T-Pot Ansible

Here you can find a ready-to-use solution for your automated T-Pot deployment using Ansible.
It consists of an Ansible Playbook with multiple roles, which is reusable for all OpenStack based clouds (e.g. Open Telekom Cloud, Orange Cloud, Telefonica Open Cloud, OVH) out of the box.
Apart from that you can easily adapt the deploy role to use other cloud providers. Check out Ansible Galaxy for more cloud collections.

The Playbook first creates all resources (security group, network, subnet, router), deploys one (or more) new servers and then installs and configures T-Pot on them.

This example showcases the deployment on our own OpenStack based Public Cloud Offering Open Telekom Cloud.

Preparation of Ansible Master

You can either run the Ansible Playbook locally on your Linux or macOS machine or you can use an ECS (Elastic Cloud Server) on Open Telekom Cloud, which I did.
I used Ubuntu 18.04 for my Ansible Master Server, but other OSes are fine too.
Ansible connects to the managed hosts over SSH (TCP port 22), so the Ansible Master needs no special inbound rules in its Security Group; the Security Group for the T-Pot hosts themselves is created by the Playbook.

Ansible Installation

⚠️ Ansible 2.10 or newer is required!

Example for Ubuntu 18.04:

First we update the system:
sudo apt update
sudo apt dist-upgrade

Then we add the Ansible PPA and install Ansible:
sudo apt-add-repository --yes --update ppa:ansible/ansible
sudo apt install ansible

For other OSes and Distros have a look at the official Ansible Documentation.

If your OS does not offer a recent version of Ansible (>= 2.10), install Ansible with pip instead.
In short (if you already have Python3/pip3 installed; a virtualenv keeps it separate from the system packages):

pip3 install ansible

OpenStack Collection Installation

For interacting with OpenStack resources in Ansible, you need to install the collection from Ansible Galaxy:
ansible-galaxy collection install openstack.cloud

Agent Forwarding

If you run the Ansible Playbook remotely on your Ansible Master Server, Agent Forwarding must be enabled so that Ansible can authenticate to the newly created machines with the key pair held in your local SSH agent (the private key itself never has to be copied to the Ansible Master).
Caveat: while you are connected with forwarding enabled, anyone with root on the Ansible Master can use your forwarded agent, so only forward to a master you control, limit it to that single Host entry as shown below, and consider loading the key with ssh-add -c so the agent asks for confirmation on every use.

  • On Linux or macOS:
    • Create or edit ~/.ssh/config (replace ANSIBLE_MASTER_IP with the address of your Ansible Master):
      Host ANSIBLE_MASTER_IP
      ForwardAgent yes
      
  • On Windows using Putty:
    (Screenshot: Putty Agent Forwarding)
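As an added example (not part of tpotce or this Playbook), the following POSIX shell script bundles the checks from the three steps above into one preflight run on the Ansible Master: Ansible core 2.10 or newer, the openstack.cloud collection installed, a key loaded in the SSH agent (otherwise agent forwarding has nothing to forward), and the clouds.yaml configured later in this guide not being readable by other users. It assumes that the first line of ansible --version reads "ansible 2.10.8" or "ansible [core 2.12.3]" and that ansible-galaxy collection list prints one "name version" line per collection; the file name preflight.sh and the messages are the example's own.

```shell
#!/bin/sh
# Added example, not part of tpotce: preflight checks for the Ansible Master.
# The parsing helpers take their input as arguments so they can be tried on
# constructed strings; preflight() feeds them the output of the real tools.
# Assumed formats: `ansible --version` starts with "ansible 2.10.8" (2.10) or
# "ansible [core 2.12.3]" (2.11+); `ansible-galaxy collection list` prints
# one "<name> <version>" line per installed collection.

# version_ge A B: succeeds if dotted version A >= B. Components are compared
# numerically, so 2.10 ranks above 2.9; a plain string compare would not.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    # pad with ".0.0" so short versions such as "2.10" still have 3 fields;
    # drop suffixes such as "rc1" before the numeric test
    x=$(printf '%s.0.0' "$1" | cut -d. -f"$i" | tr -cd '0-9')
    y=$(printf '%s.0.0' "$2" | cut -d. -f"$i" | tr -cd '0-9')
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# ansible_core_version OUTPUT: first dotted number on the first line of
# `ansible --version`, i.e. the core version that decides collection support.
ansible_core_version() {
  printf '%s\n' "$1" | head -n 1 | grep -o '[0-9][0-9.]*' | head -n 1
}

# collection_present LIST NAME: NAME appears as an installed collection in LIST
collection_present() {
  printf '%s\n' "$1" | grep -q "^$2 "
}

# perms_ok LS_LINE: the `ls -l` mode string grants nothing to group or others
perms_ok() {
  case "$1" in
    ????------*) return 0 ;;
    *) return 1 ;;
  esac
}

preflight() {
  rc=0
  v=$(ansible_core_version "$(ansible --version 2>/dev/null)")
  if [ -z "$v" ]; then
    echo "FAIL: ansible not found in PATH"; rc=1
  elif version_ge "$v" 2.10.0; then
    echo "OK:   ansible core $v"
  else
    echo "FAIL: ansible core $v is older than 2.10 (install via pip3)"; rc=1
  fi

  if collection_present "$(ansible-galaxy collection list 2>/dev/null)" openstack.cloud; then
    echo "OK:   openstack.cloud collection installed"
  else
    echo "FAIL: run: ansible-galaxy collection install openstack.cloud"; rc=1
  fi

  # ssh-add -l exits 0 with keys loaded, 1 with none, 2 without an agent
  if ssh-add -l >/dev/null 2>&1; then
    echo "OK:   ssh-agent has a key loaded (needed for agent forwarding)"
  else
    echo "FAIL: no key in ssh-agent; run ssh-add (or ssh-add -c) locally"; rc=1
  fi

  # clouds.yaml holds the API password in clear text: keep it 0600
  for f in clouds.yaml "$HOME/.config/openstack/clouds.yaml"; do
    [ -f "$f" ] || continue
    if perms_ok "$(ls -ld "$f")"; then
      echo "OK:   $f is private"
    else
      echo "WARN: $f is readable by others; chmod 600 $f"
    fi
  done
  return "$rc"
}

# only run the checks when invoked as: sh preflight.sh run
case "${1:-}" in run) preflight ;; esac
```

Save it as preflight.sh and run sh preflight.sh run from the openstack folder before the first deployment; the version comparison is done per numeric component on purpose, because a string compare ranks 2.9 above 2.10 and would pass an Ansible that is too old.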

Preparations in Open Telekom Cloud Console

(You can skip this if you have already set up a project and an API account with key pair)
(Just make sure you know the naming for everything, as you need to configure the Ansible variables.)

Before we can start deploying, we have to prepare the Open Telekom Cloud tenant.
For that, go to the Web Console and log in with an admin user.

Create new project

I strongly advise you to create a separate project for the T-Pots in your tenant.
In my case I named it tpot.

(Screenshot: Create new project)

Create API user

The next step is to create a new user account that is restricted to the tpot project.
This limits what the API credentials used by the Playbook can reach: if they leak (for example from clouds.yaml), only that project is exposed, not the rest of your tenant.

(Screenshot: Create API user)

Import Key Pair

⚠️ Now log in with the newly created API user account and select your project.

(Screenshot: Login as API user)

Import your SSH public key.

(Screenshot: Import SSH Public Key)

Clone Git Repository

Clone the tpotce repository to your Ansible Master:
git clone https://github.com/telekom-security/tpotce.git
All Ansible related files are located in the cloud/ansible/openstack folder.

Settings and recommended values

You can configure all aspects of your Elastic Cloud Server and T-Pot before using the Playbook:

clouds.yaml

Located at openstack/clouds.yaml.
Enter your Open Telekom Cloud API user credentials here (username, password, project name, user domain name).
The password is stored in clear text, so restrict the file to your own user (chmod 600 clouds.yaml) and never commit the edited file:

clouds:
  open-telekom-cloud:
    profile: otc
    auth:
      project_name: eu-de_your_project
      username: your_api_user
      password: your_password
      user_domain_name: OTC-EU-DE-000000000010000XXXXX

You can also use other authentication methods, such as sourcing OpenStack OS_* environment variables (an openrc file) or providing an inline auth dictionary in the Playbook.
For more information have a look at the openstack.cloud.server Ansible module documentation.

If you already have your own clouds.yaml file or have multiple clouds in there, you can specify which one to use in the openstack/my_os_cloud.yaml file:

# Enter the name of your cloud to use from clouds.yaml
cloud: open-telekom-cloud
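As an added example (not from the repository), this shell check catches two easy-to-make mistakes that only surface once the Playbook reaches its first openstack.cloud task: the name under cloud: in my_os_cloud.yaml not matching any entry under clouds: in clouds.yaml, and template placeholders (your_api_user, your_password, ...) left in place. It assumes the two-space indentation of the clouds.yaml snippet above and the file names from this section; the script name check_cloud_config.sh and the sample files used to try it out are constructed.

```shell
#!/bin/sh
# Added example, not from the repository: sanity-check the pair
# clouds.yaml / my_os_cloud.yaml before running the Playbook.
# Assumes the layout shown in this section: cloud names indented by two
# spaces under "clouds:", and a single "cloud: <name>" line in my_os_cloud.yaml.

# selected_cloud FILE: value of the "cloud:" key in my_os_cloud.yaml
selected_cloud() {
  sed -n 's/^cloud:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# clouds_in FILE: names defined directly under "clouds:" (two-space indent)
clouds_in() {
  sed -n 's/^  \([A-Za-z0-9_-][A-Za-z0-9_-]*\):[[:space:]]*$/\1/p' "$1"
}

# placeholders_in FILE: lines still carrying the template's example values
placeholders_in() {
  grep -n -E 'your_(api_user|password|project)|XXXXX' "$1" || true
}

# check_cloud_config CLOUDS_YAML MY_OS_CLOUD_YAML: succeeds only if the
# selected cloud exists and no placeholder is left in the credentials file
check_cloud_config() {
  name=$(selected_cloud "$2")
  if [ -z "$name" ]; then
    echo "FAIL: no 'cloud:' entry in $2"; return 1
  fi
  if ! clouds_in "$1" | grep -qxF "$name"; then
    echo "FAIL: '$name' (from $2) is not defined in $1; defined: $(clouds_in "$1" | tr '\n' ' ')"
    return 1
  fi
  left=$(placeholders_in "$1")
  if [ -n "$left" ]; then
    echo "FAIL: placeholder values still present in $1:"
    echo "$left"
    return 1
  fi
  echo "OK: $2 selects '$name', which is defined in $1"
}

# run as: sh check_cloud_config.sh check [clouds.yaml] [my_os_cloud.yaml]
case "${1:-}" in
  check) check_cloud_config "${2:-clouds.yaml}" "${3:-my_os_cloud.yaml}" ;;
esac
```

Run it from the openstack folder with sh check_cloud_config.sh check; a non-zero exit and a FAIL line mean the Playbook would fail at the first cloud task, with a much less readable error.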

Ansible remote user

You may have to adjust the remote_user in the Ansible Playbook under openstack/deploy_tpot.yaml depending on your Debian base image (e.g. on Open Telekom Cloud the default Debian user is linux).

Number of instances to deploy

You can adjust the number of VMs/T-Pots that you want to create in openstack/deploy_tpot.yaml:

loop: "{{ range(0, 1) }}"

range(0, N) creates N instances; one instance is set as the default, increase to your liking.

Instance settings

Located at openstack/roles/create_vm/vars/main.yaml.
Here you can customize your virtual machine specifications:

  • Choose an availability zone. For Open Telekom Cloud reference see here.
  • Change the OS image (for T-Pot we need Debian)
  • (Optional) Change the volume size
  • Specify your key pair (⚠️ mandatory: use the name under which you imported the key pair above)
  • (Optional) Change the instance type (flavor)
    s3.medium.8 corresponds to 1 vCPU and 8 GB of RAM and is the minimum required flavor.
    A full list of Open Telekom Cloud flavors can be found here.

availability_zone: eu-de-03
image: Standard_Debian_10_latest
volume_size: 128
key_name: your-KeyPair
flavor: s3.medium.8

User password

Located at openstack/roles/install/vars/main.yaml.
Here you can set the password for your Debian user (you should definitely change that: the default below is public in the repository, and a honeypot host is reachable from the internet by design).

user_password: LiNuXuSeRPaSs#

Configure tpot.conf.dist

The file is located in iso/installer/tpot.conf.dist.
Here you can choose:

  • between the various T-Pot editions
  • a username for the web interface
  • a password for the web interface (you should definitely change that)

Optional: Custom ews.cfg

Enable this by uncommenting the role in the deploy_tpot.yaml playbook.

#    - custom_ews

You can use a custom config file for ewsposter.
e.g. when you have your own credentials for delivering data to our Sicherheitstacho.
You can find the ews.cfg template file here: openstack/roles/custom_ews/templates/ews.cfg and adapt it for your needs.

For setting custom credentials, these settings would be relevant for you (the rest of the file can stay as is):

[MAIN]
...
contact = your_email_address
...

[EWS]
...
username = your_username
token = your_token
...

Optional: Custom HPFEEDS

Enable this by uncommenting the role in the deploy_tpot.yaml playbook.

#    - custom_hpfeeds

You can specify custom HPFEEDS in openstack/roles/custom_hpfeeds/files/hpfeeds.cfg.
That file contains the defaults (turned off) and you can adapt it for your needs, e.g. for SISSDEN:

myENABLE=true
myHOST=hpfeeds.sissden.eu
myPORT=10000
myCHANNEL=t-pot.events
myCERT=/opt/ewsposter/sissden.pem
myIDENT=your_user
mySECRET=your_secret
myFORMAT=json

Deploying a T-Pot 🍯🐝

Now, after configuring everything, we can finally start deploying T-Pots!

Go to the openstack folder and run the Ansible Playbook with:
ansible-playbook deploy_tpot.yaml
(Yes, it is as easy as that 😄)
Running ansible-playbook --syntax-check deploy_tpot.yaml first is a cheap way to catch YAML or variable mistakes before any cloud resources are created.

If you are running on a machine which asks for a sudo password, you can use:
ansible-playbook --ask-become-pass deploy_tpot.yaml

The Playbook will first install required packages on the Ansible Master and then deploy one (or more) new server instances.
After that, T-Pot gets installed and configured on them, optionally custom configs are applied and finally it reboots.

Once this is done, you can proceed with connecting/logging in to the T-Pot according to the documentation.

Further documentation