diff --git a/facts/general/package.yml b/facts/general/package.yml
index 55cd207..09a0c49 100644
--- a/facts/general/package.yml
+++ b/facts/general/package.yml
@@ -60,6 +60,7 @@
 tar: tar
 microcode_amd: ucode-amd
 microcode_intel: ucode-intel
+ cron: cronie
 when: ansible_pkg_mgr == "zypper"
diff --git a/facts/general/system.yml b/facts/general/system.yml
index cf9c4db..d11ab18 100644
--- a/facts/general/system.yml
+++ b/facts/general/system.yml
@@ -39,8 +39,8 @@
 - name: General | Facts | System | Report File Names
 set_fact:
- lynis_report: "{{ lynis_install_dir }}/run.txt"
- nmap_report: "{{ lynis_install_dir }}/nmap.txt"
+ lynis_report: "lynis_hardness_check.txt"
+ nmap_report: "nmap_port_check.txt"
 - name: General | Facts | System | Ansible Branch
diff --git a/local.yml b/local.yml
index 1a64787..37052fa 100644
--- a/local.yml
+++ b/local.yml
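Review bot: `lynis_report` and `nmap_report` change from absolute paths under `lynis_install_dir` to bare file names, and nothing in this hunk says where they are resolved; a reader of facts/general/system.yml has to open tasks/general/tests/lynis.yml and nmap.yml to learn they are joined onto `{{ user_user.home }}/Reports/`. A comment above the task, `# File names only; tasks/general/tests/*.yml place them under the user's Reports/ directory.`, keeps the fact self-describing. "hardness" in `lynis_hardness_check.txt` presumably means "hardening"; worth renaming before the file name is relied on elsewhere.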
@@ -8,92 +8,88 @@
 become: true
 tasks:
- - include: facts/general/gather.yml
- - include: tasks/general/acct_mgmt/provision_config.yml
+ - include_tasks: facts/general/gather.yml
+ - include_tasks: tasks/general/acct_mgmt/provision_config.yml
- - include: facts/general/system.yml
- - include: facts/general/package.yml
- - include: facts/general/service.yml
- - include: facts/general/user.yml
+ - include_tasks: facts/general/system.yml
+ - include_tasks: facts/general/package.yml
+ - include_tasks: facts/general/service.yml
+ - include_tasks: facts/general/user.yml
- - include: tasks/general/software/packages.yml
- - include: tasks/general/software/services.yml
- ignore_errors: yes
- - include: tasks/general/software/sendmail.yml
- ignore_errors: yes
+ - include_tasks: tasks/general/software/packages.yml
+ - include_tasks: tasks/general/software/services.yml
+ - include_tasks: tasks/general/software/sendmail.yml
 when: ansible_system == "FreeBSD"
- - include: facts/general/gather.yml
+ - include_tasks: facts/general/gather.yml
- - include: tasks/general/acct_mgmt/groups.yml
- - include: tasks/general/acct_mgmt/users.yml
- - include: tasks/general/acct_mgmt/sudo.yml
+ - include_tasks: tasks/general/acct_mgmt/groups.yml
+ - include_tasks: tasks/general/acct_mgmt/users.yml
+ - include_tasks: tasks/general/acct_mgmt/sudo.yml
+ - include_tasks: tasks/general/acct_mgmt/doas.yml
- - include: tasks/general/scripts/root.yml
- - include: tasks/general/scripts/user.yml
+ - include_tasks: tasks/general/scripts/root.yml
+ - include_tasks: tasks/general/scripts/user.yml
- - include: tasks/general/cron/ansible.yml
+ - include_tasks: tasks/general/cron/ansible.yml
 # TODO Need to refactor. Maybe tasks/general/cron/freebsd.yml
- - include: tasks/workstation/freebsd/cron/ansible.yml
+ - include_tasks: tasks/workstation/freebsd/cron/ansible.yml
 when: ansible_system == "FreeBSD"
- - include: tasks/general/software/metasploit.yml
+ - include_tasks: tasks/general/software/metasploit.yml
 when: pentesting == true - ####### Workstations #######
 # Additional setup for systems with GUI.
 - name: Main | Workstation Setup
 block:
- - include: facts/workstation/package.yml
+ - include_tasks: facts/workstation/package.yml
 # Set Up Desktop Environments #
- - include: tasks/workstation/freebsd/software/gpu.yml
+ - include_tasks: tasks/workstation/freebsd/software/gpu.yml
 when: ansible_system == "FreeBSD" and bsd_gpu == true
- - include: tasks/workstation/freebsd/software/gnome.yml
+ - include_tasks: tasks/workstation/freebsd/software/gnome.yml
 when: ansible_system == "FreeBSD"
- - include: tasks/workstation/linux/software/gnome.yml
+ - include_tasks: tasks/workstation/linux/software/gnome.yml
 when: ansible_system == "Linux"
- - include: tasks/workstation/shared/software/dwm.yml
- ignore_errors: yes
+ - include_tasks: tasks/workstation/shared/software/dwm.yml
 # Software Tasks #
- - include: tasks/workstation/linux/software/flatpaks.yml
+ - include_tasks: tasks/workstation/linux/software/flatpaks.yml
 when: ansible_system == "Linux" and flatpak_distro
- - include: tasks/workstation/linux/software/brave.yml
+ - include_tasks: tasks/workstation/linux/software/brave.yml
 when: ansible_pkg_mgr in ("apt", "dnf", "zypper") and not mobile
- - include: tasks/workstation/freebsd/software/packages.yml
+ - include_tasks: tasks/workstation/freebsd/software/packages.yml
 when: ansible_system == "FreeBSD"
- - include: tasks/workstation/mac-os/software/brew.yml
+ - include_tasks: tasks/workstation/mac-os/software/brew.yml
 when: ansible_system == "Darwin"
 # Configuration Tasks #
- - include: tasks/workstation/shared/settings/gnome.yml
+ - include_tasks: tasks/workstation/shared/settings/gnome.yml
 when: not mobile
- - include: tasks/workstation/linux/cron/ansible.yml
+ - include_tasks: tasks/workstation/linux/cron/ansible.yml
 when: ansible_system == "Linux" and not mobile
- - include: tasks/workstation/shared/settings/nfs.yml
+ - include_tasks: tasks/workstation/shared/settings/nfs.yml
- - include: tasks/workstation/shared/settings/rdp.yml
+ - include_tasks: tasks/workstation/shared/settings/rdp.yml
 when: rdp == true
- - include: tasks/workstation/shared/settings/vnc.yml
+ - include_tasks: tasks/workstation/shared/settings/vnc.yml
 when: vnc == true
- - include: tasks/workstation/shared/settings/services.yml
- ignore_errors: yes
+ - include_tasks: tasks/workstation/shared/settings/services.yml
 when: workstation == true
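Review bot: Switching `include` to the dynamic `include_tasks` changes what the keywords on these lines do: `when:` is now evaluated once, at include time, instead of being copied onto every task in the included file, and keywords such as `ignore_errors` or `tags` on the include line no longer propagate to the included tasks without `apply:`. The four removed `ignore_errors: yes` lines (services.yml, sendmail.yml, dwm.yml, settings/services.yml) previously tolerated a failure in any task of those files; the commit re-adds `ignore_errors` only to selected tasks inside them, so any other task in those files that used to fail quietly will now abort the play — presumably intended, but worth a run on a FreeBSD host to confirm. The new `tasks/general/acct_mgmt/doas.yml` include is unconditional right after `sudo.yml`, so every host now gets both privilege-escalation tools configured; if only one is wanted per platform, gate it the way the other includes are gated.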
@@ -106,81 +102,79 @@ # block: # # ##### Setup ##### -# - include: tasks/miner/debug.yml +# - include_tasks: tasks/miner/debug.yml # -# - include: tasks/miner/acct_mgmt/users.yml +# - include_tasks: tasks/miner/acct_mgmt/users.yml # -# - include: facts/miner/system.yml -# - include: facts/miner/config.yml -# - include: facts/miner/pool.yml +# - include_tasks: facts/miner/system.yml +# - include_tasks: facts/miner/config.yml +# - include_tasks: facts/miner/pool.yml # # ##### Installations ##### # ### CPU SECTION ### # # Monero # -# - include: tasks/miner/software/xmr-stak-cpu.yml +# - include_tasks: tasks/miner/software/xmr-stak-cpu.yml # when: xmr_stak_cpu is defined # # ### GPU Section ### # ## Drivers ## -# - include: tasks/miner/drivers/amdgpu.yml +# - include_tasks: tasks/miner/drivers/amdgpu.yml # when: ansible_distribution == "Ubuntu" and amdgpu == true # # # Ethereum # -# - include: tasks/miner/software/ethminer.yml +# - include_tasks: tasks/miner/software/ethminer.yml # when: ethminer == true # -# - include: tasks/miner/software/nanominer.yml +# - include_tasks: tasks/miner/software/nanominer.yml # when: nanominer == true # # ##### Scheduling ##### -# - include: tasks/miner/cron/ansible.yml -# - include: tasks/miner/cron/mfn.yml +# - include_tasks: tasks/miner/cron/ansible.yml +# - include_tasks: tasks/miner/cron/mfn.yml # # when: miner == true - ####### Servers ####### # Easy to deploy server configurations. 
- name: Main | Server Setup block: - - include: tasks/server/software/services.yml + - include_tasks: tasks/server/software/services.yml - - include: tasks/server/software/certbot.yml + - include_tasks: tasks/server/software/certbot.yml when: certbot == true - - include: tasks/server/cron/certbot.yml + - include_tasks: tasks/server/cron/certbot.yml when: certbot == true - - include: tasks/server/software/onlyoffice.yml + - include_tasks: tasks/server/software/onlyoffice.yml when: onlyoffice == true and ansible_pkg_mgr == "apt" - - include: tasks/server/software/influxdb1.yml + - include_tasks: tasks/server/software/influxdb1.yml when: influxdb1 == true and ansible_pkg_mgr == "apt" - - include: tasks/server/software/influxdb2.yml + - include_tasks: tasks/server/software/influxdb2.yml when: influxdb2 == true and ansible_pkg_mgr == "apt" - - include: tasks/server/software/grafana.yml + - include_tasks: tasks/server/software/grafana.yml when: grafana == true and ansible_pkg_mgr == "apt" - - include: tasks/server/software/hugo.yml + - include_tasks: tasks/server/software/hugo.yml when: hugo == true - - include: tasks/server/software/gitlab.yml + - include_tasks: tasks/server/software/gitlab.yml when: gitlab and ansible_pkg_mgr in ("apt", "dnf") and ansible_distribution not in ("Fedora") - - include: tasks/server/software/git.yml + - include_tasks: tasks/server/software/git.yml when: git and ansible_pkg_mgr in ("apt") when: server == true - ####### Reporting ####### # Provide information for analysis. - - include: tasks/general/software/telegraf.yml + - include_tasks: tasks/general/software/telegraf.yml - - include: tasks/general/tests/lynis.yml - - include: tasks/general/tests/nmap.yml + - include_tasks: tasks/general/tests/lynis.yml + - include_tasks: tasks/general/tests/nmap.yml diff --git a/setup.sh b/setup.sh index f1ecac1..7f6c8fb 100755 --- a/setup.sh +++ b/setup.sh 
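Review bot: Roughly forty lines of the Miner block are commented out yet are still rewritten from `include` to `include_tasks` in this hunk, so dead configuration is being maintained by hand with no way to exercise it; either delete it (git history keeps it) or move it into a real tasks file included behind the `when: miner == true` that the trailing commented line already sketches. In the live Server block the unchanged context lines `ansible_pkg_mgr in ("apt")` and `ansible_distribution not in ("Fedora")` use parenthesized strings rather than one-element tuples, so `in` is a substring test; they work by accident, and `== "apt"` / `!= "Fedora"` say what is meant, the way the `("apt", "dnf")` tuple on the gitlab line does.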
@@ -53,9 +53,15 @@ while getopts ":lb:h" arg; do
 done
 if [[ $branch == "" ]]; then
+ echo "Using default branch $BRANCH."
 branch="$BRANCH"
 fi
+if [[ $1 != "-"* ]]; then
+ echo "ERROR: '$1' is not a valid option, please check your parameters and try again."
+ usage 1
+fi
+
 ## Main ##
 os="$(cat /etc/os-release)"
diff --git a/tasks/general/acct_mgmt/doas.yml b/tasks/general/acct_mgmt/doas.yml
new file mode 100644
index 0000000..a971895
--- /dev/null
+++ b/tasks/general/acct_mgmt/doas.yml
@@ -0,0 +1,53 @@
+---
+# Install and configure doas.
+
+- name: General | Software | DoAs | Facts
+ set_fact:
+ doas_config: |
+ permit persist :wheel as root
+ permit persist :admin as root
+ permit persist :sudo as root
+ doas_conf_file_linux: /etc/doas.conf
+ doas_conf_file_bsd: /usr/local/etc/doas.conf
+
+- name: General | Software | DoAs | Install
+ package:
+ name:
+ - doas
+ ignore_errors: yes
+
+- name: General | Software | DoAs | Configure [Linux]
+ blockinfile:
+ path: "{{ doas_conf_file_linux }}"
+ block: |
+ {{ doas_config }}
+ marker: '# {mark} MANAGED BY ANSIBLE | doas Linux'
+ state: present
+ create: yes
+ backup: yes
+ when: ansible_system in ("Linux")
+
+- name: General | Software | DoAs | Configure [BSD]
+ blockinfile:
+ path: "{{ doas_conf_file_linux }}"
+ block: |
+ {{ doas_config }}
+ marker: '# {mark} MANAGED BY ANSIBLE | doas BSD'
+ state: present
+ create: yes
+ backup: yes
+ when: ansible_system in ("FreeBSD")
+
+- name: General | Software | DoAs | Configure [Other]
+ blockinfile:
+ path: "{{ item }}"
+ block: |
+ {{ doas_config }}
+ marker: '# {mark} MANAGED BY ANSIBLE | doas Other'
+ state: present
+ create: yes
+ backup: yes
+ loop:
+ - "{{ doas_conf_file_linux }}"
+ - "{{ doas_conf_file_bsd }}"
+ when: ansible_system not in ("Linux", "FreeBSD")
diff --git a/tasks/general/acct_mgmt/users.yml b/tasks/general/acct_mgmt/users.yml
index 105f442..1a44aab 100644
--- a/tasks/general/acct_mgmt/users.yml
+++ b/tasks/general/acct_mgmt/users.yml
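Review bot: `[[ $1 != "-"* ]]` is also true when the script is run with no arguments, because an empty `$1` does not start with `-`, so the new check prints `ERROR: '' is not a valid option` and calls `usage 1` for exactly the no-argument run that the default-branch fallback just above is meant to support. Guard on a non-empty first argument: `if [[ -n $1 && $1 != -* ]]; then`. The check also looks only at the first argument, so a stray positional after valid options (`-l extra`) still passes; catching that needs `shift $((OPTIND - 1))` after the getopts loop and a test on `$#`. `usage` is defined outside this hunk, so whether `usage 1` exits non-zero is not visible here.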
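Review bot: The `Configure [BSD]` task writes to `doas_conf_file_linux` (`/etc/doas.conf`) instead of `doas_conf_file_bsd`, so on FreeBSD the policy never reaches `/usr/local/etc/doas.conf` and doas stays unconfigured while the play reports success; the fix is `path: "{{ doas_conf_file_bsd }}"`. The file is created with `create: yes` and no `owner`/`mode`, i.e. whatever the current umask yields; doas refuses a config file that is group- or world-writable, and a file granting `persist` root access to three groups should be root-owned and private regardless, so add `owner: root` and `mode: '0600'` to all three `blockinfile` tasks. `ansible_system in ("Linux")` is a parenthesized string, not a one-element tuple, so `in` is a substring test that only happens to work; `ansible_system == "Linux"`, as the rest of the playbook writes it, says what is meant.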
@@ -102,6 +102,7 @@ - "{{ user_user.home }}/LBRY" - "{{ user_user.home }}/TRASH" - "{{ user_user.home }}/Downloads" + - "{{ user_user.home }}/Reports" become_user: "{{ user }}" when: user_user.home != "" @@ -277,6 +278,7 @@ return echo "ERROR: Something went wrong while removing Flatpak apps!" } + alias_vim: alias vi=vim - name: General | Account Management | Users | Files | Common Variable set_fact: @@ -302,6 +304,7 @@ {{ function_clean }} {{ function_flatpak_usage }} {{ function_flatpak_purge }} + {{ alias_vim }} - name: General | Account Management | Users | Files | .bashrc blockinfile: @@ -334,3 +337,28 @@ - "{{ user_user.home }}" ignore_errors: yes when: user_root.home != "" and user_user.home != "" + +- name: General | Account Management | Users | Files | .vimrc + blockinfile: + path: "{{ item }}/.vimrc" + block: | + " Turn off syntax, flashy lights, etc. Make VIM into a basic editor. + syntax off + set nohlsearch + set noautoindent noautowrite noshowmatch wrapmargin=0 report=1 ts=3 + set ignorecase + + " Turn off auto-commenting. + autocmd Filetype * set fo-=c fo-=r fo-=o + + " qq shortcut for immediately exiting all files without saving. + nnoremap qq :qa! + marker: '" {mark} MANAGED BY ANSIBLE | vimrc' + state: present + create: yes + backup: yes + loop: + - "{{ user_root.home }}" + - "{{ user_user.home }}" + ignore_errors: yes + when: user_root.home != "" and user_user.home != "" diff --git a/tasks/general/software/packages.yml b/tasks/general/software/packages.yml index 169b59d..0edc176 100644 --- a/tasks/general/software/packages.yml +++ b/tasks/general/software/packages.yml @@ -50,6 +50,9 @@ - "{{ opensshd }}" - "{{ tar }}" - curl + - at + - gcc + - vim state: present - name: General | Software | Packages | Install Software (DEV) 
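Review bot: `nnoremap qq :qa!` in the .vimrc block does not terminate the command, so pressing `qq` only leaves `:qa!` on the command line and the user still has to press Enter, which contradicts the "immediately exiting" comment two lines above it; write `nnoremap qq :qa!<CR>`. The block is also installed into root's home, and the `ignore_errors: yes` on this task will hide a failure to write root's .vimrc just as readily as the user's; dropping it, or narrowing it with `failed_when` on a registered result, would surface that. The `Reports` directory added in the first hunk is created as `{{ user }}` under the user's home and is where the Lynis and nmap tasks later write as root, which is discussed on those files.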
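Review bot: `gcc` and `at` are added to the base package set that every host installs, including servers, which works against the hardening posture this repository audits with Lynis (an installed compiler on a production host is a standard Lynis finding, and `at` is another scheduler daemon to account for). The comment in the next hunk says the compiler is wanted to build st for DWM, so gating `gcc` with the workstation/DWM tasks — e.g. in tasks/workstation/shared/software/dwm.yml, or in the `Install Software (DEV)` task named on the last context line — keeps servers minimal. `vim` alongside the new `alias vi=vim` is fine.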
@@ -89,17 +92,18 @@ name: - which - "{{ cron }}" - - vi state: present when: ansible_distribution == "Archlinux" -# openSUSE Tumbleweed comes without gnome-control-center being able to open -# properly. Hopefully just a one-time accident but I wanted bleeding edge so I -# guess I got it! Luckily was easy to figure out based on CLI error launching. - name: General | Software | Services | Install Fix (Looking at you, openSUSE) package: name: + # openSUSE Tumbleweed comes without gnome-control-center being able to open + # properly. Hopefully just a one-time accident but I wanted bleeding edge so I + # guess I got it! Luckily was easy to figure out based on CLI error on launch. - libvulkan1 + # Provides c99 used to compile ST for DWM. + - posix_cc state: present when: ansible_pkg_mgr in ("zypper") diff --git a/tasks/general/software/sendmail.yml b/tasks/general/software/sendmail.yml index 8bde16c..22b9c49 100644 --- a/tasks/general/software/sendmail.yml +++ b/tasks/general/software/sendmail.yml @@ -10,6 +10,7 @@ - name: Server | Sendmail | Check shell: which postfix register: postfix + ignore_errors: yes - name: Server | Sendmail | Install package: diff --git a/tasks/general/software/services.yml b/tasks/general/software/services.yml index c8ff0d1..9743749 100644 --- a/tasks/general/software/services.yml +++ b/tasks/general/software/services.yml @@ -19,6 +19,7 @@ pattern: "{{ cups_pattern }}" state: stopped enabled: no + ignore_errors: yes - name: General | Software | Services | CUPS-Browse | Disable service: @@ -26,6 +27,7 @@ pattern: "{{ cups_browse_pattern }}" state: stopped enabled: no + ignore_errors: yes ## SSHD ## diff --git a/tasks/general/tests/lynis.yml b/tasks/general/tests/lynis.yml index ebe41de..9a83f39 100644 --- a/tasks/general/tests/lynis.yml +++ b/tasks/general/tests/lynis.yml 
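Review bot: `ignore_errors: yes` on `shell: which postfix` marks the task failed-then-ignored on every host without postfix, which shows up as an error in the output and sets `postfix.failed`, even though a missing binary is the very outcome the task is probing for; `failed_when: false` and `changed_when: false` express the intent, and `command:` suffices since there is no shell syntax in it. The task that consumes `postfix` starts at the end of the hunk but its `when:` is outside it, so which field it reads (`rc` or `stdout`) is not visible here.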
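Review bot: `ignore_errors: yes` on the CUPS stop/disable tasks (both hunks here, and the mirror tasks in tasks/workstation/shared/settings/services.yml) turns a failed hardening step into a warning that nobody acts on; if the goal is to tolerate hosts where CUPS is not installed, narrow it instead, e.g. register the result and use `failed_when` so that only a "service not found" outcome is tolerated while a service that exists but could not be stopped still fails. This blanket tolerance used to sit on the include lines in local.yml, so it is not new behaviour, but moving it onto the task is the moment to make it precise. The workstation mirror task is named "Disable CUPS-Browse Daemon" yet has `state: started` / `enabled: yes` on its unchanged context lines, which reads like a copy-paste of the name; and tasks/workstation/shared/software/dwm.yml applies the same `ignore_errors` to `make clean install`, where a failed build silently leaves the previous binary in place.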
@@ -1,6 +1,14 @@
 ---
 # Lynis hardness check.
+- name: General | Tests | Lynis | Set Facts
+ set_fact:
+ lynis_file: "{{ user_user.home }}/Reports/{{ lynis_report }}"
+
+- name: General | Tests | Lynis | Set Facts 2
+ set_fact:
+ lynis_temp_file: "{{ lynis_file }}.tmp"
+
 - name: General | Tests | Lynis | Rename Old Install
 shell: mv "/usr/local/lynis" "/usr/local/src/"
 ignore_errors: yes
@@ -27,13 +35,23 @@
 path: "{{ lynis_install_dir }}/lynis"
 mode: '0755'
+- name: General | Tests | Lynis | Ensure Folder Permissions
+ file:
+ path: "{{ lynis_install_dir }}"
+ state: directory
+ mode: '0755'
+ recurse: no
+
 - name: General | Tests | Lynis | Run System Audit
- shell: "./lynis audit system --no-colors > {{ lynis_report }} 2>&1"
+ shell: "{{ item }}"
+ loop:
+ - "./lynis audit system --no-colors > {{ lynis_temp_file }} 2>&1"
+ - "mv {{ lynis_temp_file }} {{ lynis_file }}"
 args:
 executable: "{{ bash_exec.stdout }}"
 chdir: "{{ lynis_install_dir }}"
 - name: General | Tests | Lynis | Make Report Readable
 file:
- path: "{{ lynis_report }}"
- mode: '0777'
+ path: "{{ lynis_file }}"
+ mode: '0644'
diff --git a/tasks/general/tests/nmap.yml b/tasks/general/tests/nmap.yml
index 1574cb5..39a3933 100644
--- a/tasks/general/tests/nmap.yml
+++ b/tasks/general/tests/nmap.yml
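Review bot: The audit output is now written as root, through shell redirection, into `{{ user_user.home }}/Reports/`, a directory owned by the unprivileged user (created in tasks/general/acct_mgmt/users.yml); a root process writing into a user-controlled directory follows whatever symlink the user has placed at `lynis_hardness_check.txt.tmp`, which is the classic hazard this layout invites. Keep the report in a root-owned location such as `{{ lynis_install_dir }}` (as before) and deliver it with `copy:` using `remote_src: yes`, `owner: "{{ user }}"` and `mode: '0640'`, rather than `mv` followed by `0644`; `0644` makes a file listing the host's hardening weaknesses readable by every local account, the opposite of what the audit is for. The same two points apply to tasks/general/tests/nmap.yml. The "Set Facts 2" task exists only because `lynis_temp_file` references `lynis_file`; writing `{{ lynis_file }}.tmp` directly in the loop items removes it.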
@@ -1,13 +1,30 @@
 ---
 # Nmap port test
-- name: General | Tests | nmap | Run Count
- shell: "nmap --open localhost | grep -c open > {{ nmap_report }}; echo success"
+- name: General | Tests | nmap | Set Facts
+ set_fact:
+ nmap_file: "{{ user_user.home }}/Reports/{{ nmap_report }}"
+ nmap_separator: "\n*******************************\n\n"
-- name: General | Tests | nmap | Run Open
- shell: "nmap --open localhost | grep open >> {{ nmap_report }}; echo success"
+- name: General | Tests | nmap | Set Facts 2
+ set_fact:
+ nmap_temp_file: "{{ nmap_file }}.tmp"
+
+- name: General | Tests | nmap | Create Report
+ shell: "{{ item }}"
+ loop:
+ - "date > {{ nmap_temp_file }}"
+ - "printf '{{ nmap_separator }}' >> {{ nmap_temp_file }}"
+ - "echo '-=Open Ports=-' >> {{ nmap_temp_file }}"
+ - "printf 'Number of open ports: ' >> {{ nmap_temp_file }}"
+ - "nmap --open localhost | grep -c open >> {{ nmap_temp_file }}; echo success"
+ - "nmap --open localhost | grep open >> {{ nmap_temp_file }}; echo success"
+ - "printf '{{ nmap_separator }}' >> {{ nmap_temp_file }}"
+ - "echo '-=Aggressive Vulnerability Check=-' >> {{ nmap_temp_file }}"
+ - "nmap -A localhost >> {{ nmap_temp_file }}; echo success"
+ - "mv {{ nmap_temp_file }} {{ nmap_file }}"
 - name: General | Tests | nmap | Make Viewable
 file:
- path: "{{ nmap_report }}"
- mode: '0777'
+ path: "{{ nmap_file }}"
+ mode: '0644'
diff --git a/tasks/workstation/linux/software/brave.yml b/tasks/workstation/linux/software/brave.yml
index 62746c9..cc70373 100644
--- a/tasks/workstation/linux/software/brave.yml
+++ b/tasks/workstation/linux/software/brave.yml
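Review bot: Every nmap step ends in `; echo success`, so the loop exits 0 even when nmap is missing or fails, and the report then silently lacks those sections with nothing in the play output to say so; drop the `echo success` tails and let the task fail, or register the result and assert on it, given that nmap does not appear in any package list in this diff. `nmap -A` adds OS fingerprinting and default NSE scripts to what was a port count, and its banner/version output now lands in a `0644` file in the user's home, so the ownership and mode remarks made on tasks/general/tests/lynis.yml apply here as well. `nmap_separator` is double-quoted in YAML, so the fact holds real newlines that are then pasted inside the single quotes of `printf '...'`; that works, but single-quoting the fact in YAML (`'\n****\n\n'`) lets printf interpret the escapes and keeps the shell string on one line.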
@@ -37,8 +37,9 @@
 shell: "{{ item }}"
 loop:
 - rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
- - sudo zypper addrepo https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo
+ - zypper addrepo https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo
 when: ansible_pkg_mgr == "zypper"
+ ignore_errors: yes
 - name: Workstation | Software | Brave | Install
 package:
diff --git a/tasks/workstation/linux/software/flatpaks.yml b/tasks/workstation/linux/software/flatpaks.yml
index fc8a227..39f076e 100644
--- a/tasks/workstation/linux/software/flatpaks.yml
+++ b/tasks/workstation/linux/software/flatpaks.yml
@@ -330,6 +330,8 @@
 - steam
 - vscode
 - code
+ - libreoffice
+ - "*libreoffice*"
 - '*libreoffice*'
 - gimp
 state: absent
diff --git a/tasks/workstation/shared/settings/services.yml b/tasks/workstation/shared/settings/services.yml
index 37be15b..62bfa70 100644
--- a/tasks/workstation/shared/settings/services.yml
+++ b/tasks/workstation/shared/settings/services.yml
@@ -9,6 +9,7 @@
 pattern: "{{ cups_pattern }}"
 state: started
 enabled: yes
+ ignore_errors: yes
 - name: General | Software | Services | Disable CUPS-Browse Daemon
 service:
@@ -16,3 +17,4 @@
 pattern: "{{ cups_browse_pattern }}"
 state: started
 enabled: yes
+ ignore_errors: yes
diff --git a/tasks/workstation/shared/software/dwm.yml b/tasks/workstation/shared/software/dwm.yml
index 11aeff6..c9e2c96 100644
--- a/tasks/workstation/shared/software/dwm.yml
+++ b/tasks/workstation/shared/software/dwm.yml
@@ -51,9 +51,11 @@
 - name: Workstation | Linux | Software | DWM | Install
 shell: "cd {{ dwm_install_dir }}; {{ make }} clean install"
+ ignore_errors: yes
 - name: Workstation | Linux | Software | DWM | Install (st)
 shell: "cd {{ st_install_dir }}; {{ make }} clean install"
+ ignore_errors: yes
 ## X Init Sript ##
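Review bot: The new `ignore_errors: yes` covers both loop items, so a failed `rpm --import` of the Brave signing key is ignored as well as a failed `zypper addrepo`; the install that follows then either fails on the repository's gpgcheck or, if that repo file disables it, pulls unverified packages, and either way the play has already reported the key step as fine. Only the `addrepo` step needs tolerance (presumably it errors when the repo already exists — not visible here), so split the key import into its own strict task and keep `ignore_errors` on the repo step alone; the idempotent `zypper_repository` module from community.general would remove the need for `ignore_errors` altogether if that collection is acceptable here. Dropping `sudo` from the zypper line is correct since the play runs with `become: true`.
```yaml
- name: Workstation | Software | Brave | Import Key (zypper)
  shell: rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc
  when: ansible_pkg_mgr == "zypper"

- name: Workstation | Software | Brave | Add Repo (zypper)
  shell: zypper addrepo https://brave-browser-rpm-release.s3.brave.com/brave-browser.repo
  when: ansible_pkg_mgr == "zypper"
  ignore_errors: yes  # repo already present on re-runs (confirm the actual failure mode)
# … unchanged: Install task …
```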
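Review bot: `- "*libreoffice*"` duplicates the existing `- '*libreoffice*'` two lines below — same string, only the quoting differs — so the removal is attempted twice; drop the new line. Whether the flatpak module expands `*` globs at all is not something this hunk shows; if it does not, both quoted entries are no-ops and only the new plain `libreoffice` entry does anything, so checking the module's documentation is worthwhile before relying on `state: absent` to have removed the app.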