From a3d4468cf80f3882921cfd84287a613cbfd28f78 Mon Sep 17 00:00:00 2001
From: areeqakbr
Date: Thu, 14 Aug 2025 14:14:01 +0700
Subject: [PATCH] complete ansible for security installation

---
 .gitignore | 1 +
 ansible.cfg | 10 ++
 inventory/production.yaml | 11 +-
 playbooks/monitoring.yaml | 6 +-
 roles/promotheus/task/main.yaml | 46 ------
 roles/promotheus/tasks/main.yaml | 73 ++++++++++
 roles/vault/{task => tasks}/main.yaml | 0
 roles/wazuh/task/main.yaml | 42 ------
 roles/wazuh/tasks/main.yaml | 192 ++++++++++++++++++++++++++
 9 files changed, 283 insertions(+), 98 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 ansible.cfg
 delete mode 100644 roles/promotheus/task/main.yaml
 create mode 100644 roles/promotheus/tasks/main.yaml
 rename roles/vault/{task => tasks}/main.yaml (100%)
 delete mode 100644 roles/wazuh/task/main.yaml
 create mode 100644 roles/wazuh/tasks/main.yaml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a38349e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+%*
\ No newline at end of file
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..d295048
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,10 @@
+[defaults]
+inventory = inventory/production.yaml
+host_key_checking = False
+remote_user = cifo
+private_key_file = ~/.ssh/id_ed25519
+roles_path = roles
+
+[ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
+pipelining = True
\ No newline at end of file
diff --git a/inventory/production.yaml b/inventory/production.yaml
index 602871d..9e38456 100644
--- a/inventory/production.yaml
+++ b/inventory/production.yaml
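Review bot: `host_key_checking = False` together with `-o StrictHostKeyChecking=no` in `ssh_args` switches off SSH host key verification for every connection this repository makes, so a host answering on the inventory address with the wrong key is accepted silently and receives the controller's commands and whatever the vault and wazuh roles push. With a single production host this is cheap to do properly: delete `host_key_checking = False`, shorten the line to `ssh_args = -o ControlMaster=auto -o ControlPersist=60s`, and record the server's key once (the `known_hosts` module, or a committed `UserKnownHostsFile`) so a key change fails loudly instead of being ignored. The file also ends without a trailing newline.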
@@ -3,13 +3,10 @@ all: security_servers: hosts: security-server-01: - ansible_host: 10.0.1.10 - ansible_user: ubuntu - ansible_ssh_private_key_file: ~/.ssh/security-key.pem - security-server-02: - ansible_host: 10.0.1.11 - ansible_user: ubuntu - ansible_ssh_private_key_file: ~/.ssh/security-key.pem + ansible_host: 172.16.255.177 + ansible_user: cifo + ansible_port: 60022 + ansible_ssh_private_key_file: ~/.ssh/id_ed25519 vars: environment: production vault_version: "1.15.2" diff --git a/playbooks/monitoring.yaml b/playbooks/monitoring.yaml index c50d622..ac3f47f 100644 --- a/playbooks/monitoring.yaml +++ b/playbooks/monitoring.yaml @@ -9,9 +9,9 @@ monitoring_retention_days: 30 roles: - - promotheus - - vault - - wazuh + - promotheus + - vault + - wazuh tasks: - name: Install Node Exporter diff --git a/roles/promotheus/task/main.yaml b/roles/promotheus/task/main.yaml deleted file mode 100644 index 6934213..0000000 --- a/roles/promotheus/task/main.yaml +++ /dev/null 
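Review bot: The new per-host `ansible_user: cifo` and `ansible_ssh_private_key_file: ~/.ssh/id_ed25519` repeat `remote_user` and `private_key_file` from the ansible.cfg added in this same commit, so the login identity is now defined in two places that can drift; keep the host-specific values (`ansible_host`, `ansible_port`) here and let ansible.cfg own the user and key, or the other way round, but not both. The group var `environment: production` on the context line uses a name ansible-core reserves (it collides with the `environment` play/task keyword and triggers a reserved-name warning); renaming it to something like `deploy_environment` avoids the warning and the shadowing.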
@@ -1,46 +0,0 @@ -# roles/prometheus/tasks/main.yml ---- -- name: Create prometheus user - user: - name: prometheus - system: yes - shell: /bin/false - -- name: Create prometheus directories - file: - path: "{{ item }}" - state: directory - owner: prometheus - group: prometheus - loop: - - /etc/prometheus - - /var/lib/prometheus - -- name: Download Prometheus - get_url: - url: "https://github.com/prometheus/prometheus/releases/download/v{{ prometheus_version }}/prometheus-{{ prometheus_version }}.linux-amd64.tar.gz" - dest: /tmp/prometheus.tar.gz - -- name: Extract Prometheus - unarchive: - src: /tmp/prometheus.tar.gz - dest: /opt/ - remote_src: yes - owner: prometheus - group: prometheus - -- name: Configure Prometheus - template: - src: prometheus.yml.j2 - dest: /etc/prometheus/prometheus.yml - owner: prometheus - group: prometheus - notify: restart prometheus - -- name: Create Prometheus systemd service - template: - src: prometheus.service.j2 - dest: /etc/systemd/system/prometheus.service - notify: - - reload systemd - - restart prometheus diff --git a/roles/promotheus/tasks/main.yaml b/roles/promotheus/tasks/main.yaml new file mode 100644 index 0000000..1eafcb7 --- /dev/null +++ b/roles/promotheus/tasks/main.yaml 
@@ -0,0 +1,73 @@ +--- +- name: Update apt cache + apt: + update_cache: yes + +- name: Install Prometheus from Ubuntu repository + apt: + name: + - prometheus + - prometheus-node-exporter + state: present + +- name: Check which Prometheus services are available + shell: systemctl list-unit-files | grep prometheus + register: prometheus_services + ignore_errors: true + +- name: Debug available Prometheus services + debug: + var: prometheus_services.stdout_lines + +- name: Generate Prometheus configuration + template: + src: prometheus.yml.j2 + dest: /etc/prometheus/prometheus.yml + owner: prometheus + group: prometheus + mode: '0644' + backup: yes + notify: restart prometheus + +- name: Start and enable Prometheus service (try different service names) + service: + name: "{{ item }}" + state: started + enabled: yes + loop: + - prometheus + - prometheus-server + ignore_errors: true + register: service_start_result + +- name: Debug service start results + debug: + var: service_start_result + +- name: Start and enable Node Exporter + service: + name: prometheus-node-exporter + state: started + enabled: yes + ignore_errors: true + +- name: Check Prometheus status + shell: systemctl status prometheus* --no-pager + register: prometheus_status + ignore_errors: true + +- name: Show Prometheus status + debug: + var: prometheus_status.stdout_lines + +- name: Check if Prometheus is listening on port 9090 + wait_for: + port: 9090 + host: 127.0.0.1 + timeout: 30 + ignore_errors: true + register: port_check + +- name: Debug port check + debug: + var: port_check \ No newline at end of file diff --git a/roles/vault/task/main.yaml b/roles/vault/tasks/main.yaml similarity index 100% rename from roles/vault/task/main.yaml rename to roles/vault/tasks/main.yaml diff --git a/roles/wazuh/task/main.yaml b/roles/wazuh/task/main.yaml deleted file mode 100644 index de6be48..0000000 --- a/roles/wazuh/task/main.yaml +++ /dev/null 
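Review bot: Every verification step in the new task file carries `ignore_errors: true`, including the final `wait_for` on port 9090, so the role reports success even when Prometheus never came up; the loop in `Start and enable Prometheus service (try different service names)` hides a genuine start failure the same way. Use `ansible.builtin.service_facts` (or the already registered `prometheus_services` output) to pick the unit that actually exists, start only that one without `ignore_errors`, and let the port check fail the play. The two `shell` probes (`systemctl list-unit-files | grep prometheus` and `systemctl status prometheus* --no-pager`) are read-only and should carry `changed_when: false`, as the wazuh role's status check in this same commit already does, so every run is not reported as changed. The template task notifies `restart prometheus`, but no handlers file for this role appears in the diff; if roles/promotheus/handlers/main.yaml does not exist elsewhere, ansible-core fails the play when the notified handler cannot be found.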
@@ -1,42 +0,0 @@ -# roles/wazuh-server/tasks/main.yml ---- -- name: Add Wazuh repository - get_url: - url: https://packages.wazuh.com/key/GPG-KEY-WAZUH - dest: /tmp/GPG-KEY-WAZUH - -- name: Add Wazuh GPG key - apt_key: - file: /tmp/GPG-KEY-WAZUH - state: present - -- name: Add Wazuh repository - apt_repository: - repo: "deb https://packages.wazuh.com/4.x/apt/ stable main" - state: present - -- name: Install Wazuh manager - apt: - name: - - wazuh-manager - - wazuh-indexer - - wazuh-dashboard - state: present - update_cache: yes - -- name: Configure Wazuh manager - template: - src: ossec.conf.j2 - dest: /var/ossec/etc/ossec.conf - backup: yes - notify: restart wazuh-manager - -- name: Start Wazuh services - service: - name: "{{ item }}" - state: started - enabled: yes - loop: - - wazuh-manager - - wazuh-indexer - - wazuh-dashboard \ No newline at end of file diff --git a/roles/wazuh/tasks/main.yaml b/roles/wazuh/tasks/main.yaml new file mode 100644 index 0000000..92f9c99 --- /dev/null +++ b/roles/wazuh/tasks/main.yaml 
@@ -0,0 +1,192 @@ +--- +- name: Update apt cache + apt: + update_cache: yes + +- name: Install required packages + apt: + name: + - curl + - apt-transport-https + - lsb-release + - gnupg2 + state: present + +- name: Add Wazuh repository key + get_url: + url: https://packages.wazuh.com/key/GPG-KEY-WAZUH + dest: /tmp/GPG-KEY-WAZUH + +- name: Add Wazuh GPG key + apt_key: + file: /tmp/GPG-KEY-WAZUH + state: present + +- name: Add Wazuh repository + apt_repository: + repo: "deb https://packages.wazuh.com/4.x/apt/ stable main" + state: present + +- name: Install Wazuh manager first + apt: + name: wazuh-manager + state: present + update_cache: yes + +- name: Start and enable Wazuh manager + service: + name: wazuh-manager + state: started + enabled: yes + +- name: Install Wazuh indexer + apt: + name: wazuh-indexer + state: present + update_cache: yes + +- name: Stop Wazuh indexer before configuration + service: + name: wazuh-indexer + state: stopped + +- name: Configure Wazuh indexer with security disabled + copy: + content: | + cluster.name: wazuh-cluster + node.name: wazuh-node-1 + path.data: /var/lib/wazuh-indexer + path.logs: /var/log/wazuh-indexer + + network.host: 127.0.0.1 + http.port: 9200 + transport.host: 127.0.0.1 + transport.tcp.port: 9300 + + bootstrap.memory_lock: false + cluster.initial_master_nodes: ["wazuh-node-1"] + + # Disable security plugin to avoid certificate issues + plugins.security.disabled: true + + # Memory settings + indices.memory.index_buffer_size: 10% + + # Discovery settings + discovery.type: single-node + dest: /etc/wazuh-indexer/opensearch.yml + backup: yes + owner: wazuh-indexer + group: wazuh-indexer + mode: '0660' + +- name: Set JVM heap size for Wazuh indexer (1GB system has plenty of RAM) + copy: + content: | + -Xms1g + -Xmx1g + -XX:+UseG1GC + -XX:MaxGCPauseMillis=200 + -XX:+UnlockExperimentalVMOptions + -XX:+UseCGroupMemoryLimitForHeap + -XX:+DisableExplicitGC + -Djava.io.tmpdir=/tmp + -XX:+HeapDumpOnOutOfMemoryError + 
-XX:HeapDumpPath=/var/lib/wazuh-indexer + -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log + -XX:+PrintGCDetails + -XX:+PrintGCTimeStamps + -XX:+PrintGCDateStamps + -XX:+PrintClassHistogram + -XX:+PrintTenuringDistribution + -XX:+PrintGCApplicationStoppedTime + -Xloggc:/var/log/wazuh-indexer/gc.log + -XX:+UseGCLogFileRotation + -XX:NumberOfGCLogFiles=32 + -XX:GCLogFileSize=64m + dest: /etc/wazuh-indexer/jvm.options + backup: yes + owner: wazuh-indexer + group: wazuh-indexer + mode: '0660' + +- name: Set vm.max_map_count for Wazuh indexer + sysctl: + name: vm.max_map_count + value: '262144' + state: present + reload: yes + +- name: Reload systemd daemon + systemd: + daemon_reload: yes + +- name: Start and enable Wazuh indexer + service: + name: wazuh-indexer + state: started + enabled: yes + register: indexer_start + +- name: Wait for Wazuh indexer to be ready + wait_for: + port: 9200 + host: 127.0.0.1 + delay: 10 + timeout: 120 + when: not indexer_start.failed + +- name: Test Wazuh indexer API + uri: + url: http://127.0.0.1:9200 + method: GET + register: indexer_api_test + ignore_errors: true + +- name: Show indexer API test result + debug: + var: indexer_api_test + +- name: Install Wazuh dashboard + apt: + name: wazuh-dashboard + state: present + update_cache: yes + when: not indexer_start.failed + +- name: Configure Wazuh dashboard + copy: + content: | + server.host: 0.0.0.0 + server.port: 443 + opensearch.hosts: ["http://127.0.0.1:9200"] + opensearch.ssl.verificationMode: none + opensearch.security.auth.type: "basicauth" + opensearch_security.cookie.secure: false + dest: /etc/wazuh-dashboard/opensearch_dashboards.yml + backup: yes + owner: wazuh-dashboard + group: wazuh-dashboard + mode: '0660' + when: not indexer_start.failed + +- name: Start and enable Wazuh dashboard + service: + name: wazuh-dashboard + state: started + enabled: yes + when: not indexer_start.failed + +- name: Verify Wazuh services status + shell: systemctl status {{ item }} --no-pager + 
register: wazuh_status + changed_when: false + ignore_errors: true + loop: + - wazuh-manager + - wazuh-indexer + - wazuh-dashboard + +- name: Show Wazuh services status + debug: + var: wazuh_status.results \ No newline at end of file
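Review bot: The `Set JVM heap size for Wazuh indexer` task overwrites the packaged `/etc/wazuh-indexer/jvm.options` with JDK 8-era flags (`-XX:+PrintGCDetails`, `-XX:+UseGCLogFileRotation`, `-XX:+UseCGroupMemoryLimitForHeap`, `-Xloggc`) that JDK 11 and newer reject with "Unrecognized VM option", so the indexer will refuse to start if the JDK bundled with the wazuh-indexer package is that recent, and every other setting the shipped file carries is discarded as well. Keep the packaged file and set only the heap in a drop-in (OpenSearch reads `jvm.options.d/*.options`; confirm the directory the wazuh-indexer package uses), as sketched below; the task name's "1GB system has plenty of RAM" also contradicts `-Xms1g`/`-Xmx1g`, which leaves nothing for the OS on a 1 GB host. `Start and enable Wazuh indexer` has no `ignore_errors`, so a failure there stops the play and each later `when: not indexer_start.failed` is always true — either add `ignore_errors: true` to that task or drop the conditions. On the security side, `plugins.security.disabled: true` on the indexer plus `opensearch_security.cookie.secure: false` and `server.host: 0.0.0.0` on the dashboard leave the alert store with no authentication on 127.0.0.1:9200 (any local process can read or delete it) and expose the dashboard on every interface while it talks to that unauthenticated backend over `http://`; for a security installation this should at most be a documented interim state, with a comment such as `# TODO: re-enable plugins.security and provision certificates before production use` on the indexer config task. `apt_key` wraps `apt-key`, which Ubuntu has deprecated; on current releases prefer placing the key under `/etc/apt/keyrings` and adding `signed-by=` to the `apt_repository` line.
```yaml
- name: Set JVM heap size for Wazuh indexer
  copy:
    content: |
      -Xms1g
      -Xmx1g
    dest: /etc/wazuh-indexer/jvm.options.d/heap.options  # constructed path: confirm the drop-in dir of the wazuh-indexer package
    backup: yes
    owner: wazuh-indexer
    group: wazuh-indexer
    mode: '0660'
# … unchanged: remaining tasks …
```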