Ansible Script 추가

ansible/infra_setting/ansible.cfg

@@ -0,0 +1,10 @@
+[defaults]
+inventory	= inventory
+roles_path	= roles
+deprecation_warnings = False
+display_skipped_hosts = no
+ansible_home	= .
+stdout_callback = debug
+host_key_checking=False
+#private_key_file=/root/.ssh/dev2-iac
+#remote_tmp = /tmp/.ansible/tmp

ansible/infra_setting/infra-settings.yml

@@ -0,0 +1,19 @@
+---
+- hosts: all
+  become: true
+  roles:
+    - connect-settings
+      #    - teleport
+  vars:
+    username: dev2
+    adminuser: root
+    manual_password: saasadmin1234
+    sshmainport: 2222
+      #encrypt: 1
+      #debug_mode: True
+    teleport_uri: teleport.kr.datasaker.io
+    # remove: True
+    # custom_labels: 'user=havelight,company=exem'
+    #update: True
+    # install: True
+

ansible/infra_setting/inventory

@@ -0,0 +1,31 @@
+[all]
+10.10.43.195
+10.10.43.196
+10.10.43.197
+10.10.43.200
+10.10.43.201
+10.10.43.202
+10.10.43.203
+10.10.43.204
+10.10.43.205
+10.10.43.206
+10.10.43.207
+10.10.43.208
+10.10.43.210
+10.10.43.211
+10.10.43.212
+10.10.43.213
+10.10.43.214
+10.10.43.215
+10.10.43.216
+10.10.43.217
+10.10.43.218
+10.10.43.224
+10.10.43.225
+10.10.43.226
+10.10.43.227
+10.10.43.228
+10.10.43.230
+10.10.43.235
+10.10.43.236
+10.10.43.252

