Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-05-13 11:48:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Update Installer / Playbooks

Browse source 
- add tags
- reorder
- fix errors
This commit is contained in:
Marco Ochse 2023-07-02 14:52:06 +02:00
parent cbcfa6d1f0
commit f7fc81a8ad
2 changed files with 167 additions and 40 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
install.sh
View file

@ -91,6 +91,14 @@ case ${myCURRENT_DISTRIBUTION} in
esac esac
echo echo
# Define tag for Ansible
if [ "${myCURRENT_DISTRIBUTION}" == "Debian GNU/Linux" ];
then
myANSIBLE_TAG="Debian"
else
myANSIBLE_TAG=${myCURRENT_DISTRIBUTION}
fi
# Check type of sudo access # Check type of sudo access
sudo -n true > /dev/null 2>&1 sudo -n true > /dev/null 2>&1
if [ $? -eq 1 ]; if [ $? -eq 1 ];
@ -120,7 +128,7 @@ fi
echo "### Now running T-Pot Ansible Installation Playbook ..." echo "### Now running T-Pot Ansible Installation Playbook ..."
echo "### Ansible will ask for the BECOME password which is typically the password you sudo with." echo "### Ansible will ask for the BECOME password which is typically the password you sudo with."
echo echo
ANSIBLE_LOG_PATH=${PWD}/install_tpot.log ansible-playbook ${myANSIBLE_TPOT_PLAYBOOK} -i 127.0.0.1, -c local ${myANSIBLE_BECOME_OPTION} ANSIBLE_LOG_PATH=${PWD}/install_tpot.log ansible-playbook ${myANSIBLE_TPOT_PLAYBOOK} -i 127.0.0.1, -c local --tags "${myANSIBLE_TAG}" ${myANSIBLE_BECOME_OPTION}
# Asking for web user name # Asking for web user name
myWEB_USER="" myWEB_USER=""

197
installer/install/tpot.yml
View file

@ -3,18 +3,23 @@
# T-Pot - Abort if run as root # # T-Pot - Abort if run as root #
################################ ################################
- name: T-Pot Abort if run as root - name: T-Pot - Abort if run as root
hosts: all hosts: all
gather_facts: true gather_facts: true
become: false become: false
tags:
- "Debian"
- "Fedora"
- "openSUSE Tumbleweed"
- "Ubuntu"
pre_tasks: pre_tasks:
- name: Check if running as root - name: Check if running as root (All)
assert: assert:
that: ansible_user_id != 'root' that: ansible_user_id != 'root'
fail_msg: "T-Pot playbook should not be run as root." fail_msg: "T-Pot playbook should not be run as root."
success_msg: "Running as user: {{ ansible_user_id }}." success_msg: "Running as user: {{ ansible_user_id }}."
- name: Check if supported distribution - name: Check if supported distribution (All)
assert: assert:
that: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"] that: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]
fail_msg: "T-Pot is not supported on this plattform: {{ ansible_distribution }}." fail_msg: "T-Pot is not supported on this plattform: {{ ansible_distribution }}."
@ -33,6 +38,11 @@
- name: Syncing clocks (All) - name: Syncing clocks (All)
shell: "hwclock --hctosys" shell: "hwclock --hctosys"
when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]
tags:
- "Debian"
- "Fedora"
- "openSUSE Tumbleweed"
- "Ubuntu"
- name: Install recommended packages (Debian, Ubuntu) - name: Install recommended packages (Debian, Ubuntu)
package: package:
@ -48,6 +58,9 @@
state: latest state: latest
update_cache: yes update_cache: yes
when: ansible_distribution in ["Debian", "Ubuntu"] when: ansible_distribution in ["Debian", "Ubuntu"]
tags:
- "Debian"
- "Ubuntu"
- name: Install recommended packages (Fedora) - name: Install recommended packages (Fedora)
package: package:
@ -63,6 +76,8 @@
state: latest state: latest
update_cache: yes update_cache: yes
when: ansible_distribution in ["Fedora"] when: ansible_distribution in ["Fedora"]
tags:
- "Fedora"
- name: Remove conflicting packages (openSUSE Tumbleweed) - name: Remove conflicting packages (openSUSE Tumbleweed)
package: package:
@ -75,6 +90,8 @@
state: absent state: absent
update_cache: yes update_cache: yes
when: ansible_distribution in ["openSUSE Tumbleweed"] when: ansible_distribution in ["openSUSE Tumbleweed"]
tags:
- "openSUSE Tumbleweed"
