add architecture_mapping; add harden systemd for basic hardening role; add ipfs dedicated role
This commit is contained in:
parent
ddbbb2f427
commit
eecdfefa26
18 changed files with 298 additions and 9 deletions
|
@ -1,2 +1,4 @@
|
||||||
|
architecture_mapping: { "armv6l": "armhf", "armv7l": "armhf", "aarch64": "arm64", "x86_64": "amd64", "i386": "i386" }
|
||||||
|
|
||||||
sshd_port: 22
|
sshd_port: 22
|
||||||
ipfs_port: 4001
|
ipfs_port: 4001
|
||||||
|
|
|
@ -13,14 +13,14 @@
|
||||||
tags: [firewall, ips, ids]
|
tags: [firewall, ips, ids]
|
||||||
- role: iptables-webserver
|
- role: iptables-webserver
|
||||||
tags: [firewall, webserver]
|
tags: [firewall, webserver]
|
||||||
- role: iptables-ipfs
|
|
||||||
tags: [firewall, ipfs]
|
|
||||||
|
|
||||||
- role: fail2ban-basic
|
- role: fail2ban-basic
|
||||||
tags: [fail2ban, ips, ids]
|
tags: [fail2ban, ips, ids]
|
||||||
|
|
||||||
- yggdrasil
|
- role: ipfs
|
||||||
|
tags: [ipfs]
|
||||||
|
- role: yggdrasil
|
||||||
|
tags: [yggdrasil]
|
||||||
|
|
||||||
- role: snort-community
|
- role: snort-community
|
||||||
tags: [snort, ips, ids]
|
tags: [snort, ips, ids]
|
||||||
|
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
with_community.general.filetree: '../templates/systemd/etc/'
|
with_community.general.filetree: '../templates/systemd/etc/'
|
||||||
when: item.state == 'directory'
|
when: item.state == 'directory'
|
||||||
|
|
||||||
- name: Create and copy hardening files
|
- name: Create and copy files
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: '{{ item.src }}'
|
src: '{{ item.src }}'
|
||||||
dest: '/etc/{{ item.path }}'
|
dest: '/etc/{{ item.path }}'
|
||||||
|
|
29
roles/ipfs/.travis.yml
Normal file
29
roles/ipfs/.travis.yml
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
---
|
||||||
|
language: python
|
||||||
|
python: "2.7"
|
||||||
|
|
||||||
|
# Use the new container infrastructure
|
||||||
|
sudo: false
|
||||||
|
|
||||||
|
# Install ansible
|
||||||
|
addons:
|
||||||
|
apt:
|
||||||
|
packages:
|
||||||
|
- python-pip
|
||||||
|
|
||||||
|
install:
|
||||||
|
# Install ansible
|
||||||
|
- pip install ansible
|
||||||
|
|
||||||
|
# Check ansible version
|
||||||
|
- ansible --version
|
||||||
|
|
||||||
|
# Create ansible.cfg with correct roles_path
|
||||||
|
- printf '[defaults]\nroles_path=../' >ansible.cfg
|
||||||
|
|
||||||
|
script:
|
||||||
|
# Basic role syntax check
|
||||||
|
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
|
||||||
|
|
||||||
|
notifications:
|
||||||
|
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
38
roles/ipfs/README.md
Normal file
38
roles/ipfs/README.md
Normal file
|
@ -0,0 +1,38 @@
|
||||||
|
Role Name
|
||||||
|
=========
|
||||||
|
|
||||||
|
A brief description of the role goes here.
