reverting b/c symbolic link doesn't work :-|

This commit is contained in:
sean cavanaugh
2022-02-04 09:21:45 -05:00
parent 258d0f4869
commit 6431c64213
25 changed files with 48 additions and 3 deletions


@@ -1 +0,0 @@
old-demo-repository/playbooks


@@ -0,0 +1,16 @@
---
- name: grab linux facts
hosts: web
gather_facts: true
- name: build developer report
hosts: node1
gather_facts: false
vars:
file_path: /var/www/html/report/index.html
tasks:
- name: use developer report
include_role:
name: "../../roles/developer_report"
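Review bot: `include_role` on L30 locates the role by the relative path `../../roles/developer_report`, which resolves against the playbook's own directory and breaks as soon as the playbook is moved or reached through a different layout — possibly related to the symlink problem the commit message mentions. Naming the role plainly, `name: developer_report`, and letting `roles_path` (or a `roles/` directory beside the playbook) find it keeps the playbook independent of the checkout layout. The same relative-path form appears in the sections ending at L42 and L466.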


@@ -0,0 +1,9 @@
---
- name: setup deploy application demo
hosts: localhost
connection: local
tasks:
- name: install demo
include_role:
name: "../roles/generate_readme"


@@ -0,0 +1,58 @@
- name: Create AWS resources
hosts: localhost
connection: local
gather_facts: False
collections:
- amazon.aws
tasks:
- name: Setting the correct AMI per us-east-1
set_fact:
ami_id: ami-096fda3c22c1c990a
when: aws_region == "us-east-1"
- name: Setting the correct AMI per us-east-1
set_fact:
ami_id: ami-09d9c5cdcfb8fc655
when: aws_region == "us-west-1"
- name: create a new ec2 key pair
ec2_key:
name: "{{ keypair }}"
region: "{{ aws_region }}"
- name: Create VPC
ec2_vpc_net:
name: "{{ vpc_name }}"
cidr_block: 10.10.0.0/16
region: "{{ aws_region }}"
register: my_vpc
- name: Create a security group
ec2_group:
name: ansible
description: "Ansible Security Group"
region: "{{ aws_region }}"
vpc_id: "{{ my_vpc.vpc.id }}"
rules:
- proto: all
cidr_ip: 10.10.0.0/16
- proto: all
group_name: ansible
rules_egress:
- proto: all
cidr_ip: 0.0.0.0/0
register: firewall
- name: Create an EC2 instance
ec2_instance:
key_name: "{{ keypair }}"
region: "{{ aws_region }}"
security_group: "{{ firewall.group_id }}"
instance_type: "{{ instance_type }}"
image_id: "{{ ami_id }}"
wait: yes
name: "{{ instance_name }}"
register: ec2
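Review bot: The second `set_fact` task (L58) is still named `Setting the correct AMI per us-east-1` although its `when` selects `us-west-1`; rename it `Setting the correct AMI per us-west-1`. When `aws_region` is any other region neither branch runs and `ami_id` reaches `ec2_instance` undefined, so an `assert` that `ami_id is defined`, or a region-to-AMI mapping under `vars`, would fail earlier and more clearly. The `ec2_key` task on L62–L65 is not `register`ed; as far as I recall the private key material is returned only by the call that creates the pair, so it is discarded here and the instance cannot be reached unless a pair of that name already existed. `gather_facts: False` (L50) and `wait: yes` (L94) should be the lowercase `false`/`true` used in the other playbooks of this commit.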


@@ -0,0 +1,44 @@
---
- hosts: localhost
tasks:
- name: Prepare random postfix
set_fact:
rpfx: "{{ 1000 | random }}"
run_once: yes
- hosts: localhost
vars:
resource_group: "{{ resource_group_name }}"
location: "{{ azure_region }}"
mysqlserver_name: mysql{{ rpfx }}
mysqldb_name: "{{ sqlserver_name }}"
admin_username: "{{ admin_user }}"
admin_password: "{{ admin_pw }}"
collections:
- azure.azcollection
tasks:
- name: Create a resource group
azure_rm_resourcegroup:
name: "{{ resource_group }}"
location: "{{ location }}"
- name: Create MySQL Server
azure_rm_mysqlserver:
resource_group: "{{ resource_group }}"
name: "{{ mysqlserver_name }}"
location: "{{ location }}"
version: 5.6
enforce_ssl: True
admin_username: "{{ admin_username }}"
admin_password: "{{ admin_password }}"
storage_mb: 51200
- name: Create instance of MySQL Database
azure_rm_mysqldatabase:
resource_group: "{{ resource_group }}"
server_name: "{{ mysqlserver_name }}"
name: "{{ mysqldb_name }}"
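Review bot: `version: 5.6` on L128 is an unquoted float while the module expects a version string; write `version: "5.6"` so a parser cannot renormalize it (a future `5.70` would silently become `5.7`). `enforce_ssl: True` (L129) and `run_once: yes` (L107) should be `true` for consistency with the rest of the commit. `mysqldb_name: "{{ sqlserver_name }}"` on L113 is the only variable here not following the `mysql…` naming — presumably an extra var, but if it was meant to derive from `mysqlserver_name` it is a typo. `rpfx` is a random integer below 1000 (L106), so `mysqlserver_name` can collide with an existing server in the subscription, in which case the play acts on that server rather than a fresh one.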


@@ -0,0 +1,68 @@
# Description
# ===========
# This playbook create an Azure VM with public IP, and open 22 port for SSH
---
- name: Create Azure VM
hosts: localhost
connection: local
vars:
resource_group: vmdemo
vm_name: testvm
location: eastus
collections:
- azure.azcollection
tasks:
- name: Create a resource group
azure_rm_resourcegroup:
name: "{{ resource_group }}"
location: "{{ location }}"
- name: Create virtual network
azure_rm_virtualnetwork:
resource_group: "{{ resource_group }}"
name: "{{ vm_name }}"
address_prefixes: "10.0.0.0/16"
- name: Add subnet
azure_rm_subnet:
resource_group: "{{ resource_group }}"
name: "{{ vm_name }}"
address_prefix: "10.0.1.0/24"
virtual_network: "{{ vm_name }}"
- name: Create public IP address
azure_rm_publicipaddress:
resource_group: "{{ resource_group }}"
allocation_method: Static
name: "{{ vm_name }}"
- name: Create Network Security Group that allows SSH
azure_rm_securitygroup:
resource_group: "{{ resource_group }}"
name: "{{ vm_name }}"
rules:
- name: SSH
protocol: Tcp
destination_port_range: 22
access: Allow
priority: 1001
direction: Inbound
- name: Create virtual network inteface card
azure_rm_networkinterface:
resource_group: "{{ resource_group }}"
name: "{{ vm_name }}"
virtual_network: "{{ vm_name }}"
subnet: "{{ vm_name }}"
public_ip_name: "{{ vm_name }}"
security_group: "{{ vm_name }}"
- name: Create VM
azure_rm_virtualmachine:
resource_group: "{{ resource_group }}"
name: "{{ vm_name }}"
vm_size: Standard_DS1_v2
admin_username: azureuser
admin_password: Password@123
network_interfaces: "{{ vm_name }}"
image:
offer: RHEL
publisher: RedHat
sku: 7-LVM
version: latest
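Review bot: `admin_password: Password@123` on L201 commits a literal credential, paired with the guessable `admin_username: azureuser`, and it is now in git history; take it from a variable, `admin_password: "{{ vm_admin_password }}"`, supplied through an Ansible Vault file or an extra var, or switch to `ssh_public_keys` and drop password login altogether. The NSG rule on L181–L186 has no `source_address_prefix`, so it admits SSH from any source to the public IP created on L172; restricting it to the operator's address range limits exposure of that password-authenticated login. Note also the spelling `inteface` in the task name on L187.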


@@ -0,0 +1,17 @@
---
- name: install chocolatey package on Windows host
hosts: windows
vars:
choco_packages: git
app_state: present
collections:
- chocolatey.chocolatey
tasks:
- name: Install multiple packages
win_chocolatey:
name: "{{ choco_packages }}"
state: "{{ app_state }}"


@@ -0,0 +1,18 @@
---
- name: configuring Chocolatey
hosts: windows
vars:
config_item: cacheLocation
state: present
value: C:\chocolatey_temp2
collections:
- chocolatey.chocolatey
tasks:
- name: set configuration parameter
win_chocolatey_config:
name: "{{ config_item }}"
state: "{{ state }}"
value: "{{ value }}"


@@ -0,0 +1,17 @@
---
- name: enabling or disabling chocolatey features
hosts: windows
vars:
feature: stopOnFirstPackageFailure
state: enabled
collections:
- chocolatey.chocolatey
tasks:
- name: enable or disable Chocolatey features
win_chocolatey_feature:
name: "{{ feature }}"
state: "{{ state }}"


@@ -0,0 +1,30 @@
---
- name: gather debug info
hosts: "{{ HOSTS | default('web') }}"
become: true
gather_facts: false
tasks:
- name: Gather recent vmstat info
command: /bin/vmstat 1 5
register: vmstat
- name: Gather top CPU hogs
command: ps -eo user,pid,size,pcpu,cmd --sort=-pcpu
register: pscpu
- name: Gather top memory hogs
command: ps -eo user,pid,size,pcpu,cmd --sort=-size
register: pssize
- name: Swap + wait states
debug:
var: vmstat.stdout_lines
- name: Top 3 CPU hogs
debug:
var: pscpu.stdout_lines[:4]
- name: Top 3 memory hogs
debug:
var: pssize.stdout_lines[:4]


@@ -0,0 +1,30 @@
---
- name: application deployment
hosts: web
gather_facts: false
become: true
tasks:
- name: make sure application is not empty
assert:
that:
- "application != ''"
- name: printing to terminal application information
debug:
msg: "This Ansible Playbook will install {{application}}"
- name: install application
dnf:
name: "{{application}}"
allow_downgrade: true
register: result
- name: printing to terminal application information
debug:
msg: "The application: {{application}} has been installed"
when: result.changed|bool
- name: printing to terminal application information
debug:
msg: "The application: {{application}} was already installed"
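Review bot: The `assert` on L300–L302 only guards against an empty string; if `application` is not supplied at all the play aborts with an undefined-variable error before the assertion is evaluated, so the intended check is `- "application is defined and application != ''"`. `allow_downgrade: true` on L309 also lets a version-pinned value such as `foo-1.0` replace a newer installed package, which can undo security updates; since the value is caller-supplied, either drop the option or document that downgrades are intentional. The `{{application}}` spacing differs from the `{{ var }}` form used elsewhere in this commit.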
when: not result.changed|bool


@@ -0,0 +1,38 @@
---
- name: grant sudo
hosts: "{{ HOSTS | default('web') }}"
become: true
gather_facts: false
vars:
sudo_cleanup: true
tasks:
- name: Check if sudo user exists on system
getent:
database: passwd
key: "{{ sudo_user }}"
- name: create sudo rule
copy:
dest: "/etc/sudoers.d/{{ sudo_user }}"
owner: root
group: root
mode: 0640
content: "{{ sudo_user }} ALL=(ALL) NOPASSWD:ALL"
- name: install package
yum:
name: at
state: latest
- name: start service
service:
name: atd
state: started
- name: time based cleanup
at:
command: "rm /etc/sudoers.d/{{ sudo_user }}"
count: "{{ sudo_count | default('10') }}"
units: "{{ sudo_units | default('minutes') }}"
when: sudo_cleanup|bool
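Review bot: The `copy` on L336–L341 writes `/etc/sudoers.d/{{ sudo_user }}` without `validate: /usr/sbin/visudo -cf %s`, so a malformed file (for example a `sudo_user` value containing spaces) is installed as-is and can break sudo for everyone on the host until it is removed. The `content` also lacks a trailing newline, which older sudo releases reject as a syntax error; end it with `\n`. `mode: 0640` relies on YAML 1.1 octal parsing — `mode: "0640"` is the form ansible-lint asks for. Since this grants passwordless root, it is worth an `assert` that `sudo_user` matches a plain username pattern before it is interpolated into both the file path and the rule.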


@@ -0,0 +1,15 @@
---
- name: install and configure insights agent on all specified nodes
hosts: "{{ HOSTS | default('web') }}"
tasks:
- include_role:
name: RedHatInsights.insights-client
vars:
redhat_portal_username: "{{ insights_user }}"
redhat_portal_password: "{{ insights_password }}"
insights_display_name: "{{ inventory_hostname }}"
when: ansible_os_family == 'RedHat'
- name: print info to terminal window
debug:
msg: "Red Hat Insights is installed and configured for {{ inventory_hostname }}"
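Review bot: The `debug` on L371–L373 reports Insights as installed unconditionally, while the `include_role` above it runs only `when: ansible_os_family == 'RedHat'`; on any other OS family the message is false. Give it the same condition, `when: ansible_os_family == 'RedHat'`, or register the role's outcome and report that. The play also depends on facts for `ansible_os_family`, which works only because `gather_facts` is left at its default here — worth stating explicitly with `gather_facts: true`, given that most other playbooks in this commit set it to false.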


@@ -0,0 +1,21 @@
---
- name: apply non-kernel updates
hosts: "{{ HOSTS | default('web') }}"
become: true
gather_facts: false
tasks:
- name: upgrade all packages except kernel
yum:
name: '*'
state: latest
exclude: kernel*
tags: all
- name: upgrade all packages security related except kernel
yum:
name: '*'
state: latest
security: true
exclude: kernel*
tags: security
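Review bot: `tags: all` on L389 uses `all`, which Ansible reserves as the implicit run-everything selector, so the first task cannot be selected on its own with `--tags`; pick a distinct name such as `tags: updates`. `security: true` on L394 depends on the yum security plugin being present and on the repositories publishing updateinfo metadata; where either is missing the task silently updates nothing, so a `register` plus a `debug` of the result would make that visible.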


@@ -0,0 +1,11 @@
---
- name: turn off community-grid
hosts: "{{ HOSTS | default('web') }}"
gather_facts: false
become: yes
tasks:
- name: enable and start boinc-client
systemd:
name: boinc-client
state: stopped
enabled: false
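Review bot: The task on L407 is named `enable and start boinc-client` but sets `state: stopped` and `enabled: false`, the opposite of its name; the play title `turn off community-grid` confirms stopping is intended, so rename it `- name: stop and disable boinc-client`. `become: yes` on L405 should be `become: true`, matching the other plays in this commit.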


@@ -0,0 +1,23 @@
---
- name: install the iis web service
hosts: windows
tasks:
- name: install iis
win_feature:
name: Web-Server
state: present
- name: start iis service
win_service:
name: W3Svc
state: started
- name: Create website index.html
win_copy:
content: "{{ iis_test_message }}"
dest: C:\Inetpub\wwwroot\index.html
- name: Show website address
debug:
msg: http://{{ ansible_host }}


@@ -0,0 +1,17 @@
---
- name: Edit legal notice on start up message
hosts: windows
gather_facts: False
tasks:
- name: Updating Legal Notice Title
win_regedit:
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
name: legalnoticecaption
data: "{{ title_legal_notice }}"
- name: Updating Legal Notice Text
win_regedit:
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
name: legalnoticetext
data: "{{ text_legal_notice }}"


@@ -0,0 +1,11 @@
---
- name: setup deploy application demo
hosts: localhost
gather_facts: false
connection: local
tasks:
- name: install demo
include_role:
name: "../roles/install_demo"


@@ -0,0 +1,33 @@
---
- hosts: ios
gather_facts: no
vars:
log_servers:
- logging 10.10.10.10
- logging 10.10.10.11
tasks:
- name: "GET CONFIG"
ios_command:
commands:
- show running-config full | include logging [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
register: log
- name: RUN 'Set Logging'
ios_config:
commands: "{{ item }}"
loop: "{{ log_servers }}"
register: set_logging
- debug: var=log.stdout_lines
- name: RUN 'Remove Logging'
ios_config:
commands: "no {{ item }}"
when: "(log.stdout_lines[0][0] != '') and (item not in log_servers)"
loop: "{{ log.stdout_lines[0] }}"
register: remove_logging
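Review bot: `- debug: var=log.stdout_lines` on L489 uses the `key=value` shorthand while every other task in the file is block YAML; write it as `- debug:` with `var: log.stdout_lines` nested beneath. The play on L472 also has no `name`, which makes the run output harder to read. The same shorthand and missing play name appear in the section ending at L526, which additionally mixes `with_items` (L515, L522) with the `loop` form used here.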


@@ -0,0 +1,37 @@
---
- hosts: ios
gather_facts: no
vars:
ntp_servers:
- ntp server 10.10.10.13
- ntp server 10.10.10.14
tasks:
- name: "GET CONFIG"
ios_command:
commands:
- "show running-config full | include ntp server"
register: get_config
- debug: var=get_config.stdout_lines
- name: RUN 'Set NTP'
with_items: "{{ ntp_servers }}"
ios_config:
lines:
- "{{ item }}"
register: set_ntp
- name: RUN 'Remove NTP'
when: "(get_config.stdout_lines[0][0] != '') and (item not in ntp_servers)"
with_items: "{{ get_config.stdout_lines[0] }}"
register: remove_ntp
ios_config:
lines:
- "no {{ item }}"


@@ -0,0 +1,60 @@
---
- name: CORRECT VTY-ACL ON CISCO DEVICES
hosts: cisco
connection: network_cli
gather_facts: no
tasks:
- name: SAVE RUNNING-CONFIG TO NVRAM FOR RECOVERY IF NEEDED
ios_config:
save_when: always
- name: Set the task_status var
set_fact:
task_status: "OK"
- block:
- name: UPDATE VTY-ACL ACCESS LIST
ios_config:
parents: ip access-list extended VTY-ACL
lines:
- permit tcp host {{ hostvars['ansible-1'].ansible_host }} any eq 22
- permit tcp 172.16.0.0 0.15.255.255 any eq 22
- permit tcp 192.168.0.0 0.0.255.255 any eq 22
- permit tcp 10.0.0.0 0.255.255.255 any eq 22 log-input
- deny ip any any log-input
match: exact
replace: block
before:
- line vty 0 15
- NO access-class VTY-ACL in
- NO ip access-list extended VTY-ACL
after:
- line vty 0 15
- access-class VTY-ACL in
- name: CHECK IF SSH IS STILL ACCESSIABLE FROM NETWORK
wait_for:
host: "{{ inventory_hostname }}"
port: 22
state: started
delay: 2
timeout: 6
ignore_errors: no
- name: SSH TEST SUCCESSFUL. SAVING RUNNING-CONFIG
ios_config:
save_when: always
rescue:
- name: UPDATE FAILED. ROLLING BACK CONFIG
ios_command:
commands:
- configure replace nvram:startup-config force
- set_fact:
task_status: "ERROR"
when: task_status == 'OK'
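Review bot: `wait_for` on L563–L568 connects to `host: "{{ inventory_hostname }}"`, but inventory names for `cisco` hosts are often not resolvable from the control node when `ansible_host` carries the address; the SSH check then fails for the wrong reason and the rescue rolls back a correct ACL. Use `host: "{{ ansible_host | default(inventory_hostname) }}"`. The first permit line on L548 hard-codes `hostvars['ansible-1']`, so the play breaks if the controller is inventoried under another name; a dedicated variable holding the controller address (say `controller_ip`, to be defined) would decouple it. `ignore_errors: no` on L569 is the default and can be dropped, or at least written `false`.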


@@ -0,0 +1,31 @@
---
- name: harden linux systems
hosts: "{{ HOSTS | default('web') }}"
become: true
vars:
- harden_firewall: false
- harden_time: false
- harden_ssh: false
- harden_pci: false
tasks:
- name: Configure Firewall
when: harden_firewall | bool
include_role:
name: linux-system-roles.firewall
- name: Configure Timesync
when: harden_time | bool
include_role:
name: redhat.rhel_system_roles.timesync
- name: SSH Hardening
when: harden_ssh | bool
include_role:
name: dev-sec.ssh-hardening
# run with --skip-tags accounts_passwords_pam_faillock_deny
- name: Apply PCI Baseline
when: harden_pci | bool
include_role:
name: redhatofficial.rhel8_pci_dss
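Review bot: `vars:` on L589–L593 is written as a list of single-key mappings; Ansible accepts this, but the play-level `vars` keyword is documented as a mapping and I believe newer ansible-core releases warn about the list form, so put `harden_firewall: false` and the others directly under `vars:`. The comment on L607 about `--skip-tags accounts_passwords_pam_faillock_deny` sits between the SSH and PCI tasks; it would be clearer directly above `Apply PCI Baseline`, stating which role the tag belongs to and why it is skipped.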


@@ -0,0 +1,45 @@
---
- name: build openscap report for rhel7
hosts: web
gather_facts: false
vars:
file_path: "/var/www/html/openscap/"
ssg_schema: "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"
tasks:
- name: make sure openscap-scanner and scap-security guide are installed
yum:
name:
- openscap-scanner
- scap-security-guide
state: present
- name: Check if SCAP Security Guide (SSG) profile is available
stat:
path: "{{ssg_schema}}"
- name: create HTML report
command: "oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --results report.xml --report index.html {{ssg_schema}}"
register: command_result
failed_when: "'Error' in command_result.stderr"
- name: Create directory if it does falset exist
become: true
file:
path: "{{file_path}}"
state: directory
- name: move files into httpd
become: true
copy:
src: ./{{item}}
dest: "{{file_path}}/{{item}}"
remote_src: true
loop:
- report.xml
- index.html
- name: DISPLAY LINK TO INVENTORY REPORT
debug:
msg: "Please go to http://{{ansible_host}}/openscap"
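Review bot: The `stat` on L631–L632 is not registered, so the check its name promises never happens and a missing SSG datastream only surfaces when `oscap` fails with a less helpful message; add `register: ssg_stat` and a following `failed_when: not ssg_stat.stat.exists` (or an `assert`). `failed_when: "'Error' in command_result.stderr"` on L636 also replaces the default non-zero-exit check, so a crash whose stderr lacks the word `Error` passes silently; I believe oscap exits 2 when rules fail and 1 on error, so `failed_when: command_result.rc == 1` would tolerate failed rules while keeping real failures visible. The task name on L637, `does falset exist`, looks like a search-and-replace artifact for `does not exist`. The hunk header announces 45 lines and the section may continue past what is shown.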