From 78be0bea34cb129f3c6e0f90615b0c0989c88f7e Mon Sep 17 00:00:00 2001 From: Rudenia Artsiom Date: Fri, 27 Nov 2020 16:23:06 +0300 Subject: [PATCH 01/14] Lab1 - Changed vagrant provisioning from shell to ansible --- student_files/01/Vagrantfile | 8 +++++++- student_files/01/inventory.ini | 1 + 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 student_files/01/inventory.ini diff --git a/student_files/01/Vagrantfile b/student_files/01/Vagrantfile index ac9edc3..cb94dbe 100644 --- a/student_files/01/Vagrantfile +++ b/student_files/01/Vagrantfile @@ -20,5 +20,11 @@ Vagrant.configure('2') do |config| end # provision VM via bash - config.vm.provision 'shell', path: 'provision_me.sh' +# config.vm.provision 'shell', path: 'provision_me.sh' + + # provision VM via ansible + config.vm.provision 'ansible_local' do |ansible| + ansible.playbook = '/vagrant/provision_me.yml' + ansible.verbose = 'v' + end end diff --git a/student_files/01/inventory.ini b/student_files/01/inventory.ini new file mode 100644 index 0000000..a16ce2c --- /dev/null +++ b/student_files/01/inventory.ini @@ -0,0 +1 @@ +check_inv \ No newline at end of file From bf6757f5fff58bbc70c359bfc46f3cda251e7c7b Mon Sep 17 00:00:00 2001 From: Rudenia Artsiom Date: Fri, 27 Nov 2020 16:55:24 +0300 Subject: [PATCH 02/14] add some history and error.logs --- student_files/01/history.txt | 64 ++++++++++++++++++++++++++++++ student_files/01/vagrant_error.txt | 28 +++++++++++++ 2 files changed, 92 insertions(+) create mode 100644 student_files/01/history.txt create mode 100644 student_files/01/vagrant_error.txt diff --git a/student_files/01/history.txt b/student_files/01/history.txt new file mode 100644 index 0000000..9bfb5c9 --- /dev/null +++ b/student_files/01/history.txt 
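Review bot: The new `inventory.ini` (a single host entry, `check_inv`) is never wired into the provisioner: the `ansible_local` block sets only `playbook` and `verbose`, with no `ansible.inventory_path`, so Vagrant generates its own inventory and the file is dead until something passes it by hand (the later `history.txt` shows exactly that with `-i inventory.ini`). If it is meant to be used, add `ansible.inventory_path = 'inventory.ini'`; otherwise drop the file. The old shell provisioner is kept as `+# config.vm.provision 'shell', path: 'provision_me.sh'`; git keeps that history, so delete the line rather than carrying commented code.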
@@ -0,0 +1,64 @@ +[vagrant@localhost ~]$ history | cut -c 8- +exit +ll +ls +[wd +pwd +ls +cd /vagrant +ls +cat provision_me.sh +sudo bash provision_me.sh +iptables -L +sudo su +ssh-keygen +ssh-copy-id check_inv +ssh check_inv +ansible-playbook -vvv -i inventory.ini /vagrant/provision_me.yml +history | less +history +ansible-playbook -i inventory.ini /vagrant/provision_me.yml +exit +history +exit +history +sudo su +ansible-playbook -vvv -i inventory.ini /vagrant/provision_me.yml +less /vagrant/provision_me.yml +ssh check_inv +cat /home/vagrant/inventory.ini +ansible-playbook -vvv -i /vagrant/inventory.ini /vagrant/provision_me.yml +exit +ansible-playbook -i /vagrant/inventory.ini /vagrant/provision_me.yml + +[vagrant@localhost vagrant]$ history | cut -c 8- +exit +ll +ls +[wd +pwd +ls +cd /vagrant +ls +cat provision_me.sh +sudo bash provision_me.sh +iptables -L +sudo su +ssh-keygen +ssh-copy-id check_inv +ssh check_inv +ansible-playbook -vvv -i inventory.ini /vagrant/provision_me.yml +history | less +history +ansible-playbook -i inventory.ini /vagrant/provision_me.yml +exit +history +exit +history +sudo su +ansible-playbook -vvv -i inventory.ini /vagrant/provision_me.yml +less /vagrant/provision_me.yml +ssh check_inv +cat /home/vagrant/inventory.ini +ansible-playbook -vvv -i /vagrant/inventory.ini /vagrant/provision_me.yml +exit \ No newline at end of file diff --git a/student_files/01/vagrant_error.txt b/student_files/01/vagrant_error.txt new file mode 100644 index 0000000..15ec250 --- /dev/null +++ b/student_files/01/vagrant_error.txt 
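Review bot: `history.txt` and `vagrant_error.txt` (next hunk) are debugging artifacts being committed into the course tree, and interactive shell history is a classic leak channel for credentials typed on the command line; this dump happens to contain only commands such as `ssh-copy-id check_inv` and `sudo su`, but the habit should not continue. The history is also pasted twice verbatim. Put both under `.gitignore` or a scratch directory outside the repository rather than committing them.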
@@ -0,0 +1,28 @@ +INFO interface: error: The guest machine entered an invalid state while waiting for it +to boot. Valid states are 'starting, running'. The machine is in the +'unknown' state. Please verify everything is configured +properly and try again. + +it is often helpful to open that and watch the machine, since the +GUI often has more helpful error messages than Vagrant can retrieve. +For example, if you're using VirtualBox, run `vagrant up` while the +VirtualBox GUI is open. + +The primary issue for this error is that the provider you're using +is not properly configured. This is very rarely a Vagrant issue. +The guest machine entered an invalid state while waiting for it +to boot. Valid states are 'starting, running'. The machine is in the +'unknown' state. Please verify everything is configured +properly and try again. + +If the provider you're using has a GUI that comes with it, +it is often helpful to open that and watch the machine, since the +GUI often has more helpful error messages than Vagrant can retrieve. +For example, if you're using VirtualBox, run `vagrant up` while the +VirtualBox GUI is open. + +The primary issue for this error is that the provider you're using +is not properly configured. This is very rarely a Vagrant issue. + INFO interface: Machine: error-exit ["Vagrant::Errors::VMBootBadState", "The guest machine entered an invalid state while waiting for it\nto boot. Valid states are 'starting, running'. The machine is in the\n'unknown' state. Please verify everything is configured\nproperly and try again.\n\nIf the provider you're using has a GUI that comes with it,\nit is often helpful to open that and watch the machine, since the\nGUI often has more helpful error messages than Vagrant can retrieve.\nFor example, if you're using VirtualBox, run `vagrant up` while the\nVirtualBox GUI is open.\n\nThe primary issue for this error is that the provider you're using\nis not properly configured. 
This is very rarely a Vagrant issue."] +PS C:\ansible-course\student_files\01> vagrant halt +==> default: Attempting graceful shutdown of VM... \ No newline at end of file From d13aaac5db0aa36ba890492680a72905b4abb244 Mon Sep 17 00:00:00 2001 From: Artsiom Rudenia Date: Tue, 1 Dec 2020 18:04:38 +0300 Subject: [PATCH 03/14] Homework 2 without self-signed certs --- student_files/02/provision_me.yml | 54 ++++++++++++++++++++++++++++--- student_files/02/snmpd.conf | 3 ++ 2 files changed, 52 insertions(+), 5 deletions(-) create mode 100644 student_files/02/snmpd.conf diff --git a/student_files/02/provision_me.yml b/student_files/02/provision_me.yml index 4bafe73..5e9616b 100644 --- a/student_files/02/provision_me.yml +++ b/student_files/02/provision_me.yml @@ -5,6 +5,7 @@ become: true become_user: root vars: + sshgroup_name: sshusers user: login: deploy password_hash: 
@@ -17,46 +18,89 @@ hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZE\ nDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHln\ VYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" + group: "{{ sshgroup_name }}" + tasks: - - name: Create admin account + - name: Create {{ sshgroup_name }} group for {{ user.login }} + group: + name: "{{ sshgroup_name }}" + state: present + + - name: Create user {{ user.login }} account user: name: "{{ user.login }}" + groups: "{{ user.group }}" shell: /bin/bash update_password: always password: "{{ user.password_hash }}" - - name: Add admin to sudoers + + - name: Add user {{ user.login }} to sudoers lineinfile: dest: /etc/sudoers state: present line: "{{ user.login }} ALL=(ALL:ALL) NOPASSWD:ALL" - - name: Create authorized key for admin + validate: '/usr/sbin/visudo -cf %s' + + - name: Create authorized key for user {{ user.login }} authorized_key: user: "{{ user.login }}" state: present key: "{{ user.authorized_key }}" + - name: Install software package: name: - httpd - git + - iptables-services + - net-snmp + - net-snmp-utils state: present + - name: Checkout git repository git: repo: https://github.com/ultral/2048.git dest: /var/www/html force: true version: fc1ef4fe5a5fcccea7590f3e4c187c75980b353f + - name: Allow access via HTTP iptables: chain: INPUT protocol: tcp - destination_port: 80 + destination_port: '80' + ctstate: NEW + jump: ACCEPT + + - name: Allow access via UPD for snmpd + iptables: + chain: INPUT + protocol: udp + destination_port: '161' ctstate: NEW jump: ACCEPT + + - name: Copy a new "snmpd.conf file into /etc/snmpd/snmpd.conf + copy: + src: /vagrant/snmpd.conf + dest: /etc/snmp/snmpd.conf + owner: root + group: root + mode: '0600' + force: yes + backup: yes + - name: Start httpd systemd: name: httpd state: started + + - name: Start and enable snmpd + systemd: + name: snmpd + enabled: yes + state: started + - name: Print message debug: - msg: "Play 2028: 
http://localhost:8080/" + msg: "Play 2028: http://localhost:8080/" \ No newline at end of file diff --git a/student_files/02/snmpd.conf b/student_files/02/snmpd.conf new file mode 100644 index 0000000..e469363 --- /dev/null +++ b/student_files/02/snmpd.conf @@ -0,0 +1,3 @@ +syslocation Server Room +syscontact SysAdmin (devops@example.com) +rocommunity snmp_secret_rocommunity \ No newline at end of file From a888664cf63a516f49687b387137aa11e810b645 Mon Sep 17 00:00:00 2001 From: Artsiom Rudenia Date: Tue, 1 Dec 2020 18:30:01 +0300 Subject: [PATCH 04/14] Homework 2: fixed errors from yamlint output to pass test --- student_files/02/provision_me.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/student_files/02/provision_me.yml b/student_files/02/provision_me.yml index 5e9616b..29731cd 100644 --- a/student_files/02/provision_me.yml +++ b/student_files/02/provision_me.yml @@ -19,7 +19,7 @@ nDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHln\ VYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" group: "{{ sshgroup_name }}" - + tasks: - name: Create {{ sshgroup_name }} group for {{ user.login }} group: @@ -41,7 +41,7 @@ line: "{{ user.login }} ALL=(ALL:ALL) NOPASSWD:ALL" validate: '/usr/sbin/visudo -cf %s' - - name: Create authorized key for user {{ user.login }} + - name: Create authorized key for user {{ user.login }} authorized_key: user: "{{ user.login }}" state: present @@ -52,7 +52,7 @@ name: - httpd - git - - iptables-services + - iptables-services - net-snmp - net-snmp-utils state: present @@ -87,8 +87,8 @@ owner: root group: root mode: '0600' - force: yes - backup: yes + force: true + backup: true - name: Start httpd systemd: @@ -98,9 +98,9 @@ - name: Start and enable snmpd systemd: name: snmpd - enabled: yes + enabled: true state: started - name: Print message debug: - msg: "Play 2028: http://localhost:8080/" \ No newline at end of file + msg: "Play 2028: http://localhost:8080/" 
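Review bot: The new `Allow access via UPD for snmpd` task accepts UDP/161 from any source (no `source:` on the `iptables` module call), and the `snmpd.conf` shipped in the same commit grants its read-only community without a source restriction, so the whole SNMP tree becomes readable by any host that can reach the VM; add `source:` with the management host/network to the rule, or keep 161 closed and rely on the config-level restriction. The `copy` task name has a stray quote and says `/etc/snmpd/snmpd.conf` while `dest` is `/etc/snmp/snmpd.conf`; `- name: Copy snmpd.conf into /etc/snmp/snmpd.conf` matches what it does. `iptables-services` is added to the package list but nothing enables that service or saves the rules, so the ACCEPT rules added by the `iptables` module likely do not survive a reboot — please confirm. This hunk starts on the previous line; the `vars:` block it edits begins outside it.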
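Review bot: `rocommunity snmp_secret_rocommunity` is a credential committed to git, and with no source argument net-snmp accepts it from any address; together with the firewall rule in the playbook this exposes the read-only tree to the network. Keep the community out of the repository (a variable rendered by `template`, as the later role-based version does with `rocommunity {{ snmp_community }}`) and restrict it, e.g. `rocommunity {{ snmp_community }} 127.0.0.1` or the management subnet. The file also lacks a trailing newline.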
From 88f1fc3a310fc9c947f8ff9500f8b3576535f1cf Mon Sep 17 00:00:00 2001 From: Artsiom Rudenia Date: Tue, 1 Dec 2020 19:15:18 +0300 Subject: [PATCH 05/14] Homework 2: changed user/group for copy module --- student_files/02/provision_me.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/student_files/02/provision_me.yml b/student_files/02/provision_me.yml index 29731cd..8cbe55b 100644 --- a/student_files/02/provision_me.yml +++ b/student_files/02/provision_me.yml @@ -84,8 +84,8 @@ copy: src: /vagrant/snmpd.conf dest: /etc/snmp/snmpd.conf - owner: root - group: root + owner: "{{ user.login }}" + group: "{{ user.group }}" mode: '0600' force: true backup: true From a8b662b29d6d297f158d13b0650bb995cf9d11f3 Mon Sep 17 00:00:00 2001 From: Artsiom Rudenia Date: Tue, 1 Dec 2020 19:35:40 +0300 Subject: [PATCH 06/14] Homework 2: remote_src:yes and mode:preserve for a copy module --- student_files/02/provision_me.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/student_files/02/provision_me.yml b/student_files/02/provision_me.yml index 8cbe55b..130d3d6 100644 --- a/student_files/02/provision_me.yml +++ b/student_files/02/provision_me.yml @@ -86,7 +86,8 @@ dest: /etc/snmp/snmpd.conf owner: "{{ user.login }}" group: "{{ user.group }}" - mode: '0600' + remote_src: yes + mode: preserve force: true backup: true From 4e1ac5be173d00d02d023dab09f70e05d9c30da1 Mon Sep 17 00:00:00 2001 From: Artsiom Rudenia Date: Tue, 1 Dec 2020 19:56:43 +0300 Subject: [PATCH 07/14] Homework 2: comment out copy module, try via blockinfile --- student_files/02/provision_me.yml | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/student_files/02/provision_me.yml b/student_files/02/provision_me.yml index 130d3d6..d2b3baa 100644 --- a/student_files/02/provision_me.yml +++ b/student_files/02/provision_me.yml 
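Review bot: Changing `owner`/`group` of `/etc/snmp/snmpd.conf` from `root` to the `deploy` login account makes the configuration of a root-managed daemon writable by an ordinary user; net-snmp's config can declare commands the agent executes, so this is a privilege-escalation path in general, and it also hands that user the community string. `deploy` already has passwordless sudo in this lab, but service configuration should still stay `owner: root`, `group: root`, `mode: '0600'`. PATCH 12's final `copy` task keeps the `deploy` ownership, so the same change applies there.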
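Review bot: Replacing `mode: '0600'` with `mode: preserve` (plus `remote_src: yes`) makes the permissions of `/etc/snmp/snmpd.conf` whatever the copy under `/vagrant` happens to carry, and files in a synced folder are commonly world-readable; since the file holds the SNMP community it needs an explicit restrictive mode, so keep `mode: '0600'`. PATCH 12's final `copy` task also uses `mode: preserve` and needs the same fix.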
@@ -80,16 +80,27 @@ ctstate: NEW jump: ACCEPT - - name: Copy a new "snmpd.conf file into /etc/snmpd/snmpd.conf - copy: - src: /vagrant/snmpd.conf - dest: /etc/snmp/snmpd.conf - owner: "{{ user.login }}" - group: "{{ user.group }}" - remote_src: yes - mode: preserve - force: true - backup: true +# - name: Copy a new "snmpd.conf file into /etc/snmpd/snmpd.conf +# copy: +# src: /vagrant/snmpd.conf +# dest: /etc/snmp/snmpd.conf +# owner: "{{ user.login }}" +# group: "{{ user.group }}" +# remote_src: yes +# mode: preserve +# force: true +# backup: true + + - name: Configure snmpd via blockinfile + blockinfile: + path: /etc/snmp/snmpd.conf + state: present + block: | + syslocation Server Room + syscontact SysAdmin (devops@example.com) + rocommunity snmp_secret_rocommunity + insertafter: EOF + - name: Start httpd systemd: From 93494ea07a26bf0a528838878a85501e7f211eb6 Mon Sep 17 00:00:00 2001 From: Artsiom Rudenia Date: Wed, 2 Dec 2020 00:37:38 +0300 Subject: [PATCH 08/14] Homework 2: added self-signed certs generation --- student_files/02/provision_me.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/student_files/02/provision_me.yml b/student_files/02/provision_me.yml index d2b3baa..2da3c09 100644 --- a/student_files/02/provision_me.yml +++ b/student_files/02/provision_me.yml @@ -55,8 +55,14 @@ - iptables-services - net-snmp - net-snmp-utils +# - pip state: present +# - name: install latest pyOpenSSL if needed +# pip: +# name: pyOpenSSL +# state: latest + - name: Checkout git repository git: repo: https://github.com/ultral/2048.git 
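Review bot: The `blockinfile` task appends to the package's existing `/etc/snmp/snmpd.conf` instead of replacing it, so whatever the stock file already grants stays in effect — PATCH 14's template reproduces stock lines such as `com2sec notConfigUser default public`, which, if the stock file is the same here, leaves the well-known `public` community enabled alongside the new one — and the file mode is no longer managed at all. If the intent is to own the config, `template`/`copy` with `mode: '0600'` is the right tool; if appending is kept, remove or override the stock `com2sec`/`group` lines. The ten commented-out lines of the old `copy` task should be deleted rather than carried along.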
@@ -101,6 +107,22 @@ rocommunity snmp_secret_rocommunity insertafter: EOF + - name: Generate an OpenSSL private key with the default values (4096 bits, RSA) + openssl_privatekey: + path: /etc/ssl/certs/ansible.com.pem + + - name: Generate an OpenSSL Certificate Signing Request + openssl_csr: + path: /etc/ssl/certs/ansible.com.csr + privatekey_path: /etc/ssl/certs/ansible.com.pem + common_name: www.ansible.com + + - name: Generate a Self Signed OpenSSL certificate + openssl_certificate: + path: /etc/ssl/certs/ansible.com.crt + privatekey_path: /etc/ssl/certs/ansible.com.pem + csr_path: /etc/ssl/certs/ansible.com.csr + provider: selfsigned - name: Start httpd systemd: From 7235b835bb461820b50fc6d33c2bdaccbcfd1762 Mon Sep 17 00:00:00 2001 From: Artsiom Rudenia Date: Wed, 2 Dec 2020 01:10:25 +0300 Subject: [PATCH 09/14] Homework 2: installed pip and py-openssl --- student_files/02/provision_me.yml | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/student_files/02/provision_me.yml b/student_files/02/provision_me.yml index 2da3c09..794ec1d 100644 --- a/student_files/02/provision_me.yml +++ b/student_files/02/provision_me.yml @@ -55,13 +55,23 @@ - iptables-services - net-snmp - net-snmp-utils -# - pip state: present -# - name: install latest pyOpenSSL if needed -# pip: -# name: pyOpenSSL -# state: latest + - name: Install Python PIP RPMs + become: true + package: + name: python2-pip + state: present + + - name: install latest pyOpenSSL if needed + pip: + name: pyOpenSSL + state: latest + +# - name: Install py-openssl package +# apk: +# name: py-openssl +# update_cache: no - name: Checkout git repository git: From 2b558d772170e2b93b892d7d1b13033319246542 Mon Sep 17 00:00:00 2001 From: Artsiom Rudenia Date: Wed, 2 Dec 2020 01:22:16 +0300 Subject: [PATCH 10/14] Homework 2: cleared comments --- student_files/02/provision_me.yml | 15 --------------- 1 file changed, 15 deletions(-) 
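Review bot: The private key is written to `/etc/ssl/certs/ansible.com.pem`, a directory meant for public certificates; it belongs under a private path such as `/etc/ssl/private/` (the module reportedly defaults the key's mode to 0600 — confirm — but directory placement still matters for backups and anything that ships `/etc/ssl/certs` around). Nothing in the play installs `mod_ssl` or points httpd at the certificate, so as committed the key, CSR and self-signed cert are generated but unused; a comment saying so, or a follow-up task, would help the next reader. `common_name: www.ansible.com` also does not match the `localhost:8080` URL the play prints.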
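Review bot: `pip: name: pyOpenSSL state: latest` installs whatever PyPI serves at provisioning time, with no version pin or hash, so each `vagrant up` may pull a different dependency tree; PATCH 11 changes this to `state: present` and PATCH 12 adds an unpinned `pip --upgrade` of pip itself, which has the same issue. Pin with the module's `version:` argument (e.g. `version: '<pinned-version>'`) or install the distro package instead. The `become: true` on the new `Install Python PIP RPMs` task repeats the play-level `become: true` visible in PATCH 03's first hunk.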
diff --git a/student_files/02/provision_me.yml b/student_files/02/provision_me.yml index 794ec1d..f52186b 100644 --- a/student_files/02/provision_me.yml +++ b/student_files/02/provision_me.yml @@ -68,10 +68,6 @@ name: pyOpenSSL state: latest -# - name: Install py-openssl package -# apk: -# name: py-openssl -# update_cache: no - name: Checkout git repository git: @@ -96,17 +92,6 @@ ctstate: NEW jump: ACCEPT -# - name: Copy a new "snmpd.conf file into /etc/snmpd/snmpd.conf -# copy: -# src: /vagrant/snmpd.conf -# dest: /etc/snmp/snmpd.conf -# owner: "{{ user.login }}" -# group: "{{ user.group }}" -# remote_src: yes -# mode: preserve -# force: true -# backup: true - - name: Configure snmpd via blockinfile blockinfile: path: /etc/snmp/snmpd.conf From d43bbe4f2594b66a7331c8ed28b4bda1928cafd8 Mon Sep 17 00:00:00 2001 From: Artsiom Rudenia Date: Wed, 2 Dec 2020 01:26:01 +0300 Subject: [PATCH 11/14] Homework 2: state:present for pyOpenSSL --- student_files/02/provision_me.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/student_files/02/provision_me.yml b/student_files/02/provision_me.yml index f52186b..40eba93 100644 --- a/student_files/02/provision_me.yml +++ b/student_files/02/provision_me.yml @@ -66,7 +66,7 @@ - name: install latest pyOpenSSL if needed pip: name: pyOpenSSL - state: latest + state: present - name: Checkout git repository From ebab631b31c9542673f805c2ed3bbd238ee63af2 Mon Sep 17 00:00:00 2001 From: Artsiom Rudenia Date: Wed, 2 Dec 2020 18:15:46 +0300 Subject: [PATCH 12/14] Homework 2: completed with copy module and certs --- student_files/02/{ => files}/snmpd.conf | 0 student_files/02/provision_me.yml | 51 ++++++++++++++++--------- 2 files changed, 33 insertions(+), 18 deletions(-) rename student_files/02/{ => files}/snmpd.conf (100%) diff --git a/student_files/02/snmpd.conf b/student_files/02/files/snmpd.conf similarity index 100% rename from student_files/02/snmpd.conf rename to student_files/02/files/snmpd.conf 
diff --git a/student_files/02/provision_me.yml b/student_files/02/provision_me.yml index 40eba93..af29741 100644 --- a/student_files/02/provision_me.yml +++ b/student_files/02/provision_me.yml @@ -47,6 +47,12 @@ state: present key: "{{ user.authorized_key }}" + - name: Install epel-release via yum + yum: + name: epel-release + state: present + enablerepo: extras + - name: Install software package: name: @@ -55,20 +61,14 @@ - iptables-services - net-snmp - net-snmp-utils - state: present - - - name: Install Python PIP RPMs - become: true - package: - name: python2-pip + - python-pip state: present - name: install latest pyOpenSSL if needed pip: - name: pyOpenSSL + name: pyopenssl state: present - - name: Checkout git repository git: repo: https://github.com/ultral/2048.git @@ -76,6 +76,11 @@ force: true version: fc1ef4fe5a5fcccea7590f3e4c187c75980b353f + - name: Upgrade pip to latest vesion + pip: + name: pip + extra_args: --upgrade + - name: Allow access via HTTP iptables: chain: INPUT @@ -84,7 +89,7 @@ ctstate: NEW jump: ACCEPT - - name: Allow access via UPD for snmpd + - name: Allow access via UDP for snmpd iptables: chain: INPUT protocol: udp 
@@ -92,15 +97,25 @@ ctstate: NEW jump: ACCEPT - - name: Configure snmpd via blockinfile - blockinfile: - path: /etc/snmp/snmpd.conf - state: present - block: | - syslocation Server Room - syscontact SysAdmin (devops@example.com) - rocommunity snmp_secret_rocommunity - insertafter: EOF + - name: Copy a new "snmpd.conf file into /etc/snmpd/snmpd.conf + copy: + src: snmpd.conf + dest: /etc/snmp/snmpd.conf + owner: "{{ user.login }}" + group: "{{ user.group }}" + mode: preserve + force: true + backup: true + + # - name: Configure snmpd via blockinfile + # blockinfile: + # path: /etc/snmp/snmpd.conf + # state: present + # block: | + # syslocation Server Room + # syscontact SysAdmin (devops@example.com) + # rocommunity snmp_secret_rocommunity + # insertafter: EOF - name: Generate an OpenSSL private key with the default values (4096 bits, RSA) openssl_privatekey: From 2824808053d79e439e1652c42b40f8773944cfc8 Mon Sep 17 00:00:00 2001 From: Artsiom Rudenia Date: Thu, 3 Dec 2020 19:25:06 +0300 Subject: [PATCH 13/14] Homework 3: completed, just skipped one annoying 503 ansible lint error --- student_files/03/provision_iptables.yml | 5 ++-- student_files/03/provision_me.yml | 10 +++++++ student_files/03/provision_software.yml | 25 +++++++++++++++++ student_files/03/provision_users.yml | 34 +++++++++++++++++++++--- student_files/03/templates/snmpd_conf.j2 | 5 ++++ 5 files changed, 74 insertions(+), 5 deletions(-) create mode 100644 student_files/03/templates/snmpd_conf.j2 diff --git a/student_files/03/provision_iptables.yml b/student_files/03/provision_iptables.yml index d836b0b..799132a 100644 --- a/student_files/03/provision_iptables.yml +++ b/student_files/03/provision_iptables.yml 
@@ -18,9 +18,10 @@ # ansible lint complains about reloading, so we disable that warning # noqa 503 # also iptables-restore doesn't work inside docker, so we skip the step - command: iptables-restore /etc/sysconfig/iptables + command: "{{ item.iptables_filename }}-restore /etc/sysconfig/{{ item.iptables_filename }}" when: - - iptables_rules_install_result.changed + - item.changed # should be removed after releasing https://github.com/ansible/ansible/issues/66304 - ansible_virtualization_type != "docker" - ansible_virtualization_type != "VirtualPC" + with_items: "{{ iptables_rules_install_result.results }}" diff --git a/student_files/03/provision_me.yml b/student_files/03/provision_me.yml index 53ad24a..e4c4abb 100644 --- a/student_files/03/provision_me.yml +++ b/student_files/03/provision_me.yml @@ -6,9 +6,16 @@ become_user: root vars: iptables_allowed_ports: + # default - {protocol: tcp, port: 180} - {protocol: tcp, port: 1443} - {protocol: udp, port: 1161} + # task3.3 + - {protocol: udp, port: 161} + - {protocol: tcp, port: 443} + # httpd + - {protocol: tcp, port: 80} + sshgroup_name: sshusers user: login: deploy password_hash: @@ -21,6 +28,9 @@ 5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0\ jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE9\ 8OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" + snmpd_config: + - {access: rocommunity, community: public, address: 127.0.0.1} + - {access: rocommunity, community: private, address: 192.168.1.1} tasks: - name: Create admin user import_tasks: provision_users.yml diff --git a/student_files/03/provision_software.yml b/student_files/03/provision_software.yml index e2681b7..d71e7a0 100644 --- a/student_files/03/provision_software.yml +++ b/student_files/03/provision_software.yml 
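Review bot: The reworked `command:` builds the binary name and path from `item.iptables_filename`, which only exists if the task that registered `iptables_rules_install_result` ran with `loop_control: loop_var: iptables_filename` (as the role version in PATCH 14 does); that registering task is outside this hunk, so please confirm lab 03's copy was updated too, otherwise every iteration fails on an undefined attribute. The `# noqa 503` marker sits on a comment line above `command:` rather than on the task's own line, so ansible-lint may not honour it.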
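Review bot: `snmpd_config` grants `rocommunity public` and `rocommunity private` — the two well-known default SNMP community strings that every scanner tries first — and the first hunk of this file opens UDP/161 to all sources via `iptables_allowed_ports`. The address restrictions (`127.0.0.1`, `192.168.1.1`) help, but the community values should be random and kept out of the repository, e.g. `{access: rocommunity, community: "{{ snmp_ro_community }}", address: 127.0.0.1}` with the variable (name constructed here) supplied from a vaulted vars file. The port list also keeps the `180/1443/1161` entries next to the real ones, which deserves a comment on why both sets stay open.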
@@ -11,11 +11,36 @@ package: name: - httpd + - net-snmp + - net-snmp-utils state: present when: ansible_distribution == 'CentOS' + - name: Install software Ubuntu package: name: - apache2 + - snmpd state: present when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + +- name: Configure snmpd via template module + template: + src: "snmpd_conf.j2" + dest: "/etc/snmp/snmpd.conf" + owner: root + group: root + mode: '0600' + backup: true + register: snmpd_config_result + become: true + +- name: Restart snmpd if config changed + systemd: + name: snmpd + state: restarted + daemon_reload: true + when: snmpd_config_result.changed + become: true + tags: + - skip_ansible_lint diff --git a/student_files/03/provision_users.yml b/student_files/03/provision_users.yml index e29df99..3e860db 100644 --- a/student_files/03/provision_users.yml +++ b/student_files/03/provision_users.yml 
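Review bot: `Restart snmpd if config changed` reimplements a handler (`register` + `when: snmpd_config_result.changed`) and then silences ansible-lint with `tags: skip_ansible_lint`, which is exactly what rule 503 flags; a `notify: Restart snmpd` on the template task plus a handler restarts once, after all changes, with no lint skip. `daemon_reload: true` is not needed for a config-only change. The `package:` task at the top of the hunk starts outside it.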
@@ -1,16 +1,44 @@ --- -- name: Create admin account +# - name: Create admin account +# user: +# name: "{{ user.login }}" +# shell: /bin/bash +# update_password: always +# password: "{{ user.password_hash }}" + +# - name: Add admin to sudoers +# lineinfile: +# dest: /etc/sudoers +# state: present +# line: "{{ user.login }} ALL=(ALL:ALL) NOPASSWD:ALL" + +# - name: Create authorized key for admin +# authorized_key: +# user: "{{ user.login }}" +# state: present +# key: "{{ user.authorized_key }}" + +- name: Create {{ sshgroup_name }} group for {{ user.login }} + group: + name: "{{ sshgroup_name }}" + state: present + +- name: Create user {{ user.login }} account user: name: "{{ user.login }}" + groups: "{{ sshgroup_name }}" shell: /bin/bash update_password: always password: "{{ user.password_hash }}" -- name: Add admin to sudoers + +- name: Add user {{ user.login }} to sudoers lineinfile: dest: /etc/sudoers state: present line: "{{ user.login }} ALL=(ALL:ALL) NOPASSWD:ALL" -- name: Create authorized key for admin + validate: '/usr/sbin/visudo -cf %s' + +- name: Create authorized key for user {{ user.login }} authorized_key: user: "{{ user.login }}" state: present diff --git a/student_files/03/templates/snmpd_conf.j2 b/student_files/03/templates/snmpd_conf.j2 new file mode 100644 index 0000000..84d5e19 --- /dev/null +++ b/student_files/03/templates/snmpd_conf.j2 @@ -0,0 +1,5 @@ +{% if snmpd_config is defined %} +{% for record in snmpd_config %} +{{ record.access }} {{ record.community }} {{ record.address }} +{% endfor %} +{% endif %} \ No newline at end of file From d9d22face746d195da8c5b2a7fc07d1904fb8376 Mon Sep 17 00:00:00 2001 
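Review bot: `groups: "{{ sshgroup_name }}"` on the `user` task has no `append: true`, and the Ansible `user` module with `append` unset removes the account from every supplementary group not listed; that is harmless on first creation but strips `deploy` from any group added later, so add `append: true` if the intent is only to ensure membership. The `validate: '/usr/sbin/visudo -cf %s'` addition on the sudoers task is the right fix. The 19 commented-out lines of the old tasks at the top of the file should be removed; git history keeps them.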
From: Artsiom Rudenia Date: Wed, 9 Dec 2020 00:26:24 +0300 Subject: [PATCH 14/14] Homework 4: completed --- student_files/04/provision_me.yml | 5 ++++- .../04/roles/game2048/defaults/main.yml | 8 ++++---- .../04/roles/game2048/tasks/main.yml | 4 ++-- .../04/roles/iptables/handlers/main.yml | 8 ++++++++ .../roles/iptables/library/reload_iptables.sh | 11 +++++++++++ .../iptables/tasks/configure_iptables.yml | 19 +++++++++++++++++++ .../roles/iptables/tasks/install_iptables.yml | 8 ++++++++ .../04/roles/iptables/tasks/main.yml | 5 +++++ .../templates/ip6tables.j2 | 0 .../templates/iptables.j2 | 6 ++++-- .../04/roles/snmpd/defaults/main.yml | 2 ++ .../04/roles/snmpd/tasks/configure_snmpd.yml | 8 ++++++++ .../04/roles/snmpd/tasks/install_snmpd.yml | 7 +++++++ student_files/04/roles/snmpd/tasks/main.yml | 5 +++++ .../04/roles/snmpd/templates/snmpd_config.j2 | 16 ++++++++++++++++ .../04/roles/users/defaults/main.yml | 6 ++++++ .../04/roles/users/files/keys/deploy3.pub | 1 + .../04/roles/users/files/keys/deploy4.pub | 2 ++ .../04/roles/users/files/keys/deploy5.pub | 1 + .../users_without_password_hash.py | 13 +++++++++++++ student_files/04/roles/users/tasks/main.yml | 3 +++ 21 files changed, 129 insertions(+), 9 deletions(-) create mode 100644 student_files/04/roles/iptables/handlers/main.yml create mode 100644 student_files/04/roles/iptables/library/reload_iptables.sh create mode 100644 student_files/04/roles/iptables/tasks/configure_iptables.yml create mode 100644 student_files/04/roles/iptables/tasks/install_iptables.yml create mode 100644 student_files/04/roles/iptables/tasks/main.yml rename student_files/04/roles/{game2048 => iptables}/templates/ip6tables.j2 (100%) rename student_files/04/roles/{game2048 => iptables}/templates/iptables.j2 (85%) create mode 100644 student_files/04/roles/snmpd/defaults/main.yml create mode 100644 student_files/04/roles/snmpd/tasks/configure_snmpd.yml create mode 100644 student_files/04/roles/snmpd/tasks/install_snmpd.yml create mode 
100644 student_files/04/roles/snmpd/tasks/main.yml create mode 100644 student_files/04/roles/snmpd/templates/snmpd_config.j2 create mode 100644 student_files/04/roles/users/files/keys/deploy3.pub create mode 100644 student_files/04/roles/users/files/keys/deploy4.pub create mode 100644 student_files/04/roles/users/files/keys/deploy5.pub create mode 100644 student_files/04/roles/users/filter_plugins/users_without_password_hash.py diff --git a/student_files/04/provision_me.yml b/student_files/04/provision_me.yml index 9ecddc2..89dbbd4 100644 --- a/student_files/04/provision_me.yml +++ b/student_files/04/provision_me.yml @@ -5,10 +5,13 @@ become: true become_user: root vars: - iptables_allowed_ports: + # iptables_allowed_ports: + iptables__allowed_ports: - {protocol: tcp, port: 80} - {protocol: tcp, port: 443} - {protocol: udp, port: 161} roles: - role: users + - role: snmpd + - role: iptables - role: game2048 diff --git a/student_files/04/roles/game2048/defaults/main.yml b/student_files/04/roles/game2048/defaults/main.yml index 230c5c2..84a1cee 100644 --- a/student_files/04/roles/game2048/defaults/main.yml +++ b/student_files/04/roles/game2048/defaults/main.yml @@ -1,9 +1,9 @@ --- game2048__software: - - iptables - - iptables-services + # - iptables + # - iptables-services - httpd - git -game2048__iptables_allowed_ports: - - {protocol: tcp, port: 80} +# game2048__iptables_allowed_ports: +# - {protocol: tcp, port: 80} diff --git a/student_files/04/roles/game2048/tasks/main.yml b/student_files/04/roles/game2048/tasks/main.yml index b385dbf..c7844a6 100644 --- a/student_files/04/roles/game2048/tasks/main.yml +++ b/student_files/04/roles/game2048/tasks/main.yml @@ -1,8 +1,8 @@ --- - name: Install software import_tasks: provision_software.yml -- name: Configure iptables - import_tasks: provision_iptables.yml +# - name: Configure iptables +# import_tasks: provision_iptables.yml - name: Install game 2048 import_tasks: provision_site.yml - name: Print message 
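Review bot: Style: the renamed variable leaves `# iptables_allowed_ports:` behind, and the `game2048` `defaults/main.yml` and `tasks/main.yml` hunks likewise comment out the iptables entries instead of deleting them (PATCH 12's commented `blockinfile` task and the top of PATCH 13's `provision_users.yml` do the same). Git history already preserves the old form; commented-out YAML only leaves the next reader unsure which settings are live. Delete those lines.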
diff --git a/student_files/04/roles/iptables/handlers/main.yml b/student_files/04/roles/iptables/handlers/main.yml new file mode 100644 index 0000000..f633932 --- /dev/null +++ b/student_files/04/roles/iptables/handlers/main.yml @@ -0,0 +1,8 @@ +--- +- name: Reload iptables + reload_iptables: + register: result_iptables_reload + +- name: Print iptables module result + debug: + var: result_iptables_reload diff --git a/student_files/04/roles/iptables/library/reload_iptables.sh b/student_files/04/roles/iptables/library/reload_iptables.sh new file mode 100644 index 0000000..db47578 --- /dev/null +++ b/student_files/04/roles/iptables/library/reload_iptables.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +JSON_FMT='{ + "changed": false, + "msg": "Reload iptables via Bash command after config file change)", + "date": "%s" +}' + +/usr/sbin/iptables-restore /etc/sysconfig/iptables +printf "$JSON_FMT" "$(date)" + diff --git a/student_files/04/roles/iptables/tasks/configure_iptables.yml b/student_files/04/roles/iptables/tasks/configure_iptables.yml new file mode 100644 index 0000000..a68b72d --- /dev/null +++ b/student_files/04/roles/iptables/tasks/configure_iptables.yml @@ -0,0 +1,19 @@ +--- + +- name: Configure iptables + template: + src: "{{ iptables_filename }}.j2" + dest: "/etc/sysconfig/{{ iptables_filename }}" + # validate: "/sbin/{{ iptables_filename }}-restore --test %s" + mode: 0644 + owner: root + group: root + register: iptables_rules_install_result + loop_control: + loop_var: iptables_filename + loop: + - iptables + - ip6tables + notify: + - Reload iptables + - Print iptables module result diff --git a/student_files/04/roles/iptables/tasks/install_iptables.yml b/student_files/04/roles/iptables/tasks/install_iptables.yml new file mode 100644 index 0000000..addefd3 --- /dev/null +++ b/student_files/04/roles/iptables/tasks/install_iptables.yml @@ -0,0 +1,8 @@ +--- + +- name: Install iptables + package: + name: + - iptables + - iptables-services + state: present 
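Review bot: `reload_iptables.sh` ignores the exit status of `iptables-restore` and always prints `"changed": false` with a success message, so a broken rules file is reported to Ansible as a clean reload and the host silently keeps whatever rules were loaded before. It also only restores `/etc/sysconfig/iptables`, while `configure_iptables.yml` templates `ip6tables` as well and notifies the same handler, so IPv6 changes are never applied. The script should check each restore, emit `"failed": true` with the error text on failure, and cover both files; the message string also has an unbalanced `)`.
```shell
#!/bin/bash
# Handler "module": reload the templated rules and report failure instead of
# unconditionally returning success.
set -u

emit() {  # $1 = changed, $2 = failed, $3 = msg
  printf '{"changed": %s, "failed": %s, "msg": "%s", "date": "%s"}\n' "$1" "$2" "$3" "$(date)"
}

if ! err=$(/usr/sbin/iptables-restore /etc/sysconfig/iptables 2>&1); then
  emit false true "iptables-restore failed: ${err//\"/\\\"}"
  exit 1
fi
# ip6tables is templated by the same task; restore it too or its notify is a no-op
if ! err=$(/usr/sbin/ip6tables-restore /etc/sysconfig/ip6tables 2>&1); then
  emit false true "ip6tables-restore failed: ${err//\"/\\\"}"
  exit 1
fi
emit true false "Reloaded iptables/ip6tables after config file change"
```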
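Review bot: `mode: 0644` is an unquoted octal while the snmpd task in the same series writes `mode: '0600'`; the leading zero works, but the form is easy to get wrong and ansible-lint flags it, so quote it: `mode: '0644'`. The `validate: "/sbin/{{ iptables_filename }}-restore --test %s"` line is commented out, so a syntactically broken template is written to `/etc/sysconfig/iptables` and only discovered when the `Reload iptables` handler runs — which, as committed, ignores failures. If `--test` was disabled because of the docker/VirtualPC cases noted in lab 03, guard the task with a `when:` on `ansible_virtualization_type` instead of dropping the validation.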
diff --git a/student_files/04/roles/iptables/tasks/main.yml b/student_files/04/roles/iptables/tasks/main.yml new file mode 100644 index 0000000..db773d1 --- /dev/null +++ b/student_files/04/roles/iptables/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: Install iptables + import_tasks: install_iptables.yml +- name: Configure iptables + import_tasks: configure_iptables.yml diff --git a/student_files/04/roles/game2048/templates/ip6tables.j2 b/student_files/04/roles/iptables/templates/ip6tables.j2 similarity index 100% rename from student_files/04/roles/game2048/templates/ip6tables.j2 rename to student_files/04/roles/iptables/templates/ip6tables.j2 diff --git a/student_files/04/roles/game2048/templates/iptables.j2 b/student_files/04/roles/iptables/templates/iptables.j2 similarity index 85% rename from student_files/04/roles/game2048/templates/iptables.j2 rename to student_files/04/roles/iptables/templates/iptables.j2 index 2b5e817..2884004 100644 --- a/student_files/04/roles/game2048/templates/iptables.j2 +++ b/student_files/04/roles/iptables/templates/iptables.j2 @@ -21,10 +21,12 @@ # accept ssh -A INPUT -p tcp --dport 22 -j ACCEPT +# check iptables reload handler +-A INPUT -p tcp --dport 23 -j ACCEPT # Iptables rules template -{% if iptables_allowed_ports is defined %} -{% for record in iptables_allowed_ports %} +{% if iptables__allowed_ports is defined %} +{% for record in iptables__allowed_ports %} -A INPUT -m {{ record.protocol }} -p {{ record.protocol }} --dport {{ record.port }} -j ACCEPT {% endfor %} {% endif %} diff --git a/student_files/04/roles/snmpd/defaults/main.yml b/student_files/04/roles/snmpd/defaults/main.yml new file mode 100644 index 0000000..1dbc37c --- /dev/null +++ b/student_files/04/roles/snmpd/defaults/main.yml @@ -0,0 +1,2 @@ +--- +snmp_community: snmp_secret_community diff --git a/student_files/04/roles/snmpd/tasks/configure_snmpd.yml b/student_files/04/roles/snmpd/tasks/configure_snmpd.yml new file mode 100644 index 0000000..7e7db4c 
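Review bot: The template now ships `-A INPUT -p tcp --dport 23 -j ACCEPT` under `# check iptables reload handler` — a debugging rule that opens the telnet port on every host this role is applied to. Verify the handler another way (the `Print iptables module result` handler already in the role shows its output) and remove those two lines before merging. With the `is defined` guard, a host that does not set `iptables__allowed_ports` at play level silently gets none of the application ports opened, which may be intended but deserves a comment.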
--- /dev/null +++ b/student_files/04/roles/snmpd/tasks/configure_snmpd.yml @@ -0,0 +1,8 @@ +--- +- name: Configure snmpd + template: + src: snmpd_config.j2 + dest: /etc/snmp/snmpd.conf + mode: '0600' + owner: root + group: root diff --git a/student_files/04/roles/snmpd/tasks/install_snmpd.yml b/student_files/04/roles/snmpd/tasks/install_snmpd.yml new file mode 100644 index 0000000..45c95d2 --- /dev/null +++ b/student_files/04/roles/snmpd/tasks/install_snmpd.yml @@ -0,0 +1,7 @@ +--- +- name: Install snmpd + package: + name: + - net-snmp + - net-snmp-utils + state: present diff --git a/student_files/04/roles/snmpd/tasks/main.yml b/student_files/04/roles/snmpd/tasks/main.yml new file mode 100644 index 0000000..367c859 --- /dev/null +++ b/student_files/04/roles/snmpd/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: Install snmpd + import_tasks: install_snmpd.yml +- name: Confgure snmpd + import_tasks: configure_snmpd.yml diff --git a/student_files/04/roles/snmpd/templates/snmpd_config.j2 b/student_files/04/roles/snmpd/templates/snmpd_config.j2 new file mode 100644 index 0000000..87b9c29 --- /dev/null +++ b/student_files/04/roles/snmpd/templates/snmpd_config.j2 @@ -0,0 +1,16 @@ +com2sec notConfigUser default public + +group notConfigGroup v1 notConfigUser +group notConfigGroup v2c notConfigUser + +view systemview included .1.3.6.1.2.1.1 +view systemview included .1.3.6.1.2.1.25.1.1 + +syslocation Unknown (edit /etc/snmp/snmpd.conf) +syscontact Root (configure /etc/snmp/snmp.local.conf) + +dontLogTCPWrappersConnects yes + +syslocation Server Room +syscontact SysAdmin (devops@example.com) +rocommunity {{ snmp_community }} \ No newline at end of file diff --git a/student_files/04/roles/users/defaults/main.yml b/student_files/04/roles/users/defaults/main.yml index 097fe49..d4bc48a 100644 --- a/student_files/04/roles/users/defaults/main.yml +++ b/student_files/04/roles/users/defaults/main.yml 
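Review bot: The template writes `/etc/snmp/snmpd.conf` with `mode: '0600'` and root ownership (good), but nothing in the `snmpd` role — its files per the diffstat are `defaults`, `tasks/install_snmpd.yml`, `tasks/configure_snmpd.yml`, `tasks/main.yml` and `templates/` — starts or enables the service or restarts it on change, so a config change is not applied until snmpd is restarted by hand; lab 02 had a `Start and enable snmpd` task and lab 03 a restart-on-change. Add `notify: Restart snmpd` here with a matching handler, plus a `systemd` task with `enabled: true`, `state: started`. `Confgure snmpd` in `tasks/main.yml` is a typo.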
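Review bot: The template carries the stock `com2sec notConfigUser default public` / `group notConfigGroup` / `view systemview` lines, which grant the well-known `public` community from any source (`default`), and then appends `rocommunity {{ snmp_community }}` with no source either, so the custom community adds no access control and `public` still works. Drop the stock com2sec/group/view block and restrict the custom line, e.g. `rocommunity {{ snmp_community }} 127.0.0.1` or the management network. `snmp_community` defaults to `snmp_secret_community` in `defaults/main.yml`, a committed value every host using the role shares unless overridden; mark it as a placeholder in a comment or move the real value to a vaulted variable. `syslocation`/`syscontact` appear twice; presumably the later pair takes effect, so remove the first.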
@@ -7,3 +7,9 @@ users__super_admins: email: dep@loy.me - login: deploy2 email: dep@loy.com + - login: deploy3 + email: dep@loy.cc + password_hash: "{{ users__default_password_hash }}" + - login: deploy4 + password_hash: "{{ users__default_password_hash }}" + - login: deploy5 diff --git a/student_files/04/roles/users/files/keys/deploy3.pub b/student_files/04/roles/users/files/keys/deploy3.pub new file mode 100644 index 0000000..18a9c00 --- /dev/null +++ b/student_files/04/roles/users/files/keys/deploy3.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key diff --git a/student_files/04/roles/users/files/keys/deploy4.pub b/student_files/04/roles/users/files/keys/deploy4.pub new file mode 100644 index 0000000..434021c --- /dev/null +++ b/student_files/04/roles/users/files/keys/deploy4.pub 
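Review bot: `deploy3` and `deploy4` both take `password_hash: "{{ users__default_password_hash }}"`, so two super-admin accounts share one password; where that variable is defined is outside this diff, but a shared default for privileged accounts means one leaked password compromises both and cannot be rotated per user. Prefer per-user hashes, or no hash at all so the accounts stay key-only, and if a default must exist keep it in Vault and have the role `assert` that it is not the placeholder. `deploy5` has neither `password_hash` nor `email`; if the role treats a missing hash as a locked password that is fine, but a comment on the entry should say so. The `users__super_admins` list starts above the hunk.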
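Review bot: The key added as `deploy3.pub` is the Vagrant insecure key (its own comment says `vagrant insecure public key`), whose private half is published with Vagrant, so anyone who can reach sshd can log in as this super-admin user. Even for a lab this should be a freshly generated per-user key; at minimum add a `# disposable lab key — never deploy outside the Vagrant box` comment line to the file so it is not copied into a real inventory by accident.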
@@ -0,0 +1,2 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key +ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key diff --git a/student_files/04/roles/users/files/keys/deploy5.pub b/student_files/04/roles/users/files/keys/deploy5.pub new file mode 100644 index 0000000..18a9c00 --- /dev/null +++ b/student_files/04/roles/users/files/keys/deploy5.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key diff --git a/student_files/04/roles/users/filter_plugins/users_without_password_hash.py b/student_files/04/roles/users/filter_plugins/users_without_password_hash.py new file mode 100644 index 0000000..28fdd37 --- /dev/null +++ b/student_files/04/roles/users/filter_plugins/users_without_password_hash.py 
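Review bot: `deploy4.pub` contains the same public key twice; the second line is a verbatim duplicate that adds nothing and, if the role appends the file to `authorized_keys`, leaves a redundant entry that makes a later rotation easy to get half wrong. Keep one line. As with the other `deployN.pub` files this is the publicly known Vagrant insecure key, so it hands super-admin shell access to anyone with the published private key; replace it with a generated key before the role is used anywhere but a throwaway box.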
@@ -0,0 +1,13 @@ +#!/usr/bin/python +class FilterModule(object): + def filters(self): + return { + 'users_without_password_hash': self.a_users_without_password_hash + } + + def a_users_without_password_hash(self, users_input): + users_output = [] + for user in users_input: + if 'password_hash' not in user: + users_output.append(user['login']) + return users_output \ No newline at end of file diff --git a/student_files/04/roles/users/tasks/main.yml b/student_files/04/roles/users/tasks/main.yml index a57714f..d18820b 100644 --- a/student_files/04/roles/users/tasks/main.yml +++ b/student_files/04/roles/users/tasks/main.yml @@ -25,3 +25,6 @@ loop: "{{ users__super_admins }}" loop_control: loop_var: users__loop_item +- name: Print users without password hash + debug: + msg: Users without password hash "{{ users__super_admins | users_without_password_hash }}"
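Review bot: `a_users_without_password_hash` only checks key presence, so a user with `password_hash: ''` or `password_hash: null` is reported as having one, and an entry without `login` raises a bare `KeyError` with no hint which record is bad. Treat an empty or null hash as missing and use a comprehension instead of the manual accumulation loop: `return [u['login'] for u in users_input if not u.get('password_hash')]`. A module docstring saying this filter backs the `users` role's password-hash report, and a trailing newline at end of file, would finish it off.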
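Review bot: The new `debug` task only prints the logins that lack a `password_hash`; nothing enforces the policy, so an account created without a password goes unnoticed unless someone reads the play output. If every super admin is meant to have a hash, make it an `assert` with `that: (users__super_admins | users_without_password_hash) | length == 0` and a `fail_msg` listing the offenders; if a missing hash deliberately means a locked password, say so in the message instead of just listing names. The task list this hunk extends starts above it.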