SEC 480 Milestone 6 - DefiantCoder/Tech-Journals GitHub Wiki
Ansible
- Run the following to install Ansible
# Helpers for password-based SSH runs (sshpass/paramiko back the --ask-pass
# invocations further down) plus git for cloning the playbooks.
sudo apt install sshpass python3-paramiko git
# Ansible is pulled from the upstream PPA rather than the distro archive.
sudo apt-add-repository ppa:ansible/ansible
sudo apt update
sudo apt install ansible
ansible --version
# NOTE: this appends, so re-running duplicates the [defaults] section.
# host_key_checking = false turns off SSH host-key verification for every
# managed host, so a host that presents a changed or unknown key is accepted
# silently. Fine for a throwaway lab; on a real network pre-populate
# known_hosts and leave the default on.
cat >> ~/.ansible.cfg << EOF
[defaults]
host_key_checking = false
EOF
- VyOS inventory
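# Inventory for the blue1 VyOS firewall. Ansible's INI format expects the
# connection address first, then key=value host vars with no spaces around
# "=". The original line ("IP Address ... Hostname = ... Mac = ...") does not
# parse that way and, in particular, never defined "hostname", which
# config.boot.j2 renders as host-name. The vars below are all read by the
# template except mac, which is informational only.
[vyos]
10.0.17.103 hostname=blue1-fw mac=00:50:56:8d:c3:0e wan_ip=10.0.17.200 lan_ip=10.0.5.2 lan=10.0.5.0/24 name_server=10.0.17.4 gateway=10.0.17.2

[vyos:vars]
ansible_python_interpreter=/usr/bin/python3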
# Connectivity check: run the ping module against every host in the [vyos]
# group, authenticating with the password typed at the prompt.
ansible -i inventories/fw-blue1-vars.txt -m ping --user vyos --ask-pass vyos
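---
# This playbook performs the initial configuration of the bluex-fw.
# Connection details come from the CLI (-i inventory, --user vyos, --ask-pass);
# the host vars wan_ip, lan_ip, lan, name_server, gateway and hostname are
# consumed by config.boot.j2.
- name: vyos network config
  hosts: vyos
  vars_prompt:
    # Prompted at run time so the new password is never written into the
    # inventory or the playbook; private: true hides the typed input.
    - name: password
      prompt: enter your new vyos password
      private: true
  tasks:
    # password_hash('sha512') generates a fresh random salt on every run, so
    # the rendered config.boot differs between runs even for the same password.
    - name: set the password hash fact
      set_fact:
        password_hash: "{{ password | password_hash('sha512') }}"

    # Render the complete VyOS config. The file carries the password hash, so
    # its mode/owner/group matter: 0775 leaves it group-writable and executable.
    # NOTE(review): confirm this matches what VyOS expects for
    # /config/config.boot; a non-executable mode may be sufficient.
    - name: load vyos config from template
      become: true
      template:
        src: config.boot.j2
        dest: /config/config.boot
        mode: "0775"
        owner: root
        group: vyattacfg

    # Reboot so the new config.boot is loaded. The delayed shutdown is
    # detached with nohup so the SSH session closing does not kill it, and
    # ignore_errors covers the connection dropping while the task returns.
    - name: bounce and end
      become: true
      shell: nohup bash -c "/usr/bin/sleep 5 && /usr/sbin/shutdown -r now" &
      ignore_errors: true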
# Apply the playbook to the blue1 firewall with the same inventory and
# password prompt used for the ping check.
ansible-playbook --user vyos --ask-pass -i ansible/inventories/fw-blue1-vars.txt ansible/vyos-config.yml
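{# VyOS config.boot rendered by the "load vyos config from template" task.
   Variables come from the inventory host line (wan_ip, lan_ip, lan,
   name_server, gateway, hostname) and from set_fact (password_hash).
   Jinja comments like this one are stripped at render time and never
   reach the device. #}
interfaces {
    ethernet eth0 {
        address {{ wan_ip }}/24
    }
    ethernet eth1 {
        address {{ lan_ip }}/24
    }
    loopback lo {
    }
}
{# Masquerade everything leaving eth0 (WAN) that originates from the LAN. #}
nat {
    source {
        rule 10 {
            outbound-interface eth0
            source {
                address {{ lan }}
            }
            translation {
                address masquerade
            }
        }
    }
}
{# Was misspelled "protcols"; VyOS has no such node, so the default route
   below would not have been applied. #}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop {{ gateway }} {
            }
        }
    }
}
service {
    dns {
        forwarding {
            allow-from {{ lan }}
            listen-address {{ lan_ip }}
            name-server {{ name_server }}
            system
        }
    }
    {# 0.0.0.0 exposes SSH on eth0 (WAN) as well as eth1, and this config
       defines no firewall rule set. Ansible reaches the box over the
       10.0.17.x side, so narrowing this to the LAN address alone would cut
       the management path; a firewall rule set on eth0 is the usual way to
       limit who can reach the listener. #}
    ssh {
        listen-address 0.0.0.0
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name {{ hostname }}
    login {
        user vyos {
            authentication {
                {# Hash produced by the playbook's set_fact; the plaintext
                   password never appears in the rendered file. #}
                encrypted-password {{ password_hash }}
                plaintext-password ""
            }
        }
    }
    name-server {{ name_server }}
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
}
{# NOTE(review): a stock config.boot ends with a vyatta-config-version
   trailer; confirm whether this VyOS release needs it for the file to load
   without triggering migration. #}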
Reflection: I had difficulties in creating the portgroup part of 480 utils and ultimately decided to scrap it for time reasons. A minor difficulty I had was forgetting my DNS records, which I had to go back and configure for the blue fw. This lab was a great way to increase my experience with Ansible, something I'm sure I will use in the future.