unitoo
/
configurations-ansible
1
0
Fork 1
Code Issues 2 Pull Requests Packages Releases Activity

init repo with: iptables, pihole, snort, yggdrasil, basic hardening, os-updates

This commit is contained in:
Claudio Maradonna 2022-11-18 18:33:37 +01:00
commit df18c65a75
Signed by: claudiomaradonna
GPG Key ID: 0CBA58694C5680D9
99 changed files with 1906 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
inventory/*
host_vars/*
Dockerfile
docker-compose.yml

21
Dockerfile.example Normal file
View File

@ -0,0 +1,21 @@
FROM ubuntu
RUN apt-get update
RUN apt-get install -y openssh-server
RUN mkdir /var/run/sshd
RUN echo 'root:root' |chpasswd
RUN sed -ri 's/^#?PermitRootLogin\s+.*/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed -ri 's/UsePAM yes/#UsePAM yes/g' /etc/ssh/sshd_config
RUN mkdir /root/.ssh
RUN echo 'YOUR PUB KEY' > /root/.ssh/authorized_keys
RUN apt-get clean && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D"]

10
docker-compose.yml.example Normal file
View File

@ -0,0 +1,10 @@
version: '3'
services:
target:
build:
context: .
dockerfile: Dockerfile
image: ansible-test
ports:
- "2222:22"

23
handbook.yml Normal file
View File

@ -0,0 +1,23 @@
---
- name: "Setup a GNU/Linux server"
hosts: "{{ target if target is defined else 'planets' }}"
roles:
- role: iptables-persistent
tags: [firewall]
- role: iptables-basic
tags: [firewall]
- role: iptables-webserver
tags: [firewall, webserver]
- role: iptables-ipfs
tags: [firewall, ipfs]
- fail2ban-basic
- hardening-basic
- yggdrasil
- role: snort-community
tags: snort
- role: pi-hole
tags: pi-hole

5
os-update.yml Normal file
View File

@ -0,0 +1,5 @@
- name: "Update OS of the target"
hosts: "{{ target if target is defined else 'planets' }}"
roles:
- role: os-updates

29
roles/fail2ban-basic/.travis.yml Normal file
View File

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/fail2ban-basic/README.md Normal file
View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

5
roles/fail2ban-basic/defaults/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
# defaults file for fail2ban-basic
fail2ban_package_name_by_os_family:
Debian: fail2ban

2
roles/fail2ban-basic/handlers/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# handlers file for fail2ban-basic

52
roles/fail2ban-basic/meta/main.yml Normal file
View File

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

16
roles/fail2ban-basic/tasks/main.yml Normal file
View File

@ -0,0 +1,16 @@
---
# tasks file for fail2ban-basic
#
- name: Fail2ban Configuration
block:
- name: Install Fail2ban
ansible.builtin.package:
name: "{{ fail2ban_package_name_by_os_family[ansible_os_family] }}"
- name: Enable Fail2ban service
when: "is_docker is not true"
ansible.builtin.systemd:
name: fail2ban
enabled: yes
state: started
masked: no

2
roles/fail2ban-basic/tests/inventory Normal file
View File

@ -0,0 +1,2 @@
localhost

5
roles/fail2ban-basic/tests/test.yml Normal file
View File

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- fail2ban-basic

2
roles/fail2ban-basic/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# vars file for fail2ban-basic

29
roles/hardening-basic/.travis.yml Normal file
View File

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/hardening-basic/README.md Normal file
View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

12
roles/hardening-basic/defaults/main.yml Normal file
View File

@ -0,0 +1,12 @@
---
# defaults file for hardening-basic
hardening_sshd_enabled: true
hardening_sshd_tcp_forward: false
hardening_sshd_permissions_set_sticky_bit: true
hardening_modprobe_files:
- /etc/modprobe.d/disable-network-filesystems.conf
- /etc/modprobe.d/disable-rare-filesystems.conf
- /etc/modprobe.d/disable-rare-protocols.conf
- /etc/modprobe.d/disable-vivid.conf

