Merge branch 'main' into i5200_allsearch_banner

.github/workflows/molecule_tests.yml

@@ -96,6 +96,7 @@ jobs:
           - timezone
           - tippecanoe
           - towerdeploy
+          - ufw_firewall
           - video_reserves
           - vips
           # - zookeeper

group_vars/abid/staging.yml

@@ -1,4 +1,21 @@
 ---
+# firewall
+ufw_firewall_rules:
+  - service: ssh
+    port: 22
+    protocol: tcp
+    allowed_cidrs:
+      - 10.249.64.0/18
+      - 10.249.0.0/18
+      - 128.112.0.0/16
+      - 172.20.95.0/24
+      - 172.20.192.0/19
+  - service: http
+    port: 80
+    protocol: tcp
+    allowed_cidrs:
+      - 128.112.200.0/21
+      - 128.112.0.0/16
 postgres_host: "lib-postgres-staging1.princeton.edu"
 postgres_version: 15
 postgresql_is_local: false

group_vars/crowdstrike/vault.yml

@@ -1,8 +1,18 @@
 $ANSIBLE_VAULT;1.1;AES256
-66313262353430383663643734616264316630346662373630326264643261663737373836313764
-6534396535383733383834376634383031633832643931320a623536616134353333643932303436
-65666331306166306232663234623163653339316635336634313961306338356630613034393761
-3163336562393435660a396235363835353534623838666166613237646164663962363365353166
-63666131626136656632636265336133323836613035613465393066643666363837356533343865
-37383237333066373965616437373865336238653533373162643964346138636238646535623763
-313935613765663631376533386234636665
+32343739356133353166333634656236623262653930633561396335653933396232396530653737
+3266643139643339626334343335346336616166363738640a366262343862393233626462376662
+37326132396636633561346562636532663037376666643865386535613965353135383464396536
+6335613037643339630a333132313636376437626530323031346237666665373239353439363337
+38666538653331366166623062306430646666633839623362623231633763386464313466333164
+64636134383461646133336665646130363364363436623234383134336661656637353339666666
+65623531393339366630646332633937623162363261303261373962383234373832373765623433
+38343030623432393030306433363336366261643134333336633330313063373833666136326235
+62313963353636356638313531353133393136386431633337663538386135663536636336336234
+39313762363633656130313765376263643863646434376537316662326338613237333063306662
+65306465663961383264303864616363653631623538636632613033643136386636633366356465
+38666165356132353763653565666332616438643865636437646230613862333335343561653464
+61303832323831613262623631616335303534313366653232663463636536623832326565636537
+32626662343364393334616466373631303136666431326336376165366238333632376338363136
+62356164663734666631393038613961633139323063343166346230393361623536353666336233
+65396133363030393333333962616666393632303366326134303035383961386135353233333633
+63316161623637633035653139363964393862333831363334623733646238393930

