cleaned up handling of passwords and certificates.

db2f7405 · Arne Øslebø · ac4ec956 · db2f7405 · db2f7405 · db2f7405
Commit db2f7405 authored 4 years ago by Arne Øslebø
--- a/HOWTOS.md
+++ b/HOWTOS.md
@@ -8,7 +8,7 @@ To make modifications to the main NiFi pipeline and add it to the Ansible playbo
 * Make necesarry to the pipeline in the NiFi GUI
 * Copy flow.xml.gz file from one of the NiFi containers:  
-  `docker cp <CONTAINER ID>:/opt/nifi/nifi-current/conf/flow.xml.gz .`
+  `docker cp soctools-nifi-1:/opt/nifi/nifi-current/conf/flow.xml.gz .`
 * Convert flowx.xml.gz to new template  
  `utils/flow2template.py flow.xml.gz roles/nifi/templates/flow.xml.j2`

--- a/README.md
+++ b/README.md
@@ -21,7 +21,8 @@ Temporary solution: Upload your ssh key to gitlab.geant.org
 Install soctools:
 Edit group_vars/all/main.yml and change 'soctoolsproxy' so that it point to the FQDN of the server.  
 `vi group_vars/all/main.yml`  
-The first entry in the soctools_users variable is the user with full admin privileges in NiFi and Kibana.
+Users are specified in the file:  
+`group_vars/all/users.yml`  
 To configure the server running soctools, run the ansible playbook:  
 `ansible-playbook -i inventories soctools_server.yml`
@@ -32,11 +33,11 @@ To build the Docker images needed, run the ansible playbook:
 To build the CA needed for host and user certificates, run the ansible playbook:  
 `ansible-playbook -i inventories buildca.yml`
-If using soclab CA certificates provided with this installation, you first need to download and import root certificate found at roles/ca/files/CA/ca.crt. 
+If using soctools CA certificates provided with this installation, you first need to download and import root certificate found in secrets/CA/ca.crt   
 For Windows, CA certificate should be installed in Trusted Root Certification Authorities store. 
-User certificates are can be found in the directory roles/ca/files/CA/private. Import into browser for authentication.
+User certificates are can be found in the directory secrets/certificates. Import into browser for authentication.
-For Windows, user certificate should be installed in Personal store. 
+For Windows, user certificate should be installed in Personal store. Passwords for the certificates can be found in the directory secrets/passwords.   
 To start the cluster, run the ansible playbook soctools.yml:  
 `ansible-playbook -i inventories soctools.yml -t start`

--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
 ---
-soctoolsproxy: "<CHANGE_ME:hostname>"
+soctoolsproxy: "arne-centos2.cert-labs.uninett.no"
 # TheHive Button plugin
 THEHIVE_URL: "https://hive.gn4-3-wp8-soc.sunet.se/"
@@ -18,7 +18,6 @@ haproxy_name: "soctools-haproxy"
 haproxy_version: "2.2"
 haproxy_img: "{{repo}}/haproxy:{{version}}{{suffix}}"
 HAPROXY_PROCESSES: "2"
-HAPROXY_STATS_PASS: "eiph2Eepaizicheelah3tei+bae3ohgh"
 FILEBEAT_VERSION: "7.9.3"
 FILEBEAT_OUTPUT_HOST: "{{soctoolsproxy}}"
@@ -40,7 +39,6 @@ nifi_img: "{{repo}}/nifi:{{version}}{{suffix}}"
 mysql_name: "soctools-mysql"
 mysql_img: "{{repo}}/mysql:{{version}}{{suffix}}"
-mysql_dbrootpass: "Pass006"
 cassandra_name: "soctools-cassandra"
 cassandra_img: "{{repo}}/cassandra:{{version}}{{suffix}}"
@@ -55,10 +53,6 @@ cortex_img: "{{repo}}/cortex:{{version}}{{suffix}}"
 cortex_elasticsearch_mem: "256m"
