From 734bbf6905a41c384185b7ed86c201c490db858c Mon Sep 17 00:00:00 2001
From: staffadmin
Date: Fri, 2 Aug 2024 01:27:05 +0200
Subject: [PATCH] [commmit staff]
---
 scan_https.yml | 153 +++++++++++++++++++++++++++++++++++++++++++++++++
 swarm.yml | 27 ---------
 2 files changed, 153 insertions(+), 27 deletions(-)
 create mode 100644 scan_https.yml
diff --git a/scan_https.yml b/scan_https.yml
new file mode 100644
index 0000000..9e1fdf5
--- /dev/null
+++ b/scan_https.yml
@@ -0,0 +1,153 @@
+---
+- name: Scan
+ hosts: scale01
+ become: true
+ gather_facts: false
+ vars:
+
+ user: staffadmin
+ token: !vault |
+ $ANSIBLE_VAULT;1.2;AES256;prod
+ 35343365393734313034383961616333633265623037303436653739613935366666373237366562
+ 3663316563663439363333396530376139663731346637390a366335333732303134316364363130
+ 30313631343534643866383336623837363433303032376264373139306464313866313034663636
+ 3961303030373531380a343061326437343066663665613833623533376437326630326432363566
+ 37653135666331633532653436656461396131623736353962643632316135633562346631313036
+ 6137356332636431643830666461333862613835336631333037
+ # 163.172.0.0/24
+ # 163.172.80.0/28
+ target_network: 163.172.80.0/28
+ ansible_user: stephane
+ ansible_password: stephane
+ ansible_become_password: stephane
+ username: jingohalert
+ password: !vault |
+ $ANSIBLE_VAULT;1.2;AES256;prod
+ 66346630333538386564396632636161316239326530653037666465616165393135666532643264
+ 3037363865363531636635306535663736353734333733340a363639636638396662616538343335
+ 65366439343135636634393832636436353764303066653530346232323164376265313039373630
+ 3863613961373430340a303866363962353262623030373061616134303366336237346631383539
+ 3130
+# apt-get install sshpass
+
+# #
+# # @author Stéphane Gratias (2021).
+#
+
+
+ # roles:
+ # - { role: geerlingguy.pip, tags: pip }
+ tasks:
+
+
+ - ansible.builtin.apt:
+ name: masscan
+ update_cache: true
+
+ - ansible.builtin.git:
+ repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git
+ dest: "{{ playbook_dir }}/scan"
+ single_branch: yes
+ force: true
+ delegate_to: localhost
+
+ # apt install masscan
+ - ansible.builtin.command:
+ cmd: "masscan {{ target_network }} -p443"
+ become: true
+ register: scan_output
+
+
+# - debug:
+# msg: "{{ item }}"
+# loop: "{{ scan_output.stdout_lines }}"
+# # - "{{ cert.not_after }}"
+# # - "{{ ansible_date_time.iso8601_basic }}"
+# tags: test
+# delegate_to: localhost
+
+ - name: Get a cert from an https port
+ community.crypto.get_certificate:
+ host: "{{ item.split('on')[-1].strip() }}"
+ port: 443
+ delegate_to: localhost
+ run_once: true
+ loop: "{{ scan_output.stdout_lines }}"
+ ignore_errors: true
+ register: cert
+ tags: test
+
+
+# item.subject.CN
+ - debug:
+ # msg: "{{ item.subject.CN }}"
+ msg: "{{ item.invocation.module_args.host}}"
+ loop: "{{ cert.results }}"
+ # - "{{ cert.not_after }}"
+ # - "{{ ansible_date_time.iso8601_basic }}"
+ tags: test
+ delegate_to: localhost
+
+
+ - name: Change file ownership, group and permissions
+ ansible.builtin.file:
+ path: "{{ playbook_dir }}/scan/https/{{ item.invocation.module_args.host.split('.')[0] }}/{{ item.invocation.module_args.host.split('.')[1] }}/"
+ state: directory
+ loop: "{{ cert.results }}"
+
+ - name: Add a line to a file if the file does not exist, without passing regexp
+ ansible.builtin.lineinfile:
+ path: "{{ playbook_dir }}/scan/https/{{ item.invocation.module_args.host.split('.')[0] }}/{{ item.invocation.module_args.host.split('.')[1] }}/{{ item.invocation.module_args.host.split('.')[2] }}"
+ line: "{{ item.invocation.module_args.host }} ---- {{ item.subject.CN | default('---') }} ---- {{ item.issuer| default('---')}}"
+ create: yes
+ loop: "{{ cert.results }}"
+ delegate_to: localhost
+
+
+ # - name: Copy file with owner and permissions
+ # ansible.builtin.copy:
+ # dest: "{{ playbook_dir }}/scan/scan_https_{{ target_network.split('/')[0] }}_{{ target_network.split('/')[-1] }}"
+ # content: |
+ # "{{ item.invocation.module_args.host }} ---- {{ item.subject.CN }} ---- {{ item.issuer}}"
+ # loop: "{{ cert.results }}"
+ # delegate_to: localhost
+
+# # item.subject.CN
+# - debug:
+# msg: "{{ item.item.split('on')[-1].strip() }}"
+# loop: "{{ cert.results }}"
+# # - "{{ cert.not_after }}"
+# # - "{{ ansible_date_time.iso8601_basic }}"
+# tags: test
+# delegate_to: localhost
+
+ - ansible.builtin.shell: |
+ git config user.email "stephane.gratiasquiquandon@gmail.com"
+ git config user.name "staffadmin"
+ git add .
+ git commit -m "Push scan with access token"
+ git push https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/scan.git
+ args:
+ chdir: "{{ playbook_dir }}/scan/"
+ run_once: true
+ delegate_to: localhost
+
+
+ # - debug:
+ # msg: "{{ host_interfaces }}"
+
+
+ # - name: NTFY when docker compose changed
+ # uri:
+ # url: "https://alert.jingoh.fr/scaleway"
+ # method: POST
+ # user: "{{ username }}"
+ # password: "{{ password }}"
+ # headers:
+ # Title: "SCAN HTTPS "
+ # ta: "file_folder"
+ # body: "{{ target_network }}"
+ # status_code: 200
+ # tags: test1
+ # delegate_to: localhost
+ # when: fetch_files_backup.changed is true
diff --git a/swarm.yml b/swarm.yml
index 490a49b..750c3bb 100644
--- a/swarm.yml
+++ b/swarm.yml
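Review bot: The `vars` block of scan_https.yml commits `ansible_user`, `ansible_password` and `ansible_become_password` in cleartext (all `stephane`) right next to the vault-encrypted `token` and `password`; these SSH and sudo credentials should be vaulted or moved to an inventory/vault file in the same way, and the `ansible.builtin.git` and `ansible.builtin.shell` tasks that expand `{{ user }}:{{ token }}` into a repository URL need `no_log: true`, since the module arguments and the shell command line (token included) can otherwise end up in task output and logs. The `ansible.builtin.file` task that creates the per-host directory is the only controller-path task without `delegate_to: localhost`, so it creates the directory on scale01 while the following `lineinfile` (which does not create parent directories) writes on the controller; add `delegate_to: localhost` to it. The `yes` values in `single_branch: yes` and `create: yes` should be `true` to match the booleans elsewhere in the play. Indentation was lost in this rendering, so the exact nesting of these keys should be confirmed against the committed file.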
@@ -326,33 +326,6 @@ - "traefik.enable=false" networks: - public - grafana: - image: grafana/grafana:latest - container_name: grafana - security_opt: - - no-new-privileges:true - restart: unless-stopped - networks: - - public - volumes: - - grafana-lib:/var/lib/grafana - environment: - GF_INSTALL_PLUGINS: "grafana-clock-panel,grafana-simple-json-datasource,grafana-worldmap-panel,grafana-piechart-panel" - deploy: - mode: replicated - replicas: 1 - labels: - - "traefik.enable=true" - # HTTP Routers - - "traefik.http.routers.grafana-rtr.entrypoints=websecure" - - "traefik.http.routers.grafana-rtr.rule=Host(`grafana2.jingoh.private`)" - # Middlewares - - "traefik.http.routers.grafana-rtr.middlewares=privatevpn,forward-auth" - # HTTP Services - - "traefik.http.routers.grafana-rtr.service=grafana-svc" - - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000" - # TLS - - "traefik.http.routers.grafana-rtr.tls=true" networks: public: external: true