init projects

This commit is contained in:
areeqakbr 2025-08-14 09:19:37 +07:00
commit c740fd5a50
10 changed files with 357 additions and 0 deletions

16
inventory/production.yaml Normal file

@ -0,0 +1,16 @@
all:
children:
security_servers:
hosts:
security-server-01:
ansible_host: 10.0.1.10
ansible_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/security-key.pem
security-server-02:
ansible_host: 10.0.1.11
ansible_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/security-key.pem
vars:
environment: production
vault_version: "1.15.2"
prometheus_version: "2.47.0"
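Review bot: `environment` is a reserved Ansible keyword (it is the play/task keyword for process environment variables), so `environment: production` as a group var draws a "Found variable using reserved name" warning and is easy to shadow; playbooks/site.yaml already uses `server_environment`, so the inventory should match it: `server_environment: production`. The same applies to `environment: staging` in inventory/staging.yaml. Separately, `vault_version` and `prometheus_version` set here are overridden by the play-level `vars:` in playbooks/site.yaml and playbooks/monitoring.yaml, which take precedence over inventory group vars, so these inventory values have no effect until the duplicated play vars are removed.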

12
inventory/staging.yaml Normal file

@ -0,0 +1,12 @@
all:
children:
security_servers:
hosts:
security-staging-01:
ansible_host: 10.0.2.10
ansible_user: ubuntu
ansible_ssh_private_key_file: ~/.ssh/staging-key.pem
vars:
environment: staging
vault_version: "1.15.2"
prometheus_version: "2.47.0"

150
playbooks/monitoring.yaml Normal file

@ -0,0 +1,150 @@
- name: Deploy Security Monitoring Infrastructure
hosts: security_servers
become: true
vars:
prometheus_version: "2.47.0"
grafana_version: "10.1.0"
node_exporter_version: "1.6.1"
alertmanager_version: "0.25.0"
monitoring_retention_days: 30
roles:
- prometheus
- vault
- wazuh
tasks:
- name: Install Node Exporter
block:
- name: Download Node Exporter
get_url:
url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
dest: /tmp/node_exporter.tar.gz
- name: Extract Node Exporter
unarchive:
src: /tmp/node_exporter.tar.gz
dest: /opt/
remote_src: yes
owner: prometheus
group: prometheus
- name: Create Node Exporter symlink
file:
src: "/opt/node_exporter-{{ node_exporter_version }}.linux-amd64/node_exporter"
dest: /usr/local/bin/node_exporter
state: link
- name: Create Node Exporter systemd service
copy:
content: |
[Unit]
Description=Node Exporter
Wants=network-online.target
After=network-online.target
[Service]
User=prometheus
Group=prometheus
Type=simple
ExecStart=/usr/local/bin/node_exporter
[Install]
WantedBy=multi-user.target
dest: /etc/systemd/system/node_exporter.service
notify:
- reload systemd
- restart node_exporter
- name: Install Grafana
block:
- name: Add Grafana GPG key
apt_key:
url: https://packages.grafana.com/gpg.key
state: present
- name: Add Grafana repository
apt_repository:
repo: "deb https://packages.grafana.com/oss/deb stable main"
state: present
- name: Install Grafana
apt:
name: grafana
state: present
update_cache: yes
- name: Start and enable Grafana
service:
name: grafana-server
state: started
enabled: yes
- name: Configure security monitoring alerts
copy:
content: |
groups:
- name: security_alerts
rules:
- alert: WazuhManagerDown
expr: up{job="wazuh"} == 0
for: 2m
labels:
severity: critical
annotations:
summary: "Wazuh Manager is down"
- alert: VaultSealed
expr: vault_core_unsealed == 0
for: 1m
labels:
severity: critical
annotations:
summary: "Vault is sealed"
- alert: HighCPUUsage
expr: 100 - (avg by(instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) > 80
for: 5m
labels:
severity: warning
annotations:
summary: "High CPU usage on {{ $labels.instance }}"
dest: /etc/prometheus/security_rules.yml
owner: prometheus
group: prometheus
notify: restart prometheus
handlers:
- name: reload systemd
systemd:
daemon_reload: yes
- name: restart prometheus
service:
name: prometheus
state: restarted
- name: restart node_exporter
service:
name: node_exporter
state: restarted
enabled: yes
post_tasks:
- name: Verify monitoring services
service:
name: "{{ item }}"
state: started
enabled: yes
loop:
- prometheus
- node_exporter
- grafana-server
- name: Display monitoring URLs
debug:
msg: |
Monitoring services available at:
- Prometheus: http://{{ ansible_default_ipv4.address }}:9090
- Grafana: http://{{ ansible_default_ipv4.address }}:3000
- Node Exporter: http://{{ ansible_default_ipv4.address }}:9100
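Review bot: `summary: "High CPU usage on {{ $labels.instance }}"` inside the `copy: content:` block is rendered by Jinja2 before it reaches Prometheus, and `$labels.instance` is not valid Jinja2, so the "Configure security monitoring alerts" task fails at template time; escape it, e.g. `summary: "High CPU usage on {% raw %}{{ $labels.instance }}{% endraw %}"`. The Node Exporter `get_url` has no `checksum:`, so a tampered or mismatched tarball is extracted and symlinked into `/usr/local/bin` silently; Prometheus publishes a `sha256sums.txt` with each release, which `get_url` can consume directly via `checksum: "sha256:https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/sha256sums.txt"`. The same missing `checksum:` applies to the Prometheus tarball in roles/prometheus/tasks/main.yml and the Vault zip in roles/vault/tasks/main.yml, for which HashiCorp publishes a `_SHA256SUMS` file per release. The `roles:` list also names `wazuh`, whereas the role added in this commit and used by playbooks/site.yaml is `wazuh-server`; if no `wazuh` role exists elsewhere, the play aborts before any task runs.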

33
playbooks/site.yaml Normal file

@ -0,0 +1,33 @@
---
- name: Deploy Centralized Security Server
hosts: security_servers
become: true
vars:
server_environment: production
vault_version: "1.15.2"
wazuh_version: "4.7.0"
roles:
- common # Base system hardening
- docker # Container runtime
- nginx-proxy # Reverse proxy with SSL
- vault # HashiCorp Vault
- wazuh-server # OSSEC/Wazuh server
- elasticsearch # Log storage
- prometheus # Metrics collection
- grafana # Dashboards
- vulnerability-scanner # Security scanning
- backup-setup # Backup configuration
post_tasks:
- name: Verify all services are running
service:
name: "{{ item }}"
state: started
enabled: yes
loop:
- vault
- wazuh-manager
- elasticsearch
- prometheus
- grafana
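Review bot: `server_environment: production` hard-coded in the play `vars:` overrides any inventory value, so running this play with inventory/staging.yaml still configures hosts as production; remove it from the play vars and let the inventory supply it. The `roles:` list references `common`, `docker`, `nginx-proxy`, `elasticsearch`, `grafana`, `vulnerability-scanner` and `backup-setup`, none of which appear among the 10 files in this commit, so unless they exist elsewhere in the repository the play fails at role resolution. For consistency with `become: true` at the top of the play, the verify task should use `enabled: true` rather than `enabled: yes`.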


@ -0,0 +1,46 @@
# roles/prometheus/tasks/main.yml
---
- name: Create prometheus user
user:
name: prometheus
system: yes
shell: /bin/false
- name: Create prometheus directories
file:
path: "{{ item }}"
state: directory
owner: prometheus
group: prometheus
loop:
- /etc/prometheus
- /var/lib/prometheus
- name: Download Prometheus
get_url:
url: "https://github.com/prometheus/prometheus/releases/download/v{{ prometheus_version }}/prometheus-{{ prometheus_version }}.linux-amd64.tar.gz"
dest: /tmp/prometheus.tar.gz
- name: Extract Prometheus
unarchive:
src: /tmp/prometheus.tar.gz
dest: /opt/
remote_src: yes
owner: prometheus
group: prometheus
- name: Configure Prometheus
template:
src: prometheus.yml.j2
dest: /etc/prometheus/prometheus.yml
owner: prometheus
group: prometheus
notify: restart prometheus
- name: Create Prometheus systemd service
template:
src: prometheus.service.j2
dest: /etc/systemd/system/prometheus.service
notify:
- reload systemd
- restart prometheus
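Review bot: None of the `file`, `unarchive` or `template` tasks set a `mode`, so `/etc/prometheus`, `/var/lib/prometheus` and `/etc/prometheus/prometheus.yml` are created with umask defaults (typically world-readable), whereas the sibling vault role pins `mode: '0750'` on its directories and `mode: '0640'` on its config; scrape configs commonly carry bearer tokens or basic-auth credentials, so this role should match by adding `mode: '0750'` to the "Create prometheus directories" task and `mode: '0640'` to the "Configure Prometheus" template. The `reload systemd` and `restart prometheus` handlers are not defined in this file; if they live in a handlers/main.yml outside this view that is fine, otherwise the notifies error at runtime when the role is used from playbooks/site.yaml, which defines no handlers. The `yes` in `system: yes` and `remote_src: yes` should be `true` for consistency with the playbooks.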


@ -0,0 +1,58 @@
# roles/vault/tasks/main.yml
---
- name: Create vault user
user:
name: vault
system: yes
shell: /bin/false
home: /opt/vault
- name: Download Vault binary
get_url:
url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
dest: /tmp/vault.zip
mode: '0644'
- name: Extract Vault binary
unarchive:
src: /tmp/vault.zip
dest: /usr/local/bin/
remote_src: yes
owner: root
group: root
mode: '0755'
- name: Create Vault directories
file:
path: "{{ item }}"
state: directory
owner: vault
group: vault
mode: '0750'
loop:
- /etc/vault.d
- /opt/vault/data
- /opt/vault/logs
- name: Generate Vault configuration
template:
src: vault.hcl.j2
dest: /etc/vault.d/vault.hcl
owner: vault
group: vault
mode: '0640'
notify: restart vault
- name: Create Vault systemd service
template:
src: vault.service.j2
dest: /etc/systemd/system/vault.service
notify:
- reload systemd
- restart vault
- name: Start and enable Vault service
service:
name: vault
state: started
enabled: yes
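Review bot: "Start and enable Vault service" issues `state: started` in the same task list that just templated `/etc/systemd/system/vault.service`, but the notified `reload systemd` handler only runs at the end of the play, so the start can race a stale systemd unit cache on a fresh host; the safe ordering is `- meta: flush_handlers` immediately before the start task, or switching that task to the `systemd` module with `daemon_reload: true`. Vault running as the unprivileged `vault` user needs `CAP_IPC_LOCK` to mlock its memory (or `disable_mlock = true` with swap disabled); nothing in this hunk grants it, so presumably `vault.service.j2` carries `AmbientCapabilities=CAP_IPC_LOCK` or the binary gets `setcap` after extraction — worth confirming, as the template is not in view. The `restart vault` and `reload systemd` handlers are likewise not defined in this hunk.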


@ -0,0 +1,42 @@
# roles/wazuh-server/tasks/main.yml
---
- name: Add Wazuh repository
get_url:
url: https://packages.wazuh.com/key/GPG-KEY-WAZUH
dest: /tmp/GPG-KEY-WAZUH
- name: Add Wazuh GPG key
apt_key:
file: /tmp/GPG-KEY-WAZUH
state: present
- name: Add Wazuh repository
apt_repository:
repo: "deb https://packages.wazuh.com/4.x/apt/ stable main"
state: present
- name: Install Wazuh manager
apt:
name:
- wazuh-manager
- wazuh-indexer
- wazuh-dashboard
state: present
update_cache: yes
- name: Configure Wazuh manager
template:
src: ossec.conf.j2
dest: /var/ossec/etc/ossec.conf
backup: yes
notify: restart wazuh-manager
- name: Start Wazuh services
service:
name: "{{ item }}"
state: started
enabled: yes
loop:
- wazuh-manager
- wazuh-indexer
- wazuh-dashboard
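Review bot: Two tasks carry the name `Add Wazuh repository`; the first one, using `get_url`, actually fetches the signing key, so run output and `--start-at-task` are ambiguous — rename it `- name: Download Wazuh GPG key`. The key is then installed with `apt_key`, whose underlying `apt-key` is deprecated by Debian/Ubuntu and trusts the key for every repository on the host; the current idiom is to place the key under `/etc/apt/keyrings/` and bind it to this repo with `signed-by=` in the `repo:` string. The `yes` values in `update_cache`, `backup` and `enabled` should be `true` per yamllint's truthy rule.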