mirror of
https://github.com/telekom-security/tpotce.git
synced 2025-10-24 17:24:44 +00:00
944 lines
27 KiB
YAML
944 lines
27 KiB
YAML
---
|
|
################################
|
|
# T-Pot - Bootstrapping Python #
|
|
################################
|
|
|
|
- name: T-Pot - Bootstrapping Python
|
|
hosts: all
|
|
gather_facts: false
|
|
become: true
|
|
become_method: sudo
|
|
|
|
tasks:
|
|
- name: Get distribution name (All)
|
|
raw: awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"' | cut -d " " -f1
|
|
register: my_distribution
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
- name: Check if python3 is installed (All)
|
|
raw: echo $(command -v python3)
|
|
register: my_python3
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
- name: Add python package (Debian, Raspbian, Ubuntu)
|
|
raw: |
|
|
apt update
|
|
apt -y install python3
|
|
when: my_distribution.stdout | trim in ["Debian", "Raspbian", "Ubuntu"] and my_python3.stdout | trim == ""
|
|
tags:
|
|
- "Debian"
|
|
- "Raspbian"
|
|
- "Ubuntu"
|
|
|
|
- name: Add python package (Alma, Fedora, Rocky)
|
|
raw: |
|
|
dnf -y --refresh install python3
|
|
when: my_distribution.stdout | trim in ["AlmaLinux", "Fedora", "Rocky"] and my_python3.stdout | trim == ""
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Fedora"
|
|
- "Rocky"
|
|
|
|
- name: Add python package (openSUSE Tumbleweed)
|
|
raw: |
|
|
zypper refresh
|
|
zypper -y install python3
|
|
when: my_distribution.stdout | trim in ["AlmaLinux", "Fedora", "Rocky"] and my_python3.stdout | trim == ""
|
|
tags:
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
|
|
#####################################################################
|
|
# T-Pot - Abort if run as tpot, root or on unsupported distribution #
|
|
#####################################################################
|
|
|
|
- name: T-Pot - Abort if run as tpot, root or on unsupported distribution
|
|
hosts: all
|
|
gather_facts: true
|
|
become: false
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
tasks:
|
|
- name: Check if running as root (All)
|
|
assert:
|
|
that: ansible_user_id != 'root'
|
|
fail_msg: "T-Pot playbook should not be run as root."
|
|
success_msg: "Running as user: {{ ansible_user_id }}."
|
|
|
|
- name: Check if running as tpot (All)
|
|
assert:
|
|
that: ansible_user_id != 'tpot'
|
|
fail_msg: "Reserved username `tpot` detected."
|
|
success_msg: "Running as user: {{ ansible_user_id }}."
|
|
|
|
- name: Check if supported distribution (All)
|
|
assert:
|
|
that: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"]
|
|
fail_msg: "T-Pot is not supported on this plattform: {{ ansible_distribution }}."
|
|
success_msg: "T-Pot will now install on {{ ansible_distribution }}."
|
|
|
|
############################################################
|
|
# T-Pot - Install recommended, remove conflicting packages #
|
|
############################################################
|
|
|
|
- name: T-Pot - Install recommended, remove conflicting packages
|
|
hosts: all
|
|
gather_facts: true
|
|
become: true
|
|
|
|
tasks:
|
|
- name: Syncing clocks (All)
|
|
shell: "hwclock --hctosys"
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"]
|
|
ignore_errors: true
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
- name: Install recommended packages (Debian, Raspbian, Ubuntu)
|
|
package:
|
|
name:
|
|
- apache2-utils
|
|
- bash-completion
|
|
- ca-certificates
|
|
- cracklib-runtime
|
|
- cron
|
|
- curl
|
|
- git
|
|
- gnupg
|
|
- grc
|
|
- htop
|
|
- micro
|
|
- net-tools
|
|
- vim
|
|
- wget
|
|
state: latest
|
|
update_cache: yes
|
|
when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"]
|
|
tags:
|
|
- "Debian"
|
|
- "Raspbian"
|
|
- "Ubuntu"
|
|
|
|
- name: Install exa (Debian, Raspbian, Ubuntu)
|
|
package:
|
|
name:
|
|
- exa
|
|
state: latest
|
|
update_cache: yes
|
|
register: exa_install_result
|
|
ignore_errors: yes
|
|
