Homework 1,2,3,4

student_files/01/Vagrantfile

@@ -20,5 +20,11 @@ Vagrant.configure('2') do |config|
   end
 
   # provision VM via bash
-  config.vm.provision 'shell', path: 'provision_me.sh'
+#  config.vm.provision 'shell', path: 'provision_me.sh'
+
+  # provision VM via ansible
+    config.vm.provision 'ansible_local' do |ansible|
+    ansible.playbook = '/vagrant/provision_me.yml'
+    ansible.verbose = 'v'
+  end
 end

student_files/01/history.txt

@@ -0,0 +1,64 @@
+[vagrant@localhost ~]$ history | cut -c 8-
+exit
+ll
+ls
+[wd
+pwd
+ls
+cd /vagrant
+ls
+cat provision_me.sh
+sudo bash provision_me.sh
+iptables -L
+sudo su
+ssh-keygen
+ssh-copy-id check_inv
+ssh check_inv
+ansible-playbook -vvv -i inventory.ini /vagrant/provision_me.yml
+history | less
+history
+ansible-playbook -i inventory.ini /vagrant/provision_me.yml
+exit
+history
+exit
+history
+sudo su
+ansible-playbook -vvv -i inventory.ini /vagrant/provision_me.yml
+less /vagrant/provision_me.yml
+ssh check_inv
+cat /home/vagrant/inventory.ini
+ansible-playbook -vvv -i /vagrant/inventory.ini /vagrant/provision_me.yml
+exit
+ansible-playbook  -i /vagrant/inventory.ini /vagrant/provision_me.yml
+
+[vagrant@localhost vagrant]$ history | cut -c 8-
+exit
+ll
+ls
+[wd
+pwd
+ls
+cd /vagrant
+ls
+cat provision_me.sh
+sudo bash provision_me.sh
+iptables -L
+sudo su
+ssh-keygen
+ssh-copy-id check_inv
+ssh check_inv
+ansible-playbook -vvv -i inventory.ini /vagrant/provision_me.yml
+history | less
+history
+ansible-playbook -i inventory.ini /vagrant/provision_me.yml
+exit
+history
+exit
+history
+sudo su
+ansible-playbook -vvv -i inventory.ini /vagrant/provision_me.yml
+less /vagrant/provision_me.yml
+ssh check_inv
+cat /home/vagrant/inventory.ini
+ansible-playbook -vvv -i /vagrant/inventory.ini /vagrant/provision_me.yml
+exit

student_files/01/inventory.ini

@@ -0,0 +1 @@
+check_inv

student_files/01/vagrant_error.txt

@@ -0,0 +1,28 @@
+INFO interface: error: The guest machine entered an invalid state while waiting for it
+to boot. Valid states are 'starting, running'. The machine is in the
+'unknown' state. Please verify everything is configured
+properly and try again.
+
+it is often helpful to open that and watch the machine, since the
+GUI often has more helpful error messages than Vagrant can retrieve.
+For example, if you're using VirtualBox, run `vagrant up` while the
+VirtualBox GUI is open.
+
+The primary issue for this error is that the provider you're using
+is not properly configured. This is very rarely a Vagrant issue.
+The guest machine entered an invalid state while waiting for it
+to boot. Valid states are 'starting, running'. The machine is in the
+'unknown' state. Please verify everything is configured
+properly and try again.
+
+If the provider you're using has a GUI that comes with it,
+it is often helpful to open that and watch the machine, since the
+GUI often has more helpful error messages than Vagrant can retrieve.
+For example, if you're using VirtualBox, run `vagrant up` while the
+VirtualBox GUI is open.
+
+The primary issue for this error is that the provider you're using
+is not properly configured. This is very rarely a Vagrant issue.
+ INFO interface: Machine: error-exit ["Vagrant::Errors::VMBootBadState", "The guest machine entered an invalid state while waiting for it\nto boot. Valid states are 'starting, running'. The machine is in the\n'unknown' state. Please verify everything is configured\nproperly and try again.\n\nIf the provider you're using has a GUI that comes with it,\nit is often helpful to open that and watch the machine, since the\nGUI often has more helpful error messages than Vagrant can retrieve.\nFor example, if you're using VirtualBox, run `vagrant up` while the\nVirtualBox GUI is open.\n\nThe primary issue for this error is that the provider you're using\nis not properly configured. This is very rarely a Vagrant issue."]
+PS C:\ansible-course\student_files\01> vagrant halt      
+==> default: Attempting graceful shutdown of VM...