group_vars/gitlab/vault.yml

@@ -1,29 +1,29 @@
 $ANSIBLE_VAULT;1.1;AES256
-34393763653934633532386366376138386134313266653464643836653235323436393566643937
-6433373830646435393434316566326262613961366139390a353138356661313935333533643632
-66393932323939666638633138646665323964653236633563653164633566643962343565613833
-6263366666623131360a333633643064633639626334623933353964643431626335373666653537
-64336565626166323135343934636665396230313732636232386334366664316130366232303866
-38333437623763346137336437313365366334613232616636656663336363336365336164386532
-64636235653334636233363638363061623433653031663063353833356562373965333763636336
-30613439313734666438393662323533326233376463643539653537386239613663386231633535
-32663732336232393762303731653438353064613236646564326265666235616534316530663161
-33343264393035623465666636346561386466303038313336393239643630333963386339343632
-36353036323764383466613432663137646634646162636564396439393034656239383464396438
-33366266653430353964643734646261663835643132616331316365663239623035346431323761
-65386561613566636530633132376436323832666438323231656239636563386136656565636361
-38393934353536373562646332643336383333353634313630346662653162303635356362396165
-63346434386164633762663261333435663435636531663263306337643565633365323364636132
-34386436356364643339346235366634336636306465316263653832333835303138663031343433
-63383663316535323361643432393136613738616535653339376133316164313330663262303833
-33373737666331343935613963366266396138633837626238326263616466333136313834373038
-63333031313432633163646361353961336132376433653936333039656235393163346133343430
-34323037336264643766643364363063303031613163653535393761396365623039346230393261
-33313566373030353535313164363538393763613036366665663132303233313631386565633461
-38396331363138646432363337336630356237343963376231373732633238653263383861303730
-63306331616163333237366364373665303834386266313261646534643630363861646565326565
-30616437663937373433333832323633306335383061653938393762333938626632333633386639
-36346265343831386566373432336134663035636333333765633566613364383233633233376433
-62663432363634643639346533393964336432636565633733366430363238323036613530373864
-39393533653437646433326231303466366166343933613130653132356166303635306632343061
-35353838316432653565
+32376636666536333665633561653865653234316465303639633862643639386630353166333533
+3237636633353232333933643239323431623961663836340a346633633030323836343530643133
+37653737626539346134643665633165346637363834323532626463323861653163363637306164
+6435326230363031340a316134326163383035383736666338336362376332383237616464633664
+65326530633235643730353264633235613164633433376636383734353861303630613465303134
+65393264613262623061326661393232316139343335666330303166346131383561386532383761
+31316639303737623562323232376239323862646361336466363937393830303338626266626337
+33383038373532323635303337396538373962383338616662366634653936663464343439663331
+38616130616533373330656462663164353130346438396562663235373732383934646562353835
+35333862643837396435333330656461623430396261636333343636313865336433633866366430
+65383438393839396634313361623535316635626463373065616534336635366434313138306131
+38656663613839303336323431323832373238616163626366363932303437373434383537363636
+39306162366565323366636462366461653165333339306262376332643863343966323733343230
+31643762353363623132336562626437393064616163636463633831633964326539626132313937
+31646231643633303532386533393662626466303062653937356537643661356236613938323961
+61643139333765323265343837656531336430663132653661376665343965353332353865383230
+64396431366538363462316637343863333762396133633732616539386430666664396139306631
+64646165316563663031383836356633343239376533616331636166303530613961303831653632
+31626439356135333161306132623339626534396132613633306363356630653931363562306636
+64343830376338623835616635353834303463326333376562313364636562303334643361336362
+64383739636562346332323132386439663061376438623964373266636330663337393337346233
+66373730366335396130323231326330323331663930616333346339376661323639363131653731
+36353139613334303337396338353263356362663864633636376663633061363632626337666238
+32636139643263336133323665356236643034633235666131333364346466643361373261383039
+62643230396330383366326265346564306637616638666538643063623134306462643466333239
+39373936666339653331613061356631333437623236643233653162663464663632333936343334
+66616461626131386634636564303538633861626462346366636663353832376566346239386461
+35656436633332626438

group_vars/nfsserver/staging.yml

@@ -32,7 +32,7 @@ prds_staging1: "128.112.200.237"
 prds_staging2: "128.112.203.122"
 recap_www_staging1: "128.112.203.230"
 recap_www_staging2: "128.112.203.131"
-slavery_staging1: "128.112.202.236"
+slavery_staging1: "172.20.80.74"
 slavery_staging2: "128.112.203.152"
 slavery_staging_upgrade1: "172.20.80.68"
 slavery_staging_upgrade2: "172.20.80.69"

group_vars/nomad/dpulc/staging.yml

@@ -8,11 +8,14 @@ dpul_c_postgres_admin_user: "postgres"
 dpul_c_staging_figgy_db_host: "figgy-db-staging1.princeton.edu"
 dpul_c_staging_figgy_db_name: "figgy_staging"
 dpul_c_staging_figgy_db_password: "{{ vault_dpul_c_staging_figgy_db_password }}"
+dpul_c_production_figgy_db_host: "figgy-db-prod1.princeton.edu"
+dpul_c_production_figgy_db_name: "figgy_production"
+dpul_c_production_figgy_db_password: "{{ vault_dpul_c_production_figgy_db_password }}"
 dpul_c_nomad_env_vars:
   DB_NAME: '{{ dpul_c_db_name }}'
   DB_USER: '{{ dpul_c_db_user }}'
   DB_PASSWORD: '{{ dpul_c_db_password }}'
   POSTGRES_HOST: '{{ dpul_c_postgres_host }}'
   SECRET_KEY_BASE: '{{ vault_dpul_c_secret_key_base }}'
   SOLR_URL: 'http://lib-solr8d-staging.princeton.edu:8983/solr/dpulc-staging'
-  FIGGY_DATABASE_URL: 'ecto://dpulc_staging:{{ dpul_c_staging_figgy_db_password }}@{{ dpul_c_staging_figgy_db_host }}/{{ dpul_c_staging_figgy_db_name }}'
+  FIGGY_DATABASE_URL: 'ecto://dpulc_staging:{{ dpul_c_production_figgy_db_password }}@{{ dpul_c_production_figgy_db_host }}/{{ dpul_c_production_figgy_db_name }}'

