codeenigma · matej5 · Feb 23, 2024 · Feb 23, 2024 · Feb 23, 2024
diff --git a/README.md b/README.md
@@ -28,3 +28,9 @@ Ansible roles and group of roles that constitute the deploy stack.
 
 ### [Documentation](contribute/README.md#documentation)
 <!--ENDTOC-->
+
+<a href="https://github.com/codeenigma/ce-provision/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=codeenigma/ce-provision" />
+</a>
+
+Made with [contrib.rocks](https://contrib.rocks).
diff --git a/docs/roles/_init.md b/docs/roles/_init.md
@@ -14,6 +14,7 @@ _init:
   # This is used to detect if the playbook must re-run or not.
   vars_dirs: []
   force_play: false
+  ce_provision_version: 2.x # Outputted by the _init role at the start of plays.
 
   # Although these variables logically belong with ce_provision, the _init role needs to
   # gather the extra variables if there are any, so there are _init variables.

diff --git a/docs/roles/aws/aws_cloudfront_distribution.md b/docs/roles/aws/aws_cloudfront_distribution.md
@@ -7,6 +7,32 @@ Creates a new AWS CloudFront distribution (CDN) for content delivery.
 ## Default variables
 ```yaml
 ---
+# Uncomment cf_acl to create firewall rules for Cloudfront distro
+#rate_limit: 600 # rate_limit needs to be standalone variable to avoid casting issues (it will be considrate as string instead of int)
+#cf_acl:
+#  acl_name: "dummy_master_acl"
+#  scope: "CLOUDFRONT" # Can be "REGIONAL"
+#  region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped
+#
+#  ip_allow
+#    name: "Allowed-ips"
+#    list:
+#    - 1.1.1.1/32
+#    - 2.2.2.2/32
+#    - 3.3.3.3/32
+#
+#  ip_block:
+#    name: "Blocked-ips"
+#    list:
+#    - 4.4.4.4/32
+#    - 5.5.5.5/32
+#    - 6.6.6.6/32
+#
+#  cc_block_list:
+#    - BY # Belarus
+#    - CN # China
+#    - IR # Iran
+#    - SA # Saudi Arabia
 aws_cloudfront_distribution:
   aws_profile: "{{ _aws_profile }}"
   region: "{{ _aws_region }}"
@@ -69,7 +95,11 @@ aws_cloudfront_distribution:
   cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required.
   enabled: true
   purge_existing: true # Set to false to append entries instead of replacing them.
-
+#  logging:
+#    bucket: "" # URL of S3 bucket to store logs
+#    enabled: false # Set true to allow logging
+#    include_cookies: false # Set true to add cookies in logs
+#    prefix: "" # Prefix for S3 object names
 ```
 
 <!--ENDROLEVARS-->
diff --git a/docs/roles/debian/ce_provision.md b/docs/roles/debian/ce_provision.md
@@ -37,7 +37,7 @@ ce_provision:
   contrib_roles:
     - directory: wazuh
       repo: https://github.com/wazuh/wazuh-ansible.git
-      branch: stable
+      branch: "v4.7.2"
     - directory: systemd_timers
       repo: https://github.com/vlcty/ansible-systemd-timers.git
       branch: master

