Skip to content

kennethnyspi-edu/CIS_Ubuntu

Repository files navigation

Ansible Env Setup

Ansible Lint


Clone project

Clone this repo recursive, roles are included as submoduls:

$git clone --recursive https://github.com/MVladislav/ansible-env-setup.git

# load
$git submodule update --init --recursive
# update
$git submodule update --recursive --remote

Install dependencies on host

Install ansible on host to run the playbook:

# optional: openssh-sftp-server
$sudo apt install python3 python3-pip sshpass
$python3 -m pip install [--break-system-packages] ansible molecule molecule-plugins[docker] yamllint ansible-lint

# for use of "ansible-galaxy collection install"
$python3 -m pip install [--break-system-packages] -Iv "resolvelib<0.8.1"

Update ansible on host:

$python3 -m pip install [--break-system-packages] --upgrade ansible molecule molecule-plugins[docker] yamllint ansible-lint
$ansible-galaxy collection install --upgrade -r requirements.yml

Setup host

Copy the inventory template inventory/inventory-example.yml as inventory/inventory.yml:

$cp inventory/inventory-example.yml inventory/inventory.yml

Copy vars default playbooks/vars/default-example.yml as playbooks/vars/default.yml which holds the ssh-keys for setup in pre-tasks.yml defined by clients in inventory.yml:

clients are identified in playbooks/vars/default.yml by key with "{{ ansible_user }}-{{ ansible_host }}" inside inventory.yml you can define in ansible_ssh_private_key_file the related ssh-key

$cp playbooks/vars/default-example.yml playbooks/vars/default.yml

Update inventory/inventory.yml with your own configuration as you need. By default multiple playbooks are pre defined. Use and update them as you need.

Following are some main playbooks to install clients or servers:

  • base
    • playbook-sec-short.yml
  • clients
    • playbook-client.yml
    • playbook-client-vm.yml
    • playbook-client-dev.yml
    • playbook-client-pentest.yml
  • servers
    • playbook-server-minimal.yml
    • playbook-server-dev.yml
    • playbook-server-cluster.yml

Setup targets

-k => will use ssh with a password, as a fresh setup has no ssh-key installed if ssh-key is installed on target you not need to inclide -k

Example to run playbook-sec-short:

$ansible-playbook playbooks/playbook-sec-short.yml --ask-become-pass -k

# or with less output information
$ansible-playbook playbooks/playbook-sec-short.yml --ask-become-pass -k | grep -v "started TASK\|included: "

Flow for Security Playbook

Playbook Sec Short

Playbooks overview

In general following playbooks/roles/tasks are run by each client playbook with its specific configuration:

  • playbook-s-cis

    Harden the client by CIS rules

    • ansible-cis-ubuntu-2204
    • cis aide env extender
  • playbook-s-pre-install

    some pre installs and configs

    • pre-tasks
    • ansible-updater
    • community.general.ufw
    • ansible-ssh
    • ansible-netplan
    • playbook-s-pre-mailing
      • ansible-postfix
      • nullmailer
  • playbook-s-hardening

    some more general client hardenings

    • ansible-security
  • ansible-install-server

    install tools/service for server usage, which also useful for clients

  • ansible-install-client

    install tools/service for client usage

  • playbook-s-container
    • ansible-docker

      install docker with CIS harden

    • ansible-kubernetes

ansible-install-server

  • servers:
    • s1: default (TODO)
    • s2: minimal
    • s3: dev
    • s4: cluster
  • clients:
    • c1: default
    • c2: vm
    • c3: dev
    • c4: pentest
apps s1 s2 s3 s4 c1 c2 c3 c4
apt_base x x x x x x x
apt_exa
apt_eza x x x x x x x
apt_bat x x x x x x x
apt_ncdu
apt_auth_priv x x x x x
apt_cert x x x x x x x
apt_archive x x x x
apt_dev x x x x
apt_build x x
apt_libs x x
apt_php
apt_lua
apt_java_jre_headless x
apt_java_jdk
apt_java_ant
apt_java_maven
apt_java_gradle
apt_snap x x x x x
apt_qemu_guest_agent x x x x x
apt_rasp_pi_pkg
apt_vpn_resolvconf
apt_vpn_wireguard
apt_vpn_openvpn
apt_vpn_openconnect
apt_latex x x x
apt_pandoc x x x
apt_apt_john_the_ripper x
apt_nmap x x x
snap_john_the_ripper
snap_nmap x
snap_juju
snap_maas
snap_microk8s
snap_kubectl
snap_helm
snap_multipass
snap_btop x x x x x
snap_glow x x
snap_go
snap_httpie x
snap_node x
snap_ruby
snap_rust
snap_openjdk
snap_openjfx
inst_git_conf x x x x x x x
inst_fonts x x x x x x
inst_zsh_conf x x x x x x
inst_tmux_conf x x x x x
inst_nvim_conf x x x x x
apt_python x x x x x
apt_python_pip x x x x x
apt_python_venv x x x x x
apt_python_dev x x x x
pip_s_tui x x x x x
pip_virtualenv
pip_autopep8 x x x x
pip_black x x x x
pip_mypy x x x x
pip_pre_commit x x x x
pip_openconnect_sso
pip_ansible x x x
go_kompose
go_act

ansible-install-client

services/tools default dev pentest vm
dev x x x x
fonts x x x x
gnome additional's x x x x
gnome dep.
gnome ext. x x x x
gnome ext. ubuntu tiling
gnome ext. caffeine
gnome ext. sound
gnome ext. blur shell x x x x
gnome ext. burn window
gnome ext. dash to panel x x x x
gnome ext. ui tune
gnome keybinding
gnome overlay x x x x
gnome terminal overlay x x x x
apps default vm dev pentest
base x x x x
auth_priv x x x x
ubuntu x x x x
archive x x x
codec
gnome
snap x x x x
flatpak x x x x
texmaker
logitech_unifying_solaar
mpv
vpn_resolvconf
vpn_l2tp
vpn_openvpn
vpn_openconnect
vpn_wireguard
gnome_boxes
virt_viewer x
veracrypt x x x x
veracrypt_cli
virtualbox
1password_cli
portmaster
parsec
brim x
logseq x x x
ultimaker x
1password
keepassxc
yubioath
chromium x x x
denaro
firefox x x x x
flameshot
foliate
libreoffice
newsflash
okular
onlyoffice x x x x
thunderbird x x
xournalpp
zoom
discord
jdownloader
signal x x
telegram x x
blender
darktable x
drawio x x x
gimp x x
inkscape x x x
krita
lunacy x
upscayl x x
amberol
haruna x x x x
obs
parabolic
video_trimmer
vlc
moosync
spotify x x
steam
android_studio x
beekeeper_studio x
code x x x
dbeaver x
insomnia x
postman
remmina x x x
rpi_imager
ghidra x
zaproxy x
mqtt_explorer x
UBports
fbreader
pixelfx
cryptomator x
flatseal x x x x
pika_backup
ausweisapp2
easy_effects x
extension_manager
filezilla
missioncenter
planify
warp x
threemaqt
conjure
peek
girens
lutris
arduinoide
betaflightconfigurator
fritzing
mongodb_compass
sublimetext
wireshark

About

No description, website, or topics provided.

Resources

License

Security policy

Stars

Watchers

Forks

Packages

No packages published