version: 6.10.17

nova/core/galaxy.yml

@@ -1,10 +1,11 @@
 namespace: nova
 name: core
-version: 6.10.4
+version: 6.10.17
 readme: README.md
 authors:
   - https://github.com/novateams
-description: This is a collection of public roles and plugins that are developed by the Nova team.
+description:
+  This is a collection of public roles and plugins that are developed by the Nova team.
   These roles go very well with Catapult https://github.com/ClarifiedSecurity/catapult but can be used separately.
 license:
   - AGPL-3.0-or-later

nova/core/roles/accounts/defaults/main.yml

@@ -27,7 +27,8 @@ pregenerated_password: >-
     + '/data/' + item.secrets_vault_secrets_path | default(secrets_vault_secrets_path)
     | default(project_fullname) + ':' + inventory_hostname + '_' + item.username) }}
   {%- else -%}
-  {{ lookup('password', '/dev/null length=17 chars=ascii_lowercase,ascii_uppercase,hexdigits,digits') }}
+  {{ lookup('community.general.random_string', min_lower=1, min_upper=1, min_numeric=1, length=17, special=false, ignore_similar_chars=true,
+    similar_chars=(item.username | lower + item.username | upper)) }}
   {%- endif -%}
 
 # Windows defaults
@@ -77,3 +78,15 @@ unix_distro_sudoers_map:
   Parrot: /etc/sudoers.d/10-installer
 
 accounts_panos_temp_username: temp # The username to use for the temporary account to change the admin_accounts password(s) in PanOS
+
+# For training, lab and exercise environments in can be very common to have more than (the default accepted by sshd) 6 keys in an ssh agent.
+# If that's the case the SSH authentication will fail, so by default setting the MaxAuthTries sshd value to 20.
+# Currently this variable is applicable to Unix and Windows hosts
+accounts_configure_ssh_maxauthtries: true
+accounts_ssh_maxauthtries: 20
+
+# Since different OS families have different service names the sshd service name is set here
+accounts_os_family_service_name:
+  Debian: ssh
+  RedHat: sshd
+  Archlinux: sshd

nova/core/roles/accounts/tasks/create_accounts_lists.yml

@@ -47,7 +47,7 @@
   loop: "{{ domain_user_accounts }}"
   loop_control:
     label: "{{ item.username }}"
-  when: ansible_windows_domain_role == "Primary domain controller"
+  when: ansible_facts.windows_domain_role == "Primary domain controller"
 
 - name: Creating combined users lists...
   ansible.builtin.set_fact:

nova/core/roles/accounts/tasks/macos_remove.yml

@@ -12,8 +12,7 @@
 # Filtering out empty lines
 - name: Getting profiles not defined in accounts list...
   ansible.builtin.set_fact:
-    user_profiles_to_remove:
-      "{{ home_profiles.stdout_lines | select('string') | select('regex', '.+')
+    user_profiles_to_remove: "{{ home_profiles.stdout_lines | select('string') | select('regex', '.+')
       | difference(local_accounts_with_password | map(attribute='username')) }}"
 
 - name: Removing stale user accounts and profiles...

nova/core/roles/accounts/tasks/main.yml

@@ -31,51 +31,53 @@
       block:
         - name: Including Windows accounts creation tasks...
           ansible.builtin.include_tasks: windows_create.yml
-          when: ansible_system == 'Win32NT'
+          when: ansible_facts.system | default('') == 'Win32NT'
 
         - name: Including Unix accounts creation tasks...
           ansible.builtin.include_tasks: unix_create.yml
-          when: ansible_system in ["FreeBSD", "Linux"]
+          when: ansible_facts.system | default('') in ["FreeBSD", "Linux"]
 
         - name: Including MacOS accounts creation tasks...
           ansible.builtin.include_tasks: macos_create.yml
-          when: ansible_system == "Darwin"
+          when: ansible_facts.system | default('') == "Darwin"
+            or ansible_custom_facts.system | default('') == "Darwin"
 
     - name: Configuring Network OS accounts...
       when: ansible_network_os is defined
       block:
         - name: Configure RouterOS accounts...
           ansible.builtin.include_tasks: routeros.yml
-          when: ansible_network_os == 'community.routeros.routeros'
+          when: ansible_network_os | default('') == 'community.routeros.routeros'
 
         - name: Configure VyOS accounts...
           ansible.builtin.include_tasks: vyos.yml
-          when: ansible_network_os == 'vyos.vyos.vyos'
+          when: ansible_network_os | default('') == 'vyos.vyos.vyos'
 
         - name: Configure Cisco-IOS accounts...
           ansible.builtin.include_tasks: ios.yml
-          when: ansible_network_os == 'cisco.ios.ios'
+          when: ansible_network_os | default('') == 'cisco.ios.ios'
 