|
||||||
|
|
||||||
|
Requirements
|
||||||
|
------------
|
||||||
|
|
||||||
|
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
|
||||||
|
|
||||||
|
Role Variables
|
||||||
|
--------------
|
||||||
|
|
||||||
|
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
|
||||||
|
|
||||||
|
Dependencies
|
||||||
|
------------
|
||||||
|
|
||||||
|
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
|
||||||
|
|
||||||
|
Example Playbook
|
||||||
|
----------------
|
||||||
|
|
||||||
|
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
|
||||||
|
|
||||||
|
- hosts: servers
|
||||||
|
roles:
|
||||||
|
- { role: username.rolename, x: 42 }
|
||||||
|
|
||||||
|
License
|
||||||
|
-------
|
||||||
|
|
||||||
|
BSD
|
||||||
|
|
||||||
|
Author Information
|
||||||
|
------------------
|
||||||
|
|
||||||
|
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
|
9
roles/ipfs/defaults/main.yml
Normal file
9
roles/ipfs/defaults/main.yml
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
# defaults file for ipfs
|
||||||
|
|
||||||
|
ipfs_enabled: false
|
||||||
|
ipfs_setup: false
|
||||||
|
ipfs_updater_version: 1.9.0
|
||||||
|
|
||||||
|
ipfs_group: ipfs
|
||||||
|
ipfs_user: ipfs
|
2
roles/ipfs/handlers/main.yml
Normal file
2
roles/ipfs/handlers/main.yml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
---
|
||||||
|
# handlers file for ipfs
|
52
roles/ipfs/meta/main.yml
Normal file
52
roles/ipfs/meta/main.yml
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
galaxy_info:
|
||||||
|
author: your name
|
||||||
|
description: your role description
|
||||||
|
company: your company (optional)
|
||||||
|
|
||||||
|
# If the issue tracker for your role is not on github, uncomment the
|
||||||
|
# next line and provide a value
|
||||||
|
# issue_tracker_url: http://example.com/issue/tracker
|
||||||
|
|
||||||
|
# Choose a valid license ID from https://spdx.org - some suggested licenses:
|
||||||
|
# - BSD-3-Clause (default)
|
||||||
|
# - MIT
|
||||||
|
# - GPL-2.0-or-later
|
||||||
|
# - GPL-3.0-only
|
||||||
|
# - Apache-2.0
|
||||||
|
# - CC-BY-4.0
|
||||||
|
license: license (GPL-2.0-or-later, MIT, etc)
|
||||||
|
|
||||||
|
min_ansible_version: 2.1
|
||||||
|
|
||||||
|
# If this a Container Enabled role, provide the minimum Ansible Container version.
|
||||||
|
# min_ansible_container_version:
|
||||||
|
|
||||||
|
#
|
||||||
|
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||||
|
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||||
|
# To view available platforms and versions (or releases), visit:
|
||||||
|
# https://galaxy.ansible.com/api/v1/platforms/
|
||||||
|
#
|
||||||
|
# platforms:
|
||||||
|
# - name: Fedora
|
||||||
|
# versions:
|
||||||
|
# - all
|
||||||
|
# - 25
|
||||||
|
# - name: SomePlatform
|
||||||
|
# versions:
|
||||||
|
# - all
|
||||||
|
# - 1.0
|
||||||
|
# - 7
|
||||||
|
# - 99.99
|
||||||
|
|
||||||
|
galaxy_tags: []
|
||||||
|
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||||
|
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||||
|
# remove the '[]' above, if you add tags to this list.
|
||||||
|
#
|
||||||
|
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
|
||||||
|
# Maximum 20 tags per role.
|
||||||
|
|
||||||
|
dependencies: []
