cspark
/
Client-Ansible-Setup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Modify .gitignore to ensure ansible_resources templates are able to be added

This commit is contained in:
cspark-dev 2024-02-22 12:12:01 +00:00
parent 26f9c17055
commit 261937e493
4 changed files with 335 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.gitignore vendored
View File

@ -1,4 +1,4 @@
**/*.enc
hosts
prox-server-firewall-setup.yml
prox-server-setup.yml
/hosts
/prox-server-firewall-setup.yml
/prox-server-setup.yml

6
ansible_resources/hosts Executable file
View File

@ -0,0 +1,6 @@
# {{ ansible_managed }}
all:
hosts:
{{ proxy_server_hostname }}:
{{ proxy_server_hostname }}-defaultport:

141
ansible_resources/prox-server-firewall-setup.yml Executable file
View File

@ -0,0 +1,141 @@
# {{ ansible_managed }}
- hosts:
- {{ proxy_server_hostname }}
- {{ proxy_server_hostname }}-defaultport
become: 'yes'
ignore_errors: true
tasks:
- name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
- name: Temporarily disable doas pass prompt as doas persist does not work within scripts
become: yes
replace:
path: /etc/doas.conf
regexp: 'persist'
replace: 'nopass'
- name: Allow all outbound SSH
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination_port: "{{ proxy_server_ssh_port }}"
jump: ACCEPT
# - name: Create inbound SSH recent rule (Limits new inbound SSH to 60 per minute, any extra is dropped)
# ansible.builtin.shell: /sbin/iptables -C INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 60 -j DROP || /sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 60 -j DROP && /sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
- name: Accept inbound SSH
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: "{{ proxy_server_ssh_port }}"
jump: ACCEPT
# Currently issues with SSH and dropping all outgoing traffic policy by default despite the SSH allow rules, might be to do something with how network is routed from the KVM. Shall just allow everything for now (Ideally would be nice to set back to dropping by default though)
- name: Allow incoming traffic by default
ansible.builtin.iptables:
chain: INPUT
policy: ACCEPT
- name: Allow outgoing traffic by default
ansible.builtin.iptables:
chain: OUTPUT
policy: ACCEPT
- name: Allow forward traffic by default
ansible.builtin.iptables:
chain: FORWARD
policy: ACCEPT
- name: Allow previous inbound accepted/known connections to bypass firewall rules
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
- name: Allow previous outbound accepted/known connections to bypass firewall rules
ansible.builtin.iptables:
chain: OUTPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
- name: Allow inbound loopback traffic
ansible.builtin.iptables:
chain: INPUT
in_interface: lo
jump: ACCEPT
- name: Allow outbound loopback traffic
ansible.builtin.iptables:
chain: OUTPUT
out_interface: lo
jump: ACCEPT
- name: Block known attacker IP's
ansible.builtin.iptables:
chain: "{{ '{{' }} item.chain {{ '}}' }}"
source: "{{ '{{' }} item.source {{ '}}' }}"
jump: DROP
loop:
- { chain: INPUT, source: 46.148.40.0/24 } # IP targetting mailserver
- { chain: OUTPUT, source: 46.148.40.0/24 }
- { chain: FORWARD, source: 46.148.40.0/24 }
# # These rules currently kind of obsolete
# # NGinx Service
# - name: Allow inbound HTTPS web traffic
# ansible.builtin.iptables:
# chain: INPUT
# protocol: tcp
# destination_port: 443
# jump: ACCEPT
# - name: Allow outbound HTTPS web traffic
# ansible.builtin.iptables:
# chain: OUTPUT
# protocol: tcp
# destination_port: 443
# jump: ACCEPT
# - name: Allow inbound HTTP web traffic
# ansible.builtin.iptables:
# chain: INPUT
# protocol: tcp
# destination_port: 80
# jump: ACCEPT
# - name: Allow outbound HTTP web traffic
# ansible.builtin.iptables:
# chain: OUTPUT
# protocol: tcp
# destination_port: 80
#
# # Invidious Service
# - name: Allow inbound network traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: INPUT
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
# - name: Allow outbound network traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: OUTPUT
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
#
# # Minecraft Service
# - name: Allow inbound local network traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: INPUT
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
# - name: Allow outbound local network traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: OUTPUT
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
- name: Reset doas configuration back to default
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!

