From 2bf684e115c8b6abe4199671485d821a4c6a01b6 Mon Sep 17 00:00:00 2001
From: staffadmin
Date: Mon, 1 Apr 2024 18:01:45 +0200
Subject: [PATCH] Update
---
 backup.yml | 148 +++++++++++++++++++++++++++++++++++++++++++++++
 hardening.yml | 65 +++++++++++----------
 requirements.yml | 1 +
 3 files changed, 185 insertions(+), 29 deletions(-)
diff --git a/backup.yml b/backup.yml
index 2dd9ea5..c6004c3 100644
--- a/backup.yml
+++ b/backup.yml
@@ -4,6 +4,21 @@
 gather_facts: true
 vars:
 user: staffadmin
+ username: jingohalert
+ password: !vault |
+ $ANSIBLE_VAULT;1.2;AES256;prod
+ 66346630333538386564396632636161316239326530653037666465616165393135666532643264
+ 3037363865363531636635306535663736353734333733340a363639636638396662616538343335
+ 65366439343135636634393832636436353764303066653530346232323164376265313039373630
+ 3863613961373430340a303866363962353262623030373061616134303366336237346631383539
+ 3130
+ vault_pass: !vault |
+ $ANSIBLE_VAULT;1.2;AES256;prod
+ 31393635346263633965326334656663323439643166313736343337343032303234653264653065
+ 3933333731343231643033373436653764326131616635640a356566616337373031333065303166
+ 36363839323432353936336438636130373134353364326264393563663561346438356533656262
+ 3630386265633339630a306334363336396539353133383236316138333538623064333036316233
+ 6464
 token: !vault |
 $ANSIBLE_VAULT;1.2;AES256;prod
 35343365393734313034383961616333633265623037303436653739613935366666373237366562
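Review bot: `vault_pass` is added to the play vars here, but the only reference to it in this commit is the commented-out vaultwarden-backup `docker_container` task in the next hunk, so the live play now carries an unused vaulted secret; either leave it out until that task is enabled or document what it is reserved for, e.g. `# vault_pass: encryption password for the (currently disabled) vaultwarden-backup task`. `username`/`password` are consumed by the new 'Need to renew HTTPS' task as HTTP basic-auth against alert.jingoh.fr, which is worth stating next to them: `# username/password: basic-auth for the alert.jingoh.fr notification POSTs`. Inline vault blobs are fine, but as play-level `vars` these values are templated into every task on every host in the play; if they are only needed by the localhost-delegated alert task, a `vars_files` entry or a localhost host_vars file would narrow their exposure. The enclosing play starts before this hunk.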
@@ -53,3 +68,136 @@ chdir: "{{ playbook_dir }}/backup/" run_once: true delegate_to: localhost + + - name: Get a cert from an https port + community.crypto.get_certificate: + host: "gitea.jingoh.fr" + port: 443 + delegate_to: localhost + run_once: true + register: cert + tags: test + + # - name: set + # ansible.builtin.set_fact: + # cert_date: "{{ cert.not_after | to_datetime('%Y%m%d%H%M%SZ') }}" + # tags: test + # - debug: + # msg: "{{ cert.not_after | to_datetime('%Y%m%d%H%M%SZ')}}" + # tags: test + + # - debug: + # msg: "{{ cert.not_after | to_datetime }} - {{ ansible_date_time.iso8601_basic }}" + # # loop: + # # - "{{ cert.not_after }}" + # # - "{{ ansible_date_time.iso8601_basic }}" + # tags: test + + # - debug: + # msg: "{{ item }}" + # loop: + # - "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ') ) - (ansible_date_time.date | to_datetime('%Y-%m-%d') )).days }}" + # # - "{{ ansible_date_time.date.total_seconds() }}" + # tags: test + # when: + # - "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ') ) - (ansible_date_time.date | to_datetime('%Y-%m-%d') )).days < 30 }}" + + + +# curl -u "$username:$password" -H "Title: HTTPS Certificats" -H "ta:closed_lock_with_key" -d "*.jingoh.fr Less than 20 days" https://alert.jingoh.fr/scaleway + + # # when: cert.not_after - ansible_date_time.iso8601_basic > + - name: Need to renew HTTPS + uri: + url: "https://alert.jingoh.fr/scaleway" + method: POST + user: "{{ username }}" + password: "{{ password }}" + headers: + Title: "HTTPS Certificats" + ta: "closed_lock_with_key" + body: "*.jingoh.fr Less than 10 days" + status_code: 200 + tags: test + delegate_to: localhost + when: + - "{{ ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ') ) - (ansible_date_time.date | to_datetime('%Y-%m-%d') )).days < 10 }}" + + + + # - name: Exécuter le conteneur Docker + # community.docker.docker_container: + # name: vaultwarden-backup + # image: bruceforce/vaultwarden-backup + # state: started + # auto_remove: true + # command: manual + # 
volumes_from: + # - vault + # env: + # UID: "0" + # BACKUP_DIR: "/data/backup" + # TIMESTAMP: "true" + # ENCRYPTION_PASSWORD: "{{ vault_pass }}" + # # tags: dock + # when: inventory_hostname in groups['controller'] + + # - name: Supprimer les fichiers de sauvegarde de Vaultwarden plus anciens que 7 jours + # find: + # paths: /opt/dockerapps/appdata/vaultwarden/backup/ + # age: 7d + # register: files_to_remove + # become: true + # when: inventory_hostname in groups['controller'] + # tags: dock + + # - name: Supprimer les fichiers plus anciens que 7 jours + # file: + # path: "{{ item.path }}" + # state: absent + # loop: "{{ files_to_remove.files }}" + # tags: dock + # become: true + + # - name: Backup vault + # uri: + # url: "https://alert.jingoh.fr/scaleway" + # method: POST + # user: "{{ username }}" + # password: "{{ password }}" + # headers: + # Title: "Backup Vault" + # ta: "inbox_tray" + # body: "Local Backup vault done !" + # status_code: 200 + # tags: dock + # delegate_to: localhost + + + # - name: Exécuter la commande dans le conteneur Docker + # community.docker.docker_container: + # name: gitea + # command: "gitea dump -c /data/gitea/conf/app.ini" + # user: git + # working_dir: /data/ + # state: present + # interactive: no + # image: gitea/gitea:latest + # tty: no + # tags: git + + + + # docker exec -u git -w /data/ gitea gitea dump -c /data/gitea/conf/app.ini + # mv /opt/dockerapps/appdata/gitea/gitea/gitea-dump-*.zip /opt/dockerapps/backup/ + # docker exec gitea-db pg_dump -U root gitea > gitea-db-pg.sql + # mv ./gitea-db-pg.sql /opt/dockerapps/backup/ + # find /opt/dockerapps/backup/ -mtime +7 -exec rm {} \; + # curl -u "$username:$password" -H "Title: Backup gitea" -H "ta:inbox_tray" -d "Local Backup gitea done !" 
https://alert.jingoh.fr/scaleway + + # docker run --rm --volumes-from=vault -e UID=0 -e BACKUP_DIR=/data/backup -e TIMESTAMP=true -e ENCRYPTION_PASSWORD="$VAULT" bruceforce/vaultwarden-backup manual + # chown -R stephane:stephane /opt/dockerapps/appdata/vaultwarden/backup + # find /opt/dockerapps/appdata/vaultwarden/backup/ -mtime +7 -exec rm {} \; + # curl -u "$username:$password" -H "Title: Backup vault" -H "ta:inbox_tray" -d "Local Backup vault done !" https://alert.jingoh.fr/scaleway + + diff --git a/hardening.yml b/hardening.yml index b60497d..596f859 100644 --- a/hardening.yml +++ b/hardening.yml @@ -1,4 +1,4 @@ -- hosts: test +- hosts: monitoring # vars: become: true gather_facts: true @@ -27,7 +27,7 @@ state: file mode: 0644 - - name: somerepo | apt source + - name: Add netbird repo ansible.builtin.apt_repository: repo: "deb [signed-by=/usr/share/keyrings/netbird-archive-keyring.gpg] https://pkgs.netbird.io/debian stable main" state: present 
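Review bot: The `when:` on the new 'Need to renew HTTPS' task wraps the whole expression in `{{ }}`; conditionals are already templated by Ansible, so this produces the "conditional statements should not include jinja2 templating delimiters" warning and should be written bare: `when: ((cert.not_after | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.date | to_datetime('%Y-%m-%d'))).days < 10`. The same task passes the vaulted `password`; the `uri` module should mask `url_password` in its invocation output, but adding `no_log: true` also keeps the task result out of verbose logs and is the usual belt-and-braces for any task that carries a credential. Both new tasks are tagged `test` although they are the production expiry check; a descriptive tag such as `tags: cert_check` would let them be selected deliberately. The rest of this hunk is commented-out tasks and shell transcripts; since git keeps the history, deleting them would make the playbook considerably easier to read. The `tasks:` list this hunk extends starts before the hunk, and the hunk itself spans three physical lines of this listing.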
@@ -81,26 +81,33 @@
 # chmod go+r /usr/share/keyrings/netbird-archive-keyring.gpg for error:
 #||-----> GPG error: https://pkgs.netbird.io/debian stable InRelease: The following signatures couldn't be verified because the public key is not available
- # roles:
- # - robertdebock.update
- # - devsec.hardening.os_hardening
- # - devsec.hardening.ssh_hardening
- # - maxlareo.rkhunter
- # - maxlareo.chkrootkit
- # - robertdebock.auditd
- # - geerlingguy.firewall
- # - grog.management-user
- # - GROG.user
- # - GROG.authorized-key
- # - GROG.sudo
- # - ansible_unattended_upgrades
- # - buluma.lynis
+ roles:
+ - robertdebock.update
+ - devsec.hardening.os_hardening
+ - devsec.hardening.ssh_hardening
+ - maxlareo.rkhunter
+ - maxlareo.chkrootkit
+ - robertdebock.auditd
+ - geerlingguy.firewall
+ - grog.management-user
+ - GROG.user
+ - GROG.authorized-key
+ - GROG.sudo
+ - ansible_unattended_upgrades
+ - buluma.lynis
 # roles:
 # - role: netways.elasticstack.elasticsearch
 # tags: test2
 tasks:
+ - name: Tcheck ssh conf for phone connection
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/ssh_config
+ insertafter: 'Host '
+ firstmatch: true
+ line: '#!Enable-HMAC-ETM'
+
 - name: Retrieve private IP address netbird
 ansible.builtin.gather_facts:
@@ -136,9 +143,9 @@
 # name: ansible-role-labocbz-install-grafana
 # when: group_names is search("monitoring")
- - ansible.builtin.import_role:
- name: netways.elasticstack.repos
- tags: repo
+ # - ansible.builtin.import_role:
+ # name: netways.elasticstack.repos
+ # tags: repo
 # to reset password
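Review bot: The new 'Tcheck ssh conf for phone connection' task writes `#!Enable-HMAC-ETM` into the system-wide `/etc/ssh/ssh_config` with no explanation of what that line does or which client needs it; a reader cannot tell whether it is a directive honoured by the installed OpenSSH build or a stray marker, so it needs a why-comment with a reference, e.g. `# <what this line enables, for which client, and the doc it comes from>`. Because roles run before `tasks:`, this edit lands after `devsec.hardening.ssh_hardening`, which this same hunk re-enables and which manages SSH client configuration; if that role templates `ssh_config` on every run, the line will be removed and re-added each time and the play will never be idempotent, so the setting more likely belongs in the role's variables than in a `lineinfile` behind it. Note also that `lineinfile` falls back to appending at EOF when `insertafter: 'Host '` matches nothing, and the task name has a typo (`Tcheck` → `Check`). The `tasks:` list continues past the end of the hunk.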
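Review bot: The elasticstack `import_role` blocks are commented out rather than removed here and in the two following hunks (`@@ -151,15 +158,15 @@` and `@@ -169,6 +176,6 @@`), and the three hunks disagree on the comment column: this one and the beats hunk keep the task indentation (`+ # - ansible.builtin.import_role:`) while the elasticsearch/kibana hunk puts `#` at column 0 (`+# - ansible.builtin.import_role:`). Since git already keeps the history, deleting the blocks is cleaner; if they are meant to come back, keep them under one indentation style and add a one-line note saying why they are disabled, e.g. `# elasticstack roles disabled until <reason>`.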
@@ -151,15 +158,15 @@
 # /usr/share/kibana/bin/kibana-encryption-keys generate --force
 # /usr/share/elasticsearch/bin# ./elasticsearch-service-tokens create elastic/kibana token
 # bin/elasticsearch-create-enrollment-token -s kibana --url "https://172.0.0.3:9200"
- - ansible.builtin.import_role:
- name: netways.elasticstack.elasticsearch
- tags: elastic
+# - ansible.builtin.import_role:
+# name: netways.elasticstack.elasticsearch
+# tags: elastic
-# Wait the end install to have th url to connect and put the enroll token
- - ansible.builtin.import_role:
- name: netways.elasticstack.kibana
- tags: kibana
+# # Wait the end install to have th url to connect and put the enroll token
+# - ansible.builtin.import_role:
+# name: netways.elasticstack.kibana
+# tags: kibana
 # - ansible.builtin.import_role:
 # name: netways.elasticstack.logstash
@@ -169,6 +176,6 @@
 # filebeat test config -e filebeat.yml
 # filebeat setup -e
 # restart filebeat
- - ansible.builtin.import_role:
- name: netways.elasticstack.beats
- tags: filebeat
+ # - ansible.builtin.import_role:
+ # name: netways.elasticstack.beats
+ # tags: filebeat
diff --git a/requirements.yml b/requirements.yml
index 2c1ba66..674d453 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -4,6 +4,7 @@ collections:
 - name: community.crypto
 - name: ansible.utils
 - name: community.grafana
+ - name: community.docker
 # - name: geerlingguy.redis
 - name: git+https://github.com/netways/ansible-collection-elasticstack.git
 # - name: elastic.elasticsearch
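Review bot: `community.docker` is added to `collections:` with no `version:` constraint, so `ansible-galaxy install` resolves whatever release is current at install time and two runs of the same requirements file can fetch different collection code; pinning it, e.g. `- name: community.docker` followed by `  version: "<pinned-version>"`, keeps the dependency set reproducible (the existing unpinned entries, including the `git+https://` source, have the same issue but are outside this change). In this commit the only users of `community.docker` are the commented-out `docker_container` tasks in backup.yml, so the dependency is currently unused; either enable those tasks or hold off on adding it. The `collections:` list this hunk extends starts before the hunk.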