- name: Install recommended packages (openSUSE Tumbleweed) - name: Install recommended packages (openSUSE Tumbleweed)
package: package:
@ -89,10 +106,12 @@
state: latest state: latest
update_cache: yes update_cache: yes
when: ansible_distribution in ["openSUSE Tumbleweed"] when: ansible_distribution in ["openSUSE Tumbleweed"]
tags:
- "openSUSE Tumbleweed"
################################################# #####################################
# T-Pot - Prepare for and install Docker Engine # # T-Pot - Prepare for Docker Engine #
################################################# #####################################
- name: T-Pot - Prepare for and install Docker Engine - name: T-Pot - Prepare for and install Docker Engine
hosts: all hosts: all
@ -111,6 +130,10 @@
state: absent state: absent
update_cache: yes update_cache: yes
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
tags:
- "Debian"
- "Fedora"
- "Ubuntu"
- name: Add folder for Docker Engine GPG key (Debian, Ubuntu) - name: Add folder for Docker Engine GPG key (Debian, Ubuntu)
file: file:
@ -118,6 +141,9 @@
state: directory state: directory
mode: 0755 mode: 0755
when: ansible_distribution in ["Debian", "Ubuntu"] when: ansible_distribution in ["Debian", "Ubuntu"]
tags:
- "Debian"
- "Ubuntu"
- name: Download Docker Engine GPG key (Debian, Ubuntu) - name: Download Docker Engine GPG key (Debian, Ubuntu)
get_url: get_url:
@ -125,12 +151,18 @@
dest: /etc/apt/keyrings/docker dest: /etc/apt/keyrings/docker
mode: 0755 mode: 0755
when: ansible_distribution in ["Debian", "Ubuntu"] when: ansible_distribution in ["Debian", "Ubuntu"]
tags:
- "Debian"
- "Ubuntu"
- name: Decrypt Docker Engine GPG key (Debian, Ubuntu) - name: Decrypt Docker Engine GPG key (Debian, Ubuntu)
shell: gpg --dearmor /etc/apt/keyrings/docker shell: gpg --dearmor /etc/apt/keyrings/docker
args: args:
creates: /etc/apt/keyrings/docker.gpg creates: /etc/apt/keyrings/docker.gpg
when: ansible_distribution in ["Debian", "Ubuntu"] when: ansible_distribution in ["Debian", "Ubuntu"]
tags:
- "Debian"
- "Ubuntu"
- name: Add Docker Engine repository (Debian, Ubuntu) - name: Add Docker Engine repository (Debian, Ubuntu)
apt_repository: apt_repository:
@ -139,6 +171,9 @@
state: present state: present
update_cache: yes update_cache: yes
when: ansible_distribution in ["Debian", "Ubuntu"] when: ansible_distribution in ["Debian", "Ubuntu"]
tags:
- "Debian"
- "Ubuntu"
- name: Add Docker repository (Fedora) - name: Add Docker repository (Fedora)
shell: | shell: |
@ -147,7 +182,19 @@
dnf -y config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo dnf -y config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
fi fi
when: ansible_distribution in ["Fedora"] when: ansible_distribution in ["Fedora"]
tags:
- "Fedora"
#################################
# T-Pot - Install Docker Engine #
#################################
- name: T-Pot - Install Docker Engine
hosts: all
gather_facts: true
become: true
tasks:
- name: Install Docker Engine packages (openSUSE Tumbleweed) - name: Install Docker Engine packages (openSUSE Tumbleweed)
package: package:
name: name:
@ -161,6 +208,8 @@
state: latest state: latest
update_cache: yes update_cache: yes
when: ansible_distribution in ["openSUSE Tumbleweed"] when: ansible_distribution in ["openSUSE Tumbleweed"]
tags:
- "openSUSE Tumbleweed"
- name: Install Docker Engine packages (Debian, Fedora, Ubuntu) - name: Install Docker Engine packages (Debian, Fedora, Ubuntu)
package: package:
@ -172,23 +221,23 @@
- docker-compose-plugin - docker-compose-plugin
state: latest state: latest
update_cache: yes update_cache: yes
notify: Restart Docker
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
tags:
- "Debian"
- "Fedora"
- "Ubuntu"
- name: Enable Docker Engine upon boot (Debian, Fedora, openSUSE Tumbleweed, Ubuntu) - name: Stop Docker (All)
service: service:
name: docker name: docker
state: started state: stopped
enabled: true enabled: false
when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]
handlers:
