From 4ddb7d334ad9d41007ae75c8b90f00dd36c48504 Mon Sep 17 00:00:00 2001 From: Claudio Maradonna Date: Fri, 13 Jan 2023 18:01:41 +0100 Subject: [PATCH] add some debug messages; cleanup of some blocks; update some README with missing useful informations --- handbook.yml | 3 +- roles/auditd/tasks/main.yml | 6 +- roles/dns-filter/tasks/main.yml | 20 ++++- roles/fail2ban-basic/tasks/main.yml | 10 ++- roles/hardening-basic/tasks/main.yml | 82 +++++++++---------- roles/ipfs/tasks/main.yml | 16 ++-- roles/iptables-basic/tasks/main.yml | 8 +- roles/iptables-ipfs/tasks/main.yml | 9 +- roles/iptables-kdeconnect/tasks/main.yml | 43 +++++----- roles/iptables-persistent/tasks/main.yml | 8 +- .../tasks/save_rules_for_Debian.yml | 2 + roles/iptables-samba/tasks/main.yml | 47 ++++++----- roles/iptables-webserver/tasks/main.yml | 8 +- roles/pi-hole/tasks/main.yml | 11 +-- roles/samba/tasks/main.yml | 2 +- roles/snort-community/tasks/main.yml | 6 +- roles/unattended-upgrades/tasks/main.yml | 8 +- roles/wakeonlan/tasks/main.yml | 6 +- roles/yggdrasil/tasks/main.yml | 12 ++- roles/zabov/README.md | 7 +- roles/zabov/tasks/main.yml | 2 +- 21 files changed, 180 insertions(+), 136 deletions(-) diff --git a/handbook.yml b/handbook.yml index 5e2468f..9594505 100644 --- a/handbook.yml +++ b/handbook.yml @@ -1,8 +1,9 @@ --- -- name: "Setup a GNU/Linux target with standards or defined tags" +- name: "Unitoo Handbook" hosts: "{{ target if target is defined else 'planets' }}" + tags: always roles: # --- Hardening --- # Basic rules or good practises to apply diff --git a/roles/auditd/tasks/main.yml b/roles/auditd/tasks/main.yml index f018420..1cd2a8a 100644 --- a/roles/auditd/tasks/main.yml +++ b/roles/auditd/tasks/main.yml @@ -1,8 +1,10 @@ --- # tasks file for auditd -- name: Install and setup rules Auditd if enabled - when: +- ansible.builtin.debug: + msg: "ENABLED = {{ auditd_enabled }}; auditd role" + +- when: - 'auditd_enabled is true' - "'global.update_only' not in ansible_run_tags" block: 
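Review bot: `tags: always` on the play is inherited by every task of every role it lists, so `--tags <role>` no longer narrows a run; the only selection left is the `when:` checks the roles themselves make against `ansible_run_tags` (e.g. `global.update_only`), plus `--skip-tags always`. That looks deliberate, but it is surprising enough to deserve a comment next to the tag, e.g. `# always: roles gate themselves on ansible_run_tags, tag selection does not skip them`. If any role is still meant to be selectable by its own tag, that selection now has to be an explicit `'<tag>' in ansible_run_tags` condition inside the role.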
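Review bot: The new `debug` task and the `when:` block that follows it are both unnamed, so the play output loses the `Install and setup rules Auditd if enabled` label that the removed `name:` carried and shows only module names; keep a `name:` on the block. The debug message also prints at default verbosity on every run, so a `verbosity: 1` on it keeps normal runs quiet while still showing the flag under `-v`. The block body continues past the end of the hunk.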
diff --git a/roles/dns-filter/tasks/main.yml b/roles/dns-filter/tasks/main.yml index e719188..add6d70 100644 --- a/roles/dns-filter/tasks/main.yml +++ b/roles/dns-filter/tasks/main.yml @@ -1,9 +1,25 @@ --- # tasks file for dns-filter -- name: Install selected DNS filter if enabled - when: +- ansible.builtin.debug: + msg: "ENABLED = {{ dns_filter_enabled }}; FILTER = {{ dns_filter_selected }}; dns-filter role; setup the target as DNS server" + +- when: - "dns_filter_enabled is true" - "dns_filter_selected in dns_filter_list" ansible.builtin.include_role: name: "{{ dns_filter_selected }}" + +- name: Allow/ disallow port 53 for DNS querying + ansible.builtin.iptables: + chain: INPUT + state: "{{ 'present' if dns_filter_enabled is true else 'absent' }}" + protocol: '{{ item }}' + destination_port: 53 + jump: ACCEPT + comment: Accept DNS connections + loop: [tcp,udp] + +- name: iptables-persistent + ansible.builtin.include_role: + name: iptables-persistent diff --git a/roles/fail2ban-basic/tasks/main.yml b/roles/fail2ban-basic/tasks/main.yml index 8a0961a..16c47d9 100644 --- a/roles/fail2ban-basic/tasks/main.yml +++ b/roles/fail2ban-basic/tasks/main.yml @@ -1,9 +1,11 @@ --- # tasks file for fail2ban-basic -# -- name: Fail2ban Configuration - when: - - fail2ban_enabled is true + +- ansible.builtin.debug: + msg: "ENABLED = {{ fail2ban_enabled }}; fail2ban-basic role" + +- when: + - 'fail2ban_enabled is true' - "'global.update_only' not in ansible_run_tags" block: - name: Install Fail2ban diff --git a/roles/hardening-basic/tasks/main.yml b/roles/hardening-basic/tasks/main.yml index f69a529..f64f958 100644 --- a/roles/hardening-basic/tasks/main.yml +++ b/roles/hardening-basic/tasks/main.yml 
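Review bot: The port-53 ACCEPT rule has no `source` or `in_interface` restriction, so on a host with a public interface it turns the selected filter into an open resolver reachable from anywhere, the classic DNS amplification setup; the rule removed from pi-hole in this same commit had the same gap, but this role's debug line now advertises the target as a DNS server. Bind the rule to the networks the resolver should serve, e.g. `source: "{{ dns_filter_allowed_sources }}"` (a new role variable, declared in defaults), or at least state in the role README that the filter is expected to sit behind a LAN-only interface. Also, `state: absent` only matches a rule with the identical `comment`, so the comment text must not be edited later without first removing the old rule.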
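Review bot: `'fail2ban_enabled is true'` is an identity test against the boolean True, so a value supplied as `-e fail2ban_enabled=true` on the command line, or as a quoted string in vars, arrives as the string "true", the test is false, and the role silently does nothing while the debug line above prints `ENABLED = true`; the same pattern appears in every role touched by this commit. Casting first, `'fail2ban_enabled | bool'`, accepts both forms; if the strict test is intended, the README should say the variable must be a YAML boolean. The block body continues past the end of the hunk.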
@@ -1,61 +1,61 @@ --- # tasks file for hardening-basic -- name: Basic Hardening +- ansible.builtin.debug: + msg: "hardening-basic role" + +- name: Create directory structure + ansible.builtin.file: + path: '/etc/{{ item.path }}' + state: directory + mode: '{{ item.mode }}' + with_community.general.filetree: '../templates/basic/etc/' + when: item.state == 'directory' + +- name: Create and copy hardening files + ansible.builtin.template: + src: '{{ item.src }}' + dest: '/etc/{{ item.path }}' + with_community.general.filetree: '../templates/basic/etc/' + when: item.state == 'file' + +- name: ENABLED = {{ hardening_sshd_enabled }}; Harden SSH Config + when: 'hardening_sshd_enabled is true' block: - name: Create directory structure ansible.builtin.file: path: '/etc/{{ item.path }}' state: directory mode: '{{ item.mode }}' - with_community.general.filetree: '../templates/basic/etc/' + with_community.general.filetree: '../templates/ssh/etc/' when: item.state == 'directory' - name: Create and copy hardening files ansible.builtin.template: src: '{{ item.src }}' dest: '/etc/{{ item.path }}' - with_community.general.filetree: '../templates/basic/etc/' + with_community.general.filetree: '../templates/ssh/etc/' when: item.state == 'file' - - name: Harden SSH Config - when: 'hardening_sshd_enabled is true' - block: - - name: Create directory structure - ansible.builtin.file: - path: '/etc/{{ item.path }}' - state: directory - mode: '{{ item.mode }}' - with_community.general.filetree: '../templates/ssh/etc/' - when: item.state == 'directory' + - name: Give 1700 permissions to .ssh folder + ansible.builtin.file: + path: /root/.ssh + owner: root + group: root + mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700" - - name: Create and copy hardening files - ansible.builtin.template: - src: '{{ item.src }}' - dest: '/etc/{{ item.path }}' - with_community.general.filetree: '../templates/ssh/etc/' - when: item.state == 'file' + - name: Give 1600 permissions to 
.ssh/authorized_keys file + ansible.builtin.file: + path: /root/.ssh/authorized_keys + owner: root + group: root + mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600" - - name: Give 1700 permissions to .ssh folder - ansible.builtin.file: - path: /root/.ssh - owner: root - group: root - mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700" + - name: Restart sshd + when: "is_docker is not true" + ansible.builtin.systemd: + state: restarted + name: sshd - - name: Give 1600 permissions to .ssh/authorized_keys file - ansible.builtin.file: - path: /root/.ssh/authorized_keys - owner: root - group: root - mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600" - - - name: Restart sshd - when: "is_docker is not true" - ansible.builtin.systemd: - state: restarted - name: sshd - - - name: Harden Service Manager (like Systemd) - block: - - include_tasks: "harden_{{ ansible_service_mgr }}.yml" +- name: Harden Service Manager (like Systemd) + include_tasks: "harden_{{ ansible_service_mgr }}.yml" diff --git a/roles/ipfs/tasks/main.yml b/roles/ipfs/tasks/main.yml index 0ba7ce1..b7de0af 100644 --- a/roles/ipfs/tasks/main.yml +++ b/roles/ipfs/tasks/main.yml @@ -1,12 +1,16 @@ --- # tasks file for ipfs -- name: Install IPFS if enabled - when: +- ansible.builtin.debug: + msg: "ENABLED = {{ ipfs_enabled }}; ipfs role; setup the target as IPFS node" + +- when: - 'ipfs_enabled is true' block: - name: Setup ipfs-update - when: 'ipfs_setup is true' + when: + - 'ipfs_setup is true' + - "'global.update_only' not in ansible_run_tags" block: - name: Create ipfs group group: @@ -72,6 +76,6 @@ - include_tasks: "install_{{ ansible_service_mgr }}_service.yml" - - name: Setup firewall - ansible.builtin.include_role: - name: iptables-ipfs +- name: Setup IPFS firewall + ansible.builtin.include_role: + name: iptables-ipfs diff --git a/roles/iptables-basic/tasks/main.yml b/roles/iptables-basic/tasks/main.yml index e3bf23d..c416bf6 100644 
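Review bot: `Restart sshd` uses `state: restarted` unconditionally after the `templates/ssh/etc/` files are written, and nothing validates the rendered `sshd_config` first, so a bad template leaves sshd down on a host you can only reach over ssh. Add a syntax check between the template task and the restart, `- name: Validate sshd config`, `ansible.builtin.command: sshd -t`, `changed_when: false`, and consider making the restart a handler notified by the template task so an unchanged config does not drop sessions on every run. Separately, `mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"` on `/root/.ssh/authorized_keys` sets the sticky bit on a regular file, which Linux ignores; harmless, but the task name `Give 1600 permissions` promises more than it delivers.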
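Review bot: `Setup IPFS firewall` is now dedented out of the `ipfs_enabled` block, so `iptables-ipfs` runs on every play and needs `ipfs_port` resolvable even when IPFS is disabled; that works while the include is made from inside this role (its defaults stay in scope), but the variable must keep the same value for the `state: absent` cleanup to compute the rule it is deleting. A one-line comment here, `# always included: iptables-ipfs removes its own rule when ipfs_enabled is false`, records why the include is no longer guarded.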
--- a/roles/iptables-basic/tasks/main.yml +++ b/roles/iptables-basic/tasks/main.yml @@ -1,14 +1,16 @@ --- # tasks file for firewall -- name: Setup iptables to standard configuration - when: +- ansible.builtin.debug: + msg: "ENABLED = {{ iptables_basic_enabled }}; iptables-basic role; setup iptables with standard/ good-default configuration" + +- when: - "is_docker is not true" - "iptables_basic_enabled is true" block: - name: Reset configuration if requested when: - - "iptables_basic_reset_enabled is true" + - "'global.uninstall' in ansible_run_tags" block: - name: Open Firewall just for a moment to flush iptables rules ansible.builtin.iptables: diff --git a/roles/iptables-ipfs/tasks/main.yml b/roles/iptables-ipfs/tasks/main.yml index ead1d32..1666991 100644 --- a/roles/iptables-ipfs/tasks/main.yml +++ b/roles/iptables-ipfs/tasks/main.yml @@ -1,14 +1,17 @@ --- # tasks file for iptables-ipfs -- name: setup iptables for IPFS - when: +- ansible.builtin.debug: + msg: "ENABLED = {{ ipfs_enabled }}; iptables-ipfs role" + +- when: - "is_docker is not true" block: - - name: Allow new, established packets on TCP/UDP port 4001 (IPFS) + - name: allow/ disallow established packets on TCP/UDP port 4001 (IPFS) ansible.builtin.iptables: chain: INPUT protocol: tcp + state: "{{ 'present' if ipfs_enabled is true else 'absent' }}" destination_port: "{{ ipfs_port }}" ctstate: NEW,ESTABLISHED jump: ACCEPT diff --git a/roles/iptables-kdeconnect/tasks/main.yml b/roles/iptables-kdeconnect/tasks/main.yml index cb14eb1..d5b7429 100644 --- a/roles/iptables-kdeconnect/tasks/main.yml +++ b/roles/iptables-kdeconnect/tasks/main.yml 
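Review bot: The reset block is now triggered by `'global.uninstall' in ansible_run_tags` and `iptables_basic_reset_enabled` is no longer read in this hunk; if that variable is still declared in the role defaults or README it is dead, and a user setting it will expect a flush that never happens. Remove it or document the tag in its place, e.g. `# reset (flush to ACCEPT) happens only on --tags global.uninstall`. Note that the flush opens the firewall: with `tags: always` on the play, an uninstall run that carries other tags will flush and then re-apply rules in the same play, which is presumably intended but worth stating. The block continues past the end of the hunk.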
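Review bot: The `state:` toggle is added only to the TCP rule visible in this hunk, while the task name promises TCP/UDP 4001; if a UDP rule follows outside the hunk it needs the same `state: "{{ 'present' if ipfs_enabled is true else 'absent' }}"` line, otherwise disabling IPFS closes TCP but leaves UDP 4001 open. A string-typed `ipfs_enabled` also fails the `is true` test and selects `absent`, which fails closed here but silently, so the debug line above is the only hint. The block continues past the end of the hunk.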
@@ -1,24 +1,27 @@ --- # tasks file for iptables-kdeconnect -- name: Setup iptables for kdeconnect - when: 'kdeconnect_enabled is true' - block: - - name: Allow new, established packets on TCP Kdeconnect ports - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ kdeconnect_ports }}" - ctstate: NEW,ESTABLISHED - jump: ACCEPT - - name: Allow new, established packets on UDP Kdeconnect ports - ansible.builtin.iptables: - chain: INPUT - protocol: udp - destination_port: "{{ kdeconnect_ports }}" - ctstate: NEW,ESTABLISHED - jump: ACCEPT +- ansible.builtin.debug: + msg: "ENABLED = {{ kdeconnect_enabled }}; iptables-kdeconnect role" - - name: iptables-persistent - ansible.builtin.include_role: - name: iptables-persistent +- name: Allow/ disallow new, established packets on TCP Kdeconnect ports + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}" + destination_port: "{{ kdeconnect_ports }}" + ctstate: NEW,ESTABLISHED + jump: ACCEPT + +- name: Allow/ disallow new, established packets on UDP Kdeconnect ports + ansible.builtin.iptables: + chain: INPUT + protocol: udp + state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}" + destination_port: "{{ kdeconnect_ports }}" + ctstate: NEW,ESTABLISHED + jump: ACCEPT + +- name: iptables-persistent + ansible.builtin.include_role: + name: iptables-persistent diff --git a/roles/iptables-persistent/tasks/main.yml b/roles/iptables-persistent/tasks/main.yml index 486db9c..be52ecf 100644 --- a/roles/iptables-persistent/tasks/main.yml +++ b/roles/iptables-persistent/tasks/main.yml @@ -1,5 +1,9 @@ -- name: Handle iptables-persistent - when: +--- + +- ansible.builtin.debug: + msg: "ENABLED = {{ iptables_persistent_save_to_file }}; iptables-persistent role" + +- when: - "is_docker is not true" - "iptables_persistent_save_to_file is true" block: 
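Review bot: Both rules accept `kdeconnect_ports` from any source, and with the `kdeconnect_enabled` guard moved from the block into `state:` they are now evaluated on every play; KDE Connect is a LAN pairing protocol, so restricting the rule with `source:` to the local network (or `in_interface:` to the LAN adapter) is the cheap fix. The toggle also only removes the exact rule spec it would have created: if `kdeconnect_ports` is changed between runs, the ACCEPT for the old value stays in the table, so a port change needs a one-off `absent` task for the old value or a manual delete. A comment on the rule, `# absent only matches the current kdeconnect_ports value`, would warn the next maintainer.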
diff --git a/roles/iptables-persistent/tasks/save_rules_for_Debian.yml b/roles/iptables-persistent/tasks/save_rules_for_Debian.yml index cc24cc7..e830847 100644 --- a/roles/iptables-persistent/tasks/save_rules_for_Debian.yml +++ b/roles/iptables-persistent/tasks/save_rules_for_Debian.yml @@ -1,3 +1,5 @@ +--- + - name: Save iptables rules block: - name: Save rules with iptables-persistent v4 diff --git a/roles/iptables-samba/tasks/main.yml b/roles/iptables-samba/tasks/main.yml index a7274cc..2de5c1f 100644 --- a/roles/iptables-samba/tasks/main.yml +++ b/roles/iptables-samba/tasks/main.yml 
@@ -1,26 +1,29 @@ --- # tasks file for iptables-samba -- name: Setup iptables for Samba - when: 'samba_enabled is true' - block: - - name: Allow new, established packets on TCP Samba ports - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ item }}" - ctstate: NEW,ESTABLISHED - jump: ACCEPT - with_items: '{{ samba_ports }}' - - name: Allow new, established packets on UDP Samba ports - ansible.builtin.iptables: - chain: INPUT - protocol: udp - destination_port: "{{ item }}" - ctstate: NEW,ESTABLISHED - jump: ACCEPT - with_items: '{{ samba_ports }}' +- ansible.builtin.debug: + msg: "ENABLED = {{ samba_enabled }}; iptables-samba role" - - name: iptables-persistent - ansible.builtin.include_role: - name: iptables-persistent +- name: Allow/ disallow new, established packets on TCP Samba ports + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + state: "{{ 'present' if samba_enabled is true else 'absent' }}" + destination_port: "{{ item }}" + ctstate: NEW,ESTABLISHED + jump: ACCEPT + with_items: '{{ samba_ports }}' + +- name: Allow/ disallow new, established packets on UDP Samba ports + ansible.builtin.iptables: + chain: INPUT + protocol: udp + state: "{{ 'present' if samba_enabled is true else 'absent' }}" + destination_port: "{{ item }}" + ctstate: NEW,ESTABLISHED + jump: ACCEPT + with_items: '{{ samba_ports }}' + +- name: iptables-persistent + ansible.builtin.include_role: + name: iptables-persistent diff --git a/roles/iptables-webserver/tasks/main.yml b/roles/iptables-webserver/tasks/main.yml index 58e18ab..fb8d1ac 100644 --- a/roles/iptables-webserver/tasks/main.yml +++ b/roles/iptables-webserver/tasks/main.yml 
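Review bot: The SMB rules have no `source` restriction, so every port in `samba_ports` is accepted from any address, and moving the `samba_enabled` guard from the block into `state:` does not change that; an SMB server reachable from a public interface is a well-known target. Add `source: "{{ samba_allowed_sources }}"` (a new role variable, declared in defaults) or `in_interface:` to keep it on the LAN. Also, `with_items: '{{ samba_ports }}'` with `state: absent` only deletes rules for ports still in the list, so an entry dropped from `samba_ports` keeps its ACCEPT rule until removed by hand.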
@@ -1,15 +1,17 @@ --- # tasks file for iptables-webserver -- name: Setup iptables for webserver 80 and 443 - when: +- ansible.builtin.debug: + msg: "ENABLED = {{ iptables_webserver_enabled }}; PORTS = {{ iptables_webserver_ports }}; iptables-webserver role" + +- when: - "is_docker is not true" - - "iptables_webserver_enabled is true" block: - name: Allow new, established packets on TCP ports 80/443 (Webserver) ansible.builtin.iptables: chain: INPUT protocol: tcp + state: "{{ 'present' if iptables_webserver_enabled is true else 'absent' }}" destination_port: "{{ item }}" ctstate: NEW,ESTABLISHED jump: ACCEPT diff --git a/roles/pi-hole/tasks/main.yml b/roles/pi-hole/tasks/main.yml index 58e2a59..19612ce 100644 --- a/roles/pi-hole/tasks/main.yml +++ b/roles/pi-hole/tasks/main.yml @@ -1,7 +1,7 @@ --- # tasks file for pi-hole -- name: Pi-Hole setup +- name: pi-hole role; setup the target as DNS server with Pi-Hole when: "'global.update_only' not in ansible_run_tags" block: - name: Populate service facts @@ -22,15 +22,6 @@ ansible.builtin.include_role: name: iptables-webserver - - name: Setup iptables rules - ansible.builtin.iptables: - chain: INPUT - protocol: '{{ item }}' - destination_port: 53 - jump: ACCEPT - comment: Accept DNS connections - loop: [tcp,udp] - - name: iptables-persistent ansible.builtin.include_role: name: iptables-persistent diff --git a/roles/samba/tasks/main.yml b/roles/samba/tasks/main.yml index 05419ac..039afa3 100644 --- a/roles/samba/tasks/main.yml +++ b/roles/samba/tasks/main.yml @@ -1,6 +1,6 @@ --- -- name: Setup target as a Samba server +- name: samba role; setup the target as SMB server using an external role when: 'samba_enabled is true' include_role: name: vladgh.samba.server diff --git a/roles/snort-community/tasks/main.yml b/roles/snort-community/tasks/main.yml index 824b04b..28cf950 100644 --- a/roles/snort-community/tasks/main.yml +++ b/roles/snort-community/tasks/main.yml 
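Review bot: Dropping `iptables_webserver_enabled is true` from the `when:` and moving it into `state:` means a disabled role now actively deletes any INPUT rule matching this spec, including an identical rule added by hand or by another role (pi-hole includes this role for its admin UI, and `iptables -D` removes the first match). That is fine if this role is the sole owner of those rules, which is worth stating in a comment, e.g. `# disabled => matching ACCEPT rules are deleted, not just skipped`; if the rules are shared, a unique `comment:` on them scopes the delete to this role. The loop over `iptables_webserver_ports` presumably follows outside the hunk.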
@@ -1,8 +1,10 @@ --- # tasks file for snort-community -- name: Snort Community Edition setup - when: +- ansible.builtin.debug: + msg: "ENABLED = {{ snort_community_enabled }}; Snort Community Edition setup" + +- when: - "snort_community_enabled is true" block: - name: Gather package facts diff --git a/roles/unattended-upgrades/tasks/main.yml b/roles/unattended-upgrades/tasks/main.yml index d888c46..b1141d8 100644 --- a/roles/unattended-upgrades/tasks/main.yml +++ b/roles/unattended-upgrades/tasks/main.yml @@ -1,9 +1,7 @@ --- # tasks file for unattended-upgrades -- name: Check if host need unattended-upgrades +- name: Check if host need unattended-upgrades and install package when: "unattended_upgrades_enabled is true" - block: - - name: Install unattended-upgrades - ansible.builtin.package: - name: unattended-upgrades + ansible.builtin.package: + name: unattended-upgrades diff --git a/roles/wakeonlan/tasks/main.yml b/roles/wakeonlan/tasks/main.yml index 205b3a6..67c9413 100644 --- a/roles/wakeonlan/tasks/main.yml +++ b/roles/wakeonlan/tasks/main.yml @@ -1,8 +1,10 @@ --- # tasks file for wakeonlan -- name: Install and configure wakeonlan - when: +- ansible.builtin.debug: + msg: "ENABLED = {{ wakeonlan_enabled }}; wakeonlan role; install and configure wakeonlan on target; REQUIRES BIOS CONFIGURATION ON TARGET itself" + +- when: - "wakeonlan_enabled is true" block: - name: Gather package facts diff --git a/roles/yggdrasil/tasks/main.yml b/roles/yggdrasil/tasks/main.yml index 81e46d7..de5fee4 100644 --- a/roles/yggdrasil/tasks/main.yml +++ b/roles/yggdrasil/tasks/main.yml @@ -1,5 +1,9 @@ -- name: Install and configure yggdrasil - when: +--- + +- ansible.builtin.debug: + msg: "ENABLED = {{ yggdrasil_enabled }}; yggdrasil-role; install and configure yggdrasil overlay network" + +- when: - "yggdrasil_enabled is true" - "'global.update_only' not in ansible_run_tags" block: 
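Review bot: Installing the `unattended-upgrades` package does not by itself guarantee automatic updates; the periodic configuration (`APT::Periodic::Unattended-Upgrade "1"` in `/etc/apt/apt.conf.d/20auto-upgrades`) has to exist, and whether the package's postinst creates it depends on the distribution and release. Unless another role writes that file, the task name `Check if host need unattended-upgrades and install package` overstates what happens; either add the config next to this task or rename the task and note the gap in the role README. An explicit `state: present` would also spare the reader recalling the module default.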
@@ -64,6 +68,7 @@ - name: Remove yggdrasil if not enabled when: - "yggdrasil_enabled is false" + - "'yggdrasil' in ansible_run_tags" - "'global.uninstall' in ansible_run_tags" - "'global.update_only' not in ansible_run_tags" block: @@ -79,5 +84,4 @@ - when: - "yggdrasil_enabled is true" - block: - - include_tasks: "update_peers.yml" + include_tasks: "update_peers.yml" diff --git a/roles/zabov/README.md b/roles/zabov/README.md index 7724743..06f699e 100644 --- a/roles/zabov/README.md +++ b/roles/zabov/README.md @@ -1,16 +1,19 @@ zabov ========= -This role setup Zabov DNS filter +This role setup Zabov DNS filter. More information here: https://git.keinpfusch.net/loweel/zabov + Requirements ------------ -. +- golang >= 1.13 Role Variables -------------- +- **go_path** (string) + - **zabov_git_url** (string): Git valid url of Zabov - **zabov_git_branch** (string): Zabov Git branch - **zabov_installation_path** (string): Zabov installation path diff --git a/roles/zabov/tasks/main.yml b/roles/zabov/tasks/main.yml index 0ec0024..e0c4605 100644 --- a/roles/zabov/tasks/main.yml +++ b/roles/zabov/tasks/main.yml @@ -1,7 +1,7 @@ --- # tasks file for zabov -- name: Install zabov from sources +- name: zabov role; install zabov from sources when: 'go_path is defined' block: - name: Install git if needed
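Review bot: The removal block now requires the `yggdrasil` tag on top of `global.uninstall`, so a bare `--tags global.uninstall` run, which is enough to reset iptables-basic in this same commit, leaves yggdrasil installed; the asymmetry should either be documented in the role README or the new line dropped. If it is intentional, a comment on the condition, `# only removed when explicitly targeted: --tags global.uninstall,yggdrasil`, saves the next reader a guess. The `update_peers.yml` include at the end of the file is unchanged in effect, only unwrapped from its block.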