Compare commits


3 commits

Ada
cb50373b94
WIP
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
ci/woodpecker/pr/woodpecker Pipeline failed
2024-03-25 00:51:16 +01:00
Ada
97ab23e625
WIP
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
ci/woodpecker/pr/woodpecker Pipeline failed
2024-03-25 00:32:09 +01:00
Ada
2410885737
Add knot roles
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
2024-03-24 22:12:56 +01:00
31 changed files with 21 additions and 416 deletions

1
.gitignore vendored

@ -1 +0,0 @@
venv/


@ -10,8 +10,6 @@
- journald - journald
- sshd - sshd
- role: timesyncd - role: timesyncd
when: ansible_facts['os_family'] == "Debian"
- role: ufw
when: ansible_facts['os_family'] == "Ubuntu" when: ansible_facts['os_family'] == "Ubuntu"
- name: Resolver - name: Resolver
@ -19,15 +17,3 @@
become: true become: true
roles: roles:
- knot_resolver - knot_resolver
- name: DHCP
hosts: kea-dhcp
become: true
roles:
- kea_dhcp
- name: Knot
hosts: dns-authoritative
become: true
roles:
- knot
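Review bot: The `when: ansible_facts['os_family'] == "Ubuntu"` guard that the new side leaves attached to `- role: timesyncd` can never be true, because Ansible reports Ubuntu hosts with `os_family` "Debian" (the distribution name is in `ansible_facts['distribution']`), so the timesyncd role is applied to no host at all. Use `when: ansible_facts['os_family'] == "Debian"` if every Debian-derived host should get it, or `when: ansible_facts['distribution'] == "Ubuntu"` if the role is really Ubuntu-only. The same comparison appears on the other playbook in this compare and has the same problem. The play this hunk belongs to starts before line 10, so its host list and privilege settings are not visible here.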


@ -1,11 +0,0 @@
---
acls:
- id: ddns
action: update
address: 10.20.0.42/32
zones:
- domain: lab.r4.pm
acl: ddns
listen_ip: 10.20.0.44


@ -1,19 +0,0 @@
---
domain: r4.pm
domain_search:
- lab.r4.pm
- r4.pm
networks:
- subnet: 10.15.0.0/24
start: 10.15.0.200
end: 10.15.0.254
routers: 10.15.0.1
- subnet: 10.20.0.0/24
start: 10.20.0.200
end: 10.20.0.254
routers: 10.20.0.1
- subnet: 10.30.0.0/24
start: 10.30.0.200
end: 10.30.0.254
routers: 10.30.0.1


@ -2,8 +2,3 @@
kresd_allow: kresd_allow:
- 10.0.0.0/8 - 10.0.0.0/8
- 172.16.0.0/12 - 172.16.0.0/12
forward:
- zone: lab.r4.pm.
address: 10.20.0.44
ds: "lab.r4.pm. DS 61454 13 4 c510acc4a85ee8cfd93205b0cdc8d65a9e5376cf45517e5bd7db7fc836d076df688b11cf7f3a3b33a9b1011d74d00e74"


@ -1,28 +1,8 @@
<<<<<<< HEAD
---
=======
>>>>>>> 2410885 (Add knot roles)
all: all:
hosts: hosts:
resolver-1: resolver-1:
ansible_host: 10.20.0.42 ansible_host: 10.20.0.42
<<<<<<< HEAD
dhcp-1:
ansible_host: 10.20.0.43
authoritative-1:
ansible_host: 10.20.0.44
=======
>>>>>>> 2410885 (Add knot roles)
children: children:
resolver: resolver:
hosts: hosts:
resolver-1: resolver-1:
<<<<<<< HEAD
kea-dhcp:
hosts:
dhcp-1:
dns-authoritative:
hosts:
authoritative-1:
=======
>>>>>>> 2410885 (Add knot roles)


@ -10,9 +10,7 @@
- journald - journald
- sshd - sshd
- role: timesyncd - role: timesyncd
when: ansible_facts['os_family'] == "Debian" when: ansible_facts['os_family'] == "Ubuntu"
- role: ufw
when: ansible_facts['os_family'] == "Debian"
post_tasks: post_tasks:
- name: Clean cloud-init - name: Clean cloud-init
ansible.builtin.command: cloud-init clean ansible.builtin.command: cloud-init clean
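Review bot: On the new side `- role: timesyncd` is guarded by `when: ansible_facts['os_family'] == "Ubuntu"`, and that comparison never matches: Ansible files Ubuntu under the Debian os_family, so the role is silently skipped on every host. Change it to `when: ansible_facts['os_family'] == "Debian"`, or compare `ansible_facts['distribution']` if only Ubuntu machines should run it. The `cloud-init clean` post_task below is a bare `ansible.builtin.command` with no `changed_when`, so the play reports a change on every run; that line is unchanged context here, and the play header lies outside the hunk.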

0
ansible/roles/auditd/files/custom.rules Normal file → Executable file

0
ansible/roles/auditd/handlers/main.yml Normal file → Executable file

0
ansible/roles/auditd/tasks/main.yml Normal file → Executable file


@ -7,37 +7,26 @@
force: true force: true
- name: Build front - name: Build front
ansible.builtin.shell: ansible.builtin.shell: |
executable: /bin/bash
cmd: |
export NODE_ENV=production
cd /opt/authentik/src/website cd /opt/authentik/src/website
npm ci --include=dev npm i
npm run build-docs-only npm run build-docs-only
cd /opt/authentik/src/web cd /opt/authentik/src/web
npm ci --include=dev npm i
npm run build npm run build
- name: Build go proxy
ansible.builtin.shell:
executable: /bin/bash
cmd: |
cd /opt/authentik/src/
go mod download
CGO_ENABLED=0 go build -o /opt/authentik/server ./cmd/server
- name: Create virtualenv - name: Create virtualenv
ansible.builtin.command: python3.12 -m venv /opt/authentik/src/venv ansible.builtin.command: python3.12 -m venv /opt/authentik/src/venv
- name: Installl poetry and dependencies - name: Installl poetry and dependencies
ansible.builtin.shell: ansible.builtin.shell: |
executable: /bin/bash cd /opt/authentik/src/
cmd: | venv/bin/pip install poetry
cd /opt/authentik/src
source /opt/authentik/src/venv/bin/activate
export VENV_PATH=/opt/authentik/src/venv
export POETRY_VIRTUALENVS_CREATE=false
venv/bin/pip3 install --upgrade pip
venv/bin/pip3 install poetry
venv/bin/poetry venv use venv/python3.12
venv/bin/poetry install --only=main --no-ansi --no-interaction --no-root venv/bin/poetry install --only=main --no-ansi --no-interaction --no-root
- name: Build go proxy
ansible.builtin.shell: |-
cd /opt/authentik/src/
sed -i "s/c.Setup(\".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/c.Setup(\"\/etc\/authentik\/config.yml\", \".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/" /opt/authentik/src/internal/config/config.go
go build -o /opt/authentik/src/authentik-server ./cmd/server/
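Review bot: The `sed -i` patch of `internal/config/config.go` in the new "Build go proxy" task has no failure mode: if upstream changes the `c.Setup(...)` call the substitution matches nothing, sed exits 0, and the server is built without ever reading `/etc/authentik/config.yml`. Guard it with `grep -q 'c.Setup("./authentik/lib/default.yml", "./local.env.yml")' internal/config/config.go` before the sed, and start each script with `set -euo pipefail` so a failing `cd` or `go build` fails the task instead of the next line running. The new `npm i` replaces the lockfile-pinned `npm ci --include=dev` of the old side, so the front-end dependencies are no longer resolved from `package-lock.json` and the build is not reproducible; keep `npm ci`. None of the shell tasks has `creates:` or `changed_when`, so every play rebuilds the checkout; the task list may continue past the hunk.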


@ -1,13 +1,9 @@
--- ---
- name: Install roles dependencies - name: Install roles dependencies
ansible.builtin.apt: ansible.builtin.apt:
install_recommends: false
name: "{{ item }}" name: "{{ item }}"
with_items: with_items:
- git - git
- build-essential
- pkg-config
- zlib1g-dev
- libpq-dev - libpq-dev
- libxmlsec1-dev - libxmlsec1-dev
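Review bot: The apt task installs its packages one `with_items` iteration at a time; passing the list straight to `name:` runs a single apt transaction and lets the module resolve them together, e.g. `name: [git, libpq-dev, libxmlsec1-dev]`. The new side also drops `install_recommends: false`, so apt will pull Recommends of these packages onto the host; keeping it is the usual minimal-footprint default for server roles. With `build-essential` and `pkg-config` gone, the `-dev` headers that remain only help if the Python dependencies built later still have a compiler available — presumably they do not, verify against the build task. The file appears to continue past the hunk.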


@ -11,22 +11,3 @@
tags: tags:
- build - build
become_user: authentik become_user: authentik
- name: Create useful directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0755"
owner: authentik
with_items:
- /opt/authentik/certs
- /opt/authentik/media
- /etc/authentik
- name: Test
ansible.builtin.copy:
remote_src: true
src: /opt/authentik/src/blueprints
dest: /opt/authentik/blueprints
owner: authentik
become: true

0
ansible/roles/fail2ban/handlers/main.yml Normal file → Executable file

0
ansible/roles/fail2ban/tasks/main.yml Normal file → Executable file

2
ansible/roles/fail2ban/templates/sshd.conf.j2 Normal file → Executable file

@ -2,7 +2,7 @@
enabled = true enabled = true
bantime = -1 bantime = -1
maxretry = 3 maxretry = 3
backend = systemd
{% if ansible_facts['os_family'] == "RedHat" %} {% if ansible_facts['os_family'] == "RedHat" %}
backend = systemd
banaction = firewallcmd-ipset banaction = firewallcmd-ipset
{% endif %} {% endif %}
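Review bot: `bantime = -1` with `maxretry = 3` bans a source permanently after three failed SSH logins, and no `ignoreip` is visible in the hunk, so one mistyped passphrase burst from a shared NAT address locks that address out until someone edits the ban set by hand. Use a finite `bantime = 1h` and add `ignoreip = <management prefix>` for the networks the rest of this repo treats as internal (10.0.0.0/8 and 172.16.0.0/12 appear in `kresd_allow`). Which side moves `backend = systemd` under the RedHat guard cannot be told from the rendered page; if the new side does, Debian hosts fall back to fail2ban's default backend, so confirm it finds sshd's log source there. The template also flips from a normal to an executable file in this compare, which a Jinja template never needs; the `[sshd]` section header is above the hunk.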

0
ansible/roles/journald/files/retention-time.conf Normal file → Executable file

0
ansible/roles/journald/handlers/main.yml Normal file → Executable file

0
ansible/roles/journald/tasks/main.yml Normal file → Executable file


@ -1,11 +0,0 @@
---
- name: Restart isc-kea-dhcp4-server
become: true
ansible.builtin.service:
state: restarted
name: isc-kea-dhcp4-server
- name: Enable isc-kea-dhcp4-server
ansible.builtin.service:
enabled: true
name: isc-kea-dhcp4-server


@ -1,40 +0,0 @@
---
- name: Add kea dhcp pgp key
ansible.builtin.get_url:
url: https://dl.cloudsmith.io/public/isc/kea-2-4/gpg.0D9D9A1439E23DB9.key
dest: /usr/share/keyrings/kea-archive-keyring.asc
mode: "0644"
validate_certs: true
checksum: sha512:f58db6baa7f7147c3280275b6f7cc11e34836fb904604d587c1883e6b4a8e89377046809203e2f1a1a87a7f28556728a9ecdb740d62e753592d2dbab0d2e87c8
changed_when: false
no_log: false
- name: Add kea dhcp repository
ansible.builtin.apt_repository:
repo: "deb [signed-by=/usr/share/keyrings/kea-archive-keyring.asc]
https://dl.cloudsmith.io/public/isc/kea-2-4/deb/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} main"
state: present
filename: isc-kea-dhcp
- name: Install isc-kea-dhcp
ansible.builtin.apt:
name: isc-kea-dhcp4-server
notify:
- Enable isc-kea-dhcp4-server
- name: Configure isc-kea-dhcp
ansible.builtin.template:
src: kea-dhcp4.conf.j2
dest: /etc/kea/kea-dhcp4.conf
owner: _kea
mode: '0640'
notify:
- Restart isc-kea-dhcp4-server
- name: Open required ports
community.general.ufw:
rule: allow
port: "{{ item }}"
proto: udp
with_items:
- '67'


@ -1,79 +0,0 @@
{
"Dhcp4": {
"interfaces-config": {
"interfaces": [ "eth0" ],
},
"control-socket": {
"socket-type": "unix",
"socket-name": "/tmp/kea4-ctrl-socket"
},
"lease-database": {
// Memfile is the simplest and easiest backend to use. It's an in-memory
// C++ database that stores its state in CSV file.
"type": "memfile",
"lfc-interval": 3600
},
"expired-leases-processing": {
"reclaim-timer-wait-time": 10,
"flush-reclaimed-timer-wait-time": 25,
"hold-reclaimed-time": 3600,
"max-reclaim-leases": 100,
"max-reclaim-time": 250,
"unwarned-reclaim-cycles": 5
},
"renew-timer": 900,
"rebind-timer": 1800,
"valid-lifetime": 3600,
"option-data": [
{
"name": "domain-name-servers",
"data": "{{ resolver_ip }}"
},
{
"code": 15,
"data": "{{ domain }}"
},
{
"name": "domain-search",
"data": "{{ domain_search|join(', ') }}"
},
],
"subnet4": [
{% for network in networks %}
{
"subnet": "{{ network.subnet }}",
"pools": [ { "pool": "{{ network.start }} - {{ network.end }}" } ],
"option-data": [
{
"name": "routers",
"data": "{{ network.routers }}"
}
],
}{% if not loop.last %},{% endif %}
{% endfor %}
],
"loggers": [
{
"name": "kea-dhcp4",
"output_options": [
{
"output": "stdout",
}
],
"severity": "INFO",
"debuglevel": 0
}
]
}
}


@ -1,12 +0,0 @@
$ORIGIN lab.r4.pm.
$TTL 3600
@ IN SOA knot.lab.r4.pm. admin.r4.pm. (
2024041800 ; serial number
12h ; refresh
15m ; update retry
3w ; expiry
2h ; minimum
)
@ 86400 IN NS knot.lab.r4.pm.
knot.lab.r4.pm. 86400 IN A 10.20.0.44


@ -1,15 +0,0 @@
---
- name: Restart knot
ansible.builtin.service:
state: restarted
name: knot
- name: Reload knot
ansible.builtin.service:
state: reloaded
name: knot
- name: Enable knot
ansible.builtin.service:
enabled: true
name: knot


@ -1,57 +0,0 @@
---
- name: Add knot pgp key
ansible.builtin.get_url:
url: https://pkg.labs.nic.cz/gpg
dest: /usr/share/keyrings/cznic-labs-pkg.gpg
mode: "0644"
validate_certs: true
checksum: sha512:e78a1404feff1040c86f4a199495e4a2cf82684b8ff22ffc318a9bffa0ddf45136e484bc17e4440660c089e1c186af77008c76fb463434611b1f60709b57ee52
changed_when: false
no_log: false
- name: Add knot repository
ansible.builtin.apt_repository:
repo: "deb [signed-by=/usr/share/keyrings/cznic-labs-pkg.gpg] https://pkg.labs.nic.cz/knot-dns {{ ansible_distribution_release }} main"
state: present
filename: knot-dns
- name: Install knot
ansible.builtin.apt:
name: knot
notify:
- Enable knot
- Restart knot
- name: Configure knot
ansible.builtin.template:
src: knot.conf.j2
dest: /etc/knot/knot.conf
owner: knot
mode: '0640'
notify: Restart knot
- name: Allow port 53 (DNS)
community.general.ufw:
rule: allow
port: "{{ item.port }}"
proto: "{{ item.proto }}"
with_items:
- { port: "53", proto: tcp }
- { port: "53", proto: udp }
- name: Create knot zones directory
ansible.builtin.file:
path: /var/lib/knot/zones/
state: directory
mode: '0750'
owner: knot
- name: Copy zone
ansible.builtin.copy:
src: "{{ item }}"
dest: /var/lib/knot/zones/
owner: knot
mode: '0640'
with_fileglob:
- zones/*
notify: Reload knot


@ -1,32 +0,0 @@
server:
rundir: "/run/knot"
user: knot:knot
automatic-acl: on
listen: [ {{ listen_ip }}@53 ]
log:
- target: syslog
any: info
database:
storage: "/var/lib/knot"
acl:
{% for acl in acls %}
- id: {{ acl.id }}
address: {{ acl.address }}
action: {{ acl.action }}
{% endfor %}
template:
- id: default
storage: "/var/lib/knot/zones"
file: "%s.zone"
dnssec-signing: on
serial-policy: dateserial
zone:
{% for zone in zones %}
- domain: {{ zone.domain }}
acl: {{ zone.acl }}
{% endfor %}


@ -19,12 +19,3 @@
mode: "0644" mode: "0644"
notify: notify:
- Restart knot resolver - Restart knot resolver
- name: Allow port 53 (DNS)
community.general.ufw:
rule: allow
port: "{{ item.port }}"
proto: "{{ item.proto }}"
with_items:
- { port: "53", proto: tcp }
- { port: "53", proto: udp }


@ -22,9 +22,5 @@ view:addr('{{ prefix }}', policy.all(policy.PASS))
view:addr('0.0.0.0/0', policy.all(policy.DROP)) view:addr('0.0.0.0/0', policy.all(policy.DROP))
view:addr('::/0', policy.all(policy.DROP)) view:addr('::/0', policy.all(policy.DROP))
{% for zones in forward %}
policy.add(policy.suffix(policy.FORWARD('{{ zones.address }}'), {todname('{{ zones.zone }}')}))
trust_anchors.add('{{ zones.ds }}')
{% endfor %}
log_target('stdout') log_target('stdout')
log_level('info') log_level('debug')
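Review bot: `log_level('debug')` on the new side turns on kresd's most verbose logging for a resolver that answers the whole `{{ prefix }}` view, which writes per-query detail (client addresses and queried names) to the journal through `log_target('stdout')` and grows it quickly while exposing every client's lookup history in the logs. `log_level('info')`, which the old side had, is the right steady-state value; raise the level ad hoc over kresd's control socket when debugging. The `view:addr` DROP rules above are unchanged context, and the file starts before this hunk.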

0
ansible/roles/timesyncd/tasks/main.yml Normal file → Executable file


@ -1,14 +0,0 @@
---
- name: Install UFW
ansible.builtin.apt:
name: ufw
- name: Allow 22/tcp (SSH)
community.general.ufw:
rule: allow
port: "22"
proto: tcp
- name: Enable UFW
community.general.ufw:
state: enabled


@ -1,16 +0,0 @@
---
- name: Upgreade
hosts: all
become: true
tasks:
- name: Ugrade debian based
ansible.builtin.apt:
update_cache: true
upgrade: true
when: ansible_facts['os_family'] == "Debian"
- name: Upgrade all packages
ansible.builtin.dnf:
name: "*"
state: latest
when: ansible_facts['os_family'] == "RedHat"