updating some roles with README

This commit is contained in:
Claudio Maradonna 2022-11-21 16:52:36 +01:00
parent 634ec86744
commit f69b9be3a2
Signed by: claudiomaradonna
GPG key ID: 0CBA58694C5680D9
19 changed files with 92 additions and 75 deletions

2
.gitignore vendored

@ -1,4 +1,6 @@
inventory/* inventory/*
host_vars/* host_vars/*
group_vars/*
!group_vars/all.yml
Dockerfile Dockerfile
docker-compose.yml docker-compose.yml
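Review bot: The negation `!group_vars/all.yml` makes that file the only thing under `group_vars/` that reaches git, so any secret that lands in it (a token, a vault password, a pre-shared key) is committed, whereas the same value in any other group_vars file would stay ignored. A comment above the rule stating the intent would protect against that, e.g. `# only the non-secret shared defaults in all.yml are tracked; keep credentials in host_vars/ or ansible-vault`. The pattern itself is correct: the directory is not excluded, only its contents, so the negation takes effect.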

2
group_vars/all.yml Normal file

@ -0,0 +1,2 @@
sshd_port: 22
ipfs_port: 4001
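Review bot: These two values are consumed by roles that do not declare them (`hardening-basic`'s sshd template and the `iptables-basic`/`iptables-ipfs` rules, per the other hunks), so a reader of this file cannot tell that changing `sshd_port` moves both the sshd listener and the firewall ACCEPT rule together. Add a document start and one comment per key: `---`, `# sshd_port: port sshd listens on AND the port iptables-basic opens; change only this value so the two never diverge`, `# ipfs_port: tcp port accepted by iptables-ipfs when iptables_ipfs_enabled is true`.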


@ -1,25 +1,26 @@
--- ---
- name: "Setup a GNU/Linux server" - name: "Setup a GNU/Linux target with standards or defined tags"
hosts: "{{ target if target is defined else 'planets' }}" hosts: "{{ target if target is defined else 'planets' }}"
roles: roles:
- role: hardening-basic
tags: [hardening, ips, ids]
- role: iptables-persistent - role: iptables-persistent
tags: [firewall] tags: [firewall, ips, ids]
- role: iptables-basic - role: iptables-basic
tags: [firewall] tags: [firewall, ips, ids]
- role: iptables-webserver - role: iptables-webserver
tags: [firewall, webserver] tags: [firewall, webserver]
- role: iptables-ipfs - role: iptables-ipfs
tags: [firewall, ipfs] tags: [firewall, ipfs]
- role: fail2ban-basic - role: fail2ban-basic
tags: [hardening] tags: [fail2ban, ips, ids]
- role: hardening-basic
tags: [hardening] - yggdrasil
- yggdrasil
- role: snort-community - role: snort-community
tags: snort tags: [snort, ips, ids]
- role: pi-hole
tags: pi-hole
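Review bot: `fail2ban-basic` no longer carries the `hardening` tag, so an operator who has been running `--tags hardening` to get sshd hardening plus fail2ban now gets only the sshd part with no warning; that is a behavioural change worth a line in the commit message or README. Also `- yggdrasil` is the only entry written as a bare name with no tags, so it can never be selected in a tag-filtered run while every other role can; for consistency write it as `- role: yggdrasil` with `tags: [yggdrasil]`. The new `ips`/`ids` tags on the iptables roles presumably exist so that `--tags ips` pulls in the firewall that fail2ban and snort depend on — a one-line comment saying so would stop the next person from "cleaning them up".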

6
pi-hole.yml Normal file

@ -0,0 +1,6 @@
---
- name: "Setup the target for pi-hole"
hosts: "{{ target if target is defined else 'planets' }}"
roles:
- role: pi-hole


@ -1,38 +1,35 @@
Role Name fail2ban-basic
========= =========
A brief description of the role goes here. This role install fail2ban into the target.
Requirements Requirements
------------ ------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. .
Role Variables Role Variables
-------------- --------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. - **fail2ban_enabled** (boolean): Enable of disable fail2ban setup
- **fail2ban_package_name_by_os_family** (array): Each key correspond to [OS family](https://docs.ansible.com/ansible/2.6/user_guide/playbooks_conditionals.html#ansible-os-family), the value correspond to the package name to be installed
Dependencies Dependencies
------------ ------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. .
Example Playbook Example Playbook
---------------- ----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: `ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags fail2ban`
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License License
------- -------
BSD GPLv3
Author Information Author Information
------------------ ------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed). - [Claudio Maradonna](https://social.unitoo.it/claudio)


@ -1,5 +1,6 @@
--- ---
# defaults file for fail2ban-basic # defaults file for fail2ban-basic
fail2ban_enabled: true
fail2ban_package_name_by_os_family: fail2ban_package_name_by_os_family:
Debian: fail2ban Debian: fail2ban


@ -2,6 +2,7 @@
# tasks file for fail2ban-basic # tasks file for fail2ban-basic
# #
- name: Fail2ban Configuration - name: Fail2ban Configuration
when: fail2ban_enabled is true
block: block:
- name: Install Fail2ban - name: Install Fail2ban
ansible.builtin.package: ansible.builtin.package:
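Review bot: `when: fail2ban_enabled is true` is an identity test against the boolean `True`, so a value supplied as `-e fail2ban_enabled=true` on the command line (which arrives as a string) or written as `"true"` in an inventory makes the whole block skip silently, leaving the host without fail2ban while the play reports success. `when: fail2ban_enabled | bool` accepts all of those spellings and still rejects `false`/`no`. The block this condition guards continues past the end of the hunk.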


@ -11,15 +11,14 @@ Requirements
Role Variables Role Variables
-------------- --------------
- *hardening_sshd_enabled* (boolean): Enable or disable ssh hardening - **hardening_sshd_enabled** (boolean): Enable or disable ssh hardening
- *hardening_sshd_port* (integer): Set the SSHD port - **hardening_sshd_authorized_key_file** (string): Set the relative path for sshd authorized_key_file
- *hardening_sshd_authorized_key_file* (string): Set the relative path for sshd authorized_key_file - **hardening_sshd_tcp_forward** (boolean): Enable or disable sshd tcp forwarding
- *hardening_sshd_tcp_forward* (boolean): Enable or disable sshd tcp forwarding - **hardening_sshd_legal_banner** (boolean): Enable or disable sshd legal banner (/etc/issue.net)
- *hardening_sshd_legal_banner* (boolean): Enable or disable sshd legal banner (/etc/issue.net) - **hardening_sshd_permissions_set_sticky_bit** (boolean): Enable or disable the sticky bit for sshd directory and files (root)
- *hardening_sshd_permissions_set_sticky_bit* (boolean): Enable or disable the sticky bit for sshd directory and files (root) - **hardening_sysctl_vm_swappiness** (integer): Set the value for sysctl vm.swappiness
- *hardening_sysctl_vm_swappiness* (integer): Set the value for sysctl vm.swappiness - **hardening_sysctl_disable_ipv6** (boolean): Enable or disable ipv6 though sysctl
- *hardening_sysctl_disable_ipv6* (boolean): Enable or disable ipv6 though sysctl - **hardening_modprobe_disable_list** (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
- *hardening_modprobe_disable_list* (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
Dependencies Dependencies
------------ ------------


@ -2,7 +2,6 @@
# defaults file for hardening-basic # defaults file for hardening-basic
hardening_sshd_enabled: true hardening_sshd_enabled: true
hardening_sshd_port: 22
hardening_sshd_authorized_key_file: .ssh/authorized_keys hardening_sshd_authorized_key_file: .ssh/authorized_keys
hardening_sshd_tcp_forward: false hardening_sshd_tcp_forward: false
hardening_sshd_legal_banner: false hardening_sshd_legal_banner: false
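Review bot: Dropping `hardening_sshd_port` leaves the role with no declaration of the port it writes into sshd_config; anyone still setting `hardening_sshd_port` in host_vars has it ignored without any warning, and the README variable list in this commit no longer mentions a port at all. Add a comment where the line was removed: `# listening port comes from the global sshd_port (group_vars/all.yml), shared with iptables-basic so the firewall rule and sshd never diverge`. If the role is meant to be usable on its own, a `sshd_port: 22` here would keep it self-contained while group_vars still wins on precedence — confirm that is the intent.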


@ -4,7 +4,7 @@ Protocol 2 # Protocol 1 is
StrictModes yes # Protects from misconfiguration StrictModes yes # Protects from misconfiguration
#ListenAddress [ip-here] # Listening address #ListenAddress [ip-here] # Listening address
Port {{ hardening_sshd_port }} # Listening port. Normal 22 Port {{ sshd_port }} # Listening port. Normal 22
AuthenticationMethods publickey # Only public key authentication allowed AuthenticationMethods publickey # Only public key authentication allowed
AuthorizedKeysFile {{ hardening_sshd_authorized_key_file }} AuthorizedKeysFile {{ hardening_sshd_authorized_key_file }}


@ -1,38 +1,36 @@
Role Name iptables-basic
========= =========
A brief description of the role goes here. This role setup iptables with good defaults
Requirements Requirements
------------ ------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. .
Role Variables Role Variables
-------------- --------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. - **iptables_basic_enabled** (boolean): Enable or disable iptable setup
- **iptables_basic_reset_enabled** (boolean): Enable or disable iptables flush
- **iptables_basic_drop_unencrypted_smtp_port** (boolean): If true drop the standard SMTP port (25)
Dependencies Dependencies
------------ ------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. .
Example Playbook Example Playbook
---------------- ----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: `ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags firewall`
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License License
------- -------
BSD GPLv3
Author Information Author Information
------------------ ------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed). - [Claudio Maradonna](https://social.unitoo.it/claudio)


@ -3,5 +3,4 @@
iptables_basic_enabled: true iptables_basic_enabled: true
iptables_basic_reset_enabled: false iptables_basic_reset_enabled: false
iptables_basic_ssh_port: 22
iptables_basic_drop_unencrypted_smtp_port: true iptables_basic_drop_unencrypted_smtp_port: true


@ -43,7 +43,7 @@
ansible.builtin.iptables: ansible.builtin.iptables:
chain: INPUT chain: INPUT
protocol: tcp protocol: tcp
destination_port: "{{ iptables_basic_ssh_port }}" destination_port: "{{ sshd_port }}"
ctstate: NEW ctstate: NEW
syn: match syn: match
jump: ACCEPT jump: ACCEPT
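Review bot: The ACCEPT rule now keys on the global `sshd_port`, but nothing fails if an inventory still carries the old `iptables_basic_ssh_port`, so a host whose ssh port was deliberately moved through that variable quietly ends up with sshd and the firewall both back on the global value — consistent, but a silent change of a deliberately chosen setting. A pre-task guard makes the migration explicit: `- ansible.builtin.assert:` / `that: iptables_basic_ssh_port is not defined` / `fail_msg: 'iptables_basic_ssh_port was replaced by the global sshd_port in group_vars/all.yml'`. The task list this rule belongs to continues outside the hunk.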


@ -1,38 +1,34 @@
Role Name iptables-ipfs
========= =========
A brief description of the role goes here. This role setup iptables rules for IPFS
Requirements Requirements
------------ ------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. .
Role Variables Role Variables
-------------- --------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. **iptables_ipfs_enabled** (boolean): Enable or disable IPFS rules
Dependencies Dependencies
------------ ------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. .
Example Playbook Example Playbook
---------------- ----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: `ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags firewall`
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License License
------- -------
BSD GPLv3
Author Information Author Information
------------------ ------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed). - [Claudio Maradonna](https://social.unitoo.it/claudio)


@ -2,4 +2,3 @@
# defaults file for iptables-ipfs # defaults file for iptables-ipfs
iptables_ipfs_enabled: false iptables_ipfs_enabled: false
iptables_ipfs_port: 4001


@ -10,7 +10,7 @@
ansible.builtin.iptables: ansible.builtin.iptables:
chain: INPUT chain: INPUT
protocol: tcp protocol: tcp
destination_port: "{{ iptables_ipfs_port }}" destination_port: "{{ ipfs_port }}"
ctstate: NEW,ESTABLISHED ctstate: NEW,ESTABLISHED
jump: ACCEPT jump: ACCEPT
comment: IPFS dedicated port comment: IPFS dedicated port
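Review bot: The rule only covers tcp on `ipfs_port`; I believe kubo's default swarm addresses also include a QUIC listener on udp on the same port, in which case that traffic is still dropped and the node silently degrades to TCP-only peering — confirm against the node's `Addresses.Swarm` before relying on this. If UDP is wanted, loop the rule over both protocols the way the pi-hole role in this commit does for port 53: `protocol: '{{ item }}'` with `loop: [tcp, udp]`. The surrounding task list starts before the hunk, so I cannot see whether a general ESTABLISHED,RELATED rule exists; if it does, `ctstate: NEW` alone would match iptables-basic's style.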


@ -1,38 +1,36 @@
Role Name iptables-persistent
========= =========
A brief description of the role goes here. This role setup iptables-persistent and execute rules saving
Requirements Requirements
------------ ------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. .
Role Variables Role Variables
-------------- --------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. **iptables_persistent_package_name_by_os_family** (array): Each key correspond to [OS family](https://docs.ansible.com/ansible/2.6/user_guide/playbooks_conditionals.html#ansible-os-family), the value correspond to the package name to be installed
**iptables_persistent_save_to_file** (boolean): If true enable file saving with rules
Dependencies Dependencies
------------ ------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. .
Example Playbook Example Playbook
---------------- ----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: This role aims to be used by other roles.
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License License
------- -------
BSD GPLv3
Author Information Author Information
------------------ ------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed). - [Claudio Maradonna](https://social.unitoo.it/claudio)


@ -3,6 +3,7 @@
pihole_enabled: false pihole_enabled: false
pihole_install_custom_list: false pihole_install_custom_list: false
pihole_update_gravity: false
pihole_custom_list: pihole_custom_list:
- https://blocklistproject.github.io/Lists/ads.txt - https://blocklistproject.github.io/Lists/ads.txt


@ -20,7 +20,7 @@
msg: "curl -sSL https://install.pi-hole.net | bash" msg: "curl -sSL https://install.pi-hole.net | bash"
- name: Check if can install custom list - name: Check if can install custom list
when: pihole_install_custom_list is true when: 'pihole_install_custom_list is true'
block: block:
- name: Check if pi-hole db exists - name: Check if pi-hole db exists
stat: stat:
@ -38,4 +38,22 @@
loop: "{{ pihole_custom_list }}" loop: "{{ pihole_custom_list }}"
- name: Update Gravity - name: Update Gravity
when: 'pihole_update_gravity is true'
ansible.builtin.shell: pihole updateGravity ansible.builtin.shell: pihole updateGravity
- name: iptables-webserver
ansible.builtin.include_role:
name: iptables-webserver
- name: Setup iptables rules
ansible.builtin.iptables:
chain: INPUT
protocol: '{{ item }}'
destination_port: 53
jump: ACCEPT
comment: Accept DNS connections
loop: [tcp,udp]
- name: iptables-persistent
ansible.builtin.include_role:
name: iptables-persistent
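Review bot: The new DNS rule accepts tcp/udp 53 on INPUT from any source, with no `source:` restriction, so on an internet-reachable host this turns pi-hole into an open resolver that anyone can query and that can be abused for reflection/amplification. Restrict it to the networks that should resolve through this host — a list of CIDRs declared in defaults (say `pihole_dns_allowed_sources`) combined with the protocol loop, as below; the enclosing block starts before the hunk, so I cannot see whether `pihole_enabled` already gates these tasks. The `is true` identity test added on `Update Gravity` skips silently when the value arrives as a string from `-e`; `pihole_update_gravity | bool` is safer. Including `iptables-webserver` here presumably opens the admin UI ports as well — a comment naming which ports that pulls in would help.

```yaml
# … unchanged: Update Gravity task, iptables-webserver include …
- name: Setup iptables rules
  ansible.builtin.iptables:
    chain: INPUT
    protocol: '{{ item.0 }}'
    source: '{{ item.1 }}'
    destination_port: 53
    jump: ACCEPT
    comment: Accept DNS connections
  # pihole_dns_allowed_sources: list of CIDRs allowed to resolve, declared in defaults/main.yml
  loop: "{{ ['tcp', 'udp'] | product(pihole_dns_allowed_sources) | list }}"
# … unchanged: iptables-persistent include …
```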