From c5054fd5d7b9cdda011f4f9615e36874927d2ad6 Mon Sep 17 00:00:00 2001
From: nbaranov
Date: Fri, 3 Jul 2020 11:58:04 +0300
Subject: [PATCH 1/5] testing
---
student_files/02/inventory.ini | 1 +
student_files/02/provision_me.yml | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
create mode 100644 student_files/02/inventory.ini
diff --git a/student_files/02/inventory.ini b/student_files/02/inventory.ini
new file mode 100644
index 0000000..bf7e899
--- /dev/null
+++ b/student_files/02/inventory.ini
@@ -0,0 +1 @@
+asdasd
diff --git a/student_files/02/provision_me.yml b/student_files/02/provision_me.yml
index 4d00788..7b2d0ec 100644
--- a/student_files/02/provision_me.yml
+++ b/student_files/02/provision_me.yml
@@ -73,7 +73,7 @@
systemd:
name: httpd
enabled: true
- state: restarted
+ state: started
daemon_reload: true
- name: Print message
From b48772acdeb10b9eeaa72b398615029404d089c6 Mon Sep 17 00:00:00 2001
From: nbaranov
Date: Tue, 7 Jul 2020 13:52:00 +0300
Subject: [PATCH 2/5] new playbook with homework added
---
student_files/02/NB_playbook.yml | 117 +++++++++++++++++++++++++++++++
1 file changed, 117 insertions(+)
create mode 100644 student_files/02/NB_playbook.yml
diff --git a/student_files/02/NB_playbook.yml b/student_files/02/NB_playbook.yml
new file mode 100644
index 0000000..19093a8
--- /dev/null
+++ b/student_files/02/NB_playbook.yml
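Review bot: With `state: started` the httpd task no longer applies configuration written by earlier tasks in the play, because systemd only acts on a stopped unit; `restarted` did that, at the cost of a restart on every run. The usual shape is to keep this task at `state: started` and put `notify: restart httpd` on the tasks that change httpd's configuration, with a `restart httpd` handler (`systemd: name: httpd, state: restarted`) in the play's `handlers:` section. The enclosing task list starts and ends outside the hunk.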
@@ -0,0 +1,117 @@
+---
+
+- name: lesson 2 - homework
+ hosts: all
+ become: true
+ become_user: root
+ vars:
+ sshgroup_name: sshusers
+ user:
+ login: deploy
+ password_hash:
+ "$6$NwI7op8FHR1VQta6$zuQXHtNtM/7SRQsf1./18WbBrHMq4mT88nWh67ThmlWcqyVX3F\ BTY9uj/07tR9ViDEvjg6/bh0y3mSjeDQYe3."
+ authorized_key:
+ "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr\ +kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6I\ edplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2\ hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZE\ nDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHln\ VYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
+ group: "{{ sshgroup_name }}"
+ tasks:
+ - name: sshusers group is presented
+ group:
+ name: "{{ sshgroup_name }}"
+ state: present
+
+ - name: Admin account {{ user.login }} is presented
+ user:
+ name: "{{ user.login }}"
+ groups: "{{ user.group }}"
+ shell: /bin/bash
+ update_password: always
+ password: "{{ user.password_hash }}"
+
+ - name: Admins {{ user.login }} can sudo without password
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ line: "{{ user.login }} ALL=(ALL:ALL) NOPASSWD:ALL"
+
+ - name: Authorized key for {{ user.login }} user is presented
+ authorized_key:
+ user: "{{ user.login }}"
+ state: present
+ key: "{{ user.authorized_key }}"
+
+ - name: Software are installed
+ yum:
+ name:
+ - httpd
+ - git
+ state: present
+
+ - name: by NBaranov ************* snmp daemon installation
+ yum:
+ name:
+ - net-snmp
+ - net-snmp-utils
+ state: present
+
+ - name: by NBaranov ************* snmpd daemon configuration
+ copy:
+ dest: /etc/snmp/snmpd.conf
+ content: |
+ syslocation Server Room
+ syscontact SysAdmin (devops@example.com)
+ rocommunity snmp_secret_rocommunity
+
+ - name: by NBaranov ************* snmp port opening
+ iptables:
+ chain: INPUT
+ protocol: udp
+ destination_port: 161
+ jump: ACCEPT
+
+ - name: by 
NBaranov ************* snmpd daemon starting
+ systemd:
+ name: snmpd
+ enabled: true
+ state: started
+ daemon_reload: true
+
+ - name: by NBaranov ************* validation sudo file
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ line: "snmp ALL=(ALL:ALL) NOPASSWD:ALL"
+
+ - name: by NBaranov ************* certificate creation
+ openssl_certificate:
+ path: /etc/ssl/test-ansible.crt
+# privatekey_path: /etc/ssl/private/ansible.com.pem
+ csr_path: /etc/ssl/test-ansible.csr
+ provider: selfsigned
+
+
+ - name: Access via HTTP is allowed
+ iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: '80'
+ ctstate: NEW
+ syn: match
+ jump: ACCEPT
+ comment: Accept new http connections.
+
+ - name: Httpd is restarted
+ systemd:
+ name: httpd
+ enabled: true
+ state: started
+ daemon_reload: true
+
+ - name: Print message
+ debug:
+ msg: "Site locates at http://localhost:8080/"
From fdecd6e991600ff7406a65b039524ce68e4c9296 Mon Sep 17 00:00:00 2001
From: nbaranov
Date: Tue, 7 Jul 2020 13:58:07 +0300
Subject: [PATCH 3/5] changes in certificate
---
student_files/02/NB_playbook.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/student_files/02/NB_playbook.yml b/student_files/02/NB_playbook.yml
index 19093a8..8bd077e 100644
--- a/student_files/02/NB_playbook.yml
+++ b/student_files/02/NB_playbook.yml
@@ -87,10 +87,9 @@
state: present
line: "snmp ALL=(ALL:ALL) NOPASSWD:ALL"
- - name: by NBaranov ************* certificate creation
+ - name: by NBaranov ************* certificate creation - not ready yet
openssl_certificate:
path: /etc/ssl/test-ansible.crt
-# privatekey_path: /etc/ssl/private/ansible.com.pem
csr_path: /etc/ssl/test-ansible.csr
provider: selfsigned
From c86a4344752ab59503df83b29bb6e8de55eb7f0d Mon Sep 17 00:00:00 2001
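Review bot: The `validation sudo file` task writes `snmp ALL=(ALL:ALL) NOPASSWD:ALL` into /etc/sudoers, which grants the snmpd service account passwordless root and validates nothing; it should be removed, and every `lineinfile` on /etc/sudoers needs `validate: '/usr/sbin/visudo -cf %s'` so a malformed line cannot lock everyone out of sudo. The snmpd configuration hard-codes `rocommunity snmp_secret_rocommunity` with no source restriction while the `snmp port opening` task accepts udp/161 from any source, so the community should come from Ansible Vault and be bound to the monitoring network (`rocommunity {{ snmp_ro_community }} <monitoring-cidr>`), and the `copy` task should set `owner: root` and `mode: "0600"` on a file that now holds a credential. The `deploy` account combines the well-known "vagrant insecure public key" with NOPASSWD sudo, which is only acceptable in a throwaway lab and deserves a comment saying so.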
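Review bot: `provider: selfsigned` in `openssl_certificate` needs a `privatekey_path` to sign with, so deleting the commented-out line leaves a task that fails on every run, and adding "not ready yet" to its name does not stop it from executing. Until the key and CSR exist (an `openssl_privatekey` task with `mode: "0600"` and an `openssl_csr` task ahead of it), gate the task with `when: false` or drop it from the play. I cannot see where /etc/ssl/test-ansible.csr is created, so confirm it exists before relying on `csr_path`.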
From: nbaranov
Date: Tue, 14 Jul 2020 10:49:57 +0300
Subject: [PATCH 4/5] Homework for 3 module
---
student_files/03/NB_provision_me.yml | 45 ++++++++++++++++++++++
student_files/03/inventory.ini | 1 +
student_files/03/provision_config_snmp.yml | 15 ++++++++
student_files/03/templates/snmpd.conf.j2 | 16 ++++++++
4 files changed, 77 insertions(+)
create mode 100644 student_files/03/NB_provision_me.yml
create mode 100644 student_files/03/inventory.ini
create mode 100644 student_files/03/provision_config_snmp.yml
create mode 100644 student_files/03/templates/snmpd.conf.j2
diff --git a/student_files/03/NB_provision_me.yml b/student_files/03/NB_provision_me.yml
new file mode 100644
index 0000000..32ffbbe
--- /dev/null
+++ b/student_files/03/NB_provision_me.yml
@@ -0,0 +1,45 @@
+---
+
+- name: provision server
+ hosts: all
+ become: true
+ become_user: root
+ vars:
+ # added by NBaranov
+ community_string: my_secret_string
+
+ sshgroup_name: sshusers
+ iptables_allowed_ports:
+ - {protocol: tcp, port: 80}
+ user:
+ login: deploy
+ password_hash:
+ "$6$NwI7op8FHR1VQta6$zuQXHtNtM/7SRQsf1./18WbBrHMq4mT88nWh67ThmlWcqyVX3\ FBTY9uj/07tR9ViDEvjg6/bh0y3mSjeDQYe3."
+ authorized_key:
+ "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YV\ r+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv\ 6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn\ 5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0\ jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE9\ 8OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
+ tasks:
+ - import_tasks: provision_1_users.yml
+ - import_tasks: provision_2_software.yml
+ - import_tasks: provision_config_snmp.yml
+# - include_tasks: provision_config_ports.yml
+ - name: Apply iptables settings and override defult variable value
+ import_tasks: provision_3_iptables.yml
+ vars:
+ iptables_allowed_ports:
+ - {protocol: tcp, port: 180}
+ - {protocol: tcp, port: 1443}
+ - {protocol: udp, port: 1161}
+ # added by NBaranov
+ - {protocol: tcp, port: 443}
+ - {protocol: udp, port: 161}
+
+ - import_tasks: provision_4_site.yml
+ - name: Print message
+ debug:
+ msg: "Site locates at http://localhost:8080/"
diff --git a/student_files/03/inventory.ini b/student_files/03/inventory.ini
new file mode 100644
index 0000000..bf7e899
--- /dev/null
+++ b/student_files/03/inventory.ini
@@ -0,0 +1 @@
+asdasd
diff --git a/student_files/03/provision_config_snmp.yml b/student_files/03/provision_config_snmp.yml
new file mode 100644
index 0000000..2aaa558
--- /dev/null
+++ b/student_files/03/provision_config_snmp.yml
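Review bot: `community_string: my_secret_string` commits the SNMP credential in clear text, and the override list on the iptables `import_tasks` opens `udp/161` to any source, so the community is both leaked and reachable network-wide. Move the value to an Ansible Vault file (`community_string: "{{ vault_snmp_community }}"`) and restrict the SNMP rule to the monitoring host's address. The `vars:` on that `import_tasks` replaces the play-level `iptables_allowed_ports` wholesale, so tcp/80 is no longer in the list the imported file sees — confirm that is intended. The `"$6$..."` hash and the "vagrant insecure public key" are copied from the lesson-2 playbook and carry the same risk for a NOPASSWD `deploy` account.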
@@ -0,0 +1,15 @@
+---
+- name: install snmpd
+ yum:
+ name:
+ - net-snmp
+ - net-snmp-utils
+ state: present
+ when: ansible_distribution == 'CentOS'
+
+- name: configure snmpd
+ template:
+ src: snmpd.conf.j2
+ dest: "/etc/snmp/snmpd.conf"
+ become: yes
+ when: ansible_distribution == 'CentOS'
diff --git a/student_files/03/templates/snmpd.conf.j2 b/student_files/03/templates/snmpd.conf.j2
new file mode 100644
index 0000000..b4c317e
--- /dev/null
+++ b/student_files/03/templates/snmpd.conf.j2
@@ -0,0 +1,16 @@
+###############################################################################
+# System contact information
+#
+
+# It is also possible to set the sysContact and sysLocation system
+# variables through the snmpd.conf file:
+
+syslocation Unknown (edit /etc/snmp/snmpd.conf)
+syscontact Root (configure /etc/snmp/snmp.local.conf)
+
+####
+# First, map the community name "public" into a "security name"
+
+# sec.name source community
+com2sec notConfigUser default {{ community_string }}
+
From 2603d3344aaa0d55d821e2321df1ab852861bac2 Mon Sep 17 00:00:00 2001
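Review bot: The `configure snmpd` task writes a file that carries the community string but sets no `owner`/`group`/`mode`, so the file gets the default umask permissions (normally world-readable), whereas the net-snmp package ships its own snmpd.conf as root-only — set them explicitly. Nothing restarts or reloads snmpd after the template changes, so a new community never takes effect until the service happens to restart; add `notify: restart snmpd` and a matching handler in the play (handlers cannot be declared inside an imported task file). `become: yes` is redundant under a play that already has `become: true`, and if kept it should be the canonical `true`.
```yaml
- name: configure snmpd
  template:
    src: snmpd.conf.j2
    dest: "/etc/snmp/snmpd.conf"
    owner: root
    group: root
    mode: "0600"
  when: ansible_distribution == 'CentOS'
  notify: restart snmpd
```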
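Review bot: `com2sec notConfigUser default {{ community_string }}` accepts the community from any source address (`default`), so with udp/161 open this read-only credential is usable from the whole network; replace `default` with the monitoring host or network, e.g. `com2sec notConfigUser 10.0.0.0/24 {{ community_string }}` (substitute the real CIDR). The template ends at the `com2sec` line with no `group`, `view` or `access` directives, so as written snmpd maps the community to a security name and then grants it nothing — if the stock CentOS `group notConfigGroup …`, `view systemview …` and `access notConfigGroup "" any noauth exact systemview none none` lines were meant to follow, they are missing. The comment above still says it maps the community name "public"; reword it to `# map the templated community_string into a security name` so nobody goes looking for `public`.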
From: nbaranov
Date: Tue, 14 Jul 2020 10:54:46 +0300
Subject: [PATCH 5/5] homework for module 4
---
student_files/04/NB_provision_me.yml | 29 +++++++++++++++++++
student_files/04/example_plugins.yml | 4 +++
student_files/04/inventory.ini | 1 +
.../filter_plugins/users_without_hash.py | 13 +++++++++
.../04/roles/iptables_role/defaults/main.yml | 4 +++
.../library/iptables_reload_module.sh | 9 ++++++
.../04/roles/iptables_role/tasks/main.yml | 19 ++++++++++++
.../04/roles/snmpd_role/defaults/main.yml | 4 +++
.../04/roles/snmpd_role/tasks/main.yml | 5 ++++
9 files changed, 88 insertions(+)
create mode 100644 student_files/04/NB_provision_me.yml
create mode 100644 student_files/04/inventory.ini
create mode 100644 student_files/04/roles/example_plugins/filter_plugins/users_without_hash.py
create mode 100644 student_files/04/roles/iptables_role/defaults/main.yml
create mode 100644 student_files/04/roles/iptables_role/library/iptables_reload_module.sh
create mode 100644 student_files/04/roles/iptables_role/tasks/main.yml
create mode 100644 student_files/04/roles/snmpd_role/defaults/main.yml
create mode 100644 student_files/04/roles/snmpd_role/tasks/main.yml
diff --git a/student_files/04/NB_provision_me.yml b/student_files/04/NB_provision_me.yml
new file mode 100644
index 0000000..469885d
--- /dev/null
+++ b/student_files/04/NB_provision_me.yml
@@ -0,0 +1,29 @@
+---
+
+- name: provision server
+ hosts: all
+ become: true
+ become_user: root
+ vars:
+ - snmpd_packages:
+ - net-snmp
+ - net-snmp-utils
+ roles:
+ - role: game2048
+ vars:
+ iptables_allowed_ports:
+ - {protocol: tcp, port: 80}
+ - {protocol: tcp, port: 443}
+ - {protocol: udp, port: 161}
+ - role: users
+
+ # added by NBaranov
+ - role: snmpd_role
+ - role: iptables_role
+
+ # use filter
+- debug:
+ msg: "{{ admins | users_without_hash }}"
+
+
+
\ No newline at end of file
diff --git a/student_files/04/example_plugins.yml b/student_files/04/example_plugins.yml
index 5bea27a..4e720ed 100644
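Review bot: The closing `- debug:` sits at column 0, which makes it a second entry in the playbook's list of plays rather than a task; `debug` is not a play keyword, so Ansible will reject the file, and `admins` is not defined anywhere in this play. Move it under a `tasks:` (or `post_tasks:`) key of the play, indented like `roles:`. The play-level `vars:` is also written as a list (`- snmpd_packages:`), a form that is deprecated and, as far as I recall, rejected by recent releases — write it as a mapping, `vars:` then `  snmpd_packages:`. `iptables_allowed_ports` is passed only to `game2048`, while `iptables_role` in this same patch reads `iptables_port_list`, so the two port lists can silently diverge and udp/161 is opened by the role default regardless of what this play passes.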
--- a/student_files/04/example_plugins.yml
+++ b/student_files/04/example_plugins.yml
@@ -45,3 +45,7 @@
- debug:
msg: "{{ admins | users_without_email }}"
+ # use filter from NBaranov
+ - debug:
+ msg: "{{ admins | users_without_hash }}"
+
diff --git a/student_files/04/inventory.ini b/student_files/04/inventory.ini
new file mode 100644
index 0000000..bf7e899
--- /dev/null
+++ b/student_files/04/inventory.ini
@@ -0,0 +1 @@
+asdasd
diff --git a/student_files/04/roles/example_plugins/filter_plugins/users_without_hash.py b/student_files/04/roles/example_plugins/filter_plugins/users_without_hash.py
new file mode 100644
index 0000000..d09f713
--- /dev/null
+++ b/student_files/04/roles/example_plugins/filter_plugins/users_without_hash.py
@@ -0,0 +1,13 @@
+#!/usr/bin/python
+class FilterModule(object):
+ def filters(self):
+ return {
+ 'users_without_hash': self.a_users_without_hash
+ }
+
+ def a_users_without_hash(self, users_input):
+ users_output = []
+ for user in users_input:
+ if 'password_hash' not in user:
+ users_output.append(user['login'])
+ return users_output
diff --git a/student_files/04/roles/iptables_role/defaults/main.yml b/student_files/04/roles/iptables_role/defaults/main.yml
new file mode 100644
index 0000000..a25e12c
--- /dev/null
+++ b/student_files/04/roles/iptables_role/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+iptables_port_list:
+ - {protocol: tcp, port: 80}
+ - {protocol: udp, port: 161}
\ No newline at end of file
diff --git a/student_files/04/roles/iptables_role/library/iptables_reload_module.sh b/student_files/04/roles/iptables_role/library/iptables_reload_module.sh
new file mode 100644
index 0000000..d48083b
--- /dev/null
+++ b/student_files/04/roles/iptables_role/library/iptables_reload_module.sh
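Review bot: `if 'password_hash' not in user` only detects an absent key, so an entry with `password_hash: ""` or `password_hash: null` is reported as having a hash, and `user['login']` raises `KeyError` on a record without `login`, which aborts the whole template instead of surfacing the bad account. Change the test to `if not user.get('password_hash'):` and give `a_users_without_hash` a docstring stating that it returns the `login` of every entry in `users_input` with no non-empty `password_hash` and raises `KeyError` when an entry has no `login`. The `#!/usr/bin/python` shebang is unnecessary for a filter plugin, which Ansible imports rather than executes.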
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if iptables-restore /etc/sysconfig/iptables; then
+ JSON='{ "changed": true, "msg": "iptables is reloaded", "date": "%s" }'
+else
+ JSON='{ "changed": false, "msg": "iptables is not reloaded", "date": "%s" }'
+fi
+
+printf "$JSON" "$(date)"
diff --git a/student_files/04/roles/iptables_role/tasks/main.yml b/student_files/04/roles/iptables_role/tasks/main.yml
new file mode 100644
index 0000000..f887584
--- /dev/null
+++ b/student_files/04/roles/iptables_role/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: ports configure
+ iptables:
+ chain: INPUT
+ protocol: "{{ snmp_port.protocol }}"
+ destination_port: "{{ snmp_port.port }}"
+ jump: ACCEPT
+ register: port_change_result
+ loop: "{{ iptables_port_list }}"
+ loop_control:
+ loop_var: snmp_port
+
+- name: Execute iptables test bash module
+ iptables_reload_module:
+ register: result_of_reload
+ when: port_change_result.changed
+
+- debug:
+ var: result_of_reload
\ No newline at end of file
diff --git a/student_files/04/roles/snmpd_role/defaults/main.yml b/student_files/04/roles/snmpd_role/defaults/main.yml
new file mode 100644
index 0000000..fce215e
--- /dev/null
+++ b/student_files/04/roles/snmpd_role/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+snmpd_packages:
+ - net-snmp
+ - net-snmp-utils
diff --git a/student_files/04/roles/snmpd_role/tasks/main.yml b/student_files/04/roles/snmpd_role/tasks/main.yml
new file mode 100644
index 0000000..fd1b5ba
--- /dev/null
+++ b/student_files/04/roles/snmpd_role/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Installation snmpd
+ yum:
+ name: "{{ snmpd_packages }}"
+ state: present
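Review bot: `iptables-restore /etc/sysconfig/iptables` replaces the running tables with the contents of the saved file, so the rules the role's `iptables` task just inserted are discarded unless they already exist in that file — and because the role runs this module `when: port_change_result.changed`, it fires exactly when it will undo the change. If the intent is to persist the new rules, the module should run `iptables-save` into that file; if it is a real reload, the rules have to be written to the file first. On failure the module also emits `"changed": false` with no `"failed": true`, so Ansible reports the task as OK while the ruleset is in an unknown state.
```bash
if iptables-save > /etc/sysconfig/iptables; then
    JSON='{ "changed": true, "msg": "iptables rules saved", "date": "%s" }'
else
    JSON='{ "changed": false, "failed": true, "msg": "iptables-save failed", "date": "%s" }'
fi
# … unchanged: printf of $JSON with the date …
```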
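Review bot: The `ports configure` loop accepts every entry in `iptables_port_list` from any source, and the role default includes `udp/161`, so SNMP — a clear-text v2c community elsewhere in this series — is exposed to the whole network unless a caller overrides the list; add an optional `source` to the list items and pass it through with `source: "{{ snmp_port.source | default(omit) }}"` so the SNMP rule can be pinned to the monitoring host. The rule also lacks the `ctstate: NEW` that the lesson-2 HTTP rule uses, so the two sets of rules are inconsistent. `loop_var: snmp_port` is misleading for a list that also carries the HTTP port; `allowed_port` describes it.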