allineate master #1
25 changed files with 330 additions and 13 deletions
|
@ -1,2 +1,4 @@
|
|||
architecture_mapping: { "armv6l": "armhf", "armv7l": "armhf", "aarch64": "arm64", "x86_64": "amd64", "i386": "i386" }
|
||||
|
||||
sshd_port: 22
|
||||
ipfs_port: 4001
|
||||
|
|
|
@ -13,14 +13,14 @@
|
|||
tags: [firewall, ips, ids]
|
||||
- role: iptables-webserver
|
||||
tags: [firewall, webserver]
|
||||
- role: iptables-ipfs
|
||||
tags: [firewall, ipfs]
|
||||
|
||||
- role: fail2ban-basic
|
||||
tags: [fail2ban, ips, ids]
|
||||
|
||||
- yggdrasil
|
||||
- role: ipfs
|
||||
tags: [ipfs]
|
||||
- role: yggdrasil
|
||||
tags: [yggdrasil]
|
||||
|
||||
- role: snort-community
|
||||
tags: [snort, ips, ids]
|
||||
|
||||
|
|
|
@ -19,6 +19,8 @@ Role Variables
|
|||
- **hardening_sysctl_vm_swappiness** (integer): Set the value for sysctl vm.swappiness
|
||||
- **hardening_sysctl_disable_ipv6** (boolean): Enable or disable ipv6 though sysctl
|
||||
- **hardening_modprobe_disable_list** (dict): Array of sections. Each section contains an array of string: modules, protocols and so on that can be disabled through modprobe
|
||||
- **hardening_journald_system_max_use** (string): Example 250M
|
||||
- **hardening_journald_system_max_file_size** (string): Example 50M
|
||||
|
||||
Dependencies
|
||||
------------
|
||||
|
|
|
@ -16,3 +16,6 @@ hardening_modprobe_disable_list:
|
|||
rare_filesystems: [cramfs,freevxfs,jffs2,hfs,hfsplus,squashfs,udf]
|
||||
rare_protocols: [dccp,sctp,rds,tipc,n-hdlc,ax25,netrom,x25,rose,decnet,econet,af_802154,ipx,appletalk,psnap,p8023,p8022,can,atm]
|
||||
vivid: [vivid]
|
||||
|
||||
hardening_journald_system_max_use: 250M
|
||||
hardening_journald_system_max_file_size: 50M
|
||||
|
|
14
roles/hardening-basic/tasks/harden_systemd.yml
Normal file
14
roles/hardening-basic/tasks/harden_systemd.yml
Normal file
|
@ -0,0 +1,14 @@
|
|||
- name: Create directory tree if not exists
|
||||
ansible.builtin.file:
|
||||
path: '/etc/{{ item.path }}'
|
||||
state: directory
|
||||
mode: '{{ item.mode }}'
|
||||
with_community.general.filetree: '../templates/systemd/etc/'
|
||||
when: item.state == 'directory'
|
||||
|
||||
- name: Create and copy files
|
||||
ansible.builtin.template:
|
||||
src: '{{ item.src }}'
|
||||
dest: '/etc/{{ item.path }}'
|
||||
with_community.general.filetree: '../templates/systemd/etc/'
|
||||
when: item.state == 'file'
|
|
@ -7,12 +7,18 @@
|
|||
ansible.builtin.template:
|
||||
src: '{{ item.src }}'
|
||||
dest: '/etc/{{ item.path }}'
|
||||
with_community.general.filetree: '../templates/etc/'
|
||||
with_community.general.filetree: '../templates/basic/etc/'
|
||||
when: item.state == 'file'
|
||||
|
||||
- name: Harden SSH Config
|
||||
when: 'hardening_sshd_enabled is true'
|
||||
block:
|
||||
- name: Create and copy hardening files
|
||||
ansible.builtin.template:
|
||||
src: '{{ item.src }}'
|
||||
dest: '/etc/{{ item.path }}'
|
||||
with_community.general.filetree: '../templates/ssh/etc/'
|
||||
when: item.state == 'file'
|
||||
|
||||
- name: Give 1700 permissions to .ssh folder
|
||||
ansible.builtin.file:
|
||||
|
@ -33,3 +39,7 @@
|
|||
ansible.builtin.systemd:
|
||||
state: restarted
|
||||
name: sshd
|
||||
|
||||
- name: Harden Service Manager (like Systemd)
|
||||
block:
|
||||
- include_tasks: "harden_{{ ansible_service_mgr }}.yml"
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
{% if hardening_sshd_enabled %}
|
||||
|
||||
Protocol 2 # Protocol 1 is fundamentally broken
