Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-01 20:42:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

add support for Ubuntu, begin work on Fedora

Browse source
This commit is contained in:
t3chn0m4g3 2023-06-22 18:30:18 +00:00
parent d7bcfda109
commit 95c6a8e28a
2 changed files with 267 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
installer/ansible/debian.yml
View file

@ -156,7 +156,7 @@
- name: Clone / Update T-Pot repository
git:
repo: 'https://github.com/telekom-security/tpotce'
dest: '/home/{{ ansible_user_id }}/tpot/'
dest: '/home/{{ ansible_user_id }}/tpotce/'
version: dev
clone: yes
update: no

266
installer/ansible/multi.yml Normal file
View file

@ -0,0 +1,266 @@
---
########################################
# T-Pot - Install recommended packages #
########################################
- name: T-Pot - Install recommended packages
hosts: all
gather_facts: true
become: true
tasks:
- name: Syncing clocks
shell: "hwclock --hctosys"
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Install recommended packages
package:
name:
- bash-completion
- ca-certificates
- curl
- git
- gnupg
- grc
- neovim
- net-tools
state: present
update-cache: yes
when: ansible_distribution in ["Debian", "Ubuntu"]
#################################################
# T-Pot - Prepare for and install Docker Engine #
#################################################
- name: T-Pot - Prepare for and install Docker Engine
hosts: all
gather_facts: true
become: true
tasks:
- name: Remove distribution based Docker packages
package:
name:
- docker
- docker-engine
- docker.io
- containerd
- runc
state: absent
update-cache: yes
when: ansible_distribution in ["Debian", "Ubuntu"]
- name: Add folder for Docker Engine GPG key
file:
path: /etc/apt/keyrings
state: directory
mode: 0755
when: ansible_distribution in ["Debian", "Ubuntu"]
- name: Download Docker Engine GPG key
get_url:
url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
dest: /etc/apt/keyrings/docker
mode: 0755
when: ansible_distribution in ["Debian", "Ubuntu"]
- name: Decrypt Docker Engine GPG key
shell: gpg --dearmor /etc/apt/keyrings/docker
args:
creates: /etc/apt/keyrings/docker.gpg
when: ansible_distribution in ["Debian", "Ubuntu"]
- name: Add Docker Engine repository
apt_repository:
filename: docker
repo: "deb [arch={{ ansible_architecture | replace('aarch64', 'arm64') }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
state: present
update-cache: yes
when: ansible_distribution in ["Debian", "Ubuntu"]
- name: Install Docker Engine packages
package:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin
state: present
update-cache: yes
notify: Restart Docker
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Enable Docker Engine upon boot
systemd:
name: docker
state: started
enabled: yes
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
handlers:
- name: Restart Docker
ansible.builtin.service:
name: docker
state: restarted
enabled: true
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
######################################################
# T-Pot - Adjust configs, add users and groups, etc. #
######################################################
- name: T-Pot - Adjust configs, add users and groups, etc.
hosts: all
gather_facts: true
become: true
tasks:
- name: Create T-Pot group
group:
name: tpot
gid: 2000
state: present
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Create T-Pot user
user:
name: tpot
uid: 2000
system: yes
shell: /bin/false
home: /nonexistent
group: tpot
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Disable ssh.socket unit
systemd:
name: ssh.socket
state: stopped
enabled: false
when: ansible_distribution in ["Ubuntu"]
- name: Remove ssh.socket.conf file
file:
path: /etc/systemd/system/ssh.service.d/00-socket.conf
state: absent
when: ansible_distribution in ["Ubuntu"]
- name: Change SSH Port to 64295
lineinfile:
path: /etc/ssh/sshd_config
line: "Port 64295"
insertafter: EOF
notify: Restart SSH
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Add T-Pot SSH port to Firewall
firewalld:
port: 64295/tcp
permanent: yes
state: enabled
when: ansible_distribution in ["Fedora"]
- name: Set T-Pot default target to ACCEPT
firewalld:
default_zone: public
target: ACCEPT
permanent: yes
when: ansible_distribution in ["Fedora"]
- name: Get Firewall rules
command: "firewall-cmd --list-all"
register: firewall_output
when: ansible_distribution in ["Fedora"]
- name: Print Firewall rules
debug:
var: firewall_output.stdout_lines
when: ansible_distribution in ["Fedora"]
- name: Load kernel modules
command: modprobe -v iptable_filter
when: ansible_distribution in ["Fedora"]
- name: Update iptables.conf
lineinfile:
path: /etc/modules-load.d/iptables.conf
line: iptable_filter
create: yes
when: ansible_distribution in ["Fedora"]
- name: Update SELinux config
lineinfile:
path: /etc/selinux/config
regexp: '^SELINUX='
line: 'SELINUX=permissive'
when: ansible_distribution in ["Fedora"]
- name: Modify DNSStubListener in resolved.conf
lineinfile:
path: /etc/systemd/resolved.conf
regexp: '^.*DNSStubListener=.*'
line: 'DNSStubListener=no'
state: present
notify: Restart Resolved
when: ansible_distribution in ["Fedora", "Ubuntu"]
handlers:
- name: Restart Resolved
ansible.builtin.service:
name: systemd-resolved
state: restarted
when: ansible_distribution in ["Fedora", "Ubuntu"]
- name: Restart SSH
ansible.builtin.service:
name: "{{ 'sshd' if ansible_distribution == 'Debian' else 'ssh' }}"
state: restarted
enabled: true
when: ansible_distribution in ["Debian", "Ubuntu"]
#######################################################################
# T-Pot - Adjust group users, bashrc, clone / update T-Pot repository #
#######################################################################
- name: T-Pot - Adjust group users, bashrc, clone / update T-Pot repository
hosts: all
gather_facts: true
tasks:
- name: Add aliases
blockinfile:
path: ~/.bashrc
block: |
alias dps='grc --colour=on docker ps -f status=running -f status=exited --format "table {{'{{'}}.Names{{'}}'}}\t{{'{{'}}.Status{{'}}'}}\t{{'{{'}}.Ports{{'}}'}}" | sort'
alias dpsw='watch -c bash -ic dps'
marker: "# {mark} ANSIBLE MANAGED BLOCK"
insertafter: EOF
state: present
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Clone / Update T-Pot repository
git:
repo: 'https://github.com/telekom-security/tpotce'
dest: '/home/{{ ansible_user_id }}/tpotce/'
version: dev
clone: yes
update: no
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Add current user to Docker, T-Pot group
become: true
user:
name: "{{ ansible_user_id }}"
groups:
- docker
- tpot
append: yes
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Check for non-root user id
debug:
msg: "Detected user: '{{ ansible_user_id }}'"
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
failed_when: ansible_user_id == "root"