cyhy_amis/ansible/roles/cyhy_commander/tasks/main.yml at 7ca25edf567d4105380f929bdafa3ef25778a8a7 · cisagov/cyhy_amis · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
---
#
# Copy private key to new instance
#
- name: Copy ssh private key for cyhy user
  ansible.builtin.copy:
    content: "{{ cyhy_commander_ssh_private_key }}"
    dest: /var/cyhy/.ssh/id_ed25519
    group: cyhy
    mode: u=rw,g=,o=
    owner: cyhy

#
# Copy the cyhy-commander conf file
#
- name: Create the configuration file for cyhy-commander
  ansible.builtin.template:
    dest: /etc/cyhy/commander.conf
    mode: u=rw,g=r,o=r
    src: commander.conf.j2

#
# Create empty cyhy ssh config with cyhy as owner and group
#
- name: Create empty ssh config file
  ansible.builtin.file:
    group: cyhy
    mode: u=rw,g=r,o=r
    owner: cyhy
    path: /var/cyhy/.ssh/config
    state: touch

- name: Enable and start cyhy-commander
  ansible.builtin.service:
    name: cyhy-commander
    enabled: true
    state: restarted

#
# Grab the files we need to create the "places" collection from cyhy-core
#
- name: Create the directories needed to import places data
  ansible.builtin.file:
    mode: u=rwx,g=rx,o=rx
    path: "{{ item }}"
    state: directory
  loop:
    - /tmp/cyhy-places/extras
    - /tmp/cyhy-places/scripts

- name: Download load_places.sh from GitHub
  ansible.builtin.get_url:
    dest: /tmp/cyhy-places/scripts/load_places.sh
    mode: u=rwx,g=rx,o=rx
    url: "https://raw.githubusercontent.com/cisagov/cyhy-core/develop/var/load_places.sh"

- name: Download GNIS_data_import.py from GitHub
  ansible.builtin.get_url:
    dest: /tmp/cyhy-places/scripts/GNIS_data_import.py
    mode: u=rwx,g=rx,o=rx
    url: "https://raw.githubusercontent.com/cisagov/cyhy-core/develop/var/GNIS_data_import.py"

- name: Download ADDL_CYHY_PLACES.txt from GitHub
  ansible.builtin.get_url:
    dest: /tmp/cyhy-places/extras/ADDL_CYHY_PLACES.txt
    mode: u=rw,g=r,o=r
    url: "https://raw.githubusercontent.com/cisagov/cyhy-core/develop/extras/ADDL_CYHY_PLACES.txt"

- name: Check if cyhy.conf already exists
  ansible.builtin.stat:
    path: /etc/cyhy/cyhy.conf
  register: cyhy_commander_cyhy_conf_result

#
# Set up /etc/cyhy/cyhy.conf with commander creds
#
# This is a little messy.  The real solution is to just create a
# cyhy.conf with credentials for each user in mongo_users.other_users.
# That will cause some heartburn, though, since the credential
# sections will have to be named using the MongoDB username.  That
# will necessitate some changes elsewhere in the code where named
# sections from cyhy.conf are explicitly referenced.
- name: Create cyhy.conf (with commander credentials) if it doesn't exist
  ansible.builtin.template:
    dest: /etc/cyhy/cyhy.conf
    group: cyhy
    mode: u=rw,g=rw,o=
    owner: cyhy
    src: cyhy.conf.j2
  when: not cyhy_commander_cyhy_conf_result.stat.exists

- name: Add commander credentials block to cyhy.conf if necessary
  ansible.builtin.blockinfile:
    block: |
      [production]
      database-uri = mongodb://{{ cyhy_commander_commander_user }}:{{ cyhy_commander_commander_pw }}@database1.cyhy:27017/{{ cyhy_commander_commander_db }}
      database-name = {{ cyhy_commander_commander_db }}
    marker: '; {mark} ANSIBLE MANAGED BLOCK commander'
    path: /etc/cyhy/cyhy.conf
  when: cyhy_commander_cyhy_conf_result.stat.exists

#
# Run script to create the "places" collection
#
# Note that we have to turn on pipelining, as described here:
# https://docs.ansible.com/ansible/latest/user_guide/become.html#becoming-an-unprivileged-user
#
# When rerun this updates the "places" collection with the latest information
# with no indication of whether or not data in the collection has changed.
- name: Load data to places collection as the cyhy user
  ansible.builtin.command: # noqa no-changed-when
    cmd: /tmp/cyhy-places/scripts/load_places.sh
  become: true
  become_user: cyhy

#
# Cleanup
#
- name: Delete /tmp/cyhy-places
  ansible.builtin.file:
    path: /tmp/cyhy-places
    state: absent

#
# Run cyhy-nvdsync daily at 0815 (UTC) as cyhy user
#
- name: Set up nightly cron job to sync NVD data
  ansible.builtin.cron:
    hour: '8'
    job: /usr/local/bin/cyhy-nvdsync --use-network 2>&1 | /usr/bin/logger --tag cyhy-nvdsync
    minute: '15'
    name: Nightly cyhy-nvdsync
    user: cyhy

#
# Run cyhy-kevsync daily at 0845 (UTC) as cyhy user
#
- name: Set up nightly cron job to sync KEV data
  ansible.builtin.cron:
    hour: '8'
    job: /usr/local/bin/cyhy-kevsync 2>&1 | /usr/bin/logger --tag cyhy-kevsync
    minute: '45'
    name: Nightly cyhy-kevsync
    user: cyhy