panda
/
MapleGrid


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189
							# playbook.yml:
---
- name: "maplegrid"
  hosts: localhost
  connection: local
  vars_files:
    - maplegrid_variables.yml

###

  tasks:


#Add elastic repo for v7.x


    - name: Add elastic repo key
      shell: curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
    
    - name: install packages
      apt:
        pkg:
        - apt-transport-https
        - python-pip
        - python3-pip

    - name: add repo for elastic v7.x
      shell: echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
    
    - name: Install filebeat
      apt:
        name: filebeat
        update_cache: yes
    
    - name: Setup alternate SSH port
      lineinfile:
        dest: "/etc/ssh/sshd_config"
        regexp: "^Port"
        line: "Port 22222"
    
    - name: Setup alternate SSH port in fail2ban jail
      lineinfile:
        dest: "/etc/fail2ban/jail.conf"
        regexp: '^port    = ssh'
        line: "port    = 22222"
    
    - name: Restart fail2ban
      service:
        name: fail2ban
        state: restarted
        enabled: yes
    
    #PSHITT:
    
    - name: Install pip extensions
      shell: pip install python-daemon argparse paramiko
    
    - name: Git checkout
      git:
        repo: 'https://github.com/regit/pshitt'
        dest: /srv/pshitt
    
    - name: Add configuration block in /etc/systemd/system/pshitt.service 
      blockinfile:
        create: yes
        dest: /etc/systemd/system/pshitt.service
        block: |
          [Unit]
          Description=pshitt service
          Wants=network-online.target
          After=network-online.target
          
          [Service]
          ExecStart=/srv/pshitt/pshitt.py -p 22 -k /etc/ssh/ssh_host_rsa_key -o /var/log/pshitt/data.json -l /var/log/pshitt/log.log
          
          [Install]
          WantedBy=multi-user.target
    
    - name: Creates directory
      file:
        path: /var/log/pshitt
        state: directory
    
    #configure iptables:

    - name: Creates directory
      file:
        path: /scripts
        state: directory
    
    - name: create rules.v4
      blockinfile:
        create: yes
        state: present
        dest: "/scripts/rules.v4"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          # Generated by iptables-save v1.4.21 on Tue Nov 19 22:41:29 2019
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [372:91728]
          :fail2ban-ssh - [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p tcp -m tcp --dport 22222 -j ACCEPT
          -A INPUT -i {{ ansible_default_ipv4.interface }} -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
          -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
          -A INPUT -j DROP
          -A OUTPUT -o lo -j ACCEPT
          -A fail2ban-ssh -j RETURN
          COMMIT
          # Completed on Tue Nov 19 22:41:29 2019

    - name: reload iptables v4
      action: shell /sbin/iptables-restore /scripts/rules.v4
    
    - name: save iptables v4 rules
      shell: iptables-save > /etc/iptables/rules.v4
    
    #restart services on new ports:

    - name: Restart pshitt
      service:
        name: pshitt
        state: restarted
        enabled: yes
    
    - name: Restart sshd
      service:
        name: ssh
        state: restarted
        enabled: yes    

    #Filebeat:

    - name: delete file
      ignore_errors: yes
      file:
        state: absent
        path: /etc/filebeat/filebeat.yml
     
    - name: Ansible create file if it doesn't exist example
      ignore_errors: yes
      file:
        path: "/etc/filebeat/filebeat.yml"
        state: touch
    
    - name: create rules.v4
      blockinfile:
        create: yes
        state: present
        dest: "/etc/filebeat/filebeat.yml"
        marker: "# {mark} ANSIBLE MANAGED BLOCK #"
        block: |
          filebeat.inputs:
          - type: log
            enabled: true
            paths:
              - /var/log/pshitt/data.json
            json.keys_under_root: true
          
          processors:
            - drop_fields:
                fields: ["beat", "source", "prospector", "offset", "host", "log", "input", "event", "fileset" ]
            - add_fields:
                target: ''
                fields:
                  pshitt_host: {{ filebeat_hostname }}
          
          output.logstash:
            hosts: ["{{ logstash_ip }}:{{ logstash_port }}"]
          
          #Filebeat service logging:
          logging.level: info
          logging.to_files: true
          logging.files:
            path: /var/log/filebeat
            name: filebeat
            keepfiles: 7
            permissions: 0640

    - name: Restart filebeat
      service:
        name: filebeat
        state: restarted
        enabled: yes