2
roles/hardening-basic/handlers/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# handlers file for hardening-basic

52
roles/hardening-basic/meta/main.yml Normal file
View File

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

73
roles/hardening-basic/tasks/main.yml Normal file
View File

@ -0,0 +1,73 @@
---
# tasks file for hardening-basic
- name: Basic Hardening
block:
- name: Harden SSH Config
when: 'hardening_sshd_enabled is true'
block:
- name: Check if sshd_config/99-hardening exists
stat:
path: /etc/ssh/sshd_config.d/99-hardening.conf
register: file_name
- name: Download sshd_config
when: not file_name.stat.exists
ansible.builtin.get_url:
url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/ssh/etc/ssh/sshd_config
dest: /etc/ssh/sshd_config.d/99-hardening.conf
- name: Enable TCP SSH Forwarding
when: 'hardening_sshd_tcp_forward is true'
replace:
path: /etc/ssh/sshd_config.d/99-hardening.conf
regexp: 'AllowTcpForwarding no'
replace: 'AllowTcpForwarding yes'
backup: yes
- name: Give 1700 permissions to .ssh folder
ansible.builtin.file:
path: /root/.ssh
owner: root
group: root
mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700"
- name: Give 1600 permissions to .ssh/authorized_keys file
ansible.builtin.file:
path: /root/.ssh/authorized_keys
owner: root
group: root
mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600"
- name: Restart sshd
when: "is_docker is not true"
ansible.builtin.systemd:
state: restarted
name: sshd
- name: Create if not exists /etc/modprobe.d
file:
path: /etc/modprobe.d
state: directory
- name: modprobe.d setup
include_tasks: modprobe.yml
loop: "{{ hardening_modprobe_files }}"
loop_control:
loop_var: file
- name: Create if not exists /etc/sysctl.d
file:
path: /etc/sysctl.d
state: directory
- name: Check if sysctl/99-hardening exists
stat:
path: /etc/sysctl.d/99-hardening.conf
register: file_name
- name: Download sysctl.conf
when: not file_name.stat.exists
ansible.builtin.get_url:
url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf
dest: /etc/sysctl.d/99-hardening.conf

10
roles/hardening-basic/tasks/modprobe.yml Normal file
View File

@ -0,0 +1,10 @@
- name: Check if {{ file }} exists
stat:
path: "{{ file }}"
register: file_name
- name: Download {{ file }}
when: not file_name.stat.exists
ansible.builtin.get_url:
url: "https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/{{file}}"
dest: "{{ file }}"

2
roles/hardening-basic/tests/inventory Normal file
View File

@ -0,0 +1,2 @@
localhost

5
roles/hardening-basic/tests/test.yml Normal file
View File

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- hardening-basic

2
roles/hardening-basic/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# vars file for hardening-basic

29
roles/iptables-basic/.travis.yml Normal file
View File

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/iptables-basic/README.md Normal file
View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

7
roles/iptables-basic/defaults/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
# defaults file for firewall
iptables_basic_enabled: true
iptables_basic_reset_enabled: false
iptables_basic_ssh_port: 22
iptables_basic_drop_unencrypted_smtp_port: true

2
roles/iptables-basic/handlers/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# handlers file for firewall

