diff --git a/HOWTOS.md b/HOWTOS.md index 3a9aac098a143fe8e0544f68aedf8c0140bc193c..1da98000b1e2144bc06218726e3d9ff8c4cc8070 100644 --- a/HOWTOS.md +++ b/HOWTOS.md @@ -8,7 +8,7 @@ To make modifications to the main NiFi pipeline and add it to the Ansible playbo * Make necesarry to the pipeline in the NiFi GUI * Copy flow.xml.gz file from one of the NiFi containers: - `docker cp <CONTAINER ID>:/opt/nifi/nifi-current/conf/flow.xml.gz .` + `docker cp soctools-nifi-1:/opt/nifi/nifi-current/conf/flow.xml.gz .` * Convert flowx.xml.gz to new template `utils/flow2template.py flow.xml.gz roles/nifi/templates/flow.xml.j2` diff --git a/README.md b/README.md index ac1dfb4ea857a9bb3f6e0d76dc19a944dad5c9fd..f44a4984173bae749d95a9cbcf4551c6461643e6 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,8 @@ Temporary solution: Upload your ssh key to gitlab.geant.org Install soctools: Edit group_vars/all/main.yml and change 'soctoolsproxy' so that it point to the FQDN of the server. `vi group_vars/all/main.yml` -The first entry in the soctools_users variable is the user with full admin privileges in NiFi and Kibana. +Users are specified in the file: +`group_vars/all/users.yml` To configure the server running soctools, run the ansible playbook: `ansible-playbook -i inventories soctools_server.yml` 
@@ -32,11 +33,11 @@ To build the Docker images needed, run the ansible playbook: To build the CA needed for host and user certificates, run the ansible playbook: `ansible-playbook -i inventories buildca.yml` -If using soclab CA certificates provided with this installation, you first need to download and import root certificate found at roles/ca/files/CA/ca.crt. +If using soctools CA certificates provided with this installation, you first need to download and import root certificate found in secrets/CA/ca.crt For Windows, CA certificate should be installed in Trusted Root Certification Authorities store. -User certificates are can be found in the directory roles/ca/files/CA/private. Import into browser for authentication. -For Windows, user certificate should be installed in Personal store. +User certificates are can be found in the directory secrets/certificates. Import into browser for authentication. +For Windows, user certificate should be installed in Personal store. Passwords for the certificates can be found in the directory secrets/passwords. To start the cluster, run the ansible playbook soctools.yml: `ansible-playbook -i inventories soctools.yml -t start` diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 840fe8340eef3338d7c72dd9612e31f19ccb7000..da6e6b4415e22821f3be4befb6701e4cdce87ea9 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -1,6 +1,6 @@ --- -soctoolsproxy: "<CHANGE_ME:hostname>" +soctoolsproxy: "arne-centos2.cert-labs.uninett.no" # TheHive Button plugin THEHIVE_URL: "https://hive.gn4-3-wp8-soc.sunet.se/" @@ -18,7 +18,6 @@ haproxy_name: "soctools-haproxy" haproxy_version: "2.2" haproxy_img: "{{repo}}/haproxy:{{version}}{{suffix}}" HAPROXY_PROCESSES: "2" -HAPROXY_STATS_PASS: "eiph2Eepaizicheelah3tei+bae3ohgh" FILEBEAT_VERSION: "7.9.3" FILEBEAT_OUTPUT_HOST: "{{soctoolsproxy}}" 
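Review bot: The `<CHANGE_ME:hostname>` placeholder for `soctoolsproxy` (hunk at -1 of group_vars/all/main.yml) is replaced in the committed defaults by what looks like a developer's real host, `arne-centos2.cert-labs.uninett.no`. The README in this same commit still tells installers to edit this value, and the placeholder is what made an unedited install fail loudly instead of pointing every other deployment at that host while publishing an internal host name. Keep `soctoolsproxy: "<CHANGE_ME:hostname>"` here and put the real value in an inventory or host_vars file that stays out of version control, as `secrets/` presumably does. The password values this commit deletes from the file (the `HAPROXY_STATS_PASS` hunk and the ones below it) remain in repository history, so any existing deployment should treat them as disclosed and rotate them.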
@@ -40,7 +39,6 @@ nifi_img: "{{repo}}/nifi:{{version}}{{suffix}}" mysql_name: "soctools-mysql" mysql_img: "{{repo}}/mysql:{{version}}{{suffix}}" -mysql_dbrootpass: "Pass006" cassandra_name: "soctools-cassandra" cassandra_img: "{{repo}}/cassandra:{{version}}{{suffix}}" @@ -55,10 +53,6 @@ cortex_img: "{{repo}}/cortex:{{version}}{{suffix}}" cortex_elasticsearch_mem: "256m" # GENERATED WITH cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1 cortex_secret_key: "9CZ844IcAp5dHjsgU4iuaEssdopLcS6opzhVP3Ys4t4eRpNlHmwZdtfveLEXpM9D" -cortex_odfe_pass: "Pass009" - -kspass: "Testing003" -tspass: "Testing003" sysctlconfig: - { key: "net.core.rmem_max", val: "4194304" } @@ -73,32 +67,10 @@ nifi_repo: "https://archive.apache.org/dist" ca_cn: "SOCTOOLS-CA" -soctools_users: - - firstname: "Arne" - lastname: "Oslebo" - username: "arne.oslebo" - email: "arne.oslebo@uninett.no" - DN: "CN=Arne Oslebo" - CN: "Arne Oslebo" - password: "Pass002" - - firstname: "Bozidar" - lastname: "Proevski" - username: "bozidar.proevski" - email: "bozidar.proevski@finki.ukim.mk" - DN: "CN=Bozidar Proevski" - CN: "Bozidar Proevski" - password: "Pass001" - -# Minimum one user is required -ODFE_ADMIN_USERS: - - arne.oslebo - - bozidar.proevski - odfees_img: "{{repo}}/odfees:{{version}}{{suffix}}" odfekibana_img: "{{repo}}/odfekibana:{{version}}{{suffix}}" # GENERATE 32-bit secure value odfekibana_cookie: "iroAm0ueIV7w6CS1WcJTwIV6R4d5RIAt" -odfees_adminpass: "Pass004" #elk_version: "oss-7.6.1" elk_version: "oss-7.4.2" #odfeplugin_version: "1.7.0.0" @@ -109,7 +81,6 @@ openid_scope: profile openid_subjkey: preferred_username keycloak_img: "{{repo}}/keycloak:{{version}}{{suffix}}" -keycloak_adminpass: "Pass005" elastic_username: "admin" misp_token: "" 
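Review bot: `cortex_secret_key` (hunk at -55) and `odfekibana_cookie` (hunk at -73) stay as literal values in the committed defaults while every other credential in this file moves to `lookup('password', …)`. Their own comments say they are meant to be generated, yet as committed every deployment built from this repository shares the same Cortex secret key and Kibana cookie value. Generating them like the rest keeps the commit consistent: `cortex_secret_key: "{{ lookup('password', playbook_dir ~ '/secrets/passwords/cortex_secret_key length=64') }}"` and `odfekibana_cookie: "{{ lookup('password', playbook_dir ~ '/secrets/passwords/odfekibana_cookie length=32') }}"`.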
@@ -118,8 +89,6 @@ maxmind_key: "" misp_dbname: "mispdb" misp_dbuser: "misp" -misp_dbpass: "Pass007" # misp_salt generated with: openssl rand -base64 32 -misp_salt: "wa2fJA2mGIn32IDl+uKrCJ069Mg3khDdGzFNv8DOwM0=" -misp_odic_crypto_pass: 1234567890 #TODO: Generate dynamically -misp_crypto_pass: 1234567890 #TODO: Generate dynamically +#misp_odic_crypto_pass: 1234567890 #TODO: Generate dynamically +#misp_crypto_pass: 1234567890 #TODO: Generate dynamically diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml new file mode 100644 index 0000000000000000000000000000000000000000..bc785e4800de9f8642c7236db63cbe5069f2826a --- /dev/null +++ b/group_vars/all/users.yml @@ -0,0 +1,21 @@ +--- + +soctools_users: + - firstname: "User1" + lastname: "SOC" + username: "user1" + email: "user1@soctools.test" + DN: "CN=User1Soctools" + CN: "User1Soctools" + - firstname: "User2" + lastname: "SOC" + username: "user2" + email: "user2@soctools.test" + DN: "CN=User2Soctools" + CN: "User2Soctools" + +# Minimum one user is required +ODFE_ADMIN_USERS: + - user1 + + diff --git a/roles/ca/tasks/main.yml b/roles/ca/tasks/main.yml index 8d982c51d19b61b28dbb39164565784404c8901d..e851761376265268c0ea7af70ae65d47d789a43f 100644 --- a/roles/ca/tasks/main.yml +++ b/roles/ca/tasks/main.yml @@ -1,8 +1,18 @@ --- +- name: Create secret directory + file: + path: "{{playbook_dir}}/{{item}}" + state: directory + loop: + - secrets + - secrets/certificates + - secrets/tokens + - secrets/passwords + - name: Check for existing CA folder stat: - path: roles/ca/files/CA + path: "{{playbook_dir}}/secrets/CA" register: capath - name: build ca root key and cert 
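Review bot: The `# misp_salt generated with: openssl rand -base64 32` comment kept as context in the hunk at -118 of group_vars/all/main.yml now describes a variable that no longer exists in this file, since the salt is produced by `lookup('password', …)` in roles/misp/tasks/start.yml. Drop the comment here, or move a one-line note next to the new lookup so the next reader knows where the salt comes from and how long it is expected to be.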
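Review bot: The new `Create secret directory` task in roles/ca/tasks/main.yml (hunk at -1) creates `secrets`, `secrets/passwords`, `secrets/certificates` and `secrets/tokens` without a `mode`, so they get whatever the controller's umask yields, typically world-readable. These directories will hold plaintext generated passwords, user P12 bundles and the Keycloak client secrets fetched later in this commit, and `secrets/CA/private` beside them holds every host key. Add `mode: '0700'` to the `file:` call; the `secrets/CA` tree itself is created by easyrsa outside this task, so its permissions need checking separately.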
@@ -14,27 +24,19 @@ environment: EASYRSA_BATCH: 1 EASYRSA_REQ_CN: "{{ ca_cn }}" - EASYRSA_PKI: roles/ca/files/CA + EASYRSA_PKI: "{{playbook_dir}}/secrets/CA" when: not capath.stat.exists -- name: Copy cert to truststore - copy: - src: roles/ca/files/CA/ca.crt - dest: "roles/ca/files/truststore/{{ ca_cn }}.crt" - - name: Remove previous truststore file: - path: roles/ca/files/truststore/cacerts.jks + path: '{{playbook_dir}}/secrets/CA/cacerts.jks' state: absent - name: Generate truststore command: > - docker run --rm -v {{role_path}}/files/truststore/:/opt/cafiles/:z + docker run --rm -v {{playbook_dir}}/secrets/CA/:/opt/cafiles/:z "{{repo}}/openjdk:{{version}}{{suffix}}" keytool -import -noprompt -trustcacerts - -alias "{{item}}" -file "/opt/cafiles/{{item}}.crt" -keystore /opt/cafiles/cacerts.jks -storepass "{{tspass}}" - with_items: - - "{{ ca_cn }}" - #- GN43WP8T31_CA + -alias "{{ ca_cn }}" -file "/opt/cafiles/ca.crt" -keystore /opt/cafiles/cacerts.jks -storepass "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}" - name: Check for existing host certificates command: roles/ca/files/easyrsa/easyrsa show-cert {{item}} @@ -50,7 +52,7 @@ - "filebeat" environment: EASYRSA_BATCH: 1 - EASYRSA_PKI: roles/ca/files/CA + EASYRSA_PKI: "{{playbook_dir}}/secrets/CA" register: hostcerts ignore_errors: true @@ -71,7 +73,7 @@ - "filebeat" environment: EASYRSA_BATCH: 1 - EASYRSA_PKI: roles/ca/files/CA + EASYRSA_PKI: "{{playbook_dir}}/secrets/CA" ignore_errors: true loop_control: index_var: my_idx @@ -95,7 +97,7 @@ expect: command: roles/ca/files/easyrsa/easyrsa export-p12 {{item}} responses: - Enter Export Password: "{{kspass}}" + Enter Export Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}" with_items: - "{{ groups['nificontainers'] }}" - "{{ groups['odfeescontainers'] }}" 
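Review bot: Every new `lookup('password', '{{playbook_dir}}/secrets/passwords/…')` in this hunk, and the same pattern in the other roles, templates and group_vars this commit touches, nests `{{ }}` inside a Jinja expression. That only works because Ansible templates lookup terms a second time; it is harder to read than a plain expression, and `roles/keycloak/templates/initkeycloakrealm.sh.j2` in this same commit already uses concatenation (`'…/secrets/passwords/'+user.CN`) for the per-user file, so the commit mixes two styles. Use the expression form throughout, e.g. `lookup('password', playbook_dir ~ '/secrets/passwords/truststore')`; the same applies to the `lookup('file', …)` calls in roles/misp and roles/nifi.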
@@ -106,158 +108,7 @@ - "{{ groups['mispcontainers'] }}" environment: EASYRSA_BATCH: 1 - EASYRSA_PKI: roles/ca/files/CA - -- name: Copy nifi host certs to nifi role - copy: - src: roles/ca/files/CA/private/{{item}}.p12 - dest: roles/nifi/files/{{item}}.p12 - with_items: - - "{{ groups['nificontainers'] }}" - -- name: Copy odfees host certs to odfees role - copy: - src: roles/ca/files/CA/private/{{item}}.p12 - dest: roles/odfees/files/{{item}}.p12 - with_items: - - "{{ groups['odfeescontainers'] }}" - -- name: Copy odfekibana host p12 certs to odfekibana role - copy: - src: roles/ca/files/CA/private/{{item}}.p12 - dest: roles/odfekibana/files/{{item}}.p12 - with_items: - - "{{ groups['odfekibanacontainers'] }}" - -- name: Copy cortex host p12 certs to cortex role - copy: - src: roles/ca/files/CA/private/{{item}}.p12 - dest: roles/cortex/files/{{item}}.p12 - with_items: - - "{{ groups['cortex'] }}" - -- name: Copy odfekibana host certs to odfekibana role - copy: - src: roles/ca/files/CA/issued/{{item}}.crt - dest: roles/odfekibana/files/{{item}}.crt - with_items: - - "{{ groups['odfekibanacontainers'] }}" - -- name: Copy odfekibana host keys to odfekibana role - copy: - src: roles/ca/files/CA/private/{{item}}.key - dest: roles/odfekibana/files/{{item}}.key - with_items: - - "{{ groups['odfekibanacontainers'] }}" - -- name: Copy haproxy host cert to haproxy role - copy: - src: roles/ca/files/CA/issued/{{item}}.crt - dest: roles/haproxy/files/{{item}}.crt - with_items: - - "{{ groups['haproxy'] }}" - -- name: Copy haproxy host key to haproxy role - copy: - src: roles/ca/files/CA/private/{{item}}.key - dest: roles/haproxy/files/{{item}}.key - with_items: - - "{{ groups['haproxy'] }}" - -- name: Copy filebeat host cert to filebeat role - copy: - src: roles/ca/files/CA/issued/{{item}}.crt - dest: roles/filebeat/files/{{item}}.crt - with_items: - - "filebeat" - -- name: Copy filebeat host key to filebeat role - copy: - src: roles/ca/files/CA/private/{{item}}.key - dest: 
roles/filebeat/files/{{item}}.key - with_items: - - "filebeat" - -- name: Copy keycloak host certs to keycloak role - copy: - src: roles/ca/files/CA/issued/{{item}}.crt - dest: roles/keycloak/files/{{item}}.crt - with_items: - - "{{ groups['keycloakcontainers'] }}" - -- name: Copy keycloak host keys to keycloak role - copy: - src: roles/ca/files/CA/private/{{item}}.key - dest: roles/keycloak/files/{{item}}.key - with_items: - - "{{ groups['keycloakcontainers'] }}" - -- name: Copy misp host certs to misp role - copy: - src: roles/ca/files/CA/issued/{{item}}.crt - dest: roles/misp/files/{{item}}.crt - with_items: - - "{{ groups['mispcontainers'] }}" - -- name: Copy misp host keys to misp role - copy: - src: roles/ca/files/CA/private/{{item}}.key - dest: roles/misp/files/{{item}}.key - with_items: - - "{{ groups['mispcontainers'] }}" - -- name: Copy thehive host cert to thehive role - copy: - src: roles/ca/files/CA/issued/{{item}}.crt - dest: roles/thehive/files/{{item}}.crt - with_items: - - "{{ groups['thehive'] }}" - -- name: Copy thehive host key to thehive role - copy: - src: roles/ca/files/CA/private/{{item}}.key - dest: roles/thehive/files/{{item}}.key - with_items: - - "{{ groups['thehive'] }}" - -- name: Copy cortex host cert to cortex role - copy: - src: roles/ca/files/CA/issued/{{item}}.crt - dest: roles/cortex/files/{{item}}.crt - with_items: - - "{{ groups['cortex'] }}" - -- name: Copy cortex host key to cortex role - copy: - src: roles/ca/files/CA/private/{{item}}.key - dest: roles/cortex/files/{{item}}.key - with_items: - - "{{ groups['cortex'] }}" - -- name: Copy truststore to roles - copy: - src: roles/ca/files/truststore/cacerts.jks - dest: "roles/{{item}}/files/cacerts.jks" - with_items: - - nifi - - odfees - - odfekibana - - keycloak - - misp - - cortex - -- name: Copy ca cert to roles - copy: - src: "roles/ca/files/truststore/{{ ca_cn }}.crt" - dest: "roles/{{item}}/files/{{ ca_cn }}.crt" - with_items: - - nifi - - odfees - - odfekibana - - 
keycloak - - misp - - thehive - - cortex + EASYRSA_PKI: "{{playbook_dir}}/secrets/CA" - name: Check for existing user certificates command: roles/ca/files/easyrsa/easyrsa show-cert {{item.CN | regex_escape()}} @@ -265,7 +116,7 @@ - "{{soctools_users}}" environment: EASYRSA_BATCH: 1 - EASYRSA_PKI: roles/ca/files/CA + EASYRSA_PKI: "{{playbook_dir}}/secrets/CA" register: usercerts ignore_errors: true @@ -275,7 +126,7 @@ - "{{soctools_users}}" environment: EASYRSA_BATCH: 1 - EASYRSA_PKI: roles/ca/files/CA + EASYRSA_PKI: "{{playbook_dir}}/secrets/CA" ignore_errors: true loop_control: index_var: my_idx @@ -285,24 +136,17 @@ expect: command: roles/ca/files/easyrsa/easyrsa export-p12 "{{item.CN}}" responses: - Enter Export Password: "{{item.password}}" + Enter Export Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}" with_items: - "{{soctools_users}}" environment: EASYRSA_BATCH: 1 - EASYRSA_PKI: roles/ca/files/CA - -- name: Copy user certs to odfees - copy: - src: "roles/ca/files/CA/private/{{ item.CN }}.p12" - dest: "roles/odfees/files/{{ item.CN }}.p12" - with_items: - - "{{soctools_users}}" + EASYRSA_PKI: "{{playbook_dir}}/secrets/CA" -- name: Copy user certs to odfekibana +- name: Copy user certs to certificates copy: - src: "roles/ca/files/CA/private/{{ item.CN }}.p12" - dest: "roles/odfekibana/files/{{ item.CN }}.p12" + src: "{{playbook_dir}}/secrets/CA/private/{{ item.CN }}.p12" + dest: "{{playbook_dir}}/secrets/certificates/{{ item.CN }}.p12" with_items: - "{{soctools_users}}" diff --git a/roles/cortex/tasks/start.yml b/roles/cortex/tasks/start.yml index c3de8167d8d1240cd79220fc5b0ef2e70fb6b4f7..ddb37bc3f01c9a37165ecc98232d091d5ceb34d0 100644 --- a/roles/cortex/tasks/start.yml +++ b/roles/cortex/tasks/start.yml 
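Review bot: The hunk at -106 removes the copies of host certificates, keys, truststore and CA cert into roles/odfees/files, roles/odfekibana/files and roles/thehive/files, but this diff contains no change to those three roles, while roles/cortex, nifi, haproxy, filebeat, keycloak and misp are all updated to read from `secrets/CA` directly. Unless those roles were updated elsewhere, their copy tasks still expect `files/<host>.p12`, `files/cacerts.jks` and `files/{{ ca_cn }}.crt`, which nothing produces any more, and the first full run after this commit fails there. Either include the matching updates in this commit or note the dependency in the commit message.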
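Review bot: The user export-p12 `expect` task (hunk at -285) now feeds the generated password from `secrets/passwords/<CN>` as a response, and the `expect` module's arguments, responses included, are printed by Ansible in verbose and some callback output unless the task sets `no_log: true`. The same applies to the host-certificate export in the hunk at -95, to `Generate truststore` in the hunk at -14 (`-storepass` on the command line), to keycloak's `Set admin password` and to misp's `Change password of default user`, all of which now carry a freshly generated secret in their arguments. Add `no_log: true` to each of these tasks; for the `command`/`shell` ones the value also lands in the task's `cmd` field on failure.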
@@ -3,7 +3,7 @@ - name: Copy cacert to ca-trust dir remote_user: root copy: - src: "files/{{ca_cn}}.crt" + src: "{{playbook_dir}}/secrets/CA/ca.crt" dest: /etc/pki/ca-trust/source/anchors/ca.crt - name: Install cacert to root truststore @@ -14,14 +14,14 @@ remote_user: cortex copy: src: "{{ item }}" - dest: "/etc/cortex/{{ item }}" + dest: "/etc/cortex/" mode: 0600 with_items: - - "{{ inventory_hostname }}.p12" - - "{{ inventory_hostname }}.crt" - - "{{ inventory_hostname }}.key" - - cacerts.jks - - "{{ca_cn}}.crt" + - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12" + - "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt" + - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key" + - "{{playbook_dir}}/secrets/CA/cacerts.jks" + - "{{playbook_dir}}/secrets/CA/ca.crt" - name: Configure embedded Elasticsearch 6 remote_user: root diff --git a/roles/cortex/templates/application.conf.j2 b/roles/cortex/templates/application.conf.j2 index 56ef22f5583db5ac8b0e9413276a19b4efc76f20..4d1ff58fcca9e55fd1437673ebf3bf864058d069 100644 --- a/roles/cortex/templates/application.conf.j2 +++ b/roles/cortex/templates/application.conf.j2 @@ -34,18 +34,18 @@ search { ## ## Authentication configuration ## search.username = "cortex" -## search.password = "{{cortex_odfe_pass}}" +## search.password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_odfe')}}" ## ## ## SSL configuration ## search.keyStore { ## path = "/etc/cortex/soctools-cortex.p12" ## type = "PKCS12" # or PKCS12 -## password = "{{kspass}}" +## password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}" ## } ## search.trustStore { ## path = "/etc/cortex/cacerts.jks" ## type = "JKS" # or PKCS12 -## password = "{{tspass}}" +## password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}" ## } } 
diff --git a/roles/filebeat/tasks/main.yml b/roles/filebeat/tasks/main.yml index 1c17549beab48f2b25a4d28e31a99cb80c4af2f4..2ae0966d316066c5ec234dde0bedc21548532f93 100644 --- a/roles/filebeat/tasks/main.yml +++ b/roles/filebeat/tasks/main.yml @@ -4,11 +4,11 @@ - name: Copy filebeat certificates copy: src: "{{ item }}" - dest: "/opt/filebeat/{{ item }}" + dest: "/opt/filebeat/" mode: 0600 with_items: - - "filebeat.crt" - - "filebeat.key" + - "{{playbook_dir}}/secrets/CA/issued/filebeat.crt" + - "{{playbook_dir}}/secrets/CA/private/filebeat.key" become: true tags: - start diff --git a/roles/haproxy/tasks/start.yml b/roles/haproxy/tasks/start.yml index 9c06c74acd303463b8d00b31e70ab4a851f8cad5..f33f0eab5622bbca1e9f73dfbe575322aebc9f1b 100644 --- a/roles/haproxy/tasks/start.yml +++ b/roles/haproxy/tasks/start.yml @@ -23,11 +23,11 @@ - name: Copy haproxy certificates copy: src: "{{ item }}" - dest: "/opt/haproxy/{{ item }}" + dest: "/opt/haproxy/" mode: 0600 with_items: - - "{{ inventory_hostname }}.crt" - - "{{ inventory_hostname }}.key" + - "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt" + - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key" - name: Combine crt and key for haproxy assemble: diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2 index f35e48e961672e296b38bc91d133ede5f5fb9fd4..d566981a6c63627dddb93a94d562a497856c349e 100644 --- a/roles/haproxy/templates/haproxy.cfg.j2 +++ b/roles/haproxy/templates/haproxy.cfg.j2 @@ -22,7 +22,7 @@ listen stats stats hide-version stats uri / stats realm HAProxy Statistics - stats auth haproxy:{{ HAPROXY_STATS_PASS }} + stats auth haproxy:{{lookup('password', '{{playbook_dir}}/secrets/passwords/haproxy_stats')}} listen nifiserv bind *:9443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1 diff --git a/roles/keycloak/tasks/start.yml b/roles/keycloak/tasks/start.yml index e691b26e100217bfdd9f02390fc57767356b4364..468cb2559c151b0b146a9f17cfa3980bc70b24a0 100644 
--- a/roles/keycloak/tasks/start.yml +++ b/roles/keycloak/tasks/start.yml @@ -7,16 +7,16 @@ dest: "{{ item.remote }}" mode: "{{ item.mode}}" with_items: - - local: "files/{{ inventory_hostname }}.crt" + - local: "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt" remote: /etc/x509/https/tls.crt mode: '0644' - - local: "files/{{ inventory_hostname }}.key" + - local: "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key" remote: /etc/x509/https/tls.key mode: '0600' - - local: "files/{{ ca_cn }}.crt" + - local: "{{playbook_dir}}/secrets/CA/ca.crt" remote: /etc/x509/ca/ca.crt mode: '0644' - - local: "files/cacerts.jks" + - local: "{{playbook_dir}}/secrets/CA/cacerts.jks" remote: /opt/jboss/keycloak/cacerts.jks mode: '0644' @@ -28,7 +28,8 @@ - name: Set admin password remote_user: jboss - command: /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "{{keycloak_adminpass}}" + command: /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keykloak_admin')}}" + ignore_errors: True - name: Configure logging format remote_user: jboss @@ -85,11 +86,11 @@ flat: yes with_items: - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/nifisecret" - local: "roles/nifi/files/nifisecret" + local: "{{playbook_dir}}/secrets/tokens/nifisecret" - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/kibanasecret" - local: "roles/odfekibana/files/kibanasecret" + local: "{{playbook_dir}}/secrets/tokens/kibanasecret" - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/mispsecret" - local: "roles/misp/files/mispsecret" + local: "{{playbook_dir}}/secrets/tokens/mispsecret" - name: Set Autostart for supervisord's services shell: "sed -i 's/autostart=false/autostart=true/g' /etc/supervisord.conf" diff --git a/roles/keycloak/tasks/update-config.yml b/roles/keycloak/tasks/update-config.yml index 1178e33a8714944ccd9f172c2890f0e892f04de9..c64229a7f6a580c619e2d87f30cb1d3304d3d008 100644 
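Review bot: `ignore_errors: True` is added to `Set admin password` (hunk at -28), which hides every failure of add-user-keycloak.sh rather than only the re-run case where the admin user already exists; a bad password file or a missing script is silently ignored and the play fails later, less clearly, when initkeycloakrealm.sh cannot log in. Register the result and fail on anything other than the already-exists case, e.g. `register: kc_admin` and `failed_when: kc_admin.rc != 0 and 'already' not in (kc_admin.stdout ~ kc_admin.stderr)` (confirm the exact wording the script prints). The password file is named `keykloak_admin` here and in initkeycloakrealm.sh.j2; both spellings agree so it works, but if the typo is fixed it must be fixed in both places at once.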
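Review bot: The fetch task in the hunk at -85 now writes `kibanasecret` to `secrets/tokens/`, but this diff shows no matching change in roles/odfekibana, which previously received it at `roles/odfekibana/files/kibanasecret`; unless that role was updated elsewhere, whatever reads the file there (the counterpart of the `Get openid authkey` tasks in roles/nifi and roles/misp) will no longer find it. The same task list is duplicated in roles/keycloak/tasks/update-config.yml in this commit, so any fix applies to both copies.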
--- a/roles/keycloak/tasks/update-config.yml +++ b/roles/keycloak/tasks/update-config.yml @@ -24,9 +24,9 @@ flat: yes with_items: - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/nifisecret" - local: "roles/nifi/files/nifisecret" + local: "{{playbook_dir}}/secrets/tokens/nifisecret" - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/kibanasecret" - local: "roles/odfekibana/files/kibanasecret" + local: "{{playbook_dir}}/secrets/tokens/kibanasecret" - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/mispsecret" - local: "roles/misp/files/mispsecret" + local: "{{playbook_dir}}/secrets/tokens/mispsecret" diff --git a/roles/keycloak/templates/initkeycloakrealm.sh.j2 b/roles/keycloak/templates/initkeycloakrealm.sh.j2 index f4cfc9ec97b8829820128672692c6b3ef844e8c9..3d790f2eb02af9dbb6644d50795d77788f8c0ba4 100644 --- a/roles/keycloak/templates/initkeycloakrealm.sh.j2 +++ b/roles/keycloak/templates/initkeycloakrealm.sh.j2 @@ -5,8 +5,8 @@ exec 7>&2 exec > /opt/jboss/keycloak/initkeycloak.log 2>&1 -kcadm.sh config truststore --trustpass {{tspass}} /opt/jboss/keycloak/cacerts.jks -kcadm.sh config credentials --server https://{{groups['keycloakcontainers'][0]}}:8443/auth --realm master --user admin --password {{keycloak_adminpass}} +kcadm.sh config truststore --trustpass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} /opt/jboss/keycloak/cacerts.jks +kcadm.sh config credentials --server https://{{groups['keycloakcontainers'][0]}}:8443/auth --realm master --user admin --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keykloak_admin')}}" kcadm.sh create realms -b '{ "enabled": "true", "id": "{{openid_realm}}", "realm": "{{openid_realm}}"}' kcadm.sh create realms/{{openid_realm}}/authentication/flows/browser/copy -b '{ "id": "browser-x509", "newName": "X.509 Browser" }' BROWSERFORM=$(kcadm.sh create realms/{{openid_realm}}/authentication/flows/X.509%20Browser/executions/execution -i -b '{ "provider": "auth-x509-client-username-form" }') 
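Review bot: In the hunk at -5 of initkeycloakrealm.sh.j2 the truststore password is substituted unquoted (`--trustpass {{lookup(...)}}`) while the admin password on the next line is quoted. With the lookup's default character set both happen to be shell-safe, but as soon as someone passes `chars=` or hand-edits a file under `secrets/passwords`, the unquoted form is subject to word-splitting; quote it the same way: `--trustpass "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}"`.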
@@ -18,7 +18,7 @@ kcadm.sh create realms/{{openid_realm}}/groups -b '{"name":"GN43WP8T31"}' {% for user in soctools_users %} kcadm.sh create realms/{{openid_realm}}/users -b '{"enabled":true,"attributes":{"DN": ["{{user.DN}}"],"CN": ["{{user.CN}}"]},"username":"{{user.username}}","emailVerified":"","email":"{{user.email}}","firstName":"{{user.firstname}}","lastName":"{{user.lastname}}","groups": ["/GN43WP8T31"] }' -kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{user.password}} +kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/'+user.CN)}} {% endfor %} NIFICLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"soctools-nifi","protocol":"openid-connect","clientAuthenticatorType": "client-secret","redirectUris": ["https://{{soctoolsproxy}}:9443/*" ],"webOrigins": [], "publicClient": false }') diff --git a/roles/misp/tasks/config.yml b/roles/misp/tasks/config.yml index 1628108448c0361f2f5f2f346537654edcfc48bb..4ceec76506f2380216e6983b5a5b7c6b369b0aea 100644 --- a/roles/misp/tasks/config.yml +++ b/roles/misp/tasks/config.yml @@ -1,7 +1,7 @@ --- - name: Change password of default user - shell: "/var/www/MISP/app/Console/cake Password admin@admin.test {{ lookup('password', '/tmp/passwordfile') }}" + shell: "/var/www/MISP/app/Console/cake Password admin@admin.test {{ lookup('password', '{{playbook_dir}}/secrets/passwords/misp_admin') }}" - name: Configure MISP shell: '/var/www/MISP/app/Console/cake Admin setSetting {{item.var}} {{item.value}}' diff --git a/roles/misp/tasks/start.yml b/roles/misp/tasks/start.yml index 047dc1016d0c62ae898f9b277dc0d6ea2bbdad68..c07917fd83fe41509adf423109b20bfc9e781744 100644 --- a/roles/misp/tasks/start.yml +++ b/roles/misp/tasks/start.yml 
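Review bot: The per-user Keycloak password in the hunk at -18 is read from `secrets/passwords/<CN>`, which is the same file roles/ca/tasks/main.yml uses as the P12 export password for that user's certificate, so one generated secret now serves as both the login password and the certificate-bundle password, while the README only describes it as the certificate password. If that is intended, say so where it is consumed, e.g. `{# secrets/passwords/<CN> is also the P12 export password for this user (see roles/ca) #}` above the loop; otherwise read the login password from a separate file such as `'…/secrets/passwords/'+user.CN+'_login'`. This substitution is also the only one in the script left unquoted; `--new-password "{{ … }}"` matches the other lines.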
@@ -12,16 +12,16 @@ dest: "{{ item.remote }}" mode: "{{ item.mode}}" with_items: - - local: "files/{{ inventory_hostname }}.crt" + - local: "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt" remote: /etc/ssl/certs/misp.crt mode: '0644' - - local: "files/{{ inventory_hostname }}.key" + - local: "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key" remote: /etc/ssl/certs/misp.key mode: '0600' - - local: "files/{{ ca_cn }}.crt" + - local: "{{playbook_dir}}/secrets/CA/ca.crt" remote: /etc/ssl/certs/ca.crt mode: '0644' - - local: "files/{{ ca_cn }}.crt" + - local: "{{playbook_dir}}/secrets/CA/ca.crt" remote: /etc/pki/ca-trust/source/anchors/ca.crt mode: '0644' @@ -30,7 +30,7 @@ - name: Get openid authkey set_fact: - mispsecret: "{{lookup('file', 'files/mispsecret',convert_data=False) | from_json }}" + mispsecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/mispsecret',convert_data=False) | from_json }}" - name: Configure Apache web server for misp template: @@ -46,7 +46,7 @@ lineinfile: path: /var/www/MISP/app/Config/config.php regexp: "'salt'.*=>" - line: "'salt' => '{{misp_salt}}'," + line: "'salt' => '{{lookup('password', '{{playbook_dir}}/secrets/misp_salt')}}'," - name: Configure MISP database initialization script template: diff --git a/roles/misp/templates/checkdb.sh.j2 b/roles/misp/templates/checkdb.sh.j2 index 5bea05ab971b254e7db23bd66c3cd4c8c8852676..c8eb4abac0fefe53b36d5ac6fb5e588e96a03054 100644 --- a/roles/misp/templates/checkdb.sh.j2 +++ b/roles/misp/templates/checkdb.sh.j2 
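Review bot: The MISP salt in the hunk at -46 is generated at `{{playbook_dir}}/secrets/misp_salt`, outside the `secrets/passwords` directory every other generated value in this commit uses, and with the lookup's default length, whereas the value it replaces was produced by `openssl rand -base64 32` (44 characters). Use the shared location and keep the entropy comparable: `line: "'salt' => '{{lookup('password', '{{playbook_dir}}/secrets/passwords/misp_salt length=44')}}',"`. The lookup appears to create missing parent directories, so the current path does work, but a stray file one level up is easy to miss when rotating or backing up secrets.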
@@ -1,5 +1,5 @@ #!/bin/bash -x -MISPINIT=$(echo "SELECT COUNT(DISTINCT 'table_name') FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | mysql -s -h {{mysql_name}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}}) +MISPINIT=$(echo "SELECT COUNT(DISTINCT 'table_name') FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | mysql -s -h {{mysql_name}} -u {{misp_dbuser}} -p{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}} {{misp_dbname}}) if [ ${MISPINIT} == "0" ]; then - cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -s -h {{mysql_name}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}} + cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -s -h {{mysql_name}} -u {{misp_dbuser}} -p{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}} {{misp_dbname}} fi diff --git a/roles/misp/templates/database.php.j2 b/roles/misp/templates/database.php.j2 index 549c3cc124ddfff3f3e659ff2b8713f51f08a451..867e5fb9e876d23e8d6552eab177a1e5121c8eff 100755 --- a/roles/misp/templates/database.php.j2 +++ b/roles/misp/templates/database.php.j2 @@ -67,7 +67,7 @@ class DATABASE_CONFIG { 'login' => '{{misp_dbuser}}', 'port' => 3306, // MySQL & MariaDB //'port' => 5432, // PostgreSQL - 'password' => '{{misp_dbpass}}', + 'password' => '{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}}', 'database' => '{{misp_dbname}}', 'prefix' => '', 'encoding' => 'utf8', diff --git a/roles/misp/templates/misp.conf.j2 b/roles/misp/templates/misp.conf.j2 index a1fa137965d50ab49999d749527dd6ca7df6e54b..2ca05216dba90d63323d1362325837dd83824fbd 100644 --- a/roles/misp/templates/misp.conf.j2 +++ b/roles/misp/templates/misp.conf.j2 
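Review bot: checkdb.sh.j2 still passes the MISP database password on the mysql command line (`-p{{lookup(...)}}` on both changed lines), and the script runs under `#!/bin/bash -x`, so every invocation writes the now-generated password to the trace output and exposes it in the process list for the duration of the query. The mysql role already renders a client defaults file (`roles/mysql/templates/dotmy.cnf.j2`) for root; render one for the misp user as well and call `mysql --defaults-extra-file=<misp client cnf> -s -h {{mysql_name}} {{misp_dbname}}` on both lines, or at the very least drop `-x` from the shebang.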
@@ -14,7 +14,7 @@ ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/MISP/app/webroot SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 -OIDCCryptoPassphrase {{misp_crypto_pass}} +OIDCCryptoPassphrase {{lookup('password', '{{playbook_dir}}/secrets/passwords/misp_crypto')}} OIDCProviderMetadataURL https://{{soctoolsproxy}}:12443/auth/realms/{{openid_realm}}/.well-known/openid-configuration OIDCRedirectURI https://{{soctoolsproxy}}:6443/users/login/keycloak OIDCClientID soctools-misp diff --git a/roles/misp/templates/mysql_secure.sql.j2 b/roles/misp/templates/mysql_secure.sql.j2 index 7b8dd283a33da8aab7f443985ea9f5f97fb6f5d6..dd8ffd5d96d8dcdc08ca9efca5b2f66f3fa82dc9 100644 --- a/roles/misp/templates/mysql_secure.sql.j2 +++ b/roles/misp/templates/mysql_secure.sql.j2 @@ -1,4 +1,4 @@ -UPDATE mysql.user SET Password=PASSWORD('{{mysql_dbrootpass}}') WHERE User='root'; +UPDATE mysql.user SET Password=PASSWORD('{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_root')}}') WHERE User='root'; DELETE FROM mysql.user WHERE User=''; DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); DROP DATABASE IF EXISTS test; @@ -6,7 +6,7 @@ DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'; CREATE DATABASE {{misp_dbname}}; {% for misp_host in groups['mispcontainers'] %} -GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{misp_dbpass}}'; +GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}}'; GRANT ALL PRIVILEGES on {{misp_dbname}}.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}'; {% endfor %} diff --git a/roles/mysql/tasks/misp.yml b/roles/mysql/tasks/misp.yml index 7c9cc2027e58bf4ff8ea538c821d77486c491267..7c4c8c5f744b359240034c28449d29c4067eb670 100644 --- a/roles/mysql/tasks/misp.yml +++ b/roles/mysql/tasks/misp.yml 
@@ -12,7 +12,7 @@ name: "{{misp_dbuser}}" #host: "{{item}}.{{soctools_netname}}" host: "%" - password: "{{misp_dbpass}}" + password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}}" priv: "{{misp_dbname}}.*:ALL" with_items: "{{groups['mispcontainers']}}" tags: @@ -26,7 +26,7 @@ # CREATE DATABASE IF NOT EXISTS {{misp_dbname}}; # {% for misp_host in groups['mispcontainers'] %} -# GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{misp_dbpass}}'; +# GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}}'; # GRANT ALL PRIVILEGES on {{misp_dbname}}.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}'; # {% endfor %} # diff --git a/roles/mysql/tasks/secure.yml b/roles/mysql/tasks/secure.yml index 18f098e0bf61973914ca8e52e4de00a7e8a10652..80db96cf207efd2ba5b4ec0c5aa4828041a6e980 100644 --- a/roles/mysql/tasks/secure.yml +++ b/roles/mysql/tasks/secure.yml @@ -4,7 +4,7 @@ mysql_user: name: root host_all: yes - password: "{{mysql_dbrootpass}}" + password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_root')}}" tags: - start ignore_errors: true @@ -54,7 +54,7 @@ # # # -# UPDATE mysql.user SET Password=PASSWORD('{{mysql_dbrootpass}}') WHERE User='root'; +# UPDATE mysql.user SET Password=PASSWORD('{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_root')}}') WHERE User='root'; # DELETE FROM mysql.user WHERE User=''; # DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); # DROP DATABASE IF EXISTS test; 
@@ -64,9 +64,9 @@ # # # #!/bin/bash -x -# MISPINIT=$(echo "SELECT COUNT(DISTINCT 'table_name') FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}}) -# #MISPINIT=$(echo "select count(id) from users;" | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}}) +# MISPINIT=$(echo "SELECT COUNT(DISTINCT 'table_name') FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}} {{misp_dbname}}) +# #MISPINIT=$(echo "select count(id) from users;" | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}} {{misp_dbname}}) # if [ ${MISPINIT} == "0" ]; then -# cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}} +# cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}} {{misp_dbname}} # touch /var/www/MISP/dbchecked-$(date +%Y%m%d_%H%M%S) # fi diff --git a/roles/mysql/templates/dotmy.cnf.j2 b/roles/mysql/templates/dotmy.cnf.j2 index 56feaea61621677a51089d18f6fea96fc3a30a4b..79fe59e355fa1a7d55872cdd80e0025bfc246f25 100644 --- a/roles/mysql/templates/dotmy.cnf.j2 +++ b/roles/mysql/templates/dotmy.cnf.j2 @@ -1,3 +1,3 @@ [client] user=root -password='{{mysql_dbrootpass}}' +password='{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_root')}}' diff --git a/roles/mysql/templates/mysql_secure.sql.j2 b/roles/mysql/templates/mysql_secure.sql.j2 index 65bf47105711378d6237ca873016b25eeb36e6e6..5b8474e9b0dc5dbcc27f013a771f2187fdc68b6a 100644 --- a/roles/mysql/templates/mysql_secure.sql.j2 +++ b/roles/mysql/templates/mysql_secure.sql.j2 
@@ -1,4 +1,4 @@ -UPDATE mysql.user SET Password=PASSWORD('{{mysql_dbrootpass}}') WHERE User='root'; +UPDATE mysql.user SET Password=PASSWORD('{{playbook_dir}}/secrets/passwords/mysql_root')}}') WHERE User='root'; DELETE FROM mysql.user WHERE User=''; DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); DROP DATABASE IF EXISTS test; @@ -6,7 +6,7 @@ DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'; CREATE DATABASE IF NOT EXISTS {{misp_dbname}}; {% for misp_host in groups['mispcontainers'] %} -GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{misp_dbpass}}'; +GRANT USAGE on *.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}' IDENTIFIED by '{{playbook_dir}}/secrets/passwords/mysql_misp')}}'; GRANT ALL PRIVILEGES on {{misp_dbname}}.* to '{{misp_dbuser}}'@'{{misp_host}}.{{soctools_netname}}'; {% endfor %} diff --git a/roles/nifi/tasks/main.yml b/roles/nifi/tasks/main.yml index 6a7db1549311f1064b69a58ad15f60fa2f3267c5..d40885d26a03128c02cea825800bd269730ac50f 100644 --- a/roles/nifi/tasks/main.yml +++ b/roles/nifi/tasks/main.yml @@ -3,7 +3,7 @@ - name: Copy cacert to ca-trust dir remote_user: root copy: - src: "files/{{ca_cn}}.crt" + src: "{{playbook_dir}}/secrets/CA/ca.crt" dest: /etc/pki/ca-trust/source/anchors/ca.crt tags: - start @@ -18,10 +18,10 @@ remote_user: nifi copy: src: "{{ item }}" - dest: "conf/{{ item }}" + dest: "conf/" with_items: - - "{{ inventory_hostname }}.p12" - - cacerts.jks + - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12" + - "{{playbook_dir}}/secrets/CA/cacerts.jks" - common-cacerts.jks tags: - start @@ -46,7 +46,7 @@ - name: Get openid authkey remote_user: nifi set_fact: - nifisecret: "{{lookup('file', 'files/nifisecret',convert_data=False) | from_json }}" + nifisecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/nifisecret',convert_data=False)}}" tags: - start 
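Review bot: Both new lines in roles/mysql/templates/mysql_secure.sql.j2 (hunks `@@ -1,4` and `@@ -6,7`) lost the `lookup('password', ` prefix: `'{{playbook_dir}}/secrets/passwords/mysql_root')}}'` renders to the playbook path where the password should be, followed by the literal characters `')}}`, which closes the SQL string early and leaves a syntax error behind, so neither the root password nor the MISP user's password is set to the generated value. They should read `PASSWORD('{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_root')}}')` and `IDENTIFIED by '{{lookup('password', '{{playbook_dir}}/secrets/passwords/mysql_misp')}}'`, matching the form used in roles/mysql/tasks/secure.yml and main.yml. Whether this template is still rendered anywhere is not visible here; if it is dead, removing it is safer than keeping a diverging copy of the password-setting SQL.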
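Review bot: The new `nifisecret:` line in roles/nifi/tasks/main.yml (hunk `@@ -46,7`) drops the `| from_json` filter that the removed line had and that the parallel `kibanasecret` fact in roles/odfekibana/tasks/main.yml keeps, so `nifisecret` is now the raw file text rather than a parsed object. If the NiFi templates read it as `nifisecret.value`, the way kibana.yml.j2 reads `kibanasecret.value`, rendering will fail; if the new token file is deliberately plain text, the two roles now disagree on the secret format and a comment on the task should say so. How `nifisecret` is consumed is not visible in this diff.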
diff --git a/roles/nifi/templates/flow.xml.j2 b/roles/nifi/templates/flow.xml.j2 index ed7d7a84258de5752e6d641a2c6f21dd4e33fab6..1a0096b513b7cc10f7f5202b50fd1eb41ae6dd3a 100644 --- a/roles/nifi/templates/flow.xml.j2 +++ b/roles/nifi/templates/flow.xml.j2 @@ -4205,16 +4205,16 @@ <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> <outputPort> - <id>21a9e277-2d80-359a-9c57-cb76d8962e6d</id> - <name>To data output</name> - <position x="-1120.0" y="592.0" /> + <id>20b01ab3-3a8d-3573-b95d-a4a45494050f</id> + <name>To enrichment</name> + <position x="480.0" y="392.0" /> <comments /> <scheduledState>RUNNING</scheduledState> </outputPort> <outputPort> - <id>20b01ab3-3a8d-3573-b95d-a4a45494050f</id> - <name>To enrichment</name> - <position x="480.0" y="392.0" /> + <id>21a9e277-2d80-359a-9c57-cb76d8962e6d</id> + <name>To data output</name> + <position x="-1120.0" y="592.0" /> <comments /> <scheduledState>RUNNING</scheduledState> </outputPort> @@ -4226,16 +4226,16 @@ <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> <outputPort> - <id>27d5dab2-0172-1000-ffff-ffffab5c50be</id> - <name>To data output</name> - <position x="-632.0" y="328.0" /> + <id>27d5761b-0172-1000-0000-000059275dad</id> + <name>To enrichment</name> + <position x="-312.0" y="328.0" /> <comments /> <scheduledState>STOPPED</scheduledState> </outputPort> <outputPort> - <id>27d5761b-0172-1000-0000-000059275dad</id> - <name>To enrichment</name> - <position x="-312.0" y="328.0" /> + <id>27d5dab2-0172-1000-ffff-ffffab5c50be</id> + <name>To data output</name> + <position x="-632.0" y="328.0" /> <comments /> <scheduledState>STOPPED</scheduledState> </outputPort> 
@@ -4606,14 +4606,14 @@ <comments /> <scheduledState>RUNNING</scheduledState> </outputPort> - <funnel> - <id>bc925474-0175-1000-0000-00004e78071f</id> - <position x="1882.9999517774115" y="327.9999931568573" /> - </funnel> <funnel> <id>bc90d189-0175-1000-0000-0000037bc986</id> <position x="8.0" y="424.0" /> </funnel> + <funnel> + <id>bc925474-0175-1000-0000-00004e78071f</id> + <position x="1882.9999517774115" y="327.9999931568573" /> + </funnel> <connection> <id>bc90c7ac-0175-1000-ffff-fffffa80b534</id> <name /> @@ -5120,14 +5120,14 @@ <comments /> <scheduledState>RUNNING</scheduledState> </outputPort> - <funnel> - <id>895f7db3-0175-1000-ffff-ffff8229d688</id> - <position x="-1446.1517058240609" y="301.4492766741185" /> - </funnel> <funnel> <id>895faa7a-0175-1000-0000-000014ef9dd3</id> <position x="278.84829417593915" y="332.4492766741185" /> </funnel> + <funnel> + <id>895f7db3-0175-1000-ffff-ffff8229d688</id> + <position x="-1446.1517058240609" y="301.4492766741185" /> + </funnel> <connection> <id>895fbf8f-0175-1000-ffff-ffffa5d2d01e</id> <name /> @@ -6118,14 +6118,14 @@ <comments /> <scheduledState>RUNNING</scheduledState> </outputPort> - <funnel> - <id>8d3298f0-0175-1000-ffff-ffffc9f211a7</id> - <position x="56.0" y="280.0" /> - </funnel> <funnel> <id>8d399854-0175-1000-ffff-ffff8272837e</id> <position x="1736.0" y="528.0" /> </funnel> + <funnel> + <id>8d3298f0-0175-1000-ffff-ffffc9f211a7</id> + <position x="56.0" y="280.0" /> + </funnel> <connection> <id>8d3979b7-0175-1000-ffff-ffffe2efe898</id> <name /> 
@@ -6942,14 +6942,14 @@ <comments /> <scheduledState>RUNNING</scheduledState> </outputPort> - <funnel> - <id>f1b33d4c-1b10-18ad-ab4a-4a3a1e744f4b</id> - <position x="1112.0" y="376.0" /> - </funnel> <funnel> <id>7113dbce-0176-1000-ffff-ffffbbfa695f</id> <position x="-673.331668377643" y="376.49854987272295" /> </funnel> + <funnel> + <id>f1b33d4c-1b10-18ad-ab4a-4a3a1e744f4b</id> + <position x="1112.0" y="376.0" /> + </funnel> <connection> <id>631e37d8-ca81-1bfa-8f55-aac2a22873ad</id> <name /> 
@@ -7581,51 +7581,15 @@ </processGroup> <processGroup> <id>7263390f-914c-1f6e-9451-75f908ed8816</id> - <name>Copy of Keycloak</name> + <name>Elasticsearch</name> <position x="-1904.0" y="488.0" /> <comment /> <flowfileConcurrency>UNBOUNDED</flowfileConcurrency> <flowfileOutboundPolicy>STREAM_WHEN_AVAILABLE</flowfileOutboundPolicy> - <processor> - <id>1224352d-d1d1-10e8-b669-faf8022a7a5b</id> - <name>Extract message</name> - <position x="344.0" y="480.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.standard.ConvertRecord</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>record-reader</name> - <value>179dd31f-89ed-3179-adb2-85a9c61869ce</value> - </property> - <property> - <name>record-writer</name> - <value>bc8e5957-0175-1000-0000-00003346421d</value> - </property> - <property> - <name>include-zero-record-flowfiles</name> - <value>true</value> - </property> - <autoTerminatedRelationship>failure</autoTerminatedRelationship> - </processor> <processor> <id>295133bd-42e6-1b08-80c5-bea2e19921fc</id> <name>UpdateAttribute</name> - <position x="344.0" y="816.0" /> + <position x="360.0" y="600.0" /> <styles /> <comment /> <class>org.apache.nifi.processors.attributes.UpdateAttribute</class> 
@@ -7663,162 +7627,6 @@ <value>logs-elasticsearch</value> </property> </processor> - <processor> - <id>c2133480-cab5-13e3-a30c-44afba300fe9</id> - <name>Append ]</name> - <position x="1000.0" y="656.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.standard.ReplaceText</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>Regular Expression</name> - <value>(?s)(^.*),$</value> - </property> - <property> - <name>Replacement Value</name> - <value>$1]</value> - </property> - <property> - <name>Character Set</name> - <value>UTF-8</value> - </property> - <property> - <name>Maximum Buffer Size</name> - <value>1 MB</value> - </property> - <property> - <name>Replacement Strategy</name> - <value>Regex Replace</value> - </property> - <property> - <name>Evaluation Mode</name> - <value>Entire text</value> - </property> - <property> - <name>Line-by-Line Evaluation Mode</name> - <value>All</value> - </property> - <autoTerminatedRelationship>failure</autoTerminatedRelationship> - </processor> - <processor> - <id>7570be71-0176-1000-0000-000062deefd2</id> - <name>Prepend [</name> - <position x="344.0" y="648.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.standard.ReplaceText</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 
sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>Regular Expression</name> - <value>(?s)(^.*$)</value> - </property> - <property> - <name>Replacement Value</name> - <value>[</value> - </property> - <property> - <name>Character Set</name> - <value>UTF-8</value> - </property> - <property> - <name>Maximum Buffer Size</name> - <value>1 MB</value> - </property> - <property> - <name>Replacement Strategy</name> - <value>Prepend</value> - </property> - <property> - <name>Evaluation Mode</name> - <value>Entire text</value> - </property> - <property> - <name>Line-by-Line Evaluation Mode</name> - <value>All</value> - </property> - <autoTerminatedRelationship>failure</autoTerminatedRelationship> - </processor> - <processor> - <id>75699f60-0176-1000-0000-000064aed2e3</id> - <name>Add , between log lines</name> - <position x="992.0" y="480.0" /> - <styles /> - <comment /> - <class>org.apache.nifi.processors.standard.ReplaceText</class> - <bundle> - <group>org.apache.nifi</group> - <artifact>nifi-standard-nar</artifact> - <version>1.12.1</version> - </bundle> - <maxConcurrentTasks>1</maxConcurrentTasks> - <schedulingPeriod>0 sec</schedulingPeriod> - <penalizationPeriod>30 sec</penalizationPeriod> - <yieldPeriod>1 sec</yieldPeriod> - <bulletinLevel>WARN</bulletinLevel> - <lossTolerant>false</lossTolerant> - <scheduledState>RUNNING</scheduledState> - <schedulingStrategy>TIMER_DRIVEN</schedulingStrategy> - <executionNode>ALL</executionNode> - <runDurationNanos>0</runDurationNanos> - <property> - <name>Regular Expression</name> - <value>(?s)(^.*}$)</value> - </property> - <property> - <name>Replacement Value</name> - <value>$1,</value> - </property> - <property> - <name>Character Set</name> - 
<value>UTF-8</value> - </property> - <property> - <name>Maximum Buffer Size</name> - <value>1 MB</value> - </property> - <property> - <name>Replacement Strategy</name> - <value>Regex Replace</value> - </property> - <property> - <name>Evaluation Mode</name> - <value>Line-by-Line</value> - </property> - <property> - <name>Line-by-Line Evaluation Mode</name> - <value>All</value> - </property> - <autoTerminatedRelationship>failure</autoTerminatedRelationship> - </processor> <inputPort> <id>39ce3238-1ebd-1c2c-b724-01d18f147b6f</id> <name>Input</name> 
@@ -7829,54 +7637,10 @@ <outputPort> <id>bbc63756-9681-13b9-8c07-20c82f62ceca</id> <name>Output</name> - <position x="376.0" y="1048.0" /> + <position x="408.0" y="920.0" /> <comments /> <scheduledState>RUNNING</scheduledState> </outputPort> - <funnel> - <id>756f7444-0176-1000-0000-00007e35cecc</id> - <position x="1648.466280349272" y="602.7973494129587" /> - </funnel> - <connection> - <id>7569c58e-0176-1000-ffff-ffff917ad2c3</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>1224352d-d1d1-10e8-b669-faf8022a7a5b</sourceId> - <sourceGroupId>7263390f-914c-1f6e-9451-75f908ed8816</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>75699f60-0176-1000-0000-000064aed2e3</destinationId> - <destinationGroupId>7263390f-914c-1f6e-9451-75f908ed8816</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>success</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> - <connection> - <id>7572fc65-0176-1000-0000-000049bf5d64</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>c2133480-cab5-13e3-a30c-44afba300fe9</sourceId> - <sourceGroupId>7263390f-914c-1f6e-9451-75f908ed8816</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>295133bd-42e6-1b08-80c5-bea2e19921fc</destinationId> - <destinationGroupId>7263390f-914c-1f6e-9451-75f908ed8816</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>success</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - 
<partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> <connection> <id>15e0341e-6dd3-172a-b2b5-8f1d5740fea1</id> <name /> @@ -7886,7 +7650,7 @@ <sourceId>39ce3238-1ebd-1c2c-b724-01d18f147b6f</sourceId> <sourceGroupId>7263390f-914c-1f6e-9451-75f908ed8816</sourceGroupId> <sourceType>INPUT_PORT</sourceType> - <destinationId>1224352d-d1d1-10e8-b669-faf8022a7a5b</destinationId> + <destinationId>295133bd-42e6-1b08-80c5-bea2e19921fc</destinationId> <destinationGroupId>7263390f-914c-1f6e-9451-75f908ed8816</destinationGroupId> <destinationType>PROCESSOR</destinationType> <relationship /> @@ -7897,26 +7661,6 @@ <partitioningAttribute /> <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> - <connection> - <id>756f21d7-0176-1000-0000-00005f72243e</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>75699f60-0176-1000-0000-000064aed2e3</sourceId> - <sourceGroupId>7263390f-914c-1f6e-9451-75f908ed8816</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>7570be71-0176-1000-0000-000062deefd2</destinationId> - <destinationGroupId>7263390f-914c-1f6e-9451-75f908ed8816</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>success</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> <connection> <id>af99379e-bf26-19c5-bd70-bd6d405fb0b7</id> <name /> 
@@ -7937,26 +7681,6 @@ <partitioningAttribute /> <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> </connection> - <connection> - <id>7572deb6-0176-1000-ffff-ffffadef21f8</id> - <name /> - <bendPoints /> - <labelIndex>1</labelIndex> - <zIndex>0</zIndex> - <sourceId>7570be71-0176-1000-0000-000062deefd2</sourceId> - <sourceGroupId>7263390f-914c-1f6e-9451-75f908ed8816</sourceGroupId> - <sourceType>PROCESSOR</sourceType> - <destinationId>c2133480-cab5-13e3-a30c-44afba300fe9</destinationId> - <destinationGroupId>7263390f-914c-1f6e-9451-75f908ed8816</destinationGroupId> - <destinationType>PROCESSOR</destinationType> - <relationship>success</relationship> - <maxWorkQueueSize>10000</maxWorkQueueSize> - <maxWorkQueueDataSize>1 GB</maxWorkQueueDataSize> - <flowFileExpiration>0 sec</flowFileExpiration> - <loadBalanceStrategy>DO_NOT_LOAD_BALANCE</loadBalanceStrategy> - <partitioningAttribute /> - <loadBalanceCompression>DO_NOT_COMPRESS</loadBalanceCompression> - </connection> </processGroup> <processGroup> <id>f88732b0-d93f-1f6e-ba01-40b41ea20fe3</id> @@ -8358,14 +8082,14 @@ <comments /> <scheduledState>RUNNING</scheduledState> </outputPort> - <funnel> - <id>06521038-335b-3139-839d-ab43a013ce03</id> - <position x="-1557.869726298236" y="758.8984861527665" /> - </funnel> <funnel> <id>c8c0a13d-0170-1000-ffff-ffff874141fa</id> <position x="248.5321508445502" y="703.4412774751572" /> </funnel> + <funnel> + <id>06521038-335b-3139-839d-ab43a013ce03</id> + <position x="-1557.869726298236" y="758.8984861527665" /> + </funnel> <connection> <id>3c739604-b69c-3e86-ba4c-a4739078837c</id> <name /> @@ -9856,7 +9580,7 @@ </property> <property> <name>Password</name> - <value>enc{7b058219496226c432334bb2328fd6ac2e18b4a882f6f4cf620b3247dee61c302fe4f23f7f176a6ccab993575feaf57a}</value> + <value>enc{c03f976a42d5917087e1c446fb6820f1c4fb8502ea2e946fd458c60b039ace3a5361abddad1c37049987c3ef5a9f1a72}</value> </property> <property> <name>elasticsearch-http-connect-timeout</name> 
@@ -12594,7 +12318,7 @@ </property> <property> <name>Truststore Password</name> - <value>enc{d29783c1ee73a853528fcca52cc3290be47bee59e798ef217823358940cc450f}</value> + <value>enc{9d89bece21ad1ada6980d4d66e01948edea69bf4ca660094d01b6b80ec1d4d7b}</value> </property> <property> <name>Truststore Type</name> @@ -13012,7 +12736,7 @@ </property> <property> <name>Truststore Password</name> - <value>enc{0942bb00127810c864d39e9d08a35d84e4f192ccc3f20fb8f99fe898d8fbb620}</value> + <value>{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}</value> </property> <property> <name>Truststore Type</name> @@ -13191,7 +12915,7 @@ <variable name="elastic_username" value="{{ elastic_username }}" /> <variable name="misp_url" value="{{ misp_url }}" /> <variable name="elastic_url" value="https://{{ soctoolsproxy }}:9200" /> - <variable name="elastic_password" value="{{ odfees_adminpass }}" /> + <variable name="elastic_password" value="{{lookup('password', '{{playbook_dir}}/secrets/passwords/odfees_adminpass')}}" /> </rootGroup> <controllerServices /> <reportingTasks /> diff --git a/roles/nifi/templates/nifi.properties.j2 b/roles/nifi/templates/nifi.properties.j2 index 188f234fb5ac788f5e89c0f5fc42251fe100b771..7a1137c86419db6dc8e74262adb4b15e23d44360 100644 --- a/roles/nifi/templates/nifi.properties.j2 +++ b/roles/nifi/templates/nifi.properties.j2 
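Review bot: The two `Truststore Password` properties in this file now diverge: hunk `@@ -13012` replaces the value with `{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}`, while hunk `@@ -12594` (and the `Password` property at `@@ -9856`) keeps an `enc{...}` ciphertext. An `enc{}` value only decrypts under the `nifi.sensitive.props.key` it was produced with and cannot follow a truststore password that is now generated per deployment, so the controller service at `@@ -12594` will presumably fail to open `cacerts.jks` on any install where that key or the generated password differs. Either route both through the same lookup (utils/flow2template.py currently rewrites only the `Soctools CA` service) or add a comment explaining why the second service is intentionally left encrypted.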
@@ -154,11 +154,11 @@ nifi.sensitive.props.additional.keys= nifi.security.keystore=./conf/{{ inventory_hostname }}.p12 nifi.security.keystoreType=pkcs12 -nifi.security.keystorePasswd={{ kspass}} +nifi.security.keystorePasswd={{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}} #nifi.security.keyPasswd=IP7Jgn7amiAYi3LRSRk5LGg3t4zlfh0kEKcAaaoxHDo nifi.security.truststore=./conf/cacerts.jks nifi.security.truststoreType=jks -nifi.security.truststorePasswd={{ tspass}} +nifi.security.truststorePasswd={{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} nifi.security.user.authorizer=managed-authorizer nifi.security.user.login.identity.provider= nifi.security.ocsp.responder.url= diff --git a/roles/odfees/tasks/main.yml b/roles/odfees/tasks/main.yml index f66bd067ca63aeb4cc68ee3efde50275edc76ae6..e0589265dfb6a931d0d78f46f79ec7876711ffb5 100644 --- a/roles/odfees/tasks/main.yml +++ b/roles/odfees/tasks/main.yml @@ -3,7 +3,7 @@ - name: Copy cacert to ca-trust dir remote_user: root copy: - src: "files/{{ca_cn}}.crt" + src: "{{playbook_dir}}/secrets/CA/ca.crt" dest: /etc/pki/ca-trust/source/anchors/ca.crt tags: - start @@ -18,12 +18,12 @@ remote_user: elasticsearch copy: src: "{{ item }}" - dest: "config/{{ item }}" + dest: "config/" mode: 0600 with_items: - - "{{ inventory_hostname }}.p12" - - cacerts.jks - - "{{soctools_users[0].CN}}.p12" + - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12" + - "{{playbook_dir}}/secrets/CA/cacerts.jks" + - "{{playbook_dir}}/secrets/CA/private/{{soctools_users[0].CN}}.p12" tags: - start @@ -55,7 +55,7 @@ - name: Change password for admin remote_user: elasticsearch - command: "bash plugins/opendistro_security/tools/hash.sh -p {{odfees_adminpass}}" + command: "bash plugins/opendistro_security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/odfees_adminpass')}}" register: adminhash # when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname" tags: 
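Review bot: The context line `#nifi.security.keyPasswd=IP7Jgn7amiAYi3LRSRk5LGg3t4zlfh0kEKcAaaoxHDo` between the two changed lines of nifi.properties.j2 still carries a literal value in the template; since this commit's purpose is moving secrets out of the repository into `secrets/`, that leftover should go too, e.g. `#nifi.security.keyPasswd=` or deleted outright. Whether the value was ever live cannot be determined from this diff; if it was, treat it as exposed and rotate it.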
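Review bot: `command: "bash plugins/opendistro_security/tools/hash.sh -p {{lookup('password', ...)}}"` in roles/odfees/tasks/main.yml passes the admin password as a command-line argument, so it appears in Ansible's task output and logs and in the container's process list while `hash.sh` runs; the cortex hash at `@@ -70` and the `securityadmin.sh` call at `@@ -118` have the same exposure. The previous `{{odfees_adminpass}}` form had it too, so this is a pre-existing gap, but this commit is the natural moment to add `no_log: true` to all three tasks. Checking whether `hash.sh` can take the password from stdin or an environment variable would remove the process-list exposure as well.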
@@ -70,7 +70,7 @@ - name: Change password for cortex remote_user: elasticsearch - command: "bash plugins/opendistro_security/tools/hash.sh -p {{cortex_odfe_pass}}" + command: "bash plugins/opendistro_security/tools/hash.sh -p {{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_odfe')}}" register: cortexhash # when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname" tags: @@ -118,7 +118,7 @@ - name: Configure OpenDistro security remote_user: elasticsearch - command: "bash ./plugins/opendistro_security/tools/securityadmin.sh -h {{groups['odfeescontainers'][0]}} -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -ks '/usr/share/elasticsearch/config/{{soctools_users[0].CN}}.p12' -kspass {{soctools_users[0].password}} -ts /usr/share/elasticsearch/config/cacerts.jks -tspass {{tspass}} -cn soctools-cluster" + command: "bash ./plugins/opendistro_security/tools/securityadmin.sh -h {{groups['odfeescontainers'][0]}} -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -ks '/usr/share/elasticsearch/config/{{soctools_users[0].CN}}.p12' -kspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} {{lookup('password','{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} -ts /usr/share/elasticsearch/config/cacerts.jks -tspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} -cn soctools-cluster" when: "'{{groups['odfeescontainers'][0]}}' in inventory_hostname" tags: - start diff --git a/roles/odfees/templates/config/elasticsearch.yml.j2 b/roles/odfees/templates/config/elasticsearch.yml.j2 index 298388859563c8e7df385c5f2ccb9fccb011a648..5cae9eb487b720020c25d429973def12d01f840f 100644 --- a/roles/odfees/templates/config/elasticsearch.yml.j2 +++ b/roles/odfees/templates/config/elasticsearch.yml.j2 
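Review bot: The new `securityadmin.sh` command in hunk `@@ -118` contains the `{{lookup('password','{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}}` token twice in a row after `-kspass`, so the rendered command carries the keystore password once as the `-kspass` value and once more as a stray positional argument; this looks like a paste error, and the second occurrence should be removed so the fragment reads `-kspass {{lookup('password', '{{playbook_dir}}/secrets/passwords/{{soctools_users[0].CN}}')}} -ts /usr/share/elasticsearch/config/cacerts.jks`. Whether securityadmin.sh rejects or silently ignores the extra argument is not visible here. The task also needs `no_log: true`, since the keystore and truststore passwords are otherwise printed in the task output.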
@@ -30,11 +30,11 @@ cluster.initial_master_nodes: opendistro_security.ssl.transport.keystore_type: pkcs12 opendistro_security.ssl.transport.keystore_filepath: {{ inventory_hostname }}.p12 -opendistro_security.ssl.transport.keystore_password: {{ kspass }} +opendistro_security.ssl.transport.keystore_password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}} #opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem opendistro_security.ssl.transport.truststore_type: jks opendistro_security.ssl.transport.truststore_filepath: cacerts.jks -opendistro_security.ssl.transport.truststore_password: {{ tspass }} +opendistro_security.ssl.transport.truststore_password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} opendistro_security.ssl.transport.enforce_hostname_verification: false opendistro_security.ssl.http.enabled: true @@ -42,10 +42,10 @@ opendistro_security.ssl.http.enabled: true # opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem opendistro_security.ssl.http.keystore_type: pkcs12 opendistro_security.ssl.http.keystore_filepath: {{ inventory_hostname }}.p12 -opendistro_security.ssl.http.keystore_password: {{ kspass }} +opendistro_security.ssl.http.keystore_password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}} opendistro_security.ssl.http.truststore_type: jks opendistro_security.ssl.http.truststore_filepath: cacerts.jks -opendistro_security.ssl.http.truststore_password: {{ tspass }} +opendistro_security.ssl.http.truststore_password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} #opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem #opendistro_security.ssl.http.clientauth_mode: optional opendistro_security.allow_unsafe_democertificates: false diff --git a/roles/odfekibana/tasks/main.yml b/roles/odfekibana/tasks/main.yml index 9ce8bbcbc49c23c0b4066246b9220ad85edcf222..2ff94161ae43e6bd3a7e7ccaee3cbe1098995eff 100644 
--- a/roles/odfekibana/tasks/main.yml +++ b/roles/odfekibana/tasks/main.yml @@ -11,7 +11,7 @@ - name: Copy cacert to ca-trust dir remote_user: root copy: - src: "files/{{ca_cn}}.crt" + src: "{{playbook_dir}}/secrets/CA/ca.crt" dest: /etc/pki/ca-trust/source/anchors/ca.crt tags: - start @@ -26,22 +26,22 @@ remote_user: kibana copy: src: "{{ item }}" - dest: "config/{{ item }}" + dest: "config/" mode: 0600 with_items: - - "{{ inventory_hostname }}.p12" - - "{{ inventory_hostname }}.crt" - - "{{ inventory_hostname }}.key" - - cacerts.jks - - "{{ca_cn}}.crt" - - "{{soctools_users[0].CN}}.p12" + - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12" + - "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt" + - "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key" + - "{{playbook_dir}}/secrets/CA/cacerts.jks" + - "{{playbook_dir}}/secrets/CA/ca.crt" + - "{{playbook_dir}}/secrets/CA/private/{{soctools_users[0].CN}}.p12" tags: - start - name: Get openid authkey remote_user: kibana set_fact: - kibanasecret: "{{lookup('file', 'files/kibanasecret',convert_data=False) | from_json }}" + kibanasecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/kibanasecret',convert_data=False) | from_json }}" tags: - start @@ -158,7 +158,7 @@ remote_user: kibana shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/saved_objects/_import?overwrite=true" \ -b /tmp/cookie.txt -c /tmp/cookie.txt \ - -k --user admin:{{ odfees_adminpass }} \ + -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/odfees_adminpass")}} \ -H "kbn-xsrf: reporting" -H "Content-Type: multipart/form-data" \ -F "file=@/tmp/kibana_graphs.ndjson"' tags: 
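Review bot: The `shell:` task at `@@ -158` still embeds the admin password in the command line via `--user admin:{{lookup("password", ...)}}`, where it shows up in Ansible output and in the container's process list; the role-mapping call at `@@ -176` in this file does the same. Add `no_log: true` to both tasks, or supply the credential through a `--netrc-file` rendered with `mode: 0600` instead of on the command line. Also, now that the first hunk in this file installs `ca.crt` into the trust anchors, the `-k` flag is presumably no longer needed; verifying the proxy's certificate instead is worth trying before keeping it.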
@@ -176,7 +176,7 @@ remote_user: kibana shell: 'curl -X "POST" "https://{{soctoolsproxy}}:5601/api/v1/configuration/rolesmapping/all_access" \ -b /tmp/cookie.txt -c /tmp/cookie.txt \ - -k --user admin:{{ odfees_adminpass }} \ + -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/odfees_adminpass")}} \ -H "kbn-xsrf: reporting" -H "Content-Type: application/json" \ -d @/tmp/role.json' tags: diff --git a/roles/odfekibana/templates/kibana.yml.j2 b/roles/odfekibana/templates/kibana.yml.j2 index a94de652aa8cd0ef0a6b5501e22ba9fa91c0d41a..aa445d73ab310cf78af7d68a2a41b6133b4adfb8 100644 --- a/roles/odfekibana/templates/kibana.yml.j2 +++ b/roles/odfekibana/templates/kibana.yml.j2 @@ -42,7 +42,7 @@ opendistro_security.auth.type: "openid" opendistro_security.openid.connect_url: "https://{{soctoolsproxy}}:12443/auth/realms/{{openid_realm}}/.well-known/openid-configuration" opendistro_security.openid.client_id: "soctools-kibana" opendistro_security.openid.client_secret: "{{kibanasecret.value}}" -opendistro_security.openid.root_ca: "/usr/share/kibana/config/{{ca_cn}}.crt" +opendistro_security.openid.root_ca: "/usr/share/kibana/config/ca.crt" opendistro_security.openid.base_redirect_url: "https://{{soctoolsproxy}}:5601" opendistro_security.cookie.secure: true @@ -52,7 +52,7 @@ server.ssl.enabled: true server.ssl.key: /usr/share/kibana/config/{{inventory_hostname}}.key server.ssl.certificate: /usr/share/kibana/config/{{inventory_hostname}}.crt #server.ssl.keystore.path: /usr/share/kibana/config/{{inventory_hostname}}.p12 -#server.ssl.keystore.password: {{kspass}} +#server.ssl.keystore.password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}} #server.ssl.certificateAuthorities: #server.ssl.truststore.path: jks (p12?) #server.ssl.truststore.password: diff --git a/utils/flow2template.py b/utils/flow2template.py index e00930a0049675d9b2723d2b68fd7029b4d2173c..4fafbdae8bc48b482588504bf3d509ccacc83a8a 100755 --- a/utils/flow2template.py 
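Review bot: In kibana.yml.j2 the changed line `#server.ssl.keystore.password: {{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}` is a YAML comment but not a Jinja comment, so the lookup is still evaluated on every render: the plaintext keystore password ends up in the rendered kibana.yml as a comment, and the lookup's create-if-missing behaviour can produce `secrets/passwords/keystore` as a side effect. Either delete the line or wrap it as `{# server.ssl.keystore.password: ... #}` so it leaves no trace in the output. The commented-out lookups in roles/mysql/tasks/secure.yml and main.yml are harmless only because those are task files, whose YAML comments are stripped before any templating.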
+++ b/utils/flow2template.py @@ -23,7 +23,10 @@ for v in et.findall(".//variable"): elif a['name']=="elastic_username": a['value']="{{ elastic_username }}" elif a['name']=="elastic_password": - a['value']="{{ odfees_adminpass }}" + a['value']="{{lookup('password', '{{playbook_dir}}/secrets/passwords/odfees_adminpass')}}" + +for v in et.findall(".//controllerService[name='Soctools CA']/property[name='Truststore Password']/value"): + v.text="{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}" et.write(args.templatefile)