diff --git a/backup.yml b/backup.yml
index 982ecf3..e5df21c 100644
--- a/backup.yml
+++ b/backup.yml
@@ -4,7 +4,6 @@
 gather_facts: false
 vars:
 # Variables depuis Environment (non-sensibles)
- app_env: "{{ lookup('env', 'bw_client_id') }}"
 vaultwarden_url: "https://vault.jingoh.fr"
 bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
 bw_client_password: "{{ lookup('env', 'bw_client_password') }}"
diff --git a/scan.yml b/scan.yml
index 6dd4072..eccc193 100644
--- a/scan.yml
+++ b/scan.yml
@@ -1,43 +1,53 @@ --- - name: Scan - hosts: - - tower + hosts: tower #- localhost become: true gather_facts: false vars: - user: sgratias - user_mail: stephane.gratiasquiquandon@gmail.com - token: !vault | - $ANSIBLE_VAULT;1.2;AES256;prod - 30383538646164373137616166636632353964373362323735626239656337306139616265323138 - 3834383331316466653565323632616163353964643637660a363262383461363234363738613034 - 64383132373061653337313365333734646635396635313133613861303730303163383764653664 - 6537633761353939330a356236623265383931643530316430303938303735306536343163323163 - 62636236346362663036343765363830383738623563613161373637383239623134376163653662 - 3565333032326133326232326633386332633639373862313463 + vaultwarden_url: "https://vault.jingoh.fr" + bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}" + bw_client_password: "{{ lookup('env', 'bw_client_password') }}" + bw_client_id: "{{ lookup('env', 'bw_client_id') }}" + # password_monitoring_alert: "{{ lookup('env', 'password') }}" + # user_monitoring_alert: "{{ lookup('env', 'username') }}" + gitea_token: "{{ lookup('env', 'gitea_token') }}" + user_mail: "{{ lookup('env', 'mail') }}" + user: "{{ lookup('env', 'username') }}" + target_network: "{{ lookup('env', 'target_network') }}" + target_port: "{{ lookup('env', 'target_port') }}" + # user: sgratias + # user_mail: stephane.gratiasquiquandon@gmail.com + # token: !vault | + # $ANSIBLE_VAULT;1.2;AES256;prod + # 30383538646164373137616166636632353964373362323735626239656337306139616265323138 + # 3834383331316466653565323632616163353964643637660a363262383461363234363738613034 + # 64383132373061653337313365333734646635396635313133613861303730303163383764653664 + # 6537633761353939330a356236623265383931643530316430303938303735306536343163323163 + # 62636236346362663036343765363830383738623563613161373637383239623134376163653662 + # 3565333032326133326232326633386332633639373862313463 #TODO target in list # 163.172.0.0/24 # 163.172.80.0/28 - target_network: 
147.135.120.20/30 - target_port: 20-80 + # target_network: 147.135.120.20/30 + # target_port: 20-80 # 163.172.0.0/20 # 163.172.16.0/20 # 163.172.31.0/20 # 163.172.48.0/20 # 163.172.63.254/20 - ansible_user: stephane + # ansible_user: stephane # ansible_password: stephane # ansible_become_password: stephane - username: jingohalert - password: !vault | - $ANSIBLE_VAULT;1.2;AES256;prod - 66346630333538386564396632636161316239326530653037666465616165393135666532643264 - 3037363865363531636635306535663736353734333733340a363639636638396662616538343335 - 65366439343135636634393832636436353764303066653530346232323164376265313039373630 - 3863613961373430340a303866363962353262623030373061616134303366336237346631383539 - 3130 -# apt-get install sshpass +# username: jingohalert +# password: !vault | +# $ANSIBLE_VAULT;1.2;AES256;prod +# 66346630333538386564396632636161316239326530653037666465616165393135666532643264 +# 3037363865363531636635306535663736353734333733340a363639636638396662616538343335 +# 65366439343135636634393832636436353764303066653530346232323164376265313039373630 +# 3863613961373430340a303866363962353262623030373061616134303366336237346631383539 +# 3130 +# # apt-get install sshpass # # # # @author Stéphane Gratias (2021). 
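Review bot: The vault-encrypted `token` and `password` stanzas are kept as comments instead of being deleted, so their ciphertext (plus the personal `# user: sgratias` / `# user_mail:` values) stays in every checkout and in history even though the play no longer reads them; remove the commented `# token: !vault |` and `# password: !vault |` blocks outright, and treat those secrets as needing rotation if the vault key is shared. The new `lookup('env', …)` values silently resolve to an empty string when the variable is unset, which would make `target_network`/`target_port` an empty scan target and `user` an empty git URL; a guard such as `user: "{{ lookup('env', 'username', default=undef()) | mandatory }}"` (ansible-core 2.13+) or an early `assert` task on these vars would fail fast instead. Commenting out `ansible_user: stephane` also changes which connection user is used (inventory or control host default now); if that is intended it deserves a line in the commit message.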
@@ -49,12 +59,55 @@ tasks: + - ansible.builtin.command: + cmd: bw logout + delegate_to: localhost + ignore_errors: true + + - name: bitwarden token session + ansible.builtin.shell: "{{ item }}" + environment: + BW_CLIENTID: "{{ bw_client_id }}" + BW_CLIENTSECRET: "{{ bw_client_secret }}" + BW_PASSWORD: "{{ bw_client_password }}" + loop: + - bw config server {{ vaultwarden_url }} + - bw login --apikey + - bw unlock --passwordenv BW_PASSWORD --raw + delegate_to: localhost + register: bw_session_result + + - name: Get secret from Bitwarden + command: + argv: + - bw + - get + - password + - "{{ bw_requested_password_id }}" + - --session + - "{{ bw_session_result.results[-1].stdout | trim }}" + delegate_to: localhost + register: gitea_token_result + no_log: true + changed_when: false + + # - name: Return all secrets from a path + # ansible.builtin.debug: + # msg: "{{ gitea_token_result.stdout }}" + # delegate_to: localhost + + - ansible.builtin.set_fact: + gitea_token : "{{ gitea_token_result.stdout | trim }}" + no_log: true + delegate_to: localhost + + # - ansible.builtin.apt: # name: masscan # update_cache: true - ansible.builtin.git: - repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/{{ user }}/scan.git + repo: https://{{ user }}:{{ gitea_token }}@gitea.jingoh.fr/{{ user }}/scan.git dest: "{{ playbook_dir }}/scan" single_branch: yes force: true @@ -143,7 +196,7 @@ git config user.name "{{ user }}" git add . git commit -m "Push scan with access token" - git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/{{ user }}/scan.git + git push https://{{ user }}:{{ gitea_token}}@gitea.jingoh.fr/{{ user }}/scan.git args: chdir: "{{ playbook_dir }}/scan/" run_once: true 
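Review bot: The `bitwarden token session` loop task registers `bw_session_result` without `no_log: true`, so the raw session key printed by `bw unlock --passwordenv BW_PASSWORD --raw` is written to the play output and to any log callback, and at higher verbosity the per-item `environment` holding `BW_CLIENTSECRET`/`BW_PASSWORD` is shown too; add `no_log: true` beside `register: bw_session_result`, as the `Get secret from Bitwarden` task already does. `bw_requested_password_id` is not defined in the vars block touched by this commit, so it presumably comes from inventory or `-e`; a comment such as `# bw_requested_password_id: Vaultwarden item id of the Gitea token, supplied via extra vars` on the `argv` entry would make that contract visible. The `repo:` URL embedding `{{ gitea_token }}` is also echoed in the git task's result on failure unless that task gets `no_log: true` as well. Minor style: `gitea_token :` has a space before the colon, which yamllint rejects; write `gitea_token: "{{ gitea_token_result.stdout | trim }}"`.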
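Review bot: The new `git push https://{{ user }}:{{ gitea_token}}@…` line puts the token into a shell command in a task that, from the visible lines, carries no `no_log`, so the token lands in the task's `cmd`/`stderr` output whenever the push fails or the play runs with `-v`, and is visible in the target's process list for the duration of the push; set `no_log: true` on this shell task, or hand the credential to git via `GIT_ASKPASS`/a credential helper rather than the URL. While there, restore the space before the closing braces for consistency with the rest of the file: `git push https://{{ user }}:{{ gitea_token }}@gitea.jingoh.fr/{{ user }}/scan.git`. The enclosing shell task starts before this hunk.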
@@ -173,16 +226,16 @@ # msg: "{{ host_interfaces }}" - # - name: NTFY when docker compose changed - # uri: - # url: "https://alert.jingoh.fr/scaleway" - # method: POST - # user: "{{ username }}" - # password: "{{ password }}" - # headers: - # Title: "SCAN {{ target_port }}" - # ta: "file_folder" - # body: "{{ target_network }}" - # status_code: 200 - # tags: test1 - # delegate_to: localhost + - name: NTFY when docker compose changed + uri: + url: "http://alert/scaleway" + method: POST + # user: "{{ username }}" + # password: "{{ password }}" + headers: + Title: "SCAN {{ target_port }}" + ta: "file_folder" + body: "{{ target_network }}" + status_code: 200 + tags: test1 + delegate_to: localhost