From 1c434c2be0c6653a86c2204561a25760ade34668 Mon Sep 17 00:00:00 2001
From: Temur Maisuradze <temur@grena.ge>
Date: Fri, 19 Feb 2021 17:26:53 +0400
Subject: [PATCH] devide instalation into multiple steps (start and stop docker
 containers, init cluster and also seperate actions for start, stop, restart
 and update-config)

---
 dockercontainers.yml                    |   7 +
 initsoctools.yml                        |  57 +++++++
 roles/cassandra/tasks/init.yml          |  15 ++
 roles/cassandra/tasks/main.yml          |   4 +
 roles/cassandra/tasks/restart.yml       |   7 +
 roles/cassandra/tasks/start.yml         |  12 --
 roles/cassandra/tasks/update-config.yml |   7 -
 roles/cortex/tasks/init.yml             |  47 ++++++
 roles/cortex/tasks/main.yml             |   4 +
 roles/cortex/tasks/start.yml            |  45 ------
 roles/docker/tasks/cassandra.yml        |   4 +-
 roles/docker/tasks/cortex.yml           |   8 +-
 roles/docker/tasks/haproxy.yml          |   4 +-
 roles/docker/tasks/keycloak.yml         |   4 +-
 roles/docker/tasks/misp.yml             |   4 +-
 roles/docker/tasks/mysql.yml            |   4 +-
 roles/docker/tasks/networkcreate.yml    |   3 +-
 roles/docker/tasks/networkremove.yml    |   2 +-
 roles/docker/tasks/nifi.yml             |   4 +-
 roles/docker/tasks/odfees.yml           |   4 +-
 roles/docker/tasks/odfekibana.yml       |   4 +-
 roles/docker/tasks/thehive.yml          |   6 +-
 roles/docker/tasks/volumecreate.yml     |  10 +-
 roles/docker/tasks/zookeeper.yml        |   4 +-
 roles/filebeat/tasks/init.yml           |  19 +++
 roles/filebeat/tasks/main.yml           |   4 +
 roles/filebeat/tasks/start.yml          |  16 --
 roles/haproxy/tasks/init.yml            |  52 +++++++
 roles/haproxy/tasks/main.yml            |   4 +
 roles/haproxy/tasks/start.yml           |  49 ------
 roles/keycloak/tasks/init.yml           | 103 ++++++++++++
 roles/keycloak/tasks/main.yml           |   4 +
 roles/keycloak/tasks/start.yml          |  89 -----------
 roles/misp/tasks/init.yml               |  59 +++++++
 roles/misp/tasks/main.yml               |   6 +-
 roles/misp/tasks/start.yml              |  57 -------
 roles/misp/tasks/stop.yml               |   3 +-
 roles/mysql/tasks/init.yml              |   7 +
 roles/mysql/tasks/main.yml              |   8 +-
 roles/mysql/tasks/misp.yml              |  13 --
 roles/mysql/tasks/secure.yml            |  46 ------
 roles/mysql/tasks/start.yml             |   4 +
 roles/nifi/tasks/init.yml               | 185 ++++++++++++++++++++++
 roles/nifi/tasks/main.yml               |   4 +
 roles/nifi/tasks/start.yml              | 198 ------------------------
 roles/odfees/tasks/init.yml             | 100 ++++++++++++
 roles/odfees/tasks/main.yml             |   4 +
 roles/odfees/tasks/start.yml            |  88 -----------
 roles/odfekibana/tasks/init.yml         | 114 ++++++++++++++
 roles/odfekibana/tasks/main.yml         |   4 +
 roles/odfekibana/tasks/restart.yml      |   8 -
 roles/odfekibana/tasks/start.yml        | 143 -----------------
 roles/thehive/tasks/init.yml            |  49 ++++++
 roles/thehive/tasks/main.yml            |  12 +-
 roles/thehive/tasks/start.yml           |  46 ------
 soctools.yml                            |   8 +
 startsoctools.yml                       |  30 ++--
 stopsoctools.yml                        |  50 +++++-
 58 files changed, 972 insertions(+), 884 deletions(-)
 create mode 100644 dockercontainers.yml
 create mode 100644 initsoctools.yml
 create mode 100644 roles/cassandra/tasks/init.yml
 create mode 100644 roles/cortex/tasks/init.yml
 create mode 100644 roles/filebeat/tasks/init.yml
 create mode 100644 roles/haproxy/tasks/init.yml
 create mode 100644 roles/keycloak/tasks/init.yml
 create mode 100644 roles/misp/tasks/init.yml
 create mode 100644 roles/mysql/tasks/init.yml
 create mode 100644 roles/mysql/tasks/start.yml
 create mode 100644 roles/nifi/tasks/init.yml
 create mode 100644 roles/odfees/tasks/init.yml
 create mode 100644 roles/odfekibana/tasks/init.yml
 create mode 100644 roles/thehive/tasks/init.yml

diff --git a/dockercontainers.yml b/dockercontainers.yml
new file mode 100644
index 0000000..de07583
--- /dev/null
+++ b/dockercontainers.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Manage docker containers 
+  hosts: soctoolsmain
+  roles:
+    - docker
+
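Review bot: Nothing in this playbook restricts which docker tasks run, so an invocation without `--tags` would execute both the tasks tagged `start-docker-containers` and the `state: absent` tasks tagged `stop-docker-containers` in one pass (assuming the docker role's main.yml pulls in the task files changed later in this patch). initsoctools.yml has the same shape: each role's main.yml includes init.yml, start.yml and stop.yml, separated only by tags. I would add a header comment such as `# Run with --tags start-docker-containers or --tags stop-docker-containers; an untagged run executes both` here, and the `--tags init` equivalent in initsoctools.yml. The trailing space after `Manage docker containers` can be dropped at the same time.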
diff --git a/initsoctools.yml b/initsoctools.yml
new file mode 100644
index 0000000..b437150
--- /dev/null
+++ b/initsoctools.yml
@@ -0,0 +1,57 @@
+---
+
+- name: Reconfigure and start haproxy
+  hosts: haproxy
+  roles:
+    - haproxy
+
+- name: Reconfigure and start mysql
+  hosts: mysql
+  roles:
+    - mysql
+
+- name: Reconfigure and start Cassandra
+  hosts: cassandra
+  roles:
+    - cassandra
+
+- name: Reconfigure and start Keycloak
+  hosts: keycloakcontainers
+  roles:
+    - keycloak
+
+- name: Reconfigure and start MISP
+  hosts: mispcontainers
+  roles:
+    - misp
+
+- name: Reconfigure and start NiFi
+  hosts: nificontainers
+  roles:
+    - nifi
+
+- name: Reconfigure and start TheHive
+  hosts: thehive
+  roles:
+    - thehive
+
+- name: Reconfigure and start Cortex
+  hosts: cortex
+  roles:
+    - cortex
+
+- name: Reconfigure and start OpenDistro for Elasticsearch
+  hosts: odfeescontainers
+  roles:
+    - odfees
+
+- name: Reconfigure and start OpenDistro Kibana for Elasticsearch
+  hosts: odfekibanacontainers
+  roles:
+    - odfekibana
+
+- name: Install and run filebeat
+  hosts: filebeat
+  roles:
+    - filebeat
+
diff --git a/roles/cassandra/tasks/init.yml b/roles/cassandra/tasks/init.yml
new file mode 100644
index 0000000..e8a1d35
--- /dev/null
+++ b/roles/cassandra/tasks/init.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Configure Cassandra
+  remote_user: cassandra
+  template:
+    src: cassandra.yaml.j2
+    dest: /usr/share/cassandra/conf/cassandra.yaml
+
+- name: Set Autostart for supervisord's services
+  replace:
+    path: /etc/supervisord.conf
+    regexp: '^autostart=false$'
+    replace: 'autostart=true'
+
+
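Review bot: The `Set Autostart for supervisord's services` task edits /etc/supervisord.conf without a `remote_user`, while other root-level tasks in this patch set `remote_user: root` explicitly, so whether it can write the file depends on the play's default connection user, which is not visible here. Adding `remote_user: root` would make the required privilege explicit; the same task is repeated in the cortex and keycloak init.yml hunks. The `replace` also rewrites every `autostart=false` line in the file, not only Cassandra's program section, which deserves a one-line comment if it is intended. `Configure Cassandra` sets no `mode` or `owner` on cassandra.yaml, so the result follows the remote umask.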
diff --git a/roles/cassandra/tasks/main.yml b/roles/cassandra/tasks/main.yml
index f26e13b..86f49a4 100644
--- a/roles/cassandra/tasks/main.yml
+++ b/roles/cassandra/tasks/main.yml
@@ -1,8 +1,12 @@
 ---
 
+- include: init.yml
+  tags:
+   - init
 - include: start.yml
   tags:
    - start
+   - init
 - include: stop.yml
   tags:
    - stop
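Review bot: Tagging start.yml with `init` as well as `start` is not explained, and the effect is easy to miss: `--tags init` now runs init.yml and then start.yml. A comment above the include, e.g. `# also tagged init so that --tags init configures and then starts the service`, would record that. The same pattern is added in the cortex, filebeat, haproxy and keycloak main.yml hunks; for keycloak it means the service start and the port wait run twice under `--tags init`, because roles/keycloak/tasks/init.yml already contains `Start Keycloak IdP` and `Wait for Keycloak`. The file continues past this hunk.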
diff --git a/roles/cassandra/tasks/restart.yml b/roles/cassandra/tasks/restart.yml
index b6e575b..41c4a11 100644
--- a/roles/cassandra/tasks/restart.yml
+++ b/roles/cassandra/tasks/restart.yml
@@ -4,3 +4,10 @@
   remote_user: root
   command: "supervisorctl restart cassandra"
 
+- name: Wait for Cassandra
+  remote_user: root
+  wait_for:
+    host: "{{groups['cassandra'][0]}}"
+    port: 9042
+    state: started
+    delay: 5
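Review bot: The added `Wait for Cassandra` task always probes `groups['cassandra'][0]`, so on an inventory with more than one Cassandra host every node waits for the first one rather than for the instance it just restarted. If per-node readiness is what is wanted, `host: "{{ inventory_hostname }}"` would check the restarted node itself (this assumes inventory names resolve inside the container network, as the existing `groups[...]` lookup already does). No `timeout` is set, so the module default applies; stating it, e.g. `timeout: 300`, makes the failure bound visible.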
diff --git a/roles/cassandra/tasks/start.yml b/roles/cassandra/tasks/start.yml
index 1018944..b3d1cc8 100644
--- a/roles/cassandra/tasks/start.yml
+++ b/roles/cassandra/tasks/start.yml
@@ -1,11 +1,5 @@
 ---
 
-- name: Configure Cassandra
-  remote_user: cassandra
-  template:
-    src: cassandra.yaml.j2
-    dest: /usr/share/cassandra/conf/cassandra.yaml
-
 - name: Start Cassandra
   remote_user: root
   command: "supervisorctl start cassandra"
@@ -18,10 +12,4 @@
     state: started
     delay: 5
 
-- name: Set Autostart for supervisord's services
-  replace:
-    path: /etc/supervisord.conf
-    regexp: '^autostart=false$'
-    replace: 'autostart=true'
-
 
diff --git a/roles/cassandra/tasks/update-config.yml b/roles/cassandra/tasks/update-config.yml
index ceb0b60..977839a 100644
--- a/roles/cassandra/tasks/update-config.yml
+++ b/roles/cassandra/tasks/update-config.yml
@@ -6,10 +6,3 @@
     src: cassandra.yaml.j2
     dest: /usr/share/cassandra/conf/cassandra.yaml
 
-- name: Wait for Cassandra
-  remote_user: root
-  wait_for:
-    host: "{{groups['cassandra'][0]}}"
-    port: 9042
-    state: started
-    delay: 5
diff --git a/roles/cortex/tasks/init.yml b/roles/cortex/tasks/init.yml
new file mode 100644
index 0000000..c435512
--- /dev/null
+++ b/roles/cortex/tasks/init.yml
@@ -0,0 +1,47 @@
+---
+
+- name: Copy cacert to ca-trust dir
+  remote_user: root
+  copy:
+    src: "{{playbook_dir}}/secrets/CA/ca.crt"
+    dest: /etc/pki/ca-trust/source/anchors/ca.crt
+
+- name: Install cacert to root truststore
+  remote_user: root
+  command: "update-ca-trust"
+
+- name: Copy certificates in cortex conf dir
+  remote_user: cortex
+  copy:
+    src:  "{{ item }}"
+    dest: "/etc/cortex/"
+    mode: 0600
+  with_items:
+    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12"
+    - "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
+    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
+    - "{{playbook_dir}}/secrets/CA/cacerts.jks"
+    - "{{playbook_dir}}/secrets/CA/ca.crt"
+
+- name: Get openid authkey
+  set_fact:
+    cortexsecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/cortexsecret',convert_data=False) | from_json}}"
+
+- name: Configure embedded Elasticsearch 6
+  remote_user: root
+  template:
+    src: jvm.options.j2
+    dest: /etc/elasticsearch/jvm.options
+
+- name: Configure Cortex
+  remote_user: cortex
+  template:
+    src: application.conf.j2
+    dest: /etc/cortex/application.conf
+
+- name: Set Autostart for supervisord's services
+  replace:
+    path: /etc/supervisord.conf
+    regexp: '^autostart=false$'
+    replace: 'autostart=true'
+
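Review bot: `Get openid authkey` stores the decoded client secret in a fact without `no_log: true`, so the value can show up in verbose output and in any callback or log that records task results. Add `no_log: true` to that task; the lookup can also drop the nested braces, `lookup('file', playbook_dir + '/secrets/tokens/cortexsecret', convert_data=False) | from_json`, since templating inside an expression is discouraged. `Configure Cortex` writes /etc/cortex/application.conf with no `mode`; if the template embeds `cortexsecret` (the template is not shown), `mode: '0600'` would match the key material copied next to it. The misp init.yml hunk repeats the `set_fact` pattern for `mispsecret`.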
diff --git a/roles/cortex/tasks/main.yml b/roles/cortex/tasks/main.yml
index 5216d2c..0ce28c0 100644
--- a/roles/cortex/tasks/main.yml
+++ b/roles/cortex/tasks/main.yml
@@ -1,8 +1,12 @@
 ---
 
+- include: init.yml
+  tags:
+   - init
 - include: start.yml
   tags:
    - start
+   - init
 - include: stop.yml
   tags:
    - stop
diff --git a/roles/cortex/tasks/start.yml b/roles/cortex/tasks/start.yml
index 9b7eb79..347856f 100644
--- a/roles/cortex/tasks/start.yml
+++ b/roles/cortex/tasks/start.yml
@@ -1,48 +1,9 @@
 ---
 
-- name: Copy cacert to ca-trust dir
-  remote_user: root
-  copy:
-    src: "{{playbook_dir}}/secrets/CA/ca.crt"
-    dest: /etc/pki/ca-trust/source/anchors/ca.crt
-
-- name: Install cacert to root truststore
-  remote_user: root
-  command: "update-ca-trust"
-
-- name: Copy certificates in cortex conf dir
-  remote_user: cortex
-  copy:
-    src:  "{{ item }}"
-    dest: "/etc/cortex/"
-    mode: 0600
-  with_items:
-    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12"
-    - "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
-    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
-    - "{{playbook_dir}}/secrets/CA/cacerts.jks"
-    - "{{playbook_dir}}/secrets/CA/ca.crt"
-
-- name: Get openid authkey
-  set_fact:
-    cortexsecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/cortexsecret',convert_data=False) | from_json}}"
-
-- name: Configure embedded Elasticsearch 6
-  remote_user: root
-  template:
-    src: jvm.options.j2
-    dest: /etc/elasticsearch/jvm.options
-
 - name: Start embedded Elasticsearch 6
   remote_user: root
   command: "supervisorctl start elasticsearch"
 
-- name: Configure Cortex
-  remote_user: cortex
-  template:
-    src: application.conf.j2
-    dest: /etc/cortex/application.conf
-
 - name: Start Cortex
   remote_user: root
   command: "supervisorctl start cortex"
@@ -55,9 +16,3 @@
     state: started
     delay: 5
 
-- name: Set Autostart for supervisord's services
-  replace:
-    path: /etc/supervisord.conf
-    regexp: '^autostart=false$'
-    replace: 'autostart=true'
-
diff --git a/roles/docker/tasks/cassandra.yml b/roles/docker/tasks/cassandra.yml
index b913425..bfb41cc 100644
--- a/roles/docker/tasks/cassandra.yml
+++ b/roles/docker/tasks/cassandra.yml
@@ -13,7 +13,7 @@
     interactive: "yes"
   with_items: "{{ groups['cassandra'] }}"
   tags:
-    - start
+    - start-docker-containers
 
 - name: Disconnect cassandra containers from network and remove
   docker_container:
@@ -21,5 +21,5 @@
     state: absent
   with_items: "{{ groups['cassandra'] }}"
   tags:
-    - stop
+    - stop-docker-containers
 
diff --git a/roles/docker/tasks/cortex.yml b/roles/docker/tasks/cortex.yml
index 15a0732..ec2ff38 100644
--- a/roles/docker/tasks/cortex.yml
+++ b/roles/docker/tasks/cortex.yml
@@ -8,15 +8,12 @@
     networks:
       - name: "{{ soctools_netname }}"
     networks_cli_compatible: yes
-#    published_ports:
-#      - "9001:9001"
     volumes: 
       - "{{item}}:/var/lib/elasticsearch/"
     interactive: "yes"
   with_items: "{{ groups['cortex'] }}"
   tags:
-    - start
-    - startcortex
+    - start-docker-containers
 
 - name: Disconnect cortex containers from network and remove
   docker_container:
@@ -24,5 +21,4 @@
     state: absent
   with_items: "{{ groups['cortex'] }}"
   tags:
-    - stop
-    - stopcortex
+    - stop-docker-containers
diff --git a/roles/docker/tasks/haproxy.yml b/roles/docker/tasks/haproxy.yml
index b018076..5fb181e 100644
--- a/roles/docker/tasks/haproxy.yml
+++ b/roles/docker/tasks/haproxy.yml
@@ -21,11 +21,11 @@
       - "9001:9001"
     interactive: "yes"
   tags:
-    - start
+    - start-docker-containers
 
 - name: Destroy haproxy container
   docker_container:
     name: "{{ haproxy_name }}"
     state: absent
   tags:
-    - stop
+    - stop-docker-containers
diff --git a/roles/docker/tasks/keycloak.yml b/roles/docker/tasks/keycloak.yml
index 1fddf2a..dfc073c 100644
--- a/roles/docker/tasks/keycloak.yml
+++ b/roles/docker/tasks/keycloak.yml
@@ -13,7 +13,7 @@
     interactive: "yes"
   with_items: "{{ groups['keycloakcontainers'] }}"
   tags:
-    - start
+    - start-docker-containers
 
 - name: Disconnect keycloak containers from network and remove
   docker_container:
@@ -21,5 +21,5 @@
     state: absent
   with_items: "{{ groups['keycloakcontainers'] }}"
   tags:
-    - stop
+    - stop-docker-containers
 
diff --git a/roles/docker/tasks/misp.yml b/roles/docker/tasks/misp.yml
index f32e440..953f386 100644
--- a/roles/docker/tasks/misp.yml
+++ b/roles/docker/tasks/misp.yml
@@ -12,11 +12,11 @@
     published_ports:
       - "6443:6443"
   tags:
-    - start
+    - start-docker-containers
 
 - name: Destroy misp container
   docker_container:
     name: "{{ misp_name }}"
     state: absent
   tags:
-    - stop
+    - stop-docker-containers
diff --git a/roles/docker/tasks/mysql.yml b/roles/docker/tasks/mysql.yml
index ada6fb4..d7779da 100644
--- a/roles/docker/tasks/mysql.yml
+++ b/roles/docker/tasks/mysql.yml
@@ -11,11 +11,11 @@
     volumes:
       - "{{mysql_name}}:/var/opt/rh/rh-mariadb103/lib/mysql"
   tags:
-    - start
+    - start-docker-containers
 
 - name: Destroy mysql container
   docker_container:
     name: "{{ mysql_name }}"
     state: absent
   tags:
-    - stop
+    - stop-docker-containers
diff --git a/roles/docker/tasks/networkcreate.yml b/roles/docker/tasks/networkcreate.yml
index 3e1cdf6..02494b9 100644
--- a/roles/docker/tasks/networkcreate.yml
+++ b/roles/docker/tasks/networkcreate.yml
@@ -7,6 +7,5 @@
     ipam_config:
       - subnet: "{{ soctools_network }}"
   tags:
-    - start
-    - startcortex
+    - start-docker-containers
 
diff --git a/roles/docker/tasks/networkremove.yml b/roles/docker/tasks/networkremove.yml
index caec5bc..5a217ce 100644
--- a/roles/docker/tasks/networkremove.yml
+++ b/roles/docker/tasks/networkremove.yml
@@ -5,5 +5,5 @@
     name: "{{ soctools_netname }}"
     state: absent
   tags:
-    - stop
+    - stop-docker-containers
 
diff --git a/roles/docker/tasks/nifi.yml b/roles/docker/tasks/nifi.yml
index e85fb61..fa32278 100644
--- a/roles/docker/tasks/nifi.yml
+++ b/roles/docker/tasks/nifi.yml
@@ -13,7 +13,7 @@
     interactive: "yes"
   with_items: "{{ groups['nificontainers'] }}"
   tags:
-    - start
+    - start-docker-containers
 
 - name: Disconnect Nifi containers from network and remove
   docker_container:
@@ -21,5 +21,5 @@
     state: absent
   with_items: "{{ groups['nificontainers'] }}"
   tags:
-    - stop
+    - stop-docker-containers
 
diff --git a/roles/docker/tasks/odfees.yml b/roles/docker/tasks/odfees.yml
index fa35ddd..7ae76b5 100644
--- a/roles/docker/tasks/odfees.yml
+++ b/roles/docker/tasks/odfees.yml
@@ -13,7 +13,7 @@
     interactive: "yes"
   with_items: "{{ groups['odfeescontainers'] }}"
   tags:
-    - start
+    - start-docker-containers
 
 - name: Disconnect odfe elasticsearch containers from network and remove
   docker_container:
@@ -21,5 +21,5 @@
     state: absent
   with_items: "{{ groups['odfeescontainers'] }}"
   tags:
-    - stop
+    - stop-docker-containers
 
diff --git a/roles/docker/tasks/odfekibana.yml b/roles/docker/tasks/odfekibana.yml
index a1c88a2..af56622 100644
--- a/roles/docker/tasks/odfekibana.yml
+++ b/roles/docker/tasks/odfekibana.yml
@@ -13,7 +13,7 @@
     interactive: "yes"
   with_items: "{{ groups['odfekibanacontainers'] }}"
   tags:
-    - start
+    - start-docker-containers
 
 - name: Disconnect odfe kibana containers from network and remove
   docker_container:
@@ -21,5 +21,5 @@
     state: absent
   with_items: "{{ groups['odfekibanacontainers'] }}"
   tags:
-    - stop
+    - stop-docker-containers
 
diff --git a/roles/docker/tasks/thehive.yml b/roles/docker/tasks/thehive.yml
index 68fdd3c..18dc840 100644
--- a/roles/docker/tasks/thehive.yml
+++ b/roles/docker/tasks/thehive.yml
@@ -8,12 +8,10 @@
     networks:
       - name: "{{ soctools_netname }}"
     networks_cli_compatible: yes
-#    published_ports:
-#      - "9000:9000"
     interactive: "yes"
   with_items: "{{ groups['thehive'] }}"
   tags:
-    - start
+    - start-docker-containers
 
 - name: Disconnect thehive containers from network and remove
   docker_container:
@@ -21,5 +19,5 @@
     state: absent
   with_items: "{{ groups['thehive'] }}"
   tags:
-    - stop
+    - stop-docker-containers
 
diff --git a/roles/docker/tasks/volumecreate.yml b/roles/docker/tasks/volumecreate.yml
index 706652a..a4e9220 100644
--- a/roles/docker/tasks/volumecreate.yml
+++ b/roles/docker/tasks/volumecreate.yml
@@ -6,7 +6,7 @@
   with_items:
     - "{{ groups['mysql'] }}" 
   tags:
-    - start
+    - start-docker-containers
 
 - name: Create cassandra volumes
   docker_volume:
@@ -14,7 +14,7 @@
   with_items:
     - "{{ groups['cassandra'] }}" 
   tags:
-    - start
+    - start-docker-containers
 
 - name: Create cortex volumes
   docker_volume:
@@ -22,7 +22,7 @@
   with_items:
     - "{{ groups['cortex'] }}" 
   tags:
-    - start
+    - start-docker-containers
 
 - name: Create NiFi volumes
   docker_volume:
@@ -30,7 +30,7 @@
   with_items:
     - "{{ groups['nificontainers'] }}" 
   tags:
-    - start
+    - start-docker-containers
 
 - name: Create OpenDistro for Elasticearch volumes
   docker_volume:
@@ -38,5 +38,5 @@
   with_items:
     - "{{ groups['odfeescontainers'] }}" 
   tags:
-    - start
+    - start-docker-containers
 
diff --git a/roles/docker/tasks/zookeeper.yml b/roles/docker/tasks/zookeeper.yml
index d8cc7f3..d0b3f71 100644
--- a/roles/docker/tasks/zookeeper.yml
+++ b/roles/docker/tasks/zookeeper.yml
@@ -11,12 +11,12 @@
     env:
       ALLOW_ANONYMOUS_LOGIN: "yes"
   tags:
-    - start
+    - start-docker-containers
 
 - name: Remove zookeeper
   docker_container:
     name: "{{ zookeeper_name }}"
     state: absent
   tags:
-    - stop
+    - stop-docker-containers
 
diff --git a/roles/filebeat/tasks/init.yml b/roles/filebeat/tasks/init.yml
new file mode 100644
index 0000000..67b3846
--- /dev/null
+++ b/roles/filebeat/tasks/init.yml
@@ -0,0 +1,19 @@
+---
+# tasks file for filebeat
+
+- name: Copy filebeat certificates
+  copy:
+    src:  "{{ item }}"
+    dest: "/opt/filebeat/"
+    mode: 0600
+  with_items:
+    - "{{playbook_dir}}/secrets/CA/issued/filebeat.crt"
+    - "{{playbook_dir}}/secrets/CA/private/filebeat.key"
+  become: true
+
+- name: Copy filebeat configuration file
+  template:
+    src: filebeat.yml.j2
+    dest: /opt/filebeat/filebeat.yml
+  become: true
+
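Review bot: `mode: 0600` is written as a bare number here, while the keycloak and misp init.yml hunks quote theirs (`'0600'`, `'0644'`). The bare form only works because the leading zero makes the YAML loader read it as octal; quoting, `mode: '0600'`, removes that dependency and matches the other roles. The same unquoted form appears in the cortex init.yml hunk (`mode: 0600`), the haproxy init.yml hunk (`mode: 0755`, `mode: 0600`) and the keycloak `Configure Keycloak start script` task (`mode: 0750`). `Copy filebeat configuration file` sets no `mode` at all, so filebeat.yml is created under the remote umask.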
diff --git a/roles/filebeat/tasks/main.yml b/roles/filebeat/tasks/main.yml
index 02ac9c7..5035f7b 100644
--- a/roles/filebeat/tasks/main.yml
+++ b/roles/filebeat/tasks/main.yml
@@ -1,8 +1,12 @@
 ---
 
+- include: init.yml
+  tags:
+   - init
 - include: start.yml
   tags:
    - start
+   - init
 - include: stop.yml
   tags:
    - stop
diff --git a/roles/filebeat/tasks/start.yml b/roles/filebeat/tasks/start.yml
index 1944c1f..f2f3ec4 100644
--- a/roles/filebeat/tasks/start.yml
+++ b/roles/filebeat/tasks/start.yml
@@ -1,22 +1,6 @@
 ---
 # tasks file for filebeat
 
-- name: Copy filebeat certificates
-  copy:
-    src:  "{{ item }}"
-    dest: "/opt/filebeat/"
-    mode: 0600
-  with_items:
-    - "{{playbook_dir}}/secrets/CA/issued/filebeat.crt"
-    - "{{playbook_dir}}/secrets/CA/private/filebeat.key"
-  become: true
-
-- name: Copy filebeat configuration file
-  template:
-    src: filebeat.yml.j2
-    dest: /opt/filebeat/filebeat.yml
-  become: true
-
 - name: Restart filebeat
   remote_user: root
   shell: "supervisorctl restart filebeat"
diff --git a/roles/haproxy/tasks/init.yml b/roles/haproxy/tasks/init.yml
new file mode 100644
index 0000000..a64cc79
--- /dev/null
+++ b/roles/haproxy/tasks/init.yml
@@ -0,0 +1,52 @@
+---
+# tasks file for haproxy
+
+- name: Copy haproxy configuration file
+  template:
+    src: haproxy.cfg.j2
+    dest: /usr/local/etc/haproxy/haproxy.cfg
+
+- name: Create required directories
+  file:
+   path: "{{ item }}"
+   state: directory
+   mode: 0755
+   owner: root
+   group: root
+  with_items:
+  - /opt/haproxy
+  - /etc/ssl/haproxy
+
+- name: Generate dhparam file for haproxy
+  shell: "openssl dhparam -out /usr/local/etc/haproxy/dhparam.pem 2048"
+
+- name: Copy haproxy certificates
+  copy:
+    src:  "{{ item }}"
+    dest: "/opt/haproxy/"
+    mode: 0600
+  with_items:
+    - "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
+    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
+
+- name: Combine crt and key for haproxy
+  assemble:
+    src: /opt/haproxy
+    dest: /etc/ssl/haproxy/{{ inventory_hostname }}.crt
+    owner: root
+    mode: 0600
+
+- name: Delete temporary files and directory
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /opt/haproxy/{{ inventory_hostname }}.crt
+    - /opt/haproxy/{{ inventory_hostname }}.key
+    - /opt/haproxy
+
+- name: Set Autostart for supervisord's services
+  replace:
+    path: /etc/supervisord.conf
+    regexp: '^autostart=false$'
+    replace: 'autostart=true'
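Review bot: `Generate dhparam file for haproxy` has no idempotence guard, so every `init` run regenerates the 2048-bit parameters, which is slow and reports a change each time. `args:` with `creates: /usr/local/etc/haproxy/dhparam.pem` skips it once the file exists, and `command` is enough since no shell features are used. Separately, the private key is staged in /opt/haproxy and removed only by the later `Delete temporary files and directory` task; if `assemble` fails the key stays behind, and any stray file already in that directory is concatenated into the bundle. Wrapping the copy, assemble and delete tasks in a `block` with the cleanup under `always` would cover both cases.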
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 00ff357..b93f5ee 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -1,8 +1,12 @@
 ---
 
+- include: init.yml
+  tags:
+   - init
 - include: start.yml
   tags:
    - start
+   - init
 - include: stop.yml
   tags:
    - stop
diff --git a/roles/haproxy/tasks/start.yml b/roles/haproxy/tasks/start.yml
index f33f0ea..30ef26f 100644
--- a/roles/haproxy/tasks/start.yml
+++ b/roles/haproxy/tasks/start.yml
@@ -1,55 +1,6 @@
 ---
 # tasks file for haproxy
 
-- name: Copy haproxy configuration file
-  template:
-    src: haproxy.cfg.j2
-    dest: /usr/local/etc/haproxy/haproxy.cfg
-
-- name: Create required directories
-  file:
-   path: "{{ item }}"
-   state: directory
-   mode: 0755
-   owner: root
-   group: root
-  with_items:
-  - /opt/haproxy
-  - /etc/ssl/haproxy
-
-- name: Generate dhparam file for haproxy
-  shell: "openssl dhparam -out /usr/local/etc/haproxy/dhparam.pem 2048"
-
-- name: Copy haproxy certificates
-  copy:
-    src:  "{{ item }}"
-    dest: "/opt/haproxy/"
-    mode: 0600
-  with_items:
-    - "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
-    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
-
-- name: Combine crt and key for haproxy
-  assemble:
-    src: /opt/haproxy
-    dest: /etc/ssl/haproxy/{{ inventory_hostname }}.crt
-    owner: root
-    mode: 0600
-
-- name: Delete temporary files and directory
-  file:
-    path: "{{ item }}"
-    state: absent
-  with_items:
-    - /opt/haproxy/{{ inventory_hostname }}.crt
-    - /opt/haproxy/{{ inventory_hostname }}.key
-    - /opt/haproxy
-
 - name: Start haproxy
   shell: "supervisorctl start haproxy"
 
-- name: Set Autostart for supervisord's services
-  replace:
-    path: /etc/supervisord.conf
-    regexp: '^autostart=false$'
-    replace: 'autostart=true'
diff --git a/roles/keycloak/tasks/init.yml b/roles/keycloak/tasks/init.yml
new file mode 100644
index 0000000..8f9bc30
--- /dev/null
+++ b/roles/keycloak/tasks/init.yml
@@ -0,0 +1,103 @@
+---
+
+- name: Copy certificates in keycloak x509 conf dir
+  remote_user: jboss
+  copy:
+    src:  "{{ item.local }}"
+    dest: "{{ item.remote }}"
+    mode: "{{ item.mode}}"
+  with_items:
+    - local: "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
+      remote: /etc/x509/https/tls.crt
+      mode: '0644'
+    - local: "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
+      remote: /etc/x509/https/tls.key
+      mode: '0600'
+    - local: "{{playbook_dir}}/secrets/CA/ca.crt"
+      remote: /etc/x509/ca/ca.crt
+      mode: '0644'
+    - local: "{{playbook_dir}}/secrets/CA/cacerts.jks"
+      remote: /opt/jboss/keycloak/cacerts.jks
+      mode: '0644'
+
+- name: Generate Keycloak secure config
+  remote_user: jboss
+  command: "/opt/jboss/tools/x509.sh"
+  environment:
+    X509_CA_BUNDLE: "/etc/x509/ca/ca.crt"
+
+- name: Set admin password
+  remote_user: jboss
+  command: /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keykloak_admin')}}"
+  ignore_errors: True
+
+- name: Configure logging format
+  remote_user: jboss
+  lineinfile: #TODO: Change to community.general.xml
+   path: /opt/jboss/keycloak/standalone/configuration/standalone.xml
+   regexp: '.*<formatter name="PATTERN">.*'
+   line: "<formatter name=\"JSON\"><json-formatter date-format=\"yyyy-MM-dd'T'HH:mm:ss.SSS'Z'\" pretty-print=\"false\" print-details=\"true\" zone-id=\"UTC\"/></formatter><formatter name=\"PATTERN\">"
+
+- name: Enable event logging
+  remote_user: jboss
+  lineinfile:
+   path: /opt/jboss/keycloak/standalone/configuration/standalone.xml
+   regexp: '.*<spi name="eventsStore">.*'
+   line: '<spi name="eventsListener"><provider name="jboss-logging" enabled="true"><properties><property name="success-level" value="INFO"/><property name="error-level" value="WARN"/></properties></provider></spi><spi name="eventsStore">'
+
+- name: Specify logging format
+  remote_user: jboss
+  lineinfile:
+   path: /opt/jboss/keycloak/standalone/configuration/standalone.xml
+   regexp: ".*<named-formatter name=.*"
+   line: '<named-formatter name="JSON"/>'
+
+- name: Configure Keycloak start script
+  remote_user: jboss
+  template:
+    src: "{{item}}.j2"
+    dest: "/opt/jboss/tools/{{item}}"
+    mode: 0750
+  with_items:
+    - startkeycloak.sh
+    - initkeycloakrealm.sh
+
+- name: Start Keycloak IdP
+  remote_user: root
+  command: "supervisorctl start keycloak"
+
+- name: Wait for Keycloak
+  remote_user: jboss
+  wait_for:
+    host: "{{groups['keycloakcontainers'][0]}}"
+    port: 8443
+    state: started
+    delay: 5
+
+- name: Initialize Keycloak realm
+  remote_user: jboss
+  command: /opt/jboss/tools/initkeycloakrealm.sh
+
+- name: Copy secrets from Keycloak
+  remote_user: jboss
+  fetch:
+    src:  "{{ item.remote }}"
+    dest: "{{ item.local }}"
+    flat: yes
+  with_items:
+    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/nifisecret"
+      local:  "{{playbook_dir}}/secrets/tokens/nifisecret"
+    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/kibanasecret"
+      local:  "{{playbook_dir}}/secrets/tokens/kibanasecret"
+    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/mispsecret"
+      local:  "{{playbook_dir}}/secrets/tokens/mispsecret"
+    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/thehivesecret"
+      local:  "{{playbook_dir}}/secrets/tokens/thehivesecret"
+    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/cortexsecret"
+      local:  "{{playbook_dir}}/secrets/tokens/cortexsecret"
+
+- name: Set Autostart for supervisord's services
+  replace:
+    path: /etc/supervisord.conf
+    regexp: '^autostart=false$'
+    replace: 'autostart=true'
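Review bot: `Set admin password` passes the admin password as a command-line argument with no `no_log: true`, so it is recorded in the task's `cmd` result and is visible in the container's process list while add-user-keycloak.sh runs. `ignore_errors: True` on the same task also hides real failures, letting the run continue without an admin account being set. I would add `no_log: true`, and replace `ignore_errors` with a registered result and a `failed_when` that tolerates only the user-already-exists case (the script's exact output is not visible here). `Copy secrets from Keycloak` writes five client secrets under `secrets/tokens` on the control node with whatever umask the operator has, so that directory's expected permissions are worth stating in the project documentation. This file also contains `Start Keycloak IdP` and `Wait for Keycloak`, which start.yml keeps, so the split between init and start is incomplete for this role.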
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
index d7668ba..657a525 100644
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -1,8 +1,12 @@
 ---
 
+- include: init.yml
+  tags:
+   - init
 - include: start.yml
   tags:
    - start
+   - init
 - include: stop.yml
   tags: 
    - stop
diff --git a/roles/keycloak/tasks/start.yml b/roles/keycloak/tasks/start.yml
index 8f9bc30..4c8551d 100644
--- a/roles/keycloak/tasks/start.yml
+++ b/roles/keycloak/tasks/start.yml
@@ -1,67 +1,5 @@
 ---
 
-- name: Copy certificates in keycloak x509 conf dir
-  remote_user: jboss
-  copy:
-    src:  "{{ item.local }}"
-    dest: "{{ item.remote }}"
-    mode: "{{ item.mode}}"
-  with_items:
-    - local: "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
-      remote: /etc/x509/https/tls.crt
-      mode: '0644'
-    - local: "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
-      remote: /etc/x509/https/tls.key
-      mode: '0600'
-    - local: "{{playbook_dir}}/secrets/CA/ca.crt"
-      remote: /etc/x509/ca/ca.crt
-      mode: '0644'
-    - local: "{{playbook_dir}}/secrets/CA/cacerts.jks"
-      remote: /opt/jboss/keycloak/cacerts.jks
-      mode: '0644'
-
-- name: Generate Keycloak secure config
-  remote_user: jboss
-  command: "/opt/jboss/tools/x509.sh"
-  environment:
-    X509_CA_BUNDLE: "/etc/x509/ca/ca.crt"
-
-- name: Set admin password
-  remote_user: jboss
-  command: /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keykloak_admin')}}"
-  ignore_errors: True
-
-- name: Configure logging format
-  remote_user: jboss
-  lineinfile: #TODO: Change to community.general.xml
-   path: /opt/jboss/keycloak/standalone/configuration/standalone.xml
-   regexp: '.*<formatter name="PATTERN">.*'
-   line: "<formatter name=\"JSON\"><json-formatter date-format=\"yyyy-MM-dd'T'HH:mm:ss.SSS'Z'\" pretty-print=\"false\" print-details=\"true\" zone-id=\"UTC\"/></formatter><formatter name=\"PATTERN\">"
-
-- name: Enable event logging
-  remote_user: jboss
-  lineinfile:
-   path: /opt/jboss/keycloak/standalone/configuration/standalone.xml
-   regexp: '.*<spi name="eventsStore">.*'
-   line: '<spi name="eventsListener"><provider name="jboss-logging" enabled="true"><properties><property name="success-level" value="INFO"/><property name="error-level" value="WARN"/></properties></provider></spi><spi name="eventsStore">'
-
-- name: Specify logging format
-  remote_user: jboss
-  lineinfile:
-   path: /opt/jboss/keycloak/standalone/configuration/standalone.xml
-   regexp: ".*<named-formatter name=.*"
-   line: '<named-formatter name="JSON"/>'
-
-- name: Configure Keycloak start script
-  remote_user: jboss
-  template:
-    src: "{{item}}.j2"
-    dest: "/opt/jboss/tools/{{item}}"
-    mode: 0750
-  with_items:
-    - startkeycloak.sh
-    - initkeycloakrealm.sh
-
 - name: Start Keycloak IdP
   remote_user: root
   command: "supervisorctl start keycloak"
@@ -74,30 +12,3 @@
     state: started
     delay: 5
 
-- name: Initialize Keycloak realm
-  remote_user: jboss
-  command: /opt/jboss/tools/initkeycloakrealm.sh
-
-- name: Copy secrets from Keycloak
-  remote_user: jboss
-  fetch:
-    src:  "{{ item.remote }}"
-    dest: "{{ item.local }}"
-    flat: yes
-  with_items:
-    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/nifisecret"
-      local:  "{{playbook_dir}}/secrets/tokens/nifisecret"
-    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/kibanasecret"
-      local:  "{{playbook_dir}}/secrets/tokens/kibanasecret"
-    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/mispsecret"
-      local:  "{{playbook_dir}}/secrets/tokens/mispsecret"
-    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/thehivesecret"
-      local:  "{{playbook_dir}}/secrets/tokens/thehivesecret"
-    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/cortexsecret"
-      local:  "{{playbook_dir}}/secrets/tokens/cortexsecret"
-
-- name: Set Autostart for supervisord's services
-  replace:
-    path: /etc/supervisord.conf
-    regexp: '^autostart=false$'
-    replace: 'autostart=true'
diff --git a/roles/misp/tasks/init.yml b/roles/misp/tasks/init.yml
new file mode 100644
index 0000000..335ce0b
--- /dev/null
+++ b/roles/misp/tasks/init.yml
@@ -0,0 +1,59 @@
+---
+
+- name: Set PHP symbolic link
+  file:
+   src: /opt/rh/rh-php72/root/bin/php  
+   dest: /usr/bin/php
+   state: link
+
+- name: Copy certificates
+  copy:
+    src:  "{{ item.local }}"
+    dest: "{{ item.remote }}"
+    mode: "{{ item.mode}}"
+  with_items:
+    - local: "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
+      remote: /etc/ssl/certs/misp.crt
+      mode: '0644'
+    - local: "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
+      remote: /etc/ssl/certs/misp.key
+      mode: '0600'
+    - local: "{{playbook_dir}}/secrets/CA/ca.crt"
+      remote: /etc/ssl/certs/ca.crt
+      mode: '0644'
+    - local: "{{playbook_dir}}/secrets/CA/ca.crt"
+      remote: /etc/pki/ca-trust/source/anchors/ca.crt
+      mode: '0644'
+
+- name: Update CA trust
+  command: update-ca-trust
+
+- name: Get openid authkey
+  set_fact:
+    mispsecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/mispsecret',convert_data=False) | from_json }}"
+
+- name: Configure Apache web server for misp
+  template:
+    src: misp.conf.j2
+    dest: /etc/httpd/conf.d/misp.conf
+
+- name: Configure MISP database access
+  template:
+    src: database.php.j2
+    dest: /var/www/MISP/app/Config/database.php
+
+- name: Configure salt
+  lineinfile:
+    path: /var/www/MISP/app/Config/config.php
+    regexp: "'salt'.*=>"
+    line: "'salt' => '{{lookup('password', '{{playbook_dir}}/secrets/misp_salt')}}',"
+
+- name: Configure MISP database initialization script
+  template:
+    src: checkdb.sh.j2
+    dest: /var/www/MISP/checkdb.sh
+    mode: '0700'
+
+- name: Check if database is initialized
+  command: /var/www/MISP/checkdb.sh
+
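Review bot: The `Configure salt` task renders the salt directly into `line:`, so the value can appear in task output when the play runs with `--diff` or raised verbosity; adding `no_log: true` to that task keeps it out of controller logs. The `template` tasks for `misp.conf` and `database.php` set no `owner`, `group` or `mode`, unlike `checkdb.sh` (`mode: '0700'`). `database.php` presumably carries the database password (the template is not shown here), so an explicit setting such as `owner: root`, `group: apache`, `mode: '0640'` would be safer than relying on the umask; confirm the account the web server runs as.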
diff --git a/roles/misp/tasks/main.yml b/roles/misp/tasks/main.yml
index 9b53c6c..ce31c84 100644
--- a/roles/misp/tasks/main.yml
+++ b/roles/misp/tasks/main.yml
@@ -1,11 +1,15 @@
 ---
 
+- include: init.yml
+  tags:
+   - init
 - include: start.yml
   tags:
    - start
+   - init
 - include: config.yml
   tags:
-   - start
+   - init
    - config
 - include: stop.yml
   tags: stop
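Review bot: The added `- include: init.yml` entry uses the bare `include` action, which Ansible has deprecated in favour of `import_tasks` and `include_tasks`. These entries depend on the tags reaching the tasks inside each file, so `import_tasks: init.yml` is the form that keeps that behaviour; a dynamic `include_tasks` would tag only the include itself. The same applies to the `main.yml` hunks for mysql, nifi, odfees and odfekibana in this patch. The file continues past this hunk.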
diff --git a/roles/misp/tasks/start.yml b/roles/misp/tasks/start.yml
index c07917f..10e9b79 100644
--- a/roles/misp/tasks/start.yml
+++ b/roles/misp/tasks/start.yml
@@ -1,62 +1,5 @@
 ---
 
-- name: Set PHP symbolic link
-  file:
-   src: /opt/rh/rh-php72/root/bin/php  
-   dest: /usr/bin/php
-   state: link
-
-- name: Copy certificates
-  copy:
-    src:  "{{ item.local }}"
-    dest: "{{ item.remote }}"
-    mode: "{{ item.mode}}"
-  with_items:
-    - local: "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
-      remote: /etc/ssl/certs/misp.crt
-      mode: '0644'
-    - local: "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
-      remote: /etc/ssl/certs/misp.key
-      mode: '0600'
-    - local: "{{playbook_dir}}/secrets/CA/ca.crt"
-      remote: /etc/ssl/certs/ca.crt
-      mode: '0644'
-    - local: "{{playbook_dir}}/secrets/CA/ca.crt"
-      remote: /etc/pki/ca-trust/source/anchors/ca.crt
-      mode: '0644'
-
-- name: Update CA trust
-  command: update-ca-trust
-
-- name: Get openid authkey
-  set_fact:
-    mispsecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/mispsecret',convert_data=False) | from_json }}"
-
-- name: Configure Apache web server for misp
-  template:
-    src: misp.conf.j2
-    dest: /etc/httpd/conf.d/misp.conf
-
-- name: Configure MISP database access
-  template:
-    src: database.php.j2
-    dest: /var/www/MISP/app/Config/database.php
-
-- name: Configure salt
-  lineinfile:
-    path: /var/www/MISP/app/Config/config.php
-    regexp: "'salt'.*=>"
-    line: "'salt' => '{{lookup('password', '{{playbook_dir}}/secrets/misp_salt')}}',"
-
-- name: Configure MISP database initialization script
-  template:
-    src: checkdb.sh.j2
-    dest: /var/www/MISP/checkdb.sh
-    mode: '0700'
-
-- name: Check if database is initialized
-  command: /var/www/MISP/checkdb.sh
-
 - name: Start php-fpm
   command: "supervisorctl start php-fpm"
 
diff --git a/roles/misp/tasks/stop.yml b/roles/misp/tasks/stop.yml
index 6a56d87..769afae 100644
--- a/roles/misp/tasks/stop.yml
+++ b/roles/misp/tasks/stop.yml
@@ -12,6 +12,5 @@
   command: "supervisorctl stop misp-modules"
 
 - name: Stop workers
-  #command: "supervisorctl start workers"
-  command: 'su - -s /bin/bash -c "/var/www/MISP/app/Console/worker/stop.sh" apache'
+  command: "supervisorctl stop workers"
 
diff --git a/roles/mysql/tasks/init.yml b/roles/mysql/tasks/init.yml
new file mode 100644
index 0000000..e360aa8
--- /dev/null
+++ b/roles/mysql/tasks/init.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Set Autostart for supervisord's services
+  replace:
+    path: /etc/supervisord.conf
+    regexp: '^autostart=false$'
+    replace: 'autostart=true'
diff --git a/roles/mysql/tasks/main.yml b/roles/mysql/tasks/main.yml
index 69395fe..83c2328 100644
--- a/roles/mysql/tasks/main.yml
+++ b/roles/mysql/tasks/main.yml
@@ -2,8 +2,14 @@
 
 - include: secure.yml
   tags:
-   - start
+   - init
 - include: misp.yml
+  tags:
+   - init
+- include: init.yml
+  tags:
+   - init
+- include: start.yml
   tags:
    - start
 - include: stop.yml
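Review bot: `start.yml` is tagged only `start` here and is listed after `secure.yml` and `misp.yml`, whereas the misp, nifi, odfees and odfekibana `main.yml` hunks in this patch tag their `start.yml` with both `start` and `init`. `secure.yml` uses `mysql_user` and `mysql_db` (visible in its hunk below), which need a running server, so a `--tags init` run appears to rely on MySQL having been started some other way. The first task in `secure.yml` keeps `ignore_errors: true`, so a failure to set the root password would not stop the play. If that dependency is not intended, list the `start.yml` include first and add `- init` to its tags. The rest of the file is outside the hunk.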
diff --git a/roles/mysql/tasks/misp.yml b/roles/mysql/tasks/misp.yml
index c541e99..471da9d 100644
--- a/roles/mysql/tasks/misp.yml
+++ b/roles/mysql/tasks/misp.yml
@@ -14,16 +14,3 @@
     priv: "{{misp_dbname}}.*:ALL"
   with_items: "{{groups['mispcontainers']}}"
 
-- name: Set Autostart for supervisord's services
-  replace:
-    path: /etc/supervisord.conf
-    regexp: '^autostart=false$'
-    replace: 'autostart=true'
-
-
-#  CREATE DATABASE IF NOT EXISTS {{misp_dbname}};
-#  {% for misp_host in groups['mispcontainers'] %}
-#  GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}}';
-#  GRANT ALL PRIVILEGES on {{misp_dbname}}.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}';
-#  {% endfor %}
-#  
diff --git a/roles/mysql/tasks/secure.yml b/roles/mysql/tasks/secure.yml
index 80db96c..23dccd4 100644
--- a/roles/mysql/tasks/secure.yml
+++ b/roles/mysql/tasks/secure.yml
@@ -5,8 +5,6 @@
     name: root
     host_all: yes
     password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_root')}}"
-  tags:
-    - start
   ignore_errors: true
 
 - name: Configure root access to db
@@ -14,59 +12,15 @@
     src: dotmy.cnf.j2
     dest: /root/.my.cnf
     mode: 0600
-  tags:
-    - start
 
 - name: Remove all anonymous user accounts
   mysql_user:
     name: ''
     host_all: yes
     state: absent
-  tags:
-    - start
 
 - name: Remove MySQL test database
   mysql_db:
     name: test
     state: absent
-  tags:
-    - start
 
-
-#   template:
-#     src: mysql_secure.sql.j2
-#     dest: /opt/rh/rh-mariadb103/root/root/mysql_secure.sql
-#   tags:
-#     - start
-#     - reconf
-# 
-# - name: Apply mysql conf
-#   command: "/opt/rh/rh-mariadb103/root/usr/bin/mysql -v -v -v -u root -e 'source /opt/rh/rh-mariadb103/root/root/mysql_secure.sql'"
-#   register: mysqlconf
-#   tags:
-#     - start
-#     - reconf
-# 
-# - name: show output from mysql command
-#   debug: msg="{{mysqlconf.stdout}}"
-#   tags:
-#     - start
-# 
-# 
-# 
-# UPDATE mysql.user SET Password=PASSWORD('{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_root')}}') WHERE User='root';
-# DELETE FROM mysql.user WHERE User='';
-# DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
-# DROP DATABASE IF EXISTS test;
-# DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
-# 
-# 
-# 
-# 
-# #!/bin/bash -x
-# MISPINIT=$(echo "SELECT COUNT(DISTINCT 'table_name') FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}} {{misp_dbname}})
-# #MISPINIT=$(echo "select count(id) from users;" | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}} {{misp_dbname}})
-# if [ ${MISPINIT} == "0" ]; then
-#   cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}} {{misp_dbname}}
-#   touch /var/www/MISP/dbchecked-$(date +%Y%m%d_%H%M%S)
-# fi
diff --git a/roles/mysql/tasks/start.yml b/roles/mysql/tasks/start.yml
new file mode 100644
index 0000000..e072ee2
--- /dev/null
+++ b/roles/mysql/tasks/start.yml
@@ -0,0 +1,4 @@
+---
+
+- name: Start MySQL
+  shell: "supervisorctl start mysql"
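Review bot: `shell:` is used here for a command that needs no shell features, so the string is passed through `/bin/sh` for no benefit. The cassandra-style sibling tasks in this patch (`Start Keycloak IdP`, `Start NiFi`, `Start OpenDistro for Elasticsearch`) all use `command:`; suggest `command: "supervisorctl start mysql"` for consistency. The same applies to `Start Kibana` in `roles/odfekibana/tasks/init.yml`.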
diff --git a/roles/nifi/tasks/init.yml b/roles/nifi/tasks/init.yml
new file mode 100644
index 0000000..58b26f3
--- /dev/null
+++ b/roles/nifi/tasks/init.yml
@@ -0,0 +1,185 @@
+---
+
+- name: Copy cacert to ca-trust dir
+  remote_user: root
+  copy:
+    src: "{{playbook_dir}}/secrets/CA/ca.crt"
+    dest: /etc/pki/ca-trust/source/anchors/ca.crt
+
+- name: Install cacert to root truststore
+  remote_user: root
+  command: "update-ca-trust"
+
+- name: Copy certificates in NiFi conf dir
+  remote_user: nifi
+  copy:
+    src:  "{{ item }}"
+    dest: "conf/"
+  with_items:
+    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12"
+    - "{{playbook_dir}}/secrets/CA/cacerts.jks"
+    - common-cacerts.jks
+
+- name: Check if flow.xml already exists
+  remote_user: nifi
+  stat:
+    path: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/flow.xml"
+  register: flowfile
+
+- name: Configure flow.xml
+  remote_user: nifi
+  template:
+    src:  "flow.xml.j2"
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/flow.xml"
+  when: not flowfile.stat.exists
+
+- name: Gzip flow.xml
+  remote_user: nifi
+  archive:
+    path: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/flow.xml"
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/flow.xml.gz"
+    format: gz
+  when: not flowfile.stat.exists
+
+- name: Get openid authkey
+  remote_user: nifi
+  set_fact:
+    nifisecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/nifisecret',convert_data=False)}}"
+
+- name: Configure NiFi boostrap properties
+  remote_user: nifi
+  template:
+    src: bootstrap.conf.j2
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/bootstrap.conf"
+
+- name: Configure NiFi properties for secure servers
+  remote_user: nifi
+  template:
+    src: nifi.properties.j2
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/nifi.properties"
+
+- name: Copy authorizations.xml
+  remote_user: nifi
+  copy:
+    src: "authorizations.xml"
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/authorizations.xml"
+
+- name: Configure users
+  remote_user: nifi
+  template:
+    src: users.xml.j2
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/users.xml"
+
+- name: Configure NiFi authorizers for secure servers
+  remote_user: nifi
+  template:
+    src: authorizers.xml.j2
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/authorizers.xml"
+
+- name: Create conf/enrich dir
+  remote_user: nifi
+  file: path={{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich state=directory
+
+- name: Create conf/enrich/freq dir
+  remote_user: nifi
+  file: path={{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/freq state=directory
+
+- name: Download freq processor
+  remote_user: nifi
+  get_url:
+    url: 'https://gitlab.geant.org/gn4-3-wp8-t3.1-soc/nifi-processors/-/raw/master/scripts/freq/{{ item }}'
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/freq/"
+  with_items:
+   - alexa.json
+   - freq.py
+   - freqProcessor.py
+
+- name: Copy empty GeoLite2-City database
+  remote_user: nifi
+  copy:
+    src: GeoLite2-City.mmdb
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/GeoLite2-City.mmdb"
+
+- name: Copy CountriesWithRegionalCodes.csv
+  remote_user: nifi
+  copy:
+    src: CountriesWithRegionalCodes.csv
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/CountriesWithRegionalCodes.csv"
+
+- name: Copy grok libraries
+  copy:
+   src: haproxy.groklib
+   dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/haproxy.groklib"
+
+- name: Create empty list of Tor nodes
+  remote_user: nifi
+  copy:
+    content: "ip_addr,value"
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/tornodes.csv"
+    force: no
+
+- name: Download umbrella-top-1m.csv.zip
+  remote_user: nifi
+  local_action:
+    module: get_url
+    url: http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip
+    dest: "/tmp/umbrella-top-1m.csv.zip"
+  run_once: True
+
+- name: Unzip umbrella-top-1m.csv.zip
+  remote_user: nifi
+  local_action:
+    module: unarchive
+    src: "/tmp/umbrella-top-1m.csv.zip"
+    dest: "/tmp"
+  run_once: True
+
+- name: Copy umbrella-top-1m.csv
+  remote_user: nifi
+  copy:
+    src: "/tmp/top-1m.csv"
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/umbrella-top-1m.csv"
+
+- name: Add header to umbrella-top-1m.csv
+  remote_user: nifi
+  lineinfile:
+    path: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/umbrella-top-1m.csv"
+    line: 'index,domain'
+    insertbefore: BOF
+
+- name: Download alexa-top-1m.csv.zip
+  remote_user: nifi
+  local_action:
+    module: get_url
+    url: http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
+    dest: "/tmp/alexa-top-1m.csv.zip"
+  run_once: True
+
+- name: Unzip alexa-top-1m.csv.zip
+  remote_user: nifi
+  local_action:
+    module: unarchive
+    src: "/tmp/alexa-top-1m.csv.zip"
+    dest: "/tmp"
+  run_once: True
+
+- name: Copy alexa-top-1m.csv
+  remote_user: nifi
+  copy:
+    src: "/tmp/top-1m.csv"
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/alexa-top-1m.csv"
+
+- name: Add header to alexa-top-1m.csv
+  remote_user: nifi
+  lineinfile:
+    path: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/alexa-top-1m.csv"
+    line: 'index,domain'
+    insertbefore: BOF
+
+- name: Set Autostart for supervisord's services
+  replace:
+    path: /etc/supervisord.conf
+    regexp: '^autostart=false$'
+    replace: 'autostart=true'
+
+
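Review bot: The download tasks fetch content with no integrity check: `freq.py` and `freqProcessor.py` are pulled from the `master` branch of the GitLab repository, and both top-1m archives are fetched over plain `http://`, so whatever is served at run time ends up under `conf/enrich`. Pin the script URLs to a commit or tag and add `checksum: "sha256:<expected-digest>"` to that `get_url` task; for the top-1m lists, which change over time, switch the URLs to `https://` if the hosts serve it. Separately, `Copy certificates in NiFi conf dir` copies the host `.p12` without a `mode`, whereas the odfees and odfekibana roles in this patch set `mode: 0600` on the same material; `mode: '0600'` here would match them. Both archives also unpack to the same `/tmp/top-1m.csv` on the controller, so the umbrella and alexa copies are correct only because of task order.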
diff --git a/roles/nifi/tasks/main.yml b/roles/nifi/tasks/main.yml
index d4ab3ad..9ae0650 100644
--- a/roles/nifi/tasks/main.yml
+++ b/roles/nifi/tasks/main.yml
@@ -1,8 +1,12 @@
 ---
 
+- include: init.yml
+  tags:
+   - init
 - include: start.yml
   tags:
    - start
+   - init
 - include: stop.yml
   tags:
    - stop
diff --git a/roles/nifi/tasks/start.yml b/roles/nifi/tasks/start.yml
index ecccbbd..31ee2ec 100644
--- a/roles/nifi/tasks/start.yml
+++ b/roles/nifi/tasks/start.yml
@@ -1,204 +1,6 @@
 ---
 
-- name: Copy cacert to ca-trust dir
-  remote_user: root
-  copy:
-    src: "{{playbook_dir}}/secrets/CA/ca.crt"
-    dest: /etc/pki/ca-trust/source/anchors/ca.crt
-
-- name: Install cacert to root truststore
-  remote_user: root
-  command: "update-ca-trust"
-
-- name: Copy certificates in NiFi conf dir
-  remote_user: nifi
-  copy:
-    src:  "{{ item }}"
-    dest: "conf/"
-  with_items:
-    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12"
-    - "{{playbook_dir}}/secrets/CA/cacerts.jks"
-    - common-cacerts.jks
-
-- name: Check if flow.xml already exists
-  remote_user: nifi
-  stat:
-    path: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/flow.xml"
-  register: flowfile
-
-- name: Configure flow.xml
-  remote_user: nifi
-  template:
-    src:  "flow.xml.j2"
-    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/flow.xml"
-  when: not flowfile.stat.exists
-
-- name: Gzip flow.xml
-  remote_user: nifi
-  archive:
-    path: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/flow.xml"
-    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/flow.xml.gz"
-    format: gz
-  when: not flowfile.stat.exists
-
-- name: Get openid authkey
-  remote_user: nifi
-  set_fact:
-    nifisecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/nifisecret',convert_data=False)}}"
-
-- name: Configure NiFi boostrap properties
-  remote_user: nifi
-  template:
-    src: bootstrap.conf.j2
-    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/bootstrap.conf"
-
-- name: Configure NiFi properties for secure servers
-  remote_user: nifi
-  template:
-    src: nifi.properties.j2
-    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/nifi.properties"
-
-- name: Copy authorizations.xml
-  remote_user: nifi
-  copy:
-    src: "authorizations.xml"
-    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/authorizations.xml"
-
-- name: Configure users
-  remote_user: nifi
-  template:
-    src: users.xml.j2
-    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/users.xml"
-
-- name: Configure NiFi authorizers for secure servers
-  remote_user: nifi
-  template:
-    src: authorizers.xml.j2
-    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/authorizers.xml"
-
-- name: Create conf/enrich dir
-  remote_user: nifi
-  file: path={{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich state=directory
-
-- name: Create conf/enrich/freq dir
-  remote_user: nifi
-  file: path={{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/freq state=directory
-
-- name: Download freq processor
-  remote_user: nifi
-  get_url:
-    url: 'https://gitlab.geant.org/gn4-3-wp8-t3.1-soc/nifi-processors/-/raw/master/scripts/freq/{{ item }}'
-    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/freq/"
-  with_items:
-   - alexa.json
-   - freq.py
-   - freqProcessor.py
-
-- name: Copy empty GeoLite2-City database
-  remote_user: nifi
-  copy:
-    src: GeoLite2-City.mmdb
-    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/GeoLite2-City.mmdb"
-
-- name: Copy CountriesWithRegionalCodes.csv
-  remote_user: nifi
-  copy:
-    src: CountriesWithRegionalCodes.csv
-    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/CountriesWithRegionalCodes.csv"
-
-- name: Copy grok libraries
-  copy:
-   src: haproxy.groklib
-   dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/haproxy.groklib"
-
-- name: Create empty list of Tor nodes
-  remote_user: nifi
-  copy:
-    content: "ip_addr,value"
-    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/tornodes.csv"
-    force: no
-
-- name: Download umbrella-top-1m.csv.zip
-  remote_user: nifi
-  local_action:
-    module: get_url
-    url: http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip
-    dest: "/tmp/umbrella-top-1m.csv.zip"
-  run_once: True
-
-- name: Unzip umbrella-top-1m.csv.zip
-  remote_user: nifi
-  local_action:
-    module: unarchive
-    src: "/tmp/umbrella-top-1m.csv.zip"
-    dest: "/tmp"
-  run_once: True
-
-- name: Copy umbrella-top-1m.csv
-  remote_user: nifi
-  copy:
-    src: "/tmp/top-1m.csv"
-    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/umbrella-top-1m.csv"
-
-- name: Add header to umbrella-top-1m.csv
-  remote_user: nifi
-  lineinfile:
-    path: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/umbrella-top-1m.csv"
-    line: 'index,domain'
-    insertbefore: BOF
-
-- name: Download alexa-top-1m.csv.zip
-  remote_user: nifi
-  local_action:
-    module: get_url
-    url: http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
-    dest: "/tmp/alexa-top-1m.csv.zip"
-  run_once: True
-
-- name: Unzip alexa-top-1m.csv.zip
-  remote_user: nifi
-  local_action:
-    module: unarchive
-    src: "/tmp/alexa-top-1m.csv.zip"
-    dest: "/tmp"
-  run_once: True
-
-- name: Copy alexa-top-1m.csv
-  remote_user: nifi
-  copy:
-    src: "/tmp/top-1m.csv"
-    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/alexa-top-1m.csv"
-
-- name: Add header to alexa-top-1m.csv
-  remote_user: nifi
-  lineinfile:
-    path: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/alexa-top-1m.csv"
-    line: 'index,domain'
-    insertbefore: BOF
-
 - name: Start NiFi
   remote_user: root
   command: "supervisorctl start nifi"
 
-#- name: check reachable hosts
-#  gather_facts: no
-#  tasks:
-#    - command: ping -c1 {{ inventory_hostname }}
-#      delegate_to: localhost
-#      register: ping_result
-#      ignore_errors: yes
-#    - group_by: key=reachable
-#      when: ping_result|success
-
-- name: Set Autostart for supervisord's services
-  replace:
-    path: /etc/supervisord.conf
-    regexp: '^autostart=false$'
-    replace: 'autostart=true'
-
-#- name: Copy flow from NiFi
-#  fetch:
-#    src: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/flow.xml.gz"
-#    dest: "{{ role_path }}/files/flow-{{ inventory_hostname }}.xml.gz"
-#    flat: yes
-
diff --git a/roles/odfees/tasks/init.yml b/roles/odfees/tasks/init.yml
new file mode 100644
index 0000000..0eaedc5
--- /dev/null
+++ b/roles/odfees/tasks/init.yml
@@ -0,0 +1,100 @@
+---
+
+- name: Copy cacert to ca-trust dir
+  remote_user: root
+  copy:
+    src: "{{playbook_dir}}/secrets/CA/ca.crt"
+    dest: /etc/pki/ca-trust/source/anchors/ca.crt
+
+- name: Install cacert to root truststore
+  remote_user: root
+  command: "update-ca-trust"
+
+- name: Copy certificates in odfe conf dir
+  remote_user: elasticsearch
+  copy:
+    src:  "{{ item }}"
+    dest: "config/"
+    mode: 0600
+  with_items:
+    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12"
+    - "{{playbook_dir}}/secrets/CA/cacerts.jks"
+    - "{{playbook_dir}}/secrets/CA/private/{{soctools_users[0].CN}}.p12"
+
+- name: Configure sysconfig
+  remote_user: elasticsearch
+  template:
+    src: sysconfig_elasticsearch.j2
+    dest: sysconfig_elasticsearch
+
+- name: Copy sysconfig to /etc
+  remote_user: elasticsearch
+  command: "cp sysconfig_elasticsearch /etc/sysconfig/elasticsearch"
+
+- name: Configure odfe properties
+  remote_user: elasticsearch
+  template:
+    src: "config/{{item}}.j2"
+    dest: "config/{{item}}"
+  with_items:
+    - elasticsearch.yml
+    - jvm.options
+    - log4j2.properties
+
+- name: Change password for admin
+  remote_user: elasticsearch
+  command: "bash plugins/opendistro_security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/odfees_adminpass')}}"
+  register: adminhash
+  # when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname"
+
+- set_fact:
+    adminhashpwd: "{{ adminhash.stdout }}"
+    #adminhashpwd: "{{ hostvars[groups['odfeescontainers'][0]]['adminhash.stdout'] }}"
+  remote_user: elasticsearch
+
+- name: Change password for cortex
+  remote_user: elasticsearch
+  command: "bash plugins/opendistro_security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_odfe')}}"
+  register: cortexhash
+  # when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname"
+
+- set_fact:
+    cortexhashpwd: "{{ cortexhash.stdout }}"
+    #adminhashpwd: "{{ hostvars[groups['odfeescontainers'][0]]['adminhash.stdout'] }}"
+  remote_user: elasticsearch
+
+- name: Configure opendistro_security properties
+  remote_user: elasticsearch
+  template:
+    src: "securityconfig/{{item}}.j2"
+    dest: "plugins/opendistro_security/securityconfig/{{item}}"
+  with_items:
+    - internal_users.yml
+    - config.yml
+    - roles_mapping.yml
+
+
+- name: Start OpenDistro for Elasticsearch
+  remote_user: root
+  command: "supervisorctl start odfe"
+
+- name: Wait for ElasticSearch
+  remote_user: root
+  wait_for:
+    host: "{{groups['odfeescontainers'][0]}}"
+    port: 9200
+    state: started
+    delay: 5
+
+- name: Configure OpenDistro security
+  remote_user: elasticsearch
+  command: "bash ./plugins/opendistro_security/tools/securityadmin.sh -h {{groups['odfeescontainers'][0]}} -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -ks '/usr/share/elasticsearch/config/{{soctools_users[0].CN}}.p12' -kspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} {{lookup('password','{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} -ts /usr/share/elasticsearch/config/cacerts.jks -tspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} -cn soctools-cluster"
+  when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname"
+
+- name: Set Autostart for supervisord's services
+  remote_user: root
+  replace:
+    path: /etc/supervisord.conf
+    regexp: '^autostart=false$'
+    replace: 'autostart=true'
+
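Review bot: The `hash.sh -p …` tasks and the `securityadmin.sh … -kspass … -tspass …` task place the admin, cortex, keystore and truststore passwords on the command line, where they are visible in the container's process list while the tool runs and in Ansible's returned `cmd` at raised verbosity or on failure. Adding `no_log: true` to those three `command` tasks keeps them out of controller output. In the `securityadmin.sh` line the keystore-password lookup appears twice in a row after `-kspass`; the second occurrence looks like a stray positional argument and is worth confirming. The `when:` on that task wraps its expression in `{{ }}`, which Ansible warns about; `when: groups['odfeescontainers'][0] in inventory_hostname` expresses the same test.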
diff --git a/roles/odfees/tasks/main.yml b/roles/odfees/tasks/main.yml
index 016e878..50f6080 100644
--- a/roles/odfees/tasks/main.yml
+++ b/roles/odfees/tasks/main.yml
@@ -1,8 +1,12 @@
 ---
 
+- include: init.yml
+  tags:
+   - init
 - include: start.yml
   tags:
    - start
+   - init
 - include: stop.yml
   tags:
    - stop
diff --git a/roles/odfees/tasks/start.yml b/roles/odfees/tasks/start.yml
index 622a1cd..953b53f 100644
--- a/roles/odfees/tasks/start.yml
+++ b/roles/odfees/tasks/start.yml
@@ -1,81 +1,5 @@
 ---
 
-- name: Copy cacert to ca-trust dir
-  remote_user: root
-  copy:
-    src: "{{playbook_dir}}/secrets/CA/ca.crt"
-    dest: /etc/pki/ca-trust/source/anchors/ca.crt
-
-- name: Install cacert to root truststore
-  remote_user: root
-  command: "update-ca-trust"
-
-- name: Copy certificates in odfe conf dir
-  remote_user: elasticsearch
-  copy:
-    src:  "{{ item }}"
-    dest: "config/"
-    mode: 0600
-  with_items:
-    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12"
-    - "{{playbook_dir}}/secrets/CA/cacerts.jks"
-    - "{{playbook_dir}}/secrets/CA/private/{{soctools_users[0].CN}}.p12"
-
-- name: Configure sysconfig
-  remote_user: elasticsearch
-  template:
-    src: sysconfig_elasticsearch.j2
-    dest: sysconfig_elasticsearch
-
-- name: Copy sysconfig to /etc
-  remote_user: elasticsearch
-  command: "cp sysconfig_elasticsearch /etc/sysconfig/elasticsearch"
-
-- name: Configure odfe properties
-  remote_user: elasticsearch
-  template:
-    src: "config/{{item}}.j2"
-    dest: "config/{{item}}"
-  with_items:
-    - elasticsearch.yml
-    - jvm.options
-    - log4j2.properties
-
-- name: Change password for admin
-  remote_user: elasticsearch
-  command: "bash plugins/opendistro_security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/odfees_adminpass')}}"
-  register: adminhash
-  # when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname"
-
-- set_fact:
-    adminhashpwd: "{{ adminhash.stdout }}"
-    #adminhashpwd: "{{ hostvars[groups['odfeescontainers'][0]]['adminhash.stdout'] }}"
-  remote_user: elasticsearch
-
-- name: Change password for cortex
-  remote_user: elasticsearch
-  command: "bash plugins/opendistro_security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_odfe')}}"
-  register: cortexhash
-  # when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname"
-
-- set_fact:
-    cortexhashpwd: "{{ cortexhash.stdout }}"
-    #adminhashpwd: "{{ hostvars[groups['odfeescontainers'][0]]['adminhash.stdout'] }}"
-  remote_user: elasticsearch
-
-- name: Configure opendistro_security properties
-  remote_user: elasticsearch
-  template:
-    src: "securityconfig/{{item}}.j2"
-    dest: "plugins/opendistro_security/securityconfig/{{item}}"
-  with_items:
-    - internal_users.yml
-    - config.yml
-    - roles_mapping.yml
-
-#- name: Exit here to test ODFE
-#  meta: end_play
-
 - name: Start OpenDistro for Elasticsearch
   remote_user: root
   command: "supervisorctl start odfe"
@@ -88,15 +12,3 @@
     state: started
     delay: 5
 
-- name: Configure OpenDistro security
-  remote_user: elasticsearch
-  command: "bash ./plugins/opendistro_security/tools/securityadmin.sh -h {{groups['odfeescontainers'][0]}} -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -ks '/usr/share/elasticsearch/config/{{soctools_users[0].CN}}.p12' -kspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} {{lookup('password','{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} -ts /usr/share/elasticsearch/config/cacerts.jks -tspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} -cn soctools-cluster"
-  when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname"
-
-- name: Set Autostart for supervisord's services
-  remote_user: root
-  replace:
-    path: /etc/supervisord.conf
-    regexp: '^autostart=false$'
-    replace: 'autostart=true'
-
diff --git a/roles/odfekibana/tasks/init.yml b/roles/odfekibana/tasks/init.yml
new file mode 100644
index 0000000..a6b8b05
--- /dev/null
+++ b/roles/odfekibana/tasks/init.yml
@@ -0,0 +1,114 @@
+---
+
+- name: Copy cacert to ca-trust dir
+  remote_user: root
+  copy:
+    src: "{{playbook_dir}}/secrets/CA/ca.crt"
+    dest: /etc/pki/ca-trust/source/anchors/ca.crt
+
+- name: Install cacert to root truststore
+  remote_user: root
+  command: "update-ca-trust"
+
+- name: Copy certificates in odfe kibana conf dir
+  remote_user: kibana
+  copy:
+    src:  "{{ item }}"
+    dest: "config/"
+    mode: 0600
+  with_items:
+    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12"
+    - "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
+    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
+    - "{{playbook_dir}}/secrets/CA/cacerts.jks"
+    - "{{playbook_dir}}/secrets/CA/ca.crt"
+    - "{{playbook_dir}}/secrets/CA/private/{{soctools_users[0].CN}}.p12"
+
+- name: Get openid authkey
+  remote_user: kibana
+  set_fact:
+    kibanasecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/kibanasecret',convert_data=False) | from_json }}"
+
+- name: Configure odfe kibana properties
+  remote_user: kibana
+  template:
+    src: "{{item}}.j2"
+    dest: "config/{{item}}"
+  with_items:
+    - kibana.yml
+
+- name: Configure odfe kibana start script
+  remote_user: kibana
+  template:
+    src: "{{item}}.j2"
+    dest: "{{item}}"
+    mode: 0750
+  with_items:
+    - startkibana.sh
+
+- name: Generate configuration for thehive_button plugin
+  remote_user: kibana
+  template:
+    src: files/env.js.j2
+    dest: "/usr/share/kibana/plugins/thehive_button/public/env.js"
+    owner: kibana
+    group: kibana
+
+
+- name: Start Kibana
+  remote_user: root
+  shell: "supervisorctl start kibana"
+
+- name: Wait for Kibana
+  remote_user: kibana
+  wait_for:
+    host: "{{groups['odfekibanacontainers'][0]}}"
+    port: 5601
+    state: started
+    delay: 5
+
+- name: Check Kibana health
+  remote_user: kibana
+  shell: 'curl -k -b /tmp/cookie.txt -c /tmp/cookie.txt -X "GET" "https://{{soctoolsproxy}}:5601/api/status" \
+              | egrep status....overall....state...green'
+  register: result
+  until: result.rc == 0
+  retries: 90
+  delay: 2
+  ignore_errors: yes
+
+- name: Copy kibana_graphs.ndjson to container
+  remote_user: kibana
+  template:
+    src: "kibana_graphs.ndjson.j2"
+    dest: /tmp/kibana_graphs.ndjson
+
+- name: Import graphs to kibana
+  remote_user: kibana
+  shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/saved_objects/_import?overwrite=true" \
+          -b /tmp/cookie.txt -c /tmp/cookie.txt \
+          -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/odfees_adminpass")}} \
+          -H "kbn-xsrf: reporting" -H "Content-Type: multipart/form-data" \
+          -F "file=@/tmp/kibana_graphs.ndjson"'
+  ignore_errors: True
+
+- name: Copy role modification json to container
+  remote_user: kibana
+  template:
+    src: "role.json.j2"
+    dest: /tmp/role.json
+
+- name: Grant admin permissions to users
+  remote_user: kibana
+  shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/v1/configuration/rolesmapping/all_access" \
+          -b /tmp/cookie.txt -c /tmp/cookie.txt \
+          -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/odfees_adminpass")}} \
+          -H "kbn-xsrf: reporting" -H "Content-Type: application/json" \
+          -d @/tmp/role.json'
+
+- name: Set Autostart for supervisord's services
+  replace:
+    path: /etc/supervisord.conf
+    regexp: '^autostart=false$'
+    replace: 'autostart=true'
+
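Review bot: The `Import graphs to kibana` and `Grant admin permissions to users` tasks send `--user admin:…` with `-k`, so the admin password goes out without verifying the proxy's certificate, even though the first two tasks of this file install the CA into the system trust store. If the certificate served for `{{soctoolsproxy}}` is issued by that CA, drop `-k` (or pass `--cacert /etc/pki/ca-trust/source/anchors/ca.crt`). The password is also on the command line and the session cookie is written to the fixed path `/tmp/cookie.txt`; `no_log: true` on the two POST tasks and a cookie file in a directory private to the `kibana` user would limit exposure. `Import graphs to kibana` additionally has `ignore_errors: True`, so a failed or rejected import passes silently.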
diff --git a/roles/odfekibana/tasks/main.yml b/roles/odfekibana/tasks/main.yml
index 1662efd..671f2b9 100644
--- a/roles/odfekibana/tasks/main.yml
+++ b/roles/odfekibana/tasks/main.yml
@@ -1,8 +1,12 @@
 ---
 
+- include: init.yml
+  tags:
+   - init
 - include: start.yml
   tags:
    - start
+   - init
 - include: stop.yml
   tags:
    - stop
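Review bot: The added `- include: init.yml` entry uses the bare `include` action, which Ansible has deprecated in favour of `import_tasks` and `include_tasks`. The same applies to the `init.yml` include added in roles/thehive/tasks/main.yml. Since this file selects task files purely by tag, `- import_tasks: init.yml` is the form where the `init` tag is inherited by every task inside the file. With `include_tasks` the tag would only cover the include statement itself. The existing entries in the file use `include` as well, so converting them together would keep it consistent.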
diff --git a/roles/odfekibana/tasks/restart.yml b/roles/odfekibana/tasks/restart.yml
index 7ef3390..cadeb7e 100644
--- a/roles/odfekibana/tasks/restart.yml
+++ b/roles/odfekibana/tasks/restart.yml
@@ -22,11 +22,3 @@
   delay: 2
   ignore_errors: yes
 
-- name: Import graphs to kibana
-  remote_user: kibana
-  shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/saved_objects/_import?overwrite=true" \
-          -b /tmp/cookie.txt -c /tmp/cookie.txt \
-          -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/odfees_adminpass")}} \
-          -H "kbn-xsrf: reporting" -H "Content-Type: multipart/form-data" \
-          -F "file=@/tmp/kibana_graphs.ndjson"'
-
diff --git a/roles/odfekibana/tasks/start.yml b/roles/odfekibana/tasks/start.yml
index a067386..b22cd0d 100644
--- a/roles/odfekibana/tasks/start.yml
+++ b/roles/odfekibana/tasks/start.yml
@@ -1,83 +1,5 @@
 ---
 
-#- name: Create config directory
-#  file:
-#    name: config
-#    state: directory
-#    mode: 0700
-
-- name: Copy cacert to ca-trust dir
-  remote_user: root
-  copy:
-    src: "{{playbook_dir}}/secrets/CA/ca.crt"
-    dest: /etc/pki/ca-trust/source/anchors/ca.crt
-
-- name: Install cacert to root truststore
-  remote_user: root
-  command: "update-ca-trust"
-
-- name: Copy certificates in odfe kibana conf dir
-  remote_user: kibana
-  copy:
-    src:  "{{ item }}"
-    dest: "config/"
-    mode: 0600
-  with_items:
-    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12"
-    - "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
-    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
-    - "{{playbook_dir}}/secrets/CA/cacerts.jks"
-    - "{{playbook_dir}}/secrets/CA/ca.crt"
-    - "{{playbook_dir}}/secrets/CA/private/{{soctools_users[0].CN}}.p12"
-
-- name: Get openid authkey
-  remote_user: kibana
-  set_fact:
-    kibanasecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/kibanasecret',convert_data=False) | from_json }}"
-
-#- name: Configure sysconfig
-#  template:
-#    src: sysconfig_elasticsearch.j2
-#    dest: sysconfig_elasticsearch
-#
-#- name: Copy sysconfig to /etc
-#  command: "cp sysconfig_elasticsearch /etc/sysconfig/elasticsearch"
-
-#  lineinfile:
-#    path: /etc/sysconfig/elasticsearch
-#    regexp: '^ES_PATH_CONF='
-#    line: ES_PATH_CONF=/usr/share/elasticsearch/config
-
-- name: Configure odfe kibana properties
-  remote_user: kibana
-  template:
-    src: "{{item}}.j2"
-    dest: "config/{{item}}"
-  with_items:
-    - kibana.yml
-
-- name: Configure odfe kibana start script
-  remote_user: kibana
-  template:
-    src: "{{item}}.j2"
-    dest: "{{item}}"
-    mode: 0750
-  with_items:
-    - startkibana.sh
-
-#- name: Exit here to test ODFE
-#  meta: end_play
-
-
-- name: Generate configuration for thehive_button plugin
-  remote_user: kibana
-  template:
-    src: files/env.js.j2
-    dest: "/usr/share/kibana/plugins/thehive_button/public/env.js"
-    owner: kibana
-    group: kibana
-
-
 - name: Start Kibana
   remote_user: root
   shell: "supervisorctl start kibana"
@@ -100,68 +22,3 @@
   delay: 2
   ignore_errors: yes
 
-#- name: Copy tenant.json to container
-#  remote_user: kibana
-#  copy:
-#    src: "files/tenant.json"
-#    dest: /tmp/tenant.json
-#
-#- name: change tenant to global
-#  shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/v1/multitenancy/tenant" \
-#         -b /tmp/cookie.txt -c /tmp/cookie.txt \
-#         -k --user admin:{{ odfees_adminpass }} \
-#         -H "kbn-xsrf: reporting" -H "Content-Type: application/json" \
-#         -d @/tmp/tenant.json'
-
-- name: Copy kibana_graphs.ndjson to container
-  remote_user: kibana
-  template:
-    src: "kibana_graphs.ndjson.j2"
-    dest: /tmp/kibana_graphs.ndjson
-
-- name: Import graphs to kibana
-  remote_user: kibana
-  shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/saved_objects/_import?overwrite=true" \
-          -b /tmp/cookie.txt -c /tmp/cookie.txt \
-          -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/odfees_adminpass")}} \
-          -H "kbn-xsrf: reporting" -H "Content-Type: multipart/form-data" \
-          -F "file=@/tmp/kibana_graphs.ndjson"'
-  ignore_errors: True
-
-- name: Copy role modification json to container
-  remote_user: kibana
-  template:
-    src: "role.json.j2"
-    dest: /tmp/role.json
-
-- name: Grant admin permissions to users
-  remote_user: kibana
-  shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/v1/configuration/rolesmapping/all_access" \
-          -b /tmp/cookie.txt -c /tmp/cookie.txt \
-          -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/odfees_adminpass")}} \
-          -H "kbn-xsrf: reporting" -H "Content-Type: application/json" \
-          -d @/tmp/role.json'
-
-#- name: cleanup temporary files for kibana_graph import
-#  shell: '/bin/rm -rf /tmp/cookie.txt /tmp/kibana_graphs.ndjson /tmp/tenant.json'
-#  ignore_errors: true
-
-#- name: check reachable hosts
-#  gather_facts: no
-#  tasks:
-#    - command: ping -c1 {{ inventory_hostname }}
-#      delegate_to: localhost
-#      register: ping_result
-#      ignore_errors: yes
-#    - group_by: key=reachable
-#      when: ping_result|success
-
-#- name: Stop OpenDistro Kibana for Elasticsearch
-#  command: "pkill -SIGTERM -F {{inventory_hostname}}.pid"
-
-- name: Set Autostart for supervisord's services
-  replace:
-    path: /etc/supervisord.conf
-    regexp: '^autostart=false$'
-    replace: 'autostart=true'
-
diff --git a/roles/thehive/tasks/init.yml b/roles/thehive/tasks/init.yml
new file mode 100644
index 0000000..97993c8
--- /dev/null
+++ b/roles/thehive/tasks/init.yml
@@ -0,0 +1,49 @@
+---
+
+- name: Copy cacert to ca-trust dir
+  remote_user: root
+  copy:
+    src: "{{playbook_dir}}/secrets/CA/ca.crt"
+    dest: /etc/pki/ca-trust/source/anchors/ca.crt
+
+- name: Install cacert to root truststore
+  remote_user: root
+  command: "update-ca-trust"
+
+- name: Copy certificate in thehive conf dir
+  copy:
+    src:  "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
+    dest: "/etc/thehive/{{ inventory_hostname }}.crt"
+    mode: 0600
+
+- name: Copy certificate key in thehive conf dir
+  copy:
+    src:  "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
+    dest: "/etc/thehive/{{ inventory_hostname }}.key"
+    mode: 0600
+
+- name: Copy CA certificates in thehive conf dir
+  copy:
+    src:  "{{playbook_dir}}/secrets/CA/{{ item }}"
+    dest: "/etc/thehive/{{ item }}"
+    mode: 0600
+  with_items:
+    - "cacerts.jks"
+    - "ca.crt"
+
+- name: Get openid authkey
+  set_fact:
+    thehivesecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/thehivesecret',convert_data=False) | from_json}}"
+
+- name: Configure TheHive
+  remote_user: thehive
+  template:
+    src: application.conf.j2
+    dest: /etc/thehive/application.conf
+
+- name: Set Autostart for supervisord's services
+  replace:
+    path: /etc/supervisord.conf
+    regexp: '^autostart=false$'
+    replace: 'autostart=true'
+
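Review bot: The `Configure TheHive` task writes `/etc/thehive/application.conf` without a `mode`, while the certificate and key copies above it are pinned to 0600. The `Get openid authkey` task just before it loads `thehivesecret`, which is presumably rendered into that file, so its permissions would be left to the remote umask. I would add `mode: "0600"` to the template task. The three copy tasks also set neither `owner` nor `remote_user`, so whether the service account can read the 0600 private key depends on the play's connecting user, and `owner: thehive` would make that explicit. Writing the modes as quoted strings (`mode: "0600"`) also avoids relying on YAML octal parsing.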
diff --git a/roles/thehive/tasks/main.yml b/roles/thehive/tasks/main.yml
index def4e3d..ef9011e 100644
--- a/roles/thehive/tasks/main.yml
+++ b/roles/thehive/tasks/main.yml
@@ -1,20 +1,24 @@
 ---
 
+- include: init.yml
+  tags:
+   - init
 - include: start.yml
   tags:
    - start
+   - init
 - include: adminuser.yml
   tags:
-   - start
+   - init
 - include: organization.yml
   tags:
-   - start
+   - init
 - include: kibanauser.yml
   tags:
-   - start
+   - init
 - include: createusers.yml
   tags:
-   - start
+   - init
    - create-thehive-users
    - createusers
 - include: stop.yml
diff --git a/roles/thehive/tasks/start.yml b/roles/thehive/tasks/start.yml
index 9521b57..f5f467b 100644
--- a/roles/thehive/tasks/start.yml
+++ b/roles/thehive/tasks/start.yml
@@ -1,46 +1,5 @@
 ---
 
-- name: Copy cacert to ca-trust dir
-  remote_user: root
-  copy:
-    src: "{{playbook_dir}}/secrets/CA/ca.crt"
-    dest: /etc/pki/ca-trust/source/anchors/ca.crt
-
-- name: Install cacert to root truststore
-  remote_user: root
-  command: "update-ca-trust"
-
-- name: Copy certificate in thehive conf dir
-  copy:
-    src:  "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
-    dest: "/etc/thehive/{{ inventory_hostname }}.crt"
-    mode: 0600
-
-- name: Copy certificate key in thehive conf dir
-  copy:
-    src:  "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
-    dest: "/etc/thehive/{{ inventory_hostname }}.key"
-    mode: 0600
-
-- name: Copy CA certificates in thehive conf dir
-  copy:
-    src:  "{{playbook_dir}}/secrets/CA/{{ item }}"
-    dest: "/etc/thehive/{{ item }}"
-    mode: 0600
-  with_items:
-    - "cacerts.jks"
-    - "ca.crt"
-
-- name: Get openid authkey
-  set_fact:
-    thehivesecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/thehivesecret',convert_data=False) | from_json}}"
-
-- name: Configure TheHive
-  remote_user: thehive
-  template:
-    src: application.conf.j2
-    dest: /etc/thehive/application.conf
-
 - name: Start TheHive
   remote_user: root
   command: "supervisorctl start thehive"
@@ -53,9 +12,4 @@
     state: started
     delay: 5
 
-- name: Set Autostart for supervisord's services
-  replace:
-    path: /etc/supervisord.conf
-    regexp: '^autostart=false$'
-    replace: 'autostart=true'
 
diff --git a/soctools.yml b/soctools.yml
index 4e7f89b..8074042 100644
--- a/soctools.yml
+++ b/soctools.yml
@@ -1,5 +1,13 @@
 ---
 
+- name: Manage Docker Containers
+  import_playbook: dockercontainers.yml
+  when: "'start-docker-containers' in ansible_run_tags or 'stop-docker-containers' in ansible_run_tags"
+
+- name: Init and start soctools cluster
+  import_playbook: initsoctools.yml
+  when: "'init' in ansible_run_tags or 'config' in ansible_run_tags"
+
 - name: Start soctools cluster
   import_playbook: startsoctools.yml
   when: "'start' in ansible_run_tags or 'config' in ansible_run_tags"
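Review bot: Both the new `Init and start soctools cluster` import and the existing `Start soctools cluster` import are enabled by `'config' in ansible_run_tags`. A `--tags config` run would therefore pull in initsoctools.yml and startsoctools.yml and pass through each role twice. Whether any task actually runs twice depends on which tasks carry the `config` tag, which is not visible in this hunk. If configuration is meant to be applied once, keep `config` on only one of the conditions, for example `when: "'init' in ansible_run_tags"` on the init import. A one-line comment above each import naming the tags it serves would make the intended entry points clear.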
diff --git a/startsoctools.yml b/startsoctools.yml
index fec35b6..2549876 100644
--- a/startsoctools.yml
+++ b/startsoctools.yml
@@ -1,62 +1,52 @@
 ---
 
-- name: Start docker containers 
-  hosts: soctoolsmain
-  roles:
-    - docker
-
-- name: Reconfigure and start haproxy
+- name: Start haproxy
   hosts: haproxy
   roles:
     - haproxy
 
-- name: Reconfigure and start mysql
+- name: Start mysql
   hosts: mysql
   roles:
     - mysql
 
-- name: Reconfigure and start Cassandra
+- name: Start Cassandra
   hosts: cassandra
   roles:
     - cassandra
 
-- name: Reconfigure and start Keycloak
+- name: Start Keycloak
   hosts: keycloakcontainers
   roles:
     - keycloak
 
-- name: Reconfigure and start MISP
+- name: Start MISP
   hosts: mispcontainers
   roles:
     - misp
 
-- name: Reconfigure and start NiFi
+- name: Start NiFi
   hosts: nificontainers
   roles:
     - nifi
 
-- name: Reconfigure and start TheHive
+- name: Start TheHive
   hosts: thehive
   roles:
     - thehive
 
-- name: Reconfigure and start Cortex
+- name: Start Cortex
   hosts: cortex
   roles:
     - cortex
 
-- name: Reconfigure and start OpenDistro for Elasticsearch
+- name: Start OpenDistro for Elasticsearch
   hosts: odfeescontainers
   roles:
     - odfees
 
-- name: Reconfigure and start OpenDistro Kibana for Elasticsearch
+- name: Start OpenDistro Kibana for Elasticsearch
   hosts: odfekibanacontainers
   roles:
     - odfekibana
 
-- name: Install and run filebeat
-  hosts: filebeat
-  roles:
-    - filebeat
-
diff --git a/stopsoctools.yml b/stopsoctools.yml
index 5bd1217..8d28f6e 100644
--- a/stopsoctools.yml
+++ b/stopsoctools.yml
@@ -5,8 +5,52 @@
   roles:
     - nifi
 
-- name: Stop all containers
-  hosts: soctoolsmain
+- name: Stop haproxy
+  hosts: haproxy
   roles:
-    - docker
+    - haproxy
 
+- name: Stop mysql
+  hosts: mysql
+  roles:
+    - mysql
+
+- name: Stop Cassandra
+  hosts: cassandra
+  roles:
+    - cassandra
+
+- name: Stop Keycloak
+  hosts: keycloakcontainers
+  roles:
+    - keycloak
+
+- name: Stop MISP
+  hosts: mispcontainers
+  roles:
+    - misp
+
+- name: Stop NiFi
+  hosts: nificontainers
+  roles:
+    - nifi
+
+- name: Stop TheHive
+  hosts: thehive
+  roles:
+    - thehive
+
+- name: Stop Cortex
+  hosts: cortex
+  roles:
+    - cortex
+
+- name: Stop OpenDistro for Elasticsearch
+  hosts: odfeescontainers
+  roles:
+    - odfees
+
+- name: Stop OpenDistro Kibana for Elasticsearch
+  hosts: odfekibanacontainers
+  roles:
+    - odfekibana
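Review bot: The added stop plays run in the same order as the start plays (haproxy, mysql, Cassandra, Keycloak, MISP, NiFi, TheHive, Cortex, Elasticsearch, Kibana). The backing stores therefore go down before the services that presumably still hold connections to them, for example Cassandra before TheHive and mysql before Keycloak and MISP. Reversing the list, with haproxy and the databases last, would give a cleaner shutdown. Separately, the context lines at the top of the hunk end a play that already applies the `nifi` role, and a `Stop NiFi` play is added further down. That earlier play's header is outside the hunk, but if it also targets `nificontainers`, NiFi is stopped twice and one of the two plays can be dropped.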
-- 
GitLab