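# Bootstrap and harden the hosts of the "cosmos" group:
#   1. pre_tasks: join the NetBird private network (only when `netbird version`
#      fails), create /etc/node_exporter and generate a self-signed TLS key pair
#      there (community.crypto), install the packages listed in package_repo.
#   2. roles: devsec os/ssh hardening, auditd, firewall, user/sudo management.
#   3. tasks: find the host's address inside the NetBird range (netbird_cidr,
#      default 100.96.0.0/16) as host_private_address, then install node_exporter.
# Needs the ansible.utils, community.crypto and prometheus.prometheus
# collections plus the roles listed under "roles:".
- hosts: cosmos
  # vars:
  become: true
  gather_facts: true
  pre_tasks:
    # to reinstall netbird: rm /usr/share/keyrings/netbird-archive-keyring.gpg
    # become root no password /etc/sudoers.d/20stephane => stephane ALL=(ALL) NOPASSWD: ALL

    # Play-level become already applies; no per-task become needed here.
    - name: Refresh apt cache
      ansible.builtin.apt:
        update_cache: true

    # Runs on the controller, presumably for the ansible.utils.ipaddr filter
    # used under "tasks:" (the filter needs the netaddr library).
    # NOTE(review): play-level become also applies to this delegated task, so
    # pip runs with sudo on the controller — confirm that is intended.
    - name: Install netaddr on the controller
      ansible.builtin.pip:
        name: netaddr
      delegate_to: localhost

    - name: Set hostname
      ansible.builtin.hostname:
        name: "{{ inventory_hostname }}"

    # Probe only: rc != 0 (binary missing or broken) triggers the install block
    # below. failed_when: false keeps the probe from being reported as a
    # failure while still registering rc; changed_when: false because it only
    # reads state.
    - name: Check for Netbird Installation
      ansible.builtin.command:
        cmd: netbird version
      changed_when: false
      failed_when: false
      register: netbird_installed

    - name: Install Netbird first to have private network
      when: netbird_installed.rc != 0
      block:
        # pipefail so a failed download cannot leave an empty or partial
        # keyring that apt then rejects. "sudo" dropped: the play already runs
        # with become. creates: skips the step when the keyring exists (gpg
        # would otherwise stop on "File exists" without a tty — TODO confirm).
        - name: Add key Netbird
          ansible.builtin.shell:
            cmd: set -o pipefail && curl -sSL https://pkgs.netbird.io/debian/public.key | gpg --dearmor --output /usr/share/keyrings/netbird-archive-keyring.gpg
            creates: /usr/share/keyrings/netbird-archive-keyring.gpg
            executable: /bin/bash

        # The keyring must stay world-readable: apt fetches InRelease as an
        # unprivileged user and otherwise reports "public key is not available"
        # (see the chmod go+r note further down).
        - name: mode file for netbird key
          ansible.builtin.file:
            path: /usr/share/keyrings/netbird-archive-keyring.gpg
            state: file
            mode: "0644"

        - name: Add netbird repo
          ansible.builtin.apt_repository:
            repo: "deb [signed-by=/usr/share/keyrings/netbird-archive-keyring.gpg] https://pkgs.netbird.io/debian stable main"
            state: present

        - name: Install netbird
          ansible.builtin.apt:
            name: netbird
            state: present
            update_cache: true

        # no_log keeps netbird_setup_key out of play output and log files. It is
        # still passed on the command line; check whether the installed netbird
        # can read it from a file or environment variable instead. Note that
        # no_log also hides the error output if this step fails.
        - name: Start Netbird
          ansible.builtin.command:
            cmd: netbird up --setup-key="{{ netbird_setup_key }}"
          no_log: true

      # Manual equivalent of the block above:
      # curl -sSL https://pkgs.netbird.io/debian/public.key | sudo gpg --dearmor --output /usr/share/keyrings/netbird-archive-keyring.gpg
      # chmod 0644 /usr/share/keyrings/netbird-archive-keyring.gpg
      # echo 'deb [signed-by=/usr/share/keyrings/netbird-archive-keyring.gpg] https://pkgs.netbird.io/debian stable main' | sudo tee /etc/apt/sources.list.d/netbird.list

    # Explicit mode instead of relying on the remote umask.
    - name: Create node_exporter cert dir
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: root
        group: root
        mode: "0755"
      loop:
        - /etc/node_exporter

    # package_repo is expected to be a list (it was looped over before); passing
    # the whole list lets apt resolve everything in one transaction.
    - name: Update repositories and install packages needed
      ansible.builtin.apt:
        name: "{{ package_repo }}"
        update_cache: true
      # delegate_to: localhost

    # Python deps for the community.crypto modules below, installed on the target.
    - name: Install pip package
      ansible.builtin.pip:
        name:
          - setuptools
          - netaddr
          - cryptography
      # delegate_to: localhost

    # NOTE(review): mode 0644 leaves the TLS private key world-readable. The
    # manual "chmod 644 tls.key" note suggests the exporter's service user must
    # read it; prefer owner/group set to that user with mode "0640" once that
    # user is known — TODO confirm against the node_exporter role.
    - name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
      community.crypto.openssl_privatekey:
        path: /etc/node_exporter/tls.key
        mode: "0644"
      # /etc/node_exporter# chmod 644 tls.key

    - name: Generate an OpenSSL Certificate Signing Request
      community.crypto.openssl_csr:
        path: /etc/node_exporter/tls.csr
        privatekey_path: /etc/node_exporter/tls.key
        common_name: "{{ inventory_hostname }}.netbird.cloud"

    - name: Generate a Self Signed OpenSSL certificate
      community.crypto.x509_certificate:
        path: /etc/node_exporter/tls.cert
        privatekey_path: /etc/node_exporter/tls.key
        csr_path: /etc/node_exporter/tls.csr
        provider: selfsigned

    # export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES ---> ERROR! A worker was found in a dead state
    # chmod go+r /usr/share/keyrings/netbird-archive-keyring.gpg for error:
    # ||-----> GPG error: https://pkgs.netbird.io/debian stable InRelease: The following signatures couldn't be verified because the public key is not available

  roles:
    # - robertdebock.update
    - role: devsec.hardening.os_hardening
      tags: os
    - role: devsec.hardening.ssh_hardening
      tags: ssh
    # - maxlareo.rkhunter
    # - maxlareo.chkrootkit
    - role: robertdebock.auditd
      tags: auditd
    - role: geerlingguy.firewall
      tags: firewall
    - role: grog.management-user
      tags: user
    - role: GROG.user
      tags: user
    - role: GROG.authorized-key
      tags: user
    - role: GROG.sudo
      tags: user
    # - ansible_unattended_upgrades
    # - buluma.lynis

  # roles:
  #   - role: netways.elasticstack.elasticsearch
  #     tags: test2

  tasks:
    # NOTE(review): this edits the ssh *client* config (/etc/ssh/ssh_config);
    # the sshd reload that follows does not read that file — confirm which
    # file the marker line is meant for.
    - name: Tcheck ssh conf for phone connection
      ansible.builtin.lineinfile:
        path: /etc/ssh/ssh_config
        insertafter: 'Host '
        firstmatch: true
        line: '#!Enable-HMAC-ETM'

    - name: Reload service sshd, in all cases
      ansible.builtin.service:
        name: sshd.service
        state: reloaded

    # Re-gather facts: the play's initial gathering ran before pre_tasks, i.e.
    # before `netbird up` could bring the NetBird interface up.
    - name: Retrieve private IP address netbird
      ansible.builtin.gather_facts: {}

    # Collect interfaces that carry an IPv4 address. The task-level vars entry
    # only seeds the accumulator; once set_fact has run it takes precedence.
    - name: Set host_interfaces list
      ansible.builtin.set_fact:
        host_interfaces: "{{ host_interfaces + [item] }}"
      vars:
        host_interfaces: []
      when: ansible_facts[item].ipv4.address is defined
      loop: "{{ ansible_facts.interfaces }}"

    # Last interface whose address falls inside the NetBird range wins.
    # netbird_cidr can be overridden in inventory; default keeps the
    # 100.96.0.0/16 range used here.
    - name: Set host_private_address
      ansible.builtin.set_fact:
        host_private_address: "{{ ansible_facts[item].ipv4.address }}"
      vars:
        host_private_address: ""
      when: ansible_facts[item].ipv4.address | ansible.utils.ipaddr(netbird_cidr | default('100.96.0.0/16'))
      loop: "{{ host_interfaces }}"

    # default('') so the play reports an empty value when no interface matched
    # instead of failing on an undefined variable (the vars entry above is
    # scoped to its own task).
    - name: Debug host_private_address for ALL hosts
      ansible.builtin.debug:
        msg: "{{ host_private_address | default('') }}"

    # Set up docker socket for monitoring
    - ansible.builtin.import_role:
        name: prometheus.prometheus.node_exporter
      tags: monitoring

    # - ansible.builtin.import_role:
    #     name: prometheus.prometheus.prometheus
    #   when: group_names is search("monitoring")
    # - ansible.builtin.import_role:
    #     name: ansible-role-labocbz-install-grafana
    #   when: group_names is search("monitoring")
    # - ansible.builtin.import_role:
    #     name: netways.elasticstack.repos
    #   tags: repo

    # to reset password
    # /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
    # xpack.security.http.ssl.verification_mode: none
    # Add token for new node ?
    # /usr/share/elasticsearch/elasticsearch-create-enrollment-token -s kibana
    # /usr/share/kibana/bin/kibana-encryption-keys generate --force
    # /usr/share/elasticsearch/bin# ./elasticsearch-service-tokens create elastic/kibana token
    # bin/elasticsearch-create-enrollment-token -s kibana --url "https://172.0.0.3:9200"

    # - ansible.builtin.import_role:
    #     name: netways.elasticstack.elasticsearch
    #   tags: elastic
    # # Wait the end install to have the url to connect and put the enroll token
    # - ansible.builtin.import_role:
    #     name: netways.elasticstack.kibana
    #   tags: kibana
    # - ansible.builtin.import_role:
    #     name: netways.elasticstack.logstash
    #   tags: test2

    # FileBEAT
    # filebeat test config -e filebeat.yml
    # filebeat setup -e
    # restart filebeat
    # - ansible.builtin.import_role:
    #     name: netways.elasticstack.beats
    #   tags: filebeat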