Ansible Script 추가

2023-12-19 13:36:16 +09:00
parent 0273450ff6
commit 05cb8d9269
2610 changed files with 281893 additions and 0 deletions
--- a/ansible/01_old/roles/connect-settings/tasks/00_host_setting.yml
+++ b/ansible/01_old/roles/connect-settings/tasks/00_host_setting.yml
@@ -0,0 +1,142 @@
+- name: "Create dev2 group"
+  ansible.builtin.group:
+    name: "dev2"
+    state: present
+  when:
+    - add_rule == True
+
+- name: Ensure user dev2-iac exists
+  user:
+    name: "{{ item }}"
+    create_home: yes
+    home: "/home/{{ item }}"
+    group: dev2
+    shell: /bin/bash
+  with_items:
+    - dev2-iac
+    - dev2
+  when:
+    - add_rule == True
+
+- name: "Ensure .ssh directory exists for dev2-iac"
+  file:
+    path: /home/dev2-iac/.ssh
+    state: directory
+    owner: dev2-iac
+    group: dev2
+    mode: '0700'
+  when:
+    - add_rule == True
+
+- name: "Add authorized key for dev2-iac"
+  authorized_key:
+    user: dev2-iac
+    key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCsiN0I8B3UmB1mVBxVpvrSF5j0vrwUggngVrlplW8iJLllSBwarHzmSpMWv3eQtb9QQ/HKyOsS3j6UkbQK2aJ6jGeK2pQUkbb6KdMc9OrS/ILWysritcBJ3rUuITwOMvekQHtq+yKshap3uw/8ZEiM1Xn0MxVGhpAZsWbotf9n6ntmsMDXkRSQnYU5T2y4hkWlYImPkIasmbDFVkxi0Wz7I7pUX4hG3l6NJegXWO6n4OcpXxm26oZUtmpqrNRipUIUglM5xp4+YlQhu3FIa/aEZ+fuE9xnSZ8gCYnmPKwJ7AKKkEUruSTA3vhBnlh5rFYgSg5NkVte2RjdPg1SYZCTUXVwE9bbIzeGiXJ9vSe1/bhacpLeLgg48H6SSVInoCmen6W4Oo4/QlekXMBCuxfRwH2pO2K84gEKAAD0hUHBEf0Eh4rIi3K2oUdDCnMv5CD3lqiBn49hFB+bBdk+kxFNNx9iSDciFc91lIjz2IW8FO//+iLO7DEBZMrz/B8bJQ0="
+  when:
+    - add_rule == True
+
+- name: "Add authorized key for dev2"
+  authorized_key:
+    user: dev2
+    key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDUAppqxDLltrMsYMwIxGi0FA5STA/R+H6oy7myfiJP2Lt4woCogMi3ELVKEhFkeJx4i8y9G80lynEYCHRH1kAQ/7YaJEVFrPXTvBw+OVxYdVS/gLl0rL89ky+n0dv6A9mancrvUOMacI5aN7/W+EhoLohRjRbWlsPGNnvAmO0AZnt595aMUjFkdhusGyBVunDUFSitj9TFkjxDhr6cx8Bi0FLpvdsoAvfqiw/MVKW2pMgj56AT5UCT0wvtSHSNY/C731jP/RKrxP0fnVhIkVys/XmLV/6SVEqL1XwqMTvRfi5+Q8cPsXrnPuUFHiNN4e/MGJkYi0lg7XbX8jDXv3ybdxZ7lGiUDebxjTKBCCghFae3eAwpJADEDfrzb8DHJZFwJVVdKGXvStTWTibcs14ilRPcB4SWIBx/cFCzwOBK/iw8CfEfsbVe6WQbDc4T4LrgL8cUzHPOO8CQcC4DV/O3BuoqQExu6xTmU8rhLT9kgatIdX0K5jgGbuqz7c2lelU="
+  when:
+    - add_rule == True
+
+- name: "sudoers_users file"
+  file: 
+    path: /etc/sudoers.d/sudoers_users
+    state: touch
+  when:
+    - add_rule == True
+
+- name: "Allow user to sudo"
+  lineinfile:
+    path: /etc/sudoers.d/sudoers_users
+    line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"
+    state: present
+  with_items:
+    - dev2-iac
+    - dev2
+  when:
+    - add_rule == True
+
+# - name: Check if rule exists
+#   command: iptables -D INPUT 7
+#   loop: "{{ range(0, 9) }}"
+#   ignore_errors: yes
+#   when:
+#     - delete_rule == True
+
+# - name: Check if rule exists
+#   command: iptables -C INPUT -s {{ item.source }} -j {{ item.target }}
+#   register: rule_check
+#   ignore_errors: yes
+#   changed_when: false
+#   with_items: "{{ iptables_rules }}"
+#   when:
+#     - add_rule == True
+
+# - name: Add rule if it doesn't exist
