diff --git a/hardening.yml b/hardening.yml index ff43a4a..b14cc96 100644 --- a/hardening.yml +++ b/hardening.yml @@ -1,31 +1,14 @@ - hosts: test - vars: - ansible_user: vagrant - ansible_password: vagrant - management_user_list: - - name: admin - shell: '/bin/bash' - authorized_keys: - - key: "ssh-rsa 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 stephane" - exclusive: yes - sudo: - hosts: ALL - as: ALL - commands: ALL - nopasswd: ALL - netbird_setup_key: 26659E99-DED1-4ED4-B2D0-C0CC1246EFAE - netbird_register: true - node_exporter_tls_server_config: - cert_file: /etc/node_exporter/tls.cert - key_file: /etc/node_exporter/tls.key - node_exporter_basic_auth_users: - randomuser: examplepassword - node_exporter_web_listen_address: 192.168.0.20:9100 + # vars: become: true gather_facts: true pre_tasks: + - name: Set hostname + ansible.builtin.hostname: + name: "{{ ansible_hostname }}" + - name: Create node_exporter cert dir file: path: "{{ item }}" @@ -35,18 +18,18 @@ loop: - /etc/node_exporter - - name: Generate an OpenSSL private key with the default values (4096 bits, RSA) and a passphrase + - name: Generate an OpenSSL private key with the default values (4096 bits, RSA) community.crypto.openssl_privatekey: path: /etc/node_exporter/tls.key mode: 0644 # /etc/node_exporter# chmod 644 tls.key - - name: Generate an OpenSSL Certificate Signing Request with a passphrase protected private key + - name: Generate an OpenSSL Certificate Signing Request community.crypto.openssl_csr: path: /etc/node_exporter/tls.csr privatekey_path: /etc/node_exporter/tls.key - common_name: www.ansible.com + common_name: "{{ ansible_hostname }}.netbird.cloud" - name: Generate a Self Signed OpenSSL certificate community.crypto.x509_certificate: 
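Review bot: The new `Set hostname` task passes `name: "{{ ansible_hostname }}"`, which is the short hostname gathered from the machine itself, so with `gather_facts: true` it sets the hostname to its current value and is effectively a no-op (unless a cached fact from an earlier run differs). If the goal is to name the host after its inventory entry, which the CSR `common_name` and the `{{ ansible_hostname }}.netbird.cloud` scrape targets seem to assume, use `name: "{{ inventory_hostname }}"` and keep in mind that `ansible_hostname` still holds the old value until facts are gathered again. The leftover `# vars:` line is dead text and can go, since the play's variables now live in `host_vars/`.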
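Review bot: `mode: 0644` on `community.crypto.openssl_privatekey` leaves the node_exporter TLS private key world-readable, and the unquoted leading-zero octal is a YAML 1.1 integer rather than the string Ansible's file modules document; write it as `mode: "0640"` with `owner`/`group` set to the account node_exporter runs as, or `"0600"` when that account owns the file. The same key is later handed to Grafana through `inv_install_grafana__cert_key` in host_vars, so if both services read it the group, not the world bits, should cover them. The `# chmod 644 tls.key` trailing comment records the workaround rather than the reason and can be dropped once the owner/group is set; the play containing this task continues outside the hunk.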
@@ -61,19 +44,64 @@
#||-----> GPG error: https://pkgs.netbird.io/debian stable InRelease: The following signatures couldn't be verified because the public key is not available
roles:
- # - robertdebock.update
- # - devsec.hardening.os_hardening
- # - devsec.hardening.ssh_hardening
- # - maxlareo.rkhunter
- # - maxlareo.chkrootkit
- # - robertdebock.auditd
- # - geerlingguy.firewall
- # - grog.management-user
- # - GROG.user
- # - GROG.authorized-key
- # - GROG.sudo
- # - ansible_unattended_upgrades
- # - dominion_solutions.netbird.netbird
- # - buluma.lynis
- prometheus.prometheus.node_exporter
+ - robertdebock.update
+ - devsec.hardening.os_hardening
+ - devsec.hardening.ssh_hardening
+ - maxlareo.rkhunter
+ - maxlareo.chkrootkit
+ - robertdebock.auditd
+ - geerlingguy.firewall
+ - grog.management-user
+ - GROG.user
+ - GROG.authorized-key
+ - GROG.sudo
+ - ansible_unattended_upgrades
+ - dominion_solutions.netbird.netbird
+ - buluma.lynis
+ tasks:
+ - name: Retrieve private IP address netbird
+ ansible.builtin.gather_facts:
+
+ - name: Set host_interfaces list
+ ansible.builtin.set_fact:
+ host_interfaces: "{{ host_interfaces + [item]}}"
+ vars:
+ host_interfaces: []
+ loop: "{{ ansible_facts.interfaces }}"
+
+ - name: Set host_private_address
+ ansible.builtin.set_fact:
+ host_private_address: "{{ ansible_facts[item].ipv4.address }}"
+ vars:
+ host_private_address: ""
+ when: ansible_facts[item].ipv4.address | ansible.utils.ipaddr('100.96.0.0/16')
+ loop: "{{ host_interfaces }}"
+
+ # - name: Debug fingerprint for ALL hosts
+ # debug:
+ # msg: "{{ group_names }}"
+ # when: group_names is search("monitoring")
+
+ - ansible.builtin.import_role:
+ name: prometheus.prometheus.node_exporter
+
+ - ansible.builtin.import_role:
+ name: prometheus.prometheus.prometheus
+ when: group_names is search("monitoring")
+
+
+ # - name: "Include labocbz.install_grafana"
+ # tags:
+ # - test
+ # vars:
+ # install_grafana__protocol: "https"
+ # install_grafana__http_addr: "{{ 
host_private_address }}"
+ # install_grafana__domain: "{{ ansible_hostname }}.netbird.cloud"
+ # inv_install_grafana__cert_file: /etc/node_exporter/tls.cert
+ # inv_install_grafana__cert_key: /etc/node_exporter/tls.key
+
+ # ansible.builtin.include_role:
+ # name: ansible-role-labocbz-install-grafana
+
+ # - prometheus.prometheus.node_exporter # https://galaxy.ansible.com/ui/repo/published/prometheus/prometheus/content/role/node_exporter/
\ No newline at end of file
diff --git a/host_vars/ovh01.yml b/host_vars/ovh01.yml
new file mode 100644
index 0000000..fbe1865
--- /dev/null
+++ b/host_vars/ovh01.yml
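Review bot: The `when:` on `Set host_private_address` dereferences `ansible_facts[item].ipv4.address` for every entry of `host_interfaces`, so any interface without an IPv4 address (tunnel, bridge or veth devices are typical) fails the task with an undefined-attribute error before the `ipaddr` filter is evaluated; guard it with `when: ansible_facts[item].ipv4.address is defined and ansible_facts[item].ipv4.address | ansible.utils.ipaddr('100.96.0.0/16')`. The task-level `vars:` default of `""` is scoped to that task only, so a host with no `100.96.0.0/16` address reaches the role imports with `host_private_address` undefined and dies on the first `"{{ host_private_address }}:9100"` template in host_vars instead of with a clear message; an assert before the imports, as below, makes that explicit. Judging by the diff, `- prometheus.prometheus.node_exporter` survives in `roles:` as a context line while the same role is imported again under `tasks:`, so node_exporter would be applied twice per play; keep one of them. The `host_interfaces` loop builds an identity copy of `ansible_facts.interfaces` and could loop over that list directly.

```yaml
    - name: Set host_private_address
      ansible.builtin.set_fact:
        host_private_address: "{{ ansible_facts[item].ipv4.address }}"
      when: ansible_facts[item].ipv4.address is defined and ansible_facts[item].ipv4.address | ansible.utils.ipaddr('100.96.0.0/16')
      loop: "{{ host_interfaces }}"

    - name: Require a NetBird (100.96.0.0/16) address before binding the exporters
      ansible.builtin.assert:
        that: host_private_address is defined and host_private_address | ansible.utils.ipaddr('100.96.0.0/16')
        fail_msg: "no interface in 100.96.0.0/16 on {{ inventory_hostname }}; refusing to configure node_exporter/prometheus"

    # … unchanged: import_role tasks for node_exporter and prometheus …
```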
@@ -0,0 +1,109 @@
+---
+#* USERS
+
+management_user_list:
+ - name: admin
+ shell: '/bin/bash'
+ authorized_keys:
+ - key: "ssh-rsa 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 stephane"
+ exclusive: yes
+ sudo:
+ hosts: ALL
+ as: ALL
+ commands: ALL
+ nopasswd: ALL
+
+#* FIREWALL
+
+firewall_allowed_tcp_ports:
+ - "22"
+ - "80"
+ - "443"
+ - "9100"
+ - "9090"
+ - "3000"
+
+#* NETBIRD
+
+netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED
+netbird_register: true
+
+#* TLS
+
+node_exporter_tls_server_config:
+ cert_file: /etc/node_exporter/tls.cert
+ key_file: /etc/node_exporter/tls.key
+
+#* NODE_EXPORTER
+
+# node_exporter_basic_auth_users:
+# randomuser: examplepassword
+node_exporter_web_listen_address: "{{ host_private_address }}:9100"
+
+#* PROMETHEUS
+
+prometheus_web_listen_address: "{{ host_private_address }}:9090"
+prometheus_scrape_configs:
+ - job_name: "prometheus" # Custom scrape job, here using `static_config`
+ metrics_path: "/metrics"
+ static_configs:
+ - targets:
+ - "{{ host_private_address }}:9090"
+ - job_name: "node1"
+ scheme: https # Custom scrape job, here using `static_config`
+ metrics_path: "/metrics"
+ tls_config:
+ ca_file: "{{ node_exporter_tls_server_config.cert_file }}"
+ static_configs:
+ - targets:
+ - "{{ ansible_hostname }}.netbird.cloud:9100"
+ # - "{{ host_private_address }}:9100"
+ - job_name: "git"
+ scheme: https # Custom scrape job, here using `static_config`
+ metrics_path: "/metrics"
+ static_configs:
+ - targets:
+ - "gitea.jingoh.fr"
+ - job_name: "publicservicediscovery"
+ metrics_path: "/metrics"
+ basic_auth:
+ username: 'jingohtraf'
+ password: 'FSzmSLr#6i9M#d'
+ scheme: https
+ file_sd_configs:
+ - files:
+ - "{{ prometheus_config_dir }}/file_sd/node.yml" # This line loads file created from `prometheus_targets`
+prometheus_targets:
+ node: # This is a base file name. 
File is located in "{{ prometheus_config_dir }}/file_sd/<>.yml"
+ - targets: #
+ - "traefik.jingoh.fr"
+
+#* GRAFANA
+
+grafana_address: "{{ host_private_address }}"
+install_grafana__protocol: "https"
+install_grafana__http_addr: "{{ host_private_address }}"
+install_grafana__domain: "{{ ansible_hostname }}.netbird.cloud"
+inv_install_grafana__cert_file: "{{ node_exporter_tls_server_config.cert_file }}"
+inv_install_grafana__cert_key: "{{ node_exporter_tls_server_config.key_file }}"
+
+# ##########
+# # CHISEL #
+# ##########
+
+# chisel_server: false
+# chisel_client_server_url: "{{ chisel_server_host }}:8080"
+# chisel_client_remotes: "R:{{ chisel_server_host }}:socks"
+# chisel_service_name: chisel-client
+# chisel_config_name: chisel-client
+
+# chisel_conf:
+# # chisel enable auth and finder
+# - path: "/etc/chisel/{{ chisel_config_name }}.conf"
+# regexp: "^AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
+# state: present
+# line: "AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}"
+# - path: "/etc/chisel/{{ chisel_config_name }}.conf"
+# regexp: "^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}"
+# state: present
+# line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4]|default('') }}"
diff --git a/host_vars/ovh_worker.yml b/host_vars/ovh_worker.yml
deleted file mode 100644
index e3e16d7..0000000
--- a/host_vars/ovh_worker.yml
+++ /dev/null
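Review bot: `netbird_setup_key` and the `basic_auth` `password:` of the `publicservicediscovery` scrape job are committed in clear text in this host_vars file, and the identical values reappear in `host_vars/test.yml` further down, so anyone with read access to the repository can enroll a peer in the NetBird network and read the protected target. Move both into an `ansible-vault` encrypted vars file or a `lookup('env', ...)`/secret-store lookup, and rotate the setup key and the password once they have been in git history. `node_exporter_basic_auth_users` is commented out, so the exporter answers on the NetBird address with TLS but no authentication; that is only fine if every peer in `100.96.0.0/16` is trusted, and deserves a comment saying so. `firewall_allowed_tcp_ports` opens `9100`, `9090` and `3000` on every interface although the services bind to `host_private_address`, so on a host with a public `ansible_host` the rules are broader than the bindings and can be dropped or limited to the NetBird interface. Since this file and `host_vars/test.yml` are otherwise identical, the shared part belongs in a `group_vars/` file for the `monitoring` group.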
@@ -1,36 +0,0 @@ ---- - -install_docker: true - -management_user_list: - - name: stephane - shell: '/bin/bash' - authorized_keys: - - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClVS1uxDfwS6OusQ4qgcZ6hBc8YRBE8MyXu0sUfGN7S3itjI3W2ixD18v80el8dVQVR12jCY0ueavgoV1cHrfGWkFoLKi+QrA4MuSNUChj0NBbyLTmdwPvne8LRv3ttCbRSJ/6bIEveX8y/7kGn/R1NDFlfE6b5R8ersBUKCQM6YxblAkv/XH8cJlQXhr1nLhVOl/ae+Q/pTCbgioB8qrmGEuMvOLmavcFf7IJbJcSgeiXSOnyIRl2n64X6lbRK+MRZ61pF6vAOXA+Ixyt/fAbO7sjqU0+cEhU5Br5/VcqG4Bc5nhWimtXIHPry3aLV5PtN6K9/i3eA5F6Jpa82JzmUMEbWSBIga02yIw9GjRyAI6ccH/kJGuB6QN5/YwGHpOF2f0FGiEAbUz41mLngN3SsXL1pdV2hT3x56/GIcGe6p/f1cytwVCyOaE7W87B05w5JYb1sSFj6QuGW0rHWfnHT5SY87Mk/H8VgZPaPbm+hSjLIQRAmUYQR+Rub1o9bXE= stephane" - exclusive: yes - sudo: - hosts: ALL - as: ALL - commands: ALL - nopasswd: ALL - -# ########## -# # CHISEL # -# ########## - -# chisel_server: false -# chisel_client_server_url: "{{ chisel_server_host }}:8080" -# chisel_client_remotes: "R:{{ chisel_server_host }}:socks" -# chisel_service_name: chisel-client -# chisel_config_name: chisel-client - -# chisel_conf: -# # chisel enable auth and finder -# - path: "/etc/chisel/{{ chisel_config_name }}.conf" -# regexp: "^AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" -# state: present -# line: "AUTH=--auth {{ chisel_client_auth_username }}:{{ chisel_client_auth_password }}" -# - path: "/etc/chisel/{{ chisel_config_name }}.conf" -# regexp: "^FINGERPRINT=--fingerprint {{ chisel_client_server_fingerprint }}" -# state: present -# line: "FINGERPRINT=--fingerprint {{ hostvars[groups['server'][0]].chisel_fingerprint[4]|default('') }}" diff --git a/host_vars/test.yml b/host_vars/test.yml index 78096c1..b1eb537 100644 --- a/host_vars/test.yml +++ b/host_vars/test.yml 
@@ -1,18 +1,88 @@
---
-# unattended_origins_patterns:
-# - 'origin=Ubuntu,archive=${distro_codename}-security'
-# - 'o=Ubuntu,a=${distro_codename}'
-# - 'o=Ubuntu,a=${distro_codename}-updates'
-# - 'o=Ubuntu,a=${distro_codename}-proposed-updates'
+#* USERS
-# management_user_list:
-# - name: admin
-# shell: '/bin/bash'
-# authorized_keys:
-# - key: "ssh-rsa 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 stephane"
-# exclusive: yes
-# sudo:
-# hosts: ALL
-# as: ALL
-# commands: ALL
-# nopasswd: ALL
\ No newline at end of file
+management_user_list:
+ - name: admin
+ shell: '/bin/bash'
+ authorized_keys:
+ - key: "ssh-rsa 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 stephane"
+ exclusive: yes
+ sudo:
+ hosts: ALL
+ as: ALL
+ commands: ALL
+ nopasswd: ALL
+
+#* FIREWALL
+
+firewall_allowed_tcp_ports:
+ - "22"
+ - "80"
+ - "443"
+ - "9100"
+ - "9090"
+ - "3000"
+
+#* NETBIRD
+
+netbird_setup_key: F234BD1F-385B-4BEA-8234-608CCB1062ED
+netbird_register: true
+
+#* TLS
+
+node_exporter_tls_server_config:
+ cert_file: /etc/node_exporter/tls.cert
+ key_file: /etc/node_exporter/tls.key
+
+#* NODE_EXPORTER
+
+# node_exporter_basic_auth_users:
+# randomuser: examplepassword
+node_exporter_web_listen_address: "{{ host_private_address }}:9100"
+
+#* PROMETHEUS
+
+prometheus_web_listen_address: "{{ host_private_address }}:9090"
+prometheus_scrape_configs:
+ - job_name: "prometheus" # Custom scrape job, here using `static_config`
+ metrics_path: "/metrics"
+ static_configs:
+ - targets:
+ - "{{ host_private_address }}:9090"
+ - job_name: "node1"
+ scheme: https # Custom scrape job, here using `static_config`
+ metrics_path: "/metrics"
+ tls_config:
+ ca_file: "{{ node_exporter_tls_server_config.cert_file }}"
+ static_configs:
+ - targets:
+ - "{{ ansible_hostname }}.netbird.cloud:9100"
+ # - "{{ host_private_address }}:9100"
+ - job_name: "git"
+ scheme: https # Custom scrape job, here using `static_config`
+ metrics_path: "/metrics"
+ static_configs:
+ - targets: 
+ - "gitea.jingoh.fr"
+ - job_name: "publicservicediscovery"
+ metrics_path: "/metrics"
+ basic_auth:
+ username: 'jingohtraf'
+ password: 'FSzmSLr#6i9M#d'
+ scheme: https
+ file_sd_configs:
+ - files:
+ - "{{ prometheus_config_dir }}/file_sd/node.yml" # This line loads file created from `prometheus_targets`
+prometheus_targets:
+ node: # This is a base file name. File is located in "{{ prometheus_config_dir }}/file_sd/<>.yml"
+ - targets: #
+ - "traefik.jingoh.fr"
+
+#* GRAFANA
+
+grafana_address: "{{ host_private_address }}"
+install_grafana__protocol: "https"
+install_grafana__http_addr: "{{ host_private_address }}"
+install_grafana__domain: "{{ ansible_hostname }}.netbird.cloud"
+inv_install_grafana__cert_file: "{{ node_exporter_tls_server_config.cert_file }}"
+inv_install_grafana__cert_key: "{{ node_exporter_tls_server_config.key_file }}"
\ No newline at end of file
diff --git a/hosts b/hosts
index 3aa9a79..8518bdc 100644
--- a/hosts
+++ b/hosts
@@ -1,20 +1,24 @@
# Test VM vagrant
-[kubernetes:children]
-kubemaster
-kubeworker
+; [kubernetes:children]
+; kubemaster
+; kubeworker
-[kubemaster]
-ovh_master ansible_host=37.187.127.90 ansible_user=stephane
-
-[kubeworker]
-ovh_worker ansible_host=5.135.181.11 ansible_user=stephane
+; [kubemaster]
+; ovh_master ansible_host=37.187.127.90 ansible_user=stephane
+[netbird]
+ovh01 ansible_host=5.135.181.11 ansible_user=stephane
+scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane
[controller]
scaleway_fr ansible_host=163.172.84.28 ansible_user=stephane
+[monitoring]
+ovh01 ansible_host=5.135.181.11 ansible_user=stephane
+ubuntu ansible_host=192.168.0.21 ansible_user=vagrant ansible_password=vagrant
+
[test]
-192.168.0.20
+ubuntu ansible_host=192.168.0.21 ansible_user=vagrant ansible_password=vagrant
; # TO KNOW WHOIS CHISEL SERVER
; [server]
diff --git a/requirements.yml b/requirements.yml
index c12f5cd..d7b9287 100644
--- a/requirements.yml
+++ b/requirements.yml
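Review bot: `ansible_password=vagrant` is written in clear text on both `ubuntu` entries, and the same host with the same connection variables is defined twice, under `[monitoring]` and `[test]`, so a future edit to one copy silently diverges from the other. Keep the connection variables in one place, `host_vars/ubuntu.yml` with the password vault-encrypted or replaced by key-based auth, and list only the host name in each group. Unless a host named `test` is defined outside this hunk, `host_vars/test.yml` matches no inventory entry after this rename, so `ubuntu` in `[monitoring]` reaches the prometheus/node_exporter imports without the `host_private_address`-based listen addresses that file was meant to supply; renaming it to `host_vars/ubuntu.yml` (or moving the shared content to `group_vars/monitoring.yml`) fixes that.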
@@ -2,4 +2,6 @@ collections:
- name: devsec.hardening
- name: dominion_solutions.netbird
- name: prometheus.prometheus
- - name: community.crypto
\ No newline at end of file
+ - name: community.crypto
+ - name: ansible.utils
+ - name: community.grafana
\ No newline at end of file
diff --git a/roles/.gitignore b/roles/.gitignore
index 839a484..592e933 100644
--- a/roles/.gitignore
+++ b/roles/.gitignore
@@ -42,3 +42,6 @@ jnv.unattended-upgrades
ansible_unattended_upgrades
robertdebock.auditd
robertdebock.update
+ansible-role-labocbz-install-grafana
+cloudalchemy.grafana
+CTL-Fed-Security.ansible-grafana
diff --git a/roles/requirements.yml b/roles/requirements.yml
index f0fd56a..50521a0 100644
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
@@ -45,3 +45,6 @@
# version: 0.1.6
- name: ansible_unattended_upgrades
src: git+https://gitlab.epfl.ch/ansible-sti-roles/ansible-unattended-upgrades.git
+- name: ansible-role-labocbz-install-grafana
+ src: git+https://gitlab.com/cbz-d-velop/public-ansible/ansible-role-labocbz-install-grafana.git
+
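Review bot: The new `ansible-role-labocbz-install-grafana` entry in `roles/requirements.yml` has no `version:`, so `ansible-galaxy install` fetches whatever the default branch of that GitLab repository points to at install time, and code that later runs with `become: true` on every host can change between two runs without any change in this repository; pin it to a tag or commit, `  version: <TAG_OR_COMMIT>` (placeholder, pick the reviewed revision). The `ansible_unattended_upgrades` context line above it has the same gap, as do the collections added to `requirements.yml` (`ansible.utils`, `community.grafana`), which accept a `version:` key too. `roles/.gitignore` also starts ignoring `cloudalchemy.grafana` and `CTL-Fed-Security.ansible-grafana`, which no requirements file in this diff lists; either drop those lines or add the requirement they belong to so the ignore list documents what is actually installed.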