first commit
This commit is contained in:
parent
d5333ab877
commit
052825b2a7
|
|
@ -0,0 +1,25 @@
|
|||
# Defines our Vagrant environment
|
||||
#
|
||||
# -*- mode: ruby -*-
|
||||
# vi: set ft=ruby :
|
||||
|
||||
Vagrant.configure("2") do |config|
|
||||
config.vm.box = "debian/bullseye64"
|
||||
config.vm.define "openvas" # Pour ne pas avoir le nom "default" par defaut
|
||||
config.vm.hostname = "openvas"
|
||||
config.vm.network "forwarded_port", guest: 9392, host: 9392
|
||||
# config.vm.network :private_network, ip: "192.168.56.4"
|
||||
config.vm.provider "virtualbox" do |vb|
|
||||
vb.name = "openvas"
|
||||
vb.memory = "4096"
|
||||
vb.cpus = 4
|
||||
end
|
||||
config.vm.provision :shell, path: "bootstrap.sh"
|
||||
config.vm.provision "ansible" do |ansible|
|
||||
ansible.playbook = "ansible/openvas.yml"
|
||||
ansible.groups = {
|
||||
"openvas_servers" => ["openvas"],
|
||||
"all_groups:children" => ["openvas_servers"]
|
||||
}
|
||||
end
|
||||
end
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
- hosts: openvas_servers
|
||||
become: true
|
||||
roles:
|
||||
- {role: 'docker'}
|
||||
- {role: 'openvas'}
|
||||
|
||||
|
|
@ -0,0 +1,57 @@
|
|||
---
|
||||
# Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition).
|
||||
docker_edition: 'ce'
|
||||
docker_packages:
|
||||
- "docker-{{ docker_edition }}"
|
||||
- "docker-{{ docker_edition }}-cli"
|
||||
- "docker-{{ docker_edition }}-rootless-extras"
|
||||
- "containerd.io"
|
||||
docker_packages_state: present
|
||||
|
||||
# Service options.
|
||||
docker_service_manage: true
|
||||
docker_service_state: started
|
||||
docker_service_enabled: true
|
||||
docker_restart_handler_state: restarted
|
||||
|
||||
# Docker Compose Plugin options.
|
||||
docker_install_compose_plugin: false
|
||||
docker_compose_package: docker-compose-plugin
|
||||
docker_compose_package_state: present
|
||||
|
||||
# Docker Compose options.
|
||||
docker_install_compose: true
|
||||
docker_compose_version: "v2.11.1"
|
||||
docker_compose_arch: "{{ ansible_architecture }}"
|
||||
docker_compose_url: "https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-linux-{{ docker_compose_arch }}"
|
||||
docker_compose_path: /usr/local/bin/docker-compose
|
||||
|
||||
# Docker repo URL.
|
||||
docker_repo_url: https://download.docker.com/linux
|
||||
|
||||
# Used only for Debian/Ubuntu. Switch 'stable' to 'nightly' if needed.
|
||||
docker_apt_release_channel: stable
|
||||
docker_apt_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
|
||||
docker_apt_repository: "deb [arch={{ docker_apt_arch }}] {{ docker_repo_url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}"
|
||||
docker_apt_ignore_key_error: true
|
||||
docker_apt_gpg_key: "{{ docker_repo_url }}/{{ ansible_distribution | lower }}/gpg"
|
||||
|
||||
# Used only for RedHat/CentOS/Fedora.
|
||||
docker_yum_repo_url: "{{ docker_repo_url }}/{{ (ansible_distribution == 'Fedora') | ternary('fedora','centos') }}/docker-{{ docker_edition }}.repo"
|
||||
docker_yum_repo_enable_nightly: '0'
|
||||
docker_yum_repo_enable_test: '0'
|
||||
docker_yum_gpg_key: "{{ docker_repo_url }}/centos/gpg"
|
||||
|
||||
# A list of users who will be added to the docker group.
|
||||
docker_users: [vagrant]
|
||||
|
||||
# Docker daemon options as a dict
|
||||
docker_daemon_options: {
|
||||
"log-driver": "json-file",
|
||||
"log-opts": {
|
||||
"max-size": "300m",
|
||||
"max-file": "3",
|
||||
"compress": "true"
|
||||
},
|
||||
"live-restore": true
|
||||
}
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
- name: restart docker
|
||||
service:
|
||||
name: docker
|
||||
state: "{{ docker_restart_handler_state }}"
|
||||
ignore_errors: "{{ ansible_check_mode }}"
|
||||
when: docker_service_manage | bool
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
- name: Ensure docker users are added to the docker group.
