

3 commits

Ada
46bbe11161
Add UFW firewall for debian based distro
2024-04-17 11:26:47 +02:00
Ada
b7c5c87319
Fix fail2ban backend 2024-04-17 11:23:06 +02:00
Ada
9ed1ddfc97
Add knot roles 2024-04-17 11:23:04 +02:00
18 changed files with 153 additions and 25 deletions


@ -1,2 +1,3 @@
---
skip_list: skip_list:
- '403' # Package installs should not use latest. - "403" # Package installs should not use latest.

21
ansible/deploy.yml Normal file

@ -0,0 +1,21 @@
---
- name: Configure base
hosts: all
become: true
roles:
- role: dnf
when: ansible_facts['os_family'] == "RedHat"
- auditd
- fail2ban
- journald
- sshd
- role: timesyncd
when: ansible_facts['os_family'] == "Debian"
- role: ufw
when: ansible_facts['os_family'] == "Debian"
- name: Resolver
hosts: resolver
become: true
roles:
- knot_resolver
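Review bot: The RedHat branch of this play gets no firewall role, yet the fail2ban template in this same commit selects `banaction = firewallcmd-ipset` on RedHat, which needs firewalld installed and running; unless the image already ships it enabled, bans on RedHat hosts will silently fail to apply. Either add a firewalld role gated with `when: ansible_facts['os_family'] == "RedHat"` next to the ufw role, or put a comment on the ufw role stating that RedHat hosts are expected to bring their own firewall. The hunk header counts 21 added lines but only 20 are visible here, so one line (probably a blank between the two plays) is missing from this view.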


@ -0,0 +1,2 @@
---
resolver_ip: 10.20.0.42
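Review bot: `resolver_ip: 10.20.0.42` repeats the `ansible_host` value given for resolver-1 in hosts.yml; if the two ever drift, kresd is told to bind an address the host does not own and every instance fails to start. Since `ansible_host` is an IP in this inventory, deriving it with `resolver_ip: "{{ ansible_host }}"` removes the duplication, or at minimum a comment above the line should say it must match the inventory address. Whether this file is host_vars or group_vars is not shown on this page.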


@ -0,0 +1,4 @@
---
kresd_allow:
- 10.0.0.0/8
- 172.16.0.0/12

8
ansible/hosts.yml Normal file

@ -0,0 +1,8 @@
all:
hosts:
resolver-1:
ansible_host: 10.20.0.42
children:
resolver:
hosts:
resolver-1:


@ -10,8 +10,10 @@
- journald - journald
- sshd - sshd
- role: timesyncd - role: timesyncd
when: ansible_facts['os_family'] == "Ubuntu" when: ansible_facts['os_family'] == "Debian"
- role: ufw
when: ansible_facts['os_family'] == "Debian"
post_tasks: post_tasks:
- name: Clean cloud-init - name: Clean cloud-init
ansible.builtin.command: "cloud-init clean" ansible.builtin.command: cloud-init clean
changed_when: false changed_when: false
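Review bot: The base role list in this play now duplicates the one in the new ansible/deploy.yml (journald, sshd, timesyncd, ufw and, presumably, the roles above the hunk), so the next hardening role has to be added in two places; pulling the shared play out and pulling it in with `- ansible.builtin.import_playbook: deploy.yml` would keep them in sync. Separately, `changed_when: false` on `cloud-init clean` hides that the command does modify the host (it removes cloud-init's instance state so first-boot runs again), so a run will never report it; if this is meant as an image-build step, say so above the task, e.g. `# Image build only: reset cloud-init so clones re-run first boot`. The enclosing play starts outside this hunk.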


@ -19,6 +19,6 @@
- name: Add rules - name: Add rules
ansible.builtin.copy: ansible.builtin.copy:
src: 'custom.rules' src: custom.rules
dest: '/etc/audit/rules.d/custom.rules' dest: /etc/audit/rules.d/custom.rules
mode: "0640" mode: "0640"


@ -6,5 +6,5 @@
- name: Install epel - name: Install epel
ansible.builtin.dnf: ansible.builtin.dnf:
name: "epel-release" name: epel-release
state: "latest" state: latest


@ -1,20 +1,20 @@
--- ---
- name: Install fail2ban - name: Install fail2ban
ansible.builtin.apt: ansible.builtin.apt:
name: "fail2ban" name: fail2ban
state: latest state: latest
when: ansible_facts['os_family'] == "Debian" when: ansible_facts['os_family'] == "Debian"
- name: Install fail2ban - name: Install fail2ban
ansible.builtin.dnf: ansible.builtin.dnf:
name: "fail2ban" name: fail2ban
state: latest state: latest
when: ansible_facts['os_family'] == "RedHat" when: ansible_facts['os_family'] == "RedHat"
- name: Copy sshd.conf - name: Copy sshd.conf
ansible.builtin.template: ansible.builtin.template:
src: 'sshd.conf.j2' src: sshd.conf.j2
dest: '/etc/fail2ban/jail.d/sshd.conf' dest: /etc/fail2ban/jail.d/sshd.conf
mode: "0640" mode: "0640"
notify: notify:
- Restart fail2ban - Restart fail2ban


@ -2,7 +2,7 @@
enabled = true enabled = true
bantime = -1 bantime = -1
maxretry = 3 maxretry = 3
{% if ansible_facts['os_family'] == "RedHat" %}
backend = systemd backend = systemd
{% if ansible_facts['os_family'] == "RedHat" %}
banaction = firewallcmd-ipset banaction = firewallcmd-ipset
{% endif %} {% endif %}
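Review bot: With `bantime = -1`, `maxretry = 3` and no `ignoreip`, three failed attempts from the management network permanently ban that source, and the ban may be restored from fail2ban's database across restarts; on a host where SSH is the only remote access path that is a self-lockout. Add an allowlist line next to `maxretry`, e.g. `ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8` with the real admin prefix substituted, or use a finite `bantime` together with `bantime.increment = true`. Moving `backend = systemd` out of the RedHat block is the right fix for Debian hosts without rsyslog, where /var/log/auth.log does not exist for the default backend to tail. The `[sshd]` jail header is on line 1, outside this hunk.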


@ -1,14 +1,14 @@
--- ---
- name: Create /etc/systemd/journald.conf.d - name: Create /etc/systemd/journald.conf.d
ansible.builtin.file: ansible.builtin.file:
path: '/etc/systemd/journald.conf.d' path: /etc/systemd/journald.conf.d
state: 'directory' state: directory
mode: "0750" mode: "0750"
- name: Copy retention-time.conf - name: Copy retention-time.conf
ansible.builtin.copy: ansible.builtin.copy:
src: 'retention-time.conf' src: retention-time.conf
dest: '/etc/systemd/journald.conf.d' dest: /etc/systemd/journald.conf.d
mode: "0640" mode: "0640"
notify: notify:
- Restart journald - Restart journald


@ -0,0 +1,19 @@
---
- name: Package cache update
become: true
ansible.builtin.package:
update_cache: true
- name: Restart knot resolver
become: true
ansible.builtin.service:
state: restarted
name: kresd@{{ item }}.service
with_sequence: count={{ ansible_processor_vcpus }}
- name: Enable knot resolver
become: true
ansible.builtin.service:
enabled: true
name: kresd@{{ item }}.service
with_sequence: count={{ ansible_processor_vcpus }}
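Review bot: `Enable knot resolver` is a handler, so the instances are only enabled when the install task reports a change; on a host where knot-resolver was already present, or on a re-run after a failure, nothing notifies it and the kresd@N units stay disabled, which is a convergence gap for what is really desired state. Move the enable step into the tasks as a plain `ansible.builtin.service` task with `enabled: true` looped over the same `with_sequence`, and keep only the restart as a handler. The `become: true` on each handler repeats the play-level `become: true` in deploy.yml and can go. The instance count is taken from `ansible_processor_vcpus`, so resizing the host leaves previously enabled units behind; a comment such as `# one kresd instance per vCPU; shrinking the host leaves extra units enabled` would warn the next reader.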


@ -0,0 +1,30 @@
---
- name: Install knot repository
ansible.builtin.apt:
deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
notify:
- Package cache update
- name: Install knot resolver
ansible.builtin.apt:
name: knot-resolver
notify:
- Enable knot resolver
- Restart knot resolver
- name: Configure
ansible.builtin.template:
src: kresd.conf.j2
dest: /etc/knot-resolver/kresd.conf
mode: "0644"
notify:
- Restart knot resolver
- name: Allow port 53 (DNS)
community.general.ufw:
rule: allow
port: "{{ item.port }}"
proto: "{{ item.proto }}"
with_items:
- { port: "53", proto: "tcp" }
- { port: "53", proto: "udp" }
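Review bot: `Install knot resolver` runs right after the release package adds the new apt source, but the `Package cache update` handler it depends on only fires at the end of the play, so on a fresh host apt has no index for the repository and the install fails with an unknown package; give the install task its own `update_cache: true` (the handler then becomes unnecessary). The release package is fetched over HTTPS and installed via `deb:`, and dpkg performs no signature check, so the repository signing key it drops in is trusted on the strength of a single TLS download with no pinned digest; fetch it with `ansible.builtin.get_url` carrying `checksum: sha256:<value>` and install the local file instead. `Allow port 53 (DNS)` opens 53 to any source while the kresd view policy drops everything outside `kresd_allow`; adding `from_ip` looped over `kresd_allow` would enforce the same boundary at the firewall and keep unwanted queries from reaching the resolver at all.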


@ -0,0 +1,26 @@
net.listen('{{resolver_ip}}', 53, { kind = 'dns'})
cache.size = 128 * MB
modules = {
'hints > iterate', -- Allow loading /etc/hosts or custom root hints
'predict', -- Prefetch expiring/frequent records
}
modules.load('prefill')
prefill.config({
['.'] = {
url = 'https://www.internic.net/domain/root.zone',
interval = 86400, -- seconds
}
})
modules.load('view')
view:addr('127.0.0.0/8', policy.all(policy.PASS))
view:addr('::1/128', policy.all(policy.PASS))
{% for prefix in kresd_allow %}
view:addr('{{ prefix }}', policy.all(policy.PASS))
{% endfor %}
view:addr('0.0.0.0/0', policy.all(policy.DROP))
view:addr('::/0', policy.all(policy.DROP))
log_target('stdout')
log_level('debug')
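Review bot: `log_level('debug')` on the last line turns on per-query tracing for every instance and sends it to stdout, hence the journal; on a shared resolver that is both a disk/retention problem and a record of every client's lookups, so ship with `log_level('notice')` and raise it only while debugging. The view rules are in the order the view module documents (allow-list first, catch-all last), but a comment above the `0.0.0.0/0` line would save the next reader a lookup, e.g. `-- anything not matched above gets no answer at all (DROP, not REFUSED), which also keeps the box from being used as a reflector`. `{{resolver_ip}}` on the first line and `{{ prefix }}` in the loop use different Jinja spacing; pick one.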


@ -1,3 +1,4 @@
---
- name: Restart SSH - name: Restart SSH
ansible.builtin.service: ansible.builtin.service:
name: sshd name: sshd


@ -2,8 +2,8 @@
- name: Disable Password Authentication - name: Disable Password Authentication
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: '^PasswordAuthentication' regexp: ^PasswordAuthentication
line: "PasswordAuthentication no" line: PasswordAuthentication no
state: present state: present
backup: true backup: true
notify: notify:
@ -12,8 +12,8 @@
- name: Disable Root Login - name: Disable Root Login
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: '^PermitRootLogin' regexp: ^PermitRootLogin
line: "PermitRootLogin no" line: PermitRootLogin no
state: present state: present
backup: true backup: true
notify: notify:
@ -22,8 +22,8 @@
- name: Restrict host key - name: Restrict host key
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config dest: /etc/ssh/sshd_config
regexp: '#HostKey /etc/ssh/ssh_host_ed25519_key' regexp: "#HostKey /etc/ssh/ssh_host_ed25519_key"
line: "HostKey /etc/ssh/ssh_host_ed25519_key" line: HostKey /etc/ssh/ssh_host_ed25519_key
state: present state: present
backup: true backup: true
notify: notify:
@ -31,8 +31,8 @@
- name: Configure sshd - name: Configure sshd
ansible.builtin.copy: ansible.builtin.copy:
src: "crypto.conf" src: crypto.conf
dest: "/etc/ssh/sshd_config.d/" dest: /etc/ssh/sshd_config.d/
owner: root owner: root
group: root group: root
mode: "0640" mode: "0640"


@ -4,5 +4,5 @@
name: Europe/Brussels name: Europe/Brussels
- name: Enable ntp - name: Enable ntp
ansible.builtin.command: 'timedatectl set-ntp true' ansible.builtin.command: timedatectl set-ntp true
changed_when: false changed_when: false


@ -0,0 +1,14 @@
---
- name: Install UFW
ansible.builtin.apt:
name: ufw
- name: Allow 22/tcp (SSH)
community.general.ufw:
rule: allow
port: "22"
proto: tcp
- name: Enable UFW
community.general.ufw:
state: enabled
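Review bot: `Enable UFW` activates the firewall without setting the inbound policy, so the role relies on the distro default in /etc/default/ufw rather than stating it; on a host where someone has run `ufw default allow incoming`, this role will enable a firewall that allows everything and report success. Make the policy explicit on the enable task by adding `default: deny` and `direction: incoming` under `state: enabled`. The ordering is already right: the 22/tcp allow is added before enabling, so the Ansible SSH session is not cut off. The apt task installs `ufw` with no `state`, which defaults to present; an explicit value would match the fail2ban and dnf tasks, which spell theirs out.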