+#   command: iptables -A INPUT -s {{ item.item.source }} -j {{ item.item.target }}
+#   with_items: "{{ rule_check.results }}"
+#   when: 
+#     - item.rc == 1
+#     - add_rule == True
+
+- name: "selinux permissive"
+  command: "setenforce 0"
+  ignore_errors: yes
+  when:
+  - ansible_facts.os_family == "RedHat"
+
+- name: "firewalld stop"
+  systemd:
+    name: firewalld
+    state: stopped
+    enabled: false
+  ignore_errors: yes
+  when:
+  - ansible_facts.os_family == "RedHat"
+
+- name: Configure ssh root login to {{sshrootlogin}}
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#)?PermitRootLogin.*'
+    line: 'PermitRootLogin {{sshrootlogin}}'
+    insertbefore: '^Match.*'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd
+
+- name: Remove existing Port lines
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^Port'
+    state: absent
+
+- name: SSH Listen on Main Port
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    insertbefore: '^#*AddressFamily'
+    line: 'Port {{sshmainport}}'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd
+
+- name: "Create sshd_config.d directory"
+  ansible.builtin.file:
+    path: "/etc/ssh/sshd_config.d/"
+    state: directory
+    recurse: yes
+    owner: root
+    group: root
+
+- name: "Setting sshd allow users"
+  template:
+    src: allow_users.j2
+    dest: "/etc/ssh/sshd_config.d/allow_users.conf"
+  notify: restart sshd
--- a/ansible/01_old/roles/connect-settings/tasks/01_get_password.yml
+++ b/ansible/01_old/roles/connect-settings/tasks/01_get_password.yml
@@ -0,0 +1,36 @@
+---
+- name: get password
+  command: "{{ role_path }}/files/gen_password {{ encrypt }}"
+  register: user_password
+  delegate_to: 127.0.0.1
+  when: manual_password is not defined
+
+- name: get admin password
+  command: "{{ role_path }}/files/gen_password {{ encrypt }}"
+  register: admin_password
+  delegate_to: 127.0.0.1
+  when: manual_password is not defined
+
+- name: set fact user password
+  block:
+    - set_fact:
+        user_password: "{{ user_password.stdout }}"
+  rescue:
+    - set_fact:
+        user_password: "{{ manual_password }}"
+  always:
+    - debug:
+        msg: "{{ username }} : {{ user_password }}"
+      when: debug_mode == True
+
+- name: set fact admin password
+  block:
+    - set_fact:
+        admin_password: "{{ admin_password.stdout }}"
+  rescue:
+    - set_fact:
+        admin_password: "{{ manual_password }}"
+  always:
+    - debug:
+        msg: "{{ adminuser }} : {{ admin_password }}"
+      when: debug_mode == True
--- a/ansible/01_old/roles/connect-settings/tasks/02_change_password.yml
+++ b/ansible/01_old/roles/connect-settings/tasks/02_change_password.yml
@@ -0,0 +1,21 @@
+---
+- include_tasks: 99_decrypt_password.yml
+  when: 
+  - encrypt == 1
+  - manual_password is not defined
+
+- name: user password change
+  user:
+    name: "{{ item }}"
+    password: "{{ user_password | password_hash('sha512') }}"
+    state: present
+  with_items:
+    - "{{ username }}"
+
+- name: admin password change
+  user:
+    name: "{{ item }}"
+    password: "{{ admin_password | password_hash('sha512') }}"
