ansible:ansible_sandbox
Table of Contents
Ansible sanbox
Test 1
Script shell to start the playbook
# cat /Ansible-Playbook/scripts/cron_download_files.sh
#!/bin/bash
# Start playbook to download files
unset http_proxy
unset https_proxy
log="/var/log/ansible/$1.log"
playbook='download_file.yml'
cd ~/download
>> /var/log/ansible/$1.log
date >> /var/log/ansible/$1.log
>> /var/log/ansible/$1.log
ansible-playbook -vvvv $playbook >> /var/log/ansible/$1.log
# message monitoring
case $? in
0) status="0"
message="Success - script:$playbook log:$log" ;;
99) status="2"
message="Error : User interrupted execution - script:$playbook log:$log" ;;
*) status="2"
message="Error - script:$playbook log:$log" ;;
esac
server=nagiossrv01
echo "$(hostname -s);ansible_download;$status;$message" | /usr/local/nagios/bin/send_nsca -H $server -p 5667 -c /usr/local/nagios/etc/send_nsca.cfg -d ";"
Into ~/download
# ls -lsa ~/download
ansible.cfg .vaultPwd.yml --> password clear for vault download_file.yml
# cat ansible.cfg | grep -v '^#' | sed '/^$/d' [defaults] inventory = ~/inventory/inventory_download host_key_checking = False retry_files_enabled = False pipelining = True ansible_python_interpreter = /usr/bin/python3 inventory_plugins = ~/.ansible/collections/ansible_collections/xxxxx log_path=/var/log/ansible/stdout.log vault_password_file=./.vaultPwd.yml forks = 15 ansible_ssh_extra_args='-C -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' [inventory] enabled_plugins = xxxxx [privilege_escalation] become = True become_method = sudo become_user = ansibuser # cat ~/inventory/inventory_download [linux] linux01 linux02
Test 2 with roles
Execute only one role
ansible-playbook setup.yml -i inventory.ini --tags "common"
setup.yml
---
- hosts: prod
vars_files:
- group_vars/all.yml
- group_vars/main.yml
- group_vars/docker.yml
- group_vars/monit.yml
- group_vars/networking.yml
- group_vars/vault.yml
user: "{{default_username}}" # run whole script with default user
become: yes
roles: # order is not random!
- role: nickjj.fail2ban
tags: fail2ban
- role: common
tags: common
- role: ufw
tags: ufw
- role: user
tags: user
- role: ssh
tags: ssh
- role: nickjj.docker
when: install_docker == true
tags: docker
- role: docker
when: install_docker == true
tags: docker
- role: jnv.debian-backports
tags: common
- role: ansible-monit
tags: common
- role: jnv.unattended-upgrades
tags: common
- role: networking
tags: networking
- role: reboot
tags: reboot
cat group_vars/main.yml
sshpub_location: SSH_PUBKEY_HERE #the full path to your SSH public key ( e.g. /Users/username/.ssh/id_ed25519.pub ) root_pw: "PASSWORD_HERE" #root password that should be set user_name: USERNAME_HERE #username for the created user user_pw: "PASSWORD_HERE" #password for the new user ssh_port: 55899 #port number for ssh mail_to: mailto@example.com #the mail address where mails should be sent to mail_from: mailfrom@example.com #the mail address where mails are sent from mail_smtp_server: smtp.example.com #mail server, e.g. smtp.gmail.com mail_pw: PASSWORD_HERE #password for the mail_from mail address mail_port: 587 #the port where mails are sent to the mail server, e.g. 587
cat group_vars/all.yml
---
# general settings
default_username: debian
dot_forward_email: <YOUR_EMAIL_GOES_HERE>
private_key: .ssh/id_rsa
public_key: .ssh/id_rsa.pub
ntpserver: pool.ntp.org
timezone: Europe/Rome
# default sshd port
sshd_port: 22
# generate random passwords for default user and root user
default_password: "{{lookup('password', '/dev/null length=15 chars=ascii_letters,digits,punctuation')}}"
root_password: "{{lookup('password', '/dev/null length=15 chars=ascii_letters,digits,punctuation')}}"
# unattended packages install configuration
unattended_mail: "{{dot_forward_email}}"
unattended_remove_unused_dependencies: true
unattended_automatic_reboot_time: "03:00"
unattended_update_days: "Sat"
unattended_clean_interval: 7
# fail2ban
fail2ban_loglevel: INFO
fail2ban_services:
- name: ssh
port: ssh
filter: sshd
logpath: /var/log/auth.log
cat roles/ssh/tasks/main.yml
- name: secure ssh configuration
become: true
blockinfile:
path: /etc/ssh/sshd_config
block: |
########################################################################################################
# start settings from https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 as of 2019-01-01
########################################################################################################
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Use kernel sandbox mechanisms where possible in unprivileged processes
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