|
||||
StrictModes yes # Protects from misconfiguration
|
||||
|
||||
|
@ -54,5 +52,3 @@ MaxStartups 2 # Max concurrent
|
|||
TCPKeepAlive yes # Do not use TCP keep-alive
|
||||
|
||||
AcceptEnv LANG LC_* # Allow client to pass locale environment variables
|
||||
|
||||
{% endif %}
|
|
@ -0,0 +1,3 @@
|
|||
[Journal]
|
||||
SystemMaxUse={{ hardening_journald_system_max_use }}
|
||||
SystemMaxFileSize={{ hardening_journald_system_max_file_size }}
|
29
roles/ipfs/.travis.yml
Normal file
29
roles/ipfs/.travis.yml
Normal file
|
@ -0,0 +1,29 @@
|
|||
---
|
||||
language: python
|
||||
python: "2.7"
|
||||
|
||||
# Use the new container infrastructure
|
||||
sudo: false
|
||||
|
||||
# Install ansible
|
||||
addons:
|
||||
apt:
|
||||
packages:
|
||||
- python-pip
|
||||
|
||||
install:
|
||||
# Install ansible
|
||||
- pip install ansible
|
||||
|
||||
# Check ansible version
|
||||
- ansible --version
|
||||
|
||||
# Create ansible.cfg with correct roles_path
|
||||
- printf '[defaults]\nroles_path=../' >ansible.cfg
|
||||
|
||||
script:
|
||||
# Basic role syntax check
|
||||
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
|
||||
|
||||
notifications:
|
||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
38
roles/ipfs/README.md
Normal file
38
roles/ipfs/README.md
Normal file
|
@ -0,0 +1,38 @@
|
|||
ipfs
|
||||
=========
|
||||
|
||||
This role setup ipfs-update and ipfs, systemd related files and start iptables-ipfs role
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
.
|
||||
|
||||
Role Variables
|
||||
--------------
|
||||
|
||||
- **ipfs_enabled** (boolean): Enable or disable IPFS support
|
||||
- **ipfs_setup** (boolean): If true will setup IPFS installation with updater for the first time
|
||||
- **ipfs_updater_version**: ipfs-update version
|
||||
- **ipfs_group**: IPFS dedicated group
|
||||
- **ipfs_user**: IPFS dedicated user
|
||||
|
||||
Dependencies
|
||||
------------
|
||||
|
||||
.
|
||||
|
||||
Example Playbook
|
||||
----------------
|
||||
|
||||
ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target ipfs_version=latest" --tags ipfs
|
||||
|
||||
License
|
||||
-------
|
||||
|
||||
GPLv3
|
||||
|
||||
Author Information
|
||||
------------------
|
||||
|
||||
- [Claudio Maradonna](https://social.unitoo.it/claudio)
|
9
roles/ipfs/defaults/main.yml
Normal file
9
roles/ipfs/defaults/main.yml
Normal file
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
# defaults file for ipfs
|
||||
|
||||
ipfs_enabled: false
|
||||
ipfs_setup: false
|
||||
ipfs_updater_version: 1.9.0
|
||||
|
||||
ipfs_group: ipfs
|
||||
ipfs_user: ipfs
|
2
roles/ipfs/handlers/main.yml
Normal file
2
roles/ipfs/handlers/main.yml
Normal file
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
# handlers file for ipfs
|
52
roles/ipfs/meta/main.yml
Normal file
52
roles/ipfs/meta/main.yml
Normal file
|
@ -0,0 +1,52 @@
|
|||
galaxy_info:
|
||||
author: your name
|
||||
description: your role description
|
||||
company: your company (optional)
|
||||
|
||||
# If the issue tracker for your role is not on github, uncomment the
|
||||
# next line and provide a value
|
||||
# issue_tracker_url: http://example.com/issue/tracker
|
||||
|
||||
# Choose a valid license ID from https://spdx.org - some suggested licenses:
|
||||
# - BSD-3-Clause (default)
|
||||
# - MIT
|
||||
# - GPL-2.0-or-later
|
||||
# - GPL-3.0-only
|
||||
# - Apache-2.0
|
||||
# - CC-BY-4.0
|
||||
license: license (GPL-2.0-or-later, MIT, etc)
