updating some roles with README
This commit is contained in:
parent
634ec86744
commit
f69b9be3a2
19 changed files with 92 additions and 75 deletions
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -1,4 +1,6 @@
|
||||||
inventory/*
|
inventory/*
|
||||||
host_vars/*
|
host_vars/*
|
||||||
|
group_vars/*
|
||||||
|
!group_vars/all.yml
|
||||||
Dockerfile
|
Dockerfile
|
||||||
docker-compose.yml
|
docker-compose.yml
|
||||||
|
|
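Review bot: The re-include `!group_vars/all.yml` only works because the line above ignores `group_vars/*` (the entries) rather than `group_vars/` (the directory); git cannot re-include a file whose parent directory is excluded, so the pair must stay in exactly this form and that is worth a comment. With `host_vars/*` and the rest of `group_vars/*` still ignored, `all.yml` is now the one vars file that reaches the repository, so per-host and secret values should stay in the ignored paths or in ansible-vault, e.g. `# only group_vars/all.yml is tracked; keep host-specific and secret values out of it`.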
2
group_vars/all.yml
Normal file
2
group_vars/all.yml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
sshd_port: 22
|
||||||
|
ipfs_port: 4001
|
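Review bot: `sshd_port` and `ipfs_port` are now the only definitions of these values: the role defaults `hardening_sshd_port`, `iptables_basic_ssh_port` and `iptables_ipfs_port` are deleted in the hardening-basic, iptables-basic and iptables-ipfs defaults hunks, and the sshd_config template, the iptables-basic SSH accept rule and the iptables-ipfs rule read the global names directly. A host that is not covered by this group_vars file should fail with an undefined-variable error when the template or rule is rendered (at least that is fail-closed rather than an open port), and none of the updated READMEs lists the global-scope variable its role now depends on, although their own template text asks for exactly that. A header comment here would make the coupling visible, e.g. `# sshd_port: rendered into sshd_config by hardening-basic and opened by iptables-basic; change both by changing this value` and `# ipfs_port: opened by iptables-ipfs`. The hardening-basic, iptables-basic and iptables-ipfs READMEs should get a matching `- **sshd_port** (integer, global scope, group_vars/all.yml)` / `- **ipfs_port** (integer, global scope, group_vars/all.yml)` line under Role Variables.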
23
handbook.yml
23
handbook.yml
|
@ -1,25 +1,26 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "Setup a GNU/Linux server"
|
- name: "Setup a GNU/Linux target with standards or defined tags"
|
||||||
hosts: "{{ target if target is defined else 'planets' }}"
|
hosts: "{{ target if target is defined else 'planets' }}"
|
||||||
|
|
||||||
roles:
|
roles:
|
||||||
|
- role: hardening-basic
|
||||||
|
tags: [hardening, ips, ids]
|
||||||
|
|
||||||
- role: iptables-persistent
|
- role: iptables-persistent
|
||||||
tags: [firewall]
|
tags: [firewall, ips, ids]
|
||||||
- role: iptables-basic
|
- role: iptables-basic
|
||||||
tags: [firewall]
|
tags: [firewall, ips, ids]
|
||||||
- role: iptables-webserver
|
- role: iptables-webserver
|
||||||
tags: [firewall, webserver]
|
tags: [firewall, webserver]
|
||||||
- role: iptables-ipfs
|
- role: iptables-ipfs
|
||||||
tags: [firewall, ipfs]
|
tags: [firewall, ipfs]
|
||||||
|
|
||||||
- role: fail2ban-basic
|
- role: fail2ban-basic
|
||||||
tags: [hardening]
|
tags: [fail2ban, ips, ids]
|
||||||
- role: hardening-basic
|
|
||||||
tags: [hardening]
|
- yggdrasil
|
||||||
- yggdrasil
|
|
||||||
- role: snort-community
|
- role: snort-community
|
||||||
tags: snort
|
tags: [snort, ips, ids]
|
||||||
|
|
||||||
- role: pi-hole
|
|
||||||
tags: pi-hole
|
|
||||||
|
|
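Review bot: `- yggdrasil` is the one entry under `roles:` left without `tags:`, while every other role now carries at least one tag; with the `--tags` invocations the READMEs document (for example `--tags fail2ban`) an untagged role is skipped, so yggdrasil only runs on an untagged playbook run. If that is intended, a comment above it would stop the next reader from adding tags by analogy; if not, give it the same shape as its neighbours, `- role: yggdrasil` followed by `tags: [yggdrasil]`. Whitespace is lost in this rendering, so I cannot tell whether the entry's indentation also changed.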
6
pi-hole.yml
Normal file
6
pi-hole.yml
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: "Setup the target for pi-hole"
|
||||||
|
hosts: "{{ target if target is defined else 'planets' }}"
|
||||||
|
roles:
|
||||||
|
- role: pi-hole
|
|
@ -1,38 +1,35 @@
|
||||||
Role Name
|
fail2ban-basic
|
||||||
=========
|
=========
|
||||||
|
|
||||||
A brief description of the role goes here.
|
This role install fail2ban into the target.
|
||||||
|
|
||||||
Requirements
|
Requirements
|
||||||
------------
|
------------
|
||||||
|
|
||||||
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
|
.
|
||||||
|
|
||||||
Role Variables
|
Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
|
- **fail2ban_enabled** (boolean): Enable of disable fail2ban setup
|
||||||
|
- **fail2ban_package_name_by_os_family** (array): Each key correspond to [OS family](https://docs.ansible.com/ansible/2.6/user_guide/playbooks_conditionals.html#ansible-os-family), the value correspond to the package name to be installed
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
|
||||||
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
|
.
|
||||||
|
|
||||||
Example Playbook
|
Example Playbook
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
|
`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags fail2ban`
|
||||||
|
|
||||||
- hosts: servers
|
|
||||||
roles:
|
|
||||||
- { role: username.rolename, x: 42 }
|
|
||||||
|
|
||||||
License
|
License
|
||||||
-------
|
-------
|
||||||
|
|
||||||
BSD
|
GPLv3
|
||||||
|
|
||||||
Author Information
|
Author Information
|
||||||
------------------
|
------------------
|
||||||
|
|
||||||
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
|
- [Claudio Maradonna](https://social.unitoo.it/claudio)
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
---
|
---
|
||||||
# defaults file for fail2ban-basic
|
# defaults file for fail2ban-basic
|
||||||
|
|
||||||
|
fail2ban_enabled: true
|
||||||
fail2ban_package_name_by_os_family:
|
fail2ban_package_name_by_os_family:
|
||||||
Debian: fail2ban
|
Debian: fail2ban
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
# tasks file for fail2ban-basic
|
# tasks file for fail2ban-basic
|
||||||
#
|
#
|
||||||
- name: Fail2ban Configuration
|
- name: Fail2ban Configuration
|
||||||
|
when: fail2ban_enabled is true
|
||||||
block:
|
block:
|
||||||
- name: Install Fail2ban
|
- name: Install Fail2ban
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
|
|
|
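Review bot: `when: fail2ban_enabled is true` only matches a real boolean `True`; a value that arrives as a string (from `--extra-vars fail2ban_enabled=true` or an INI inventory) fails the `is true` test, so the whole block — including the fail2ban install — is skipped without any error. For a control that is meant to be on by default that silent skip is a fail-open, and `when: fail2ban_enabled | bool` accepts both forms. The same test is used for `pihole_install_custom_list is true` and `pihole_update_gravity is true` in the pi-hole tasks hunks. The block this `when` guards continues outside the hunk.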
@ -11,15 +11,14 @@ Requirements
|
||||||
Role Variables
|
Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
- *hardening_sshd_enabled* (boolean): Enable or disable ssh hardening
|
- **hardening_sshd_enabled** (boolean): Enable or disable ssh hardening
|
||||||
- *hardening_sshd_port* (integer): Set the SSHD port
|
- **hardening_sshd_authorized_key_file** (string): Set the relative path for sshd authorized_key_file
|
||||||
- *hardening_sshd_authorized_key_file* (string): Set the relative path for sshd authorized_key_file
|
- **hardening_sshd_tcp_forward** (boolean): Enable or disable sshd tcp forwarding
|
||||||
- *hardening_sshd_tcp_forward* (boolean): Enable or disable sshd tcp forwarding
|
- **hardening_sshd_legal_banner** (boolean): Enable or disable sshd legal banner (/etc/issue.net)
|
||||||
- *hardening_sshd_legal_banner* (boolean): Enable or disable sshd legal banner (/etc/issue.net)
|
- **hardening_sshd_permissions_set_sticky_bit** (boolean): Enable or disable the sticky bit for sshd directory and files (root)
|
||||||
- *hardening_sshd_permissions_set_sticky_bit* (boolean): Enable or disable the sticky bit for sshd directory and files (root)
|
- **hardening_sysctl_vm_swappiness** (integer): Set the value for sysctl vm.swappiness
|
||||||
- *hardening_sysctl_vm_swappiness* (integer): Set the value for sysctl vm.swappiness
|
- **hardening_sysctl_disable_ipv6** (boolean): Enable or disable ipv6 though sysctl
|
||||||
- *hardening_sysctl_disable_ipv6* (boolean): Enable or disable ipv6 though sysctl
|
- **hardening_modprobe_disable_list** (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
|
||||||
- *hardening_modprobe_disable_list* (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
|
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
# defaults file for hardening-basic
|
# defaults file for hardening-basic
|
||||||
|
|
||||||
hardening_sshd_enabled: true
|
hardening_sshd_enabled: true
|
||||||
hardening_sshd_port: 22
|
|
||||||
hardening_sshd_authorized_key_file: .ssh/authorized_keys
|
hardening_sshd_authorized_key_file: .ssh/authorized_keys
|
||||||
hardening_sshd_tcp_forward: false
|
hardening_sshd_tcp_forward: false
|
||||||
hardening_sshd_legal_banner: false
|
hardening_sshd_legal_banner: false
|
||||||
|
|
|
@ -4,7 +4,7 @@ Protocol 2 # Protocol 1 is
|
||||||
StrictModes yes # Protects from misconfiguration
|
StrictModes yes # Protects from misconfiguration
|
||||||
|
|
||||||
#ListenAddress [ip-here] # Listening address
|
#ListenAddress [ip-here] # Listening address
|
||||||
Port {{ hardening_sshd_port }} # Listening port. Normal 22
|
Port {{ sshd_port }} # Listening port. Normal 22
|
||||||
|
|
||||||
AuthenticationMethods publickey # Only public key authentication allowed
|
AuthenticationMethods publickey # Only public key authentication allowed
|
||||||
AuthorizedKeysFile {{ hardening_sshd_authorized_key_file }}
|
AuthorizedKeysFile {{ hardening_sshd_authorized_key_file }}
|
||||||
|
|
|
@ -1,38 +1,36 @@
|
||||||
Role Name
|
iptables-basic
|
||||||
=========
|
=========
|
||||||
|
|
||||||
A brief description of the role goes here.
|
This role setup iptables with good defaults
|
||||||
|
|
||||||
Requirements
|
Requirements
|
||||||
------------
|
------------
|
||||||
|
|
||||||
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
|
.
|
||||||
|
|
||||||
Role Variables
|
Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
|
- **iptables_basic_enabled** (boolean): Enable or disable iptable setup
|
||||||
|
- **iptables_basic_reset_enabled** (boolean): Enable or disable iptables flush
|
||||||
|
- **iptables_basic_drop_unencrypted_smtp_port** (boolean): If true drop the standard SMTP port (25)
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
|
||||||
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
|
.
|
||||||
|
|
||||||
Example Playbook
|
Example Playbook
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
|
`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags firewall`
|
||||||
|
|
||||||
- hosts: servers
|
|
||||||
roles:
|
|
||||||
- { role: username.rolename, x: 42 }
|
|
||||||
|
|
||||||
License
|
License
|
||||||
-------
|
-------
|
||||||
|
|
||||||
BSD
|
GPLv3
|
||||||
|
|
||||||
Author Information
|
Author Information
|
||||||
------------------
|
------------------
|
||||||
|
|
||||||
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
|
- [Claudio Maradonna](https://social.unitoo.it/claudio)
|
||||||
|
|
|
@ -3,5 +3,4 @@
|
||||||
|
|
||||||
iptables_basic_enabled: true
|
iptables_basic_enabled: true
|
||||||
iptables_basic_reset_enabled: false
|
iptables_basic_reset_enabled: false
|
||||||
iptables_basic_ssh_port: 22
|
|
||||||
iptables_basic_drop_unencrypted_smtp_port: true
|
iptables_basic_drop_unencrypted_smtp_port: true
|
||||||
|
|
|
@ -43,7 +43,7 @@
|
||||||
ansible.builtin.iptables:
|
ansible.builtin.iptables:
|
||||||
chain: INPUT
|
chain: INPUT
|
||||||
protocol: tcp
|
protocol: tcp
|
||||||
destination_port: "{{ iptables_basic_ssh_port }}"
|
destination_port: "{{ sshd_port }}"
|
||||||
ctstate: NEW
|
ctstate: NEW
|
||||||
syn: match
|
syn: match
|
||||||
jump: ACCEPT
|
jump: ACCEPT
|
||||||
|
|
|
@ -1,38 +1,34 @@
|
||||||
Role Name
|
iptables-ipfs
|
||||||
=========
|
=========
|
||||||
|
|
||||||
A brief description of the role goes here.
|
This role setup iptables rules for IPFS
|
||||||
|
|
||||||
Requirements
|
Requirements
|
||||||
------------
|
------------
|
||||||
|
|
||||||
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
|
.
|
||||||
|
|
||||||
Role Variables
|
Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
|
**iptables_ipfs_enabled** (boolean): Enable or disable IPFS rules
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
|
||||||
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
|
.
|
||||||
|
|
||||||
Example Playbook
|
Example Playbook
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
|
`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags firewall`
|
||||||
|
|
||||||
- hosts: servers
|
|
||||||
roles:
|
|
||||||
- { role: username.rolename, x: 42 }
|
|
||||||
|
|
||||||
License
|
License
|
||||||
-------
|
-------
|
||||||
|
|
||||||
BSD
|
GPLv3
|
||||||
|
|
||||||
Author Information
|
Author Information
|
||||||
------------------
|
------------------
|
||||||
|
|
||||||
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
|
- [Claudio Maradonna](https://social.unitoo.it/claudio)
|
||||||
|
|
|
@ -2,4 +2,3 @@
|
||||||
# defaults file for iptables-ipfs
|
# defaults file for iptables-ipfs
|
||||||
|
|
||||||
iptables_ipfs_enabled: false
|
iptables_ipfs_enabled: false
|
||||||
iptables_ipfs_port: 4001
|
|
||||||
|
|
|
@ -10,7 +10,7 @@
|
||||||
ansible.builtin.iptables:
|
ansible.builtin.iptables:
|
||||||
chain: INPUT
|
chain: INPUT
|
||||||
protocol: tcp
|
protocol: tcp
|
||||||
destination_port: "{{ iptables_ipfs_port }}"
|
destination_port: "{{ ipfs_port }}"
|
||||||
ctstate: NEW,ESTABLISHED
|
ctstate: NEW,ESTABLISHED
|
||||||
jump: ACCEPT
|
jump: ACCEPT
|
||||||
comment: IPFS dedicated port
|
comment: IPFS dedicated port
|
||||||
|
|
|
@ -1,38 +1,36 @@
|
||||||
Role Name
|
iptables-persistent
|
||||||
=========
|
=========
|
||||||
|
|
||||||
A brief description of the role goes here.
|
This role setup iptables-persistent and execute rules saving
|
||||||
|
|
||||||
Requirements
|
Requirements
|
||||||
------------
|
------------
|
||||||
|
|
||||||
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
|
.
|
||||||
|
|
||||||
Role Variables
|
Role Variables
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
|
**iptables_persistent_package_name_by_os_family** (array): Each key correspond to [OS family](https://docs.ansible.com/ansible/2.6/user_guide/playbooks_conditionals.html#ansible-os-family), the value correspond to the package name to be installed
|
||||||
|
**iptables_persistent_save_to_file** (boolean): If true enable file saving with rules
|
||||||
|
|
||||||
|
|
||||||
Dependencies
|
Dependencies
|
||||||
------------
|
------------
|
||||||
|
|
||||||
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
|
.
|
||||||
|
|
||||||
Example Playbook
|
Example Playbook
|
||||||
----------------
|
----------------
|
||||||
|
|
||||||
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
|
This role aims to be used by other roles.
|
||||||
|
|
||||||
- hosts: servers
|
|
||||||
roles:
|
|
||||||
- { role: username.rolename, x: 42 }
|
|
||||||
|
|
||||||
License
|
License
|
||||||
-------
|
-------
|
||||||
|
|
||||||
BSD
|
GPLv3
|
||||||
|
|
||||||
Author Information
|
Author Information
|
||||||
------------------
|
------------------
|
||||||
|
|
||||||
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
|
- [Claudio Maradonna](https://social.unitoo.it/claudio)
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
|
|
||||||
pihole_enabled: false
|
pihole_enabled: false
|
||||||
pihole_install_custom_list: false
|
pihole_install_custom_list: false
|
||||||
|
pihole_update_gravity: false
|
||||||
|
|
||||||
pihole_custom_list:
|
pihole_custom_list:
|
||||||
- https://blocklistproject.github.io/Lists/ads.txt
|
- https://blocklistproject.github.io/Lists/ads.txt
|
||||||
|
|
|
@ -20,7 +20,7 @@
|
||||||
msg: "curl -sSL https://install.pi-hole.net | bash"
|
msg: "curl -sSL https://install.pi-hole.net | bash"
|
||||||
|
|
||||||
- name: Check if can install custom list
|
- name: Check if can install custom list
|
||||||
when: pihole_install_custom_list is true
|
when: 'pihole_install_custom_list is true'
|
||||||
block:
|
block:
|
||||||
- name: Check if pi-hole db exists
|
- name: Check if pi-hole db exists
|
||||||
stat:
|
stat:
|
||||||
|
@ -38,4 +38,22 @@
|
||||||
loop: "{{ pihole_custom_list }}"
|
loop: "{{ pihole_custom_list }}"
|
||||||
|
|
||||||
- name: Update Gravity
|
- name: Update Gravity
|
||||||
|
when: 'pihole_update_gravity is true'
|
||||||
ansible.builtin.shell: pihole updateGravity
|
ansible.builtin.shell: pihole updateGravity
|
||||||
|
|
||||||
|
- name: iptables-webserver
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: iptables-webserver
|
||||||
|
|
||||||
|
- name: Setup iptables rules
|
||||||
|
ansible.builtin.iptables:
|
||||||
|
chain: INPUT
|
||||||
|
protocol: '{{ item }}'
|
||||||
|
destination_port: 53
|
||||||
|
jump: ACCEPT
|
||||||
|
comment: Accept DNS connections
|
||||||
|
loop: [tcp,udp]
|
||||||
|
|
||||||
|
- name: iptables-persistent
|
||||||
|
ansible.builtin.include_role:
|
||||||
|
name: iptables-persistent
|
||||||
|
|
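Review bot: The new `Setup iptables rules` task accepts inbound `destination_port: 53` for `tcp` and `udp` from any source, so a host that is reachable from the Internet becomes an open resolver and can be abused for DNS amplification. Restrict the rule to the networks the resolver is meant to serve, e.g. `source: "{{ pihole_dns_allowed_source }}"` (name constructed) with a default in the role defaults, or at least state in the README that the role relies on an upstream firewall. `loop: [tcp,udp]` parses correctly but `[tcp, udp]` is the conventional spacing. I cannot see from this hunk whether these tasks sit inside a `pihole_enabled` guard, so it is worth confirming that a disabled role does not still open port 53 and persist that rule via the `iptables-persistent` include that follows.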