# Note: This setting is deprecated in OpenSSH 7.5 (https://www.openssh.com/txt/release-7.5)
# UsePrivilegeSeparation sandbox
########################################################################################################
# end settings from https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 as of 2019-01-01
########################################################################################################
# don't let users set environment variables
PermitUserEnvironment no
# only use the newer, more secure protocol
Protocol 2
# disable port forwarding
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
# don't allow login if the account has an empty password
PermitEmptyPasswords no
# ignore .rhosts and .shosts
IgnoreRhosts yes
# verify hostname matches IP
UseDNS yes
Compression no
TCPKeepAlive no
AllowAgentForwarding no
# don't allow .rhosts or /etc/hosts.equiv
HostbasedAuthentication no
notify: restart ssh service
- name: secure ssh configuration part 2
become: true
lineinfile:
dest: /etc/ssh/sshd_config
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
loop:
- { regexp: '^AllowGroups', line: 'AllowGroups sshusers' }
- { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax 0'}
- { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval 300'}
- { regexp: '^ListenAddress', line: 'ListenAddress 0.0.0.0'}
- { regexp: '^LoginGraceTime', line: 'LoginGraceTime 30'}
- { regexp: '^MaxAuthTries', line: 'MaxAuthTries 2'}
- { regexp: '^MaxSessions', line: 'MaxSessions 2'}
- { regexp: '^MaxStartups', line: 'MaxStartups 2'}
- { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no'}
- { regexp: '^Port', line: 'Port {{ ssh_port }}'}
- { regexp: '^PermitRootLogin', line: 'PermitRootLogin no'}
- { regexp: '^X11Forwarding', line: 'X11Forwarding no'}
- { regexp: '^Subsystem', line: 'Subsystem sftp internal-sftp -f AUTHPRIV -l INFO'}
notify: restart ssh service
- name: remove short diffie diffie-hellman
become: true
shell: |
awk '$5 >= 3071' /etc/ssh/moduli | sudo tee /etc/ssh/moduli.tmp
mv /etc/ssh/moduli.tmp /etc/ssh/moduli
notify: restart ssh service
cat roles/ssh/handlers/main.yml
- name: restart ssh service
become: yes
service:
name: ssh
state: restarted
cat roles/others/tasks/main.yml
- name: include Debian.yml include_tasks: Debian.yml when: ansible_os_family == 'Debian' - name: include RedHat.yml include_tasks: RedHat.yml when: ansible_os_family == 'RedHat'
cat roles/others/tasks/Debian.yml
- name: install others
apt:
name: ['bash-completion', 'htop', 'rsync', 'tmux', 'nmap', 'netcat-openbsd', 'gawk']
state: present
when: ansible_os_family == 'Debian'
cat roles/others/tasks/Redhat.yml
- name: install others
yum: name={{ item }} state=present
when: ansible_os_family == 'Redhat'
with_items:
- bash-completion
- tig
- wget
- htop
- rsync
- tmux
- nmap
- nmap-ncat
Test 3 backup file
File is backuped with format 2025-02-23T14:30:00Z
--- - name: Backup file if it exists hosts: localhost tasks: - name: Check if the file exists stat: path: /path/to/your/file register: file_stat - name: Create a backup if the file exists copy: src: /path/to/your/file dest: "/path/to/backup/file_{{ ansible_date_time.iso8601 }}.bak" remote_src: yes when: file_stat.stat.exists
Backup only if modified
--- - name: Backup file if it is different hosts: localhost tasks: - name: Get the checksum of the current file stat: path: /path/to/your/file register: file_stat - name: Get the checksum of the last backup (if exists) stat: path: "/path/to/backup/file_last.bak" register: backup_stat ignore_errors: yes - name: Compare the current file checksum with the backup checksum command: "sha256sum /path/to/your/file | awk '{ print $1 }'" register: current_checksum when: file_stat.stat.exists - name: Compare the backup checksum (if backup exists) command: "sha256sum /path/to/backup/file_last.bak | awk '{ print $1 }'" register: backup_checksum when: backup_stat.stat.exists - name: Backup the file if checksums are different copy: src: /path/to/your/file dest: "/path/to/backup/file_{{ ansible_date_time.iso8601 }}.bak" remote_src: yes when: - file_stat.stat.exists - (backup_stat.stat.exists == false or current_checksum.stdout != backup_checksum.stdout)
Test 4 insertafter using bash
--- - name: Insert line after pattern using bash hosts: all become: true tasks: - name: Insert line after pattern using sed shell: | if ! grep -q '^new_config_line=value$' /etc/example.conf; then sed -i '/# INSERT HERE/a new_config_line=value' /etc/example.conf fi args: executable: /bin/bash
https://stackoverflow.com/questions/70162334/in-ansible-how-do-i-add-a-line-without-delete-comment
https://www.theunixschool.com/2012/06/insert-line-before-or-after-pattern.html
ansible/ansible_sandbox.txt · Last modified: 2025/05/28 10:28 by manu
Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
