commit df18c65a754cb85044a21b9979088d133b37511f Author: Claudio Maradonna Date: Fri Nov 18 18:33:37 2022 +0100 init repo with: iptables, pihole, snort, yggdrasil, basic hardening, os-updates diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..84ab838 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +inventory/* +host_vars/* +Dockerfile +docker-compose.yml diff --git a/Dockerfile.example b/Dockerfile.example new file mode 100644 index 0000000..bdc8d85 --- /dev/null +++ b/Dockerfile.example @@ -0,0 +1,21 @@ +FROM ubuntu + +RUN apt-get update + +RUN apt-get install -y openssh-server +RUN mkdir /var/run/sshd + +RUN echo 'root:root' |chpasswd + +RUN sed -ri 's/^#?PermitRootLogin\s+.*/PermitRootLogin yes/' /etc/ssh/sshd_config +RUN sed -ri 's/UsePAM yes/#UsePAM yes/g' /etc/ssh/sshd_config + +RUN mkdir /root/.ssh +RUN echo 'YOUR PUB KEY' > /root/.ssh/authorized_keys + +RUN apt-get clean && \ + rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +EXPOSE 22 + +CMD ["/usr/sbin/sshd", "-D"] diff --git a/docker-compose.yml.example b/docker-compose.yml.example new file mode 100644 index 0000000..492c33d --- /dev/null +++ b/docker-compose.yml.example @@ -0,0 +1,10 @@ +version: '3' + +services: + target: + build: + context: . + dockerfile: Dockerfile + image: ansible-test + ports: + - "2222:22" diff --git a/handbook.yml b/handbook.yml new file mode 100644 index 0000000..a453060 --- /dev/null +++ b/handbook.yml @@ -0,0 +1,23 @@ +--- + +- name: "Setup a GNU/Linux server" + hosts: "{{ target if target is defined else 'planets' }}" + + roles: + - role: iptables-persistent + tags: [firewall] + - role: iptables-basic + tags: [firewall] + - role: iptables-webserver + tags: [firewall, webserver] + - role: iptables-ipfs + tags: [firewall, ipfs] + + - fail2ban-basic + - hardening-basic + - yggdrasil + - role: snort-community + tags: snort + + - role: pi-hole + tags: pi-hole diff --git a/os-update.yml b/os-update.yml new file mode 100644 index 0000000..4660cb2 --- /dev/null 
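Review bot: The example target sets a trivial root password with `RUN echo 'root:root' |chpasswd` and then turns on `PermitRootLogin yes`, although the following lines already install an authorized key for root, so password login is not needed for the Ansible test at all. Because the companion compose example publishes the container's port 22 on the host, a forgotten test container becomes a root shell with a guessable password. Keep it key-only: use `PermitRootLogin prohibit-password` in the sed replacement and add `RUN sed -ri 's/^#?PasswordAuthentication\s+.*/PasswordAuthentication no/' /etc/ssh/sshd_config`, which also makes the `chpasswd` line unnecessary. Pinning `FROM ubuntu` to a tag would make the test image reproducible across runs.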
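Review bot: `- "2222:22"` in docker-compose.yml.example publishes the test SSH port on every host interface, so the example container (root login enabled by Dockerfile.example) is reachable from the whole network rather than only from the Ansible controller on the same machine. Binding to loopback is enough for a local test target: `- "127.0.0.1:2222:22"`. The port string is correctly quoted, which avoids the YAML 1.1 sexagesimal parse of bare `a:b` values.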
+++ b/os-update.yml @@ -0,0 +1,5 @@ +- name: "Update OS of the target" + hosts: "{{ target if target is defined else 'planets' }}" + + roles: + - role: os-updates diff --git a/roles/fail2ban-basic/.travis.yml b/roles/fail2ban-basic/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/fail2ban-basic/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/fail2ban-basic/README.md b/roles/fail2ban-basic/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/fail2ban-basic/README.md 
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/fail2ban-basic/defaults/main.yml b/roles/fail2ban-basic/defaults/main.yml new file mode 100644 index 0000000..4bf780d --- /dev/null +++ b/roles/fail2ban-basic/defaults/main.yml @@ -0,0 +1,5 @@ +--- +# defaults file for fail2ban-basic + +fail2ban_package_name_by_os_family: + Debian: fail2ban diff --git a/roles/fail2ban-basic/handlers/main.yml b/roles/fail2ban-basic/handlers/main.yml new file mode 100644 index 0000000..ddb3864 --- /dev/null +++ b/roles/fail2ban-basic/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for fail2ban-basic 
diff --git a/roles/fail2ban-basic/meta/main.yml b/roles/fail2ban-basic/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/fail2ban-basic/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/fail2ban-basic/tasks/main.yml b/roles/fail2ban-basic/tasks/main.yml new file mode 100644 index 0000000..00f2126 --- /dev/null +++ b/roles/fail2ban-basic/tasks/main.yml 
@@ -0,0 +1,16 @@ +--- +# tasks file for fail2ban-basic +# +- name: Fail2ban Configuration + block: + - name: Install Fail2ban + ansible.builtin.package: + name: "{{ fail2ban_package_name_by_os_family[ansible_os_family] }}" + + - name: Enable Fail2ban service + when: "is_docker is not true" + ansible.builtin.systemd: + name: fail2ban + enabled: yes + state: started + masked: no diff --git a/roles/fail2ban-basic/tests/inventory b/roles/fail2ban-basic/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/fail2ban-basic/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/fail2ban-basic/tests/test.yml b/roles/fail2ban-basic/tests/test.yml new file mode 100644 index 0000000..2372ab4 --- /dev/null +++ b/roles/fail2ban-basic/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - fail2ban-basic diff --git a/roles/fail2ban-basic/vars/main.yml b/roles/fail2ban-basic/vars/main.yml new file mode 100644 index 0000000..99d1e25 --- /dev/null +++ b/roles/fail2ban-basic/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for fail2ban-basic diff --git a/roles/hardening-basic/.travis.yml b/roles/hardening-basic/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/hardening-basic/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file 
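Review bot: `name: "{{ fail2ban_package_name_by_os_family[ansible_os_family] }}"` fails with an opaque undefined-attribute error on any host whose `ansible_os_family` is not `Debian`, because the defaults map in this commit has only that key; roles/iptables-persistent/tasks/main.yml uses the same lookup pattern and has the same problem. An explicit guard gives the operator a readable message: an `ansible.builtin.assert` task before the install with `that: ansible_os_family in fail2ban_package_name_by_os_family` and a `fail_msg` naming the unsupported family. Separately, `enabled: yes` and `masked: no` are YAML 1.1 truthy values; write `enabled: true` / `masked: false`, as the defaults files in this commit already do.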
diff --git a/roles/hardening-basic/README.md b/roles/hardening-basic/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/hardening-basic/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/hardening-basic/defaults/main.yml b/roles/hardening-basic/defaults/main.yml new file mode 100644 index 0000000..4c0cb98 --- /dev/null +++ b/roles/hardening-basic/defaults/main.yml 
@@ -0,0 +1,12 @@ +--- +# defaults file for hardening-basic + +hardening_sshd_enabled: true +hardening_sshd_tcp_forward: false +hardening_sshd_permissions_set_sticky_bit: true + +hardening_modprobe_files: + - /etc/modprobe.d/disable-network-filesystems.conf + - /etc/modprobe.d/disable-rare-filesystems.conf + - /etc/modprobe.d/disable-rare-protocols.conf + - /etc/modprobe.d/disable-vivid.conf diff --git a/roles/hardening-basic/handlers/main.yml b/roles/hardening-basic/handlers/main.yml new file mode 100644 index 0000000..6ba7641 --- /dev/null +++ b/roles/hardening-basic/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for hardening-basic diff --git a/roles/hardening-basic/meta/main.yml b/roles/hardening-basic/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/hardening-basic/meta/main.yml 
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/hardening-basic/tasks/main.yml b/roles/hardening-basic/tasks/main.yml new file mode 100644 index 0000000..e36a0e7 --- /dev/null +++ b/roles/hardening-basic/tasks/main.yml 
@@ -0,0 +1,73 @@ +--- +# tasks file for hardening-basic + +- name: Basic Hardening + block: + - name: Harden SSH Config + when: 'hardening_sshd_enabled is true' + block: + - name: Check if sshd_config/99-hardening exists + stat: + path: /etc/ssh/sshd_config.d/99-hardening.conf + register: file_name + + - name: Download sshd_config + when: not file_name.stat.exists + ansible.builtin.get_url: + url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/ssh/etc/ssh/sshd_config + dest: /etc/ssh/sshd_config.d/99-hardening.conf + + - name: Enable TCP SSH Forwarding + when: 'hardening_sshd_tcp_forward is true' + replace: + path: /etc/ssh/sshd_config.d/99-hardening.conf + regexp: 'AllowTcpForwarding no' + replace: 'AllowTcpForwarding yes' + backup: yes + + - name: Give 1700 permissions to .ssh folder + ansible.builtin.file: + path: /root/.ssh + owner: root + group: root + mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}700" + + - name: Give 1600 permissions to .ssh/authorized_keys file + ansible.builtin.file: + path: /root/.ssh/authorized_keys + owner: root + group: root + mode: "{{ '1' if hardening_sshd_permissions_set_sticky_bit }}600" + + - name: Restart sshd + when: "is_docker is not true" + ansible.builtin.systemd: + state: restarted + name: sshd + + - name: Create if not exists /etc/modprobe.d + file: + path: /etc/modprobe.d + state: directory + + - name: modprobe.d setup + include_tasks: modprobe.yml + loop: "{{ hardening_modprobe_files }}" + loop_control: + loop_var: file + + - name: Create if not exists /etc/sysctl.d + file: + path: /etc/sysctl.d + state: directory + + - name: Check if sysctl/99-hardening exists + stat: + path: /etc/sysctl.d/99-hardening.conf + register: file_name + + - name: Download sysctl.conf + when: not file_name.stat.exists + ansible.builtin.get_url: + url: https://git.unitoo.it/unitoo/configurations/raw/branch/master/sysctl/etc/sysctl.conf + dest: /etc/sysctl.d/99-hardening.conf 
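Review bot: The three `ansible.builtin.get_url` tasks (the sshd drop-in here, the sysctl file at the end of this hunk, and roles/hardening-basic/tasks/modprobe.yml) fetch root-level configuration from the `master` branch of an external repository with no `checksum:`, so whatever that branch serves at run time becomes the host's sshd, sysctl and module-blacklist policy, with no way to verify it or to reproduce a given run. Pin each URL to a specific commit and add `checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"` to every `get_url`. `Restart sshd` then restarts the daemon unconditionally after an unvalidated file landed in sshd_config.d; a `ansible.builtin.command: /usr/sbin/sshd -t` task between the download and the restart would keep a bad drop-in from locking the host out. Note also that `when: not file_name.stat.exists` means each file is fetched once and never refreshed, and that the role creates `/etc/modprobe.d` and `/etc/sysctl.d` but not `/etc/ssh/sshd_config.d`, so the download presumably fails on systems where the drop-in directory (and the `Include` line that reads it) is absent.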
diff --git a/roles/hardening-basic/tasks/modprobe.yml b/roles/hardening-basic/tasks/modprobe.yml new file mode 100644 index 0000000..d85c378 --- /dev/null +++ b/roles/hardening-basic/tasks/modprobe.yml @@ -0,0 +1,10 @@ +- name: Check if {{ file }} exists + stat: + path: "{{ file }}" + register: file_name + +- name: Download {{ file }} + when: not file_name.stat.exists + ansible.builtin.get_url: + url: "https://git.unitoo.it/unitoo/configurations/raw/branch/master/modprobe/{{file}}" + dest: "{{ file }}" diff --git a/roles/hardening-basic/tests/inventory b/roles/hardening-basic/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/hardening-basic/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/hardening-basic/tests/test.yml b/roles/hardening-basic/tests/test.yml new file mode 100644 index 0000000..2de2950 --- /dev/null +++ b/roles/hardening-basic/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - hardening-basic diff --git a/roles/hardening-basic/vars/main.yml b/roles/hardening-basic/vars/main.yml new file mode 100644 index 0000000..22f27c5 --- /dev/null +++ b/roles/hardening-basic/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for hardening-basic diff --git a/roles/iptables-basic/.travis.yml b/roles/iptables-basic/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/iptables-basic/.travis.yml 
@@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/iptables-basic/README.md b/roles/iptables-basic/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/iptables-basic/README.md 
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/iptables-basic/defaults/main.yml b/roles/iptables-basic/defaults/main.yml new file mode 100644 index 0000000..8030734 --- /dev/null +++ b/roles/iptables-basic/defaults/main.yml @@ -0,0 +1,7 @@ +--- +# defaults file for firewall + +iptables_basic_enabled: true +iptables_basic_reset_enabled: false +iptables_basic_ssh_port: 22 +iptables_basic_drop_unencrypted_smtp_port: true diff --git a/roles/iptables-basic/handlers/main.yml b/roles/iptables-basic/handlers/main.yml new file mode 100644 index 0000000..b2f0ee1 --- /dev/null +++ b/roles/iptables-basic/handlers/main.yml 
@@ -0,0 +1,2 @@ +--- +# handlers file for firewall diff --git a/roles/iptables-basic/meta/main.yml b/roles/iptables-basic/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/iptables-basic/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/iptables-basic/tasks/main.yml b/roles/iptables-basic/tasks/main.yml new file mode 100644 index 0000000..1081322 
--- /dev/null +++ b/roles/iptables-basic/tasks/main.yml @@ -0,0 +1,73 @@ +--- +# tasks file for firewall + +- name: Setup iptables to standard configuration + when: + - "is_docker is not true" + - "iptables_basic_enabled is true" + block: + - name: Reset configuration if requested + when: + - "iptables_basic_reset_enabled is true" + block: + - name: Open Firewall just for a moment to flush iptables rules + ansible.builtin.iptables: + chain: INPUT + policy: ACCEPT + + - name: Iptables flush filter + ansible.builtin.iptables: + chain: "{{ item }}" + flush: yes + with_items: [ 'INPUT', 'FORWARD', 'OUTPUT' ] + + - name: Allow related and established connections + ansible.builtin.iptables: + chain: INPUT + ctstate: ESTABLISHED,RELATED + jump: ACCEPT + + - name: Drop invalid connections + ansible.builtin.iptables: + chain: INPUT + ctstate: INVALID + jump: DROP + + - name: Allow lo incoming connections + ansible.builtin.iptables: + chain: INPUT + in_interface: lo + jump: ACCEPT + + - name: Allow new incoming SYN packets on TCP port 22 (SSH) + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ iptables_basic_ssh_port }}" + ctstate: NEW + syn: match + jump: ACCEPT + comment: Accept new SSH connections. + + - name: Set the policy for the INPUT chain to DROP + ansible.builtin.iptables: + chain: INPUT + policy: DROP + + - name: Set the policy for the FORWARD chain to DROP + ansible.builtin.iptables: + chain: FORWARD + policy: DROP + + - name: Drop unencrypted port 25 in output + when: "iptables_basic_drop_unencrypted_smtp_port is true" + ansible.builtin.iptables: + chain: OUTPUT + protocol: tcp + destination_port: 25 + jump: REJECT + reject_with: icmp-port-unreachable + + - name: iptables-persistent + ansible.builtin.include_role: + name: iptables-persistent diff --git a/roles/iptables-basic/tests/inventory b/roles/iptables-basic/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/iptables-basic/tests/inventory 
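Review bot: Every `ansible.builtin.iptables` task in this hunk uses the module's default `ip_version: ipv4`, so the `INPUT`/`FORWARD` DROP policies and the SSH allow exist only in the IPv4 table and an IPv6-enabled host stays fully open, even though iptables-persistent later writes a rules.v6 file. Either add `ip_version: ipv6` counterparts or loop each task over both stacks with `ip_version: "{{ item }}"` and `loop: [ipv4, ipv6]`; if a v6 DROP policy is added, ICMPv6 neighbour discovery must be accepted explicitly or the host loses IPv6 connectivity. With `policy: DROP` on INPUT and no ICMP rule, the v4 table also drops echo requests, which may be intended but is worth stating in the role's README. `flush: yes` is a YAML 1.1 truthy value; the defaults file in this commit uses `true`/`false`.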
@@ -0,0 +1,2 @@ +localhost + diff --git a/roles/iptables-basic/tests/test.yml b/roles/iptables-basic/tests/test.yml new file mode 100644 index 0000000..bd83350 --- /dev/null +++ b/roles/iptables-basic/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - firewall diff --git a/roles/iptables-basic/vars/main.yml b/roles/iptables-basic/vars/main.yml new file mode 100644 index 0000000..c5faea3 --- /dev/null +++ b/roles/iptables-basic/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for firewall diff --git a/roles/iptables-ipfs/.travis.yml b/roles/iptables-ipfs/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/iptables-ipfs/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/iptables-ipfs/README.md b/roles/iptables-ipfs/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/iptables-ipfs/README.md 
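Review bot: `- firewall` in roles/iptables-basic/tests/test.yml names a role that does not exist in this commit; the role directory is `iptables-basic`, so the `--syntax-check` that the role's .travis.yml runs against this playbook would fail to resolve it. Change it to `- iptables-basic`. The `# defaults file for firewall`, `# handlers file for firewall` and `# vars file for firewall` comments in the same role look like leftovers of the same rename.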
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/iptables-ipfs/defaults/main.yml b/roles/iptables-ipfs/defaults/main.yml new file mode 100644 index 0000000..c2496b6 --- /dev/null +++ b/roles/iptables-ipfs/defaults/main.yml @@ -0,0 +1,5 @@ +--- +# defaults file for iptables-ipfs + +iptables_ipfs_enabled: false +iptables_ipfs_port: 4001 diff --git a/roles/iptables-ipfs/handlers/main.yml b/roles/iptables-ipfs/handlers/main.yml new file mode 100644 index 0000000..7a06920 --- /dev/null +++ b/roles/iptables-ipfs/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for iptables-ipfs 
diff --git a/roles/iptables-ipfs/meta/main.yml b/roles/iptables-ipfs/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/iptables-ipfs/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/iptables-ipfs/tasks/main.yml b/roles/iptables-ipfs/tasks/main.yml new file mode 100644 index 0000000..1ccfd35 --- /dev/null +++ b/roles/iptables-ipfs/tasks/main.yml 
@@ -0,0 +1,20 @@ +--- +# tasks file for iptables-ipfs + +- name: setup iptables for IPFS + when: + - "is_docker is not true" + - "iptables_ipfs_enabled is true" + block: + - name: Allow new, established packets on TCP/UDP port 4001 (IPFS) + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ iptables_ipfs_port }}" + ctstate: NEW,ESTABLISHED + jump: ACCEPT + comment: IPFS dedicated port + + - name: iptables-persistent + ansible.builtin.include_role: + name: iptables-persistent diff --git a/roles/iptables-ipfs/tests/inventory b/roles/iptables-ipfs/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/iptables-ipfs/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/iptables-ipfs/tests/test.yml b/roles/iptables-ipfs/tests/test.yml new file mode 100644 index 0000000..a1ff521 --- /dev/null +++ b/roles/iptables-ipfs/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - iptables-ipfs diff --git a/roles/iptables-ipfs/vars/main.yml b/roles/iptables-ipfs/vars/main.yml new file mode 100644 index 0000000..3a8a977 --- /dev/null +++ b/roles/iptables-ipfs/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for iptables-ipfs diff --git a/roles/iptables-persistent/.travis.yml b/roles/iptables-persistent/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/iptables-persistent/.travis.yml 
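Review bot: The task name says `TCP/UDP port 4001` but the rule has `protocol: tcp` only, so the UDP side (IPFS's QUIC transport typically listens on the same port) is not opened and the name misdescribes the rule. Either add a second task with `protocol: udp` or rename this one to `TCP port 4001`. `ctstate: NEW,ESTABLISHED` is redundant with the global ESTABLISHED,RELATED accept in iptables-basic, and, as in that role, the rule is IPv4-only because `ip_version` defaults to ipv4.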
@@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/iptables-persistent/README.md b/roles/iptables-persistent/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/iptables-persistent/README.md 
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/iptables-persistent/defaults/main.yml b/roles/iptables-persistent/defaults/main.yml new file mode 100644 index 0000000..4d4f3cd --- /dev/null +++ b/roles/iptables-persistent/defaults/main.yml @@ -0,0 +1,7 @@ +--- +# defaults file for iptables-persistent + +iptables_persistent_package_name_by_os_family: + Debian: iptables-persistent + +iptables_persistent_save_to_file: true diff --git a/roles/iptables-persistent/handlers/main.yml b/roles/iptables-persistent/handlers/main.yml new file mode 100644 index 0000000..70307cf --- /dev/null +++ b/roles/iptables-persistent/handlers/main.yml 
@@ -0,0 +1,2 @@ +--- +# handlers file for iptables-persistent diff --git a/roles/iptables-persistent/meta/main.yml b/roles/iptables-persistent/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/iptables-persistent/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. 
diff --git a/roles/iptables-persistent/tasks/main.yml b/roles/iptables-persistent/tasks/main.yml new file mode 100644 index 0000000..d5f4d5e --- /dev/null +++ b/roles/iptables-persistent/tasks/main.yml @@ -0,0 +1,17 @@ +- name: Handle iptables-persistent + when: + - "is_docker is not true" + block: + - name: Install iptables-persistent package + ansible.builtin.package: + name: "{{ iptables_persistent_package_name_by_os_family[ansible_os_family] }}" + + - name: Gather package facts + package_facts: + manager: auto + + - name: Save iptables rules into /etc/iptables folder + when: + - "'iptables-persistent' in ansible_facts.packages" + block: + - include_tasks: "save_rules_for_{{ ansible_os_family }}.yml" diff --git a/roles/iptables-persistent/tasks/save_rules_for_Debian.yml b/roles/iptables-persistent/tasks/save_rules_for_Debian.yml new file mode 100644 index 0000000..7fec1f7 --- /dev/null +++ b/roles/iptables-persistent/tasks/save_rules_for_Debian.yml @@ -0,0 +1,8 @@ +- name: Save iptables rules + when: "iptables_persistent_save_to_file is true" + block: + - name: Save rules with iptables-persistent v4 + ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4 + + - name: Save rules with iptables-persistent v6 + ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6 diff --git a/roles/iptables-persistent/tests/inventory b/roles/iptables-persistent/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/iptables-persistent/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/iptables-persistent/tests/test.yml b/roles/iptables-persistent/tests/test.yml new file mode 100644 index 0000000..097ef65 --- /dev/null +++ b/roles/iptables-persistent/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - iptables-persistent diff --git a/roles/iptables-persistent/vars/main.yml b/roles/iptables-persistent/vars/main.yml new file mode 100644 index 0000000..f33ebb3 --- /dev/null 
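Review bot: `- "is_docker is not true"` relies on the Jinja `true` test, which only matches a native boolean `True`; a value that arrives as a string (`-e is_docker=true`, or `is_docker=yes` from an INI inventory) is not a boolean, so the test passes and the whole block runs inside the container, and the hunk does not say what happens when no inventory defines `is_docker` at all. Use a coerced check, `when: "not (is_docker | default(false) | bool)"`, and the same form for `iptables_persistent_save_to_file is true` in save_rules_for_Debian.yml on this line. The identical `is true` pattern appears in iptables-webserver tasks/main.yml, os-updates update_Debian.yml, pi-hole tasks/main.yml and snort-community tasks/main.yml later in this commit. Separately, the install task reads the package name from `iptables_persistent_package_name_by_os_family[ansible_os_family]` while the presence check hard-codes `'iptables-persistent'`; test `iptables_persistent_package_name_by_os_family[ansible_os_family] in ansible_facts.packages` so the two cannot drift.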
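Review bot: `ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4` and its v6 twin report `changed` on every run and carry no `changed_when`/`failed_when`, so the play is never idempotent and problems such as a missing `/etc/iptables` directory surface only through the shell exit status. Since the commit already depends on `community.general` (`community.general.shutdown` in os-updates), the purpose-built module is the cleaner fit: `community.general.iptables_state:` / `state: saved` / `path: /etc/iptables/rules.v4`, with `ip_version: ipv6` and `path: /etc/iptables/rules.v6` for the second task. If the shell form is kept, add a comment stating that the task is intentionally non-idempotent so the permanent `changed` status is not mistaken for drift.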
+++ b/roles/iptables-persistent/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for iptables-persistent diff --git a/roles/iptables-webserver/.travis.yml b/roles/iptables-webserver/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/iptables-webserver/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/iptables-webserver/README.md b/roles/iptables-webserver/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/iptables-webserver/README.md 
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/iptables-webserver/defaults/main.yml b/roles/iptables-webserver/defaults/main.yml new file mode 100644 index 0000000..d5020d6 --- /dev/null +++ b/roles/iptables-webserver/defaults/main.yml @@ -0,0 +1,5 @@ +--- +# defaults file for iptables-webserver + +iptables_webserver_enabled: false +iptables_webserver_ports: [80,443] diff --git a/roles/iptables-webserver/handlers/main.yml b/roles/iptables-webserver/handlers/main.yml new file mode 100644 index 0000000..6790007 --- /dev/null +++ b/roles/iptables-webserver/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for iptables-webserver 
diff --git a/roles/iptables-webserver/meta/main.yml b/roles/iptables-webserver/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/iptables-webserver/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/iptables-webserver/tasks/main.yml b/roles/iptables-webserver/tasks/main.yml new file mode 100644 index 0000000..ad83382 --- /dev/null 
+++ b/roles/iptables-webserver/tasks/main.yml @@ -0,0 +1,21 @@ +--- +# tasks file for iptables-webserver + +- name: Setup iptables for webserver 80 and 443 + when: + - "is_docker is not true" + - "iptables_webserver_enabled is true" + block: + - name: Allow new, established packets on TCP ports 80/443 (Webserver) + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ port }}" + ctstate: NEW,ESTABLISHED + jump: ACCEPT + comment: Webserver dedicated port + loop: "{{ iptables_webserver_ports }}" + + - name: iptables-persistent + ansible.builtin.include_role: + name: iptables-persistent diff --git a/roles/iptables-webserver/tests/inventory b/roles/iptables-webserver/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/iptables-webserver/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/iptables-webserver/tests/test.yml b/roles/iptables-webserver/tests/test.yml new file mode 100644 index 0000000..2d36d5e --- /dev/null +++ b/roles/iptables-webserver/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - iptables-webserver diff --git a/roles/iptables-webserver/vars/main.yml b/roles/iptables-webserver/vars/main.yml new file mode 100644 index 0000000..bd98ede --- /dev/null +++ b/roles/iptables-webserver/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for iptables-webserver diff --git a/roles/os-updates/.travis.yml b/roles/os-updates/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/os-updates/.travis.yml 
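Review bot: `destination_port: "{{ port }}"` references a variable the task never defines — the loop over `iptables_webserver_ports` exposes each element as `item`, and there is no `loop_control: loop_var: port` — so the first iteration fails with an undefined-variable error; change it to `destination_port: "{{ item }}"`. `ansible.builtin.iptables` appends by default (`action: append`); if the iptables-basic role that runs earlier in handbook.yml ends the INPUT chain with a DROP/REJECT rule, these ACCEPT rules land after it and never match — that role is not in this chunk, so verify, and switch to `action: insert` if that is the case. The task name hard-codes "80 and 443" while the ports actually come from `iptables_webserver_ports`; name it after the variable so the name stays true when the list is overridden.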
@@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/os-updates/README.md b/roles/os-updates/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/os-updates/README.md 
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/os-updates/defaults/main.yml b/roles/os-updates/defaults/main.yml new file mode 100644 index 0000000..b441ab0 --- /dev/null +++ b/roles/os-updates/defaults/main.yml @@ -0,0 +1,8 @@ +--- +# defaults file for os-updates + +os_update_auto_reboot: false +os_update_reboot_delay: 60 + +os_update_auto_shutdown: false +os_update_shutdown_delay: 60 diff --git a/roles/os-updates/handlers/main.yml b/roles/os-updates/handlers/main.yml new file mode 100644 index 0000000..e889489 --- /dev/null +++ b/roles/os-updates/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for os-updates 
diff --git a/roles/os-updates/meta/main.yml b/roles/os-updates/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/os-updates/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/os-updates/tasks/main.yml b/roles/os-updates/tasks/main.yml new file mode 100644 index 0000000..a56a080 --- /dev/null +++ b/roles/os-updates/tasks/main.yml 
@@ -0,0 +1,6 @@ +--- +# tasks file for os-updates + +- name: Update all installed packages + block: + - include_tasks: "update_{{ ansible_os_family }}.yml" diff --git a/roles/os-updates/tasks/update_Debian.yml b/roles/os-updates/tasks/update_Debian.yml new file mode 100644 index 0000000..9eefebe --- /dev/null +++ b/roles/os-updates/tasks/update_Debian.yml @@ -0,0 +1,25 @@ +- name: Update all installed packages + apt: + name: '*' + state: latest + update_cache: yes + only_upgrade: yes + register: apt_update_status + +- name: Remove packages not needed anymore + apt: + autoremove: yes + +- name: Reboot when packages were updated + reboot: + post_reboot_delay: "{{ os_update_reboot_delay }}" + when: + - apt_update_status.changed + - "os_update_auto_reboot is true" + +- name: Shutdown when packages were updated + community.general.shutdown: + delay: "{{ os_update_shutdown_delay }}" + when: + - apt_update_status.changed + - "os_update_auto_shutdown is true" diff --git a/roles/os-updates/tests/inventory b/roles/os-updates/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/os-updates/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/os-updates/tests/test.yml b/roles/os-updates/tests/test.yml new file mode 100644 index 0000000..6a4511b --- /dev/null +++ b/roles/os-updates/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - os-updates diff --git a/roles/os-updates/vars/main.yml b/roles/os-updates/vars/main.yml new file mode 100644 index 0000000..008e5a5 --- /dev/null +++ b/roles/os-updates/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for os-updates diff --git a/roles/pi-hole/.travis.yml b/roles/pi-hole/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/pi-hole/.travis.yml 
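Review bot: `update_cache: yes`, `only_upgrade: yes` and `autoremove: yes` are YAML 1.1 truthy strings that yamllint's `truthy` rule rejects and that YAML 1.2 loaders read as plain strings; write `true`, as the rest of the commit does (`iptables_persistent_save_to_file: true`). Module naming is inconsistent within the same file: `apt:` and `reboot:` are short names while `community.general.shutdown` is fully qualified — use `ansible.builtin.apt` and `ansible.builtin.reboot`. `os_update_reboot_delay` is passed as `post_reboot_delay`, which is the wait after the host is back before the module validates it, whereas `os_update_shutdown_delay` is a grace period before the action; if "delay" is meant the same way for both, the matching reboot parameter is `pre_reboot_delay`, and a comment next to the two defaults should state which is intended. `state: latest` with `name: '*'` is the point of an update role, but a one-line comment such as `# intentionally upgrades every package; ansible-lint package-latest is expected here` spares the next reader a lint argument.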
@@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/pi-hole/README.md b/roles/pi-hole/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/pi-hole/README.md 
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/pi-hole/defaults/main.yml b/roles/pi-hole/defaults/main.yml new file mode 100644 index 0000000..bcaef5d --- /dev/null +++ b/roles/pi-hole/defaults/main.yml @@ -0,0 +1,4 @@ +--- +# defaults file for pi-hole + +pihole_enabled: false diff --git a/roles/pi-hole/handlers/main.yml b/roles/pi-hole/handlers/main.yml new file mode 100644 index 0000000..0efc291 --- /dev/null +++ b/roles/pi-hole/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for pi-hole diff --git a/roles/pi-hole/meta/main.yml b/roles/pi-hole/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null 
+++ b/roles/pi-hole/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/pi-hole/tasks/main.yml b/roles/pi-hole/tasks/main.yml new file mode 100644 index 0000000..6c4d577 --- /dev/null +++ b/roles/pi-hole/tasks/main.yml 
@@ -0,0 +1,20 @@ +--- +# tasks file for pi-hole + +- name: Pi-Hole setup + when: + - 'pihole_enabled is true' + block: + - name: Populate service facts + ansible.builtin.service_facts: + + - name: Start install process for pihole if service not found + when: "ansible_facts.services['pihole-FTL.service'] is not defined" + block: + - name: Install cURL if not present + ansible.builtin.package: + name: curl + + - name: Execute manually the automated install and follow instructions + ansible.builtin.debug: + msg: "curl -sSL https://install.pi-hole.net | bash" diff --git a/roles/pi-hole/tests/inventory b/roles/pi-hole/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/pi-hole/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/pi-hole/tests/test.yml b/roles/pi-hole/tests/test.yml new file mode 100644 index 0000000..4ab0fb4 --- /dev/null +++ b/roles/pi-hole/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - pi-hole diff --git a/roles/pi-hole/vars/main.yml b/roles/pi-hole/vars/main.yml new file mode 100644 index 0000000..1e0ef30 --- /dev/null +++ b/roles/pi-hole/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for pi-hole diff --git a/roles/snort-community/.travis.yml b/roles/snort-community/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/snort-community/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file 
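Review bot: the final task only prints `curl -sSL https://install.pi-hole.net | bash` through `ansible.builtin.debug`, so the role's install path ends as an instruction to the operator to pipe an unverified remote script into a root shell, and a run of this role leaves the host without Pi-hole while the play reports success. If the install is meant to stay manual, say so in the task name and the role README, and have the message tell the operator to download the script to a file, inspect it and verify it against the project's published source before executing it. If it is meant to be automated, fetch the installer with `ansible.builtin.get_url` (which supports `checksum:` against a known value), then run the downloaded file with `ansible.builtin.command` and a `creates:` guard so the step is idempotent. `pihole_enabled is true` has the strict-boolean problem already noted on the iptables-persistent tasks file.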
diff --git a/roles/snort-community/README.md b/roles/snort-community/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/snort-community/README.md @@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/snort-community/defaults/main.yml b/roles/snort-community/defaults/main.yml new file mode 100644 index 0000000..73b8446 --- /dev/null +++ b/roles/snort-community/defaults/main.yml 
@@ -0,0 +1,13 @@ +--- +# defaults file for snort-community + +snort_community_enabled: false + +snort_package_name_by_os_family: + Debian: snort + +snort_community_group: snort +snort_community_user: snort + +snort_symlink_dest: /usr/sbin/snort +snort_home_net_address: 192.168.1.0/24 diff --git a/roles/snort-community/handlers/main.yml b/roles/snort-community/handlers/main.yml new file mode 100644 index 0000000..c979587 --- /dev/null +++ b/roles/snort-community/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for snort-community diff --git a/roles/snort-community/meta/main.yml b/roles/snort-community/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/snort-community/meta/main.yml 
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/snort-community/tasks/main.yml b/roles/snort-community/tasks/main.yml new file mode 100644 index 0000000..3ca9c9a --- /dev/null +++ b/roles/snort-community/tasks/main.yml 
@@ -0,0 +1,75 @@ +--- +# tasks file for snort-community + +- name: Snort Community Edition setup + when: + - "snort_community_enabled is true" + block: + - name: Gather package facts + package_facts: + manager: auto + + - name: First time snort setup + when: "'snort_package_name_by_os_family[ansible_os_family]' not in ansible_facts.packages" + block: + - name: Install snort package + ansible.builtin.package: + name: "{{ snort_package_name_by_os_family[ansible_os_family] }}" + + - name: Check if snort symlink exists + stat: + path: "{{ snort_symlink_dest }}" + register: symlink_name + + - name: Symlink snort to /usr/sbin + when: not symlink_name.stat.exists + ansible.builtin.file: + src: /usr/local/bin/snort + dest: "{{ snort_symlink_dest }}" + state: link + + - name: Create snort group + group: + name: "{{ snort_community_group }}" + state: present + + - name: Create snort user + user: + name: "{{ snort_community_user }}" + state: present + shell: /sbin/nologin + group: "{{ snort_community_group }}" + + - name: Create config directory + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ snort_community_user }}" + group: "{{ snort_community_group }}" + mode: '5775' + loop: + - /etc/snort/rules + - /var/log/snort + - /usr/local/lib/snort_dynamicrules + + - name: Create file for local.rules + ansible.builtin.file: + path: /etc/snort/rules/local.rules + + - name: Configure snort with defaults + # when: "'snort_package_name_by_os_family[ansible_os_family]' not in ansible_facts.packages" + block: + - name: Set HOME_NET + ansible.builtin.replace: + path: /etc/snort/snort.conf + regexp: 'ipvar HOME_NET any' + replace: 'ipvar HOME_NET {{ snort_home_net_address }}' + + - name: Validate snort configuration + ansible.builtin.shell: snort -T -c /etc/snort/snort.conf + register: snort_output + + - name: Check successful state validation + failed_when: "snort_output is not search('Snort successfully validated')" + ansible.builtin.debug: + msg: "Snort 
configuration end" diff --git a/roles/snort-community/tests/inventory b/roles/snort-community/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/snort-community/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/snort-community/tests/test.yml b/roles/snort-community/tests/test.yml new file mode 100644 index 0000000..54cbdd6 --- /dev/null +++ b/roles/snort-community/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - snort-community diff --git a/roles/snort-community/vars/main.yml b/roles/snort-community/vars/main.yml new file mode 100644 index 0000000..3eb1883 --- /dev/null +++ b/roles/snort-community/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for snort-community diff --git a/roles/yggdrasil/.travis.yml b/roles/yggdrasil/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/yggdrasil/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/yggdrasil/README.md b/roles/yggdrasil/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/yggdrasil/README.md 
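Review bot: `when: "'snort_package_name_by_os_family[ansible_os_family]' not in ansible_facts.packages"` wraps the lookup in single quotes, so it tests for a package literally named `snort_package_name_by_os_family[ansible_os_family]`, which is never installed, and the whole "First time snort setup" block re-runs on every play; drop the inner quotes: `when: "snort_package_name_by_os_family[ansible_os_family] not in ansible_facts.packages"` (the commented-out copy above "Configure snort with defaults" has the same mistake). `ansible.builtin.file` with `path: /etc/snort/rules/local.rules` and no `state:` defaults to `state: file`, which fails when the file does not yet exist; use `state: touch` together with `modification_time: preserve` and `access_time: preserve` so the task stays idempotent. `mode: '5775'` sets the setuid and sticky bits on `/etc/snort/rules`, `/var/log/snort` and the dynamicrules directory, which is almost certainly not intended for configuration and log directories — `'0755'` (or `'2775'` if group-shared writes are wanted) is the conventional choice. `ansible.builtin.shell: snort -T -c /etc/snort/snort.conf` is a read-only validation and should carry `changed_when: false`, and `failed_when: "snort_output is not search('Snort successfully validated')"` applies the regex to the text form of the whole registered result rather than to `snort_output.stdout`; make both explicit.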
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/roles/yggdrasil/defaults/main.yml b/roles/yggdrasil/defaults/main.yml
new file mode 100644
index 0000000..799167a
--- /dev/null
+++ b/roles/yggdrasil/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+# defaults file for yggdrasil
+
+yggdrasil_enabled: false
+yggdrasil_sshd_enabled: false
diff --git a/roles/yggdrasil/handlers/main.yml b/roles/yggdrasil/handlers/main.yml
new file mode 100644
index 0000000..c9bd953
--- /dev/null
+++ b/roles/yggdrasil/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for yggdrasil
diff --git a/roles/yggdrasil/meta/main.yml b/roles/yggdrasil/meta/main.yml
new file mode 100644
index 0000000..c572acc
--- /dev/null
+++ b/roles/yggdrasil/meta/main.yml
@@ -0,0 +1,52 @@
+galaxy_info:
+ author: your name
+ description: your role description
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.1
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/roles/yggdrasil/tasks/install_Debian.yml b/roles/yggdrasil/tasks/install_Debian.yml
new file mode 100644
index 0000000..279eeb8
--- /dev/null
+++ b/roles/yggdrasil/tasks/install_Debian.yml
@@ -0,0 +1,35 @@
+- name: Create /usr/local/apt-keys directory
+ ansible.builtin.file:
+ path: /usr/local/apt-keys
+ state: directory
+ mode: '0755'
+
+- name: Download GPG key
+ ansible.builtin.shell: gpg --fetch-keys https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt
+
+- name: Install GPG key
+ ansible.builtin.shell: gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | sudo tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null
+
+- name: Add specified repository into sources list using specified filename
+ ansible.builtin.apt_repository:
+ repo: deb [signed-by=/usr/local/apt-keys/yggdrasil-keyring.gpg] http://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/ debian yggdrasil
+ state: present
+ filename: yggdrasil
+
+- name: Update repositories cache and install "yggdrasil" package
+ ansible.builtin.apt:
+ name: yggdrasil
+ update_cache: yes
+
+- name: Update yggdrasil.conf with peers
+ replace:
+ path: /etc/yggdrasil.conf
+ regexp: 'Peers:\s\[\]'
+ replace: 'Peers: [\n\ttls://[2001:470:1f13:e56::64]:39575\n\ttls://s2.i2pd.xyz:39575\n\ttls://51.255.223.60:54232\n\ttls://45.147.198.155:6010\n\ttls://ygg1.ezdomain.ru:11130\n\ttls://ygg.mkg20001.io:443\n ]'
+
+- name: Enable Yggdrasil service
+ ansible.builtin.systemd:
+ name: yggdrasil
+ enabled: yes
+ state: started
+ masked: no
diff --git a/roles/yggdrasil/tasks/main.yml b/roles/yggdrasil/tasks/main.yml
new file mode 100644
index 0000000..3b1136e
--- /dev/null
+++ b/roles/yggdrasil/tasks/main.yml
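Review bot: "Install GPG key" cannot notice a failed key fetch: if "Download GPG key" did not import the key, `gpg --export 569130E8…` prints nothing and exits 0, so an empty `/usr/local/apt-keys/yggdrasil-keyring.gpg` is written and the failure only surfaces later as a signature error from apt rather than in this task. Both shell tasks also re-run on every pass through the surrounding install block and embed `sudo` in the command line, where `become: true` on the task is the Ansible way to get root (the play presumably already runs privileged, since `apt_repository` and `apt` need it); a `creates:` argument on the fetch and a size check on the exported keyring make the step idempotent and fail-closed, as below. Exporting by full fingerprint does pin the signing key, which is the right thing to keep. The peer list in "Update yggdrasil.conf with peers" decides which remote nodes this host connects to and is operator-specific, so it belongs in `defaults/main.yml` as a list variable rendered into the `replace:` value rather than a hard-coded string, and `enabled: yes` / `update_cache: yes` / `masked: no` should be `true` / `false` (yamllint `truthy`).
```yaml
- name: Download GPG key
  ansible.builtin.command: gpg --fetch-keys https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt
  args:
    creates: /usr/local/apt-keys/yggdrasil-keyring.gpg
  become: true

- name: Install GPG key (pinned to the full fingerprint)
  ansible.builtin.shell: gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 > /usr/local/apt-keys/yggdrasil-keyring.gpg
  become: true

- name: Fail if the pinned key was not exported
  ansible.builtin.stat:
    path: /usr/local/apt-keys/yggdrasil-keyring.gpg
  register: yggdrasil_keyring
  failed_when: yggdrasil_keyring.stat.size == 0
# … unchanged: apt_repository, apt, replace and systemd tasks …
```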
@@ -0,0 +1,73 @@
+- name: Install and configure yggdrasil
+ when: "yggdrasil_enabled is true"
+ block:
+ - name: Gather package facts
+ package_facts:
+ manager: auto
+
+ - name: Install yggdrasil if not present
+ when: "'yggdrasil' not in ansible_facts.packages"
+ block:
+ - include_tasks: "install_{{ ansible_os_family }}.yml"
+
+ - name: Populate service facts
+ ansible.builtin.service_facts:
+
+ - name: Configure iptables
+ when: "ansible_facts.services['iptables.service'] is defined"
+ block:
+ - name: Allow related and established connections
+ ansible.builtin.iptables:
+ chain: INPUT
+ ctstate: ESTABLISHED,RELATED
+ jump: ACCEPT
+ in_interface: tun0
+ ip_version: ipv6
+
+ - name: Drop invalid connections
+ ansible.builtin.iptables:
+ chain: INPUT
+ ctstate: INVALID
+ jump: DROP
+ in_interface: tun0
+ ip_version: ipv6
+
+ - name: Allow new incoming SYN packets on TCP port 22 (SSH)
+ when: 'yggdrasil_sshd_enabled is true'
+ ansible.builtin.iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: 22
+ ctstate: NEW
+ syn: match
+ jump: ACCEPT
+ ip_version: ipv6
+ comment: Accept new SSH connections.
+
+ - name: Set the policy for the INPUT chain to DROP
+ ansible.builtin.iptables:
+ chain: INPUT
+ policy: DROP
+ ip_version: ipv6
+
+ - name: Set the policy for the FORWARD chain to DROP
+ ansible.builtin.iptables:
+ chain: FORWARD
+ policy: DROP
+ ip_version: ipv6
+
+ - name: Save rules with iptables-persistent v6
+ ansible.builtin.shell: ip6tables-save > /etc/iptables/rules.v6
+
+- name: Remove yggdrasil if not enabled
+ when: "yggdrasil_enabled is false"
+ block:
+ - name: Gather package facts
+ package_facts:
+ manager: auto
+
+ - name: Remove yggdrasil if present
+ when: "'yggdrasil' in ansible_facts.packages"
+ ansible.builtin.apt:
+ name: yggdrasil
+ state: absent
diff --git a/roles/yggdrasil/tests/inventory b/roles/yggdrasil/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/roles/yggdrasil/tests/inventory
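Review bot: "Set the policy for the INPUT chain to DROP" applies to all IPv6 traffic on the host, but the only ACCEPT rules added before it are restricted to `in_interface: tun0`, so loopback traffic and ICMPv6 (neighbor discovery, router advertisements, path-MTU) are dropped on every other interface and the host's IPv6 connectivity outside the overlay breaks; unless the iptables-basic role listed earlier in handbook.yml is guaranteed to have added those rules (not visible here, and tests/test.yml runs this role on its own), this block needs explicit `lo` and `ipv6-icmp` accepts before the policy change, as below. The SSH rule guarded by `yggdrasil_sshd_enabled` has no `in_interface`, so it opens port 22 on every IPv6 interface rather than only the Yggdrasil one the variable name suggests; `in_interface: tun0` scopes it. `tun0` is hard-coded in three rules while the interface name is a yggdrasil.conf setting (`IfName`), so a `yggdrasil_interface` default would keep the rules and the daemon in step. `include_tasks: "install_{{ ansible_os_family }}.yml"` only has a Debian file behind it in this commit and the removal block always uses `ansible.builtin.apt`, so the role should either state Debian-only support in meta/main.yml or guard both with `when: ansible_os_family == 'Debian'`.
```yaml
# … unchanged: Allow related and established connections …
- name: Allow loopback traffic
  ansible.builtin.iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT
    ip_version: ipv6

- name: Allow ICMPv6 (neighbor discovery, router advertisements, path-MTU)
  ansible.builtin.iptables:
    chain: INPUT
    protocol: ipv6-icmp
    jump: ACCEPT
    ip_version: ipv6
# … unchanged: Drop invalid connections …
- name: Allow new incoming SYN packets on TCP port 22 (SSH) over Yggdrasil only
  when: 'yggdrasil_sshd_enabled is true'
  ansible.builtin.iptables:
    chain: INPUT
    in_interface: tun0
    protocol: tcp
    destination_port: 22
    ctstate: NEW
    syn: match
    jump: ACCEPT
    ip_version: ipv6
    comment: Accept new SSH connections.
# … unchanged: INPUT/FORWARD policy, ip6tables-save, removal block …
```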
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/roles/yggdrasil/tests/test.yml b/roles/yggdrasil/tests/test.yml
new file mode 100644
index 0000000..f4b1519
--- /dev/null
+++ b/roles/yggdrasil/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - yggdrasil
diff --git a/roles/yggdrasil/vars/main.yml b/roles/yggdrasil/vars/main.yml
new file mode 100644
index 0000000..3162683
--- /dev/null
+++ b/roles/yggdrasil/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for yggdrasil