ansible/infra_setting/passwd_inventory

@@ -0,0 +1,76 @@
+[all]
+10.10.43.100 ansible_port=2222 ansible_user=dev2 
+10.10.43.101 ansible_port=2222 ansible_user=dev2
+10.10.43.105 ansible_port=2222 ansible_user=dev2
+10.10.43.106 ansible_port=2222 ansible_user=dev2
+10.10.43.111 ansible_port=2222 ansible_user=dev2
+10.10.43.112 ansible_port=2222 ansible_user=dev2
+10.10.43.113 ansible_port=2222 ansible_user=dev2
+10.10.43.114 ansible_port=2222 ansible_user=dev2
+10.10.43.115 ansible_port=2222 ansible_user=dev2
+10.10.43.116 ansible_port=2222 ansible_user=dev2
+10.10.43.117 ansible_port=2222 ansible_user=dev2
+10.10.43.118 ansible_port=2222 ansible_user=dev2
+10.10.43.119 ansible_port=2222 ansible_user=dev2
+10.10.43.120 ansible_port=2222 ansible_user=dev2
+10.10.43.121 ansible_port=2222 ansible_user=dev2
+10.10.43.122 ansible_port=2222 ansible_user=dev2
+10.10.43.123 ansible_port=2222 ansible_user=dev2
+10.10.43.124 ansible_port=2222 ansible_user=dev2
+10.10.43.125 ansible_port=2222 ansible_user=dev2
+10.10.43.126 ansible_port=2222 ansible_user=dev2
+10.10.43.127 ansible_port=2222 ansible_user=dev2
+10.10.43.128 ansible_port=2222 ansible_user=dev2
+10.10.43.129 ansible_port=2222 ansible_user=dev2
+10.10.43.130 ansible_port=2222 ansible_user=dev2
+10.10.43.131 ansible_port=2222 ansible_user=dev2
+10.10.43.132 ansible_port=2222 ansible_user=dev2
+10.10.43.133 ansible_port=2222 ansible_user=dev2
+10.10.43.134 ansible_port=2222 ansible_user=dev2
+10.10.43.135 ansible_port=2222 ansible_user=dev2
+10.10.43.136 ansible_port=2222 ansible_user=dev2
+10.10.43.137 ansible_port=2222 ansible_user=dev2
+10.10.43.138 ansible_port=2222 ansible_user=dev2
+10.10.43.139 ansible_port=2222 ansible_user=dev2
+10.10.43.140 ansible_port=2222 ansible_user=dev2
+10.10.43.141 ansible_port=2222 ansible_user=dev2
+10.10.43.142 ansible_port=2222 ansible_user=dev2
+10.10.43.143 ansible_port=2222 ansible_user=dev2
+10.10.43.144 ansible_port=2222 ansible_user=dev2
+10.10.43.145 ansible_port=2222 ansible_user=dev2
+10.10.43.146 ansible_port=2222 ansible_user=dev2
+10.10.43.147 ansible_port=2222 ansible_user=dev2
+10.10.43.148 ansible_port=2222 ansible_user=dev2
+10.10.43.151 ansible_port=2222 ansible_user=dev2
+10.10.43.152 ansible_port=2222 ansible_user=dev2
+10.10.43.153 ansible_port=2222 ansible_user=dev2
+10.10.43.164 ansible_port=2222 ansible_user=dev2
+10.10.43.165 ansible_port=2222 ansible_user=dev2
+10.10.43.166 ansible_port=2222 ansible_user=dev2
+10.10.43.167 ansible_port=2222 ansible_user=dev2
+10.10.43.168 ansible_port=2222 ansible_user=dev2
+10.10.43.169 ansible_port=2222 ansible_user=dev2
+10.10.43.171 ansible_port=2222 ansible_user=dev2
+10.10.43.172 ansible_port=2222 ansible_user=dev2
+10.10.43.173 ansible_port=2222 ansible_user=dev2
+10.10.43.174 ansible_port=2222 ansible_user=dev2
+10.10.43.175 ansible_port=2222 ansible_user=dev2
+10.10.43.176 ansible_port=2222 ansible_user=dev2
+10.10.43.177 ansible_port=2222 ansible_user=dev2
+10.10.43.178 ansible_port=2222 ansible_user=dev2
+10.10.43.179 ansible_port=2222 ansible_user=dev2
+10.10.43.180 ansible_port=2222 ansible_user=dev2
+10.10.43.181 ansible_port=2222 ansible_user=dev2
+10.10.43.182 ansible_port=2222 ansible_user=dev2
+10.10.43.185 ansible_port=2222 ansible_user=dev2
+10.10.43.186 ansible_port=2222 ansible_user=dev2
+10.10.43.187 ansible_port=2222 ansible_user=dev2
+10.10.43.188 ansible_port=2222 ansible_user=dev2
+10.10.43.189 ansible_port=2222 ansible_user=dev2
+10.10.43.190 ansible_port=2222 ansible_user=dev2
+10.10.43.191 ansible_port=2222 ansible_user=dev2
+10.10.43.192 ansible_port=2222 ansible_user=dev2
+10.10.43.193 ansible_port=2222 ansible_user=dev2
+10.10.43.194 ansible_port=2222 ansible_user=dev2
+10.10.43.199 ansible_port=2222 ansible_user=dev2
+

ansible/infra_setting/roles/connect-settings/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

ansible/infra_setting/roles/connect-settings/defaults/main.yml

@@ -0,0 +1,15 @@
+---
+# defaults file for password
+
+encrypt: 0 # strings 0 , encrypted 1
+debug_mode: False
+sshrootlogin: forced-commands-only
+sshmainport: 2222
+iptables_rules:
+  - { source: "10.10.45.0/24", target: "DROP" }
+  - { source: "10.10.47.0/24", target: "DROP" }
+  - { source: "10.10.48.0/24", target: "DROP" }
+  - { source: "10.10.50.0/24", target: "DROP" }
+  - { source: "10.10.37.0/24", target: "DROP" }
+delete_rule: False
+add_rule: True

