diff --git a/extra-playbooks/pi-hole.yml b/extra-playbooks/pi-hole.yml deleted file mode 100644 index c6533ae..0000000 --- a/extra-playbooks/pi-hole.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- name: "Setup the target for pi-hole" - hosts: "{{ target if target is defined else 'planets' }}" - roles: - - role: pi-hole diff --git a/handbook.yml b/handbook.yml index 0939496..735bc03 100644 --- a/handbook.yml +++ b/handbook.yml @@ -4,26 +4,28 @@ hosts: "{{ target if target is defined else 'planets' }}" roles: + # Hardening + # - role: iptables-persistent + # tags: [firewall, ips, ids] + - role: hardening-basic tags: [hardening, ips, ids] - - - role: iptables-persistent - tags: [firewall, ips, ids] - role: iptables-basic tags: [firewall, ips, ids] + - role: fail2ban-basic + tags: [fail2ban, ips, ids] + - role: auditd + tags: [auditd] + - role: iptables-webserver tags: [firewall, webserver] - - role: fail2ban-basic - tags: [fail2ban, ips, ids] - + # Services - role: ipfs tags: [ipfs] - role: yggdrasil tags: [yggdrasil] - - role: snort-community tags: [snort, ips, ids] - - - role: auditd - tags: [auditd] + - role: dns-filter + tags: [dns_filter] diff --git a/extra-playbooks/os-update.yml b/os-update.yml similarity index 100% rename from extra-playbooks/os-update.yml rename to os-update.yml diff --git a/roles/dns-filter/.travis.yml b/roles/dns-filter/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/dns-filter/.travis.yml 
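Review bot: Commenting out `iptables-persistent` in handbook.yml while keeping `iptables-basic` and `iptables-webserver` means the rules those roles load are applied live but, as far as this diff shows, nothing saves them any more, so a reboot would drop the firewall back to the distro default (the `iptables-save > /etc/iptables/rules.v4` step lives in the disabled role). If the intent is to make persistence opt-in, it is cleaner to leave the role in place and rely on its new `iptables_persistent_save_to_file` gate, e.g. `- role: iptables-persistent` under the Hardening comment with `tags: [firewall, ips, ids]` and a default of `false` in its defaults. Note also that `fail2ban-basic` now runs before `iptables-webserver`; fail2ban inserts its own chains, so please confirm that `iptables-webserver` does not flush or re-create the INPUT chain (not visible here). A one-line comment next to the commented role stating why it was disabled would help the next reader.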
@@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/dns-filter/README.md b/roles/dns-filter/README.md new file mode 100644 index 0000000..ee56a3a --- /dev/null +++ b/roles/dns-filter/README.md @@ -0,0 +1,35 @@ +dns-filter +========= + +This role setup selected dns-filter + +Requirements +------------ + +. + +Role Variables +-------------- + +- **dns_filter_enabled** (boolean): if true enable dns filter +- **dns_filter_selected** (string): selectable dns filter, check filter list + +Dependencies +------------ + +. + +Example Playbook +---------------- + +`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target go_path=/opt/go/bin" --tags dns_filter` + +License +------- + +GPLv3 + +Author Information +------------------ + +- [Claudio Maradonna](https://social.unitoo.it/claudio) diff --git a/roles/dns-filter/defaults/main.yml b/roles/dns-filter/defaults/main.yml new file mode 100644 index 0000000..15f8a5b --- /dev/null +++ b/roles/dns-filter/defaults/main.yml @@ -0,0 +1,6 @@ +--- +# defaults file for dns-filter + +dns_filter_enabled: false +dns_filter_list: ['pi-hole', 'zabov'] +dns_filter_selected: zabov diff --git a/roles/dns-filter/handlers/main.yml b/roles/dns-filter/handlers/main.yml new file mode 100644 index 0000000..aa9ff4a --- /dev/null +++ b/roles/dns-filter/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for dns-filter 
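Review bot: The CI job installs an unpinned `pip install ansible` on `python: "2.7"`; current ansible releases no longer support 2.7, so pip will either fail or resolve to an old release that does not know the `ansible.builtin.*` FQCNs used in this role, and the `--syntax-check` will not validate what production runs. Pin both, e.g. `python: "3.10"` and `- pip install "ansible-core==2.15.*"` (or whatever version the playbook is actually run with), and since this is the stock galaxy template consider dropping it if Travis is not used. The trailing `webhooks: https://galaxy.ansible.com/api/v1/notifications/` is only meaningful if the role is published to Galaxy.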
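Review bot: `dns_filter_list` in defaults/main.yml is what tasks/main.yml later uses to decide whether `dns_filter_selected` may be passed to `include_role`, but a role default has the lowest variable precedence and can be overridden from inventory, group_vars or `--extra-vars`, so it does not really constrain which role names can be included. If the list is meant as an allowlist, move it to `vars/main.yml` (which this commit adds empty) so it cannot be overridden by play or inventory variables; if it is meant to be user-extensible, document it in README.md, which currently lists only `dns_filter_enabled` and `dns_filter_selected`. Either way a comment such as `# roles that dns_filter_selected may reference; keep in sync with roles/` would make the intent explicit.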
diff --git a/roles/dns-filter/meta/main.yml b/roles/dns-filter/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/dns-filter/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/dns-filter/tasks/main.yml b/roles/dns-filter/tasks/main.yml new file mode 100644 index 0000000..64a0146 --- /dev/null +++ b/roles/dns-filter/tasks/main.yml 
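Review bot: meta/main.yml is committed with the galaxy-init placeholders untouched (`author: your name`, `license: license (GPL-2.0-or-later, MIT, etc)`), while the role's README states GPLv3; fill it in, e.g. `license: GPL-3.0-only` and `author: Claudio Maradonna`. `min_ansible_version: 2.1` is also wrong for this role: tasks/main.yml uses `ansible.builtin.include_role`, which requires at least 2.10, so `min_ansible_version: "2.10"` (quoted, so YAML does not read it as a float) is the minimum honest value. The unused commented template text can be deleted to keep the file readable.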
@@ -0,0 +1,11 @@ +--- +# tasks file for dns-filter + +- name: Install selected DNS filter if enabled + when: + - "dns_filter_enabled is true" + - "dns_filter_selected in dns_filter_list" + block: + - name: Call DNS filter role + ansible.builtin.include_role: + name: "{{ dns_filter_selected }}" diff --git a/roles/dns-filter/tests/inventory b/roles/dns-filter/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/dns-filter/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/dns-filter/tests/test.yml b/roles/dns-filter/tests/test.yml new file mode 100644 index 0000000..c68f1bd --- /dev/null +++ b/roles/dns-filter/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - dns-filter diff --git a/roles/dns-filter/vars/main.yml b/roles/dns-filter/vars/main.yml new file mode 100644 index 0000000..21b6b89 --- /dev/null +++ b/roles/dns-filter/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for dns-filter diff --git a/roles/iptables-persistent/tasks/main.yml b/roles/iptables-persistent/tasks/main.yml index d5f4d5e..486db9c 100644 --- a/roles/iptables-persistent/tasks/main.yml +++ b/roles/iptables-persistent/tasks/main.yml @@ -1,6 +1,7 @@ - name: Handle iptables-persistent when: - "is_docker is not true" + - "iptables_persistent_save_to_file is true" block: - name: Install iptables-persistent package ansible.builtin.package: diff --git a/roles/iptables-persistent/tasks/save_rules_for_Debian.yml b/roles/iptables-persistent/tasks/save_rules_for_Debian.yml index 7fec1f7..cc24cc7 100644 --- a/roles/iptables-persistent/tasks/save_rules_for_Debian.yml +++ b/roles/iptables-persistent/tasks/save_rules_for_Debian.yml @@ -1,5 +1,4 @@ - name: Save iptables rules - when: "iptables_persistent_save_to_file is true" block: - name: Save rules with iptables-persistent v4 ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4 
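Review bot: `when: "dns_filter_enabled is true"` only matches a real boolean, and variables passed on the command line with `--extra-vars key=value` (the invocation style the README shows) arrive as strings, so `-e dns_filter_enabled=true` silently skips the role; use `when: dns_filter_enabled | bool` instead. The `dns_filter_selected in dns_filter_list` guard is the right control for an `include_role` whose `name` comes from a variable, but it is only as strong as the precedence of `dns_filter_list` (a default here), so a short comment like `# allowlist: never include a role name that is not in dns_filter_list` would record why the check exists. Consider also failing loudly on an unknown selection (`ansible.builtin.fail` with a message listing `dns_filter_list`) rather than skipping, so a typo in `dns_filter_selected` does not leave the host without a DNS filter.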
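Review bot: Moving `iptables_persistent_save_to_file is true` onto the whole block in roles/iptables-persistent/tasks/main.yml now also skips installing the `iptables-persistent` package when the flag is off, which is probably intended but deserves a comment, since the removed guard in save_rules_for_Debian.yml leaves that file with no gate of its own and it would save rules unconditionally if included from elsewhere. As with the other roles, `is true` fails for a string `"true"` from `--extra-vars`; `- iptables_persistent_save_to_file | bool` is more forgiving. The enclosing block continues past the hunk, so I could not check whether the included save task is still reached on non-Debian families.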
diff --git a/roles/zabov/.travis.yml b/roles/zabov/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/zabov/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/zabov/README.md b/roles/zabov/README.md new file mode 100644 index 0000000..7724743 --- /dev/null +++ b/roles/zabov/README.md @@ -0,0 +1,38 @@ +zabov +========= + +This role setup Zabov DNS filter + +Requirements +------------ + +. + +Role Variables +-------------- + +- **zabov_git_url** (string): Git valid url of Zabov +- **zabov_git_branch** (string): Zabov Git branch +- **zabov_installation_path** (string): Zabov installation path +- **zabov_user** (string): Zabov dedicated user +- **zabov_group** (string): Zabov dedicated group + +Dependencies +------------ + +. + +Example Playbook +---------------- + +`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target go_path=/opt/go/bin" --tags dns_filter` + +License +------- + +GPLv3 + +Author Information +------------------ + +- [Claudio Maradonna](https://social.unitoo.it/claudio) diff --git a/roles/zabov/defaults/main.yml b/roles/zabov/defaults/main.yml new file mode 100644 index 0000000..362d00c --- /dev/null +++ b/roles/zabov/defaults/main.yml 
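Review bot: This .travis.yml is byte-identical to the one added for dns-filter and has the same problem: `pip install ansible` is unpinned on `python: "2.7"`, which modern ansible does not support, and the role itself uses `single_branch` on `ansible.builtin.git` (ansible-core 2.11+) and a `community.general` lookup, neither of which an old release resolving for 2.7 would know. Pin the interpreter and the ansible version (`python: "3.10"`, `- pip install "ansible-core==2.15.*" community.general`) or remove the file if Travis is not actually used.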
@@ -0,0 +1,8 @@ +--- +# defaults file for zabov + +zabov_git_url: "https://git.keinpfusch.net/loweel/zabov" +zabov_installation_path: "/home/zabov/zabov" +zabov_git_branch: "master" +zabov_user: zabov +zabov_group: zabov diff --git a/roles/zabov/handlers/main.yml b/roles/zabov/handlers/main.yml new file mode 100644 index 0000000..a9931b4 --- /dev/null +++ b/roles/zabov/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for zabov diff --git a/roles/zabov/meta/main.yml b/roles/zabov/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/zabov/meta/main.yml 
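Review bot: `zabov_git_branch: "master"` in defaults makes every run build whatever the upstream branch head happens to be, with no tag, commit or signature check, so the binary that later gets `CAP_NET_BIND_SERVICE` and answers DNS for the network is not reproducible and a compromised upstream would be deployed on the next run. Pin to a release tag or commit hash by default (`zabov_git_branch: "<tag>"`, and a comment `# pin to a reviewed tag/commit; never a moving branch`) and let operators override deliberately. `zabov_installation_path: "/home/zabov/zabov"` also hard-codes the home directory rather than deriving it from `zabov_user`; fine for now, but worth a comment so the two stay in sync.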
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/zabov/tasks/install_systemd_service.yml b/roles/zabov/tasks/install_systemd_service.yml new file mode 100644 index 0000000..14b6550 --- /dev/null +++ b/roles/zabov/tasks/install_systemd_service.yml 
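Review bot: The zabov meta/main.yml is the unedited galaxy template (`author: your name`, `license: license (GPL-2.0-or-later, MIT, etc)`) and contradicts the README's GPLv3; set `license: GPL-3.0-only` and the real author. `min_ansible_version: 2.1` understates what the role needs: tasks/main.yml uses `single_branch` on `ansible.builtin.git` (ansible-core 2.11+) and install_systemd_service.yml uses `with_community.general.filetree`, so `min_ansible_version: "2.11"` plus a `collections: [community.general]` entry (or a requirements.yml) is needed for anyone installing the role standalone. The remaining commented template text can go.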
@@ -0,0 +1,15 @@ +- name: Setup systemd + when: 'is_docker is not true' + block: + - name: Install systemd files + ansible.builtin.template: + src: '{{ item.src }}' + dest: '/{{ item.path }}' + with_community.general.filetree: '../templates/systemd/' + when: item.state == 'file' + + - name: Enable service + ansible.builtin.systemd: + name: zabov + state: started + daemon_reload: yes diff --git a/roles/zabov/tasks/main.yml b/roles/zabov/tasks/main.yml new file mode 100644 index 0000000..0ec0024 --- /dev/null +++ b/roles/zabov/tasks/main.yml 
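Review bot: The task named "Enable service" only passes `state: started` to `ansible.builtin.systemd`, so the unit is started once but not enabled and zabov will not come back after a reboot; add `enabled: true`. There is also no handler, so when the template or the binary built in tasks/main.yml changes, an already-running service keeps the old code — register the template task and notify a `Restart zabov` handler (`state: restarted`) from both it and the build task, rather than relying on `state: started`. The template copies into `/lib/systemd/system` (from the `templates/systemd/lib/...` path); admin-provided units conventionally live in `/etc/systemd/system`, which also avoids being overwritten by a distro package, and an explicit `mode: "0644"` on the template task would make the unit's permissions deterministic.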
@@ -0,0 +1,74 @@ +--- +# tasks file for zabov + +- name: Install zabov from sources + when: 'go_path is defined' + block: + - name: Install git if needed + ansible.builtin.package: + name: git + + - name: Create zabov group + group: + name: "{{ zabov_group }}" + state: present + + - name: Create zabov user + user: + name: "{{ zabov_user }}" + state: present + shell: /sbin/nologin + group: "{{ zabov_group }}" + + - name: Official repo print url + debug: + msg: "{{ zabov_git_url }}" + + - name: Compile zabov + become: true + become_user: "{{ zabov_user }}" + block: + - name: Check if repo is cloned + stat: + path: "{{ zabov_installation_path }}" + register: installation_path + + - name: Clone repo + when: 'not installation_path.stat.exists' + ansible.builtin.git: + repo: "{{ zabov_git_url }}" + dest: "{{ zabov_installation_path }}" + single_branch: yes + version: "{{ zabov_git_branch }}" + + - name: Update repo + ansible.builtin.git: + repo: "{{ zabov_git_url }}" + dest: "{{ zabov_installation_path }}" + update: yes + + - name: Get $PATH + ansible.builtin.shell: + cmd: "echo $PATH" + register: path_env + + - name: Get go dependencies + ansible.builtin.shell: + cmd: "go get" + chdir: "{{ zabov_installation_path }}" + environment: + PATH: '{{ go_path }}:{{ path_env }}' + args: + executable: /bin/bash + + - name: Build executable + ansible.builtin.shell: + cmd: "go build -mod=vendor" + chdir: "{{ zabov_installation_path }}" + environment: + PATH: '{{ go_path }}:{{ path_env }}' + args: + executable: /bin/bash + +- include_tasks: "install_{{ ansible_service_mgr }}_service.yml" + ignore_errors: true diff --git a/roles/zabov/templates/systemd/lib/systemd/system/zabov.service b/roles/zabov/templates/systemd/lib/systemd/system/zabov.service new file mode 100644 index 0000000..15c4ae7 --- /dev/null +++ b/roles/zabov/templates/systemd/lib/systemd/system/zabov.service 
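Review bot: `PATH: '{{ go_path }}:{{ path_env }}'` in the "Get go dependencies" and "Build executable" tasks interpolates the whole registered result dict, not the shell output; it should be `'{{ go_path }}:{{ path_env.stdout }}'`, otherwise PATH is `go_path` followed by a stringified dict and tools `go` shells out to (git, gcc) may not be found. The "Update repo" task omits `version:`, so on every run after the first it checks out the remote default HEAD regardless of `zabov_git_branch`, while "Clone repo" honours it; pass `version: "{{ zabov_git_branch }}"` there too (then the separate clone task is redundant, since `git` with `version` and `update` handles both cases). Together with `go get` before `go build -mod=vendor`, the build depends on unpinned network state at run time; pinning the version and dropping `go get` when the vendor tree is authoritative would make the artifact reproducible. `ignore_errors: true` on the final `include_tasks` hides a missing `install_<service_mgr>_service.yml` and leaves the host with a built binary but no running filter; a `fail` with a clear message or a `when: ansible_service_mgr == 'systemd'` is safer.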
@@ -0,0 +1,24 @@ +[Unit] +Description=Zabov Daemon +Documentation=https://git.keinpfusch.net/loweel/zabov +Wants=network.target +After=network.target + +[Service] +Type=simple +WorkingDirectory={{ zabov_installation_path }} +ExecStart={{ zabov_installation_path }}/zabov +User={{ zabov_user }} +Group={{ zabov_group }} +StateDirectory=zabov +Restart=always +RestartSec=60 +KillMode=process +KillSignal=SIGINT +ProtectSystem=true +SecureBits=keep-caps +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE + +[Install] +WantedBy=multi-user.target diff --git a/roles/zabov/tests/inventory b/roles/zabov/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/zabov/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/zabov/tests/test.yml b/roles/zabov/tests/test.yml new file mode 100644 index 0000000..d22dc7c --- /dev/null +++ b/roles/zabov/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - zabov diff --git a/roles/zabov/vars/main.yml b/roles/zabov/vars/main.yml new file mode 100644 index 0000000..9edd659 --- /dev/null +++ b/roles/zabov/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for zabov diff --git a/extra-playbooks/setup-node.yml b/setup-node.yml similarity index 100% rename from extra-playbooks/setup-node.yml rename to setup-node.yml diff --git a/extra-playbooks/ssh-copy-id.yml b/ssh-copy-id.yml similarity index 100% rename from extra-playbooks/ssh-copy-id.yml rename to ssh-copy-id.yml
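Review bot: `ProtectSystem=true` in the [Service] section only makes /usr and /boot read-only; for a network-facing DNS daemon that already runs unprivileged with just `CAP_NET_BIND_SERVICE`, `ProtectSystem=strict` plus `NoNewPrivileges=true` and `PrivateTmp=true` costs nothing and is compatible with `AmbientCapabilities`. `StateDirectory=zabov` keeps /var/lib/zabov writable under `strict`, but `WorkingDirectory` is under /home, so `ProtectHome=read-only` is the most that fits unless zabov writes into its checkout (not visible here — add `ReadWritePaths=` only if it does). `SecureBits=keep-caps` appears redundant next to `AmbientCapabilities`, and `KillMode=process` lets any child outlive the main process on stop; the default control-group mode is safer unless zabov forks helpers that must survive.

```ini
[Service]
# … unchanged: Type, WorkingDirectory, ExecStart, User, Group, StateDirectory, Restart, RestartSec, KillSignal …
ProtectSystem=strict
ProtectHome=read-only
NoNewPrivileges=true
PrivateTmp=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
```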