From 5d121fb79ef941577fe0e843ff5b5c390dfbd1ab Mon Sep 17 00:00:00 2001 From: KooshaYeganeh Date: Wed, 22 Jan 2025 18:50:03 +0330 Subject: [PATCH 1/2] add openSUSE Leap to project --- install.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/install.sh b/install.sh index bffde8d4..5d8bc1c2 100755 --- a/install.sh +++ b/install.sh @@ -27,7 +27,7 @@ if [ ${EUID} -eq 0 ]; fi # Check if running on a supported distribution -mySUPPORTED_DISTRIBUTIONS=("AlmaLinux" "Debian GNU/Linux" "Fedora Linux" "openSUSE Tumbleweed" "Raspbian GNU/Linux" "Rocky Linux" "Ubuntu") +mySUPPORTED_DISTRIBUTIONS=("AlmaLinux" "Debian GNU/Linux" "Fedora Linux" "oapenSUSE Tumbleweed" "openSUSE Leap" "Raspbian GNU/Linux" "Rocky Linux" "Ubuntu") myCURRENT_DISTRIBUTION=$(awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"') if [[ ! " ${mySUPPORTED_DISTRIBUTIONS[@]} " =~ " ${myCURRENT_DISTRIBUTION} " ]]; @@ -96,6 +96,15 @@ case ${myCURRENT_DISTRIBUTION} in echo "export ANSIBLE_PYTHON_INTERPRETER=/bin/python3" | sudo tee /etc/profile.d/ansible.sh >/dev/null source /etc/profile.d/ansible.sh ;; + "openSUSE Leap") + echo + echo ${myINSTALL_NOTIFICATION} + echo + sudo zypper refresh + sudo zypper install -y ${myPACKAGES_OPENSUSE} + echo "export ANSIBLE_PYTHON_INTERPRETER=/bin/python3" | sudo tee /etc/profile.d/ansible.sh >/dev/null + source /etc/profile.d/ansible.sh + ;; "AlmaLinux"|"Rocky Linux") echo echo ${myINSTALL_NOTIFICATION} From d6489b7435705508318efc1f224f778d9d6c4706 Mon Sep 17 00:00:00 2001 From: KooshaYeganeh Date: Wed, 22 Jan 2025 18:50:32 +0330 Subject: [PATCH 2/2] add openSUSE leap to yml Installer File --- tpot.yml | 944 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 944 insertions(+) create mode 100644 tpot.yml diff --git a/tpot.yml b/tpot.yml new file mode 100644 index 00000000..8ad2bf79 --- /dev/null +++ b/tpot.yml @@ -0,0 +1,944 @@ +--- +################################ +# T-Pot - Bootstrapping Python # +################################ + +- name: T-Pot - Bootstrapping Python + hosts: all + gather_facts: false + become: true + become_method: sudo + + tasks: + - name: Get distribution name (All) + raw: awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"' | cut -d " " -f1 + register: my_distribution + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + - name: Check if python3 is installed (All) + raw: echo $(command -v python3) + register: my_python3 + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + - name: Add python package (Debian, Raspbian, Ubuntu) + raw: | + apt update + apt -y install python3 + when: my_distribution.stdout | trim in ["Debian", "Raspbian", "Ubuntu"] and my_python3.stdout | trim == "" + tags: + - "Debian" + - "Raspbian" + - "Ubuntu" + + - name: Add python package (Alma, Fedora, Rocky) + raw: | + dnf -y --refresh install python3 + when: my_distribution.stdout | trim in ["AlmaLinux", "Fedora", "Rocky"] and my_python3.stdout | trim == "" + tags: + - "AlmaLinux" + - "Fedora" + - "Rocky" + + - name: Add python package (openSUSE Tumbleweed) + raw: | + zypper refresh + zypper -y install python3 + when: my_distribution.stdout | trim in ["AlmaLinux", "Fedora", "Rocky"] and my_python3.stdout | trim == "" + tags: + - "openSUSE Tumbleweed" + - "openSUSE Leap" + +##################################################################### +# T-Pot - Abort if run as tpot, root or on unsupported distribution # +##################################################################### + +- name: T-Pot - Abort if run as tpot, root or on unsupported distribution + hosts: all + gather_facts: true + become: false + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + tasks: + - name: Check if running as root (All) + assert: + that: ansible_user_id != 'root' + fail_msg: "T-Pot playbook should not be run as root." + success_msg: "Running as user: {{ ansible_user_id }}." + + - name: Check if running as tpot (All) + assert: + that: ansible_user_id != 'tpot' + fail_msg: "Reserved username `tpot` detected." + success_msg: "Running as user: {{ ansible_user_id }}." + + - name: Check if supported distribution (All) + assert: + that: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"] + fail_msg: "T-Pot is not supported on this plattform: {{ ansible_distribution }}." + success_msg: "T-Pot will now install on {{ ansible_distribution }}." + +############################################################ +# T-Pot - Install recommended, remove conflicting packages # +############################################################ + +- name: T-Pot - Install