add some debug messages; cleanup of some blocks; update some README with missing useful information
parent
082d6ed47e
commit
4ddb7d334a
21 changed files with 180 additions and 136 deletions
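--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,8 +1,9 @@
 ---
 
-- name: "Setup a GNU/Linux target with standards or defined tags"
+- name: "Unitoo Handbook"
 hosts: "{{ target if target is defined else 'planets' }}"
 
+tags: always
 roles:
 # --- Hardening ---
 # Basic rules or good practises to apply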
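Review bot: `tags: always` at play level is inherited by every task the play runs, so a `--tags`/`--skip-tags` selection can no longer exclude anything; the gating the roles do through `ansible_run_tags` (e.g. `global.update_only`) still works because it reads the requested tags, but ordinary tag filtering is effectively disabled for this play. If that is the intent, a comment above the line would save the next reader a surprise: `# always: tags act as run-mode flags read via ansible_run_tags, not as task filters`. The play definition continues past the hunk.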
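--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,8 +1,10 @@
 ---
 # tasks file for auditd
 
-- name: Install and setup rules Auditd if enabled
-when:
+- ansible.builtin.debug:
+msg: "ENABLED = {{ auditd_enabled }}; auditd role"
+
+- when:
 - 'auditd_enabled is true'
 - "'global.update_only' not in ansible_run_tags"
 block: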
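Review bot: The new `ansible.builtin.debug` task and the `- when:` block after it carry no `name:`, so the play output and ansible-lint (`name[missing]`) show an anonymous task for every role; the same pattern is repeated in the dns-filter, fail2ban-basic, iptables-basic, iptables-ipfs, iptables-kdeconnect, iptables-persistent, iptables-samba, iptables-webserver, snort-community, wakeonlan and yggdrasil hunks. Keeping the name the old task had makes the log readable again: `- name: Install and setup rules Auditd if enabled` followed by `when:`. The block body continues outside the hunk.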
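--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,9 +1,25 @@
 ---
 # tasks file for dns-filter
 
-- name: Install selected DNS filter if enabled
-when:
+- ansible.builtin.debug:
+msg: "ENABLED = {{ dns_filter_enabled }}; FILTER = {{ dns_filter_selected }}; dns-filter role; setup the target as DNS server"
+
+- when:
 - "dns_filter_enabled is true"
 - "dns_filter_selected in dns_filter_list"
 ansible.builtin.include_role:
 name: "{{ dns_filter_selected }}"
+
+- name: Allow/ disallow port 53 for DNS querying
+ansible.builtin.iptables:
+chain: INPUT
+state: "{{ 'present' if dns_filter_enabled is true else 'absent' }}"
+protocol: '{{ item }}'
+destination_port: 53
+jump: ACCEPT
+comment: Accept DNS connections
+loop: [tcp,udp]
+
+- name: iptables-persistent
+ansible.builtin.include_role:
+name: iptables-persistent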
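Review bot: The port-53 ACCEPT rule is inserted into INPUT with no `source:` restriction and no `ctstate`, so once `dns_filter_enabled` is true the resolver answers on every interface the host has, which for a host with a public address is the classic open-resolver / DNS-amplification exposure. If the filter is meant for a LAN, restricting the rule with the module's `source:` parameter to the LAN range (with a documented default) would be safer. The other iptables roles in this commit skip rule changes unless `is_docker is not true`, and neither this task nor the `iptables-persistent` include has that guard, so the two new tasks run on container targets too.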
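--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,9 +1,11 @@
 ---
 # tasks file for fail2ban-basic
-#
-- name: Fail2ban Configuration
-when:
-- fail2ban_enabled is true
+
+- ansible.builtin.debug:
+msg: "ENABLED = {{ fail2ban_enabled }}; fail2ban-basic role"
+
+- when:
+- 'fail2ban_enabled is true'
 - "'global.update_only' not in ansible_run_tags"
 block:
 - name: Install Fail2ban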
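--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,8 +1,9 @@
 ---
 # tasks file for hardening-basic
 
-- name: Basic Hardening
-block:
+- ansible.builtin.debug:
+msg: "hardening-basic role"
+
 - name: Create directory structure
 ansible.builtin.file:
 path: '/etc/{{ item.path }}'
@@ -18,7 +19,7 @@
 with_community.general.filetree: '../templates/basic/etc/'
 when: item.state == 'file'
 
-- name: Harden SSH Config
+- name: ENABLED = {{ hardening_sshd_enabled }}; Harden SSH Config
 when: 'hardening_sshd_enabled is true'
 block:
 - name: Create directory structure
@@ -57,5 +58,4 @@
 name: sshd
 
 - name: Harden Service Manager (like Systemd)
-block:
-- include_tasks: "harden_{{ ansible_service_mgr }}.yml"
+include_tasks: "harden_{{ ansible_service_mgr }}.yml"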
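Review bot: The renamed task `- name: ENABLED = {{ hardening_sshd_enabled }}; Harden SSH Config` in the `@@ -18,7 +19,7` hunk puts a Jinja expression at the start of the name, which ansible-lint's `name[template]` rule rejects (templates are accepted only at the end of a name) and which makes the task line in the log begin with a variable value. Moving the flag to the end keeps the name stable and lint-clean: `- name: Harden SSH Config (enabled={{ hardening_sshd_enabled }})`, or use the `ansible.builtin.debug` pattern the other roles adopt in this commit. The SSH block continues past the hunk.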
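--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,12 +1,16 @@
 ---
 # tasks file for ipfs
 
-- name: Install IPFS if enabled
-when:
+- ansible.builtin.debug:
+msg: "ENABLED = {{ ipfs_enabled }}; ipfs role; setup the target as IPFS node"
+
+- when:
 - 'ipfs_enabled is true'
 block:
 - name: Setup ipfs-update
-when: 'ipfs_setup is true'
+when:
+- 'ipfs_setup is true'
+- "'global.update_only' not in ansible_run_tags"
 block:
 - name: Create ipfs group
 group:
@@ -72,6 +76,6 @@
 
 - include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
 
-- name: Setup firewall
+- name: Setup IPFS firewall
 ansible.builtin.include_role:
 name: iptables-ipfs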
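--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,14 +1,16 @@
 ---
 # tasks file for firewall
 
-- name: Setup iptables to standard configuration
-when:
+- ansible.builtin.debug:
+msg: "ENABLED = {{ iptables_basic_enabled }}; iptables-basic role; setup iptables with standard/ good-default configuration"
+
+- when:
 - "is_docker is not true"
 - "iptables_basic_enabled is true"
 block:
 - name: Reset configuration if requested
 when:
-- "iptables_basic_reset_enabled is true"
+- "'global.uninstall' in ansible_run_tags"
 block:
 - name: Open Firewall just for a moment to flush iptables rules
 ansible.builtin.iptables: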
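Review bot: The flush-and-reset block is now triggered by the `global.uninstall` run tag instead of `iptables_basic_reset_enabled`, so an inventory that still sets that variable silently does nothing, and a run with `--tags global.uninstall` (which the play-level `tags: always` no longer filters) opens and flushes the firewall on every host in scope rather than only on hosts that opted in. Keeping the variable as a second switch preserves both behaviours: `- "iptables_basic_reset_enabled is true or 'global.uninstall' in ansible_run_tags"`. Either way, the role defaults and README should stop documenting the variable if it is really retired; they are not visible here. The reset block continues outside the hunk.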
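--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,14 +1,17 @@
 ---
 # tasks file for iptables-ipfs
 
-- name: setup iptables for IPFS
-when:
+- ansible.builtin.debug:
+msg: "ENABLED = {{ ipfs_enabled }}; iptables-ipfs role"
+
+- when:
 - "is_docker is not true"
 block:
-- name: Allow new, established packets on TCP/UDP port 4001 (IPFS)
+- name: allow/ disallow established packets on TCP/UDP port 4001 (IPFS)
 ansible.builtin.iptables:
 chain: INPUT
 protocol: tcp
+state: "{{ 'present' if ipfs_enabled is true else 'absent' }}"
 destination_port: "{{ ipfs_port }}"
 ctstate: NEW,ESTABLISHED
 jump: ACCEPT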
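Review bot: The new `state:` toggle makes the rule `absent` when `ipfs_enabled` is false, but the only caller visible in this commit is the ipfs role's `Setup IPFS firewall` include (its `@@ -72,6 +76,6` hunk), which appears to sit inside that role's `ipfs_enabled is true` block; if that is the only entry point, the `absent` branch can never run and port 4001 stays open after IPFS is disabled. Either include `iptables-ipfs` from outside the enabled-guarded block, as dns-filter now does for port 53, or document that disabling IPFS does not close the port. The renamed task still says TCP/UDP while only `protocol: tcp` is visible in the hunk. The block continues outside the hunk.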
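--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,20 +1,23 @@
 ---
 # tasks file for iptables-kdeconnect
-- name: Setup iptables for kdeconnect
-when: 'kdeconnect_enabled is true'
-block:
-- name: Allow new, established packets on TCP Kdeconnect ports
+
+- ansible.builtin.debug:
+msg: "ENABLED = {{ kdeconnect_enabled }}; iptables-kdeconnect role"
+
+- name: Allow/ disallow new, established packets on TCP Kdeconnect ports
 ansible.builtin.iptables:
 chain: INPUT
 protocol: tcp
+state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}"
 destination_port: "{{ kdeconnect_ports }}"
 ctstate: NEW,ESTABLISHED
 jump: ACCEPT
 
-- name: Allow new, established packets on UDP Kdeconnect ports
+- name: Allow/ disallow new, established packets on UDP Kdeconnect ports
 ansible.builtin.iptables:
 chain: INPUT
 protocol: udp
+state: "{{ 'present' if kdeconnect_enabled is true else 'absent' }}"
 destination_port: "{{ kdeconnect_ports }}"
 ctstate: NEW,ESTABLISHED
 jump: ACCEPT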
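Review bot: Removing the enclosing block dropped the only condition on these two iptables tasks, and unlike iptables-basic, iptables-ipfs, iptables-persistent and iptables-webserver they have no `is_docker is not true` guard, so on container targets where the other roles skip rule changes these still try to modify INPUT. The iptables-samba hunk has the same gap. Wrapping both tasks in `- when: "is_docker is not true"` with a `block:` matches the other roles; since the `state:` expression is now evaluated on every run, `kdeconnect_enabled` (and `samba_enabled`) also needs a role default.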
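--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,5 +1,9 @@
-- name: Handle iptables-persistent
-when:
+---
+
+- ansible.builtin.debug:
+msg: "ENABLED = {{ iptables_persistent_save_to_file }}; iptables-persistent role"
+
+- when:
 - "is_docker is not true"
 - "iptables_persistent_save_to_file is true"
 block: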
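--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,3 +1,5 @@
+---
+
 - name: Save iptables rules
 block:
 - name: Save rules with iptables-persistent v4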
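--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,21 +1,24 @@
 ---
 # tasks file for iptables-samba
-- name: Setup iptables for Samba
-when: 'samba_enabled is true'
-block:
-- name: Allow new, established packets on TCP Samba ports
+
+- ansible.builtin.debug:
+msg: "ENABLED = {{ samba_enabled }}; iptables-samba role"
+
+- name: Allow/ disallow new, established packets on TCP Samba ports
 ansible.builtin.iptables:
 chain: INPUT
 protocol: tcp
+state: "{{ 'present' if samba_enabled is true else 'absent' }}"
 destination_port: "{{ item }}"
 ctstate: NEW,ESTABLISHED
 jump: ACCEPT
 with_items: '{{ samba_ports }}'
 
-- name: Allow new, established packets on UDP Samba ports
+- name: Allow/ disallow new, established packets on UDP Samba ports
 ansible.builtin.iptables:
 chain: INPUT
 protocol: udp
+state: "{{ 'present' if samba_enabled is true else 'absent' }}"
 destination_port: "{{ item }}"
 ctstate: NEW,ESTABLISHED
 jump: ACCEPT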
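--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,15 +1,17 @@
 ---
 # tasks file for iptables-webserver
 
-- name: Setup iptables for webserver 80 and 443
-when:
+- ansible.builtin.debug:
+msg: "ENABLED = {{ iptables_webserver_enabled }}; PORTS = {{ iptables_webserver_ports }}; iptables-webserver role"
+
+- when:
 - "is_docker is not true"
-- "iptables_webserver_enabled is true"
 block:
 - name: Allow new, established packets on TCP ports 80/443 (Webserver)
 ansible.builtin.iptables:
 chain: INPUT
 protocol: tcp
+state: "{{ 'present' if iptables_webserver_enabled is true else 'absent' }}"
 destination_port: "{{ item }}"
 ctstate: NEW,ESTABLISHED
 jump: ACCEPT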
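Review bot: Replacing the `iptables_webserver_enabled is true` condition with the `state:` toggle changes "disabled" from leaving the rule alone to deleting it, and that matters because the pi-hole role includes this role (visible in its `@@ -22,15 +22,6` hunk): a host running pi-hole with the webserver flag false now has its 80/443 rule actively removed on every run instead of skipped. If that is intended, the task name should say so — the kdeconnect and samba hunks were renamed to `Allow/ disallow ...` and this one still reads `Allow new, established packets on TCP ports 80/443 (Webserver)`. The loop that feeds `{{ item }}` is outside the hunk.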
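--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,7 +1,7 @@
 ---
 # tasks file for pi-hole
 
-- name: Pi-Hole setup
+- name: pi-hole role; setup the target as DNS server with Pi-Hole
 when: "'global.update_only' not in ansible_run_tags"
 block:
 - name: Populate service facts
@@ -22,15 +22,6 @@
 ansible.builtin.include_role:
 name: iptables-webserver
 
-- name: Setup iptables rules
-ansible.builtin.iptables:
-chain: INPUT
-protocol: '{{ item }}'
-destination_port: 53
-jump: ACCEPT
-comment: Accept DNS connections
-loop: [tcp,udp]
-
 - name: iptables-persistent
 ansible.builtin.include_role:
 name: iptables-persistent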
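Review bot: The port-53 ACCEPT rule removed in the `@@ -22,15 +22,6` hunk now exists only in the dns-filter role (its `@@ -1,9 +1,25` hunk), so pi-hole no longer opens DNS for itself; that is fine as long as pi-hole is reached only through dns-filter's `include_role` with `name: "{{ dns_filter_selected }}"`, and breaks silently for any direct use of the pi-hole role. A one-line comment at the removal site would record the dependency: `# port 53 is opened/closed by the dns-filter role, the intended entry point for this role`. The block these tasks belong to starts outside the hunk.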
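--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,6 +1,6 @@
 ---
 
-- name: Setup target as a Samba server
+- name: samba role; setup the target as SMB server using an external role
 when: 'samba_enabled is true'
 include_role:
 name: vladgh.samba.server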
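--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,8 +1,10 @@
 ---
 # tasks file for snort-community
 
-- name: Snort Community Edition setup
-when:
+- ansible.builtin.debug:
+msg: "ENABLED = {{ snort_community_enabled }}; Snort Community Edition setup"
+
+- when:
 - "snort_community_enabled is true"
 block:
 - name: Gather package facts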
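--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,9 +1,7 @@
 ---
 # tasks file for unattended-upgrades
 
-- name: Check if host need unattended-upgrades
+- name: Check if host need unattended-upgrades and install package
 when: "unattended_upgrades_enabled is true"
-block:
-- name: Install unattended-upgrades
 ansible.builtin.package:
 name: unattended-upgrades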
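Review bot: Collapsing the block into a single `ansible.builtin.package` task is only safe if `Install unattended-upgrades` was the block's sole member; the hunk ends at `name: unattended-upgrades`, so any further tasks of that block (configuration templating, service handling) would be past the hunk and would have lost both their `block:` parent and the `unattended_upgrades_enabled` condition, or the file would no longer parse. Worth confirming against the full file; if the block did hold more tasks, keep the `block:` and only change the name. The task is the last visible line, so whether anything follows it cannot be told from here.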
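--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,8 +1,10 @@
 ---
 # tasks file for wakeonlan
 
-- name: Install and configure wakeonlan
-when:
+- ansible.builtin.debug:
+msg: "ENABLED = {{ wakeonlan_enabled }}; wakeonlan role; install and configure wakeonlan on target; REQUIRES BIOS CONFIGURATION ON TARGET itself"
+
+- when:
 - "wakeonlan_enabled is true"
 block:
 - name: Gather package facts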
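--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,5 +1,9 @@
-- name: Install and configure yggdrasil
-when:
+---
+
+- ansible.builtin.debug:
+msg: "ENABLED = {{ yggdrasil_enabled }}; yggdrasil-role; install and configure yggdrasil overlay network"
+
+- when:
 - "yggdrasil_enabled is true"
 - "'global.update_only' not in ansible_run_tags"
 block:
@@ -64,6 +68,7 @@
 - name: Remove yggdrasil if not enabled
 when:
 - "yggdrasil_enabled is false"
+- "'yggdrasil' in ansible_run_tags"
 - "'global.uninstall' in ansible_run_tags"
 - "'global.update_only' not in ansible_run_tags"
 block:
@@ -79,5 +84,4 @@
 
 - when:
 - "yggdrasil_enabled is true"
-block:
-- include_tasks: "update_peers.yml"
+include_tasks: "update_peers.yml"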
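Review bot: In the `@@ -64,6 +68,7` hunk the added `'yggdrasil' in ansible_run_tags` line is one more entry of a `when:` list, and list entries are ANDed, so the removal block now runs only when a run is invoked with both the `yggdrasil` and the `global.uninstall` tags at once (plus `yggdrasil_enabled` false); before this commit `global.uninstall` alone sufficed. If either tag should trigger the removal, merge the two into one expression: `- "'yggdrasil' in ansible_run_tags or 'global.uninstall' in ansible_run_tags"`. The removal block continues past the hunk.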
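--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,16 +1,19 @@
 zabov
 =========
 
-This role setup Zabov DNS filter
+This role setup Zabov DNS filter. More information here: https://git.keinpfusch.net/loweel/zabov
 
+
 Requirements
 ------------
 
-.
+- golang >= 1.13
 
 Role Variables
 --------------
 
+- **go_path** (string)
+
 - **zabov_git_url** (string): Git valid url of Zabov
 - **zabov_git_branch** (string): Zabov Git branch
 - **zabov_installation_path** (string): Zabov installation path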
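--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -1,7 +1,7 @@
 ---
 # tasks file for zabov
 
-- name: Install zabov from sources
+- name: zabov role; install zabov from sources
 when: 'go_path is defined'
 block:
 - name: Install git if needed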