when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"]
|
|
tags:
|
|
- "Debian"
|
|
- "Raspbian"
|
|
- "Ubuntu"
|
|
|
|
- name: Install eza (if exa failed)
|
|
package:
|
|
name:
|
|
- eza
|
|
state: latest
|
|
update_cache: yes
|
|
when: exa_install_result is failed
|
|
tags:
|
|
- "Debian"
|
|
- "Raspbian"
|
|
- "Ubuntu"
|
|
|
|
- name: Install grc from remote repo (AlmaLinux, Rocky)
|
|
ansible.builtin.dnf:
|
|
name: 'https://github.com/kriipke/grc/releases/download/1.13.8/grc-1.13.8-1.el7.noarch.rpm'
|
|
disable_gpg_check: true
|
|
state: present
|
|
when: ansible_distribution in ["AlmaLinux", "Rocky"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Rocky"
|
|
|
|
- name: Install recommended packages (AlmaLinux, Rocky)
|
|
package:
|
|
name:
|
|
- bash-completion
|
|
- ca-certificates
|
|
- cracklib
|
|
- curl
|
|
- dnf-plugins-core
|
|
- exa
|
|
- git
|
|
- grc
|
|
- htop
|
|
- httpd-tools
|
|
- net-tools
|
|
- tar
|
|
- vim
|
|
- wget
|
|
state: latest
|
|
update_cache: yes
|
|
register: exa_install_result
|
|
when: ansible_distribution in ["AlmaLinux", "Rocky"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Rocky"
|
|
|
|
- name: Download and install micro editor (AlmaLinux, openSUSE Tumbleweed, Rocky)
|
|
shell: "curl https://getmic.ro | bash && mv micro /usr/bin"
|
|
args:
|
|
executable: /bin/bash
|
|
when: ansible_distribution in ["AlmaLinux", "openSUSE Tumbleweed", "openSUSE Leap" , "Rocky"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Rocky"
|
|
|
|
- name: Install recommended packages (Fedora)
|
|
package:
|
|
name:
|
|
- bash-completion
|
|
- ca-certificates
|
|
- cracklib
|
|
- cronie
|
|
- curl
|
|
- dnf-plugins-core
|
|
- exa
|
|
- git
|
|
- grc
|
|
- htop
|
|
- httpd-tools
|
|
- micro
|
|
- net-tools
|
|
- vim
|
|
- wget
|
|
state: latest
|
|
update_cache: yes
|
|
register: exa_install_result
|
|
when: ansible_distribution in ["Fedora"]
|
|
tags:
|
|
- "Fedora"
|
|
|
|
- name: Remove conflicting packages (openSUSE Tumbleweed)
|
|
package:
|
|
name:
|
|
- cups
|
|
- net-tools
|
|
- postfix
|
|
- yast2-auth-client
|
|
- yast2-auth-user
|
|
state: absent
|
|
update_cache: yes
|
|
when: ansible_distribution in ["openSUSE Tumbleweed"]
|
|
tags:
|
|
- "openSUSE Tumbleweed"
|
|
|
|
- name: Remove conflicting packages (openSUSE Leap)
|
|
package:
|
|
name:
|
|
- cups
|
|
- net-tools
|
|
- postfix
|
|
- yast2-auth-client
|
|
- yast2-auth-user
|
|
state: absent
|
|
update_cache: yes
|
|
when: ansible_distribution in ["openSUSE Leap"]
|
|
tags:
|
|
- "openSUSE Leap"
|
|
|
|
|
|
- name: Install recommended packages (openSUSE Tumbleweed)
|
|
package:
|
|
name:
|
|
- apache2-utils
|
|
- bash-completion
|
|
- busybox-net-tools
|
|
- ca-certificates
|
|
- cracklib
|
|
- curl
|
|
- exa
|
|
- git
|
|
- grc
|
|
- htop
|
|
- vim
|
|
- wget
|
|
state: latest
|
|
update_cache: yes
|
|
register: exa_install_result
|
|
when: ansible_distribution in ["openSUSE Tumbleweed"]
|
|
tags:
|
|
- "openSUSE Tumbleweed"
|
|
- name: Install recommended packages (openSUSE Leap)
|
|
package:
|
|
name:
|
|
- apache2-utils
|
|
- bash-completion
|
|
- busybox-net-tools
|
|
- ca-certificates
|
|
- cracklib
|
|
- curl
|
|
- exa
|
|
- git
|
|
- grc
|
|
- htop
|
|
- vim
|
|
- wget
|
|
state: latest
|
|
update_cache: yes
|
|
register: exa_install_result
|
|
when: ansible_distribution in ["openSUSE Leap"]
|
|
tags:
|
|
- "openSUSE Leap"
|
|
|
|
|
|
#####################################
|
|
# T-Pot - Prepare for Docker Engine #
|
|
#####################################
|
|
|
|
- name: T-Pot - Prepare for and install Docker Engine
|
|
hosts: all
|
|
gather_facts: true
|
|
become: true
|
|
|
|
tasks:
|
|
- name: Remove distribution based Docker packages and podman-docker (AlmaLinux, Debian, Fedora, Raspbian, Rocky, Ubuntu)
|
|
package:
|
|
name:
|
|
- docker
|
|
- docker-engine
|
|
- docker.io
|
|
- containerd
|
|
- runc
|
|
- podman-docker
|
|
- podman
|
|
state: absent
|
