Commit c3a3f12c authored by Dominic Hargreaves's avatar Dominic Hargreaves

Base ansible setup

parent 02ab4e63
[defaults]
hostfile = inventory
ansible_managed = Ansible managed
transport = paramiko
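Review bot: `hostfile = inventory` uses the pre-2.0 name of this setting; current Ansible reads `inventory =` and only honours `hostfile` through a deprecation shim, so once that shim is gone the play silently falls back to the default inventory path. Change it to `inventory = inventory`. `transport = paramiko` also forgoes OpenSSH's connection multiplexing and its host-key handling; unless there is a specific reason for it, the default transport is the better choice — worth a comment either way.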
---
- name: Role which applies to all hosts
hosts: all
roles:
- { role: base, become: yes }
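Review bot: `become: yes` is a YAML 1.1 truthy literal, as are `console_on_tty0: False`/`True`, `shorewall_outbound_default_allow: no` and `shorewall_enabled: True` in the vars files further down. Ansible accepts them, but yamllint's `truthy` rule flags them and a YAML 1.2 parser reads `yes`/`no` as strings, so write `become: true` here and `true`/`false` in the vars files. The flow-style `- { role: base, become: yes }` would also read more consistently as a block mapping.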
---
serial_console_index: 0
console_on_tty0: False
---
primary_ipv4: 185.73.44.171
primary_ipv6: 2001:ba8:0:2c77:0:4:0:1
ipv4_netmask: 255.255.252.0
ipv4_gateway: 185.73.44.1
[alioth-lists]
alioth-lists-01.debian.net
[kvm-guests]
alioth-lists-01.debian.net
---
resolvers:
- "2001:ba8:0:2c02::"
- "185.73.44.3"
- "2001:ba8:0:2c04::"
per_host_hosts: []
sshd_listeners: []
primary_network_interface: ens3
additional_ipv6_addresses: []
additional_ipv4_addresses: []
console_on_tty0: True
serial_console_speed: 115200
debian_sections:
- main
debian_release: stretch
debian_mirror: http://the.earth.li/debian/
---
- name: reload ssh
service: name=ssh state=reloaded
- name: update grub
command: update-grub
- name: apt-get update
apt: update_cache=yes
- name: reload fail2ban
service: name=fail2ban state=restarted
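Review bot: No handler applies the sysctl template, and the task that writes `etc/sysctl.d/local.conf.j2` has no `notify`, so the sysctl settings only take effect on the next reboot. Add `- name: reload sysctl` / `command: sysctl --system` here and notify it from that template task. The `reload fail2ban` handler actually runs `state=restarted`; either rename it to `restart fail2ban` or use `state=reloaded` so the name matches what operators see in the play output.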
---
dependencies:
- { role: shorewall }
---
- user: name=dom groups=sudo,adm uid=1000
- authorized_key: user=dom key="{{ lookup('file', 'ssh_keys/dom-himalia') }}"
- authorized_key: user=dom key="{{ lookup('file', 'ssh_keys/dom-themisto') }}"
---
- apt: name={{item}}
with_items:
- sudo
- vim
- etckeeper
- ntp
- exim4
- fail2ban
- screen
- template: src=etc/sysctl.d/local.conf.j2 dest=/etc/sysctl.d/local.conf
- template: src=etc/resolv.conf.j2 dest=/etc/resolv.conf
- template: src=etc/apt/sources.list.j2 dest=/etc/apt/sources.list
notify:
- apt-get update
- template: src=etc/hosts.j2 dest=/etc/hosts
- template: src=etc/ssh/sshd_config.j2 dest=/etc/ssh/sshd_config
notify:
reload ssh
- template: src=etc/network/interfaces.j2 dest=/etc/network/interfaces
- template: src=etc/default/grub.j2 dest=/etc/default/grub
notify:
- update grub
- template: src=etc/fail2ban/jail.local.j2 dest=/etc/fail2ban/jail.local
notify:
- reload fail2ban
- template: src=etc/sudoers.j2 dest=/etc/sudoers mode=0440 owner=root group=root
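Review bot: The `/etc/sudoers` and `/etc/ssh/sshd_config` templates are installed without `validate`, so a rendering mistake (a malformed `sshd_listeners` entry, a stray character in sudoers) replaces the live file as-is and, for sudoers, locks every sudo user out until someone with root repairs it by hand. Add `validate='visudo -cf %s'` to the sudoers task and `validate='/usr/sbin/sshd -t -f %s'` to the sshd_config task so the rendered file is checked before it goes live. The `apt: name={{item}}` loop also runs before the `sources.list` template, so the first run installs from whatever mirror the image shipped with; moving the sources.list task ahead of it (with `meta: flush_handlers` to run `apt-get update`) would make the first run use the configured mirror.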
# Ansible managed
deb {{ debian_mirror }} {{ debian_release }} {{ debian_sections|join(' ') }}
deb {{ debian_mirror }} {{ debian_release}}-updates {{ debian_sections|join(' ') }}
deb http://security.debian.org/ {{ debian_release }}/updates {{ debian_sections|join(' ') }}
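Review bot: The security line hard-codes the `{{ debian_release }}/updates` suite layout, which only exists up to buster; bullseye and later publish security updates under `{{ debian_release }}-security` on `security.debian.org/debian-security`, so bumping `debian_release` past buster silently drops security updates. Either document that constraint next to the line or derive the suite name from the release. `{{ debian_release}}` on the updates line is also missing the space before `}}` that the other lines have.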
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
# info -f grub -n 'Simple configuration'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
{% if serial_console_index is defined %}
{% if console_on_tty0 %}
GRUB_CMDLINE_LINUX="console=tty0 console=ttyS{{ serial_console_index }},{{ serial_console_speed }}n8"
{% else %}
GRUB_CMDLINE_LINUX="console=ttyS{{ serial_console_index }},{{ serial_console_speed }}n8"
{% endif %}
{% endif %}
# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
# Uncomment to disable graphical terminal (grub-pc only)
{% if serial_console_index is defined %}
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed={{ serial_console_speed }} --unit={{ serial_console_index }} --word=8 --parity=no --stop=1"
{% else %}
GRUB_TERMINAL=console
{% endif %}
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"
# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"
# {{ ansible_managed }}
#
# ACTIONS
#
[DEFAULT]
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
#banaction = iptables-multiport
banaction = shorewall
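Review bot: jail.local only switches `banaction` to shorewall and enables no jail itself, so whether ssh brute-force attempts are actually banned depends on the package's `jail.d` defaults (Debian ships a `defaults-debian.conf` enabling `sshd` — confirm for the stretch package). Adding an explicit `[sshd]` section with `enabled = true` keeps the role's protection independent of package defaults. The shorewall action also relies on dynamic blacklisting being enabled in `shorewall.conf`, which this commit does not manage; verify on a host that a ban really produces a drop rule.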
# Managed by ansible
127.0.0.1 localhost
{{ primary_ipv4 }} {{ inventory_hostname }} {{ ansible_hostname }}
{% for host in per_host_hosts %}
{{ host.ip }} {{ host.name }}
{% endfor %}
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
auto {{ primary_network_interface }}
iface {{ primary_network_interface }} inet static
address {{ primary_ipv4 }}
netmask {{ ipv4_netmask }}
gateway {{ ipv4_gateway }}
up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
iface {{ primary_network_interface }} inet6 static
address {{ primary_ipv6 }}
netmask 64
{% for addr in additional_ipv6_addresses %}
pre-up ip -6 addr add {{ addr }} dev $IFACE
pre-up ip -6 addr change {{ addr }} dev $IFACE preferred_lft 0
{% endfor %}
{% for addr in additional_ipv4_addresses %}
auto {{ primary_network_interface }}:{{ addr.index }}
iface {{ primary_network_interface }}:{{ addr.index }} inet static
address {{ addr.addr }}
netmask {{ ipv4_netmask }}
{% endfor %}
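Review bot: `pre-up ip -6 addr add {{ addr }} dev $IFACE` is not idempotent: if the address is already present (re-running `ifup`, or after a previous run added it), `ip` exits non-zero with "RTNETLINK answers: File exists" and ifupdown aborts bringing the interface up. Append `|| true` to the `add` line; the following `change` line still sets `preferred_lft 0`. The IPv6 prefix length is hard-coded as `netmask 64` while the IPv4 mask is a variable; a prefix-length variable (name to taste) would keep the two stanzas consistent.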
# Managed by ansible
search debian.net
{% for resolver in resolvers %}
nameserver {{ resolver }}
{% endfor %}
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
{% for listener in sshd_listeners %}
ListenAddress {{ listener.address }}:{{ listener.port }}
{% endfor %}
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
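Review bot: Password logins stay enabled: `PasswordAuthentication` is left commented at its OpenSSH default of `yes` and `UsePAM yes` is set, so the key-only model implied by the `authorized_key` tasks for `dom` is not enforced and any account with a password remains reachable by guessing. Add `PasswordAuthentication no` next to `ChallengeResponseAuthentication no`. The generated `ListenAddress {{ listener.address }}:{{ listener.port }}` is also wrong for IPv6 literals, which sshd requires as `ListenAddress [addr]:port`; bracket the address in the template or require the consumer to supply it bracketed. `X11Forwarding yes` is unnecessary on a headless host and can be set to `no` to reduce attack surface.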
# {{ ansible_managed }}
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL = (ALL) NOPASSWD: ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
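Review bot: `%sudo ALL = (ALL) NOPASSWD: ALL` grants password-less root to every member of `sudo`, so with the key-only SSH setup the compromise of any key listed under `ssh_keys/` is immediately a full root compromise with no second check. Debian's stock line is `%sudo ALL=(ALL:ALL) ALL`; if password-less sudo is a deliberate trade-off for automation, record the reason in a comment above the line, otherwise drop `NOPASSWD:`. Keeping `#includedir /etc/sudoers.d` while Ansible owns the whole file also means anything packages drop there bypasses this review, which is fine but worth a one-line comment.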
# Managed by ansible
net.ipv4.conf.ens3.autoconf = 0
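Review bot: `net.ipv4.conf.ens3.autoconf` is not a setting the kernel exposes — address autoconfiguration is an IPv6 knob under `net.ipv6.conf.<if>.autoconf`, which is also what the interfaces template pokes via `/proc/sys/net/ipv6/conf/$IFACE/autoconf` — so applying this file logs an error for the line and changes nothing. The interface name is also hard-coded while the rest of the role uses `primary_network_interface`. Replace the line with `net.ipv6.conf.{{ primary_network_interface }}.autoconf = 0`.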
---
fw_interface_types: [ens]
shorewall_outbound_default_allow: no
shorewall_group_rule_includes: []
resolvconf_resolvers: []
resolvconf_resolvers_v6: []
trusted_ip4:
- 81.187.82.224/27
- 185.73.44.121
- 62.253.227.100
trusted_ip6:
- 2001:8b0:1bf::/64
- 2001:ba8:0:2c77:0:1:0:2
shorewall_enabled: True
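Review bot: `resolvconf_resolvers` and `resolvconf_resolvers_v6` default to empty lists and nothing maps the `resolvers` list from group_vars/all onto them, so the rules template always takes its `DNS(ACCEPT) $FW all` fallback and outbound DNS is allowed to any host rather than only the configured resolvers. Either derive these defaults from `resolvers` (that list mixes v4 and v6 entries, so the role would need to split them) or drop one of the two variable families so there is a single source of truth. `shorewall_outbound_default_allow: no` and `shorewall_enabled: True` should be `false`/`true`.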
# TODO: this is wrong; we should be using refresh but ansible
# doesn't support it. restarted can fail open
- name: reload shorewall
service: name=shorewall state=restarted
- name: reload shorewall6
service: name=shorewall6 state=restarted
---
- apt: name={{item}}
with_items:
- shorewall
- shorewall6
- file: path=/etc/shorewall/rules.d state=directory
- file: path=/etc/shorewall6/rules.d state=directory
- set_fact:
shorewall_variant: ip4
- template: src=etc/shorewall/hosts.j2 dest=/etc/shorewall/hosts
notify:
- reload shorewall
- template: src=etc/shorewall/interfaces.j2 dest=/etc/shorewall/interfaces
notify:
- reload shorewall
- template: src=etc/shorewall/policy.j2 dest=/etc/shorewall/policy
notify:
- reload shorewall
- template: src=etc/shorewall/rules.j2 dest=/etc/shorewall/rules
notify:
- reload shorewall
- template: src=etc/shorewall/zones.j2 dest=/etc/shorewall/zones
notify:
- reload shorewall
- template: src=etc/shorewall/rules.d/{{item}}.j2 dest=/etc/shorewall/rules.d/{{item}}.rules
when: item in group_names
with_items: "{{ shorewall_group_rule_includes }}"
notify:
- reload shorewall
- set_fact:
shorewall_variant: ip6
- template: src=etc/shorewall/hosts.j2 dest=/etc/shorewall6/hosts
notify:
- reload shorewall6
- template: src=etc/shorewall/interfaces.j2 dest=/etc/shorewall6/interfaces
notify:
- reload shorewall6
- template: src=etc/shorewall/policy.j2 dest=/etc/shorewall6/policy
notify:
- reload shorewall6
- template: src=etc/shorewall/rules.j2 dest=/etc/shorewall6/rules
notify:
- reload shorewall6
- template: src=etc/shorewall/zones.j2 dest=/etc/shorewall6/zones
notify:
- reload shorewall6
- template: src=etc/default/{{item}}.j2 dest=/etc/default/{{item}}
with_items:
- shorewall
- shorewall6
- template: src=etc/shorewall/rules.d/{{item}}.j2 dest=/etc/shorewall6/rules.d/{{item}}.rules
when: item in group_names
with_items: "{{ shorewall_group_rule_includes }}"
notify:
- reload shorewall6
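Review bot: The `/etc/default/{{item}}` template task has no `notify`, so flipping `shorewall_enabled` rewrites `startup=` but never restarts or stops the service; the change only lands on the next reboot or when an unrelated template happens to change. Add `notify:` with `- reload shorewall` and `- reload shorewall6` to that task (a loop can only notify both, which is acceptable here). The `rules.d` directories are created but never pruned, so a host that leaves a group keeps its old `*.rules` file and the `SHELL cat` in the rules template keeps loading it; a `file: state=absent` for includes no longer in `group_names` would close that gap.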
# Managed by ansible
{% if shorewall_enabled %}
startup=1
{% else %}
startup=0
{% endif %}
# If your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall
# to wait until the interface is configured. Otherwise the script will fail
# because it won't be able to detect the IP address.
#
# Example:
# wait_interface="ppp0"
# or
# wait_interface="ppp0 ppp1"
# or, if you have defined in /etc/shorewall/params
# wait_interface=
#
# Global start/restart options
#
OPTIONS=""
#
# Start options
#
STARTOPTIONS=""
#
# Restart options
#
RESTARTOPTIONS=""
#
# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
#
INITLOG=/dev/null
#
# Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
# a safe state rather than to open it
#
SAFESTOP=0
# EOF
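Review bot: `SAFESTOP=0` means an explicit stop of the service clears the firewall completely rather than placing it in the safe state defined by shorewall's `stopped` rules; the handlers' TODO already covers the restart half of this, and `SAFESTOP=1` is the knob for the stop half. Set it to `1` here and in the shorewall6 file below, and confirm on a stretch host that the systemd unit honours `/etc/default/shorewall` for it. The two default files are otherwise near-identical and could be one template with the variant substituted.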
# Managed by ansible
# prevent startup with default configuration
# set the following varible to 1 in order to allow Shorewall6 to start
{% if shorewall_enabled %}
startup=1
{% else %}
startup=0
{% endif %}
# if your Shorewall6 configuration requires detection of the ip address of a
# ppp interface, you must list such interfaces in "wait_interface" to get
# Shorewall6 to wait until the interface is configured. Otherwise the script
# will fail because it won't be able to detect the IP address.
#
# Example:
# wait_interface="ppp0"
# or
# wait_interface="ppp0 ppp1"
# or, if you have defined in /etc/shorewall6/params
# wait_interface=
#
# Startup options
#
OPTIONS=""
#
# Start options
#
STARTOPTIONS=""
#
# Restart options
#
RESTARTOPTIONS=""
#
# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
#
INITLOG=/dev/null
#
# Set this to 1 to cause '/etc/init.d/shorewall6 stop' to place the firewall in
# a safe state rather than to open it
#
SAFESTOP=0
# EOF
# Managed by ansible
#
# Shorewall version 4 - Hosts file
#
# For information about entries in this file, type "man shorewall-hosts"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-hosts.html
#
###############################################################################
#ZONE HOST(S) OPTIONS
{% for interface_type in fw_interface_types %}
{% if shorewall_variant == 'ip4' %}
net {{ interface_type }}+:0.0.0.0/0
trst {{ interface_type}}+:{{ trusted_ip4|join(',') }}
{% else %}
net {{ interface_type }}+:[::/0]
trst {{ interface_type}}+:[{{ trusted_ip6|join('],[') }}]
{% endif %}
{% endfor %}
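Review bot: The `trst` lines render as `trst ens+:` when `trusted_ip4` (or `trusted_ip6`) is overridden to an empty list, which as far as I can tell shorewall rejects at compile time, so the firewall is then never updated. Wrap each `trst` line in `{% if trusted_ip4 %}` / `{% if trusted_ip6 %}` so an empty list yields an empty zone instead of a syntax error. `{{ interface_type}}` is also missing the space before `}}` that the `net` lines have.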
# Managed by ansible
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
?FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
{% for interface_type in fw_interface_types %}
- {{ interface_type }}+
{% endfor %}
# Managed by ansible
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
net all DROP info
all all REJECT info(uid)
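Review bot: Both policies log at `info` with nothing in the LIMIT column, so a port scan or a flood from the net zone becomes one syslog line per packet and can fill `/var/log` or starve rsyslog. Add a rate limit in the `LIMIT:BURST` column (see shorewall-policy(5) for the exact form), at least on the `net all DROP info` line. A short comment above `all all REJECT info(uid)` noting that it also governs traffic originating from the firewall itself would help the next reader.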
# Managed by ansible
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT(S) PORT(S) DEST LIMIT GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
## Base rules
# XXX tighten up outbound SMTP - define hubs?
SMTP(ACCEPT) $FW all - - - - - root,Debian-exim
ACCEPT $FW all icmp
# For apt
HTTP(ACCEPT) $FW all - - - - - root
HTTPS(ACCEPT) $FW all - - - - - root
HTTP(ACCEPT) $FW all - - - - - _apt
HTTPS(ACCEPT) $FW all - - - - - _apt
{% if resolvconf_resolvers or resolvconf_resolvers_v6 %}
{% if resolvconf_resolvers and shorewall_variant == 'ip4' %}
DNS(ACCEPT) $FW all:{{ resolvconf_resolvers|join(',') }}
{% endif %}
{% if resolvconf_resolvers_v6 and shorewall_variant == 'ip6' %}
DNS(ACCEPT) $FW all:[{{ resolvconf_resolvers_v6|join('],[') }}]
{% endif %}
{% else %}
DNS(ACCEPT) $FW all
{% endif %}
NTP(ACCEPT) $FW all - - - - - root,ntp
Ping(ACCEPT) all $FW
SSH(ACCEPT) trst $FW
{% if shorewall_variant == 'ip4' %}
ACCEPT trst:185.73.44.121 $FW tcp 4949
{% endif %}
## Service-specific rules
{% if shorewall_variant == 'ip4' %}
SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true
{% else %}
SHELL cat /etc/shorewall6/rules.d/*.rules 2> /dev/null || true
{% endif %}
{% if shorewall_outbound_default_allow %}
ACCEPT $FW all
{% endif %}
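Review bot: `ACCEPT trst:185.73.44.121 $FW tcp 4949` hard-codes a single address and port inside the template while the rest of the role drives such data through variables (`trusted_ip4`, `shorewall_group_rule_includes`), so a per-host change requires editing the template. Move it to a variable — a list of address/port entries looped over in the template (name to taste) — so the rules file reads the same way for every host. The `XXX tighten up outbound SMTP` note above the `SMTP(ACCEPT)` line is worth tracking as an issue rather than only in the template.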
# Managed by ansible
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net -
trst:net -
---
- include: base.yml