Initial commit

.gitignore

@@ -0,0 +1 @@
+config/master.key

hosts

@@ -0,0 +1,13 @@
+---
+dns:
+  hosts:
+    dns_1:
+      ansible_host: 192.168.1.3
+      sync_target: 192.168.1.4
+    dns_2:
+      ansible_host: 192.168.1.4
+      sync_target: 192.168.1.3
+nginx:
+  hosts:
+    nginx_1:
+      ansible_host: 192.168.1.12

roles/administrators/files/atomaka.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETR1+I4hzK79yoQUvSbBZ3scdXaZvB/9ZOHtJ/rMqig me@atomaka.com

roles/administrators/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Allow passwordless sudo
+  lineinfile:
+    path: /etc/sudoers
+    regexp: '^%sudo'
+    line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+    validate: 'visudo -cf %s'
+    state: present
+
+- name: Add administrators
+  user:
+    name: "{{ item }}"
+    groups: sudo
+    shell: /bin/bash
+    state: present
+  with_items: "{{ users }}"
+
+- name: Add SSH keys
+  authorized_key:
+    user: "{{ item }}"
+    key: "{{ lookup('file', 'files/{{ item }}.pub') }}"
+    state: present
+  with_items: "{{ users }}"

roles/administrators/vars/main.yml

@@ -0,0 +1,3 @@
+---
+users:
+  - atomaka

roles/apt/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+- name: Install unattended-upgrades
+  apt:
+    name: unattended-upgrades
+    state: present
+
+- name: Install repository tools
+  apt:
+    name:
+      - debian-keyring
+      - debian-archive-keyring
+      - apt-transport-https
+      - ca-certificates
+      - gnupg
+    state: present
+
+- name: Ensure unattended-upgrades is runing
+  service:
+    name: unattended-upgrades
+    enabled: true

roles/firewall/handlers/main.yml

@@ -0,0 +1,3 @@
+- name: Persist iptables
+  shell:
+    cmd: iptables-save > /etc/iptables/rules.v4

roles/firewall/tasks/main.yml

@@ -0,0 +1,82 @@
+---
+- name: Install iptables packages
+  apt:
+    name: iptables-persistent
+    state: present
+
+- name: Allow all loopback traffic
+  iptables:
+    chain: INPUT
+    in_interface: lo
+    jump: ACCEPT
+  notify: Persist iptables
+
+- name: Allow port ping traffic
+  iptables:
+    chain: INPUT
+    jump: ACCEPT
+    protocol: icmp
+  notify: Persist iptables
+
+- name: Allow related and established connections
+  iptables:
+    chain: INPUT
+    ctstate: ESTABLISHED,RELATED
+    jump: ACCEPT
+  notify: Persist iptables
+
+- name: Allow SSH
+  iptables:
+    chain: INPUT
+    destination_port: 22
+    jump: ACCEPT
+    protocol: tcp
+  notify: Persist iptables
+
+- name: Allow web
+  iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 80
+    jump: ACCEPT
+  notify: Persist iptables
+
+- name: Allow dns
+  iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 53
+    jump: ACCEPT
+  notify: Persist iptables
+
+- name: Allow dns (udp)
+  iptables:
+    chain: INPUT
+    protocol: udp
+    destination_port: 53
+    jump: ACCEPT
+  notify: Persist iptables
+
+- name: Allow related and established connections
+  ansible.builtin.iptables:
+    chain: INPUT
+    ctstate: ESTABLISHED,RELATED
+    jump: ACCEPT
+
+- name: Set the policy for the INPUT chain to DROP
+  iptables:
+    chain: INPUT
+    policy: DROP
+  notify: Persist iptables
+
+- name: Set the policy for the FORWARD chain to DROP
+  iptables:
+    chain: FORWARD
+    policy: DROP
+  notify: Persist iptables
+
+- name: Set the policy for the OUTPUT chain to ACCEPT
+  iptables:
+    chain: OUTPUT
+    policy: ACCEPT
+  notify: Persist iptables

