The kstraat.casa Ansible automation!

[[source]]
url = "https://pypi.org/simple"
name = "pypi"
verify_ssl = true
[packages]
ansible = "*"
[dev-packages]
# kstraat-casa-plays
The Ansible playbooks for the [kstraat.casa] homebrew setup.
[kstraat.casa]: https://kstraat.casa/
## Automation <3
```bash
$ pip install --user pipenv
$ pipenv install --dev --three
```
Then, for example, you can run the ping health check with:
```bash
$ pipenv run ansible-playbook playbooks/healthchecks/ping.yml
```
[defaults]
forks=10
internal_poll_interval=0.004
inventory=hosts
retry_files_enabled=false
roles_path=roles
vault_password_file=bin/open-vault
timeout=30
[privilege_escalation]
become=False
become_method=sudo
[ssh_connection]
pipelining=True
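Review bot: Booleans appear in three spellings in this file — `retry_files_enabled=false`, `become=False`, `pipelining=True`; Ansible's config loader accepts all of them case-insensitively, so this is style only, but one form (lower-case `false`/`true`, already the majority here) avoids the question. `vault_password_file=bin/open-vault` and `inventory=hosts` are relative paths; as I read the config loader, path-typed settings are resolved against the directory holding `ansible.cfg`, which works only as long as this file stays at the repository root. A one-line comment recording that, `; paths below are relative to this file's directory`, would spare the next reader the experiment.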
#!/bin/bash
pass show homebrew/vault_password
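Review bot: The helper has no comment stating what it is for or what it needs: `ansible.cfg` points `vault_password_file` at it, so a failing `pass show` (no `pass` installed, locked GPG agent) surfaces to the operator as a vault-decryption error. Its exit status is simply that of the single `pass` command, which is the right behaviour, but worth stating. A header such as `# Vault password helper referenced from ansible.cfg: prints the secret stored at homebrew/vault_password via pass(1); needs an unlocked GPG agent.` documents both.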
[homebrew]
kstraat.casa
AnonIPLimit = 10
ConnectDelay = 5
HideVersion = false
LoadModule = webadmin
MaxBufferSize = 500
ProtectWebSessions = true
SSLCertFile = /home/znc/.znc/znc.pem
ServerThrottle = 30
Version = 1.6.5
<Listener listener0>
AllowIRC = true
AllowWeb = true
IPv4 = true
IPv6 = true
Port = {{ znc_port }}
SSL = true
URIPrefix = /
</Listener>
<User {{ znc_user }}>
Admin = true
AltNick = {{ znc_user }}_
AppendTimestamp = false
AutoClearChanBuffer = true
AutoClearQueryBuffer = true
Buffer = 50
DenyLoadMod = false
DenySetBindHost = false
Ident = {{ znc_user }}
JoinTries = 10
LoadModule = chansaver
LoadModule = controlpanel
MaxJoins = 0
MaxNetworks = 1
MaxQueryBuffers = 50
MultiClients = true
Nick = decentral1se
PrependTimestamp = true
QuitMsg = %znc%
RealName = {{ znc_user }}
StatusPrefix = *
TimestampFormat = [%H:%M:%S]
<Network freenode>
FloodBurst = 4
FloodRate = 1.00
IRCConnectEnabled = true
JoinDelay = 0
LoadModule = simple_away
Server = chat.freenode.net +6697
</Network>
<Pass password>
Hash = {{ znc_pass_hash }}
Method = {{ znc_pass_method }}
Salt = {{ znc_pass_salt }}
</Pass>
</User>
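Review bot: `Nick = decentral1se` is the only identity field in the `<User>` block not derived from `{{ znc_user }}` (`Ident`, `AltNick` and `RealName` all are), so rendering the template with a different `znc_user` silently produces a mismatched nick; either `Nick = {{ znc_user }}` or a comment saying the nick is intentionally fixed would make that deliberate. `HideVersion = false` lets the bouncer advertise its version (`1.6.5` is pinned just above it) to every web and IRC client that connects; `HideVersion = true` costs nothing and removes that hint. The `<Pass>` block takes hash, method and salt from vaulted variables, so no credential lives in the template itself, which is the right split.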
---
- hosts: "kstraat.casa"
gather_facts: false
roles:
- role: znc
znc_domain: znc.kstraat.casa
znc_config: templates/znc.conf.j2
znc_user: !vault |
$ANSIBLE_VAULT;1.1;AES256
34666531343239353032383966663264396333313536356363326335623637326230323634353830
3937633437666666303461323065613135616238643832380a623866336337373065643963616266
64333536633131313239323834623630303633633339303739396261383338656539336137313564
3837356534343163310a623764626465663438653562313065303938643232616430643534666163
6434
znc_pass_hash: !vault |
$ANSIBLE_VAULT;1.1;AES256
32326339666263386134363563336636316234663333373364376336633062313631343535346532
6531646432663932646434616665376535376339663265300a613034323065336639386239633131
65663930333966333533633133383236326132666364613964313333366530323436303135316139
3666343430616662370a366237316638666366313438656237363639363361303938343962646566
34376435633031626664326665373331396566653436333263633134386533396532373035323037
64386266313763383035656266366434396134616465373536616336323464396333666530373631
34366435353461376135363766323031383533633165616236633633613139636532336331633665
35396536653631636437
znc_pass_salt: !vault |
$ANSIBLE_VAULT;1.1;AES256
31623261323533616634366232343734373166663731356235643431386164313839643133656536
3032643939303136616230326362653338346635326334350a643365613862313230636466663931
34363164323631356365383737633938613230373036376435633165353333373261336638653738
6433333465303166390a303133633561616139316533323234616533613033333938333163626438
62333964653364323762383633343837393965656133663435633437663137653161
znc_pass_method: !vault |
$ANSIBLE_VAULT;1.1;AES256
30373262656636396431343238633666663030356363393836656132623761303763653936343930
3432616538616536633462323030613231633137666530380a333963666130643736373637613630
34363530336337343136623465663564396238363438626264376538636563656363383865656464
3962353535316633360a613261373164306434663161343534313932343234316265653135366232
3662
znc_port: !vault |
$ANSIBLE_VAULT;1.1;AES256
62613533643130313065363863626238313962653163313430663166613031353263383633653830
3430663736393764636263306339353064353436316263620a643732623134323439663262326532
32613762366537613438646166383234363535383930336163373230303564336538363361303363
3938373332636261380a323364626666643934356337343336383537646661623438366362313636
6438
---
- hosts: "kstraat.casa"
gather_facts: false
roles:
- role: hdyndns
hdyndns_config: templates/hdyndns.ini.j2
hdyndns_api_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
63663030633834656565623161653036366562363863383462346432313962373335383863386663
3335383836396237616331616362666666323665313034650a323834386131616131333232363230
63313930313465316234656136396130373736313039663537616633393061636138306138346537
6230323739656437330a316263393637663662623938363066613039313861386533353839353865
35663734386264653763653731663432326138376137306433306366633464303363
[kstraat.casa]
provider = gandi
api_secret = {{ hdyndns_api_secret }}
subdomains = znc,netdata
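Review bot: The rendered `hdyndns.ini` holds `api_secret` in clear text, so the value that is vault-encrypted in `playbooks/hdyndns.yml` ends up on disk in whatever mode the `hdyndns` role uses when it writes the template; that role is not on this page, so confirm it sets a restrictive mode (`0600`) and the service user as owner. A leading comment in the template, `; rendered by Ansible — contains the Gandi API secret; the role must install it mode 0600`, records that expectation next to the value it protects.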
---
- hosts: "kstraat.casa"
gather_facts: false
tasks:
- name: Ensure that the host is up and accepting ping requests.
ping:
---
- hosts: "kstraat.casa"
tasks:
- name: Gather some facts about the running services.
service_facts:
- name: Make sure that services we need are up and running.
assert:
that:
- "{{ ansible_facts.services['fail2ban']['state'] == 'running' }}"
- "{{ ansible_facts.services['ufw']['state'] == 'running' }}"
- "{{ ansible_facts.services['ssh']['state'] == 'running' }}"
- "{{ ansible_facts.services['nginx']['state'] == 'running' }}"
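Review bot: Each `that:` entry wraps its expression in `{{ }}`; `that` is already evaluated as a Jinja2 expression, so Ansible warns that conditionals should not contain templating delimiters, and the intent is clearer as `- ansible_facts.services['fail2ban']['state'] == 'running'` for each of the four lines. A service missing from the facts also fails with an undefined-key error rather than a readable assertion; adding `fail_msg: "A required service is not running."` makes the failure self-explanatory. Whether `service_facts` reports these units with or without a `.service` suffix on the target distribution is not visible here, so confirm the keys against one real run.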
---
# TODO
# https://github.com/netdata/netdata/wiki/Installation
---
- hosts: "kstraat.casa"
gather_facts: false
roles:
- role: fail2ban
fail2ban_jail_local: templates/fail2ban/jail.local
fail2ban_jail_specs:
- templates/fail2ban/nginx-noscript.conf
- templates/fail2ban/nginx-nohome.conf
- templates/fail2ban/nginx-noproxy.conf
---
- hosts: "kstraat.casa"
gather_facts: false
roles:
- role: ufw
ufw_rules:
- {'port': '80', 'rule': 'allow', 'proto': 'tcp', 'direction': 'in'}
- {'port': '80', 'rule': 'allow', 'proto': 'tcp', 'direction': 'out'}
- {'port': '443', 'rule': 'allow', 'proto': 'tcp', 'direction': 'in'}
- {'port': '443', 'rule': 'allow', 'proto': 'tcp', 'direction': 'out'}
- {'port': '48001', 'rule': 'allow', 'proto': 'tcp', 'direction': 'in'}
- {'port': '19999', 'rule': 'allow', 'proto': 'tcp', 'direction': 'in'}
- {'port': '65534', 'rule': 'allow', 'proto': 'tcp', 'direction': 'in'}
- {'port': '6660:7000', 'rule': 'allow', 'proto': 'tcp', 'direction': 'in'}
- {'port': '6660:7000', 'rule': 'allow', 'proto': 'tcp', 'direction': 'out'}
ufw_logging: low
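Review bot: None of the inbound rules restricts the source address, so `19999` (netdata's default listener) and `65534` are reachable from anywhere, and the netdata playbook is still a `# TODO`, meaning whatever later binds 19999 is exposed before it has been configured; the `ufw` module accepts `from_ip` to limit a rule to a trusted range, if the `ufw` role passes that key through (the role is not visible here). The `direction: 'out'` rules only have an effect if the role sets a default deny policy for outgoing traffic, which nothing on this page does, so either they are no-ops or the policy lives in the role — a comment either way would help. A short comment naming what `65534` and `48001` are for (the latter matches `ssh_port` in the ssh playbook) would make the list reviewable without cross-referencing every playbook.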
---
- hosts: "kstraat.casa"
gather_facts: false
roles:
- role: letsencrypt
letsencrypt_email: !vault |
$ANSIBLE_VAULT;1.1;AES256
63313665636539366635313665663235663938373731373034323233393964623434376138643265
3661643862343335323364386537336536316537656630350a646639333764373933643432656532
33353035343266326162663432653262313238323538663364303764393631323766653638326332
3538303365623133650a363738616133663665373237613837646535353364336366333530666363
62666461303961623139653638646131393163383166366261613461393239383763
letsencrypt_domains:
- kstraat.casa
- www.kstraat.casa
- znc.kstraat.casa
---
- hosts: "kstraat.casa"
gather_facts: false
roles:
- role: ssh
ssh_allowed_users:
- pi
ssh_port: 48001
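Review bot: `ssh_port: 48001` is also written literally in the ufw rules and in both `port = ssh,48001` lines of `jail.local`; if the port changes in one place and not the others, the host either locks itself out or fail2ban stops watching the port sshd actually uses. Defining it once (for example a group var `ssh_port` under `group_vars/`) and referencing it from the ufw rule and the jail.local template keeps the three in step. Whether the role also disables password authentication alongside `ssh_allowed_users` is not visible here, so confirm that in the role.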
[INCLUDES]
#before = paths-distro.conf
before = paths-debian.conf
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
usedns = warn
# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = auto
# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false
# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s
#
# ACTIONS
#
# Some options used for actions
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost
# Sender email address used solely for some actions
sender = root@localhost
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
#
# Action shortcuts. To be used to define action parameter
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action. Create a file jail.d/blocklist_de.local containing
# [Init]
# blocklist_de_apikey = {api key from registration]
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
#
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
#
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
[sshd]
enabled = true
port = ssh,48001
logpath = /var/log/auth.log
[sshd-ddos]
enabled = true
port = ssh,48001
logpath = /var/log/auth.log
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
[nginx-limit-req]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
[nginx-botsearch]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 2
[nginx-noscript]
enabled = true
port = http,https
filter = nginx-noscript
logpath = /var/log/nginx/access.log
maxretry = 6
[nginx-nohome]
enabled = true
port = http,https
filter = nginx-nohome
logpath = /var/log/nginx/access.log
maxretry = 2
[nginx-noproxy]
enabled = true
port = http,https
filter = nginx-noproxy
logpath = /var/log/nginx/access.log
maxretry = 2
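Review bot: This `jail.local` reproduces the whole distribution `jail.conf` `[DEFAULT]` block (from `ignoreip` through `action = %(action_)s`) rather than only the overrides, so every upstream default is now pinned and a package update that changes an action or default is silently shadowed; keeping just the `[DEFAULT]` values you actually change plus the `[sshd]` … `[nginx-noproxy]` jail sections would make the intended configuration obvious. The multi-line `action_mw`, `action_mwl`, `action_xarf` and `action_cf_mwl` values must have their continuation lines indented in the real file — this rendering has lost indentation, so that cannot be verified from the page. `[sshd-ddos]` also relies on the installed fail2ban still shipping a separate `sshd-ddos` filter; newer releases folded it into `sshd` with `mode = ddos`, so confirm against the package version on the target.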
[Definition]
failregex = ^<HOST> -.*GET .*/~.*
ignoreregex =
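Review bot: `failregex = ^<HOST> -.*GET .*/~.*` lets the `.*` after `GET ` run across the rest of the access-log line, including the referer and user-agent fields, so a legitimate visitor whose referer happens to contain `/~` is banned as if it had probed a home directory. Confining the match to the quoted request, `failregex = ^<HOST> -.*"GET [^"]*/~`, keeps the intent while avoiding that false positive. The same unbounded `.*` applies to the `nginx-noproxy` (`GET http.*`) and `nginx-noscript` (`GET.*(\.php|…)`) definitions that follow; in the latter the extension alternation is also unanchored, so `\.pl` matches `.plugin` and `\.php` matches `.phpinfo`.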
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)
ignoreregex =
---
- hosts: "kstraat.casa"
gather_facts: false
tasks:
- name: Create the site directory.
become: true
file:
path: /var/www/kstraat.casa
state: directory
owner: root
group: root
mode: 0755
- name: Clone the static site.
become: true
git:
repo: 'https://git.coop/decentral1se/kstraat-casa-static.git'
dest: /var/www/kstraat.casa
version: master
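Review bot: `version: master` on the `git` task makes every run deploy whatever the upstream branch currently points at, so the served site is neither reproducible nor protected from an unreviewed push to that branch; pinning to a tag or commit SHA (`version: <TAG_OR_SHA placeholder>`) and bumping it deliberately gives a deployment you can audit. The clone also runs with `become: true`, so the working tree under `/var/www/kstraat.casa` is written as root; that is consistent with the `owner: root` directory created above it, but a comment stating that nginx only needs read access would explain why no service user owns the tree.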
---
- hosts: "kstraat.casa"
gather_facts: false
roles:
- role: users
users_ssh_keys_path: ssh-keys
users_usernames:
- pi
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAElXenUUJiRUaZ0anpcrzxxYijbRVs0Nhb0xilZbJ5bTHU8xWJrHCZHF0AjvMQJdU9HGgIoea6l0L31GqD0bwnlkAC2JUN781kQOeZXTkpWiD3TRTPLRtavCHPhIrT33EnVvauQ/ThK9ziqRPyvbNfakODyB6Y0vZP8WyrdZsGWlc0XpA== decentral1se@lostatsea
---
- hosts: "kstraat.casa"
gather_facts: false
roles:
- role: nginx
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
# fail2ban
A role to install and configure [fail2ban].
[fail2ban]: https://www.fail2ban.org/wiki/index.php/Main_Page
# Supported Operating Systems
* Raspbian Stretch Lite 2018-10-09
* Debian Stretch
# Role Variables
* `fail2ban_jail_local`: Path to your local `jail.local` configuration.
* `fail2ban_jail_specs`: A list of file paths for your jail specifications.
* Defaults to `[]` (not used if not specified).
---
fail2ban_jail_specs: []
---
- name: Restart fail2ban.
become: true
systemd:
name: fail2ban
state: restarted
---
galaxy_info:
author: decentral1se
description: A role to install and configure fail2ban.
license: GPLv3
min_ansible_version: 2.7
---
- name: Ensure mandatory variables are configured.
assert:
that: fail2ban_jail_local is defined
- name: Install fail2ban.
become: true
apt:
name: fail2ban
state: present
- name: Ensure fail2ban is running and enabled.
become: true
systemd:
name: fail2ban
state: started
enabled: true
- name: Ensure the /etc/fail2ban/filter.d folder exists.
become: true
file:
path: /etc/fail2ban/filter.d/
state: directory
- name: Copy over the jail specifications.
become: true
template:
src: "{{ item }}"
dest: /etc/fail2ban/filter.d/{{ item | basename }}
force: true
mode: 0644
loop: "{{ fail2ban_jail_specs }}"
when: fail2ban_jail_specs
- name: Copy over the /etc/fail2ban/jail.local configuration.
become: true
template:
src: "{{ fail2ban_jail_local }}"
dest: /etc/fail2ban/jail.local
force: true
mode: 0644
notify: Restart fail2ban.
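Review bot: The `Copy over the jail specifications.` task renders filters into `/etc/fail2ban/filter.d/` but carries no `notify:`, so a changed `nginx-*.conf` filter only takes effect when `jail.local` also changes or the service is restarted by other means; add `notify: Restart fail2ban.` to that task, parallel to the jail.local task below it. The `file:` task that creates `/etc/fail2ban/filter.d/` is redundant once `apt` has installed the package, which ships that directory, though it is harmless. The `assert` on `fail2ban_jail_local` would read better with a `fail_msg` naming the variable the caller forgot.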
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
[[source]]
url = "https://pypi.org/simple"
name = "pypi"
verify_ssl = true
[packages]
[dev-packages]
molecule = "*"
docker = "*"
# hdyndns
A role to install and configure [homebrew-dyndns].
[homebrew-dyndns]: https://pypi.org/project/hdyndns/