updating some roles with README

Claudio Maradonna 2022-11-21 16:52:36 +01:00
parent 634ec86744
commit f69b9be3a2
Signed by: claudiomaradonna
GPG key ID: 0CBA58694C5680D9
19 changed files with 92 additions and 75 deletions

.gitignore

@ -1,4 +1,6 @@
inventory/*
host_vars/*
group_vars/*
!group_vars/all.yml
Dockerfile
docker-compose.yml
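Review bot: the `!group_vars/all.yml` negation re-includes one file under a directory that is otherwise ignored, so from now on everything written to `group_vars/all.yml` is committed. Today it holds only `sshd_port` and `ipfs_port`, but this is the file where per-deployment values tend to accumulate; keep credentials and host-specific values in `host_vars/*` or a vaulted file that stays ignored, and add a comment at the top of `all.yml` saying the file is tracked.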

group_vars/all.yml

@ -0,0 +1,2 @@
sshd_port: 22
ipfs_port: 4001
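Review bot: `sshd_port` and `ipfs_port` become the only definitions of these values, replacing the role-scoped defaults (`hardening_sshd_port`, `iptables_basic_ssh_port`, `iptables_ipfs_port`) that this commit deletes. A single source of truth is the right call, since the sshd listening port and the firewall accept rule can no longer drift apart, but a role now fails with an undefined-variable error when run from an inventory that lacks this file. Either keep a fallback in each role's `defaults/main.yml` or add an early `ansible.builtin.assert` that both variables are defined, so the failure happens before any state is changed.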


@ -1,25 +1,26 @@
---
- name: "Setup a GNU/Linux server"
- name: "Setup a GNU/Linux target with standards or defined tags"
hosts: "{{ target if target is defined else 'planets' }}"
roles:
- role: hardening-basic
tags: [hardening, ips, ids]
- role: iptables-persistent
tags: [firewall]
tags: [firewall, ips, ids]
- role: iptables-basic
tags: [firewall]
tags: [firewall, ips, ids]
- role: iptables-webserver
tags: [firewall, webserver]
- role: iptables-ipfs
tags: [firewall, ipfs]
- role: fail2ban-basic
tags: [hardening]
- role: hardening-basic
tags: [hardening]
- yggdrasil
- role: snort-community
tags: snort
tags: [fail2ban, ips, ids]
- yggdrasil
- role: snort-community
tags: [snort, ips, ids]
- role: pi-hole
tags: pi-hole
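Review bot: `hardening-basic` now runs first, before `iptables-basic` opens `sshd_port`. Both read the same variable, so the end state is consistent, but if `sshd_port` is ever changed from 22 on a host whose saved ruleset only accepts the old port, sshd picks up the new `Port` before the firewall accepts it and the controller loses its session. Running the firewall roles before the hardening role, or accepting both ports during the transition, avoids that. Two smaller points: `tags: pi-hole` is a bare string while every other role uses a list, and `yggdrasil` has no tags at all, so it is skipped on every `--tags` run and only executes when the playbook runs unfiltered.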

pi-hole.yml

@ -0,0 +1,6 @@
---
- name: "Setup the target for pi-hole"
hosts: "{{ target if target is defined else 'planets' }}"
roles:
- role: pi-hole
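Review bot: this play runs only the `pi-hole` role, but as of this commit that role itself includes `iptables-webserver` and `iptables-persistent`, so running `pi-hole.yml` on its own still rewrites and saves firewall rules on the target. State that in the role README, since an operator picking this file over `handbook.yml` will not expect firewall changes from a DNS role.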


@ -1,38 +1,35 @@
Role Name
fail2ban-basic
=========
A brief description of the role goes here.
This role install fail2ban into the target.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
- **fail2ban_enabled** (boolean): Enable of disable fail2ban setup
- **fail2ban_package_name_by_os_family** (array): Each key correspond to [OS family](https://docs.ansible.com/ansible/2.6/user_guide/playbooks_conditionals.html#ansible-os-family), the value correspond to the package name to be installed
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags fail2ban`
License
-------
BSD
GPLv3
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
- [Claudio Maradonna](https://social.unitoo.it/claudio)
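Review bot: wording in the added lines: "This role install fail2ban" should read "installs", "Enable of disable fail2ban setup" should be "Enable or disable", and "Each key correspond ... the value correspond" should be "corresponds". The Role Variables list otherwise matches what `defaults/main.yml` shows, and the `--tags fail2ban` example agrees with the tag list added to `handbook.yml`.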


@ -1,5 +1,6 @@
---
# defaults file for fail2ban-basic
fail2ban_enabled: true
fail2ban_package_name_by_os_family:
Debian: fail2ban
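Review bot: `fail2ban_package_name_by_os_family` maps only `Debian`; on any other `ansible_os_family` the lookup hits an undefined key and the install task errors mid-run. Either add the other families the roles target or `assert` that `ansible_os_family in fail2ban_package_name_by_os_family` with a clear message before attempting the install.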


@ -2,6 +2,7 @@
# tasks file for fail2ban-basic
#
- name: Fail2ban Configuration
when: fail2ban_enabled is true
block:
- name: Install Fail2ban
ansible.builtin.package:
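Review bot: `when: fail2ban_enabled is true` uses the Jinja `true` test, which passes only for a real boolean. If the variable arrives as a string (for example `--extra-vars fail2ban_enabled=true` on the command line), the test is false and the whole block is silently skipped, leaving the host without fail2ban while the play reports success. `when: fail2ban_enabled | bool` accepts both forms; the same applies to the `is true` conditions in the pi-hole tasks.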


@ -11,15 +11,14 @@ Requirements
Role Variables
--------------
- *hardening_sshd_enabled* (boolean): Enable or disable ssh hardening
- *hardening_sshd_port* (integer): Set the SSHD port
- *hardening_sshd_authorized_key_file* (string): Set the relative path for sshd authorized_key_file
- *hardening_sshd_tcp_forward* (boolean): Enable or disable sshd tcp forwarding
- *hardening_sshd_legal_banner* (boolean): Enable or disable sshd legal banner (/etc/issue.net)
- *hardening_sshd_permissions_set_sticky_bit* (boolean): Enable or disable the sticky bit for sshd directory and files (root)
- *hardening_sysctl_vm_swappiness* (integer): Set the value for sysctl vm.swappiness
- *hardening_sysctl_disable_ipv6* (boolean): Enable or disable ipv6 though sysctl
- *hardening_modprobe_disable_list* (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
- **hardening_sshd_enabled** (boolean): Enable or disable ssh hardening
- **hardening_sshd_authorized_key_file** (string): Set the relative path for sshd authorized_key_file
- **hardening_sshd_tcp_forward** (boolean): Enable or disable sshd tcp forwarding
- **hardening_sshd_legal_banner** (boolean): Enable or disable sshd legal banner (/etc/issue.net)
- **hardening_sshd_permissions_set_sticky_bit** (boolean): Enable or disable the sticky bit for sshd directory and files (root)
- **hardening_sysctl_vm_swappiness** (integer): Set the value for sysctl vm.swappiness
- **hardening_sysctl_disable_ipv6** (boolean): Enable or disable ipv6 though sysctl
- **hardening_modprobe_disable_list** (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
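Review bot: the removed `hardening_sshd_port` entry is not replaced by anything, yet the sshd_config template in this same commit now renders `Port {{ sshd_port }}`. Add `sshd_port` (from `group_vars/all.yml`) to Role Variables so readers know the role depends on a global that lives outside `defaults/main.yml`. Also "ipv6 though sysctl" should be "through", and "Array of sections" describes a dict, not an array.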
Dependencies
------------


@ -2,7 +2,6 @@
# defaults file for hardening-basic
hardening_sshd_enabled: true
hardening_sshd_port: 22
hardening_sshd_authorized_key_file: .ssh/authorized_keys
hardening_sshd_tcp_forward: false
hardening_sshd_legal_banner: false


@ -4,7 +4,7 @@ Protocol 2 # Protocol 1 is
StrictModes yes # Protects from misconfiguration
#ListenAddress [ip-here] # Listening address
Port {{ hardening_sshd_port }} # Listening port. Normal 22
Port {{ sshd_port }} # Listening port. Normal 22
AuthenticationMethods publickey # Only public key authentication allowed
AuthorizedKeysFile {{ hardening_sshd_authorized_key_file }}
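Review bot: `Port {{ sshd_port }}` next to `AuthenticationMethods publickey` and `AuthorizedKeysFile {{ hardening_sshd_authorized_key_file }}` is a sound default, and with the role-level default gone a missing `sshd_port` now makes the template task fail rather than render a wrong port, which is the right failure mode. Make sure the task that writes this file validates it before replacing the live config (`validate: /usr/sbin/sshd -t -f %s` on the template task), since a syntax error here locks the operator out at the next sshd restart.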


@ -1,38 +1,36 @@
Role Name
iptables-basic
=========
A brief description of the role goes here.
This role setup iptables with good defaults
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
- **iptables_basic_enabled** (boolean): Enable or disable iptable setup
- **iptables_basic_reset_enabled** (boolean): Enable or disable iptables flush
- **iptables_basic_drop_unencrypted_smtp_port** (boolean): If true drop the standard SMTP port (25)
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags firewall`
License
-------
BSD
GPLv3
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
- [Claudio Maradonna](https://social.unitoo.it/claudio)
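Review bot: "This role setup iptables" should read "sets up", and "iptable setup" should be "iptables setup". The Role Variables list no longer mentions the SSH port even though the tasks now accept `{{ sshd_port }}`; document that the role reads the global `sshd_port` so users running it outside `handbook.yml` know to define it.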


@ -3,5 +3,4 @@
iptables_basic_enabled: true
iptables_basic_reset_enabled: false
iptables_basic_ssh_port: 22
iptables_basic_drop_unencrypted_smtp_port: true


@ -43,7 +43,7 @@
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ iptables_basic_ssh_port }}"
destination_port: "{{ sshd_port }}"
ctstate: NEW
syn: match
jump: ACCEPT
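Review bot: the accept rule now keys on `{{ sshd_port }}`, the same variable the sshd_config template renders, which is the point of the change. Since this rule is what keeps SSH reachable, and `iptables_basic_reset_enabled` can flush rules earlier in the role, an undefined `sshd_port` would fail the task only after the flush; an assert on `sshd_port` at the start of the role (or of the play) keeps the failure ahead of any destructive step.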


@ -1,38 +1,34 @@
Role Name
iptables-ipfs
=========
A brief description of the role goes here.
This role setup iptables rules for IPFS
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
**iptables_ipfs_enabled** (boolean): Enable or disable IPFS rules
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags firewall`
License
-------
BSD
GPLv3
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
- [Claudio Maradonna](https://social.unitoo.it/claudio)
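Review bot: `**iptables_ipfs_enabled**` is not a list item while the other READMEs in this commit use `- **name**`, so keep the style consistent, and "This role setup iptables rules" should read "sets up". As with the other roles, the global `ipfs_port` the tasks now use is undocumented here.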


@ -2,4 +2,3 @@
# defaults file for iptables-ipfs
iptables_ipfs_enabled: false
iptables_ipfs_port: 4001


@ -10,7 +10,7 @@
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ iptables_ipfs_port }}"
destination_port: "{{ ipfs_port }}"
ctstate: NEW,ESTABLISHED
jump: ACCEPT
comment: IPFS dedicated port
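Review bot: `ctstate: NEW,ESTABLISHED` on a per-port accept rule is unusual; ESTABLISHED traffic is normally accepted once by a generic stateful rule, and the sshd rule in `iptables-basic` matches `NEW` only, so matching `NEW` here too keeps the rulesets uniform. The rule is also `protocol: tcp` only; if the IPFS node additionally listens for QUIC on udp/`ipfs_port`, which is a common default, those connections stay blocked, so either add a udp rule or confirm the daemon is configured for tcp only.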


@ -1,38 +1,36 @@
Role Name
iptables-persistent
=========
A brief description of the role goes here.
This role setup iptables-persistent and execute rules saving
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
**iptables_persistent_package_name_by_os_family** (array): Each key correspond to [OS family](https://docs.ansible.com/ansible/2.6/user_guide/playbooks_conditionals.html#ansible-os-family), the value correspond to the package name to be installed
**iptables_persistent_save_to_file** (boolean): If true enable file saving with rules
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
This role aims to be used by other roles.
License
-------
BSD
GPLv3
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
- [Claudio Maradonna](https://social.unitoo.it/claudio)
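Review bot: the two variable entries are not formatted as list items like the other READMEs, and "Each key correspond ... the value correspond" should be "corresponds". "If true enable file saving with rules" is vague: say which file the rules are written to and at which point in the run the save happens, since a role that other roles include should be explicit about its side effects.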


@ -3,6 +3,7 @@
pihole_enabled: false
pihole_install_custom_list: false
pihole_update_gravity: false
pihole_custom_list:
- https://blocklistproject.github.io/Lists/ads.txt


@ -20,7 +20,7 @@
msg: "curl -sSL https://install.pi-hole.net | bash"
- name: Check if can install custom list
when: pihole_install_custom_list is true
when: 'pihole_install_custom_list is true'
block:
- name: Check if pi-hole db exists
stat:
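Review bot: quoting the condition (`when: 'pihole_install_custom_list is true'`) does not change its semantics; it is still the Jinja `true` test, which is false for the string `"true"` that `--extra-vars key=value` produces, so the block is silently skipped. Prefer `pihole_install_custom_list | bool`. The `msg` line above also tells the operator to run `curl -sSL https://install.pi-hole.net | bash` by hand; a line in the README saying the installer is not executed by the role and should be fetched and reviewed before running would set expectations.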
@ -38,4 +38,22 @@
loop: "{{ pihole_custom_list }}"
- name: Update Gravity
when: 'pihole_update_gravity is true'
ansible.builtin.shell: pihole updateGravity
- name: iptables-webserver
ansible.builtin.include_role:
name: iptables-webserver
- name: Setup iptables rules
ansible.builtin.iptables:
chain: INPUT
protocol: '{{ item }}'
destination_port: 53
jump: ACCEPT
comment: Accept DNS connections
loop: [tcp,udp]
- name: iptables-persistent
ansible.builtin.include_role:
name: iptables-persistent
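Review bot: the new DNS rule accepts tcp and udp 53 on INPUT from any source, with no `source` or `in_interface` restriction, and `iptables-persistent` then saves it. On a host with a public interface this exposes Pi-hole as an open resolver, which leaks client queries and makes the host usable for DNS amplification. Restrict the rule to the LAN ranges (`source:`) or the internal interface (`in_interface:`) the clients actually use. Two smaller points: `ansible.builtin.shell: pihole updateGravity` uses no shell features, so `ansible.builtin.command` is the safer module, and including `iptables-webserver` here means the pi-hole role applies the web-server rules on every run; `handbook.yml` already applies that role under the `webserver` tag, so this is a second, untagged path to the same change.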