Commit db2f7405 authored by Arne Øslebø's avatar Arne Øslebø

cleaned up handling of passwords and certificates.

parent ac4ec956
......@@ -8,7 +8,7 @@ To make modifications to the main NiFi pipeline and add it to the Ansible playbo
* Make necesarry to the pipeline in the NiFi GUI
* Copy flow.xml.gz file from one of the NiFi containers:
`docker cp <CONTAINER ID>:/opt/nifi/nifi-current/conf/flow.xml.gz .`
`docker cp soctools-nifi-1:/opt/nifi/nifi-current/conf/flow.xml.gz .`
* Convert flowx.xml.gz to new template
`utils/flow2template.py flow.xml.gz roles/nifi/templates/flow.xml.j2`
......
......@@ -21,7 +21,8 @@ Temporary solution: Upload your ssh key to gitlab.geant.org
Install soctools:
Edit group_vars/all/main.yml and change 'soctoolsproxy' so that it point to the FQDN of the server.
`vi group_vars/all/main.yml`
The first entry in the soctools_users variable is the user with full admin privileges in NiFi and Kibana.
Users are specified in the file:
`group_vars/all/users.yml`
To configure the server running soctools, run the ansible playbook:
`ansible-playbook -i inventories soctools_server.yml`
......@@ -32,11 +33,11 @@ To build the Docker images needed, run the ansible playbook:
To build the CA needed for host and user certificates, run the ansible playbook:
`ansible-playbook -i inventories buildca.yml`
If using soclab CA certificates provided with this installation, you first need to download and import root certificate found at roles/ca/files/CA/ca.crt.
If using soctools CA certificates provided with this installation, you first need to download and import root certificate found in secrets/CA/ca.crt
For Windows, CA certificate should be installed in Trusted Root Certification Authorities store.
User certificates are can be found in the directory roles/ca/files/CA/private. Import into browser for authentication.
For Windows, user certificate should be installed in Personal store.
User certificates are can be found in the directory secrets/certificates. Import into browser for authentication.
For Windows, user certificate should be installed in Personal store. Passwords for the certificates can be found in the directory secrets/passwords.
To start the cluster, run the ansible playbook soctools.yml:
`ansible-playbook -i inventories soctools.yml -t start`
......
---
soctoolsproxy: "<CHANGE_ME:hostname>"
soctoolsproxy: "arne-centos2.cert-labs.uninett.no"
# TheHive Button plugin
THEHIVE_URL: "https://hive.gn4-3-wp8-soc.sunet.se/"
......@@ -18,7 +18,6 @@ haproxy_name: "soctools-haproxy"
haproxy_version: "2.2"
haproxy_img: "{{repo}}/haproxy:{{version}}{{suffix}}"
HAPROXY_PROCESSES: "2"
HAPROXY_STATS_PASS: "eiph2Eepaizicheelah3tei+bae3ohgh"
FILEBEAT_VERSION: "7.9.3"
FILEBEAT_OUTPUT_HOST: "{{soctoolsproxy}}"
......@@ -40,7 +39,6 @@ nifi_img: "{{repo}}/nifi:{{version}}{{suffix}}"
mysql_name: "soctools-mysql"
mysql_img: "{{repo}}/mysql:{{version}}{{suffix}}"
mysql_dbrootpass: "Pass006"
cassandra_name: "soctools-cassandra"
cassandra_img: "{{repo}}/cassandra:{{version}}{{suffix}}"
......@@ -55,10 +53,6 @@ cortex_img: "{{repo}}/cortex:{{version}}{{suffix}}"
cortex_elasticsearch_mem: "256m"
# GENERATED WITH cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1
cortex_secret_key: "9CZ844IcAp5dHjsgU4iuaEssdopLcS6opzhVP3Ys4t4eRpNlHmwZdtfveLEXpM9D"
cortex_odfe_pass: "Pass009"
kspass: "Testing003"
tspass: "Testing003"
sysctlconfig:
- { key: "net.core.rmem_max", val: "4194304" }
......@@ -73,32 +67,10 @@ nifi_repo: "https://archive.apache.org/dist"
ca_cn: "SOCTOOLS-CA"
soctools_users:
- firstname: "Arne"
lastname: "Oslebo"
username: "arne.oslebo"
email: "arne.oslebo@uninett.no"
DN: "CN=Arne Oslebo"
CN: "Arne Oslebo"
password: "Pass002"
- firstname: "Bozidar"
lastname: "Proevski"
username: "bozidar.proevski"
email: "bozidar.proevski@finki.ukim.mk"
DN: "CN=Bozidar Proevski"
CN: "Bozidar Proevski"
password: "Pass001"
# Minimum one user is required
ODFE_ADMIN_USERS:
- arne.oslebo
- bozidar.proevski
odfees_img: "{{repo}}/odfees:{{version}}{{suffix}}"
odfekibana_img: "{{repo}}/odfekibana:{{version}}{{suffix}}"
# GENERATE 32-bit secure value
odfekibana_cookie: "iroAm0ueIV7w6CS1WcJTwIV6R4d5RIAt"
odfees_adminpass: "Pass004"
#elk_version: "oss-7.6.1"
elk_version: "oss-7.4.2"
#odfeplugin_version: "1.7.0.0"
......@@ -109,7 +81,6 @@ openid_scope: profile
openid_subjkey: preferred_username
keycloak_img: "{{repo}}/keycloak:{{version}}{{suffix}}"
keycloak_adminpass: "Pass005"
elastic_username: "admin"
misp_token: ""
......@@ -118,8 +89,6 @@ maxmind_key: ""
misp_dbname: "mispdb"
misp_dbuser: "misp"
misp_dbpass: "Pass007"
# misp_salt generated with: openssl rand -base64 32
misp_salt: "wa2fJA2mGIn32IDl+uKrCJ069Mg3khDdGzFNv8DOwM0="
misp_odic_crypto_pass: 1234567890 #TODO: Generate dynamically
misp_crypto_pass: 1234567890 #TODO: Generate dynamically
#misp_odic_crypto_pass: 1234567890 #TODO: Generate dynamically
#misp_crypto_pass: 1234567890 #TODO: Generate dynamically
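Review bot: Three literal secrets survive this clean-up on the new side of group_vars/all/main.yml — `cortex_secret_key` (the line under the `# GENERATED WITH …` comment), `odfekibana_cookie` and `misp_salt` — so the file still ships committed credentials even though the per-service passwords now come from `lookup('password', …)`. The same lookup can generate these too, for example `cortex_secret_key: "{{ lookup('password', playbook_dir ~ '/secrets/passwords/cortex_secret_key length=64 chars=ascii_letters,digits') }}"`, which also makes the "generate with" comments unnecessary. The values removed in these hunks (HAPROXY_STATS_PASS, mysql_dbrootpass, cortex_odfe_pass, kspass/tspass, the per-user passwords, odfees_adminpass, keycloak_adminpass, misp_dbpass) remain in git history, so any deployment that used them needs those credentials rotated rather than just un-committed. If the second `soctoolsproxy` line is the new side, a personal hostname has replaced the `<CHANGE_ME:hostname>` placeholder and should be reverted before this becomes the default config.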
---
soctools_users:
- firstname: "User1"
lastname: "SOC"
username: "user1"
email: "user1@soctools.test"
DN: "CN=User1Soctools"
CN: "User1Soctools"
- firstname: "User2"
lastname: "SOC"
username: "user2"
email: "user2@soctools.test"
DN: "CN=User2Soctools"
CN: "User2Soctools"
# Minimum one user is required
ODFE_ADMIN_USERS:
- user1
---
- name: Create secret directory
file:
path: "{{playbook_dir}}/{{item}}"
state: directory
loop:
- secrets
- secrets/certificates
- secrets/tokens
- secrets/passwords
- name: Check for existing CA folder
stat:
path: roles/ca/files/CA
path: "{{playbook_dir}}/secrets/CA"
register: capath
- name: build ca root key and cert
......@@ -14,27 +24,19 @@
environment:
EASYRSA_BATCH: 1
EASYRSA_REQ_CN: "{{ ca_cn }}"
EASYRSA_PKI: roles/ca/files/CA
EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
when: not capath.stat.exists
- name: Copy cert to truststore
copy:
src: roles/ca/files/CA/ca.crt
dest: "roles/ca/files/truststore/{{ ca_cn }}.crt"
- name: Remove previous truststore
file:
path: roles/ca/files/truststore/cacerts.jks
path: '{{playbook_dir}}/secrets/CA/cacerts.jks'
state: absent
- name: Generate truststore
command: >
docker run --rm -v {{role_path}}/files/truststore/:/opt/cafiles/:z
docker run --rm -v {{playbook_dir}}/secrets/CA/:/opt/cafiles/:z
"{{repo}}/openjdk:{{version}}{{suffix}}" keytool -import -noprompt -trustcacerts
-alias "{{item}}" -file "/opt/cafiles/{{item}}.crt" -keystore /opt/cafiles/cacerts.jks -storepass "{{tspass}}"
with_items:
- "{{ ca_cn }}"
#- GN43WP8T31_CA
-alias "{{ ca_cn }}" -file "/opt/cafiles/ca.crt" -keystore /opt/cafiles/cacerts.jks -storepass "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}"
- name: Check for existing host certificates
command: roles/ca/files/easyrsa/easyrsa show-cert {{item}}
......@@ -50,7 +52,7 @@
- "filebeat"
environment:
EASYRSA_BATCH: 1
EASYRSA_PKI: roles/ca/files/CA
EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
register: hostcerts
ignore_errors: true
......@@ -71,7 +73,7 @@
- "filebeat"
environment:
EASYRSA_BATCH: 1
EASYRSA_PKI: roles/ca/files/CA
EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
ignore_errors: true
loop_control:
index_var: my_idx
......@@ -95,7 +97,7 @@
expect:
command: roles/ca/files/easyrsa/easyrsa export-p12 {{item}}
responses:
Enter Export Password: "{{kspass}}"
Enter Export Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}"
with_items:
- "{{ groups['nificontainers'] }}"
- "{{ groups['odfeescontainers'] }}"
......@@ -106,158 +108,7 @@
- "{{ groups['mispcontainers'] }}"
environment:
EASYRSA_BATCH: 1
EASYRSA_PKI: roles/ca/files/CA
- name: Copy nifi host certs to nifi role
copy:
src: roles/ca/files/CA/private/{{item}}.p12
dest: roles/nifi/files/{{item}}.p12
with_items:
- "{{ groups['nificontainers'] }}"
- name: Copy odfees host certs to odfees role
copy:
src: roles/ca/files/CA/private/{{item}}.p12
dest: roles/odfees/files/{{item}}.p12
with_items:
- "{{ groups['odfeescontainers'] }}"
- name: Copy odfekibana host p12 certs to odfekibana role
copy:
src: roles/ca/files/CA/private/{{item}}.p12
dest: roles/odfekibana/files/{{item}}.p12
with_items:
- "{{ groups['odfekibanacontainers'] }}"
- name: Copy cortex host p12 certs to cortex role
copy:
src: roles/ca/files/CA/private/{{item}}.p12
dest: roles/cortex/files/{{item}}.p12
with_items:
- "{{ groups['cortex'] }}"
- name: Copy odfekibana host certs to odfekibana role
copy:
src: roles/ca/files/CA/issued/{{item}}.crt
dest: roles/odfekibana/files/{{item}}.crt
with_items:
- "{{ groups['odfekibanacontainers'] }}"
- name: Copy odfekibana host keys to odfekibana role
copy:
src: roles/ca/files/CA/private/{{item}}.key
dest: roles/odfekibana/files/{{item}}.key
with_items:
- "{{ groups['odfekibanacontainers'] }}"
- name: Copy haproxy host cert to haproxy role
copy:
src: roles/ca/files/CA/issued/{{item}}.crt
dest: roles/haproxy/files/{{item}}.crt
with_items:
- "{{ groups['haproxy'] }}"
- name: Copy haproxy host key to haproxy role
copy:
src: roles/ca/files/CA/private/{{item}}.key
dest: roles/haproxy/files/{{item}}.key
with_items:
- "{{ groups['haproxy'] }}"
- name: Copy filebeat host cert to filebeat role
copy:
src: roles/ca/files/CA/issued/{{item}}.crt
dest: roles/filebeat/files/{{item}}.crt
with_items:
- "filebeat"
- name: Copy filebeat host key to filebeat role
copy:
src: roles/ca/files/CA/private/{{item}}.key
dest: roles/filebeat/files/{{item}}.key
with_items:
- "filebeat"
- name: Copy keycloak host certs to keycloak role
copy:
src: roles/ca/files/CA/issued/{{item}}.crt
dest: roles/keycloak/files/{{item}}.crt
with_items:
- "{{ groups['keycloakcontainers'] }}"
- name: Copy keycloak host keys to keycloak role
copy:
src: roles/ca/files/CA/private/{{item}}.key
dest: roles/keycloak/files/{{item}}.key
with_items:
- "{{ groups['keycloakcontainers'] }}"
- name: Copy misp host certs to misp role
copy:
src: roles/ca/files/CA/issued/{{item}}.crt
dest: roles/misp/files/{{item}}.crt
with_items:
- "{{ groups['mispcontainers'] }}"
- name: Copy misp host keys to misp role
copy:
src: roles/ca/files/CA/private/{{item}}.key
dest: roles/misp/files/{{item}}.key
with_items:
- "{{ groups['mispcontainers'] }}"
- name: Copy thehive host cert to thehive role
copy:
src: roles/ca/files/CA/issued/{{item}}.crt
dest: roles/thehive/files/{{item}}.crt
with_items:
- "{{ groups['thehive'] }}"
- name: Copy thehive host key to thehive role
copy:
src: roles/ca/files/CA/private/{{item}}.key
dest: roles/thehive/files/{{item}}.key
with_items:
- "{{ groups['thehive'] }}"
- name: Copy cortex host cert to cortex role
copy:
src: roles/ca/files/CA/issued/{{item}}.crt
dest: roles/cortex/files/{{item}}.crt
with_items:
- "{{ groups['cortex'] }}"
- name: Copy cortex host key to cortex role
copy:
src: roles/ca/files/CA/private/{{item}}.key
dest: roles/cortex/files/{{item}}.key
with_items:
- "{{ groups['cortex'] }}"
- name: Copy truststore to roles
copy:
src: roles/ca/files/truststore/cacerts.jks
dest: "roles/{{item}}/files/cacerts.jks"
with_items:
- nifi
- odfees
- odfekibana
- keycloak
- misp
- cortex
- name: Copy ca cert to roles
copy:
src: "roles/ca/files/truststore/{{ ca_cn }}.crt"
dest: "roles/{{item}}/files/{{ ca_cn }}.crt"
with_items:
- nifi
- odfees
- odfekibana
- keycloak
- misp
- thehive
- cortex
EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
- name: Check for existing user certificates
command: roles/ca/files/easyrsa/easyrsa show-cert {{item.CN | regex_escape()}}
......@@ -265,7 +116,7 @@
- "{{soctools_users}}"
environment:
EASYRSA_BATCH: 1
EASYRSA_PKI: roles/ca/files/CA
EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
register: usercerts
ignore_errors: true
......@@ -275,7 +126,7 @@
- "{{soctools_users}}"
environment:
EASYRSA_BATCH: 1
EASYRSA_PKI: roles/ca/files/CA
EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
ignore_errors: true
loop_control:
index_var: my_idx
......@@ -285,24 +136,17 @@
expect:
command: roles/ca/files/easyrsa/easyrsa export-p12 "{{item.CN}}"
responses:
Enter Export Password: "{{item.password}}"
Enter Export Password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/{{item.CN}}')}}"
with_items:
- "{{soctools_users}}"
environment:
EASYRSA_BATCH: 1
EASYRSA_PKI: roles/ca/files/CA
- name: Copy user certs to odfees
copy:
src: "roles/ca/files/CA/private/{{ item.CN }}.p12"
dest: "roles/odfees/files/{{ item.CN }}.p12"
with_items:
- "{{soctools_users}}"
EASYRSA_PKI: "{{playbook_dir}}/secrets/CA"
- name: Copy user certs to odfekibana
- name: Copy user certs to certificates
copy:
src: "roles/ca/files/CA/private/{{ item.CN }}.p12"
dest: "roles/odfekibana/files/{{ item.CN }}.p12"
src: "{{playbook_dir}}/secrets/CA/private/{{ item.CN }}.p12"
dest: "{{playbook_dir}}/secrets/certificates/{{ item.CN }}.p12"
with_items:
- "{{soctools_users}}"
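Review bot: The `Create secret directory` task at the top of this file creates `secrets/`, `secrets/certificates`, `secrets/tokens` and `secrets/passwords` without a `mode`, so the directories that hold the generated passwords, fetched tokens and user .p12 bundles get the controller's umask default; add `mode: "0700"` to that `file:` stanza and `mode: "0600"` to the `Copy user certs to certificates` copy. The tasks that pass generated passwords to `keytool -storepass` in `Generate truststore` and as the two `expect` export-p12 responses carry no `no_log: true`, so the keystore, truststore and per-user passwords appear in `module_args` in verbose Ansible output and, for the command task, in the process list while it runs; the same is true of `Set admin password` in roles/keycloak/tasks/main.yml and the `cake Password` shell task in the MISP tasks. Style: these lookups nest moustaches (`'{{playbook_dir}}/secrets/passwords/keystore'`) while initkeycloak.sh concatenates (`'…/secrets/passwords/'+user.CN`); Ansible templates lookup terms so both work, but the documented, non-nested form is `playbook_dir ~ '/secrets/passwords/keystore'`. The new `secrets/` tree also needs to be excluded from version control; I cannot see a .gitignore change in this commit.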
......@@ -3,7 +3,7 @@
- name: Copy cacert to ca-trust dir
remote_user: root
copy:
src: "files/{{ca_cn}}.crt"
src: "{{playbook_dir}}/secrets/CA/ca.crt"
dest: /etc/pki/ca-trust/source/anchors/ca.crt
- name: Install cacert to root truststore
......@@ -14,14 +14,14 @@
remote_user: cortex
copy:
src: "{{ item }}"
dest: "/etc/cortex/{{ item }}"
dest: "/etc/cortex/"
mode: 0600
with_items:
- "{{ inventory_hostname }}.p12"
- "{{ inventory_hostname }}.crt"
- "{{ inventory_hostname }}.key"
- cacerts.jks
- "{{ca_cn}}.crt"
- "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.p12"
- "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
- "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
- "{{playbook_dir}}/secrets/CA/cacerts.jks"
- "{{playbook_dir}}/secrets/CA/ca.crt"
- name: Configure embedded Elasticsearch 6
remote_user: root
......
......@@ -34,18 +34,18 @@ search {
## ## Authentication configuration
## search.username = "cortex"
## search.password = "{{cortex_odfe_pass}}"
## search.password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/cortex_odfe')}}"
##
## ## SSL configuration
## search.keyStore {
## path = "/etc/cortex/soctools-cortex.p12"
## type = "PKCS12" # or PKCS12
## password = "{{kspass}}"
## password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keystore')}}"
## }
## search.trustStore {
## path = "/etc/cortex/cacerts.jks"
## type = "JKS" # or PKCS12
## password = "{{tspass}}"
## password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}"
## }
}
......
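Review bot: The rewritten `search.password`, `keyStore.password` and `trustStore.password` lines sit inside `##` HOCON comments, but Jinja does not know that: each `lookup('password', …)` is still evaluated when the template renders, so a `secrets/passwords/cortex_odfe` file is created as a side effect and the keystore, truststore and Elasticsearch passwords are written in plaintext into comment lines of the deployed application.conf. Either wrap the commented block in a Jinja comment, `{# … #}`, so nothing is rendered, or keep the example lines as plain documentation without lookups, e.g. `## password = "<keystore password from secrets/passwords/keystore>"`. If the block is meant to be enabled later, the task that templates this file (outside this hunk) will need an owner-only mode, since the rendered file then holds live credentials.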
......@@ -4,11 +4,11 @@
- name: Copy filebeat certificates
copy:
src: "{{ item }}"
dest: "/opt/filebeat/{{ item }}"
dest: "/opt/filebeat/"
mode: 0600
with_items:
- "filebeat.crt"
- "filebeat.key"
- "{{playbook_dir}}/secrets/CA/issued/filebeat.crt"
- "{{playbook_dir}}/secrets/CA/private/filebeat.key"
become: true
tags:
- start
......
......@@ -23,11 +23,11 @@
- name: Copy haproxy certificates
copy:
src: "{{ item }}"
dest: "/opt/haproxy/{{ item }}"
dest: "/opt/haproxy/"
mode: 0600
with_items:
- "{{ inventory_hostname }}.crt"
- "{{ inventory_hostname }}.key"
- "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
- "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
- name: Combine crt and key for haproxy
assemble:
......
......@@ -22,7 +22,7 @@ listen stats
stats hide-version
stats uri /
stats realm HAProxy Statistics
stats auth haproxy:{{ HAPROXY_STATS_PASS }}
stats auth haproxy:{{lookup('password', '{{playbook_dir}}/secrets/passwords/haproxy_stats')}}
listen nifiserv
bind *:9443 ssl crt /etc/ssl/haproxy alpn h2,http/1.1
......
......@@ -7,16 +7,16 @@
dest: "{{ item.remote }}"
mode: "{{ item.mode}}"
with_items:
- local: "files/{{ inventory_hostname }}.crt"
- local: "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
remote: /etc/x509/https/tls.crt
mode: '0644'
- local: "files/{{ inventory_hostname }}.key"
- local: "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
remote: /etc/x509/https/tls.key
mode: '0600'
- local: "files/{{ ca_cn }}.crt"
- local: "{{playbook_dir}}/secrets/CA/ca.crt"
remote: /etc/x509/ca/ca.crt
mode: '0644'
- local: "files/cacerts.jks"
- local: "{{playbook_dir}}/secrets/CA/cacerts.jks"
remote: /opt/jboss/keycloak/cacerts.jks
mode: '0644'
......@@ -28,7 +28,8 @@
- name: Set admin password
remote_user: jboss
command: /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "{{keycloak_adminpass}}"
command: /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "admin" --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keykloak_admin')}}"
ignore_errors: True
- name: Configure logging format
remote_user: jboss
......@@ -85,11 +86,11 @@
flat: yes
with_items:
- remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/nifisecret"
local: "roles/nifi/files/nifisecret"
local: "{{playbook_dir}}/secrets/tokens/nifisecret"
- remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/kibanasecret"
local: "roles/odfekibana/files/kibanasecret"
local: "{{playbook_dir}}/secrets/tokens/kibanasecret"
- remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/mispsecret"
local: "roles/misp/files/mispsecret"
local: "{{playbook_dir}}/secrets/tokens/mispsecret"
- name: Set Autostart for supervisord's services
shell: "sed -i 's/autostart=false/autostart=true/g' /etc/supervisord.conf"
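Review bot: `ignore_errors: True` on `Set admin password` is new in this hunk and hides every failure of add-user-keycloak.sh, not only the "user already exists" case on re-runs that presumably motivates it; when the admin is silently not created, the later `kcadm.sh config credentials` in initkeycloak.sh fails with a far less obvious error. Prefer a narrow condition — register the result and use `failed_when: result.rc != 0 and 'already' not in (result.stdout ~ result.stderr)` if the existing-user message is what triggers it — or guard the task with a `stat` of the keycloak-add-user.json that the script writes; `true` rather than `True` also matches the rest of the file. The password file name `keykloak_admin` is misspelled; it is spelled the same way in initkeycloak.sh so the two agree today, but if either side is corrected both must change or a second, different admin password is generated without any error.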
......@@ -24,9 +24,9 @@
flat: yes
with_items:
- remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/nifisecret"
local: "roles/nifi/files/nifisecret"
local: "{{playbook_dir}}/secrets/tokens/nifisecret"
- remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/kibanasecret"
local: "roles/odfekibana/files/kibanasecret"
local: "{{playbook_dir}}/secrets/tokens/kibanasecret"
- remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/mispsecret"
local: "roles/misp/files/mispsecret"
local: "{{playbook_dir}}/secrets/tokens/mispsecret"
......@@ -5,8 +5,8 @@ exec 7>&2
exec > /opt/jboss/keycloak/initkeycloak.log 2>&1
kcadm.sh config truststore --trustpass {{tspass}} /opt/jboss/keycloak/cacerts.jks
kcadm.sh config credentials --server https://{{groups['keycloakcontainers'][0]}}:8443/auth --realm master --user admin --password {{keycloak_adminpass}}
kcadm.sh config truststore --trustpass {{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}} /opt/jboss/keycloak/cacerts.jks
kcadm.sh config credentials --server https://{{groups['keycloakcontainers'][0]}}:8443/auth --realm master --user admin --password "{{lookup('password', '{{playbook_dir}}/secrets/passwords/keykloak_admin')}}"
kcadm.sh create realms -b '{ "enabled": "true", "id": "{{openid_realm}}", "realm": "{{openid_realm}}"}'
kcadm.sh create realms/{{openid_realm}}/authentication/flows/browser/copy -b '{ "id": "browser-x509", "newName": "X.509 Browser" }'
BROWSERFORM=$(kcadm.sh create realms/{{openid_realm}}/authentication/flows/X.509%20Browser/executions/execution -i -b '{ "provider": "auth-x509-client-username-form" }')
......@@ -18,7 +18,7 @@ kcadm.sh create realms/{{openid_realm}}/groups -b '{"name":"GN43WP8T31"}'
{% for user in soctools_users %}
kcadm.sh create realms/{{openid_realm}}/users -b '{"enabled":true,"attributes":{"DN": ["{{user.DN}}"],"CN": ["{{user.CN}}"]},"username":"{{user.username}}","emailVerified":"","email":"{{user.email}}","firstName":"{{user.firstname}}","lastName":"{{user.lastname}}","groups": ["/GN43WP8T31"] }'
kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{user.password}}
kcadm.sh set-password -r {{openid_realm}} --username {{user.username}} --new-password {{lookup('password', '{{playbook_dir}}/secrets/passwords/'+user.CN)}}
{% endfor %}
NIFICLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"soctools-nifi","protocol":"openid-connect","clientAuthenticatorType": "client-secret","redirectUris": ["https://{{soctoolsproxy}}:9443/*" ],"webOrigins": [], "publicClient": false }')
......
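Review bot: The `--trustpass {{lookup(…)}}` value on the first rewritten line and `--new-password {{lookup(…)}}` in the user loop are unquoted in the shell, while the admin `--password` one line down is quoted; the password lookup's default character set is shell-safe, but anyone who later passes `chars=` with punctuation to these lookups gets word splitting in the rendered script, so quote all three consistently, e.g. `--new-password "{{ lookup('password', playbook_dir ~ '/secrets/passwords/' ~ user.CN) }}"`. Once rendered, this script holds the truststore password, the admin password and every user's initial password in plaintext, and `exec > /opt/jboss/keycloak/initkeycloak.log 2>&1` at the top means any kcadm.sh error that echoes its arguments lands in that log; the task that deploys the script (outside this hunk) should set an owner-only mode, and the script should remove or overwrite itself after a successful run.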
---
- name: Change password of default user
shell: "/var/www/MISP/app/Console/cake Password admin@admin.test {{ lookup('password', '/tmp/passwordfile') }}"
shell: "/var/www/MISP/app/Console/cake Password admin@admin.test {{ lookup('password', '{{playbook_dir}}/secrets/passwords/misp_admin') }}"
- name: Configure MISP
shell: '/var/www/MISP/app/Console/cake Admin setSetting {{item.var}} {{item.value}}'
......
......@@ -12,16 +12,16 @@
dest: "{{ item.remote }}"
mode: "{{ item.mode}}"
with_items:
- local: "files/{{ inventory_hostname }}.crt"
- local: "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
remote: /etc/ssl/certs/misp.crt
mode: '0644'
- local: "files/{{ inventory_hostname }}.key"
- local: "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
remote: /etc/ssl/certs/misp.key
mode: '0600'