roles/instance/tasks/main.yml

@@ -0,0 +1,17 @@
+---
+- name: Set hostname
+  hostname:
+    name: '{{ inventory_hostname | replace("_", "-") }}'
+
+- name: Add hostname to /etc/hosts
+  lineinfile:
+    dest: /etc/hosts
+    regexp: '^127\.0\.0\.1[ \t]+localhost'
+    line: '127.0.0.1 localhost {{ inventory_hostname | replace("_", "-") }}'
+    state: present
+
+- name: Install ansible pre-requisites
+  apt:
+    name:
+      - acl
+    state: present

roles/pihole/files/id_ed25519

@@ -0,0 +1,25 @@
+$ANSIBLE_VAULT;1.1;AES256
+65383462643264626136333163366264353039393537313264303835393537396664633539616534
+6664613531623666386661653330386538366466313133390a393562363835326136393664353334
+62383932373036303233306138366464323463303238316434383264306632653533623665343066
+3037326266326465300a653435646538613636336236343231376635646439663963346130656164
+31383238613230356661626230353933346563333939383238336164336362323939666561306433
+34353430633131663531333030636137396537643735666533633630393166363739663538363161
+35373234623763346661656562346339366531663432666132356132323161323934323262653538
+34626130383535396631646439303431363432383265636365633831626162656432333839326137
+34386235643132366532316234396635366438623235636630663033396638336337666431653138
+38343734663666343334616436363335353764366564376565313834326364646231303662643463
+61643932366438366339383032306366376537326665393331333463656262373134656234393264
+65626161656163396531313739323732313132623934336337386534366163313933613535323864
+30303532396236613836316133363862663764333231326261366235353264356535326334353265
+35313534616361316636383161363630393362333362623966373264393138646335316531633136
+32333832643836646165643865636566663331333033303839653938653837353063366566623364
+65636661623833376236613566623839633734333866393032613861646666333732386166633865
+30616237663439383131653836303738653538353162333731343938643765333532373237353336
+35363436643833643030663638333663633337326461663866386532396364313330656130653665
+31333564363362613330363461383637666366333832326437666435336331643332376339623732
+37363139666339313962633961363262343130323531313432623737663737643830316639623864
+38393737313838343666376538616334363037353165323039626235646139346361343432316539
+62303932306635303731646234633936373562656136623030656231616563623336393466616335
+38306162393433306631383432346532376134323034616663373066303932376438656238336361
+62336537383461343636

roles/pihole/files/id_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQu1fLqmEcru0rAk8hTJ59WA3sLO7KDFIc4RgxCI0UP pihole

roles/pihole/handlers/main.yml

@@ -0,0 +1,6 @@
+- name: Restart dnsmasq
+  service:
+    name: dnsmasq
+    enabled: true
+    state: restarted
+  when: ansible_facts.services['dnsmasq.service'] is defined

