diff --git a/dnaclab_linux/ansible.cfg b/dnaclab_linux/ansible.cfg deleted file mode 100644 index 23055e3..0000000 --- a/dnaclab_linux/ansible.cfg +++ /dev/null @@ -1,2 +0,0 @@ -[defaults] -private_key_file = /home/vlad/.ssh/id_rsa \ No newline at end of file diff --git a/dnaclab_linux/configuration_files/ntp.conf b/dnaclab_linux/configuration_files/ntp.conf deleted file mode 100644 index e69de29..0000000 diff --git a/dnaclab_linux/inventory.yml b/dnaclab_linux/inventory.yml index 4b98176..c501e6b 100644 --- a/dnaclab_linux/inventory.yml +++ b/dnaclab_linux/inventory.yml @@ -22,3 +22,4 @@ telemetry.dnaclab.net: developer.dnaclab.net: gitlab.dnaclab.net: + test.dnaclab.net: diff --git a/dnaclab_linux/prestage.yml b/dnaclab_linux/prestage.yml index f39839f..c9dd41a 100644 --- a/dnaclab_linux/prestage.yml +++ b/dnaclab_linux/prestage.yml @@ -1,6 +1,11 @@ +# This playbook is an example of how to manage linux servers with Ansible playbooks. It consists of multiple roles +# which are read in sequence and run through their tasks (defined in the 'roles/xxxx/tasks/main.yml' file - 'xxxx' being the name of the role) +# The playbook requires the target hosts to have a user with sudo privileges configured - add the credentials of this user to the encrypted +# 'roles/common/vars/main.yml' file using the function 'ansible-vault edit' + --- -- name: Prestage server and install services [SYSLOG, FTP, TFTP, NTP] - hosts: services +- name: Prestage server(s) with the following roles {{ ansible_play_role_names }} + hosts: test roles: - common - services 
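Review bot: `hosts: test` narrows the play from the `services` group to the single `test.dnaclab.net` entry that inventory.yml gains in this same commit, while the new header comment presents the playbook as the general way to manage the lab's Linux servers; if this is a testing leftover, `hosts: services` should come back, and if it is intentional the header should name the group the play is meant for. The templated play name `{{ ansible_play_role_names }}` is rendered when the play starts, and it is not obvious that this magic variable is populated at that point on every Ansible version, so check the output shows the role list rather than the literal expression. The play's `tasks:` section continues outside this hunk.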
@@ -8,26 +13,6 @@ tasks: - - name: Update and upgrade current packages - apt: - update_cache: yes - upgrade: yes - - - name: Create a new regular user with sudo privileges - user: - name: "{{ create_user }}" - state: present - groups: sudo - append: true - create_home: true - shell: /bin/bash - - - name: Set authorized key for remote user - authorized_key: - user: "{{ create_user }}" - state: present - key: "{{ copy_local_key }}" - - name: Send Webex Teams message via BOT to confirm playbook completion community.general.cisco_webex: recipient_type: toPersonEmail diff --git a/dnaclab_linux/roles/common/tasks/main.yml b/dnaclab_linux/roles/common/tasks/main.yml new file mode 100644 index 0000000..177b084 --- /dev/null +++ b/dnaclab_linux/roles/common/tasks/main.yml @@ -0,0 +1,21 @@ +--- +- name: Update and upgrade current packages + ansible.builtin.apt: + update_cache: yes + upgrade: yes + +- name: Create a user with sudo privileges which will be used for managing the host via SSH + ansible.builtin.user: + name: "{{ local_user }}" + state: present + groups: sudo + append: true + create_home: true + shell: /bin/bash + password: "{{ local_password }}" + +- name: Set authorized key for remote SSH access (passwordless login) + ansible.posix.authorized_key: + user: "{{ local_user }}" + state: present + key: "{{ local_key }}" \ No newline at end of file diff --git a/dnaclab_linux/roles/common/vars/main.yml b/dnaclab_linux/roles/common/vars/main.yml index 92093c2..39740fc 100644 --- a/dnaclab_linux/roles/common/vars/main.yml +++ b/dnaclab_linux/roles/common/vars/main.yml 
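Review bot: `password: "{{ local_password }}"` in the 'Create a user' task hands ansible.builtin.user a value it expects to be already hashed, so a plaintext vault entry would be written verbatim into the account's password field and never match at login; hash it at the call site, `password: "{{ local_password | password_hash('sha512') }}"`, and add `no_log: true` to the task so neither the plaintext nor the hash appears in verbose or diff output. Because password_hash picks a fresh salt on every run, pair it with `update_password: on_create` to keep the task idempotent. The file also ends without a trailing newline.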
@@ -1,25 +1,29 @@ $ANSIBLE_VAULT;1.1;AES256 -37306465323037623364336366393036643966666232653964313436383333633133353232636166 -3232373132386263633466643139313732656537383239310a303935333732353632383736356235 -61326134633862343632343035646637306135646532353264363533383233663034623162663263 -6235616361396435310a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a383037323333373161616436613639 +61663131636637376531646438643166316439643339333433343665303438336163633638316364 +3534353732666636360a323866656461633461386130663263616132646631383736303864393532 +63346661653135313636646233396166323630633535643735653965313637353538393634336161 +39353736353262373139653763646539323030646432633730333334393562306361626637376163 +63343331646236323232393832373037616333333334643630633262333536323563623032373136 +35663333306264616564343263663930393562356465623232386536656434613664316335303933 +64623238323836336538303361663965316136383533666533306235373663646338313164633534 +32346632386164376630646662336436373036653330643137336233613236633335393939333839 +32313066316631366632386234323862386535343964346261633362386331653130396437643930 +61363265356236343639663931643835646261633038356133613964336466396532633436653939 +35363133343634383638363265636261393761653262353035376339333661386262393966343234 +32326136343233356534316562343132303963323862343038613734356436303865356334643031 +32326335633237353563383166666165373232653134643263386536386638633636336662336166 +37313464323961363237306331373132613962636162303561333836656361653732666563363563 +66376231306539613666363534656263366534303066636166336633656136313531333638386437 +33393462663161336630623532313934373535383130373735633632623032336366616164333233 +63366463623838363638613463633134353830353537636630343636333161616333303862623534 +62633134303939366339616530366634366339643935623265636639323533336530663030383031 +39313061626366656431636533643037323439663463653033343735306632333433663231393332 
+32346539643064653662323766653765653235633935643530343031666637636563656339313137 +64316164636136666139393762336530373365616563306231396531373031633337383864643361 +66663539303532656335373139656634363539646533393932326462623163653034383036636333 +62343830343136306565303934383464333233633265386635313066646635663664326135663836 +32356433353832323736363939343165346130363031373731366532313137653435393534393030 +37326635656537366339326538653238353534313934303632343361383164633037353136613562 +37383166653735303330 diff --git a/dnaclab_linux/roles/services/files/ntp.conf b/dnaclab_linux/roles/services/files/ntp.conf new file mode 100644 index 0000000..7b7c341 --- /dev/null +++ b/dnaclab_linux/roles/services/files/ntp.conf 
@@ -0,0 +1,60 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Leap seconds definition provided by tzdata
+leapfile /usr/share/zoneinfo/leap-seconds.list
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+# Specify one or more NTP servers.
+
+# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
+# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
+# more information.
+pool pool.ntp.org
+server 0.uk.pool.ntp.org iburst
+server 1.uk.pool.ntp.org
+server 127.0.0.1
+
+# Use Ubuntu's ntp server as a fallback.
+pool ntp.ubuntu.com
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery limited
+restrict -6 default kod notrap nomodify nopeer noquery limited
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Needed for adding pool entries
+restrict source notrap nomodify noquery
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
diff --git a/dnaclab_linux/roles/services/files/syslog-ng-network-devices.conf b/dnaclab_linux/roles/services/files/syslog-ng-network-devices.conf
new file mode 100644
index 0000000..067585b
--- /dev/null
+++ b/dnaclab_linux/roles/services/files/syslog-ng-network-devices.conf
@@ -0,0 +1,55 @@
+#Options
+
+options {
+ create-dirs(yes);
+ owner(administrator);
+ group(administrator);
+ perm(0640);
+ dir-owner(administrator);
+ dir-group(administrator);
+ dir-perm(0750);
+};
+
+#Sources
+
+source s_regular { tcp(port(5140)); };
+source s_cisco { tcp(port(5141) flags(no-parse,store-raw-message)); };
+source s_servers { tcp(port(5142) flags(no-parse,store-raw-message)); };
+
+#Templates
+
+template t_jsonfile {
+ template("$(format-json --scope rfc5424 --scope dot-nv-pairs --rekey .* --shift 1 --scope nv-pairs --key ISODATE)\n");
+};
+
+#Parsers
+
+parser p_cisco { cisco-parser(); };
+
+#Destinations
+
+destination d_raw {
+ file("/home/administrator/Desktop/SYSLOG/RAW_LOGS/$HOST-$YEAR-$MONTH-$DAY.log" template("${RAWMSG}\n"));
+};
+destination d_from_cisco {
+ file("/home/administrator/Desktop/SYSLOG/CISCO_DEVICES/$HOST-$YEAR-$MONTH-$DAY.log" template(t_jsonfile));
+};
+destination d_from_servers {
+ file("/home/administrator/Desktop/SYSLOG/SERVERS/$HOST-$YEAR-$MONTH-$DAY.log" );
+};
+
+#Loggers
+
+log {
+ source(s_regular);
+ destination(d_raw);
+};
+log {
+ source(s_cisco);
+ parser(p_cisco);
+ destination(d_from_cisco);
+};
+log {
+ source(s_servers);
+ destination(d_from_servers);
+};
diff --git a/dnaclab_linux/roles/services/files/tftpd-hpa b/dnaclab_linux/roles/services/files/tftpd-hpa
new file mode 100644
index 0000000..94094b6
--- /dev/null
+++ b/dnaclab_linux/roles/services/files/tftpd-hpa
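Review bot: `server 127.0.0.1` points ntpd at its own listening socket rather than at a time source, so it will never be selected as a peer and only adds noise to the peer list; if the intent is a fallback so the lab keeps serving time while the pool is unreachable, that is the undisciplined local clock driver, `server 127.127.1.0` plus `fudge 127.127.1.0 stratum 10`, otherwise the line should go. The two uk pool entries are also inconsistent: only `0.uk.pool.ntp.org` carries `iburst`, so initial sync against the second server is slower for no evident reason. This hunk starts on the previous line.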
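Review bot: `owner(administrator)`, `dir-owner(administrator)` and the three `/home/administrator/Desktop/SYSLOG/...` file() paths hard-code an account that no task in this diff creates (the common role creates `{{ local_user }}`, and the TFTP directory task in the services role uses `{{ ansible_user }}`), so on a host without that user syslog-ng will fail to create the directories or chown the files; deploying this through ansible.builtin.template with the same variable, or a header comment stating that `administrator` must pre-exist, would make the dependency explicit. The three `tcp()` sources accept unauthenticated, unencrypted syslog from any address the firewall admits, a lab trade-off worth recording above `#Sources`, e.g. `# Plain TCP, no auth/TLS: rely on the UFW source restrictions for 5140-5142`. `tcp()` is also the legacy driver; `network(port(5140) transport(tcp))` is the current form.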
@@ -0,0 +1,6 @@
+# /etc/default/tftpd-hpa
+
+TFTP_USERNAME="tftp"
+TFTP_DIRECTORY="/home/administrator/Desktop/TFTP"
+TFTP_ADDRESS=":69"
+TFTP_OPTIONS="--secure --create"
diff --git a/dnaclab_linux/roles/services/files/vsftpd.conf b/dnaclab_linux/roles/services/files/vsftpd.conf
new file mode 100644
index 0000000..53cc3ba
--- /dev/null
+++ b/dnaclab_linux/roles/services/files/vsftpd.conf
@@ -0,0 +1,46 @@
+listen=YES
+listen_ipv6=NO
+anonymous_enable=NO
+local_enable=YES
+write_enable=YES
+local_umask=022
+dirmessage_enable=YES
+use_localtime=YES
+xferlog_enable=YES
+connect_from_port_20=YES
+chroot_local_user=YES
+secure_chroot_dir=/var/run/vsftpd/empty
+pam_service_name=vsftpd
+rsa_cert_file=/etc/ssl/certs/sftp.ubuntu.dnaclab.net.pem
+rsa_private_key_file=/etc/ssl/private/sftp.ubuntu.dnaclab.net.key
+ssl_enable=NO
+pasv_enable=YES
+pasv_min_port=10000
+pasv_max_port=10100
+allow_writeable_chroot=YES
+
+# Below verbose log is for transfer/upload, formatted for common tools stats.
+# Use command: tail -f /var/log/xferlog
+xferlog_enable=YES
+xferlog_file=/var/log/xferlog
+xferlog_std_format=YES
+
+# Below verbose log is for FTP commands and responses.
+# By default, logs were written to syslog instead of file.
+# Use command: tail -f /var/log/vsftpd.log
+# Use command: logread -f
+
+log_ftp_protocol=YES
+vsftpd_log_file=/var/log/vsftpd.log
+syslog_enable=YES
+
+# Allow log 1 and 2 to be written simultaneously.
+
+dual_log_enable=YES
+
+#Directory configuration and user access
+
+local_root=/home/administrator/Desktop/SFTP
+userlist_enable=YES
+userlist_file=/etc/vsftpd.userlist
+userlist_deny=NO
diff --git a/dnaclab_linux/roles/services/tasks/main.yml b/dnaclab_linux/roles/services/tasks/main.yml
index 6c6b412..a06e620 100644
--- a/dnaclab_linux/roles/services/tasks/main.yml
+++ b/dnaclab_linux/roles/services/tasks/main.yml
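Review bot: `TFTP_OPTIONS="--secure --create"` lets any client that can reach UDP/69 create new files in the served directory without authentication, which is presumably what the device-backup workflow needs, but nothing in this diff limits who can reach the port; the UFW rule for it should carry a `from_ip` restricted to the management subnet, and the option deserves a comment such as `# --create: devices may upload new files (config backups); restrict UDP/69 at the firewall`. `TFTP_DIRECTORY="/home/administrator/Desktop/TFTP"` also hard-codes the user, whereas the task that creates the directory uses `/home/{{ ansible_user }}/Desktop/TFTP`, so with any other ansible_user the daemon is started against a path that does not exist.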
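Review bot: `ssl_enable=NO` leaves FTP logins and transfers in cleartext while `rsa_cert_file` and `rsa_private_key_file` are already set for sftp.ubuntu.dnaclab.net, so those two lines are dead configuration; if the certificate is present on the host, `ssl_enable=YES` together with `force_local_logins_ssl=YES` and `force_local_data_ssl=YES` would put it to use, otherwise a comment should record why TLS is off. `userlist_enable=YES` with `userlist_deny=NO` turns `/etc/vsftpd.userlist` into an allow-list, and no task in this diff creates that file, so local logins will likely fail until it is provisioned — verify on the target. `xferlog_enable=YES` appears twice (line 9 and again under the xferlog comment); drop the first. `local_root=/home/administrator/Desktop/SFTP` hard-codes the account name that the services role otherwise derives from `{{ ansible_user }}`.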
@@ -1,17 +1,17 @@ --- - name: Install required packages - apt: + ansible.builtin.apt: name: "{{ item }}" loop: - curl - tree + - ufw + - ntp + - tftpd-hpa - syslog-ng - vsftpd - - tftpd-hpa - - ntp - - ufw -- name: Configure UFW to allow inbound NTP, SSH, SYSLOG, FTP connections +- name: Configure UFW to allow inbound NTP, SSH, SYSLOG, FTP and TFTP connections community.general.ufw: rule: allow direction: in @@ -37,7 +37,7 @@ - port: '5142' proto: tcp -- name: UFW - Deny all other incoming traffic by default +- name: Deny all other incoming IPv4 traffic community.general.ufw: state: enabled policy: deny @@ -51,9 +51,54 @@ - name: Apply NTP configuration file ansible.builtin.copy: - src: ./configuration_files/ntp.conf + src: ntp.conf dest: /etc/ntp.conf owner: root group: root mode: '0644' backup: yes + +- name: Apply TFTP configuration file + ansible.builtin.copy: + src: tftpd-hpa + dest: /etc/default/tftpd-hpa + owner: root + group: root + mode: '0644' + backup: yes + +- name: Create TFTP directory + ansible.builtin.file: + path: "/home/{{ ansible_user }}/Desktop/TFTP" + state: directory + owner: "{{ ansible_user }}" + group: "{{ ansible_user }}" + mode: '0777' + +- name: Apply SYSLOG configuration file + ansible.builtin.copy: + src: syslog-ng-network-devices.conf + dest: /etc/syslog-ng/conf.d/syslog-ng-network-devices.conf + owner: root + group: root + mode: '0644' + backup: yes + +- name: Apply FTP configuration file + ansible.builtin.copy: + src: vsftpd.conf + dest: /etc/vsftpd.conf + owner: root + group: root + mode: '0644' + backup: yes + +- name: Enable installed services + ansible.builtin.service: + name: "{{ item }}" + enabled: yes + loop: + - ntp + - tftpd-hpa + - syslog-ng + - vsftpd \ No newline at end of file
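Review bot: `mode: '0777'` on the 'Create TFTP directory' task makes the upload directory world-writable, which is broader than the service needs: tftpd runs as the `tftp` user (TFTP_USERNAME in roles/services/files/tftpd-hpa), so `owner: "{{ ansible_user }}"`, `group: tftp` (if the package creates that group, as on Debian/Ubuntu) and `mode: '0775'` give it write access without letting every local account drop files there. The four copy tasks carry no `notify`, and the final 'Enable installed services' task sets only `enabled: yes`, so on a host where the packages were already installed the new ntp, tftpd, syslog-ng and vsftpd configuration is not applied until a reboot; add `state: started` and a restart handler per service. The loop over `ansible.builtin.apt` could pass the package list directly as `name:`, which installs everything in one transaction. These points apply to the third hunk; the first two hunks are cosmetic, and the file ends without a trailing newline.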