10 changed files with 30 additions and 109 deletions
--- a/.gitignore
+++ b/.gitignore
@ -9,6 +9,3 @@ terraform.tfstate.backup
 .terraform/
 .terraform.lock.hcl
 bullseye
-inspec/
-inspec.sh
-ansible/assets/
--- a/2
+++ b/2
@ -9,7 +9,6 @@ endef

 define configure_base
 	ansible-playbook -i ./ansible/inventory/hosts.ini -f 10 ./ansible/playbook.yml
-	ansible-playbook -i ./ansible/inventory/hosts.ini -f 10 ./ansible/harden.yml
 endef

 define configure_loadbalance
@ -105,5 +104,6 @@ test.loadbalance: ## Test loadbalancer installation
 test.libreddit: ## Test libreddit installation
 	$(call test_libreddit)

+
 help: ## Prints help for targets with comments
 	@cat $(MAKEFILE_LIST) | grep -E '^[a-zA-Z_-].+:.*?## .*$$' | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
--- a/ansible/harden.yml
+++ b/ansible/harden.yml
@ -1,29 +0,0 @@
-# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
---
- name: Baseline security compliance
-  hosts: all
-  remote_user: atm
-  become: true
-  pre_tasks:
-    - name: Ensure all VMs are reachable
-      ansible.builtin.ping:
-  collections:
-    - devsec.hardening
-  roles:
-    - devsec.hardening.os_hardening
-    - ssh_hardening
-  vars:
-    - ssh_allow_tcp_forwarding: no
-    - ssh_allow_agent_forwarding: false
-    - ssh_x11_forwarding: false
-    - ssh_server_password_login: false
-    - os_filesystem_whitelist: vfat
-    - sysctl_overwrite:
-        - net.ipv6.conf.default.autoconf: 0
-        - net.ipv6.conf.all.autoconf: 0
-        - net.ipv6.conf.all.router_solicitations: 0
-        - fs.protected_symlinks: 1
-        - fs.protected_hardlinks: 1
--- a/ansible/libreddit.yml
+++ b/ansible/libreddit.yml
@ -8,50 +8,45 @@
  remote_user: atm

  tasks:
+    - name: Ensure all VMs are reachable
+      ansible.builtin.ping:
+
    - name: Create /etc/apt/keyrings dir
-      become: true
      ansible.builtin.file:
        path: /etc/apt/keyrings
        state: directory
        recurse: true

    - name: Add Docker GPG apt Key
-      become: true
      ansible.builtin.apt_key:
        url: https://download.docker.com/linux/debian/gpg
        state: present

    - name: Add Docker Repository
-      become: true
      ansible.builtin.apt_repository:
        repo: deb https://download.docker.com/linux/debian buster stable
        state: present

    - name: Update apt and install docker-ce
-      become: true
      ansible.builtin.apt:
        name: docker-ce
        update_cache: true

    - name: Install Docker Module for Python
-      become: true
      ansible.builtin.pip:
        name: docker

    - name: Ensure docker group is present
-      become: true
      ansible.builtin.group:
        name: docker
        state: present

    - name: Add user atm to docker group
-      become: true
      ansible.builtin.user:
        name: atm
        groups: docker,users,admin

    - name: Deploy libreddit
-      become: true
      ansible.builtin.docker_container:
        name: libreddit
        state: started
@ -61,7 +56,6 @@
          - "8080:8080"

    - name: Allow port 8080
-      become: true
      community.general.ufw:
        state: enabled
        proto: tcp
--- a/ansible/loadbalance.yml
+++ b/ansible/loadbalance.yml
@ -5,23 +5,24 @@
 ---
 - name: Configure loadbalancers
  hosts: bullseye_loadbalance
-  remote_user: atm
-  become: true
-  pre_tasks:
-    - name: Install nginx
-      become: true
+  remote_user: root
+
+  tasks:
+    - name: Ensure all VMs are reachable
+      ansible.builtin.ping:
+    - name: Update package cache
+      ansible.builtin.apt:
+        update_cache: true
+        upgrade: safe
+
+    - name: Install git, zip, nginx, wget, curl & other utils
      ansible.builtin.apt:
        update_cache: true
        pkg:
          - nginx
          - ca-certificates
+          - ufw

-  collections:
-    - devsec.hardening
-  roles:
-    - dev-sec.nginx-hardening
-
-  tasks:
    - name: Add user atm to docker group
      ansible.builtin.user:
        name: atm
@ -61,12 +62,12 @@
    - name: Copy the Nginx config file and restart nginx
      ansible.builtin.copy:
        src: ./assets/nginx.cfg
-        dest: /etc/nginx/sites-available/libreddit
+        dest: /etc/nginx/sites-available/nginx.cfg