group_vars/nomad/dpulc/vault.yml

@@ -1,17 +1,21 @@
 $ANSIBLE_VAULT;1.1;AES256
-63636438363930626363653233343036616165326137643766666434353866366364353534393063
-6434383035643037393439353537356438393337316465630a346539343536373065316362353433
-38656261316139623364373064366439643937616466616230303538333235303562303035373364
-3461663163663461360a366134363531656234633663396235643962343530333964653733646136
-62373532356534643264336538386335346239343035666535646638333739316639316466633164
-62663761333136306463623861346665316165343561363461316664356233313630333630333433
-62626234623938663934643239653733366234636236386637396463663635386666643938313263
-37643038653238646363313537386162383634336365363066646432386134303630393563303765
-64636337653433393130343035373861396165623463333837333734356331323432346330663564
-35376362363338613862366561653233636661323662353036346165353732323635396364373065
-65333737313934346165336661633035666564306336626563643035633434333361336131333133
-35633631393236666236353033333439613335653562383766646334366337653430616538306633
-32373636636361316233336433326331663335323734363364376533353866363363333436363462
-35373539303333633936386162633336363330393032653733656233303630636665356664663834
-35333235383865323531303962653961356661373233353731303232363437633436376364646538
-39663432346562343637
+33366231336536626433396436666233376138363135333133376332383538613837343330393031
+3764373330613038623135393661323131316639363333330a383630396365393762663033313138
+61396238353364653339343166656139363166646365383633623932353334623230663866623231
+6363663530336435320a636331656530623138613835306239626636396261326531313661393466
+37326334323332656430326561626134346434343032363632386637633466636130396261373333
+65633838383037353432343337653835383333383637373965616464613263323733613066363661
+36326163343263633939356132633636326438316266303262383837653034373539386266323730
+64323034643466393565316135386630346135373763373037346338383439353765336439376262
+62636562386430346364353563646166353835616165373237383539633230336530326165383131
+31623766363133666333636538396363623930323666353166616535306435353265353661356633
+62363534333234353030316663306464393963313362316663323362316564373933613862643735
+66636433633663313033353763663833633433626436333037323831356339626131303738383961
+61653835333839303463363538386632323536336138356338316537633033653832383165333262
+31373935373633663732633934303237636533353365373236336261363135666466383830643566
+61626536326139646435303764316565343161323835663839383136666132333161363666663562
+66303361653161633533306132366263316264353531353038373865373933383166376336383865
+31626335376431363363396432613137316132386534653763326566366664353234633139633066
+61326565373762636633333738326539323063633431343038613839646238333533396465626161
+30663838383362646235373532363865356630333334646538383939656363313738636336396233
+32313830373264653164

group_vars/nomad_cluster.yml

@@ -27,3 +27,15 @@ deploy_user_uid: 1004
 nomad_podman_version: '0.5.2'
 nomad_server_consul_token: "{{ vault_nomad_server_consul_token }}"
 nomad_client_consul_token: "{{ vault_nomad_client_consul_token }}"
+nomad_plugins:
+  nomad-driver-podman:
+    config:
+      volumes:
+        enabled: true
+        selinuxlabel: "z"
+      extra_labels:
+        - "job_name"
+        - "task_group_name"
+        - "task_name"
+        - "namespace"
+        - "node_name"

group_vars/pdc_describe/main.yml

@@ -34,7 +34,7 @@ bundler_version: "2.5.14"
 passenger_extra_http_config:
   - "passenger_preload_bundler on;"
 
