From ccc5a495107d64115c74f26c758cbe40e2915f7c Mon Sep 17 00:00:00 2001
From: root <root@arne-centos2.cert-labs.uninett.no>
Date: Wed, 23 Sep 2020 06:46:09 -0400
Subject: [PATCH] added fixed subnet for docker network. Automatic configuration of firewalld

---
 group_vars/all/main.yml              |  3 ++-
 roles/docker/tasks/networkcreate.yml |  2 ++
 roles/nifi/tasks/main.yml            | 26 ++++++++++++++------------
 roles/soctools-server/tasks/main.yml | 15 ++++++++++++++-
 4 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index a331ddb..93108ef 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -1,6 +1,6 @@
 ---
 
-dslproxy: "arne-centos.cert-labs.uninett.no"
+dslproxy: "<CHANGE_ME:hostname>"
 
 # TheHive Button plugin
 THEHIVE_URL: "https://hive.gn4-3-wp8-soc.sunet.se/"
@@ -8,6 +8,7 @@ THEHIVE_API_KEY: "5LymseWiurZBrQN8Kqp8O+9KniTL5cE0"
 THEHIVE_OWNER: "admin"
 
 soctools_netname: "soctoolsnet"
+soctools_network: "172.22.0.0/16"
 
 repo: gn43-dsl
 version: 7
diff --git a/roles/docker/tasks/networkcreate.yml b/roles/docker/tasks/networkcreate.yml
index 9034314..15dd085 100644
--- a/roles/docker/tasks/networkcreate.yml
+++ b/roles/docker/tasks/networkcreate.yml
@@ -4,6 +4,8 @@
   docker_network:
     name: "{{ soctools_netname }}"
     enable_ipv6: no
+    ipam_config:
+      - subnet: "{{ soctools_network }}"
   tags:
     - start
 
diff --git a/roles/nifi/tasks/main.yml b/roles/nifi/tasks/main.yml
index e66a72a..ec0249c 100644
--- a/roles/nifi/tasks/main.yml
+++ b/roles/nifi/tasks/main.yml
@@ -48,14 +48,14 @@
 - name: Configure NiFi boostrap properties
   template:
     src: bootstrap.conf.j2
-    dest: conf/bootstrap.conf
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/bootstrap.conf"
   tags:
     - start
 
 - name: Configure NiFi properties for secure servers
   template:
     src: nifi.properties.j2
-    dest: conf/nifi.properties
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/nifi.properties"
   tags:
     - start
 
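Review bot: The `<CHANGE_ME:hostname>` placeholder that replaces the real `dslproxy` value in the first hunk is a syntactically valid string, so a run against an unedited inventory templates it straight into the generated configuration instead of failing; a precondition such as `- name: Refuse to run with placeholder settings` / `  assert:` / `    that: "'CHANGE_ME' not in dslproxy"` catches that before any role runs. The same scrubbing is not applied to the `THEHIVE_API_KEY` literal that appears as context in the second hunk of this file: it remains a plaintext credential in group_vars while the hostname was removed, and because it is already part of the history it should be replaced by a placeholder or a vault-encrypted value and the key itself rotated.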
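Review bot: `soctools_network: "172.22.0.0/16"` is a new hard-coded range with no comment, although two other files in this commit now depend on it (the Docker IPAM subnet and a firewalld source); a one-line comment such as `# Fixed Docker subnet for soctools_netname; also used as a firewalld source in roles/soctools-server` keeps that coupling visible to whoever edits the value. If any part of that /16 is already routed on the host, creating the Docker network fails, and a /16 is far larger than a single-host stack needs, so a smaller range reduces the chance of a clash.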
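Review bot: Adding `ipam_config` does not change a network that already exists: as far as I recall the `docker_network` module only applies a changed IPAM configuration when `force` is set, in which case it disconnects all containers, deletes and re-creates the network. On hosts that were deployed before this commit the network therefore keeps whatever subnet Docker auto-assigned, and the firewalld source rule that is added for `soctools_network` in roles/soctools-server never matches container traffic; either add `force: yes` with the re-creation documented, or state in a comment that existing deployments must remove the network first, e.g. `# Existing networks keep their old subnet; remove the network (or set force) to apply the fixed range`. Minor: `enable_ipv6: no` on the line above uses a YAML 1.1 boolean; `false` is the canonical spelling.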
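Review bot: Every new `dest` in this hunk (and in the three later hunks of this file) dereferences `ansible_facts.env['NIFI_HOME']`, which exists only when fact gathering is on and the login environment of the remote user exports NIFI_HOME; otherwise the task aborts with an undefined-variable error after the earlier tasks in the role have already run. A role variable is more robust and easier to override than reading the remote environment at every task, e.g. `nifi_home: "{{ ansible_facts.env['NIFI_HOME'] | default('<NIFI_INSTALL_DIR>') }}"` in the role's defaults (placeholder to be filled in) and `dest: "{{ nifi_home }}/conf/bootstrap.conf"` here, with one `assert` up front that the directory exists.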
@@ -69,37 +69,39 @@
 - name: Configure users
   template:
     src: users.xml.j2
-    dest: conf/users.xml
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/users.xml"
   tags:
     - start
 
 - name: Configure NiFi authorizers for secure servers
   template:
     src: authorizers.xml.j2
-    dest: conf/authorizers.xml
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/authorizers.xml"
   tags:
     - start
 
 - name: Create conf/enrich dir
-  file: path=conf/enrich state=directory
+  file: path={{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich state=directory
+  tags:
+    - start
 
 - name: Copy empty GeoLite2-City database
   copy:
     src: GeoLite2-City.mmdb
-    dest: conf/enrich/GeoLite2-City.mmdb
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/GeoLite2-City.mmdb"
   tags:
     - start
 
 - name: Download list of Tor exist nodes
   get_url:
     url: https://check.torproject.org/torbulkexitlist
-    dest: conf/enrich/tornodes.csv
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/tornodes.csv"
   tags:
     - start
 
 - name: Add header to tornodes.csv
   lineinfile:
-    path: conf/enrich/tornodes.csv
+    path: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/tornodes.csv"
     line: 'ip_addr'
     insertbefore: BOF
   tags:
@@ -108,19 +110,19 @@
 - name: Download umbrella-top-1m.csv
   get_url:
     url: http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip
-    dest: conf/enrich/umbrella-top-1m.csv
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/umbrella-top-1m.csv"
   tags:
     - start
 
 - name: Download alexa-top-1m.csv
   get_url:
     url: http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
-    dest: conf/enrich/alexa-top-1m.csv
+    dest: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich/alexa-top-1m.csv"
   tags:
     - start
 
 - name: Start NiFi
-  command: "./bin/nifi.sh start"
+  command: "{{ ansible_facts.env['NIFI_HOME'] }}/bin/nifi.sh start"
   tags:
     - start
 
@@ -135,7 +137,7 @@
 # when: ping_result|success
 
 - name: Stop NiFi
-  command: "./bin/nifi.sh stop"
+  command: "{{ ansible_facts.env['NIFI_HOME'] }}/bin/nifi.sh stop"
   tags:
     - stop
 
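Review bot: The `Create conf/enrich dir` task is the one place in this hunk that keeps the free-form `key=value` syntax, and the new unquoted `{{ ... }}` inside it is split by the module-argument parser rather than read as YAML, so a NIFI_HOME containing a space would silently produce a different path; it should be written in block form like the neighbouring tasks: `file:` / `path: "{{ ansible_facts.env['NIFI_HOME'] }}/conf/enrich"` / `state: directory`. While touching this task, the context-line task name `Download list of Tor exist nodes` is presumably meant to read `Tor exit nodes`.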
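Review bot: Both `get_url` tasks whose `dest` lines change in the second hunk fetch enrichment data over plain `http://`, so the domain lists that NiFi later uses for enrichment can be altered in transit; both URLs point at S3 endpoints, which serve the same objects over `https://`, and switching the scheme (leaving `validate_certs` at its default) is a one-word change per task. Separately, both URLs end in `.csv.zip` while the new `dest` paths end in `.csv`, so what is written is a zip archive under a csv name; presumably something downstream unpacks it — confirm, or name the destination `.zip` so the file matches its content.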
diff --git a/roles/soctools-server/tasks/main.yml b/roles/soctools-server/tasks/main.yml
index 47f9f8d..7b5739e 100644
--- a/roles/soctools-server/tasks/main.yml
+++ b/roles/soctools-server/tasks/main.yml
@@ -34,7 +34,20 @@
   with_items:
     - "{{sysctlconfig}}"
 
+- name: Configure fw
+  ansible.posix.firewalld:
+    source: "{{ soctools_network }}"
+    zone: public
+    permanent: yes
+    state: enabled
+
+- name: Reload firewalld
+  systemd:
+    state: restarted
+    daemon_reload: yes
+    name: firewalld
+
 - name: Start Docker service
   systemd:
     name: docker
-    state: started
\ No newline at end of file
+    state: started
-- 
GitLab
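Review bot: The `Configure fw` task sets `permanent: yes` without `immediate: yes`, and the change is then applied by fully restarting firewalld, which drops every runtime rule and the connection-tracking state on the host and, on the versions I have seen, also removes the iptables chains Docker inserted — harmless on a first run because Docker is started afterwards, but on every re-run against a live host. Adding `immediate: yes` to the firewalld task makes the restart task unnecessary; if a separate reload is still wanted, `state: reloaded` is the non-disruptive form. Binding the container subnet to the `public` zone also deserves a comment stating the intent, e.g. `# Traffic from the soctools Docker subnet is handled by the public zone policy`, because on a default CentOS install `public` is already the default zone and it is not obvious from the task what behaviour the binding is meant to change. Minor: `permanent: yes` and `daemon_reload: yes` use YAML 1.1 booleans; `true` is the canonical spelling.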