 # GENERATED WITH cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1
 cortex_secret_key: "9CZ844IcAp5dHjsgU4iuaEssdopLcS6opzhVP3Ys4t4eRpNlHmwZdtfveLEXpM9D"
-cortex_odfe_pass: "Pass009"
-kspass: "Testing003"
-tspass: "Testing003"
 sysctlconfig:
  - { key: "net.core.rmem_max", val: "4194304" }
@@ -73,32 +67,10 @@ nifi_repo: "https://archive.apache.org/dist"
 ca_cn: "SOCTOOLS-CA"
-soctools_users:
-  - firstname: "Arne"
-    lastname: "Oslebo"
-    username: "arne.oslebo"
-    email: "arne.oslebo@uninett.no"
-    DN: "CN=Arne Oslebo"
-    CN: "Arne Oslebo"
-    password: "Pass002"
-  - firstname: "Bozidar"
-    lastname: "Proevski"
-    username: "bozidar.proevski"
-    email: "bozidar.proevski@finki.ukim.mk"
-    DN: "CN=Bozidar Proevski"
-    CN: "Bozidar Proevski"
-    password: "Pass001"
-# Minimum one user is required
-ODFE_ADMIN_USERS:
-  - arne.oslebo
-  - bozidar.proevski
 odfees_img: "{{repo}}/odfees:{{version}}{{suffix}}"
 odfekibana_img: "{{repo}}/odfekibana:{{version}}{{suffix}}"
 # GENERATE 32-bit secure value
 odfekibana_cookie: "iroAm0ueIV7w6CS1WcJTwIV6R4d5RIAt"
-odfees_adminpass: "Pass004"
 #elk_version: "oss-7.6.1"
 elk_version: "oss-7.4.2"
 #odfeplugin_version: "1.7.0.0"
@@ -109,7 +81,6 @@ openid_scope: profile
 openid_subjkey: preferred_username
 keycloak_img: "{{repo}}/keycloak:{{version}}{{suffix}}"
-keycloak_adminpass: "Pass005"
 elastic_username: "admin"
 misp_token: ""
@@ -118,8 +89,6 @@ maxmind_key: ""
 misp_dbname: "mispdb"
 misp_dbuser: "misp"
-misp_dbpass: "Pass007"
 # misp_salt generated with: openssl rand -base64 32
-misp_salt:   "wa2fJA2mGIn32IDl+uKrCJ069Mg3khDdGzFNv8DOwM0="
+#misp_odic_crypto_pass: 1234567890 #TODO: Generate dynamically
-misp_odic_crypto_pass: 1234567890 #TODO: Generate dynamically
+#misp_crypto_pass: 1234567890 #TODO: Generate dynamically
-misp_crypto_pass: 1234567890 #TODO: Generate dynamically
--- a/group_vars/all/users.yml
+++ b/group_vars/all/users.yml
+---
+soctools_users:
+  - firstname: "User1"
+    lastname: "SOC"
+    username: "user1"
+    email: "user1@soctools.test"
+    DN: "CN=User1Soctools"
+    CN: "User1Soctools"
+  - firstname: "User2"
+    lastname: "SOC"
+    username: "user2"
+    email: "user2@soctools.test"
+    DN: "CN=User2Soctools"
+    CN: "User2Soctools"
+# Minimum one user is required
+ODFE_ADMIN_USERS:
+  - user1
--- a/roles/ca/tasks/main.yml
+++ b/roles/ca/tasks/main.yml
 ---
+- name: Create secret directory   
+  file:
+   path: "{{playbook_dir}}/{{item}}"
+   state: directory
+  loop:
+   - secrets
+   - secrets/certificates
+   - secrets/tokens
+   - secrets/passwords
 - name: Check for existing CA folder
  stat:
-    path: roles/ca/files/CA
+    path: "{{playbook_dir}}/secrets/CA"
  register: capath
 - name: build ca root key and cert
@@ -14,27 +24,19 @@
  environment:
    EASYRSA_BATCH: 1
    EASYRSA_REQ_CN: "{{ ca_cn }}"
-    EASYRSA_PKI: roles/ca/files/CA
+    EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
  when: not capath.stat.exists
- name: Copy cert to truststore
-  copy:
-    src: roles/ca/files/CA/ca.crt
-    dest: "roles/ca/files/truststore/{{ ca_cn }}.crt"
 - name: Remove previous truststore
  file:
-    path: roles/ca/files/truststore/cacerts.jks
+    path: '{{playbook_dir}}/secrets/CA/cacerts.jks'
    state: absent
 - name: Generate truststore
  command: >
-    docker run --rm -v {{role_path}}/files/truststore/:/opt/cafiles/:z 
