handbook.yml

@@ -4,23 +4,28 @@
   hosts: "{{ target if target is defined else 'planets' }}"
 
   roles:
+    # Hardening
+    # - role: iptables-persistent
+    #   tags: [firewall, ips, ids]
+
     - role: hardening-basic
       tags: [hardening, ips, ids]
-
-    - role: iptables-persistent
-      tags: [firewall, ips, ids]
     - role: iptables-basic
       tags: [firewall, ips, ids]
+    - role: fail2ban-basic
+      tags: [fail2ban, ips, ids]
+    - role: auditd
+      tags: [auditd]
+
     - role: iptables-webserver
       tags: [firewall, webserver]
 
-    - role: fail2ban-basic
-      tags: [fail2ban, ips, ids]
-
+    # Services
     - role: ipfs
       tags: [ipfs]
     - role: yggdrasil
       tags: [yggdrasil]
-
     - role: snort-community
       tags: [snort, ips, ids]
+    - role: dns-filter
+      tags: [dns_filter]

roles/ansible-node/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/ansible-node/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/ansible-node/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for ansible-node

roles/ansible-node/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for ansible-node

roles/ansible-node/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/ansible-node/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+# tasks file for ansible-node
+
+- name: Setup node with ansible for given user
+  when: 'ansible_node_user is defined'
+  block:
+    - name: Install python3-pip if not present
+      ansible.builtin.package:
+        name: python3-pip
+
+    - name: Install ansible with pip
+      become: true
+      become_user: '{{ ansible_node_user }}'
+      ansible.builtin.shell: python3 -m pip install --user ansible

roles/ansible-node/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/ansible-node/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - ansible-node

roles/ansible-node/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for ansible-node

roles/auditd/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/auditd/README.md

@@ -0,0 +1,35 @@
+auditd
+=========
+
+This role install and setup auditd rules for services
+
+Requirements
+------------
+
+.
+
+Role Variables
+--------------
+
+- **auditd_enabled** (boolean): Enable or disable auditd support
+- **auditd_rules** (array): List of services to install rules
+
+Dependencies
+------------
+
+.
+
+Example Playbook
+----------------
+
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target" --tags auditd`
+
+License
+-------
+
+GPLv3
+
+Author Information
+------------------
+
+- [Claudio Maradonna](https://social.unitoo.it/claudio)

roles/auditd/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+# defaults file for auditd
+
+auditd_enabled: false
+auditd_rules:
+  - docker

roles/auditd/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for auditd

roles/auditd/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/auditd/tasks/install_rules.yml

@@ -0,0 +1,14 @@
+- name: Install rules for {{ item }}
+  ansible.builtin.file:
+    path: '/{{ item.path }}'
+    state: directory
+    mode: '{{ item.mode }}'
+  with_community.general.filetree: '../templates/{{ item }}/'
+  when: item.state == 'directory'
+
+- name: Create and copy rules files
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '/{{ item.path }}'
+  with_community.general.filetree: '../templates/{{ item }}/'
+  when: item.state == 'file'

roles/auditd/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+# tasks file for auditd
+
+- name: Install and setup rules Auditd if enabled
+  when: 'auditd_enabled is true'
+  block:
+    - name: Install auditd
+      ansible.builtin.package:
+        name: auditd
+
+    - name: Create directory tree if not exists
+      include_tasks: install_rules.yml
+      loop: '{{ auditd_rules }}'

roles/auditd/templates/docker/etc/audit/rules.d/docker.rules

@@ -0,0 +1,13 @@
+-w /etc/docker -k docker
+-w /etc/default/docker -k docker
+-w /etc/docker/daemon.json -k docker
+-w /etc/containerd/config.toml -k docker
+-w /lib/systemd/system/docker.service -k docker
+-w /lib/systemd/system/docker.socket -k docker
+-w /run/containerd -k docker
+-w /usr/bin/containerd -k docker
+-w /usr/bin/containerd-shim -k docker
+-w /usr/bin/containerd-shim-runc-v1 -k docker
+-w /usr/bin/containerd-shim-runc-v2 -k docker
+-w /usr/bin/runc -k docker
+-w /var/lib/docker -k docker

roles/auditd/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/auditd/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - auditd

roles/auditd/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for auditd

roles/dns-filter/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/dns-filter/README.md

