diff --git a/handlers/main.yml b/handlers/main.yml index 798eabf..21c237c 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: restart crowdsec - systemd: + ansible.builtin.systemd: name: crowdsec state: restarted - name: restart crowdsec-firewall-bouncer - systemd: + ansible.builtin.systemd: name: crowdsec-firewall-bouncer - state: restarted \ No newline at end of file + state: restarted diff --git a/meta/main.yml b/meta/main.yml index 5629d8b..c365cd3 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -6,11 +6,13 @@ galaxy_info: galaxy_tags: [] license: GPL2 platforms: - - name: CentOS - version: - - 7 - - 8 - - name: RedHat - version: - - 7 - - 8 + - name: CentOS + version: + - 7 + - 8 + - 9 + - name: RedHat + version: + - 7 + - 8 + - 9 diff --git a/tasks/add_bouncer.yml b/tasks/add_bouncer.yml index 33f1cb1..b50e71d 100644 --- a/tasks/add_bouncer.yml +++ b/tasks/add_bouncer.yml 
@@ -14,23 +14,23 @@ when: - ansible_os_family == "RedHat" -#- name: Register new bouncer -# command: cscli bouncers add {{ inventory_hostname }} -o raw -# register: _csbouncer -# delegate_to: "{{ crowdsec_delegate_server_hostname }}" -# changed_when: _csbouncer.stderr is not search("already exists") -# -#- name: Deploy bouncer config -# lineinfile: -# regex: "{{ item.regex }}" -# line: "{{ item.line }}" -# dest: /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml -# with_items: -# - regex: "^api_url" -# line: "api_url: {{ crowdsec_lapi_url }}" -# - regex: "^api_key" -# line: "api_key: {{ _csbouncer.stdout }}" -# when: _csbouncer.changed -# notify: restart crowdsec-firewall-bouncer -# loop_control: -# label: "{{ item.regex }}" +# - name: Register new bouncer +# ansible.builtin.command: cscli bouncers add {{ inventory_hostname }} -o raw +# register: _csbouncer +# delegate_to: "{{ crowdsec_delegate_server_hostname }}" +# changed_when: _csbouncer.stderr is not search("already exists") +# +# - name: Deploy bouncer config +# ansible.builtin.lineinfile: +# regex: "{{ item.regex }}" +# line: "{{ item.line }}" +# dest: /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml +# with_items: +# - regex: "^api_url" +# line: "api_url: {{ crowdsec_lapi_url }}" +# - regex: "^api_key" +# line: "api_key: {{ _csbouncer.stdout }}" +# when: _csbouncer.changed +# notify: restart crowdsec-firewall-bouncer +# loop_control: +# label: "{{ item.regex }}" diff --git a/tasks/main.yml b/tasks/main.yml index d4ce028..2bd1c3d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
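Review bot: The commented-out "Register new bouncer" task registers the output of `cscli bouncers add ... -o raw` as `_csbouncer` and later writes `_csbouncer.stdout` into the bouncer config as `api_key`, so if this block is ever re-enabled the bouncer API key will be printed in task output and verbose logs; it should carry `no_log: true` on both the register task and the `lineinfile` task. Since the commit takes the effort to re-indent and FQCN-qualify dead code, it would be cleaner to either delete it or revive it with that guard rather than maintain it as a comment. The task this hunk's `when:` belongs to starts above the hunk, outside the shown lines.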
@@ -1,99 +1,99 @@ --- - name: Crowdsec setup block: -# - name: Include vars for {{ ansible_os_family }} -# include_vars: "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml" +# - name: Include vars for {{ ansible_os_family }} +# ansible.builtin.include_vars: "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml" - - name: Debian family configuration - block: - - name: Install required packages + - name: Debian family configuration + block: + - name: Install required packages + ansible.builtin.package: + name: + - apt-transport-https + - gnupg + state: present + update_cache: true + + - name: add crowdsec apt key + ansible.builtin.apt_key: + url: https://packagecloud.io/crowdsec/crowdsec/gpgkey + state: present + + - name: add crowdsec repository + ansible.builtin.apt_repository: + repo: 'deb https://packagecloud.io/crowdsec/crowdsec/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release|lower }} main' + state: present + update_cache: true + + when: + - ansible_os_family == "Debian" + + - name: RedHat family configuration + block: + - name: Import CrowdSec RPM key + ansible.builtin.rpm_key: + state: present + key: "{{ item }}" + with_items: + - https://packagecloud.io/crowdsec/crowdsec/gpgkey + - https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-B78D1222C9AD2D5D.pub.gpg + - https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-FED78314A2468CCF.pub.gpg + - name: Add Official crowdsec's repo + ansible.builtin.yum_repository: + name: crowdsec_crowdsec + description: crowdsec_crowdsec + baseurl: https://packagecloud.io/crowdsec/crowdsec/el/$releasever/$basearch + enabled: true + gpgcheck: true + repo_gpgcheck: true + gpgkey: + - https://packagecloud.io/crowdsec/crowdsec/gpgkey + - https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-B78D1222C9AD2D5D.pub.gpg + - https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-FED78314A2468CCF.pub.gpg + metadata_expire: "300" + 
file: crowdsec + + when: + - ansible_os_family == "RedHat" + + - name: Install crowdsec ansible.builtin.package: name: - - apt-transport-https - - gnupg + - crowdsec state: present - update_cache: yes + update_cache: true - - name: add crowdsec apt key - ansible.builtin.apt_key: - url: https://packagecloud.io/crowdsec/crowdsec/gpgkey - state: present + - name: Deploy main config + ansible.builtin.template: + src: etc/crowdsec/config.yaml.j2 + dest: /etc/crowdsec/config.yaml + owner: root + group: root + mode: 0644 + notify: restart crowdsec - - name: add crowdsec repository - ansible.builtin.apt_repository: - repo: 'deb https://packagecloud.io/crowdsec/crowdsec/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release|lower }} main' - state: present - update_cache: yes + - name: Deploy whitelist + ansible.builtin.template: + src: etc/crowdsec/parsers/s02-enrich/mywhitelist.yaml.j2 + dest: /etc/crowdsec/parsers/s02-enrich/mywhitelist.yaml + owner: root + group: root + mode: 0644 + when: crowdsec_whitelist.enabled + notify: restart crowdsec - when: - - ansible_os_family == "Debian" + - name: Flush handlers to apply config + ansible.builtin.meta: flush_handlers - - name: RedHat family configuration - block: - - name: Import CrowdSec RPM key - ansible.builtin.rpm_key: - state: present - key: "{{ item }}" - with_items: - - https://packagecloud.io/crowdsec/crowdsec/gpgkey - - https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-B78D1222C9AD2D5D.pub.gpg - - https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-FED78314A2468CCF.pub.gpg - - name: Add Official crowdsec's repo - ansible.builtin.yum_repository: - name: crowdsec_crowdsec - description: crowdsec_crowdsec - baseurl: https://packagecloud.io/crowdsec/crowdsec/el/$releasever/$basearch - enabled: true - gpgcheck: true - repo_gpgcheck: true - gpgkey: - - https://packagecloud.io/crowdsec/crowdsec/gpgkey - - 
https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-B78D1222C9AD2D5D.pub.gpg - - https://packagecloud.io/crowdsec/crowdsec/gpgkey/crowdsec-crowdsec-FED78314A2468CCF.pub.gpg - metadata_expire: "300" - file: crowdsec - - when: - - ansible_os_family == "RedHat" - - - name: Install crowdsec - ansible.builtin.package: - name: - - crowdsec - state: present - update_cache: yes - - - name: Deploy main config - template: - src: etc/crowdsec/config.yaml.j2 - dest: /etc/crowdsec/config.yaml - owner: root - group: root - mode: 0644 - notify: restart crowdsec - - - name: Deploy whitelist - template: - src: etc/crowdsec/parsers/s02-enrich/mywhitelist.yaml.j2 - dest: /etc/crowdsec/parsers/s02-enrich/mywhitelist.yaml - owner: root - group: root - mode: 0644 - when: crowdsec_whitelist.enabled - notify: restart crowdsec - - - name: Flush handlers to apply config - meta: flush_handlers - -# - name: Register agent(s) -# include_tasks: register_agent.yml -# when: -# - crowdsec_delegate_server_hostname != inventory_hostname +# - name: Register agent(s) +# ansible.builtin.include_tasks: register_agent.yml +# when: +# - crowdsec_delegate_server_hostname != inventory_hostname # - - name: Register distributed bouncers(s) - include_tasks: add_bouncer.yml - when: - - crowdsec_bouncer.enabled + - name: Register distributed bouncers(s) + ansible.builtin.include_tasks: add_bouncer.yml + when: + - crowdsec_bouncer.enabled tags: - crowdsec diff --git a/tasks/register_agent.yml b/tasks/register_agent.yml index 59b4d32..577ff99 100644 --- a/tasks/register_agent.yml +++ b/tasks/register_agent.yml 
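Review bot: The "add crowdsec apt key" task still uses `ansible.builtin.apt_key`, which places the packagecloud key in the system-wide trusted keyring so it is accepted as a signer for every configured apt source, not just the crowdsec one; the `apt-key` mechanism is also deprecated on current Debian/Ubuntu. The RedHat branch in the same hunk already scopes trust correctly with `gpgkey:` plus `gpgcheck`/`repo_gpgcheck` on the single repo, so the Debian branch should do the same by fetching the key to a dedicated keyring file and referencing it with `signed-by=` in the `apt_repository` line, as sketched below (the keyring directory may need to be created first on older releases, and apt must accept an armored key there - please verify against the targeted platforms). Separately, the two `mode: 0644` values in the template tasks are unquoted octal-looking scalars; `mode: "0644"` avoids parser-dependent reinterpretation and is what ansible-lint's octal-values rule expects.

```yaml
      - name: add crowdsec apt key
        ansible.builtin.get_url:
          url: https://packagecloud.io/crowdsec/crowdsec/gpgkey
          dest: /etc/apt/keyrings/crowdsec.asc  # illustrative path - choose the role's keyring location
          mode: "0644"

      - name: add crowdsec repository
        ansible.builtin.apt_repository:
          repo: 'deb [signed-by=/etc/apt/keyrings/crowdsec.asc] https://packagecloud.io/crowdsec/crowdsec/{{ ansible_distribution|lower }}/ {{ ansible_distribution_release|lower }} main'
          state: present
          update_cache: true
# … unchanged: Debian "Install required packages" task, RedHat block, install/template/handler tasks …
```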
@@ -1,17 +1,17 @@ --- - name: Check if agent is already registered - shell: cscli machines list -o raw | grep {{ inventory_hostname }} | grep true || echo "Not found" + ansible.builtin.shell: cscli machines list -o raw | grep {{ inventory_hostname }} | grep true || echo "Not found" register: _csmachines delegate_to: "{{ crowdsec_delegate_server_hostname }}" changed_when: false - block: - name: Register agent to server - command: cscli lapi register -u {{ crowdsec_lapi_url }} --machine {{ inventory_hostname }} + ansible.builtin.command: cscli lapi register -u {{ crowdsec_lapi_url }} --machine {{ inventory_hostname }} notify: restart crowdsec - name: Validate agent on server - command: cscli machines validate {{ inventory_hostname }} + ansible.builtin.command: cscli machines validate {{ inventory_hostname }} delegate_to: "{{ crowdsec_delegate_server_hostname }}" when: - _csmachines.rc == 0
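Review bot: The registration check's shell pipeline ends in `|| echo "Not found"`, so `_csmachines.rc` is 0 whether or not the host is already registered, and the `_csmachines.rc == 0` condition at the end of the hunk can never distinguish the two cases; the guard should look at the captured text instead, e.g. `when: "'Not found' in _csmachines.stdout"` (or drop the `|| echo` fallback and keep `failed_when: false` so the exit code carries meaning). From the surviving indentation it is not fully clear whether that `when:` is attached to the `block:` or only to the "Validate agent on server" task, which affects whether the register step is guarded at all - worth confirming. A smaller point: `{{ inventory_hostname }}` is interpolated unquoted into a shell pipeline; passing it through the `quote` filter keeps an unusual inventory name from being parsed as shell syntax.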