diff --git a/docs/roles/debian/clamav.md b/docs/roles/debian/clamav.md
@@ -24,6 +24,7 @@ clamav:
   scan_location: /
   exclude_directories:
     - /sys/
+  install_clamdscan: false # flag to install additional 'clamdscan' package
 
 ```
 

diff --git a/docs/roles/debian/ssl.md b/docs/roles/debian/ssl.md
@@ -1,10 +1,11 @@
 # SSL
-Manages SSL certificates.
+Manages SSL certificates on servers. See the `aws/aws_acm` role for SSL handling in AWS services.
 
 <!--TOC-->
 <!--ENDTOC-->
 
-If you are using LetsEncrypt for handling it assume `standalone` mode. If you want to do DNS validation, please do not use this role at this time. There are a few pre-requisites for `standalone` mode to work:
+## LetsEncrypt
+If you are using LetsEncrypt for handling it assumes `standalone` mode. If you want to do DNS validation, please do not use this role at this time. There are a few pre-requisites for `standalone` mode to work:
 
 * You must have firewalls open to allow traffic to ports 80 and/or 443, regardless of your configuration
 * LetsEncrypt's certbot application will try to use port 80, if this will not be possible you can either:
@@ -72,6 +73,8 @@ ssl:
     79RG06iurGJEorFopyQesKwix1h6aBYXpM8yZ0IPR0leeeipBtYHIwbPHEYRJiFn
     6XoQQlb5mYuLKCzAZws9uceeVH+z
     -----END PRIVATE KEY-----
+  # Set this to true to have Ansible replace the existing certificate.
+  replace_existing: false
 
   # For "letsencrypt" handling.
   email: admin@example.com

diff --git a/docs/roles/debian/wazuh.md b/docs/roles/debian/wazuh.md
@@ -11,6 +11,8 @@ Supports standalone managers, scaled out services and agent installation (defaul
 ```yaml
 ---
 wazuh:
+  #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible
+  branch: "v4.7.2" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version!
   # Agent variables, installed locally by default
   # Role defaults - https://github.com/wazuh/wazuh-ansible/blob/master/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
   agent:

diff --git a/roles/_init/README.md b/roles/_init/README.md
@@ -14,6 +14,7 @@ _init:
   # This is used to detect if the playbook must re-run or not.
   vars_dirs: []
   force_play: false
+  ce_provision_version: 2.x # Outputted by the _init role at the start of plays.
 
   # Although these variables logically belong with ce_provision, the _init role needs to
   # gather the extra variables if there are any, so there are _init variables.

diff --git a/roles/aws/aws_cloudfront_distribution/README.md b/roles/aws/aws_cloudfront_distribution/README.md
@@ -7,6 +7,32 @@ Creates a new AWS CloudFront distribution (CDN) for content delivery.
 ## Default variables
 ```yaml
 ---
+# Uncomment cf_acl to create firewall rules for Cloudfront distro
+#rate_limit: 600 # rate_limit needs to be standalone variable to avoid casting issues (it will be considrate as string instead of int)
+#cf_acl:
+#  acl_name: "dummy_master_acl"
+#  scope: "CLOUDFRONT" # Can be "REGIONAL"
+#  region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped
+#
+#  ip_allow
+#    name: "Allowed-ips"
+#    list:
+#    - 1.1.1.1/32
+#    - 2.2.2.2/32
+#    - 3.3.3.3/32
+#
+#  ip_block:
+#    name: "Blocked-ips"
+#    list:
+#    - 4.4.4.4/32
+#    - 5.5.5.5/32
+#    - 6.6.6.6/32
+#
+#  cc_block_list:
+#    - BY # Belarus
+#    - CN # China
+#    - IR # Iran
+#    - SA # Saudi Arabia
 aws_cloudfront_distribution:
   aws_profile: "{{ _aws_profile }}"
   region: "{{ _aws_region }}"
@@ -69,7 +95,11 @@ aws_cloudfront_distribution:
   cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required.
   enabled: true
   purge_existing: true # Set to false to append entries instead of replacing them.
-
+#  logging:
+#    bucket: "" # URL of S3 bucket to store logs
+#    enabled: false # Set true to allow logging
+#    include_cookies: false # Set true to add cookies in logs
+#    prefix: "" # Prefix for S3 object names
 ```
 