@@ -0,0 +1,35 @@
+dns-filter
+=========
+
+This role setup selected dns-filter
+
+Requirements
+------------
+
+.
+
+Role Variables
+--------------
+
+- **dns_filter_enabled** (boolean): if true enable dns filter
+- **dns_filter_selected** (string): selectable dns filter, check filter list
+
+Dependencies
+------------
+
+.
+
+Example Playbook
+----------------
+
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target go_path=/opt/go/bin" --tags dns_filter`
+
+License
+-------
+
+GPLv3
+
+Author Information
+------------------
+
+- [Claudio Maradonna](https://social.unitoo.it/claudio)

roles/dns-filter/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+# defaults file for dns-filter
+
+dns_filter_enabled: false
+dns_filter_list: ['pi-hole', 'zabov']
+dns_filter_selected: zabov

roles/dns-filter/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for dns-filter

roles/dns-filter/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/dns-filter/tasks/main.yml

@@ -0,0 +1,11 @@
+---
+# tasks file for dns-filter
+
+- name: Install selected DNS filter if enabled
+  when:
+    - "dns_filter_enabled is true"
+    - "dns_filter_selected in dns_filter_list"
+  block:
+    - name: Call DNS filter role
+      ansible.builtin.include_role:
+        name: "{{ dns_filter_selected }}"

roles/dns-filter/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/dns-filter/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - dns-filter

roles/dns-filter/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for dns-filter

roles/iptables-persistent/tasks/main.yml

@@ -1,6 +1,7 @@
 - name: Handle iptables-persistent
   when:
     - "is_docker is not true"
+    - "iptables_persistent_save_to_file is true"
   block:
     - name: Install iptables-persistent package
       ansible.builtin.package:

roles/iptables-persistent/tasks/save_rules_for_Debian.yml

@@ -1,5 +1,4 @@
 - name: Save iptables rules
-  when: "iptables_persistent_save_to_file is true"
   block:
     - name: Save rules with iptables-persistent v4
       ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4

roles/zabov/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/zabov/README.md

@@ -0,0 +1,38 @@
+zabov
+=========
+
+This role setup Zabov DNS filter
+
+Requirements
+------------
+
+.
+
+Role Variables
+--------------
+
+- **zabov_git_url** (string): Git valid url of Zabov
+- **zabov_git_branch** (string): Zabov Git branch
+- **zabov_installation_path** (string): Zabov installation path
+- **zabov_user** (string): Zabov dedicated user
+- **zabov_group** (string): Zabov dedicated group
+
+Dependencies
+------------
+
+.
+
+Example Playbook
+----------------
+
+`ansible-playbook -i inventory/example.yml handbook.yml --extra-vars="target=your_target go_path=/opt/go/bin" --tags dns_filter`
+
+License
+-------
+
+GPLv3
+
+Author Information
+------------------
+
+- [Claudio Maradonna](https://social.unitoo.it/claudio)

roles/zabov/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+# defaults file for zabov
+
+zabov_git_url: "https://git.keinpfusch.net/loweel/zabov"
+zabov_installation_path: "/home/zabov/zabov"
+zabov_git_branch: "master"
+zabov_user: zabov
+zabov_group: zabov

roles/zabov/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for zabov

roles/zabov/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/zabov/tasks/install_systemd_service.yml