+    docker run --rm -v {{playbook_dir}}/secrets/CA/:/opt/cafiles/:z 
    "{{repo}}/openjdk:{{version}}{{suffix}}" keytool -import -noprompt -trustcacerts 
-    -alias "{{item}}" -file "/opt/cafiles/{{item}}.crt" -keystore /opt/cafiles/cacerts.jks -storepass "{{tspass}}"
+    -alias "{{ ca_cn }}" -file "/opt/cafiles/ca.crt" -keystore /opt/cafiles/cacerts.jks -storepass "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}"
-  with_items:
-    - "{{ ca_cn }}"
-    #- GN43WP8T31_CA
 - name: Check for existing host certificates
  command: roles/ca/files/easyrsa/easyrsa show-cert {{item}}
@@ -50,7 +52,7 @@
    - "filebeat"
  environment:
    EASYRSA_BATCH: 1
-    EASYRSA_PKI: roles/ca/files/CA
+    EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
  register: hostcerts
  ignore_errors: true
@@ -71,7 +73,7 @@
    - "filebeat"
  environment:
    EASYRSA_BATCH: 1
-    EASYRSA_PKI: roles/ca/files/CA
+    EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
  ignore_errors: true 
  loop_control:
    index_var: my_idx
@@ -95,7 +97,7 @@
  expect:
    command: roles/ca/files/easyrsa/easyrsa export-p12 {{item}}
    responses:
-      Enter Export Password: "{{kspass}}"
+      Enter Export Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}"
  with_items:
    - "{{ groups['nificontainers'] }}"
    - "{{ groups['odfeescontainers'] }}"
@@ -106,158 +108,7 @@
    - "{{ groups['mispcontainers'] }}"
  environment:
    EASYRSA_BATCH: 1
-    EASYRSA_PKI: roles/ca/files/CA
+    EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
- name: Copy nifi host certs to nifi role
-  copy:
-    src: roles/ca/files/CA/private/{{item}}.p12
-    dest: roles/nifi/files/{{item}}.p12
-  with_items:
-    - "{{ groups['nificontainers'] }}"
- name: Copy odfees host certs to odfees role
-  copy:
-    src: roles/ca/files/CA/private/{{item}}.p12
-    dest: roles/odfees/files/{{item}}.p12
-  with_items:
-    - "{{ groups['odfeescontainers'] }}"
- name: Copy odfekibana host p12 certs to odfekibana role
-  copy:
-    src: roles/ca/files/CA/private/{{item}}.p12
-    dest: roles/odfekibana/files/{{item}}.p12
-  with_items:
-    - "{{ groups['odfekibanacontainers'] }}"
- name: Copy cortex host p12 certs to cortex role
-  copy:
-    src: roles/ca/files/CA/private/{{item}}.p12
-    dest: roles/cortex/files/{{item}}.p12
-  with_items:
-    - "{{ groups['cortex'] }}"
- name: Copy odfekibana host certs to odfekibana role
-  copy:
-    src: roles/ca/files/CA/issued/{{item}}.crt
-    dest: roles/odfekibana/files/{{item}}.crt
-  with_items:
-    - "{{ groups['odfekibanacontainers'] }}"
- name: Copy odfekibana host keys to odfekibana role
-  copy:
-    src: roles/ca/files/CA/private/{{item}}.key
-    dest: roles/odfekibana/files/{{item}}.key
-  with_items:
-    - "{{ groups['odfekibanacontainers'] }}"
- name: Copy haproxy host cert to haproxy role
-  copy:
-    src: roles/ca/files/CA/issued/{{item}}.crt
-    dest: roles/haproxy/files/{{item}}.crt
-  with_items:
-    - "{{ groups['haproxy'] }}"
- name: Copy haproxy host key to haproxy role
-  copy:
-    src: roles/ca/files/CA/private/{{item}}.key
-    dest: roles/haproxy/files/{{item}}.key
-  with_items:
-    - "{{ groups['haproxy'] }}"
- name: Copy filebeat host cert to filebeat role
-  copy:
-    src: roles/ca/files/CA/issued/{{item}}.crt
-    dest: roles/filebeat/files/{{item}}.crt
-  with_items:
-    - "filebeat"