|
update_cache: yes
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "Raspbian", "Rocky", "Ubuntu"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
- name: Add folder for Docker Engine GPG key (Debian, Raspbian, Ubuntu)
|
|
file:
|
|
path: /etc/apt/keyrings
|
|
state: directory
|
|
mode: 0755
|
|
when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"]
|
|
tags:
|
|
- "Debian"
|
|
- "Raspbian"
|
|
- "Ubuntu"
|
|
|
|
- name: Download Docker Engine GPG key (Debian, Raspbian, Ubuntu)
|
|
get_url:
|
|
url: https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg
|
|
dest: /etc/apt/keyrings/docker
|
|
mode: 0755
|
|
when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"]
|
|
tags:
|
|
- "Debian"
|
|
- "Raspbian"
|
|
- "Ubuntu"
|
|
|
|
- name: Decrypt Docker Engine GPG key (Debian, Raspbian, Ubuntu)
|
|
shell: gpg --dearmor /etc/apt/keyrings/docker
|
|
args:
|
|
creates: /etc/apt/keyrings/docker.gpg
|
|
when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"]
|
|
tags:
|
|
- "Debian"
|
|
- "Raspbian"
|
|
- "Ubuntu"
|
|
|
|
- name: Add Docker Engine repository (Debian, Raspbian, Ubuntu)
|
|
apt_repository:
|
|
filename: docker
|
|
repo: "deb [arch={{ ansible_architecture | replace('aarch64', 'arm64') | replace('x86_64', 'amd64') }} signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
|
|
state: present
|
|
update_cache: yes
|
|
when: ansible_distribution in ["Debian", "Raspbian", "Ubuntu"]
|
|
tags:
|
|
- "Debian"
|
|
- "Raspbian"
|
|
- "Ubuntu"
|
|
|
|
- name: Add Docker repository (Fedora)
|
|
shell: |
|
|
if [ "$(dnf repolist docker-ce-stable)" == "" ];
|
|
then
|
|
dnf -y config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo
|
|
fi
|
|
when: ansible_distribution in ["Fedora"]
|
|
tags:
|
|
- "Fedora"
|
|
|
|
- name: Add Docker repository (AlmaLinux, Rocky)
|
|
shell: |
|
|
if [ "$(dnf repolist docker-ce-stable)" == "" ];
|
|
then
|
|
dnf -y config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
|
|
fi
|
|
when: ansible_distribution in ["AlmaLinux", "Rocky"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Rocky"
|
|
|
|
|
|
#################################
|
|
# T-Pot - Install Docker Engine #
|
|
#################################
|
|
|
|
- name: T-Pot - Install Docker Engine
|
|
hosts: all
|
|
gather_facts: true
|
|
become: true
|
|
|
|
tasks:
|
|
- name: Install Docker Engine packages (openSUSE Tumbleweed)
|
|
package:
|
|
name:
|
|
- docker
|
|
- docker-bash-completion
|
|
- docker-buildx
|
|
- docker-compose
|
|
- docker-compose-switch
|
|
- liblvm2cmd2_03
|
|
- lvm2
|
|
state: latest
|
|
update_cache: yes
|
|
when: ansible_distribution in ["openSUSE Tumbleweed"]
|
|
tags:
|
|
- "openSUSE Tumbleweed"
|
|
- name: Install Docker Engine packages (openSUSE Leap)
|
|
package:
|
|
name:
|
|
- docker
|
|
- docker-bash-completion
|
|
- docker-buildx
|
|
- docker-compose
|
|
- docker-compose-switch
|
|
- liblvm2cmd2_03
|
|
- lvm2
|
|
state: latest
|
|
update_cache: yes
|
|
when: ansible_distribution in ["openSUSE Leap"]
|
|
tags:
|
|
- "openSUSE Leap"
|
|
|
|
|
|
- name: Install Docker Engine packages (AlmaLinux, Debian, Fedora, Raspbian, Rocky, Ubuntu)
|
|
package:
|
|
name:
|
|
- docker-ce
|
|
- docker-ce-cli
|
|
- containerd.io
|
|
- docker-buildx-plugin
|
|
- docker-compose-plugin
|
|
state: latest
|
|
update_cache: yes
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "Raspbian", "Rocky", "Ubuntu"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
- name: Stop Docker (All)
|
|
service:
|
|
name: docker
|
|
state: stopped
|
|
enabled: false
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" "Raspbian", "Rocky", "Ubuntu"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
######################################################
|
|
# T-Pot - Adjust configs, add users and groups, etc. #
|
|
######################################################
|
|
|
|
- name: T-Pot - Adjust configs, add users and groups, etc.