|
||||
user:
|
||||
name: "{{ item }}"
|
||||
groups: docker
|
||||
append: true
|
||||
with_items: "{{ docker_users }}"
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
---
|
||||
- include_tasks: setup-RedHat.yml
|
||||
when: ansible_os_family == 'RedHat'
|
||||
|
||||
- include_tasks: setup-Debian.yml
|
||||
when: ansible_os_family == 'Debian'
|
||||
|
||||
- name: Install Docker packages.
|
||||
package:
|
||||
name: "{{ docker_packages }}"
|
||||
state: "{{ docker_packages_state }}"
|
||||
notify: restart docker
|
||||
ignore_errors: "{{ ansible_check_mode }}"
|
||||
when: "ansible_version.full is version_compare('2.12', '<') or ansible_os_family not in ['RedHat', 'Debian']"
|
||||
|
||||
- name: Install Docker packages (with downgrade option).
|
||||
package:
|
||||
name: "{{ docker_packages }}"
|
||||
state: "{{ docker_packages_state }}"
|
||||
allow_downgrade: true
|
||||
notify: restart docker
|
||||
ignore_errors: "{{ ansible_check_mode }}"
|
||||
when: "ansible_version.full is version_compare('2.12', '>=') and ansible_os_family in ['RedHat', 'Debian']"
|
||||
|
||||
- name: Ensure /etc/docker/ directory exists.
|
||||
file:
|
||||
path: /etc/docker
|
||||
state: directory
|
||||
mode: 0755
|
||||
when: docker_daemon_options.keys() | length > 0
|
||||
|
||||
- name: Configure Docker daemon options.
|
||||
copy:
|
||||
content: "{{ docker_daemon_options | to_nice_json }}"
|
||||
dest: /etc/docker/daemon.json
|
||||
mode: 0644
|
||||
when: docker_daemon_options.keys() | length > 0
|
||||
notify: restart docker
|
||||
|
||||
- name: Ensure Docker is started and enabled at boot.
|
||||
service:
|
||||
name: docker
|
||||
state: "{{ docker_service_state }}"
|
||||
enabled: "{{ docker_service_enabled }}"
|
||||
ignore_errors: "{{ ansible_check_mode }}"
|
||||
when: docker_service_manage | bool
|
||||
|
||||
- name: Ensure handlers are notified now to avoid firewall conflicts.
|
||||
meta: flush_handlers
|
||||
|
||||
# On récupère les utilisateurs membres du groupe docker si on a passé des users dans la variable docker_users
|
||||
- name: Get docker group info using getent.
|
||||
getent:
|
||||
database: group
|
||||
key: docker
|
||||
split: ':'
|
||||
when: docker_users | length > 0
|
||||
|
||||
# On vérifie si les users n'exsistent pas. Si c'est le cas on créé une nouvelle variable
|
||||
- name: Check if there are any users to add to the docker group.
|
||||
set_fact:
|
||||
at_least_one_user_to_modify: true
|
||||
when:
|
||||
- docker_users | length > 0
|
||||
- item not in ansible_facts.getent_group["docker"][2] # Permet de récupérer une liste des utilisateurs renseignée dans le troisième champs.
|
||||
with_items: "{{ docker_users }}"
|
||||
|
||||
# Si la nouvelle variable a été définie on exécute la task
|
||||
- include_tasks: docker-users.yml
|
||||
when: at_least_one_user_to_modify is defined
|
||||
|
|
@ -0,0 +1,55 @@
|
|||
---
|
||||
- name: Ensure old versions of Docker are not installed.
|
||||
ansible.builtin.package:
|
||||
name:
|
||||
- docker
|
||||
- docker-engine
|
||||
- docker.io
|
||||
state: absent
|
||||
|
||||
- name: Ensure dependencies are installed.
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- apt-transport-https
|
||||
- ca-certificates
|
||||
state: present
|
||||
|
||||
- name: Ensure additional dependencies are installed (on Ubuntu < 20.04 and any other systems).
|
||||
ansible.builtin.apt:
|
||||
name: gnupg2
|
||||
state: present
|
||||
when: ansible_distribution != 'Ubuntu' or ansible_distribution_version is version('20.04', '<')
|
||||
|
||||
- name: Ensure additional dependencies are installed (on Ubuntu >= 20.04).
|
||||
ansible.builtin.apt:
|
||||
name: gnupg
|
||||
state: present
|
||||
when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')
|
||||
|
||||
- name: Add Docker apt key.