- name: Copy filebeat host key to filebeat role
-  copy:
-    src: roles/ca/files/CA/private/{{item}}.key
-    dest: roles/filebeat/files/{{item}}.key
-  with_items:
-    - "filebeat"
- name: Copy keycloak host certs to keycloak role
-  copy:
-    src: roles/ca/files/CA/issued/{{item}}.crt
-    dest: roles/keycloak/files/{{item}}.crt
-  with_items:
-    - "{{ groups['keycloakcontainers'] }}"
- name: Copy keycloak host keys to keycloak role
-  copy:
-    src: roles/ca/files/CA/private/{{item}}.key
-    dest: roles/keycloak/files/{{item}}.key
-  with_items:
-    - "{{ groups['keycloakcontainers'] }}"
- name: Copy misp host certs to misp role
-  copy:
-    src: roles/ca/files/CA/issued/{{item}}.crt
-    dest: roles/misp/files/{{item}}.crt
-  with_items:
-    - "{{ groups['mispcontainers'] }}"
- name: Copy misp host keys to misp role
-  copy:
-    src: roles/ca/files/CA/private/{{item}}.key
-    dest: roles/misp/files/{{item}}.key
-  with_items:
-    - "{{ groups['mispcontainers'] }}"
- name: Copy thehive host cert to thehive role
-  copy:
-    src: roles/ca/files/CA/issued/{{item}}.crt
-    dest: roles/thehive/files/{{item}}.crt
-  with_items:
-    - "{{ groups['thehive'] }}"
- name: Copy thehive host key to thehive role
-  copy:
-    src: roles/ca/files/CA/private/{{item}}.key
-    dest: roles/thehive/files/{{item}}.key
-  with_items:
-    - "{{ groups['thehive'] }}"
- name: Copy cortex host cert to cortex role
-  copy:
-    src: roles/ca/files/CA/issued/{{item}}.crt
-    dest: roles/cortex/files/{{item}}.crt
-  with_items:
-    - "{{ groups['cortex'] }}"
- name: Copy cortex host key to cortex role
-  copy:
-    src: roles/ca/files/CA/private/{{item}}.key
-    dest: roles/cortex/files/{{item}}.key
-  with_items:
-    - "{{ groups['cortex'] }}"
- name: Copy truststore to roles
-  copy:
-    src: roles/ca/files/truststore/cacerts.jks
-    dest: "roles/{{item}}/files/cacerts.jks"
-  with_items:
-    - nifi
-    - odfees
-    - odfekibana
-    - keycloak
-    - misp
-    - cortex
- name: Copy ca cert to roles
-  copy:
-    src: "roles/ca/files/truststore/{{ ca_cn }}.crt"
-    dest: "roles/{{item}}/files/{{ ca_cn }}.crt"
-  with_items:
-    - nifi
-    - odfees
-    - odfekibana
-    - keycloak
-    - misp
-    - thehive
-    - cortex
 - name: Check for existing user certificates
  command: roles/ca/files/easyrsa/easyrsa show-cert {{item.CN | regex_escape()}}
@@ -265,7 +116,7 @@
    - "{{soctools_users}}"
  environment:
    EASYRSA_BATCH: 1
-    EASYRSA_PKI: roles/ca/files/CA
+    EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
  register: usercerts
  ignore_errors: true
@@ -275,7 +126,7 @@
    - "{{soctools_users}}"
  environment:
    EASYRSA_BATCH: 1
-    EASYRSA_PKI: roles/ca/files/CA
+    EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
  ignore_errors: true
  loop_control:
    index_var: my_idx
@@ -285,24 +136,17 @@
  expect:
    command: roles/ca/files/easyrsa/easyrsa export-p12 "{{item.CN}}"
    responses:
-      Enter Export Password: "{{item.password}}"
+      Enter Export Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
  with_items:
    - "{{soctools_users}}"
  environment:
    EASYRSA_BATCH: 1
-    EASYRSA_PKI: roles/ca/files/CA
+    EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
- name: Copy user certs to odfees
-  copy:
-    src: "roles/ca/files/CA/private/{{ item.CN }}.p12"
