Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-04-19 21:52:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

add fedora to installer, tweaking

Browse source
This commit is contained in:
t3chn0m4g3 2023-06-24 14:05:13 +02:00
parent 95c6a8e28a
commit e2e20e3684
2 changed files with 77 additions and 214 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

176
installer/ansible/debian.yml
View file

@ -1,176 +0,0 @@
---
########################################
# T-Pot - Install recommended packages #
########################################
- name: T-Pot - Install recommended packages
hosts: all
gather_facts: true
become: true
tasks:
- name: Syncing clocks
shell: "hwclock --hctosys"
- name: Install recommended packages
package:
name:
- bash-completion
- ca-certificates
- curl
- git
- gnupg
- grc
- neovim
- net-tools
state: present
update-cache: yes
#################################################
# T-Pot - Prepare for and install Docker Engine #
#################################################
- name: T-Pot - Prepare for and install Docker Engine
hosts: all
gather_facts: true
become: true
tasks:
- name: Remove distribution based Docker packages
package:
name:
- docker
- docker-engine
- docker.io
- containerd
- runc
state: absent
update-cache: yes
- name: Add folder for Docker Engine GPG key
file:
path: /etc/apt/keyrings
state: directory
mode: 0755
- name: Download Docker Engine GPG key
get_url:
url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
dest: /etc/apt/keyrings/docker
mode: 0755
- name: Decrypt Docker Engine GPG key
shell: gpg --dearmor /etc/apt/keyrings/docker
args:
creates: /etc/apt/keyrings/docker.gpg
- name: Add Docker Engine repository
apt_repository:
filename: docker
repo: "deb [arch={{ ansible_architecture | replace('aarch64', 'arm64') }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
state: present
update-cache: yes
- name: Install Docker Engine packages
package:
name:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin
state: present
update-cache: yes
notify: Restart Docker
- name: Enable Docker Engine upon boot
systemd:
name: docker
state: started
enabled: yes
handlers:
- name: Restart Docker
ansible.builtin.service:
name: docker
state: restarted
enabled: true
######################################################
# T-Pot - Adjust configs, add users and groups, etc. #
######################################################
- name: T-Pot - Adjust configs, add users and groups, etc.
hosts: all
gather_facts: true
become: true
tasks:
- name: Create T-Pot group
group:
name: tpot
gid: 2000
state: present
- name: Create T-Pot user
user:
name: tpot
uid: 2000
system: yes
shell: /bin/false
home: /nonexistent
group: tpot
- name: Change SSH Port to 64295
lineinfile:
path: /etc/ssh/sshd_config
line: "Port 64295"
insertafter: EOF
notify: Restart SSH
handlers:
- name: Restart SSH
ansible.builtin.service:
name: sshd
state: restarted
#######################################################################
# T-Pot - Adjust group users, bashrc, clone / update T-Pot repository #
#######################################################################
- name: T-Pot - Adjust group users, bashrc, clone / update T-Pot repository
hosts: all
gather_facts: true
tasks:
- name: Add aliases
blockinfile:
path: ~/.bashrc
block: |
alias dps='grc --colour=on docker ps -f status=running -f status=exited --format "table {{'{{'}}.Names{{'}}'}}\t{{'{{'}}.Status{{'}}'}}\t{{'{{'}}.Ports{{'}}'}}" | sort'
alias dpsw='watch -c bash -ic dps'
marker: "# {mark} ANSIBLE MANAGED BLOCK"
insertafter: EOF
state: present
- name: Clone / Update T-Pot repository
git:
repo: 'https://github.com/telekom-security/tpotce'
dest: '/home/{{ ansible_user_id }}/tpotce/'
version: dev
clone: yes
update: no
- name: Add current user to Docker, T-Pot group
become: true
user:
name: "{{ ansible_user_id }}"
groups:
- docker
- tpot
append: yes
- name: Check for non-root user id
debug:
msg: "Detected user: '{{ ansible_user_id }}'"
failed_when: ansible_user_id == "root"

