From f501d440c824e3032a5829f1de279da267832c88 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Sat, 29 Jun 2019 15:46:03 +0000 Subject: [PATCH 01/34] Delete old stuff --- cloud/open-telekom-cloud/.ecs_settings.sh | 15 --- cloud/open-telekom-cloud/.otc_env.sh | 5 - .../deploy_ansible_otc_t-pot.sh | 122 ------------------ 3 files changed, 142 deletions(-) delete mode 100644 cloud/open-telekom-cloud/.ecs_settings.sh delete mode 100644 cloud/open-telekom-cloud/.otc_env.sh delete mode 100755 cloud/open-telekom-cloud/deploy_ansible_otc_t-pot.sh diff --git a/cloud/open-telekom-cloud/.ecs_settings.sh b/cloud/open-telekom-cloud/.ecs_settings.sh deleted file mode 100644 index bb4a8423..00000000 --- a/cloud/open-telekom-cloud/.ecs_settings.sh +++ /dev/null @@ -1,15 +0,0 @@ -# Set password for user linux -linuxpass=LiNuXuSeRPaSs# - -# Custom EWS config -custom_ews=false - -# Set ECS related stuff -instance=s2.medium.8 -imagename=Standard_Debian_9_latest -subnet=your-subnet -vpcname=your-vpc -secgroup=your-sg -keyname=your-KeyPair -disksize=128 -az=eu-de-03 diff --git a/cloud/open-telekom-cloud/.otc_env.sh b/cloud/open-telekom-cloud/.otc_env.sh deleted file mode 100644 index 337617c1..00000000 --- a/cloud/open-telekom-cloud/.otc_env.sh +++ /dev/null @@ -1,5 +0,0 @@ -export OS_USERNAME=your_api_user -export OS_PASSWORD=your_password -export OS_USER_DOMAIN_NAME=OTC-EU-DE-000000000010000XXXXX -export OS_PROJECT_NAME=eu-de_your_project -export OS_AUTH_URL=https://iam.eu-de.otc.t-systems.com/v3 diff --git a/cloud/open-telekom-cloud/deploy_ansible_otc_t-pot.sh b/cloud/open-telekom-cloud/deploy_ansible_otc_t-pot.sh deleted file mode 100755 index 9f3756f9..00000000 --- a/cloud/open-telekom-cloud/deploy_ansible_otc_t-pot.sh +++ /dev/null 
@@ -1,122 +0,0 @@ -#!/bin/bash - -# Check if required packages are installed -if ! hash ansible 2>/dev/null; then - echo "### Package 'ansible' is missing. Please install it with:" - echo " sudo apt-add-repository --yes --update ppa:ansible/ansible" - echo " sudo apt install ansible" - exit 1 -fi - -if ! hash pwgen 2>/dev/null; then - echo "### Package 'pwgen' is missing. Please install it with:" - echo " sudo apt install pwgen" - exit 1 -fi - -if ! hash jq 2>/dev/null; then - echo "### Package 'jq' is missing. Please install it with:" - echo " sudo apt install jq" - exit 1 -fi - -# Check for Agent Forwarding -if ! printenv | grep SSH_AUTH_SOCK > /dev/null; then - echo "### Agent forwarding seems to be disabled." - echo "### In order to let Ansible do its work, please enable it." - exit 1 -fi - -# Import ECS settings -source .ecs_settings.sh - -# Import OTC authentication credentials -source .otc_env.sh - -# Password is later used by Ansible -export LINUX_PASS=$linuxpass - -# Ignore ssh host keys as they are new anyway -export ANSIBLE_HOST_KEY_CHECKING=False - -# Create hosts directory -mkdir -p hosts - -# Create random ID -HPNAME=t-pot-otc-$(pwgen -ns 6 -1) - -# Get otc-tools -echo "### Cloning otc-tools..." -git clone https://github.com/OpenTelekomCloud/otc-tools.git 2>/dev/null - -# Create ECS via OTC API -echo "### Creating new ECS host via OTC API..." -./otc-tools/otc.sh ecs create \ - --instance-type $instance\ - --instance-name $HPNAME\ - --image-name $imagename\ - --subnet-name $subnet\ - --vpc-name $vpcname\ - --security-group-name $secgroup\ - --admin-pass $linuxpass\ - --key-name $keyname\ - --public true\ - --disksize $disksize\ - --disktype SATA\ - --az $az\ - --wait \ -2> otc_tools.log - -if [ $? 
-eq 0 ]; then - - if [ "$(uname)" == "Darwin" ]; then - PUBIP=$(./otc-tools/otc.sh ecs list 2>/dev/null | grep $HPNAME|cut -d "," -f2 |cut -d "\"" -f 2) - else - PUBIP=$(./otc-tools/otc.sh ecs list 2>/dev/null | grep $HPNAME|cut -d " " -f17) - fi - - echo "[TPOT]" > ./hosts/$HPNAME - echo $PUBIP HPNAME=$HPNAME>> ./hosts/$HPNAME - echo "### NEW HOST $HPNAME ON IP $PUBIP" - - ansible-playbook -i ./hosts/$HPNAME ./ansible/install.yaml - - if [ $custom_ews = true ]; then - - ansible-playbook -i ./hosts/$HPNAME ./ansible/custom_ews.yaml - - fi - - ansible-playbook -i ./hosts/$HPNAME ./ansible/reboot.yaml - - echo "***********************************************" - echo "***** SSH TO TARGET: " - echo "***** ssh linux@$PUBIP -p 64295" - echo "***********************************************" - -else - - if grep '401 Unauthorized' otc_tools.log > /dev/null; then - echo "### API username or password is incorrect" - elif grep 'Flavor' otc_tools.log > /dev/null; then - echo "### Specified ECS Flavor not found" - elif grep 'No image found by name' otc_tools.log > /dev/null; then - echo "### Specified Image not found" - elif grep 'No subnet found by name' otc_tools.log > /dev/null; then - echo "### Specified Subnet not found" - elif grep 'No VPC found by name' otc_tools.log > /dev/null; then - echo "### Specified VPC not found" - elif grep 'No security-group found by name' otc_tools.log > /dev/null; then - echo "### Specified Security Group not found" - elif grep 'Invalid key_name provided' otc_tools.log > /dev/null; then - echo "### Specified Key Pair not found" - elif grep 'availability_zone' otc_tools.log > /dev/null; then - echo "### Specified Availability Zone not found" - elif grep 'quota' otc_tools.log > /dev/null; then - echo "### Quota exceeded. Please check your available quotas online" - echo "### You can either delete unused resources or apply for a higher quota" - fi - - echo "### ECS creation unsuccessful. Aborting..." - -fi 
From 9b67c9e66ca165ec7e0813fc8190a0363d56076a Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Sat, 29 Jun 2019 15:46:22 +0000 Subject: [PATCH 02/34] Update gitignore --- cloud/open-telekom-cloud/.gitignore | 9 --------- 1 file changed, 9 deletions(-) diff --git a/cloud/open-telekom-cloud/.gitignore b/cloud/open-telekom-cloud/.gitignore index 8d8f15eb..41f83492 100644 --- a/cloud/open-telekom-cloud/.gitignore +++ b/cloud/open-telekom-cloud/.gitignore @@ -1,11 +1,2 @@ # Ansible *.retry - -# Generated hosts -hosts/ - -# Cloned git repository -otc-tools/ - -# All log files -*.log From 1fab2a690a1da9143948fa599429f9a7d38ff87d Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Sat, 29 Jun 2019 15:55:44 +0000 Subject: [PATCH 03/34] Remove old playbooks --- cloud/open-telekom-cloud/ansible/custom_ews.yaml | 10 ---------- cloud/open-telekom-cloud/ansible/install.yaml | 13 ------------- cloud/open-telekom-cloud/ansible/reboot.yaml | 12 ------------ 3 files changed, 35 deletions(-) delete mode 100644 cloud/open-telekom-cloud/ansible/custom_ews.yaml delete mode 100644 cloud/open-telekom-cloud/ansible/install.yaml delete mode 100644 cloud/open-telekom-cloud/ansible/reboot.yaml diff --git a/cloud/open-telekom-cloud/ansible/custom_ews.yaml b/cloud/open-telekom-cloud/ansible/custom_ews.yaml deleted file mode 100644 index a9fc39e0..00000000 --- a/cloud/open-telekom-cloud/ansible/custom_ews.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# This playbook sets a custom EWS config on the T-Pot - -- hosts: TPOT - remote_user: linux - become: yes - become_user: root - become_method: sudo - - roles: - - custom_ews diff --git a/cloud/open-telekom-cloud/ansible/install.yaml b/cloud/open-telekom-cloud/ansible/install.yaml deleted file mode 100644 index e0fe70ca..00000000 --- a/cloud/open-telekom-cloud/ansible/install.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -# This playbook deploys a T-Pot - -- hosts: TPOT - remote_user: linux - become: yes - become_user: root - become_method: sudo - gather_facts: no - - roles: - - install - - diff --git a/cloud/open-telekom-cloud/ansible/reboot.yaml b/cloud/open-telekom-cloud/ansible/reboot.yaml deleted file mode 100644 index f4fc4f3f..00000000 --- a/cloud/open-telekom-cloud/ansible/reboot.yaml +++ /dev/null @@ -1,12 +0,0 @@ -# This playbook reboots a T-Pot - -- hosts: TPOT - remote_user: linux - become: yes - become_user: root - become_method: sudo - - tasks: - - name: Finally rebooting t-pot in one minute - make sure your next login is on port 64295 or via https:// on port 64297 - shell: /sbin/shutdown -r -t 1 - become: true From bcb6c7e6167824d2485df556251b8828ab1fce18 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Sat, 29 Jun 2019 15:57:26 +0000 Subject: [PATCH 04/34] Added ansible config --- cloud/open-telekom-cloud/ansible/ansible.cfg | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 cloud/open-telekom-cloud/ansible/ansible.cfg diff --git a/cloud/open-telekom-cloud/ansible/ansible.cfg b/cloud/open-telekom-cloud/ansible/ansible.cfg new file mode 100644 index 00000000..0e7d2cb7 --- /dev/null +++ b/cloud/open-telekom-cloud/ansible/ansible.cfg @@ -0,0 +1,5 @@ +[defaults] +host_key_checking = false + +[ssh_connection] +scp_if_ssh = true From 0392517fa25c5c63a77fdad2096821f66c394415 Mon Sep 17 00:00:00 2001 
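Review bot: `host_key_checking = false` in the new ansible.cfg switches off SSH host-key verification for every host any playbook run from this directory touches, not only the freshly created instance, so a redirected or spoofed target between the Ansible master and a reused inventory entry would be accepted silently. The deleted deploy script did the same through `ANSIBLE_HOST_KEY_CHECKING=False`, so the exposure is carried over rather than new, but it is now a persistent project-wide default instead of a per-run export. Because the instance's key genuinely is unknown at first contact, the scoped alternative is to keep checking on and set `ansible_ssh_common_args: '-o StrictHostKeyChecking=accept-new'` on the TPOT group (OpenSSH 7.6+), which records the key on first connection and rejects changes afterwards. At minimum the line needs a comment such as `# new instances have unknown host keys; accepts them unverified on first contact (MITM risk)`.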
From: Sebastian Haderecker Date: Sat, 29 Jun 2019 16:21:47 +0000 Subject: [PATCH 05/34] Added new playbook and roles --- .../ansible/deploy_tpot.yaml | 25 ++++++++++++++ .../ansible/roles/check/tasks/main.yaml | 25 ++++++++++++++ .../ansible/roles/custom_ews/tasks/main.yaml | 11 ------ .../roles/custom_ews/templates/ews.cfg | 30 ++++++++-------- .../roles/custom_hpfeeds/tasks/main.yaml | 10 ++++++ .../templates/hpfeeds.cfg | 0 .../ansible/roles/deploy/tasks/main.yaml | 34 +++++++++++++++++++ .../ansible/roles/deploy/vars/main.yaml | 8 +++++ .../ansible/roles/deploy/vars/os_auth.yaml | 5 +++ .../ansible/roles/install/tasks/main.yaml | 6 ++-- .../ansible/roles/install/vars/main.yaml | 1 + .../ansible/roles/reboot/tasks/main.yaml | 3 ++ 12 files changed, 129 insertions(+), 29 deletions(-) create mode 100644 cloud/open-telekom-cloud/ansible/deploy_tpot.yaml create mode 100644 cloud/open-telekom-cloud/ansible/roles/check/tasks/main.yaml create mode 100644 cloud/open-telekom-cloud/ansible/roles/custom_hpfeeds/tasks/main.yaml rename cloud/open-telekom-cloud/ansible/roles/{custom_ews => custom_hpfeeds}/templates/hpfeeds.cfg (100%) create mode 100644 cloud/open-telekom-cloud/ansible/roles/deploy/tasks/main.yaml create mode 100644 cloud/open-telekom-cloud/ansible/roles/deploy/vars/main.yaml create mode 100644 cloud/open-telekom-cloud/ansible/roles/deploy/vars/os_auth.yaml create mode 100644 cloud/open-telekom-cloud/ansible/roles/install/vars/main.yaml create mode 100644 cloud/open-telekom-cloud/ansible/roles/reboot/tasks/main.yaml diff --git a/cloud/open-telekom-cloud/ansible/deploy_tpot.yaml b/cloud/open-telekom-cloud/ansible/deploy_tpot.yaml new file mode 100644 index 00000000..88909b17 --- /dev/null +++ b/cloud/open-telekom-cloud/ansible/deploy_tpot.yaml 
@@ -0,0 +1,25 @@ +- name: Check host prerequisites + hosts: localhost + become: yes + become_user: root + become_method: sudo + roles: + - check + +- name: Deploy instance + hosts: localhost + roles: + - deploy + +- name: Install T-Pot on new instance + hosts: TPOT + remote_user: linux + become: yes + become_user: root + become_method: sudo + gather_facts: no + roles: + - install +# - custom_ews +# - custom_hpfeeds + - reboot diff --git a/cloud/open-telekom-cloud/ansible/roles/check/tasks/main.yaml b/cloud/open-telekom-cloud/ansible/roles/check/tasks/main.yaml new file mode 100644 index 00000000..1adac185 --- /dev/null +++ b/cloud/open-telekom-cloud/ansible/roles/check/tasks/main.yaml @@ -0,0 +1,25 @@ +- name: Install pwgen + apt: + name: pwgen + +- name: Install setuptools + apt: + name: python-setuptools + +- name: Install pip + apt: + name: python-pip + +- name: Install openstacksdk + pip: + name: openstacksdk + +- name: Set fact for agent forwarding + set_fact: + agent_forwarding: "{{ lookup('env','SSH_AUTH_SOCK') }}" + +- name: Check if agent forwarding is enabled + fail: + msg: Please enable agent forwarding to allow Ansible to connect to the remote host! + ignore_errors: yes + when: agent_forwarding == "" diff --git a/cloud/open-telekom-cloud/ansible/roles/custom_ews/tasks/main.yaml b/cloud/open-telekom-cloud/ansible/roles/custom_ews/tasks/main.yaml index b49d4df4..197403bd 100644 --- a/cloud/open-telekom-cloud/ansible/roles/custom_ews/tasks/main.yaml +++ b/cloud/open-telekom-cloud/ansible/roles/custom_ews/tasks/main.yaml @@ -11,14 +11,3 @@ path: /opt/tpot/etc/tpot.yml insertafter: '/opt/ewsposter/ews.ip' line: ' - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg' - -- name: Copy hpfeeds configuration file - template: - src: ../templates/hpfeeds.cfg - dest: /data/ews/conf - owner: root - group: root - mode: 0644 - -- name: Applying hpfeeds settings - command: /opt/tpot/bin/hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg 
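Review bot: The `Check if agent forwarding is enabled` task cannot stop the run: `fail` together with `ignore_errors: yes` only prints the message as "ignored" and the play continues, so a missing `SSH_AUTH_SOCK` surfaces later as an opaque SSH failure against the new instance instead of at the check. Drop `ignore_errors: yes`, or replace the pair with `assert: that: agent_forwarding != ""`, since aborting early is the whole purpose of the check role. Separately, `pip: name: openstacksdk` pulls whatever the latest PyPI release is at run time; pinning it, e.g. `name: openstacksdk==<tested version>`, keeps the deploy reproducible and limits the blast radius of a broken or compromised upstream release.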
diff --git a/cloud/open-telekom-cloud/ansible/roles/custom_ews/templates/ews.cfg b/cloud/open-telekom-cloud/ansible/roles/custom_ews/templates/ews.cfg
index 2dfc89e6..a775d04b 100644
--- a/cloud/open-telekom-cloud/ansible/roles/custom_ews/templates/ews.cfg
+++ b/cloud/open-telekom-cloud/ansible/roles/custom_ews/templates/ews.cfg
@@ -35,7 +35,7 @@ jsondir = /data/ews/json/
 [GLASTOPFV3]
 glastopfv3 = true
-nodeid = glastopfv3-{{ HPNAME }}
+nodeid = glastopfv3-{{ ansible_hostname }}
 sqlitedb = /data/glastopf/db/glastopf.db
 malwaredir = /data/glastopf/data/files/
@@ -59,18 +59,18 @@ malwaredir =
 [COWRIE]
 cowrie = true
-nodeid = cowrie-{{ HPNAME }}
+nodeid = cowrie-{{ ansible_hostname }}
 logfile = /data/cowrie/log/cowrie.json
 [DIONAEA]
 dionaea = true
-nodeid = dionaea-{{ HPNAME }}
+nodeid = dionaea-{{ ansible_hostname }}
 malwaredir = /data/dionaea/binaries/
 sqlitedb = /data/dionaea/log/dionaea.sqlite
 [HONEYTRAP]
 honeytrap = true
-nodeid = honeytrap-{{ HPNAME }}
+nodeid = honeytrap-{{ ansible_hostname }}
 newversion = true
 payloaddir = /data/honeytrap/attacks/
 attackerfile = /data/honeytrap/log/attacker.log
@@ -83,55 +83,55 @@ targetip =
 [EMOBILITY]
 eMobility = false
-nodeid = emobility-{{ HPNAME }}
+nodeid = emobility-{{ ansible_hostname }}
 logfile = /data/emobility/log/centralsystemEWS.log
 [CONPOT]
 conpot = true
-nodeid = conpot-{{ HPNAME }}
+nodeid = conpot-{{ ansible_hostname }}
 logfile = /data/conpot/log/conpot*.json
 [ELASTICPOT]
 elasticpot = true
-nodeid = elasticpot-{{ HPNAME }}
+nodeid = elasticpot-{{ ansible_hostname }}
 logfile = /data/elasticpot/log/elasticpot.log
 [SURICATA]
 suricata = true
-nodeid = suricata-{{ HPNAME }}
+nodeid = suricata-{{ ansible_hostname }}
 logfile = /data/suricata/log/eve.json
 [MAILONEY]
 mailoney = true
-nodeid = mailoney-{{ HPNAME }}
+nodeid = mailoney-{{ ansible_hostname }}
 logfile = /data/mailoney/log/commands.log
 [RDPY]
 rdpy = true
-nodeid = rdpy-{{ HPNAME }}
+nodeid = rdpy-{{ ansible_hostname }}
 logfile = /data/rdpy/log/rdpy.log
 [VNCLOWPOT]
 vnclowpot = true
-nodeid = vnclowpot-{{ HPNAME }}
+nodeid = vnclowpot-{{ ansible_hostname }}
 logfile = /data/vnclowpot/log/vnclowpot.log
 [HERALDING]
 heralding = true
-nodeid = heralding-{{ HPNAME }}
+nodeid = heralding-{{ ansible_hostname }}
 logfile = /data/heralding/log/auth.csv
 [CISCOASA]
 ciscoasa = true
-nodeid = ciscoasa-{{ HPNAME }}
+nodeid = ciscoasa-{{ ansible_hostname }}
 logfile = /data/ciscoasa/log/ciscoasa.log
 [TANNER]
 tanner = true
-nodeid = tanner-{{ HPNAME }}
+nodeid = tanner-{{ ansible_hostname }}
 logfile = /data/tanner/log/tanner_report.json
 [GLUTTON]
 glutton = true
-nodeid = glutton-{{ HPNAME }}
+nodeid = glutton-{{ ansible_hostname }}
 logfile = /data/glutton/log/glutton.log
diff --git a/cloud/open-telekom-cloud/ansible/roles/custom_hpfeeds/tasks/main.yaml b/cloud/open-telekom-cloud/ansible/roles/custom_hpfeeds/tasks/main.yaml
new file mode 100644
index 00000000..421d1ed6
--- /dev/null
+++ b/cloud/open-telekom-cloud/ansible/roles/custom_hpfeeds/tasks/main.yaml
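Review bot: `{{ ansible_hostname }}` is a gathered fact, but the play in deploy_tpot.yaml that would apply the custom_ews role to the TPOT host sets `gather_facts: no`, so once the role is re-enabled (it is commented out in this commit) this template fails to render with an undefined variable. The previous `HPNAME` was the generated instance name, which the play still has as the `add_host` hostname, so `{{ inventory_hostname }}` yields the same per-deployment node id with no facts required, e.g. `nodeid = glutton-{{ inventory_hostname }}`. If `ansible_hostname` is intended, the play needs `gather_facts: yes` or an explicit `setup` task before the role runs, and whether the cloud image sets the OS hostname to the server name is a provider detail worth confirming.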
@@ -0,0 +1,10 @@
+- name: Copy hpfeeds configuration file
+ template:
+ src: ../templates/hpfeeds.cfg
+ dest: /data/ews/conf
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Applying hpfeeds settings
+ command: /opt/tpot/bin/hpfeeds_optin.sh --conf=/data/ews/conf/hpfeeds.cfg
diff --git a/cloud/open-telekom-cloud/ansible/roles/custom_ews/templates/hpfeeds.cfg b/cloud/open-telekom-cloud/ansible/roles/custom_hpfeeds/templates/hpfeeds.cfg
similarity index 100%
rename from cloud/open-telekom-cloud/ansible/roles/custom_ews/templates/hpfeeds.cfg
rename to cloud/open-telekom-cloud/ansible/roles/custom_hpfeeds/templates/hpfeeds.cfg
diff --git a/cloud/open-telekom-cloud/ansible/roles/deploy/tasks/main.yaml b/cloud/open-telekom-cloud/ansible/roles/deploy/tasks/main.yaml
new file mode 100644
index 00000000..884e1e49
--- /dev/null
+++ b/cloud/open-telekom-cloud/ansible/roles/deploy/tasks/main.yaml
@@ -0,0 +1,34 @@
+- name: Create T-Pot name
+ shell: echo t-pot-otc-$(pwgen -ns 6 -1)
+ register: tpot_name
+
+- name: Import OpenStack authentication variables
+ include_vars:
+ file: roles/deploy/vars/os_auth.yaml
+
+- name: Launch an instance
+ os_server:
+ auth:
+ auth_url: "{{ auth_url }}"
+ username: "{{ username }}"
+ password: "{{ password }}"
+ project_name: "{{ project_name }}"
+ os_user_domain_name: "{{ os_user_domain_name }}"
+ name: "{{ tpot_name.stdout }}"
+ region_name: "{{ region_name }}"
+ availability_zone: "{{ availability_zone }}"
+ image: "{{ image }}"
+ boot_from_volume: yes
+ volume_size: "{{ volume_size }}"
+ key_name: "{{ key_name }}"
+ timeout: 200
+ flavor: "{{ flavor }}"
+ security_groups: "{{ security_groups }}"
+ network: "{{ network }}"
+ register: tpot
+
+- name: Add instance to inventory
+ add_host:
+ hostname: "{{ tpot_name.stdout }}"
+ ansible_host: "{{ tpot.server.public_v4 }}"
+ groups: TPOT
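Review bot: The hpfeeds template is written with `mode: 0644`, which leaves it world-readable on the honeypot host; the template itself is not in this diff, but a hpfeeds configuration normally carries the broker ident and secret, and the consumer `/opt/tpot/bin/hpfeeds_optin.sh` runs as root via the play's `become`, so `mode: 0600` costs nothing. If the file really holds no secret, a short comment saying so next to the `mode` line would stop the next reviewer from asking the same question.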
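Review bot: `add_host` takes `tpot.server.public_v4` without checking it, so if the instance comes up without a public address (floating-IP quota exhausted, or a provider that does not auto-assign one) the TPOT play runs against an empty `ansible_host` and dies with a misleading connection error rather than a clear message. An `assert` between `Launch an instance` and `Add instance to inventory` makes this explicit: `- name: Ensure the instance got a public address` / `  assert:` / `    that: tpot.server.public_v4 | length > 0`. The name task would also be cleaner as `command: pwgen -ns 6 -1` with the `t-pot-otc-` prefix applied where `tpot_name.stdout` is used, since nothing in it needs a shell.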
diff --git a/cloud/open-telekom-cloud/ansible/roles/deploy/vars/main.yaml b/cloud/open-telekom-cloud/ansible/roles/deploy/vars/main.yaml new file mode 100644 index 00000000..c0697442 --- /dev/null +++ b/cloud/open-telekom-cloud/ansible/roles/deploy/vars/main.yaml @@ -0,0 +1,8 @@ +region_name: eu-de +availability_zone: eu-de-03 +image: Standard_Debian_9_latest +volume_size: 128 +key_name: your-KeyPair +flavor: s2.medium.8 +security_groups: your-sg +network: your-network-id diff --git a/cloud/open-telekom-cloud/ansible/roles/deploy/vars/os_auth.yaml b/cloud/open-telekom-cloud/ansible/roles/deploy/vars/os_auth.yaml new file mode 100644 index 00000000..fdb1a29b --- /dev/null +++ b/cloud/open-telekom-cloud/ansible/roles/deploy/vars/os_auth.yaml @@ -0,0 +1,5 @@ +auth_url: https://iam.eu-de.otc.t-systems.com/v3 +username: your_api_user +password: your_password +project_name: eu-de_your_project +os_user_domain_name: OTC-EU-DE-000000000010000XXXXX diff --git a/cloud/open-telekom-cloud/ansible/roles/install/tasks/main.yaml b/cloud/open-telekom-cloud/ansible/roles/install/tasks/main.yaml index 9e4fd51a..855fe615 100644 --- a/cloud/open-telekom-cloud/ansible/roles/install/tasks/main.yaml +++ b/cloud/open-telekom-cloud/ansible/roles/install/tasks/main.yaml @@ -8,13 +8,13 @@ - name: Cloning t-pot install directory git: - repo: 'https://github.com/dtag-dev-sec/tpotce.git' + repo: "https://github.com/dtag-dev-sec/tpotce.git" dest: /root/tpot - name: Prepare to set user password set_fact: - user_password: "{{ lookup('env', 'LINUX_PASS') }}" - user_salt: 's0mew1ck3dTpoT' + user_password: "{{ linux_pass }}" + user_salt: "s0mew1ck3dTpoT" - name: Changing password for user linux to {{ user_password }} user: diff --git a/cloud/open-telekom-cloud/ansible/roles/install/vars/main.yaml b/cloud/open-telekom-cloud/ansible/roles/install/vars/main.yaml new file mode 100644 index 00000000..48a12942 --- /dev/null +++ b/cloud/open-telekom-cloud/ansible/roles/install/vars/main.yaml 
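Review bot: `roles/deploy/vars/os_auth.yaml` stores the OpenStack username and password in plain text in a tracked file, and the `.gitignore` trimmed in patch 02 of this series does not exclude it, so the first user who fills in real values and commits pushes cloud credentials to the repository; the deleted `.otc_env.sh` had the same shape and was not ignored either, so this is inherited rather than new. The lowest-friction fix is to read the secret from the environment, `password: "{{ lookup('env', 'OS_PASSWORD') }}"`, keeping the file as a template of non-secret settings; alternatively keep it as is but encrypt it with `ansible-vault` and add `roles/deploy/vars/os_auth.yaml` to `.gitignore`. The deploy role's `include_vars` works unchanged with either.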
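Review bot: The task immediately after the changed `set_fact` is named `Changing password for user linux to {{ user_password }}`, so the value now taken from `linux_pass` is printed in the play output and in any log shipped from the Ansible master on every run; the task name should not interpolate the secret, and the `user` task should carry `no_log: true` so its arguments are not logged either. The fixed `user_salt: "s0mew1ck3dTpoT"` means every T-Pot deployed from this role shares one salt, so identical passwords produce identical hashes across hosts; the salt presumably feeds a `password_hash` filter in the `user` task, and a per-run value such as `user_salt: "{{ lookup('password', '/dev/null chars=ascii_letters,digits length=16') }}"` removes that linkability. The `user` task continues past the end of this hunk.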
@@ -0,0 +1 @@ +linux_pass: LiNuXuSeRPaSs# diff --git a/cloud/open-telekom-cloud/ansible/roles/reboot/tasks/main.yaml b/cloud/open-telekom-cloud/ansible/roles/reboot/tasks/main.yaml new file mode 100644 index 00000000..f0c338bc --- /dev/null +++ b/cloud/open-telekom-cloud/ansible/roles/reboot/tasks/main.yaml @@ -0,0 +1,3 @@ +- name: Finally rebooting t-pot in one minute - make sure your next login is on port 64295 or via https:// on port 64297 + shell: /sbin/shutdown -r -t 1 + become: true From 06407e42d790552970cabd974cc73785109036b8 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Sat, 29 Jun 2019 16:32:45 +0000 Subject: [PATCH 06/34] Fx typo --- cloud/open-telekom-cloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud/open-telekom-cloud/README.md b/cloud/open-telekom-cloud/README.md index e40acdd5..1c78c748 100644 --- a/cloud/open-telekom-cloud/README.md +++ b/cloud/open-telekom-cloud/README.md @@ -26,7 +26,7 @@ This example showcases the deployment on our own Public Cloud Offering [Open Tel # Installation of Ansible Master You can either run the deploy script locally on your Linux or MacOS machine or you can use an ECS (Elastic Cloud Server) on Open Telekom Cloud, which I did. I used Ubuntu 18.04 for my Ansible Master Server, but other OSes are fine too. -Ansible works over the SSH Port, so you don't have to add any special rules to you Security Group. +Ansible works over the SSH Port, so you don't have to add any special rules to your Security Group. ## Packages From 2a4128d77c52866968322f404db851b29ddcf201 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Sat, 29 Jun 2019 18:34:47 +0200 Subject: [PATCH 07/34] Remove legacy option --- cloud/open-telekom-cloud/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud/open-telekom-cloud/README.md b/cloud/open-telekom-cloud/README.md index 1c78c748..c48030d8 100644 --- a/cloud/open-telekom-cloud/README.md 
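Review bot: `linux_pass: LiNuXuSeRPaSs#` ships a well-known default password for the `linux` account of an internet-facing honeypot host, and because it lives in the role's `vars/main.yaml` it outranks inventory and group variables, so a user who sets `linux_pass` anywhere except `--extra-vars` still gets the default. Moving it to `roles/install/defaults/main.yaml` restores normal overriding, and an `assert: that: linux_pass != 'LiNuXuSeRPaSs#'` in the play (or a `vars_prompt`) catches deployments that never changed it. The deleted `.ecs_settings.sh` carried the same placeholder, so the default is inherited, but the old script had no guard either.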
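Review bot: `shell: /sbin/shutdown -r -t 1` does not reboot "in one minute" as the task name promises on the Debian 9 image the deploy role selects: systemd's `shutdown` expresses the delay as `+1` and, as far as I can tell, accepts `-t` only to ignore it, so the reboot is immediate and the SSH session Ansible is still using is cut while the task runs, which can surface as a failed task. `command: /sbin/shutdown -r +1` matches the task name and leaves Ansible time to return, and `shell` is not needed for a fixed command line. Worth confirming against the image's `shutdown(8)` before changing.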
+++ b/cloud/open-telekom-cloud/README.md @@ -164,7 +164,7 @@ Here you can choose: ``` # tpot configuration file -# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN, LEGACY] +# myCONF_TPOT_FLAVOR=[STANDARD, SENSOR, INDUSTRIAL, COLLECTOR, NEXTGEN] myCONF_TPOT_FLAVOR='STANDARD' myCONF_WEB_USER='webuser' myCONF_WEB_PW='w3b$ecret' From 7a5a732ece7dc53b41b2e21dcddd750889da2751 Mon Sep 17 00:00:00 2001 
From: Sebastian Haderecker Date: Sat, 29 Jun 2019 21:04:45 +0000 Subject: [PATCH 08/34] Update folder naming --- cloud/{open-telekom-cloud => ansible}/.gitignore | 0 cloud/{open-telekom-cloud => ansible}/README.md | 0 .../doc/otc_1_project.gif | Bin .../doc/otc_2_user.gif | Bin .../doc/otc_3_login.gif | Bin .../doc/otc_4_import_key.gif | Bin .../doc/otc_5_vpc_subnet.gif | Bin .../doc/otc_6_sec_group.gif | Bin .../doc/putty_agent_forwarding.png | Bin .../ansible => ansible/openstack}/ansible.cfg | 0 .../ansible => ansible/openstack}/deploy_tpot.yaml | 0 .../openstack}/roles/check/tasks/main.yaml | 0 .../openstack}/roles/custom_ews/tasks/main.yaml | 0 .../openstack}/roles/custom_ews/templates/ews.cfg | 0 .../openstack}/roles/custom_hpfeeds/tasks/main.yaml | 0 .../roles/custom_hpfeeds/templates/hpfeeds.cfg | 0 .../openstack}/roles/deploy/tasks/main.yaml | 0 .../openstack}/roles/deploy/vars/main.yaml | 0 .../openstack}/roles/deploy/vars/os_auth.yaml | 0 .../openstack}/roles/install/tasks/main.yaml | 0 .../openstack}/roles/install/vars/main.yaml | 0 .../openstack}/roles/reboot/tasks/main.yaml | 0 22 files changed, 0 insertions(+), 0 deletions(-) rename cloud/{open-telekom-cloud => ansible}/.gitignore (100%) rename cloud/{open-telekom-cloud => ansible}/README.md (100%) rename cloud/{open-telekom-cloud => ansible}/doc/otc_1_project.gif (100%) rename cloud/{open-telekom-cloud => ansible}/doc/otc_2_user.gif (100%) rename cloud/{open-telekom-cloud => ansible}/doc/otc_3_login.gif (100%) rename cloud/{open-telekom-cloud => ansible}/doc/otc_4_import_key.gif (100%) rename cloud/{open-telekom-cloud => ansible}/doc/otc_5_vpc_subnet.gif (100%) rename cloud/{open-telekom-cloud => ansible}/doc/otc_6_sec_group.gif (100%) rename cloud/{open-telekom-cloud => ansible}/doc/putty_agent_forwarding.png (100%) rename cloud/{open-telekom-cloud/ansible => ansible/openstack}/ansible.cfg (100%) rename cloud/{open-telekom-cloud/ansible => ansible/openstack}/deploy_tpot.yaml (100%) rename 
cloud/{open-telekom-cloud/ansible => ansible/openstack}/roles/check/tasks/main.yaml (100%) rename cloud/{open-telekom-cloud/ansible => ansible/openstack}/roles/custom_ews/tasks/main.yaml (100%) rename cloud/{open-telekom-cloud/ansible => ansible/openstack}/roles/custom_ews/templates/ews.cfg (100%) rename cloud/{open-telekom-cloud/ansible => ansible/openstack}/roles/custom_hpfeeds/tasks/main.yaml (100%) rename cloud/{open-telekom-cloud/ansible => ansible/openstack}/roles/custom_hpfeeds/templates/hpfeeds.cfg (100%) rename cloud/{open-telekom-cloud/ansible => ansible/openstack}/roles/deploy/tasks/main.yaml (100%) rename cloud/{open-telekom-cloud/ansible => ansible/openstack}/roles/deploy/vars/main.yaml (100%) rename cloud/{open-telekom-cloud/ansible => ansible/openstack}/roles/deploy/vars/os_auth.yaml (100%) rename cloud/{open-telekom-cloud/ansible => ansible/openstack}/roles/install/tasks/main.yaml (100%) rename cloud/{open-telekom-cloud/ansible => ansible/openstack}/roles/install/vars/main.yaml (100%) rename cloud/{open-telekom-cloud/ansible => ansible/openstack}/roles/reboot/tasks/main.yaml (100%) diff --git a/cloud/open-telekom-cloud/.gitignore b/cloud/ansible/.gitignore similarity index 100% rename from cloud/open-telekom-cloud/.gitignore rename to cloud/ansible/.gitignore diff --git a/cloud/open-telekom-cloud/README.md b/cloud/ansible/README.md similarity index 100% rename from cloud/open-telekom-cloud/README.md rename to cloud/ansible/README.md diff --git a/cloud/open-telekom-cloud/doc/otc_1_project.gif b/cloud/ansible/doc/otc_1_project.gif similarity index 100% rename from cloud/open-telekom-cloud/doc/otc_1_project.gif rename to cloud/ansible/doc/otc_1_project.gif diff --git a/cloud/open-telekom-cloud/doc/otc_2_user.gif b/cloud/ansible/doc/otc_2_user.gif similarity index 100% rename from cloud/open-telekom-cloud/doc/otc_2_user.gif rename to cloud/ansible/doc/otc_2_user.gif 
diff --git a/cloud/open-telekom-cloud/doc/otc_3_login.gif b/cloud/ansible/doc/otc_3_login.gif similarity index 100% rename from cloud/open-telekom-cloud/doc/otc_3_login.gif rename to cloud/ansible/doc/otc_3_login.gif diff --git a/cloud/open-telekom-cloud/doc/otc_4_import_key.gif b/cloud/ansible/doc/otc_4_import_key.gif similarity index 100% rename from cloud/open-telekom-cloud/doc/otc_4_import_key.gif rename to cloud/ansible/doc/otc_4_import_key.gif diff --git a/cloud/open-telekom-cloud/doc/otc_5_vpc_subnet.gif b/cloud/ansible/doc/otc_5_vpc_subnet.gif similarity index 100% rename from cloud/open-telekom-cloud/doc/otc_5_vpc_subnet.gif rename to cloud/ansible/doc/otc_5_vpc_subnet.gif diff --git a/cloud/open-telekom-cloud/doc/otc_6_sec_group.gif b/cloud/ansible/doc/otc_6_sec_group.gif similarity index 100% rename from cloud/open-telekom-cloud/doc/otc_6_sec_group.gif rename to cloud/ansible/doc/otc_6_sec_group.gif diff --git a/cloud/open-telekom-cloud/doc/putty_agent_forwarding.png b/cloud/ansible/doc/putty_agent_forwarding.png similarity index 100% rename from cloud/open-telekom-cloud/doc/putty_agent_forwarding.png rename to cloud/ansible/doc/putty_agent_forwarding.png diff --git a/cloud/open-telekom-cloud/ansible/ansible.cfg b/cloud/ansible/openstack/ansible.cfg similarity index 100% rename from cloud/open-telekom-cloud/ansible/ansible.cfg rename to cloud/ansible/openstack/ansible.cfg diff --git a/cloud/open-telekom-cloud/ansible/deploy_tpot.yaml b/cloud/ansible/openstack/deploy_tpot.yaml similarity index 100% rename from cloud/open-telekom-cloud/ansible/deploy_tpot.yaml rename to cloud/ansible/openstack/deploy_tpot.yaml diff --git a/cloud/open-telekom-cloud/ansible/roles/check/tasks/main.yaml b/cloud/ansible/openstack/roles/check/tasks/main.yaml similarity index 100% rename from cloud/open-telekom-cloud/ansible/roles/check/tasks/main.yaml rename to cloud/ansible/openstack/roles/check/tasks/main.yaml 
diff --git a/cloud/open-telekom-cloud/ansible/roles/custom_ews/tasks/main.yaml b/cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml similarity index 100% rename from cloud/open-telekom-cloud/ansible/roles/custom_ews/tasks/main.yaml rename to cloud/ansible/openstack/roles/custom_ews/tasks/main.yaml diff --git a/cloud/open-telekom-cloud/ansible/roles/custom_ews/templates/ews.cfg b/cloud/ansible/openstack/roles/custom_ews/templates/ews.cfg similarity index 100% rename from cloud/open-telekom-cloud/ansible/roles/custom_ews/templates/ews.cfg rename to cloud/ansible/openstack/roles/custom_ews/templates/ews.cfg diff --git a/cloud/open-telekom-cloud/ansible/roles/custom_hpfeeds/tasks/main.yaml b/cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml similarity index 100% rename from cloud/open-telekom-cloud/ansible/roles/custom_hpfeeds/tasks/main.yaml rename to cloud/ansible/openstack/roles/custom_hpfeeds/tasks/main.yaml diff --git a/cloud/open-telekom-cloud/ansible/roles/custom_hpfeeds/templates/hpfeeds.cfg b/cloud/ansible/openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg similarity index 100% rename from cloud/open-telekom-cloud/ansible/roles/custom_hpfeeds/templates/hpfeeds.cfg rename to cloud/ansible/openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg diff --git a/cloud/open-telekom-cloud/ansible/roles/deploy/tasks/main.yaml b/cloud/ansible/openstack/roles/deploy/tasks/main.yaml similarity index 100% rename from cloud/open-telekom-cloud/ansible/roles/deploy/tasks/main.yaml rename to cloud/ansible/openstack/roles/deploy/tasks/main.yaml diff --git a/cloud/open-telekom-cloud/ansible/roles/deploy/vars/main.yaml b/cloud/ansible/openstack/roles/deploy/vars/main.yaml similarity index 100% rename from cloud/open-telekom-cloud/ansible/roles/deploy/vars/main.yaml rename to cloud/ansible/openstack/roles/deploy/vars/main.yaml 
diff --git a/cloud/open-telekom-cloud/ansible/roles/deploy/vars/os_auth.yaml b/cloud/ansible/openstack/roles/deploy/vars/os_auth.yaml similarity index 100% rename from cloud/open-telekom-cloud/ansible/roles/deploy/vars/os_auth.yaml rename to cloud/ansible/openstack/roles/deploy/vars/os_auth.yaml diff --git a/cloud/open-telekom-cloud/ansible/roles/install/tasks/main.yaml b/cloud/ansible/openstack/roles/install/tasks/main.yaml similarity index 100% rename from cloud/open-telekom-cloud/ansible/roles/install/tasks/main.yaml rename to cloud/ansible/openstack/roles/install/tasks/main.yaml diff --git a/cloud/open-telekom-cloud/ansible/roles/install/vars/main.yaml b/cloud/ansible/openstack/roles/install/vars/main.yaml similarity index 100% rename from cloud/open-telekom-cloud/ansible/roles/install/vars/main.yaml rename to cloud/ansible/openstack/roles/install/vars/main.yaml diff --git a/cloud/open-telekom-cloud/ansible/roles/reboot/tasks/main.yaml b/cloud/ansible/openstack/roles/reboot/tasks/main.yaml similarity index 100% rename from cloud/open-telekom-cloud/ansible/roles/reboot/tasks/main.yaml rename to cloud/ansible/openstack/roles/reboot/tasks/main.yaml From f2dd83840fbc52f8e999455b75b8561edcb16bdb Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Sat, 29 Jun 2019 23:26:34 +0200 Subject: [PATCH 09/34] Update README.md --- README.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 77b8958b..2158c446 100644 --- a/README.md +++ b/README.md @@ -53,7 +53,7 @@ Furthermore we use the following tools - [Post Install User](#postinstall) - [Post Install Auto](#postinstallauto) - [Cloud Deployments](#cloud) - - [Ansible Deployment on Open Telekom Cloud](#ansible-otc) + - [Ansible](#ansible) - [Terraform](#terraform) - [First Run](#firstrun) - [System Placement](#placement) 
@@ -329,16 +329,17 @@ The installer will start automatically and guide you through the install process ## Cloud Deployments Located in the [`cloud`](cloud) folder. -Currently there is an example with Ansible. -If you would like to contribute you can add other cloud deployments like Terraform, Chef or Puppet. +Currently there are examples with Ansible & Terraform. +If you would like to contribute, you can add other cloud deployments like Chef or Puppet or extend current methods with other cloud providers. - -### Ansible Deployment on Open Telekom Cloud -You can find an Ansible Playbook based automated T-Pot Deployment in the [`cloud/open-telekom-cloud`](cloud/open-telekom-cloud) folder. -The Playbooks in the [`cloud/open-telekom-cloud/ansible`](cloud/open-telekom-cloud/ansible) folder are reusable across all cloud providers (like AWS, Azure, Digital Ocean). -The [`deploy_ansible_otc_t-pot.sh`](cloud/open-telekom-cloud/deploy_ansible_otc_t-pot.sh) script is an example of how it works with our own Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en). -It first creates a new Elastic Cloud Server via the Open Telekom Cloud API and then invokes the Ansible Playbooks to install and configure T-Pot. -You can have a look at the script and easily adapt it for other cloud providers. + +### Ansible Deployment +You can find an [Ansible](https://www.ansible.com/) based T-Pot Deployment in the [`cloud/ansible`](cloud/ansible) folder. +The Playbook in the [`cloud/ansible/openstack`](cloud/ansible/openstack) folder is reusable for all OpenStack clouds out of the box. + +It first creates a new server and then installs and configures T-Pot. + +You can have a look at the Playbook and easily adapt the deploy role for other [cloud providers](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html). ### Terraform Configuration From d63e9356ba04f4f8ca802499321051de16ebc388 Mon Sep 17 00:00:00 2001 
From: Sebastian Haderecker Date: Sat, 29 Jun 2019 23:38:15 +0200 Subject: [PATCH 10/34] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2158c446..4553bdf5 100644 --- a/README.md +++ b/README.md @@ -334,7 +334,7 @@ If you would like to contribute, you can add other cloud deployments like Chef o ### Ansible Deployment -You can find an [Ansible](https://www.ansible.com/) based T-Pot Deployment in the [`cloud/ansible`](cloud/ansible) folder. +You can find an [Ansible](https://www.ansible.com/) based T-Pot deployment in the [`cloud/ansible`](cloud/ansible) folder. The Playbook in the [`cloud/ansible/openstack`](cloud/ansible/openstack) folder is reusable for all OpenStack clouds out of the box. It first creates a new server and then installs and configures T-Pot. From e7f577200b25908307c084e1f942917a3f60ce07 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Sat, 29 Jun 2019 23:42:24 +0200 Subject: [PATCH 11/34] Update README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 4553bdf5..6cfc0186 100644 --- a/README.md +++ b/README.md 
@@ -118,8 +118,7 @@ Furthermore we use the following tools - **Fix #332** - If T-Pot, opposed to the requirements, does not have full internet access netselect-apt fails to determine the fastest mirror as it needs ICMP and UDP outgoing. Should netselect-apt fail the default mirrors will be used. - **Improve install speed with apt-fast** - - Migrating from a stable base install to Debian (Sid) requires downloading lots of packages. Depending on your geo location the download speed was already improved by introducing netselect-apt to determine the fastest mirror. Wit -h apt-fast the downloads will be even faster by downloading packages not only in parallel but also with multiple connections per package. + - Migrating from a stable base install to Debian (Sid) requires downloading lots of packages. Depending on your geo location the download speed was already improved by introducing netselect-apt to determine the fastest mirror. With apt-fast the downloads will be even faster by downloading packages not only in parallel but also with multiple connections per package. - **Added Ansible T-Pot Deployment on Open Telekom Cloud** - Reusable Ansible Playbooks for all cloud providers - Example Showcase with our Open Telekom Cloud From fe7f6ad510ca9118dac8fddc1da3f2ed712daf10 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Sat, 29 Jun 2019 22:36:34 +0000 Subject: [PATCH 12/34] Useful output for login options --- .../ansible/openstack/roles/reboot/tasks/main.yaml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/cloud/ansible/openstack/roles/reboot/tasks/main.yaml b/cloud/ansible/openstack/roles/reboot/tasks/main.yaml index f0c338bc..1490ebfb 100644 --- a/cloud/ansible/openstack/roles/reboot/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/reboot/tasks/main.yaml 
@@ -1,3 +1,15 @@
-- name: Finally rebooting t-pot in one minute - make sure your next login is on port 64295 or via https:// on port 64297
+- name: Finally rebooting T-Pot in one minute
shell: /sbin/shutdown -r -t 1
become: true
+
+- name: Next login options
+ debug:
+ msg:
+ - "***** SSH Access:"
+ - "***** ssh {{ ansible_user }}@{{ ansible_host }} -p 64295"
+ - ""
+ - "***** Web UI:"
+ - "***** https://{{ ansible_host }}:64297"
+ - ""
+ - "***** Admin UI:"
+ - "***** https://{{ ansible_host }}:64294"
From d25bbd0032d7d9a1e21126f1416d33d2eb0b1a90 Mon Sep 17 00:00:00 2001
From: Sebastian Haderecker
Date: Sun, 30 Jun 2019 14:36:59 +0200
Subject: [PATCH 13/34] Update README.md
---
cloud/ansible/README.md | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md
index c48030d8..b3cd409c 100644
--- a/cloud/ansible/README.md
+++ b/cloud/ansible/README.md
@@ -1,8 +1,12 @@ -# Ansible T-Pot Deployment on Open Telekom Cloud :cloud: +# T-Pot Ansible Here you can find a ready-to-use solution for your automated T-Pot deployment using [Ansible](https://www.ansible.com/). -It consists of multiple Ansible Playbooks, which can be reused across all Cloud Providers (like AWS, Azure, Digital Ocean). -This example showcases the deployment on our own Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en). +It consists of an Ansible Playbook with multiple roles, which is reusable for all [OpenStack](https://www.openstack.org/) based clouds (e.g. Open Telekom Cloud, Orange Cloud, Telefonica Open Cloud, OVH) out of the box. +Apart from that you can easily adapt the deploy role to use other [cloud providers](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html) (e.g. AWS, Azure, Digital Ocean, Google). + +The Playbook first creates a new server and then installs and configures T-Pot. + +This example showcases the deployment on our own OpenStack based Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en). # Table of contents - [Installation of Ansible Master](#installation) @@ -113,7 +117,7 @@ The settings are located in the following files: ## Configure `.otc_env.sh` -Enter your Open Telekom Cloud API user credentials here (username, password, tennant-ID, project name): +Enter your Open Telekom Cloud API user credentials here (username, password, tenant-ID, project name): ``` export OS_USERNAME=your_api_user export OS_PASSWORD=your_password From ec7c6a4ba4f1059bcc5e930f05efdf5104737ed4 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Sun, 30 Jun 2019 15:18:44 +0200 Subject: [PATCH 14/34] Update README.md --- cloud/ansible/README.md | 54 ++++++++++++++++++++--------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md index b3cd409c..d9923338 100644 --- a/cloud/ansible/README.md 
+++ b/cloud/ansible/README.md @@ -9,8 +9,8 @@ The Playbook first creates a new server and then installs and configures T-Pot. This example showcases the deployment on our own OpenStack based Public Cloud Offering [Open Telekom Cloud](https://open-telekom-cloud.com/en). # Table of contents -- [Installation of Ansible Master](#installation) - - [Packages](#packages) +- [Preparation of Ansible Master](#ansible-master) + - [Ansible Installation](#ansible) - [Agent Forwarding](#agent-forwarding) - [Preparations in Open Telekom Cloud Console](#preparation) - [Create new project](#project) @@ -19,28 +19,25 @@ This example showcases the deployment on our own OpenStack based Public Cloud Of - [Create VPC, Subnet and Security Group](#vpc-subnet-securitygroup) - [Clone Git Repository](#clone-git) - [Settings and recommended values](#settings) - - [Configure `.otc_env.sh`](#otc-env) + - [OpenStack authentication variables](#os-auth) - [Configure `.ecs_settings.sh`](#ecs-settings) - [Configure `tpot.conf.dist`](#tpot-conf) - [Optional: Custom `ews.cfg` and HPFEEDS](#ews-hpfeeds) - [Deploying a T-Pot](#deploy) - [Further documentation](#documentation) - -# Installation of Ansible Master + +# Preparation of Ansible Master You can either run the deploy script locally on your Linux or MacOS machine or you can use an ECS (Elastic Cloud Server) on Open Telekom Cloud, which I did. I used Ubuntu 18.04 for my Ansible Master Server, but other OSes are fine too. Ansible works over the SSH Port, so you don't have to add any special rules to your Security Group. - -## Packages + +## Ansible Installation At first we need to add the repository and install Ansible: `sudo apt-add-repository --yes --update ppa:ansible/ansible` `sudo apt install ansible` -Also we need **pwegen** (for creating T-Pot names) and **jq** (a JSON processor): -`sudo apt install pwgen jq` - ## Agent Forwarding Agent forwarding must be enabled in order to let Ansible do its work. 
@@ -51,7 +48,7 @@ Agent forwarding must be enabled in order to let Ansible do its work. Host ANSIBLE_MASTER_IP ForwardAgent yes ``` - - If you execute the script locally, enable it for all Hosts, as this includes newly generated T-Pots: + - If you execute the script locally, enable it for all hosts, as this includes newly generated T-Pots: ``` Host * ForwardAgent yes @@ -61,15 +58,15 @@ Agent forwarding must be enabled in order to let Ansible do its work. # Preparations in Open Telekom Cloud Console -(You can skip this if you have already set up an API account, VPC and ...) -(Just make sure you know the naming for everything, as you will need it to configure the script.) +(You can skip this if you have already set up an API account, VPC, Subnet and Security Group) +(Just make sure you know the naming for everything, as you will need it to configure the Ansible variables.) -Before we can start deploying, we have to prepare the Open Telekom Cloud Tennant. +Before we can start deploying, we have to prepare the Open Telekom Cloud tenant. For that, go to the [Web Console](https://auth.otc.t-systems.com/authui/login) and log in with an admin user. ## Create new project -I strongly advise you, to create a separate project for the T-Pots in your tennant. +I strongly advise you to create a separate project for the T-Pots in your tenant. In my case I named it `tpot`. ![Create new project](doc/otc_1_project.gif) @@ -83,7 +80,7 @@ This ensures that the API access is limited to that project. ## Import Key Pair -:warning: Now log in with the newly created user account and select your project. +:warning: Now log in with the newly created API user account and select your project. ![Login as API user](doc/otc_3_login.gif) 
@@ -108,23 +105,26 @@ If you want to secure the management interfaces, you can limit the incoming "all # Clone Git Repository Clone the `tpotce` repository to your Ansible Master: `git clone https://github.com/dtag-dev-sec/tpotce.git` -All Ansible and automatic deployment related files are located in the [`cloud/open-telekom-cloud`](../../cloud/open-telekom-cloud) folder. +All Ansible related files are located in the [`cloud/ansible/openstack`](../../cloud/ansible/openstack) folder. # Settings and recommended values -You can configure all aspects of your ECS and T-Pot before using the script. -The settings are located in the following files: +You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook. +The settings are located in the following Ansible vars files: - -## Configure `.otc_env.sh` -Enter your Open Telekom Cloud API user credentials here (username, password, tenant-ID, project name): + +## OpenStack authentication variables +Located in [`openstack/roles/deploy/vars/os_auth.yaml`](openstack/roles/deploy/vars/os_auth.yaml). +Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name): ``` -export OS_USERNAME=your_api_user -export OS_PASSWORD=your_password -export OS_USER_DOMAIN_NAME=OTC-EU-DE-000000000010000XXXXX -export OS_PROJECT_NAME=eu-de_your_project -export OS_AUTH_URL=https://iam.eu-de.otc.t-systems.com/v3 +auth_url: https://iam.eu-de.otc.t-systems.com/v3 +username: your_api_user +password: your_password +project_name: eu-de_your_project +os_user_domain_name: OTC-EU-DE-000000000010000XXXXX ``` +You can also perform different authentication methods like sourcing your `.ostackrc` file or using the OpenStack `clouds.yaml` file. +For more information have a look in the [os_server](https://docs.ansible.com/ansible/latest/modules/os_server_module.html) Ansible module documentation. ## Configure `.ecs_settings.sh` 
From 399d0e1e6ebaa8e0cea5bd86de17f95dc61661ec Mon Sep 17 00:00:00 2001
From: Sebastian Haderecker
Date: Sun, 30 Jun 2019 14:25:24 +0000
Subject: [PATCH 15/34] Generic remote user name
set_fact: user_name is needed to display the var value in the task name
---
cloud/ansible/openstack/roles/install/tasks/main.yaml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/cloud/ansible/openstack/roles/install/tasks/main.yaml b/cloud/ansible/openstack/roles/install/tasks/main.yaml
index 855fe615..5abb7c29 100644
--- a/cloud/ansible/openstack/roles/install/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/install/tasks/main.yaml
@@ -13,12 +13,13 @@
- name: Prepare to set user password
set_fact:
+ user_name: "{{ ansible_user }}"
user_password: "{{ linux_pass }}"
user_salt: "s0mew1ck3dTpoT"
-- name: Changing password for user linux to {{ user_password }}
+- name: Changing password for user {{ user_name }} to {{ user_password }}
user:
- name: "linux"
+ name: "{{ ansible_user }}"
password: "{{ user_password | password_hash('sha512', user_salt) }}"
state: present
shell: /bin/bash
From d29a30d79d27a3080a378310c27bcdce5e01a452 Mon Sep 17 00:00:00 2001
From: Sebastian Haderecker
Date: Sun, 30 Jun 2019 14:35:02 +0000
Subject: [PATCH 16/34] Generic password var name
---
cloud/ansible/openstack/roles/install/tasks/main.yaml | 2 +-
cloud/ansible/openstack/roles/install/vars/main.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cloud/ansible/openstack/roles/install/tasks/main.yaml b/cloud/ansible/openstack/roles/install/tasks/main.yaml
index 5abb7c29..bd255b78 100644
--- a/cloud/ansible/openstack/roles/install/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/install/tasks/main.yaml
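Review bot: The new task name `Changing password for user {{ user_name }} to {{ user_password }}` renders the plaintext password into the console output and into any configured Ansible log, and the `user` task itself carries no `no_log`, so its arguments are recorded on verbose runs as well. Drop the secret from the name and silence the task, e.g. `- name: Changing password for user {{ user_name }}` with `no_log: true` added to that task; the same task name is carried unchanged into the next hunk (PATCH 16/34 on this file), so the fix applies there too. The fixed `user_salt: "s0mew1ck3dTpoT"` on the context line means identical passwords hash identically on every deployment; `password_hash` generates a random salt when none is passed, so the salt argument can simply be omitted.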
@@ -14,7 +14,7 @@
- name: Prepare to set user password
set_fact:
user_name: "{{ ansible_user }}"
- user_password: "{{ linux_pass }}"
+ user_password: "{{ user_password }}"
user_salt: "s0mew1ck3dTpoT"
- name: Changing password for user {{ user_name }} to {{ user_password }}
diff --git a/cloud/ansible/openstack/roles/install/vars/main.yaml b/cloud/ansible/openstack/roles/install/vars/main.yaml
index 48a12942..ce234a97 100644
--- a/cloud/ansible/openstack/roles/install/vars/main.yaml
+++ b/cloud/ansible/openstack/roles/install/vars/main.yaml
@@ -1 +1 @@
-linux_pass: LiNuXuSeRPaSs#
+user_password: LiNuXuSeRPaSs#
From d8378e73d4168f19de429ddcbe8b4232e7051ed8 Mon Sep 17 00:00:00 2001
From: Sebastian Haderecker
Date: Mon, 1 Jul 2019 00:57:42 +0200
Subject: [PATCH 17/34] Update README.md
---
cloud/ansible/README.md | 64 +++++++++++++++++++++++------------------
1 file changed, 36 insertions(+), 28 deletions(-)
diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md
index d9923338..67d04d7b 100644
--- a/cloud/ansible/README.md
+++ b/cloud/ansible/README.md
@@ -20,7 +20,9 @@ This example showcases the deployment on our own OpenStack based Public Cloud Of
- [Clone Git Repository](#clone-git)
- [Settings and recommended values](#settings)
- [OpenStack authentication variables](#os-auth)
- - [Configure `.ecs_settings.sh`](#ecs-settings)
+ - [Ansible remote user](#remote-user)
+ - [Instance settings](#instance-settings)
+ - [User password](#user-password)
- [Configure `tpot.conf.dist`](#tpot-conf)
- [Optional: Custom `ews.cfg` and HPFEEDS](#ews-hpfeeds)
- [Deploying a T-Pot](#deploy)
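Review bot: `user_password: "{{ user_password }}"` in the set_fact is self-referential: it copies the role variable from vars/main.yaml into a fact of the same name and adds nothing, so the line can be dropped and the `user` task can read `user_password` directly. The accompanying vars/main.yaml hunk keeps a working default credential `LiNuXuSeRPaSs#` committed in plaintext; since the README tells users to change it but nothing enforces that, consider removing the default so an unset value fails early, or sourcing it via `vars_prompt` or an ansible-vault encrypted file. The set_fact task starts at the hunk's first line; the surrounding tasks are outside it.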
@@ -114,7 +116,7 @@ The settings are located in the following Ansible vars files: ## OpenStack authentication variables -Located in [`openstack/roles/deploy/vars/os_auth.yaml`](openstack/roles/deploy/vars/os_auth.yaml). +Located at [`openstack/roles/deploy/vars/os_auth.yaml`](openstack/roles/deploy/vars/os_auth.yaml). Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name): ``` auth_url: https://iam.eu-de.otc.t-systems.com/v3 
@@ -126,36 +128,42 @@ os_user_domain_name: OTC-EU-DE-000000000010000XXXXX You can also perform different authentication methods like sourcing your `.ostackrc` file or using the OpenStack `clouds.yaml` file. For more information have a look in the [os_server](https://docs.ansible.com/ansible/latest/modules/os_server_module.html) Ansible module documentation. - -## Configure `.ecs_settings.sh` -Here you can customize your Elastic Cloud Server (ECS): - - Password for the user `linux` (**you should definitely change that**) - You may have to adjust the `remote_user` in the Ansible Playbooks under [ansible](ansible) if you are using a normal/default Debian base image - - (Optional) For using a custom `ews.cfg` set to `true`; See here: [Optional: Custom `ews.cfg`](#ews-cfg) - - (Optional) Change the instance type (flavor) of the ECS. + +## Ansible remote user +You may have to adjust the `remote_user` in the Ansible Playbook under [`openstack/deploy_tpot.yaml`](openstack/deploy_tpot.yaml) depending on your Debian base image (e.g. on Open Telekom Cloud the default Debian user is `linux`). + + +## Instance settings +Located at [`openstack/roles/deploy/vars/main.yaml`](openstack/roles/deploy/vars/main.yaml). +Here you can customize your virtual machine specifications: + - Specify the region name + - Choose an availibility zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html). + - Change the OS image (For T-Pot we need Debian 9) + - (Optional) Change the volume size + - Specify your key pair + - (Optional) Change the instance type (flavor) `s2.medium.8` corresponds to 1 vCPU and 8GB of RAM and is the minimum required flavor. - A full list of flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0035470096.html). 
- - Change the OS (Don't touch; for T-Pot we need Debian 9) - - Specify the VPC, Subnet, Security Group and Key Pair you created before - - (Optional) Change the disk size - - You can choose from multiple Availibility Zones (AZ). For reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html). + A full list of Open telekom Cloud flavors can be found [here](https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0035470096.html). + - Specify the security group + - Specify the network ID (For Open Telekom Cloud you can find the ID in the Web Console under `Virtual Private Cloud --> your-vpc --> your-subnet --> Network ID`; In general for OpenStack clouds you can use the `python-openstackclient` to retrieve information about your resources) ``` -# Set password for user linux -linuxpass=LiNuXuSeRPaSs# +region_name: eu-de +availability_zone: eu-de-03 +image: Standard_Debian_9_latest +volume_size: 128 +key_name: your-KeyPair +flavor: s2.medium.8 +security_groups: your-sg +network: your-network-id +``` -# Custom EWS config -custom_ews=false - -# Set ECS related stuff -instance=s2.medium.8 -imagename=Standard_Debian_9_latest -subnet=your-subnet -vpcname=your-vpc -secgroup=your-sg -keyname=your-KeyPair -disksize=128 -az=eu-de-03 + +## User password +Located at [`openstack/roles/install/vars/main.yaml`](openstack/roles/install/vars/main.yaml). +Here you can set the password for your Debian user (**you should definitely change that**). +``` +user_password: LiNuXuSeRPaSs# ``` From 16179b3ed9bbfb8b8845ff8da2f7c228f539a509 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 1 Jul 2019 01:27:48 +0200 Subject: [PATCH 18/34] Update README.md --- cloud/ansible/README.md | 39 +++++++++++++++++++++++---------------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md index 67d04d7b..2723f9bc 100644 --- a/cloud/ansible/README.md +++ b/cloud/ansible/README.md 
@@ -24,7 +24,8 @@ This example showcases the deployment on our own OpenStack based Public Cloud Of - [Instance settings](#instance-settings) - [User password](#user-password) - [Configure `tpot.conf.dist`](#tpot-conf) - - [Optional: Custom `ews.cfg` and HPFEEDS](#ews-hpfeeds) + - [Optional: Custom `ews.cfg`](#ews-cfg) + - [Optional: Custom HPFEEDS](#hpfeeds) - [Deploying a T-Pot](#deploy) - [Further documentation](#documentation) @@ -182,14 +183,16 @@ myCONF_WEB_USER='webuser' myCONF_WEB_PW='w3b$ecret' ``` - -## Optional: Custom `ews.cfg` and HPFEEDS -To enable these features, set `custom_ews=true` in `.ecs_settings.sh`; See here: [Configure `.ecs_settings.sh`](#ecs-settings) + +## Optional: Custom `ews.cfg` +Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook. +``` +# - custom_ews +``` -### ews.cfg You can use a custom config file for `ewsposter`. e.g. when you have your own credentials for delivering data to our [Sicherheitstacho](https://sicherheitstacho.eu/start/main). -You can find the `ews.cfg` template file here: [`ansible/roles/custom_ews/templates/ews.cfg`](ansible/roles/custom_ews/templates/ews.cfg) and adapt it for your needs. +You can find the `ews.cfg` template file here: [`openstack/roles/custom_ews/templates/ews.cfg`](openstack/roles/custom_ews/templates/ews.cfg) and adapt it for your needs. For setting custom credentials, these settings would be relevant for you (the rest of the file can stay as is): ``` 
@@ -205,8 +208,14 @@ token = your_token ... ``` -### HPFEEDS -You can also specify HPFEEDS in [`ansible/roles/custom_ews/templates/hpfeeds.cfg`](ansible/roles/custom_ews/templates/hpfeeds.cfg). + +## Optional: Custom HPFEEDS +Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_tpot.yaml) playbook. +``` +# - custom_hpfeeds +``` + +You can also specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg). That file constains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN: ``` myENABLE=true 
@@ -219,22 +228,20 @@ mySECRET=your_secret myFORMAT=json ``` - # Deploying a T-Pot :honey_pot::honeybee: Now, after configuring everything, we can finally start deploying T-Pots: -`./deploy_ansible_otc_t-pot.sh` +Go to the [`openstack`](openstack) folder and run the Anible Playbook with +`ansible-playbook deploy_tpot.yaml` (Yes, it is as easy as that :smile:) -The script will first create an Open Telekom Cloud ECS via the API. -After that, the Ansible Playbooks are executed on the newly created Host to install the T-Pot and configure everything. - -You can see the progress of every step in the console output. -If something should go wrong, you will be provided with an according error message, that you can hopefully act upon and retry. +The Playbook will first install required packages on the Anible Master and then deploy a new server instance. +After that, T-Pot gets installed and configured on the newly created host, optionally custom configs are applied and finally it reboots. # Further documentation - [Ansible Documentation](https://docs.ansible.com/ansible/latest/) +- [Cloud modules — Ansible Documentation](https://docs.ansible.com/ansible/latest/modules/list_of_cloud_modules.html) +- [os_server – Create/Delete Compute Instances from OpenStack — Ansible Documentation](https://docs.ansible.com/ansible/latest/modules/os_server_module.html) - [Open Telekom Cloud Help Center](https://docs.otc.t-systems.com/) - [Open Telekom Cloud API Overview](https://docs.otc.t-systems.com/en-us/api/wp/en-us_topic_0052070394.html) -- [otc-tools](https://github.com/OpenTelekomCloud/otc-tools) on GitHub From f70f1a7f70314d0f757d0dfb82bbbaf721eaf7ea Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 1 Jul 2019 01:33:13 +0200 Subject: [PATCH 19/34] Update README.md --- cloud/ansible/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md index 2723f9bc..3030380b 100644 --- a/cloud/ansible/README.md 
+++ b/cloud/ansible/README.md @@ -230,8 +230,8 @@ myFORMAT=json # Deploying a T-Pot :honey_pot::honeybee: -Now, after configuring everything, we can finally start deploying T-Pots: -Go to the [`openstack`](openstack) folder and run the Anible Playbook with +Now, after configuring everything, we can finally start deploying T-Pots! +Go to the [`openstack`](openstack) folder and run the Anible Playbook with: `ansible-playbook deploy_tpot.yaml` (Yes, it is as easy as that :smile:) From b6f18cf5f1a8afa7a86c29c9667b0940f041fdac Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 1 Jul 2019 01:37:34 +0200 Subject: [PATCH 20/34] Update README.md --- cloud/ansible/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md index 3030380b..4aaa11e5 100644 --- a/cloud/ansible/README.md +++ b/cloud/ansible/README.md @@ -215,7 +215,7 @@ Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_ # - custom_hpfeeds ``` -You can also specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg). +You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg). That file constains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN: ``` myENABLE=true From c613c48c7551788b41b7f002b5058f4e09def6ed Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 1 Jul 2019 01:38:16 +0200 Subject: [PATCH 21/34] Update README.md --- cloud/ansible/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md index 4aaa11e5..b6d0860a 100644 --- a/cloud/ansible/README.md +++ b/cloud/ansible/README.md 
@@ -216,7 +216,7 @@ Enable this by uncommenting the role in the [deploy_tpot.yaml](openstack/deploy_ ``` You can specify custom HPFEEDS in [`openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg`](openstack/roles/custom_hpfeeds/templates/hpfeeds.cfg). -That file constains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN: +That file contains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN: ``` myENABLE=true myHOST=hpfeeds.sissden.eu From c5f1c94674761d21f12ccc2ef404b958b9c86fd8 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 1 Jul 2019 01:44:43 +0200 Subject: [PATCH 22/34] Update README.md --- cloud/ansible/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md index b6d0860a..03cf6531 100644 --- a/cloud/ansible/README.md +++ b/cloud/ansible/README.md @@ -31,7 +31,7 @@ This example showcases the deployment on our own OpenStack based Public Cloud Of # Preparation of Ansible Master -You can either run the deploy script locally on your Linux or MacOS machine or you can use an ECS (Elastic Cloud Server) on Open Telekom Cloud, which I did. +You can either run the deploy script locally on your Linux or macOS machine or you can use an ECS (Elastic Cloud Server) on Open Telekom Cloud, which I did. I used Ubuntu 18.04 for my Ansible Master Server, but other OSes are fine too. Ansible works over the SSH Port, so you don't have to add any special rules to your Security Group. @@ -43,8 +43,8 @@ At first we need to add the repository and install Ansible: ## Agent Forwarding -Agent forwarding must be enabled in order to let Ansible do its work. -- On Linux or MacOS: +Agent Forwarding must be enabled in order to let Ansible do its work. +- On Linux or macOS: - Create or edit `~/.ssh/config` - If you execute the script remotely on your Ansible Master Server: ``` 
@@ -138,7 +138,7 @@ You may have to adjust the `remote_user` in the Ansible Playbook under [`opensta
Located at [`openstack/roles/deploy/vars/main.yaml`](openstack/roles/deploy/vars/main.yaml).
Here you can customize your virtual machine specifications:
- Specify the region name
- - Choose an availibility zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html).
+ - Choose an availability zone. For Open Telekom Cloud reference see [here](https://docs.otc.t-systems.com/en-us/endpoint/index.html).
- Change the OS image (For T-Pot we need Debian 9)
- (Optional) Change the volume size
- Specify your key pair
From 54ed268041ab75cb01bbf5b941f84c10ec8c9489 Mon Sep 17 00:00:00 2001
From: Sebastian Haderecker
Date: Mon, 1 Jul 2019 00:01:11 +0000
Subject: [PATCH 23/34] Use generic package module
---
cloud/ansible/openstack/roles/check/tasks/main.yaml | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/cloud/ansible/openstack/roles/check/tasks/main.yaml b/cloud/ansible/openstack/roles/check/tasks/main.yaml
index 1adac185..bc020151 100644
--- a/cloud/ansible/openstack/roles/check/tasks/main.yaml
+++ b/cloud/ansible/openstack/roles/check/tasks/main.yaml
@@ -1,14 +1,17 @@
- name: Install pwgen
- apt:
+ package:
name: pwgen
+ state: present
- name: Install setuptools
- apt:
+ package:
name: python-setuptools
+ state: present
- name: Install pip
- apt:
+ package:
name: python-pip
+ state: present
- name: Install openstacksdk
pip:
From 640d74a85199e9c7093edb1b65dc6048cb6e4366 Mon Sep 17 00:00:00 2001
From: Sebastian Haderecker
Date: Mon, 1 Jul 2019 02:15:14 +0200
Subject: [PATCH 24/34] Update README.md
---
cloud/ansible/README.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md
index 03cf6531..378431b8 100644
--- a/cloud/ansible/README.md
+++ b/cloud/ansible/README.md
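Review bot: Moving from `apt` to the generic `package` module only buys portability if the package names are portable, and `python-setuptools` and `python-pip` are Debian/Ubuntu names for the Python 2 tooling; on other distributions, and likely on newer Debian/Ubuntu releases that ship only the `python3-` variants, these three tasks will fail rather than silently pick the right package. Either keep the Debian assumption explicit with a comment such as `# package names are Debian/Ubuntu specific; adjust for other distributions` or select the names per OS family (for example via a vars file keyed on `ansible_os_family`). The openstacksdk `pip:` task at the end of the hunk continues outside it.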
@@ -37,10 +37,13 @@ Ansible works over the SSH Port, so you don't have to add any special rules to y ## Ansible Installation +Example for Ubuntu 18.04: At first we need to add the repository and install Ansible: `sudo apt-add-repository --yes --update ppa:ansible/ansible` `sudo apt install ansible` +For other OSes and Distros have a look at the official [Ansible Documentation](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html). + ## Agent Forwarding Agent Forwarding must be enabled in order to let Ansible do its work. From 76ec8ae20ecc345616ce7fc947e0b8a8bdb4b623 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 1 Jul 2019 02:24:32 +0200 Subject: [PATCH 25/34] Update README.md --- cloud/ansible/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md index 378431b8..a3ba0cfc 100644 --- a/cloud/ansible/README.md +++ b/cloud/ansible/README.md @@ -31,7 +31,7 @@ This example showcases the deployment on our own OpenStack based Public Cloud Of # Preparation of Ansible Master -You can either run the deploy script locally on your Linux or macOS machine or you can use an ECS (Elastic Cloud Server) on Open Telekom Cloud, which I did. +You can either run the Ansible Playbook locally on your Linux or macOS machine or you can use an ECS (Elastic Cloud Server) on Open Telekom Cloud, which I did. I used Ubuntu 18.04 for my Ansible Master Server, but other OSes are fine too. Ansible works over the SSH Port, so you don't have to add any special rules to your Security Group. From a5856082c8967788ff4f93c38ca16923c9a89f43 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 1 Jul 2019 02:26:55 +0200 Subject: [PATCH 26/34] Update README.md --- cloud/ansible/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md index a3ba0cfc..850de3fd 100644 --- a/cloud/ansible/README.md 
+++ b/cloud/ansible/README.md @@ -49,17 +49,17 @@ For other OSes and Distros have a look at the official [Ansible Documentation](h Agent Forwarding must be enabled in order to let Ansible do its work. - On Linux or macOS: - Create or edit `~/.ssh/config` - - If you execute the script remotely on your Ansible Master Server: + - If you run the Ansible Playbook remotely on your Ansible Master Server: ``` Host ANSIBLE_MASTER_IP ForwardAgent yes ``` - - If you execute the script locally, enable it for all hosts, as this includes newly generated T-Pots: + - If you run the Ansible Playbook locally, enable it for all hosts, as this includes newly generated T-Pots: ``` Host * ForwardAgent yes ``` -- On Windows using Putty: +- On Windows using Putty for connecting to your Ansible Master Server: ![Putty Agent Forwarding](doc/putty_agent_forwarding.png) From b7769df794ab8050584c9f6954469c0c954c8e2a Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 1 Jul 2019 08:16:08 +0200 Subject: [PATCH 27/34] Update README.md --- cloud/ansible/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md index 850de3fd..8317dc92 100644 --- a/cloud/ansible/README.md +++ b/cloud/ansible/README.md @@ -238,6 +238,9 @@ Go to the [`openstack`](openstack) folder and run the Anible Playbook with: `ansible-playbook deploy_tpot.yaml` (Yes, it is as easy as that :smile:) +If you are running on a machine which asks for a sudo password, you can use: +`ansible-playbook --ask-become-pass deploy_tpot.yaml` + The Playbook will first install required packages on the Anible Master and then deploy a new server instance. After that, T-Pot gets installed and configured on the newly created host, optionally custom configs are applied and finally it reboots. From 43376d94b087cd60f55119fede8e14719ecf7cb5 Mon Sep 17 00:00:00 2001 
From: Sebastian Haderecker Date: Mon, 1 Jul 2019 08:20:58 +0200 Subject: [PATCH 28/34] Update README.md --- cloud/ansible/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cloud/ansible/README.md b/cloud/ansible/README.md index 8317dc92..07668865 100644 --- a/cloud/ansible/README.md +++ b/cloud/ansible/README.md @@ -234,14 +234,14 @@ myFORMAT=json # Deploying a T-Pot :honey_pot::honeybee: Now, after configuring everything, we can finally start deploying T-Pots! -Go to the [`openstack`](openstack) folder and run the Anible Playbook with: +Go to the [`openstack`](openstack) folder and run the Ansible Playbook with: `ansible-playbook deploy_tpot.yaml` (Yes, it is as easy as that :smile:) If you are running on a machine which asks for a sudo password, you can use: `ansible-playbook --ask-become-pass deploy_tpot.yaml` -The Playbook will first install required packages on the Anible Master and then deploy a new server instance. +The Playbook will first install required packages on the Ansible Master and then deploy a new server instance. After that, T-Pot gets installed and configured on the newly created host, optionally custom configs are applied and finally it reboots. From 5e926a092fbbff383e4859fef03f8488eff69d39 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 1 Jul 2019 08:28:45 +0200 Subject: [PATCH 29/34] Update CHANGELOG.md --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0bfabca1..69e8a3e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## 20190701 +- **Reworked Ansible T-Pot Deployment** + - Transitioned from bash script to all Ansible + - Reusable Ansible Playbooks for OpenStack clouds + - Example Showcase with our Open Telekom Cloud + - Adaptable for other cloud providers + ## 20190626 - **HPFEEDS Opt-In commandline option** - Pass a hpfeeds config file as a commandline argument 
From 8815d139039c5da537606320ef8b8b12e9ef41e9 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 1 Jul 2019 08:29:50 +0200 Subject: [PATCH 30/34] Update README.md --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6cfc0186..d3fcbc73 100644 --- a/README.md +++ b/README.md @@ -119,13 +119,15 @@ Furthermore we use the following tools - If T-Pot, opposed to the requirements, does not have full internet access netselect-apt fails to determine the fastest mirror as it needs ICMP and UDP outgoing. Should netselect-apt fail the default mirrors will be used. - **Improve install speed with apt-fast** - Migrating from a stable base install to Debian (Sid) requires downloading lots of packages. Depending on your geo location the download speed was already improved by introducing netselect-apt to determine the fastest mirror. With apt-fast the downloads will be even faster by downloading packages not only in parallel but also with multiple connections per package. -- **Added Ansible T-Pot Deployment on Open Telekom Cloud** - - Reusable Ansible Playbooks for all cloud providers - - Example Showcase with our Open Telekom Cloud - **HPFEEDS Opt-In commandline option** - Pass a hpfeeds config file as a commandline argument - hpfeeds config is saved in `/data/ews/conf/hpfeeds.cfg` - Update script restores hpfeeds config +- **Ansible T-Pot Deployment** + - Transitioned from bash script to all Ansible + - Reusable Ansible Playbooks for OpenStack clouds + - Example Showcase with our Open Telekom Cloud + - Adaptable for other cloud providers # Technical Concept From 0dac77036bda0964b5694a9267398ae96cb9684c Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 1 Jul 2019 06:52:29 +0000 Subject: [PATCH 31/34] Update task naming --- cloud/ansible/openstack/roles/install/tasks/main.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/cloud/ansible/openstack/roles/install/tasks/main.yaml b/cloud/ansible/openstack/roles/install/tasks/main.yaml index bd255b78..f6e65e2f 100644 --- a/cloud/ansible/openstack/roles/install/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/install/tasks/main.yaml @@ -3,10 +3,10 @@ delay: 30 timeout: 300 -- name: Gathering Facts +- name: Gathering facts setup: -- name: Cloning t-pot install directory +- name: Cloning T-Pot install directory git: repo: "https://github.com/dtag-dev-sec/tpotce.git" dest: /root/tpot @@ -25,7 +25,7 @@ shell: /bin/bash update_password: always -- name: Copy t-pot configuration file +- name: Copy T-Pot configuration file template: src: ../../../../../../iso/installer/tpot.conf.dist dest: /root/tpot.conf @@ -33,10 +33,10 @@ group: root mode: 0644 -- name: Install t-pot on ECS - be patient, this might take 15 to 30 minutes depending on the connection speed. No further output is given. +- name: Install T-Pot on instance - be patient, this might take 15 to 30 minutes depending on the connection speed. No further output is given. command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf -- name: Delete t-pot configuration file +- name: Delete T-Pot configuration file file: path: /root/tpot.conf state: absent From 413fe4704a1badafeec81149dd817698c0cf3bb0 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 1 Jul 2019 10:21:05 +0200 Subject: [PATCH 32/34] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 69e8a3e4..32a21a92 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ ## 20190701 - **Reworked Ansible T-Pot Deployment** - Transitioned from bash script to all Ansible - - Reusable Ansible Playbooks for OpenStack clouds + - Reusable Ansible Playbook for OpenStack clouds - Example Showcase with our Open Telekom Cloud - Adaptable for other cloud providers 
From c8bd84316fecad931161f1813db6fb3bd3ad9e61 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Mon, 1 Jul 2019 10:21:31 +0200 Subject: [PATCH 33/34] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d3fcbc73..1f68c4bd 100644 --- a/README.md +++ b/README.md @@ -125,7 +125,7 @@ Furthermore we use the following tools - Update script restores hpfeeds config - **Ansible T-Pot Deployment** - Transitioned from bash script to all Ansible - - Reusable Ansible Playbooks for OpenStack clouds + - Reusable Ansible Playbook for OpenStack clouds - Example Showcase with our Open Telekom Cloud - Adaptable for other cloud providers From 15ebffa58f06ddd3742a355032d88a7d9dc0c694 Mon Sep 17 00:00:00 2001 From: Sebastian Haderecker Date: Tue, 2 Jul 2019 08:44:58 +0000 Subject: [PATCH 34/34] Generic random name --- cloud/ansible/openstack/roles/deploy/tasks/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud/ansible/openstack/roles/deploy/tasks/main.yaml b/cloud/ansible/openstack/roles/deploy/tasks/main.yaml index 884e1e49..78f26742 100644 --- a/cloud/ansible/openstack/roles/deploy/tasks/main.yaml +++ b/cloud/ansible/openstack/roles/deploy/tasks/main.yaml @@ -1,5 +1,5 @@ - name: Create T-Pot name - shell: echo t-pot-otc-$(pwgen -ns 6 -1) + shell: echo t-pot-ansible-$(pwgen -ns 6 -1) register: tpot_name - name: Import OpenStack authentication variables
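Review bot: The renamed command in `Create T-Pot name` still runs through `shell`, so the task reports `changed` on every play run, and it appears to be the reason the check role has to install `pwgen` on the master at all. Ansible can produce a comparable short random suffix without an external binary, e.g. `set_fact:` with `tpot_name: "t-pot-ansible-{{ lookup('password', '/dev/null chars=ascii_letters,digits length=6') }}"`, though any later reference to `tpot_name.stdout` (not visible in this hunk) would then read `tpot_name` directly, and the `-n` guarantee of at least one digit is lost, which matters little for a name suffix. If the shell approach is kept, adding `changed_when: false` to the task keeps the play's change summary accurate. The `Import OpenStack authentication variables` task on the last line continues outside the hunk.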