-sidekiq_worker_threads: 10
+sidekiq_worker_threads: 15
 
 rails_app_vars:
   - name: SECRET_KEY_BASE
@@ -92,4 +92,4 @@ rails_app_vars:
   - name: EZID_DEFAULT_SHOULDER
     value: "ark:/88435/"
   - name: RAILS_MAX_THREADS
-    value: 10
+    value: 15

playbooks/abid.yml

@@ -10,6 +10,8 @@
     - ../group_vars/abid/{{ runtime_env | default('staging') }}.yml
     - ../group_vars/abid/vault.yml
   roles:
+    - role: roles/ufw_firewall
+      when: runtime_env == "staging"
     - role: roles/abid
 
   post_tasks:

playbooks/utils/replace_vm_host.yml

@@ -35,9 +35,14 @@
 
     - name: set the vm network to the private network if the IP starts with 172.20
       ansible.builtin.set_fact:
-        vm_network: "VM Network - LibNetPvt"
+        vm_network: "VM Network - ip4-library-servers"
       when: old_vm_info.virtual_machines[0].ip_address is match("172.20.*")
 
+    - name: set the vm network to the public network if the IP starts with 128.112
+      ansible.builtin.set_fact:
+        vm_network: "Virtual Machine Network"
+      when: old_vm_info.virtual_machines[0].ip_address is match("128.112.*")
+
     - name: Print out warning
       ansible.builtin.debug:
         msg: Ansible will now move and power off the current {{ old_vm_info.virtual_machines[0].guest_name }} VM, then create a replacement in the {{ vm_network }} network.
@@ -92,7 +97,7 @@
             unit_number: 0
             state: present
         networks:
-          - name: "{{ vm_network | default('Virtual Machine Network')}}"
+          - name: "{{ vm_network }}"
         wait_for_ip_address: true
       register: new_vm_deets
 
@@ -120,7 +125,7 @@
         datacenter: "{{ vcenter_datacenter }}"
         # new VM var does not include UUID; use moid, which is unique in each vCenter instance
         moid: "{{ new_vm_deets.instance.moid }}"
-        network_name: "{{ vm_network | default('Virtual Machine Network')}}"
+        network_name: "{{ vm_network }}"
         state: absent
         mac_address: "{{ new_vm_deets.instance.hw_eth0.macaddress }}"
 
@@ -134,7 +139,7 @@
         # new VM var does not include UUID; use moid, which is unique in each vCenter instance
         moid: "{{ new_vm_deets.instance.moid }}"
         folder: "{{ old_vm_info.virtual_machines[0].folder }}"
-        network_name: "{{ vm_network | default('Virtual Machine Network')}}"
+        network_name: "{{ vm_network }}"
         device_type: "vmxnet3"
         connected: true
         mac_address: "{{ old_vm_info.virtual_machines[0].mac_address[0] }}"
@@ -170,6 +175,7 @@
              The VM you replaced had
              an UUID of {{ old_vm_info.virtual_machines[0].uuid }}
              a mac address of {{ old_vm_info.virtual_machines[0].mac_address[0] }}
+             in the {{ vm_network }} network
              {{ old_vm_info.virtual_machines[0].allocated.cpu }} CPUs
              {{ (old_vm_info.virtual_machines[0].allocated.memory | int / 1024) }} GB of memory
              {{ old_vm_info.virtual_machines[0].allocated.storage | human_readable }} of disk allocated
@@ -182,6 +188,7 @@
              The VM you just created has
              an UUID of {{ new_vm_info.virtual_machines[0].uuid }}
              a mac address of {{ new_vm_info.virtual_machines[0].mac_address[0] }}
+             in the {{ vm_network }} network
              {{ new_vm_info.virtual_machines[0].allocated.cpu }} CPUs
              {{ (new_vm_info.virtual_machines[0].allocated.memory | int / 1024) }} GB of memory
              {{ new_vm_info.virtual_machines[0].allocated.storage | human_readable }} of disk allocated

playbooks/utils/security_theater.yml

@@ -3,16 +3,29 @@
 # By default this playbook runs on all hosts in the three environment groups. To run against a single host or group, use '--limit <group_or_host_name>'. For example '--limit qa' or '--limit figgy-web-staging1.princeton.edu'."
 #
 - name: install OIT Security Tools on a host
-  hosts: staging:qa:production
+  hosts: all
   remote_user: pulsys
   serial: "{{ concurrent_vms | default('5') }}"
-  become: true
   vars_files:
     - ../../group_vars/crowdstrike/vault.yml
     - ../../group_vars/crowdstrike/vars.yml
     - ../../group_vars/all/vars.yml
     - ../../group_vars/all/vault.yml
 