ansible/infra_setting/roles/connect-settings/files/00_old/gen_password.py

@@ -0,0 +1,44 @@
+#!/usr/bin/python3
+
+import base64, random, string, os
+from Crypto.Cipher import AES
+from Crypto.Random import get_random_bytes
+from Crypto.Util.Padding import pad, unpad
+
+try:
+    encrypt_flag=True if os.sys.argv[1].lower()=='1' else False 
+except Exception as err:
+    encrypt_flag=False
+
+def generate_password(length=8, num_uppercase=1, num_lowercase=1, num_digits=1, num_sp_char=1):
+    sp_char = '!@#$'
+    all_chars = string.ascii_letters + string.digits + sp_char
+
+    password = [
+        *random.choices(string.ascii_uppercase, k=num_uppercase),
+        *random.choices(string.ascii_lowercase, k=num_lowercase),
+        *random.choices(string.digits, k=num_digits),
+        *random.choices(sp_char, k=num_sp_char)
+    ]
+
+    remaining_length = length - (num_uppercase + num_lowercase + num_digits + num_sp_char)
+    password += random.choices(all_chars, k=remaining_length)
+    
+    random.shuffle(password)
+    return ''.join(password)
+
+def encrypt(plain_text, key):
+    manual_iv = b'PhilinnovatorDEV'
+    cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv)
+    ct_bytes = cipher.encrypt(pad(plain_text.encode(), 16))
+    ct = base64.b64encode(ct_bytes).decode('utf-8')
+    return ct
+
+key = b'PhilinnovatorDEVPhilinnovatorDEV'
+plain_text = generate_password()
+
+if encrypt_flag: 
+    encrypted_text = encrypt(plain_text, key)
+    print(encrypted_text)
+else:
+    print(plain_text)

ansible/infra_setting/roles/connect-settings/files/00_old/vault_test.py

@@ -0,0 +1,11 @@
+import hvac
+
+str_url   = "http://10.10.43.98:31080"
+str_token = "hvs.CAESIMV6zCg-GpUP4pQgVA5f1ZXkgyJZrqOC6QDCegrpiAX9Gh4KHGh2cy5ORkpkc2ZyVUxYd09qUVFtQldRNDBjS3I"
+client = hvac.Client(url=str_url, token=str_token)
+
+str_mount_point = 'kv'
+str_secret_path = 'host1'
+read_secret_result = client.secrets.kv.v1.read_secret(mount_point=str_mount_point, path=str_secret_path)
+print(read_secret_result)
+

ansible/infra_setting/roles/connect-settings/files/custom_excel

@@ -0,0 +1,108 @@
+#!/usr/bin/python3
+#-*- coding: utf-8 -*-
+
+import os, sys, time, errno, socket, signal, psutil, random, logging.handlers, subprocess, paramiko, hvac
+from xlwt import Workbook, XFStyle, Borders, Font, Pattern
+from socket import error as SocketError
+
+process_time 	= time.strftime("%Y%m%d_%H%M", time.localtime())
+excel_file_name = '/mnt/e/excel/{}.xls'.format(process_time)
+
+def process_close(flag=True, result=''):
+    if flag:
+        print("[Success]")
+    else:
+        print("[Fail]:{}".format(result))
+
+    sys.exit(0)
+
+def set_header(sheet, header_list):
+    # 폰트 설정
+    font = Font()
+    font.bold = True
+
+    # 테두리 설정
+    borders = Borders()
+    borders.left = Borders.THIN
+    borders.right = Borders.THIN
+    borders.top = Borders.THIN
+    borders.bottom = Borders.THIN
+
+    # 배경색 설정
+    pattern = Pattern() 
+    pattern.pattern = Pattern.SOLID_PATTERN 
+    pattern.pattern_fore_colour = 22 # #E2EFDA는 xlwt에서 인덱스 22에 해당하는 색입니다.
+
+    hdrstyle = XFStyle()
+    hdrstyle.font = font
+    hdrstyle.borders = borders
+    hdrstyle.pattern = pattern
+
+    for idx, header in enumerate(header_list):
+        sheet.write(0, idx, header, hdrstyle)
+        sheet.col(idx).width = len(header) * 800
+
+def write_data(sheet, data_list):
+    datestyle = XFStyle()
+    datestyle.num_format_str = 'YYYY-MM-DD'
+
+    for row_num, data in enumerate(data_list, start=1):
+        for col_num, cell_data in enumerate(data):
+            if col_num == 7:
+                sheet.write(row_num, col_num, cell_data, datestyle)
+            elif col_num in [1, 4, 5]:
+                formatted_data = u'{}'.format(cell_data) if cell_data else ''
+                sheet.write(row_num, col_num, formatted_data)
+            else:
+                sheet.write(row_num, col_num, cell_data)
+
+def excel_write(header_list=[], data_list=[], filename='', sheetTitle=''):
+    workbook = Workbook(style_compression=2, encoding='utf-8')
+    sheet = workbook.add_sheet(sheetTitle)
+
+    set_header(sheet, header_list)
+    write_data(sheet, data_list)
+
+    sheet.panes_frozen = True
+    sheet.vert_split_pos = 0
+    sheet.horz_split_pos = 1
+    workbook.save(filename)
+
+def main():
+    header_list=['번호','호스트 유형','호스트명','호스트 IP','포트번호','프로토콜','인증방법','1차 로그인 계정명','1차 로그인 비밀번호','1차 로그인 계정명','2차 로그인 비밀번호','용도','비고']
+    data_list=[]
+
+    openfile=open('/tmp/host_list','r')
+    readfile=openfile.readlines()
+    openfile.close()
+    for idx, host_data in enumerate(readfile):
+        try:
+            if idx==0: continue
+            host_num=idx
+            hosttype=host_data.strip().split(' ')[0]
+            print(hosttype)
+            hostname=host_data.strip().split(' ')[1]
+            host_ips=host_data.strip().split(' ')[2]
+            port_num=int(host_data.strip().split(' ')[3])
+            protocol='SSH'
+            auth_con='Password'
+            username=host_data.strip().split(' ')[4]
+            first_pw=host_data.strip().split(' ')[5]
+            rootuser=host_data.strip().split(' ')[6]
+            secon_pw=host_data.strip().split(' ')[7]
+            descript='-'
+            remarks_='-'
+            data_list.append([host_num,hosttype,hostname,host_ips,port_num,protocol,auth_con,username,first_pw,rootuser,secon_pw,descript,remarks_,])
+        except:
+            continue
+
+    excel_write(header_list, data_list, excel_file_name, 'TEST')
+
+DEBUG=False
+try:
+	if os.sys.argv[1]: DEBUG=True
+except:
+	pass
+main()
+process_close()
+