- name: Restart Docker
service:
name: docker
state: restarted
enabled: true
when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]
tags:
- "Debian"
- "Fedora"
- "openSUSE Tumbleweed"
- "Ubuntu"
###################################################### ######################################################
# T-Pot - Adjust configs, add users and groups, etc. # # T-Pot - Adjust configs, add users and groups, etc. #
@ -206,6 +255,11 @@
gid: 2000 gid: 2000
state: present state: present
when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]
tags:
- "Debian"
- "Fedora"
- "openSUSE Tumbleweed"
- "Ubuntu"
- name: Create T-Pot user (All) - name: Create T-Pot user (All)
user: user:
@ -216,6 +270,11 @@
home: /nonexistent home: /nonexistent
group: tpot group: tpot
when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]
tags:
- "Debian"
- "Fedora"
- "openSUSE Tumbleweed"
- "Ubuntu"
- name: Disable ssh.socket unit (Ubuntu) - name: Disable ssh.socket unit (Ubuntu)
systemd: systemd:
@ -223,28 +282,36 @@
state: stopped state: stopped
enabled: false enabled: false
when: ansible_distribution in ["Ubuntu"] when: ansible_distribution in ["Ubuntu"]
tags:
- "Ubuntu"
- name: Remove ssh.socket.conf file (Ubuntu) - name: Remove ssh.socket.conf file (Ubuntu)
file: file:
path: /etc/systemd/system/ssh.service.d/00-socket.conf path: /etc/systemd/system/ssh.service.d/00-socket.conf
state: absent state: absent
when: ansible_distribution in ["Ubuntu"] when: ansible_distribution in ["Ubuntu"]
tags:
- "Ubuntu"
- name: Change SSH Port to 64295 (Debian, Fedora, Ubuntu) - name: Change SSH Port to 64295 (Debian, Fedora, Ubuntu)
lineinfile: lineinfile:
path: /etc/ssh/sshd_config path: /etc/ssh/sshd_config
line: "Port 64295" line: "Port 64295"
insertafter: EOF insertafter: EOF
notify: Restart SSH
when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]
tags:
- "Debian"
- "Fedora"
- "Ubuntu"
- name: Change SSH Port to 64295 (openSUSE Tumbleweed) - name: Change SSH Port to 64295 (openSUSE Tumbleweed)
lineinfile: lineinfile:
path: /etc/ssh/sshd_config.d/port.conf path: /etc/ssh/sshd_config.d/port.conf
line: "Port 64295" line: "Port 64295"
create: yes create: yes
notify: Restart SSH
when: ansible_distribution in ["openSUSE Tumbleweed"] when: ansible_distribution in ["openSUSE Tumbleweed"]
tags:
- "openSUSE Tumbleweed"
- name: Add T-Pot SSH port to Firewall (Fedora, openSUSE Tumbleweed) - name: Add T-Pot SSH port to Firewall (Fedora, openSUSE Tumbleweed)
firewalld: firewalld:
@ -252,6 +319,9 @@
permanent: yes permanent: yes
state: enabled state: enabled
when: ansible_distribution in ["Fedora", "openSUSE Tumbleweed"] when: ansible_distribution in ["Fedora", "openSUSE Tumbleweed"]
tags:
- "Fedora"
- "openSUSE Tumbleweed"
- name: Set T-Pot default target to ACCEPT (Fedora, openSUSE Tumbleweed) - name: Set T-Pot default target to ACCEPT (Fedora, openSUSE Tumbleweed)
firewalld: firewalld:
@ -260,20 +330,31 @@
permanent: yes permanent: yes
state: enabled state: enabled
when: ansible_distribution in ["Fedora", "openSUSE Tumbleweed"] when: ansible_distribution in ["Fedora", "openSUSE Tumbleweed"]
tags:
- "Fedora"
- "openSUSE Tumbleweed"
- name: Get Firewall rules (Fedora, openSUSE Tumbleweed) - name: Get Firewall rules (Fedora, openSUSE Tumbleweed)
command: "firewall-cmd --list-all" command: "firewall-cmd --list-all"
register: firewall_output register: firewall_output
when: ansible_distribution in ["Fedora", "openSUSE Tumbleweed"] when: ansible_distribution in ["Fedora", "openSUSE Tumbleweed"]
tags:
- "Fedora"
- "openSUSE Tumbleweed"
- name: Print Firewall rules (Fedora) - name: Print Firewall rules (Fedora, openSUSE Tumbleweed)
debug: debug:
var: firewall_output.stdout_lines var: firewall_output.stdout_lines
when: ansible_distribution in ["Fedora", "openSUSE Tumbleweed"] when: ansible_distribution in ["Fedora", "openSUSE Tumbleweed"]
tags:
- "Fedora"
- "openSUSE Tumbleweed"
- name: Load kernel modules (Fedora) - name: Load kernel modules (Fedora)