student_files/02/files/snmpd.conf

@@ -0,0 +1,3 @@
+syslocation Server Room
+syscontact SysAdmin (devops@example.com)
+rocommunity snmp_secret_rocommunity

student_files/02/provision_me.yml

@@ -5,6 +5,7 @@
   become: true
   become_user: root
   vars:
+    sshgroup_name: sshusers
     user:
       login: deploy
       password_hash:
@@ -17,46 +18,133 @@
         hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZE\
         nDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHln\
         VYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
+      group: "{{ sshgroup_name }}"
+
   tasks:
-    - name: Create admin account
+    - name: Create {{ sshgroup_name }} group for {{ user.login }}
+      group:
+        name: "{{ sshgroup_name }}"
+        state: present
+
+    - name: Create user {{ user.login }} account
       user:
         name: "{{ user.login }}"
+        groups: "{{ user.group }}"
         shell: /bin/bash
         update_password: always
         password: "{{ user.password_hash }}"
-    - name: Add admin to sudoers
+
+    - name: Add user {{ user.login }} to sudoers
       lineinfile:
         dest: /etc/sudoers
         state: present
         line: "{{ user.login }} ALL=(ALL:ALL) NOPASSWD:ALL"
-    - name: Create authorized key for admin
+        validate: '/usr/sbin/visudo -cf %s'
+
+    - name: Create authorized key for user {{ user.login }}
       authorized_key:
         user: "{{ user.login }}"
         state: present
         key: "{{ user.authorized_key }}"
+
+    - name: Install epel-release via yum
+      yum:
+        name: epel-release
+        state: present
+        enablerepo: extras
+
     - name: Install software
       package:
         name:
           - httpd
           - git
+          - iptables-services
+          - net-snmp
+          - net-snmp-utils
+          - python-pip
         state: present
+
+    - name: install latest pyOpenSSL if needed
+      pip:
+        name: pyopenssl
+        state: present
+
     - name: Checkout git repository
       git:
         repo: https://github.com/ultral/2048.git
         dest: /var/www/html
         force: true
         version: fc1ef4fe5a5fcccea7590f3e4c187c75980b353f
+
+    - name: Upgrade pip to latest vesion
+      pip:
+        name: pip
+        extra_args: --upgrade
+
     - name: Allow access via HTTP
       iptables:
         chain: INPUT
         protocol: tcp
-        destination_port: 80
+        destination_port: '80'
         ctstate: NEW
         jump: ACCEPT
+
+    - name: Allow access via UDP for snmpd
+      iptables:
+        chain: INPUT
+        protocol: udp
+        destination_port: '161'
+        ctstate: NEW
+        jump: ACCEPT
+
+    - name: Copy a new "snmpd.conf file into /etc/snmpd/snmpd.conf
+      copy:
+        src: snmpd.conf
+        dest: /etc/snmp/snmpd.conf
+        owner: "{{ user.login }}"
+        group: "{{ user.group }}"
+        mode: preserve
+        force: true
+        backup: true
+
+    # - name: Configure snmpd via blockinfile
+    #   blockinfile:
+    #     path: /etc/snmp/snmpd.conf
+    #     state: present
+    #     block: |
+    #       syslocation Server Room
+    #       syscontact SysAdmin (devops@example.com)
+    #       rocommunity snmp_secret_rocommunity
+    #     insertafter: EOF
+
+    - name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
+      openssl_privatekey:
+        path: /etc/ssl/certs/ansible.com.pem
+
+    - name: Generate an OpenSSL Certificate Signing Request
+      openssl_csr:
+        path: /etc/ssl/certs/ansible.com.csr
+        privatekey_path: /etc/ssl/certs/ansible.com.pem
+        common_name: www.ansible.com
+
+    - name: Generate a Self Signed OpenSSL certificate
+      openssl_certificate:
+        path: /etc/ssl/certs/ansible.com.crt
+        privatekey_path: /etc/ssl/certs/ansible.com.pem
+        csr_path: /etc/ssl/certs/ansible.com.csr
+        provider: selfsigned
+
     - name: Start httpd
       systemd:
         name: httpd
         state: started
+
+    - name: Start and enable snmpd
+      systemd:
+        name: snmpd
+        enabled: true
+        state: started
+
     - name: Print message
       debug:
         msg: "Play 2028: http://localhost:8080/"