+  roles:
+  - role: crowdstrike.falcon.falcon_install
+    vars:
+      falcon_client_id: "{{ vault_crowdstrike_client_id }}"
+      falcon_client_secret: "{{ vault_crowdstrike_secret }}"
+      falcon_sensor_version_decrement: 2
+      # be sure to add this so we don't download if we don't need to
+      falcon_api_sensor_download_path: /opt/
+
+  - role: crowdstrike.falcon.falcon_configure
+    vars:
+      falcon_client_id: "{{ vault_crowdstrike_client_id }}"
+      falcon_client_secret: "{{ vault_crowdstrike_secret }}"
+
   tasks:
   - name: Populate service facts
     ansible.builtin.service_facts:
@@ -66,28 +79,6 @@
      - "ansible_facts.services['besclient.service'] is not defined"
      - ansible_os_family == "RedHat"
 
-  - name: Download the Falcon sensor deb file (Ubuntu)
-    ansible.builtin.get_url:
-      url: "https://isoshare.cpaneldev.princeton.edu/isoShares/Agents/Falcon/Latest/linux/Ubuntu/14_16_18_20_22/falcon-sensor_7.05.0-16004_amd64.deb"
-      dest: "/tmp/falcon-sensor_7.05.0-16004_amd64.deb"
-      owner: pulsys
-      group: pulsys
-      mode: "0644"
-    when:
-      - "'falcon-sensor' not in ansible_facts.packages"
-      - ansible_os_family == "Debian"
-
-  - name: Download the Falcon sensor rpm file (RedHat)
-    ansible.builtin.get_url:
-      url: "https://isoshare.cpaneldev.princeton.edu/isoShares/Agents/Falcon/Latest/linux/RHEL/Oracle/9/falcon-sensor-7.02.0-15705.el9.x86_64.rpm"
-      dest: "/tmp/falcon-sensor_7.05.0-16004_el9.x86_64.rpm"
-      owner: pulsys
-      group: pulsys
-      mode: "0644"
-    when:
-      - "'falcon-sensor' not in ansible_facts.packages"
-      - ansible_os_family == "RedHat"
-
   - name: install BESClient agent (Ubuntu)
     ansible.builtin.apt:
       deb: "/tmp/BESAgent-10.0.7.52-debian6.amd64.deb"
@@ -107,36 +98,6 @@
     ansible.builtin.command: /etc/init.d/besclient start
     when: "ansible_facts.services['besclient.service'] is not defined"
 
-  - name: install crowdstrike falcon sensor agent (Ubuntu)
-    ansible.builtin.apt:
-      deb: "/tmp/falcon-sensor_7.05.0-16004_amd64.deb"
-    when:
-      - "'falcon-sensor' not in ansible_facts.packages"
-      - ansible_os_family == "Debian"
-
-  - name: install crowdstrike falcon sensor agent (RedHat)
-    ansible.builtin.dnf:
-      name: "/tmp/falcon-sensor_7.05.0-16004_el9.x86_64.rpm"
-      disable_gpg_check: true      
-      state: present
-    when:
-      - "'falcon-sensor' not in ansible_facts.packages"
-      - ansible_os_family == "RedHat"
-
-  - name: launch crowdstrike falcon agent
-    command: /opt/CrowdStrike/falconctl -s --cid={{ princeton_cid }}
-    become: true
-    when:
-      - "'falcon-sensor' not in ansible_facts.packages"
-
-  - name: start and enable crowdstrike falcon agent
-    ansible.builtin.systemd_service:
-      name: "falcon-sensor"
-      enabled: true
-      state: started
-    when:
-      - "'falcon-sensor' not in ansible_facts.packages"
-
   - name: Check for rapid7 path
     ansible.builtin.stat:
       path: /opt/rapid7
@@ -172,7 +133,7 @@
     when:
       - not rapid7_home.stat.exists
 
-  post_tasks:
-    - name: send information to slack
-      ansible.builtin.include_tasks:
-        file: slack_tasks_end_of_playbook.yml
+  # post_tasks:
+  #   - name: send information to slack
+  #     ansible.builtin.include_tasks:
+  #       file: slack_tasks_end_of_playbook.yml