         - name: Configure pfSense accounts...
           ansible.builtin.include_tasks: pfsense.yml
-          when: ansible_network_os == 'pfsense'
+          when: ansible_network_os | default('') == 'pfsense'
 
         - name: Configure OPNsense accounts...
           ansible.builtin.include_tasks: opnsense.yml
-          when: ansible_network_os == 'opnsense'
+          when: ansible_network_os | default('') == 'opnsense'
 
         - name: Configure PanOS accounts...
           ansible.builtin.include_tasks: panos.yml
-          when: ansible_network_os == 'panos'
+          when: ansible_network_os | default('') == 'panos'
 
     - name: Setting {{ ansible_deployer_username }} as connection user...
       ansible.builtin.set_fact:
         ansible_user: "{{ ansible_deployer_username }}"
         ansible_password: "{{ ansible_deployer_password | default(omit) }}" # Updated ansible_deployer_password
 
-        # To avoid SSH MaxAuthTries limit in cloud environments with cloud templates
-        ansible_ssh_extra_args: "{{ accounts_custom_ansible_ssh_extra_args
-          | default('-o IdentitiesOnly=no' if fresh_deploy else omit) }}"
+        # Setting custom or restoring default SSH key and connection parameters
+        # This is mostly because initial connection parameters for cloud templates need to be customized to match specific VM template defaults
+        ansible_ssh_private_key_file: "{{ accounts_custom_ansible_ssh_private_key_file | default(default_ansible_private_key_file) | default('') }}"
+        ansible_ssh_extra_args: "{{ accounts_custom_ansible_ssh_extra_args | default(default_ansible_ssh_extra_args) | default('') }}"
 
     - name: Including gather_facts role... # Since the connection account changed and we need to gather facts with the new account
       ansible.builtin.include_role:
@@ -91,24 +93,25 @@
       block:
         - name: Including Unix accounts removal tasks...
           ansible.builtin.include_tasks: unix_remove.yml
-          when: ansible_system in ["FreeBSD", "Linux"]
+          when: ansible_facts.system | default('') in ["FreeBSD", "Linux"]
 
         - name: Including Windows accounts removal tasks...
           ansible.builtin.include_tasks: windows_remove.yml
-          when: ansible_system == 'Win32NT'
+          when: ansible_facts.system | default('') == 'Win32NT'
 
         - name: Including MacOS accounts removal tasks...
           ansible.builtin.include_tasks: macos_remove.yml
-          when: ansible_system == "Darwin"
+          when: ansible_facts.system | default('') == "Darwin"
+            or ansible_custom_facts.system | default('') == "Darwin"
 
     # Cloud temp keys removal
     - name: Removing {{ infra_env }} temp ssh key for {{ inventory_hostname }}...
       ansible.builtin.file:
-        path: "{{ vars['machine_operations_' ~ infra_env ~ '_temp_ssh_key_path'] }}"
+        path: "{{ lookup('vars', 'machine_operations_' ~ infra_env ~ '_temp_ssh_key_path') | default('') }}"
         state: absent
       delegate_to: localhost
       become: false
-      when: vars['machine_operations_' ~ infra_env ~ '_temp_ssh_key_path'] is defined
+      when: lookup('vars', 'machine_operations_' ~ infra_env ~ '_temp_ssh_key_path') is defined
 
 - name: Including following accounts post-roles...
   ansible.builtin.include_role:

nova/core/roles/accounts/tasks/unix_create.yml

@@ -1,7 +1,7 @@
 ---
-- name: Setting the correct sudo group for {{ ansible_distribution }}...
+- name: Setting the correct sudo group for {{ ansible_facts.distribution }}...
   ansible.builtin.set_fact:
-    root_group: "{{ unix_distro_root_group_map[ansible_distribution] }}"
+    root_group: "{{ unix_distro_root_group_map[ansible_facts.distribution] }}"
 
 - name: Making sure the sudo group exists...
   ansible.builtin.group:
@@ -10,20 +10,20 @@
 
 # This required so this role can clean up the default cloud users if they are not in the local_accounts_with_password list
 - name: Adding source creation flag for default cloud account...
-  when: vars[infra_env ~ '_template_username'] | default('') not in [admin_account, '']
+  when: lookup('vars', infra_env ~ '_template_username') | default('') not in [admin_account, '']
   block:
-    - name: Checking if {{ vars[infra_env ~ '_template_username'] | default('') }} user exists...
+    - name: Checking if {{ lookup('vars', infra_env ~ '_template_username') | default('') }} user exists...
       ansible.builtin.stat:
-        path: /home/{{ vars[infra_env ~ '_template_username'] | default('') }}
+        path: /home/{{ lookup('vars', infra_env ~ '_template_username') | default('') }}
       register: template_user
 