115
installer/ansible/multi.yml → installer/ansible/tpot.yml
View file

@ -1,4 +1,18 @@
--- ---
################################
# T-Pot - Abort if run as root #
################################
- name: T-Pot Abort if run as root
hosts: all
gather_facts: true
pre_tasks:
- name: Check if running as root
assert:
that: ansible_user_id != 'root'
fail_msg: "T-Pot playbook should not be run as root."
success_msg: "Running as user: {{ ansible_user_id }}."
######################################## ########################################
# T-Pot - Install recommended packages # # T-Pot - Install recommended packages #
######################################## ########################################
@ -9,11 +23,11 @@
become: true become: true
tasks: tasks:
- name: Syncing clocks - name: Syncing clocks (All)
shell: "hwclock --hctosys" shell: "hwclock --hctosys"
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Install recommended packages - name: Install recommended packages (Debian, Ubuntu)
package: package:
name: name:
- bash-completion - bash-completion
@ -24,10 +38,25 @@
- grc - grc
- neovim - neovim
- net-tools - net-tools
state: present state: latest
update-cache: yes update_cache: yes
when: ansible_distribution in ["Debian", "Ubuntu"] when: ansible_distribution in ["Debian", "Ubuntu"]
- name: Install recommended packages (Fedora)
package:
name:
- bash-completion
- ca-certificates
- curl
- dnf-plugins-core
- git
- grc
- neovim
- net-tools
state: latest
update_cache: yes
when: ansible_distribution in ["Fedora"]
################################################# #################################################
# T-Pot - Prepare for and install Docker Engine # # T-Pot - Prepare for and install Docker Engine #
@ -39,7 +68,7 @@
become: true become: true
tasks: tasks:
- name: Remove distribution based Docker packages - name: Remove distribution based Docker packages (Debian, Fedora, Ubuntu)
package: package:
name: name:
- docker - docker
@ -48,38 +77,47 @@
- containerd - containerd
- runc - runc
state: absent state: absent
update-cache: yes update_cache: yes
when: ansible_distribution in ["Debian", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Add folder for Docker Engine GPG key - name: Add folder for Docker Engine GPG key (Debian, Ubuntu)
file: file:
path: /etc/apt/keyrings path: /etc/apt/keyrings
state: directory state: directory
mode: 0755 mode: 0755
when: ansible_distribution in ["Debian", "Ubuntu"] when: ansible_distribution in ["Debian", "Ubuntu"]
- name: Download Docker Engine GPG key - name: Download Docker Engine GPG key (Debian, Ubuntu)
get_url: get_url:
url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
dest: /etc/apt/keyrings/docker dest: /etc/apt/keyrings/docker
mode: 0755 mode: 0755
when: ansible_distribution in ["Debian", "Ubuntu"] when: ansible_distribution in ["Debian", "Ubuntu"]
- name: Decrypt Docker Engine GPG key - name: Decrypt Docker Engine GPG key (Debian, Ubuntu)
shell: gpg --dearmor /etc/apt/keyrings/docker shell: gpg --dearmor /etc/apt/keyrings/docker
args: args:
creates: /etc/apt/keyrings/docker.gpg creates: /etc/apt/keyrings/docker.gpg
when: ansible_distribution in ["Debian", "Ubuntu"] when: ansible_distribution in ["Debian", "Ubuntu"]
- name: Add Docker Engine repository - name: Add Docker Engine repository (Debian, Ubuntu)
apt_repository: apt_repository:
filename: docker filename: docker
repo: "deb [arch={{ ansible_architecture | replace('aarch64', 'arm64') }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable" repo: "deb [arch={{ ansible_architecture | replace('aarch64', 'arm64') }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
state: present state: present
update-cache: yes update_cache: yes
when: ansible_distribution in ["Debian", "Ubuntu"] when: ansible_distribution in ["Debian", "Ubuntu"]
- name: Install Docker Engine packages - name: Check if Docker repository exists (Fedora)
command: dnf repolist docker-ce-stable
register: docker_repo_info
when: ansible_distribution in ["Fedora"]
- name: Add Docker repository (Fedora)
command: dnf -y config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
when: docker_repo_info.rc != 0 and ansible_distribution in ["Fedora"]
- name: Install Docker Engine packages (Debian, Fedora, Ubuntu)
package: package:
name: name:
- docker-ce - docker-ce
@ -87,12 +125,12 @@
- containerd.io - containerd.io
- docker-buildx-plugin - docker-buildx-plugin
- docker-compose-plugin - docker-compose-plugin
state: present state: latest
update-cache: yes update_cache: yes
notify: Restart Docker notify: Restart Docker
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Enable Docker Engine upon boot - name: Enable Docker Engine upon boot (Debia, Fedora, Ubuntu)
systemd: systemd:
name: docker name: docker
state: started state: started
@ -101,7 +139,7 @@
handlers: handlers:
- name: Restart Docker - name: Restart Docker
ansible.builtin.service: service:
name: docker name: docker
state: restarted state: restarted
enabled: true enabled: true
@ -117,14 +155,14 @@
become: true become: true
tasks: tasks:
- name: Create T-Pot group - name: Create T-Pot group (All)
group: group:
name: tpot name: tpot
gid: 2000 gid: 2000
state: present state: present