|
||||||
|
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||||
|
# if you add dependencies to this list.
|
16
roles/ipfs/tasks/install_systemd_service.yml
Normal file
16
roles/ipfs/tasks/install_systemd_service.yml
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
- name: Install systemd service for ipfs
|
||||||
|
become: true
|
||||||
|
become_user: root
|
||||||
|
block:
|
||||||
|
- name: Create and copy systemd files
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: '{{ item.src }}'
|
||||||
|
dest: '/{{ item.path }}'
|
||||||
|
with_community.general.filetree: '../templates/systemd/'
|
||||||
|
when: item.state == 'file'
|
||||||
|
|
||||||
|
- name: Reload systemd services
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
name: ipfs
|
||||||
|
state: started
|
||||||
|
daemon_reload: yes
|
77
roles/ipfs/tasks/main.yml
Normal file
77
roles/ipfs/tasks/main.yml
Normal file
|
@ -0,0 +1,77 @@
|
||||||
|
---
|
||||||
|
# tasks file for ipfs
|
||||||
|
|
||||||
|
- name: Install IPFS if enabled
|
||||||
|
when:
|
||||||
|
- 'ipfs_enabled is true'
|
||||||
|
block:
|
||||||
|
- name: Setup ipfs-update
|
||||||
|
when: 'ipfs_setup is true'
|
||||||
|
block:
|
||||||
|
- name: Create ipfs group
|
||||||
|
group:
|
||||||
|
name: "{{ ipfs_group }}"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Create ipfs user
|
||||||
|
user:
|
||||||
|
name: "{{ ipfs_user }}"
|
||||||
|
state: present
|
||||||
|
shell: /sbin/nologin
|
||||||
|
group: "{{ ipfs_group }}"
|
||||||
|
|
||||||
|
- name: Create working dir
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: '/mnt/ipfs'
|
||||||
|
state: directory
|
||||||
|
owner: '{{ ipfs_user }}'
|
||||||
|
group: '{{ ipfs_group }}'
|
||||||
|
|
||||||
|
- name: Download ipfs-update for IPFS version control
|
||||||
|
ansible.builtin.unarchive:
|
||||||
|
src: 'https://dist.ipfs.tech/ipfs-update/v{{ ipfs_updater_version }}/ipfs-update_v{{ ipfs_updater_version }}_linux-{{ architecture_mapping[ansible_architecture] }}.tar.gz'
|
||||||
|
dest: /tmp
|
||||||
|
remote_src: yes
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: Install ipfs-update
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: /tmp/ipfs-update/ipfs-update
|
||||||
|
dest: /usr/local/bin/ipfs-update
|
||||||
|
owner: ipfs
|
||||||
|
group: ipfs
|
||||||
|
mode: '1750'
|
||||||
|
remote_src: yes
|
||||||
|
|
||||||
|
- name: Install ipfs version specified
|
||||||
|
when: 'ipfs_version is defined'
|
||||||
|
become: true
|
||||||
|
become_user: '{{ ipfs_user }}'
|
||||||
|
block:
|
||||||
|
- name: Create directory tree if not exists
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: '~/{{ item.path }}'
|
||||||
|
state: directory
|
||||||
|
mode: '{{ item.mode }}'
|
||||||
|
with_community.general.filetree: '../templates/ipfs/'
|
||||||
|
when: item.state == 'directory'
|
||||||
|
|
||||||
|
- name: Create and copy hardening files
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: '{{ item.src }}'
|
||||||
|
dest: '~/{{ item.path }}'
|
||||||
|
with_community.general.filetree: '../templates/ipfs/'
|
||||||
|
when: item.state == 'file'
|
||||||
|
|
||||||
|
- name: Update ipfs-update version
|
||||||
|
ansible.builtin.shell: PATH=$PATH:$HOME/.local/bin ipfs-update versions
|
||||||
|
|
||||||
|
- name: Install version
|
||||||
|
ansible.builtin.shell: PATH=$PATH:$HOME/.local/bin ipfs-update install {{ ipfs_version }}
|
||||||
|
|
||||||
|
- include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
|
||||||
|
|
||||||
|
- name: Setup firewall
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: iptables-ipfs