|
||||
|
||||
min_ansible_version: 2.1
|
||||
|
||||
# If this a Container Enabled role, provide the minimum Ansible Container version.
|
||||
# min_ansible_container_version:
|
||||
|
||||
#
|
||||
# Provide a list of supported platforms, and for each platform a list of versions.
|
||||
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
|
||||
# To view available platforms and versions (or releases), visit:
|
||||
# https://galaxy.ansible.com/api/v1/platforms/
|
||||
#
|
||||
# platforms:
|
||||
# - name: Fedora
|
||||
# versions:
|
||||
# - all
|
||||
# - 25
|
||||
# - name: SomePlatform
|
||||
# versions:
|
||||
# - all
|
||||
# - 1.0
|
||||
# - 7
|
||||
# - 99.99
|
||||
|
||||
galaxy_tags: []
|
||||
# List tags for your role here, one per line. A tag is a keyword that describes
|
||||
# and categorizes the role. Users find roles by searching for tags. Be sure to
|
||||
# remove the '[]' above, if you add tags to this list.
|
||||
#
|
||||
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
|
||||
# Maximum 20 tags per role.
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||
# if you add dependencies to this list.
|
16
roles/ipfs/tasks/install_systemd_service.yml
Normal file
16
roles/ipfs/tasks/install_systemd_service.yml
Normal file
|
@ -0,0 +1,16 @@
|
|||
- name: Install systemd service for ipfs
|
||||
become: true
|
||||
become_user: root
|
||||
block:
|
||||
- name: Create and copy systemd files
|
||||
ansible.builtin.template:
|
||||
src: '{{ item.src }}'
|
||||
dest: '/{{ item.path }}'
|
||||
with_community.general.filetree: '../templates/systemd/'
|
||||
when: item.state == 'file'
|
||||
|
||||
- name: Reload systemd services
|
||||
ansible.builtin.systemd:
|
||||
name: ipfs
|
||||
state: started
|
||||
daemon_reload: yes
|
77
roles/ipfs/tasks/main.yml
Normal file
77
roles/ipfs/tasks/main.yml
Normal file
|
@ -0,0 +1,77 @@
|
|||
---
|
||||
# tasks file for ipfs
|
||||
|
||||
- name: Install IPFS if enabled
|
||||
when:
|
||||
- 'ipfs_enabled is true'
|
||||
block:
|
||||
- name: Setup ipfs-update
|
||||
when: 'ipfs_setup is true'
|
||||
block:
|
||||
- name: Create ipfs group
|
||||
group:
|
||||
name: "{{ ipfs_group }}"
|
||||
state: present
|
||||
|
||||
- name: Create ipfs user
|
||||
user:
|
||||
name: "{{ ipfs_user }}"
|
||||
state: present
|
||||
shell: /sbin/nologin
|
||||
group: "{{ ipfs_group }}"
|
||||
|
||||
- name: Create working dir
|
||||
ansible.builtin.file:
|
||||
path: '/mnt/ipfs'
|
||||
state: directory
|
||||
owner: '{{ ipfs_user }}'
|
||||
group: '{{ ipfs_group }}'
|
||||
|
||||
- name: Download ipfs-update for IPFS version control
|
||||
ansible.builtin.unarchive:
|
||||
src: 'https://dist.ipfs.tech/ipfs-update/v{{ ipfs_updater_version }}/ipfs-update_v{{ ipfs_updater_version }}_linux-{{ architecture_mapping[ansible_architecture] }}.tar.gz'
|
||||
dest: /tmp
|
||||
remote_src: yes
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Install ipfs-update
|
||||
ansible.builtin.copy:
|
||||
src: /tmp/ipfs-update/ipfs-update
|
||||
dest: /usr/local/bin/ipfs-update
|
||||
owner: ipfs
|
||||
group: ipfs
|
||||
mode: '1750'
|
||||
remote_src: yes
|
||||
|
||||
- name: Install ipfs version specified
|
||||
when: 'ipfs_version is defined'
|
||||
become: true
|
||||
become_user: '{{ ipfs_user }}'
|
||||
block:
|
||||
- name: Create directory tree if not exists
|
||||
ansible.builtin.file:
|
||||
path: '~/{{ item.path }}'
|
||||
state: directory
|
||||
mode: '{{ item.mode }}'
|
||||
with_community.general.filetree: '../templates/ipfs/'
|
||||
when: item.state == 'directory'
|
||||
|
||||
- name: Create and copy hardening files
|