roles/pihole/tasks/main.yml

@@ -0,0 +1,78 @@
+---
+- name: Create pihole user
+  user:
+    name: pihole
+    groups: sudo
+    shell: /bin/bash
+    state: present
+
+- name: Ensure .ssh directory exists.
+  file:
+    dest: /home/pihole/.ssh
+    mode: 0700
+    owner: pihole
+    state: directory
+
+- name: Install ssh key
+  copy:
+    src: files/id_ed25519
+    dest: /home/pihole/.ssh/id_ed25519
+    mode: 0600
+    owner: pihole
+
+- name: Set the authorized keys
+  authorized_key:
+    user: pihole
+    state: present
+    key: "{{ lookup('file', 'id_ed25519.pub') }}"
+
+- name: Create pihole directory
+  file:
+    path: /etc/pihole
+    state: directory
+
+- name: Configure pihole
+  template:
+    src: templates/setupVars.j2
+    dest: /etc/pihole/setupVars.conf
+  notify: Restart dnsmasq
+
+- name: Download pihole installer
+  become: yes
+  become_user: pihole
+  get_url:
+    url: https://install.pi-hole.net
+    dest: /tmp/basic-install.sh
+    mode: 0755
+
+- name: Install pihole
+  become: yes
+  become_user: pihole
+  command:
+    cmd: /tmp/basic-install.sh --unattended
+    creates: /usr/local/bin/pihole
+
+- name: Create gravity directory
+  file:
+    path: /etc/gravity-sync
+    state: directory
+
+- name: Configure gravity
+  template:
+    src: templates/gravity-sync.conf.j2
+    dest: /etc/gravity-sync/gravity-sync.conf
+
+- name: Download gravity installer
+  become: yes
+  become_user: pihole
+  get_url:
+    url: https://raw.githubusercontent.com/vmstan/gs-install/main/gs-install.sh
+    dest: /tmp/gravity-install.sh
+    mode: 0755
+
+- name: Install gravity
+  become: yes
+  become_user: pihole
+  command:
+    cmd: /tmp/gravity-install.sh --unattended
+    creates: /usr/local/bin/gravity-sync

roles/pihole/templates/gravity-sync.conf.j2

@@ -0,0 +1,4 @@
+REMOTE_HOST={{ sync_target }}
+REMOTE_USER=pihole
+
+GS_SSH_PKIF=/home/pihole/.ssh/id_ed25519

roles/pihole/templates/setupVars.j2

@@ -0,0 +1,16 @@
+IPV4_ADDRESS={{ ansible_host }}/24
+PIHOLE_INTERFACE=eth0
+QUERY_LOGGING=true
+INSTALL_WEB_SERVER=true
+INSTALL_WEB_INTERFACE=true
+LIGHTTPD_ENABLED=true
+CACHE_SIZE=10000
+DNS_FQDN_REQUIRED=true
+DNS_BOGUS_PRIV=true
+DNSMASQ_LISTENING=local
+WEBPASSWORD=998ed4d621742d0c2d85ed84173db569afa194d4597686cae947324aa58ab4bb
+BLOCKING_ENABLED=true
+DNSSEC=false
+REV_SERVER=false
+PIHOLE_DNS_1=8.8.8.8
+PIHOLE_DNS_2=8.8.4.4

roles/ssh/handlers/main.yml

@@ -0,0 +1,9 @@
+- name: Restart ssh
+  service:
+    name: sshd
+    state: restarted
+
+- name: Restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted

roles/ssh/tasks/main.yml

@@ -0,0 +1,36 @@
+---
+- name: Block root and password authentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '{{ item.regexp }}'
+    line: '{{ item.line }}'
+    validate: 'sshd -T -f %s'
+    state: present
+  with_items:
+    - regexp: '^PasswordAuthentication'
+      line: 'PasswordAuthentication no'
+    - regexp: '^PermitRootLogin'
+      line: 'PermitRootLogin no'
+  notify: Restart ssh
+
+- name: Install fail2ban
+  apt:
+    name: fail2ban
+    state: present
+
+- name: Configure fail2ban
+  blockinfile:
+    path: /etc/fail2ban/jail.local
+    create: yes
+    mode: 0644
+    block: |
+      [sshd]
+      enabled = true
+      filter = sshd
+  notify: Restart fail2ban
+
+- name: Start fail2ban on boot
+  service:
+    name: fail2ban
+    enabled: true
+    state: started

site.yml

@@ -0,0 +1,19 @@
+---
+- hosts: all
+  become: yes
+  pre_tasks:
+    - name: Update apt-get repo and cache
+      apt:
+        update_cache: yes
+        cache_valid_time: 3600
+  roles:
+    - role: instance
+    - role: apt
+    - role: firewall
+    - role: administrators
+    - role: ssh
+- hosts: dns
+  become: yes
+  roles:
+    - role: pihole
+      tags: pihole