Compare commits
3 commits
2410885737
...
46bbe11161
Author | SHA1 | Date | |
---|---|---|---|
46bbe11161 | |||
b7c5c87319 | |||
9ed1ddfc97 |
18 changed files with 153 additions and 25 deletions
|
@ -1,2 +1,3 @@
|
||||||
|
---
|
||||||
skip_list:
|
skip_list:
|
||||||
- '403' # Package installs should not use latest.
|
- "403" # Package installs should not use latest.
|
||||||
|
|
21
ansible/deploy.yml
Normal file
21
ansible/deploy.yml
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
---
|
||||||
|
- name: Configure base
|
||||||
|
hosts: all
|
||||||
|
become: true
|
||||||
|
roles:
|
||||||
|
- role: dnf
|
||||||
|
when: ansible_facts['os_family'] == "RedHat"
|
||||||
|
- auditd
|
||||||
|
- fail2ban
|
||||||
|
- journald
|
||||||
|
- sshd
|
||||||
|
- role: timesyncd
|
||||||
|
when: ansible_facts['os_family'] == "Debian"
|
||||||
|
- role: ufw
|
||||||
|
when: ansible_facts['os_family'] == "Debian"
|
||||||
|
|
||||||
|
- name: Resolver
|
||||||
|
hosts: resolver
|
||||||
|
become: true
|
||||||
|
roles:
|
||||||
|
- knot_resolver
|
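Review bot: The `Resolver` play (second play in `ansible/deploy.yml`) applies `knot_resolver` with no OS gate, while that role's tasks elsewhere in this commit use `ansible.builtin.apt` and `community.general.ufw`, so on a non-Debian host in the `resolver` group the play would fail rather than skip; either gate the role with `when: ansible_facts['os_family'] == "Debian"` like `timesyncd` and `ufw` above, or add a comment on the play stating that the `resolver` group is Debian-only. Relatedly, because the `ufw` role is applied only on Debian, a non-Debian resolver would end up with no host firewall at all. This file also appears to duplicate the play modified in the `@ -10,8 +10,10 @@` hunk further down (its file name is not visible here); if both are kept, the `post_tasks` block present there is missing here.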
2
ansible/group_vars/all/all.yml
Normal file
2
ansible/group_vars/all/all.yml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
---
|
||||||
|
resolver_ip: 10.20.0.42
|
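Review bot: `resolver_ip: 10.20.0.42` duplicates the `ansible_host` of `resolver-1` in `ansible/hosts.yml`, so the two values can drift silently; consider deriving it, e.g. `resolver_ip: "{{ hostvars['resolver-1']['ansible_host'] }}"`, or at least a comment on this line saying it must match the inventory. The value is interpolated directly into the Lua `net.listen` call in `kresd.conf.j2`, so keeping a single source of truth for it matters.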
4
ansible/group_vars/resolver/all.yml
Normal file
4
ansible/group_vars/resolver/all.yml
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
kresd_allow:
|
||||||
|
- 10.0.0.0/8
|
||||||
|
- 172.16.0.0/12
|
8
ansible/hosts.yml
Normal file
8
ansible/hosts.yml
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
all:
|
||||||
|
hosts:
|
||||||
|
resolver-1:
|
||||||
|
ansible_host: 10.20.0.42
|
||||||
|
children:
|
||||||
|
resolver:
|
||||||
|
hosts:
|
||||||
|
resolver-1:
|
|
@ -10,8 +10,10 @@
|
||||||
- journald
|
- journald
|
||||||
- sshd
|
- sshd
|
||||||
- role: timesyncd
|
- role: timesyncd
|
||||||
when: ansible_facts['os_family'] == "Ubuntu"
|
when: ansible_facts['os_family'] == "Debian"
|
||||||
|
- role: ufw
|
||||||
|
when: ansible_facts['os_family'] == "Debian"
|
||||||
post_tasks:
|
post_tasks:
|
||||||
- name: Clean cloud-init
|
- name: Clean cloud-init
|
||||||
ansible.builtin.command: "cloud-init clean"
|
ansible.builtin.command: cloud-init clean
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
|
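Review bot: The `Clean cloud-init` post-task (its play header and `hosts:` line are above this hunk) runs `cloud-init clean` on every run with `changed_when: false`, which hides a real state change and fails the play on any host where cloud-init is not installed. Consider guarding it, e.g. `when: ansible_facts['packages']['cloud-init'] is defined` after an `ansible.builtin.package_facts` task, or at least `failed_when: false` if best-effort is intended. Since `os_family` is `"Debian"` for Ubuntu hosts too, a short comment next to the corrected `when:` (`# os_family covers Debian and Ubuntu`) would stop someone reverting it to `"Ubuntu"`.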
@ -19,6 +19,6 @@
|
||||||
|
|
||||||
- name: Add rules
|
- name: Add rules
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: 'custom.rules'
|
src: custom.rules
|
||||||
dest: '/etc/audit/rules.d/custom.rules'
|
dest: /etc/audit/rules.d/custom.rules
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
|
|
|
@ -6,5 +6,5 @@
|
||||||
|
|
||||||
- name: Install epel
|
- name: Install epel
|
||||||
ansible.builtin.dnf:
|
ansible.builtin.dnf:
|
||||||
name: "epel-release"
|
name: epel-release
|
||||||
state: "latest"
|
state: latest
|
||||||
|
|
|
@ -1,20 +1,20 @@
|
||||||
---
|
---
|
||||||
- name: Install fail2ban
|
- name: Install fail2ban
|
||||||
ansible.builtin.apt:
|
ansible.builtin.apt:
|
||||||
name: "fail2ban"
|
name: fail2ban
|
||||||
state: latest
|
state: latest
|
||||||
when: ansible_facts['os_family'] == "Debian"
|
when: ansible_facts['os_family'] == "Debian"
|
||||||
|
|
||||||
- name: Install fail2ban
|
- name: Install fail2ban
|
||||||
ansible.builtin.dnf:
|
ansible.builtin.dnf:
|
||||||
name: "fail2ban"
|
name: fail2ban
|
||||||
state: latest
|
state: latest
|
||||||
when: ansible_facts['os_family'] == "RedHat"
|
when: ansible_facts['os_family'] == "RedHat"
|
||||||
|
|
||||||
- name: Copy sshd.conf
|
- name: Copy sshd.conf
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: 'sshd.conf.j2'
|
src: sshd.conf.j2
|
||||||
dest: '/etc/fail2ban/jail.d/sshd.conf'
|
dest: /etc/fail2ban/jail.d/sshd.conf
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
notify:
|
notify:
|
||||||
- Restart fail2ban
|
- Restart fail2ban
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
enabled = true
|
enabled = true
|
||||||
bantime = -1
|
bantime = -1
|
||||||
maxretry = 3
|
maxretry = 3
|
||||||
{% if ansible_facts['os_family'] == "RedHat" %}
|
|
||||||
backend = systemd
|
backend = systemd
|
||||||
|
{% if ansible_facts['os_family'] == "RedHat" %}
|
||||||
banaction = firewallcmd-ipset
|
banaction = firewallcmd-ipset
|
||||||
{% endif %}
|
{% endif %}
|
|
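Review bot: `bantime = -1` makes every ban permanent, and with `maxretry = 3` three failed attempts from any source (including an admin behind a shared NAT) lock that address out until someone clears the jail by hand; a long but finite `bantime` (e.g. `bantime = 1d`) together with an explicit `findtime` is the usual trade-off. On Debian hosts this commit also enables ufw, yet the jail keeps fail2ban's default `banaction` there, so as far as I can tell bans land as plain iptables rules alongside the ufw ruleset; if that is intended it deserves a comment, otherwise `banaction = ufw` in an `{% else %}` branch of the existing `{% if %}` keeps the two in one place. The `[sshd]` section header for this jail is above the hunk.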
@ -1,14 +1,14 @@
|
||||||
---
|
---
|
||||||
- name: Create /etc/systemd/journald.conf.d
|
- name: Create /etc/systemd/journald.conf.d
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: '/etc/systemd/journald.conf.d'
|
path: /etc/systemd/journald.conf.d
|
||||||
state: 'directory'
|
state: directory
|
||||||
mode: "0750"
|
mode: "0750"
|
||||||
|
|
||||||
- name: Copy retention-time.conf
|
- name: Copy retention-time.conf
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: 'retention-time.conf'
|
src: retention-time.conf
|
||||||
dest: '/etc/systemd/journald.conf.d'
|
dest: /etc/systemd/journald.conf.d
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
notify:
|
notify:
|
||||||
- Restart journald
|
- Restart journald
|
||||||
|
|
19
ansible/roles/knot_resolver/handlers/main.yml
Normal file
19
ansible/roles/knot_resolver/handlers/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
- name: Package cache update
|
||||||
|
become: true
|
||||||
|
ansible.builtin.package:
|
||||||
|
update_cache: true
|
||||||
|
|
||||||
|
- name: Restart knot resolver
|
||||||
|
become: true
|
||||||
|
ansible.builtin.service:
|
||||||
|
state: restarted
|
||||||
|
name: kresd@{{ item }}.service
|
||||||
|
with_sequence: count={{ ansible_processor_vcpus }}
|
||||||
|
|
||||||
|
- name: Enable knot resolver
|
||||||
|
become: true
|
||||||
|
ansible.builtin.service:
|
||||||
|
enabled: true
|
||||||
|
name: kresd@{{ item }}.service
|
||||||
|
with_sequence: count={{ ansible_processor_vcpus }}
|
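Review bot: `with_sequence: count={{ ansible_processor_vcpus }}` on the `Restart knot resolver` and `Enable knot resolver` handlers is the legacy loop form; `loop: "{{ range(1, ansible_processor_vcpus + 1) | list }}"` expresses the same `kresd@1` … `kresd@N` set in the current idiom. `become: true` on each handler repeats what the `Resolver` play in `deploy.yml` already sets at play level; dropping it leaves one privilege declaration to keep in sync. The enable handler is not idempotent across a vCPU change — shrinking the host leaves higher-numbered `kresd@N` instances enabled — which is worth a comment above `Enable knot resolver`.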
30
ansible/roles/knot_resolver/tasks/main.yml
Normal file
30
ansible/roles/knot_resolver/tasks/main.yml
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
---
|
||||||
|
- name: Install knot repository
|
||||||
|
ansible.builtin.apt:
|
||||||
|
deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
|
||||||
|
notify:
|
||||||
|
- Package cache update
|
||||||
|
|
||||||
|
- name: Install knot resolver
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: knot-resolver
|
||||||
|
notify:
|
||||||
|
- Enable knot resolver
|
||||||
|
- Restart knot resolver
|
||||||
|
|
||||||
|
- name: Configure
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: kresd.conf.j2
|
||||||
|
dest: /etc/knot-resolver/kresd.conf
|
||||||
|
mode: "0644"
|
||||||
|
notify:
|
||||||
|
- Restart knot resolver
|
||||||
|
|
||||||
|
- name: Allow port 53 (DNS)
|
||||||
|
community.general.ufw:
|
||||||
|
rule: allow
|
||||||
|
port: "{{ item.port }}"
|
||||||
|
proto: "{{ item.proto }}"
|
||||||
|
with_items:
|
||||||
|
- { port: "53", proto: "tcp" }
|
||||||
|
- { port: "53", proto: "udp" }
|
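Review bot: `Install knot resolver` runs `apt` immediately after `Install knot repository`, but the cache refresh it depends on is a handler (`Package cache update`) that only fires at the end of the play, so a first run installs whatever `knot-resolver` the existing cache knows, or fails if it knows none; add `update_cache: true` to the install task, or put `ansible.builtin.meta: flush_handlers` between the two tasks. The repository is installed from a `.deb` fetched by URL with no integrity check; fetching it with `ansible.builtin.get_url` and a `checksum:` value first, then installing the local file, lets the play verify what it installs rather than trusting the download alone. `Allow port 53 (DNS)` opens 53/tcp and 53/udp to any source and relies on kresd's `view` policy to drop the rest; adding `src:` over the `kresd_allow` prefixes would enforce the same allow-list at the firewall as well. The `with_items` flow mappings could be a `loop:` for consistency with the rest of the role.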
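--- /dev/null
+++ b/ansible/roles/knot_resolver/templates/kresd.conf.j2
@@ -0,0 +1,26 @@
+net.listen('{{resolver_ip}}', 53, { kind = 'dns'})
+cache.size = 128 * MB
+modules = {
+'hints > iterate', -- Allow loading /etc/hosts or custom root hints
+'predict', -- Prefetch expiring/frequent records
+}
+
+modules.load('prefill')
+prefill.config({
+['.'] = {
+url = 'https://www.internic.net/domain/root.zone',
+interval = 86400, -- seconds
+}
+})
+
+modules.load('view')
+view:addr('127.0.0.0/8', policy.all(policy.PASS))
+view:addr('::1/128', policy.all(policy.PASS))
+{% for prefix in kresd_allow %}
+view:addr('{{ prefix }}', policy.all(policy.PASS))
+{% endfor %}
+view:addr('0.0.0.0/0', policy.all(policy.DROP))
+view:addr('::/0', policy.all(policy.DROP))
+
+log_target('stdout')
+log_level('debug')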
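Review bot: `log_level('debug')` on the last line turns on kresd's most verbose logging for a production resolver; as far as I know that level writes per-query detail to stdout (here journald), which costs throughput and records every client's lookups in the system log. `log_level('notice')` (or `'warning'`) is the usual steady-state setting, with debug raised on demand. As I read the view module, `view:addr` rules are evaluated in order, so the `0.0.0.0/0` and `::/0` DROP lines must stay after the loop over `kresd_allow`; a comment above them (`-- keep last: catch-all DROP after the allow-list`) guards against a later reorder. `net.listen('{{resolver_ip}}', …)` would read better as `'{{ resolver_ip }}'`, matching the `{{ prefix }}` form used below.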
@ -1,3 +1,4 @@
|
||||||
|
---
|
||||||
- name: Restart SSH
|
- name: Restart SSH
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: sshd
|
name: sshd
|
||||||
|
|
|
@ -2,8 +2,8 @@
|
||||||
- name: Disable Password Authentication
|
- name: Disable Password Authentication
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^PasswordAuthentication'
|
regexp: ^PasswordAuthentication
|
||||||
line: "PasswordAuthentication no"
|
line: PasswordAuthentication no
|
||||||
state: present
|
state: present
|
||||||
backup: true
|
backup: true
|
||||||
notify:
|
notify:
|
||||||
|
@ -12,8 +12,8 @@
|
||||||
- name: Disable Root Login
|
- name: Disable Root Login
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '^PermitRootLogin'
|
regexp: ^PermitRootLogin
|
||||||
line: "PermitRootLogin no"
|
line: PermitRootLogin no
|
||||||
state: present
|
state: present
|
||||||
backup: true
|
backup: true
|
||||||
notify:
|
notify:
|
||||||
|
@ -22,8 +22,8 @@
|
||||||
- name: Restrict host key
|
- name: Restrict host key
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/ssh/sshd_config
|
dest: /etc/ssh/sshd_config
|
||||||
regexp: '#HostKey /etc/ssh/ssh_host_ed25519_key'
|
regexp: "#HostKey /etc/ssh/ssh_host_ed25519_key"
|
||||||
line: "HostKey /etc/ssh/ssh_host_ed25519_key"
|
line: HostKey /etc/ssh/ssh_host_ed25519_key
|
||||||
state: present
|
state: present
|
||||||
backup: true
|
backup: true
|
||||||
notify:
|
notify:
|
||||||
|
@ -31,8 +31,8 @@
|
||||||
|
|
||||||
- name: Configure sshd
|
- name: Configure sshd
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: "crypto.conf"
|
src: crypto.conf
|
||||||
dest: "/etc/ssh/sshd_config.d/"
|
dest: /etc/ssh/sshd_config.d/
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0640"
|
mode: "0640"
|
||||||
|
|
|
@ -4,5 +4,5 @@
|
||||||
name: Europe/Brussels
|
name: Europe/Brussels
|
||||||
|
|
||||||
- name: Enable ntp
|
- name: Enable ntp
|
||||||
ansible.builtin.command: 'timedatectl set-ntp true'
|
ansible.builtin.command: timedatectl set-ntp true
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
14
ansible/roles/ufw/tasks/main.yml
Normal file
14
ansible/roles/ufw/tasks/main.yml
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
- name: Install UFW
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: ufw
|
||||||
|
|
||||||
|
- name: Allow 22/tcp (SSH)
|
||||||
|
community.general.ufw:
|
||||||
|
rule: allow
|
||||||
|
port: "22"
|
||||||
|
proto: tcp
|
||||||
|
|
||||||
|
- name: Enable UFW
|
||||||
|
community.general.ufw:
|
||||||
|
state: enabled
|
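Review bot: `Enable UFW` switches the firewall on without stating a default policy, so the effective inbound stance is whatever that host's `/etc/default/ufw` ships with; make it explicit in the same task, `state: enabled` with `policy: deny` and `direction: incoming`, so the role is self-describing and survives a changed default. `Allow 22/tcp (SSH)` correctly precedes `Enable UFW` so that enabling cannot drop the current session, which deserves a one-line comment since a later reorder would be a lockout. The port is hard-coded to `"22"` while `sshd_config` is managed by the `sshd` role; a shared variable would keep the two in step if the port ever changes.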