-    dest: "roles/odfees/files/{{ item.CN }}.p12"
-  with_items:
-    - "{{soctools_users}}"
- name: Copy user certs to odfekibana
+- name: Copy user certs to certificates
  copy:
-    src: "roles/ca/files/CA/private/{{ item.CN }}.p12"
+    src: "{{playbook_dir}}/secrets/CA/private/{{ item.CN }}.p12"
-    dest: "roles/odfekibana/files/{{ item.CN }}.p12"
+    dest: "{{playbook_dir}}/secrets/certificates/{{ item.CN }}.p12"
  with_items:
    - "{{soctools_users}}"
--- a/roles/cortex/tasks/start.yml
+++ b/roles/cortex/tasks/start.yml
@@ -3,7 +3,7 @@
 - name: Copy cacert to ca-trust dir
  remote_user: root
  copy:
-    src: "files/{{ca_cn}}.crt"
+    src: "{{playbook_dir}}/secrets/CA/ca.crt"
    dest: /etc/pki/ca-trust/source/anchors/ca.crt
 - name: Install cacert to root truststore
@@ -14,14 +14,14 @@
  remote_user: cortex
  copy:
    src:  "{{ item }}"
-    dest: "/etc/cortex/{{ item }}"
+    dest: "/etc/cortex/"
    mode: 0600
  with_items:
-    - "{{ inventory_hostname }}.p12"
+    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12"
-    - "{{ inventory_hostname }}.crt"
+    - "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
-    - "{{ inventory_hostname }}.key"
+    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
-    - cacerts.jks
+    - "{{playbook_dir}}/secrets/CA/cacerts.jks"
-    - "{{ca_cn}}.crt"
+    - "{{playbook_dir}}/secrets/CA/ca.crt"
 - name: Configure embedded Elasticsearch 6
  remote_user: root

--- a/roles/cortex/templates/application.conf.j2
+++ b/roles/cortex/templates/application.conf.j2
@@ -34,18 +34,18 @@ search {
 ##   ## Authentication configuration
 ##   search.username = "cortex"
-##   search.password = "{{cortex_odfe_pass}}"
+##   search.password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_odfe')}}"
 ## 
 ##   ## SSL configuration
 ##   search.keyStore {
 ##     path = "/etc/cortex/soctools-cortex.p12"
 ##     type = "PKCS12" # or PKCS12
-##     password = "{{kspass}}"
+##     password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}"
 ##   }
 ##   search.trustStore {
 ##     path = "/etc/cortex/cacerts.jks"
 ##     type = "JKS" # or PKCS12
-##     password = "{{tspass}}"
+##     password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}"
 ##   }
 }

--- a/roles/filebeat/tasks/main.yml
+++ b/roles/filebeat/tasks/main.yml
@@ -4,11 +4,11 @@
 - name: Copy filebeat certificates
  copy:
    src:  "{{ item }}"
-    dest: "/opt/filebeat/{{ item }}"
+    dest: "/opt/filebeat/"
    mode: 0600
  with_items:
-    - "filebeat.crt"
+    - "{{playbook_dir}}/secrets/CA/issued/filebeat.crt"
-    - "filebeat.key"
+    - "{{playbook_dir}}/secrets/CA/private/filebeat.key"
  become: true
  tags:
    - start

--- a/roles/haproxy/tasks/start.yml
+++ b/roles/haproxy/tasks/start.yml
@@ -23,11 +23,11 @@
 - name: Copy haproxy certificates
  copy:
    src:  "{{ item }}"
-    dest: "/opt/haproxy/{{ item }}"
+    dest: "/opt/haproxy/"
    mode: 0600
  with_items:
-    - "{{ inventory_hostname }}.crt"
+    - "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
-    - "{{ inventory_hostname }}.key"
+    - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
 - name: Combine crt and key for haproxy
  assemble:

--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -22,7 +22,7 @@ listen stats
        stats hide-version
        stats uri     /
        stats realm   HAProxy Statistics
