From 95c6a8e28aebd0d49eec54de3a0c27f6d4890e4a Mon Sep 17 00:00:00 2001 From: t3chn0m4g3 Date: Thu, 22 Jun 2023 18:30:18 +0000 Subject: [PATCH] add support for Ubuntu, begin work on Fedora
---
 installer/ansible/debian.yml | 2 +-
 installer/ansible/multi.yml | 266 +++++++++++++++++++++++++++++++++++
 2 files changed, 267 insertions(+), 1 deletion(-)
 create mode 100644 installer/ansible/multi.yml
diff --git a/installer/ansible/debian.yml b/installer/ansible/debian.yml
index c64be9cf..88871813 100644
--- a/installer/ansible/debian.yml
+++ b/installer/ansible/debian.yml
@@ -156,7 +156,7 @@
 - name: Clone / Update T-Pot repository
 git:
 repo: 'https://github.com/telekom-security/tpotce'
- dest: '/home/{{ ansible_user_id }}/tpot/'
+ dest: '/home/{{ ansible_user_id }}/tpotce/'
 version: dev
 clone: yes
 update: no
diff --git a/installer/ansible/multi.yml b/installer/ansible/multi.yml
new file mode 100644
index 00000000..6e7843c3
--- /dev/null
+++ b/installer/ansible/multi.yml
@@ -0,0 +1,266 @@
+---
+########################################
+# T-Pot - Install recommended packages #
+########################################
+
+- name: T-Pot - Install recommended packages
+ hosts: all
+ gather_facts: true
+ become: true
+
+ tasks:
+ - name: Syncing clocks
+ shell: "hwclock --hctosys"
+ when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
+
+ - name: Install recommended packages
+ package:
+ name:
+ - bash-completion
+ - ca-certificates
+ - curl
+ - git
+ - gnupg
+ - grc
+ - neovim
+ - net-tools
+ state: present
+ update-cache: yes
+ when: ansible_distribution in ["Debian", "Ubuntu"]
+
+
+#################################################
+# T-Pot - Prepare for and install Docker Engine #
+#################################################
+
+- name: T-Pot - Prepare for and install Docker Engine
+ hosts: all
+ gather_facts: true
+ become: true
+
+ tasks:
+ - name: Remove distribution based Docker packages
+ package:
+ name:
+ - docker
+ - docker-engine
+ - docker.io
+ - containerd
+ - runc
+ state: absent
+ update-cache: yes
+ when: ansible_distribution in ["Debian", "Ubuntu"]
+
+ - name: Add folder for Docker Engine GPG key
+ file:
+ path: /etc/apt/keyrings
+ state: directory
+ mode: 0755
+ when: ansible_distribution in ["Debian", "Ubuntu"]
+
+ - name: Download Docker Engine GPG key
+ get_url:
+ url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
+ dest: /etc/apt/keyrings/docker
+ mode: 0755
+ when: ansible_distribution in ["Debian", "Ubuntu"]
+
+ - name: Decrypt Docker Engine GPG key
+ shell: gpg --dearmor /etc/apt/keyrings/docker
+ args:
+ creates: /etc/apt/keyrings/docker.gpg
+ when: ansible_distribution in ["Debian", "Ubuntu"]
+
+ - name: Add Docker Engine repository
+ apt_repository:
+ filename: docker
+ repo: "deb [arch={{ ansible_architecture | replace('aarch64', 'arm64') }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
+ state: present
+ update-cache: yes
+ when: ansible_distribution in ["Debian", "Ubuntu"]
+
+ - name: Install Docker Engine packages
+ package:
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-buildx-plugin
+ - docker-compose-plugin
+ state: present
+ update-cache: yes
+ notify: Restart Docker
+ when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
+
+ - name: Enable Docker Engine upon boot
+ systemd:
+ name: docker
+ state: started
+ enabled: yes
+ when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
+
+ handlers:
+ - name: Restart Docker
+ ansible.builtin.service:
+ name: docker
+ state: restarted
+ enabled: true
+ when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
+
+######################################################
+# T-Pot - Adjust configs, add users and groups, etc. #
+######################################################
+
+- name: T-Pot - Adjust configs, add users and groups, etc.
+ hosts: all
+ gather_facts: true
+ become: true
+
+ tasks:
+ - name: Create T-Pot group
+ group:
+ name: tpot
+ gid: 2000
+ state: present
+ when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
+
+ - name: Create T-Pot user
+ user:
+ name: tpot
+ uid: 2000
+ system: yes
+ shell: /bin/false
+ home: /nonexistent
+ group: tpot
+ when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
+
+ - name: Disable ssh.socket unit
+ systemd:
+ name: ssh.socket
+ state: stopped
+ enabled: false
+ when: ansible_distribution in ["Ubuntu"]
+
+ - name: Remove ssh.socket.conf file
+ file:
+ path: /etc/systemd/system/ssh.service.d/00-socket.conf
+ state: absent
+ when: ansible_distribution in ["Ubuntu"]
+
+ - name: Change SSH Port to 64295
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ line: "Port 64295"
+ insertafter: EOF
+ notify: Restart SSH
+ when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
+
+ - name: Add T-Pot SSH port to Firewall
+ firewalld:
+ port: 64295/tcp
+ permanent: yes
+ state: enabled
+ when: ansible_distribution in ["Fedora"]
+
+ - name: Set T-Pot default target to ACCEPT
+ firewalld:
+ default_zone: public
+ target: ACCEPT
+ permanent: yes
+ when: ansible_distribution in ["Fedora"]
+
+ - name: Get Firewall rules
+ command: "firewall-cmd --list-all"
+ register: firewall_output
+ when: ansible_distribution in ["Fedora"]
+
+ - name: Print Firewall rules
+ debug:
+ var: firewall_output.stdout_lines
+ when: ansible_distribution in ["Fedora"]
+
+ - name: Load kernel modules
+ command: modprobe -v iptable_filter
+ when: ansible_distribution in ["Fedora"]
+
+ - name: Update iptables.conf
+ lineinfile:
+ path: /etc/modules-load.d/iptables.conf
+ line: iptable_filter
+ create: yes
+ when: ansible_distribution in ["Fedora"]
+
+ - name: Update SELinux config
+ lineinfile:
+ path: /etc/selinux/config
+ regexp: '^SELINUX='
+ line: 'SELINUX=permissive'
+ when: ansible_distribution in ["Fedora"]
+
+ - name: Modify DNSStubListener in resolved.conf
+ lineinfile:
+ path: /etc/systemd/resolved.conf
+ regexp: '^.*DNSStubListener=.*'
+ line: 'DNSStubListener=no'
+ state: present
+ notify: Restart Resolved
+ when: ansible_distribution in ["Fedora", "Ubuntu"]
+
+ handlers:
+ - name: Restart Resolved
+ ansible.builtin.service:
+ name: systemd-resolved
+ state: restarted
+ when: ansible_distribution in ["Fedora", "Ubuntu"]
+
+ - name: Restart SSH
+ ansible.builtin.service:
+ name: "{{ 'sshd' if ansible_distribution == 'Debian' else 'ssh' }}"
+ state: restarted
+ enabled: true
+ when: ansible_distribution in ["Debian", "Ubuntu"]
+
+#######################################################################
+# T-Pot - Adjust group users, bashrc, clone / update T-Pot repository #
+#######################################################################
+
+- name: T-Pot - Adjust group users, bashrc, clone / update T-Pot repository
+ hosts: all
+ gather_facts: true
+
+ tasks:
+ - name: Add aliases
+ blockinfile:
+ path: ~/.bashrc
+ block: |
+ alias dps='grc --colour=on docker ps -f status=running -f status=exited --format "table {{'{{'}}.Names{{'}}'}}\t{{'{{'}}.Status{{'}}'}}\t{{'{{'}}.Ports{{'}}'}}" | sort'
+ alias dpsw='watch -c bash -ic dps'
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ insertafter: EOF
+ state: present
+ when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
+
+ - name: Clone / Update T-Pot repository
+ git:
+ repo: 'https://github.com/telekom-security/tpotce'
+ dest: '/home/{{ ansible_user_id }}/tpotce/'
+ version: dev
+ clone: yes
+ update: no
+ when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
+
+ - name: Add current user to Docker, T-Pot group
+ become: true
+ user:
+ name: "{{ ansible_user_id }}"
+ groups:
+ - docker
+ - tpot
+ append: yes
+ when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
+
+ - name: Check for non-root user id
+ debug:
+ msg: "Detected user: '{{ ansible_user_id }}'"
+ when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
+ failed_when: ansible_user_id == "root"
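Review bot: The `Download Docker Engine GPG key` and `Decrypt Docker Engine GPG key` tasks fetch the apt signing key with `get_url` and dearmor it straight into the `signed-by=` path with no integrity check, so whatever download.docker.com serves at install time becomes the trust anchor for every later `docker-ce` install on the host; pin it with `checksum: sha256:<digest taken from a verified copy of the key>` on the `get_url` task (or compare the dearmored key's fingerprint against the one Docker publishes before `docker.gpg` is written), and give the key file `mode: '0644'` rather than the unquoted, executable `0755`. The dearmor step uses no shell features, so `command: gpg --dearmor /etc/apt/keyrings/docker` is the safer module than `shell:` there. Separately, the root guard in the last task (`failed_when: ansible_user_id == "root"`) only fires after every earlier play and this play's clone into `/home/{{ ansible_user_id }}/tpotce/` and `docker`-group change have already run; put it first, in a leading play without `become` (facts gathered under `become` appear to report `root`), as `ansible.builtin.assert` with `that: ansible_user_id != 'root'`, so a root run aborts before anything is changed. Note also that the `Restart SSH` handler is guarded to Debian/Ubuntu and its service-name expression falls through to `ssh` for anything but Debian while Fedora's unit is `sshd`, so the `Port 64295` change notified from the Fedora branch is not applied until a reboot.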