52
roles/iptables-basic/meta/main.yml Normal file
View File

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

73
roles/iptables-basic/tasks/main.yml Normal file
View File

@ -0,0 +1,73 @@
---
# tasks file for firewall
- name: Setup iptables to standard configuration
when:
- "is_docker is not true"
- "iptables_basic_enabled is true"
block:
- name: Reset configuration if requested
when:
- "iptables_basic_reset_enabled is true"
block:
- name: Open Firewall just for a moment to flush iptables rules
ansible.builtin.iptables:
chain: INPUT
policy: ACCEPT
- name: Iptables flush filter
ansible.builtin.iptables:
chain: "{{ item }}"
flush: yes
with_items: [ 'INPUT', 'FORWARD', 'OUTPUT' ]
- name: Allow related and established connections
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
- name: Drop invalid connections
ansible.builtin.iptables:
chain: INPUT
ctstate: INVALID
jump: DROP
- name: Allow lo incoming connections
ansible.builtin.iptables:
chain: INPUT
in_interface: lo
jump: ACCEPT
- name: Allow new incoming SYN packets on TCP port 22 (SSH)
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ iptables_basic_ssh_port }}"
ctstate: NEW
syn: match
jump: ACCEPT
comment: Accept new SSH connections.
- name: Set the policy for the INPUT chain to DROP
ansible.builtin.iptables:
chain: INPUT
policy: DROP
- name: Set the policy for the FORWARD chain to DROP
ansible.builtin.iptables:
chain: FORWARD
policy: DROP
- name: Drop unencrypted port 25 in output
when: "iptables_basic_drop_unencrypted_smtp_port is true"
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination_port: 25
jump: REJECT
reject_with: icmp-port-unreachable
- name: iptables-persistent
ansible.builtin.include_role:
name: iptables-persistent

2
roles/iptables-basic/tests/inventory Normal file
View File

@ -0,0 +1,2 @@
localhost

5
roles/iptables-basic/tests/test.yml Normal file
View File

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- firewall

2
roles/iptables-basic/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# vars file for firewall

29
roles/iptables-ipfs/.travis.yml Normal file
View File

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/iptables-ipfs/README.md Normal file
View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

5
roles/iptables-ipfs/defaults/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
# defaults file for iptables-ipfs
iptables_ipfs_enabled: false
iptables_ipfs_port: 4001

2
roles/iptables-ipfs/handlers/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# handlers file for iptables-ipfs

52
roles/iptables-ipfs/meta/main.yml Normal file
View File

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

20
roles/iptables-ipfs/tasks/main.yml Normal file
View File

@ -0,0 +1,20 @@
---
# tasks file for iptables-ipfs
- name: setup iptables for IPFS
when:
- "is_docker is not true"
- "iptables_ipfs_enabled is true"
block:
- name: Allow new, established packets on TCP/UDP port 4001 (IPFS)
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ iptables_ipfs_port }}"
ctstate: NEW,ESTABLISHED
jump: ACCEPT
comment: IPFS dedicated port
- name: iptables-persistent
ansible.builtin.include_role:
name: iptables-persistent

2
roles/iptables-ipfs/tests/inventory Normal file
View File

@ -0,0 +1,2 @@
localhost

5
roles/iptables-ipfs/tests/test.yml Normal file
View File

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- iptables-ipfs

2
roles/iptables-ipfs/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# vars file for iptables-ipfs

29
roles/iptables-persistent/.travis.yml Normal file
View File

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/iptables-persistent/README.md Normal file
View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

7
roles/iptables-persistent/defaults/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
# defaults file for iptables-persistent
iptables_persistent_package_name_by_os_family:
Debian: iptables-persistent
iptables_persistent_save_to_file: true

2
roles/iptables-persistent/handlers/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# handlers file for iptables-persistent

52
roles/iptables-persistent/meta/main.yml Normal file
View File

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

17
roles/iptables-persistent/tasks/main.yml Normal file
View File

@ -0,0 +1,17 @@
- name: Handle iptables-persistent
when:
- "is_docker is not true"
block:
- name: Install iptables-persistent package
ansible.builtin.package:
name: "{{ iptables_persistent_package_name_by_os_family[ansible_os_family] }}"
- name: Gather package facts
package_facts:
manager: auto
- name: Save iptables rules into /etc/iptables folder
when:
- "'iptables-persistent' in ansible_facts.packages"
block:
- include_tasks: "save_rules_for_{{ ansible_os_family }}.yml"