-        stats auth    haproxy:{{ HAPROXY_STATS_PASS }}
+        stats auth    haproxy:{{lookup('password', '{{playbook_dir}}/secrets/passwords/haproxy_stats')}}
 listen nifiserv
 	bind *:9443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1

--- a/roles/keycloak/tasks/start.yml
+++ b/roles/keycloak/tasks/start.yml
@@ -7,16 +7,16 @@
    dest: "{{ item.remote }}"
    mode: "{{ item.mode}}"
  with_items:
-    - local: "files/{{ inventory_hostname }}.crt"
+    - local: "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
      remote: /etc/x509/https/tls.crt
      mode: '0644'
-    - local: "files/{{ inventory_hostname }}.key"
+    - local: "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
      remote: /etc/x509/https/tls.key
      mode: '0600'
-    - local: "files/{{ ca_cn }}.crt"
+    - local: "{{playbook_dir}}/secrets/CA/ca.crt"
      remote: /etc/x509/ca/ca.crt
      mode: '0644'
-    - local: "files/cacerts.jks"
+    - local: "{{playbook_dir}}/secrets/CA/cacerts.jks"
      remote: /opt/jboss/keycloak/cacerts.jks
      mode: '0644'
@@ -28,7 +28,8 @@
 - name: Set admin password
  remote_user: jboss
-  command: /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "{{keycloak_adminpass}}"
+  command: /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keykloak_admin')}}"
+  ignore_errors: True
 - name: Configure logging format
  remote_user: jboss
@@ -85,11 +86,11 @@
    flat: yes
  with_items:
    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/nifisecret"
-      local:  "roles/nifi/files/nifisecret"
+      local:  "{{playbook_dir}}/secrets/tokens/nifisecret"
    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/kibanasecret"
-      local:  "roles/odfekibana/files/kibanasecret"
+      local:  "{{playbook_dir}}/secrets/tokens/kibanasecret"
    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/mispsecret"
-      local:  "roles/misp/files/mispsecret"
+      local:  "{{playbook_dir}}/secrets/tokens/mispsecret"
 - name: Set Autostart for supervisord's services
  shell: "sed -i 's/autostart=false/autostart=true/g' /etc/supervisord.conf"
--- a/roles/keycloak/tasks/update-config.yml
+++ b/roles/keycloak/tasks/update-config.yml
@@ -24,9 +24,9 @@
    flat: yes
  with_items:
    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/nifisecret"
-      local:  "roles/nifi/files/nifisecret"
+      local:  "{{playbook_dir}}/secrets/tokens/nifisecret"
    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/kibanasecret"
-      local:  "roles/odfekibana/files/kibanasecret"
+      local:  "{{playbook_dir}}/secrets/tokens/kibanasecret"
    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/mispsecret"
-      local:  "roles/misp/files/mispsecret"
+      local:  "{{playbook_dir}}/secrets/tokens/mispsecret"
--- a/roles/keycloak/templates/initkeycloakrealm.sh.j2
+++ b/roles/keycloak/templates/initkeycloakrealm.sh.j2
@@ -5,8 +5,8 @@ exec 7>&2
 exec > /opt/jboss/keycloak/initkeycloak.log 2>&1
-kcadm.sh config truststore --trustpass {{tspass}} /opt/jboss/keycloak/cacerts.jks
+kcadm.sh config truststore --trustpass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} /opt/jboss/keycloak/cacerts.jks
-kcadm.sh config credentials --server https://{{groups['keycloakcontainers'][0]}}:8443/auth --realm master --user admin --password {{keycloak_adminpass}}