student_files/03/provision_iptables.yml

@@ -18,9 +18,10 @@
   # ansible lint complains about reloading, so we disable that warning
   # noqa 503
   # also  iptables-restore doesn't work inside docker, so we skip the step
-  command: iptables-restore /etc/sysconfig/iptables
+  command: "{{ item.iptables_filename }}-restore /etc/sysconfig/{{ item.iptables_filename }}"
   when:
-    - iptables_rules_install_result.changed
+    - item.changed
     # should be removed after releasing https://github.com/ansible/ansible/issues/66304
     - ansible_virtualization_type != "docker"
     - ansible_virtualization_type != "VirtualPC"
+  with_items: "{{ iptables_rules_install_result.results }}"

student_files/03/provision_me.yml

@@ -6,9 +6,16 @@
   become_user: root
   vars:
     iptables_allowed_ports:
+      # default
       - {protocol: tcp, port: 180}
       - {protocol: tcp, port: 1443}
       - {protocol: udp, port: 1161}
+      # task3.3
+      - {protocol: udp, port: 161}
+      - {protocol: tcp, port: 443}
+      # httpd
+      - {protocol: tcp, port: 80}
+    sshgroup_name: sshusers
     user:
       login: deploy
       password_hash:
@@ -21,6 +28,9 @@
         5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0\
         jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE9\
         8OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
+    snmpd_config:
+      - {access: rocommunity, community: public, address: 127.0.0.1}
+      - {access: rocommunity, community: private, address: 192.168.1.1}
   tasks:
     - name: Create admin user
       import_tasks: provision_users.yml

student_files/03/provision_software.yml

@@ -11,11 +11,36 @@
   package:
     name:
       - httpd
+      - net-snmp
+      - net-snmp-utils
     state: present
   when: ansible_distribution == 'CentOS'
+
 - name: Install software Ubuntu
   package:
     name:
       - apache2
+      - snmpd
     state: present
   when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+- name: Configure snmpd via template module
+  template:
+    src: "snmpd_conf.j2"
+    dest: "/etc/snmp/snmpd.conf"
+    owner: root
+    group: root
+    mode: '0600'
+    backup: true
+  register: snmpd_config_result
+  become: true
+
+- name: Restart snmpd if config changed
+  systemd:
+    name: snmpd
+    state: restarted
+    daemon_reload: true
+  when: snmpd_config_result.changed
+  become: true
+  tags:
+    - skip_ansible_lint

student_files/03/provision_users.yml

@@ -1,16 +1,44 @@
 ---
-- name: Create admin account
+# - name: Create admin account
+#   user:
+#     name: "{{ user.login }}"
+#     shell: /bin/bash
+#     update_password: always
+#     password: "{{ user.password_hash }}"
+
+# - name: Add admin to sudoers
+#   lineinfile:
+#     dest: /etc/sudoers
+#     state: present
+#     line: "{{ user.login }} ALL=(ALL:ALL) NOPASSWD:ALL"
+
+# - name: Create authorized key for admin
+#   authorized_key:
+#     user: "{{ user.login }}"
+#     state: present
+#     key: "{{ user.authorized_key }}"
+
+- name: Create {{ sshgroup_name }} group for {{ user.login }}
+  group:
+    name: "{{ sshgroup_name }}"
+    state: present
+
+- name: Create user {{ user.login }} account
   user:
     name: "{{ user.login }}"
+    groups: "{{ sshgroup_name }}"
     shell: /bin/bash
     update_password: always
     password: "{{ user.password_hash }}"
-- name: Add admin to sudoers
+
+- name: Add user {{ user.login }} to sudoers
   lineinfile:
     dest: /etc/sudoers
     state: present
     line: "{{ user.login }} ALL=(ALL:ALL) NOPASSWD:ALL"
-- name: Create authorized key for admin
+    validate: '/usr/sbin/visudo -cf %s'
+
+- name: Create authorized key for user {{ user.login }}
   authorized_key:
     user: "{{ user.login }}"
     state: present

student_files/03/templates/snmpd_conf.j2

@@ -0,0 +1,5 @@
+{% if snmpd_config is defined %}
+{% for record in snmpd_config %}
+{{ record.access }} {{ record.community }} {{ record.address }}
+{% endfor %}
+{% endif %}