+    state: present
+  with_items:
+  - "{{ adminuser }}"
--- a/ansible/01_old/roles/connect-settings/tasks/03_vault.yml
+++ b/ansible/01_old/roles/connect-settings/tasks/03_vault.yml
@@ -0,0 +1,21 @@
+---
+- name: Check if ansible_port is defined
+  set_fact:
+    ansible_port: "{{ ansible_port | default(22) }}"
+
+- debug:
+    msg: "{{ ansible_distribution }} {{ ansible_hostname }} {{ ansible_default_ipv4.address }} {{ ansible_port }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
+  when: debug_mode == True
+
+- name: put vault
+  command: "{{ role_path }}/files/vault_put {{ ansible_default_ipv4.address }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
+  delegate_to: 127.0.0.1
+
+- name: get vault
+  command: "{{ role_path }}/files/vault_get {{ ansible_default_ipv4.address }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
+  register: get_vault
+  delegate_to: 127.0.0.1
+
+- debug:
+    msg: "{{get_vault.stdout_lines}}"
+  when: debug_mode == True
--- a/ansible/01_old/roles/connect-settings/tasks/04_excel_export.yml
+++ b/ansible/01_old/roles/connect-settings/tasks/04_excel_export.yml
@@ -0,0 +1,19 @@
+---
+- name: Redirect output to local file
+  delegate_to: localhost
+  copy:
+    content: "[{{ ansible_date_time.date }} {{ ansible_date_time.hour }}:{{ ansible_date_time.minute }}:{{ ansible_date_time.second }}]"
+    dest: "/tmp/host_list"
+    mode: '0666'
+    backup: yes
+
+- name: Append output to local file
+  delegate_to: localhost
+  lineinfile:
+    path: "/tmp/host_list"
+    line: "{{ ansible_distribution }} {{ ansible_hostname }} {{ ansible_default_ipv4.address }} {{ sshmainport }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
+    create: yes
+
+- name: excel export
+  command: "{{ role_path }}/files/custom_excel"
+  delegate_to: 127.0.0.1
--- a/ansible/01_old/roles/connect-settings/tasks/99_decrypt_password.yml
+++ b/ansible/01_old/roles/connect-settings/tasks/99_decrypt_password.yml
@@ -0,0 +1,27 @@
+---
+- name: user_password decrypt
+  command: "{{ role_path }}/files/decrypt_password {{ user_password }}"
+  register: user_password
+  delegate_to: 127.0.0.1
+
+- name: admin_password decrypt
+  command: "{{ role_path }}/files/decrypt_password {{ admin_password }}"
+  register: admin_password
+  delegate_to: 127.0.0.1
+  when: 
+  - encrypt == 1
+  - manual_password is not defined
+
+- name: admin_password re fact
+  set_fact: 
+    admin_password: "{{ admin_password.stdout }}"
+  when: 
+  - encrypt == 1
+  - manual_password is not defined
+
+- name: user_password re fact
+  set_fact: 
+    user_password: "{{ user_password.stdout }}"
+  when: 
+  - encrypt == 1
+  - manual_password is not defined
--- a/ansible/01_old/roles/connect-settings/tasks/main.yml
+++ b/ansible/01_old/roles/connect-settings/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- include: 00_host_setting.yml
+  tags: host
+
+- include: 01_get_password.yml
+  tags: password
+
+- include: 02_change_password.yml
+  tags: change
+
+- include: 03_vault.yml
+  tags: vault
+
+- include: 04_excel_export.yml
+  tags: excel