=https://iam.eu-de.otc.t-systems.com/v3
+```
+
+<a name="ecs-settings"></a>
+## Configure `.ecs_settings.sh`
+Here you can customize your Elastic Cloud Server (ECS):
+  - Password for the user `linux` (**you should definitely change that**)  
+    You may have to adjust the `remote_user` in the Ansible Playbooks under [ansible](ansible) if you are using a normal/default Debian base image
+  - (Optional) For using a custom `ews.cfg` set to `true`; See here: [Optional: Custom `ews.cfg`](#ews-cfg)
+  - (Optional) Change the instance type (flavor) of the ECS.  
+    `s2.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor.  
+    A full list of flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0035470096.html).
+  - Change the OS (Don't touch; for T-Pot we need Debian 9)
+  - Specify the VPC, Subnet, Security Group and Key Pair you created before
+  - (Optional) Change the disk size
+  - You can choose from multiple Availibility Zones (AZ). For reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html).
+
+```
+# Set password for user linux
+linuxpass=LiNuXuSeRPaSs#
+
+# Custom EWS config
+custom_ews=false
+
+# Set ECS related stuff
+instance=s2.medium.8
+imagename=Standard_Debian_9_latest
+subnet=your-subnet
+vpcname=your-vpc
+secgroup=your-sg
+keyname=your-KeyPair
+disksize=128
+az=eu-de-03
+```
+
+<a name="tpot-conf"></a>
+## Configure `tpot.conf.dist`
+The file is located in [`iso/installer/tpot.conf.dist`](../../iso/installer/tpot.conf.dist).  
+Here you can choose:
+  - between the various T-Pot editions
+  - a username for the web interface
+  - a password for the web interface (**you should definitely change that**)
+
+```
+# tpot configuration file
+# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN, LEGACY]
+myCONF_TPOT_FLAVOR='STANDARD'
+myCONF_WEB_USER='webuser'
+myCONF_WEB_PW='w3b$ecret'
+```
+
+<a name="ews-cfg"></a>
+## Optional: Custom `ews.cfg`
+To enable this feature, set `custom_ews=true` in `.ecs_settings.sh`; See here:  [Configure `.ecs_settings.sh`](#ecs-settings)  
+
+Here you can create a custom config file for `ewsposter`.  
+e.g. when you have your own credentials for delivering data to our [Sicherheitstacho](https://sicherheitstacho.eu/start/main).  
+You can find the `ews.cfg` template file here: [`ansible/roles/custom_ews/templates/ews.cfg`](ansible/roles/custom_ews/templates/ews.cfg) and adapt it for your needs.
+
+For setting custom credentials, these settings would be relevant for you (the rest of the file can stay as is):  
+```
+[MAIN]
+...
+contact = your_email_address
+...
+
+[EWS]
+...
+username = your_username
+token = your_token
+...
+```
+
+<a name="hpfeeds"></a>
+## Optional: Configure `.hpfeeds_settings.sh`
+When the `custom_ews=true` setting is set in`.ecs_settings.sh` (see here:  [Configure `.ecs_settings.sh`](#ecs-settings)), you can also specify custom HPFEEDS in `.hpfeeds_settings.sh`.  
+e.g. for SISSDEN: 
+```
+myENABLE=true
+myHOST=hpfeeds.sissden.eu
+myPORT=10000
+myCHANNEL=t-pot.events
+myIDENT=your_user
+mySECRET=your_secret
+myCERT=/opt/ewsposter/sissden.pem
+myFORMAT=json
+```
+
+<a name="deploy"></a>
+# Deploying a T-Pot :honey_pot::honeybee:
+Now, after configuring everything, we can finally start deploying T-Pots:  
+`./deploy_ansible_otc_t-pot.sh`  
+(Yes, it is as easy as that :smile:)
+
+The script will first create an Open Telekom Cloud ECS via the API.  
+After that, the Ansible Playbooks are executed on the newly created Host to install the T-Pot and configure everything.
+
+You can see the progress of every step in the console output.  
+If something should go wrong, you will be provided with an according error message, that you can hopefully act upon and retry.
+
+<a name="documentation"></a>
+# Further documentation
+- [Ansible Documentation](https://docs.ansible.com/ansible/latest/)
+- [Open Telekom Cloud Help Center](https://docs.otc.t-systems.com/)
+- [Open Telekom Cloud API Overview](https://docs.otc.t-systems.com/en-us/api/wp/en-us_topic_0052070394.html)
+- [otc-tools](https://github.com/OpenTelekomCloud/otc-tools) on GitHub