+kcadm.sh config credentials --server https://{{groups['keycloakcontainers'][0]}}:8443/auth --realm master --user admin --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keykloak_admin')}}"
 kcadm.sh create realms -b '{ "enabled": "true", "id": "{{openid_realm}}", "realm": "{{openid_realm}}"}'
 kcadm.sh create realms/{{openid_realm}}/authentication/flows/browser/copy -b '{ "id": "browser-x509", "newName": "X.509 Browser" }'
 BROWSERFORM=$(kcadm.sh create realms/{{openid_realm}}/authentication/flows/X.509%20Browser/executions/execution -i -b '{ "provider": "auth-x509-client-username-form" }')
@@ -18,7 +18,7 @@ kcadm.sh create realms/{{openid_realm}}/groups -b '{"name":"GN43WP8T31"}'
 {% for user in soctools_users %}
 kcadm.sh create realms/{{openid_realm}}/users -b '{"enabled":true,"attributes":{"DN": ["{{user.DN}}"],"CN": ["{{user.CN}}"]},"username":"{{user.username}}","emailVerified":"","email":"{{user.email}}","firstName":"{{user.firstname}}","lastName":"{{user.lastname}}","groups": ["/GN43WP8T31"] }'
-kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{user.password}}
+kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/'+user.CN)}}
 {% endfor %}
 NIFICLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"soctools-nifi","protocol":"openid-connect","clientAuthenticatorType": "client-secret","redirectUris": ["https://{{soctoolsproxy}}:9443/*" ],"webOrigins": [], "publicClient": false }')

--- a/roles/misp/tasks/config.yml
+++ b/roles/misp/tasks/config.yml
 ---
 - name: Change password of default user
-  shell: "/var/www/MISP/app/Console/cake Password admin@admin.test {{ lookup('password', '/tmp/passwordfile') }}"
+  shell: "/var/www/MISP/app/Console/cake Password admin@admin.test {{ lookup('password', '{{playbook_dir}}/secrets/passwords/misp_admin') }}"
 - name: Configure MISP
  shell: '/var/www/MISP/app/Console/cake Admin setSetting {{item.var}} {{item.value}}'

--- a/roles/misp/tasks/start.yml
+++ b/roles/misp/tasks/start.yml
@@ -12,16 +12,16 @@
    dest: "{{ item.remote }}"
    mode: "{{ item.mode}}"
  with_items:
-    - local: "files/{{ inventory_hostname }}.crt"
+    - local: "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
      remote: /etc/ssl/certs/misp.crt
      mode: '0644'
-    - local: "files/{{ inventory_hostname }}.key"
+    - local: "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
      remote: /etc/ssl/certs/misp.key
      mode: '0600'
-    - local: "files/{{ ca_cn }}.crt"
+    - local: "{{playbook_dir}}/secrets/CA/ca.crt"
      remote: /etc/ssl/certs/ca.crt
      mode: '0644'
-    - local: "files/{{ ca_cn }}.crt"
+    - local: "{{playbook_dir}}/secrets/CA/ca.crt"
      remote: /etc/pki/ca-trust/source/anchors/ca.crt
      mode: '0644'
@@ -30,7 +30,7 @@
 - name: Get openid authkey
  set_fact:
-    mispsecret: "{{lookup('file', 'files/mispsecret',convert_data=False) | from_json }}"
+    mispsecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/mispsecret',convert_data=False) | from_json }}"
 - name: Configure Apache web server for misp
  template:
@@ -46,7 +46,7 @@
  lineinfile:
    path: /var/www/MISP/app/Config/config.php
    regexp: "'salt'.*=>"
-    line: "'salt' => '{{misp_salt}}',"
+    line: "'salt' => '{{lookup('password', '{{playbook_dir}}/secrets/misp_salt')}}',"
 - name: Configure MISP database initialization script
  template:

--- a/roles/misp/templates/checkdb.sh.j2
+++ b/roles/misp/templates/checkdb.sh.j2