8
roles/iptables-persistent/tasks/save_rules_for_Debian.yml Normal file
View File

@ -0,0 +1,8 @@
- name: Save iptables rules
when: "iptables_persistent_save_to_file is true"
block:
- name: Save rules with iptables-persistent v4
ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
- name: Save rules with iptables-persistent v6
ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6

2
roles/iptables-persistent/tests/inventory Normal file
View File

@ -0,0 +1,2 @@
localhost

5
roles/iptables-persistent/tests/test.yml Normal file
View File

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- iptables-persistent

2
roles/iptables-persistent/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# vars file for iptables-persistent

29
roles/iptables-webserver/.travis.yml Normal file
View File

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/iptables-webserver/README.md Normal file
View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

5
roles/iptables-webserver/defaults/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
# defaults file for iptables-webserver
iptables_webserver_enabled: false
iptables_webserver_ports: [80,443]

2
roles/iptables-webserver/handlers/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# handlers file for iptables-webserver

52
roles/iptables-webserver/meta/main.yml Normal file
View File

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

21
roles/iptables-webserver/tasks/main.yml Normal file
View File

@ -0,0 +1,21 @@
---
# tasks file for iptables-webserver
- name: Setup iptables for webserver 80 and 443
when:
- "is_docker is not true"
- "iptables_webserver_enabled is true"
block:
- name: Allow new, established packets on TCP ports 80/443 (Webserver)
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ port }}"
ctstate: NEW,ESTABLISHED
jump: ACCEPT
comment: Webserver dedicated port
loop: "{{ iptables_webserver_ports }}"
- name: iptables-persistent
ansible.builtin.include_role:
name: iptables-persistent

2
roles/iptables-webserver/tests/inventory Normal file
View File

@ -0,0 +1,2 @@
localhost

5
roles/iptables-webserver/tests/test.yml Normal file
View File

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- iptables-webserver

2
roles/iptables-webserver/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# vars file for iptables-webserver

29
roles/os-updates/.travis.yml Normal file
View File

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/os-updates/README.md Normal file
View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

8
roles/os-updates/defaults/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
# defaults file for os-updates
os_update_auto_reboot: false
os_update_reboot_delay: 60
os_update_auto_shutdown: false
os_update_shutdown_delay: 60

2
roles/os-updates/handlers/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# handlers file for os-updates

52
roles/os-updates/meta/main.yml Normal file
View File

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

6
roles/os-updates/tasks/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
# tasks file for os-updates
- name: Update all installed packages
block:
- include_tasks: "update_{{ ansible_os_family }}.yml"

25
roles/os-updates/tasks/update_Debian.yml Normal file
View File

@ -0,0 +1,25 @@
- name: Update all installed packages
apt:
name: '*'
state: latest
update_cache: yes
only_upgrade: yes
register: apt_update_status
- name: Remove packages not needed anymore
apt:
autoremove: yes
- name: Reboot when packages were updated
reboot:
post_reboot_delay: "{{ os_update_reboot_delay }}"
when:
- apt_update_status.changed
- "os_update_auto_reboot is true"
- name: Shutdown when packages were updated
community.general.shutdown:
delay: "{{ os_update_shutdown_delay }}"
when:
- apt_update_status.changed
- "os_update_auto_shutdown is true"

2
roles/os-updates/tests/inventory Normal file
View File

@ -0,0 +1,2 @@
localhost

5
roles/os-updates/tests/test.yml Normal file
View File

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- os-updates

2
roles/os-updates/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# vars file for os-updates

29
roles/pi-hole/.travis.yml Normal file
View File

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/pi-hole/README.md Normal file
View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

4
roles/pi-hole/defaults/main.yml Normal file
View File

@ -0,0 +1,4 @@
---
# defaults file for pi-hole
pihole_enabled: false

2
roles/pi-hole/handlers/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# handlers file for pi-hole