cloud/open-telekom-cloud/ansible/custom_ews.yaml

@@ -0,0 +1,10 @@
+# This playbook sets a custom EWS config on the T-Pot
+
+- hosts: TPOT
+  remote_user: linux
+  become: yes
+  become_user: root
+  become_method: sudo
+
+  roles:
+    - custom_ews

cloud/open-telekom-cloud/ansible/install.yaml

@@ -0,0 +1,13 @@
+# This playbook deploys a T-Pot
+
+- hosts: TPOT
+  remote_user: linux
+  become: yes
+  become_user: root
+  become_method: sudo
+  gather_facts: no
+
+  roles:
+    - install
+
+

cloud/open-telekom-cloud/ansible/reboot.yaml

@@ -0,0 +1,12 @@
+# This playbook reboots a T-Pot
+
+- hosts: TPOT
+  remote_user: linux
+  become: yes
+  become_user: root
+  become_method: sudo
+
+  tasks:
+    - name: Finally rebooting t-pot in one minute - make sure your next login is on port 64295 or via https:// on port 64297
+      shell: /sbin/shutdown -r -t 1
+      become: true

cloud/open-telekom-cloud/ansible/roles/custom_ews/tasks/main.yaml

@@ -0,0 +1,40 @@
+- name: Copy ews configuration file
+  template:
+    src: ../templates/ews.cfg
+    dest: /data/ews/conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Patching tpot.yml with custom ews configuration file
+  lineinfile:
+    path: /opt/tpot/etc/tpot.yml
+    insertafter: '/opt/ewsposter/ews.ip'
+    line: '     - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg'
+
+- name: Lookup HPFEED environment variables
+  set_fact:
+    myENABLE: "{{ lookup('env', 'myENABLE') }}"
+    myHOST: "{{ lookup('env', 'myHOST') }}"
+    myPORT: "{{ lookup('env', 'myPORT') }}"
+    myCHANNEL: "{{ lookup('env', 'myCHANNEL') }}"
+    myIDENT: "{{ lookup('env', 'myIDENT') }}"
+    mySECRET: "{{ lookup('env', 'mySECRET') }}"
+    myCERT: "{{ lookup('env', 'myCERT') }}"
+    myFORMAT: "{{ lookup('env', 'myFORMAT') }}"
+
+- name: Apply HPFEED settings in tpot.yml
+  lineinfile:
+    path: /opt/tpot/etc/tpot.yml
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  with_items:
+    - { regexp: 'EWS_HPFEEDS_ENABLE.*', line: '     - EWS_HPFEEDS_ENABLE={{ myENABLE | lower }}' }
+    - { regexp: 'EWS_HPFEEDS_HOST.*', line: '     - EWS_HPFEEDS_HOST={{ myHOST }}' }
+    - { regexp: 'EWS_HPFEEDS_PORT.*', line: '     - EWS_HPFEEDS_PORT={{ myPORT }}' }
+    - { regexp: 'EWS_HPFEEDS_CHANNELS.*', line: '     - EWS_HPFEEDS_CHANNELS={{ myCHANNEL }}' }
+    - { regexp: 'EWS_HPFEEDS_IDENT.*', line: '     - EWS_HPFEEDS_IDENT={{ myIDENT }}' }
+    - { regexp: 'EWS_HPFEEDS_SECRET.*', line: '     - EWS_HPFEEDS_SECRET={{ mySECRET }}' }
+    - { regexp: 'EWS_HPFEEDS_TLSCERT.*', line: '     - EWS_HPFEEDS_TLSCERT={{ myCERT }}' }
+    - { regexp: 'EWS_HPFEEDS_TLSCERT.False', line: '     - EWS_HPFEEDS_TLSCERT={{ myCERT | lower }}' }
+    - { regexp: 'EWS_HPFEEDS_FORMAT.*', line: '     - EWS_HPFEEDS_FORMAT={{ myFORMAT }}' }

