authorChristian Pointner <equinox@spreadspace.org>2024-01-19 19:36:18 +0100
committerChristian Pointner <equinox@spreadspace.org>2024-01-19 19:36:18 +0100
commit84c32cb662aa057ed3504e22c94ad22c4650b592 (patch)
treeac00e1cd1ee969333951703b7b1b6fc9b0d4ffb5 /roles/greenbone
parentvm/guest: minor fix for ubuntu (diff)
add initial version for greenbone
Diffstat (limited to 'roles/greenbone')
-rw-r--r--roles/greenbone/server/defaults/main.yml10
-rw-r--r--roles/greenbone/server/tasks/main.yml59
-rw-r--r--roles/greenbone/server/templates/docker-compose-22.4.yml.j2179
-rw-r--r--roles/greenbone/target/defaults/main.yml5
-rw-r--r--roles/greenbone/target/tasks/main.yml15
5 files changed, 268 insertions, 0 deletions
diff --git a/roles/greenbone/server/defaults/main.yml b/roles/greenbone/server/defaults/main.yml
new file mode 100644
index 00000000..9844fdbb
--- /dev/null
+++ b/roles/greenbone/server/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+greenbone_server_version: 22.4
+
+# greenbone_server_hostname: greenbone.example.com
+
+# greenbone_server_tls:
+# certificate_provider: ...
+# ...
+
+# greenbone_server_admin_password: secret
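Review bot: `greenbone_server_version: 22.4` is parsed as a float and only happens to render back as `22.4` when it is substituted into `docker-compose-{{ greenbone_server_version }}.yml.j2`; a release written as 22.10 would render as `22.1` and point at a template that does not exist. Quote it so the value stays a string: `greenbone_server_version: "22.4"`.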
diff --git a/roles/greenbone/server/tasks/main.yml b/roles/greenbone/server/tasks/main.yml
new file mode 100644
index 00000000..e66d0418
--- /dev/null
+++ b/roles/greenbone/server/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+- name: create base directory
+ file:
+ path: "/var/lib/greenbone/{{ greenbone_server_hostname }}"
+ state: directory
+
+- name: copy docker compose file
+ template:
+ src: "docker-compose-{{ greenbone_server_version }}.yml.j2"
+ dest: "/var/lib/greenbone/{{ greenbone_server_hostname }}/docker-compose.yml"
+
+## TODO: replace this with proper ansible modules once the v2 modules get released
+- name: get list of running compose projects
+ check_mode: no
+ command: "docker compose ls --format json --filter 'name=^{{ greenbone_server_hostname }}$'"
+ changed_when: False
+ register: greenbone_server_compose_list
+
+- name: initial compose setup
+ when: (greenbone_server_compose_list.stdout | from_json | length) == 0
+ block:
+ - name: pull greenbone images
+ command: docker compose -f "/var/lib/greenbone/{{ greenbone_server_hostname }}/docker-compose.yml" -p "{{ greenbone_server_hostname | replace('.', '_') }}" pull
+
+ - name: start greenbone
+ command: docker compose -f "/var/lib/greenbone/{{ greenbone_server_hostname }}/docker-compose.yml" -p "{{ greenbone_server_hostname | replace('.', '_') }}" up -d
+
+ - name: set admin password
+ command: docker compose -f "/var/lib/greenbone/{{ greenbone_server_hostname }}/docker-compose.yml" -p "{{ greenbone_server_hostname | replace('.', '_') }}" exec -u gvmd gvmd gvmd --user=admin --new-password="{{ greenbone_server_admin_password }}"
+ register: greenbone_server_set_admin_password
+ until: "greenbone_server_set_admin_password is not failed"
+ retries: 15
+ delay: 5
+
+- name: compute nginx vhost config
+ vars:
+ greenbone_server_vhost_base:
+ name: greenbone
+ mode: "0600"
+ template: generic
+ hostnames:
+ - "{{ greenbone_server_hostname }}"
+ locations:
+ '/':
+ proxy_pass: "http://127.0.0.1:9392"
+ greenbone_server_vhost_override__yaml: |
+ {% if greenbone_server_tls is defined %}
+ tls:
+ {{ greenbone_server_tls | to_nice_yaml(indent=2) | indent(2) }}
+ {% endif %}
+ set_fact:
+ greenbone_server_vhost: "{{ greenbone_server_vhost_base | combine(greenbone_server_vhost_override__yaml | from_yaml, recursive=True) }}"
+
+- name: configure nginx vhost
+ vars:
+ nginx_vhost:
+ "{{ greenbone_server_vhost }}"
+ include_role:
+ name: nginx/vhost
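Review bot: The `set admin password` task puts `greenbone_server_admin_password` on the command line with no `no_log: true`, so the full command — password included — lands in the Ansible output and any logging callback whenever the task is reported or fails, and the `until` loop can repeat that up to 15 times. Add `no_log: true` to that task; `until: "greenbone_server_set_admin_password is not failed"` still works on the redacted result. A second point: the `docker compose ls` filter matches `^{{ greenbone_server_hostname }}$` while the project is created with `replace('.', '_')`; if the name filter is regex-based this only matches because an unescaped `.` also matches `_`, so apply the same transform in the filter, `'name=^{{ greenbone_server_hostname | replace('.', '_') }}$'`, to make the intent explicit rather than accidental.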
diff --git a/roles/greenbone/server/templates/docker-compose-22.4.yml.j2 b/roles/greenbone/server/templates/docker-compose-22.4.yml.j2
new file mode 100644
index 00000000..85742836
--- /dev/null
+++ b/roles/greenbone/server/templates/docker-compose-22.4.yml.j2
@@ -0,0 +1,179 @@
+services:
+ vulnerability-tests:
+ image: greenbone/vulnerability-tests
+ environment:
+ STORAGE_PATH: /var/lib/openvas/22.04/vt-data/nasl
+ volumes:
+ - vt_data_vol:/mnt
+
+ notus-data:
+ image: greenbone/notus-data
+ volumes:
+ - notus_data_vol:/mnt
+
+ scap-data:
+ image: greenbone/scap-data
+ volumes:
+ - scap_data_vol:/mnt
+
+ cert-bund-data:
+ image: greenbone/cert-bund-data
+ volumes:
+ - cert_data_vol:/mnt
+
+ dfn-cert-data:
+ image: greenbone/dfn-cert-data
+ volumes:
+ - cert_data_vol:/mnt
+ depends_on:
+ - cert-bund-data
+
+ data-objects:
+ image: greenbone/data-objects
+ volumes:
+ - data_objects_vol:/mnt
+
+ report-formats:
+ image: greenbone/report-formats
+ volumes:
+ - data_objects_vol:/mnt
+ depends_on:
+ - data-objects
+
+ gpg-data:
+ image: greenbone/gpg-data
+ volumes:
+ - gpg_data_vol:/mnt
+
+ redis-server:
+ image: greenbone/redis-server
+ restart: on-failure
+ volumes:
+ - redis_socket_vol:/run/redis/
+
+ pg-gvm:
+ image: greenbone/pg-gvm:stable
+ restart: on-failure
+ volumes:
+ - psql_data_vol:/var/lib/postgresql
+ - psql_socket_vol:/var/run/postgresql
+
+ gvmd:
+ image: greenbone/gvmd:stable
+ restart: on-failure
+ volumes:
+ - gvmd_data_vol:/var/lib/gvm
+ - scap_data_vol:/var/lib/gvm/scap-data/
+ - cert_data_vol:/var/lib/gvm/cert-data
+ - data_objects_vol:/var/lib/gvm/data-objects/gvmd
+ - vt_data_vol:/var/lib/openvas/plugins
+ - psql_data_vol:/var/lib/postgresql
+ - gvmd_socket_vol:/run/gvmd
+ - ospd_openvas_socket_vol:/run/ospd
+ - psql_socket_vol:/var/run/postgresql
+ depends_on:
+ pg-gvm:
+ condition: service_started
+ scap-data:
+ condition: service_completed_successfully
+ cert-bund-data:
+ condition: service_completed_successfully
+ dfn-cert-data:
+ condition: service_completed_successfully
+ data-objects:
+ condition: service_completed_successfully
+ report-formats:
+ condition: service_completed_successfully
+
+ gsa:
+ image: greenbone/gsa:stable
+ restart: on-failure
+ ports:
+ - 127.0.0.1:9392:80
+ volumes:
+ - gvmd_socket_vol:/run/gvmd
+ depends_on:
+ - gvmd
+
+ ospd-openvas:
+ image: greenbone/ospd-openvas:stable
+ restart: on-failure
+ hostname: ospd-openvas.local
+ cap_add:
+ - NET_ADMIN # for capturing packages in promiscuous mode
+ - NET_RAW # for raw sockets e.g. used for the boreas alive detection
+ security_opt:
+ - seccomp=unconfined
+ - apparmor=unconfined
+ command:
+ [
+ "ospd-openvas",
+ "-f",
+ "--config",
+ "/etc/gvm/ospd-openvas.conf",
+ "--mqtt-broker-address",
+ "mqtt-broker",
+ "--notus-feed-dir",
+ "/var/lib/notus/advisories",
+ "-m",
+ "666"
+ ]
+ volumes:
+ - gpg_data_vol:/etc/openvas/gnupg
+ - vt_data_vol:/var/lib/openvas/plugins
+ - notus_data_vol:/var/lib/notus
+ - ospd_openvas_socket_vol:/run/ospd
+ - redis_socket_vol:/run/redis/
+ depends_on:
+ redis-server:
+ condition: service_started
+ gpg-data:
+ condition: service_completed_successfully
+ vulnerability-tests:
+ condition: service_completed_successfully
+
+ mqtt-broker:
+ restart: on-failure
+ image: greenbone/mqtt-broker
+ networks:
+ default:
+ aliases:
+ - mqtt-broker
+ - broker
+
+ notus-scanner:
+ restart: on-failure
+ image: greenbone/notus-scanner:stable
+ volumes:
+ - notus_data_vol:/var/lib/notus
+ - gpg_data_vol:/etc/openvas/gnupg
+ environment:
+ NOTUS_SCANNER_MQTT_BROKER_ADDRESS: mqtt-broker
+ NOTUS_SCANNER_PRODUCTS_DIRECTORY: /var/lib/notus/products
+ depends_on:
+ - mqtt-broker
+ - gpg-data
+ - vulnerability-tests
+
+ gvm-tools:
+ image: greenbone/gvm-tools
+ volumes:
+ - gvmd_socket_vol:/run/gvmd
+ - ospd_openvas_socket_vol:/run/ospd
+ depends_on:
+ - gvmd
+ - ospd-openvas
+
+volumes:
+ gpg_data_vol:
+ scap_data_vol:
+ cert_data_vol:
+ data_objects_vol:
+ gvmd_data_vol:
+ psql_data_vol:
+ vt_data_vol:
+ notus_data_vol:
+ psql_socket_vol:
+ gvmd_socket_vol:
+ ospd_openvas_socket_vol:
+ redis_socket_vol:
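Review bot: The `security_opt` entries `seccomp=unconfined` and `apparmor=unconfined` on `ospd-openvas` carry no rationale, unlike the neighbouring `cap_add` lines that explain `NET_ADMIN` and `NET_RAW`; since these two lines drop the host's default syscall and MAC confinement for the scanner container, add a comment such as `# TODO(review): document why the default seccomp/AppArmor profiles are dropped for the scanner` (if this mirrors an upstream compose file, say so there). Also worth noting for reproducibility: the feed images (`greenbone/vulnerability-tests`, `notus-data`, `scap-data`, `cert-bund-data`, `dfn-cert-data`, `data-objects`, `report-formats`, `gpg-data`, `redis-server`, `mqtt-broker`, `gvm-tools`) are pulled without a tag while the daemons use `:stable`, and both are mutable, so what a host runs depends on when `pull` last ran.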
diff --git a/roles/greenbone/target/defaults/main.yml b/roles/greenbone/target/defaults/main.yml
new file mode 100644
index 00000000..4bb8bd24
--- /dev/null
+++ b/roles/greenbone/target/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+greenbone_target_username: greenbone
+
+#greenbone_target_user_ssh_keys:
+# - ssh-rsa ...
diff --git a/roles/greenbone/target/tasks/main.yml b/roles/greenbone/target/tasks/main.yml
new file mode 100644
index 00000000..8acc10cb
--- /dev/null
+++ b/roles/greenbone/target/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: create user for greenbone local security checks
+ user:
+ name: "{{ greenbone_target_username }}"
+ home: /var/lib/greenbone
+ create_home: yes
+ shell: /bin/bash
+ system: yes
+ state: present
+
+- name: install ssh keys for greenbone local security checks
+ authorized_key:
+ user: "{{ greenbone_target_username }}"
+ key: "{{ greenbone_target_user_ssh_keys | join('\n') }}"
+ exclusive: yes
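Review bot: The `authorized_key` task installs the scanner keys without any restriction, so whoever holds the private key can log in as `greenbone_target_username` from any source; the module's `key_options` parameter can pin the key to the scanner host, e.g. `key_options: 'from="<scanner address placeholder>"'` (the scanner address is not given on this page). The `/bin/bash` shell and real home directory are what authenticated local checks require, so those are fine as long as the account stays unprivileged. Style: `create_home: yes`, `system: yes` and `exclusive: yes` are YAML 1.1 truthy spellings; write them as `true` to satisfy yamllint's `truthy` rule.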