Tweaking:

- Ansible Playbooks refinement - Add Ansible Bootstrapping - Add some notes
2025-07-02 01:27:27 -04:00 · 2023-07-05 17:55:59 +02:00
parent 69be264eae
commit b3f1b71054
7 changed files with 167 additions and 37 deletions
--- a/installer/install/inventory.yml
+++ b/installer/install/inventory.yml
@ -0,0 +1,8 @@
+tpotce:
+  hosts:
+    # Remote IP address, host name or alias:
+    192.168.100.100:
+      # Remote SSH port:
+      ansible_port: 22
+      # Remote SSH user:
+      ansible_user: tsec
--- a/installer/install/sudo.yml
+++ b/installer/install/sudo.yml
@ -1,30 +1,53 @@
 ---
-# Become needs to happen in the task or root will be added to the sudo group instead of the user
- name: On Debian, check if sudo is installed
+#######################################
+# T-Pot - Debian Bootstrapping (sudo) #
+#######################################
+
+# Be sure to use root password as become password
+- name: T-Pot - Debian Bootstrapping (sudo)
  hosts: all
-  gather_facts: true
+  gather_facts: false
  become: false

-  pre_tasks:
-    - name: Check for non-root user id
-      debug:
-        msg: "Detected user: '{{ ansible_user_id }}'"
-      failed_when: ansible_user_id == "root"
+  tasks:
+    - name: Check if running as root
+      assert:
+        that: ansible_user != 'root'
+        fail_msg: "T-Pot playbook should not be run as root."
+        success_msg: "Running as user: {{ ansible_user }}."
+      tags:
+        - "Debian"

-    - name: Install sudo package if not present already
+    - name: Check if running as tpot
+      assert:
+        that: ansible_user != 'tpot'
+        fail_msg: "Reserved username `tpot` detected."
+        success_msg: "Running as user: {{ ansible_user }}."
+      tags:
+        - "Debian"
+
+    - name: Get distribution name
+      raw: awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"' | cut -d " " -f1
+      register: my_distribution
+      tags:
+        - "Debian"
+
+    - name: Check if sudo is installed
+      # Use echo, or task will fail if sudo not found
+      raw: echo -n $(command -v sudo)
+      register: my_sudo
+      tags:
+        - "Debian"
+
+    - name: Add sudo package and add ansible_user to sudo group (Debian)
      become: true
      become_method: su
-      apt:
-        name: sudo
-        state: present
-        update-cache: yes
-      when: ansible_distribution == "Debian"
-
-    - name: Add current user to sudo group
-      become: true
-      become_method: su
-      user:
-        name: "{{ ansible_user_id }}"
-        groups: sudo
-        append: yes
-      when: ansible_distribution == "Debian"
+      raw: |
+        apt update
+        apt -y install sudo
+        /usr/sbin/usermod -aG sudo {{ ansible_user }}
+        echo '{{ ansible_user }} ALL=(ALL:ALL) ALL' | tee /etc/sudoers.d/{{ ansible_user }}
+        chmod 440 /etc/sudoers.d/{{ ansible_user }}
+      when: my_distribution.stdout | trim in ["Debian"] and my_sudo.stdout | trim == ""
+      tags:
+        - "Debian"
--- a/installer/install/tpot.yml
+++ b/installer/install/tpot.yml
@ -1,4 +1,63 @@
 ---
+################################
+# T-Pot - Bootstrapping Python #
+################################
+
+- name: T-Pot - Bootstrapping Python
+  hosts: all
+  gather_facts: false
+  become: true
+  become_method: sudo
+
+  tasks:
+    - name: Get distribution name (All)
+      raw: awk -F= '/^NAME/{print $2}' /etc/os-release | tr -d '"' | cut -d " " -f1
+      register: my_distribution
+      tags:
+        - "AlmaLinux"
+        - "Debian"
+        - "Fedora"
+        - "openSUSE Tumbleweed"
+        - "Rocky"
+        - "Ubuntu"
+
+    - name: Check if python3 is installed (All)
+      raw: echo $(command -v python3)
+      register: my_python3
+      tags:
+        - "AlmaLinux"
+        - "Debian"
+        - "Fedora"
+        - "openSUSE Tumbleweed"
+        - "Rocky"
+        - "Ubuntu"
+
+    - name: Add python package (Debian, Ubuntu)
+      raw: |
+        apt update
+        apt -y install python3
+      when: my_distribution.stdout | trim in ["Debian", "Ubuntu"] and my_python3.stdout | trim == ""
+      tags:
+        - "Debian"
+        - "Ubuntu"
+
+    - name: Add python package (Alma, Fedora, Rocky)
+      raw: |
+        dnf -y --refresh install python3
+      when: my_distribution.stdout | trim in ["AlmaLinux", "Fedora", "Rocky"] and my_python3.stdout | trim == ""
+      tags:
+        - "AlmaLinux"
+        - "Fedora"
+        - "Rocky"
+
+    - name: Add python package (openSUSE Tumbleweed)
+      raw: |
+        zypper refresh
+        zypper -y install python3
+      when: my_distribution.stdout | trim in ["AlmaLinux", "Fedora", "Rocky"] and my_python3.stdout | trim == ""
+      tags:
+        - "openSUSE Tumbleweed"
+
 ################################
 # T-Pot - Abort if run as root #
 ################################
@ -15,12 +74,19 @@
    - "Rocky"
    - "Ubuntu"