cloud/open-telekom-cloud/ansible/roles/custom_ews/templates/ews.cfg

@@ -0,0 +1,137 @@
+[MAIN]
+homedir = /opt/ewsposter/
+spooldir = /opt/ewsposter/spool/
+logdir = /opt/ewsposter/log/
+del_malware_after_send = false
+send_malware = true
+sendlimit = 500
+contact = your_email_address
+proxy =
+ip =
+
+[EWS]
+ews = true
+username = your_username
+token = your_token
+rhost_first = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage
+rhost_second = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage
+ignorecert = false
+
+[HPFEED]
+hpfeed = %(EWS_HPFEEDS_ENABLE)s
+host = %(EWS_HPFEEDS_HOST)s
+port = %(EWS_HPFEEDS_PORT)s
+channels = %(EWS_HPFEEDS_CHANNELS)s
+ident = %(EWS_HPFEEDS_IDENT)s
+secret= %(EWS_HPFEEDS_SECRET)s
+# path/to/certificate for tls broker - or "false" for non-tls broker
+tlscert = %(EWS_HPFEEDS_TLSCERT)s
+# hpfeeds submission format: "ews" (xml) or "json"
+hpfformat = %(EWS_HPFEEDS_FORMAT)s
+
+[EWSJSON]
+json = false
+jsondir = /data/ews/json/
+
+[GLASTOPFV3]
+glastopfv3 = true
+nodeid = glastopfv3-{{ HPNAME }}
+sqlitedb = /data/glastopf/db/glastopf.db
+malwaredir = /data/glastopf/data/files/
+
+[GLASTOPFV2]
+glastopfv2 = false
+nodeid =
+mysqlhost =
+mysqldb =
+mysqluser =
+mysqlpw =
+malwaredir =
+
+[KIPPO]
+kippo = false
+nodeid =
+mysqlhost =
+mysqldb =
+mysqluser =
+mysqlpw =
+malwaredir =
+
+[COWRIE]
+cowrie = true
+nodeid = cowrie-{{ HPNAME }}
+logfile = /data/cowrie/log/cowrie.json
+
+[DIONAEA]
+dionaea = true
+nodeid = dionaea-{{ HPNAME }}
+malwaredir = /data/dionaea/binaries/
+sqlitedb = /data/dionaea/log/dionaea.sqlite
+
+[HONEYTRAP]
+honeytrap = true
+nodeid = honeytrap-{{ HPNAME }}
+newversion = true
+payloaddir = /data/honeytrap/attacks/
+attackerfile = /data/honeytrap/log/attacker.log
+
+[RDPDETECT]
+rdpdetect = false
+nodeid =
+iptableslog =
+targetip =
+
+[EMOBILITY]
+eMobility = false
+nodeid = emobility-{{ HPNAME }}
+logfile = /data/emobility/log/centralsystemEWS.log
+
+[CONPOT]
+conpot = true
+nodeid = conpot-{{ HPNAME }}
+logfile = /data/conpot/log/conpot*.json
+
+[ELASTICPOT]
+elasticpot = true
+nodeid = elasticpot-{{ HPNAME }}
+logfile = /data/elasticpot/log/elasticpot.log
+
+[SURICATA]
+suricata = true
+nodeid = suricata-{{ HPNAME }}
+logfile = /data/suricata/log/eve.json
+
+[MAILONEY]
+mailoney = true
+nodeid = mailoney-{{ HPNAME }}
+logfile = /data/mailoney/log/commands.log
+
+[RDPY]
+rdpy = true
+nodeid = rdpy-{{ HPNAME }}
+logfile = /data/rdpy/log/rdpy.log
+
+[VNCLOWPOT]
+vnclowpot = true
+nodeid = vnclowpot-{{ HPNAME }}
+logfile = /data/vnclowpot/log/vnclowpot.log
+
+[HERALDING]
+heralding = true
+nodeid = heralding-{{ HPNAME }}
+logfile = /data/heralding/log/auth.csv
+
+[CISCOASA]
+ciscoasa = true
+nodeid = ciscoasa-{{ HPNAME }}
+logfile = /data/ciscoasa/log/ciscoasa.log
+
+[TANNER]
+tanner = true
+nodeid = tanner-{{ HPNAME }}
+logfile = /data/tanner/log/tanner_report.json
+
+[GLUTTON]
+glutton = true
+nodeid = glutton-{{ HPNAME }}
+logfile = /data/glutton/log/glutton.log

