64 files changed, 0 insertions, 1193 deletions
diff --git a/inventory.yaml b/inventory.yaml index 95fd4c7..5b71acf 100644 --- a/inventory.yaml +++ b/inventory.yaml @@ -28,5 +28,3 @@ all: turing: ritchie: neumann: - vars: - wireguard_port: 46850 diff --git a/playbook.yml b/playbook.yml index 34f9f5c..91a025c 100644 --- a/playbook.yml +++ b/playbook.yml @@ -2,10 +2,8 @@ hosts: all roles: - common - - jumpcloud - ufw - prometheus-node-exporter - - wireguard - fail2ban - name: Deploy our monitoring stack @@ -13,15 +11,6 @@ roles: - prometheus -- name: Deploy nginx & certbot to hosts - hosts: nginx - roles: - - certbot - - nginx - - nginx-geoip - - nginx-ufw - - nginx-cloudflare-mtls - - name: Deploy podman to container service hosts hosts: podman roles: @@ -31,17 +20,3 @@ hosts: lovelace roles: - postgres - -- name: Deploy monitoring software - hosts: neumann - roles: - - elasticsearch - - kibana - - kibana-nginx - -- name: Deploy monitoring agents - hosts: all - roles: - - filebeat - - packetbeat - - auditbeat diff --git a/roles/auditbeat/README.md b/roles/auditbeat/README.md deleted file mode 100644 index da18eda..0000000 --- a/roles/auditbeat/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Role "auditbeat" - -The auditbeat role installs and configures the auditbeat reporting agent. diff --git a/roles/auditbeat/handlers/main.yml b/roles/auditbeat/handlers/main.yml deleted file mode 100644 index cda733c..0000000 --- a/roles/auditbeat/handlers/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: restart auditbeat - service: - name: auditbeat - state: restarted - tags: - - role::auditbeat diff --git a/roles/auditbeat/meta/main.yml b/roles/auditbeat/meta/main.yml deleted file mode 100644 index 522f87c..0000000 --- a/roles/auditbeat/meta/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -dependencies: - - role: elasticsearch-repos - tags: - - role::auditbeat diff --git a/roles/auditbeat/tasks/main.yml b/roles/auditbeat/tasks/main.yml deleted file mode 100644 index b928c4a..0000000 
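Review bot: Dropping `jumpcloud`, `wireguard` and the monitoring-agent play (filebeat, packetbeat, auditbeat) from playbook.yml stops Ansible from managing those components, but nothing in the commit removes them from hosts that were already provisioned: the deleted role tasks installed packages and enabled services (`state: started`, `enabled: true`), the certbot role added root authorized keys on replica NGINX hosts via `ansible.posix.authorized_key` with `state: present`, and nginx-ufw opened `Nginx Full` in ufw, all of which stay in place until something sets them absent. A one-off decommission play that stops and purges the beat packages and the JumpCloud agent (`jcagent.service`, per the deleted service-facts check), removes the `certificate distribution key` entries from root's authorized_keys and deletes the now-unmanaged ufw rule would make the removal effective; the same consideration applies to `wireguard_port` dropped from inventory.yaml. The deleted vault.yml files for auditbeat, certbot, filebeat, jumpcloud and kibana remain in git history as ciphertext, so the credentials they protect (the elastic password, the Cloudflare token and the JumpCloud connect key) are worth rotating as part of the teardown rather than relying on the vault password alone.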
--- a/roles/auditbeat/tasks/main.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: Install Auditbeat - apt: - pkg: auditbeat - state: present - tags: - - role::auditbeat - -- name: Configure Auditbeat - template: - src: auditbeat.yml.j2 - dest: /etc/auditbeat/auditbeat.yml - mode: 0644 - owner: root - group: root - tags: - - role::auditbeat - notify: - - restart auditbeat - -- name: Start and enable Auditbeat - service: - name: auditbeat - state: started - enabled: true - tags: - - role::auditbeat diff --git a/roles/auditbeat/templates/auditbeat.yml.j2 b/roles/auditbeat/templates/auditbeat.yml.j2 deleted file mode 100644 index b779a05..0000000 --- a/roles/auditbeat/templates/auditbeat.yml.j2 +++ /dev/null 
@@ -1,99 +0,0 @@ -# You can find the full configuration reference here: -# https://www.elastic.co/guide/en/beats/auditbeat/index.html - -# =========================== Modules configuration ============================ -auditbeat.modules: - -- module: auditd - # Load audit rules from separate files. Same format as audit.rules(7). - audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ] - audit_rules: | - ## Define audit rules here. - ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these - ## examples or add your own rules. - - ## If you are on a 64 bit platform, everything should be running - ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls - ## because this might be a sign of someone exploiting a hole in the 32 - ## bit API. - #-a always,exit -F arch=b32 -S all -F key=32bit-abi - - ## Executions. - #-a always,exit -F arch=b64 -S execve,execveat -k exec - - ## External access (warning: these can be expensive to audit). - #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access - - ## Identity changes. - #-w /etc/group -p wa -k identity - #-w /etc/passwd -p wa -k identity - #-w /etc/gshadow -p wa -k identity - - ## Unauthorized access attempts. - #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access - #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access - -- module: file_integrity - paths: - - /bin - - /usr/bin - - /sbin - - /usr/sbin - - /etc - -- module: system - datasets: - - package # Installed, updated, and removed packages - - period: 2m # The frequency at which the datasets check for changes - -- module: system - datasets: - - host # General host information, e.g. uptime, IPs - - login # User logins, logouts, and system boots. 
- - process # Started and stopped processes - - socket # Opened and closed sockets - - user # User information - - # How often datasets send state updates with the - # current state of the system (e.g. all currently - # running processes, all open sockets). - state.period: 3h - - # Enabled by default. Auditbeat will read password fields in - # /etc/passwd and /etc/shadow and store a hash locally to - # detect any changes. - user.detect_password_changes: true - - # File patterns of the login record files. - login.wtmp_file_pattern: /var/log/wtmp* - login.btmp_file_pattern: /var/log/btmp* - -# ======================= Elasticsearch template setting ======================= -setup.template.settings: - index.number_of_shards: 1 - #index.codec: best_compression - #_source.enabled: false - -# ================================== Outputs =================================== - -# Configure what output to use when sending the data collected by the beat. - -# ---------------------------- Elasticsearch Output ---------------------------- -output.elasticsearch: - # Array of hosts to connect to. - hosts: ["{{ auditbeat_elasticsearch_host }}"] - - protocol: "https" - username: "{{ auditbeat_elastic_username }}" - password: "{{ auditbeat_elastic_password}}" - - ssl: - enabled: true - ca_trusted_fingerprint: "{{ auditbeat_elastic_fingerprint }}" - - -processors: - - add_host_metadata: ~ - - add_cloud_metadata: ~ - - add_docker_metadata: ~ diff --git a/roles/auditbeat/vars/main/vars.yml b/roles/auditbeat/vars/main/vars.yml deleted file mode 100644 index f7c6aa2..0000000 --- a/roles/auditbeat/vars/main/vars.yml +++ /dev/null @@ -1,7 +0,0 @@ -auditbeat_kibana_host: "http://10.5.0.0:5601" -auditbeat_elasticsearch_host: "10.5.0.0:9200" - -auditbeat_elastic_username: "pydis" -auditbeat_elastic_password: "{{ encrypted_auditbeat_elastic_password }}" -auditbeat_elastic_fingerprint: >- - e75cfe8591cb5d30ce31f9a094053f4e0090ebd057a120ac9dcbbf5754fb5a73 
diff --git a/roles/auditbeat/vars/main/vault.yml b/roles/auditbeat/vars/main/vault.yml deleted file mode 100644 index e2443a1..0000000 --- a/roles/auditbeat/vars/main/vault.yml +++ /dev/null @@ -1,8 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -35633733373033323135653436373566666461363766646664313032316535313638353365333565 -6530393663656438653338333865396266306130613666630a633263373239626436633965346533 -66396166626231376564373462643065653261663362383762633234336234396566663937353864 -3733633736306237630a626639646437343735316331623361636333613932616439366336323035 -65636234366363663630363834633764613564366264663037386166633538303630343935383438 -38303838633632386164663265313430656535383761613936333861383138376139613533336264 -393131653033376537643138643635363765 diff --git a/roles/certbot/README.md b/roles/certbot/README.md deleted file mode 100644 index b9d3e36..0000000 --- a/roles/certbot/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Role "certbot" - -Installs certbot and the Cloudflare DNS plugin for certbot to provision and deploy TLS certificates for web properties. diff --git a/roles/certbot/files/rsync.sh b/roles/certbot/files/rsync.sh deleted file mode 100644 index fa9b27b..0000000 --- a/roles/certbot/files/rsync.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh - -# Start the rsync server and perform the transfer -rrsync -wo /etc/letsencrypt/live - -# Reload NGINX -systemctl reload nginx diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml deleted file mode 100644 index abe22cc..0000000 --- a/roles/certbot/tasks/main.yml +++ /dev/null 
@@ -1,110 +0,0 @@ ---- -- name: Install certbot and certbot Cloudflare plugin - when: inventory_hostname == ansible_play_hosts_all[0] - package: - name: - - python3-certbot - - python3-certbot-dns-cloudflare - state: present - tags: - - role::certbot - -- name: Install rsync on certbot hosts - package: - name: rsync - state: present - tags: - - role::certbot - -- name: Generate Cloudflare credentials file on designated leader - when: inventory_hostname == ansible_play_hosts_all[0] - copy: - content: | - # This file is managed by Ansible - dns_cloudflare_api_token = {{ certbot_cloudflare_token }} - dest: /etc/letsencrypt/cloudflare.ini - owner: root - group: root - mode: 0400 - tags: - - role::certbot - -- name: Generate SSH key for certificate distribution - when: inventory_hostname == ansible_play_hosts_all[0] - community.crypto.openssh_keypair: - path: /root/.ssh/cert_{{ item }}_key_ed25519 - type: ed25519 - state: present - comment: certificate distribution key for {{ item }} - with_items: - - "{{ ansible_play_hosts | reject('in', [inventory_hostname]) }}" - tags: - - role::certbot - register: generated_keys - -- name: Create certificate directories on replica certificate hosts - when: inventory_hostname != ansible_play_hosts[0] - file: - path: /etc/letsencrypt/live - recurse: true - state: directory - owner: root - group: root - mode: 0700 - tags: - - role::certbot - -- name: Install rsync + nginx reload script to replica servers - when: inventory_hostname != ansible_play_hosts[0] - copy: - src: rsync.sh - dest: /opt/cert_rsync.sh - owner: root - group: root - mode: 0500 - tags: - - role::certbot - -- name: Install certificate distribution keys to other NGINX nodes - when: inventory_hostname != ansible_play_hosts[0] - ansible.posix.authorized_key: - user: root - state: present - key: | - {{ hostvars[ansible_play_hosts_all[0]]['generated_keys']['results'] - | selectattr('item', 'equalto', inventory_hostname) - | map(attribute='public_key') - | first }} - 
comment: "certificate distribution key" - key_options: 'from="{{ hostvars[ansible_play_hosts_all[0]]["wireguard_subnet"] }}",restrict,command="/opt/cert_rsync.sh"' - tags: - - role::certbot - -- name: Create renewal hook to synchronize certificates - when: inventory_hostname == ansible_play_hosts_all[0] - template: - src: renewal-hook.sh.j2 - dest: /etc/letsencrypt/renewal-hooks/deploy/distribute-certs - owner: root - group: root - mode: 0700 - tags: - - role::certbot - -- name: Request certificates for configured domains - when: inventory_hostname == ansible_play_hosts_all[0] - command: | - certbot certonly - --agree-tos - --non-interactive - --email {{ certbot_email }} - --dns-cloudflare - --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini - --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/distribute-certs - -d {{ item }} -d *.{{ item }} -d cloud.native.is.fun.and.easy.pydis.wtf - args: - creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem" - with_items: - - "{{ certbot_domains }}" - tags: - - role::certbot diff --git a/roles/certbot/templates/renewal-hook.sh.j2 b/roles/certbot/templates/renewal-hook.sh.j2 deleted file mode 100644 index 7fa7252..0000000 --- a/roles/certbot/templates/renewal-hook.sh.j2 +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh -set -ex - -{% for host in ansible_play_hosts if host != inventory_hostname %} -rsync --copy-links --delete --recursive -e "ssh -i /root/.ssh/cert_{{ host }}_key_ed25519 -o StrictHostKeyChecking=accept-new" /etc/letsencrypt/live/* root@{{ hostvars[host]['wireguard_subnet'] | split("/") | first }}:/etc/letsencrypt/live -{% endfor %} diff --git a/roles/certbot/vars/main/main.yml b/roles/certbot/vars/main/main.yml deleted file mode 100644 index fdfc7b1..0000000 --- a/roles/certbot/vars/main/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -certbot_cloudflare_token: "{{ encrypted_cloudflare_token }}" -certbot_email: "[email protected]" -certbot_domains: - - pydis.wtf - - pythondiscord.com 
diff --git a/roles/certbot/vars/main/vault.yml b/roles/certbot/vars/main/vault.yml deleted file mode 100644 index c669b69..0000000 --- a/roles/certbot/vars/main/vault.yml +++ /dev/null @@ -1,9 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -66336535306366333038666137306135663438346366643735383962623339636236343438633766 -6565343931306531623330373936313730353539303264390a333031363634663236636232386461 -34353239643364653464373531653236383963303137326438343239313136376537336636326162 -3537383737323732310a623836363138646434636165643130366362656661393937346534313632 -37663966613031363036623838326666636231313462363831396366363837343632646131303863 -35363032386463346164623733656463633735376161653361343231326166313466643236623762 -31343562323362353238663666303435353138643463656531373466336639316464376632623731 -32646464393438656134 diff --git a/roles/elasticsearch-repos/README.md b/roles/elasticsearch-repos/README.md deleted file mode 100644 index 7da91d0..0000000 --- a/roles/elasticsearch-repos/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Role "elasticsearch-repos" - -This role installs and configures the elasticsearch APT repositories. diff --git a/roles/elasticsearch-repos/handlers/main.yml b/roles/elasticsearch-repos/handlers/main.yml deleted file mode 100644 index 2111644..0000000 --- a/roles/elasticsearch-repos/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ -- name: apt update - apt: - update_cache: true - tags: - - role::elasticsearch-repos diff --git a/roles/elasticsearch-repos/tasks/main.yml b/roles/elasticsearch-repos/tasks/main.yml deleted file mode 100644 index a76ad43..0000000 --- a/roles/elasticsearch-repos/tasks/main.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -- name: Install GPG - package: - name: gpg - state: present - tags: - - role::elasticsearch-repos - -- name: Install Elasticsearch signing key - # noqa command-instead-of-module - shell: >- - set -o pipefail && wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | - gpg --yes --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg - args: - creates: /usr/share/keyrings/elasticsearch-keyring.gpg - tags: - - role::elasticsearch-repos - -- name: Add Elasticsearch repository to apt - copy: - content: >- - deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] - https://artifacts.elastic.co/packages/8.x/apt stable main - dest: /etc/apt/sources.list.d/elastic-8.x.list - owner: root - group: root - mode: 0644 - tags: - - role::elasticsearch-repos - notify: - - apt update diff --git a/roles/elasticsearch/README.md b/roles/elasticsearch/README.md deleted file mode 100644 index 1896679..0000000 --- a/roles/elasticsearch/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Role "elasticsearch" - -The elasticsearch role installs and configures Elasticsearch. diff --git a/roles/elasticsearch/meta/main.yml b/roles/elasticsearch/meta/main.yml deleted file mode 100644 index 91796da..0000000 --- a/roles/elasticsearch/meta/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -dependencies: - - role: elasticsearch-repos - tags: - - role::elasticsearch diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml deleted file mode 100644 index 9a69b24..0000000 --- a/roles/elasticsearch/tasks/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: Install Elasticsearch - apt: - pkg: elasticsearch - state: present - tags: - - role::elasticsearch - -- name: Start and enable Elasticsearch - service: - name: elasticsearch - state: started - enabled: true - tags: - - role::elasticsearch diff --git a/roles/filebeat/README.md b/roles/filebeat/README.md deleted file mode 100644 index 7b65e9a..0000000 --- a/roles/filebeat/README.md +++ /dev/null 
@@ -1,3 +0,0 @@ -# Role "filebeat" - -The filebeat role installs and configures the filebeat agent, used to ship logs to Elasticsearch. diff --git a/roles/filebeat/handlers/main.yml b/roles/filebeat/handlers/main.yml deleted file mode 100644 index 5580f47..0000000 --- a/roles/filebeat/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: restart filebeat - service: - state: restarted - name: filebeat - tags: - - role::filebeat diff --git a/roles/filebeat/meta/main.yml b/roles/filebeat/meta/main.yml deleted file mode 100644 index e9d04b1..0000000 --- a/roles/filebeat/meta/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -dependencies: - - role: elasticsearch-repos - tags: - - role::filebeat diff --git a/roles/filebeat/tasks/main.yml b/roles/filebeat/tasks/main.yml deleted file mode 100644 index d3001bb..0000000 --- a/roles/filebeat/tasks/main.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: Install Filebeat - apt: - pkg: filebeat - state: present - tags: - - role::filebeat - -- name: Configure Filebeat - template: - src: filebeat.yml.j2 - dest: /etc/filebeat/filebeat.yml - mode: 0644 - owner: root - group: root - tags: - - role::filebeat - notify: - - restart filebeat - -- name: Start and enable Filebeat - service: - name: filebeat - state: started - enabled: true - tags: - - role::filebeat diff --git a/roles/filebeat/templates/filebeat.yml.j2 b/roles/filebeat/templates/filebeat.yml.j2 deleted file mode 100644 index 5a84729..0000000 --- a/roles/filebeat/templates/filebeat.yml.j2 +++ /dev/null 
@@ -1,99 +0,0 @@ -# For more available modules and options, please see the filebeat.reference.yml sample -# configuration file. - -# ============================== Filebeat inputs =============================== - -filebeat.inputs: - -# Each - is an input. Most options can be set at the input level, so -# you can use different inputs for various configurations. -# Below are the input specific configurations. - -# filestream is an input for collecting log messages from files. -- type: filestream - - # Change to true to enable this input configuration. - enabled: false - - # Paths that should be crawled and fetched. Glob based paths. - paths: - - /var/log/*.log - - # Exclude lines. A list of regular expressions to match. It drops the lines that are - # matching any regular expression from the list. - #exclude_lines: ['^DBG'] - - # Include lines. A list of regular expressions to match. It exports the lines that are - # matching any regular expression from the list. - #include_lines: ['^ERR', '^WARN'] - - # Exclude files. A list of regular expressions to match. Filebeat drops the files that - # are matching any regular expression from the list. By default, no files are dropped. - #prospector.scanner.exclude_files: ['.gz$'] - - # Optional additional fields. 
These fields can be freely picked - # to add additional information to the crawled log files for filtering - #fields: - # level: debug - # review: 1 -- type: journald - id: everything - -# ============================== Filebeat modules ============================== - -filebeat.config.modules: - # Glob pattern for configuration loading - path: ${path.config}/modules.d/*.yml - - # Set to true to enable config reloading - reload.enabled: false - - # Period on which files under path should be checked for changes - #reload.period: 10s - -filebeat.modules: -{% if "nginx" in group_names %} -- module: nginx - access: - enabled: {{ 'nginx' in group_names }} - error: - enabled: {} -{% endif %} -{% if inventory_hostname == "lovelace" %} -- module: postgresql - log: - enabled: {{ inventory_hostname == "lovelace" }} -{% endif %} -- module: system - auth: - - - -# ======================= Elasticsearch template setting ======================= - -setup.template.settings: - index.number_of_shards: 1 - -# ================================== Outputs =================================== - -# Configure what output to use when sending the data collected by the beat. - -# ---------------------------- Elasticsearch Output ---------------------------- -output.elasticsearch: - # Array of hosts to connect to. - hosts: ["{{ filebeat_elasticsearch_host }}"] - - protocol: "https" - username: "{{ filebeat_elastic_username }}" - password: "{{ filebeat_elastic_password}}" - - ssl: - enabled: true - ca_trusted_fingerprint: "{{ filebeat_elastic_fingerprint }}" - -processors: - - add_host_metadata: - when.not.contains.tags: forwarded - - add_cloud_metadata: ~ - - add_docker_metadata: ~ - - add_kubernetes_metadata: ~ diff --git a/roles/filebeat/vars/main/vars.yml b/roles/filebeat/vars/main/vars.yml deleted file mode 100644 index ec23785..0000000 --- a/roles/filebeat/vars/main/vars.yml +++ /dev/null 
@@ -1,7 +0,0 @@ -filebeat_kibana_host: "http://10.5.0.0:5601" -filebeat_elasticsearch_host: "10.5.0.0:9200" - -filebeat_elastic_username: "pydis" -filebeat_elastic_password: "{{ encrypted_filebeat_elastic_password }}" -filebeat_elastic_fingerprint: >- - e75cfe8591cb5d30ce31f9a094053f4e0090ebd057a120ac9dcbbf5754fb5a73 diff --git a/roles/filebeat/vars/main/vault.yml b/roles/filebeat/vars/main/vault.yml deleted file mode 100644 index b2eca18..0000000 --- a/roles/filebeat/vars/main/vault.yml +++ /dev/null @@ -1,8 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -62373038653236313435346433326232383433306265326437303133636536393163373333666432 -3136356638363739653737326363663361653834633038350a356334313264653932333935386665 -39383738393839623937616231633430633465366537363032323133636133653963383036616234 -3433643532393937360a343938643730376330396537343133616462363339643066393631623137 -64616336666638623030343065633965306531303933646232383334333162336438643433623462 -31613039323033333063323736323262326638333765663930633532363531323462396264383966 -306636386335386565636633316235653332 diff --git a/roles/jumpcloud/defaults/main/vars.yml b/roles/jumpcloud/defaults/main/vars.yml deleted file mode 100644 index e7ca319..0000000 --- a/roles/jumpcloud/defaults/main/vars.yml +++ /dev/null @@ -1 +0,0 @@ -jumpcloud_key: '{{ encrypted_jumpcloud_key }}' diff --git a/roles/jumpcloud/defaults/main/vault.yml b/roles/jumpcloud/defaults/main/vault.yml deleted file mode 100644 index 38708cd..0000000 --- a/roles/jumpcloud/defaults/main/vault.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -36346334376434303630653535336231356666626163386430326262383361386661386330373633 -3830666466383333353663626666386234383038343839620a643662613439663839623535326230 -32366634656133323931346266363537313962346534633666306463663237323564336430336632 -3361353862383231310a656532396333633362616636373430306436636633353434653561646234 -65313632633865333765346132383761393564326262333232303037333866383862306532343362 -65666565643833656532646561666162636538346464616638613338383466336238363236646636 -66666261313333633461626432336262346137643461343664336639376330306437323632323862 -37363234363834386565 diff --git a/roles/jumpcloud/tasks/main.yml b/roles/jumpcloud/tasks/main.yml deleted file mode 100644 index b8cf35f..0000000 --- a/roles/jumpcloud/tasks/main.yml +++ /dev/null @@ -1,29 +0,0 @@ -- name: Fetch service facts - service_facts: - tags: - - role::jumpcloud - -- name: Check if JumpCloud service is installed - set_fact: - jumpcloud_installed: "{{ 'jcagent.service' in ansible_facts.services }}" - tags: - - role::jumpcloud - -- name: Grab copy of JumpCloud install script - uri: - url: "https://kickstart.jumpcloud.com/Kickstart" - headers: - x-connect-key: "{{ jumpcloud_key }}" - return_content: true - register: jc_install_script - when: not jumpcloud_installed - tags: - - role::jumpcloud - -- name: Execute JumpCloud install script - command: sh -s -- -y - args: - stdin: "{{ jc_install_script.content }}" - when: not jumpcloud_installed - tags: - - role::jumpcloud diff --git a/roles/kibana-nginx/README.md b/roles/kibana-nginx/README.md deleted file mode 100644 index 23f8ffc..0000000 --- a/roles/kibana-nginx/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Role "kibana-nginx" - -This role installs the configuration for NGINX reverse proxying to Kibana. diff --git a/roles/kibana-nginx/meta/main.yml b/roles/kibana-nginx/meta/main.yml deleted file mode 100644 index fe0bcd5..0000000 --- a/roles/kibana-nginx/meta/main.yml +++ /dev/null 
@@ -1,4 +0,0 @@ ---- -dependencies: - - nginx - - nginx-cloudflare-mtls diff --git a/roles/kibana-nginx/tasks/main.yml b/roles/kibana-nginx/tasks/main.yml deleted file mode 100644 index 40120b8..0000000 --- a/roles/kibana-nginx/tasks/main.yml +++ /dev/null @@ -1,26 +0,0 @@ -- name: Install Kibana NGINX config - copy: - dest: /etc/nginx/conf.d/kibana.conf - mode: 0644 - group: root - owner: root - content: | - # Managed by Ansible - server { - listen 443 ssl http2; - server_name kibana.pydis.wtf; - - ssl_certificate /etc/letsencrypt/live/pydis.wtf/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/pydis.wtf/privkey.pem; - ssl_client_certificate {{ nginx_cloudflare_mtls_certificate_path }}; - ssl_verify_client on; - - location / { - include proxy_params; - proxy_pass http://localhost:5601; - } - } - notify: - - reload the nginx service - tags: - - role::kibana-nginx diff --git a/roles/kibana/README.md b/roles/kibana/README.md deleted file mode 100644 index b3f1188..0000000 --- a/roles/kibana/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Role "kibana" - -The Kibana role deploys Kibana, a visualisation software for Elasticsearch. diff --git a/roles/kibana/meta/main.yml b/roles/kibana/meta/main.yml deleted file mode 100644 index 7d0b403..0000000 --- a/roles/kibana/meta/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -dependencies: - - role: elasticsearch-repos - tags: - - role::kibana diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml deleted file mode 100644 index 849209a..0000000 --- a/roles/kibana/tasks/main.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: Install Kibana - apt: - pkg: kibana - state: present - tags: - - role::kibana - -- name: Configure Kibana base URL - lineinfile: - path: /etc/kibana/kibana.yml - state: present - line: "server.publicBaseUrl: {{ kibana_public_url }}" - tags: - - role::kibana - -- name: Start and enable Kibana - service: - name: kibana - state: started - enabled: true - tags: - - role::kibana 
diff --git a/roles/kibana/vars/main/vars.yml b/roles/kibana/vars/main/vars.yml deleted file mode 100644 index 6c91ac0..0000000 --- a/roles/kibana/vars/main/vars.yml +++ /dev/null @@ -1,3 +0,0 @@ -kibana_elastic_username: "pydis" -kibana_elastic_password: "{{ encrypted_kibana_elastic_password }}" -kibana_public_url: "https://kibana.pydis.wtf" diff --git a/roles/kibana/vars/main/vault.yml b/roles/kibana/vars/main/vault.yml deleted file mode 100644 index cc3f7ef..0000000 --- a/roles/kibana/vars/main/vault.yml +++ /dev/null @@ -1,8 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -39393931323735373539653161363535623031303435633030353239643464303066333536623161 -3537666562346136646663393066323137663034373866610a316331353166366135383164656535 -39323866336534383730383436303863643963353333383933356634336466636337663766393639 -6330313161633865310a396564343161626236366639616635333537613639663464356265333333 -62643932343962653236396430383139333333316132623362626239346662393131396332393136 -62633934303531373139303530653236323136646537303035653061386539613839346365316332 -323334663539356430326131373335623861 diff --git a/roles/nginx-cloudflare-mtls/README.md b/roles/nginx-cloudflare-mtls/README.md deleted file mode 100644 index 081cacb..0000000 --- a/roles/nginx-cloudflare-mtls/README.md +++ /dev/null @@ -1,16 +0,0 @@ -# Role "nginx-cloudflare-mtls" - -Installs the certificate required for performing mutual TLS authentication -between NGINX and Cloudflare. - -To use mutual TLS in your NGINX virtual hosts, add this configuration snippet: - -```nginx -ssl_client_certificate {{ nginx_cloudflare_mtls_certificate_path }}; -ssl_verify_client on; -``` - - -## Variables - -See [role defaults](./defaults/main.yml) for an annotated overview. diff --git a/roles/nginx-cloudflare-mtls/defaults/main.yml b/roles/nginx-cloudflare-mtls/defaults/main.yml deleted file mode 100644 index ff1c667..0000000 --- a/roles/nginx-cloudflare-mtls/defaults/main.yml +++ /dev/null 
@@ -1,3 +0,0 @@ ---- -# The path at which to install the certificate. -nginx_cloudflare_mtls_certificate_path: /etc/nginx/certs/cloudflare.crt diff --git a/roles/nginx-cloudflare-mtls/files/cloudflare.crt b/roles/nginx-cloudflare-mtls/files/cloudflare.crt deleted file mode 100644 index 965f0bf..0000000 --- a/roles/nginx-cloudflare-mtls/files/cloudflare.crt +++ /dev/null 
@@ -1,35 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIGCjCCA/KgAwIBAgIIV5G6lVbCLmEwDQYJKoZIhvcNAQENBQAwgZAxCzAJBgNV -BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMRQwEgYDVQQLEwtPcmln -aW4gUHVsbDEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZv -cm5pYTEjMCEGA1UEAxMab3JpZ2luLXB1bGwuY2xvdWRmbGFyZS5uZXQwHhcNMTkx -MDEwMTg0NTAwWhcNMjkxMTAxMTcwMDAwWjCBkDELMAkGA1UEBhMCVVMxGTAXBgNV -BAoTEENsb3VkRmxhcmUsIEluYy4xFDASBgNVBAsTC09yaWdpbiBQdWxsMRYwFAYD -VQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMSMwIQYDVQQD -ExpvcmlnaW4tcHVsbC5jbG91ZGZsYXJlLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQAD -ggIPADCCAgoCggIBAN2y2zojYfl0bKfhp0AJBFeV+jQqbCw3sHmvEPwLmqDLqynI -42tZXR5y914ZB9ZrwbL/K5O46exd/LujJnV2b3dzcx5rtiQzso0xzljqbnbQT20e -ihx/WrF4OkZKydZzsdaJsWAPuplDH5P7J82q3re88jQdgE5hqjqFZ3clCG7lxoBw -hLaazm3NJJlUfzdk97ouRvnFGAuXd5cQVx8jYOOeU60sWqmMe4QHdOvpqB91bJoY -QSKVFjUgHeTpN8tNpKJfb9LIn3pun3bC9NKNHtRKMNX3Kl/sAPq7q/AlndvA2Kw3 -Dkum2mHQUGdzVHqcOgea9BGjLK2h7SuX93zTWL02u799dr6Xkrad/WShHchfjjRn -aL35niJUDr02YJtPgxWObsrfOU63B8juLUphW/4BOjjJyAG5l9j1//aUGEi/sEe5 -lqVv0P78QrxoxR+MMXiJwQab5FB8TG/ac6mRHgF9CmkX90uaRh+OC07XjTdfSKGR -PpM9hB2ZhLol/nf8qmoLdoD5HvODZuKu2+muKeVHXgw2/A6wM7OwrinxZiyBk5Hh -CvaADH7PZpU6z/zv5NU5HSvXiKtCzFuDu4/Zfi34RfHXeCUfHAb4KfNRXJwMsxUa -+4ZpSAX2G6RnGU5meuXpU5/V+DQJp/e69XyyY6RXDoMywaEFlIlXBqjRRA2pAgMB -AAGjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1Ud -DgQWBBRDWUsraYuA4REzalfNVzjann3F6zAfBgNVHSMEGDAWgBRDWUsraYuA4REz -alfNVzjann3F6zANBgkqhkiG9w0BAQ0FAAOCAgEAkQ+T9nqcSlAuW/90DeYmQOW1 -QhqOor5psBEGvxbNGV2hdLJY8h6QUq48BCevcMChg/L1CkznBNI40i3/6heDn3IS -zVEwXKf34pPFCACWVMZxbQjkNRTiH8iRur9EsaNQ5oXCPJkhwg2+IFyoPAAYURoX -VcI9SCDUa45clmYHJ/XYwV1icGVI8/9b2JUqklnOTa5tugwIUi5sTfipNcJXHhgz -6BKYDl0/UP0lLKbsUETXeTGDiDpxZYIgbcFrRDDkHC6BSvdWVEiH5b9mH2BON60z -0O0j8EEKTwi9jnafVtZQXP/D8yoVowdFDjXcKkOPF/1gIh9qrFR6GdoPVgB3SkLc -5ulBqZaCHm563jsvWb/kXJnlFxW+1bsO9BDD6DweBcGdNurgmH625wBXksSdD7y/ -fakk8DagjbjKShYlPEFOAqEcliwjF45eabL0t27MJV61O/jHzHL3dknXeE4BDa2j 
-bA+JbyJeUMtU7KMsxvx82RmhqBEJJDBCJ3scVptvhDMRrtqDBW5JShxoAOcpFQGm -iYWicn46nPDjgTU0bX1ZPpTpryXbvciVL5RkVBuyX2ntcOLDPlZWgxZCBp96x07F -AnOzKgZk4RzZPNAxCXERVxajn/FLcOhglVAKo5H0ac+AitlQ0ip55D2/mf8o72tM -fVQ6VpyjEXdiIXWUq/o= ------END CERTIFICATE----- diff --git a/roles/nginx-cloudflare-mtls/meta/main.yml b/roles/nginx-cloudflare-mtls/meta/main.yml deleted file mode 100644 index 72b1bd7..0000000 --- a/roles/nginx-cloudflare-mtls/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - nginx diff --git a/roles/nginx-cloudflare-mtls/tasks/main.yml b/roles/nginx-cloudflare-mtls/tasks/main.yml deleted file mode 100644 index d5ef7f4..0000000 --- a/roles/nginx-cloudflare-mtls/tasks/main.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: Create nginx certificates directory - file: - path: /etc/nginx/certs - state: directory - owner: root - group: root - mode: 0444 - tags: - - role::nginx-cloudflare-mtls - -- name: Copy the cloudflare mutual TLS certificate - copy: - src: cloudflare.crt - dest: /etc/nginx/certs/cloudflare.crt - owner: root - group: root - mode: 0444 - tags: - - role::nginx-cloudflare-mtls diff --git a/roles/nginx-geoip/meta/main.yml b/roles/nginx-geoip/meta/main.yml deleted file mode 100644 index 72b1bd7..0000000 --- a/roles/nginx-geoip/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - nginx diff --git a/roles/nginx-geoip/tasks/main.yml b/roles/nginx-geoip/tasks/main.yml deleted file mode 100644 index fee4bab..0000000 --- a/roles/nginx-geoip/tasks/main.yml +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -# ref https://packages.debian.org/bullseye/amd64/libnginx-mod-http-geoip/filelist -# installed by default in debian nginx package, including "geoip-database" dep -# see https://packages.debian.org/bullseye/amd64/geoip-database/filelist -- name: Configure the geoip module - copy: - # ref https://nginx.org/en/docs/http/ngx_http_geoip_module.html - content: geoip_country /usr/share/GeoIP/GeoIP.dat; - dest: /etc/nginx/conf.d/geoip.conf - owner: root - group: root - mode: 0444 - tags: - - role::nginx-geoip - notify: - - reload the nginx service diff --git a/roles/nginx-ufw/README.md b/roles/nginx-ufw/README.md deleted file mode 100644 index e657afb..0000000 --- a/roles/nginx-ufw/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Role "nginx-ufw" - -Allows NGINX HTTP and HTTPS traffic through the UFW firewall. diff --git a/roles/nginx-ufw/meta/main.yml b/roles/nginx-ufw/meta/main.yml deleted file mode 100644 index dac7049..0000000 --- a/roles/nginx-ufw/meta/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -dependencies: - - nginx - - ufw diff --git a/roles/nginx-ufw/tasks/main.yml b/roles/nginx-ufw/tasks/main.yml deleted file mode 100644 index fb703bf..0000000 --- a/roles/nginx-ufw/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Allow http(s) traffic through the firewall - ufw: - app: Nginx Full - rule: allow - tags: - - role::nginx-ufw diff --git a/roles/nginx/README.md b/roles/nginx/README.md deleted file mode 100644 index 9961a69..0000000 --- a/roles/nginx/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Role "nginx" - -Installs nginx on target hosts and provides a handler for reloading nginx, for instance on configuration change. diff --git a/roles/nginx/files/default_server.conf b/roles/nginx/files/default_server.conf deleted file mode 100644 index 13e74a0..0000000 --- a/roles/nginx/files/default_server.conf +++ /dev/null 
@@ -1,24 +0,0 @@ -# Managed by Ansible -server { - listen 443 ssl http2 default_server; - - ssl_certificate /etc/letsencrypt/live/pydis.wtf/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/pydis.wtf/privkey.pem; - - location / { - set_by_lua_block $url { - local urls = { - "https://fasterthanli.me/articles/i-want-off-mr-golangs-wild-ride", - "https://en.wikipedia.org/wiki/Tax_evasion", - "https://jchri.st/blog/apfs-sadness-on-macos-big-sur.html", - "https://cdn.discordapp.com/attachments/675756741417369640/852688961516077086/Screenshot_2021-06-11_at_00.21.22.png", - "https://news.ycombinator.com/", - "https://www.hertfordshire.gov.uk/latest/letchworth-webcam.jpg", - "https://media.discordapp.net/attachments/922169059175444501/952929630459924501/1svkf3xto3n61.png" - } - return urls [ math.random(#urls) ] - } - - return 302 $url; - } -} diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml deleted file mode 100644 index 376d85a..0000000 --- a/roles/nginx/handlers/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: reload the nginx service - service: - name: nginx - state: reloaded - tags: - - role::nginx diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml deleted file mode 100644 index 3419cb3..0000000 --- a/roles/nginx/tasks/main.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- name: Install NGINX & modules - package: - name: - - nginx - - libnginx-mod-http-lua - state: present - tags: - - role::nginx - -- name: Copy NGINX default config - copy: - src: default_server.conf - dest: /etc/nginx/conf.d/default_server.conf - group: root - owner: root - mode: 0644 - tags: - - role::nginx - notify: - - reload the nginx service diff --git a/roles/packetbeat/README.md b/roles/packetbeat/README.md deleted file mode 100644 index 14d54ae..0000000 --- a/roles/packetbeat/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Role "packetbeat" - -The packetbeat role installs and configures the packetbeat reporting agent. 
diff --git a/roles/packetbeat/handlers/main.yml b/roles/packetbeat/handlers/main.yml deleted file mode 100644 index 596958d..0000000 --- a/roles/packetbeat/handlers/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: restart packetbeat - service: - name: packetbeat - state: restarted - tags: - - role::packetbeat diff --git a/roles/packetbeat/meta/main.yml b/roles/packetbeat/meta/main.yml deleted file mode 100644 index 0e42a9a..0000000 --- a/roles/packetbeat/meta/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -dependencies: - - role: elasticsearch-repos - tags: - - role::packetbeat diff --git a/roles/packetbeat/tasks/main.yml b/roles/packetbeat/tasks/main.yml deleted file mode 100644 index d68ff00..0000000 --- a/roles/packetbeat/tasks/main.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: Install Packetbeat - apt: - pkg: packetbeat - state: present - tags: - - role::packetbeat - -- name: Configure Packetbeat - template: - src: packetbeat.yml.j2 - dest: /etc/packetbeat/packetbeat.yml - mode: 0644 - owner: root - group: root - tags: - - role::packetbeat - notify: - - restart packetbeat - -- name: Start and enable Packetbeat - service: - name: packetbeat - state: started - enabled: true - tags: - - role::packetbeat diff --git a/roles/packetbeat/templates/packetbeat.yml.j2 b/roles/packetbeat/templates/packetbeat.yml.j2 deleted file mode 100644 index 441d8bd..0000000 --- a/roles/packetbeat/templates/packetbeat.yml.j2 +++ /dev/null 
@@ -1,212 +0,0 @@ -# You can find the full configuration reference here: -# https://www.elastic.co/guide/en/beats/packetbeat/index.html - -# =============================== Network device =============================== - -# Select the network interface to sniff the data. On Linux, you can use the -# "any" keyword to sniff on all connected interfaces. -packetbeat.interfaces.device: any - -# The network CIDR blocks that are considered "internal" networks for -# the purpose of network perimeter boundary classification. The valid -# values for internal_networks are the same as those that can be used -# with processor network conditions. -# -# For a list of available values see: -# https://www.elastic.co/guide/en/beats/packetbeat/current/defining-processors.html#condition-network -packetbeat.interfaces.internal_networks: - - private - -# =================================== Flows ==================================== - -# Set `enabled: false` or comment out all options to disable flows reporting. -packetbeat.flows: - # Set network flow timeout. Flow is killed if no packet is received before being - # timed out. - timeout: 30s - - # Configure reporting period. If set to -1, only killed flows will be reported - period: 10s - -# =========================== Transaction protocols ============================ - -packetbeat.protocols: -- type: icmp - # Enable ICMPv4 and ICMPv6 monitoring. The default is true. - enabled: true - -- type: amqp - # Configure the ports where to listen for AMQP traffic. You can disable - # the AMQP protocol by commenting out the list of ports. - ports: [5672] - -- type: cassandra - # Configure the ports where to listen for Cassandra traffic. You can disable - # the Cassandra protocol by commenting out the list of ports. - ports: [9042] - -- type: dhcpv4 - # Configure the DHCP for IPv4 ports. - ports: [67, 68] - -- type: dns - # Configure the ports where to listen for DNS traffic. 
You can disable - # the DNS protocol by commenting out the list of ports. - ports: [53] - -- type: http - # Configure the ports where to listen for HTTP traffic. You can disable - # the HTTP protocol by commenting out the list of ports. - ports: [80, 8080, 8000, 5000, 8002] - -- type: memcache - # Configure the ports where to listen for memcache traffic. You can disable - # the Memcache protocol by commenting out the list of ports. - ports: [11211] - -- type: mysql - # Configure the ports where to listen for MySQL traffic. You can disable - # the MySQL protocol by commenting out the list of ports. - ports: [3306,3307] - -- type: pgsql - # Configure the ports where to listen for Pgsql traffic. You can disable - # the Pgsql protocol by commenting out the list of ports. - ports: [5432] - -- type: redis - # Configure the ports where to listen for Redis traffic. You can disable - # the Redis protocol by commenting out the list of ports. - ports: [6379] - -- type: thrift - # Configure the ports where to listen for Thrift-RPC traffic. You can disable - # the Thrift-RPC protocol by commenting out the list of ports. - ports: [9090] - -- type: mongodb - # Configure the ports where to listen for MongoDB traffic. You can disable - # the MongoDB protocol by commenting out the list of ports. - ports: [27017] - -- type: nfs - # Configure the ports where to listen for NFS traffic. You can disable - # the NFS protocol by commenting out the list of ports. - ports: [2049] - -- type: tls - # Configure the ports where to listen for TLS traffic. You can disable - # the TLS protocol by commenting out the list of ports. - ports: - - 443 # HTTPS - - 993 # IMAPS - - 995 # POP3S - - 5223 # XMPP over SSL - - 8443 - - 8883 # Secure MQTT - - 9243 # Elasticsearch - -- type: sip - # Configure the ports where to listen for SIP traffic. You can disable - # the SIP protocol by commenting out the list of ports. 
- ports: [5060] - -# ======================= Elasticsearch template setting ======================= - -setup.template.settings: - index.number_of_shards: 1 - #index.codec: best_compression - #_source.enabled: false - -# ================================== General =================================== - -# The name of the shipper that publishes the network data. It can be used to group -# all the transactions sent by a single shipper in the web interface. -#name: - -# A list of tags to include in every event. In the default configuration file -# the forwarded tag causes Packetbeat to not add any host fields. If you are -# monitoring a network tap or mirror port then add the forwarded tag. -#tags: [forwarded] - -# Optional fields that you can specify to add additional information to the -# output. -#fields: -# env: staging - -# ================================= Dashboards ================================= -# These settings control loading the sample dashboards to the Kibana index. Loading -# the dashboards is disabled by default and can be enabled either by setting the -# options here or by using the `setup` command. -#setup.dashboards.enabled: false - -# The URL from where to download the dashboards archive. By default this URL -# has a value which is computed based on the Beat name and version. For released -# versions, this URL points to the dashboard archive on the artifacts.elastic.co -# website. -#setup.dashboards.url: - -# =================================== Kibana =================================== - -# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. -# This requires a Kibana endpoint configuration. 
-setup.kibana: - - # Kibana Host - # Scheme and port can be left out and will be set to the default (http and 5601) - # In case you specify and additional path, the scheme is required: http://localhost:5601/path - # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 - #host: "localhost:5601" - - # Kibana Space ID - # ID of the Kibana Space into which the dashboards should be loaded. By default, - # the Default Space will be used. - #space.id: - -# =============================== Elastic Cloud ================================ - -# These settings simplify using Packetbeat with the Elastic Cloud (https://cloud.elastic.co/). - -# The cloud.id setting overwrites the `output.elasticsearch.hosts` and -# `setup.kibana.host` options. -# You can find the `cloud.id` in the Elastic Cloud web UI. -#cloud.id: - -# The cloud.auth setting overwrites the `output.elasticsearch.username` and -# `output.elasticsearch.password` settings. The format is `<user>:<pass>`. -#cloud.auth: - -# ================================== Outputs =================================== - -# Configure what output to use when sending the data collected by the beat. - -# ---------------------------- Elasticsearch Output ---------------------------- - -output.elasticsearch: - # Array of hosts to connect to. - hosts: ["{{ packetbeat_elasticsearch_host }}"] - - protocol: "https" - username: "{{ packetbeat_elastic_username }}" - password: "{{ packetbeat_elastic_password}}" - - ssl: - enabled: true - ca_trusted_fingerprint: "{{ packetbeat_elastic_fingerprint }}" - -processors: - - # Add forwarded to tags when processing data from a network tap or mirror. - if.contains.tags: forwarded - then: - - drop_fields: - fields: [host] - else: - - add_host_metadata: ~ - - add_cloud_metadata: ~ - - add_docker_metadata: ~ - - detect_mime_type: - field: http.request.body.content - target: http.request.mime_type - - detect_mime_type: - field: http.response.body.content - target: http.response.mime_type 
diff --git a/roles/packetbeat/vars/main/vars.yml b/roles/packetbeat/vars/main/vars.yml deleted file mode 100644 index cad0514..0000000 --- a/roles/packetbeat/vars/main/vars.yml +++ /dev/null @@ -1,6 +0,0 @@ -packetbeat_elasticsearch_host: "10.5.0.0:9200" - -packetbeat_elastic_username: "pydis" -packetbeat_elastic_password: "{{ encrypted_packetbeat_elastic_password }}" -packetbeat_elastic_fingerprint: >- - e75cfe8591cb5d30ce31f9a094053f4e0090ebd057a120ac9dcbbf5754fb5a73 diff --git a/roles/packetbeat/vars/main/vault.yml b/roles/packetbeat/vars/main/vault.yml deleted file mode 100644 index ca476d4..0000000 --- a/roles/packetbeat/vars/main/vault.yml +++ /dev/null @@ -1,8 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -61666235353637366266353437636237373538656435393466653566653432616631336662363638 -3033373166663265663334373739633238326336323539310a333262366432643161633935316135 -35353331666138613231313764366132393935303866383739663861333839373231636261646436 -3164313239633863300a343335383637366164643939376639663433336633616237623663366566 -39646433623065353537306562303363333162333061613130653361313835373930346461663961 -34646664333166653063626335616536396562393534386134643930373965303834633039333635 -616233636263623239323431643230656435 diff --git a/roles/wireguard/defaults/main/vars.yml b/roles/wireguard/defaults/main/vars.yml deleted file mode 100644 index 10c80ae..0000000 --- a/roles/wireguard/defaults/main/vars.yml +++ /dev/null @@ -1,4 +0,0 @@ -extra_keys: - - name: Joe - pubkey: /dJ+tKXzxv7nrUleNlF+CGyq7OIVlqL8/9Sn8j+cEAc= - subnet: 10.0.1.0/24 diff --git a/roles/wireguard/handlers/main.yml b/roles/wireguard/handlers/main.yml deleted file mode 100644 index 0edcf3a..0000000 --- a/roles/wireguard/handlers/main.yml +++ /dev/null @@ -1,4 +0,0 @@ -- name: reload wg-quick - service: - name: wg-quick@wg0 - state: reloaded diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml deleted file mode 100644 index 46ff3e9..0000000 
--- a/roles/wireguard/tasks/main.yml +++ /dev/null @@ -1,72 +0,0 @@ -- name: Install WireGuard - apt: - update_cache: true - cache_valid_time: 3600 - pkg: - - wireguard - - wireguard-tools - - linux-headers-{{ ansible_kernel }} - tags: - - role::wireguard - -- name: Generate WireGuard private key - shell: set -o pipefail && wg genkey > /etc/wireguard/key.priv - args: - executable: /bin/bash - creates: /etc/wireguard/key.priv - tags: - - role::wireguard - -- name: Generate WireGuard public key - shell: set -o pipefail && cat /etc/wireguard/key.priv | wg pubkey > /etc/wireguard/key.pub - args: - executable: /bin/bash - creates: /etc/wireguard/key.pub - tags: - - role::wireguard - -- name: Ensure file permissions for keys set correctly - file: - path: '{{ item }}' - owner: root - group: root - mode: '0600' - with_items: - - /etc/wireguard/key.priv - - /etc/wireguard/key.pub - tags: - - role::wireguard - -- name: Fetch private key for all hosts - slurp: - src: /etc/wireguard/key.priv - register: wg_priv_key - tags: - - role::wireguard - -- name: Fetch public key for all hosts - slurp: - src: /etc/wireguard/key.pub - register: wg_pub_key - tags: - - role::wireguard - -- name: Generate WireGuard configuration file - template: - src: wg0.conf.j2 - dest: /etc/wireguard/wg0.conf - mode: '0600' - group: root - owner: root - notify: - - reload wg-quick - tags: - - role::wireguard - -- name: Start and enable the WireGuard service - service: - name: wg-quick@wg0 - enabled: true - state: started - tags: - - role::wireguard diff --git a/roles/wireguard/templates/wg0.conf.j2 b/roles/wireguard/templates/wg0.conf.j2 deleted file mode 100644 index 647854a..0000000 --- a/roles/wireguard/templates/wg0.conf.j2 +++ /dev/null 
@@ -1,25 +0,0 @@ -# Configuration managed by Ansible -[Interface] -Address = {{ wireguard_subnet }} -ListenPort = {{ wireguard_port }} -PrivateKey = {{ wg_priv_key['content'] | b64decode | trim }} - -PostUp = ip route add local {{ wireguard_subnet }} dev eth0 - -{% for host in hostvars.keys() if not host == inventory_hostname %} -# Peer config for: {{ host }} -[Peer] -AllowedIPs = {{ hostvars[host]['wireguard_subnet'] }} -PublicKey = {{ hostvars[host]['wg_pub_key']['content'] | b64decode | trim }} -Endpoint = {{ host }}.box.pydis.wtf:{{ wireguard_port }} -PersistentKeepalive = 30 - -{% endfor %} - -{% for key in extra_keys %} -# DevOps config for: {{ key.name }} -[Peer] -AllowedIPs = {{ key.subnet }} -PublicKey = {{ key.pubkey }} - -{% endfor %} |