recommended, remove conflicting packages + hosts: all + gather_facts: true + become: true + + tasks: + - name: Syncing clocks (All) + shell: "hwclock --hctosys" + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"] + ignore_errors: true + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + - name: Install recommended packages (Debian, Raspbian, Ubuntu) + package: + name: + - apache2-utils + - bash-completion + - ca-certificates + - cracklib-runtime + - cron + - curl + - git + - gnupg + - grc + - htop + - micro + - net-tools + - vim + - wget + state: latest + update_cache: yes + when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"] + tags: + - "Debian" + - "Raspbian" + - "Ubuntu" + + - name: Install exa (Debian, Raspbian, Ubuntu) + package: + name: + - exa + state: latest + update_cache: yes + register: exa_install_result + ignore_errors: yes + when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"] + tags: + - "Debian" + - "Raspbian" + - "Ubuntu" + + - name: Install eza (if exa failed) + package: + name: + - eza + state: latest + update_cache: yes + when: exa_install_result is failed + tags: + - "Debian" + - "Raspbian" + - "Ubuntu" + + - name: Install grc from remote repo (AlmaLinux, Rocky) + ansible.builtin.dnf: + name: 'https://github.com/kriipke/grc/releases/download/1.13.8/grc-1.13.8-1.el7.noarch.rpm' + disable_gpg_check: true + state: present + when: ansible_distribution in ["AlmaLinux", "Rocky"] + tags: + - "AlmaLinux" + - "Rocky" + + - name: Install recommended packages (AlmaLinux, Rocky) + package: + name: + - bash-completion + - ca-certificates + - cracklib + - curl + - dnf-plugins-core + - exa + - git + - grc + - htop + - httpd-tools + - net-tools + - tar + - vim + - wget + state: latest + update_cache: yes + register: exa_install_result + when: ansible_distribution in ["AlmaLinux", "Rocky"] + tags: + - "AlmaLinux" + - "Rocky" + + - name: Download and install micro editor (AlmaLinux, openSUSE Tumbleweed, Rocky) + shell: "curl https://getmic.ro | bash && mv micro /usr/bin" + args: + executable: /bin/bash + when: ansible_distribution in ["AlmaLinux", "openSUSE Tumbleweed", "openSUSE Leap" , "Rocky"] + tags: + - "AlmaLinux" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Rocky" + + - name: Install recommended packages (Fedora) + package: + name: + - bash-completion + - ca-certificates + - cracklib + - cronie + - curl + - dnf-plugins-core + - exa + - git + - grc + - htop + - httpd-tools + - micro + - net-tools + - vim + - wget + state: latest + update_cache: yes + register: exa_install_result + when: ansible_distribution in ["Fedora"] + tags: + - "Fedora" + + - name: Remove conflicting packages (openSUSE Tumbleweed) + package: + name: + - cups + - net-tools + - postfix + - yast2-auth-client + - yast2-auth-user + state: absent + update_cache: yes + when: ansible_distribution in ["openSUSE Tumbleweed"] + tags: + - "openSUSE Tumbleweed" + + - name: Remove conflicting packages (openSUSE Leap) + package: + name: + - cups + - net-tools + - postfix + - yast2-auth-client + - yast2-auth-user + state: absent + update_cache: yes + when: ansible_distribution in ["openSUSE Leap"] + tags: + - "openSUSE Leap" + + + - name: Install recommended packages (openSUSE Tumbleweed) + package: + name: + - apache2-utils + - bash-completion + - busybox-net-tools + - ca-certificates + - cracklib + - curl + - exa + - git + - grc + - htop + - vim + - wget + state: latest + update_cache: yes + register: exa_install_result + when: ansible_distribution in ["openSUSE Tumbleweed"] + tags: + - "openSUSE Tumbleweed" + - name: Install recommended packages (openSUSE Leap) + package: + name: + - apache2-utils + - bash-completion + - busybox-net-tools + - ca-certificates + - cracklib + - curl + - exa + - git + - grc + - htop + - vim + - wget + state: latest + update_cache: yes + register: exa_install_result + when: ansible_distribution in ["openSUSE Leap"] + tags: + - "openSUSE Leap" + + +##################################### +# T-Pot - Prepare for Docker Engine # +##################################### + +- name: T-Pot - Prepare for and install Docker Engine + hosts: all + gather_facts: true + become: true + + tasks: + - name: Remove distribution based Docker packages and podman-docker (AlmaLinux, Debian, Fedora, Raspbian, Rocky, Ubuntu) + package: + name: + - docker + - docker-engine + - docker.io + - containerd + - runc + - podman-docker + - podman + state: absent + update_cache: yes + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "Raspbian", "Rocky", "Ubuntu"] + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + - name: Add folder for Docker Engine GPG key (Debian, Raspbian, Ubuntu) + file: + path: /etc/apt/keyrings + state: directory + mode: 0755 + when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"] + tags: + - "Debian" + - "Raspbian" + - "Ubuntu" + + - name: Download Docker Engine GPG key (Debian, Raspbian, Ubuntu) + get_url: + url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg + dest: /etc/apt/keyrings/docker + mode: 0755 + when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"] + tags: + - "Debian" + - "Raspbian" + - "Ubuntu" + + - name: Decrypt Docker Engine GPG key (Debian, Raspbian, Ubuntu) + shell: gpg --dearmor /etc/apt/keyrings/docker + args: + creates: /etc/apt/keyrings/docker.gpg + when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"] + tags: + - "Debian" + - "Raspbian" + - "Ubuntu" + + - name: Add Docker Engine repository (Debian, Raspbian, Ubuntu) + apt_repository: + filename: docker + repo: "deb [arch={{ ansible_architecture | replace('aarch64', 'arm64') | replace('x86_64', 'amd64') }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" + state: present + update_cache: yes + when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"] + tags: + - "Debian" + - "Raspbian" + - "Ubuntu" + + - name: Add Docker repository (Fedora) + shell: | + if [ "$(dnf repolist docker-ce-stable)" == "" ]; + then + dnf -y config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo + fi + when: ansible_distribution in ["Fedora"] + tags: + - "Fedora" + + - name: Add Docker repository (AlmaLinux, Rocky) + shell: | + if [ "$(dnf repolist docker-ce-stable)" == "" ]; + then + dnf -y config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo + fi + when: ansible_distribution in ["AlmaLinux", "Rocky"] + tags: + - "AlmaLinux" + - "Rocky" + + +################################# +# T-Pot - Install Docker Engine # +################################# + +- name: T-Pot - Install Docker Engine + hosts: all + gather_facts: true + become: true + + tasks: + - name: Install Docker Engine packages (openSUSE Tumbleweed) + package: + name: + - docker + - docker-bash-completion + - docker-buildx + - docker-compose + - docker-compose-switch + - liblvm2cmd2_03 + - lvm2 + state: latest + update_cache: yes + when: ansible_distribution in ["openSUSE Tumbleweed"] + tags: + - "openSUSE Tumbleweed" + - name: Install Docker Engine packages (openSUSE Leap) + package: + name: + - docker + - docker-bash-completion + - docker-buildx + - docker-compose + - docker-compose-switch + - liblvm2cmd2_03 + - lvm2 + state: latest + update_cache: yes + when: ansible_distribution in ["openSUSE Leap"] + tags: + - "openSUSE Leap" + + + - name: Install Docker Engine packages (AlmaLinux, Debian, Fedora, Raspbian, Rocky, Ubuntu) + package: + name: + - docker-ce + - docker-ce-cli + - containerd.io + - docker-buildx-plugin + - docker-compose-plugin + state: latest + update_cache: yes + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "Raspbian", "Rocky", "Ubuntu"] + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + - name: Stop Docker (All) + service: + name: docker + state: stopped + enabled: false + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" "Raspbian", "Rocky", "Ubuntu"] + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + +###################################################### +# T-Pot - Adjust configs, add users and groups, etc. # +###################################################### + +- name: T-Pot - Adjust configs, add users and groups, etc. + hosts: all + gather_facts: true + become: true + + tasks: + - name: Create T-Pot group (All) + group: + name: tpot + gid: 2000 + state: present + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" ,"Raspbian", "Rocky", "Ubuntu"] + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + - name: Create T-Pot user (All) + user: + name: tpot + uid: 2000 + system: yes + shell: /bin/false + home: /nonexistent + group: tpot + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"] + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + - name: Ensure vm.max_map_count is set (All) + lineinfile: + path: /etc/sysctl.conf + line: "vm.max_map_count=262144" + state: present + create: yes + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" ,"Raspbian", "Rocky", "Ubuntu"] + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + - name: Disable ssh.socket unit (Ubuntu) + systemd: + name: ssh.socket + state: stopped + enabled: false + when: ansible_distribution in ["Ubuntu"] + tags: + - "Ubuntu" + + - name: Remove ssh.socket.conf file (Ubuntu) + file: + path: /etc/systemd/system/ssh.service.d/00-socket.conf + state: absent + when: ansible_distribution in ["Ubuntu"] + tags: + - "Ubuntu" + + - name: Change SSH Port to 64295 (AlmaLinux, Debian, Fedora, Raspbian, Rocky, Ubuntu) + lineinfile: + path: /etc/ssh/sshd_config + line: "Port 64295" + insertafter: EOF + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "Raspbian", "Rocky", "Ubuntu"] + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + - name: Change SSH Port to 64295 (openSUSE Tumbleweed) + lineinfile: + path: /etc/ssh/sshd_config.d/port.conf + line: "Port 64295" + create: yes + when: ansible_distribution in ["openSUSE Tumbleweed"] + tags: + - "openSUSE Tumbleweed" + + - name: Change SSH Port to 64295 (openSUSE Leap) + lineinfile: + path: /etc/ssh/sshd_config.d/port.conf + line: "Port 64295" + create: yes + when: ansible_distribution in ["openSUSE Leap"] + tags: + - "openSUSE Leap" + + + - name: Add T-Pot SSH port to Firewall (AlmaLinux, Fedora, openSUSE Tumbleweed, Rocky) + firewalld: + port: 64295/tcp + permanent: yes + state: enabled + when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" ,"Rocky"] + tags: + - "AlmaLinux" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Rocky" + + - name: Set T-Pot default target to ACCEPT (AlmaLinux, Fedora, openSUSE Tumbleweed, Rocky) + firewalld: + zone: public + target: ACCEPT + permanent: yes + state: enabled + when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" ,"Rocky"] + tags: + - "AlmaLinux" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Rocky" + + - name: Load kernel modules (AlmaLinux, Fedora, Rocky) + command: modprobe -v iptable_filter + when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"] + tags: + - "AlmaLinux" + - "Fedora" + - "Rocky" + + - name: Update iptables.conf (AlmaLinux, Fedora, Rocky) + lineinfile: + path: /etc/modules-load.d/iptables.conf + line: iptable_filter + create: yes + when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"] + tags: + - "AlmaLinux" + - "Fedora" + - "Rocky" + + - name: Set SELinux config to permissive (AlmaLinux, Fedora, Rocky) + lineinfile: + path: /etc/selinux/config + regexp: '^SELINUX=' + line: 'SELINUX=permissive' + when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"] + tags: + - "AlmaLinux" + - "Fedora" + - "Rocky" + + - name: Set SELinux to permissive (AlmaLinux, Fedora, Rocky) + command: "setenforce Permissive" + when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"] + tags: + - "AlmaLinux" + - "Fedora" + - "Rocky" + + - name: Stop Resolved (Fedora, Ubuntu) + service: + name: systemd-resolved + state: stopped + when: ansible_distribution in ["Fedora", "Ubuntu"] + tags: + - "Fedora" + - "Ubuntu" + + - name: Copy resolved.conf to /etc/systemd (Fedora) + copy: + src: /usr/lib/systemd/resolved.conf + dest: /etc/systemd/resolved.conf + when: ansible_distribution in ["Fedora"] + ignore_errors: true + tags: + - "Fedora" + + - name: Modify DNSStubListener in resolved.conf (Fedora, Ubuntu) + lineinfile: + path: /etc/systemd/resolved.conf + regexp: '^.*DNSStubListener=.*' + line: 'DNSStubListener=no' + state: present + when: ansible_distribution in ["Fedora", "Ubuntu"] + tags: + - "Fedora" + - "Ubuntu" + +############################ +# T-Pot - Restart services # +############################ + +- name: T-Pot - Restart services + hosts: all + gather_facts: true + become: true + + tasks: + - name: Start Resolved (Fedora, Ubuntu) + service: + name: systemd-resolved + state: restarted + when: ansible_distribution in ["Fedora", "Ubuntu"] + tags: + - "Fedora" + - "Ubuntu" + + - name: Restart Firewalld (AlmaLinux, Fedora, openSUSE Tumbleweed, openSUSE Leap , Rocky) + service: + name: firewalld + state: restarted + when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" ,"Rocky"] + tags: + - "AlmaLinux" + - "Fedora" + - "Rocky" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + + - name: Get Firewall rules (AlmaLinux, Fedora, openSUSE Tumbleweed, Rocky) + command: "firewall-cmd --list-all" + register: firewall_output + when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Rocky"] + tags: + - "AlmaLinux" + - "Fedora" + - "Rocky" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + + - name: Print Firewall rules (AlmaLinux, Fedora, openSUSE Tumbleweed, Rocky) + debug: + var: firewall_output.stdout_lines + when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Rocky"] + tags: + - "AlmaLinux" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Rocky" + + - name: Enable Docker Engine upon boot (All) + service: + name: docker + state: restarted + enabled: true + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"] + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + - name: Restart SSH (All) + service: + name: "{{ 'ssh' if ansible_distribution in ['Ubuntu'] else 'sshd' }}" + state: restarted + enabled: true + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"] + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + +####################################################################### +# T-Pot - Adjust group users, bashrc, clone / update T-Pot repository # +####################################################################### + +- name: T-Pot - Adjust group users, bashrc, clone / update T-Pot repository + hosts: all + gather_facts: true + become: false + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + tasks: + - name: Check for non-root user id (All) + debug: + msg: "Detected user: '{{ ansible_user_id }}'" + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"] + failed_when: ansible_user_id == "root" + + - name: Add aliases with exa (All) + blockinfile: + path: ~/.bashrc + block: | + alias dps='grc --colour=on docker ps -f status=running -f status=exited --format "table {{'{{'}}.Names{{'}}'}}\\t{{'{{'}}.Status{{'}}'}}\\t{{'{{'}}.Ports{{'}}'}}" | sort' + alias dpsw='watch -c bash -ic dps' + alias mi='micro' + alias sudo='sudo ' + alias ls='exa' + alias ll='exa -hlg' + alias la='exa -hlag' + marker: "# {mark} ANSIBLE MANAGED BLOCK" + insertafter: EOF + state: present + when: exa_install_result is succeeded and ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"] + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + - name: Add aliases with eza (Debian, Raspbian, Ubuntu) + blockinfile: + path: ~/.bashrc + block: | + alias dps='grc --colour=on docker ps -f status=running -f status=exited --format "table {{'{{'}}.Names{{'}}'}}\\t{{'{{'}}.Status{{'}}'}}\\t{{'{{'}}.Ports{{'}}'}}" | sort' + alias dpsw='watch -c bash -ic dps' + alias mi='micro' + alias sudo='sudo ' + alias ls='eza' + alias ll='eza -hlg' + alias la='eza -hlag' + marker: "# {mark} ANSIBLE MANAGED BLOCK" + insertafter: EOF + state: present + when: exa_install_result is failed and ansible_distribution in ["Debian", "Raspbian", "Ubuntu"] + tags: + - "Debian" + - "Raspbian" + - "Ubuntu" + + - name: Clone / Update T-Pot repository (All) + git: + repo: 'https://github.com/telekom-security/tpotce' + dest: '/home/{{ ansible_user_id }}/tpotce/' + version: master + clone: yes + update: no + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"] + + - name: Add current user to Docker, T-Pot group (All) + become: true + user: + name: "{{ ansible_user_id }}" + groups: + - docker + - tpot + append: yes + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"] + +######################################## +# T-Pot - Install service and cron job # +######################################## + +- name: T-Pot - Install service + hosts: all + gather_facts: true + become: false + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + tasks: + - name: Install systemd service (All) + become: true + ansible.builtin.template: + src: '/home/{{ ansible_user_id }}/tpotce/installer/install/tpot.service' + dest: '/etc/systemd/system/tpot.service' + owner: root + group: root + mode: '0755' + notify: Reload systemd and enable service + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap", "Raspbian", "Rocky", "Ubuntu"] + + handlers: + - name: Reload systemd and enable service + become: true + ansible.builtin.systemd: + name: tpot.service + daemon_reload: yes + state: stopped + enabled: yes + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" ,"Raspbian", "Rocky", "Ubuntu"] + +- name: T-Pot - Setup a randomized daily reboot + hosts: all + gather_facts: true + become: yes + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "openSUSE Leap" + - "Raspbian" + - "Rocky" + - "Ubuntu" + + vars: + random_minute: "{{ range(0, 60) | random }}" + random_hour: "{{ range(0, 5) | random }}" # We want the reboot randomly happen at night + + tasks: + - name: Setup a randomized daily reboot (All) + cron: + name: "T-Pot Daily Reboot" + user: root + minute: "{{ random_minute }}" + hour: "{{ random_hour }}" + job: "bash -c 'systemctl stop tpot.service && docker container prune -f; docker image prune -f; docker volume prune -f; /usr/sbin/shutdown -r +1 \"T-Pot Daily Reboot\"'" + state: present + when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"]