From b3f1b71054f3c5da52e8da97cb7b8dadb8553d6f Mon Sep 17 00:00:00 2001 From: Marco Ochse Date: Wed, 5 Jul 2023 17:55:59 +0200 Subject: [PATCH] Tweaking: - Ansible Playbooks refinement - Add Ansible Bootstrapping - Add some notes --- PREVIEW.md | 2 +- install.sh | 6 +-- installer/install/inventory.yml | 8 ++++ installer/install/sudo.yml | 69 ++++++++++++++++++++++----------- installer/install/tpot.yml | 68 +++++++++++++++++++++++++++++++- installer/remove/inventory.yml | 8 ++++ installer/remove/sudo.yml | 43 ++++++++++++++++---- 7 files changed, 167 insertions(+), 37 deletions(-) create mode 100644 installer/install/inventory.yml create mode 100644 installer/remove/inventory.yml diff --git a/PREVIEW.md b/PREVIEW.md index 8e05554f..2691f35a 100644 --- a/PREVIEW.md +++ b/PREVIEW.md 
@@ -88,7 +88,7 @@ Choose a supported distro of your choice. It is recommended to use the minimum / | Distribution Name | x64 | arm64 |:-----------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------|:-------------- | [AlmaLinux](https://almalinux.org) | [download](https://mirrors.almalinux.org/isos/x86_64/9.2.html) | [download](https://mirrors.almalinux.org/isos/aarch64/9.2.html) -| [Debian](https://www.debian.org/index.en.html) | [download](http://ftp.debian.org/debian/dists/stable/main/installer-amd64/current/images/netboot/mini.iso) | [download](http://ftp.debian.org/debian/dists/stable/main/installer-arm64/current/images/netboot/mini.iso) +| [Debian](https://www.debian.org/index.en.html) | [download](https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-12.0.0-amd64-netinst.iso) | [download](https://cdimage.debian.org/debian-cd/current/arm64/iso-cd/debian-12.0.0-arm64-netinst.iso) | [Fedora](https://fedoraproject.org) | [download](https://download.fedoraproject.org/pub/fedora/linux/releases/38/Server/x86_64/iso/Fedora-Server-netinst-x86_64-38-1.6.iso) | [download](https://download.fedoraproject.org/pub/fedora/linux/releases/38/Server/aarch64/iso/Fedora-Server-netinst-aarch64-38-1.6.iso) | [OpenSuse](https://www.opensuse.org) | [download](https://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-NET-x86_64-Current.iso) | [download](https://download.opensuse.org/ports/aarch64/tumbleweed/iso/openSUSE-Tumbleweed-NET-aarch64-Current.iso) | [Rocky Linux](https://rockylinux.org) | [download](https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.2-x86_64-minimal.iso) | [download](https://download.rockylinux.org/pub/rocky/9/isos/aarch64/Rocky-9.2-aarch64-minimal.iso) diff --git a/install.sh b/install.sh index 7ef87d63..58bf8fe0 100755 --- a/install.sh +++ b/install.sh 
@@ -62,8 +62,7 @@ case ${myCURRENT_DISTRIBUTION} in echo echo ${myINSTALL_NOTIFICATION} echo - sudo dnf update -y - sudo dnf install -y ${myPACKAGES_FEDORA} + sudo dnf -y --refresh install ${myPACKAGES_FEDORA} ;; "Debian GNU/Linux"|"Ubuntu") echo @@ -100,8 +99,7 @@ case ${myCURRENT_DISTRIBUTION} in echo echo ${myINSTALL_NOTIFICATION} echo - sudo dnf update -y - sudo dnf install -y ${myPACKAGES_ROCKY} + sudo dnf -y --refresh install ${myPACKAGES_ROCKY} ansible-galaxy collection install ansible.posix ;; esac diff --git a/installer/install/inventory.yml b/installer/install/inventory.yml new file mode 100644 index 00000000..3ad479ce --- /dev/null +++ b/installer/install/inventory.yml @@ -0,0 +1,8 @@ +tpotce: + hosts: + # Remote IP address, host name or alias: + 192.168.100.100: + # Remote SSH port: + ansible_port: 22 + # Remote SSH user: + ansible_user: tsec \ No newline at end of file diff --git a/installer/install/sudo.yml b/installer/install/sudo.yml index 028168cb..220d6605 100644 --- a/installer/install/sudo.yml +++ b/installer/install/sudo.yml 
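Review bot: `sudo dnf -y --refresh install ${myPACKAGES_FEDORA}` only refreshes repository metadata before installing; it does not upgrade packages already on the host, so dropping `sudo dnf update -y` means a freshly provisioned Fedora box is no longer patched as part of the install. If that is deliberate (faster, more reproducible installs), say so above the line, e.g. `# Metadata refresh only: upgrading the base OS is left to the operator`; otherwise keep an explicit `sudo dnf -y upgrade` step before the install. The same applies to the Rocky/Alma branch further down.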
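Review bot: The Rocky/Alma branch still runs `ansible-galaxy collection install ansible.posix` unpinned right after the rewritten install line, so every run pulls whatever Galaxy currently serves as latest, with no version the playbooks were tested against; pin it, e.g. commit a `requirements.yml` and use `ansible-galaxy collection install -r requirements.yml`. As in the Fedora branch, `--refresh` refreshes metadata only and is not a replacement for the removed `dnf update -y`.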
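Review bot: The host entry `192.168.100.100` with `ansible_user: tsec` is committed as live inventory rather than a template, so a run without editing the file will try to SSH to that address as `tsec`; add a leading comment such as `# Replace the example host and ansible_user below with your T-Pot target before running any playbook` or comment the example host out. The sudo bootstrap play escalates with `become_method: su`, so the invocation that supplies the remote root password is worth documenting here too, e.g. `# Run with: ansible-playbook -i inventory.yml sudo.yml -K  (become password = root password)`. Leave host-key checking at Ansible's default so the first `raw:` connection to a fresh host is still verified against known_hosts, and add the missing trailing newline.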
@@ -1,30 +1,53 @@ --- -# Become needs to happen in the task or root will be added to the sudo group instead of the user -- name: On Debian, check if sudo is installed +####################################### +# T-Pot - Debian Bootstrapping (sudo) # +####################################### + +# Be sure to use root password as become password +- name: T-Pot - Debian Bootstrapping (sudo) hosts: all - gather_facts: true + gather_facts: false become: false - pre_tasks: - - name: Check for non-root user id - debug: - msg: "Detected user: '{{ ansible_user_id }}'" - failed_when: ansible_user_id == "root" + tasks: + - name: Check if running as root + assert: + that: ansible_user != 'root' + fail_msg: "T-Pot playbook should not be run as root." + success_msg: "Running as user: {{ ansible_user }}." + tags: + - "Debian" - - name: Install sudo package if not present already + - name: Check if running as tpot + assert: + that: ansible_user != 'tpot' + fail_msg: "Reserved username `tpot` detected." + success_msg: "Running as user: {{ ansible_user }}." 
+ tags: + - "Debian" + + - name: Get distribution name + raw: awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"' | cut -d " " -f1 + register: my_distribution + tags: + - "Debian" + + - name: Check if sudo is installed + # Use echo, or task will fail if sudo not found + raw: echo -n $(command -v sudo) + register: my_sudo + tags: + - "Debian" + + - name: Add sudo package and add ansible_user to sudo group (Debian) become: true become_method: su - apt: - name: sudo - state: present - update-cache: yes - when: ansible_distribution == "Debian" - - - name: Add current user to sudo group - become: true - become_method: su - user: - name: "{{ ansible_user_id }}" - groups: sudo - append: yes - when: ansible_distribution == "Debian" + raw: | + apt update + apt -y install sudo + /usr/sbin/usermod -aG sudo {{ ansible_user }} + echo '{{ ansible_user }} ALL=(ALL:ALL) ALL' | tee /etc/sudoers.d/{{ ansible_user }} + chmod 440 /etc/sudoers.d/{{ ansible_user }} + when: my_distribution.stdout | trim in ["Debian"] and my_sudo.stdout | trim == "" + tags: + - "Debian" diff --git a/installer/install/tpot.yml b/installer/install/tpot.yml index bf3b8c28..110e763f 100644 --- a/installer/install/tpot.yml +++ b/installer/install/tpot.yml 
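Review bot: The final Debian task runs only when `my_sudo.stdout | trim == ""`, so a host where the sudo package is present but `{{ ansible_user }}` is not in the sudo group (sudo installed afterwards, or a user created later) is skipped silently, and the following tpot.yml play then fails at `become_method: sudo` with no hint why. Add a group-membership probe after the sudo probe and fail with a clear message instead of skipping; an assert is safer than attempting `su` on such hosts, since the Debian installer locks root when no root password was set. Independently, `{{ ansible_user }}` is spliced unquoted into the `raw:` shell lines (`usermod`, `tee`, `chmod`), so use `{{ ansible_user | quote }}` there, and note in a comment that sudo ignores files under /etc/sudoers.d whose name contains a `.` or ends in `~`, which a username like `john.doe` would trigger.
```yaml
    # … unchanged: root/tpot asserts, distribution probe, "Check if sudo is installed" …

    - name: Get groups of ansible_user (Debian)
      raw: id -nG {{ ansible_user | quote }}
      register: my_groups
      changed_when: false
      when: my_distribution.stdout | trim in ["Debian"] and my_sudo.stdout | trim != ""
      tags:
        - "Debian"

    - name: Fail if sudo is present but ansible_user is not in the sudo group (Debian)
      assert:
        that: "'sudo' in (my_groups.stdout | default('')).split()"
        fail_msg: "sudo is installed but {{ ansible_user }} is not in the sudo group; run `usermod -aG sudo {{ ansible_user }}` as root and re-run."
      when: my_distribution.stdout | trim in ["Debian"] and my_sudo.stdout | trim != ""
      tags:
        - "Debian"

    # … unchanged: "Add sudo package and add ansible_user to sudo group (Debian)" task …
```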
@@ -1,4 +1,63 @@ --- +################################ +# T-Pot - Bootstrapping Python # +################################ + +- name: T-Pot - Bootstrapping Python + hosts: all + gather_facts: false + become: true + become_method: sudo + + tasks: + - name: Get distribution name (All) + raw: awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"' | cut -d " " -f1 + register: my_distribution + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "Rocky" + - "Ubuntu" + + - name: Check if python3 is installed (All) + raw: echo $(command -v python3) + register: my_python3 + tags: + - "AlmaLinux" + - "Debian" + - "Fedora" + - "openSUSE Tumbleweed" + - "Rocky" + - "Ubuntu" + + - name: Add python package (Debian, Ubuntu) + raw: | + apt update + apt -y install python3 + when: my_distribution.stdout | trim in ["Debian", "Ubuntu"] and my_python3.stdout | trim == "" + tags: + - "Debian" + - "Ubuntu" + + - name: Add python package (Alma, Fedora, Rocky) + raw: | + dnf -y --refresh install python3 + when: my_distribution.stdout | trim in ["AlmaLinux", "Fedora", "Rocky"] and my_python3.stdout | trim == "" + tags: + - "AlmaLinux" + - "Fedora" + - "Rocky" + + - name: Add python package (openSUSE Tumbleweed) + raw: | + zypper refresh + zypper -y install python3 + when: my_distribution.stdout | trim in ["AlmaLinux", "Fedora", "Rocky"] and my_python3.stdout | trim == "" + tags: + - "openSUSE Tumbleweed" + ################################ # T-Pot - Abort if run as root # ################################ 
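Review bot: The openSUSE task's condition is a copy of the dnf task's, `my_distribution.stdout | trim in ["AlmaLinux", "Fedora", "Rocky"]`, so python3 is never bootstrapped on openSUSE, and on a python-less Alma/Fedora/Rocky host the task also runs and fails for lack of zypper right after the dnf task succeeded. Since the probe applies `cut -d " " -f1` to `NAME="openSUSE Tumbleweed"`, the line should read `when: my_distribution.stdout | trim in ["openSUSE"] and my_python3.stdout | trim == ""`. zypper takes `--non-interactive`/`-n` as a global option and `-y`/`--no-confirm` only after the `install` subcommand, so `zypper -y install python3` is presumably rejected; `zypper --non-interactive install python3` is the safe form. The "Abort if run as root" play whose banner closes this hunk continues outside it.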
@@ -15,12 +74,19 @@ - "Rocky" - "Ubuntu" - pre_tasks: + tasks: - name: Check if running as root (All) assert: that: ansible_user_id != 'root' fail_msg: "T-Pot playbook should not be run as root." success_msg: "Running as user: {{ ansible_user_id }}." + + - name: Check if running as tpot (All) + assert: + that: ansible_user != 'tpot' + fail_msg: "Reserved username `tpot` detected." + success_msg: "Running as user: {{ ansible_user_id }}." + - name: Check if supported distribution (All) assert: that: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Rocky", "Ubuntu"] diff --git a/installer/remove/inventory.yml b/installer/remove/inventory.yml new file mode 100644 index 00000000..3ad479ce --- /dev/null +++ b/installer/remove/inventory.yml @@ -0,0 +1,8 @@ +tpotce: + hosts: + # Remote IP address, host name or alias: + 192.168.100.100: + # Remote SSH port: + ansible_port: 22 + # Remote SSH user: + ansible_user: tsec \ No newline at end of file diff --git a/installer/remove/sudo.yml b/installer/remove/sudo.yml index c6f4201d..6d135f40 100644 --- a/installer/remove/sudo.yml +++ b/installer/remove/sudo.yml 
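Review bot: The new reserved-name assert tests `ansible_user` while the sibling root check and both `success_msg`s use `ansible_user_id`; `ansible_user` is only defined when set in inventory or via `-u`, so a run that relies on the controller's login name errors with an undefined-variable message instead of a clean pass/fail. Use the gathered fact consistently, `that: ansible_user_id != 'tpot'`. The play header (hosts/gather_facts/become) sits between the two hunks and is not visible here, so whether `ansible_user_id` reflects the login user or a become user is inferred rather than checked.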
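Review bot: This file is a byte-identical copy of installer/install/inventory.yml (same blob 3ad479ce), so an operator has to edit the target host twice and the two copies will drift; a single inventory referenced by both the install and remove playbooks, or a symlink, would avoid that. As with the install copy, the example host and user are committed as live inventory, so a comment above `tpotce:` such as `# Edit host and ansible_user to match the T-Pot target before running` would help, and the file is missing its trailing newline.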
@@ -1,28 +1,55 @@ --- -# Become needs to happen in the task or root will be added to the sudo group instead of the user -- name: On Debian, remove sudo +################################ +# T-Pot - Debian Remove (sudo) # +################################ + +# Be sure to use root password as become password +- name: T-Pot - Debian Remove (sudo) hosts: all gather_facts: true become: false - pre_tasks: - - name: Check for non-root user id - debug: - msg: "Detected user: '{{ ansible_user_id }}'" - failed_when: ansible_user_id == "root" + tasks: + - name: Check if running as root + assert: + that: ansible_user != 'root' + fail_msg: "T-Pot playbook should not be run as root." + success_msg: "Running as user: {{ ansible_user }}." + tags: + - "Debian" + + - name: Check if running as tpot + assert: + that: ansible_user != 'tpot' + fail_msg: "Reserved username `tpot` detected." + success_msg: "Running as user: {{ ansible_user }}." + tags: + - "Debian" - name: Remove current user from sudo group become: true become_method: su command: gpasswd -d "{{ ansible_user_id }}" sudo when: ansible_distribution == "Debian" + tags: + - "Debian" - name: Uninstall sudo package if present become: true become_method: su - apt: + package: name: sudo state: absent update-cache: no when: ansible_distribution == "Debian" + tags: + - "Debian" + - name: Remove sudoers file for ansible_user_id + become: true + become_method: su + file: + path: /etc/sudoers.d/{{ ansible_user_id }} + state: absent + tags: + - "Debian"
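Review bot: The new "Remove sudoers file for ansible_user_id" task has no `when: ansible_distribution == "Debian"` guard, unlike the two tasks above it, so on every other distribution it still escalates with `become_method: su` (root password) just to delete a file the install play only ever creates on Debian; add `when: ansible_distribution == "Debian"` next to its `tags:`. The install side names the file after `ansible_user` while this task uses `ansible_user_id`; with `become: false` at play level the two normally agree, but if they do not the sudoers entry is left behind, so using the same variable on both sides is the safer choice.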