roles/burp-server: Deploy BURP server

The *burp-server* role installs and configures a BURP server. It is adapted from a previous iteration, and should support CentOS/RHEL/Fedora and Gentoo, as well as both BURP 1.x and 2.x (depending on which version gets installed by the system package manager). To manage the certificate authority, the *burp-server* role uses the `burp_ca` command. This has the advantage of not requiring any external certificate management, but effectively binds the CA to a specific machine.
2018-08-08 20:06:31 -05:00
parent 241f9d6afa
commit ddd7031624
13 changed files with 430 additions and 0 deletions
--- a/roles/burp-server/tasks/burp-defaults.yml
+++ b/roles/burp-server/tasks/burp-defaults.yml
@@ -0,0 +1 @@
+burp_script_path: /usr/share/burp/scripts
--- a/roles/burp-server/tasks/burp1.yml
+++ b/roles/burp-server/tasks/burp1.yml
@@ -0,0 +1 @@
+burp_script_path: /etc/burp
--- a/roles/burp-server/tasks/ca.yml
+++ b/roles/burp-server/tasks/ca.yml
@@ -0,0 +1,41 @@
+- name: ensure burp ca is configured
+  template:
+    src=CA.cnf.j2
+    dest=/etc/burp/CA.cnf
+    mode=0644
+- name: ensure burp ca is initialized
+  become: true
+  become_user: burp
+  command:
+    burp_ca --ca burpCA --dir {{ burp_ca_dir }}
+    --config /etc/burp/CA.cnf
+    --init
+    creates={{ burp_ca_dir }}/CA_burpCA.crt
+- name: ensure burp server private key exists
+  become: true
+  become_user: burp
+  command:
+    burp_ca --ca burpCA --dir {{ burp_ca_dir }}
+    --config /etc/burp/CA.cnf
+    --request --key --name {{ burp_ca_server_name }} --batch
+    creates={{ burp_ca_dir }}/{{ burp_ca_server_name }}.key
+- name: ensure burp server certificate exists
+  become: true
+  become_user: burp
+  command:
+    burp_ca --ca burpCA --dir {{ burp_ca_dir }}
+    --config /etc/burp/CA.cnf
+    --sign --name {{ burp_ca_server_name }} --batch
+    creates={{ burp_ca_dir }}/{{ burp_ca_server_name }}.crt
+- name: ensure burp certificate symlinks exist
+  file:
+    path=/etc/burp/{{ item.path }}
+    src={{ burp_ca_dir }}/{{ item.src }}
+    state=link
+  with_items:
+  - path: ssl_cert_ca.pem
+    src: CA_burpCA.crt
+  - path: ssl_cert-server.key
+    src: '{{ burp_ca_server_name }}.key'
+  - path: ssl_cert-server.pem
+    src: '{{ burp_ca_server_name }}.crt'
--- a/roles/burp-server/tasks/main.yml
+++ b/roles/burp-server/tasks/main.yml
@@ -0,0 +1,108 @@
+- name: load distribution-specific variables
+  include_vars: '{{ item }}'
+  with_first_found:
+  - '{{ ansible_distribution }}.yml'
+  - '{{ ansible_os_family }}.yml'
+  - defaults.yml
+  tags:
+  - always
+
+- name: ensure burp server is installed
+  package:
+    name={{ burp_server_package }}
+    state=present
+  tags:
+  - install
+- name: check burp version
+  burp_version:
+- debug: var=burp_version
+- name: load burp version-specific variables
+  include_vars: '{{ item }}'
+  with_first_found:
+  - burp{{ burp_version[0] }}.yml
+  - burp-defaults.yml
+
+- name: ensure burp user exists
+  user:
+    name=burp
+    system=yes
+    home=/dev/null
+    createhome=no
+    shell=/sbin/nologin
+  tags:
+  - user
+
+- name: ensure tmpfiles.d directory exists
+  file:
+    path=/etc/tmpfiles.d
+    mode=0755
+    state=directory
+- name: ensure burp tmpfiles are configured
+  copy:
+    src=burp.tmpfiles.conf
+    dest=/etc/tmpfiles.d/burp.conf
+    mode=0644
+  notify: process tmpfiles
+- meta: flush_handlers
+- name: ensure burp persistent state directory exists
+  file:
+    path=/var/lib/burp
+    owner=root
+    group=burp
+    mode=0770
+    state=directory
+- name: ensure burp volume is mounted
+  mount:
+    name=/var/spool/burp
+    src={{ burp_backup_volume }}
+    fstype={{ burp_backup_volume_fstype }}
+    opts=noatime
+    state=mounted
+  when: burp_backup_volume is defined
+- name: ensure burp directory permissions are correct
+  file:
+    path=/var/spool/burp
+    owner=root
+    group=burp
+    mode=0770
+    state=directory
+- name: ensure burp server is configured
+  template:
+    src=burp-server.conf.j2
+    dest=/etc/burp/burp-server.conf
+    owner=root
+    group=burp
+    mode=0640
+  notify: restart burp server
+- name: ensure burp dh params are set
+  command:
+    burp_ca --dhfile /etc/burp/dhfile.pem
+    creates=/etc/burp/dhfile.pem
+- name: ensure burp dh params file permissions are correct
+  file:
+    path=/etc/burp/dhfile.pem
+    mode=0600
+    owner=burp
+    group=burp
+
+- import_tasks: ca.yml
+
+- name: ensure burp server starts at boot
+  service:
+    name=burp
+    enabled=yes
+- meta: flush_handlers
+- name: ensure burp server is running
+  service:
+    name=burp
+    state=started
+
+- name: ensure burp is allowed through the firewall
+  firewalld:
+    port=4971/tcp
+    immediate=yes
+    permanent=no
+    state=enabled
+  notify: save firewalld configuration
+  tags:
+  - firewalld