====== Ansible sanbox ======
===== Test 1 =====
Script shell to start the playbook
# cat /Ansible-Playbook/scripts/cron_download_files.sh
#!/bin/bash
# Start playbook to download files
unset http_proxy
unset https_proxy
log="/var/log/ansible/$1.log"
playbook='download_file.yml'
cd ~/download
>> /var/log/ansible/$1.log
date >> /var/log/ansible/$1.log
>> /var/log/ansible/$1.log
ansible-playbook -vvvv $playbook >> /var/log/ansible/$1.log
# message monitoring
case $? in
0) status="0"
message="Success - script:$playbook log:$log" ;;
99) status="2"
message="Error : User interrupted execution - script:$playbook log:$log" ;;
*) status="2"
message="Error - script:$playbook log:$log" ;;
esac
server=nagiossrv01
echo "$(hostname -s);ansible_download;$status;$message" | /usr/local/nagios/bin/send_nsca -H $server -p 5667 -c /usr/local/nagios/etc/send_nsca.cfg -d ";"
Into **~/download**
# ls -lsa ~/download
ansible.cfg
.vaultPwd.yml --> password clear for vault
download_file.yml
# cat ansible.cfg | grep -v '^#' | sed '/^$/d'
[defaults]
inventory = ~/inventory/inventory_download
host_key_checking = False
retry_files_enabled = False
pipelining = True
ansible_python_interpreter = /usr/bin/python3
inventory_plugins = ~/.ansible/collections/ansible_collections/xxxxx
log_path=/var/log/ansible/stdout.log
vault_password_file=./.vaultPwd.yml
forks = 15
ansible_ssh_extra_args='-C -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
[inventory]
enabled_plugins = xxxxx
[privilege_escalation]
become = True
become_method = sudo
become_user = ansibuser
# cat ~/inventory/inventory_download
[linux]
linux01
linux02
===== Test 2 with roles =====
Execute only one role
ansible-playbook setup.yml -i inventory.ini --tags "common"
setup.yml
---
- hosts: prod
vars_files:
- group_vars/all.yml
- group_vars/main.yml
- group_vars/docker.yml
- group_vars/monit.yml
- group_vars/networking.yml
- group_vars/vault.yml
user: "{{default_username}}" # run whole script with default user
become: yes
roles: # order is not random!
- role: nickjj.fail2ban
tags: fail2ban
- role: common
tags: common
- role: ufw
tags: ufw
- role: user
tags: user
- role: ssh
tags: ssh
- role: nickjj.docker
when: install_docker == true
tags: docker
- role: docker
when: install_docker == true
tags: docker
- role: jnv.debian-backports
tags: common
- role: ansible-monit
tags: common
- role: jnv.unattended-upgrades
tags: common
- role: networking
tags: networking
- role: reboot
tags: reboot
cat group_vars/main.yml
sshpub_location: SSH_PUBKEY_HERE #the full path to your SSH public key ( e.g. /Users/username/.ssh/id_ed25519.pub )
root_pw: "PASSWORD_HERE" #root password that should be set
user_name: USERNAME_HERE #username for the created user
user_pw: "PASSWORD_HERE" #password for the new user
ssh_port: 55899 #port number for ssh
mail_to: mailto@example.com #the mail address where mails should be sent to
mail_from: mailfrom@example.com #the mail address where mails are sent from
mail_smtp_server: smtp.example.com #mail server, e.g. smtp.gmail.com
mail_pw: PASSWORD_HERE #password for the mail_from mail address
mail_port: 587 #the port where mails are sent to the mail server, e.g. 587
cat group_vars/all.yml
---
# general settings
default_username: debian
dot_forward_email:
private_key: .ssh/id_rsa
public_key: .ssh/id_rsa.pub
ntpserver: pool.ntp.org
timezone: Europe/Rome
# default sshd port
sshd_port: 22
# generate random passwords for default user and root user
default_password: "{{lookup('password', '/dev/null length=15 chars=ascii_letters,digits,punctuation')}}"
root_password: "{{lookup('password', '/dev/null length=15 chars=ascii_letters,digits,punctuation')}}"
# unattended packages install configuration
unattended_mail: "{{dot_forward_email}}"
unattended_remove_unused_dependencies: true
unattended_automatic_reboot_time: "03:00"
unattended_update_days: "Sat"
unattended_clean_interval: 7
# fail2ban
fail2ban_loglevel: INFO
fail2ban_services:
- name: ssh
port: ssh
filter: sshd
logpath: /var/log/auth.log
cat roles/ssh/tasks/main.yml
- name: secure ssh configuration
become: true
blockinfile:
path: /etc/ssh/sshd_config
block: |
########################################################################################################
# start settings from https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 as of 2019-01-01
########################################################################################################
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Use kernel sandbox mechanisms where possible in unprivileged processes
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