@@ -0,0 +1,15 @@
+- name: Setup systemd
+  when: 'is_docker is not true'
+  block:
+    - name: Install systemd files
+      ansible.builtin.template:
+        src: '{{ item.src }}'
+        dest: '/{{ item.path }}'
+      with_community.general.filetree: '../templates/systemd/'
+      when: item.state == 'file'
+
+    - name: Enable service
+      ansible.builtin.systemd:
+        name: zabov
+        state: started
+        daemon_reload: yes

roles/zabov/tasks/main.yml

@@ -0,0 +1,74 @@
+---
+# tasks file for zabov
+
+- name: Install zabov from sources
+  when: 'go_path is defined'
+  block:
+    - name: Install git if needed
+      ansible.builtin.package:
+        name: git
+
+    - name: Create zabov group
+      group:
+        name: "{{ zabov_group }}"
+        state: present
+
+    - name: Create zabov user
+      user:
+        name: "{{ zabov_user }}"
+        state: present
+        shell: /sbin/nologin
+        group: "{{ zabov_group }}"
+
+    - name: Official repo print url
+      debug:
+        msg: "{{ zabov_git_url }}"
+
+    - name: Compile zabov
+      become: true
+      become_user: "{{ zabov_user }}"
+      block:
+        - name: Check if repo is cloned
+          stat:
+            path: "{{ zabov_installation_path }}"
+          register: installation_path
+
+        - name: Clone repo
+          when: 'not installation_path.stat.exists'
+          ansible.builtin.git:
+            repo: "{{ zabov_git_url }}"
+            dest: "{{ zabov_installation_path }}"
+            single_branch: yes
+            version: "{{ zabov_git_branch }}"
+
+        - name: Update repo
+          ansible.builtin.git:
+            repo: "{{ zabov_git_url }}"
+            dest: "{{ zabov_installation_path }}"
+            update: yes
+
+        - name: Get $PATH
+          ansible.builtin.shell:
+            cmd: "echo $PATH"
+          register: path_env
+
+        - name: Get go dependencies
+          ansible.builtin.shell:
+            cmd: "go get"
+            chdir: "{{ zabov_installation_path }}"
+          environment:
+              PATH: '{{ go_path }}:{{ path_env }}'
+          args:
+              executable: /bin/bash
+
+        - name: Build executable
+          ansible.builtin.shell:
+            cmd: "go build -mod=vendor"
+            chdir: "{{ zabov_installation_path }}"
+          environment:
+              PATH: '{{ go_path }}:{{ path_env }}'
+          args:
+              executable: /bin/bash
+
+- include_tasks: "install_{{ ansible_service_mgr }}_service.yml"
+  ignore_errors: true

roles/zabov/templates/systemd/lib/systemd/system/zabov.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Zabov Daemon
+Documentation=https://git.keinpfusch.net/loweel/zabov
+Wants=network.target
+After=network.target
+
+[Service]
+Type=simple
+WorkingDirectory={{ zabov_installation_path }}
+ExecStart={{ zabov_installation_path }}/zabov
+User={{ zabov_user }}
+Group={{ zabov_group }}
+StateDirectory=zabov
+Restart=always
+RestartSec=60
+KillMode=process
+KillSignal=SIGINT
+ProtectSystem=true
+SecureBits=keep-caps
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target

roles/zabov/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/zabov/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - zabov

roles/zabov/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for zabov

setup-node.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: "Setup the target for pi-hole"
+- name: "Setup a node as ansible-able"
   hosts: "{{ target if target is defined else 'planets' }}"
   roles:
-    - role: pi-hole
+    - role: ansible-node

ssh-copy-id.yml

@@ -0,0 +1,12 @@
+---
+
+- hosts: "{{ target if target is defined else 'planets' }}"
+  tasks:
+    - name: "Copy ssh-copy-id given key and target user"
+      when:
+        - 'ssh_user is defined'
+        - 'ssh_copy_id is defined'
+      ansible.posix.authorized_key:
+        user: "{{ ssh_user }}"
+        state: present
+        key: "{{ ssh_copy_id }}"