MapleGrid/ansible/maplegrid.yml

# playbook.yml:
---
- name: "maplegrid"
  hosts: localhost
  connection: local
  vars_files:
    - maplegrid_variables.yml

###

  tasks:


#Add elastic repo for v7.x


    - name: Add elastic repo key
      shell: curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
    
    - name: install packages
      apt:
        pkg:
        - apt-transport-https
        - python-pip
        - python3-pip

    - name: add repo for elastic v7.x
      shell: echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
    
    - name: Install filebeat
      apt:
        name: filebeat
        update_cache: yes
    
    - name: Setup alternate SSH port
      lineinfile:
        dest: "/etc/ssh/sshd_config"
        regexp: "^Port"
        line: "Port 22222"
    
    - name: Setup alternate SSH port in fail2ban jail
      lineinfile:
        dest: "/etc/fail2ban/jail.conf"
        regexp: '^port    = ssh'
        line: "port    = 22222"
    
    - name: Restart fail2ban
      service:
        name: fail2ban
        state: restarted
        enabled: yes
    
    #PSHITT:
    
    - name: Install pip extensions
      shell: pip install python-daemon argparse paramiko
    
    - name: Git checkout
      git:
        repo: 'https://github.com/regit/pshitt'
        dest: /srv/pshitt
    
    - name: Add configuration block in /etc/systemd/system/pshitt.service 
      blockinfile:
        create: yes
        dest: /etc/systemd/system/pshitt.service
        block: |
          [Unit]
          Description=pshitt service
          Wants=network-online.target
          After=network-online.target
          
          [Service]
          ExecStart=/srv/pshitt/pshitt.py -p 22 -k /etc/ssh/ssh_host_rsa_key -o /var/log/pshitt/data.json -l /var/log/pshitt/log.log
          
          [Install]
          WantedBy=multi-user.target
    
    - name: Creates directory
      file:
        path: /var/log/pshitt
        state: directory
    
    #configure iptables:

    - name: Creates directory
      file:
        path: /scripts
        state: directory
    
    - name: create rules.v4
      blockinfile:
        create: yes
        state: present
        dest: "/scripts/rules.v4"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [372:91728]
          :fail2ban-ssh - [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22222 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
          -A INPUT -j DROP
          -A OUTPUT -o lo -j ACCEPT
          -A fail2ban-ssh -j RETURN
          COMMIT
          # Completed on Tue Nov 19 22:41:29 2019

    - name: reload iptables v4
      action: shell /sbin/iptables-restore /scripts/rules.v4
    
    - name: save iptables v4 rules
      shell: iptables-save > /etc/iptables/rules.v4
    
    #restart services on new ports:

    - name: Restart pshitt
      service:
        name: pshitt
        state: restarted
        enabled: yes
    
    - name: Restart sshd
      service:
        name: ssh
        state: restarted
        enabled: yes    

    #Filebeat:

    - name: delete file
      ignore_errors: yes
      file:
        state: absent
        path: /etc/filebeat/filebeat.yml
     
    - name: Ansible create file if it doesn't exist example
      ignore_errors: yes
      file:
        path: "/etc/filebeat/filebeat.yml"
        state: touch
    
    - name: create rules.v4
      blockinfile:
        create: yes
        state: present
        dest: "/etc/filebeat/filebeat.yml"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          filebeat.inputs:
          - type: log
            enabled: true
            paths:
              - /var/log/pshitt/data.json
            json.keys_under_root: true
          
          processors:
            - drop_fields:
                fields: ["beat", "source", "prospector", "offset", "host", "log", "input", "event", "fileset" ]
            - add_fields:
                target: ''
                fields:
                  pshitt_host: {{ filebeat_hostname }}
          
          output.logstash:
            hosts: ["{{ logstash_ip }}:{{ logstash_port }}"]
          
          #Filebeat service logging:
          logging.level: info
          logging.to_files: true
          logging.files:
            path: /var/log/filebeat
            name: filebeat
            keepfiles: 7
            permissions: 0640

    - name: Restart filebeat
      service:
        name: filebeat
        state: restarted
        enabled: yes
Upload files to 'ansible' 2022-05-26 10:39:32 +02:00			`# playbook.yml:`
			`---`
			`- name: "maplegrid"`
			`hosts: localhost`
			`connection: local`
			`vars_files:`
			`- maplegrid_variables.yml`

			`###`

			`tasks:`


			`#Add elastic repo for v7.x`


			`- name: Add elastic repo key`
			`shell: curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch \| apt-key add -`

			`- name: install packages`
			`apt:`
			`pkg:`
			`- apt-transport-https`
			`- python-pip`
			`- python3-pip`

			`- name: add repo for elastic v7.x`
			`shell: echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" \| tee /etc/apt/sources.list.d/elastic-7.x.list`

