MapleGrid/ansible/maplegrid.yml


# playbook.yml:
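---
# Provisions one host (run locally) as an SSH honeypot: the real sshd moves to
# port 22222, pshitt takes port 22, a static iptables ruleset is restored, and
# Filebeat ships pshitt's JSON log to Logstash.
# Variables filebeat_hostname, logstash_ip and logstash_port come from
# maplegrid_variables.yml.
# NOTE(review): every task installs packages or writes under /etc, so the play
# must run as root; no `become` is set — confirm how it is invoked.
- name: "maplegrid"
  hosts: localhost
  connection: local
  vars_files:
    - maplegrid_variables.yml
  tasks:
    # --- Elastic 7.x apt repository ------------------------------------------
    - name: Add elastic repo key
      # apt_key fetches the key over HTTPS and is idempotent, unlike the
      # previous `curl | apt-key add -` shell pipeline.
      # NOTE(review): add `id:` with the key fingerprint (<ELASTIC_KEY_ID>,
      # to be recorded) so a swapped key is rejected rather than trusted.
      apt_key:
        url: https://artifacts.elastic.co/GPG-KEY-elasticsearch
        state: present

    - name: install packages
      apt:
        pkg:
          - apt-transport-https
          - python-pip
          - python3-pip

    - name: add repo for elastic v7.x
      # apt_repository writes sources.list.d/elastic-7.x.list once and refreshes
      # the cache, instead of re-tee'ing the line on every run.
      apt_repository:
        repo: "deb https://artifacts.elastic.co/packages/7.x/apt stable main"
        filename: elastic-7.x
        state: present

    - name: Install filebeat
      apt:
        name: filebeat
        update_cache: true

    # --- real sshd moves to 22222 so pshitt can own port 22 ------------------
    - name: Setup alternate SSH port
      # If sshd_config only has a commented "#Port 22", the regexp does not
      # match and lineinfile appends "Port 22222" at the end, which sshd honours.
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^Port"
        line: "Port 22222"

    - name: Setup alternate SSH port in fail2ban jail
      # NOTE(review): jail.conf is replaced on package upgrade; the usual home
      # for local overrides is jail.local (needs an [sshd] section) — left as-is.
      lineinfile:
        path: /etc/fail2ban/jail.conf
        regexp: '^port = ssh'
        line: "port = 22222"

    - name: Restart fail2ban
      service:
        name: fail2ban
        state: restarted
        enabled: true

    # --- pshitt honeypot ------------------------------------------------------
    - name: Install pip extensions
      # executable: pip keeps the same interpreter's pip the shell call used.
      pip:
        name:
          - python-daemon
          - argparse
          - paramiko
        executable: pip

    - name: Git checkout
      git:
        repo: 'https://github.com/regit/pshitt'
        dest: /srv/pshitt

    - name: Add configuration block in /etc/systemd/system/pshitt.service
      # NOTE(review): no User= line, so pshitt runs as root (it binds port 22
      # and reads the host RSA key); confirm that is intended.
      blockinfile:
        create: true
        path: /etc/systemd/system/pshitt.service
        block: |
          [Unit]
          Description=pshitt service
          Wants=network-online.target
          After=network-online.target
          [Service]
          ExecStart=/srv/pshitt/pshitt.py -p 22 -k /etc/ssh/ssh_host_rsa_key -o /var/log/pshitt/data.json -l /var/log/pshitt/log.log
          [Install]
          WantedBy=multi-user.target

    - name: Create pshitt log directory
      file:
        path: /var/log/pshitt
        state: directory

    # --- static iptables ruleset ----------------------------------------------
    - name: Create scripts directory
      file:
        path: /scripts
        state: directory

    - name: create rules.v4
      # Written whole with copy (content is still Jinja-templated) so re-runs
      # cannot accumulate stale marker blocks in a file iptables-restore reads.
      # NOTE(review): the static fail2ban-ssh chain only sees dport 22 (the
      # honeypot); fail2ban for the real sshd on 22222 manages its own chain at
      # runtime — confirm the intended coverage.
      copy:
        dest: /scripts/rules.v4
        content: |
          # Managed by Ansible (maplegrid.yml); edits here are overwritten.
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [372:91728]
          :fail2ban-ssh - [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22222 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
          -A INPUT -j DROP
          -A OUTPUT -o lo -j ACCEPT
          -A fail2ban-ssh -j RETURN
          COMMIT

    - name: reload iptables v4
      # No shell features needed; command avoids an unnecessary shell.
      command: /sbin/iptables-restore /scripts/rules.v4

    - name: save iptables v4 rules
      # The redirect needs a shell. /etc/iptables is expected to exist
      # (iptables-persistent) — not created here.
      shell: iptables-save > /etc/iptables/rules.v4

    # --- restart services on their new ports ----------------------------------
    # sshd must release port 22 before pshitt (ExecStart uses -p 22) can bind
    # it, so sshd is restarted first. Existing SSH sessions survive an sshd
    # restart, and this play talks to localhost anyway.
    - name: Restart sshd
      service:
        name: ssh
        state: restarted
        enabled: true

    - name: Restart pshitt
      # The unit file was written above by blockinfile; daemon_reload makes
      # systemd pick it up before enable/restart.
      systemd:
        name: pshitt
        state: restarted
        enabled: true
        daemon_reload: true

    # --- Filebeat: ship pshitt's JSON log to Logstash -------------------------
    - name: Write filebeat.yml
      # Replaces the packaged filebeat.yml wholesale (the delete + touch +
      # blockinfile sequence collapsed into one idempotent task); appending to
      # the stock file would duplicate the top-level filebeat.inputs key.
      # NOTE(review): output.logstash has no ssl block, so events travel in
      # clear text to logstash_ip — acceptable only on a trusted network.
      copy:
        dest: /etc/filebeat/filebeat.yml
        content: |
          filebeat.inputs:
            - type: log
              enabled: true
              paths:
                - /var/log/pshitt/data.json
              json.keys_under_root: true
          processors:
            - drop_fields:
                fields: ["beat", "source", "prospector", "offset", "host", "log", "input", "event", "fileset"]
            - add_fields:
                target: ''
                fields:
                  # quoted so a boolean- or number-looking hostname stays a string
                  pshitt_host: "{{ filebeat_hostname }}"
          output.logstash:
            hosts: ["{{ logstash_ip }}:{{ logstash_port }}"]
          # Filebeat service logging:
          logging.level: info
          logging.to_files: true
          logging.files:
            path: /var/log/filebeat
            name: filebeat
            keepfiles: 7
            permissions: 0640

    - name: Restart filebeat
      service:
        name: filebeat
        state: restarted
        enabled: true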