ansible/infra_setting/roles/connect-settings/files/decrypt_password

@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+#-*- coding: utf-8 -*-
+
+import base64, random, string, os
+from Crypto.Cipher import AES
+from Crypto.Random import get_random_bytes
+from Crypto.Util.Padding import pad, unpad
+
+try:
+    encrypted_text=os.sys.argv[1]
+except:
+    encrypted_text="q6i1/JxyNe1OUrO0JKu+Z4WQTyQZam2yIJTp43dl1pI="
+
+def decrypt(ct, key):
+    manual_iv = b'PhilinnovatorDEV'
+    ct_bytes = base64.b64decode(ct)
+    cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv)
+    return unpad(cipher.decrypt(ct_bytes), 16).decode('utf-8')
+
+key = b'PhilinnovatorDEVPhilinnovatorDEV'
+print(decrypt(encrypted_text, key))

ansible/infra_setting/roles/connect-settings/files/gen_password

@@ -0,0 +1,45 @@
+#!/usr/bin/python3
+#-*- coding: utf-8 -*-
+
+import base64, random, string, os
+from Crypto.Cipher import AES
+from Crypto.Random import get_random_bytes
+from Crypto.Util.Padding import pad, unpad
+
+try:
+    encrypt_flag=True if os.sys.argv[1].lower()=='1' else False 
+except Exception as err:
+    encrypt_flag=False
+
+def generate_password(length=12, num_uppercase=3, num_lowercase=4, num_digits=3, num_sp_char=2):
+    sp_char = '!@#$'
+    all_chars = string.ascii_letters + string.digits + sp_char
+
+    password = [
+        *random.choices(string.ascii_uppercase, k=num_uppercase),
+        *random.choices(string.ascii_lowercase, k=num_lowercase),
+        *random.choices(string.digits, k=num_digits),
+        *random.choices(sp_char, k=num_sp_char)
+    ]
+
+    remaining_length = length - (num_uppercase + num_lowercase + num_digits + num_sp_char)
+    password += random.choices(all_chars, k=remaining_length)
+    
+    random.shuffle(password)
+    return ''.join(password)
+
+def encrypt(plain_text, key):
+    manual_iv = b'PhilinnovatorDEV'
+    cipher = AES.new(key, AES.MODE_CBC, iv=manual_iv)
+    ct_bytes = cipher.encrypt(pad(plain_text.encode(), 16))
+    ct = base64.b64encode(ct_bytes).decode('utf-8')
+    return ct
+
+key = b'PhilinnovatorDEVPhilinnovatorDEV'
+plain_text = generate_password()
+
+if encrypt_flag: 
+    encrypted_text = encrypt(plain_text, key)
+    print(encrypted_text)
+else:
+    print(plain_text)

