-rw-r--r--chaos-at-home/ch-greenbone.yml18
-rw-r--r--chaos-at-home/ch-mon.yml1
-rw-r--r--chaos-at-home/ch-testvm-phoebe.yml5
-rw-r--r--chaos-at-home/host_vars/ch-greenbone.yml9
-rw-r--r--inventory/group_vars/chaos-at-home/network.yml1
-rw-r--r--inventory/group_vars/chaos-at-home/vars.yml4
-rw-r--r--inventory/host_vars/ch-greenbone.yml87
-rw-r--r--inventory/host_vars/ch-testvm-phoebe.yml4
-rw-r--r--inventory/hosts.ini2
-rw-r--r--roles/greenbone/server/defaults/main.yml10
-rw-r--r--roles/greenbone/server/tasks/main.yml59
-rw-r--r--roles/greenbone/server/templates/docker-compose-22.4.yml.j2179
-rw-r--r--roles/greenbone/target/defaults/main.yml5
-rw-r--r--roles/greenbone/target/tasks/main.yml15
14 files changed, 399 insertions, 0 deletions
diff --git a/chaos-at-home/ch-greenbone.yml b/chaos-at-home/ch-greenbone.yml
new file mode 100644
index 00000000..f04effbc
--- /dev/null
+++ b/chaos-at-home/ch-greenbone.yml
@@ -0,0 +1,18 @@
+---
+- name: Basic Setup
+ hosts: ch-greenbone
+ roles:
+ - role: apt-repo/base
+ - role: core/base
+ - role: core/sshd/base
+ - role: core/zsh
+ - role: core/ntp
+
+- name: Payload Setup
+ hosts: ch-greenbone
+ roles:
+ - role: storage/lvm/base
+ - role: nginx/base
+ - role: x509/static-ca/base
+ - role: docker/engine
+ - role: greenbone/server
diff --git a/chaos-at-home/ch-mon.yml b/chaos-at-home/ch-mon.yml
index bb0100c7..547bd77e 100644
--- a/chaos-at-home/ch-mon.yml
+++ b/chaos-at-home/ch-mon.yml
@@ -14,6 +14,7 @@
- role: network/nftables/base
- role: storage/lvm/base
- role: nginx/base
+ - role: x509/static-ca/base
- role: apt-repo/spreadspace
- role: nginx/auth/whawty-sso/base
- role: nginx/auth/whawty-sso/auth
diff --git a/chaos-at-home/ch-testvm-phoebe.yml b/chaos-at-home/ch-testvm-phoebe.yml
index e791839b..bcb4d92e 100644
--- a/chaos-at-home/ch-testvm-phoebe.yml
+++ b/chaos-at-home/ch-testvm-phoebe.yml
@@ -7,3 +7,8 @@
- role: core/sshd/base
- role: core/zsh
- role: core/ntp
+
+- name: Payload Setup
+ hosts: ch-testvm-phoebe
+ roles:
+ - role: greenbone/target
diff --git a/chaos-at-home/host_vars/ch-greenbone.yml b/chaos-at-home/host_vars/ch-greenbone.yml
new file mode 100644
index 00000000..ff72e0f5
--- /dev/null
+++ b/chaos-at-home/host_vars/ch-greenbone.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.2;AES256;chaos-at-home
+32373931633332336638643137633863323734343737313464656330653064323135386638386330
+6665386131366531633637356231303630653663383832310a623766626331353038356638663562
+63643761383761313161343061323834333366353438663837323965323439633737383335393266
+6365343162303033370a613234306338346530663563363638313166336239323932333364353338
+32316237313432356566353531613638656337396333306630303231303336386239616137366335
+35646535373764343638626264393731333430643535376132306134363332613137323062343763
+37356434343666616165303930393736306537386362366536346639306239306634336538663537
+35353865633265376365
diff --git a/inventory/group_vars/chaos-at-home/network.yml b/inventory/group_vars/chaos-at-home/network.yml
index a4db5907..3e007657 100644
--- a/inventory/group_vars/chaos-at-home/network.yml
+++ b/inventory/group_vars/chaos-at-home/network.yml
@@ -90,6 +90,7 @@ network_zones:
__svc_http__: 80
__svc_imap__: 143
ch-mon: 230
+ ch-greenbone: 231
ch-router-obsd: 253
ch-router: 254
#############
diff --git a/inventory/group_vars/chaos-at-home/vars.yml b/inventory/group_vars/chaos-at-home/vars.yml
index 2b9cdbf9..76b1fab7 100644
--- a/inventory/group_vars/chaos-at-home/vars.yml
+++ b/inventory/group_vars/chaos-at-home/vars.yml
@@ -47,3 +47,7 @@ chaos_at_home_internal_ca_cert: |
N+KMguLblXN36LvwTK5l4iWAfMO77F6dZUzi6VrAY1jF/Sff+V6o/vDhBFEJFzZG
5AV4fhfS7jK1Fg3k
-----END CERTIFICATE-----
+
+
+greenbone_target_user_ssh_keys:
+ - ssh-rsa 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
diff --git a/inventory/host_vars/ch-greenbone.yml b/inventory/host_vars/ch-greenbone.yml
new file mode 100644
index 00000000..674b102e
--- /dev/null
+++ b/inventory/host_vars/ch-greenbone.yml
@@ -0,0 +1,87 @@
+---
+install_jumphost: ch-jump
+
+install:
+ vm:
+ memory: 8G
+ numcpus: 4
+ autostart: False
+ disks:
+ primary: /dev/sda
+ scsi:
+ sda:
+ type: zfs
+ name: root
+ size: 30g
+ properties:
+ 'syncoid:sync': 'false'
+ interfaces:
+ - bridge: br-svc
+ name: svc0
+
+network:
+ nameservers: "{{ network_zones.svc.dns }}"
+ domain: "{{ host_domain }}"
+ systemd_link:
+ interfaces: "{{ install.interfaces }}"
+ primary: &_network_primary_
+ name: svc0
+ address: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets[inventory_hostname]) }}"
+ gateway: "{{ network_zones.svc.gateway }}"
+ static_routes:
+ - destination: "{{ network_zones.lan.prefix }}"
+ gateway: "{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-gw-lan']) | ansible.utils.ipaddr('address') }}"
+ interfaces:
+ - *_network_primary_
+
+ntp_variant: systemd-timesyncd
+
+
+docker_pkg_provider: docker-com
+docker_plugins:
+ - compose
+
+docker_storage:
+ type: lvm
+ vg: "{{ host_name }}"
+ lv: docker
+ size: 20G
+ fs: ext4
+
+
+greenbone_server_version: 22.4
+greenbone_server_hostname: "{{ host_name }}.{{ host_domain }}"
+greenbone_server_tls:
+ certificate_provider: static-ca
+ certificate_config:
+ mode: "0750"
+ owner: root
+ group: www-data
+ ca:
+ key_content: "{{ chaos_at_home_internal_ca_key }}"
+ cert_content: "{{ chaos_at_home_internal_ca_cert }}"
+ key:
+ mode: "0640"
+ owner: root
+ group: www-data
+ type: RSA
+ size: 4096
+ cert:
+ mode: "0644"
+ owner: root
+ group: www-data
+ common_name: "{{ host_name }}"
+ san_extra: "{{ ['IP:'] | product(ansible_all_ipv4_addresses) | map('join') | list }}"
+ key_usage:
+ - digitalSignature
+ - keyAgreement
+ key_usage_critical: yes
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_before: +0h
+ not_after: +365d
+ renew_margin: +70d
+
+greenbone_server_admin_password: "{{ vault_greenbone_server_admin_password }}"
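Review bot: `greenbone_server_version: 22.4` near the top of the new host_vars is an unquoted float, so the template lookup `docker-compose-{{ greenbone_server_version }}.yml.j2` only works while the number happens to survive float rendering (a value such as `22.10` would render as `22.1` and the template would not be found); quote it as `greenbone_server_version: "22.4"`, and the same applies to the role default in roles/greenbone/server/defaults/main.yml. `key_usage_critical: yes`, `extended_key_usage_critical: yes`, `create_subject_key_identifier: yes` and `autostart: False` are YAML 1.1 truthy spellings; `true`/`false` avoid parser differences and the yamllint `truthy` warning. `san_extra` is built from `ansible_all_ipv4_addresses`, which on this host presumably also contains the Docker bridge addresses once the docker/engine role has run, so the certificate's SAN set may differ between the first and later runs — confirm that is intended or restrict it to the svc interface.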
diff --git a/inventory/host_vars/ch-testvm-phoebe.yml b/inventory/host_vars/ch-testvm-phoebe.yml
index d15e4142..df89e810 100644
--- a/inventory/host_vars/ch-testvm-phoebe.yml
+++ b/inventory/host_vars/ch-testvm-phoebe.yml
@@ -39,3 +39,7 @@ network:
address: "{{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) }}"
ntp_variant: systemd-timesyncd
+
+
+####
+sshd_allowusers_host: "{{ admin_users_host + ['greenbone'] }}"
diff --git a/inventory/hosts.ini b/inventory/hosts.ini
index 90240b52..0bc9c91d 100644
--- a/inventory/hosts.ini
+++ b/inventory/hosts.ini
@@ -35,6 +35,7 @@ ch-installsmb host_name=installsmb
ch-iot host_name=iot
ch-vpn host_name=vpn
ch-mon host_name=mon
+ch-greenbone host_name=greenbone
ch-epimetheus host_name=epimetheus
ch-mclr host_name=mclr
ch-mcbr host_name=mcbr
@@ -401,6 +402,7 @@ ch-vpn
ch-mon
ch-k8s-ctrl
ch-installsmb
+ch-greenbone
[vmhost-ch-prometheus]
ch-prometheus
[vmhost-ch-prometheus:children]
diff --git a/roles/greenbone/server/defaults/main.yml b/roles/greenbone/server/defaults/main.yml
new file mode 100644
index 00000000..9844fdbb
--- /dev/null
+++ b/roles/greenbone/server/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+greenbone_server_version: 22.4
+
+# greenbone_server_hostname: greenbone.example.com
+
+# greenbone_server_tls:
+# certificate_provider: ...
+# ...
+
+# greenbone_server_admin_password: secret
diff --git a/roles/greenbone/server/tasks/main.yml b/roles/greenbone/server/tasks/main.yml
new file mode 100644
index 00000000..e66d0418
--- /dev/null
+++ b/roles/greenbone/server/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+- name: create base directory
+ file:
+ path: "/var/lib/greenbone/{{ greenbone_server_hostname }}"
+ state: directory
+
+- name: copy docker compose file
+ template:
+ src: "docker-compose-{{ greenbone_server_version }}.yml.j2"
+ dest: "/var/lib/greenbone/{{ greenbone_server_hostname }}/docker-compose.yml"
+
+## TODO: replace this with proper ansible modules once the v2 modules get released
+- name: get list of running compose projects
+ check_mode: no
+ command: "docker compose ls --format json --filter 'name=^{{ greenbone_server_hostname }}$'"
+ changed_when: False
+ register: greenbone_server_compose_list
+
+- name: initial compose setup
+ when: (greenbone_server_compose_list.stdout | from_json | length) == 0
+ block:
+ - name: pull greenbone images
+ command: docker compose -f "/var/lib/greenbone/{{ greenbone_server_hostname }}/docker-compose.yml" -p "{{ greenbone_server_hostname | replace('.', '_') }}" pull
+
+ - name: start greenbone
+ command: docker compose -f "/var/lib/greenbone/{{ greenbone_server_hostname }}/docker-compose.yml" -p "{{ greenbone_server_hostname | replace('.', '_') }}" up -d
+
+ - name: set admin password
+ command: docker compose -f "/var/lib/greenbone/{{ greenbone_server_hostname }}/docker-compose.yml" -p "{{ greenbone_server_hostname | replace('.', '_') }}" exec -u gvmd gvmd gvmd --user=admin --new-password="{{ greenbone_server_admin_password }}"
+ register: greenbone_server_set_admin_password
+ until: "greenbone_server_set_admin_password is not failed"
+ retries: 15
+ delay: 5
+
+- name: compute nginx vhost config
+ vars:
+ greenbone_server_vhost_base:
+ name: greenbone
+ mode: "0600"
+ template: generic
+ hostnames:
+ - "{{ greenbone_server_hostname }}"
+ locations:
+ '/':
+ proxy_pass: "http://127.0.0.1:9392"
+ greenbone_server_vhost_override__yaml: |
+ {% if greenbone_server_tls is defined %}
+ tls:
+ {{ greenbone_server_tls | to_nice_yaml(indent=2) | indent(2) }}
+ {% endif %}
+ set_fact:
+ greenbone_server_vhost: "{{ greenbone_server_vhost_base | combine(greenbone_server_vhost_override__yaml | from_yaml, recursive=True) }}"
+
+- name: configure nginx vhost
+ vars:
+ nginx_vhost:
+ "{{ greenbone_server_vhost }}"
+ include_role:
+ name: nginx/vhost
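Review bot: The `set admin password` task puts `greenbone_server_admin_password` on the `docker compose ... exec` command line and registers the result, so the secret ends up in Ansible's task output (the `until`/`retries` loop prints the full command of every failed attempt), in any log or callback plugin, and in the host's process list while the command runs; add `no_log: true` to that task. The password is also only set inside the `initial compose setup` block, so changing the vault value later has no effect on an existing deployment — worth a comment in roles/greenbone/server/defaults/main.yml next to `greenbone_server_admin_password`, e.g. `# only applied on initial setup; rotate via gvmd --user=admin --new-password afterwards`. The base directory and compose file are created without an explicit `mode`; the compose file holds no secrets here, so this is acceptable, but `mode: "0755"` / `mode: "0644"` would make that intent explicit.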
diff --git a/roles/greenbone/server/templates/docker-compose-22.4.yml.j2 b/roles/greenbone/server/templates/docker-compose-22.4.yml.j2
new file mode 100644
index 00000000..85742836
--- /dev/null
+++ b/roles/greenbone/server/templates/docker-compose-22.4.yml.j2
@@ -0,0 +1,179 @@
+services:
+ vulnerability-tests:
+ image: greenbone/vulnerability-tests
+ environment:
+ STORAGE_PATH: /var/lib/openvas/22.04/vt-data/nasl
+ volumes:
+ - vt_data_vol:/mnt
+
+ notus-data:
+ image: greenbone/notus-data
+ volumes:
+ - notus_data_vol:/mnt
+
+ scap-data:
+ image: greenbone/scap-data
+ volumes:
+ - scap_data_vol:/mnt
+
+ cert-bund-data:
+ image: greenbone/cert-bund-data
+ volumes:
+ - cert_data_vol:/mnt
+
+ dfn-cert-data:
+ image: greenbone/dfn-cert-data
+ volumes:
+ - cert_data_vol:/mnt
+ depends_on:
+ - cert-bund-data
+
+ data-objects:
+ image: greenbone/data-objects
+ volumes:
+ - data_objects_vol:/mnt
+
+ report-formats:
+ image: greenbone/report-formats
+ volumes:
+ - data_objects_vol:/mnt
+ depends_on:
+ - data-objects
+
+ gpg-data:
+ image: greenbone/gpg-data
+ volumes:
+ - gpg_data_vol:/mnt
+
+ redis-server:
+ image: greenbone/redis-server
+ restart: on-failure
+ volumes:
+ - redis_socket_vol:/run/redis/
+
+ pg-gvm:
+ image: greenbone/pg-gvm:stable
+ restart: on-failure
+ volumes:
+ - psql_data_vol:/var/lib/postgresql
+ - psql_socket_vol:/var/run/postgresql
+
+ gvmd:
+ image: greenbone/gvmd:stable
+ restart: on-failure
+ volumes:
+ - gvmd_data_vol:/var/lib/gvm
+ - scap_data_vol:/var/lib/gvm/scap-data/
+ - cert_data_vol:/var/lib/gvm/cert-data
+ - data_objects_vol:/var/lib/gvm/data-objects/gvmd
+ - vt_data_vol:/var/lib/openvas/plugins
+ - psql_data_vol:/var/lib/postgresql
+ - gvmd_socket_vol:/run/gvmd
+ - ospd_openvas_socket_vol:/run/ospd
+ - psql_socket_vol:/var/run/postgresql
+ depends_on:
+ pg-gvm:
+ condition: service_started
+ scap-data:
+ condition: service_completed_successfully
+ cert-bund-data:
+ condition: service_completed_successfully
+ dfn-cert-data:
+ condition: service_completed_successfully
+ data-objects:
+ condition: service_completed_successfully
+ report-formats:
+ condition: service_completed_successfully
+
+ gsa:
+ image: greenbone/gsa:stable
+ restart: on-failure
+ ports:
+ - 127.0.0.1:9392:80
+ volumes:
+ - gvmd_socket_vol:/run/gvmd
+ depends_on:
+ - gvmd
+
+ ospd-openvas:
+ image: greenbone/ospd-openvas:stable
+ restart: on-failure
+ hostname: ospd-openvas.local
+ cap_add:
+ - NET_ADMIN # for capturing packages in promiscuous mode
+ - NET_RAW # for raw sockets e.g. used for the boreas alive detection
+ security_opt:
+ - seccomp=unconfined
+ - apparmor=unconfined
+ command:
+ [
+ "ospd-openvas",
+ "-f",
+ "--config",
+ "/etc/gvm/ospd-openvas.conf",
+ "--mqtt-broker-address",
+ "mqtt-broker",
+ "--notus-feed-dir",
+ "/var/lib/notus/advisories",
+ "-m",
+ "666"
+ ]
+ volumes:
+ - gpg_data_vol:/etc/openvas/gnupg
+ - vt_data_vol:/var/lib/openvas/plugins
+ - notus_data_vol:/var/lib/notus
+ - ospd_openvas_socket_vol:/run/ospd
+ - redis_socket_vol:/run/redis/
+ depends_on:
+ redis-server:
+ condition: service_started
+ gpg-data:
+ condition: service_completed_successfully
+ vulnerability-tests:
+ condition: service_completed_successfully
+
+ mqtt-broker:
+ restart: on-failure
+ image: greenbone/mqtt-broker
+ networks:
+ default:
+ aliases:
+ - mqtt-broker
+ - broker
+
+ notus-scanner:
+ restart: on-failure
+ image: greenbone/notus-scanner:stable
+ volumes:
+ - notus_data_vol:/var/lib/notus
+ - gpg_data_vol:/etc/openvas/gnupg
+ environment:
+ NOTUS_SCANNER_MQTT_BROKER_ADDRESS: mqtt-broker
+ NOTUS_SCANNER_PRODUCTS_DIRECTORY: /var/lib/notus/products
+ depends_on:
+ - mqtt-broker
+ - gpg-data
+ - vulnerability-tests
+
+ gvm-tools:
+ image: greenbone/gvm-tools
+ volumes:
+ - gvmd_socket_vol:/run/gvmd
+ - ospd_openvas_socket_vol:/run/ospd
+ depends_on:
+ - gvmd
+ - ospd-openvas
+
+volumes:
+ gpg_data_vol:
+ scap_data_vol:
+ cert_data_vol:
+ data_objects_vol:
+ gvmd_data_vol:
+ psql_data_vol:
+ vt_data_vol:
+ notus_data_vol:
+ psql_socket_vol:
+ gvmd_socket_vol:
+ ospd_openvas_socket_vol:
+ redis_socket_vol:
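Review bot: Every image in the template uses a mutable tag (`:stable`, or the implicit `latest` on the feed/data images), and the role in roles/greenbone/server/tasks/main.yml only runs `docker compose pull` inside the initial-setup block, so unless something outside this change pulls periodically the VT/SCAP/CERT feed containers and the scanner components stay at whatever was fetched on the first run. Either document that update procedure in a comment at the top of the template, e.g. `# images are pulled only on initial setup; refresh feeds with: docker compose -p <project> pull && docker compose -p <project> up -d`, or add an unconditional pull task to the role. The `ospd-openvas` service disables seccomp and AppArmor and adds `NET_ADMIN`/`NET_RAW`; this appears to mirror the upstream compose file, but a comment stating that origin and that the scanner needs raw sockets for alive detection would help the next maintainer decide whether it can be tightened. `- 127.0.0.1:9392:80` should be quoted to follow the compose convention for port mappings.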
diff --git a/roles/greenbone/target/defaults/main.yml b/roles/greenbone/target/defaults/main.yml
new file mode 100644
index 00000000..4bb8bd24
--- /dev/null
+++ b/roles/greenbone/target/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+greenbone_target_username: greenbone
+
+#greenbone_target_user_ssh_keys:
+# - ssh-rsa ...
diff --git a/roles/greenbone/target/tasks/main.yml b/roles/greenbone/target/tasks/main.yml
new file mode 100644
index 00000000..8acc10cb
--- /dev/null
+++ b/roles/greenbone/target/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: create user for greenbone local security checks
+ user:
+ name: "{{ greenbone_target_username }}"
+ home: /var/lib/greenbone
+ create_home: yes
+ shell: /bin/bash
+ system: yes
+ state: present
+
+- name: install ssh keys for greenbone local security checks
+ authorized_key:
+ user: "{{ greenbone_target_username }}"
+ key: "{{ greenbone_target_user_ssh_keys | join('\n') }}"
+ exclusive: yes
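Review bot: The `authorized_key` task installs the scanner key without `key_options`, so whoever holds the matching private key can log in as the `greenbone` user from any address that sshd admits (inventory/host_vars/ch-testvm-phoebe.yml now adds that user to `sshd_allowusers_host`). Restricting the key with a `from=` pattern limits the impact of a leaked scanner key; the scanner's svc address can be derived the same way the repo already does it elsewhere, e.g. `key_options: "from=\"{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-greenbone']) | ansible.utils.ipaddr('address') }}\""` — assuming the target sees connections from that address rather than a NAT'd one, which I cannot confirm from here. A short comment on the `user` task explaining that the interactive `/bin/bash` shell is needed for local security checks would also help, since a `system: yes` account would otherwise normally get a nologin shell.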