From 052825b2a75faccfcba5725167ae2bee482fa34d Mon Sep 17 00:00:00 2001
From: Olivier
Date: Sat, 22 Oct 2022 15:52:36 +0200
Subject: [PATCH] first commit
---
Vagrantfile | 25 ++++++++
ansible/openvas.yml | 7 +++
ansible/roles/docker/defaults/main.yml | 57 +++++++++++++++++
ansible/roles/docker/handlers/main.yml | 7 +++
ansible/roles/docker/tasks/docker-users.yml | 7 +++
ansible/roles/docker/tasks/main.yml | 70 +++++++++++++++++++++
ansible/roles/docker/tasks/setup-Debian.yml | 55 ++++++++++++++++
ansible/roles/docker/tasks/setup-RedHat.yml | 34 ++++++++++
ansible/roles/openvas/defaults/main.yml | 12 ++++
ansible/roles/openvas/handlers/main.yml | 1 +
ansible/roles/openvas/tasks/main.yml | 34 ++++++++++
bootstrap.sh | 5 ++
12 files changed, 314 insertions(+)
create mode 100644 Vagrantfile
create mode 100644 ansible/openvas.yml
create mode 100644 ansible/roles/docker/defaults/main.yml
create mode 100644 ansible/roles/docker/handlers/main.yml
create mode 100644 ansible/roles/docker/tasks/docker-users.yml
create mode 100644 ansible/roles/docker/tasks/main.yml
create mode 100644 ansible/roles/docker/tasks/setup-Debian.yml
create mode 100644 ansible/roles/docker/tasks/setup-RedHat.yml
create mode 100644 ansible/roles/openvas/defaults/main.yml
create mode 100644 ansible/roles/openvas/handlers/main.yml
create mode 100644 ansible/roles/openvas/tasks/main.yml
create mode 100644 bootstrap.sh
diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..3d992a8
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,25 @@
+# Defines our Vagrant environment
+#
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+ config.vm.box = "debian/bullseye64"
+ config.vm.define "openvas" # Pour ne pas avoir le nom "default" par defaut
+ config.vm.hostname = "openvas"
+ config.vm.network "forwarded_port", guest: 9392, host: 9392
+ # config.vm.network :private_network, ip: "192.168.56.4"
+ config.vm.provider "virtualbox" do |vb|
+ vb.name = "openvas"
+ vb.memory = "4096"
+ vb.cpus = 4
+ end
+ config.vm.provision :shell, path: "bootstrap.sh"
+ config.vm.provision "ansible" do |ansible|
+ ansible.playbook = "ansible/openvas.yml"
+ ansible.groups = {
+ "openvas_servers" => ["openvas"],
+ "all_groups:children" => ["openvas_servers"]
+ }
+ end
+end
\ No newline at end of file
diff --git a/ansible/openvas.yml b/ansible/openvas.yml
new file mode 100644
index 0000000..4bc7f31
--- /dev/null
+++ b/ansible/openvas.yml
@@ -0,0 +1,7 @@
+---
+- hosts: openvas_servers
+ become: true
+ roles:
+ - {role: 'docker'}
+ - {role: 'openvas'}
+
diff --git a/ansible/roles/docker/defaults/main.yml b/ansible/roles/docker/defaults/main.yml
new file mode 100644
index 0000000..c6f88b0
--- /dev/null
+++ b/ansible/roles/docker/defaults/main.yml
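Review bot: The `config.vm.network "forwarded_port"` line sets no `host_ip`, and Vagrant's default in that case is to bind host port 9392 on every host interface, so the scanner's web UI is reachable from beyond the workstation while the openvas role still ships placeholder admin credentials as defaults. Restricting the binding to loopback is a one-line change: `config.vm.network "forwarded_port", guest: 9392, host: 9392, host_ip: "127.0.0.1"`. The comment on the `config.vm.define` line is in French; an English equivalent such as `# give the machine a name instead of Vagrant's "default"` would help other contributors. The file also ends without a trailing newline.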
@@ -0,0 +1,57 @@
+---
+# Edition can be one of: 'ce' (Community Edition) or 'ee' (Enterprise Edition).
+docker_edition: 'ce'
+docker_packages:
+ - "docker-{{ docker_edition }}"
+ - "docker-{{ docker_edition }}-cli"
+ - "docker-{{ docker_edition }}-rootless-extras"
+ - "containerd.io"
+docker_packages_state: present
+
+# Service options.
+docker_service_manage: true
+docker_service_state: started
+docker_service_enabled: true
+docker_restart_handler_state: restarted
+
+# Docker Compose Plugin options.
+docker_install_compose_plugin: false
+docker_compose_package: docker-compose-plugin
+docker_compose_package_state: present
+
+# Docker Compose options.
+docker_install_compose: true
+docker_compose_version: "v2.11.1"
+docker_compose_arch: "{{ ansible_architecture }}"
+docker_compose_url: "https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-linux-{{ docker_compose_arch }}"
+docker_compose_path: /usr/local/bin/docker-compose
+
+# Docker repo URL.
+docker_repo_url: https://download.docker.com/linux
+
+# Used only for Debian/Ubuntu. Switch 'stable' to 'nightly' if needed.
+docker_apt_release_channel: stable
+docker_apt_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
+docker_apt_repository: "deb [arch={{ docker_apt_arch }}] {{ docker_repo_url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}"
+docker_apt_ignore_key_error: true
+docker_apt_gpg_key: "{{ docker_repo_url }}/{{ ansible_distribution | lower }}/gpg"
+
+# Used only for RedHat/CentOS/Fedora.
+docker_yum_repo_url: "{{ docker_repo_url }}/{{ (ansible_distribution == 'Fedora') | ternary('fedora','centos') }}/docker-{{ docker_edition }}.repo"
+docker_yum_repo_enable_nightly: '0'
+docker_yum_repo_enable_test: '0'
+docker_yum_gpg_key: "{{ docker_repo_url }}/centos/gpg"
+
+# A list of users who will be added to the docker group.
+docker_users: [vagrant]
+
+# Docker daemon options as a dict
+docker_daemon_options: {
+ "log-driver": "json-file",
+ "log-opts": {
+ "max-size": "300m",
+ "max-file": "3",
+ "compress": "true"
+ },
+ "live-restore": true
+}
\ No newline at end of file
diff --git a/ansible/roles/docker/handlers/main.yml b/ansible/roles/docker/handlers/main.yml
new file mode 100644
index 0000000..54d6ffb
--- /dev/null
+++ b/ansible/roles/docker/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: restart docker
+ service:
+ name: docker
+ state: "{{ docker_restart_handler_state }}"
+ ignore_errors: "{{ ansible_check_mode }}"
+ when: docker_service_manage | bool
\ No newline at end of file
diff --git a/ansible/roles/docker/tasks/docker-users.yml b/ansible/roles/docker/tasks/docker-users.yml
new file mode 100644
index 0000000..aeb2124
--- /dev/null
+++ b/ansible/roles/docker/tasks/docker-users.yml
@@ -0,0 +1,7 @@
+---
+- name: Ensure docker users are added to the docker group.
+ user:
+ name: "{{ item }}"
+ groups: docker
+ append: true
+ with_items: "{{ docker_users }}"
\ No newline at end of file
diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml
new file mode 100644
index 0000000..7fc59bb
--- /dev/null
+++ b/ansible/roles/docker/tasks/main.yml
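Review bot: `docker_apt_repository` carries only `[arch=...]` and no `signed-by=`, while the setup-Debian.yml hunk drops the key into `/etc/apt/trusted.gpg.d/`, so the Docker signing key is trusted for every apt source on the box rather than for the Docker repository alone. Binding the key to its repository is two lines across the two hunks: here `docker_apt_repository: "deb [arch={{ docker_apt_arch }} signed-by=/etc/apt/keyrings/docker.asc] {{ docker_repo_url }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} {{ docker_apt_release_channel }}"` and in setup-Debian.yml `dest: /etc/apt/keyrings/docker.asc` (creating that directory first on releases that do not ship it). `docker_apt_ignore_key_error: true` also makes a failed key download non-fatal by default, which is exactly what enables the `apt-key` fallback in that file; a default of `false` would surface the failure instead. Separately, the `docker_install_compose*`, `docker_compose_*` and `docker_yum_repo_enable_*` variables are declared here but, as far as this commit shows, no task reads them, so they are either dead defaults or belong to an include that was not carried over.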
@@ -0,0 +1,70 @@
+---
+- include_tasks: setup-RedHat.yml
+ when: ansible_os_family == 'RedHat'
+
+- include_tasks: setup-Debian.yml
+ when: ansible_os_family == 'Debian'
+
+- name: Install Docker packages.
+ package:
+ name: "{{ docker_packages }}"
+ state: "{{ docker_packages_state }}"
+ notify: restart docker
+ ignore_errors: "{{ ansible_check_mode }}"
+ when: "ansible_version.full is version_compare('2.12', '<') or ansible_os_family not in ['RedHat', 'Debian']"
+
+- name: Install Docker packages (with downgrade option).
+ package:
+ name: "{{ docker_packages }}"
+ state: "{{ docker_packages_state }}"
+ allow_downgrade: true
+ notify: restart docker
+ ignore_errors: "{{ ansible_check_mode }}"
+ when: "ansible_version.full is version_compare('2.12', '>=') and ansible_os_family in ['RedHat', 'Debian']"
+
+- name: Ensure /etc/docker/ directory exists.
+ file:
+ path: /etc/docker
+ state: directory
+ mode: 0755
+ when: docker_daemon_options.keys() | length > 0
+
+- name: Configure Docker daemon options.
+ copy:
+ content: "{{ docker_daemon_options | to_nice_json }}"
+ dest: /etc/docker/daemon.json
+ mode: 0644
+ when: docker_daemon_options.keys() | length > 0
+ notify: restart docker
+
+- name: Ensure Docker is started and enabled at boot.
+ service:
+ name: docker
+ state: "{{ docker_service_state }}"
+ enabled: "{{ docker_service_enabled }}"
+ ignore_errors: "{{ ansible_check_mode }}"
+ when: docker_service_manage | bool
+
+- name: Ensure handlers are notified now to avoid firewall conflicts.
+ meta: flush_handlers
+
+# On récupère les utilisateurs membres du groupe docker si on a passé des users dans la variable docker_users
+- name: Get docker group info using getent.
+ getent:
+ database: group
+ key: docker
+ split: ':'
+ when: docker_users | length > 0
+
+# On vérifie si les users n'exsistent pas. Si c'est le cas on créé une nouvelle variable
+- name: Check if there are any users to add to the docker group.
+ set_fact:
+ at_least_one_user_to_modify: true
+ when:
+ - docker_users | length > 0
+ - item not in ansible_facts.getent_group["docker"][2] # Permet de récupérer une liste des utilisateurs renseignée dans le troisième champs.
+ with_items: "{{ docker_users }}"
+
+# Si la nouvelle variable a été définie on exécute la task
+- include_tasks: docker-users.yml
+ when: at_least_one_user_to_modify is defined
\ No newline at end of file
diff --git a/ansible/roles/docker/tasks/setup-Debian.yml b/ansible/roles/docker/tasks/setup-Debian.yml
new file mode 100644
index 0000000..a82bde5
--- /dev/null
+++ b/ansible/roles/docker/tasks/setup-Debian.yml
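Review bot: The two `when:` conditions on the package-install tasks use `version_compare`, the older spelling of the `version` test that setup-Debian.yml in this same commit already uses; `ansible_version.full is version('2.12', '<')` (and `'>='` on the downgrade task) keeps the role consistent and avoids the legacy alias. The `mode: 0755` and `mode: 0644` values on the /etc/docker tasks are unquoted and rely on the YAML parser treating the leading zero as octal, whereas setup-Debian.yml quotes `mode: '0644'`; quoting them as `mode: '0755'` / `mode: '0644'` removes the dependency on parser behaviour, and the same applies to `mode: 0644` in the setup-RedHat.yml hunk. The three French comments around the getent/set_fact tasks would serve other contributors better in English, for example `# Only query getent when docker_users is non-empty` and `# Set a fact when at least one listed user is missing from the docker group (field 3 of the getent record)`.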
@@ -0,0 +1,55 @@
+---
+- name: Ensure old versions of Docker are not installed.
+ ansible.builtin.package:
+ name:
+ - docker
+ - docker-engine
+ - docker.io
+ state: absent
+
+- name: Ensure dependencies are installed.
+ ansible.builtin.apt:
+ name:
+ - apt-transport-https
+ - ca-certificates
+ state: present
+
+- name: Ensure additional dependencies are installed (on Ubuntu < 20.04 and any other systems).
+ ansible.builtin.apt:
+ name: gnupg2
+ state: present
+ when: ansible_distribution != 'Ubuntu' or ansible_distribution_version is version('20.04', '<')
+
+- name: Ensure additional dependencies are installed (on Ubuntu >= 20.04).
+ ansible.builtin.apt:
+ name: gnupg
+ state: present
+ when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')
+
+- name: Add Docker apt key.
+ ansible.builtin.get_url:
+ url: "{{ docker_apt_gpg_key }}"
+ dest: /etc/apt/trusted.gpg.d/docker.asc
+ mode: '0644'
+ force: true
+ register: add_repository_key
+ ignore_errors: "{{ docker_apt_ignore_key_error }}"
+
+- name: Ensure curl is present (on older systems without SNI).
+ ansible.builtin.package:
+ name: curl
+ state: present
+ when: add_repository_key is failed
+
+- name: Add Docker apt key (alternative for older systems without SNI).
+ shell: >
+ curl -sSL {{ docker_apt_gpg_key }} | apt-key add -
+ args:
+ warn: false
+ when: add_repository_key is failed
+
+- name: Add Docker repository.
+ apt_repository:
+ repo: "{{ docker_apt_repository }}"
+ state: present
+ update_cache: true
\ No newline at end of file
diff --git a/ansible/roles/docker/tasks/setup-RedHat.yml b/ansible/roles/docker/tasks/setup-RedHat.yml
new file mode 100644
index 0000000..cb680d9
--- /dev/null
+++ b/ansible/roles/docker/tasks/setup-RedHat.yml
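Review bot: The fallback task `Add Docker apt key (alternative for older systems without SNI)` pipes `curl` into `apt-key add -`, which writes the key into the legacy global keyring that `apt-key` itself reports as deprecated on Debian 11, the `debian/bullseye64` box this commit's Vagrantfile targets; on that target the fallback is never needed, so it and the preceding curl task could be dropped, or at least gated behind an explicit opt-in variable. Its `args: warn: false` depends on the shell module's `warn` option, which has been deprecated and, if I recall correctly, removed in later ansible-core releases, so on a newer control node the task would fail before the command even runs — worth checking against the version this project pins. The file mixes `ansible.builtin.` FQCNs with bare `shell` and `apt_repository`; `ansible.builtin.shell:` and `ansible.builtin.apt_repository:` would keep it uniform. A comment on the get_url task such as `# get_url validates the TLS certificate; the curl fallback below only runs when docker_apt_ignore_key_error lets this task fail` would make the error-handling intent explicit.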
@@ -0,0 +1,34 @@
+---
+- name: Ensure old versions of Docker are not installed.
+ package:
+ name:
+ - docker
+ - docker-common
+ - docker-engine
+ state: absent
+
+- name: Add Docker GPG key.
+ rpm_key:
+ key: "{{ docker_yum_gpg_key }}"
+ state: present
+
+- name: Add Docker repository.
+ get_url:
+ url: "{{ docker_yum_repo_url }}"
+ dest: '/etc/yum.repos.d/docker-{{ docker_edition }}.repo'
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Configure containerd on RHEL 8.
+ block:
+ - name: Ensure container-selinux is installed.
+ package:
+ name: container-selinux
+ state: present
+
+ - name: Ensure containerd.io is installed.
+ package:
+ name: containerd.io
+ state: present
+ when: ansible_distribution_major_version | int == 8
\ No newline at end of file
diff --git a/ansible/roles/openvas/defaults/main.yml b/ansible/roles/openvas/defaults/main.yml
new file mode 100644
index 0000000..b4a3642
--- /dev/null
+++ b/ansible/roles/openvas/defaults/main.yml
@@ -0,0 +1,12 @@
+---
+openvas_image_tag: "latest-full"
+openvas_server_name: "openvas"
+openvas_base_dir: "/opt/openvas"
+openvas_database_dir: '{{ openvas_base_dir }}/database'
+openvas_plugins_dir: '{{ openvas_base_dir }}/plugins'
+openvas_gvm_dir: '{{ openvas_base_dir }}/gvm'
+# Variables à renseigner
+openvas_admin_account: "ADMINUSER"
+openvas_admin_password: "ADMINPASSWORD"
+openvas_db_password: "DBPASSWORD"
+openvas_timezone: "Europe/Paris"
diff --git a/ansible/roles/openvas/handlers/main.yml b/ansible/roles/openvas/handlers/main.yml
new file mode 100644
index 0000000..73b314f
--- /dev/null
+++ b/ansible/roles/openvas/handlers/main.yml
@@ -0,0 +1 @@
+---
\ No newline at end of file
diff --git a/ansible/roles/openvas/tasks/main.yml b/ansible/roles/openvas/tasks/main.yml
new file mode 100644
index 0000000..64362fe
--- /dev/null
+++ b/ansible/roles/openvas/tasks/main.yml
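Review bot: `openvas_admin_account`, `openvas_admin_password` and `openvas_db_password` ship with the literal placeholders `ADMINUSER`, `ADMINPASSWORD` and `DBPASSWORD`, and nothing in the openvas role refuses to run when they are left unchanged, so skipping the `# Variables à renseigner` step yields a scanner listening on port 9392 with guessable credentials. An `ansible.builtin.assert` at the top of the openvas tasks with `that: openvas_admin_password != "ADMINPASSWORD"` (and the two siblings) plus a `fail_msg` pointing at this file would make that mistake loud, and the real values belong in an Ansible Vault file or `host_vars`, not in role defaults. The comment would be clearer in English: `# Override these before running — never deploy with the placeholders`. `openvas_server_name` is declared but, as far as this commit shows, no task or the Vagrantfile reads it.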
@@ -0,0 +1,34 @@
+- name: Create directories
+ ansible.builtin.file:
+ path: '{{ item.path }}'
+ owner: '{{ item.owner | default("vagrant") }}'
+ group: '{{ item.group | default("vagrant") }}'
+ mode: '{{ item.mode | default("0755") }}'
+ state: directory
+ loop:
+ - path: '{{ openvas_base_dir }}'
+ - path: '{{ openvas_database_dir }}'
+ - path: '{{ openvas_plugins_dir }}'
+ - path: '{{ openvas_gvm_dir }}'
+
+- name: Start Openvas container
+ community.docker.docker_container:
+ name: openvas-ct
+ image: 'deineagenturug/gvm:{{ openvas_image_tag }}'
+ state: started
+ restart_policy: unless-stopped
+ volumes:
+ - '{{ openvas_database_dir }}:/opt/database'
+ - '{{ openvas_plugins_dir }}:/var/lib/openvas/plugins'
+ - '{{ openvas_gvm_dir }}:/var/lib/gvm'
+ ports:
+ # Publish container port 9392 as host port 9392
+ - "9392:9392"
+ env:
+ USERNAME: '{{ openvas_admin_account }}'
+ PASSWORD: '{{ openvas_admin_password }}'
+ DB_PASSWORD: '{{ openvas_db_password }}'
+ AUTO_SYNC: "true"
+ HTTPS: "true"
+ TZ: '{{ openvas_timezone }}'
+ SSHD: "false"
\ No newline at end of file
diff --git a/bootstrap.sh b/bootstrap.sh
new file mode 100644
index 0000000..560baac
--- /dev/null
+++ b/bootstrap.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+apt-get update
+apt install htop -y
+ln -fs /usr/share/zoneinfo/Europe/Paris /etc/localtime
+dpkg-reconfigure --frontend noninteractive tzdata
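Review bot: The `Start Openvas container` task passes `PASSWORD` and `DB_PASSWORD` through `env:` without `no_log: true`, so a verbose run or a failure of that task prints both secrets in the Ansible output and any log it is tee'd into; add `no_log: true` at task level, next to `community.docker.docker_container:`, not inside the module arguments. The image is resolved from the mutable tag `deineagenturug/gvm:{{ openvas_image_tag }}` with `latest-full` as default, so each provisioning run may pull a different third-party image; pinning a digest (`image: 'deineagenturug/gvm@sha256:<DIGEST_PLACEHOLDER>'`) or at least a fixed release tag makes the supply chain reproducible. The directory task hard-codes `vagrant` as the fallback owner and group, which ties the role to this one box; a role variable such as `openvas_dir_owner` with that default would keep it reusable. The file is also the only YAML in the commit without a leading `---`, and it ends without a newline.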
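Review bot: `apt install htop -y` uses the interactive `apt` front-end, which warns that its CLI is not stable for scripts, and the script has no error handling, so a failed `apt-get update` silently continues into the install and the timezone steps. Replace the two package lines after the shebang with `set -euo pipefail`, `apt-get update` and `DEBIAN_FRONTEND=noninteractive apt-get install -y htop`. The timezone is hard-coded to Europe/Paris here and again as `openvas_timezone` in ansible/roles/openvas/defaults/main.yml; a comment `# Keep in sync with openvas_timezone in ansible/roles/openvas/defaults/main.yml` would at least flag the duplication.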