ansible/infra_setting/roles/connect-settings/files/vault_get

@@ -0,0 +1,17 @@
+#!/usr/bin/python3
+#-*- coding: utf-8 -*-
+
+import hvac
+import os
+
+hostname=os.sys.argv[1]
+
+str_url   = "http://10.10.43.240:30803"
+client = hvac.Client(url=str_url)
+client.auth.approle.login(role_id="e96c5fd8-abde-084a-fde7-7450a9348a70", secret_id="5371706b-414a-11d3-f3fd-6cf98871aad1")
+
+try:
+    data = client.secrets.kv.v2.read_secret_version(mount_point='host', path=hostname, raise_on_deleted_version=True)['data']['data']
+    print(data)
+except Exception as err:
+    print(err)

ansible/infra_setting/roles/connect-settings/files/vault_put

@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+#-*- coding: utf-8 -*-
+
+import hvac
+import os
+
+hostname=os.sys.argv[1]
+accountid=os.sys.argv[2]
+password=os.sys.argv[3]
+adminuser=os.sys.argv[4]
+adminpass=os.sys.argv[5]
+
+str_url   = "http://10.10.43.240:30803"
+client = hvac.Client(url=str_url)
+client.auth.approle.login(role_id="e96c5fd8-abde-084a-fde7-7450a9348a70", secret_id="5371706b-414a-11d3-f3fd-6cf98871aad1")
+
+client.secrets.kv.v2.create_or_update_secret(
+    mount_point='host',
+    path=hostname,
+    secret=dict(accountid=f'{accountid}',password=f'{password}',adminuser=f'{adminuser}',adminpass=f'{adminpass}')
+)

ansible/infra_setting/roles/connect-settings/handlers/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Reload systemd configuration
+  ansible.builtin.systemd:
+    daemon_reload: True
+    
+- name: Restart teleport service
+  ansible.builtin.systemd:
+    name: teleport
+    enabled: true
+    state: restarted
+
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted
+    enabled: true

ansible/infra_setting/roles/connect-settings/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

