Configure a scanner user on all machines

Deploy GVM to a box at home
2021-12-30 10:04:31 -06:00 · 2021-12-30 09:34:45 -06:00
5 changed files with 71 additions and 7 deletions
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@ -58,13 +58,21 @@ zerotier_network_id: !vault |
          3339633961393864330a616437613534643231366634643362383438316233376334636264303361
          65313231393433396538663463383731303661633663343066333264303330313133

-# For geerlingguy.apache
-apache_remove_default_vhost: yes
-apache_ssl_cipher_suite: "ECDH:AECDH:!SHA1:!SHA256:!SHA384"
-apache_ssl_protocol: all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
-
-# For geerlingguy.php
-##RESERVED
+# For GVM
+secret_gvm_db_pass: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          36386339623936656635346132333761356566313430616536346363363335393365613731396539
+          3664323233396565666334306263303338346637613361390a666634656636373136313634323262
+          37666165336437323031326262646333393439646664393066383765346631383835663762323263
+          3363326461316636660a323465373630323435313161663362356234376563633266336534303861
+          39393835666661323637353830336530393361643664656536313035386338323937
+secret_gvm_pass: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          36393639656131363065343830323830323365383933646261353661326235383366343864386135
+          3335326666623162396234313462653264326362323261360a633736353363666538393064616439
+          35323734623233313937623861306337633539623761396266363939363565653638613661333366
+          6637306661373339350a633038336339306639386539336163386530376662663663653966336633
+          65383335323339366637633934323632666638366265353839306432373365376530

 # For gulagbot
 secret_gulagbot_db_pass: !vault |
--- a/playbooks/all_scanner.yml
+++ b/playbooks/all_scanner.yml
@ -0,0 +1,16 @@
+#!/usr/bin/env ansible-playbook
+# vim:ft=ansible:
+---
+- hosts: all
+  tasks:
+    - name: assure scanner user
+      user: name=scanner password="!" state=present
+      tags: [ scanner, greenbone ]
+    - name: assure scanner user sudoers rule
+      lineinfile: path=/etc/sudoers line=
+      tags: [ scanner, greenbone ]
+    - name: assure scanner user authorized keys
+      authorized_key:
+        user: scanner
+        key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCTtAXbh9IDD0dYIJhtWiOtmAYgH5ul5aMksb9RtdUa04DkZ2tcxIay9Wm/84yxultevvpOlFcKGNaBiLVHknkYO/eLS6W38xXy40DcIMRgzpWOu54hvL6jzzhbdupUkO+f6UGEE3j/uEnkoCKUbj0NMMDQgC/5t2N4lysuGeZMMOL85UdEmXdul4lQLlDywIo3P1cifxaRfnADgqQnt3zSlgIwKJi2Vjyh4A1Xox2wn8fQXs+MfuclVdWQlDkKFMuDdQdZnGUnqKjuEE1PZe/jDxTgjGBU3t3v8m2gRxZQyll6Ju6Z5oeBI6LN0P/Dt7XKyWmrWaub0pLDmklWqU0g+aUj5oiokvf/3A27EIoP5ifSK760B8DPZHLgM2OZhsUzUaYy36yFx3Le25iGlDWjIy9GZo1iZXp558I5VKLh4uUL4MjhvL5UpMLa4NL4VrHvrjzMbWquNvsMYVgk6Y07VaVcg43wTdcX6Jzxzd6IvGVBS1kXZC3kZeqU+zUYbQE="
+      tags: [ scanner, greenbone ]
--- a/playbooks/home_app.yml
+++ b/playbooks/home_app.yml
@ -21,6 +21,22 @@
        backup_s3backup_list_extra:
          - /data
      tags: [ backup ]
+- hosts: vm-scan-1.home.mgmt.desu.ltd
+  module_defaults:
+    docker_container:
+      state: started
+      restart_policy: unless-stopped
+      pull: yes
+  pre_tasks:
+    - name: ensure docker network
+      docker_network: name=web
+      tags: [ docker ]
+  tasks:
+    - name: include tasks for applications
+      include_tasks: tasks/{{ item }}
+      with_items:
+        - app/gvm.yml
+      tags: [ always ]
 - hosts: vm-syncthing-1.home.mgmt.desu.ltd
  module_defaults:
    docker_container:
--- a/playbooks/tasks/app/gvm.yml
+++ b/playbooks/tasks/app/gvm.yml
@ -0,0 +1,23 @@
+# vim:ft=ansible:
+- name: docker deploy gvm
+  docker_container:
+    name: gvm
+    image: securecompliance/gvm:latest
+    env:
+      DB_PASSWORD: "{{ secret_gvm_db_pass }}"
+      USERNAME: admin
+      PASSWORD: "{{ secret_gvm_pass }}"
+      TZ: America/Chicago
+    networks:
+      - name: web
+        aliases: [ "gvm" ]
+    volumes:
+      - /data/gvm/gvm:/var/lib/gvm
+      - /data/gvm/openvas-plugins:/var/lib/openvas/plugins
+      - /data/gvm/postgres:/opt/database
+      - /data/gvm/ssh:/etc/ssh
+    ports:
+      - 443:9392/tcp
+      - 5432:5432/tcp
+      - 2222:22/tcp
+  tags: [ docker, gvm ]
--- a/site.yml
+++ b/site.yml
@ -3,6 +3,7 @@
 ---
  # Preambulatory system configuration
 - import_playbook: playbooks/all.yml
+- import_playbook: playbooks/all_scanner.yml
  # Platform configuration
 - import_playbook: playbooks/platforms_ub2004.yml
 - import_playbook: playbooks/platforms_proxmox-ve-7.yml
Author	SHA1	Message	Date
Salt	111f1cdef6	Configure a scanner user on all machines	2021-12-30 10:04:31 -06:00
Salt	1cff8a6aa8	Deploy GVM to a box at home	2021-12-30 09:34:45 -06:00