|
|
hosts: all
|
|
gather_facts: true
|
|
become: true
|
|
|
|
tasks:
|
|
- name: Create T-Pot group (All)
|
|
group:
|
|
name: tpot
|
|
gid: 2000
|
|
state: present
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" ,"Raspbian", "Rocky", "Ubuntu"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
- name: Create T-Pot user (All)
|
|
user:
|
|
name: tpot
|
|
uid: 2000
|
|
system: yes
|
|
shell: /bin/false
|
|
home: /nonexistent
|
|
group: tpot
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
- name: Ensure vm.max_map_count is set (All)
|
|
lineinfile:
|
|
path: /etc/sysctl.conf
|
|
line: "vm.max_map_count=262144"
|
|
state: present
|
|
create: yes
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" ,"Raspbian", "Rocky", "Ubuntu"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
- name: Disable ssh.socket unit (Ubuntu)
|
|
systemd:
|
|
name: ssh.socket
|
|
state: stopped
|
|
enabled: false
|
|
when: ansible_distribution in ["Ubuntu"]
|
|
tags:
|
|
- "Ubuntu"
|
|
|
|
- name: Remove ssh.socket.conf file (Ubuntu)
|
|
file:
|
|
path: /etc/systemd/system/ssh.service.d/00-socket.conf
|
|
state: absent
|
|
when: ansible_distribution in ["Ubuntu"]
|
|
tags:
|
|
- "Ubuntu"
|
|
|
|
- name: Change SSH Port to 64295 (AlmaLinux, Debian, Fedora, Raspbian, Rocky, Ubuntu)
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config
|
|
line: "Port 64295"
|
|
insertafter: EOF
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "Raspbian", "Rocky", "Ubuntu"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
- name: Change SSH Port to 64295 (openSUSE Tumbleweed)
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config.d/port.conf
|
|
line: "Port 64295"
|
|
create: yes
|
|
when: ansible_distribution in ["openSUSE Tumbleweed"]
|
|
tags:
|
|
- "openSUSE Tumbleweed"
|
|
|
|
- name: Change SSH Port to 64295 (openSUSE Leap)
|
|
lineinfile:
|
|
path: /etc/ssh/sshd_config.d/port.conf
|
|
line: "Port 64295"
|
|
create: yes
|
|
when: ansible_distribution in ["openSUSE Leap"]
|
|
tags:
|
|
- "openSUSE Leap"
|
|
|
|
|
|
- name: Add T-Pot SSH port to Firewall (AlmaLinux, Fedora, openSUSE Tumbleweed, Rocky)
|
|
firewalld:
|
|
port: 64295/tcp
|
|
permanent: yes
|
|
state: enabled
|
|
when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" ,"Rocky"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Rocky"
|
|
|
|
- name: Set T-Pot default target to ACCEPT (AlmaLinux, Fedora, openSUSE Tumbleweed, Rocky)
|
|
firewalld:
|
|
zone: public
|
|
target: ACCEPT
|
|
permanent: yes
|
|
state: enabled
|
|
when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" ,"Rocky"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Rocky"
|
|
|
|
- name: Load kernel modules (AlmaLinux, Fedora, Rocky)
|
|
command: modprobe -v iptable_filter
|
|
when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Fedora"
|
|
- "Rocky"
|
|
|
|
- name: Update iptables.conf (AlmaLinux, Fedora, Rocky)
|
|
lineinfile:
|
|
path: /etc/modules-load.d/iptables.conf
|
|
line: iptable_filter
|
|
create: yes
|
|
when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Fedora"
|
|
- "Rocky"
|
|
|
|
- name: Set SELinux config to permissive (AlmaLinux, Fedora, Rocky)
|
|
lineinfile:
|
|
path: /etc/selinux/config
|
|
regexp: '^SELINUX='
|
|
line: 'SELINUX=permissive'
|
|
when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Fedora"
|
|
- "Rocky"
|
|
|
|
- name: Set SELinux to permissive (AlmaLinux, Fedora, Rocky)
|
|
command: "setenforce Permissive"
|
|
