Added default IPv4 iptables rules

a4922267 · Chris Croome · 72af8e0f · a4922267 · a4922267 · a4922267
Commit a4922267 authored 7 years ago by Chris Croome
--- a/README.md
+++ b/README.md
@@ -5,16 +5,29 @@ These Playbooks are designed to be used on Debian Stretch virtual servers.
 ## Discourse

 Login to the console, install `python`, enable root ssh access using keys and
-then these playbooks can be run (the second one needs to be run after the first
-installs Discourse and you get the API key from
-`https://$SERVERNAME/admin/api/keys`):
+then run the first Playbook:

 ```bash
 export SERVERNAME="community.coops.tech"
 ansible-playbook -u root discourse.yml -i "${SERVERNAME}," -e "hostname=${SERVERNAME}"
+```
+
+Then login to the site, get the API key from
+`https://$SERVERNAME/admin/api/keys` and run the second Playbook, adding the
+API key when prompted:
+
+```bash
+export SERVERNAME="community.coops.tech"
 ansible-playbook -u root discourse_api.yml -i "${SERVERNAME}," -e "hostname=${SERVERNAME}"
 ```

+Then check these settings for email:
+
+* **Required : notification email** set this to `discourse@$SERVERNAME` (use the actual domain name not $SERVERNAME)
+* **Email : reply by email enabled** tick *"Enable replying to topics via email."* 
+* **Email : reply by email address** set this to `discourse+%{reply_key}@$SERVERNAME`
+* **Email : manual polling enabled** rick *"Push emails using the API for email replies."*
+
 The email setup is based on the
 [mail-reciever](https://github.com/discourse/mail-receiver) Docker container
 plus the [outstanding pull
@@ -22,6 +35,11 @@ request](https://github.com/discourse/mail-receiver/pull/2) and the [Postfix
 notes](https://meta.discourse.org/t/emails-with-local-smtp/23645/28) for using
 the host for outgoing email.

+Tighten some security settings:
+
+* **Security : force https** tick *"Force your site to use HTTPS only. WARNING: do NOT enable this until you verify HTTPS is fully set up and working absolutely everywhere! Did you check your CDN, all social logins, and any external logos / dependencies to make sure they are all HTTPS compatible, too?"*
+* **Security : same site cookies** select *"Strict"*
+ 
 TODO:

 * Test the email setup

--- a/roles/email/tasks/main.yml
+++ b/roles/email/tasks/main.yml
@@ -76,6 +76,12 @@
 - name: Postfix set for ipv4 only
  command: postconf -e "inet_protocols = ipv4"

+- name: Postfix stopped for inet_protocols change
+  command: postfix stop
+
+- name: Postfix started after inet_protocols change
+  command: postfix start
+
 - name: Postfix opportunistic TLS enabled
  command: postconf -e "smtp_tls_security_level = may"


--- a/roles/iptables/tasks/main.yml
+++ b/roles/iptables/tasks/main.yml
@@ -7,9 +7,16 @@
  with_items:
    - iptables-persistent

+- name: Get the app container IP address
+  command: "docker inspect --format '{''{ .NetworkSettings.IPAddress }''}' app"
+  register: app_ip_address
+
+- debug:
+    msg: "The Discourse app Docker container has the IP address {{ app_ip_address.stdout }}"
+
 - name: Ipv4 iptables rules in place
-  copy:
-    src: files/rules.v4
+  template:
+    src: templates/rules.v4.j2
    dest: /etc/iptables/rules.v4

 - name: Firewall reloaded

--- a/roles/iptables/templates/rules.v4.j2
+++ b/roles/iptables/templates/rules.v4.j2
+# Ansible Generated 
+*nat
+:PREROUTING ACCEPT [1480:146319]
+:INPUT ACCEPT [935:55070]
+:OUTPUT ACCEPT [882:64367]
+:POSTROUTING ACCEPT [932:67303]
+:DOCKER - [0:0]
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
+-A POSTROUTING -s {{ app_ip_address }}/32 -d {{ app_ip_address }}/32 -p tcp -m tcp --dport 443 -j MASQUERADE
+-A POSTROUTING -s {{ app_ip_address }}/32 -d {{ app_ip_address }}/32 -p tcp -m tcp --dport 80 -j MASQUERADE
+-A DOCKER -i docker0 -j RETURN
+-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination {{ app_ip_address }}:443
+-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination {{ app_ip_address }}:80
+COMMIT
+# 
+*filter
+:INPUT ACCEPT [17670:3342836]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [16386:2417598]
+:DOCKER - [0:0]
+:DOCKER-ISOLATION - [0:0]
+-A FORWARD -j DOCKER-ISOLATION
+-A FORWARD -o docker0 -j DOCKER
+-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+-A FORWARD -i docker0 -o docker0 -j ACCEPT
+-A DOCKER -d {{ app_ip_address }}/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
+-A DOCKER -d {{ app_ip_address }}/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
+-A DOCKER-ISOLATION -j RETURN
+COMMIT
+#