52
roles/pi-hole/meta/main.yml Normal file
View File

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

20
roles/pi-hole/tasks/main.yml Normal file
View File

@ -0,0 +1,20 @@
---
# tasks file for pi-hole
- name: Pi-Hole setup
when:
- 'pihole_enabled is true'
block:
- name: Populate service facts
ansible.builtin.service_facts:
- name: Start install process for pihole if service not found
when: "ansible_facts.services['pihole-FTL.service'] is not defined"
block:
- name: Install cURL if not present
ansible.builtin.package:
name: curl
- name: Execute manually the automated install and follow instructions
ansible.builtin.debug:
msg: "curl -sSL https://install.pi-hole.net | bash"

2
roles/pi-hole/tests/inventory Normal file
View File

@ -0,0 +1,2 @@
localhost

5
roles/pi-hole/tests/test.yml Normal file
View File

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- pi-hole

2
roles/pi-hole/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# vars file for pi-hole

29
roles/snort-community/.travis.yml Normal file
View File

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/snort-community/README.md Normal file
View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

13
roles/snort-community/defaults/main.yml Normal file
View File

@ -0,0 +1,13 @@
---
# defaults file for snort-community
snort_community_enabled: false
snort_package_name_by_os_family:
Debian: snort
snort_community_group: snort
snort_community_user: snort
snort_symlink_dest: /usr/sbin/snort
snort_home_net_address: 192.168.1.0/24

2
roles/snort-community/handlers/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# handlers file for snort-community

52
roles/snort-community/meta/main.yml Normal file
View File

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

75
roles/snort-community/tasks/main.yml Normal file
View File

@ -0,0 +1,75 @@
---
# tasks file for snort-community
- name: Snort Community Edition setup
when:
- "snort_community_enabled is true"
block:
- name: Gather package facts
package_facts:
manager: auto
- name: First time snort setup
when: "'snort_package_name_by_os_family[ansible_os_family]' not in ansible_facts.packages"
block:
- name: Install snort package
ansible.builtin.package:
name: "{{ snort_package_name_by_os_family[ansible_os_family] }}"
- name: Check if snort symlink exists
stat:
path: "{{ snort_symlink_dest }}"
register: symlink_name
- name: Symlink snort to /usr/sbin
when: not symlink_name.stat.exists
ansible.builtin.file:
src: /usr/local/bin/snort
dest: "{{ snort_symlink_dest }}"
state: link
- name: Create snort group
group:
name: "{{ snort_community_group }}"
state: present
- name: Create snort user
user:
name: "{{ snort_community_user }}"
state: present
shell: /sbin/nologin
group: "{{ snort_community_group }}"
- name: Create config directory
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ snort_community_user }}"
group: "{{ snort_community_group }}"
mode: '5775'
loop:
- /etc/snort/rules
- /var/log/snort
- /usr/local/lib/snort_dynamicrules
- name: Create file for local.rules
ansible.builtin.file:
path: /etc/snort/rules/local.rules
- name: Configure snort with defaults
# when: "'snort_package_name_by_os_family[ansible_os_family]' not in ansible_facts.packages"
block:
- name: Set HOME_NET
ansible.builtin.replace:
path: /etc/snort/snort.conf
regexp: 'ipvar HOME_NET any'
replace: 'ipvar HOME_NET {{ snort_home_net_address }}'
- name: Validate snort configuration
ansible.builtin.shell: snort -T -c /etc/snort/snort.conf
register: snort_output
- name: Check successful state validation
failed_when: "snort_output is not search('Snort successfully validated')"
ansible.builtin.debug:
msg: "Snort configuration end"

2
roles/snort-community/tests/inventory Normal file
View File

@ -0,0 +1,2 @@
localhost

5
roles/snort-community/tests/test.yml Normal file
View File

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- snort-community

2
roles/snort-community/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# vars file for snort-community

29
roles/yggdrasil/.travis.yml Normal file
View File

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/yggdrasil/README.md Normal file
View File

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).

