Compare commits


4 commits

25 changed files with 330 additions and 13 deletions


@ -1,2 +1,4 @@
architecture_mapping: { "armv6l": "armhf", "armv7l": "armhf", "aarch64": "arm64", "x86_64": "amd64", "i386": "i386" }
sshd_port: 22
ipfs_port: 4001


@ -13,14 +13,14 @@
tags: [firewall, ips, ids]
- role: iptables-webserver
tags: [firewall, webserver]
- role: iptables-ipfs
tags: [firewall, ipfs]
- role: fail2ban-basic
tags: [fail2ban, ips, ids]
- yggdrasil
- role: ipfs
tags: [ipfs]
- role: yggdrasil
tags: [yggdrasil]
- role: snort-community
tags: [snort, ips, ids]
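Review bot: The `iptables-ipfs` role now runs twice whenever IPFS is enabled: once from the `- role: iptables-ipfs` entry kept above, and again from the `ansible.builtin.include_role: name: iptables-ipfs` that the new ipfs role executes at the end of its `tasks/main.yml`, and since the firewall role's own gate was changed to `ipfs_enabled is true` both passes fire under the same condition. The iptables module is idempotent, so the second pass is harmless, but it doubles the firewall work and output for no gain and hides which of the two is authoritative. Keep one: either drop `- role: iptables-ipfs` here and let the include carry the rules with the role that needs them, or keep the playbook entry and remove the include from the ipfs role.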


@ -19,6 +19,8 @@ Role Variables
- **hardening_sysctl_vm_swappiness** (integer): Set the value for sysctl vm.swappiness
- **hardening_sysctl_disable_ipv6** (boolean): Enable or disable ipv6 though sysctl
- **hardening_modprobe_disable_list** (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
- **hardening_journald_system_max_use** (string): Example 250M
- **hardening_journald_system_max_file_size** (string): Example 50M
Dependencies
------------


@ -16,3 +16,6 @@ hardening_modprobe_disable_list:
rare_filesystems: [cramfs,freevxfs,jffs2,hfs,hfsplus,squashfs,udf]
rare_protocols: [dccp,sctp,rds,tipc,n-hdlc,ax25,netrom,x25,rose,decnet,econet,af_802154,ipx,appletalk,psnap,p8023,p8022,can,atm]
vivid: [vivid]
hardening_journald_system_max_use: 250M
hardening_journald_system_max_file_size: 50M


@ -0,0 +1,14 @@
- name: Create directory tree if not exists
ansible.builtin.file:
path: '/etc/{{ item.path }}'
state: directory
mode: '{{ item.mode }}'
with_community.general.filetree: '../templates/systemd/etc/'
when: item.state == 'directory'
- name: Create and copy files
ansible.builtin.template:
src: '{{ item.src }}'
dest: '/etc/{{ item.path }}'
with_community.general.filetree: '../templates/systemd/etc/'
when: item.state == 'file'
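Review bot: The `Create and copy files` task writes whatever is under `../templates/systemd/etc/` (presumably the `[Journal]` drop-in added in this commit — confirm) but nothing reloads or restarts `systemd-journald`, so the new `SystemMaxUse`/`SystemMaxFileSize` limits only take effect after the next reboot. Add `notify: Restart journald` to the template task and a handler that runs `ansible.builtin.systemd` with `name: systemd-journald` and `state: restarted`. The directory task applies `item.mode`, but the template task sets no `mode`, so the drop-in is created under the connection user's umask; `mode: '0644'` makes the result deterministic.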


@ -7,12 +7,18 @@
ansible.builtin.template:
src: '{{ item.src }}'
dest: '/etc/{{ item.path }}'
with_community.general.filetree: '../templates/etc/'
with_community.general.filetree: '../templates/basic/etc/'
when: item.state == 'file'
- name: Harden SSH Config
when: 'hardening_sshd_enabled is true'
block:
- name: Create and copy hardening files
ansible.builtin.template:
src: '{{ item.src }}'
dest: '/etc/{{ item.path }}'
with_community.general.filetree: '../templates/ssh/etc/'
when: item.state == 'file'
- name: Give 1700 permissions to .ssh folder
ansible.builtin.file:
@ -33,3 +39,7 @@
ansible.builtin.systemd:
state: restarted
name: sshd
- name: Harden Service Manager (like Systemd)
block:
- include_tasks: "harden_{{ ansible_service_mgr }}.yml"
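Review bot: `include_tasks: "harden_{{ ansible_service_mgr }}.yml"` fails the play with a missing-file error on any host whose service manager is not systemd (sysvinit, openrc, …), because only the systemd variant is added in this commit; the same pattern appears in the new ipfs role as `install_{{ ansible_service_mgr }}_service.yml`. Guard the block with `when: ansible_service_mgr == 'systemd'` (or use `with_first_found` with a no-op fallback file) so unsupported init systems are skipped rather than aborting hardening. Separately, `when: 'hardening_sshd_enabled is true'` only matches a real boolean, so a value supplied as `-e hardening_sshd_enabled=true` (a string) silently disables the SSH block; `when: hardening_sshd_enabled | bool` is the usual form. The enclosing task list starts before this hunk.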


@ -1,5 +1,3 @@
{% if hardening_sshd_enabled %}
Protocol 2 # Protocol 1 is fundamentally broken
StrictModes yes # Protects from misconfiguration
@ -54,5 +52,3 @@ MaxStartups 2 # Max concurrent
TCPKeepAlive yes # Do not use TCP keep-alive
AcceptEnv LANG LC_* # Allow client to pass locale environment variables
{% endif %}


@ -0,0 +1,3 @@
[Journal]
SystemMaxUse={{ hardening_journald_system_max_use }}
SystemMaxFileSize={{ hardening_journald_system_max_file_size }}

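--- /dev/null
+++ b/roles/ipfs/.travis.yml
@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+# Use the new container infrastructure
+sudo: false
+# Install ansible
+addons:
+apt:
+packages:
+- python-pip
+install:
+# Install ansible
+- pip install ansible
+# Check ansible version
+- ansible --version
+# Create ansible.cfg with correct roles_path
+- printf '[defaults]\nroles_path=../' >ansible.cfg
+script:
+# Basic role syntax check
+- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+notifications:
+webhooks: https://galaxy.ansible.com/api/v1/notifications/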

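--- /dev/null
+++ b/roles/ipfs/README.md
@@ -0,0 +1,38 @@
+ipfs
+=========
+This role setup ipfs-update and ipfs, systemd related files and start iptables-ipfs role
+Requirements
+------------
+.
+Role Variables
+--------------
+- **ipfs_enabled** (boolean): Enable or disable IPFS support
+- **ipfs_setup** (boolean): If true will setup IPFS installation with updater for the first time
+- **ipfs_updater_version**: ipfs-update version
+- **ipfs_group**: IPFS dedicated group
+- **ipfs_user**: IPFS dedicated user
+Dependencies
+------------
+.
+Example Playbook
+----------------
+ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target ipfs_version=latest" --tags ipfs
+License
+-------
+GPLv3
+Author Information
+------------------
+- [Claudio Maradonna](https://social.unitoo.it/claudio)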


@ -0,0 +1,9 @@
---
# defaults file for ipfs
ipfs_enabled: false
ipfs_setup: false
ipfs_updater_version: 1.9.0
ipfs_group: ipfs
ipfs_user: ipfs


@ -0,0 +1,2 @@
---
# handlers file for ipfs

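--- /dev/null
+++ b/roles/ipfs/meta/main.yml
@@ -0,0 +1,52 @@
+galaxy_info:
+author: your name
+description: your role description
+company: your company (optional)
+# If the issue tracker for your role is not on github, uncomment the
+# next line and provide a value
+# issue_tracker_url: http://example.com/issue/tracker
+# Choose a valid license ID from https://spdx.org - some suggested licenses:
+# - BSD-3-Clause (default)
+# - MIT
+# - GPL-2.0-or-later
+# - GPL-3.0-only
+# - Apache-2.0
+# - CC-BY-4.0
+license: license (GPL-2.0-or-later, MIT, etc)
+min_ansible_version: 2.1
+# If this a Container Enabled role, provide the minimum Ansible Container version.
+# min_ansible_container_version:
+#
+# Provide a list of supported platforms, and for each platform a list of versions.
+# If you don't wish to enumerate all versions for a particular platform, use 'all'.
+# To view available platforms and versions (or releases), visit:
+# https://galaxy.ansible.com/api/v1/platforms/
+#
+# platforms:
+# - name: Fedora
+# versions:
+# - all
+# - 25
+# - name: SomePlatform
+# versions:
+# - all
+# - 1.0
+# - 7
+# - 99.99
+galaxy_tags: []
+# List tags for your role here, one per line. A tag is a keyword that describes
+# and categorizes the role. Users find roles by searching for tags. Be sure to
+# remove the '[]' above, if you add tags to this list.
+#
+# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+# Maximum 20 tags per role.
+dependencies: []
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.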
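Review bot: `min_ansible_version: 2.1` does not match what the role actually needs: `tasks/main.yml` uses `ansible.builtin.*` FQCNs and the `community.general.filetree` lookup, which require ansible-core 2.10 or later plus the community.general collection, and `dependencies: []` omits the `iptables-ipfs` role that the tasks include. The `author`, `description` and `license` fields are still the ansible-galaxy init placeholders (`your name`, `license (GPL-2.0-or-later, MIT, etc)`) while the README declares GPLv3, which a galaxy import may reject. Change to `min_ansible_version: "2.10"` and `license: GPL-3.0-only`, and either list `iptables-ipfs` under `dependencies` or note the collection requirement in a `requirements.yml`.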


@ -0,0 +1,16 @@
- name: Install systemd service for ipfs
become: true
become_user: root
block:
- name: Create and copy systemd files
ansible.builtin.template:
src: '{{ item.src }}'
dest: '/{{ item.path }}'
with_community.general.filetree: '../templates/systemd/'
when: item.state == 'file'
- name: Reload systemd services
ansible.builtin.systemd:
name: ipfs
state: started
daemon_reload: yes
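Review bot: The `Reload systemd services` task starts the `ipfs` unit but never enables it, so despite `WantedBy=multi-user.target` in the unit template the daemon does not come back after a reboot; add `enabled: true` to the `ansible.builtin.systemd` call. A later change to the unit template only triggers `daemon_reload`, not a restart, so a hardened unit edited after first install keeps running under the old settings; register the template task and add `state: restarted` when it changed, or move the systemd call into a handler notified by the template task. Minor: `daemon_reload: yes` should be `daemon_reload: true`, and `become_user: root` is already the default once `become: true` is set.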

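--- /dev/null
+++ b/roles/ipfs/tasks/main.yml
@@ -0,0 +1,77 @@
+---
+# tasks file for ipfs
+- name: Install IPFS if enabled
+when:
+- 'ipfs_enabled is true'
+block:
+- name: Setup ipfs-update
+when: 'ipfs_setup is true'
+block:
+- name: Create ipfs group
+group:
+name: "{{ ipfs_group }}"
+state: present
+- name: Create ipfs user
+user:
+name: "{{ ipfs_user }}"
+state: present
+shell: /sbin/nologin
+group: "{{ ipfs_group }}"
+- name: Create working dir
+ansible.builtin.file:
+path: '/mnt/ipfs'
+state: directory
+owner: '{{ ipfs_user }}'
+group: '{{ ipfs_group }}'
+- name: Download ipfs-update for IPFS version control
+ansible.builtin.unarchive:
+src: 'https://dist.ipfs.tech/ipfs-update/v{{ ipfs_updater_version }}/ipfs-update_v{{ ipfs_updater_version }}_linux-{{ architecture_mapping[ansible_architecture] }}.tar.gz'
+dest: /tmp
+remote_src: yes
+owner: root
+group: root
+- name: Install ipfs-update
+ansible.builtin.copy:
+src: /tmp/ipfs-update/ipfs-update
+dest: /usr/local/bin/ipfs-update
+owner: ipfs
+group: ipfs
+mode: '1750'
+remote_src: yes
+- name: Install ipfs version specified
+when: 'ipfs_version is defined'
+become: true
+become_user: '{{ ipfs_user }}'
+block:
+- name: Create directory tree if not exists
+ansible.builtin.file:
+path: '~/{{ item.path }}'
+state: directory
+mode: '{{ item.mode }}'
+with_community.general.filetree: '../templates/ipfs/'
+when: item.state == 'directory'
+- name: Create and copy hardening files
+ansible.builtin.template:
+src: '{{ item.src }}'
+dest: '~/{{ item.path }}'
+with_community.general.filetree: '../templates/ipfs/'
+when: item.state == 'file'
+- name: Update ipfs-update version
+ansible.builtin.shell: PATH=$PATH:$HOME/.local/bin ipfs-update versions
+- name: Install version
+ansible.builtin.shell: PATH=$PATH:$HOME/.local/bin ipfs-update install {{ ipfs_version }}
+- include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
+- name: Setup firewall
+ansible.builtin.include_role:
+name: iptables-ipfs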
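Review bot: `ansible.builtin.shell: PATH=$PATH:$HOME/.local/bin ipfs-update install {{ ipfs_version }}` splices a caller-supplied variable straight into a shell command line, so anything other than a plain version tag is interpreted by the shell; use `ipfs-update install {{ ipfs_version | quote }}` or switch to `ansible.builtin.command` with `argv`. The download task fetches the ipfs-update tarball with no checksum or signature check and unpacks it into the shared, predictable `/tmp` before copying `/tmp/ipfs-update/ipfs-update` to `/usr/local/bin`, so a tampered download or a pre-existing path in `/tmp` ends up installed as the updater; fetch with `ansible.builtin.get_url` plus `checksum:` against the published per-file checksum and stage it in a directory from `ansible.builtin.tempfile`. `Install ipfs-update` hard-codes `owner: ipfs`/`group: ipfs` instead of `{{ ipfs_user }}`/`{{ ipfs_group }}`, and `mode: '1750'` sets the sticky bit on a regular file where `'0750'` was presumably intended. The `Update ipfs-update version` step only lists versions, so it is a no-op that reports changed on every run; add `changed_when: false` or remove it.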



@ -0,0 +1,57 @@
[Unit]
Description=IPFS Daemon
Documentation=https://docs.ipfs.io/
After=network.target
[Service]
# hardening
ReadWritePaths=/home/ipfs /mnt/ipfs
NoNewPrivileges=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
PrivateDevices=true
DevicePolicy=closed
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
ProtectHostname=true
PrivateTmp=true
ProtectClock=true
LockPersonality=true
RestrictNamespaces=true
RestrictRealtime=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
#ProtectHome=true
RemoveIPC=true
RestrictSUIDSGID=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LimitNOFILE=8192
#LimitNice=10
MemoryAccounting=true
#MemoryHigh=768M
#MemoryMax=1024M
MemorySwapMax=0
CPUAccounting=true
CPUQuota=40%
TimeoutStartSec=infinity
Type=notify
Environment="IPFS_PATH=/mnt/ipfs"
Environment=IPFS_LOGGING="error"
Environment=IPFS_FD_MAX=8192
ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate
User=ipfs
Group=ipfs
StateDirectory=ipfs
Restart=always
RestartSec=60
KillMode=process
KillSignal=SIGINT
[Install]
WantedBy=multi-user.target
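Review bot: `ExecStart=/home/ipfs/.local/bin/ipfs` runs a binary that lives inside `ReadWritePaths=/home/ipfs` and is owned by the same account as `User=ipfs`, so a compromised daemon can overwrite its own executable and none of the `ProtectSystem=strict`/`NoNewPrivileges` hardening protects the program itself; this is presumably also why `#ProtectHome=true` is commented out. Install the binary to a root-owned location (the updater already lands in `/usr/local/bin`), point `ExecStart` at it, then set `ProtectHome=true` and reduce `ReadWritePaths` to `/mnt/ipfs`. `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` grants nothing to an unprivileged `User=ipfs` without `AmbientCapabilities`, and the daemon listens above 1024 anyway, so the empty `CapabilityBoundingSet=` is the tighter setting; `KillMode=process` leaves child processes running on stop, and the default `control-group` is the safer choice.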


@ -0,0 +1,2 @@
localhost


@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- ipfs

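--- /dev/null
+++ b/roles/ipfs/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for ipfs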


@ -11,7 +11,7 @@ Requirements
Role Variables
--------------
- **iptables_ipfs_enabled** (boolean): Enable or disable IPFS rules
- **ipfs_enabled** (boolean): Enable or disable IPFS rules
Dependencies
------------


@ -1,4 +1,2 @@
---
# defaults file for iptables-ipfs
iptables_ipfs_enabled: false


@ -4,7 +4,7 @@
- name: setup iptables for IPFS
when:
- "is_docker is not true"
- "iptables_ipfs_enabled is true"
- "ipfs_enabled is true"
block:
- name: Allow new, established packets on TCP/UDP port 4001 (IPFS)
ansible.builtin.iptables:
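Review bot: The task name still hard-codes `port 4001 (IPFS)` while this same commit introduces `ipfs_port: 4001` in the group vars; if the rule body (outside this hunk) also hard-codes the port, the new variable is dead and name and rule drift apart the first time the port is changed. Reference `{{ ipfs_port }}` in both the name and the `destination_port` of the rule. The block and its rule list continue beyond the end of this hunk.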