command: modprobe -v iptable_filter command: modprobe -v iptable_filter
when: ansible_distribution in ["Fedora"] when: ansible_distribution in ["Fedora"]
tags:
- "Fedora"
- name: Update iptables.conf (Fedora) - name: Update iptables.conf (Fedora)
lineinfile: lineinfile:
@ -281,6 +362,8 @@
line: iptable_filter line: iptable_filter
create: yes create: yes
when: ansible_distribution in ["Fedora"] when: ansible_distribution in ["Fedora"]
tags:
- "Fedora"
- name: Update SELinux config (Fedora) - name: Update SELinux config (Fedora)
lineinfile: lineinfile:
@ -288,18 +371,17 @@
regexp: '^SELINUX=' regexp: '^SELINUX='
line: 'SELINUX=permissive' line: 'SELINUX=permissive'
when: ansible_distribution in ["Fedora"] when: ansible_distribution in ["Fedora"]
tags:
- "Fedora"
- name: Stop Docker - name: Stop Resolved (Fedora, Ubuntu)
service:
name: docker
state: stopped
when: ansible_distribution in ["Fedora", "Ubuntu"]
- name: Stop Resolved
service: service:
name: systemd-resolved name: systemd-resolved
state: stopped state: stopped
when: ansible_distribution in ["Fedora", "Ubuntu"] when: ansible_distribution in ["Fedora", "Ubuntu"]
tags:
- "Fedora"
- "Ubuntu"
- name: Modify DNSStubListener in resolved.conf (Fedora, Ubuntu) - name: Modify DNSStubListener in resolved.conf (Fedora, Ubuntu)
lineinfile: lineinfile:
@ -308,26 +390,61 @@
line: 'DNSStubListener=no' line: 'DNSStubListener=no'
state: present state: present
when: ansible_distribution in ["Fedora", "Ubuntu"] when: ansible_distribution in ["Fedora", "Ubuntu"]
tags:
- "Fedora"
- "Ubuntu"
- name: Start Resolved ############################
# T-Pot - Restart services #
############################
- name: T-Pot - Restart services
hosts: all
gather_facts: true
become: true
tasks:
- name: Start Resolved (Fedora, Ubuntu)
service: service:
name: systemd-resolved name: systemd-resolved
state: started state: restarted
when: ansible_distribution in ["Fedora", "Ubuntu"] when: ansible_distribution in ["Fedora", "Ubuntu"]
tags:
- "Fedora"
- "Ubuntu"
- name: Start Docker - name: Restart Firewalld (Fedora, openSUSE Tumbleweed)
service:
name: firewalld
state: restarted
when: ansible_distribution in ["Fedora", "openSUSE Tumbleweed"]
tags:
- "Fedora"
- "openSUSE Tumbleweed"
- name: Enable Docker Engine upon boot (All)
service: service:
name: docker name: docker
state: started state: restarted
when: ansible_distribution in ["Fedora", "Ubuntu"] enabled: true
when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]
tags:
- "Debian"
- "Fedora"
- "openSUSE Tumbleweed"
- "Ubuntu"
handlers: - name: Restart SSH (All)
- name: Restart SSH
service: service:
name: "{{ 'sshd' if ansible_distribution in ['Debian', 'openSUSE Tumbleweed'] else 'ssh' }}" name: "{{ 'sshd' if ansible_distribution in ['Debian', 'openSUSE Tumbleweed'] else 'ssh' }}"
state: restarted state: restarted
enabled: true enabled: true
when: ansible_distribution in ["Debian", "openSUSE Tumbleweed", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]
tags:
- "Debian"
- "Fedora"
- "openSUSE Tumbleweed"
- "Ubuntu"
####################################################################### #######################################################################
# T-Pot - Adjust group users, bashrc, clone / update T-Pot repository # # T-Pot - Adjust group users, bashrc, clone / update T-Pot repository #
@ -337,6 +454,11 @@
hosts: all hosts: all
gather_facts: true gather_facts: true
become: false become: false
tags:
- "Debian"
- "Fedora"
- "openSUSE Tumbleweed"
- "Ubuntu"
tasks: tasks:
- name: Add aliases (All) - name: Add aliases (All)
@ -369,9 +491,6 @@
append: yes append: yes
when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"] when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]
- name: Refresh user session so docker commands will work
command: newgrp docker
- name: Check for non-root user id (All) - name: Check for non-root user id (All)
debug: debug:
msg: "Detected user: '{{ ansible_user_id }}'" msg: "Detected user: '{{ ansible_user_id }}'"