 #!/bin/bash -x
-MISPINIT=$(echo "SELECT COUNT(DISTINCT 'table_name') FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | mysql -s -h {{mysql_name}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}})
+MISPINIT=$(echo "SELECT COUNT(DISTINCT 'table_name') FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | mysql -s -h {{mysql_name}} -u {{misp_dbuser}} -p{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}} {{misp_dbname}})
 if [ ${MISPINIT} == "0" ]; then
-  cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -s -h {{mysql_name}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}}
+  cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -s -h {{mysql_name}} -u {{misp_dbuser}} -p{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}} {{misp_dbname}}
 fi
--- a/roles/misp/templates/database.php.j2
+++ b/roles/misp/templates/database.php.j2
@@ -67,7 +67,7 @@ class DATABASE_CONFIG {
 		'login' => '{{misp_dbuser}}',
 		'port' => 3306, // MySQL & MariaDB
 		//'port' => 5432, // PostgreSQL
-		'password' => '{{misp_dbpass}}',
+		'password' => '{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}}',
 		'database' => '{{misp_dbname}}',
 		'prefix' => '',
 		'encoding' => 'utf8',

--- a/roles/misp/templates/misp.conf.j2
+++ b/roles/misp/templates/misp.conf.j2
@@ -14,7 +14,7 @@ ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/MISP/app/webroot
 SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
-OIDCCryptoPassphrase {{misp_crypto_pass}}
+OIDCCryptoPassphrase {{lookup('password', '{{playbook_dir}}/secrets/passwords/misp_crypto')}}
 OIDCProviderMetadataURL https://{{soctoolsproxy}}:12443/auth/realms/{{openid_realm}}/.well-known/openid-configuration
 OIDCRedirectURI https://{{soctoolsproxy}}:6443/users/login/keycloak
 OIDCClientID soctools-misp

--- a/roles/misp/templates/mysql_secure.sql.j2
+++ b/roles/misp/templates/mysql_secure.sql.j2
-UPDATE mysql.user SET Password=PASSWORD('{{mysql_dbrootpass}}') WHERE User='root';
+UPDATE mysql.user SET Password=PASSWORD('{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_root')}}') WHERE User='root';
 DELETE FROM mysql.user WHERE User='';
 DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
 DROP DATABASE IF EXISTS test;
@@ -6,7 +6,7 @@ DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
 CREATE DATABASE {{misp_dbname}};
 {% for misp_host in groups['mispcontainers'] %}
-GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{misp_dbpass}}';
+GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}}';
 GRANT ALL PRIVILEGES on {{misp_dbname}}.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}';
 {% endfor %}

--- a/roles/mysql/tasks/misp.yml
+++ b/roles/mysql/tasks/misp.yml
@@ -12,7 +12,7 @@
    name: "{{misp_dbuser}}"
    #host: "{{item}}.{{soctools_netname}}"
    host: "%"
-    password: "{{misp_dbpass}}"
+    password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}}"
    priv: "{{misp_dbname}}.*:ALL"
  with_items: "{{groups['mispcontainers']}}"
  tags:
@@ -26,7 +26,7 @@
 #  CREATE DATABASE IF NOT EXISTS {{misp_dbname}};
 #  {% for misp_host in groups['mispcontainers'] %}
-#  GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{misp_dbpass}}';
+#  GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}}';
 #  GRANT ALL PRIVILEGES on {{misp_dbname}}.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}';
 #  {% endfor %}
 #