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ docker_apt_gpg_key }}"
|
||||
dest: /etc/apt/trusted.gpg.d/docker.asc
|
||||
mode: '0644'
|
||||
force: true
|
||||
register: add_repository_key
|
||||
ignore_errors: "{{ docker_apt_ignore_key_error }}"
|
||||
|
||||
- name: Ensure curl is present (on older systems without SNI).
|
||||
ansible.builtin.package:
|
||||
name: curl
|
||||
state: present
|
||||
when: add_repository_key is failed
|
||||
|
||||
- name: Add Docker apt key (alternative for older systems without SNI).
|
||||
shell: >
|
||||
curl -sSL {{ docker_apt_gpg_key }} | apt-key add -
|
||||
args:
|
||||
warn: false
|
||||
when: add_repository_key is failed
|
||||
|
||||
- name: Add Docker repository.
|
||||
apt_repository:
|
||||
repo: "{{ docker_apt_repository }}"
|
||||
state: present
|
||||
update_cache: true
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
---
|
||||
- name: Ensure old versions of Docker are not installed.
|
||||
package:
|
||||
name:
|
||||
- docker
|
||||
- docker-common
|
||||
- docker-engine
|
||||
state: absent
|
||||
|
||||
- name: Add Docker GPG key.
|
||||
rpm_key:
|
||||
key: "{{ docker_yum_gpg_key }}"
|
||||
state: present
|
||||
|
||||
- name: Add Docker repository.
|
||||
get_url:
|
||||
url: "{{ docker_yum_repo_url }}"
|
||||
dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: Configure containerd on RHEL 8.
|
||||
block:
|
||||
- name: Ensure container-selinux is installed.
|
||||
package:
|
||||
name: container-selinux
|
||||
state: present
|
||||
|
||||
- name: Ensure containerd.io is installed.
|
||||
package:
|
||||
name: containerd.io
|
||||
state: present
|
||||
when: ansible_distribution_major_version | int == 8
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
---
|
||||
openvas_image_tag: "latest-full"
|
||||
openvas_server_name: "openvas"
|
||||
openvas_base_dir: "/opt/openvas"
|
||||
openvas_database_dir: '{{ openvas_base_dir }}/database'
|
||||
openvas_plugins_dir: '{{ openvas_base_dir }}/plugins'
|
||||
openvas_gvm_dir: '{{ openvas_base_dir }}/gvm'
|
||||
# Variables à renseigner
|
||||
openvas_admin_account: "ADMINUSER"
|
||||
openvas_admin_password: "ADMINPASSWORD"
|
||||
openvas_db_password: "DBPASSWORD"
|
||||
openvas_timezone: "Europe/Paris"
|
||||
|
|
@ -0,0 +1 @@
|
|||
---
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
- name: Create directories
|
||||
ansible.builtin.file:
|
||||
path: '{{ item.path }}'
|
||||
owner: '{{ item.owner | default("vagrant") }}'
|
||||
group: '{{ item.group | default("vagrant") }}'
|
||||
mode: '{{ item.mode | default("0755") }}'
|
||||
state: directory
|
||||
loop:
|
||||
- path: '{{ openvas_base_dir }}'
|
||||
- path: '{{ openvas_database_dir }}'
|
||||
- path: '{{ openvas_plugins_dir }}'
|
||||
- path: '{{ openvas_gvm_dir }}'
|
||||
|
||||
- name: Start Openvas container
|
||||
community.docker.docker_container:
|
||||
name: openvas-ct
|
||||
image: 'deineagenturug/gvm:{{ openvas_image_tag }}'
|
||||
state: started
|
||||
restart_policy: unless-stopped
|
||||
volumes:
|
||||
- '{{ openvas_database_dir }}:/opt/database'
|
||||
- '{{ openvas_plugins_dir }}:/var/lib/openvas/plugins'
|
||||
- '{{ openvas_gvm_dir }}:/var/lib/gvm'
|
||||
ports:
|
||||
# Publish container port 9392 as host port 9392
|
||||
- "9392:9392"
|
||||
env:
|
||||
USERNAME: '{{ openvas_admin_account }}'
|
||||
PASSWORD: '{{ openvas_admin_password }}'
|
||||
DB_PASSWORD: '{{ openvas_db_password }}'
|
||||
AUTO_SYNC: "true"
|
||||
HTTPS: "true"
|
||||
TZ: '{{ openvas_timezone }}'
|
||||
SSHD: "false"
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
#!/usr/bin/env bash
|
||||
apt-get update
|
||||
apt install htop -y
|
||||
ln -fs /usr/share/zoneinfo/Europe/Paris /etc/localtime
|
||||
dpkg-reconfigure --frontend noninteractive tzdata
|
||||
Loading…
Reference in New Issue