[Add Scan]

backup.yml

@@ -4,7 +4,6 @@
   gather_facts: false
   vars:
     # Variables depuis Environment (non-sensibles)
-    app_env: "{{ lookup('env', 'bw_client_id') }}"
     vaultwarden_url: "https://vault.jingoh.fr"
     bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
     bw_client_password: "{{ lookup('env', 'bw_client_password') }}"

scan.yml

@@ -1,43 +1,53 @@
 ---
 - name: Scan
-  hosts:
+  hosts: tower
-    - tower
     #- localhost
   become: true
   gather_facts: false
   vars: 
-    user: sgratias
+    vaultwarden_url: "https://vault.jingoh.fr"
-    user_mail: stephane.gratiasquiquandon@gmail.com
+    bw_client_secret: "{{ lookup('env', 'bw_client_secret') }}"
-    token: !vault |
+    bw_client_password: "{{ lookup('env', 'bw_client_password') }}"
-              $ANSIBLE_VAULT;1.2;AES256;prod
+    bw_client_id: "{{ lookup('env', 'bw_client_id') }}"
-              30383538646164373137616166636632353964373362323735626239656337306139616265323138
+    # password_monitoring_alert: "{{ lookup('env', 'password') }}"
-              3834383331316466653565323632616163353964643637660a363262383461363234363738613034
+    # user_monitoring_alert: "{{ lookup('env', 'username') }}"
-              64383132373061653337313365333734646635396635313133613861303730303163383764653664
+    gitea_token: "{{ lookup('env', 'gitea_token') }}"
-              6537633761353939330a356236623265383931643530316430303938303735306536343163323163
+    user_mail: "{{ lookup('env', 'mail') }}"
-              62636236346362663036343765363830383738623563613161373637383239623134376163653662
+    user: "{{ lookup('env', 'username') }}"
-              3565333032326133326232326633386332633639373862313463
+    target_network: "{{ lookup('env', 'target_network') }}"
+    target_port: "{{ lookup('env', 'target_port') }}"
+    # user: sgratias
+    # user_mail: stephane.gratiasquiquandon@gmail.com
+    # token: !vault |
+    #           $ANSIBLE_VAULT;1.2;AES256;prod
+    #           30383538646164373137616166636632353964373362323735626239656337306139616265323138
+    #           3834383331316466653565323632616163353964643637660a363262383461363234363738613034
+    #           64383132373061653337313365333734646635396635313133613861303730303163383764653664
+    #           6537633761353939330a356236623265383931643530316430303938303735306536343163323163
+    #           62636236346362663036343765363830383738623563613161373637383239623134376163653662
+    #           3565333032326133326232326633386332633639373862313463
   #TODO target in list
   # 163.172.0.0/24
   # 163.172.80.0/28 
-    target_network: 147.135.120.20/30
+    # target_network: 147.135.120.20/30
-    target_port: 20-80
+    # target_port: 20-80
     # 163.172.0.0/20
     # 163.172.16.0/20
     # 163.172.31.0/20
     # 163.172.48.0/20
     # 163.172.63.254/20
-    ansible_user: stephane 
+    # ansible_user: stephane 
     # ansible_password: stephane 
     # ansible_become_password: stephane
-    username: jingohalert
+#     username: jingohalert
-    password: !vault |
+#     password: !vault |
-              $ANSIBLE_VAULT;1.2;AES256;prod
+#               $ANSIBLE_VAULT;1.2;AES256;prod
-              66346630333538386564396632636161316239326530653037666465616165393135666532643264
+#               66346630333538386564396632636161316239326530653037666465616165393135666532643264
-              3037363865363531636635306535663736353734333733340a363639636638396662616538343335
+#               3037363865363531636635306535663736353734333733340a363639636638396662616538343335
-              65366439343135636634393832636436353764303066653530346232323164376265313039373630
+#               65366439343135636634393832636436353764303066653530346232323164376265313039373630
-              3863613961373430340a303866363962353262623030373061616134303366336237346631383539
+#               3863613961373430340a303866363962353262623030373061616134303366336237346631383539
-              3130
+#               3130
-# apt-get install sshpass
+# # apt-get install sshpass
 
 # #
 # # @author Stéphane Gratias (2021).
@@ -49,12 +59,55 @@
   tasks:
 
 
+  - ansible.builtin.command:
+      cmd: bw logout
+    delegate_to: localhost
+    ignore_errors: true
+
+  - name: bitwarden token session 
+    ansible.builtin.shell: "{{ item }}"
+    environment:
+      BW_CLIENTID: "{{ bw_client_id }}"
+      BW_CLIENTSECRET: "{{ bw_client_secret }}"
+      BW_PASSWORD: "{{ bw_client_password }}"
+    loop:
+      - bw config server {{ vaultwarden_url }}
+      - bw login --apikey
+      - bw unlock --passwordenv BW_PASSWORD --raw
+    delegate_to: localhost
+    register: bw_session_result
+
+  - name: Get secret from Bitwarden
+    command:
+      argv:
+        - bw
+        - get
+        - password
+        - "{{ bw_requested_password_id }}"
+        - --session
+        - "{{ bw_session_result.results[-1].stdout | trim }}"
+    delegate_to: localhost
+    register: gitea_token_result
+    no_log: true
+    changed_when: false
+
+  # - name: Return all secrets from a path
+  #   ansible.builtin.debug: 
+  #     msg: "{{ gitea_token_result.stdout }}"
+  #   delegate_to: localhost
+
+  - ansible.builtin.set_fact:
+      gitea_token : "{{ gitea_token_result.stdout | trim }}"
+    no_log: true
+    delegate_to: localhost
+
+
   # - ansible.builtin.apt:
   #     name: masscan
   #     update_cache: true
 
   - ansible.builtin.git:
-      repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/{{ user }}/scan.git
+      repo: https://{{ user }}:{{ gitea_token }}@gitea.jingoh.fr/{{ user }}/scan.git
       dest: "{{ playbook_dir }}/scan"
       single_branch: yes
       force: true
@@ -143,7 +196,7 @@
       git config user.name "{{ user }}"
       git add .
       git commit -m "Push scan with access token"
-      git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/{{ user }}/scan.git
+      git push https://{{ user }}:{{ gitea_token}}@gitea.jingoh.fr/{{ user }}/scan.git
     args:
       chdir: "{{ playbook_dir }}/scan/"
     run_once: true
@@ -173,16 +226,16 @@
   #     msg: "{{ host_interfaces }}"
 
 
-  # - name: NTFY when docker compose changed
+  - name: NTFY when docker compose changed
-  #   uri:
+    uri:
-  #     url: "https://alert.jingoh.fr/scaleway"
+      url: "http://alert/scaleway"
-  #     method: POST
+      method: POST
-  #     user: "{{ username }}"
+      # user: "{{ username }}"
-  #     password: "{{ password }}"
+      # password: "{{ password }}"
-  #     headers:
+      headers:
-  #       Title: "SCAN {{ target_port }}"
+        Title: "SCAN {{ target_port }}"
-  #       ta: "file_folder"
+        ta: "file_folder"
-  #     body: "{{ target_network }}"
+      body: "{{ target_network }}"
-  #     status_code: 200
+      status_code: 200
-  #   tags: test1
+    tags: test1
-  #   delegate_to: localhost
+    delegate_to: localhost