diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000000000000000000000000000000000000..3c81bb56f1091c1221c36e7b0b9d5c9a7548d68e
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "user-mgmt-ui"]
+ path = user-mgmt-ui
+ url = https://gitlab.geant.org/gn4-3-wp8-t3.1-soc/soctools-user-mgmt-ui.git
diff --git a/configure.sh b/configure.sh
new file mode 100755
index 0000000000000000000000000000000000000000..474618105ff68bf49353e075fb69a20faffa801f
--- /dev/null
+++ b/configure.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+set -e
+if [ -f group_vars/all/variables.yml ]; then
+ echo "Variables file (group_vars/all/variables.yml) is configure manually. please take a look if everything is correct and move to next step"
+ cat group_vars/all/variables.yml
+else
+ echo "set FQDN which will be used to access the soctools services. (the DNS record should already be in place.)"
+ read -p 'soctoolsproxy: ' soctoolsproxy
+ if [ -z $soctoolsproxy ]; then
+ echo "Error: Empty string for soctoolsproxy! exiting..."
+ exit 1
+ fi
+ echo
+ echo "Organization's top level domain (will be used as organization name and organization domain in different services)"
+ read -p 'domain: ' domain
+ if [ -z $domain ]; then
+ echo "Error: Empty string for domain! exiting..."
+ exit 1
+ fi
+ echo
+ echo
+ echo
+ echo "Please provide following parameters for first socctolls user which will be created during the initialization with organization admin privileges:"
+ echo "firstname - First name of the user"
+ echo "lastname - Last name of the user"
+ echo "username - Username of the user"
+ echo "DN - Distinguished Name of the user, for user certificate"
+ echo "CN - Common Name of the user, for user certificate"
+ echo "Email will be generated automatically in Username@Domain format becouse of format restrictions in some services"
+ sleep 10
+ for i in firstname lastname username; do
+ read -p "${i}: " $i
+ if [ -z $i ]; then
+ echo "Error: Empty string for ${i}! exiting..."
+ exit 1
+ fi
+ done
+ read -p "Enter CN for Certificate [${firstname}${lastname}]: " CN
+ CN=${CN:-${firstname}${lastname}}
+ DN=${CN}
+ echo
+ echo
+ echo
+ sleep 2
+ echo "Please check the gethered variables and type 'yes' if everything is correct: "
+ echo "soctoolsproxy: $soctoolsproxy"
+ echo "domain: $domain"
+ echo "firstname: $firstname"
+ echo "lastname: $lastname"
+ echo "username: $username"
+ echo "DN: $DN"
+ echo "CN: $CN"
+ echo
+ echo
+ sleep 10
+ read -p "Correct? 
type 'yes' or 'no': " ANSWER
+ if [ $ANSWER = "yes" ]; then
+ if ! [ -f group_vars/all/variables.template ]; then
+ echo "template file(group_vars/all/variables.template) does not exists! exiting ..."
+ exit 1
+ else
+ cp -f group_vars/all/variables.template group_vars/all/variables.yml
+ sed -i "s/CHANGE_ME_TO_FQDN/${soctoolsproxy}/g" group_vars/all/variables.yml
+ sed -i "s/soctools.test/${domain}/g" group_vars/all/variables.yml
+ sed -i "11s/soc_admin/${firstname}/" group_vars/all/variables.yml
+ sed -i "12s/SOC/${lastname}/" group_vars/all/variables.yml
+ sed -i "13s/soc_admin/${username}/" group_vars/all/variables.yml
+ sed -i "14s/soc_admin/${username}/" group_vars/all/variables.yml
+ sed -i "15s/SOC_Admin/${DN}/" group_vars/all/variables.yml
+ sed -i "16s/SOC_Admin/${CN}/" group_vars/all/variables.yml
+ sed -i "26s/soc_admin/${username}/" group_vars/all/variables.yml
+ echo
+ echo
+ echo "variables file generated (group_vars/all/variables.yml)"
+ sleep 2
+ echo "move to next command to deploy the soctools cluster."
+ echo 'Thank You!'
+ fi
+ else
+ echo "Exiting based of user input ..."
+ exit 0
+ fi
+fi
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 3405aa99a37f3b76bf074406b3f7a4419751f478..4886a323f4cd1ec80cb2c0644f7333442d370386 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -1,13 +1,12 @@
---
-soctoolsproxy: "CHANGE_ME_TO_FQDN"
-
maxmind_key: ""
docker_build_dir: "{{playbook_dir}}/build"
soctools_netname: "soctoolsnet"
soctools_network: "172.22.0.0/16"
+soctools_network_gw: "172.22.0.1"
repo: soctools
version: 7
@@ -15,6 +14,12 @@ suffix: a20201004
kibana_plugins_version: "v0.7"
+THEHIVE_KIBANA_USER:
+ username: "kibana"
+ name: "Kibana"
+ surname: "User"
+ roles: '["read", "write"]'
+
haproxy_name: "soctools-haproxy"
haproxy_version: "2.2"
haproxy_img: "{{repo}}/haproxy:{{version}}{{suffix}}"
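Review bot: The empty-value check inside the `for i in firstname lastname username` loop tests the loop variable's name rather than the value just read, so `[ -z $i ]` is never true and an empty first name, last name or username passes straight through to the sed substitutions; it should be `if [ -z "${!i}" ]; then`, and the `[ -z $soctoolsproxy ]`, `[ -z $domain ]` and `[ $ANSWER = "yes" ]` tests want their expansions quoted so a value containing spaces, or an empty ANSWER, is rejected instead of becoming a test syntax error. The entered values are also interpolated unescaped into the sed expressions, so a `/` or `&` in the domain, DN or CN (a multi-component DN, for instance) breaks the `s` command or corrupts the generated variables.yml. Escaping them first, e.g. `esc() { printf '%s' "$1" | sed 's/[\/&]/\\&/g'; }` and then `sed -i "s/CHANGE_ME_TO_FQDN/$(esc "$soctoolsproxy")/g" group_vars/all/variables.yml`, keeps user input from being parsed as sed syntax. The `11s`–`16s` and `26s` substitutions are tied to the exact line layout of group_vars/all/variables.template added in this same commit (lines 11-16 and 26 do match today), so any later edit to that template, including uncommenting the second user block, silently moves the replacements onto the wrong lines; matching on the placeholder text rather than on line numbers removes that coupling.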
diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml
deleted file mode 100644
index d4108e11b723c7bf5e75435888aed3d03525a23a..0000000000000000000000000000000000000000
--- a/group_vars/all/users.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-
-domain: "soctools.test"
-
-soctools_users:
- - firstname: "User1"
- lastname: "SOC"
- username: "user1"
- email: "user1@{{domain}}"
- DN: "CN=User1Soctools"
- CN: "User1Soctools"
- - firstname: "User2"
- lastname: "SOC"
- username: "user2"
- email: "user2@{{domain}}"
- DN: "CN=User2Soctools"
- CN: "User2Soctools"
-
-# Minimum one user is required
-ODFE_ADMIN_USERS:
- - user1
-
-THEHIVE_KIBANA_USER:
- username: "kibana"
- name: "Kibana"
- surname: "User"
- roles: '["read", "write"]'
-
-# Special account for user management GUI, configured as admin user in some of the tools
-USER_MGMT_ADMIN_USER:
- username: "soctools-user-mgmt"
- DN: "CN=soctools-user-mgmt"
- CN: "soctools-user-mgmt"
\ No newline at end of file
diff --git a/group_vars/all/variables.template b/group_vars/all/variables.template
new file mode 100644
index 0000000000000000000000000000000000000000..ed0178a7249d1afc7c1f64af3ab87c9c5b164a18
--- /dev/null
+++ b/group_vars/all/variables.template
@@ -0,0 +1,28 @@
+---
+
+# set FQDN which will be used to access the soctools services. (the DNS record should already be in place.)
+soctoolsproxy: "CHANGE_ME_TO_FQDN"
+
+# Organization's top level domain (will be used as organization name and organization domain in different services)
+domain: "soctools.test"
+
+#List of users which will be created during the initialization with organization admin privileges
+soctools_users:
+ - firstname: "soc_admin"
+ lastname: "SOC"
+ username: "soc_admin"
+ email: "soc_admin@{{domain}}"
+ DN: "CN=SOC_Admin"
+ CN: "SOC_Admin"
+# - firstname: "soc_admin_2"
+# lastname: "SOC"
+# username: "soc_admin_2"
+# email: "soc_admin_2@{{domain}}"
+# DN: "CN=SOC_Admin_2"
+# CN: "SOC_Admin_2"
+
+# list of users(username) from previous step which will recive admin roles in ODFE. (Minimum one user is required)
+ODFE_ADMIN_USERS:
+ - soc_admin
+# - soc_admin_2
+
diff --git a/roles/docker/tasks/haproxy.yml b/roles/docker/tasks/haproxy.yml
index 5fb181e93d2ca094431d4d7e7b5a1835d52c2533..4eca955c135b997404dd48027ccde47a76ad1bc2 100644
--- a/roles/docker/tasks/haproxy.yml
+++ b/roles/docker/tasks/haproxy.yml
@@ -10,6 +10,7 @@
networks_cli_compatible: yes
published_ports:
- "443:443"
+ - "5443:5443"
- "8888:8888"
- "8443:8443"
- "9443:9443"
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 86ee05bfc6fef364b734bea561560f412271ed36..3166247724fe2b6a0a23d58f0b38460e80ed5f76 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -86,6 +86,17 @@ listen cortexserv
server {{cortexhost}} {{cortexhost}}:9001 check verify none
{% endfor %}
+listen user-mgmt-ui
+ bind *:5443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
+ mode http
+ maxconn 5000
+ fullconn 5000
+ balance source
+ option tcpka
+ option forwardfor
+ option httplog
+ server soctools_server {{ soctools_network_gw }}:8050
+
{% for port in range(50, 60) %}
listen nifiservtcp77{{port}}
bind *:77{{port}}
diff --git a/roles/soctools-server/tasks/main.yml b/roles/soctools-server/tasks/main.yml
index 61507d66af74b30c48a6abd2a5a087467ce2cf9e..da0b59fa2d342f1b006ca592ae663b87be7be2a8 100644
--- a/roles/soctools-server/tasks/main.yml
+++ b/roles/soctools-server/tasks/main.yml
@@ -13,13 +13,36 @@
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
- name: Install required packages
yum:
- name: ["docker-ce","docker-ce-cli","containerd.io","python-pip","unzip","firewalld","python-docker-py"]
+ name: ["docker-ce","docker-ce-cli","containerd.io","python-pip","unzip","firewalld","python-docker-py","python36"]
state: latest
validate_certs: no
when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
- name: Install pip packages
pip:
name: ["pexpect==3.3"]
+
+- name: create venv for user-mgmt-ui
+ shell: 'python3 -m venv venv'
+ args:
+ chdir: '{{playbook_dir}}/user-mgmt-ui'
+ warn: no
+
+- name: install venv packages for user-mgmt-ui
+ shell: './venv/bin/python3 -m pip install -r requirements.txt'
+ args:
+ chdir: '{{playbook_dir}}/user-mgmt-ui'
+ warn: no
+
+- name: create systemd service file for user-mgmt-ui
+ template: src=user-mgmt-ui.service.j2 dest=/etc/systemd/system/user-mgmt-ui.service mode=644
+
+- name: enable and start user-mgmt-ui service
+ systemd:
+ state: restarted
+ daemon_reload: yes
+ name: user-mgmt-ui
+ enabled: yes
+
- name: Set sysctl parameters
sysctl:
name: "{{item.key}}"
diff --git a/roles/soctools-server/templates/user-mgmt-ui.service.j2 b/roles/soctools-server/templates/user-mgmt-ui.service.j2
new file mode 100644
index 0000000000000000000000000000000000000000..dde0c4ee833baa507fb60b2d4a7a0becbe395765
--- /dev/null
+++ b/roles/soctools-server/templates/user-mgmt-ui.service.j2
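Review bot: The two `shell` tasks that build the venv carry no `creates:` or `changed_when:` guard, so every play re-runs `python3 -m venv venv` and a network `pip install` and reports both as changed, and `state: restarted` on the service task likewise restarts the UI on every run rather than only when its files changed. The `pip:` module with `virtualenv:` and `virtualenv_command:` performs the venv creation and the requirements install idempotently and replaces both shell tasks. Whether the install is reproducible depends on what `requirements.txt` pins, which is not visible in this commit; pinning versions and hashes there (installing with `--require-hashes`) is what stops the host from pulling a different package set on each deployment.

```yaml
- name: install venv packages for user-mgmt-ui
  pip:
    requirements: '{{playbook_dir}}/user-mgmt-ui/requirements.txt'
    virtualenv: '{{playbook_dir}}/user-mgmt-ui/venv'
    virtualenv_command: 'python3 -m venv'

# … unchanged: systemd unit template task and service enable/restart task …
```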
@@ -0,0 +1,14 @@
+[Unit]
+Description=user-mgmt-ui service
+Requires=network.target
+After=syslog.target network.target
+
+[Service]
+Type=simple
+ExecStart={{playbook_dir}}/user-mgmt-ui/venv/bin/gunicorn --workers=2 --bind 0.0.0.0:8050 main:app
+User=root
+KillMode=process
+WorkingDirectory={{playbook_dir}}/user-mgmt-ui
+
+[Install]
+WantedBy=multi-user.target
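Review bot: `--bind 0.0.0.0:8050` makes the user-management UI listen as plain HTTP on every host interface, while HAProxy only reaches it through the TLS listener on 5443 (`server soctools_server {{ soctools_network_gw }}:8050` in haproxy.cfg.j2), so whether 8050 is reachable directly from outside depends solely on firewalld rules that this commit does not add. Binding to the address HAProxy actually uses, `--bind {{ soctools_network_gw }}:8050`, keeps the unencrypted backend off external interfaces. The unit also runs gunicorn as `User=root`; a dedicated unprivileged account in `User=` (with read access to the WorkingDirectory) limits what a defect in the web application can reach on the host. `KillMode=process` means `systemctl stop` signals only the gunicorn master and leaves its workers running; removing that line restores the default control-group behaviour.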