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Create T-Pot user - name: Create T-Pot user (All)
user: user:
name: tpot name: tpot
uid: 2000 uid: 2000
@ -134,20 +172,20 @@
group: tpot group: tpot
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Disable ssh.socket unit - name: Disable ssh.socket unit (Ubuntu)
systemd: systemd:
name: ssh.socket name: ssh.socket
state: stopped state: stopped
enabled: false enabled: false
when: ansible_distribution in ["Ubuntu"] when: ansible_distribution in ["Ubuntu"]
- name: Remove ssh.socket.conf file - name: Remove ssh.socket.conf file (Ubuntu)
file: file:
path: /etc/systemd/system/ssh.service.d/00-socket.conf path: /etc/systemd/system/ssh.service.d/00-socket.conf
state: absent state: absent
when: ansible_distribution in ["Ubuntu"] when: ansible_distribution in ["Ubuntu"]
- name: Change SSH Port to 64295 - name: Change SSH Port to 64295 (All)
lineinfile: lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
line: "Port 64295" line: "Port 64295"
@ -155,49 +193,50 @@
notify: Restart SSH notify: Restart SSH
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Add T-Pot SSH port to Firewall - name: Add T-Pot SSH port to Firewall (Fedora)
firewalld: firewalld:
port: 64295/tcp port: 64295/tcp
permanent: yes permanent: yes
state: enabled state: enabled
when: ansible_distribution in ["Fedora"] when: ansible_distribution in ["Fedora"]
- name: Set T-Pot default target to ACCEPT - name: Set T-Pot default target to ACCEPT (Fedora)
firewalld: firewalld:
default_zone: public zone: public
target: ACCEPT target: ACCEPT
permanent: yes permanent: yes
state: enabled
when: ansible_distribution in ["Fedora"] when: ansible_distribution in ["Fedora"]
- name: Get Firewall rules - name: Get Firewall rules (Fedora)
command: "firewall-cmd --list-all" command: "firewall-cmd --list-all"
register: firewall_output register: firewall_output
when: ansible_distribution in ["Fedora"] when: ansible_distribution in ["Fedora"]
- name: Print Firewall rules - name: Print Firewall rules (Fedora)
debug: debug:
var: firewall_output.stdout_lines var: firewall_output.stdout_lines
when: ansible_distribution in ["Fedora"] when: ansible_distribution in ["Fedora"]
- name: Load kernel modules - name: Load kernel modules (Fedora)
command: modprobe -v iptable_filter command: modprobe -v iptable_filter
when: ansible_distribution in ["Fedora"] when: ansible_distribution in ["Fedora"]
- name: Update iptables.conf - name: Update iptables.conf (Fedora)
lineinfile: lineinfile:
path: /etc/modules-load.d/iptables.conf path: /etc/modules-load.d/iptables.conf
line: iptable_filter line: iptable_filter
create: yes create: yes
when: ansible_distribution in ["Fedora"] when: ansible_distribution in ["Fedora"]
- name: Update SELinux config - name: Update SELinux config (Fedora)
lineinfile: lineinfile:
path: /etc/selinux/config path: /etc/selinux/config
regexp: '^SELINUX=' regexp: '^SELINUX='
line: 'SELINUX=permissive' line: 'SELINUX=permissive'
when: ansible_distribution in ["Fedora"] when: ansible_distribution in ["Fedora"]
- name: Modify DNSStubListener in resolved.conf - name: Modify DNSStubListener in resolved.conf (Fedora, Ubuntu)
lineinfile: lineinfile:
path: /etc/systemd/resolved.conf path: /etc/systemd/resolved.conf
regexp: '^.*DNSStubListener=.*' regexp: '^.*DNSStubListener=.*'
@ -207,14 +246,14 @@
when: ansible_distribution in ["Fedora", "Ubuntu"] when: ansible_distribution in ["Fedora", "Ubuntu"]
handlers: handlers:
- name: Restart Resolved - name: Restart Resolved
ansible.builtin.service: service:
name: systemd-resolved name: systemd-resolved
state: restarted state: restarted
when: ansible_distribution in ["Fedora", "Ubuntu"] when: ansible_distribution in ["Fedora", "Ubuntu"]
- name: Restart SSH - name: Restart SSH
ansible.builtin.service: service:
name: "{{ 'sshd' if ansible_distribution == 'Debian' else 'ssh' }}" name: "{{ 'sshd' if ansible_distribution == 'Debian' else 'ssh' }}"
state: restarted state: restarted
enabled: true enabled: true
@ -229,7 +268,7 @@
gather_facts: true gather_facts: true
tasks: tasks:
- name: Add aliases - name: Add aliases (All)
blockinfile: blockinfile:
path: ~/.bashrc path: ~/.bashrc
block: | block: |
@ -240,7 +279,7 @@
state: present state: present
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Clone / Update T-Pot repository - name: Clone / Update T-Pot repository (All)
git: git:
repo: 'https://github.com/telekom-security/tpotce' repo: 'https://github.com/telekom-security/tpotce'
dest: '/home/{{ ansible_user_id }}/tpotce/' dest: '/home/{{ ansible_user_id }}/tpotce/'
@ -249,7 +288,7 @@
update: no update: no
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Add current user to Docker, T-Pot group - name: Add current user to Docker, T-Pot group (All)
become: true become: true
user: user:
name: "{{ ansible_user_id }}" name: "{{ ansible_user_id }}"
@ -259,7 +298,7 @@
append: yes append: yes
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
- name: Check for non-root user id - name: Check for non-root user id (All)
debug: debug:
msg: "Detected user: '{{ ansible_user_id }}'" msg: "Detected user: '{{ ansible_user_id }}'"
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]