 <!--ENDROLEVARS-->
diff --git a/roles/debian/ce_provision/README.md b/roles/debian/ce_provision/README.md
@@ -37,7 +37,7 @@ ce_provision:
   contrib_roles:
     - directory: wazuh
       repo: https://github.com/wazuh/wazuh-ansible.git
-      branch: stable
+      branch: "v4.7.2"
     - directory: systemd_timers
       repo: https://github.com/vlcty/ansible-systemd-timers.git
       branch: master

diff --git a/roles/debian/clamav/README.md b/roles/debian/clamav/README.md
@@ -24,6 +24,7 @@ clamav:
   scan_location: /
   exclude_directories:
     - /sys/
+  install_clamdscan: false # flag to install additional 'clamdscan' package
 
 ```
 

diff --git a/roles/debian/ssl/README.md b/roles/debian/ssl/README.md
@@ -1,10 +1,11 @@
 # SSL
-Manages SSL certificates.
+Manages SSL certificates on servers. See the `aws/aws_acm` role for SSL handling in AWS services.
 
 <!--TOC-->
 <!--ENDTOC-->
 
-If you are using LetsEncrypt for handling it assume `standalone` mode. If you want to do DNS validation, please do not use this role at this time. There are a few pre-requisites for `standalone` mode to work:
+## LetsEncrypt
+If you are using LetsEncrypt for handling it assumes `standalone` mode. If you want to do DNS validation, please do not use this role at this time. There are a few pre-requisites for `standalone` mode to work:
 
 * You must have firewalls open to allow traffic to ports 80 and/or 443, regardless of your configuration
 * LetsEncrypt's certbot application will try to use port 80, if this will not be possible you can either:
@@ -72,6 +73,8 @@ ssl:
     79RG06iurGJEorFopyQesKwix1h6aBYXpM8yZ0IPR0leeeipBtYHIwbPHEYRJiFn
     6XoQQlb5mYuLKCzAZws9uceeVH+z
     -----END PRIVATE KEY-----
+  # Set this to true to have Ansible replace the existing certificate.
+  replace_existing: false
 
   # For "letsencrypt" handling.
   email: admin@example.com

diff --git a/roles/debian/ssl/defaults/main.yml b/roles/debian/ssl/defaults/main.yml
@@ -24,6 +24,8 @@ ssl:
     79RG06iurGJEorFopyQesKwix1h6aBYXpM8yZ0IPR0leeeipBtYHIwbPHEYRJiFn
     6XoQQlb5mYuLKCzAZws9uceeVH+z
     -----END PRIVATE KEY-----
+  # Set this to true to have Ansible replace the existing certificate.
+  replace_existing: false
 
   # For "letsencrypt" handling.
   email: admin@example.com

diff --git a/roles/debian/ssl/tasks/copy.yml b/roles/debian/ssl/tasks/copy.yml
@@ -1,17 +1,12 @@
 ---
-- name: Check if we have an existing SSL key.
-  ansible.builtin.stat:
-    path: "{{ ssl_facts[certificate_domain].key }}"
-  register: ssl_key
-
 - name: Copy public cert file to destination
   ansible.builtin.copy:
     content: "{{ ssl.cert }}"
     dest: "{{ ssl_facts[certificate_domain].certificate }}"
     owner: root
     group: root
     mode: 0644
-  when: not ssl_key.stat.exists
+    force: "{{ ssl.replace_existing }}"
 
 - name: Copy CA cert file to destination
   ansible.builtin.copy:
@@ -20,8 +15,8 @@
     owner: root
     group: root
     mode: 0644
+    force: "{{ ssl.replace_existing }}"
   when:
-    - not ssl_key.stat.exists
     - ssl.ca_cert is defined
 
 - name: Copy private key file to destination
@@ -31,4 +26,4 @@
     owner: root
     group: root
     mode: 0400
-  when: not ssl_key.stat.exists
+    force: "{{ ssl.replace_existing }}"
diff --git a/roles/debian/ssl/tasks/generate.yml b/roles/debian/ssl/tasks/generate.yml