cloud/open-telekom-cloud/ansible/roles/install/tasks/main.yaml

@@ -0,0 +1,50 @@
+- name: Waiting for SSH connection
+  wait_for_connection:
+    delay: 30
+    timeout: 300
+
+- name: Gathering Facts
+  setup:
+
+- name: Cloning t-pot install directory
+  git:
+    repo: 'https://github.com/dtag-dev-sec/tpotce.git'
+    dest: /root/tpot
+
+- name: Prepare to set user password 
+  set_fact:
+    user_password: "{{ lookup('env', 'LINUX_PASS') }}"
+    user_salt: 's0mew1ck3dTpoT'
+
+- name: Changing password for user linux to {{ user_password }}
+  user:
+   name: "linux"
+   password: "{{ user_password | password_hash('sha512', user_salt) }}"
+   state: present
+   shell: /bin/bash
+   update_password: always
+
+- name: Copy t-pot configuration file
+  template:
+    src: ../../../../../../iso/installer/tpot.conf.dist
+    dest: /root/tpot.conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Install t-pot on ECS -  be patient, this might take 15 to 30 minutes depending on the connection speed. No further output is given. 
+  command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
+
+- name: Delete t-pot configuration file
+  file:
+    path: /root/tpot.conf
+    state: absent
+
+- name: Change unattended-upgrades to take default action
+  blockinfile:
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    block: |
+      Dpkg::Options {
+        "--force-confdef";
+        "--force-confold";
+      }

