diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index da6e6b4415e22821f3be4befb6701e4cdce87ea9..63e2668eb6931d9803715d21ec09fc0a679c8fd5 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -1,6 +1,8 @@ --- -soctoolsproxy: "arne-centos2.cert-labs.uninett.no" +soctoolsproxy: "<CHANGE_ME:hostname>" + +docker_build_dir: "{{playbook_dir}}/build" # TheHive Button plugin THEHIVE_URL: "https://hive.gn4-3-wp8-soc.sunet.se/" @@ -10,7 +12,7 @@ THEHIVE_OWNER: "admin" soctools_netname: "soctoolsnet" soctools_network: "172.22.0.0/16" -repo: gn43-dsl +repo: soctools version: 7 suffix: a20201004 @@ -45,14 +47,10 @@ cassandra_img: "{{repo}}/cassandra:{{version}}{{suffix}}" thehive_name: "soctools-thehive" thehive_img: "{{repo}}/thehive:{{version}}{{suffix}}" -# GENERATED WITH cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1 -thehive_secret_key: "LcnI9eKLo33711BmCnzf6UM1y05pdmj3dlADL81PxuffWqhobRoiiGFftjNPKpmM" cortex_name: "soctools-cortex" cortex_img: "{{repo}}/cortex:{{version}}{{suffix}}" cortex_elasticsearch_mem: "256m" -# GENERATED WITH cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1 -cortex_secret_key: "9CZ844IcAp5dHjsgU4iuaEssdopLcS6opzhVP3Ys4t4eRpNlHmwZdtfveLEXpM9D" sysctlconfig: - { key: "net.core.rmem_max", val: "4194304" } @@ -69,8 +67,6 @@ ca_cn: "SOCTOOLS-CA" odfees_img: "{{repo}}/odfees:{{version}}{{suffix}}" odfekibana_img: "{{repo}}/odfekibana:{{version}}{{suffix}}" -# GENERATE 32-bit secure value -odfekibana_cookie: "iroAm0ueIV7w6CS1WcJTwIV6R4d5RIAt" #elk_version: "oss-7.6.1" elk_version: "oss-7.4.2" #odfeplugin_version: "1.7.0.0" 
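Review bot: The `<CHANGE_ME:hostname>` placeholder for `soctoolsproxy` is only safe if something refuses to run while it is still in place; the assert in roles/build/tasks/main.yml (`fail_msg: "Review *all* settings in group_vars/all/main.yml"`) is the natural guard, but its condition is outside this diff, so I cannot tell whether it covers this key. A line such as `- soctoolsproxy is not search("CHANGE_ME")` in that assert's `that:` list would make the placeholder fail fast instead of being rendered into `opendistro_security.openid.base_redirect_url` in kibana.yml.j2. A comment above the key, `# Public hostname of the proxy; service redirect URLs are built from it`, would tell operators what the value feeds.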
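Review bot: Removing `thehive_secret_key` and `cortex_secret_key` here, and `odfekibana_cookie` in the @@ -69 hunk, is the right direction, but those values remain in git history, so any deployment that ran with them should be re-keyed rather than treated as still secret. The replacements are generated by `lookup('password', '{{playbook_dir}}/secrets/passwords/...')` into a directory under the playbook; the diff shows no ignore rule for `secrets/`, so please confirm that path is excluded from version control before a first run creates the files. A comment at the point where the keys were removed, `# Play/Kibana secrets are now generated on first run into {{playbook_dir}}/secrets/passwords by the password lookup; keep that directory out of VCS`, would document the new location.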
@@ -89,6 +85,20 @@ maxmind_key: "" misp_dbname: "mispdb" misp_dbuser: "misp" -# misp_salt generated with: openssl rand -base64 32 -#misp_odic_crypto_pass: 1234567890 #TODO: Generate dynamically -#misp_crypto_pass: 1234567890 #TODO: Generate dynamically + +services: + - mysql + - haproxy + - openjdk + - zookeeper + - nifi + - elasticsearch + - kibana + - odfees + - odfekibana + - keycloak + - misp + - cassandra + - thehive + - cortex + diff --git a/roles/build/files/cassandrasupervisord.conf b/roles/build/files/cassandra/cassandrasupervisord.conf similarity index 100% rename from roles/build/files/cassandrasupervisord.conf rename to roles/build/files/cassandra/cassandrasupervisord.conf diff --git a/roles/build/files/cortexsupervisord.conf b/roles/build/files/cortex/cortexsupervisord.conf similarity index 100% rename from roles/build/files/cortexsupervisord.conf rename to roles/build/files/cortex/cortexsupervisord.conf diff --git a/roles/build/files/haproxysupervisord.conf b/roles/build/files/haproxy/haproxysupervisord.conf similarity index 100% rename from roles/build/files/haproxysupervisord.conf rename to roles/build/files/haproxy/haproxysupervisord.conf diff --git a/roles/build/files/keycloaksupervisord.conf b/roles/build/files/keycloak/keycloaksupervisord.conf similarity index 100% rename from roles/build/files/keycloaksupervisord.conf rename to roles/build/files/keycloak/keycloaksupervisord.conf diff --git a/roles/build/files/kibanasupervisord.conf b/roles/build/files/kibana/kibanasupervisord.conf similarity index 100% rename from roles/build/files/kibanasupervisord.conf rename to roles/build/files/kibana/kibanasupervisord.conf diff --git a/roles/build/files/misp_rh-php72-php-fpm b/roles/build/files/misp/misp_rh-php72-php-fpm similarity index 100% rename from roles/build/files/misp_rh-php72-php-fpm rename to roles/build/files/misp/misp_rh-php72-php-fpm 
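Review bot: The new `services` list is iterated sequentially by `with_items` in roles/build/tasks/main.yml for both the Dockerfile templating and the `docker build` step, so its order has become the build order, and images whose base is an earlier entry depend on it (the kibana Dockerfile in this commit starts `FROM {{repo}}/centos:...`, and odfees/odfekibana presumably build on elasticsearch/kibana, though their Dockerfiles are not shown). That constraint is invisible in a bare list; a comment above it, `# Build order for roles/build: an image must come after any entry it is built FROM (e.g. odfees after elasticsearch, odfekibana after kibana)`, would stop a future re-sort from breaking the build.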
diff --git a/roles/build/files/misp/mispstart.sh b/roles/build/files/misp/mispstart.sh new file mode 100644 index 0000000000000000000000000000000000000000..d6a5fc0fc4f104e832265adc1ebfefa722e289ac --- /dev/null +++ b/roles/build/files/misp/mispstart.sh @@ -0,0 +1,25 @@ +#!/usr/bin/env bash +#dockerfile from ansible + +# Check if run as root +if [ "$EUID" -eq 0 ]; then + echo "Please DO NOT run the worker script as root" + exit 1 +fi + +PATH_TO_MISP='/var/www/MISP' +RUN_PHP="/usr/bin/scl enable rh-php72" +PHP_INI="/etc/opt/rh/rh-php72/php.ini" +CAKE="${PATH_TO_MISP}/app/Console/cake" + +# Extract base directory where this script is and cd into it +cd "${0%/*}" +$RUN_PHP -- $CAKE CakeResque.CakeResque stop --all +$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue default +$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue prio +$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue cache +$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue email +$RUN_PHP -- $CAKE CakeResque.CakeResque start --interval 5 --queue update +$RUN_PHP -- $CAKE CakeResque.CakeResque startscheduler --interval 5 + +exit 0 diff --git a/roles/build/files/mispsupervisord.conf b/roles/build/files/misp/mispsupervisord.conf similarity index 100% rename from roles/build/files/mispsupervisord.conf rename to roles/build/files/misp/mispsupervisord.conf diff --git a/roles/build/files/mysqlsupervisord.conf b/roles/build/files/mysql/mysqlsupervisord.conf similarity index 100% rename from roles/build/files/mysqlsupervisord.conf rename to roles/build/files/mysql/mysqlsupervisord.conf diff --git a/roles/build/files/nifisupervisord.conf b/roles/build/files/nifi/nifisupervisord.conf similarity index 100% rename from roles/build/files/nifisupervisord.conf rename to roles/build/files/nifi/nifisupervisord.conf 
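Review bot: `cd "${0%/*}"` is unchecked: when the script is invoked by bare name, `${0%/*}` expands to the script name itself, the cd fails silently and the CakeResque commands run from whatever the current directory happens to be; `cd "${0%/*}" || exit 1` closes that. The unconditional `exit 0` also hides any failure of the `start` lines from whatever launches this script (the misp supervisord config is renamed in this commit but not shown), so the container can report success with no workers running; dropping the `exit 0` so the status of the last start is returned is the smallest fix. `$RUN_PHP` and `$CAKE` are deliberately unquoted so that `scl enable rh-php72` word-splits, which deserves a one-line comment because shellcheck will flag it. The header `#dockerfile from ansible` no longer describes the file, which is now a static file under roles/build/files rather than a rendered template; `# Starts the MISP CakeResque worker queues; must run as the web user, not root` would be accurate.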
diff --git a/roles/build/files/odfesupervisord.conf b/roles/build/files/odfees/odfesupervisord.conf similarity index 100% rename from roles/build/files/odfesupervisord.conf rename to roles/build/files/odfees/odfesupervisord.conf diff --git a/roles/build/files/thehivesupervisord.conf b/roles/build/files/thehive/thehivesupervisord.conf similarity index 100% rename from roles/build/files/thehivesupervisord.conf rename to roles/build/files/thehive/thehivesupervisord.conf diff --git a/roles/build/files/zookeepersupervisord.conf b/roles/build/files/zookeeper/zookeepersupervisord.conf similarity index 100% rename from roles/build/files/zookeepersupervisord.conf rename to roles/build/files/zookeeper/zookeepersupervisord.conf diff --git a/roles/build/tasks/cassandra.yml b/roles/build/tasks/cassandra.yml deleted file mode 100644 index 1c0a2c6930135fe01a0e9e872e036f6c911eccd3..0000000000000000000000000000000000000000 --- a/roles/build/tasks/cassandra.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: Configure the cassandra Dockerfile - template: - src: cassandra/Dockerfile.j2 - dest: "{{role_path}}/files/cassandraDockerfile" - -- name: Build cassandra image - command: docker build -t {{repo}}/cassandra:{{version}}{{suffix}} -f {{role_path}}/files/cassandraDockerfile {{role_path}}/files - - diff --git a/roles/build/tasks/cortex.yml b/roles/build/tasks/cortex.yml deleted file mode 100644 index 9a5adbef67cf1fee1f7eb48f23e4d083a8c6631d..0000000000000000000000000000000000000000 --- a/roles/build/tasks/cortex.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: Configure the Cortex Dockerfile - template: - src: cortex/Dockerfile.j2 - dest: "{{role_path}}/files/cortexDockerfile" - -- name: Build the Cortex image - command: docker build -t {{repo}}/cortex:{{version}}{{suffix}} -f {{role_path}}/files/cortexDockerfile {{role_path}}/files - - 
diff --git a/roles/build/tasks/haproxy.yml b/roles/build/tasks/haproxy.yml deleted file mode 100644 index 9cb45f840be6ad255b6420abcabc83fbed79b96a..0000000000000000000000000000000000000000 --- a/roles/build/tasks/haproxy.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- name: Configure the haproxy Dockerfile - template: - src: haproxy/Dockerfile.j2 - dest: "{{role_path}}/files/haproxyDockerfile" - -- name: Build haproxy image - command: docker build -t {{repo}}/haproxy:{{version}}{{suffix}} -f {{role_path}}/files/haproxyDockerfile {{role_path}}/files - diff --git a/roles/build/tasks/keycloak.yml b/roles/build/tasks/keycloak.yml deleted file mode 100644 index f7a7c2b1989bf013e7a23a1646e7d7e62500098e..0000000000000000000000000000000000000000 --- a/roles/build/tasks/keycloak.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -- name: Configure the keycloak Dockerfile - template: - src: keycloak/Dockerfile.j2 - dest: "{{role_path}}/files/keycloakDockerfile" - -- name: Copy tools to build path - command: "cp -av {{role_path}}/templates/keycloak/keycloak-tools/ {{role_path}}/files/keycloak-tools/" - -- name: Build keycloak image - command: docker build -t {{repo}}/keycloak:{{version}}{{suffix}} -f {{role_path}}/files/keycloakDockerfile {{role_path}}/files - -- name: Remove tools from build path - file: - path: "{{role_path}}/files/keycloak-tools/" - state: absent - diff --git a/roles/build/tasks/main.yml b/roles/build/tasks/main.yml index e08a9cf271fd3bab9ba3b2f72f87e2eec3efdc54..eee4ba0ee19f8eda382bed26c1e9dacf11706469 100644 --- a/roles/build/tasks/main.yml +++ b/roles/build/tasks/main.yml 
@@ -6,15 +6,41 @@ fail_msg: "Review *all* settings in group_vars/all/main.yml" - include: centos.yml -- include: mysql.yml -- include: haproxy.yml -- include: openjdk.yml -- include: zookeeper.yml -- include: nifi.yml -- include: odfees.yml -- include: odfekibana.yml -- include: keycloak.yml -- include: misp.yml -- include: cassandra.yml -- include: thehive.yml -- include: cortex.yml + +- name: Create main build dir + file: + path: "{{docker_build_dir}}" + state: directory + +- name: Create build dir + file: + path: "{{docker_build_dir}}/{{item}}" + state: directory + with_items: "{{services}}" + +- name: Configure the Dockerfile + template: + src: "{{item}}/Dockerfile.j2" + dest: "{{docker_build_dir}}/{{item}}/Dockerfile" + with_items: "{{services}}" + +- name: Copy thehive_button to build path + copy: + src: "{{role_path}}/templates/odfekibana/thehive_button" + dest: "{{docker_build_dir}}/odfekibana/" + +- name: Copy keycloak-tools to build path + copy: + src: "{{role_path}}/templates/keycloak/keycloak-tools" + dest: "{{docker_build_dir}}/keycloak/" + +- name: Copy build files + copy: + src: "files/{{item}}/" + dest: "{{docker_build_dir}}/{{item}}/" + with_items: "{{services}}" + ignore_errors: yes + +- name: Build image + command: docker build -t {{repo}}/{{item}}:{{version}}{{suffix}} -f {{docker_build_dir}}/{{item}}/Dockerfile {{docker_build_dir}}/{{item}} + with_items: "{{services}}" diff --git a/roles/build/tasks/misp.yml b/roles/build/tasks/misp.yml deleted file mode 100644 index 3bfe7c9d9a9757db78964597dbfa4c3bff6aeacf..0000000000000000000000000000000000000000 --- a/roles/build/tasks/misp.yml +++ /dev/null 
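Review bot: `ignore_errors: yes` on "Copy build files" silences every failure of that task, not only the expected "no files/<service>/ directory" case (openjdk and elasticsearch have no such directory in this diff), so a permission or path problem while copying a real supervisord config goes unnoticed until the later `docker build` fails with a less useful message. Testing for the directory on the controller and skipping the copy when it is absent keeps the task strict; a sketch follows, with `delegate_to: localhost` because `copy` reads `src` on the controller. Separately, `yes` should be `true` for yamllint's truthy rule, and the `Build image` `command` task will report changed on every run unless `changed_when` is set. The assert that precedes these tasks starts outside the hunk.

```yaml
- name: Check which services ship build files
  stat:
    path: "{{role_path}}/files/{{item}}"
  register: service_build_files
  delegate_to: localhost
  with_items: "{{services}}"

- name: Copy build files
  copy:
    src: "files/{{item.item}}/"
    dest: "{{docker_build_dir}}/{{item.item}}/"
  with_items: "{{service_build_files.results}}"
  when: item.stat.exists

# … unchanged: Build image task …
```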
@@ -1,15 +0,0 @@ ---- - -- name: Configure the misp Dockerfile - template: - src: misp/Dockerfile.j2 - dest: "{{role_path}}/files/mispDockerfile" - -- name: Configure the misp worker startscript - template: - src: misp/start.sh.j2 - dest: "{{role_path}}/files/mispstart.sh" - -- name: Build misp image - command: docker build -t {{repo}}/misp:{{version}}{{suffix}} -f {{role_path}}/files/mispDockerfile {{role_path}}/files - diff --git a/roles/build/tasks/mysql.yml b/roles/build/tasks/mysql.yml deleted file mode 100644 index 75d9625f8e906d5ad6884120c21f3c76629f9141..0000000000000000000000000000000000000000 --- a/roles/build/tasks/mysql.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- - -- name: Configure the mysql Dockerfile - template: - src: mysql/Dockerfile.j2 - dest: "{{role_path}}/files/mysqlDockerfile" - -- name: Build mysql image - command: docker build -t {{repo}}/mysql:{{version}}{{suffix}} -f {{role_path}}/files/mysqlDockerfile {{role_path}}/files - diff --git a/roles/build/tasks/nifi.yml b/roles/build/tasks/nifi.yml deleted file mode 100644 index 423978d987b5ced99a995ddc5a3e733cf56504da..0000000000000000000000000000000000000000 --- a/roles/build/tasks/nifi.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: Configure the nifi Dockerfile - template: - src: nifi/Dockerfile.j2 - dest: "{{role_path}}/files/nifiDockerfile" - -- name: Build nifi image - command: docker build -t {{repo}}/nifi:{{version}}{{suffix}} -f {{role_path}}/files/nifiDockerfile {{role_path}}/files - - diff --git a/roles/build/tasks/odfees.yml b/roles/build/tasks/odfees.yml deleted file mode 100644 index 5741223fdd61d30801eec2fc4c2bdbe1fdb7ed36..0000000000000000000000000000000000000000 --- a/roles/build/tasks/odfees.yml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- - -- name: Configure elasticsearch Dockerfile - template: - src: odfees/Dockerfile-elastic.j2 - dest: "{{role_path}}/files/elasticDockerfile" - -- name: Build elasticsearch image - command: docker build -t {{repo}}/elasticsearch:{{version}}{{suffix}} -f {{role_path}}/files/elasticDockerfile {{role_path}}/files - -- name: Configure odfe elasticsearch Dockerfile - template: - src: odfees/Dockerfile-odfeelastic.j2 - dest: "{{role_path}}/files/odfeesDockerfile" - -- name: Build odfe elasticsearch image - command: docker build -t {{repo}}/odfees:{{version}}{{suffix}} -f {{role_path}}/files/odfeesDockerfile {{role_path}}/files - diff --git a/roles/build/tasks/odfekibana.yml b/roles/build/tasks/odfekibana.yml deleted file mode 100644 index 8e1980a7680f5f23b7370d61dba057e457430291..0000000000000000000000000000000000000000 --- a/roles/build/tasks/odfekibana.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- name: Configure kibana Dockerfile - template: - src: odfekibana/Dockerfile-kibana.j2 - dest: "{{role_path}}/files/kibanaDockerfile" - -- name: Copy tools to build path - command: "cp -av {{role_path}}/templates/odfekibana/thehive_button/ {{role_path}}/files/thehive_button/" - -- name: Build kibana image - command: docker build -t {{repo}}/kibana:{{version}}{{suffix}} -f {{role_path}}/files/kibanaDockerfile {{role_path}}/files - -- name: Configure odfe kibana Dockerfile - template: - src: odfekibana/Dockerfile-odfekibana.j2 - dest: "{{role_path}}/files/odfekibanaDockerfile" - -- name: Build odfe kibana image - command: docker build -t {{repo}}/odfekibana:{{version}}{{suffix}} -f {{role_path}}/files/odfekibanaDockerfile {{role_path}}/files - - diff --git a/roles/build/tasks/openjdk.yml b/roles/build/tasks/openjdk.yml deleted file mode 100644 index 8754ac7fdf7d6147ab522f936b8888a5fd5a7e60..0000000000000000000000000000000000000000 --- a/roles/build/tasks/openjdk.yml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- - -- name: Configure the openjdk Dockerfile - template: - src: openjdk/Dockerfile.j2 - dest: "{{role_path}}/files/openjdkDockerfile" - -- name: Build openjdk image - command: docker build -t {{repo}}/openjdk:{{version}}{{suffix}} -f {{role_path}}/files/openjdkDockerfile {{role_path}}/files - - diff --git a/roles/build/tasks/thehive.yml b/roles/build/tasks/thehive.yml deleted file mode 100644 index 35fe08ebf7d5da456a40f0a0de273d102d5eada2..0000000000000000000000000000000000000000 --- a/roles/build/tasks/thehive.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: Configure theHive Dockerfile - template: - src: thehive/Dockerfile.j2 - dest: "{{role_path}}/files/thehiveDockerfile" - -- name: Build theHive image - command: docker build -t {{repo}}/thehive:{{version}}{{suffix}} -f {{role_path}}/files/thehiveDockerfile {{role_path}}/files - - diff --git a/roles/build/tasks/zookeeper.yml b/roles/build/tasks/zookeeper.yml deleted file mode 100644 index a61a6b397f8d1d34559da24f290df8ea93b85f94..0000000000000000000000000000000000000000 --- a/roles/build/tasks/zookeeper.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- - -- name: Configure the zookeeper Dockerfile - template: - src: zookeeper/Dockerfile.j2 - dest: "{{role_path}}/files/zookeeperDockerfile" - -- name: Build zookeeper image - command: docker build -t {{repo}}/zookeeper:{{version}}{{suffix}} -f {{role_path}}/files/zookeeperDockerfile {{role_path}}/files - - diff --git a/roles/build/templates/odfees/Dockerfile-elastic.j2 b/roles/build/templates/elasticsearch/Dockerfile.j2 similarity index 100% rename from roles/build/templates/odfees/Dockerfile-elastic.j2 rename to roles/build/templates/elasticsearch/Dockerfile.j2 diff --git a/roles/build/templates/keycloak/Dockerfile.j2 b/roles/build/templates/keycloak/Dockerfile.j2 index f6c1206d5fc3579a7cd43f976feed6f4e0b60f59..561a6466f121ee2462dab388ed99a580f16ba39c 100644 --- a/roles/build/templates/keycloak/Dockerfile.j2 
+++ b/roles/build/templates/keycloak/Dockerfile.j2 @@ -27,6 +27,7 @@ RUN yum -y install openssl supervisor rsync && yum -y clean all && \ adduser -u 1000 -g 0 -d /opt/jboss jboss && \ chown -R jboss:root /opt/jboss && \ chmod -R g+rwX /opt/jboss && \ + chmod a+x /opt/jboss/tools/x509.sh && \ mkdir -p /etc/x509/{https,ca} && chown -R jboss:root /etc/x509/{https,ca} ENV PATH="/opt/jboss/keycloak/bin:${PATH}" diff --git a/roles/build/templates/kibana/Dockerfile.j2 b/roles/build/templates/kibana/Dockerfile.j2 new file mode 100644 index 0000000000000000000000000000000000000000..ef2a4768f809d02b8320cb90963ea701cbddec16 --- /dev/null +++ b/roles/build/templates/kibana/Dockerfile.j2 @@ -0,0 +1,23 @@ +FROM {{repo}}/centos:{{version}}{{suffix}} + +RUN yum install -y supervisor +RUN yum clean all + +ENV PATH="/usr/share/kibana/bin:${PATH}" + +RUN groupadd -g 1000 kibana && \ + adduser -u 1000 -g 1000 -d /usr/share/kibana kibana + +WORKDIR /usr/share/kibana + +RUN rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch && \ + rpm -Uvh https://artifacts.elastic.co/downloads/kibana/kibana-{{elk_version}}-x86_64.rpm && \ + cp -a /etc/kibana/ /usr/share/kibana/config/ && \ + chown -R kibana /usr/share/kibana/config/ + +RUN echo 'kibana ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers + +EXPOSE 5601 +COPY kibanasupervisord.conf /etc/supervisord.conf +ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"] + diff --git a/roles/build/templates/odfees/Dockerfile-odfeelastic.j2 b/roles/build/templates/odfees/Dockerfile.j2 similarity index 100% rename from roles/build/templates/odfees/Dockerfile-odfeelastic.j2 rename to roles/build/templates/odfees/Dockerfile.j2 diff --git a/roles/build/templates/odfekibana/Dockerfile-odfekibana.j2 b/roles/build/templates/odfekibana/Dockerfile.j2 similarity index 100% rename from roles/build/templates/odfekibana/Dockerfile-odfekibana.j2 rename to roles/build/templates/odfekibana/Dockerfile.j2 
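Review bot: `chmod a+x /opt/jboss/tools/x509.sh` grants execute to every user, while the preceding lines already make the tree owned by `jboss:root` with `g+rwX`; `chmod ug+x /opt/jboss/tools/x509.sh` covers the only principals that run it. The line also assumes `/opt/jboss/tools/x509.sh` was copied into the image by an instruction earlier than this RUN, which is outside the hunk; if that COPY comes later, the build fails here.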
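Review bot: `RUN echo 'kibana ALL=(ALL:ALL) NOPASSWD: ALL' >> /etc/sudoers` gives the kibana service account unrestricted passwordless root inside the container, so any code execution in Kibana or one of its plugins is immediately root. Nothing in this Dockerfile shows a privileged step that needs it — ownership of `/usr/share/kibana/config/` is already fixed at build time by `chown -R kibana`, and with no `USER` instruction the supervisord ENTRYPOINT starts as root anyway — so the rule should be dropped, or, if a runtime step really requires it, narrowed to that single command in a `/etc/sudoers.d/` file (`kibana ALL=(root) NOPASSWD: <exact command>`) with a comment above stating why. The two `yum` RUNs could also be merged so the metadata cache is not baked into its own layer.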
diff --git a/roles/cortex/templates/application.conf.j2 b/roles/cortex/templates/application.conf.j2 index 4d1ff58fcca9e55fd1437673ebf3bf864058d069..c7f8b0aaa38ae0c8a3cc7d4dea1a84784a3f69cc 100644 --- a/roles/cortex/templates/application.conf.j2 +++ b/roles/cortex/templates/application.conf.j2 @@ -6,7 +6,7 @@ # # IMPORTANT: If you deploy your application to several instances, make # sure to use the same key. -play.http.secret.key="{{cortex_secret_key}}" +play.http.secret.key='{{lookup("password", "{{playbook_dir}}/secrets/passwords/cortex_secret_key")}}' ## ElasticSearch search { diff --git a/roles/odfees/templates/config/elasticsearch.yml.j2 b/roles/odfees/templates/config/elasticsearch.yml.j2 index 5cae9eb487b720020c25d429973def12d01f840f..5e8e18fc2999f2622cca3b0c229265a379c49b44 100644 --- a/roles/odfees/templates/config/elasticsearch.yml.j2 +++ b/roles/odfees/templates/config/elasticsearch.yml.j2 @@ -30,11 +30,11 @@ cluster.initial_master_nodes: opendistro_security.ssl.transport.keystore_type: pkcs12 opendistro_security.ssl.transport.keystore_filepath: {{ inventory_hostname }}.p12 -opendistro_security.ssl.transport.keystore_password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}} +opendistro_security.ssl.transport.keystore_password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}" #opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem opendistro_security.ssl.transport.truststore_type: jks opendistro_security.ssl.transport.truststore_filepath: cacerts.jks -opendistro_security.ssl.transport.truststore_password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} +opendistro_security.ssl.transport.truststore_password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}" opendistro_security.ssl.transport.enforce_hostname_verification: false opendistro_security.ssl.http.enabled: true 
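Review bot: HOCON has no single-quoted strings, so `play.http.secret.key='{{lookup(...)}}'` is read as an unquoted value that includes the two quote characters, and the password lookup's default character set (`ascii_letters`, `digits`, `.,:-_`) can emit `:` or `,`, which are forbidden in unquoted HOCON values and would make application.conf unparseable on an unlucky generation. Use double quotes as the thehive hunk in this commit does, and since the removed key was 64 alphanumeric characters while the lookup defaults to 20, set the length and alphabet explicitly: `play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_secret_key length=64 chars=ascii_letters,digits')}}"`. The lookup only generates on first use, so a file already created with the defaults keeps its 20-character value until it is deleted.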
@@ -42,10 +42,10 @@ opendistro_security.ssl.http.enabled: true # opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem opendistro_security.ssl.http.keystore_type: pkcs12 opendistro_security.ssl.http.keystore_filepath: {{ inventory_hostname }}.p12 -opendistro_security.ssl.http.keystore_password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}} +opendistro_security.ssl.http.keystore_password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}" opendistro_security.ssl.http.truststore_type: jks opendistro_security.ssl.http.truststore_filepath: cacerts.jks -opendistro_security.ssl.http.truststore_password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} +opendistro_security.ssl.http.truststore_password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}" #opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem #opendistro_security.ssl.http.clientauth_mode: optional opendistro_security.allow_unsafe_democertificates: false diff --git a/roles/odfekibana/templates/kibana.yml.j2 b/roles/odfekibana/templates/kibana.yml.j2 index aa445d73ab310cf78af7d68a2a41b6133b4adfb8..e676b3735c0f2f9ee59a2c7b3e19c020e04faa1b 100644 --- a/roles/odfekibana/templates/kibana.yml.j2 +++ b/roles/odfekibana/templates/kibana.yml.j2 @@ -46,7 +46,7 @@ opendistro_security.openid.root_ca: "/usr/share/kibana/config/ca.crt" opendistro_security.openid.base_redirect_url: "https://{{soctoolsproxy}}:5601" opendistro_security.cookie.secure: true -opendistro_security.cookie.password: "{{odfekibana_cookie}}" +opendistro_security.cookie.password: {{lookup("password", "{{playbook_dir}}/secrets/passwords/kibana_cookiepassword length=32")}} server.ssl.enabled: true server.ssl.key: /usr/share/kibana/config/{{inventory_hostname}}.key 
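Review bot: The new `opendistro_security.cookie.password: {{lookup("password", ...)}}` line in kibana.yml.j2 leaves the generated value unquoted in YAML — the same problem the elasticsearch.yml.j2 hunks in this commit fix — and the lookup's default alphabet includes `:`, `,`, `-` and `.`, so a value that ends in `:` is a YAML parse error at Kibana start-up and other combinations can change its type. Quote it like the keystore lines: `opendistro_security.cookie.password: "{{lookup("password", "{{playbook_dir}}/secrets/passwords/kibana_cookiepassword length=32")}}"`. Adding `chars=ascii_letters,digits` to the lookup would remove the remaining ambiguity. The elasticsearch hunk on this line needs no further change.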
diff --git a/roles/thehive/templates/application.conf.j2 b/roles/thehive/templates/application.conf.j2 index 6fa36eb370673fc95111327904af57738cabda58..d25e059818a773a6a4a48fb34196cc641f79e718 100644 --- a/roles/thehive/templates/application.conf.j2 +++ b/roles/thehive/templates/application.conf.j2 @@ -5,7 +5,7 @@ ## Include Play secret key # More information on secret key at https://www.playframework.com/documentation/2.8.x/ApplicationSecret #include "/etc/thehive/secret.conf" -play.http.secret.key="{{thehive_secret_key}}" +play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/passwords/thehive_secret_key')}}" ## Database configuration db.janusgraph {
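Review bot: `lookup('password', '{{playbook_dir}}/secrets/passwords/thehive_secret_key')` generates a 20-character value with the lookup's defaults, whereas the `thehive_secret_key` it replaces was 64 random alphanumerics; pass the length explicitly, `play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/passwords/thehive_secret_key length=64')}}"`, so the move to generated secrets does not shorten the key. The comment above the line notes that several instances must share the same key; the file under `secrets/passwords` provides that only while every instance is provisioned from the same controller checkout, which is worth stating in that comment. The default alphabet's `.,:-_` characters are harmless inside a HOCON double-quoted string, so no `chars` restriction is needed here.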