|
0
roles/ipfs/templates/ipfs/.ipfs/api
Normal file
0
roles/ipfs/templates/ipfs/.ipfs/api
Normal file
57
roles/ipfs/templates/systemd/lib/systemd/system/ipfs.service
Normal file
57
roles/ipfs/templates/systemd/lib/systemd/system/ipfs.service
Normal file
|
@ -0,0 +1,57 @@
|
||||||
|
[Unit]
|
||||||
|
Description=IPFS Daemon
|
||||||
|
Documentation=https://docs.ipfs.io/
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
# hardening
|
||||||
|
ReadWritePaths=/home/ipfs /mnt/ipfs
|
||||||
|
NoNewPrivileges=true
|
||||||
|
ProtectSystem=strict
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
ProtectKernelModules=true
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
PrivateDevices=true
|
||||||
|
DevicePolicy=closed
|
||||||
|
ProtectControlGroups=true
|
||||||
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||||
|
ProtectHostname=true
|
||||||
|
PrivateTmp=true
|
||||||
|
ProtectClock=true
|
||||||
|
LockPersonality=true
|
||||||
|
RestrictNamespaces=true
|
||||||
|
RestrictRealtime=true
|
||||||
|
MemoryDenyWriteExecute=true
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
SystemCallFilter=@system-service
|
||||||
|
SystemCallFilter=~@privileged
|
||||||
|
#ProtectHome=true
|
||||||
|
RemoveIPC=true
|
||||||
|
RestrictSUIDSGID=true
|
||||||
|
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||||
|
|
||||||
|
LimitNOFILE=8192
|
||||||
|
#LimitNice=10
|
||||||
|
MemoryAccounting=true
|
||||||
|
#MemoryHigh=768M
|
||||||
|
#MemoryMax=1024M
|
||||||
|
MemorySwapMax=0
|
||||||
|
CPUAccounting=true
|
||||||
|
CPUQuota=40%
|
||||||
|
TimeoutStartSec=infinity
|
||||||
|
|
||||||
|
Type=notify
|
||||||
|
Environment="IPFS_PATH=/mnt/ipfs"
|
||||||
|
Environment=IPFS_LOGGING="error"
|
||||||
|
Environment=IPFS_FD_MAX=8192
|
||||||
|
ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate
|
||||||
|
User=ipfs
|
||||||
|
Group=ipfs
|
||||||
|
StateDirectory=ipfs
|
||||||
|
Restart=always
|
||||||
|
RestartSec=60
|
||||||
|
KillMode=process
|
||||||
|
KillSignal=SIGINT
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
2
roles/ipfs/tests/inventory
Normal file
2
roles/ipfs/tests/inventory
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
localhost
|
||||||
|
|
5
roles/ipfs/tests/test.yml
Normal file
5
roles/ipfs/tests/test.yml
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- hosts: localhost
|
||||||
|
remote_user: root
|
||||||
|
roles:
|
||||||
|
- ipfs
|
2
roles/ipfs/vars/main.yml
Normal file
2
roles/ipfs/vars/main.yml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
---
|
||||||
|
# vars file for ipfs
|
|
@ -11,7 +11,7 @@ Requirements
|
||||||
Role Variables
|
Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
- **iptables_ipfs_enabled** (boolean): Enable or disable IPFS rules
|
- **ipfs_enabled** (boolean): Enable or disable IPFS rules
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
|
|
@ -1,4 +1,2 @@
|
||||||
---
|
---
|
||||||
# defaults file for iptables-ipfs
|
# defaults file for iptables-ipfs
|
||||||
|
|
||||||
iptables_ipfs_enabled: false
|
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
- name: setup iptables for IPFS
|
- name: setup iptables for IPFS
|
||||||
when:
|
when:
|
||||||
- "is_docker is not true"
|
- "is_docker is not true"
|
||||||
- "iptables_ipfs_enabled is true"
|
- "ipfs_enabled is true"
|
||||||
block:
|
block:
|
||||||
- name: Allow new, established packets on TCP/UDP port 4001 (IPFS)
|
- name: Allow new, established packets on TCP/UDP port 4001 (IPFS)
|
||||||
ansible.builtin.iptables:
|
ansible.builtin.iptables:
|
||||||
|
|
Loading…
Reference in a new issue