cloud/open-telekom-cloud/deploy_ansible_otc_t-pot.sh

@@ -0,0 +1,133 @@
+#!/bin/bash
+
+# Check if required packages are installed
+if ! hash ansible 2>/dev/null; then
+    echo "### Package 'ansible' is missing. Please install it with:"
+    echo "    sudo apt-add-repository --yes --update ppa:ansible/ansible"
+    echo "    sudo apt install ansible"
+    exit 1
+fi
+
+if ! hash pwgen 2>/dev/null; then
+    echo "### Package 'pwgen' is missing. Please install it with:"
+    echo "    sudo apt install pwgen"
+    exit 1
+fi
+
+if ! hash jq 2>/dev/null; then
+    echo "### Package 'jq' is missing. Please install it with:"
+    echo "    sudo apt install jq"
+    exit 1
+fi
+
+# Check for Agent Forwarding
+if ! printenv | grep SSH_AUTH_SOCK > /dev/null; then
+    echo "### Agent forwarding seems to be disabled."
+    echo "### In order to let Ansible do its work, please enable it."
+    exit 1
+fi
+
+# Import ECS settings
+source .ecs_settings.sh
+
+# Import OTC authentication credentials
+source .otc_env.sh
+
+# Import HPFEED settings
+source .hpfeeds_settings.sh
+
+# Password is later used by Ansible
+export LINUX_PASS=$linuxpass
+
+# HPFEED settings are later used by Ansible
+export myENABLE=$myENABLE
+export myHOST=$myHOST
+export myPORT=$myPORT
+export myCHANNEL=$myCHANNEL
+export myIDENT=$myIDENT
+export mySECRET=$mySECRET
+export myCERT=$myCERT
+export myFORMAT=$myFORMAT
+
+# Ignore ssh host keys as they are new anyway
+export ANSIBLE_HOST_KEY_CHECKING=False
+
+# Create hosts directory
+mkdir -p hosts
+
+# Create random ID
+HPNAME=t-pot-otc-$(pwgen -ns 6 -1)
+
+# Get otc-tools
+echo "### Cloning otc-tools..."
+git clone https://github.com/OpenTelekomCloud/otc-tools.git  2>/dev/null
+
+# Create ECS via OTC API
+echo "### Creating new ECS host via OTC API..."
+./otc-tools/otc.sh ecs create \
+    --instance-type       $instance\
+    --instance-name       $HPNAME\
+    --image-name          $imagename\
+    --subnet-name         $subnet\
+    --vpc-name            $vpcname\
+    --security-group-name $secgroup\
+    --admin-pass          $linuxpass\
+    --key-name            $keyname\
+    --public              true\
+    --disksize            $disksize\
+    --disktype            SATA\
+    --az	          $az\
+    --wait \
+2> otc_tools.log
+
+if [ $? -eq 0 ]; then
+
+    if [ "$(uname)" == "Darwin" ]; then
+        PUBIP=$(./otc-tools/otc.sh ecs list 2>/dev/null | grep $HPNAME|cut -d "," -f2 |cut -d "\"" -f 2)
+    else
+        PUBIP=$(./otc-tools/otc.sh ecs list 2>/dev/null | grep $HPNAME|cut -d " " -f17)
+    fi
+
+    echo "[TPOT]" > ./hosts/$HPNAME
+    echo $PUBIP  HPNAME=$HPNAME>> ./hosts/$HPNAME
+    echo "### NEW HOST $HPNAME ON IP $PUBIP"
+
+    ansible-playbook -i ./hosts/$HPNAME ./ansible/install.yaml
+
+    if [ $custom_ews = true ]; then
+
+        ansible-playbook -i ./hosts/$HPNAME ./ansible/custom_ews.yaml
+
+    fi
+
+    ansible-playbook -i ./hosts/$HPNAME ./ansible/reboot.yaml
+
+    echo "***********************************************"
+    echo "*****        SSH TO TARGET: "
+    echo "*****        ssh linux@$PUBIP -p 64295"
+    echo "***********************************************"
+
+else
+
+    if grep 'Flavor' otc_tools.log > /dev/null; then
+        echo "### Specified ECS Flavor not found"
+    elif grep 'No image found by name' otc_tools.log > /dev/null; then
+        echo "### Specified Image not found"
+    elif grep 'No subnet found by name' otc_tools.log > /dev/null; then
+        echo "### Specified Subnet not found"
+    elif grep 'No VPC found by name' otc_tools.log > /dev/null; then
+        echo "### Specified VPC not found"
+    elif grep 'No security-group found by name' otc_tools.log > /dev/null; then
+        echo "### Specified Security Group not found"
+    elif grep 'Invalid key_name provided' otc_tools.log > /dev/null; then
+        echo "### Specified Key Pair not found"
+    elif grep 'availability_zone' otc_tools.log > /dev/null; then
+        echo "### Specified Availability Zone not found"
+    elif grep 'quota' otc_tools.log > /dev/null; then
+        echo "### Quota exceeded. Please check your available quotas online"
+        echo "### You can either delete unused resources or apply for a higher quota"
+    fi
+
+    echo "### ECS creation unsuccessful. Aborting..."
+
+fi

iso/installer/install.sh

@@ -692,6 +692,11 @@ fuBANNER "Set hostname"
 hostnamectl set-hostname $myHOST
 sed -i 's#127.0.1.1.*#127.0.1.1\t'"$myHOST"'#g' /etc/hosts
 
+# Prevent cloud-init from overwriting our new hostname
+if [ -f '/etc/cloud/cloud.cfg' ]; then
+    sed -i 's/preserve_hostname.*/preserve_hostname: true/g' /etc/cloud/cloud.cfg
+fi
+
 # Let's patch cockpit.socket, sshd_config
 fuBANNER "Adjust ports"
 mkdir -p /etc/systemd/system/cockpit.socket.d

update.sh

@@ -258,6 +258,13 @@ echo "### Please reboot."
 echo
 }
 
+function fuRESTORE_EWSCFG () {
+if [ -f '/data/ews/conf/ews.cfg' ] && ! grep 'ews.cfg' /opt/tpot/etc/tpot.yml > /dev/null; then
+    echo "### Restoring volume mount for ews.cfg in tpot.yml"
+    sed -i '/\/opt\/ewsposter\/ews.ip/a\\ \ \ \ \ - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg' /opt/tpot/etc/tpot.yml
+fi
+}
+
 
 ################
 # Main section #
@@ -289,3 +296,4 @@ fuSTOP_TPOT
 fuBACKUP
 fuSELFUPDATE "$0" "$@"
 fuUPDATER
+fuRESTORE_EWSCFG