ansible/infra_setting/roles/connect-settings/tasks/00_host_setting.yml

@@ -0,0 +1,162 @@
+---
+- name: "host setting"
+  hosts: all
+  become: yes
+  vars:
+    iptables_rules:
+      - { source: "10.10.45.0/24", target: "DROP" }
+      - { source: "10.10.47.0/24", target: "DROP" }
+      - { source: "10.10.48.0/24", target: "DROP" }
+      - { source: "10.10.50.0/24", target: "DROP" }
+      - { source: "10.10.37.0/24", target: "DROP" }
+    delete_rule: False
+    add_rule: True
+
+- name: "Create dev2 group"
+  ansible.builtin.group:
+    name: "dev2"
+    state: present
+  when:
+    - add_rule == True
+
+- name: Ensure user dev2-iac exists
+  user:
+    name: "{{ item }}"
+    create_home: yes
+    home: "/home/{{ item }}"
+    group: dev2
+    shell: /bin/bash
+  with_items:
+    - dev2-iac
+    - dev2
+  when:
+    - add_rule == True
+
+- name: "Ensure .ssh directory exists for dev2-iac"
+  file:
+    path: /home/dev2-iac/.ssh
+    state: directory
+    owner: dev2-iac
+    group: dev2
+    mode: '0700'
+  when:
+    - add_rule == True
+
+- name: "Add authorized key for dev2-iac"
+  authorized_key:
+    user: dev2-iac
+    key: "{{ item }}"
+  with_items:
+    - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRP/Kjn7UBudTO4ZLtWXRJNDcOPGbm+5jLKax+1tVgN2n0MCmwwrbFJQJvdaE/wp4+PnMtEyt+IqdwFdUDah8tu9CIYZ2Jk2T18oU7hYGvymh+QJmZgCNvYcmM9ATJbXpns7y8VLDVbkSq9EJIB+emLt1ZV/C8cyvhlmBUwGQA6c3zMgzWl9MT0HLa7H88cNVVknZPY0vGIw+H0Y2JtDr62xyVNT7w8B+jh7Yu6nCnQchwx3IRWGATuKfi2FB3rhkDqNvM1h00JJosu5ooBn3g5xll+w+sVKIQxEWShI9zatYP9/zrce+uVYeZLfz52X8giJ9dns66vqEKdJtdp4By5RPxRSsdQ2QGAQ0UuBHKgweU2EzivLynu49oiShAiJPxmru4TiGtchl52dvw/E9rjZiCKTq697azHHLbwTiOgbHpnu7GrxNRMdXCON70RYJpfERg/SGxxmUNF9OhYUeQJGNc8DcWnlBUrT/9Wi3Ryh1rKx2wtZt6eDkrehJ1lgU="
+    - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDmxGUDo5rdB/XA+cyH4a7Kn8zGWHqbL0AZDL55j5JLRLXC/z482Rp2cIx/FsQRtwEslEVXHHSowpJWHvQ4Z6NcInh0/0psJK2K8qnApLDHhPoiQzpGL+nG4JIho/10QPGpJ2aDcXdushvUME97j0A8hfaoR2xhBl2C9r865Vred0M971A5SRchwN/cmsTh2OMYGXKHD9RC6OFud2sQjyidkSTW58yBoN2B5CoAO4GMV09jX6Wp43jot19xJ5lX65NAHLsNIXMWiURmQDieIKqEiwWlPgwo7geErHlMOoNoypU9yTaN9NMYWZBG1xVL5skjmkdTEd+cnHBLAvhVtW1w5pOA7S8OUXkmiu0UITLYyWfzUx4uwzb7nGcb6aDboRVX6w8H4+GVgpYWJq+fh0ZZ9JbsdP6+PjRz1vgptM7K4Ji5ZRvqV5WMT0cvpySBaJakLSiPSa+dxGi6nfowXvUEAzMIVyaScNgCs1/NpdgN8dwffZlYB9WBUxY+5IjBQc8=" 
+  when:
+    - add_rule == True
+
+- name: "Add authorized key for dev2"
+  authorized_key:
+    user: dev2
+    key: "{{ item }}"
+  with_items:
+    - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDRP/Kjn7UBudTO4ZLtWXRJNDcOPGbm+5jLKax+1tVgN2n0MCmwwrbFJQJvdaE/wp4+PnMtEyt+IqdwFdUDah8tu9CIYZ2Jk2T18oU7hYGvymh+QJmZgCNvYcmM9ATJbXpns7y8VLDVbkSq9EJIB+emLt1ZV/C8cyvhlmBUwGQA6c3zMgzWl9MT0HLa7H88cNVVknZPY0vGIw+H0Y2JtDr62xyVNT7w8B+jh7Yu6nCnQchwx3IRWGATuKfi2FB3rhkDqNvM1h00JJosu5ooBn3g5xll+w+sVKIQxEWShI9zatYP9/zrce+uVYeZLfz52X8giJ9dns66vqEKdJtdp4By5RPxRSsdQ2QGAQ0UuBHKgweU2EzivLynu49oiShAiJPxmru4TiGtchl52dvw/E9rjZiCKTq697azHHLbwTiOgbHpnu7GrxNRMdXCON70RYJpfERg/SGxxmUNF9OhYUeQJGNc8DcWnlBUrT/9Wi3Ryh1rKx2wtZt6eDkrehJ1lgU="
+    - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDmxGUDo5rdB/XA+cyH4a7Kn8zGWHqbL0AZDL55j5JLRLXC/z482Rp2cIx/FsQRtwEslEVXHHSowpJWHvQ4Z6NcInh0/0psJK2K8qnApLDHhPoiQzpGL+nG4JIho/10QPGpJ2aDcXdushvUME97j0A8hfaoR2xhBl2C9r865Vred0M971A5SRchwN/cmsTh2OMYGXKHD9RC6OFud2sQjyidkSTW58yBoN2B5CoAO4GMV09jX6Wp43jot19xJ5lX65NAHLsNIXMWiURmQDieIKqEiwWlPgwo7geErHlMOoNoypU9yTaN9NMYWZBG1xVL5skjmkdTEd+cnHBLAvhVtW1w5pOA7S8OUXkmiu0UITLYyWfzUx4uwzb7nGcb6aDboRVX6w8H4+GVgpYWJq+fh0ZZ9JbsdP6+PjRz1vgptM7K4Ji5ZRvqV5WMT0cvpySBaJakLSiPSa+dxGi6nfowXvUEAzMIVyaScNgCs1/NpdgN8dwffZlYB9WBUxY+5IjBQc8=" 
+  when:
+    - add_rule == True
+
+- name: "sudoers_users file"
+  file: 
+    path: /etc/sudoers.d/sudoers_users
+    state: touch
+  when:
+    - add_rule == True
+
+- name: "Allow user to sudo"
+  lineinfile:
+    path: /etc/sudoers.d/sudoers_users
+    line: "{{ item }} ALL=(ALL) NOPASSWD:ALL"
+    state: present
+  with_items:
+    - dev2-iac
+    - dev2
+  when:
+    - add_rule == True
+
+# - name: Check if rule exists
+#   command: iptables -D INPUT 7
+#   loop: "{{ range(0, 9) }}"
+#   ignore_errors: yes
+#   when:
+#     - delete_rule == True
+
+# - name: Check if rule exists
+#   command: iptables -C INPUT -s {{ item.source }} -j {{ item.target }}
+#   register: rule_check
+#   ignore_errors: yes
+#   changed_when: false
+#   with_items: "{{ iptables_rules }}"
+#   when:
+#     - add_rule == True
+
+# - name: Add rule if it doesn't exist
+#   command: iptables -A INPUT -s {{ item.item.source }} -j {{ item.item.target }}
+#   with_items: "{{ rule_check.results }}"
+#   when: 
+#     - item.rc == 1
+#     - add_rule == True
+
+- name: "selinux permissive"
+  command: "setenforce 0"
+  ignore_errors: yes
+  when:
+  - ansible_facts.os_family == "RedHat"
+
+- name: "firewalld stop"
+  systemd:
+    name: firewalld
+    state: stopped
+    enabled: false
+  ignore_errors: yes
+  when:
+  - ansible_facts.os_family == "RedHat"
+
+- name: Configure ssh root login to {{sshrootlogin}}
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(#)?PermitRootLogin.*'
+    line: 'PermitRootLogin {{sshrootlogin}}'
+    insertbefore: '^Match.*'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd
+
+- name: Remove existing Port lines
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^Port'
+    state: absent
+
+- name: SSH Listen on Main Port
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    insertbefore: '^#*AddressFamily'
+    line: 'Port {{sshmainport}}'
+    state: present
+    owner: root
+    group: root
+    mode: 0640
+  notify: restart sshd
+
+- name: "Create sshd_config.d directory"
+  ansible.builtin.file:
+    path: "/etc/ssh/sshd_config.d/"
+    state: directory
+    recurse: yes
+    owner: root
+    group: root
+
+- name: "Setting sshd allow users"
+  template:
+    src: allow_users.j2
+    dest: "/etc/ssh/sshd_config.d/allow_users.conf"
+  notify: restart sshd