# Note: This setting is deprecated in OpenSSH 7.5 (https://www.openssh.com/txt/release-7.5)
# UsePrivilegeSeparation sandbox
########################################################################################################
# end settings from https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 as of 2019-01-01
########################################################################################################
# don't let users set environment variables
PermitUserEnvironment no
# only use the newer, more secure protocol
Protocol 2
# disable port forwarding
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
# don't allow login if the account has an empty password
PermitEmptyPasswords no
# ignore .rhosts and .shosts
IgnoreRhosts yes
# verify hostname matches IP
UseDNS yes
Compression no
TCPKeepAlive no
AllowAgentForwarding no
# don't allow .rhosts or /etc/hosts.equiv
HostbasedAuthentication no
notify: restart ssh service
- name: secure ssh configuration part 2
become: true
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
loop:
- { regexp: '^AllowGroups', line: 'AllowGroups sshusers' }
- { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax 0'}
- { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval 300'}
- { regexp: '^ListenAddress', line: 'ListenAddress 0.0.0.0'}
- { regexp: '^LoginGraceTime', line: 'LoginGraceTime 30'}
- { regexp: '^MaxAuthTries', line: 'MaxAuthTries 2'}
- { regexp: '^MaxSessions', line: 'MaxSessions 2'}
- { regexp: '^MaxStartups', line: 'MaxStartups 2'}
- { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no'}
- { regexp: '^Port', line: 'Port {{ ssh_port }}'}
- { regexp: '^PermitRootLogin', line: 'PermitRootLogin no'}
- { regexp: '^X11Forwarding', line: 'X11Forwarding no'}
- { regexp: '^Subsystem', line: 'Subsystem sftp internal-sftp -f AUTHPRIV -l INFO'}
notify: restart ssh service
- name: remove short diffie diffie-hellman
become: true
shell: |
awk '$5 >= 3071' /etc/ssh/moduli | sudo tee /etc/ssh/moduli.tmp
mv /etc/ssh/moduli.tmp /etc/ssh/moduli
notify: restart ssh service
cat roles/ssh/handlers/main.yml
- name: restart ssh service
become: yes
service:
name: ssh
state: restarted
cat roles/others/tasks/main.yml
- name: include Debian.yml
include_tasks: Debian.yml
when: ansible_os_family == 'Debian'
- name: include RedHat.yml
include_tasks: RedHat.yml
when: ansible_os_family == 'RedHat'
cat roles/others/tasks/Debian.yml
- name: install others
apt:
name: ['bash-completion', 'htop', 'rsync', 'tmux', 'nmap', 'netcat-openbsd', 'gawk']
state: present
when: ansible_os_family == 'Debian'
cat roles/others/tasks/Redhat.yml
- name: install others
yum: name={{ item }} state=present
when: ansible_os_family == 'Redhat'
with_items:
- bash-completion
- tig
- wget
- htop
- rsync
- tmux
- nmap
- nmap-ncat
===== Test 3 backup file =====
File is backuped with format **2025-02-23T14:30:00Z**
---
- name: Backup file if it exists
hosts: localhost
tasks:
- name: Check if the file exists
stat:
path: /path/to/your/file
register: file_stat
- name: Create a backup if the file exists
copy:
src: /path/to/your/file
dest: "/path/to/backup/file_{{ ansible_date_time.iso8601 }}.bak"
remote_src: yes
when: file_stat.stat.exists
Backup only if modified
---
- name: Backup file if it is different
hosts: localhost
tasks:
- name: Get the checksum of the current file
stat:
path: /path/to/your/file
register: file_stat
- name: Get the checksum of the last backup (if exists)
stat:
path: "/path/to/backup/file_last.bak"
register: backup_stat
ignore_errors: yes
- name: Compare the current file checksum with the backup checksum
command: "sha256sum /path/to/your/file | awk '{ print $1 }'"
register: current_checksum
when: file_stat.stat.exists
- name: Compare the backup checksum (if backup exists)
command: "sha256sum /path/to/backup/file_last.bak | awk '{ print $1 }'"
register: backup_checksum
when: backup_stat.stat.exists
- name: Backup the file if checksums are different
copy:
src: /path/to/your/file
dest: "/path/to/backup/file_{{ ansible_date_time.iso8601 }}.bak"
remote_src: yes
when:
- file_stat.stat.exists
- (backup_stat.stat.exists == false or current_checksum.stdout != backup_checksum.stdout)
===== Test 4 insertafter using bash =====
---
- name: Insert line after pattern using bash
hosts: all
become: true
tasks:
- name: Insert line after pattern using sed
shell: |
if ! grep -q '^new_config_line=value$' /etc/example.conf; then
sed -i '/# INSERT HERE/a new_config_line=value' /etc/example.conf
fi
args:
executable: /bin/bash
https://stackoverflow.com/questions/70162334/in-ansible-how-do-i-add-a-line-without-delete-comment
https://www.theunixschool.com/2012/06/insert-line-before-or-after-pattern.html