185
ansible_resources/prox-server-setup.yml Executable file
View File

@ -0,0 +1,185 @@
# {{ ansible_managed }}
- hosts:
- {{ proxy_server_hostname }}
# - {{ proxy_server_hostname }}-defaultport
become: 'yes'
ignore_errors: true
vars:
# Packages to install
packages:
# System
- linux-headers-amd64
- build-essential
- ssh
- mount
- vim
- neofetch
- htop
# Reverse Proxy/Webserver
- nginx
- libnginx-mod-stream # Module allowing to proxy TCP, UDP (1.9.13), UNIX-domain sockets requests.
- libnginx-mod-mail # Module allowing to proxy IMAP, POP3 & SMTP.
- haproxy # Alternate dedicated Reverse Proxy, using for mail
# VPN Server
- wireguard
# TLS
- certbot
- python3-certbot-nginx
# Firewall
- iptables-persistent
tasks:
- name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
- name: Temporarily disable doas pass prompt as doas persist does not work within scripts
become: yes
replace:
path: /etc/doas.conf
regexp: 'persist'
replace: 'nopass'
# System Setup
- name: Ensure .bashrc is updated
template:
src: proxy_resources/.bashrc
dest: "~/.bashrc"
- name: Add contrib
replace:
dest: /etc/apt/sources.list
regexp: '^(deb(?!.* contrib).*)'
replace: '\1 contrib'
- name: Ensure list of packages is installed
apt:
name: '{{ "{{" }} packages {{ "}}" }}'
state: present
# SSH Server Setup
- name: Enable SSH
ansible.builtin.systemd:
name: ssh
state: started
- name: Ensure sshd configuration is updated
template:
src: proxy_resources/etc/ssh/sshd_config
dest: "/etc/ssh/sshd_config"
# Wireguard VPN Server Setup
- name: Ensure wireguard server configuration is updated
ansible.builtin.template:
src: proxy_resources/etc/wireguard/wg0.conf
dest: /etc/wireguard/wg0.conf
- name: Enable and persist ip forwarding
sysctl:
name: net.ipv4.ip_forward
value: "1"
state: present
sysctl_set: yes
reload: yes
- name: Enable wireguard server
systemd:
name: wg-quick@wg0
enabled: yes
state: started
# NGinx Reverse Proxy/Webserver Setup
- name: Ensure NGinx main config is updated
template:
src: proxy_resources/etc/nginx/nginx.conf
dest: /etc/nginx/nginx.conf
- name: Ensure NGinx sites config directory exists
ansible.builtin.file:
path: /etc/nginx/sites-available/
state: directory
- name: Ensure reverse proxy git domain config is updated
template:
src: proxy_resources/etc/nginx/sites-available/git.domain
dest: "/etc/nginx/sites-available/git.{{ domain_name }}"
- name: Enable the reverse proxy git domain config
ansible.builtin.file:
src: /etc/nginx/sites-available/git.{{ domain_name }}
dest: /etc/nginx/sites-enabled/git.{{ domain_name }}
state: link
# TODO : Overhaul all of this to use loops instead
# - name: Ensure reverse proxy invidious domain config is updated
# template:
# src: proxy_resources/etc/nginx/sites-available/invidious.domain
# dest: "/etc/nginx/sites-available/invidious.{{ domain_name }}"
# - name: Ensure reverse proxy mail domain config is updated
# template:
# src: proxy_resources/etc/nginx/sites-available/mail.domain
# dest: "/etc/nginx/sites-available/mail.{{ domain_name }}"
# - name: Ensure reverse proxy searxng domain config is updated
# template:
# src: proxy_resources/etc/nginx/sites-available/searxng.domain
# dest: "/etc/nginx/sites-available/searxng.{{ domain_name }}"
# - name: Ensure reverse proxy nextcloud domain config is updated
# template:
# src: proxy_resources/etc/nginx/sites-available/nextcloud.domain
# dest: "/etc/nginx/sites-available/nextcloud.{{ domain_name }}"
# - name: Ensure reverse proxy chat domain config is updated
# template:
# src: proxy_resources/etc/nginx/sites-available/chat.domain
# dest: "/etc/nginx/sites-available/chat.{{ domain_name }}"
# - name: Enable the reverse proxy invidious domain config
# ansible.builtin.file:
# src: /etc/nginx/sites-available/invidious.{{ domain_name }}
# dest: /etc/nginx/sites-enabled/invidious.{{ domain_name }}
# state: link
# - name: Enable the reverse proxy mail domain config
# ansible.builtin.file:
# src: /etc/nginx/sites-available/mail.{{ domain_name }}
# dest: /etc/nginx/sites-enabled/mail.{{ domain_name }}
# state: link
# - name: Enable the reverse proxy searxng domain config
# ansible.builtin.file:
# src: /etc/nginx/sites-available/searxng.{{ domain_name }}
# dest: /etc/nginx/sites-enabled/searxng.{{ domain_name }}
# state: link
# - name: Enable the reverse proxy nextcloud domain config
# ansible.builtin.file:
# src: /etc/nginx/sites-available/nextcloud.{{ domain_name }}
# dest: /etc/nginx/sites-enabled/nextcloud.{{ domain_name }}
# state: link
# - name: Enable the reverse proxy chat domain config
# ansible.builtin.file:
# src: /etc/nginx/sites-available/chat.{{ domain_name }}
# dest: /etc/nginx/sites-enabled/chat.{{ domain_name }}
# state: link
- name: Enable NGinx
ansible.builtin.systemd:
name: nginx
enabled: yes
state: started
# Experimental NGinx Email Proxy
# - name: Ensure Email Proxy Authentication Server is updated
# ansible.builtin.template:
# src: proxy_resources/home/mail-authserver.py
# dest: ~/mail-authserver.py
# HAProxy Reverse Proxy Setup
#- name: Ensure HAProxy configuration is updated
# template:
# src: proxy_resources/etc/haproxy/haproxy.cfg
# dest: "/etc/haproxy/haproxy.cfg"
#- name: Enable HAProxy
# ansible.builtin.systemd:
# name: haproxy
# state: started
- name: Reset doas configuration back to default
become: yes
template:
src: root_resources/etc/doas.conf
dest: "/etc/doas.conf"
# End
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!