-    - name: Adding account creation source flag for {{ vars[infra_env ~ '_template_username'] | default('') }}...
+    - name: Adding account creation source flag for {{ lookup('vars', infra_env ~ '_template_username') | default('') }}...
       ansible.builtin.lineinfile:
-        dest: /home/{{ vars[infra_env ~ '_template_username'] | default('') }}/.created
+        dest: /home/{{ lookup('vars', infra_env ~ '_template_username') | default('') }}/.created
         line: This account was created with {{ ansible_role_name }} role
         state: present
         create: true
-        owner: "{{ vars[infra_env ~ '_template_username'] | default('') }}"
+        owner: "{{ lookup('vars', infra_env ~ '_template_username') | default('') }}"
         mode: "0600"
       when: template_user.stat.exists
 
@@ -34,8 +34,8 @@
     groups: "{{ item.groups | default(root_group if item.username in admin_accounts | map(attribute='username') else 'users') }}"
     name: "{{ item.username }}"
     password: "{{ item.password | password_hash('sha512') }}"
-    shell: "{{ item.shell | default(unix_distro_shell_map[ansible_distribution] | default('/bin/bash')) }}"
-    skeleton: "{{ unix_distro_skel_map[ansible_distribution] | default('/etc/skel') }}"
+    shell: "{{ item.shell | default(unix_distro_shell_map[ansible_facts.distribution] | default('/bin/bash')) }}"
+    skeleton: "{{ unix_distro_skel_map[ansible_facts.distribution] | default('/etc/skel') }}"
     uid: "{{ item.uid | default(omit) }}"
     update_password: "{{ item.update_password | default('always') }}" # always or on_create
   register: created_account
@@ -47,8 +47,7 @@
   ansible.builtin.set_fact:
     ansible_deployer_password: "{{ local_accounts_with_password
       | selectattr('username', 'equalto', ansible_deployer_username) | map(attribute='password') | first }}"
-  when:
-    created_account.results | selectattr('changed', 'equalto', true) | map(attribute='item.username')
+  when: created_account.results | selectattr('changed', 'equalto', true) | map(attribute='item.username')
     | list | intersect([ansible_deployer_username]) | length > 0
 
 - name: Adding account creation source flag...
@@ -78,7 +77,7 @@
 
 - name: Enabling password requirement for sudo...
   ansible.builtin.lineinfile:
-    dest: "{{ unix_distro_sudoers_map[ansible_distribution] | default('/etc/sudoers') }}"
+    dest: "{{ unix_distro_sudoers_map[ansible_facts.distribution] | default('/etc/sudoers') }}"
     state: present
     regexp: ^%{{ root_group }}
     line: "%{{ root_group }} ALL=(ALL:ALL) ALL"
@@ -87,7 +86,7 @@
 
 - name: Disabling password requirement for sudo...
   ansible.builtin.lineinfile:
-    dest: "{{ unix_distro_sudoers_map[ansible_distribution] | default('/etc/sudoers') }}"
+    dest: "{{ unix_distro_sudoers_map[ansible_facts.distribution] | default('/etc/sudoers') }}"
     state: present
     regexp: ^%{{ root_group }}
     line: "%{{ root_group }} ALL=(ALL) NOPASSWD: ALL"
@@ -103,5 +102,23 @@
     state: present
   when:
     - use_ssh_agent_for_sudo
-    - ansible_system == 'Linux'
-    - ansible_os_family != 'Alpine'
+    - ansible_facts.system == 'Linux'
+    - ansible_facts.os_family != 'Alpine'
+
+- name: Configuring SSHD in cloud environments...
+  when: accounts_configure_ssh_maxauthtries
+  block:
+    # This to avoid errors when someone has more that 6 SSH keys in their agent
+    - name: Setting SSHD MaxAuthTries to {{ accounts_ssh_maxauthtries }}...
+      ansible.builtin.replace:
+        dest: /etc/ssh/sshd_config
+        regexp: .*MaxAuthTries.*
+        replace: MaxAuthTries {{ accounts_ssh_maxauthtries }}
+      register: maxauthtries
+      become: true
+
+    - name: Restarting SSHD... # noqa: no-handler
+      ansible.builtin.systemd:
+        name: "{{ accounts_os_family_service_name[ansible_facts.os_family] | default('sshd') }}"
+        state: restarted
+      when: maxauthtries.changed

nova/core/roles/accounts/tasks/windows_create.yml

@@ -1,33 +1,33 @@
 ---
 # This required so this role can clean up the default cloud users if they are not in the local_accounts_with_password list
 - name: Adding source creation flag for default cloud account...
-  when: vars[infra_env ~ '_template_username'] | default('') not in [admin_account, '']
+  when: lookup('vars', infra_env ~ '_template_username') | default('') not in [admin_account, '']
   block:
-    - name: Checking if {{ vars[infra_env ~ '_template_username'] | default('') }} user exists...
+    - name: Checking if {{ lookup('vars', infra_env ~ '_template_username') | default('') }} user exists...
       ansible.windows.win_stat:
-        path: C:\Users\{{ vars[infra_env ~ '_template_username'] | default('') }}
+        path: C:\Users\{{ lookup('vars', infra_env ~ '_template_username') | default('') }}
       register: template_user
 
