From 5436060904fc207a64da97864747978701dab9c9 Mon Sep 17 00:00:00 2001 
From: Paul Czarkowski Date: Sun, 25 Jun 2017 23:39:27 -0500 Subject: [PATCH] Add support for Google Authenticator 2fa Yubikeys are great, but not everyone has the hardware, Google 2fa is an easier to demonstrate 2fa system. As well as adding Google 2fa, I wrote a fairly lengthy doc on deploying a bastion as well as moving some roles around to cleanup a bit. --- docs/bastion_user_admin.md | 46 +- docs/deploy_2fa_secured_bastion.md | 205 +++++++ envs/example/bastion/bastion-users.yml | 74 --- envs/example/bastion/group_vars/all.yml | 502 +++++++----------- envs/example/vagrant.yml | 3 + plugins/vars/default_vars.py | 2 +- roles/bastion/defaults/main.yml | 7 + roles/bastion/tasks/google-2fa.yml | 35 ++ roles/bastion/tasks/main.yml | 13 +- roles/bastion/templates/google_authenticator | 7 + roles/common/defaults/main.yml | 2 +- roles/common/tasks/ssh.yml | 8 +- ...ized_keys.py => github_authorized_keys.py} | 16 +- roles/common/templates/etc/ssh/sshd_config | 17 +- roles/security/defaults/main.yml | 1 + .../ttyspy-client/handlers/main.yml | 0 .../{ => ttyspy}/ttyspy-client/meta/main.yml | 0 .../ttyspy-client/tasks/checks.yml | 0 .../{ => ttyspy}/ttyspy-client/tasks/main.yml | 7 +- .../ttyspy-client/tasks/metrics.yml | 0 .../ttyspy-client/tasks/serverspec.yml | 0 .../templates/etc/init/ttyspyd.conf | 0 .../ttyspy-client/templates/etc/ttyspy.conf | 0 .../templates/etc/ttyspy/client/ca.pem | 0 .../templates/etc/ttyspy/client/cert.pem | 0 .../templates/etc/ttyspy/client/key.pem | 0 .../serverspec/ttyspy-client_spec.rb | 0 .../ttyspy-common/defaults/main.yml | 1 + .../{ => ttyspy}/ttyspy-common/meta/main.yml | 0 .../ttyspy-common/tasks/checks.yml | 0 .../{ => ttyspy}/ttyspy-common/tasks/main.yml | 0 .../ttyspy-common/tasks/metrics.yml | 0 .../ttyspy-common/tasks/serverspec.yml | 0 .../serverspec/ttyspy-common_spec.rb | 0 .../ttyspy-server/handlers/main.yml | 0 .../{ => ttyspy}/ttyspy-server/meta/main.yml | 0 .../ttyspy-server/tasks/checks.yml | 0 
.../ttyspy-server/tasks/compression.yml | 0 .../{ => ttyspy}/ttyspy-server/tasks/main.yml | 1 + .../ttyspy-server/tasks/metrics.yml | 0 .../ttyspy-server/tasks/serverspec.yml | 0 .../etc/cron.daily/ttyspy_compression | 0 .../templates/etc/ttyspy/compression.py | 0 .../templates/etc/ttyspy/server/ca.pem | 0 .../templates/etc/ttyspy/server/cert.pem | 0 .../templates/etc/ttyspy/server/key.pem | 0 .../serverspec/ttyspy-server_spec.rb | 0 site.yml | 13 +- 48 files changed, 523 insertions(+), 437 deletions(-) create mode 100644 docs/deploy_2fa_secured_bastion.md delete mode 100644 envs/example/bastion/bastion-users.yml create mode 100644 roles/bastion/tasks/google-2fa.yml create mode 100644 roles/bastion/templates/google_authenticator rename roles/common/templates/bin/{ghe_authorized_keys.py => github_authorized_keys.py} (50%) rename roles/{ => ttyspy}/ttyspy-client/handlers/main.yml (100%) rename roles/{ => ttyspy}/ttyspy-client/meta/main.yml (100%) rename roles/{ => ttyspy}/ttyspy-client/tasks/checks.yml (100%) rename roles/{ => ttyspy}/ttyspy-client/tasks/main.yml (85%) rename roles/{ => ttyspy}/ttyspy-client/tasks/metrics.yml (100%) rename roles/{ => ttyspy}/ttyspy-client/tasks/serverspec.yml (100%) rename roles/{ => ttyspy}/ttyspy-client/templates/etc/init/ttyspyd.conf (100%) rename roles/{ => ttyspy}/ttyspy-client/templates/etc/ttyspy.conf (100%) rename roles/{ => ttyspy}/ttyspy-client/templates/etc/ttyspy/client/ca.pem (100%) rename roles/{ => ttyspy}/ttyspy-client/templates/etc/ttyspy/client/cert.pem (100%) rename roles/{ => ttyspy}/ttyspy-client/templates/etc/ttyspy/client/key.pem (100%) rename roles/{ => ttyspy}/ttyspy-client/templates/serverspec/ttyspy-client_spec.rb (100%) rename roles/{ => ttyspy}/ttyspy-common/defaults/main.yml (85%) rename roles/{ => ttyspy}/ttyspy-common/meta/main.yml (100%) rename roles/{ => ttyspy}/ttyspy-common/tasks/checks.yml (100%) rename roles/{ => ttyspy}/ttyspy-common/tasks/main.yml (100%) rename roles/{ => 
ttyspy}/ttyspy-common/tasks/metrics.yml (100%) rename roles/{ => ttyspy}/ttyspy-common/tasks/serverspec.yml (100%) rename roles/{ => ttyspy}/ttyspy-common/templates/serverspec/ttyspy-common_spec.rb (100%) rename roles/{ => ttyspy}/ttyspy-server/handlers/main.yml (100%) rename roles/{ => ttyspy}/ttyspy-server/meta/main.yml (100%) rename roles/{ => ttyspy}/ttyspy-server/tasks/checks.yml (100%) rename roles/{ => ttyspy}/ttyspy-server/tasks/compression.yml (100%) rename roles/{ => ttyspy}/ttyspy-server/tasks/main.yml (97%) rename roles/{ => ttyspy}/ttyspy-server/tasks/metrics.yml (100%) rename roles/{ => ttyspy}/ttyspy-server/tasks/serverspec.yml (100%) rename roles/{ => ttyspy}/ttyspy-server/templates/etc/cron.daily/ttyspy_compression (100%) rename roles/{ => ttyspy}/ttyspy-server/templates/etc/ttyspy/compression.py (100%) rename roles/{ => ttyspy}/ttyspy-server/templates/etc/ttyspy/server/ca.pem (100%) rename roles/{ => ttyspy}/ttyspy-server/templates/etc/ttyspy/server/cert.pem (100%) rename roles/{ => ttyspy}/ttyspy-server/templates/etc/ttyspy/server/key.pem (100%) rename roles/{ => ttyspy}/ttyspy-server/templates/serverspec/ttyspy-server_spec.rb (100%) diff --git a/docs/bastion_user_admin.md b/docs/bastion_user_admin.md index 99238f7..54abd6e 100644 --- a/docs/bastion_user_admin.md +++ b/docs/bastion_user_admin.md @@ -29,13 +29,14 @@ There are two data structures of importance in your ansible inventory. Users belong to groups, and groups have ssh keys. Certain systems permit access to specific ssh keys. Here's a taste: ``` - blueboxadmin: - system: yes - ssh_keys: - enable_passphrase: no - fingerprint: ~ - public: ~ - private: ~ + user_groups: + blueboxadmin: + system: yes + ssh_keys: + enable_passphrase: no + fingerprint: ~ + public: ~ + private: ~ ``` 2. `users` 
@@ -45,21 +46,22 @@ There are two data structures of importance in your ansible inventory. This allows granular, explicit, and auditable control of permissions on Bastion systems. Users also have YubiKey data associated with them, which allows for two-factor authentication. `uid` needs to be unique per user. Here's a flavor: ``` - bobsmith: - comment: "Bob Smith; bobsmith@example.com" - primary_group: default - groups: - - internal_restricted - - OpenStack_Operations - - SiteController_Operations - public_keys: - - ssh-rsa AAAAB3... - uid: 1002 - yubikey: - aes_key: ~ - private_id: ~ - public_id: ~ - serial_number: ~ + users: + bobsmith: + comment: "Bob Smith; bobsmith@example.com" + primary_group: default + groups: + - internal_restricted + - OpenStack_Operations + - SiteController_Operations + public_keys: + - ssh-rsa AAAAB3... + uid: 1002 + yubikey: + aes_key: ~ + private_id: ~ + public_id: ~ + serial_number: ~ ``` ## Add & Update Bastion Users diff --git a/docs/deploy_2fa_secured_bastion.md b/docs/deploy_2fa_secured_bastion.md new file mode 100644 index 0000000..cf08e08 --- /dev/null +++ b/docs/deploy_2fa_secured_bastion.md 
@@ -0,0 +1,205 @@ +# Deploying a 2FA enabled Bastion + +One of the core compontents of Cuttle is the two factor enabled secure Bastion. +This document will talk through how to use the composable nature of Cuttle to +install just the necessary parts to create a secure Bastion with two factor +authentication and secure logging. + +We will deploy two bastion servers for HA that utilize Google Authenticator +for 2FA and sshagentmux for group based access control. To do this we will +use Vagrant and the `envs/example/bastion` inventory. Take the time to +explore the inventory files in that directory before starting. + +Ordinarily you would use `ansible-vault` to encrypt the variables found in here, +especially the ones that include keys and passwords, however for the sake of +demonstration they're left plain text here. + +Before we set up the 2 Factor Authentication we will kick of a basic install of +Bastion and Logging servers. + +``` +$ ursula --provisioner=vagrant envs/example/bastion site.yml +ringing machine 'ttyspy01' up with 'virtualbox' provider... +Bringing machine 'bastion01' up with 'virtualbox' provider... +Bringing machine 'bastion02' up with 'virtualbox' provider... +... +... +``` + +## Explore user management + +Cuttle creates users on your machines based on the `users` and `user_groups` +sections of your ansible inventory. Both are fairly straight forward in their +content and have some extra settings for bastion like servers. + +If you set `_users.manage_authorized_keys: true` then instead of placing the user's +`authorized_keys` files in their `~/.ssh` like normal it places them in a root only +writable location `/etc/ssh/authorized_keys` which means the users need to provide +their public keys via ansible inventory and cannot modify them on the system themselves. +This is accomplished by the setting `AuthorizedKeysFile /etc/ssh/authorized_keys/%u.keys` +in sshd_config. 
+ +Because we did this in the example we also had to set a `vagrant` user in the +users variable so that we could add its public key back in. + +You can even set `common.ssh.github_authorized_keys` which enabled a very +rudimentary script that scrapes the github API upon login to grab the user's +valid public keys. This is very useful for dev enivornments, but ties your +ability to login to the availability of the github api. It is turned off in +this example. + +## Explore group based access controls with sshagentmux + +[sshagentmux](https://github.com/blueboxgroup/sshagentmux) is a tool written by +the Blue Box team to emulate a ssh-agent and provide an private keys via +ssh-agent to a user based on group membership. Giving them access to the keys +via ssh-agent allows it to keep the user from ever viewing or changing the key. + +private and public keys are assigned to groups in the `user_groups` variable in +the ansible inventory (it can even support keys with passphrases) and then flow +onto the users who are in those groups. + +This means that I can restrict access to groups of servers by having an `admin` +user and adding the `admin` group's public key to its `authorized_keys`. + +### Demonstrate ACLs with sshagentmux + +``` +$ ssh -F envs/example/bastion/.ssh_config bobsmith@bastion01 +bobsmith@bastion01:~$ ssh-add -l +2048 ee:53:dc:40:87:49:6e:96:88:3d:02:5d:ca:f2:ac:c6 pczarkowski@czark (RSA) +2048 64:f3:60:f0:33:ed:8b:a3:af:33:c3:c1:e6:c8:41:bf /root/.ssh/admin-id_rsa (RSA) +bobsmith@bastion01:~$ exit +``` + +You'll see in the above I have two keys in my agent. One is forwarded from my +desktop (the ssh config that we created from the Vagrantfile has agent +forwarding enabled) and the other key is my admin group's key. + +Try to view that key! you can't. 
+ +We have created an `admin` user in our `users` dictionary with this public key +in its authorized_keys, so you should be able to ssh into one of the other +servers using this key: + +``` +ssh -F envs/example/bastion/.ssh_config bobsmith@bastion01 +bobsmith@bastion01:~$ ssh admin@ttyspy01 +Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-117-generic x86_64) +admin@ttyspy01:~$ exit +bobsmith@bastion01:~$ exit +``` + +## Explore ttyspy + +[ttyspy](https://github.com/IBM/ttyspy) is a fairly simple concept that emulates +the linux [script](https://linux.die.net/man/1/script) +command to log sessions, but instead of logging to a file it sends it over a +TLS secured connection to the ttyspyserver. _It can nearly be done by tying `script` +and `netcat` (or `curl -X POST`) together with a named pipe._ + +The server is a fairly simple daemon that is run by an installed service. the +client is made up of two parts a daemon that drops a socket file and a +`ForceCommand` config setting in `/etc/ssh/sshd.conf` that forces all `ssh` +connections to pipe through ttyspy. + +You can set a backdoor (`bastion.backdoor_user: vagrant`) user in your ansible +inventory that skips the `ForceCommand` and thus logging/2fa etc. This can be +useful for the initial setup or for dev work, but we recommend against doing +it in production use cases unless you are very careful. + +Both the TTY Spy client and Servers have TLS keys which are secured by a common +CA certificate. The ones in the example inventory we're using was generated via +the command `docker run -ti -e SSL_SUBJECT=server.test paulczar/omgwtfssl` +and we set the ansible variable `etc_hosts` to fake out DNS for this ttyspy +server so that we don't have to fight TLS with IP addresses. + +In this example we are putting our session transcripts in `/tmp/transcripts` which +is not particularly secure. 
We can quite easily put it in an encrypted volume, +one that is encrypted before cuttle is run, or by utilizing the `mange_disks` role +which can create `luks` encrypted `LVM` volumes. + +### Demonstrate ttyspy + +SSH into a bastion server and run some commands, since we set a backdoor for the +vagrant user we'll need to use the `bobsmith` user we created: + +``` +$ ssh -F envs/example/bastion/.ssh_config bobsmith@bastion02 +$ echo hello +$ cat /etc/passwd +$ exit +``` + +Now we'll check out the logs for the session we just had on bastion02: + +_each user session gets its own log file based on the date-time of the login._ + +``` +$ vagrant ssh ttyspy01 +vagrant@ttyspy01:~$ sudo cat /tmp/transcripts/bobsmith/bastion02/2017/06/25/transcript_2017-06-25T18\:22\:06Z_308648827 +Username: bobsmith +GECOS: Bob Smith; bobsmith@example.com +Hostname: bastion02 +Session started: 2017-06-25T18:22:06Z +SSH_Client: 10.0.2.2 53914 22 +bobsmith@bastion02:~$ echo hello +hello +bobsmith@bastion02:~$ cat /etc/passwd +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +... +bobsmith@bastion02:~$ exit +logout +Session ended: 2017-06-25T18:22:13Z +``` + +## Explore 2 Factor Authentication + +2FA is achieved by utilizing either Google Authenticator or yubikeys. + +The easiest of the options is Google Authenticator as there are plenty of +OTP clients to use, including the Google Authenticator phone app. + +we have an extra file in our inventory called `bastion-users.yml` which we can +inject into our ansible runs with `-e "@envs/example/bastion/bastion-users.yml"`. 
+While we can do a full `site.yml` run to add the users, we can also be a bit more +targeted by running it with just the necessary tags: + +``` +$ ursula --provisioner=vagrant envs/example/bastion \ + site.yml --tags ssh,google-2fa \ + -e "twofa_enabled=true" \ + -e "usernames=bobsmith" +``` + +The `twofa_enabled` variable we set above is a shortcut in the bastion +inventory so that we can easily toggle it on. + +We preload the google authenticator details in the `users` variable in inventory +and host the files in a directory that only root can read so that users cannot +remove or mess with their google authenticator id. + +You can create google authenticator keys needed for the inventory by running +the command `$ google-authenticator -t -d -f -r 3 -R 30 -W` on a machine with +the google authenticator pam module already installed. This will output a URL +and a QR Code that the user you've created can access/scan to set up their +2fa client. + +Since I have an example 2fa code for the `bobsmith` user you can just browse +[here](https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/vagrant@bastion01%3Fsecret%3DJEPXZJ3HSYNHMDQO) +to set up your google authenticator client for it. + +For this demo we have enabled `nullok` in our inventory so that the vagrant user +can login without 2fa, in production you would probably want to disable `nullok`. + +### Demonstrate 2 Factor Authentication + +``` +ssh -F envs/example/bastion/.ssh_config bobsmith@bastion01 +Verification code: +To run a command as administrator (user "root"), use "sudo ". +See "man sudo_root" for details. + +bobsmith@bastion01:~$ +``` diff --git a/envs/example/bastion/bastion-users.yml b/envs/example/bastion/bastion-users.yml deleted file mode 100644 index be5e9fc..0000000 --- a/envs/example/bastion/bastion-users.yml +++ /dev/null 
@@ -1,74 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-34626462393236363232316530346665643334646530333337323262356538346663626565653031
-3431666463653634653434333839346663383664363635620a356466643733616364646361616562
-65353133303739643530393261303534363637656139613536313839623632336434663362666465
-3534363737636536390a346230383863373637333531643836313839613761313030636133386462
-39396630376239396239393931356464333733383630383530306137323037336666643162393534
-65643461646565646138373732656664393863356634303830313061623864373538653538343265
-31306230363031643138643630373132623435353434666261626430636364373766386565643435
-61663135313035323033383133663832393438306162666437316661653763353135323733346430
-33343262643766333062316136323438623731633938343034396631346433303030646132626135
-35623665623362306536326438656364343938346136623235303364623130393765643634626663
-63353465323762303834363866343264636235626261636266653737373731363131666431343162
-65613835386566336339643661653830666531346662366662313737386231386538326130636166
-38643365313830633032356166613032383465653131326161386633363034396162306635376362
-32386639356537626133396361623138343039343662353236393662653261623765376365326439
-32383335323564303462323337626533373531373063363134366338386332633365666239383862
-65313432373639643930356638363966663337326662323666396564313833336364623138356530
-34343731366637356661376433326138343433643063393364396132333366383063393561616439
-62643662616436626430653531656434653166396433393230386534643831626136643533646265
-34373764613561383438663438396437633637336335626132616231613862636365666133633061
-64386435326332623937363864616430643134396666663361623034336665663166326434326431
-65646134333534303232623636366264376663383563653932643733336433303131366462656364
-38376565363337306236323664306363646561616533656231663734393364663331303430353563
-37323835373032363532333732326266383366393065396662393932323039373630306461326665
-32333539666133623336363437643766393039333863623635313537356363663636323037303833
-65613232356238636135353433313236366631313965373439656266656332626364346132353830
-39376565376366633731333932383461313536353439386632663861656161333134333262663234
-66633263373166666564663531643165333061323034353734346533666438373935653636353636
-37313135376561653563376563306361613532396534383031623863616335383238616539393035
-62353066353765633634636636643136656563626632333965373063633831376133633631333232
-30653362663866383330636537613365366630306531393332313336363263653165633431663361
-36373139303765356661373261613566376338613035396139313438613733393963353637383864
-33386661343739383765336362623834313437326634326565396230616166323463333638663239
-63333765626633613830393664653665363937343666376432666438396432663666383630303864
-65623634343732616365356437323762653763656634306237343864313863653261303432666231
-37636262303834373136643165646438636137383165313363316664663533303737396337356530
-66363765383263363437653631643636633330326362336432333666343233313862373931353833
-32306133623335616534316132616435626164386661656661616162326161623039663863303663
-39616430633734623161306632303235633966356161366362316432653132303665323032363561
-64623961366662326432643966363865333064376161343335313039623362363735633531396462
-62626635383036353036383563353033303963333533643564616430663630343266613264666432
-39353036613564393730633430363831383531316261306665366432643061396534336332373364
-39343663616638343736333034316339313737363631613165656233383036336430393363393139
-65663131386135343236323462323031656536316563383930366439656530623636663635626165
-31666366396330396465383666633163363933613566653433623164356165343330653964346565
-63613135323235343937636133303534613639383362326664386363623632366339383337366237
-38616435306363643432376464626431333765353061363361373034646339313461316539336666
-64323762666630326238313932643933656662643965313737383137666430386662343339333236
-30393436653532336432393033643833613831636438616562303935666662386236323931343835
-38633137353538363337343435663137343363366265353937396336333964323264333233653662
-63616535306436363664316364353239636633366163376638643532646566303564366639353965
-35326665363866656131613663653334343765353234666432653535663665373465343039396432
-66346461366562303666336536366565636230336561316436623462343665663761646131613665
-32363464633833383331613261643936333039663838383337393065626662373135383163383361
-61623431353764623933346666653730623937346662356664393138653739373266386262323861
-65373131376537393230616531303233663735383566613232316434366535313962636233623966
-30646637313534616163643661343766643033363662623464643139316433393061396463353532
-36323930316330313836346336396666363461343030653430326462393435323833373366636331
-63623366373134666432336362373237356436376535616435376562636264653939353331303864
-62343032383231646237343538303632383639396332303635346536663937616537613031646630
-32613966353839346235333763626337643262323662623838363530646639353561363135343630
-62363563323337663837633434623765363461316562633966396632643439353436643264646636
-39323632383734646164616336636164666431333061316562373532376338396132353034386233
-39376461633961383361333466313132613662643866343538613438633230316566626436663638
-36393134313438636564376331643361383764373133626366333935363163626331643332646634
-64356565633565613266633636353363633564633266336337343637336437383037376536633336
-37613539663431323363333463636461386366393530346366386338323130323133643761356131
-63666336373438653264373736323465343961356435333835343535333264326534313032656538
-31623464633038313639316533323333353638623039313235623233323332643463613363356137
-63306435663062383335666234343062623830643062363634383562353764393764653064366130
-39623437333064336464643864393635316263383434336335646632653337363939663030333232
-62363834393939303737333137643737383834613234326130366332636434366133336338363461
-64663039616232633735336463643863636636616465373330343934333332613563373131643938 -64373231336531333963313232666332313363313261373733356165643062363064 diff --git a/envs/example/bastion/group_vars/all.yml b/envs/example/bastion/group_vars/all.yml index 7f664de..bfc4622 100644 --- a/envs/example/bastion/group_vars/all.yml +++ b/envs/example/bastion/group_vars/all.yml @@ -6,9 +6,19 @@ private_interface: ansible_eth0 public_ipv4: "{{ hostvars[inventory_hostname][public_interface]['ipv4'] }}" private_ipv4: "{{ hostvars[inventory_hostname][private_interface]['ipv4'] }}" +etc_hosts: + - name: "{{ ttyspy.server.host }}" + ip: "{{ ttyspy.server.ip }}" + - name: bastion01 + ip: 172.16.0.150 + - name: bastion02 + ip: 172.16.0.151 + - name: ttyspy01 + ip: 172.16.0.152 + common: ssh: - ghe_authorized_keys: + github_authorized_keys: enabled: False api_url: ~ # ex: https://github.ghe.com/api/v3 api_user: ~ 
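Review bot: The new `etc_hosts` block at the top of the `@@ -6,9 +6,19 @@` hunk carries no comment, yet the first entry is security-relevant rather than a convenience: the new deploy doc in this same patch says `etc_hosts` exists to "fake out DNS for this ttyspy server" so TLS does not have to be fought with IP addresses, i.e. the `{{ ttyspy.server.host }}` -> `{{ ttyspy.server.ip }}` pin is presumably what lets the ttyspy client check the server certificate by name. Without that written down in the inventory the entry reads as cruft and is easy to drop, which would silently break certificate-name verification for session logging; a comment above the key such as `# first entry pins the ttyspy server name to its ip so the client can verify the server TLS certificate by name without DNS; the rest mirror the Vagrant addresses` would preserve the intent. The bastion01/bastion02/ttyspy01 addresses are also hard-coded here while the `yubiauthd.hosts` block removed in the following hunk derived them from `hostvars` with these same values as defaults, so if the Vagrant addressing changes there are now two places to edit; naming the source of truth in the comment (the `envs/example/vagrant.yml` touched by this patch, I assume) would help.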
@@ -19,153 +29,160 @@ bastion: ssh_port: 22 force_commands: - /usr/bin/ttyspy - - /usr/bin/ssh-ip-check - /usr/bin/ssh-mosh-filter users: ~ -yama_utils: - enabled: true +_users: + manage_authorized_keys: true + +twofa: + enabled: "{{ twofa_enabled|default('false')|bool }}" + method: google -yubiauthd: +user_groups: + default: + system: yes + admin: + system: yes + ssh_keys: + enable_passphrase: false + fingerprint: "64:f3:60:f0:33:ed:8b:a3:af:33:c3:c1:e6:c8:41:bf" + private: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEA34Tz/TDvjmcZkDiWmbm6Zz4jx1bl4rcEiSpbxYRqyXvxbGkG + e+YoDyy5s+M/tKaP+kAYDbXwJM6NnLq8q4YsEeqszjDE3+qgH54TE8EoT1VoPDkl + iUiE3a0d1DLZT8oX7x8y+q+39qQFN2sjTf39VgMpbWy6zOH7Ok9hpJXMItezuX9B + sMOfHE3TgZdYnRlc9tRmI58+igw1E2reNqHBxWu2c4FdydoakTXgUmcLLheKW0xC + m0NG9Cy5oAdq79ZJruuQQxTy9W71xm6W4EreDMCZrR3JWBvH2Ahv2JcDdj8BEB2g + iYzwzSqM4D3l44jza2BULgoXf58JS/8B7LkryQIDAQABAoIBAE6ba1M3yofCKnNV + 82DMuIlmiR6pqN86jhXPF8c28nc5Z4ZAyU75ek0b5ZMl8FmP2kKgF9V6jqHjIlpk + McYAwa7rYSqCbDpzQSzdYsgnvg1oc+f6EQFex5tOLpdZ6qLs583oov0WnxPWSx9a + Rmg/UsDVC9S30FoNf1TaZfSD2e7GVOCohXSXheQnRs5AkovlieoBy8NbaRj9+ey3 + hTsbtAsMk7WiazHpP/Fl7LwAXSHRgtFl+s1dbSYbpBLWdabB54j7m75x/hJRWzlW + zgmTdGSpLOnPeKe9TJtIkWzkqx0+XMbk1D4FUZVpo2D8whpHJxZNUdzY1UpqTu6M + frGsQIECgYEA8vqxh7Pw3S32TyMmkpL6oNziccyKe7U+xurulmccrPD6dhpMjOXR + 0ErPBIklxiUsAEZNIdBP4G2Of1xU0OWnWH9Xpk69FI7K7/XPmOoNeC3lYp08IUtb + jvs2C7F6ir+cSpEjU1PrT9hIKTk6XO13Nx291pd6xxUz1UUfdyxv220CgYEA639M + jEH9BsFSghYHM41GCMp2/+xfLLN9sTdPB7b8ElsOMD2Xne1QJ9uHfXyDi5Ba07aI + GbxgIoKcVlxIf/JJFdomeiXzf3PjDOTE8Pv/wMVhjQsfkCfgEunqVKF9amLTeTbl + Ype2modJXe+yuo4AqN8inz3CvTsP15rfZRh9XE0CgYA6xnOdPOS9y/lx6THScOVZ + djT8jBrPk+csnPW7whOIrf4YBYKQ7qLTPNVY5ogRpzo+ksLjtA0uX7IBkucdZQAX + Ay7DlvZb+7KRWyeteKhrcsazFQ/PifgK3S+Uooje+TyoOPWPmZQpS0shVauNgQ++ + cF5Ug236rGFObJsQ69ne/QKBgAaxxLRL/+xcPIM0Kxo9DtubHczipEX6CD2sa9O1 + UO8YpYubhJ7Zqyim5fAcRQUHon1YOAA7SaRRgC44S1tPwOIdJHDeeVCLM84fBrYv + A7MwKTjAMzJ+37DJ835aZN1MV+SfOeAWnftAk0ZXVQZWmRAz36EVOV71udqQLX+L + 
Na0VAoGBAOyAT/XPSDjMaWMxkf0/cuGrPDotG/2qlPkFzykTurYRXfB+gs/0wM9q + V64jR8VQpxfyljtdEEIbNnYiiHcu3WGDK6zu0w3LzYFdKawKxJezL7vbC3X4qgil + 3KsipSty93s+kZ265SMqby2itnryoMSURt5PniUFlBq5BBrzeZde + -----END RSA PRIVATE KEY----- + public: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfhPP9MO+OZxmQOJaZubpnPiPHVuXitwSJKlvFhGrJe/FsaQZ75igPLLmz4z+0po/6QBgNtfAkzo2curyrhiwR6qzOMMTf6qAfnhMTwShPVWg8OSWJSITdrR3UMtlPyhfvHzL6r7f2pAU3ayNN/f1WAyltbLrM4fs6T2Gklcwi17O5f0Gww58cTdOBl1idGVz21GYjnz6KDDUTat42ocHFa7ZzgV3J2hqRNeBSZwsuF4pbTEKbQ0b0LLmgB2rv1kmu65BDFPL1bvXGbpbgSt4MwJmtHclYG8fYCG/YlwN2PwEQHaCJjPDNKozgPeXjiPNrYFQuChd/nwlL/wHsuSvJ dummmy-key-2 + +users: + vagrant: + public_keys: + - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key + admin: + comment: "Shared Admin User" + primary_group: default + groups: + - admin + public_keys: + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfhPP9MO+OZxmQOJaZubpnPiPHVuXitwSJKlvFhGrJe/FsaQZ75igPLLmz4z+0po/6QBgNtfAkzo2curyrhiwR6qzOMMTf6qAfnhMTwShPVWg8OSWJSITdrR3UMtlPyhfvHzL6r7f2pAU3ayNN/f1WAyltbLrM4fs6T2Gklcwi17O5f0Gww58cTdOBl1idGVz21GYjnz6KDDUTat42ocHFa7ZzgV3J2hqRNeBSZwsuF4pbTEKbQ0b0LLmgB2rv1kmu65BDFPL1bvXGbpbgSt4MwJmtHclYG8fYCG/YlwN2PwEQHaCJjPDNKozgPeXjiPNrYFQuChd/nwlL/wHsuSvJ dummmy-key-2 + uid: 1001 + bobsmith: + comment: "Bob Smith; bobsmith@example.com" + primary_group: default + groups: + - admin + public_keys: + - ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key + uid: 1002 + google_2fa: + secret_key: JEPXZJ3HSYNHMDQO + verification_code: 411221 + emergency_codes: [20698313,36545541,21001349,81954311,82144245] + +yama_utils: enabled: true - skipped_users: - - root - - "{{ admin_user }}" - hosts: - - name: bastion01 - ip: "{{ hostvars['bastion01'][public_interface]['ipv4']['address']|default('172.16.0.150') }}" - - name: bastion02 - ip: "{{ hostvars['bastion02'][public_interface]['ipv4']['address']|default('172.16.0.151') }}" - sync_socket_secret: thisisabadsecret - firewall: - friendly_networks: - - "{{ private_ipv4.network }}/{{ private_ipv4.netmask }}" - - "{{ public_ipv4.network }}/{{ public_ipv4.netmask }}" ttyspy: common: ssl: ca_cert: | -----BEGIN CERTIFICATE----- - MIIFETCCAvmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdUZXN0 - IENBMB4XDTE1MTAwNTIyNDMwMFoXDTI1MTAwNTIyNDMwMFowEjEQMA4GA1UEAxMH - VGVzdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALaSaxQLH42A - UAoXi/kpW1p4I4Do2A6oyyeaaP3SejcnNb5bW3VFu1RK2aAfeSLgB3URtBN57W4x - D7f41fkqGYYIwS9D2iDKRGRBuofTjNeOYs6m95eLs3Erbz96oCPm5T1IyP6G36Ye - Gt9ut+IaGMiUP4ocyxJnf78YeIfDdCQEV19k9C4GEEFwfeyEIscId0VrQy1cSRjN - 7Tyht1WYCXUJu8ye7D5NUtMLACV7ZB5OxgZc8vaoFoFErUD76WmZa2sHe8dopa1r - Waadixjx+2t6w4zYQj70g0X79m9uB8TDa2a+nIspEYJOO9cMQEOHRNVrofSEGTTv - 5c/eh+s5i4WkN8NBqgCEkqczV3lJMThi/mmkpVmtJ1X3Vh2SB6SihBg09ESfngsS - odX504FCFQLjR2hI1B1Ofd6DszVkCyp7G063Dpa7QvA90P79BbjhAKOkBAykRH68 - HiPCDD61DarrpjVJ7Nlr0A4R0WjNgiF945EZv0ZvzOSW5qqJhOR8WbBG2NmK5UcU - iX1FQUt7Wq1MXb46nAc/N5JLkM5vMYuw2dZ4Ny5Nbxx7hMDHPCGQ/ltIRd1w+kdG - 40a/ln29/LakjHQ1FSOpCqhD11lLfAxvn0SbIHuSfOxMX4rEGYBDsU05CXAvnTlC - 
AJdrNxqr7M0ll+BeBVIIPn8Vtl0uDjt3AgMBAAGjcjBwMA8GA1UdEwEB/wQFMAMB - Af8wHQYDVR0OBBYEFGsa+1qlRsk+vMyh2RQsenxX2IArMAsGA1UdDwQEAwIBBjAR - BglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0 - ZTANBgkqhkiG9w0BAQsFAAOCAgEAppnxty/kqH6mDTEB1/1m3IEju9hMDf6sD37k - ogN2D3NBJC/CQDNfqz6/0wtAF5CSUSSZ919MtZG/wEKcVbNzuoYNERrpS51OjiCS - pgV4U/mPFvZlNFD1iMtaYGnOjLJagK1W2NfW2fGuV0mhmvIckqjjQPEjWcYRL8i/ - 4E6jbnQzuSUrpLumZBFQSjZkfPyeo7jYll1b4LM+/K8omzGA6xfbLbIWUvLSzl2R - 4YUW/ezJWTONEh3jrFWUXxrNwDaIVPEMBm5+V7/L/cvQKdt2SH67lbSFHSWvfND8 - 3wNHRvRyTCtfVDoPGa2otuY29SoSOTWi63QSZQVu9th4wcPtXwQTeQx34bUfdwei - Xjxd1F7Ux0IkPv90GUixxYOXv2O7Sjhjtw+68DFYd5Yiec30692aEghzMThe1yLe - rImozA7iV4jih7OTaiIDKdCfvs2GcKHfI+nx9cCaCRYPe+9dB79yEXpDRxGii68X - 904ga0g0p1035FTicZ2btECFIN7H3zceylDe9D95WETP0ENB0q8qHs+LjiCNuqiv - 2KzUW4HW7eA8HBoNzxsRZCj3eu+SeY+5LzSu4j/4nhp2Q6pOlbOKVHDjVmnZIZt6 - 8cLTIKuMbD0pxJzSrrHeYh5fdV4j0xJub6MxROEQPbPn0oH1RjfYwRUohg2ibq64 - NojcNto= + MIIC9zCCAd+gAwIBAgIJAIE56AbnAKhuMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV + BAMMB3Rlc3QtY2EwHhcNMTcwNjI1MTgwOTI3WhcNMTcwODI0MTgwOTI3WjASMRAw + DgYDVQQDDAd0ZXN0LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA + zgvi1iB4L9AGRv4sv2WnS0PizlcS98i2nVXDBYUbUGlDGxo+TdkrfsCW85GRUYei + avEPsi4LrLWUJ4V2h5okA5N3rT+K4MFwW69RFoVYvRxzYHBcCSaDSQK9B5b+pxke + pyFuk8VVIZDomBAndIMhVriPMDeguDALOEXPTsJZyExYU185rwXCX/eOSzcO6gqx + MLpbZ3ErfVu2wpNgVSGxK/Isn05DbzlpRSLwT7zaO6/e0+e3oc/uC2BRNc4CUTck + Y+UicUOS1mRgaL0Tw47pjfv1DXUVnPglUnwylRxYAkj3aWMvRJDlxUYiHszjdoJI + S2jzgpCsEL9ZARbz3OEt7QIDAQABo1AwTjAdBgNVHQ4EFgQU9GGaMnGd9HPdCfSB + cXx8g+jGxi8wHwYDVR0jBBgwFoAU9GGaMnGd9HPdCfSBcXx8g+jGxi8wDAYDVR0T + BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAT9ouwn9hRMF1ffVGIyP/LkOAq53G + nmqHKOcaVVo3Shar/Xt3jJQL5qzGsXiteQ/jnFuOVnnxMeM47SE42jHUQaxDOkO2 + VlsDaQvjk18enKeJ7Vpu9/ntO/OWN19E7sjy0uAzBfwFRnUmPGNOd27+kxjYGGA0 + h9/x7BKWdNyyA1/+lhR4EeZ6EixcQ51aJOqmgs7heLDu2DoN+t11oO3Su6M/xLJg + Gh+MfiB46fRo72kv1MjIkysBMQuTIBv0aATLVPbhiG0VQ1ePqZ8apeDrrAJN0oPX + 
BubvkaS2EzQqHlbYm4XScVH+tKNlAyLpvBdqjbAGBNNIdn1MBly3ggpobg== -----END CERTIFICATE----- + client: enabled: true ssl: cert: | -----BEGIN CERTIFICATE----- - MIIFEjCCAvqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdUZXN0 - IENBMB4XDTE1MTAwNTIyNDQwMFoXDTE2MTAwNDIyNDQwMFowFjEUMBIGA1UEAxML - Y2xpZW50LnRlc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDkiiXQ - E3v0thvOjzXLlNA6+uy3+2cKYRJ/AGJZAwpbjmMg+M1Ql2ZN7RbMBSdAXDH1RXxh - xTjWJMboj1XFsX/Mf8taiOTgSUN/sEm3HLFVnXC2fbZOjZV9DfuEjKSzWfm8TLiU - pmbQ9R1ZxVO9Y50hWC5hmA2lDth1QU9L2IoeYBR8qqM6heorxem2a5NyI6Cc8bPQ - ydBo3zhVUAP4Gnhq0CEYFY8sCrJKemVlfJfhQ/sbDRwQ/PsL0inl1qwHrcKWTzVe - t9vOFRdeOfdN6qa2iIHeLjjJ/NV7V0jBuALJUGIWz9NBYhZL5AArhDwVS9lSL9p7 - sLwYa4rc2Zo079sv7UVBj+7UJO1upgnHziKdhZX/Be1gOdKHzlrR3/Rr910tWXuE - /6S/TUffekmKgPhr8+AMT5PLKMVaB16urHB0jf+hLVAJS6xaenJvt6f7eoYUGMRN - OJQMlFW3WMKjMveUDurxi9v9XKrRwx5f8geiI6ANNZfV/WEhJeME+C+Jne3k37sj - vKjb2W1eap6ftP9yPS4d8m1M8ChJUnawBR/xAAbuivsBlz6eY4YZ5fsGL5mIX7Gs - LeyoGYCb8fc2XJ2MR4sqoQqwD5V5BOfJR8hpMA7sMXj5+ICqtZJq+tesgd/daXxZ - OSIKcGbv8yoI+GYK8mgjfQhXRe9gApSHW/Q4GwIDAQABo28wbTAMBgNVHRMBAf8E - AjAAMB0GA1UdDgQWBBQaDK+1R3zzYUV7es6VWg+HsvH+tzALBgNVHQ8EBAMCBLAw - EQYJYIZIAYb4QgEBBAQDAgWgMB4GCWCGSAGG+EIBDQQRFg94Y2EgY2VydGlmaWNh - dGUwDQYJKoZIhvcNAQELBQADggIBAIdLFwQx0ZCX1PJhN22mGEYGpV1rq7Osixbz - vX5K48wxX/gJG76vYUnkhAt/cm9H9yOtUglHdYXlLvt5grR/rPPKZ60iMBud0n47 - SGmojQVCaWdwbKMjehSz6N8NWT/LG4lmahIeiv8IPpmV6cfsQLdWS+AeqtqmFSNA - 1lVLBdoLYvN0i/CGQBtRnTprmp1CbV9MFUDb5JSR4XhxtqfCxZQFcAovk4TlgmFS - 9WHfkXcFU56LypQHvzIqa7QEm2z3QuqHpA1S56L+1+MLxdNzNthS6fnKY6EbEGQN - 0rQyEgebk858DpeMdJA708H4vgr5TR7eIPIlAJUvF0QMJKqgQ/yMdH5+XmFYqbDZ - nHvQNvXMY4l2DiaxgqVBlpUeKbjDqURTLNXXZJYEWhpz1iVXx66C2q+Uh0+JA3g9 - 9VJsIq0LDrBDoNw3GvDX/WKUItRKs5BD24T/7xHs8z8AfSPlEX3ChtMhZYqJK/C3 - 8UbQV6MASZTLoO4S+66Gq3Fra3VZXvFGjMLlXGzRCMZpw/1TeolGc84XjsGUpaq3 - 99JK4m+OlIKyDFqC9090S7WyEV/pyy0VEAEupob4voAGGA0EjV6Ytx9XaarJgqBy - XS6tqm19L6OtSmCbapndz0KBUhejFgNSLUqY/YMO2onayoAYXnUiskfb1cKQax8F - rNKZQ9So + 
MIIDAjCCAeqgAwIBAgIJAPqKYjM75y5YMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV + BAMMB3Rlc3QtY2EwHhcNMTcwNjI1MTgwOTI3WhcNMTcwODI0MTgwOTI3WjAWMRQw + EgYDVQQDDAtzZXJ2ZXIudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC + ggEBAMidwFEci8d9jWIJpeiBkW2crSfog9aW6HQWNJXeaL8CY7jLsn6OyzeV2/Rz + BpssxvBYkKghnvg6/0x1Nj7nylUlgc7UrmhZ83oWg01UGwZnMGDRVlYaMz4lEMDk + XbCRtrYmq0M5ZlYAI10FdCI3U+a/JjQBV7jiV3I4lRkiaNTEZyGFqNeJdmMJ41dg + COnU2w/cJkAtQ+3KQB6ud+oUbR9Ixjxicu7Wi8JV7oeDY8ofYWXYXgnc+M9zfvye + 2fEhJO5aV8xCKaJzNgBgZZZhcJMar3nW4Fd8ogehioghnbLhmHkxQSI96fYiteCd + vtoqSbQ7g05G/vbfl0NgJgA83DkCAwEAAaNXMFUwCQYDVR0TBAIwADALBgNVHQ8E + BAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBwGA1UdEQQVMBOC + C3NlcnZlci50ZXN0hwSsEACYMA0GCSqGSIb3DQEBCwUAA4IBAQCdTqbyjAeCL38/ + 5zDNnQokO+LVMaMMsCxNHIusWSpWMlepgPP5iGIZ+aWo4LspGwMFDjGoYc3mxGx3 + unq2GBLhnw04gNFktzmTo24jaDWxt/irrNRY9B+Q//l5rZOXTbbYHuFrauCvxogN + ludljzM/W79Y0rwpkh6nc9A8OoTeSfntbp8cuzjwgkPb2Q+JR8QYU+0isble9K9h + kjmKFitWl1tQY1RkkAwDSF7jA9w6olyp1/VVTpAEbBBpKKioXzQ4B/2lE7da/dSn + Vwx7cO4H4RZ8V1q4fKR8KRDLQ0hMvaIX14+LtApu8t1Dj2lweBGWmrEulksdxxbm + TA/q0ryr -----END CERTIFICATE----- key: | -----BEGIN RSA PRIVATE KEY----- - MIIJKgIBAAKCAgEA5Iol0BN79LYbzo81y5TQOvrst/tnCmESfwBiWQMKW45jIPjN - UJdmTe0WzAUnQFwx9UV8YcU41iTG6I9VxbF/zH/LWojk4ElDf7BJtxyxVZ1wtn22 - To2VfQ37hIyks1n5vEy4lKZm0PUdWcVTvWOdIVguYZgNpQ7YdUFPS9iKHmAUfKqj - OoXqK8XptmuTciOgnPGz0MnQaN84VVAD+Bp4atAhGBWPLAqySnplZXyX4UP7Gw0c - EPz7C9Ip5dasB63Clk81XrfbzhUXXjn3TeqmtoiB3i44yfzVe1dIwbgCyVBiFs/T - QWIWS+QAK4Q8FUvZUi/ae7C8GGuK3NmaNO/bL+1FQY/u1CTtbqYJx84inYWV/wXt - YDnSh85a0d/0a/ddLVl7hP+kv01H33pJioD4a/PgDE+TyyjFWgderqxwdI3/oS1Q - CUusWnpyb7en+3qGFBjETTiUDJRVt1jCozL3lA7q8Yvb/Vyq0cMeX/IHoiOgDTWX - 1f1hISXjBPgviZ3t5N+7I7yo29ltXmqen7T/cj0uHfJtTPAoSVJ2sAUf8QAG7or7 - AZc+nmOGGeX7Bi+ZiF+xrC3sqBmAm/H3NlydjEeLKqEKsA+VeQTnyUfIaTAO7DF4 - +fiAqrWSavrXrIHf3Wl8WTkiCnBm7/MqCPhmCvJoI30IV0XvYAKUh1v0OBsCAwEA - AQKCAgEAio9PeaY2gxleJpAhN3rT/M5hcvKTeHF+O03KUtlLEFN1umneYTxJpHlY - 
Vv3Q3G6JQ4GLdeOTIBJQHnO4txF0wFHCwvM4gNsqd2I0bzaQNa4sxhfVzi59McKm - eaijurGUfhut1UJGF+5kiybeLHcWrz69cCI2M5qalgywvPVeWCg8g5EZQcQrQ7rM - hfMXBB6hpEXOlYmmN88OYnsOzP+PfoMNbYK0uSkLC6jFjRBLLSKAPdhm6c3Xj0Uu - bdEHn+gzj9oaK4EhXQLglhpi2/SmewisZD5149DMxekXjYu49MEtl1MNbBjCF+T2 - TWvw2aCQ9AlbV57Bi7S4DkpH+kxqALFUXitGaOEtHY7yC+sScFuiYnkcs44t4Fwv - LcKMohVx+liTIHV0/zYIRKqzY8BWo48z+3JENIJeuplPhuNFQuSoR32Vjd4MsyDa - 7k1PfnjLPxoJt639lXAj++FvgJH0MQFfqxZn5ZiHlGidk2vOqmGAVubCUZmVrj3t - P36Fh2jwOun0Ny50IVCT/HY8zBOQ/h1icaHmut73eoFmIHgJsXppjpNpyF5xnyBe - wqYAL0ymt4giET/bKwpMV9Hoy0TrhBSNhjiDYsfS3N1jXTLajHCbf9CGlbeSQXZi - ttd0PSMD5I0NrhqEYfm18qh5ARXygXfRoKtzCwFrMtkJ20tTiWECggEBAPlffvVo - R6E03LPkl8kZC0X3zZze3EXRtvH5GKyVBbtzDPxlGnsJjB5Nit/f2SLOcwj2EIgv - pTVjavpg/fP7tOcqsIzkbnq/mLb8JwJCq7RUaUU2c8taEg/JclAJjCznwDfFXKgc - N3V2pMfjuf3k/ykyCbLZYlDEEEdtig3WpWZ6qnkn5b9DbNXTNznHeYi7FpsvZWbb - IytMfDWZxDflOoUK7M3RmYWCVkJf5klAOEsEyhbgF864g7u3LF9pcOO6LeaYppYU - iDDVnselafu3WB7kxKyLDk6eDL/RivTGpBc5sXVD3VPEqC7YBSN4pSqVu8twHGvb - RoApnLiiqAxW8IMCggEBAOqc66wwKYeCaCTxdXdh+IWRzyW4rfe7FoHz81sE9qgG - bLvJs28xmO9nORK2msftW9RG3ABL8aTcsIQoMuzfw2OZf0+OTzfkBpNzGAMSbqjK - ajjedsnhHBLpqj31MFJg/QAHXJdyVH5R0dOk9Hha1HVNk+0sAPDSdx6U1bJTmIx/ - e74qMND70vNvZER7pVOZozKOU0mHilYXSPOSueTza155foE6ZCnYO8xFnECDq8DZ - UdvY00fDDSzw8U3RTDTzImHqkr7CE4qllkdPAmPRDhvY6En81zM75TNpCc+XfcIs - ypIbhbn5vFBGM26twknhOA8Y9dT9JAVSy4VyRqwg1okCggEAZgGiNVCKvG6bORrw - 29nauqw690hSYlz+sMxsQ2xSA/N0BGp3Ao1NO7gMbrdqYsqAU9ITwSF8OvKH+BNk - zkDQJx9XSMrIRn3JQlCyxEHxarp8tUso4q3dZYfJsuO060mBX07kMAAaz3nQvdNx - aWIa3gcR4I77oH4TCqTMLAz5a4oR4a1oVWyHQJA9ruzh0gR1otUobYKGSFfpFyPn - F9Y0sedeJnLukaZXEp+X267hWA6FfAX+txjTCh5LkFvZSc4GqKUYv5t2ekNnx9Lq - H4VIDpsVuF7JY29TV8OnS6lVxgpbhNRV3MY85ayHrZLUPS8yum0JszTnCdX7vasL - gsCtcQKCAQEAoeq2w9lhcAJSOdzjAwd8a0KcQh5ZAjX+bKWeeFzOllwIwvmLetwx - /lexDfc0j3KDA9f7kcDX/r3InQzZSJ2NzblsIc3HYn1fBHhURBp+gMNh1+nA9ccE - hxD4y1XiiZgiQ9jQ0Dy5j4yMUZLwnfeh1Ws7Al5yL8IxL8vsR+xlxeFd13pqwnBp - 
wFRKUPE8wpuwA/4yAPcoRA5B7MiAv0A4A7W51xojcrWnX21TTzsQWEIjuqTD/Czj - dPa8ssYV4B1Ex2sK59gtgGyTcJdYwObQ4+spNZboNpXJs1d0y+5zfoVHMNsJybZP - ft9UM7h79F0ZQWIql1o1d+8SQwEBQV5QcQKCAQEAuzNUrKJO43WZBVJ9QZf+qQvX - 9XKsnP5mDgeW4pdUW/Jr/4ajAhuKSnmf5BebsFxBw/0te8jCXghufyEnFIReMp15 - pgp8N6HGWasFqne3P1vMCHzqWus/EqX1QkzZtrPqBergs02nkis3fVlWoBfbA0+x - T4MmIq1pa0c+AX9MNd3N6SX3Iho8mIJv9YClnEQuwR2uTt2SlSStP6AS3PzyVSXt - Tis6QRKxjn6AnptKc2BBrC9vzTeLGvOAq7COsTYmtZGp+rOGRpmAndgRtcIKuSze - qyi5gok40OEg9KWWZ0NwOGLE+L7hm3hmMvx6cmVn130KTON0HrlloW5tVL0GBg== + MIIEpgIBAAKCAQEAyJ3AURyLx32NYgml6IGRbZytJ+iD1pbodBY0ld5ovwJjuMuy + fo7LN5Xb9HMGmyzG8FiQqCGe+Dr/THU2PufKVSWBztSuaFnzehaDTVQbBmcwYNFW + VhozPiUQwORdsJG2tiarQzlmVgAjXQV0IjdT5r8mNAFXuOJXcjiVGSJo1MRnIYWo + 14l2YwnjV2AI6dTbD9wmQC1D7cpAHq536hRtH0jGPGJy7taLwlXuh4Njyh9hZdhe + Cdz4z3N+/J7Z8SEk7lpXzEIponM2AGBllmFwkxqvedbgV3yiB6GKiCGdsuGYeTFB + Ij3p9iK14J2+2ipJtDuDTkb+9t+XQ2AmADzcOQIDAQABAoIBAQCpIfYFbB+cLAmK + Yb/x6WqGEtUZFDoyLEAFvsLOpxeAEa+pGHJ/qDtDvaAW0vL62CFQeBpc5Rt1A6hA + +YCmQByg9GIf0cbISy2t/FTuWL4AA/cRaOt049nXxr/9H4qtVevIXYl9v2K7lpo5 + zmM+hY7Cttyqc4dVY919ep6Y9h2TYhFlTeoxWsjkOMC94m+1337JvCfFBC2KONuU + H7OD08lE9TIXOpv94vWBvnCBUxnwOCZ0bQUr1qS3rWwcP/CNEL3KRCp8BS4VQnBb + KLxzpQ9f9LYq1VmBop358I6UWBafb0pIzF1FcdKG5Ma/L/Q4+AdGND4QjgyEL/fp + U82FnfjRAoGBAP0/hSUfORh1gxR1EnuJJGn6HuKufLWOXgnSKkNMZ8feKK60hyYe + btcZlkh1RHiI3j9DX1PocIjEEzUtgDY13JcxoqpHmSY+KvLPb0D5bkk6zTSr/kJH + QUTrXcS4BUiy8YOA1LyOlhNiVZ1C9UtYj8GSx8Hm17woB4qIqgJEPuxLAoGBAMrL + 0iWJjMshZMIQtsuXqZ5RpMsF97ZIQ3e3fmgCxs8108H/aVe1l6KyepVWOkVBbhnn + OXHNOlI2sm3Bf1xpLY8mek+I/6DD0Z+gsUd47sQOuaYGmOYDpbDcEoJGBoXuBpxD + OTiQP+wcFFlVjRSOWnYM5qkVrxDn9EtBK/E+Pv8LAoGBALRdjSKHPk7hQt5LE0LQ + xhKEhYLE6yUTpH4yJM+Rl0iOPUNQaAEKI78nBhXND1sZf9Bm13oXTi7aFyQEqA/0 + BIvaWhQUskq+dDBC9OW9wIJ/Uq90372sqhu/1iTJO1ovuDsEgn9YviJIItnCWpmz + FY+0TnkXRAdKKzTLaOn8WSRJAoGBALefmDeO9aIUKZSi57EvMVF+IZYHYEV350cm + Kdnp8bQ7y/LT3sGhVpzluKMxwW9mEFh6CoSlzFIW3rcMxtKZFbyRnZwYs0YRKOS9 + 
7ueFc8SohKb1QEq9MLEUg9nbqBpq7Sdeoxg5XPfgcPh2w1jCkNxlUBH35V2MeaIO + b8hvkUEDAoGBAJebZ3xwbaQWc7mmHq4rrFTIkaM1BMBFoU23kXi8dDcR1whNAal0 + /PqZyNduxrZpFJ31q4/ZhT7sSS6JnKft9xliyh3a2zRdc2cn2NYWhDxKyiGsLCph + DAuubrT+HoMApzxGbIV+f6afRafKViJf17giVa77hWHIjNMg+vOPwqdz -----END RSA PRIVATE KEY----- server: enabled: true host: server.test - ip: "{{ hostvars['ttyspy01'][public_interface]['ipv4']['address']|default('172.16.0.152') }}" + ip: 172.16.0.152 port: 8090 transcript_path: /tmp/transcripts firewall: 
@@ -175,203 +192,62 @@ ttyspy: ssl: cert: | -----BEGIN CERTIFICATE----- - MIIFEjCCAvqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdUZXN0 - IENBMB4XDTE1MTAwNTIyNDQwMFoXDTE2MTAwNDIyNDQwMFowFjEUMBIGA1UEAxML - c2VydmVyLnRlc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCxHM2K - 0b3A1yk1IY4Bwvq/g+8HDsI1kRVdpkZOljE8JWEXBcotV9NoRnpKWImLRthPfBcm - TmOXaBDmS2rx4hW/jwca3V5dSSSXkfx8DEWMmUhX3dxBMerbjtMyQLy+8HKAZPGQ - xRNmEhV/qwS5ZxEKI+dsB2zlyepnF8S3IE5kKJQFOZVZv59WZFgaxv7XbFyTeJJf - qrcpULnzzI7AwBXt3JxCxM5U/ABzAlzVOvH/tOweHYIjtm6yQCs1KQStumjh7L4X - BVjU/YPfGy+Fqky60mruZEU1JvpISsjO67QsmcnYWR3vQI4K2L6fo6OCGhOkdNsb - 3z6LWlk+pzbB5rRKsMv7FJkqdFDfOb2mF+SPUVU0hAx5e0XiNfJsPUpqlzF8dALW - M26vEpUDemEEYwW4MQEEBnvL4E8oXXwTExFvHAvCuqu3wdCBufn5qCVTir/wT+v0 - aYqsR6QhgscIMCzZipyjeLs7yfW4rAMgLUE4xz8ZIJfSKr5+zeDwoYBs7d9y/8v6 - g4j3CTNMfraSbdKbLBRvvVk/+ruBVnGl/NPd5z7XtlBtfDV/aHqzj4n6frR7UmA4 - +VewY5idzdxgu0T+6mlqhY1s83EZsu+gNl0hAmAvMdp7UptfwWnDr/Waqj0CJHfq - alp1cdRZh6ceRbTIkpBemIxXAKW27i+/ScAh9wIDAQABo28wbTAMBgNVHRMBAf8E - AjAAMB0GA1UdDgQWBBRkwxTJ3QzxIU2qleVkIIaa6Y6otTALBgNVHQ8EBAMCBeAw - EQYJYIZIAYb4QgEBBAQDAgZAMB4GCWCGSAGG+EIBDQQRFg94Y2EgY2VydGlmaWNh - dGUwDQYJKoZIhvcNAQELBQADggIBAICHzCY8omXOgmGFRQxSQMZ9KCbaLDVQ6duN - ysniO0imXdy0qGb+b0HVP1gnTv7moq8YrIA50TeyfdGZkBXpT6pA/hc6Q11aw2Bq - FaDSSj0otCpxSuur0b52G1p2IhFjymFeuCQwkkPZ+1YXtAY9evE7iq6ItFkGEs/K - FgSIffFggOHFfoHWz9QhAMtE28VZOieYbpsyR7YnZHANkkJfjK6FNJGE4LrwuvlG - SR/wvFeecmWMsRVsWdi0Jb9PHF9JW2gJVFl6fvHCZleg9LtEoVwSseK7mIy0VU1A - JlYVx7Z2lcxYVpkDk0JQlUsOSD0C+lyTwjwfCN/UX6PjaSMMiAP4h+dOBVFLsp6S - c1qeZrA5Dgsv/9efTPXxb2uEaSg2bNqvn0ivmbcu0TfDALCAKUtzTvM7lO6IVijp - HKGm46ZuvOVLIv4oZmaAg/1lC4J9HZPzGMABR+63lTEhcR8DqtZ5MtJ9clD618Z8 - dg9jEgpapUdao+nat3jbVr+mh7m9WFfd4H/8d++xxfjcEEUSPhH8JT1voSzZr4cn - gBjSiohrW/FpcDNeCTsoE847wldkpHblD5khwtTmDDwrIRAD3Q0i+EBAkhsk/dY3 - +LEbD1Ab8lmSMiLGDONctQxFdWEWSyR/btki8Q0NG8fAFy0qzPIymCF2aVMtxX24 - /xdoyOms + MIIDAjCCAeqgAwIBAgIJAPqKYjM75y5YMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV + 
BAMMB3Rlc3QtY2EwHhcNMTcwNjI1MTgwOTI3WhcNMTcwODI0MTgwOTI3WjAWMRQw + EgYDVQQDDAtzZXJ2ZXIudGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC + ggEBAMidwFEci8d9jWIJpeiBkW2crSfog9aW6HQWNJXeaL8CY7jLsn6OyzeV2/Rz + BpssxvBYkKghnvg6/0x1Nj7nylUlgc7UrmhZ83oWg01UGwZnMGDRVlYaMz4lEMDk + XbCRtrYmq0M5ZlYAI10FdCI3U+a/JjQBV7jiV3I4lRkiaNTEZyGFqNeJdmMJ41dg + COnU2w/cJkAtQ+3KQB6ud+oUbR9Ixjxicu7Wi8JV7oeDY8ofYWXYXgnc+M9zfvye + 2fEhJO5aV8xCKaJzNgBgZZZhcJMar3nW4Fd8ogehioghnbLhmHkxQSI96fYiteCd + vtoqSbQ7g05G/vbfl0NgJgA83DkCAwEAAaNXMFUwCQYDVR0TBAIwADALBgNVHQ8E + BAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBwGA1UdEQQVMBOC + C3NlcnZlci50ZXN0hwSsEACYMA0GCSqGSIb3DQEBCwUAA4IBAQCdTqbyjAeCL38/ + 5zDNnQokO+LVMaMMsCxNHIusWSpWMlepgPP5iGIZ+aWo4LspGwMFDjGoYc3mxGx3 + unq2GBLhnw04gNFktzmTo24jaDWxt/irrNRY9B+Q//l5rZOXTbbYHuFrauCvxogN + ludljzM/W79Y0rwpkh6nc9A8OoTeSfntbp8cuzjwgkPb2Q+JR8QYU+0isble9K9h + kjmKFitWl1tQY1RkkAwDSF7jA9w6olyp1/VVTpAEbBBpKKioXzQ4B/2lE7da/dSn + Vwx7cO4H4RZ8V1q4fKR8KRDLQ0hMvaIX14+LtApu8t1Dj2lweBGWmrEulksdxxbm + TA/q0ryr -----END CERTIFICATE----- key: | -----BEGIN RSA PRIVATE KEY----- - MIIJJwIBAAKCAgEAsRzNitG9wNcpNSGOAcL6v4PvBw7CNZEVXaZGTpYxPCVhFwXK - LVfTaEZ6SliJi0bYT3wXJk5jl2gQ5ktq8eIVv48HGt1eXUkkl5H8fAxFjJlIV93c - QTHq247TMkC8vvBygGTxkMUTZhIVf6sEuWcRCiPnbAds5cnqZxfEtyBOZCiUBTmV - Wb+fVmRYGsb+12xck3iSX6q3KVC588yOwMAV7dycQsTOVPwAcwJc1Trx/7TsHh2C - I7ZuskArNSkErbpo4ey+FwVY1P2D3xsvhapMutJq7mRFNSb6SErIzuu0LJnJ2Fkd - 70COCti+n6OjghoTpHTbG98+i1pZPqc2wea0SrDL+xSZKnRQ3zm9phfkj1FVNIQM - eXtF4jXybD1KapcxfHQC1jNurxKVA3phBGMFuDEBBAZ7y+BPKF18ExMRbxwLwrqr - t8HQgbn5+aglU4q/8E/r9GmKrEekIYLHCDAs2Yqco3i7O8n1uKwDIC1BOMc/GSCX - 0iq+fs3g8KGAbO3fcv/L+oOI9wkzTH62km3SmywUb71ZP/q7gVZxpfzT3ec+17ZQ - bXw1f2h6s4+J+n60e1JgOPlXsGOYnc3cYLtE/uppaoWNbPNxGbLvoDZdIQJgLzHa - e1KbX8Fpw6/1mqo9AiR36mpadXHUWYenHkW0yJKQXpiMVwCltu4vv0nAIfcCAwEA - AQKCAgAk/dcQP25acJXyuudmBstIZM3vs21ssri7rpbQox31afk1TchEYCuPg+jW - zlcr98gGEezj20uBvAKLlwTnMElKkRzyx3mGEljKL3uEjSuZigpKD9SI6VwcL2B9 - 
BnhliOLhXjP2ALNkhjJnT9jUwGoWrBkRvxtHgzyp+5TiiqTU1oTT8or3C8bDzIF6 - VkWzyLYtNumbgZRv1KSB/x9xsqzh2UnpyCEwLtIJM10gTAdvWOJYB+G+g8PrBuv/ - VmnbvytYxJGPTVaYZbq9RnhOeps8Cea7k8XArDtqDfSTAzfGePhnb3WJGvqP2WU3 - An6MFdY0axO4ZpAxmtU4+MO/C+hruAiPaXYOZXbeH7B+4XkXkeuY3YCBIsI1IAk8 - kgqnW2mVz5p7+5VsyasQk050f+l1frTEKLCp87nrOlG5PzfIMLdnAiErpJfGvlIt - iTpaUQRw8dX6ERnOrDeErt4YueY2v5zxGFIKyOLTZNFUdcEjLsa8lTVKDZjSzQag - rqi6IEpNHwV24THey0Jx7Ky+9HlAGZBsZ6AmGrWuEu2cgb2lGY9OF0unukKQ1nsW - HgYQMO8Utwf2PiE0mEF7eB3OfXMmbBF6WuVVDhva0MjcLIW838BRu5o9dVs5JiSL - Shamz2464JI5Fhnx5abmWcAqcOa4UphvH2f2MKTon4WKjNVxAQKCAQEA5CS7r8M/ - ob6B8Z0q27cj1dCJQ3Z+ca5yhGfTLb/HecxDmpckNzDxW7y9LBga7sXfvWSXl4Q+ - 3sQGzRmLseubNXybeUPj7V4625MAmleW/bBGRGADa1Saodcn/XSiHKzL9f8AKWho - /N4taQWvb/diVfWdk5kEsMqLsr/+Bpsk7E8m9Y8HPOje0tp1qCESUixjzKoFNT0N - C7YII2vUFyjjt/Vvc/ndVEtNMZNEbWoXwYHv/2ak5sdG1xd9CYjA2gaR56ywKH39 - fQjeo9EbpUlx9wc0UP++FwkrHuuz0ffYTJtviGX/jTbd3VDsx95WFOdHsvOcW+gI - bO/ReI3B2NtAxwKCAQEAxrzz8pK9kklIXKaRV47z4TNfhiIzO80m76oU4oU5hOo2 - Ike4J+dnQDLnBzu/vZn3HuI+GUtJ5OTF6s/76nrSscA739mUlRfYCS0lugS6/eXi - L1N2LBJ2rZ1g8D+N4Az7qrDGq+E0JikefpmesJ2bfmrvSG8uYFBoTHoDtmY9NuUu - F1s2evp3IAfMO02daSYOUvzIV7KcECqQh1bssPYbtujoqMuVlMudn0P2hMuu1vIa - GNW4d0TNngvBlCAIGqrT9sT8kDx40wFGV+pbeFqT3EUNgevGqpOUhANYwfnaMPM4 - 3ClgdYuT/y13zxLD+zePqUk9E/ZX/eICs8JrN71FUQKCAQAwp+jjVlfGzhN2jRdr - 3oYk/qGXorja0+KWfHIcaq9HOZodaSiPIMAI2ZrawZVU4RyTjtWJuemSpunwagdR - /baPVLDvztvYbuVMmPBi+lU4a5TA1l1EUbnc1D8yHeLJDM0+/JBzRFJHw7aZlF3T - GkZ9oLFnnhXTAo+CotGxZPsd7s+XRVa81clX3MGFBvCaV9888fHEZe3XVo4rx75m - 5hCS1iRb7qkWZizjas4IK70/RtABf0mh8lQYYWkIVIMUvJv3devn5t7eALtC4sDr - oltM3Nt6fuByl0D8CjbCjAI0bF4AEAjNfCsbHTwycCeZs62l67CoJTdOzGK3PDxg - XHpXAoIBACztyrisM+8+Yf2QKouA5eGjm5TXZn2+g27rJI2RUM+bo2FclWVwCweY - emJIP7C9fgCdZSySuMHmdlf/bRQ1cCx/KQoSRmTuXwi0DDNhnmSH8/p/A9gy1GGr - kp69v3VHeh28mS2CXCfEZAB6+kUzXFPYGQBnIjTj+LBRZUV3F5+xcBoXpNlohkXX - fXRqt4tt7w8T1rb8ygtdlA8Et73J5boULYT7gXWCEsBOvQyIf55YXU4AAxPzmgiA - 
3+J821gsBn9jSTXSdf4964k0kjlDQOorMkKM6vzlIE4383jm40ztr40WTZhFVc/6 - l3tY4rWIehHrXMOGjZ332mSJL3QKdgECggEAESPSBpWeUl9P69RG5GsolpOL7LyC - OxhKSTU0sFGQEDEk3PQ8vgFVPKRYgJM8ahHIlHD9vnHQ91wy+48ECDwOeK9JiCEN - MXM5xrfzSYN00tIQpua0BHdo5GNxS+Lm49Jx15PjwLpY9HYbHl9vJKdfJJt2oiq6 - o8ZjHVm1Zz74zH8pugSAGxXSVXuslPqOHMPYedk1C89mCwkn48sINkubuxhiZNDM - 6SoYyEG9xMlmu8UVD8NPOlMeBw7XlCaiJCYCczsRWajDty4CmyU5y5QioEXq4cze - 1PXfVVtYENr7abQWNd3SFyYELKMDK2KE/8FSgRn9IRGco4xuftPUrPuS5A== + MIIEpgIBAAKCAQEAyJ3AURyLx32NYgml6IGRbZytJ+iD1pbodBY0ld5ovwJjuMuy + fo7LN5Xb9HMGmyzG8FiQqCGe+Dr/THU2PufKVSWBztSuaFnzehaDTVQbBmcwYNFW + VhozPiUQwORdsJG2tiarQzlmVgAjXQV0IjdT5r8mNAFXuOJXcjiVGSJo1MRnIYWo + 14l2YwnjV2AI6dTbD9wmQC1D7cpAHq536hRtH0jGPGJy7taLwlXuh4Njyh9hZdhe + Cdz4z3N+/J7Z8SEk7lpXzEIponM2AGBllmFwkxqvedbgV3yiB6GKiCGdsuGYeTFB + Ij3p9iK14J2+2ipJtDuDTkb+9t+XQ2AmADzcOQIDAQABAoIBAQCpIfYFbB+cLAmK + Yb/x6WqGEtUZFDoyLEAFvsLOpxeAEa+pGHJ/qDtDvaAW0vL62CFQeBpc5Rt1A6hA + +YCmQByg9GIf0cbISy2t/FTuWL4AA/cRaOt049nXxr/9H4qtVevIXYl9v2K7lpo5 + zmM+hY7Cttyqc4dVY919ep6Y9h2TYhFlTeoxWsjkOMC94m+1337JvCfFBC2KONuU + H7OD08lE9TIXOpv94vWBvnCBUxnwOCZ0bQUr1qS3rWwcP/CNEL3KRCp8BS4VQnBb + KLxzpQ9f9LYq1VmBop358I6UWBafb0pIzF1FcdKG5Ma/L/Q4+AdGND4QjgyEL/fp + U82FnfjRAoGBAP0/hSUfORh1gxR1EnuJJGn6HuKufLWOXgnSKkNMZ8feKK60hyYe + btcZlkh1RHiI3j9DX1PocIjEEzUtgDY13JcxoqpHmSY+KvLPb0D5bkk6zTSr/kJH + QUTrXcS4BUiy8YOA1LyOlhNiVZ1C9UtYj8GSx8Hm17woB4qIqgJEPuxLAoGBAMrL + 0iWJjMshZMIQtsuXqZ5RpMsF97ZIQ3e3fmgCxs8108H/aVe1l6KyepVWOkVBbhnn + OXHNOlI2sm3Bf1xpLY8mek+I/6DD0Z+gsUd47sQOuaYGmOYDpbDcEoJGBoXuBpxD + OTiQP+wcFFlVjRSOWnYM5qkVrxDn9EtBK/E+Pv8LAoGBALRdjSKHPk7hQt5LE0LQ + xhKEhYLE6yUTpH4yJM+Rl0iOPUNQaAEKI78nBhXND1sZf9Bm13oXTi7aFyQEqA/0 + BIvaWhQUskq+dDBC9OW9wIJ/Uq90372sqhu/1iTJO1ovuDsEgn9YviJIItnCWpmz + FY+0TnkXRAdKKzTLaOn8WSRJAoGBALefmDeO9aIUKZSi57EvMVF+IZYHYEV350cm + Kdnp8bQ7y/LT3sGhVpzluKMxwW9mEFh6CoSlzFIW3rcMxtKZFbyRnZwYs0YRKOS9 + 7ueFc8SohKb1QEq9MLEUg9nbqBpq7Sdeoxg5XPfgcPh2w1jCkNxlUBH35V2MeaIO + 
b8hvkUEDAoGBAJebZ3xwbaQWc7mmHq4rrFTIkaM1BMBFoU23kXi8dDcR1whNAal0 + /PqZyNduxrZpFJ31q4/ZhT7sSS6JnKft9xliyh3a2zRdc2cn2NYWhDxKyiGsLCph + DAuubrT+HoMApzxGbIV+f6afRafKViJf17giVa77hWHIjNMg+vOPwqdz -----END RSA PRIVATE KEY----- support_tools: - enabled: true - system_deps: - - libxml2-dev - - libxslt-dev - - libssl-dev - git: - - name: ursula-master - path: /opt/git/ursula/master - owner: "{{ admin_user }}" - repo: https://github.com/blueboxgroup/ursula.git - rev: master - virtualenvs: - - name: ursula-master - path: /opt/venv/ursula/master - owner: "{{ admin_user }}" - requirements: /opt/git/ursula/master/requirements.txt - alternatives: - - name: ursula - path: /opt/venv/ursula/master/bin/ursula - link: /usr/local/bin/ursula - cleanup: [] + enabled: false sshagentmux: enabled: true auth_socket: /var/run/authorization_proxy.sock -users: - exampleuser: - primary_group: sitecontroller - groups: - - exampleuser - home: /home/bastionuser - createhome: yes - shell: /bin/bash - uid: 1999 - yubikey: - public_id: 111 - serial_number: 111 - aes_key: 111 - private_id: 111 - public_keys: - - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4rAIuN7EoPdU8iDPnp27zd+hXsbTE1NEIAQFblG0IywG2B522pivpxE/v1BmtaIVas1APRFDsn5SMGrDOiVNZGz/MdIdJOPjza29WyXgb5w9I329I/XKF5/NEkXDajqzHQheHZ0NSQFFqrlW+N7t6KdKkFP0heAnOLtXJIXrJso04Ew/o/NX6qJFvDY8pVMUeQVloX5zFuHwq+N2JjJIEDS89mmNfqThoAR0KZ/jKQnjNhCdKVurS20Sxft4HI6Zjm7YZMXJO5a+TL+nYEq+JEzLL+PdKcBf4BVpr6MLO/R3d5nxGAtdhgXUSvEDT2bCFWc66KBzNtJTzDKcVn2KcQ== blueboxadmin@yama-1.blueboxgrid.com - - -user_groups: - exampleuser: - system: yes - admin: - system: yes - blueboxadmin: - system: yes - ssh_keys: - enable_passphrase: false - fingerprint: "64:f3:60:f0:33:ed:8b:a3:af:33:c3:c1:e6:c8:41:bf" - private: | - -----BEGIN RSA PRIVATE KEY----- - MIIEowIBAAKCAQEA34Tz/TDvjmcZkDiWmbm6Zz4jx1bl4rcEiSpbxYRqyXvxbGkG - e+YoDyy5s+M/tKaP+kAYDbXwJM6NnLq8q4YsEeqszjDE3+qgH54TE8EoT1VoPDkl - iUiE3a0d1DLZT8oX7x8y+q+39qQFN2sjTf39VgMpbWy6zOH7Ok9hpJXMItezuX9B - 
sMOfHE3TgZdYnRlc9tRmI58+igw1E2reNqHBxWu2c4FdydoakTXgUmcLLheKW0xC - m0NG9Cy5oAdq79ZJruuQQxTy9W71xm6W4EreDMCZrR3JWBvH2Ahv2JcDdj8BEB2g - iYzwzSqM4D3l44jza2BULgoXf58JS/8B7LkryQIDAQABAoIBAE6ba1M3yofCKnNV - 82DMuIlmiR6pqN86jhXPF8c28nc5Z4ZAyU75ek0b5ZMl8FmP2kKgF9V6jqHjIlpk - McYAwa7rYSqCbDpzQSzdYsgnvg1oc+f6EQFex5tOLpdZ6qLs583oov0WnxPWSx9a - Rmg/UsDVC9S30FoNf1TaZfSD2e7GVOCohXSXheQnRs5AkovlieoBy8NbaRj9+ey3 - hTsbtAsMk7WiazHpP/Fl7LwAXSHRgtFl+s1dbSYbpBLWdabB54j7m75x/hJRWzlW - zgmTdGSpLOnPeKe9TJtIkWzkqx0+XMbk1D4FUZVpo2D8whpHJxZNUdzY1UpqTu6M - frGsQIECgYEA8vqxh7Pw3S32TyMmkpL6oNziccyKe7U+xurulmccrPD6dhpMjOXR - 0ErPBIklxiUsAEZNIdBP4G2Of1xU0OWnWH9Xpk69FI7K7/XPmOoNeC3lYp08IUtb - jvs2C7F6ir+cSpEjU1PrT9hIKTk6XO13Nx291pd6xxUz1UUfdyxv220CgYEA639M - jEH9BsFSghYHM41GCMp2/+xfLLN9sTdPB7b8ElsOMD2Xne1QJ9uHfXyDi5Ba07aI - GbxgIoKcVlxIf/JJFdomeiXzf3PjDOTE8Pv/wMVhjQsfkCfgEunqVKF9amLTeTbl - Ype2modJXe+yuo4AqN8inz3CvTsP15rfZRh9XE0CgYA6xnOdPOS9y/lx6THScOVZ - djT8jBrPk+csnPW7whOIrf4YBYKQ7qLTPNVY5ogRpzo+ksLjtA0uX7IBkucdZQAX - Ay7DlvZb+7KRWyeteKhrcsazFQ/PifgK3S+Uooje+TyoOPWPmZQpS0shVauNgQ++ - cF5Ug236rGFObJsQ69ne/QKBgAaxxLRL/+xcPIM0Kxo9DtubHczipEX6CD2sa9O1 - UO8YpYubhJ7Zqyim5fAcRQUHon1YOAA7SaRRgC44S1tPwOIdJHDeeVCLM84fBrYv - A7MwKTjAMzJ+37DJ835aZN1MV+SfOeAWnftAk0ZXVQZWmRAz36EVOV71udqQLX+L - Na0VAoGBAOyAT/XPSDjMaWMxkf0/cuGrPDotG/2qlPkFzykTurYRXfB+gs/0wM9q - V64jR8VQpxfyljtdEEIbNnYiiHcu3WGDK6zu0w3LzYFdKawKxJezL7vbC3X4qgil - 3KsipSty93s+kZ265SMqby2itnryoMSURt5PniUFlBq5BBrzeZde - -----END RSA PRIVATE KEY----- - public: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfhPP9MO+OZxmQOJaZubpnPiPHVuXitwSJKlvFhGrJe/FsaQZ75igPLLmz4z+0po/6QBgNtfAkzo2curyrhiwR6qzOMMTf6qAfnhMTwShPVWg8OSWJSITdrR3UMtlPyhfvHzL6r7f2pAU3ayNN/f1WAyltbLrM4fs6T2Gklcwi17O5f0Gww58cTdOBl1idGVz21GYjnz6KDDUTat42ocHFa7ZzgV3J2hqRNeBSZwsuF4pbTEKbQ0b0LLmgB2rv1kmu65BDFPL1bvXGbpbgSt4MwJmtHclYG8fYCG/YlwN2PwEQHaCJjPDNKozgPeXjiPNrYFQuChd/nwlL/wHsuSvJ dummmy-key-2 - sitecontroller: - system: no - ssh_keys: - enable_passphrase: false - fingerprint: 
"c6:a2:23:58:cf:c7:7e:c7:63:87:0f:4c:ce:be:7a:eb" - private: | - -----BEGIN RSA PRIVATE KEY----- - MIIEpAIBAAKCAQEA1x6zzX/OSjNwqPuQTJGyXqIB+OBzNTxCXQZUYrb9c9ZjC7rS - yvqpnpfNq2iSag+TSkyZmz+rSOVey94YBf8KY9tI3PXwMFnyoSIsTChmDpSiNx9b - /IswRWHMjWmGo0oxD0cVsRIDPH4cd9DMPpbYgY9062E7nCBgv4b+xerul3sjlGzN - WN3tWFJ0BgzbvWKM9R6fFMgXOrIz2ASyVepCUizndh4m0DU3Dsj7utEnVawMUWN8 - asWZx6XvxlEghQixEhIp2gFOhe3vm+GGgR0BzCfmQqget+jYs7FlW3Vx2he8izAv - yfBOV9PfpfEv0mgCd266rijAFIZycj9xONuvNwIDAQABAoIBAQCkQkNU9PQV4HVz - 8rLaZJ3oeJg861XNHngmBAFHZybc3qS+fica6o++E3fuHGlAJyh2oUrhKpqljM73 - qFx7p6TNXtGiNwDySpxjwW5FsMtM8t1ybbWVfsqbD/RbPmqaILqZSdQcYv6poDoo - mvx6BkDHnTzPxmz36Bk35eKAScVpUC0SDVX9AiK+/4cIna2UvSB3XpTOtaXNHqIQ - 4gJzO8A7EF6u4CyGD8ycB49Y1w/+0gLVpH7p9aIgZrJTxr4bloJTnTrALzEly4p0 - MzIB9DtSFpTv0yx+f3acix38gRehhjQtxLk1+/goODQU3j/7JK2ZiH5a0uDM8zEY - tELDC4mBAoGBAO0xUrNHfJnY5x9dDRd5RLIEP8Bd0GRnCNxfAtwH5iKHJlXHekj+ - zFHkGZJqFCC9ej6i0Mh7tnfZRQUBvVBjw6kslAKXD+x9vDq1qiqVxxwJeFihX8fj - xk5GWCS3I3ienEWPZMu83sZC4YJN2px5IO9BZGoXj9WN0MLH0ejmYH3XAoGBAOgt - VXbYMjt1VwVtawBCywvazmq+0A85AvZ2Ak0LSS2+mgZ/fUlzgRbKOP8Myh4gmYAh - ME35vOb85IpVn2AF02v4HcBOTNBvHluXNgxieqHICYsfCUVqnmBA1UucpCGNGVt7 - UGof+FdUBYGMLLEIfLGsjNj/MmjasGqyRLZBKG2hAoGAZfQPgjQ2IMMVBWwv1mkv - 1/zvkjZA/wcyzdahGgbjKvBA0BpAO+QZ2xFa1I54PGJ1izrc13AlzHo9qptGzqkz - TyJ0NHDOTW72W53+mPNsdGa1rhMfYoJLmRWviYiW3KAAt/2c694xO7M/z4y7bQq7 - 11uaV+fs0XR1yWOunJd53l0CgYAl9NNV/H4pzkMNtheaEVFUfM7mEI+/DVj4pc42 - fjPWcKSJj2oSCfn+mcy7lYGtbzLpCYP2G2/Qa2OJYfoOHqWzrvpeJ+7S3HegDZZe - a/MUY7l7rvU7DfUaUz8Lf24ttf2BQSWiU9urmybTSPE9d9+6xDS6fO3mymmw57fn - +7r6QQKBgQCEhCWm6PdAhixliu4u4Fh+DS8RzxTYYeY5d1f3D8PFdWUW45ILdN9+ - Tvgu9ijpqfu+4faO5UVODPU/GpF8sd8UhTRtrsQof/OzdBP6cbT7OsNYg6fQd4XL - rNd+I4++Fjjcm36/6uS0Uk80ASZTlsJd8IGAJzG2+KlTilZWo4VC/A== - -----END RSA PRIVATE KEY----- - public: ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDXHrPNf85KM3Co+5BMkbJeogH44HM1PEJdBlRitv1z1mMLutLK+qmel82raJJqD5NKTJmbP6tI5V7L3hgF/wpj20jc9fAwWfKhIixMKGYOlKI3H1v8izBFYcyNaYajSjEPRxWxEgM8fhx30Mw+ltiBj3TrYTucIGC/hv7F6u6XeyOUbM1Y3e1YUnQGDNu9Yoz1Hp8UyBc6sjPYBLJV6kJSLOd2HibQNTcOyPu60SdVrAxRY3xqxZnHpe/GUSCFCLESEinaAU6F7e+b4YaBHQHMJ+ZCqB636NizsWVbdXHaF7yLMC/J8E5X09+l8S/SaAJ3brquKMAUhnJyP3E42683 dummy-key +logging: + enabled: false +sensu: + client: + enabled: false diff --git a/envs/example/vagrant.yml b/envs/example/vagrant.yml index 8e2c017..4e43c74 100644 --- a/envs/example/vagrant.yml +++ b/envs/example/vagrant.yml @@ -25,6 +25,9 @@ kibana: start: false config_in_es: false +security: + enabled: false + #env_vars: # http_proxy: "http://10.0.2.2:3128" # https_proxy: "http://10.0.2.2:3128" diff --git a/plugins/vars/default_vars.py b/plugins/vars/default_vars.py index 825cb1b..8b5b898 100644 --- a/plugins/vars/default_vars.py +++ b/plugins/vars/default_vars.py @@ -41,7 +41,7 @@ def _get_defaults(self): p, cfg_path = load_config_file() defaults_file = get_config(p, DEFAULTS, 'var_defaults_file', 'ANSIBLE_VAR_DEFAULTS_FILE', None) - print "Using defaults.yml: %s" % defaults_file + #print "Using defaults.yml: %s" % defaults_file if not defaults_file: return None diff --git a/roles/bastion/defaults/main.yml b/roles/bastion/defaults/main.yml index f4f1c3b..d9796ea 100644 --- a/roles/bastion/defaults/main.yml +++ b/roles/bastion/defaults/main.yml @@ -6,6 +6,10 @@ yama_utils: - libdbd-mysql-perl - python-daemon +twofa: + enabled: false + method: yubiauthd + yubiauthd: enabled: false package: https://github.com/blueboxgroup/yubiauthd/releases/download/1.0.1/yubiauthd_1.0.1_all.deb @@ -28,3 +32,6 @@ yubiauthd: firewall: friendly_networks: - 0.0.0.0/0 + +google_2fa: + nullok: true diff --git a/roles/bastion/tasks/google-2fa.yml b/roles/bastion/tasks/google-2fa.yml new file mode 100644 index 0000000..33c92d1 --- /dev/null +++ b/roles/bastion/tasks/google-2fa.yml 
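Review bot: The new `server.ssl.cert`/`server.ssl.key` values in this hunk are byte-identical to the `client.ssl.cert`/`client.ssl.key` values added in the hunk above (both PEM bodies start `MIIDAjCCAeqgAwIBAgIJAPqKYjM75y5Y…` and `MIIEpgIBAAKCAQEAyJ3AURyLx32NYgml…`), so the ttyspy client presents the server's own identity and the server has no way to tell a genuine client from a copy of its own bundle. Even for an example environment the client should get its own certificate from the test CA; a comment such as `# client and server must use distinct key pairs; do not reuse the server key as the client identity` next to `client.ssl.key` would stop the pattern being copied into real inventories. The change from the `hostvars[...]` lookup to the literal `ip: 172.16.0.152` seems tied to the new certificate, which appears to carry that address as an IP SAN, so a deployment that changes the address also needs a reissued certificate and that is worth noting beside the key. Private keys kept in group_vars should at least be marked for `ansible-vault` in the accompanying docs so they are not committed in the clear once real values replace the samples.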
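Review bot: `google_2fa.nullok: true` in the second roles/bastion/defaults/main.yml hunk is the switch that decides whether a user with no secret file is asked for a second factor at all, and it ships undocumented; add `# nullok: users with no /etc/google_authenticator/<user> file skip the TOTP step — set false once every user is enrolled` above it. The `twofa.method: yubiauthd` default in the first hunk similarly deserves `# one of: yubiauthd, google`, because roles/bastion/tasks/main.yml only dispatches on those two strings and any other value silently installs no second factor.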
@@ -0,0 +1,35 @@ +--- +- name: install google authenticator pam plugin + apt: + name: libpam-google-authenticator + +- name: update pam for google auth + lineinfile: + dest: /etc/pam.d/sshd + regexp: '^auth required pam_google_authenticator.so' + insertafter: EOF + line: "auth required pam_google_authenticator.so secret=/etc/google_authenticator/${USER} user=root {{ ( google_2fa.nullok|bool ) | ternary('nullok', '') }}" + +- name: update pam to disable common auth + lineinfile: + dest: /etc/pam.d/sshd + regexp: "^@include common-auth" + state: absent + +- name: create google authenticator directory + file: + dest: /etc/google_authenticator + mode: 0700 + owner: root + group: root + state: directory + +- name: set google2a file per user + template: + src: google_authenticator + dest: "/etc/google_authenticator/{{ item.key }}" + owner: "root" + mode: "0600" + with_dict: "{{ users_to_add|default(users) }}" + when: item.value.google_2fa|default({}) + tags: google-2fa, users diff --git a/roles/bastion/tasks/main.yml b/roles/bastion/tasks/main.yml index 728c2a4..2fde3b3 100644 --- a/roles/bastion/tasks/main.yml +++ b/roles/bastion/tasks/main.yml @@ -6,10 +6,21 @@ when: users_to_add is not defined - include: yubiauthd.yml - when: yubiauthd.enabled|default("False")|bool + when: + - twofa.enabled|default("False")|bool + - twofa.method == "yubiauthd" + tags: yubiauthd + +- include: google-2fa.yml + when: + - twofa.enabled|default("False")|bool + - twofa.method == "google" + tags: google-2fa + - include: utils.yml when: yama_utils.enabled|default("False")|bool + tags: yama_utils - include: checks.yml when: sensu.client.enable_checks|default('True')|bool diff --git a/roles/bastion/templates/google_authenticator b/roles/bastion/templates/google_authenticator new file mode 100644 index 0000000..534b595 --- /dev/null +++ b/roles/bastion/templates/google_authenticator 
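Review bot: The `update pam to disable common auth` task removes `@include common-auth`, which leaves `pam_google_authenticator.so` as the only `auth` module in /etc/pam.d/sshd; with `nullok` set, an un-enrolled user makes that module return PAM_IGNORE, and as far as I recall Linux-PAM treats a stack in which every module was ignored as a failure, so the default `nullok: true` would lock un-enrolled users out of the bastion rather than let them in (please verify on a test host before merging). The usual remedy once common-auth is gone is a second `lineinfile` task that appends `auth required pam_permit.so` after the google line, with its own `regexp` so it stays idempotent; enrolled users who fail the TOTP prompt are still rejected because the google module is `required`. The `insertafter: EOF` placement lands the `auth` line after the file's `account`/`session`/`password` entries, which works because PAM orders modules per type, but a one-line comment on the task saying so would save the next reader the check. Nothing prunes /etc/google_authenticator when a user is removed from `users`, so a stale secret file survives; a follow-up `file: state: absent` pass over files whose name is not in the dict would close that gap.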
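Review bot: Replacing `when: yubiauthd.enabled|default("False")|bool` with the `twofa.enabled`/`twofa.method == "yubiauthd"` pair silently disables Yubikey 2FA for every existing environment that only sets `yubiauthd.enabled: true`, because `twofa.enabled` now defaults to false in roles/bastion/defaults/main.yml and nothing warns that the old key is ignored. Either honour the old flag as a fallback on the yubiauthd include, `- twofa.enabled|default(yubiauthd.enabled|default(false))|bool`, or add an `assert` task at the top of this file that fails when `yubiauthd.enabled` is true while `twofa.enabled` is not. A comment on the two includes stating that `twofa.method` values other than `yubiauthd` and `google` install no second factor would also help, since a typo there degrades the bastion to key-only authentication without any error.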
@@ -0,0 +1,7 @@ +{{ item.value.google_2fa.secret_key }} +" RATE_LIMIT 3 30 +" DISALLOW_REUSE +" TOTP_AUTH +{% for code in item.value.google_2fa.emergency_codes %} +{{ code }} +{% endfor %} diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 877f039..dbe3ac0 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -101,7 +101,7 @@ common: ssh_host_rsa_key: public: ~ private: ~ - ghe_authorized_keys: + github_authorized_keys: enabled: False api_url: ~ # ex: https://api.github.com api_user: ~ diff --git a/roles/common/tasks/ssh.yml b/roles/common/tasks/ssh.yml index 61b7120..d6a5ab5 100644 --- a/roles/common/tasks/ssh.yml +++ b/roles/common/tasks/ssh.yml @@ -1,12 +1,12 @@ --- -- name: install GHE authorized keys app +- name: install GitHub authorized keys app template: - src: bin/ghe_authorized_keys.py - dest: /usr/local/bin/ghe_authorized_keys.py + src: bin/github_authorized_keys.py + dest: /usr/local/bin/github_authorized_keys.py owner: root group: root mode: 0755 - when: common.ssh.ghe_authorized_keys.enabled|bool + when: common.ssh.github_authorized_keys.enabled|bool - name: configure ssh settings template: src=etc/ssh/sshd_config diff --git a/roles/common/templates/bin/ghe_authorized_keys.py b/roles/common/templates/bin/github_authorized_keys.py similarity index 50% rename from roles/common/templates/bin/ghe_authorized_keys.py rename to roles/common/templates/bin/github_authorized_keys.py index d53bf43..03b573c 100644 --- a/roles/common/templates/bin/ghe_authorized_keys.py +++ b/roles/common/templates/bin/github_authorized_keys.py 
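Review bot: `{% for code in item.value.google_2fa.emergency_codes %}` aborts rendering for any user who defines `secret_key` but no `emergency_codes`, which fails the whole `set google2a file per user` loop for that host; `{% for code in item.value.google_2fa.emergency_codes|default([]) %}` makes scratch codes optional. The template has no header explaining that the layout mirrors the file `google-authenticator` itself writes (secret on line one, `" `-prefixed option lines, then one scratch code per line); a `{# ... #}` comment saying so, and that `RATE_LIMIT 3 30` means three attempts per 30 seconds, would help maintainers. Because `secret_key` and `emergency_codes` are read from inventory, they are password-equivalent and the new docs should say they belong in an `ansible-vault`-encrypted vars file.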
@@ -8,16 +8,22 @@ if len(sys.argv) == 2: ssh_user = sys.argv[1] - user_url = "{{ common.ssh.ghe_authorized_keys.api_url }}/users/%s" % ssh_user + user_url = "{{ common.ssh.github_authorized_keys.api_url }}/users/%s" % ssh_user key_url = "%s/keys" % user_url - api_user = '{{ common.ssh.ghe_authorized_keys.api_user }}' - api_key = '{{ common.ssh.ghe_authorized_keys.api_pass }}' + api_user = '{{ common.ssh.github_authorized_keys.api_user }}' + api_key = '{{ common.ssh.github_authorized_keys.api_pass }}' - user_info = requests.get(user_url,auth=(api_user, api_key)) + if api_user and api_key: + user_info = requests.get(user_url,auth=(api_user, api_key)) + else: + user_info = requests.get(user_url) if(user_info.ok): user = json.loads(user_info.content) if not user['suspended_at']: - myResponse = requests.get(key_url,auth=(api_user, api_key)) + if api_user and api_key: + myResponse = requests.get(key_url,auth=(api_user, api_key)) + else: + myResponse = requests.get(key_url) if(myResponse.ok): keys = json.loads(myResponse.content) for key in keys: diff --git a/roles/common/templates/etc/ssh/sshd_config b/roles/common/templates/etc/ssh/sshd_config index e14526c..fd22c12 100644 --- a/roles/common/templates/etc/ssh/sshd_config +++ b/roles/common/templates/etc/ssh/sshd_config @@ -52,7 +52,13 @@ PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) +{% if groups['bastion'] is defined and inventory_hostname in groups['bastion'] %} +{% if twofa.enabled|bool and twofa.method == "google" %} +AuthenticationMethods publickey,keyboard-interactive +ChallengeResponseAuthentication yes +{% else %} ChallengeResponseAuthentication no +{% endif %}{% endif %} # Kerberos options #KerberosAuthentication no 
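Review bot: The new `if api_user and api_key:` fallback never triggers with the role defaults, because `api_user: ~` / `api_pass: ~` render into the template as the string `None`, so `api_user = 'None'` is truthy and every request goes out with the credentials `('None', 'None')`; rendering them with `api_user = '{{ common.ssh.github_authorized_keys.api_user|default("", true) }}'` and `api_key = '{{ common.ssh.github_authorized_keys.api_pass|default("", true) }}'` fixes that, and a single `auth = (api_user, api_key) if api_user and api_key else None` passed as `auth=auth` to both `requests.get` calls removes the duplicated branches. The unauthenticated path is also subject to the public API's much lower per-IP rate limit, and this script runs on every SSH login as `AuthorizedKeysCommand`, so exhausting it locks every user out; a comment warning that anonymous mode is only suitable for very low login volumes, or for GHE, belongs next to the fallback. The context line `if not user['suspended_at']:` is GHE-specific as far as I know and will raise `KeyError` against api.github.com, which the rename now invites; `user.get('suspended_at')` is the safe form. The enclosing `if len(sys.argv) == 2:` block continues outside the hunk.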
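Review bot: The nested `{% if groups['bastion'] is defined and inventory_hostname in groups['bastion'] %}` means that on every host that is not a bastion neither branch renders, so `ChallengeResponseAuthentication no` disappears from the generated sshd_config and OpenSSH falls back to its compiled-in default of `yes`, re-enabling PAM challenge-response logins fleet-wide. Collapse the two conditions into one so the `else` branch always emits the `no`: `{% if groups['bastion'] is defined and inventory_hostname in groups['bastion'] and twofa.enabled|bool and twofa.method == "google" %}`, then drop the inner `{% if %}` and the second `{% endif %}`. `AuthenticationMethods publickey,keyboard-interactive` also relies on `UsePAM yes` being set elsewhere in this template, which this hunk does not show; a comment on that line naming the dependency would prevent a silent key-only fallback if someone later turns PAM off.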
@@ -112,15 +118,18 @@ ClientAliveCountMax {{ common.ssh.client_alive.countmax }} # The remaining values are exclusive to Bastion hosts AllowAgentForwarding yes - {% if bastion.force_commands | length > 0 %} +{% if bastion.backdoor_user %} # Backdoor for {{ bastion.backdoor_user }} user -Match User *,!{{ bastion.backdoor_user }} +Match User *,!{{ bastion.backdoor_user }} +{% else %} +Match User * +{% endif %} ForceCommand {{ bastion.force_commands | join(" ") }} {% endif %} {% endif %} -{% if common.ssh.ghe_authorized_keys.enabled | bool %} -AuthorizedKeysCommand /usr/local/bin/ghe_authorized_keys.py +{% if common.ssh.github_authorized_keys.enabled | bool %} +AuthorizedKeysCommand /usr/local/bin/github_authorized_keys.py AuthorizedKeysCommandUser nobody {% endif %} diff --git a/roles/security/defaults/main.yml b/roles/security/defaults/main.yml index f2f1934..03d986d 100644 --- a/roles/security/defaults/main.yml +++ b/roles/security/defaults/main.yml @@ -1,5 +1,6 @@ --- security: + enabled: true always_update: apt: - bash diff --git a/roles/ttyspy-client/handlers/main.yml b/roles/ttyspy/ttyspy-client/handlers/main.yml similarity index 100% rename from roles/ttyspy-client/handlers/main.yml rename to roles/ttyspy/ttyspy-client/handlers/main.yml diff --git a/roles/ttyspy-client/meta/main.yml b/roles/ttyspy/ttyspy-client/meta/main.yml similarity index 100% rename from roles/ttyspy-client/meta/main.yml rename to roles/ttyspy/ttyspy-client/meta/main.yml diff --git a/roles/ttyspy-client/tasks/checks.yml b/roles/ttyspy/ttyspy-client/tasks/checks.yml similarity index 100% rename from roles/ttyspy-client/tasks/checks.yml rename to roles/ttyspy/ttyspy-client/tasks/checks.yml diff --git a/roles/ttyspy-client/tasks/main.yml b/roles/ttyspy/ttyspy-client/tasks/main.yml similarity index 85% rename from roles/ttyspy-client/tasks/main.yml rename to roles/ttyspy/ttyspy-client/tasks/main.yml index 0a3c316..7948cf1 100644 --- a/roles/ttyspy-client/tasks/main.yml 
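Review bot: Dropping the `{% if bastion.force_commands | length > 0 %}` guard means `ForceCommand {{ bastion.force_commands | join(" ") }}` is now rendered even when `force_commands` is empty, producing a bare `ForceCommand` line that sshd rejects as a missing argument — so a bastion with no force commands ends up with a config sshd will refuse to reload. Keep the length check around the whole `Match`/`ForceCommand` stanza, or add `and bastion.force_commands | length > 0` to the conditions that emit the `Match` lines. Also worth a look: the `AuthorizedKeysCommand` directives rendered after this stanza fall inside the still-open `Match User *,!{{ bastion.backdoor_user }}` block, so when a backdoor user is configured that account is not served keys from GitHub; if that is intended, a comment saying so would help, otherwise move those two lines above the `Match` line. The two outer conditionals closed by the trailing `{% endif %}` lines are opened outside this hunk.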
+++ b/roles/ttyspy/ttyspy-client/tasks/main.yml @@ -27,12 +27,7 @@ group: ttyspy mode: 0640 with_fileglob: ../templates/etc/ttyspy/client/* - -# TLS doesn't play nicely with IPs -- name: configure ttyspy server IP & hostname in /etc/hosts - lineinfile: - dest: "/etc/hosts" - line: "{{ ttyspy.server.ip }} {{ ttyspy.server.host }}" + notify: restart ttyspyd - name: configure ttyspyd service template: diff --git a/roles/ttyspy-client/tasks/metrics.yml b/roles/ttyspy/ttyspy-client/tasks/metrics.yml similarity index 100% rename from roles/ttyspy-client/tasks/metrics.yml rename to roles/ttyspy/ttyspy-client/tasks/metrics.yml diff --git a/roles/ttyspy-client/tasks/serverspec.yml b/roles/ttyspy/ttyspy-client/tasks/serverspec.yml similarity index 100% rename from roles/ttyspy-client/tasks/serverspec.yml rename to roles/ttyspy/ttyspy-client/tasks/serverspec.yml diff --git a/roles/ttyspy-client/templates/etc/init/ttyspyd.conf b/roles/ttyspy/ttyspy-client/templates/etc/init/ttyspyd.conf similarity index 100% rename from roles/ttyspy-client/templates/etc/init/ttyspyd.conf rename to roles/ttyspy/ttyspy-client/templates/etc/init/ttyspyd.conf diff --git a/roles/ttyspy-client/templates/etc/ttyspy.conf b/roles/ttyspy/ttyspy-client/templates/etc/ttyspy.conf similarity index 100% rename from roles/ttyspy-client/templates/etc/ttyspy.conf rename to roles/ttyspy/ttyspy-client/templates/etc/ttyspy.conf diff --git a/roles/ttyspy-client/templates/etc/ttyspy/client/ca.pem b/roles/ttyspy/ttyspy-client/templates/etc/ttyspy/client/ca.pem similarity index 100% rename from roles/ttyspy-client/templates/etc/ttyspy/client/ca.pem rename to roles/ttyspy/ttyspy-client/templates/etc/ttyspy/client/ca.pem diff --git a/roles/ttyspy-client/templates/etc/ttyspy/client/cert.pem b/roles/ttyspy/ttyspy-client/templates/etc/ttyspy/client/cert.pem similarity index 100% rename from roles/ttyspy-client/templates/etc/ttyspy/client/cert.pem rename to roles/ttyspy/ttyspy-client/templates/etc/ttyspy/client/cert.pem 
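Review bot: Removing the `/etc/hosts` entry for `{{ ttyspy.server.host }}` without a replacement means the client now relies on that name resolving through normal DNS, while `ttyspy.server.ip` remains in the role defaults with nothing in this role's visible tasks consuming it. The commit message does not say how resolution is expected to work now; either document the requirement next to the default (`# host must resolve from the bastion and match the server certificate's SAN`) or keep the `lineinfile` task gated with `when: ttyspy.server.ip is defined`. Whether a bastion session still opens when ttyspyd cannot reach the receiver is not visible in this diff, but it is the question this change raises for session-recording coverage.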
diff --git a/roles/ttyspy-client/templates/etc/ttyspy/client/key.pem b/roles/ttyspy/ttyspy-client/templates/etc/ttyspy/client/key.pem similarity index 100% rename from roles/ttyspy-client/templates/etc/ttyspy/client/key.pem rename to roles/ttyspy/ttyspy-client/templates/etc/ttyspy/client/key.pem diff --git a/roles/ttyspy-client/templates/serverspec/ttyspy-client_spec.rb b/roles/ttyspy/ttyspy-client/templates/serverspec/ttyspy-client_spec.rb similarity index 100% rename from roles/ttyspy-client/templates/serverspec/ttyspy-client_spec.rb rename to roles/ttyspy/ttyspy-client/templates/serverspec/ttyspy-client_spec.rb diff --git a/roles/ttyspy-common/defaults/main.yml b/roles/ttyspy/ttyspy-common/defaults/main.yml similarity index 85% rename from roles/ttyspy-common/defaults/main.yml rename to roles/ttyspy/ttyspy-common/defaults/main.yml index 9908ece..819db42 100644 --- a/roles/ttyspy-common/defaults/main.yml +++ b/roles/ttyspy/ttyspy-common/defaults/main.yml @@ -16,6 +16,7 @@ ttyspy: server: enabled: false + package: https://github.com/IBM/ttyspy/releases/download/packages/ttyspy-server_0.0.1_amd64.deb host: server.test ip: 127.0.0.1 port: 8090 diff --git a/roles/ttyspy-common/meta/main.yml b/roles/ttyspy/ttyspy-common/meta/main.yml similarity index 100% rename from roles/ttyspy-common/meta/main.yml rename to roles/ttyspy/ttyspy-common/meta/main.yml diff --git a/roles/ttyspy-common/tasks/checks.yml b/roles/ttyspy/ttyspy-common/tasks/checks.yml similarity index 100% rename from roles/ttyspy-common/tasks/checks.yml rename to roles/ttyspy/ttyspy-common/tasks/checks.yml diff --git a/roles/ttyspy-common/tasks/main.yml b/roles/ttyspy/ttyspy-common/tasks/main.yml similarity index 100% rename from roles/ttyspy-common/tasks/main.yml rename to roles/ttyspy/ttyspy-common/tasks/main.yml 
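Review bot: `package` points at a .deb fetched from a GitHub release URL with no accompanying checksum, so whatever task downloads it (not in this diff) has nothing to verify the artifact against beyond TLS to github.com — a replaced or tampered release asset would be installed on the host that stores every recorded privileged session. Add a sibling default such as `package_checksum: null  # "sha256:<hex>"; passed to get_url checksum:` and have the download task fail when it is unset outside dev environments. The `packages` release tag in the URL is also a floating tag rather than a version, so pinning to a versioned release would make the dependency reproducible.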
diff --git a/roles/ttyspy-common/tasks/metrics.yml b/roles/ttyspy/ttyspy-common/tasks/metrics.yml similarity index 100% rename from roles/ttyspy-common/tasks/metrics.yml rename to roles/ttyspy/ttyspy-common/tasks/metrics.yml diff --git a/roles/ttyspy-common/tasks/serverspec.yml b/roles/ttyspy/ttyspy-common/tasks/serverspec.yml similarity index 100% rename from roles/ttyspy-common/tasks/serverspec.yml rename to roles/ttyspy/ttyspy-common/tasks/serverspec.yml diff --git a/roles/ttyspy-common/templates/serverspec/ttyspy-common_spec.rb b/roles/ttyspy/ttyspy-common/templates/serverspec/ttyspy-common_spec.rb similarity index 100% rename from roles/ttyspy-common/templates/serverspec/ttyspy-common_spec.rb rename to roles/ttyspy/ttyspy-common/templates/serverspec/ttyspy-common_spec.rb diff --git a/roles/ttyspy-server/handlers/main.yml b/roles/ttyspy/ttyspy-server/handlers/main.yml similarity index 100% rename from roles/ttyspy-server/handlers/main.yml rename to roles/ttyspy/ttyspy-server/handlers/main.yml diff --git a/roles/ttyspy-server/meta/main.yml b/roles/ttyspy/ttyspy-server/meta/main.yml similarity index 100% rename from roles/ttyspy-server/meta/main.yml rename to roles/ttyspy/ttyspy-server/meta/main.yml diff --git a/roles/ttyspy-server/tasks/checks.yml b/roles/ttyspy/ttyspy-server/tasks/checks.yml similarity index 100% rename from roles/ttyspy-server/tasks/checks.yml rename to roles/ttyspy/ttyspy-server/tasks/checks.yml diff --git a/roles/ttyspy-server/tasks/compression.yml b/roles/ttyspy/ttyspy-server/tasks/compression.yml similarity index 100% rename from roles/ttyspy-server/tasks/compression.yml rename to roles/ttyspy/ttyspy-server/tasks/compression.yml diff --git a/roles/ttyspy-server/tasks/main.yml b/roles/ttyspy/ttyspy-server/tasks/main.yml similarity index 97% rename from roles/ttyspy-server/tasks/main.yml rename to roles/ttyspy/ttyspy-server/tasks/main.yml index 34c8b1b..90c466a 100644 --- a/roles/ttyspy-server/tasks/main.yml 
+++ b/roles/ttyspy/ttyspy-server/tasks/main.yml @@ -27,6 +27,7 @@ group: ttyspy mode: 0640 with_fileglob: ../templates/etc/ttyspy/server/* + notify: restart ttyspy-receiver - name: allow ttyspy traffic ufw: diff --git a/roles/ttyspy-server/tasks/metrics.yml b/roles/ttyspy/ttyspy-server/tasks/metrics.yml similarity index 100% rename from roles/ttyspy-server/tasks/metrics.yml rename to roles/ttyspy/ttyspy-server/tasks/metrics.yml diff --git a/roles/ttyspy-server/tasks/serverspec.yml b/roles/ttyspy/ttyspy-server/tasks/serverspec.yml similarity index 100% rename from roles/ttyspy-server/tasks/serverspec.yml rename to roles/ttyspy/ttyspy-server/tasks/serverspec.yml diff --git a/roles/ttyspy-server/templates/etc/cron.daily/ttyspy_compression b/roles/ttyspy/ttyspy-server/templates/etc/cron.daily/ttyspy_compression similarity index 100% rename from roles/ttyspy-server/templates/etc/cron.daily/ttyspy_compression rename to roles/ttyspy/ttyspy-server/templates/etc/cron.daily/ttyspy_compression diff --git a/roles/ttyspy-server/templates/etc/ttyspy/compression.py b/roles/ttyspy/ttyspy-server/templates/etc/ttyspy/compression.py similarity index 100% rename from roles/ttyspy-server/templates/etc/ttyspy/compression.py rename to roles/ttyspy/ttyspy-server/templates/etc/ttyspy/compression.py diff --git a/roles/ttyspy-server/templates/etc/ttyspy/server/ca.pem b/roles/ttyspy/ttyspy-server/templates/etc/ttyspy/server/ca.pem similarity index 100% rename from roles/ttyspy-server/templates/etc/ttyspy/server/ca.pem rename to roles/ttyspy/ttyspy-server/templates/etc/ttyspy/server/ca.pem diff --git a/roles/ttyspy-server/templates/etc/ttyspy/server/cert.pem b/roles/ttyspy/ttyspy-server/templates/etc/ttyspy/server/cert.pem similarity index 100% rename from roles/ttyspy-server/templates/etc/ttyspy/server/cert.pem rename to roles/ttyspy/ttyspy-server/templates/etc/ttyspy/server/cert.pem 
diff --git a/roles/ttyspy-server/templates/etc/ttyspy/server/key.pem b/roles/ttyspy/ttyspy-server/templates/etc/ttyspy/server/key.pem similarity index 100% rename from roles/ttyspy-server/templates/etc/ttyspy/server/key.pem rename to roles/ttyspy/ttyspy-server/templates/etc/ttyspy/server/key.pem diff --git a/roles/ttyspy-server/templates/serverspec/ttyspy-server_spec.rb b/roles/ttyspy/ttyspy-server/templates/serverspec/ttyspy-server_spec.rb similarity index 100% rename from roles/ttyspy-server/templates/serverspec/ttyspy-server_spec.rb rename to roles/ttyspy/ttyspy-server/templates/serverspec/ttyspy-server_spec.rb diff --git a/site.yml b/site.yml index b1e920c..d5ec7b4 100644 --- a/site.yml +++ b/site.yml @@ -56,25 +56,25 @@ hosts: bastion serial: 1 roles: - - role: ttyspy-client - tags: ['ttyspy-client'] + - role: ttyspy/ttyspy-client + tags: ['ttyspy-client', 'ttyspy'] when: ttyspy.client.enabled|default("False")|bool - role: sshagentmux tags: ['sshagentmux'] when: sshagentmux.enabled|default("False")|bool + - role: bastion + tags: ['bastion-role','bastion'] # - role: support-tools # tags: ['support-tools'] # when: support_tools.enabled|default("False")|bool -# - role: bastion -# tags: ['bastion-role'] environment: "{{ env_vars|default({}) }}" any_errors_fatal: true - name: ttyspy server hosts: ttyspy-server roles: - - role: ttyspy-server - tags: ['ttyspy-server'] + - role: ttyspy/ttyspy-server + tags: ['ttyspy-server', 'ttyspy'] when: ttyspy.server.enabled|default("False")|bool environment: "{{ env_vars|default({}) }}" any_errors_fatal: true @@ -235,5 +235,6 @@ roles: - role: security tags: ['security', 'always'] + when: security.enabled|default('true')|bool environment: "{{ env_vars|default({}) }}" any_errors_fatal: true
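Review bot: The new `when: security.enabled|default('true')|bool` lets a single inventory variable silently skip the hardening role that is deliberately tagged `always`, and nothing in the play records that this happened. Prefer a real boolean default, `when: security.enabled | default(true) | bool`, and make the opt-out visible, for example a `pre_tasks` `debug` with message `"security role disabled for {{ inventory_hostname }}"` under the inverse condition, or an `assert` that `security.enabled` is true in production environments. The play header these roles belong to is outside the hunk.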