when: ansible_distribution in ["AlmaLinux", "Fedora", "Rocky"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Fedora"
|
|
- "Rocky"
|
|
|
|
- name: Stop Resolved (Fedora, Ubuntu)
|
|
service:
|
|
name: systemd-resolved
|
|
state: stopped
|
|
when: ansible_distribution in ["Fedora", "Ubuntu"]
|
|
tags:
|
|
- "Fedora"
|
|
- "Ubuntu"
|
|
|
|
- name: Copy resolved.conf to /etc/systemd (Fedora)
|
|
copy:
|
|
src: /usr/lib/systemd/resolved.conf
|
|
dest: /etc/systemd/resolved.conf
|
|
when: ansible_distribution in ["Fedora"]
|
|
ignore_errors: true
|
|
tags:
|
|
- "Fedora"
|
|
|
|
- name: Modify DNSStubListener in resolved.conf (Fedora, Ubuntu)
|
|
lineinfile:
|
|
path: /etc/systemd/resolved.conf
|
|
regexp: '^.*DNSStubListener=.*'
|
|
line: 'DNSStubListener=no'
|
|
state: present
|
|
when: ansible_distribution in ["Fedora", "Ubuntu"]
|
|
tags:
|
|
- "Fedora"
|
|
- "Ubuntu"
|
|
|
|
############################
|
|
# T-Pot - Restart services #
|
|
############################
|
|
|
|
- name: T-Pot - Restart services
|
|
hosts: all
|
|
gather_facts: true
|
|
become: true
|
|
|
|
tasks:
|
|
- name: Start Resolved (Fedora, Ubuntu)
|
|
service:
|
|
name: systemd-resolved
|
|
state: restarted
|
|
when: ansible_distribution in ["Fedora", "Ubuntu"]
|
|
tags:
|
|
- "Fedora"
|
|
- "Ubuntu"
|
|
|
|
- name: Restart Firewalld (AlmaLinux, Fedora, openSUSE Tumbleweed, openSUSE Leap , Rocky)
|
|
service:
|
|
name: firewalld
|
|
state: restarted
|
|
when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" ,"Rocky"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Fedora"
|
|
- "Rocky"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
|
|
- name: Get Firewall rules (AlmaLinux, Fedora, openSUSE Tumbleweed, Rocky)
|
|
command: "firewall-cmd --list-all"
|
|
register: firewall_output
|
|
when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Rocky"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Fedora"
|
|
- "Rocky"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
|
|
- name: Print Firewall rules (AlmaLinux, Fedora, openSUSE Tumbleweed, Rocky)
|
|
debug:
|
|
var: firewall_output.stdout_lines
|
|
when: ansible_distribution in ["AlmaLinux", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Rocky"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Rocky"
|
|
|
|
- name: Enable Docker Engine upon boot (All)
|
|
service:
|
|
name: docker
|
|
state: restarted
|
|
enabled: true
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
- name: Restart SSH (All)
|
|
service:
|
|
name: "{{ 'ssh' if ansible_distribution in ['Ubuntu'] else 'sshd' }}"
|
|
state: restarted
|
|
enabled: true
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
#######################################################################
|
|
# T-Pot - Adjust group users, bashrc, clone / update T-Pot repository #
|
|
#######################################################################
|
|
|
|
- name: T-Pot - Adjust group users, bashrc, clone / update T-Pot repository
|
|
hosts: all
|
|
gather_facts: true
|
|
become: false
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
tasks:
|
|
- name: Check for non-root user id (All)
|
|
debug:
|
|
msg: "Detected user: '{{ ansible_user_id }}'"
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"]
|
|
failed_when: ansible_user_id == "root"
|
|
|
|
- name: Add aliases with exa (All)
|
|
blockinfile:
|
|
path: ~/.bashrc
|
|
block: |
|
|
alias dps='grc --colour=on docker ps -f status=running -f status=exited --format "table {{'{{'}}.Names{{'}}'}}\\t{{'{{'}}.Status{{'}}'}}\\t{{'{{'}}.Ports{{'}}'}}" | sort'