			`- name: Install filebeat`
			`apt:`
			`name: filebeat`
			`update_cache: yes`

			`- name: Setup alternate SSH port`
			`lineinfile:`
			`dest: "/etc/ssh/sshd_config"`
			`regexp: "^Port"`
			`line: "Port 22222"`

			`- name: Setup alternate SSH port in fail2ban jail`
			`lineinfile:`
			`dest: "/etc/fail2ban/jail.conf"`
			`regexp: '^port = ssh'`
			`line: "port = 22222"`

			`- name: Restart fail2ban`
			`service:`
			`name: fail2ban`
			`state: restarted`
			`enabled: yes`

			`#PSHITT:`

Update 'ansible/maplegrid.yml' 2022-05-26 19:43:56 +02:00			`- name: Install pip extensions`
Update 'ansible/maplegrid.yml' 2022-05-26 19:40:53 +02:00			`shell: pip install python-daemon argparse paramiko`
Upload files to 'ansible' 2022-05-26 10:39:32 +02:00
			`- name: Git checkout`
			`git:`
			`repo: 'https://github.com/regit/pshitt'`
			`dest: /srv/pshitt`

			`- name: Add configuration block in /etc/systemd/system/pshitt.service`
			`blockinfile:`
			`create: yes`
			`dest: /etc/systemd/system/pshitt.service`
			`block: \|`
			`[Unit]`
			`Description=pshitt service`
			`Wants=network-online.target`
			`After=network-online.target`

			`[Service]`
			`ExecStart=/srv/pshitt/pshitt.py -p 22 -k /etc/ssh/ssh_host_rsa_key -o /var/log/pshitt/data.json -l /var/log/pshitt/log.log`

			`[Install]`
			`WantedBy=multi-user.target`

			`- name: Creates directory`
			`file:`
			`path: /var/log/pshitt`
			`state: directory`

			`#configure iptables:`

			`- name: Creates directory`
			`file:`
			`path: /scripts`
			`state: directory`

			`- name: create rules.v4`
			`blockinfile:`
			`create: yes`
			`state: present`
			`dest: "/scripts/rules.v4"`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK #"`
			`block: \|`
			`# Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019`
			`*filter`
			`:INPUT DROP [0:0]`
			`:FORWARD DROP [0:0]`
			`:OUTPUT ACCEPT [372:91728]`
			`:fail2ban-ssh - [0:0]`
			`-A INPUT -i lo -j ACCEPT`
			`-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh`
			`-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT`
			`-A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22222 -j ACCEPT`
			`-A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT`
			`-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT`
			`-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`
			`-A INPUT -j DROP`
			`-A OUTPUT -o lo -j ACCEPT`
			`-A fail2ban-ssh -j RETURN`
			`COMMIT`
			`# Completed on Tue Nov 19 22:41:29 2019`

			`- name: reload iptables v4`
			`action: shell /sbin/iptables-restore /scripts/rules.v4`

			`- name: save iptables v4 rules`
			`shell: iptables-save > /etc/iptables/rules.v4`

			`#restart services on new ports:`

			`- name: Restart pshitt`
			`service:`
			`name: pshitt`
			`state: restarted`
			`enabled: yes`

			`- name: Restart sshd`
			`service:`
			`name: ssh`
			`state: restarted`
			`enabled: yes`

			`#Filebeat:`

			`- name: delete file`
			`ignore_errors: yes`
			`file:`
			`state: absent`
			`path: /etc/filebeat/filebeat.yml`

			`- name: Ansible create file if it doesn't exist example`
			`ignore_errors: yes`
			`file:`
			`path: "/etc/filebeat/filebeat.yml"`
			`state: touch`

			`- name: create rules.v4`
			`blockinfile:`
			`create: yes`
			`state: present`
			`dest: "/etc/filebeat/filebeat.yml"`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK #"`
			`block: \|`
			`filebeat.inputs:`
			`- type: log`
			`enabled: true`
			`paths:`
			`- /var/log/pshitt/data.json`
			`json.keys_under_root: true`

			`processors:`
			`- drop_fields:`
			`fields: ["beat", "source", "prospector", "offset", "host", "log", "input", "event", "fileset" ]`
			`- add_fields:`
			`target: ''`
			`fields:`
			`pshitt_host: {{ filebeat_hostname }}`

			`output.logstash:`
			`hosts: ["{{ logstash_ip }}:{{ logstash_port }}"]`

			`#Filebeat service logging:`
			`logging.level: info`
			`logging.to_files: true`
			`logging.files:`
			`path: /var/log/filebeat`
			`name: filebeat`
			`keepfiles: 7`
			`permissions: 0640`

			`- name: Restart filebeat`
			`service:`
			`name: filebeat`
			`state: restarted`
			`enabled: yes`