    - name: Create symlink
      ansible.builtin.file:
-        src: /etc/nginx/sites-available/libreddit
-        dest: /etc/nginx/sites-enabled/libreddit
+        src: /etc/nginx/sites-available/nginx.cfg
+        dest: /etc/nginx/sites-enabled/default
        state: link

    - name: Enable and start nginx service
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@ -3,22 +3,19 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---
- name: Install and enable firewall
-  hosts: all
-  remote_user: atm
-  pre_tasks:
-    - name: Ensure all VMs are reachable
-      ansible.builtin.ping:
+- name: Configure webservers
+  hosts: [bullseye_libreddit,bullseye_loadbalance]
+  remote_user: root

  tasks:
-    - name: Update all packages
-      become: true
+    - name: Ensure all VMs are reachable
+      ansible.builtin.ping:
+    - name: Update package cache
      ansible.builtin.apt:
        update_cache: true
        upgrade: safe

    - name: Install git, zip, nginx, wget, curl & other utils
-      become: true
      ansible.builtin.apt:
        update_cache: true
        pkg:
@ -27,7 +24,6 @@
          - curl
          - gpg
          - ca-certificates
-          - ntp
          - zip
          - python3-pip
          - virtualenv
@ -36,12 +32,10 @@


    - name: Set logging
-      become: true
      community.general.ufw:
        logging: "on"

    - name: Allow port 22 and enable UFW
-      become: true
      community.general.ufw:
        state: enabled
        rule: allow
@ -50,15 +44,7 @@


    - name: Enable and start ufw service
-      become: true
      ansible.builtin.service:
        name: ufw
        enabled: true
        state: started
-
-    - name: Enable and start ufw service
-      become: true
-      ansible.builtin.service:
-        name: ntp
-        enabled: true
-        state: started
--- a/conf.tf
+++ b/conf.tf
@ -34,7 +34,7 @@ variable "loadbalance_count" {


 variable "libreddit_count" {
-  default = 2
+  default = 4
 }


@ -208,19 +208,3 @@ resource "local_file" "nginx_loadbalance_conf" {

  filename = "./ansible/assets/nginx.cfg"
 }
-
-resource "local_file" "auditor_script" {
-  content = templatefile("./templates/auditor.tftpl",
-    {
-      libreddit_vm_ips   = local.libreddit_vm_ips,
-      libreddit_vm_names = local.libreddit_vm_names,
-      libreddit_vms      = local.libreddit_vm_map,
-
-      loadbalance_vm_ips   = local.loadbalance_vm_ips,
-      loadbalance_vm_names = local.loadbalance_vm_names,
-      loadbalance_vms      = local.loadbalance_vm_map
-
-  })
-
-  filename = "./inspec.sh"
-}
--- a/templates/auditor.tftpl
+++ b/templates/auditor.tftpl
@ -1,12 +0,0 @@
-#!/bin/bash
-
-%{ for vm in loadbalance_vms ~}
-cinc-auditor exec ./inspec/linux-baseline -t ssh://atm@${vm.ip} # ${vm.name}
-cinc-auditor exec ./inspec/ssh-baseline -t ssh://atm@${vm.ip} # ${vm.name}
-cinc-auditor exec ./inspec/nginx-baseline -t ssh://atm@${vm.ip} # ${vm.name}
-%{ endfor ~}
-
-%{ for vm in libreddit_vms ~}
-cinc-auditor exec ./inspec/linux-baseline -t ssh://atm@${vm.ip} # ${vm.name}
-cinc-auditor exec ./inspec/ssh-baseline -t ssh://atm@${vm.ip} # ${vm.name}
-%{ endfor ~}
--- a/templates/hosts.yml.tftpl
+++ b/templates/hosts.yml.tftpl
@ -1,9 +1,9 @@
 [bullseye_loadbalance]
 %{ for vm in loadbalance_vms ~}
-${vm.name} ansible_host=${vm.ip} ansible_user=atm
+${vm.name} ansible_host=${vm.ip} ansible_user=root
 %{ endfor ~}

 [bullseye_libreddit]
 %{ for vm in libreddit_vms ~}
-${vm.name} ansible_host=${vm.ip} ansible_user=atm
+${vm.name} ansible_host=${vm.ip} ansible_user=root
 %{ endfor ~}
--- a/tests/test_loadbalance.py
+++ b/tests/test_loadbalance.py
@ -33,11 +33,11 @@ def test_nginx_service_running_and_enabled(host):
    assert service.is_enabled

 def test_config_is_present(host):
-    file = host.file("/etc/nginx/sites-available/libreddit")
+    file = host.file("/etc/nginx/sites-available/nginx.cfg")
    assert file.exists
    assert file.is_file

-    sym_file = host.file("/etc/nginx/sites-enabled/libreddit")
+    sym_file = host.file("/etc/nginx/sites-enabled/default")
    assert sym_file.exists
    assert sym_file.is_symlink
    assert sym_file.linked_to  == file