|
|
alias dpsw='watch -c bash -ic dps'
|
|
alias mi='micro'
|
|
alias sudo='sudo '
|
|
alias ls='exa'
|
|
alias ll='exa -hlg'
|
|
alias la='exa -hlag'
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
|
insertafter: EOF
|
|
state: present
|
|
when: exa_install_result is succeeded and ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Raspbian", "Rocky", "Ubuntu"]
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
- name: Add aliases with eza (Debian, Raspbian, Ubuntu)
|
|
blockinfile:
|
|
path: ~/.bashrc
|
|
block: |
|
|
alias dps='grc --colour=on docker ps -f status=running -f status=exited --format "table {{'{{'}}.Names{{'}}'}}\\t{{'{{'}}.Status{{'}}'}}\\t{{'{{'}}.Ports{{'}}'}}" | sort'
|
|
alias dpsw='watch -c bash -ic dps'
|
|
alias mi='micro'
|
|
alias sudo='sudo '
|
|
alias ls='eza'
|
|
alias ll='eza -hlg'
|
|
alias la='eza -hlag'
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
|
insertafter: EOF
|
|
state: present
|
|
when: exa_install_result is failed and ansible_distribution in ["Debian", "Raspbian", "Ubuntu"]
|
|
tags:
|
|
- "Debian"
|
|
- "Raspbian"
|
|
- "Ubuntu"
|
|
|
|
- name: Clone / Update T-Pot repository (All)
|
|
git:
|
|
repo: 'https://github.com/telekom-security/tpotce'
|
|
dest: '/home/{{ ansible_user_id }}/tpotce/'
|
|
version: master
|
|
clone: yes
|
|
update: no
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"]
|
|
|
|
- name: Add current user to Docker, T-Pot group (All)
|
|
become: true
|
|
user:
|
|
name: "{{ ansible_user_id }}"
|
|
groups:
|
|
- docker
|
|
- tpot
|
|
append: yes
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"]
|
|
|
|
########################################
|
|
# T-Pot - Install service and cron job #
|
|
########################################
|
|
|
|
- name: T-Pot - Install service
|
|
hosts: all
|
|
gather_facts: true
|
|
become: false
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
tasks:
|
|
- name: Install systemd service (All)
|
|
become: true
|
|
ansible.builtin.template:
|
|
src: '/home/{{ ansible_user_id }}/tpotce/installer/install/tpot.service'
|
|
dest: '/etc/systemd/system/tpot.service'
|
|
owner: root
|
|
group: root
|
|
mode: '0755'
|
|
notify: Reload systemd and enable service
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap", "Raspbian", "Rocky", "Ubuntu"]
|
|
|
|
handlers:
|
|
- name: Reload systemd and enable service
|
|
become: true
|
|
ansible.builtin.systemd:
|
|
name: tpot.service
|
|
daemon_reload: yes
|
|
state: stopped
|
|
enabled: yes
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" ,"Raspbian", "Rocky", "Ubuntu"]
|
|
|
|
- name: T-Pot - Setup a randomized daily reboot
|
|
hosts: all
|
|
gather_facts: true
|
|
become: yes
|
|
tags:
|
|
- "AlmaLinux"
|
|
- "Debian"
|
|
- "Fedora"
|
|
- "openSUSE Tumbleweed"
|
|
- "openSUSE Leap"
|
|
- "Raspbian"
|
|
- "Rocky"
|
|
- "Ubuntu"
|
|
|
|
vars:
|
|
random_minute: "{{ range(0, 60) | random }}"
|
|
random_hour: "{{ range(0, 5) | random }}" # We want the reboot randomly happen at night
|
|
|
|
tasks:
|
|
- name: Setup a randomized daily reboot (All)
|
|
cron:
|
|
name: "T-Pot Daily Reboot"
|
|
user: root
|
|
minute: "{{ random_minute }}"
|
|
hour: "{{ random_hour }}"
|
|
job: "bash -c 'systemctl stop tpot.service && docker container prune -f; docker image prune -f; docker volume prune -f; /usr/sbin/shutdown -r +1 \"T-Pot Daily Reboot\"'"
|
|
state: present
|
|
when: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "openSUSE Leap" , "Raspbian", "Rocky", "Ubuntu"]
|