From 44822bd37bbb2ae7fd90ad101217ac153e2cdfc1 Mon Sep 17 00:00:00 2001 From: jaydee Date: Wed, 11 Dec 2024 23:10:40 +0100 Subject: [PATCH] bitwarden --- desktop.yml | 9 ++ roles/fail2ban/tasks/main.yml | 166 ++++++------------------------- roles/ldap_client/tasks/main.yml | 10 +- roles/ssh_banner/tasks/main.yml | 35 +++++++ roles/wake_on_lan/tasks/main.yml | 10 +- servers.yml | 3 +- test.yml | 4 + 7 files changed, 91 insertions(+), 146 deletions(-) create mode 100755 desktop.yml create mode 100755 roles/ssh_banner/tasks/main.yml create mode 100755 test.yml diff --git a/desktop.yml b/desktop.yml new file mode 100755 index 0000000..0cfef9c --- /dev/null +++ b/desktop.yml @@ -0,0 +1,9 @@ +--- +- hosts: desktop + roles: + - common + - wake_on_lan + - timeshift + - zabbix-agent + - autofs_client + - ldap_client \ No newline at end of file diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index a1451b5..92410d8 100755 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml 
@@ -1,149 +1,39 @@ - block: - - name: Install ldap packages + - name: Install fail2ban packages ansible.builtin.apt: name: - - libpam-ldapd - - ldap-utils - - libnss-ldapd - # - name: Reconfigure ldap base - # ansible.builtin.lineinfile: - # path: /etc/ldap.conf - # regexp: "^base " - # line: "base dc=sectorq,dc=eu" - - # - name: Reconfigure ldap uri - # ansible.builtin.lineinfile: - # path: /etc/ldap.conf - # regexp: "^uri ldap.*" - # line: "uri ldaps://ldap-server.loc/" - # - name: Reconfigure ldap version - # ansible.builtin.lineinfile: - # path: /etc/ldap.conf - # regexp: "^ldap_version.*" - # line: "ldap_version 3" - - # - name: Reconfigure ldap rootbinddn - # ansible.builtin.lineinfile: - # path: /etc/ldap.conf - # regexp: "^rootbinddn.*" - # line: "rootbinddn cn=admin,dc=sectorq,dc=eu" - - name: Reconfigure common-session - ansible.builtin.lineinfile: - path: /etc/pam.d/common-session - regexp: "^session optional pam_mkhomedir.so.*" - line: "session optional pam_mkhomedir.so skel=/etc/skel umask=077" - - name: Reconfigure common-session - ansible.builtin.lineinfile: - path: /etc/pam.d/common-session - regexp: "^session.*pam_ldap.so.*" - line: "session [success=ok default=ignore] pam_ldap.so minimum_uid=1000" - - name: Reconfigure common-password - ansible.builtin.lineinfile: - path: /etc/pam.d/common-password - regexp: "^password.*success=1 user_unknown=ignore default=die.*" - line: "password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass" - - name: Reconfigure nsswitch passwd - ansible.builtin.lineinfile: - path: /etc/nsswitch.conf - regexp: "^passwd:.*" - line: "passwd: compat systemd ldap" - - name: Reconfigure nsswitch group - ansible.builtin.lineinfile: - path: /etc/nsswitch.conf - regexp: "^group:.*" - line: "group: compat systemd ldap" - - name: Reconfigure nsswitch shadow - ansible.builtin.lineinfile: - path: /etc/nsswitch.conf - regexp: "^shadow:.*" - line: "shadow: compat ldap" - - - name: Reconfigure nslcd uri - 
ansible.builtin.lineinfile: - path: /etc/nslcd.conf - regexp: "^uri ldap.*" - line: "uri ldap://192.168.77.101:2389/" - - - - name: Reconfigure ldap base - ansible.builtin.lineinfile: - path: /etc/nslcd.conf - regexp: "^base " - line: "base dc=sectorq,dc=eu" - - - - name: Reconfigure nslcd binddn - ansible.builtin.lineinfile: - path: /etc/nslcd.conf - regexp: "^binddn" - line: "binddn cn=jaydee,dc=users,dc=sectorq,dc=eu" - - - name: Reconfigure nslcd bindpw - ansible.builtin.lineinfile: - path: /etc/nslcd.conf - regexp: "^bindpw" - line: "bindpw {{ ldap_admin_password }}" - # - name: Reconfigure ldap base - # ansible.builtin.lineinfile: - # path: /etc/nslcd.conf - # regexp: "^#ssl" - # line: "ssl start_tls" - - name: Reconfigure nslcd tls_reqcert - ansible.builtin.lineinfile: - path: /etc/nslcd.conf - regexp: "^tls_reqcert" - line: "tls_reqcert allow" - - name: Restart nslcd service - ansible.builtin.service: - name: nslcd.service - state: restarted - - - name: Creating a file with content + - fail2ban + - sendmail + - name: Copy files copy: - dest: "/usr/local/bin/fetchSSHKeysFromLDAP" - content: | - #!/usr/bin/bash - ldapsearch -x '(&(objectClass=ldapPublicKey)(cn='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp' - mode: '0755' - - name: Reconfigure sshd - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: "^#AuthorizedKeysCommand *" - line: "AuthorizedKeysCommand /usr/local/bin/fetchSSHKeysFromLDAP" + src: "{{ item }}" + dest: /etc/fail2ban/jail.d/ + with_fileglob: + - "jail.d/*.conf" - - name: Reconfigure sshd - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: "^#AuthorizedKeysCommandUser *" - line: "AuthorizedKeysCommandUser root" - - name: Create a directory LDAP if it does not exist - ansible.builtin.file: - path: /etc/ldap/ - state: directory - mode: '0755' - - name: Creating a file with content + - name: Copy files copy: - dest: "/etc/ldap/ldap.conf" - content: | - # - # LDAP 
Defaults - # + src: "{{ item }}" + dest: /etc/fail2ban/filter.d/ + with_fileglob: + - "filter.d/*.conf" - # See ldap.conf(5) for details - # This file should be world readable but not world writable. + - name: Copy files + copy: + src: "{{ item }}" + dest: /etc/fail2ban/action.d/ + with_fileglob: + - "action.d/*.conf" - BASE dc=sectorq,dc=eu - URI ldap://192.168.77.101:2389 - - #SIZELIMIT 12 - #TIMELIMIT 15 - #DEREF never - - # TLS certificates (needed for GnuTLS) - TLS_CACERT /etc/ssl/certs/ca-certificates.crt - - - name: Restart sshd service + - name: disable sendmail service ansible.builtin.service: - name: sshd.service + name: sendmail.service + state: stopped + enabled: false + + - name: Restart fail2ban service + ansible.builtin.service: + name: fail2ban.service state: restarted + enabled: true become: true \ No newline at end of file diff --git a/roles/ldap_client/tasks/main.yml b/roles/ldap_client/tasks/main.yml index a1451b5..a3956d3 100755 --- a/roles/ldap_client/tasks/main.yml +++ b/roles/ldap_client/tasks/main.yml @@ -76,7 +76,7 @@ ansible.builtin.lineinfile: path: /etc/nslcd.conf regexp: "^binddn" - line: "binddn cn=jaydee,dc=users,dc=sectorq,dc=eu" + line: "binddn cn=ldapservice,ou=users,dc=sectorq,dc=eu" - name: Reconfigure nslcd bindpw ansible.builtin.lineinfile: @@ -103,8 +103,10 @@ dest: "/usr/local/bin/fetchSSHKeysFromLDAP" content: | #!/usr/bin/bash - ldapsearch -x '(&(objectClass=ldapPublicKey)(cn='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp' - mode: '0755' + ldapsearch -x -H ldap://192.168.77.101:2389 -D 'cn=ldapservice,ou=users,DC=sectorq,DC=eu' -w {{ ldap_admin_password }} '(&(objectClass=person)(cn='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp' + owner: root + group: root + mode: '0700' - name: Reconfigure sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config 
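Review bot: The three new copy tasks all carry the identical name `Copy files` and use the short module name `copy`, while the surrounding tasks use FQCNs (`ansible.builtin.apt`, `ansible.builtin.service`); distinct names such as `Copy jail.d configs` with `ansible.builtin.copy` keep play output readable and the role consistent. The closing `Restart fail2ban service` task restarts on every run whether or not any file changed; giving the copy tasks `notify: Restart fail2ban` and moving the restart into a handler keeps the role idempotent. The `- block:` header that encloses these tasks is the first context line of the hunk, so the whole block is visible here.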
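Review bot: The rewritten `ldapsearch` invocation in the `fetchSSHKeysFromLDAP` script passes the bind secret as `-w {{ ldap_admin_password }}`, so the password is stored in clear in the script and, each time sshd runs the AuthorizedKeysCommand, appears in the process argument list readable by other local users for the duration of the lookup; the new `mode: '0700'`/root ownership closes only the first exposure. Reading it with `-y /etc/ldap/bindpw` from a root-only file written by a separate copy task (`mode: '0600'`, `no_log: true`) keeps it off the command line, and binding over `ldap://192.168.77.101:2389` rather than `ldaps://` or StartTLS sends the same credential unencrypted on the wire. The variable is named `ldap_admin_password` yet the bind DN is `cn=ldapservice,...`; confirm this is a read-only service credential rather than the directory admin's, since the script only needs to read `sshPublicKey`. The enclosing task begins before the hunk (its `name` and `copy:` lines are outside).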
@@ -144,6 +146,6 @@ - name: Restart sshd service ansible.builtin.service: - name: sshd.service + name: ssh state: restarted become: true \ No newline at end of file diff --git a/roles/ssh_banner/tasks/main.yml b/roles/ssh_banner/tasks/main.yml new file mode 100755 index 0000000..8cdebc6 --- /dev/null +++ b/roles/ssh_banner/tasks/main.yml @@ -0,0 +1,35 @@ +- block: + - name: Install packages + ansible.builtin.apt: + name: + - figlet + - toilet + + - name: Create Banner + ansible.builtin.command: | + figlet -c {{ (inventory_hostname|split('.'))[0] }} -f slant + register: logo + + - name: Creating a file with content + copy: + dest: "/etc/banner" + content: | + {{ logo.stdout }} + + - name: Reconfigure sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "^Banner.* " + line: "Banner /etc/banner" + + - name: Reconfigure sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "^#PrintLastLog.* " + line: "PrintLastLog no" + + - name: sshd + ansible.builtin.service: + name: ssh.service + state: restarted + become: true \ No newline at end of file diff --git a/roles/wake_on_lan/tasks/main.yml b/roles/wake_on_lan/tasks/main.yml index 9674660..04c65b3 100755 --- a/roles/wake_on_lan/tasks/main.yml +++ b/roles/wake_on_lan/tasks/main.yml @@ -8,10 +8,14 @@ var: ansible_facts.interfaces - name: Get wifi adapter set_fact: - wifi_adapter: '{{ item }}' + active_adapter: '{{ item }}' loop: '{{ ansible_facts.interfaces }}' when: 'item.startswith("eno")' - +- name: Display all interfaces name + debug: + msg: "{{ ansible_default_ipv4.interface }}" + + - name: Creating config become: true ansible.builtin.copy: @@ -23,7 +27,7 @@ [Service] Type=oneshot - ExecStart = /usr/sbin/ethtool --change {{ wifi_adapter }} wol g + ExecStart = /usr/sbin/ethtool --change {{ ansible_default_ipv4.interface }} wol g [Install] WantedBy=basic.target diff --git a/servers.yml b/servers.yml index bd83562..2c9a27c 100755 --- a/servers.yml +++ b/servers.yml 
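Review bot: Both `lineinfile` edits to `/etc/ssh/sshd_config` in the new `roles/ssh_banner/tasks/main.yml` run without `validate`, and the task named `sshd` then restarts the daemon unconditionally, so a malformed line would leave the host unreachable over SSH; adding `validate: '/usr/sbin/sshd -t -f %s'` to each edit and restarting through a handler (`notify: Restart sshd`) limits the blast radius and makes the role idempotent. The `Create Banner` command task reports changed on every run; `changed_when: false` is appropriate since it only produces `logo.stdout`. `PrintLastLog no` removes the last-login notice that users rely on to notice logins they did not make, so confirm that trade-off is intended rather than cosmetic. Two tasks share the name `Reconfigure sshd` and the last is named just `sshd`; `Set sshd Banner`, `Disable PrintLastLog` and `Restart sshd service` would read better in play output.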
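Review bot: In `roles/wake_on_lan/tasks/main.yml` the `Get wifi adapter` task still loops over the interfaces to set the renamed fact `active_adapter`, but nothing reads it any more — the unit's `ExecStart` line now templates `{{ ansible_default_ipv4.interface }}` — so that task is dead code and, together with the `Display all interfaces name` debug task that looks like a troubleshooting leftover, should be dropped. `ansible_default_ipv4` is only populated on hosts with an IPv4 default route, so on a host without one the template fails at the `ExecStart` line; guard the config task with `when: ansible_default_ipv4.interface is defined` or keep a fallback to the previous interface selection. The rename/usage pair spans both hunks of this file (`@@ -8,10 +8,14 @@` and `@@ -23,7 +27,7 @@`), and the `Creating config` task's content continues outside the second hunk.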
@@ -9,4 +9,5 @@ - monitoring - zabbix-agent - autofs_client - - ldap_client \ No newline at end of file + - ldap_client + - ssh_banner \ No newline at end of file diff --git a/test.yml b/test.yml new file mode 100755 index 0000000..ecc359e --- /dev/null +++ b/test.yml @@ -0,0 +1,4 @@ +--- +- hosts: datacenter + roles: + - ssh_banner \ No newline at end of file