||||
ansible.builtin.template:
|
||||
src: '{{ item.src }}'
|
||||
dest: '~/{{ item.path }}'
|
||||
with_community.general.filetree: '../templates/ipfs/'
|
||||
when: item.state == 'file'
|
||||
|
||||
- name: Update ipfs-update version
|
||||
ansible.builtin.shell: PATH=$PATH:$HOME/.local/bin ipfs-update versions
|
||||
|
||||
- name: Install version
|
||||
ansible.builtin.shell: PATH=$PATH:$HOME/.local/bin ipfs-update install {{ ipfs_version }}
|
||||
|
||||
- include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
|
||||
|
||||
- name: Setup firewall
|
||||
ansible.builtin.include_role:
|
||||
name: iptables-ipfs
|
0
roles/ipfs/templates/ipfs/.ipfs/api
Normal file
0
roles/ipfs/templates/ipfs/.ipfs/api
Normal file
57
roles/ipfs/templates/systemd/lib/systemd/system/ipfs.service
Normal file
57
roles/ipfs/templates/systemd/lib/systemd/system/ipfs.service
Normal file
|
@ -0,0 +1,57 @@
|
|||
[Unit]
|
||||
Description=IPFS Daemon
|
||||
Documentation=https://docs.ipfs.io/
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
# hardening
|
||||
ReadWritePaths=/home/ipfs /mnt/ipfs
|
||||
NoNewPrivileges=true
|
||||
ProtectSystem=strict
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
PrivateDevices=true
|
||||
DevicePolicy=closed
|
||||
ProtectControlGroups=true
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
||||
ProtectHostname=true
|
||||
PrivateTmp=true
|
||||
ProtectClock=true
|
||||
LockPersonality=true
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
MemoryDenyWriteExecute=true
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallFilter=~@privileged
|
||||
#ProtectHome=true
|
||||
RemoveIPC=true
|
||||
RestrictSUIDSGID=true
|
||||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
|
||||
LimitNOFILE=8192
|
||||
#LimitNice=10
|
||||
MemoryAccounting=true
|
||||
#MemoryHigh=768M
|
||||
#MemoryMax=1024M
|
||||
MemorySwapMax=0
|
||||
CPUAccounting=true
|
||||
CPUQuota=40%
|
||||
TimeoutStartSec=infinity
|
||||
|
||||
Type=notify
|
||||
Environment="IPFS_PATH=/mnt/ipfs"
|
||||
Environment=IPFS_LOGGING="error"
|
||||
Environment=IPFS_FD_MAX=8192
|
||||
ExecStart=/home/ipfs/.local/bin/ipfs daemon --init --enable-gc --migrate
|
||||
User=ipfs
|
||||
Group=ipfs
|
||||
StateDirectory=ipfs
|
||||
Restart=always
|
||||
RestartSec=60
|
||||
KillMode=process
|
||||
KillSignal=SIGINT
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
2
roles/ipfs/tests/inventory
Normal file
2
roles/ipfs/tests/inventory
Normal file
|
@ -0,0 +1,2 @@
|
|||
localhost
|
||||
|
5
roles/ipfs/tests/test.yml
Normal file
5
roles/ipfs/tests/test.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- hosts: localhost
|
||||
remote_user: root
|
||||
roles:
|
||||
- ipfs
|
2
roles/ipfs/vars/main.yml
Normal file
2
roles/ipfs/vars/main.yml
Normal file
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
# vars file for ipfs
|
|
@ -11,7 +11,7 @@ Requirements
|
|||
Role Variables
|
||||
--------------
|
||||
|
||||
- **iptables_ipfs_enabled** (boolean): Enable or disable IPFS rules
|
||||
- **ipfs_enabled** (boolean): Enable or disable IPFS rules
|
||||
|
||||
Dependencies
|
||||
------------
|
||||
|
|
|
@ -1,4 +1,2 @@
|
|||
---
|
||||
# defaults file for iptables-ipfs
|
||||
|
||||
iptables_ipfs_enabled: false
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
- name: setup iptables for IPFS
|
||||
when:
|
||||
- "is_docker is not true"
|
||||
- "iptables_ipfs_enabled is true"
|
||||
- "ipfs_enabled is true"
|
||||
block:
|
||||
- name: Allow new, established packets on TCP/UDP port 4001 (IPFS)
|
||||
ansible.builtin.iptables:
|
||||
|
|
Loading…
Reference in a new issue