commit d6bd3862eb68b0bee749e7d99a074a0fecdaed5c
Author: Andrew Tomaka
Date: Wed Dec 21 22:56:39 2022 -0500
Initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..be33fa2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+config/master.key
diff --git a/config/.gitinclude b/config/.gitinclude
new file mode 100644
index 0000000..e69de29
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..77588da
--- /dev/null
+++ b/hosts
@@ -0,0 +1,13 @@
+---
+dns:
+ hosts:
+ dns_1:
+ ansible_host: 192.168.1.3
+ sync_target: 192.168.1.4
+ dns_2:
+ ansible_host: 192.168.1.4
+ sync_target: 192.168.1.3
+nginx:
+ hosts:
+ nginx_1:
+ ansible_host: 192.168.1.12
diff --git a/roles/administrators/files/atomaka.pub b/roles/administrators/files/atomaka.pub
new file mode 100644
index 0000000..4276d43
--- /dev/null
+++ b/roles/administrators/files/atomaka.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIETR1+I4hzK79yoQUvSbBZ3scdXaZvB/9ZOHtJ/rMqig me@atomaka.com
diff --git a/roles/administrators/tasks/main.yml b/roles/administrators/tasks/main.yml
new file mode 100644
index 0000000..ebca775
--- /dev/null
+++ b/roles/administrators/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Allow passwordless sudo
+ lineinfile:
+ path: /etc/sudoers
+ regexp: '^%sudo'
+ line: '%sudo ALL=(ALL) NOPASSWD: ALL'
+ validate: 'visudo -cf %s'
+ state: present
+
+- name: Add administrators
+ user:
+ name: "{{ item }}"
+ groups: sudo
+ shell: /bin/bash
+ state: present
+ with_items: "{{ users }}"
+
+- name: Add SSH keys
+ authorized_key:
+ user: "{{ item }}"
+ key: "{{ lookup('file', 'files/{{ item }}.pub') }}"
+ state: present
+ with_items: "{{ users }}"
diff --git a/roles/administrators/vars/main.yml b/roles/administrators/vars/main.yml
new file mode 100644
index 0000000..ae25ee6
--- /dev/null
+++ b/roles/administrators/vars/main.yml
@@ -0,0 +1,3 @@
+---
+users:
+ - atomaka
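Review bot: The `line: '%sudo ALL=(ALL) NOPASSWD: ALL'` in the first task grants passwordless root to every member of the sudo group, not only to the administrators this role manages, and roles/pihole/tasks/main.yml in the same commit adds the pihole service account (whose private key is also installed on the peer host) to that group. Consider scoping the rule to the managed users, one `line: '{{ item }} ALL=(ALL) NOPASSWD: ALL'` with `regexp: '^{{ item }} '` under a `loop: "{{ users }}"`, or keep the password requirement for the group-wide rule. The nested moustache in `key: "{{ lookup('file', 'files/{{ item }}.pub') }}"` is better written as concatenation, `key: "{{ lookup('file', 'files/' ~ item ~ '.pub') }}"`, since nested templating is discouraged and may warn on recent Ansible; `with_items` on both loops is the legacy spelling of `loop:`.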
diff --git a/roles/apt/tasks/main.yml b/roles/apt/tasks/main.yml
new file mode 100644
index 0000000..a21f38d
--- /dev/null
+++ b/roles/apt/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Install unattended-upgrades
+ apt:
+ name: unattended-upgrades
+ state: present
+
+- name: Install repository tools
+ apt:
+ name:
+ - debian-keyring
+ - debian-archive-keyring
+ - apt-transport-https
+ - ca-certificates
+ - gnupg
+ state: present
+
+- name: Ensure unattended-upgrades is runing
+ service:
+ name: unattended-upgrades
+ enabled: true
diff --git a/roles/firewall/handlers/main.yml b/roles/firewall/handlers/main.yml
new file mode 100644
index 0000000..5c58746
--- /dev/null
+++ b/roles/firewall/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: Persist iptables
+ shell:
+ cmd: iptables-save > /etc/iptables/rules.v4
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..5ba553d
--- /dev/null
+++ b/roles/firewall/tasks/main.yml
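Review bot: The last task only sets `enabled: true` for unattended-upgrades, so the unit is configured to start on boot but is not started during this run; the equivalent task in roles/ssh/tasks/main.yml sets both, so add `state: started` here for consistency. The task name also has a typo: `runing` should be `running`.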
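Review bot: Only the IPv4 ruleset is persisted by `cmd: iptables-save > /etc/iptables/rules.v4`, and none of the tasks in roles/firewall/tasks/main.yml set `ip_version: ipv6`, so the ip6tables INPUT chain keeps its default ACCEPT policy and the DROP default applies to IPv4 only; on any host with IPv6 connectivity the filtering is bypassed there. Either add IPv6 counterparts of the accept rules and policies (`ip_version: ipv6`) with a second handler writing `/etc/iptables/rules.v6`, or at minimum set the IPv6 INPUT and FORWARD policies to DROP explicitly. A short comment above the handler, `# IPv4 only: IPv6 chains are not managed by this role`, would make the gap visible until that is done.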
@@ -0,0 +1,82 @@
+---
+- name: Install iptables packages
+ apt:
+ name: iptables-persistent
+ state: present
+
+- name: Allow all loopback traffic
+ iptables:
+ chain: INPUT
+ in_interface: lo
+ jump: ACCEPT
+ notify: Persist iptables
+
+- name: Allow port ping traffic
+ iptables:
+ chain: INPUT
+ jump: ACCEPT
+ protocol: icmp
+ notify: Persist iptables
+
+- name: Allow related and established connections
+ iptables:
+ chain: INPUT
+ ctstate: ESTABLISHED,RELATED
+ jump: ACCEPT
+ notify: Persist iptables
+
+- name: Allow SSH
+ iptables:
+ chain: INPUT
+ destination_port: 22
+ jump: ACCEPT
+ protocol: tcp
+ notify: Persist iptables
+
+- name: Allow web
+ iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: 80
+ jump: ACCEPT
+ notify: Persist iptables
+
+- name: Allow dns
+ iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: 53
+ jump: ACCEPT
+ notify: Persist iptables
+
+- name: Allow dns (udp)
+ iptables:
+ chain: INPUT
+ protocol: udp
+ destination_port: 53
+ jump: ACCEPT
+ notify: Persist iptables
+
+- name: Allow related and established connections
+ ansible.builtin.iptables:
+ chain: INPUT
+ ctstate: ESTABLISHED,RELATED
+ jump: ACCEPT
+
+- name: Set the policy for the INPUT chain to DROP
+ iptables:
+ chain: INPUT
+ policy: DROP
+ notify: Persist iptables
+
+- name: Set the policy for the FORWARD chain to DROP
+ iptables:
+ chain: FORWARD
+ policy: DROP
+ notify: Persist iptables
+
+- name: Set the policy for the OUTPUT chain to ACCEPT
+ iptables:
+ chain: OUTPUT
+ policy: ACCEPT
+ notify: Persist iptables
diff --git a/roles/instance/tasks/main.yml b/roles/instance/tasks/main.yml
new file mode 100644
index 0000000..789254f
--- /dev/null
+++ b/roles/instance/tasks/main.yml
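Review bot: The second `Allow related and established connections` task (the one spelled `ansible.builtin.iptables`) duplicates the earlier one with the same chain, ctstate and jump and lacks `notify: Persist iptables`; the module matches existing rules so it is probably a no-op, but it should be removed so the file uses one module spelling and every rule task notifies the handler. Separately, site.yml applies this role to every host, so 53/tcp, 53/udp and 80/tcp are opened on the nginx host as well as the DNS hosts; consider moving the service-specific accept rules into the roles that need them, or gating them with `when: inventory_hostname in groups['dns']`, so each host only exposes what it runs. The ping task name, `Allow port ping traffic`, also reads oddly; `Allow ICMP` would be clearer.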
@@ -0,0 +1,17 @@
+---
+- name: Set hostname
+ hostname:
+ name: '{{ inventory_hostname | replace("_", "-") }}'
+
+- name: Add hostname to /etc/hosts
+ lineinfile:
+ dest: /etc/hosts
+ regexp: '^127\.0\.0\.1[ \t]+localhost'
+ line: '127.0.0.1 localhost {{ inventory_hostname | replace("_", "-") }}'
+ state: present
+
+- name: Install ansible pre-requisites
+ apt:
+ name:
+ - acl
+ state: present
diff --git a/roles/pihole/files/id_ed25519 b/roles/pihole/files/id_ed25519
new file mode 100644
index 0000000..5b4d130
--- /dev/null
+++ b/roles/pihole/files/id_ed25519
@@ -0,0 +1,25 @@
+$ANSIBLE_VAULT;1.1;AES256
+65383462643264626136333163366264353039393537313264303835393537396664633539616534
+6664613531623666386661653330386538366466313133390a393562363835326136393664353334
+62383932373036303233306138366464323463303238316434383264306632653533623665343066
+3037326266326465300a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
diff --git a/roles/pihole/files/id_ed25519.pub b/roles/pihole/files/id_ed25519.pub
new file mode 100644
index 0000000..392e223
--- /dev/null
+++ b/roles/pihole/files/id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQu1fLqmEcru0rAk8hTJ59WA3sLO7KDFIc4RgxCI0UP pihole
diff --git a/roles/pihole/handlers/main.yml b/roles/pihole/handlers/main.yml
new file mode 100644
index 0000000..82ba484
--- /dev/null
+++ b/roles/pihole/handlers/main.yml
@@ -0,0 +1,6 @@
+- name: Restart dnsmasq
+ service:
+ name: dnsmasq
+ enabled: true
+ state: restarted
+ when: ansible_facts.services['dnsmasq.service'] is defined
diff --git a/roles/pihole/tasks/main.yml b/roles/pihole/tasks/main.yml
new file mode 100644
index 0000000..b0c23e5
--- /dev/null
+++ b/roles/pihole/tasks/main.yml
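Review bot: `dest: /etc/hosts` in the second task uses the lineinfile alias while roles/administrators/tasks/main.yml and roles/ssh/tasks/main.yml use `path:`; `path: /etc/hosts` keeps one spelling across the playbook. The `inventory_hostname | replace("_", "-")` expression is repeated in the first and second tasks; computing it once with a `set_fact` at the top of the role would keep the hostname and the /etc/hosts entry from drifting apart if one is edited later.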
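Review bot: The guard `when: ansible_facts.services['dnsmasq.service'] is defined` depends on `ansible_facts.services`, which is only populated by the `service_facts` module, and no task in this commit calls it; the condition is therefore most likely false on every run, so the handler never restarts the resolver after setupVars.conf changes (the notify in roles/pihole/tasks/main.yml is effectively dead). Either add a `service_facts` task before `Configure pihole` in the tasks file, or drop the guard and tolerate a missing unit with `failed_when: false`. Current Pi-hole releases appear to run the resolver as the `pihole-FTL` unit rather than a standalone `dnsmasq` service, so the unit name is worth confirming against the installed version as well.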
@@ -0,0 +1,78 @@
+---
+- name: Create pihole user
+ user:
+ name: pihole
+ groups: sudo
+ shell: /bin/bash
+ state: present
+
+- name: Ensure .ssh directory exists.
+ file:
+ dest: /home/pihole/.ssh
+ mode: 0700
+ owner: pihole
+ state: directory
+
+- name: Install ssh key
+ copy:
+ src: files/id_ed25519
+ dest: /home/pihole/.ssh/id_ed25519
+ mode: 0600
+ owner: pihole
+
+- name: Set the authorized keys
+ authorized_key:
+ user: pihole
+ state: present
+ key: "{{ lookup('file', 'id_ed25519.pub') }}"
+
+- name: Create pihole directory
+ file:
+ path: /etc/pihole
+ state: directory
+
+- name: Configure pihole
+ template:
+ src: templates/setupVars.j2
+ dest: /etc/pihole/setupVars.conf
+ notify: Restart dnsmasq
+
+- name: Download pihole installer
+ become: yes
+ become_user: pihole
+ get_url:
+ url: https://install.pi-hole.net
+ dest: /tmp/basic-install.sh
+ mode: 0755
+
+- name: Install pihole
+ become: yes
+ become_user: pihole
+ command:
+ cmd: /tmp/basic-install.sh --unattended
+ creates: /usr/local/bin/pihole
+
+- name: Create gravity directory
+ file:
+ path: /etc/gravity-sync
+ state: directory
+
+- name: Configure gravity
+ template:
+ src: templates/gravity-sync.conf.j2
+ dest: /etc/gravity-sync/gravity-sync.conf
+
+- name: Download gravity installer
+ become: yes
+ become_user: pihole
+ get_url:
+ url: https://raw.githubusercontent.com/vmstan/gs-install/main/gs-install.sh
+ dest: /tmp/gravity-install.sh
+ mode: 0755
+
+- name: Install gravity
+ become: yes
+ become_user: pihole
+ command:
+ cmd: /tmp/gravity-install.sh --unattended
+ creates: /usr/local/bin/gravity-sync
diff --git a/roles/pihole/templates/gravity-sync.conf.j2 b/roles/pihole/templates/gravity-sync.conf.j2
new file mode 100644
index 0000000..e6ea729
--- /dev/null
+++ b/roles/pihole/templates/gravity-sync.conf.j2
@@ -0,0 +1,4 @@
+REMOTE_HOST={{ sync_target }}
+REMOTE_USER=pihole
+
+GS_SSH_PKIF=/home/pihole/.ssh/id_ed25519
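Review bot: Both `get_url` tasks download an installer and the following `command` tasks execute it unattended as the pihole user, who is placed in the sudo group by the first task (and roles/administrators/tasks/main.yml makes that group passwordless), yet nothing verifies what was fetched; the gravity-sync URL additionally tracks `main`, so the script that runs changes whenever upstream pushes. Pin each download to a release tag or commit and add `checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"` to the `get_url` tasks, so a changed upstream script fails the play rather than running with sudo rights. The unquoted octal modes (`mode: 0700`, `mode: 0600`, `mode: 0755`) should be quoted strings such as `mode: "0600"`, as the Ansible docs recommend, to avoid YAML integer parsing, and `become: yes` is the legacy spelling of `become: true`.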
diff --git a/roles/pihole/templates/setupVars.j2 b/roles/pihole/templates/setupVars.j2
new file mode 100644
index 0000000..172e0e0
--- /dev/null
+++ b/roles/pihole/templates/setupVars.j2
@@ -0,0 +1,16 @@
+IPV4_ADDRESS={{ ansible_host }}/24
+PIHOLE_INTERFACE=eth0
+QUERY_LOGGING=true
+INSTALL_WEB_SERVER=true
+INSTALL_WEB_INTERFACE=true
+LIGHTTPD_ENABLED=true
+CACHE_SIZE=10000
+DNS_FQDN_REQUIRED=true
+DNS_BOGUS_PRIV=true
+DNSMASQ_LISTENING=local
+WEBPASSWORD=998ed4d621742d0c2d85ed84173db569afa194d4597686cae947324aa58ab4bb
+BLOCKING_ENABLED=true
+DNSSEC=false
+REV_SERVER=false
+PIHOLE_DNS_1=8.8.8.8
+PIHOLE_DNS_2=8.8.4.4
diff --git a/roles/ssh/handlers/main.yml b/roles/ssh/handlers/main.yml
new file mode 100644
index 0000000..7666423
--- /dev/null
+++ b/roles/ssh/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: Restart ssh
+ service:
+ name: sshd
+ state: restarted
+
+- name: Restart fail2ban
+ service:
+ name: fail2ban
+ state: restarted
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
new file mode 100644
index 0000000..e866029
--- /dev/null
+++ b/roles/ssh/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: Block root and password authentication
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '{{ item.regexp }}'
+ line: '{{ item.line }}'
+ validate: 'sshd -T -f %s'
+ state: present
+ with_items:
+ - regexp: '^PasswordAuthentication'
+ line: 'PasswordAuthentication no'
+ - regexp: '^PermitRootLogin'
+ line: 'PermitRootLogin no'
+ notify: Restart ssh
+
+- name: Install fail2ban
+ apt:
+ name: fail2ban
+ state: present
+
+- name: Configure fail2ban
+ blockinfile:
+ path: /etc/fail2ban/jail.local
+ create: yes
+ mode: 0644
+ block: |
+ [sshd]
+ enabled = true
+ filter = sshd
+ notify: Restart fail2ban
+
+- name: Start fail2ban on boot
+ service:
+ name: fail2ban
+ enabled: true
+ state: started
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..0d3ebe2
--- /dev/null
+++ b/site.yml
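Review bot: `WEBPASSWORD=998ed4…` commits what appears to be the Pi-hole admin password hash in clear text inside a template, while the SSH private key in the same commit is vault-encrypted; anyone with read access to the repository can attempt to recover the password offline. Move the value into a vaulted variable and reference it from the template, e.g. `WEBPASSWORD={{ pihole_webpassword_hash }}`, so the template itself carries no secret material. `PIHOLE_INTERFACE=eth0` and the `/24` suffix on `IPV4_ADDRESS` are hard-coded too; if the two DNS hosts ever differ, inventory variables would be safer than editing the template.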
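Review bot: The `lineinfile` edits in the first task only take effect if no earlier directive sets the same option, because sshd keeps the first value it reads; on Debian/Ubuntu images that ship `Include /etc/ssh/sshd_config.d/*.conf` at the top of sshd_config (cloud images often add a drop-in enabling password authentication there), a line this task appends or edits further down is overridden. If the targets use that layout, writing a low-numbered drop-in is more robust than editing the main file and also removes the per-item regexp/line loop, as sketched below. `with_items` on this task and `create: yes` / `mode: 0644` on the fail2ban task are the legacy spellings; `loop:`, `create: true` and `mode: "0644"` are the current ones. If the targets run a release that no longer writes /var/log/auth.log by default, the jail also needs `backend = systemd` for fail2ban to see sshd events — worth confirming against the images in use.
```yaml
- name: Block root and password authentication
  copy:
    dest: /etc/ssh/sshd_config.d/00-hardening.conf
    content: |
      PasswordAuthentication no
      PermitRootLogin no
    mode: "0644"
    validate: 'sshd -T -f %s'
  notify: Restart ssh
# … unchanged: fail2ban install, jail and service tasks …
```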
@@ -0,0 +1,19 @@
+---
+- hosts: all
+ become: yes
+ pre_tasks:
+ - name: Update apt-get repo and cache
+ apt:
+ update_cache: yes
+ cache_valid_time: 3600
+ roles:
+ - role: instance
+ - role: apt
+ - role: firewall
+ - role: administrators
+ - role: ssh
+- hosts: dns
+ become: yes
+ roles:
+ - role: pihole
+ tags: pihole
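Review bot: `become: yes` (both plays) and `update_cache: yes` use the YAML 1.1 boolean spellings; `true` is the canonical form and what yamllint's truthy rule and ansible-lint expect, so `become: true` / `update_cache: true` here, and likewise for `become: yes` in roles/pihole/tasks/main.yml. `tags: pihole` on the second play is the only tag in the playbook, so a run with `--tags pihole` skips the base roles on the dns hosts entirely; a one-line comment above that play, `# --tags pihole re-runs only the Pi-hole role; base hardening comes from the 'all' play above`, would make that explicit to the next operator.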