ansible/infra_setting/roles/connect-settings/tasks/01_get_password.yml

@@ -0,0 +1,36 @@
+---
+- name: get password
+  command: "{{ role_path }}/files/gen_password {{ encrypt }}"
+  register: user_password
+  delegate_to: 127.0.0.1
+  when: manual_password is not defined
+
+- name: get admin password
+  command: "{{ role_path }}/files/gen_password {{ encrypt }}"
+  register: admin_password
+  delegate_to: 127.0.0.1
+  when: manual_password is not defined
+
+- name: set fact user password
+  block:
+    - set_fact:
+        user_password: "{{ user_password.stdout }}"
+  rescue:
+    - set_fact:
+        user_password: "{{ manual_password }}"
+  always:
+    - debug:
+        msg: "{{ username }} : {{ user_password }}"
+      when: debug_mode == True
+
+- name: set fact admin password
+  block:
+    - set_fact:
+        admin_password: "{{ admin_password.stdout }}"
+  rescue:
+    - set_fact:
+        admin_password: "{{ manual_password }}"
+  always:
+    - debug:
+        msg: "{{ adminuser }} : {{ admin_password }}"
+      when: debug_mode == True

ansible/infra_setting/roles/connect-settings/tasks/02_change_password.yml

@@ -0,0 +1,21 @@
+---
+- include_tasks: 99_decrypt_password.yml
+  when: 
+  - encrypt == 1
+  - manual_password is not defined
+
+- name: user password change
+  user:
+    name: "{{ item }}"
+    password: "{{ user_password | password_hash('sha512') }}"
+    state: present
+  with_items:
+    - "{{ username }}"
+
+- name: admin password change
+  user:
+    name: "{{ item }}"
+    password: "{{ admin_password | password_hash('sha512') }}"
+    state: present
+  with_items:
+  - "{{ adminuser }}"

