add architecture_mapping; add harden systemd for basic hardening role; add ipfs dedicated role

This commit is contained in:
Claudio Maradonna 2022-11-22 15:04:17 +01:00
parent ddbbb2f427
commit eecdfefa26
Signed by untrusted user who does not match committer: claudiomaradonna
GPG key ID: 0CBA58694C5680D9
18 changed files with 298 additions and 9 deletions


@ -1,2 +1,4 @@
architecture_mapping: { "armv6l": "armhf", "armv7l": "armhf", "aarch64": "arm64", "x86_64": "amd64", "i386": "i386" }
sshd_port: 22 sshd_port: 22
ipfs_port: 4001 ipfs_port: 4001
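Review bot: `architecture_mapping` is written as a one-line flow mapping, the only flow collection in these files, and it will not diff cleanly as architectures are added; block style with one `"armv6l": "armhf"` pair per line reads better and matches the rest of the vars. tasks/main.yml indexes it as `architecture_mapping[ansible_architecture]`, so a host whose `ansible_architecture` is absent from the map fails at the download task with an undefined-variable error rather than a clear message; an `ansible.builtin.assert` with `that: "ansible_architecture in architecture_mapping"` before that task would name the problem. The hunk header counts two added lines but only this one is visible, so a second entry may be missing from this rendering.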


@ -13,14 +13,14 @@
tags: [firewall, ips, ids] tags: [firewall, ips, ids]
- role: iptables-webserver - role: iptables-webserver
tags: [firewall, webserver] tags: [firewall, webserver]
- role: iptables-ipfs
tags: [firewall, ipfs]
- role: fail2ban-basic - role: fail2ban-basic
tags: [fail2ban, ips, ids] tags: [fail2ban, ips, ids]
- yggdrasil - role: ipfs
tags: [ipfs]
- role: yggdrasil
tags: [yggdrasil]
- role: snort-community - role: snort-community
tags: [snort, ips, ids] tags: [snort, ips, ids]
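Review bot: `iptables-ipfs` is applied twice per play after this change: once from the new `- role: iptables-ipfs` entry here and again from the ipfs role's own `ansible.builtin.include_role: name: iptables-ipfs` at the end of roles/ipfs/tasks/main.yml in the same commit. Both runs execute the same iptables tasks, so the cost is presumably only runtime and confusing output, but the second run is not controlled by the `[firewall, ipfs]` tags attached here. Either drop this entry and rely on the role's include, or keep it and remove the include so the tags stay authoritative. The enclosing play starts before this hunk.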


@ -6,7 +6,7 @@
with_community.general.filetree: '../templates/systemd/etc/' with_community.general.filetree: '../templates/systemd/etc/'
when: item.state == 'directory' when: item.state == 'directory'
- name: Create and copy hardening files - name: Create and copy files
ansible.builtin.template: ansible.builtin.template:
src: '{{ item.src }}' src: '{{ item.src }}'
dest: '/etc/{{ item.path }}' dest: '/etc/{{ item.path }}'

29
roles/ipfs/.travis.yml Normal file

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/ipfs/README.md Normal file

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).


@ -0,0 +1,9 @@
---
# defaults file for ipfs
ipfs_enabled: false
ipfs_setup: false
ipfs_updater_version: 1.9.0
ipfs_group: ipfs
ipfs_user: ipfs
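Review bot: `ipfs_version` is the variable tasks/main.yml gates the actual install on (`when: 'ipfs_version is defined'`), yet it is absent from this defaults file, so a reader of the defaults cannot tell that the role installs nothing until it is set; a commented entry such as `# ipfs_version: <kubo version to install; unset = install step is skipped>` would document that contract. Likewise `ipfs_setup: false` means the user, group, `/mnt/ipfs` and `ipfs-update` are not created unless it is switched on, which a one-line comment on that key should state. The hunk header counts 9 lines and 7 are shown, so an entry may simply be missing from this rendering.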


@ -0,0 +1,2 @@
---
# handlers file for ipfs

52
roles/ipfs/meta/main.yml Normal file

@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.


@ -0,0 +1,16 @@
- name: Install systemd service for ipfs
become: true
become_user: root
block:
- name: Create and copy systemd files
ansible.builtin.template:
src: '{{ item.src }}'
dest: '/{{ item.path }}'
with_community.general.filetree: '../templates/systemd/'
when: item.state == 'file'
- name: Reload systemd services
ansible.builtin.systemd:
name: ipfs
state: started
daemon_reload: yes
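Review bot: The last task starts the unit with `state: started` and `daemon_reload: yes` but never enables it, so the daemon is not brought back after a reboot even though the shipped unit carries `WantedBy=multi-user.target`; add `enabled: true` and prefer `daemon_reload: true` over the `yes` literal. The task name "Reload systemd services" understates what it does; `Enable and start the ipfs service` would match. The template task writes every file found under `templates/systemd/` to `/{{ item.path }}`, so the layout of that directory alone decides which root-owned paths are overwritten; a comment naming the expected tree (presumably `etc/systemd/system/ipfs.service`) would make that visible. The hunk header counts 16 lines and 15 are shown, so one line may be missing from this rendering.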

77
roles/ipfs/tasks/main.yml Normal file

@ -0,0 +1,77 @@
---
# tasks file for ipfs
- name: Install IPFS if enabled
when:
- 'ipfs_enabled is true'
block:
- name: Setup ipfs-update
when: 'ipfs_setup is true'
block:
- name: Create ipfs group
group:
name: "{{ ipfs_group }}"
state: present
- name: Create ipfs user
user:
name: "{{ ipfs_user }}"
state: present
shell: /sbin/nologin
group: "{{ ipfs_group }}"
- name: Create working dir
ansible.builtin.file:
path: '/mnt/ipfs'
state: directory
owner: '{{ ipfs_user }}'
group: '{{ ipfs_group }}'
- name: Download ipfs-update for IPFS version control
ansible.builtin.unarchive:
src: 'https://dist.ipfs.tech/ipfs-update/v{{ ipfs_updater_version }}/ipfs-update_v{{ ipfs_updater_version }}_linux-{{ architecture_mapping[ansible_architecture] }}.tar.gz'
dest: /tmp
remote_src: yes
owner: root
group: root
- name: Install ipfs-update
ansible.builtin.copy:
src: /tmp/ipfs-update/ipfs-update
dest: /usr/local/bin/ipfs-update
owner: ipfs
group: ipfs
mode: '1750'
remote_src: yes
- name: Install ipfs version specified
when: 'ipfs_version is defined'
become: true
become_user: '{{ ipfs_user }}'
block:
- name: Create directory tree if not exists
ansible.builtin.file:
path: '~/{{ item.path }}'
state: directory
mode: '{{ item.mode }}'
with_community.general.filetree: '../templates/ipfs/'
when: item.state == 'directory'
- name: Create and copy hardening files
ansible.builtin.template:
src: '{{ item.src }}'
dest: '~/{{ item.path }}'
with_community.general.filetree: '../templates/ipfs/'
when: item.state == 'file'
- name: Update ipfs-update version
ansible.builtin.shell: PATH=$PATH:$HOME/.local/bin ipfs-update versions
- name: Install version
ansible.builtin.shell: PATH=$PATH:$HOME/.local/bin ipfs-update install {{ ipfs_version }}
- include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
- name: Setup firewall
ansible.builtin.include_role:
name: iptables-ipfs
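Review bot: `/usr/local/bin/ipfs-update` is installed with `owner: ipfs`, `group: ipfs`, `mode: '1750'`, so the unprivileged service account owns the updater it later executes and can replace it; the sticky bit in `1750` has no effect on a regular file on Linux, and the hard-coded names bypass the role's own `ipfs_user`/`ipfs_group` variables used two tasks earlier. Prefer `owner: root`, `group: '{{ ipfs_group }}'`, `mode: '0750'`. The tarball fetched in "Download ipfs-update for IPFS version control" is pinned by `ipfs_updater_version` but never checksum-verified, and `ansible.builtin.unarchive` has no `checksum:` option, so a `get_url` step with an expected digest should precede the unpack (rewrite below; the digest is left as a placeholder because it differs per version and architecture). `ipfs-update install {{ ipfs_version }}` is interpolated unquoted into `ansible.builtin.shell`; if `ipfs_version` can come from inventory or extra-vars, `ansible.builtin.command` with `argv:` avoids shell interpretation, and both shell tasks report changed on every run until they set `changed_when`.

```yaml
# … unchanged: "Create ipfs group", "Create ipfs user", "Create working dir" …
- name: Download ipfs-update for IPFS version control
  ansible.builtin.get_url:
    url: 'https://dist.ipfs.tech/ipfs-update/v{{ ipfs_updater_version }}/ipfs-update_v{{ ipfs_updater_version }}_linux-{{ architecture_mapping[ansible_architecture] }}.tar.gz'
    dest: '/tmp/ipfs-update_v{{ ipfs_updater_version }}.tar.gz'
    # per-version, per-architecture digest; PLACEHOLDER, record the real value when bumping ipfs_updater_version
    checksum: 'sha256:<EXPECTED_DIGEST>'
    owner: root
    group: root
    mode: '0644'
- name: Unpack ipfs-update
  ansible.builtin.unarchive:
    src: '/tmp/ipfs-update_v{{ ipfs_updater_version }}.tar.gz'
    dest: /tmp
    remote_src: true
    owner: root
    group: root
# … unchanged: "Install ipfs-update" and the remaining tasks …
```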



@ -0,0 +1,57 @@
[Unit]
Description=IPFS Daemon
Documentation=https://docs.ipfs.io/
After=network.target
[Service]
# hardening
ReadWritePaths=/home/ipfs /mnt/ipfs
NoNewPrivileges=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
PrivateDevices=true
DevicePolicy=closed
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
ProtectHostname=true
PrivateTmp=true
ProtectClock=true
LockPersonality=true
RestrictNamespaces=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
#ProtectHome=true
RemoveIPC=true
RestrictSUIDSGID=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LimitNOFILE=8192
#LimitNice=10
MemoryAccounting=true
#MemoryHigh=768M
#MemoryMax=1024M
MemorySwapMax=0
CPUAccounting=true
CPUQuota=40%
TimeoutStartSec=infinity
Type=notify
Environment="IPFS_PATH=/mnt/ipfs"
Environment=IPFS_LOGGING="error"
Environment=IPFS_FD_MAX=8192
ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate
User=ipfs
Group=ipfs
StateDirectory=ipfs
Restart=always
RestartSec=60
KillMode=process
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target
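Review bot: `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` keeps a capability the service can never obtain: it runs as `User=ipfs` with `NoNewPrivileges=true` and no `AmbientCapabilities`, and the role's `ipfs_port` defaults to 4001, which needs no privilege, so the bounding set should be emptied with `CapabilityBoundingSet=` to state that no capability is intended. The file is shipped as a template but hard-codes `ipfs` and `/home/ipfs` in `ReadWritePaths`, `ExecStart`, `User` and `Group` while the role exposes `ipfs_user`/`ipfs_group`, so changing those defaults leaves the unit pointing at the wrong account and path. `StateDirectory=ipfs` creates and manages `/var/lib/ipfs`, yet the daemon is pointed at `IPFS_PATH=/mnt/ipfs`, so the directive appears unused and could be dropped or aligned. `#ProtectHome=true` is left commented with no reason; a note such as `# ProtectHome=true is incompatible with ExecStart and ipfs-update living under /home/ipfs` would save the next reader from re-trying it.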


@ -0,0 +1,2 @@
localhost


@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- ipfs

2
roles/ipfs/vars/main.yml Normal file

@ -0,0 +1,2 @@
---
# vars file for ipfs


@ -11,7 +11,7 @@ Requirements
Role Variables Role Variables
-------------- --------------
- **iptables_ipfs_enabled** (boolean): Enable or disable IPFS rules - **ipfs_enabled** (boolean): Enable or disable IPFS rules
Dependencies Dependencies
------------ ------------


@ -1,4 +1,2 @@
--- ---
# defaults file for iptables-ipfs # defaults file for iptables-ipfs
iptables_ipfs_enabled: false


@ -4,7 +4,7 @@
- name: setup iptables for IPFS - name: setup iptables for IPFS
when: when:
- "is_docker is not true" - "is_docker is not true"
- "iptables_ipfs_enabled is true" - "ipfs_enabled is true"
block: block:
- name: Allow new, established packets on TCP/UDP port 4001 (IPFS) - name: Allow new, established packets on TCP/UDP port 4001 (IPFS)
ansible.builtin.iptables: ansible.builtin.iptables:
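Review bot: The `when:` list now depends on `ipfs_enabled`, which this commit removes from this role's own defaults (`iptables_ipfs_enabled: false` is deleted without a replacement), so the role only works when the ipfs role's defaults or the inventory happen to define it; run on its own, as the role's tests or an `include_role` from another play would, `ipfs_enabled is true` errors on an undefined variable. Either restore a default (`ipfs_enabled: false` in this role's defaults/main.yml) or guard the test with `- "(ipfs_enabled | default(false)) is true"`. The block continues past this hunk.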