-    - name: Adding account creation source flag for {{ vars[infra_env ~ '_template_username'] | default('') }}...
+    - name: Adding account creation source flag for {{ lookup('vars', infra_env ~ '_template_username') | default('') }}...
       community.windows.win_lineinfile:
-        path: C:\Users\{{ vars[infra_env ~ '_template_username'] | default('') }}\.created
+        path: C:\Users\{{ lookup('vars', infra_env ~ '_template_username') | default('') }}\.created
         line: This account was created with {{ ansible_role_name }} role
         state: present
         create: true
       when: template_user.stat.exists
 
 - name: Configuring Domain Organizational Units...
   ansible.builtin.include_tasks: create_domain_ous.yml
-  when: ansible_windows_domain_role == "Primary domain controller"
+  when: ansible_facts.windows_domain_role == "Primary domain controller"
 
 - name: Configuring Domain groups...
   ansible.builtin.include_tasks: create_domain_groups.yml
-  when: ansible_windows_domain_role == "Primary domain controller"
+  when: ansible_facts.windows_domain_role == "Primary domain controller"
 
 - name: Configuring local accounts...
   when:
-    - ansible_windows_domain_role != "Primary domain controller"
-    - ansible_windows_domain_role != "Backup domain controller"
+    - ansible_facts.windows_domain_role != "Primary domain controller"
+    - ansible_facts.windows_domain_role != "Backup domain controller"
   block:
     - name: Creating following local accounts...
       ansible.windows.win_user:
@@ -47,12 +47,11 @@
       ansible.builtin.set_fact:
         ansible_deployer_password: "{{ admin_accounts_with_password
           | selectattr('username', 'equalto', ansible_deployer_username) | map(attribute='password') | first }}"
-      when:
-        created_account.results | selectattr('changed', 'equalto', true) | map(attribute='item.username')
+      when: created_account.results | selectattr('changed', 'equalto', true) | map(attribute='item.username')
         | list | intersect([ansible_deployer_username]) | length > 0
 
 - name: Checking and creating domain accounts...
-  when: ansible_windows_domain_role == "Primary domain controller"
+  when: ansible_facts.windows_domain_role == "Primary domain controller"
   block:
     - name: DC post-reboot availability check... # Sometimes DCs are not available right after initial deployment if they are not sysprepped
       ansible.builtin.include_role:
@@ -84,16 +83,15 @@
       ansible.builtin.set_fact:
         ansible_deployer_password: "{{ admin_accounts_with_password
           | selectattr('username', 'equalto', ansible_deployer_username) | map(attribute='password') | first }}"
-      when:
-        win_domain_user.results | selectattr('changed', 'equalto', true) | map(attribute='item.username')
+      when: win_domain_user.results | selectattr('changed', 'equalto', true) | map(attribute='item.username')
         | list | intersect([ansible_deployer_username]) | length > 0
 
 # To make sure that we are setting the password for the correct account on non-primary domain controller
 - name: Setting correct password for {{ ansible_deployer_username }}...
   ansible.builtin.set_fact:
     ansible_deployer_password: "{{ admin_accounts_with_password
       | selectattr('username', 'equalto', ansible_deployer_username) | map(attribute='password') | first }}"
-  when: ansible_windows_domain_role == "Backup domain controller"
+  when: ansible_facts.windows_domain_role == "Backup domain controller"
 
 - name: Creating a profiles for...
   ansible.windows.win_user_profile:
@@ -169,3 +167,20 @@
 
 - name: Setting correct administrators_authorized_keys permissions...
   ansible.windows.win_shell: icacls.exe C:\ProgramData\ssh\administrators_authorized_keys /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
+
+- name: Configuring SSHD in cloud environments...
+  when: accounts_configure_ssh_maxauthtries
+  block:
+    # This to avoid errors when someone has more that 6 SSH keys in their agent
+    - name: Increasing SSHD MaxAuthTries to {{ accounts_ssh_maxauthtries }}...
+      community.windows.win_lineinfile:
+        path: C:\ProgramData\ssh\sshd_config
+        regexp: .*MaxAuthTries.*
+        line: MaxAuthTries {{ accounts_ssh_maxauthtries }}
+      register: maxauthtries
+
+    - name: Restarting SSHD... # noqa: no-handler
+      ansible.windows.win_service:
+        name: sshd
+        state: restarted
+      when: maxauthtries.changed