@@ -2,8 +2,20 @@
 - name: Check if we have an existing SSL key.
   ansible.builtin.stat:
     path: "{{ ssl_facts[certificate_domain].key }}"
-  register: ssl_key
+  register: _ssl_key
+
+- name: Delete existing SSL key.
+  ansible.builtin.file:
+    path: "{{ ssl_facts[certificate_domain].key }}"
+    state: absent
+  when: ssl.replace_existing
+
+- name: Delete existing SSL cert.
+  ansible.builtin.file:
+    path: "{{ ssl_facts[certificate_domain].certificate }}"
+    state: absent
+  when: ssl.replace_existing
 
 - name: Generates a new key/cert.
   ansible.builtin.command: "openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj '/C=GB/ST=Test/L=London/O=CodeEnigma/OU=Test/CN={{ certificate_domain }}' -keyout {{ ssl_facts[certificate_domain].key }} -out {{ ssl_facts[certificate_domain].certificate }}"
-  when: not ssl_key.stat.exists
+  when: not _ssl_key.stat.exists or ssl.replace_existing
diff --git a/roles/debian/ssl/tasks/letsencrypt.yml b/roles/debian/ssl/tasks/letsencrypt.yml
@@ -31,7 +31,7 @@
 - name: Check if we have a certificate.
   ansible.builtin.stat:
     path: "{{ ssl_facts[_ssl_domains[0]].certificate }}" # it's sufficient to check the first domain for a SAN cert
-  register: letsencrypt_cert
+  register: _letsencrypt_cert
 
 - name: Stop services listening on port 80.
   ansible.builtin.service:
@@ -41,7 +41,7 @@
   loop_control:
     loop_var: ssl_service
   when:
-    - not letsencrypt_cert.stat.exists
+    - not _letsencrypt_cert.stat.exists
     - _ssl_services | length > 0
 
 - name: Build certificate domains string.
@@ -50,12 +50,12 @@
   with_items: "{{ _ssl_domains }}"
   loop_control:
     loop_var: certificate_domain
-  when: not letsencrypt_cert.stat.exists
+  when: not _letsencrypt_cert.stat.exists
 
 - name: Register certificate bypassing web server if needed.
   ansible.builtin.command: "{{ ssl.certbot_register_command }} --cert-name {{ ssl_facts[_ssl_domains[0]].domain }} --http-01-port {{ ssl.http_01_port }} -m {{ ssl.email }} --{{ _ssl_web_server }}{{ _letsencrypt_domain_string }}"
   when:
-    - not letsencrypt_cert.stat.exists
+    - not _letsencrypt_cert.stat.exists
 
 - name: Restart services.
   ansible.builtin.service:
@@ -65,7 +65,7 @@
   loop_control:
     loop_var: ssl_service
   when:
-    - not letsencrypt_cert.stat.exists
+    - not _letsencrypt_cert.stat.exists
     - _ssl_services | length > 0
 
 # Because of the scripted command each SSL implementation needs it's own uniquely named cron script.

diff --git a/roles/debian/wazuh/README.md b/roles/debian/wazuh/README.md
@@ -11,6 +11,8 @@ Supports standalone managers, scaled out services and agent installation (defaul
 ```yaml
 ---
 wazuh:
+  #roles_directory: "/path/to/roles" # defaults to /home/controller/.ansible/roles/wazuh-ansible
+  branch: "v4.7.2" # wazuh-ansible git branch to checkout - not to be confused with wazuh_version!
   # Agent variables, installed locally by default
   # Role defaults - https://github.com/wazuh/wazuh-ansible/blob/master/roles/wazuh/ansible-wazuh-agent/defaults/main.yml
   agent:
-Original file line number
+Diff line change
@@ Expand Up / @@ -24,6 +24,7 @@ clamav: @@
       scan_location: /
       exclude_directories:
         - /sys/
+      install_clamdscan: false # flag to install additional 'clamdscan' package
     ```
@@ Expand Down @@