ansible/infra_setting/roles/connect-settings/tasks/03_vault.yml

@@ -0,0 +1,21 @@
+---
+- name: Check if ansible_port is defined
+  set_fact:
+    ansible_port: "{{ ansible_port | default(22) }}"
+
+- debug:
+    msg: "{{ ansible_distribution }} {{ ansible_hostname }} {{ ansible_default_ipv4.address }} {{ ansible_port }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
+  when: debug_mode == True
+
+- name: put vault
+  command: "{{ role_path }}/files/vault_put {{ ansible_default_ipv4.address }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
+  delegate_to: 127.0.0.1
+
+- name: get vault
+  command: "{{ role_path }}/files/vault_get {{ ansible_default_ipv4.address }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
+  register: get_vault
+  delegate_to: 127.0.0.1
+
+- debug:
+    msg: "{{get_vault.stdout_lines}}"
+  when: debug_mode == True

ansible/infra_setting/roles/connect-settings/tasks/04_excel_export.yml

@@ -0,0 +1,19 @@
+---
+- name: Redirect output to local file
+  delegate_to: localhost
+  copy:
+    content: "[{{ ansible_date_time.date }} {{ ansible_date_time.hour }}:{{ ansible_date_time.minute }}:{{ ansible_date_time.second }}]"
+    dest: "/tmp/host_list"
+    mode: '0666'
+    backup: yes
+
+- name: Append output to local file
+  delegate_to: localhost
+  lineinfile:
+    path: "/tmp/host_list"
+    line: "{{ ansible_distribution }} {{ ansible_hostname }} {{ ansible_default_ipv4.address }} {{ sshmainport }} {{ username }} {{ user_password }} {{ adminuser }} {{ admin_password }}"
+    create: yes
+
+- name: excel export
+  command: "{{ role_path }}/files/custom_excel"
+  delegate_to: 127.0.0.1

ansible/infra_setting/roles/connect-settings/tasks/99_decrypt_password.yml

@@ -0,0 +1,27 @@
+---
+- name: user_password decrypt
+  command: "{{ role_path }}/files/decrypt_password {{ user_password }}"
+  register: user_password
+  delegate_to: 127.0.0.1
+
+- name: admin_password decrypt
+  command: "{{ role_path }}/files/decrypt_password {{ admin_password }}"
+  register: admin_password
+  delegate_to: 127.0.0.1
+  when: 
+  - encrypt == 1
+  - manual_password is not defined
+
+- name: admin_password re fact
+  set_fact: 
+    admin_password: "{{ admin_password.stdout }}"
+  when: 
+  - encrypt == 1
+  - manual_password is not defined
+
+- name: user_password re fact
+  set_fact: 
+    user_password: "{{ user_password.stdout }}"
+  when: 
+  - encrypt == 1
+  - manual_password is not defined

ansible/infra_setting/roles/connect-settings/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- include: 00_host_setting.yml
+  tags: host
+
+- include: 01_get_password.yml
+  tags: password
+
+- include: 02_change_password.yml
+  tags: change
+
+- include: 03_vault.yml
+  tags: vault
+
+- include: 04_excel_export.yml
+  tags: excel

ansible/infra_setting/roles/connect-settings/templates/allow_users.j2

@@ -0,0 +1,22 @@
+AllowUsers dev2-iac@10.10.43.*
+AllowUsers *@10.20.142.*
+{% if ansible_distribution == "Ubuntu" %}
+AllowUsers ubuntu@10.10.43.*
+{% endif %}
+{% if ansible_distribution == "CentOS" %}
+AllowUsers centos@10.10.43.*
+{% endif %}
+{% if ansible_distribution == "RedHat" %}
+AllowUsers redhat@10.10.43.*
+{% endif %}
+
+{% if admin_users is defined %}
+{% for user in admin_users %}
+AllowUsers {{ user.name }}@{{ user.ip }} 
+{% endfor %}
+{% endif %}
+{% if allow_users is defined %}
+{% for user in allow_users %}
+AllowUsers {{ user.name }}@{{ user.ip }} 
+{% endfor %}
+{% endif %}

ansible/infra_setting/roles/connect-settings/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

ansible/infra_setting/roles/connect-settings/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - password

ansible/infra_setting/roles/connect-settings/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for password