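---
# T-Pot host preparation playbook (Debian, Fedora, openSUSE Tumbleweed, Ubuntu).
#
# Security note for anyone reusing this file: several steps deliberately weaken the
# host (firewalld zone target ACCEPT, SELinux permissive, DNS stub listener off,
# sshd moved off port 22) because a honeypot must expose its attack surface. Each of
# those steps carries a comment; do not copy them onto a non-honeypot host.
#
# Review fixes versus the previous revision:
#   * apt repository arch: `x86_64` is now mapped to apt's `amd64` (the repo was
#     otherwise unusable on x86_64 hosts).
#   * sshd Port: the existing `Port` directive is replaced instead of appending a
#     second one, so sshd cannot end up listening on 22 and 64295 at once; the new
#     config is validated with `sshd -t` before it is written.
#   * firewalld: rules are applied to the running firewall (`immediate: true`) so the
#     SSH restart at the end of the play cannot lock the operator out.
#   * Restart SSH handler: the unit name is chosen per distribution (the old
#     comparison against the literal 'Debian|openSUSE Tumbleweed' was never true).
#   * tpot user: `create_home: false` so /nonexistent is not created.
#   * Docker GPG key file is 0644, not executable.

################################
# T-Pot - Abort if run as root #
################################
- name: T-Pot Abort if run as root
  hosts: all
  gather_facts: true
  become: false
  pre_tasks:
    # The connecting account must be a regular user: later plays add it to the
    # docker/tpot groups and clone the repository into its home directory.
    - name: Check if running as root
      assert:
        that: ansible_user_id != 'root'
        fail_msg: "T-Pot playbook should not be run as root."
        success_msg: "Running as user: {{ ansible_user_id }}."

    - name: Check if supported distribution
      assert:
        that: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]
        fail_msg: "T-Pot is not supported on this platform: {{ ansible_distribution }}."
        success_msg: "T-Pot will now install on {{ ansible_distribution }}."

############################################################
# T-Pot - Install recommended, remove conflicting packages #
############################################################
- name: T-Pot - Install recommended, remove conflicting packages
  hosts: all
  gather_facts: true
  become: true
  tasks:
    # No shell features are used, so `command` avoids an unnecessary shell.
    - name: Syncing clocks (All)
      command: hwclock --hctosys
      changed_when: false
      when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]

    - name: Install recommended packages (Debian, Ubuntu)
      package:
        name:
          - bash-completion
          - ca-certificates
          - curl
          - git
          - gnupg
          - grc
          - neovim
          - net-tools
        state: latest
        update_cache: true
      when: ansible_distribution in ["Debian", "Ubuntu"]

    - name: Install recommended packages (Fedora)
      package:
        name:
          - bash-completion
          - ca-certificates
          - curl
          - dnf-plugins-core
          - git
          - grc
          - neovim
          - net-tools
        state: latest
        update_cache: true
      when: ansible_distribution in ["Fedora"]

    # These packages either bind ports T-Pot needs or conflict with the tooling
    # installed below (net-tools is replaced by busybox-net-tools).
    - name: Remove conflicting packages (openSUSE Tumbleweed)
      package:
        name:
          - cups
          - net-tools
          - postfix
          - yast2-auth-client
          - yast2-auth-user
        state: absent
        update_cache: true
      when: ansible_distribution in ["openSUSE Tumbleweed"]

    - name: Install recommended packages (openSUSE Tumbleweed)
      package:
        name:
          - bash-completion
          - busybox-net-tools
          - ca-certificates
          - curl
          - git
          - grc
          - neovim
        state: latest
        update_cache: true
      when: ansible_distribution in ["openSUSE Tumbleweed"]

#################################################
# T-Pot - Prepare for and install Docker Engine #
#################################################
- name: T-Pot - Prepare for and install Docker Engine
  hosts: all
  gather_facts: true
  become: true
  tasks:
    # Distribution-packaged Docker conflicts with the upstream docker-ce packages.
    - name: Remove distribution based Docker packages (Debian, Fedora, Ubuntu)
      package:
        name:
          - docker
          - docker-engine
          - docker.io
          - containerd
          - runc
        state: absent
        update_cache: true
      when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]

    - name: Add folder for Docker Engine GPG key (Debian, Ubuntu)
      file:
        path: /etc/apt/keyrings
        state: directory
        mode: "0755"
      when: ansible_distribution in ["Debian", "Ubuntu"]

    # The signing key is fetched over TLS without a pinned `checksum:`, so trust in
    # every docker-ce package installed below rests on the TLS chain of
    # download.docker.com at install time. Pin a checksum here if that is not
    # acceptable for your deployment. A key file is data, not a program: 0644.
    - name: Download Docker Engine GPG key (Debian, Ubuntu)
      get_url:
        url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
        dest: /etc/apt/keyrings/docker
        mode: "0644"
      when: ansible_distribution in ["Debian", "Ubuntu"]

    # gpg --dearmor writes <input>.gpg; `creates` keeps the task idempotent.
    - name: Dearmor Docker Engine GPG key (Debian, Ubuntu)
      command: gpg --dearmor /etc/apt/keyrings/docker
      args:
        creates: /etc/apt/keyrings/docker.gpg
      when: ansible_distribution in ["Debian", "Ubuntu"]

    # apt uses its own architecture names: aarch64 -> arm64 and x86_64 -> amd64.
    # Without the x86_64 mapping apt silently skips the repository on x86_64 hosts.
    # `signed-by` restricts this repository to the key fetched above.
    - name: Add Docker Engine repository (Debian, Ubuntu)
      apt_repository:
        filename: docker
        repo: "deb [arch={{ ansible_architecture | replace('aarch64', 'arm64') | replace('x86_64', 'amd64') }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
        state: present
        update_cache: true
      when: ansible_distribution in ["Debian", "Ubuntu"]

    # dnf config-manager stores the repo file under its URL basename, which makes
    # `creates` a reliable idempotence guard without a shell round-trip.
    - name: Add Docker repository (Fedora)
      command: dnf -y config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
      args:
        creates: /etc/yum.repos.d/docker-ce.repo
      when: ansible_distribution in ["Fedora"]

    - name: Install Docker Engine packages (openSUSE Tumbleweed)
      package:
        name:
          - docker
          - docker-compose
        state: latest
        update_cache: true
      when: ansible_distribution in ["openSUSE Tumbleweed"]

    - name: Install Docker Engine packages (Debian, Fedora, Ubuntu)
      package:
        name:
          - docker-ce
          - docker-ce-cli
          - containerd.io
          - docker-buildx-plugin
          - docker-compose-plugin
        state: latest
        update_cache: true
      notify: Restart Docker
      when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]

    - name: Enable Docker Engine upon boot (Debian, Fedora, openSUSE Tumbleweed, Ubuntu)
      service:
        name: docker
        state: started
        enabled: true
      when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]

  handlers:
    - name: Restart Docker
      service:
        name: docker
        state: restarted
        enabled: true
      when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]

######################################################
# T-Pot - Adjust configs, add users and groups, etc. #
######################################################
- name: T-Pot - Adjust configs, add users and groups, etc.
  hosts: all
  gather_facts: true
  become: true
  tasks:
    - name: Create T-Pot group (All)
      group:
        name: tpot
        gid: 2000
        state: present
      when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]

    # Unprivileged service account: no login shell, no home directory
    # (`create_home: false` keeps the user module from creating /nonexistent).
    - name: Create T-Pot user (All)
      user:
        name: tpot
        uid: 2000
        system: true
        shell: /bin/false
        home: /nonexistent
        create_home: false
        group: tpot
      when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]

    # Socket-activated sshd ignores `Port` in sshd_config, so the socket unit and
    # its drop-in are removed before the port is changed.
    - name: Disable ssh.socket unit (Ubuntu)
      systemd:
        name: ssh.socket
        state: stopped
        enabled: false
      when: ansible_distribution in ["Ubuntu"]

    - name: Remove ssh.socket.conf file (Ubuntu)
      file:
        path: /etc/systemd/system/ssh.service.d/00-socket.conf
        state: absent
      when: ansible_distribution in ["Ubuntu"]

    # Replace the existing `Port` directive (commented or not) rather than appending
    # a second one: sshd honours every `Port` line, so appending would leave sshd on
    # 22 as well, which T-Pot later needs for a honeypot. `validate` rejects a
    # config sshd cannot parse before it is written, so the restart handler at the
    # end of this play cannot lock the operator out. Note that a `Port` set in an
    # included sshd_config.d drop-in would still take precedence.
    - name: Change SSH Port to 64295 (Debian, Fedora, Ubuntu)
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*Port\s'
        line: "Port 64295"
        insertafter: EOF
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart SSH
      when: ansible_distribution in ["Debian", "Fedora", "Ubuntu"]

    - name: Change SSH Port to 64295 (openSUSE Tumbleweed)
      lineinfile:
        path: /etc/ssh/sshd_config.d/port.conf
        line: "Port 64295"
        create: true
      notify: Restart SSH
      when: ansible_distribution in ["openSUSE Tumbleweed"]

    # `immediate: true` applies the rule to the running firewall too. With only
    # `permanent`, the runtime firewall keeps rejecting 64295 until a reload or
    # reboot, while the SSH handler already moves sshd there at the end of this
    # play — i.e. an SSH lockout.
    - name: Add T-Pot SSH port to Firewall (Fedora, openSUSE Tumbleweed)
      firewalld:
        port: 64295/tcp
        permanent: true
        immediate: true
        state: enabled
      when: ansible_distribution in ["Fedora", "openSUSE Tumbleweed"]

    # HONEYPOT-ONLY: this turns the public zone into accept-all so every honeypot
    # port is reachable. It effectively disables host firewalling; never reuse on a
    # management or production host.
    - name: Set T-Pot default target to ACCEPT (Fedora, openSUSE Tumbleweed)
      firewalld:
        zone: public
        target: ACCEPT
        permanent: true
        immediate: true
        state: enabled
      when: ansible_distribution in ["Fedora", "openSUSE Tumbleweed"]

    - name: Get Firewall rules (Fedora, openSUSE Tumbleweed)
      command: firewall-cmd --list-all
      register: firewall_output
      changed_when: false
      when: ansible_distribution in ["Fedora", "openSUSE Tumbleweed"]

    - name: Print Firewall rules (Fedora, openSUSE Tumbleweed)
      debug:
        var: firewall_output.stdout_lines
      when: ansible_distribution in ["Fedora", "openSUSE Tumbleweed"]

    # Docker's iptables integration needs the filter table module present now and
    # after reboot (modules-load.d).
    - name: Load kernel modules (Fedora)
      command: modprobe -v iptable_filter
      changed_when: false
      when: ansible_distribution in ["Fedora"]

    - name: Update iptables.conf (Fedora)
      lineinfile:
        path: /etc/modules-load.d/iptables.conf
        line: iptable_filter
        create: true
      when: ansible_distribution in ["Fedora"]

    # HONEYPOT-ONLY: SELinux is set to permissive (takes effect after reboot), so
    # policy denials are logged but not enforced. Do not reuse on a hardened host.
    - name: Update SELinux config (Fedora)
      lineinfile:
        path: /etc/selinux/config
        regexp: '^SELINUX='
        line: 'SELINUX=permissive'
      when: ansible_distribution in ["Fedora"]

    # Frees 127.0.0.53:53 so a honeypot can bind port 53; the regexp also matches
    # the commented default line so it is replaced in place.
    - name: Modify DNSStubListener in resolved.conf (Fedora, Ubuntu)
      lineinfile:
        path: /etc/systemd/resolved.conf
        regexp: '^.*DNSStubListener=.*'
        line: 'DNSStubListener=no'
        state: present
      notify: Restart Resolved
      when: ansible_distribution in ["Fedora", "Ubuntu"]

  handlers:
    - name: Restart Resolved
      service:
        name: systemd-resolved
        state: restarted
      when: ansible_distribution in ["Fedora", "Ubuntu"]

    # Debian/Ubuntu ship ssh.service (Debian also aliases it as sshd.service);
    # Fedora and openSUSE ship sshd.service. The previous expression compared
    # against the literal string 'Debian|openSUSE Tumbleweed', which never matched,
    # so the handler always tried to restart `ssh` and failed on Fedora/openSUSE.
    - name: Restart SSH
      service:
        name: "{{ 'ssh' if ansible_distribution in ['Debian', 'Ubuntu'] else 'sshd' }}"
        state: restarted
        enabled: true
      when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]

#######################################################################
# T-Pot - Adjust group users, bashrc, clone / update T-Pot repository #
#######################################################################
- name: T-Pot - Adjust group users, bashrc, clone / update T-Pot repository
  hosts: all
  gather_facts: true
  become: false
  tasks:
    # The {{'{{'}} ... {{'}}'}} sequences emit literal Go-template braces for
    # `docker ps --format` without Jinja trying to evaluate them.
    - name: Add aliases (All)
      blockinfile:
        path: ~/.bashrc
        block: |
          alias dps='grc --colour=on docker ps -f status=running -f status=exited --format "table {{'{{'}}.Names{{'}}'}}\t{{'{{'}}.Status{{'}}'}}\t{{'{{'}}.Ports{{'}}'}}" | sort'
          alias dpsw='watch -c bash -ic dps'
        marker: "# {mark} ANSIBLE MANAGED BLOCK"
        insertafter: EOF
        state: present
      when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]

    # Supply-chain note: `version: dev` tracks a moving branch, so what gets cloned
    # depends on when the playbook runs; pin a tag or commit SHA for reproducible
    # deployments. `update: no` leaves an existing clone untouched.
    - name: Clone / Update T-Pot repository (All)
      git:
        repo: 'https://github.com/telekom-security/tpotce'
        dest: '/home/{{ ansible_user_id }}/tpotce/'
        version: dev
        clone: true
        update: false
      when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]

    # Membership of the docker group is root-equivalent on this host (the daemon
    # socket can start privileged containers); this is the account that runs T-Pot.
    - name: Add current user to Docker, T-Pot group (All)
      become: true
      user:
        name: "{{ ansible_user_id }}"
        groups:
          - docker
          - tpot
        append: true
      when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]

    # `newgrp` only affects the shell it spawns, which exits immediately under the
    # command module; the new group memberships apply at the user's next login.
    # Kept for parity with the original flow but reported as unchanged.
    - name: Refresh user session so docker commands will work
      command: newgrp docker
      changed_when: false

    - name: Check for non-root user id (All)
      debug:
        msg: "Detected user: '{{ ansible_user_id }}'"
      when: ansible_distribution in ["Debian", "Fedora", "openSUSE Tumbleweed", "Ubuntu"]
      failed_when: ansible_user_id == "root"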