-  pre_tasks:
+  tasks:
    - name: Check if running as root (All)
      assert:
        that: ansible_user_id != 'root'
        fail_msg: "T-Pot playbook should not be run as root."
        success_msg: "Running as user: {{ ansible_user_id }}."
+
+    - name: Check if running as tpot (All)
+      assert:
+        that: ansible_user != 'tpot'
+        fail_msg: "Reserved username `tpot` detected."
+        success_msg: "Running as user: {{ ansible_user_id }}."
+
    - name: Check if supported distribution (All)
      assert:
        that: ansible_distribution in ["AlmaLinux", "Debian", "Fedora", "openSUSE Tumbleweed", "Rocky", "Ubuntu"]
--- a/installer/remove/inventory.yml
+++ b/installer/remove/inventory.yml
@ -0,0 +1,8 @@
+tpotce:
+  hosts:
+    # Remote IP address, host name or alias:
+    192.168.100.100:
+      # Remote SSH port:
+      ansible_port: 22
+      # Remote SSH user:
+      ansible_user: tsec
--- a/installer/remove/sudo.yml
+++ b/installer/remove/sudo.yml
@ -1,28 +1,55 @@
 ---
-# Become needs to happen in the task or root will be added to the sudo group instead of the user
- name: On Debian, remove sudo
+################################
+# T-Pot - Debian Remove (sudo) #
+################################
+
+# Be sure to use root password as become password
+- name: T-Pot - Debian Remove (sudo)
  hosts: all
  gather_facts: true
  become: false

-  pre_tasks:
-    - name: Check for non-root user id
-      debug:
-        msg: "Detected user: '{{ ansible_user_id }}'"
-      failed_when: ansible_user_id == "root"
+  tasks:
+    - name: Check if running as root
+      assert:
+        that: ansible_user != 'root'
+        fail_msg: "T-Pot playbook should not be run as root."
+        success_msg: "Running as user: {{ ansible_user }}."
+      tags:
+        - "Debian"
+
+    - name: Check if running as tpot
+      assert:
+        that: ansible_user != 'tpot'
+        fail_msg: "Reserved username `tpot` detected."
+        success_msg: "Running as user: {{ ansible_user }}."
+      tags:
+        - "Debian"

    - name: Remove current user from sudo group
      become: true
      become_method: su
      command: gpasswd -d "{{ ansible_user_id  }}" sudo
      when: ansible_distribution == "Debian"
+      tags:
+        - "Debian"

    - name: Uninstall sudo package if present
      become: true
      become_method: su
-      apt:
+      package:
        name: sudo
        state: absent
        update-cache: no
      when: ansible_distribution == "Debian"
+      tags:
+        - "Debian"

+    - name: Remove sudoers file for ansible_user_id
+      become: true
+      become_method: su
+      file:
+        path: /etc/sudoers.d/{{ ansible_user_id }}
+        state: absent
+      tags:
+        - "Debian"