Pavel Guzaev
2024-03-09 17:36:50 +05:00
commit 431b4f5cfd
44 changed files with 3239 additions and 0 deletions


@@ -0,0 +1,6 @@
Получаем данные напрямую из naupp
url: "https://{{ gate_naupp_fqdn }}/sd/services/rest/exec?accessKey={{ accesskey }}&func=modules.externalAccess.getExternalAccesses&params=user"
На текущий момент роль ставит все необходимые для работы пакеты, настраивает их автозапуск и разрешает проброс пакетов, после чего настраивает файлы для iptables-save и перезапускает службу при необходимости.
Для отключения проброса пакетов, например, в случае подозрения на несанкционированный доступ, поменять переменную iptables_ip_forward


@@ -0,0 +1,5 @@
- hosts: sd-gw
become: yes
remote_user: root
roles:
- gate
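Review bot: `become: yes` on the second line of this play uses a YAML 1.1 truthy literal; Ansible accepts it, but yamllint's `truthy` rule flags it and the canonical form is `become: true`. The play already connects as `remote_user: root`, so the escalation is redundant as written; I cannot tell from this file whether the `gate` role relies on `become` being set, so either drop it or add a one-line comment saying why both are needed.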


@@ -0,0 +1,15 @@
---
# Fast disable forward if we have a problem now
gate_iptables_ip_forward: 1
# Name of the service to reload
gate_iptables_rules_file: /etc/iptables/rules
# gate host ext and int ip.
gate_local_net: 192.168.0.0/16,10.0.0.0/8
gate_int_if: ens18
gate_ext_if: ens19
# naupp site and access_key
gate_naupp_fqdn: naupp.nau.com
gate_access_key: akfjj666-f897-9978-b5006c-0508938848
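Review bot: `gate_access_key` on the last line ships a credential-looking value in the role defaults, which end up in version control and in every inventory that does not override them; keep the default empty (or an obviously fake placeholder), supply the real key from an Ansible Vault file or `--extra-vars`, and rotate the key if this value is live. The comment above `gate_iptables_rules_file` says `# Name of the service to reload`, but the value is a file path — `# Path of the iptables-save file written by the role` matches what the tasks do with it. The README added in this commit tells operators to flip `iptables_ip_forward`, while the variable here is `gate_iptables_ip_forward`; one of the two names should change.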


@@ -0,0 +1,6 @@
---
- name: restart netfilter-persistent
service:
name: netfilter-persistent
state: restarted
sleep: 10


@@ -0,0 +1,62 @@
---
- name: install iptables
apt:
name: iptables
state: present
tags: packages
- name: install iptables-persistent for Debian
apt:
pkg: iptables-persistent
state: present
tags: packages
- name: GET RESULT
uri:
url: "https://{{ gate_naupp_fqdn }}/sd/services/rest/exec?accessKey={{ gate_access_key }}&func=modules.externalAccess.getExternalAccesses&params=user"
method: GET
return_content: yes
delegate_to: 127.0.0.1
register: _result
until: _result.status != -1
retries: 15
delay: 15
- set_fact:
endpoint_naupp: "{{ _result['content'] }}"
- debug:
msg: "{{ endpoint_naupp }}"
- name: setup IP forwarding for IPv4
sysctl:
name: net.ipv4.ip_forward
value: "{{ gate_iptables_ip_forward }}"
tags: configuration
- name: start iptables and add to boot runlevel
service:
name: netfilter-persistent
enabled: true
state: started
- name: configure rules
template:
src: rules.iptables.j2
dest: "{{ gate_iptables_rules_file }}"
notify: restart netfilter-persistent
tags: configuration
- name: symlink IPv4 rules
file:
src: "{{ gate_iptables_rules_file }}"
dest: /etc/iptables/rules.v4
state: link
tags: configuration
- name: disable IPv6 on all interfaces
sysctl:
name: net.ipv6.conf.all.disable_ipv6
value: 1
tags: configuration
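Review bot: The `GET RESULT` task puts `gate_access_key` into the request URL and has no `no_log`, so the key is printed in task output on failure or with `-v`; add `no_log: true` to that task (the `debug` that follows only prints the body and can stay). `set_fact: endpoint_naupp: "{{ _result['content'] }}"` stores the raw body and relies on Ansible coercing the JSON string back into a list for the template's `{% for params in endpoint_naupp %}`; `_result.json` is the explicit form and fails loudly when the service returns something else. The fields taken from that response (`source_ip`, `external_port`, `target_ip`, `target_port`) are written into the iptables rules unvalidated, so an unexpected or malformed value makes `iptables-restore` reject the whole file or opens more than intended; an `assert` task before `configure rules` that checks each `source_ip` with the `ipaddr` filter and each port as an integer in range would catch that at the source. `value: 1` on the IPv6 sysctl should be quoted (`value: "1"`) for consistency with the forwarding task above it.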


@@ -0,0 +1,192 @@
###############################################################################
# The MIT License
#
# Copyright 2012-2014 Jakub Jirutka <jakub@jirutka.cz>.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
###############################################################################
#
# Basic iptables/IPv4 template for an ordinary servers
#
# This file is in iptables-restore format. See the man pages for
# iptables-restore(8) and iptables-save(8).
#
# The following is a set of firewall rules that should be applicable to Linux
# servers running within departments. It is intended to provide a useful
# starting point from which to devise a comprehensive firewall policy for
# a host.
#
# Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be
# populated with rules specific to particular hosts. The optional part 4 is
# prepared for a NAT rules, e.g. for port forwarding, redirect, masquerade...
#
# This template is based on http://jdem.cz/v64a3 from University of Leicester.
#
# For the newest version go to https://gist.github.com/jirutka/3742890.
#
# @author Jakub Jirutka <jakub@jirutka.cz>
# @version 1.3.1
# @date 2014-01-28
#
###############################################################################
# 1. COMMON HEADER #
# #
# This section is a generic header that should be suitable for most hosts. #
###############################################################################
*filter
# Base policy
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Don't attempt to firewall internal traffic on the loopback device.
-A INPUT -i lo -j ACCEPT
# Continue connections that are already established or related to an established
# connection.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Drop non-conforming packets, such as malformed headers, etc.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Block remote packets claiming to be from a loopback address.
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
# Drop all packets that are going to broadcast, multicast or anycast address.
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
# Chain for preventing SSH brute-force attacks.
# Permits 10 new connections within 5 minutes from a single host then drops
# incomming connections from that host. Beyond a burst of 100 connections we
# log at up 1 attempt per second to prevent filling of logs.
-N SSHBRUTE
-A SSHBRUTE -m recent --name SSH --set
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
-A SSHBRUTE -j ACCEPT
# Chain for preventing ping flooding - up to 6 pings per second from a single
# source, again with log limiting. Also prevents us from ICMP REPLY flooding
# some victim when replying to ICMP ECHO from a spoofed source.
-N ICMPFLOOD
-A ICMPFLOOD -m recent --set --name ICMP --rsource
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
-A ICMPFLOOD -j ACCEPT
###############################################################################
# 2. HOST SPECIFIC RULES #
# #
# This section is a good place to enable your host-specific services. #
# ! DO NOT FORGOT TO COPY THESE RULES TO firewall.ip6tables TO ALLOW IPV6 ! #
###############################################################################
# Accept HTTP and HTTPS
#-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT
# ACCEPT RULES FROM naupp
{% for params in endpoint_naupp %}
-A INPUT -p tcp -m tcp -s {{ params.source_ip|join(',') }} --dport {{ params.external_port }} -j ACCEPT
-A FORWARD -p tcp -m tcp -s {{ params.source_ip|join(',') }} --dport {{ params.target_port }} -j ACCEPT
{% endfor %}
###############################################################################
# 3. GENERAL RULES #
# #
# This section contains general rules that should be suitable for most hosts. #
###############################################################################
# Accept worldwide access to SSH and use SSHBRUTE chain for preventing
# brute-force attacks.
-A INPUT -s {{ gate_local_net }} -i {{ gate_int_if }} -j ACCEPT
-A FORWARD -s {{ gate_local_net }} -i {{ gate_int_if }} -j ACCEPT
-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
# Permit useful IMCP packet types.
# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
# Blocking these can make diagnosing of even simple faults much more tricky.
# Real security lies in locking down and hardening all services, not by hiding.
-A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD
-A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
# Do not log packets that are going to ports used by SMB
# (Samba / Windows Sharing).
-A INPUT -p udp -m multiport --dports 135,445 -j DROP
-A INPUT -p udp --dport 137:139 -j DROP
-A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
# Do not log packets that are going to port used by UPnP protocol.
-A INPUT -p udp --dport 1900 -j DROP
# Do not log late replies from nameservers.
-A INPUT -p udp --sport 53 -j DROP
# Good practise is to explicately reject AUTH traffic so that it fails fast.
-A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
# Prevent DOS by filling log files.
-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
COMMIT
###############################################################################
# 4. HOST SPECIFIC NAT RULES #
# #
# Uncomment this section if you want to use NAT table, e.g. for port #
# forwarding, redirect, masquerade... #
###############################################################################
*nat
# Base policy
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Redirect port 21 to local port 2121
#-A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 2121
# Forward port 8080 to port 80 on host 192.168.1.10
#-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
# NAT rules from naupp
{% for params in endpoint_naupp %}
-A PREROUTING -i {{ gate_ext_if }} -p tcp --dport {{ params.external_port }} -j DNAT --to-destination {{ params.target_ip }}:{{ params.target_port }}
{% endfor %}
# mask because not default route
-A POSTROUTING -o {{ gate_ext_if }} -j MASQUERADE
-A POSTROUTING -o {{ gate_int_if }} -j MASQUERADE
COMMIT
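Review bot: The `-A FORWARD ... --dport {{ params.target_port }}` rule generated in part 2 carries no `-d {{ params.target_ip }}`, so for each naupp entry forwarding is allowed to that port on every host behind the gateway rather than only the DNAT target; `-A FORWARD -p tcp -m tcp -s {{ params.source_ip|join(',') }} -d {{ params.target_ip }} --dport {{ params.target_port }} -j ACCEPT` pairs it with the PREROUTING DNAT rule in part 4. The comment above `-A INPUT -s {{ gate_local_net }} -i {{ gate_int_if }} -j ACCEPT` still reads "Accept worldwide access to SSH", which describes the SSHBRUTE line two lines below; a comment such as `# Trust everything arriving from the internal networks on the internal interface` belongs on the two local-net rules. Note that `-A POSTROUTING -o {{ gate_int_if }} -j MASQUERADE` rewrites the client address on internal-bound traffic, so the DNAT targets only ever see and log the gateway's IP; if those hosts need the real client address for their own logs or ACLs, that rule has to go and the targets need a route back through the gateway, as the "not default route" comment hints. As far as I can see, replies from the targets currently pass FORWARD only because they arrive from the local net on the internal interface; a `-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` ahead of the generated rules would make that explicit.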


@@ -0,0 +1,7 @@
hetzner_app_java_11: jdk-11.0.12+7
hetzner_app_java_11_file: OpenJDK11U-jdk_x64_linux_hotspot_11.0.12_7.tar.gz
hetzner_app_java_8: jdk8u312-b07
hetzner_app_java_8_file: OpenJDK8U-jdk_x64_linux_hotspot_8u312b07.tar.gz
hetzner_app_swap_file_path: /swapfile
hetzner_app_swap_file_size_gb: 8
hetzner_app_stands_user: nausd4


@@ -0,0 +1,160 @@
---
- name: Allow all access from RFC1918 networks to this host
community.general.ufw:
rule: allow
src: '{{ item }}'
loop:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 195.151.207.0/24
- 37.29.46.132/32
- 109.235.215.238/32
- 84.47.191.162/32
- 77.232.53.10/32
- 188.187.118.117/32
- 91.234.153.110/32
- 195.151.8.25/32
- 78.30.223.233/32
- 109.237.104.138/32
- 84.47.168.163/32
- 94.28.29.140/32
- name: Enable UFW
community.general.ufw:
state: enabled
- name: set timezone to Asia/Yekaterinburg
community.general.timezone:
hwclock: local
name: Asia/Yekaterinburg
- name: Install java_11
ansible.builtin.unarchive:
src: "https://github.com/adoptium/temurin11-binaries/releases/download/{{ hetzner_app_java_11 }}/{{ hetzner_app_java_11_file }}"
dest: /opt
remote_src: yes
- name: symlink java_11
file:
src: "/opt/{{ hetzner_app_java_11 }}/"
dest: /opt/openjdk_11
state: link
- name: Install java_8
ansible.builtin.unarchive:
src: "https://github.com/adoptium/temurin8-binaries/releases/download/{{ hetzner_app_java_8 }}/{{ hetzner_app_java_8_file }}"
dest: /opt
remote_src: yes
- name: symlink java_8
file:
src: "/opt/{{ hetzner_app_java_8 }}/"
dest: /opt/openjdk_8
state: link
- name: Run the equivalent of "apt-get update" as a separate step
apt:
update_cache: yes
- name: Install a list of packages
apt:
pkg:
- libmime-tools-perl
- atop
- iotop
- less
- nano
- vim
- telnet
- dnsutils
- curl
- wget
- zip
- unzip
- tar
- rsync
- screen
- openssl
- ldap-utils
- fontconfig
- htop
- mc
- ttf-mscorefonts-installer
- python-simplejson
- software-properties-common
- traceroute
- file
- chrony
- name: Create swap file
command: fallocate -l {{ hetzner_app_swap_file_size_gb }}G {{ hetzner_app_swap_file_path }}
creates="{{ hetzner_app_swap_file_path }}"
tags:
- swap.file.create
- name: Change swap file permissions
file: path="{{ hetzner_app_swap_file_path }}"
owner=root
group=root
mode=0600
tags:
- swap.file.permissions
- name: "Check swap file type"
command: file {{ hetzner_app_swap_file_path }}
register: swapfile
tags:
- swap.file.mkswap
- name: Make swap file
command: "sudo mkswap {{ hetzner_app_swap_file_path }}"
when: swapfile.stdout.find('swap file') == -1
tags:
- swap.file.mkswap
- name: Write swap entry in fstab
mount: name=none
src={{ hetzner_app_swap_file_path }}
fstype=swap
opts=sw
passno=0
dump=0
state=present
tags:
- swap.fstab
- name: Mount swap
command: "swapon {{ hetzner_app_swap_file_path }}"
when: ansible_swaptotal_mb < 1
tags:
- swap.file.swapon
- name: "Add the user {{ hetzner_app_stands_user }} with a bash shell"
ansible.builtin.user:
name: "{{ hetzner_app_stands_user }}"
shell: /bin/bash
home: "/home/{{ hetzner_app_stands_user }}"
create_home: yes
generate_ssh_key: yes
- name: Ansible copy authorized_keys
copy:
src: /root/.ssh/authorized_keys
dest: "/home/{{ hetzner_app_stands_user }}/.ssh/authorized_keys"
remote_src: yes
- name: Change file permissions
file: path="/home/{{ hetzner_app_stands_user }}/.ssh/authorized_keys"
owner="{{ hetzner_app_stands_user }}"
group="{{ hetzner_app_stands_user }}"
mode=0600
- name: Create stands directory
file:
path: /opt/stands
state: directory
owner: "{{ hetzner_app_stands_user }}"
group: "{{ hetzner_app_stands_user }}"
mode: 0775
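Review bot: The two `ansible.builtin.unarchive` tasks pull the JDK tarballs straight from GitHub with `remote_src: yes` and nothing verifies what was downloaded; `unarchive` has no checksum option, so fetch with `get_url` and `checksum: "sha256:<PLACEHOLDER_JDK_SHA256>"` (the release page publishes the digest) and then unarchive the local file, for both the java_11 and java_8 tasks. `command: "sudo mkswap ..."` invokes sudo from inside a play that already runs with privilege escalation; drop `sudo` there. The `file:` tasks written as `path=... mode=0600` key=value strings should use mapping args like the rest of this file, and `mode: 0775` on the last task should be the string `'0775'` so YAML does not reinterpret the octal literal. `python-simplejson` looks like a Python 2 package name; on the ubuntu-20.04 image the server-creation task in this commit uses it may not be installable — worth confirming.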


@@ -0,0 +1,6 @@
# NetPlan file for internal network
hetzner_server_netplan_int_net: /etc/netplan/01-network-manager.yaml
hetzner_server_server_location: hel1-dc2
# hetzner_server_server_location: fsn1-dc14
# default gateway
hetzner_server_gw_ip: 10.106.100.1


@@ -0,0 +1,6 @@
---
- name: netplan apply
tags: netplan
command: ssh {{ ip_addr }} -oStrictHostKeyChecking=no "netplan apply"
async: 1
poll: 0
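Review bot: The `netplan apply` handler runs `ssh ... -oStrictHostKeyChecking=no`, which accepts whatever host key the server presents and silently records it, so a changed key on a host that was already known goes unnoticed; `-o StrictHostKeyChecking=accept-new` keeps first-contact convenience while still failing on a key change, and pre-seeding known_hosts from the provider API is the stricter option. With `async: 1` and `poll: 0` the handler never reports whether `netplan apply` succeeded; if fire-and-forget is needed because reconfiguring the interface drops the SSH session, say so in a comment above the task, e.g. `# fire-and-forget: applying netplan may cut this SSH session`.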


@@ -0,0 +1,65 @@
---
- name: GET APPS NUMBER
shell: hcloud server list -o columns=name | grep sd-apps[[:digit:]] | sed s/[^0-9]//g
register: _nodes
- set_fact:
nodes: "{{ _nodes.stdout_lines }}"
- name: GET NEXT NODE NUMBER
set_fact: max_node_id="{{ nodes | sort | last }}"
- debug:
msg: "Next Node id is {{ max_node_id | int + 1 }}"
- name: "Create new sd-apps server with next number {{ max_node_id | int + 1 }}"
shell: hcloud server create --datacenter "{{ hetzner_server_server_location }}" --image ubuntu-20.04 --ssh-key ansible,manager,pguzaev@naumen.ru --network 1127862 --start-after-create --type cpx51 --name "sd-apps{{ max_node_id | int + 1 }}-presale"
register: _status
- debug:
msg: "Status is {{ _status.stdout_lines }}"
- set_fact:
ext_ip_addr: "{{ _status.stdout_lines[3] }}"
- debug:
msg: "External ip address is {{ ext_ip_addr.split()[1] }}"
- name: Wait ssh avalaible
wait_for:
host: "{{ ext_ip_addr.split()[1] }}"
port: "22"
state: started # Port should be open
delay: 10 # No wait before first check (sec)
timeout: 240 # Stop checking after timeout (sec)
ignore_errors: no
- name: GET APPS
shell: hcloud server describe -o json "sd-apps{{ max_node_id | int + 1 }}-presale"
register: _result
- set_fact:
private_net: "{{ (_result.stdout | from_json).private_net }}"
- set_fact:
ip_addr: "{{ private_net[0]['ip'] }}"
- name: GET APPS
shell: hcloud server ssh sd-apps{{ max_node_id | int + 1 }}-presale -oStrictHostKeyChecking=no ifconfig | awk '/{{ ip_addr }}/ {print $1}' RS="\n\n"
register: _if_int
- set_fact:
if_int: "{{ _if_int.stdout }}"
- debug:
msg: "internal iface is {{ if_int }} and has ip adress is {{ ip_addr }}"
- name: Netplan configure rules
template:
src: 01-network-manager.yaml.js2
dest: "/tmp/sd-apps{{ max_node_id | int + 1 }}-presale.yaml"
- name: Set Netplan
shell: scp -oStrictHostKeyChecking=no "/tmp/sd-apps{{ max_node_id | int + 1 }}-presale.yaml" "{{ ip_addr }}:{{ hetzner_server_netplan_int_net }}"
notify:
- netplan apply
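Review bot: `set_fact: max_node_id="{{ nodes | sort | last }}"` sorts the node numbers as strings, so once there are ten or more servers the lexicographic maximum is wrong (`["10", "9"] | sort | last` is `"9"`) and the next server gets a colliding name; use `max_node_id: "{{ nodes | map('int') | max }}"` and keep the `| int + 1` arithmetic as is. The same `-oStrictHostKeyChecking=no` as in the handler appears on the `hcloud server ssh` and `scp` calls here. `ext_ip_addr: "{{ _status.stdout_lines[3] }}"` and `ext_ip_addr.split()[1]` depend on the exact layout of `hcloud server create` output; `hcloud server describe -o json`, which this file already uses below, exposes the public IP as a field and does not break when the CLI's table output changes. The template source is named `01-network-manager.yaml.js2` — if the file in the role is `.j2`, this task fails with a missing template.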


@@ -0,0 +1,23 @@
# This file is generated from ansible autogeneration scripts
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
version: 2
ethernets:
{{ if_int }}
dhcp4: true
nameservers:
addresses:
- 192.168.224.7
- 192.168.240.7
- 91.232.196.12
search:
- office0.naumen.ru
routes:
- to: 192.168.0.0/16
via: 10.106.100.1
- to: 172.16.0.0/16
via: 10.106.100.1
- to: 10.0.0.0/8
via: {{ hetzner_server_gw_ip }}
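Review bot: The interface key is written as `{{ if_int }}` with no trailing colon, so as far as I can tell this renders valid YAML only because the awk in the hetzner_server tasks captures `ifconfig`'s first field, which ends in `:` (`ens10:`); that coupling is invisible here and breaks as soon as `if_int` is derived another way. Strip the colon where `if_int` is computed and write the key explicitly as `{{ if_int }}:`, with a comment such as `# interface name discovered at create time (see hetzner_server tasks)`. The routes use `172.16.0.0/16` while the ufw allow-list elsewhere in this commit uses the full RFC 1918 block `172.16.0.0/12`; if the /16 is deliberate, a comment saying so would save the next reader a question.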


@@ -0,0 +1,16 @@
---
# ldap
ldap_server: "ldap://<some_server>"
ldap_port: "389"
ldap_base: dc=naumen,dc=ru
base_group: ou=groups,dc=naumen,dc=ru
base_passwd: ou=users,dc=naumen,dc=ru
filter_group: (|(objectClass=posixGroup)(objectClass=groupOfNames))
filter_passwd: (&(objectClass=posixAccount)(shadowInactive=0)(memberOf=cn=users,ou=groups,dc=naumen,dc=ru))
nss_nested_groups: on
reconnect_invalidate: passwd,group,nfsidmap
uid: nslcd
gid: nslcd
ssl_type: start_tls
ssl: "no"
tls_reqcert: "allow"
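Review bot: `tls_reqcert: "allow"` together with `ssl: "no"` and an `ldap://` URI means the directory is reached in cleartext and, where StartTLS is used, any certificate is accepted, so a host on the path can read or answer the NSS/PAM and SSH-key lookups this role configures; the safe defaults are `tls_reqcert: "demand"` plus a CA path (`tls_cacertfile`) and `ssl` set to `start_tls` (or an `ldaps://` URI), with the relaxed values left to an explicit inventory override. `nss_nested_groups: on` is a YAML 1.1 boolean and renders as `True` in a template, not `on`; quote it (`"on"`) if it is ever written to nslcd.conf. The `ssl` and `ssl_type` variables overlap in meaning and only `tls_reqcert` is consumed by the `ldap.conf.j2` template in this commit, so one of them is dead configuration.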


@@ -0,0 +1,14 @@
passwd: compat ldap
group: compat ldap
shadow: compat ldap
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis ldap


@@ -0,0 +1,23 @@
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
#initgroups: files
#hosts: db files nisplus nis dns
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus
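Review bot: `passwd`, `shadow`, `group`, `services` and `netgroup` list `sss` before `ldap`, but the RedHat install task in this commit brings in `nss-pam-ldapd`/`nscd`, not sssd, so every lookup first tries a backend that is not there before falling through; if sssd is not expected on these hosts, drop `sss` from those lines (`passwd: files ldap` and so on), and if it is, the install task should include it. The `nisplus` entries for `bootparams`, `publickey` and `aliases` are legacy defaults that can be trimmed to `files` for clarity.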


@@ -0,0 +1,7 @@
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
%<some_group> ALL=(ALL) NOPASSWD: ALL
administrator ALL=(root) NOPASSWD: /bin/systemctl * dev_branch*_hornetq*
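Review bot: In `administrator ALL=(root) NOPASSWD: /bin/systemctl * dev_branch*_hornetq*` the sudoers wildcards also match spaces, so the rule grants every `systemctl` verb with any extra arguments as long as something on the line matches `dev_branch*_hornetq*`, which is much broader than restarting those units; enumerate the verbs explicitly (one entry per allowed verb, e.g. `/bin/systemctl restart dev_branch*_hornetq*`, noting that the trailing `*` still matches further arguments) or wrap the allowed operations in a small script. `%sudo ALL=(ALL:ALL) NOPASSWD: ALL` removes the password prompt for the whole sudo group, which the stock Ubuntu sudoers deliberately keeps; if that is intended, say so in a comment. `%<some_group>` is still a placeholder and is copied to `/etc/sudoers` verbatim by the playbook in this commit.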


@@ -0,0 +1,19 @@
---
- name: restart nscd
service:
name: nscd
enabled: true
state: restarted
- name: restart nslcd
service:
name: nslcd
enabled: true
state: restarted
- name: restart sshd
service:
name: sshd
enabled: true
state: restarted


@@ -0,0 +1,356 @@
---
- name: Install ldap package (Debian-like)
apt:
pkg:
- libpam-ldapd
- libnss-ldapd
- ldap-utils
- nscd
state: present
update_cache: true
cache_valid_time: 36000
when: ansible_os_family == "Debian"
- name: Install ldap package (RedHat-like)
yum:
name:
- pam_ldap
- nss-pam-ldapd
- openldap-clients
- nscd
state: present
when: ansible_os_family == "RedHat"
- name: Disable SELinux on (RedHat-like)
selinux:
state: disabled
when: ansible_os_family == "RedHat"
- name: Remove dist configs (RedHat-like)
file:
path: /etc/nslcd.conf
state: absent
when: ansible_os_family == "RedHat"
- name: Backup dist configs (Debian-like)
command: mv /etc/nslcd.conf /etc/nslcd_dist.conf
when: ansible_os_family == "Debian"
- name: Create config files (RedHat-like)
file:
src: /etc/openldap/ldap.conf
dest: /etc/nslcd.conf
state: link
when: ansible_os_family == "RedHat"
- name: Create config files (Debian-like)
file:
src: /etc/ldap/ldap.conf
dest: /etc/nslcd.conf
state: link
when: ansible_os_family == "Debian"
- name: Create ldap.conf file (RedHat-like)
template:
src: ldap.conf.j2
dest: "/etc/openldap/ldap.conf"
mode: 0440
owner: root
group: root
when: ansible_os_family == "RedHat"
- name: Create ldap.conf file (Debian-like)
template:
src: ldap.conf.j2
dest: "/etc/ldap/ldap.conf"
mode: 0440
owner: root
group: root
when: ansible_os_family == "Debian"
- name: Edit nsswitch.conf (RedHat-like)
copy:
src: "{{ role_path }}/files/nsswitch.conf.RedHat"
dest: /etc/nsswitch.conf
backup: true
when: ansible_os_family == "RedHat"
- name: Edit nsswitch.conf (Debian-like)
copy:
src: "{{ role_path }}/files/nsswitch.conf.Debian"
dest: /etc/nsswitch.conf
backup: true
when: ansible_os_family == "Debian"
notify:
- restart nslcd
- name: Create get_ldap_ssh_key.sh bash script
template:
src: get_ldap_ssh_key.sh.j2
dest: "/usr/bin/get_ldap_ssh_key.sh"
mode: 0755
owner: root
group: root
- name: Update pam.d (Debian-like)
pamd:
name: common-account
type: account
control: "required"
module_path: pam_permit.so
new_type: account
new_control: "[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]"
new_module_path: pam_ldap.so
module_arguments: 'minimum_uid=500'
state: after
when: ansible_os_family == "Debian"
- name: Update pam.d (Debian-like)
pamd:
name: common-auth
type: auth
control: "[success=2 default=ignore]"
module_path: pam_unix.so
new_type: auth
new_control: "[success=1 default=ignore]"
new_module_path: pam_ldap.so
module_arguments: 'minimum_uid=500 use_first_pass'
state: after
when: ansible_os_family == "Debian"
- name: Update pam.d (Debian-like)
pamd:
name: common-password
type: password
control: "[success=2 default=ignore]"
module_path: pam_unix.so
new_type: password
new_control: "[success=1 default=ignore]"
new_module_path: pam_ldap.so
module_arguments: 'minimum_uid=500 use_first_pass'
state: after
when: ansible_os_family == "Debian"
- name: Update pam.d (Debian-like)
pamd:
name: common-session
type: session
control: "required"
module_path: pam_unix.so
new_type: session
new_control: "[success=ok default=ignore]"
new_module_path: pam_ldap.so
module_arguments: 'minimum_uid=500'
state: after
when: ansible_os_family == "Debian"
- name: Update pam.d (Debian-like)
pamd:
name: common-session
type: session
control: "required"
module_path: pam_permit.so
new_type: session
new_control: optional
new_module_path: pam_mkhomedir.so
module_arguments: 'skel=/etc/skel/'
state: after
when: ansible_os_family == "Debian"
- name: Update pam.d (RedHat-like)
pamd:
name: system-auth-ac
type: session
control: "required"
module_path: pam_unix.so
new_type: session
new_control: "[success=ok default=ignore]"
new_module_path: pam_ldap.so
module_arguments: 'minimum_uid=500'
state: after
when: ansible_os_family == "RedHat"
- name: Update pam.d (RedHat-like)
pamd:
name: system-auth-ac
type: session
control: "[success=ok default=ignore]"
module_path: pam_ldap.so
new_type: session
new_control: "optional"
new_module_path: pam_ldap.so
state: after
when: ansible_os_family == "RedHat"
- name: Update pam.d (RedHat-like)
pamd:
name: password-auth-ac
type: session
control: "required"
module_path: pam_unix.so
new_type: session
new_control: "[success=ok default=ignore]"
new_module_path: pam_ldap.so
module_arguments: 'minimum_uid=500'
state: after
when: ansible_os_family == "RedHat"
- name: Update pam.d (RedHat-like)
pamd:
name: password-auth-ac
type: session
control: "[success=ok default=ignore]"
module_path: pam_ldap.so
new_type: session
new_control: "optional"
new_module_path: pam_ldap.so
state: after
when: ansible_os_family == "RedHat"
- name: Update pam.d (RedHat-like)
pamd:
name: postlogin-ac
type: session
control: "optional"
module_path: pam_lastlog.so
new_type: session
new_control: optional
new_module_path: pam_mkhomedir.so
module_arguments: 'skel=/etc/skel/'
state: after
when: ansible_os_family == "RedHat"
- name: Update nscd.conf
lineinfile:
path: /etc/nscd.conf
regexp: "^reload-count"
line: 'reload-count unlimited'
- name: Update nscd.conf
lineinfile:
path: /etc/nscd.conf
regexp: '^positive-time-to-live passwd'
line: 'positive-time-to-live passwd 2592000'
- name: Update nscd.conf
lineinfile:
path: /etc/nscd.conf
regexp: '^positive-time-to-live group'
line: "positive-time-to-live passwd 2592000"
- name: Update sudoes users for sd-tpivi group
lineinfile:
path: /etc/sudoers
line: "%sd-tpivi ALL=(ALL) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-321 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-321 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-322 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-322 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-323 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-323 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-324 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-324 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-325 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-325 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-326 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-326 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-327 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-327 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-328 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-328 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-329 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-329 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-329 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-353 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sshd_config for AuthorizedKeysCommand
lineinfile:
path: /etc/ssh/sshd_config
line: "AuthorizedKeysCommand /usr/bin/get_ldap_ssh_key.sh"
state: present
- name: Update sshd_config for AuthorizedKeysCommandUser
lineinfile:
path: /etc/ssh/sshd_config
line: "AuthorizedKeysCommandUser nobody"
state: present
- name: Update sshd_config for AuthorizedKeysCommandUser
lineinfile:
path: /etc/ssh/sshd_config
line: "AllowGroups sd-all root administrator postgres mssql oinstall ansible nausd4"
state: present
- name: Update sshd.conf PermitRootLogin
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^PermitRootLogin"
line: 'PermitRootLogin No'
- name: Update sshd.conf Match All
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#Match User'
insertbefore: '^AuthorizedKeysCommand /usr/bin/get_ldap_ssh_key.sh'
line: 'Match All'
- name: Update sshd.conf PasswordAuthentication no
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#Match User'
insertbefore: '^Match All'
line: ' PasswordAuthentication no'
- name: Update sshd.conf Match User administrator,oracle,postgres,mssql,nausd4,ansible
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#Match User'
insertbefore: '^ PasswordAuthentication no'
line: 'Match User administrator,oracle,postgres,mssql,nausd4,ansible'
notify:
- restart sshd
- restart nscd
- restart nslcd
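Review bot: The third `Update nscd.conf` task matches `regexp: '^positive-time-to-live group'` but writes `line: "positive-time-to-live passwd 2592000"`, so the group TTL line is replaced by a duplicate passwd line; it should be `line: 'positive-time-to-live group 2592000'`. All the `lineinfile` edits of `/etc/sudoers` and `/etc/ssh/sshd_config` (also those in the sec_ssh playbook in this commit) run without `validate`, so a typo locks out sudo or sshd on the next restart; add `validate: '/usr/sbin/visudo -cf %s'` and `validate: '/usr/sbin/sshd -t -f %s'` respectively. `selinux: state: disabled` turns SELinux off entirely to make LDAP auth work, where the `authlogin_nsswitch_use_ldap` boolean is the targeted fix; at least document why full disablement is required. `command: mv /etc/nslcd.conf /etc/nslcd_dist.conf` is not idempotent — on a second run it moves the symlink created by the following task over the backup — so guard it with `args: creates: /etc/nslcd_dist.conf`. The task named `Update sudoes users for sd-devel-329 group` at the end of that series actually adds `%sd-devel-353`, which hides the rule from anyone reading the play output by task name.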


@@ -0,0 +1,108 @@
---
- name: sec_ssh start!
hosts: ldap-auth
become: yes
tasks:
- name: Update sshd.conf PermitRootLogin
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^PermitRootLogin"
line: 'PermitRootLogin No'
tags:
- sec_ssh
- name: Update sshd.conf Match All
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#Match User'
insertbefore: '^AuthorizedKeysCommand /usr/bin/get_ldap_ssh_key.sh'
line: 'Match All'
tags:
- sec_ssh
- name: Update sshd.conf PasswordAuthentication no
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#Match User'
insertbefore: '^Match All'
line: ' PasswordAuthentication no'
tags:
- sec_ssh
- name: Update sshd.conf Match User administrator,oracle,postgres,mssql,nausd4,ansible
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^#Match User'
insertbefore: '^ PasswordAuthentication no'
line: 'Match User administrator,oracle,postgres,mssql,nausd4,ansible'
tags:
- sec_ssh
- name: Update sshd.conf AllowGroups
lineinfile:
path: /etc/ssh/sshd_config
regexp: "^AllowGroups"
line: 'AllowGroups sd-all root administrator postgres mssql oinstall ansible nausd4'
tags:
- sec_ssh
- name: Update sudoes users for sd-devel-321 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-321 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-322 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-322 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-323 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-323 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-324 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-324 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-325 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-325 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-326 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-326 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-327 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-327 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-328 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-328 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: Update sudoes users for sd-devel-329 group
lineinfile:
path: /etc/sudoers
line: "%sd-devel-329 ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL"
state: present
- name: restart sshd
service:
name: sshd
enabled: true
state: restarted
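Review bot: The final `restart sshd` is a plain task, so sshd is restarted on every run of this play even when none of the `lineinfile` edits changed anything, and before any syntax check of the edited config; make it a handler notified by the sshd_config tasks, and give those tasks `validate: '/usr/sbin/sshd -t -f %s'` so a broken edit fails the play instead of the service. The sudoers `lineinfile` tasks duplicate the ones in the ldap role tasks in this commit, again without `validate: '/usr/sbin/visudo -cf %s'`; if both copies are meant to stay, extracting them into a shared role keeps the lists from drifting (this file already lacks `sd-tpivi` and `sd-devel-353`).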


@@ -0,0 +1,29 @@
---
- hosts: sec
become: yes
gather_facts: yes
vars:
user_to_check: administrator
tasks:
- name: Check if administrator has sudo right
shell: sudo -n -l -U administrator 2>&1 | egrep -c -i "not allowed to run sudo|unknown user|неизвестный пользователь|не разрешается"
args:
executable: /bin/bash
ignore_errors: yes
register: right
- name: show administrator sudo right
debug: var=right.stdout
- name: Create temporary backup of /etc/sudoers
copy:
src: "/etc/sudoers"
remote_src: yes
dest: "/etc/sudoers_{{ now().strftime('%Y-%m-%d_%H_%M_%S') }}.bak"
# register: "sudoers_backup"
when: right.stdout == "0"
# changed_when: false
- name: Send sudoers to remote Server
copy: src="../files/sudoers" dest=/etc/sudoers
when: right.stdout == "0"
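Review bot: `copy: src="../files/sudoers" dest=/etc/sudoers` installs the file with no `validate` and no explicit mode, so a syntax error in the source file, or a mode other than 0440 inherited from the controller, makes sudo refuse to run on every host in the `sec` group until someone repairs it by other means. Have `visudo` check the file before it is swapped in and pin the ownership and mode, as below. The detection step greps localized `sudo -l` output (`неизвестный пользователь`, `не разрешается`), which depends on the remote locale; `LANG=C sudo -n -l -U administrator` makes the English patterns sufficient. The `user_to_check` var is declared but the shell task hard-codes `administrator`; use `{{ user_to_check }}` in the command so the variable actually drives the check.
```yaml
- name: Send sudoers to remote Server
  copy:
    src: ../files/sudoers
    dest: /etc/sudoers
    owner: root
    group: root
    mode: '0440'
    validate: /usr/sbin/visudo -cf %s
  when: right.stdout == "0"
```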


@@ -0,0 +1,16 @@
#!/bin/bash
SSH_USER=$1
LDAP_URI={{ ldap_server }}:{{ ldap_port }}
GROUP_DN={{ base_group }}
BASE_DN={{ base_passwd }}
ldapFilter="(&(shadowInactive=0)(uid=${SSH_USER})(memberOf=cn=users,ou=groups,dc=dc1,dc=com)(sshPublicKey=*))"
# Get "sshPublicKey":
KEY=$(ldapsearch -x -LLL -o ldif-wrap=no -H "${LDAP_URI}" -b "${BASE_DN}" "${ldapFilter}" sshPublicKey | \
grep sshPublicKey | \
perl -MMIME::Base64 -wpe 's/^sshPublicKey(:{1,2}) (.+)$/$1 eq "::" ? decode_base64($2) : $2/e')
echo "${KEY}"
exit 0
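Review bot: `SSH_USER=$1` is interpolated straight into `ldapFilter` as `(uid=${SSH_USER})`, and sshd passes the login name exactly as the remote client sent it, so a name containing filter metacharacters changes the query rather than merely failing it; reject anything outside a conservative pattern before querying, e.g. `[[ "$SSH_USER" =~ ^[a-z_][a-z0-9_.-]*$ ]] || exit 0`. The filter also hard-codes `memberOf=cn=users,ou=groups,dc=dc1,dc=com` while the role defaults use `dc=naumen,dc=ru` and `{{ base_group }}` is already rendered into the otherwise unused `GROUP_DN`; build the membership DN from those variables or the lookup will never match in this deployment. `ldapsearch -x -H "${LDAP_URI}"` over the `ldap://` URI runs without `-ZZ`, so the public keys that decide who may log in travel unauthenticated; require StartTLS (`-ZZ`) or an `ldaps://` URI together with certificate verification. The `grep | perl` pipeline and the unconditional `exit 0` make a failed directory lookup indistinguishable from "no key"; `set -o pipefail` plus a non-zero exit on lookup error lets sshd tell the two apart.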


@@ -0,0 +1,7 @@
uri {{ ldap_server }}:{{ ldap_port }}/
base {{ ldap_base }}
base group {{ base_group }}
base passwd {{ base_passwd }}
filter group {{ filter_group }}
filter passwd {{ filter_passwd }}
tls_reqcert {{ tls_reqcert }}