
Upload files to 'ansible'

panda 2 rokov pred
rodič
commit
48144fd1e6
1 zmenil súbory, kde vykonal 193 pridanie a 0 odobranie
  1. 193 0
      ansible/maplegrid.yml

+ 193 - 0
ansible/maplegrid.yml

@@ -0,0 +1,193 @@
+# playbook.yml:
+---
+- name: "maplegrid"
+  hosts: localhost
+  connection: local
+  vars_files:
+    - maplegrid_variables.yml
+
+###
+
+  tasks:
+
+
+#Add elastic repo for v7.x
+
+
+    - name: Add elastic repo key
+      shell: curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
+    
+    - name: install packages
+      apt:
+        pkg:
+        - apt-transport-https
+        - python-pip
+        - python3-pip
+
+    - name: add repo for elastic v7.x
+      shell: echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
+    
+    - name: Install filebeat
+      apt:
+        name: filebeat
+        update_cache: yes
+    
+    - name: Setup alternate SSH port
+      lineinfile:
+        dest: "/etc/ssh/sshd_config"
+        regexp: "^Port"
+        line: "Port 22222"
+    
+    - name: Setup alternate SSH port in fail2ban jail
+      lineinfile:
+        dest: "/etc/fail2ban/jail.conf"
+        regexp: '^port    = ssh'
+        line: "port    = 22222"
+    
+    - name: Restart fail2ban
+      service:
+        name: fail2ban
+        state: restarted
+        enabled: yes
+    
+    #PSHITT:
+    
+    - name: Install multi python packages with version specifiers
+      pip:
+        name:
+          - python-daemon
+          - argparse
+          - paramiko
+    
+    - name: Git checkout
+      git:
+        repo: 'https://github.com/regit/pshitt'
+        dest: /srv/pshitt
+    
+    - name: Add configuration block in /etc/systemd/system/pshitt.service 
+      blockinfile:
+        create: yes
+        dest: /etc/systemd/system/pshitt.service
+        block: |
+          [Unit]
+          Description=pshitt service
+          Wants=network-online.target
+          After=network-online.target
+          
+          [Service]
+          ExecStart=/srv/pshitt/pshitt.py -p 22 -k /etc/ssh/ssh_host_rsa_key -o /var/log/pshitt/data.json -l /var/log/pshitt/log.log
+          
+          [Install]
+          WantedBy=multi-user.target
+    
+    - name: Creates directory
+      file:
+        path: /var/log/pshitt
+        state: directory
+    
+    #configure iptables:
+
+    - name: Creates directory
+      file:
+        path: /scripts
+        state: directory
+    
+    - name: create rules.v4
+      blockinfile:
+        create: yes
+        state: present
+        dest: "/scripts/rules.v4"
+        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
+        block: |
+          # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
+          *filter
+          :INPUT DROP [0:0]
+          :FORWARD DROP [0:0]
+          :OUTPUT ACCEPT [372:91728]
+          :fail2ban-ssh - [0:0]
+          -A INPUT -i lo -j ACCEPT
+          -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
+          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
+          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22222 -j ACCEPT
+          -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
+          -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+          -A INPUT -j DROP
+          -A OUTPUT -o lo -j ACCEPT
+          -A fail2ban-ssh -j RETURN
+          COMMIT
+          # Completed on Tue Nov 19 22:41:29 2019
+
+    - name: reload iptables v4
+      action: shell /sbin/iptables-restore /scripts/rules.v4
+    
+    - name: save iptables v4 rules
+      shell: iptables-save > /etc/iptables/rules.v4
+    
+    #restart services on new ports:
+
+    - name: Restart pshitt
+      service:
+        name: pshitt
+        state: restarted
+        enabled: yes
+    
+    - name: Restart sshd
+      service:
+        name: ssh
+        state: restarted
+        enabled: yes    
+
+    #Filebeat:
+
+    - name: delete file
+      ignore_errors: yes
+      file:
+        state: absent
+        path: /etc/filebeat/filebeat.yml
+     
+    - name: Ansible create file if it doesn't exist example
+      ignore_errors: yes
+      file:
+        path: "/etc/filebeat/filebeat.yml"
+        state: touch
+    
+    - name: create rules.v4
+      blockinfile:
+        create: yes
+        state: present
+        dest: "/etc/filebeat/filebeat.yml"
+        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
+        block: |
+          filebeat.inputs:
+          - type: log
+            enabled: true
+            paths:
+              - /var/log/pshitt/data.json
+            json.keys_under_root: true
+          
+          processors:
+            - drop_fields:
+                fields: ["beat", "source", "prospector", "offset", "host", "log", "input", "event", "fileset" ]
+            - add_fields:
+                target: ''
+                fields:
+                  pshitt_host: {{ filebeat_hostname }}
+          
+          output.logstash:
+            hosts: ["{{ logstash_ip }}:{{ logstash_port }}"]
+          
+          #Filebeat service logging:
+          logging.level: info
+          logging.to_files: true
+          logging.files:
+            path: /var/log/filebeat
+            name: filebeat
+            keepfiles: 7
+            permissions: 0640
+
+    - name: Restart filebeat
+      service:
+        name: filebeat
+        state: restarted
+        enabled: yes
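Review bot: The pshitt unit written at the `ExecStart=` line runs the honeypot as root, with no sandboxing directives, and hands it the real sshd host private key (`-k /etc/ssh/ssh_host_rsa_key`), so a flaw in the SSH parser that faces attacker traffic on port 22 would yield root plus a key that impersonates the real sshd moved to 22222 a few tasks earlier. Generate a separate key for the honeypot and run it under a dedicated `pshitt` user (via the `user` module, with `owner: pshitt` added to the `/var/log/pshitt` directory task) holding only `CAP_NET_BIND_SERVICE` for the low port, as sketched below; `AmbientCapabilities=` needs systemd 229 or later, which the playbook does not pin. Separately, the "Restart pshitt" task runs before "Restart sshd" moves sshd off port 22, so on a first run pshitt will presumably fail to bind and, with no `Restart=` in the unit, stay down — swap the two restart tasks, and add `validate: /usr/sbin/sshd -t -f %s` to the sshd_config `lineinfile`, since an invalid config followed by the restart locks you out of a `connection: local` host. The `curl … | apt-key add -` task also makes the Elastic key trusted for every repository; download it to a keyring file and reference it with `[signed-by=…]` in the sources entry instead.
```yaml
    - name: Create honeypot service account
      user:
        name: pshitt
        system: yes
        shell: /usr/sbin/nologin
        create_home: no

    - name: Create /etc/pshitt
      file:
        path: /etc/pshitt
        state: directory
        owner: pshitt
        mode: "0750"

    - name: Generate a dedicated host key for the honeypot (never the real sshd key)
      command: ssh-keygen -t rsa -b 2048 -N '' -f /etc/pshitt/host_rsa_key
      args:
        creates: /etc/pshitt/host_rsa_key

    - name: Restrict honeypot key to the service account
      file:
        path: /etc/pshitt/host_rsa_key
        owner: pshitt
        mode: "0600"

    # … unchanged: blockinfile task header for /etc/systemd/system/pshitt.service …
        block: |
          [Unit]
          Description=pshitt service
          Wants=network-online.target
          After=network-online.target

          [Service]
          User=pshitt
          Group=pshitt
          ExecStart=/srv/pshitt/pshitt.py -p 22 -k /etc/pshitt/host_rsa_key -o /var/log/pshitt/data.json -l /var/log/pshitt/log.log
          # the process parses attacker-controlled input: keep only what binding port 22 needs
          AmbientCapabilities=CAP_NET_BIND_SERVICE
          CapabilityBoundingSet=CAP_NET_BIND_SERVICE
          NoNewPrivileges=yes
          ProtectSystem=strict
          ProtectHome=yes
          PrivateTmp=yes
          ReadWritePaths=/var/log/pshitt

          [Install]
          WantedBy=multi-user.target
```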