5
roles/yggdrasil/defaults/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
# defaults file for yggdrasil
yggdrasil_enabled: false
yggdrasil_sshd_enabled: false

2
roles/yggdrasil/handlers/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# handlers file for yggdrasil

52
roles/yggdrasil/meta/main.yml Normal file
View File

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.

35
roles/yggdrasil/tasks/install_Debian.yml Normal file
View File

@ -0,0 +1,35 @@
- name: Create /usr/local/apt-keys directory
ansible.builtin.file:
path: /usr/local/apt-keys
state: directory
mode: '0755'
- name: Download GPG key
ansible.builtin.shell: gpg --fetch-keys https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt
- name: Install GPG key
ansible.builtin.shell: gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | sudo tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null
- name: Add specified repository into sources list using specified filename
ansible.builtin.apt_repository:
repo: deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil
state: present
filename: yggdrasil
- name: Update repositories cache and install "yggdrasil" package
ansible.builtin.apt:
name: yggdrasil
update_cache: yes
- name: Update yggdrasil.conf with peers
replace:
path: /etc/yggdrasil.conf
regexp: 'Peers:\s\[\]'
replace: 'Peers: [\n\ttls://[2001:470:1f13:e56::64]:39575\n\ttls://s2.i2pd.xyz:39575\n\ttls://51.255.223.60:54232\n\ttls://45.147.198.155:6010\n\ttls://ygg1.ezdomain.ru:11130\n\ttls://ygg.mkg20001.io:443\n ]'
- name: Enable Yggdrasil service
ansible.builtin.systemd:
name: yggdrasil
enabled: yes
state: started
masked: no

73
roles/yggdrasil/tasks/main.yml Normal file
View File

@ -0,0 +1,73 @@
- name: Install and configure yggdrasil
when: "yggdrasil_enabled is true"
block:
- name: Gather package facts
package_facts:
manager: auto
- name: Install yggdrasil if not present
when: "'yggdrasil' not in ansible_facts.packages"
block:
- include_tasks: "install_{{ ansible_os_family }}.yml"
- name: Populate service facts
ansible.builtin.service_facts:
- name: Configure iptables
when: "ansible_facts.services['iptables.service'] is defined"
block:
- name: Allow related and established connections
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
in_interface: tun0
ip_version: ipv6
- name: Drop invalid connections
ansible.builtin.iptables:
chain: INPUT
ctstate: INVALID
jump: DROP
in_interface: tun0
ip_version: ipv6
- name: Allow new incoming SYN packets on TCP port 22 (SSH)
when: 'yggdrasil_sshd_enabled is true'
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: 22
ctstate: NEW
syn: match
jump: ACCEPT
ip_version: ipv6
comment: Accept new SSH connections.
- name: Set the policy for the INPUT chain to DROP
ansible.builtin.iptables:
chain: INPUT
policy: DROP
ip_version: ipv6
- name: Set the policy for the FORWARD chain to DROP
ansible.builtin.iptables:
chain: FORWARD
policy: DROP
ip_version: ipv6
- name: Save rules with iptables-persistent v6
ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
- name: Remove yggdrasil if not enabled
when: "yggdrasil_enabled is false"
block:
- name: Gather package facts
package_facts:
manager: auto
- name: Remove yggdrasil if present
when: "'yggdrasil' in ansible_facts.packages"
ansible.builtin.apt:
name: yggdrasil
state: absent

2
roles/yggdrasil/tests/inventory Normal file
View File

@ -0,0 +1,2 @@
localhost

5
roles/yggdrasil/tests/test.yml Normal file
View File

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- yggdrasil

2
roles/yggdrasil/vars/main.yml Normal file
View File

@ -0,0 +1,2 @@
---
# vars file for yggdrasil