From 9e107d4a7511a1cdcdbb6c329fc8916fd3d82fea Mon Sep 17 00:00:00 2001 
From: Tom Alexander
Date: Mon, 1 Jul 2024 22:01:07 -0400
Subject: [PATCH] Add bastion and certificate jails.

---
 .gitattributes | 2 +
 .../environments/home/host_vars/homeserver | 7 ++
 ansible/environments/jail/host_vars/bastion | 1 +
 .../environments/jail/host_vars/certificate | 1 +
 ansible/environments/jail/hosts | 2 +
 ansible/playbook.yaml | 11 +++
 .../roles/firewall/files/homeserver_pf.conf | 20 +++-
 ansible/roles/jail/files/fstab_bastion | 4 +
 ansible/roles/jail/files/jails/bastion.conf | 15 ++++
 .../roles/jail/files/jails/certificate.conf | 15 ++++
 .../roles/jail_bastion/files/headers.include | 12 +++
 ansible/roles/jail_bastion/files/htpasswd | Bin 0 -> 74 bytes
 .../roles/jail_bastion/files/newsyslog.conf | 2 +
 ansible/roles/jail_bastion/files/nginx.conf | 52 +++++++++++
 .../roles/jail_bastion/files/nginx_rc.conf | 1 +
 .../roles/jail_bastion/files/proxy.include | 7 ++
 .../jail_bastion/files/tls_settings.include | 3 +
 ansible/roles/jail_bastion/meta/main.yaml | 2 +
 ansible/roles/jail_bastion/tasks/common.yaml | 55 ++++++++++++
 ansible/roles/jail_bastion/tasks/freebsd.yaml | 81 ++++++++++++++++++
 ansible/roles/jail_bastion/tasks/linux.yaml | 29 +++++++
 ansible/roles/jail_bastion/tasks/main.yaml | 2 +
 ansible/roles/jail_bastion/tasks/peruser.yaml | 29 +++++++
 .../jail_bastion/tasks/peruser_freebsd.yaml | 0
 .../jail_bastion/tasks/peruser_linux.yaml | 0
 .../roles/jail_certificate/files/credentials | Bin 0 -> 503 bytes
 ansible/roles/jail_certificate/meta/main.yaml | 2 +
 .../roles/jail_certificate/tasks/common.yaml | 55 ++++++++++++
 .../roles/jail_certificate/tasks/freebsd.yaml | 44 ++++++++++
 .../roles/jail_certificate/tasks/linux.yaml | 29 +++++++
 .../roles/jail_certificate/tasks/main.yaml | 2 +
 .../roles/jail_certificate/tasks/peruser.yaml | 29 +++++++
 .../tasks/peruser_freebsd.yaml | 0
 .../jail_certificate/tasks/peruser_linux.yaml | 0
 .../roles/jail_nat_dhcp/files/kea-dhcp4.conf | 5 ++
 ansible/roles/public_dns/files/master.db | 1 +
 ansible/roles/public_dns/tasks/freebsd.yaml | 4 +
 ansible/run.bash | 4 +
38 files changed, 523 insertions(+), 5 deletions(-)
create mode 100644 ansible/environments/jail/host_vars/bastion
create mode 100644 ansible/environments/jail/host_vars/certificate
create mode 100644 ansible/roles/jail/files/fstab_bastion
create mode 100644 ansible/roles/jail/files/jails/bastion.conf
create mode 100644 ansible/roles/jail/files/jails/certificate.conf
create mode 100644 ansible/roles/jail_bastion/files/headers.include
create mode 100644 ansible/roles/jail_bastion/files/htpasswd
create mode 100644 ansible/roles/jail_bastion/files/newsyslog.conf
create mode 100644 ansible/roles/jail_bastion/files/nginx.conf
create mode 100644 ansible/roles/jail_bastion/files/nginx_rc.conf
create mode 100644 ansible/roles/jail_bastion/files/proxy.include
create mode 100644 ansible/roles/jail_bastion/files/tls_settings.include
create mode 100644 ansible/roles/jail_bastion/meta/main.yaml
create mode 100644 ansible/roles/jail_bastion/tasks/common.yaml
create mode 100644 ansible/roles/jail_bastion/tasks/freebsd.yaml
create mode 100644 ansible/roles/jail_bastion/tasks/linux.yaml
create mode 100644 ansible/roles/jail_bastion/tasks/main.yaml
create mode 100644 ansible/roles/jail_bastion/tasks/peruser.yaml
create mode 100644 ansible/roles/jail_bastion/tasks/peruser_freebsd.yaml
create mode 100644 ansible/roles/jail_bastion/tasks/peruser_linux.yaml
create mode 100644 ansible/roles/jail_certificate/files/credentials
create mode 100644 ansible/roles/jail_certificate/meta/main.yaml
create mode 100644 ansible/roles/jail_certificate/tasks/common.yaml
create mode 100644 ansible/roles/jail_certificate/tasks/freebsd.yaml
create mode 100644 ansible/roles/jail_certificate/tasks/linux.yaml
create mode 100644 ansible/roles/jail_certificate/tasks/main.yaml
create mode 100644 ansible/roles/jail_certificate/tasks/peruser.yaml
create mode 100644 ansible/roles/jail_certificate/tasks/peruser_freebsd.yaml
create mode 100644 ansible/roles/jail_certificate/tasks/peruser_linux.yaml
diff --git a/.gitattributes b/.gitattributes
index cf5db54..c010a4f 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1,5 @@
 cargo_credentials.toml filter=git-crypt diff=git-crypt
 **/wireguard_configs/** filter=git-crypt diff=git-crypt
 *.key filter=git-crypt diff=git-crypt
+credentials filter=git-crypt diff=git-crypt
+htpasswd filter=git-crypt diff=git-crypt
diff --git a/ansible/environments/home/host_vars/homeserver b/ansible/environments/home/host_vars/homeserver
index ad60530..aa8e4de 100644
--- a/ansible/environments/home/host_vars/homeserver
+++ b/ansible/environments/home/host_vars/homeserver
@@ -57,6 +57,13 @@ jail_list:
 conf:
 src: sftp
 fstab: sftp_fstab
+ - name: bastion
+ conf:
+ src: bastion
+ fstab: fstab_bastion
+ - name: certificate
+ conf:
+ src: certificate
 # - name: mumble
 # conf:
 # src: mumble
diff --git a/ansible/environments/jail/host_vars/bastion b/ansible/environments/jail/host_vars/bastion
new file mode 100644
index 0000000..466c910
--- /dev/null
+++ b/ansible/environments/jail/host_vars/bastion
@@ -0,0 +1 @@
+os_flavor: freebsd
diff --git a/ansible/environments/jail/host_vars/certificate b/ansible/environments/jail/host_vars/certificate
new file mode 100644
index 0000000..466c910
--- /dev/null
+++ b/ansible/environments/jail/host_vars/certificate
@@ -0,0 +1 @@
+os_flavor: freebsd
diff --git a/ansible/environments/jail/hosts b/ansible/environments/jail/hosts
index 0a9b89d..0e22aa2 100644
--- a/ansible/environments/jail/hosts
+++ b/ansible/environments/jail/hosts
@@ -6,3 +6,5 @@ nat_dhcp@172.16.16.2 ansible_connection=sshjail
 admin_git ansible_ssh_host=admin_git@10.217.2.1 ansible_connection=sshjail
 public_dns ansible_ssh_host=public_dns@10.217.2.1 ansible_connection=sshjail
 sftp ansible_ssh_host=sftp@homeserver ansible_connection=sshjail
+bastion ansible_ssh_host=bastion@homeserver ansible_connection=sshjail
+certificate ansible_ssh_host=certificate@homeserver ansible_connection=sshjail
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index 2f78e2e..b90d853 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -143,3 +143,14 @@
 - users
 - sftp
+- hosts: bastion
+ vars:
+ ansible_become: True
+ roles:
+ - jail_bastion
+
+- hosts: certificate
+ vars:
+ ansible_become: True
+ roles:
+ - jail_certificate
diff --git a/ansible/roles/firewall/files/homeserver_pf.conf b/ansible/roles/firewall/files/homeserver_pf.conf
index 4d33944..0606623 100644
--- a/ansible/roles/firewall/files/homeserver_pf.conf
+++ b/ansible/roles/firewall/files/homeserver_pf.conf
@@ -17,23 +17,32 @@ unifi_ports = "{ 8443 3478 10001 8080 1900 8843 8880 6789 5514 }"
 # options
 set skip on lo
+# queueing
+# altq on wlan0 cbq queue { def, stuff }
+# queue def cbq(default borrow)
+# queue stuff bandwidth 8Mb cbq { dagger }
+# queue dagger cbq(borrow)
+
 # redirections
 nat pass on $ext_if inet from $jail_nat_v4 to $not_jail_nat_v4 -> (wlan0)
-rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 1.1.1.1 port 53
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.1.1 port 53 -> 172.16.0.1 port 53
 # cloak
 nat pass on $ext_if inet from 10.215.2.0/24 to !10.215.2.0/24 -> (wlan0)
-rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 1.1.1.1 port 53
+rdr pass on $not_ext_if proto {tcp, udp} from any to 10.215.2.1 port 53 -> 172.16.0.1 port 53
+
+# bastion
+rdr pass on $ext_if inet proto tcp from { any, !10.215.1.0/24, !10.215.2.0/24 } to any port 8081 -> 10.215.1.217 port 443
+nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.217 port 443 -> 10.215.1.1
+nat pass on restricted_nat proto {tcp, udp} from 10.215.1.217/32 to 10.215.2.2 port 8081 -> 10.215.2.1
-# cloak -> dagger
-rdr pass on $ext_if inet proto tcp from $not_restricted_nat_v4 to any port 8081 -> 10.215.2.2 port 8081
-nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8081 -> 10.215.2.1
 # cloak -> olddagger
 rdr pass on $ext_if inet proto tcp from $not_restricted_nat_v4 to any port 8082 -> 10.215.2.2 port 8082
 nat pass on restricted_nat proto {tcp, udp} from any to 10.215.2.2 port 8082 -> 10.215.2.1
 # -> sftp
+# TODO: Limit bandwidth for sftp
 rdr pass on $ext_if inet proto tcp from $not_jail_nat_v4 to any port 8022 -> 10.215.1.216 port 22
 nat pass on jail_nat proto {tcp, udp} from any to 10.215.1.216 port 22 -> 10.215.1.1
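Review bot: The bastion `rdr` rule's source list `{ any, !10.215.1.0/24, !10.215.2.0/24 }` does not exclude the jail networks: pf expands a brace list into one rule per element, so the `any` element alone matches every source and the two negated elements are dead. If the intent mirrors the removed `cloak -> dagger` rule (keep internal ranges off the redirect so the jails reach 10.215.2.2 directly), use a negated table instead: `table <jail_nets> const { 10.215.1.0/24, 10.215.2.0/24 }` next to the other macros and `rdr pass on $ext_if inet proto tcp from !<jail_nets> to any port 8081 -> 10.215.1.217 port 443`. As written the rule also accepts every external source on 8081, which is presumably intended because the proxy enforces basic auth, but that is worth stating in the `# bastion` comment.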
@@ -51,6 +60,7 @@ pass out on jail_nat from $jail_nat_v4
 pass out on jail_nat proto {udp, tcp} from any to 10.215.1.202 port $unifi_ports
 pass out on restricted_nat proto {udp, tcp} from any to 10.215.2.2 port 8081
+# TODO: limit bandwidth for dagger here
 pass in on restricted_nat proto {udp, tcp} from any to any port { 53 51820 }
 # We pass on the interfaces listed in allow rather than skipping on
diff --git a/ansible/roles/jail/files/fstab_bastion b/ansible/roles/jail/files/fstab_bastion
new file mode 100644
index 0000000..dcc33c6
--- /dev/null
+++ b/ansible/roles/jail/files/fstab_bastion
@@ -0,0 +1,4 @@
+tmpfs /jail/bastion/tmp tmpfs rw,mode=777 0 0
+tmpfs /jail/bastion/var/run tmpfs rw,mode=755 0 0
+
+/jail/certificate/usr/local/etc/letsencrypt/archive/stuff.fizz.buzz /jail/bastion/stuff.fizz.buzz nullfs ro,noexec 0 0
diff --git a/ansible/roles/jail/files/jails/bastion.conf b/ansible/roles/jail/files/jails/bastion.conf
new file mode 100644
index 0000000..f7b2868
--- /dev/null
+++ b/ansible/roles/jail/files/jails/bastion.conf
@@ -0,0 +1,15 @@
+bastion {
+ path = "/jail/${name}";
+ vnet;
+ exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
+ exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+ vnet.interface += "jail${name}";
+
+ devfs_ruleset = 14;
+ mount.devfs;
+ mount.fstab = "/etc/fstab.${name}";
+
+ exec.start += "/bin/sh /etc/rc";
+ exec.stop = "/bin/sh /etc/rc.shutdown jail";
+ exec.consolelog = "/var/log/jail_${name}_console.log";
+}
diff --git a/ansible/roles/jail/files/jails/certificate.conf b/ansible/roles/jail/files/jails/certificate.conf
new file mode 100644
index 0000000..610a4c4
--- /dev/null
+++ b/ansible/roles/jail/files/jails/certificate.conf
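Review bot: `tmpfs /jail/bastion/tmp tmpfs rw,mode=777 0 0` in the fstab_bastion hunk creates a world-writable /tmp without the sticky bit, so any account in the jail can delete or rename another user's temporary files; use `rw,mode=1777`. The nullfs line binds certbot's `archive/stuff.fizz.buzz` directory, which only exists after certbot has been run once inside the certificate jail, so a fresh bastion jail start fails on that mount until then, and the archive directory holds every private key ever issued for the name, not only the current one. A one-line comment recording that ordering dependency (certificate jail first, certbot run, then bastion) would save the next person a confusing first boot.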
@@ -0,0 +1,15 @@
+certificate {
+ path = "/jail/${name}";
+ vnet;
+ exec.prestart += "/usr/local/bin/jail_netgraph_bridge start jail_nat jail${name} 10.215.1.1/24";
+ exec.poststop += "/usr/local/bin/jail_netgraph_bridge stop jail_nat jail${name}";
+ vnet.interface += "jail${name}";
+
+ devfs_ruleset = 14;
+ mount.devfs;
+ mount.fstab = "/etc/fstab.${name}";
+
+ exec.start += "/bin/sh /etc/rc";
+ exec.stop = "/bin/sh /etc/rc.shutdown jail";
+ exec.consolelog = "/var/log/jail_${name}_console.log";
+}
diff --git a/ansible/roles/jail_bastion/files/headers.include b/ansible/roles/jail_bastion/files/headers.include
new file mode 100644
index 0000000..ffb49b9
--- /dev/null
+++ b/ansible/roles/jail_bastion/files/headers.include
@@ -0,0 +1,12 @@
+# Enable HTTP Strict Transport Security (HSTS) to force clients to
+# always connect via HTTPS (do not use if only testing)
+add_header Strict-Transport-Security "max-age=31536000;" always;
+# Enable cross-site filter (XSS) and tell browser to block detected
+# attacks
+add_header X-XSS-Protection "1; mode=block" always;
+# Prevent some browsers from MIME-sniffing a response away from the
+# declared Content-Type
+add_header X-Content-Type-Options "nosniff" always;
+# Disallow the site to be rendered within a frame (clickjacking
+# protection)
+add_header X-Frame-Options "DENY" always;
diff --git a/ansible/roles/jail_bastion/files/htpasswd b/ansible/roles/jail_bastion/files/htpasswd
new file mode 100644
index 0000000000000000000000000000000000000000..af2807024bd00f66146915ec5f70d044a8816418
GIT binary patch
literal 74
zcmV-Q0JZ-BM@dveQdv+`0D>uMqp@YKp#8UNKkS9)-9-Av73x?YMulDh6{-D!SMXH<
g^|w--?}z)t(=*-8<0Rg%Wyof;9>S~MfA7Y#2RUFTQUCw|

literal 0
HcmV?d00001

diff --git a/ansible/roles/jail_bastion/files/newsyslog.conf b/ansible/roles/jail_bastion/files/newsyslog.conf
new file mode 100644
index 0000000..78a612b
--- /dev/null
+++ b/ansible/roles/jail_bastion/files/newsyslog.conf
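Review bot: `mount.fstab = "/etc/fstab.${name}";` points at /etc/fstab.certificate, but the `certificate` entry added to `jail_list` in host_vars/homeserver carries no `fstab:` key, unlike `bastion` which gets `fstab_bastion`; unless the jail role writes an empty fstab by default, jail(8) will fail the mount step and the jail will not start. Either give the certificate entry an `fstab:` pointing at an empty file or drop the `mount.fstab` line here. The file is otherwise identical to bastion.conf apart from the jail name, so a header comment such as `# Standard vnet jail template; keep in sync with bastion.conf` would make future drift easier to spot.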
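Review bot: `add_header X-XSS-Protection "1; mode=block" always;` and the comment above it describe a browser filter that no longer exists: Chromium removed its XSS Auditor in 2019, Firefox never shipped one, and current OWASP guidance is to send `0` or omit the header because the legacy filter could itself be abused for cross-site leaks. Suggested replacement: `add_header X-XSS-Protection "0" always;` with the comment `# Explicitly disable the legacy XSS auditor; rely on CSP instead`. The HSTS value `"max-age=31536000;"` also carries a trailing semicolon inside the quotes, which browsers tolerate but which is not part of the directive syntax; `"max-age=31536000"` is the canonical form, and `includeSubDomains` can be added once every fizz.buzz subdomain serves TLS.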
@@ -0,0 +1,2 @@
+# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
+/var/log/nginx/*.log 640 5 1000 @T00 GYC /var/run/nginx.pid SIGUSR1
diff --git a/ansible/roles/jail_bastion/files/nginx.conf b/ansible/roles/jail_bastion/files/nginx.conf
new file mode 100644
index 0000000..13eafd2
--- /dev/null
+++ b/ansible/roles/jail_bastion/files/nginx.conf
@@ -0,0 +1,52 @@
+worker_processes auto;
+user www www;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ types {
+ text/plain log;
+ }
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ gzip on;
+
+ include conf.d/headers.include;
+
+ upstream inner {
+ server 10.215.2.2:8081;
+ keepalive 4;
+ }
+
+ server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+
+ server_name stuff.fizz.buzz;
+
+ include conf.d/tls_settings.include;
+ # RSA
+ ssl_certificate /stuff.fizz.buzz/fullchain1.pem;
+ ssl_certificate_key /stuff.fizz.buzz/privkey1.pem;
+
+ # Nginx by default only allows file uploads up to 1M in size
+ client_max_body_size 50M;
+
+ location / {
+ auth_basic "Stuff";
+ auth_basic_user_file conf.d/htpasswd;
+
+
+ proxy_pass http://inner;
+ include conf.d/proxy.include;
+ }
+ }
+}
diff --git a/ansible/roles/jail_bastion/files/nginx_rc.conf b/ansible/roles/jail_bastion/files/nginx_rc.conf
new file mode 100644
index 0000000..c104d8b
--- /dev/null
+++ b/ansible/roles/jail_bastion/files/nginx_rc.conf
@@ -0,0 +1 @@
+nginx_enable="YES"
diff --git a/ansible/roles/jail_bastion/files/proxy.include b/ansible/roles/jail_bastion/files/proxy.include
new file mode 100644
index 0000000..aa2a42a
--- /dev/null
+++ b/ansible/roles/jail_bastion/files/proxy.include
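Review bot: `ssl_certificate /stuff.fizz.buzz/fullchain1.pem;` and `ssl_certificate_key /stuff.fizz.buzz/privkey1.pem;` pin the first certbot issuance: each renewal writes `fullchain2.pem`, `fullchain3.pem`, … into the archive directory and only the `live/` symlinks move, so after the first renewal this vhost keeps serving the old certificate until it expires. Because certbot's live symlinks are relative (`../../archive/<domain>/…`), the fix is to nullfs-mount the whole `letsencrypt` tree (or a `cp -L` copy of `live/` produced by a renewal hook) and point these two directives at `live/stuff.fizz.buzz/fullchain.pem` and `privkey.pem`; nginx additionally needs a reload after each renewal, which nothing in this commit triggers. `http2 on;` is the post-1.25.1 syntax and should be noted in a comment in case an older nginx package is ever installed, and `server_tokens off;` in the `http` block would stop the version banner from being advertised to the internet.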
@@ -0,0 +1,7 @@
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+# Settings for keepalive module for upstreams
+proxy_http_version 1.1;
+proxy_set_header Connection "";
diff --git a/ansible/roles/jail_bastion/files/tls_settings.include b/ansible/roles/jail_bastion/files/tls_settings.include
new file mode 100644
index 0000000..e26fde8
--- /dev/null
+++ b/ansible/roles/jail_bastion/files/tls_settings.include
@@ -0,0 +1,3 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
diff --git a/ansible/roles/jail_bastion/meta/main.yaml b/ansible/roles/jail_bastion/meta/main.yaml
new file mode 100644
index 0000000..ecea872
--- /dev/null
+++ b/ansible/roles/jail_bastion/meta/main.yaml
@@ -0,0 +1,2 @@
+dependencies:
+ - syslog
diff --git a/ansible/roles/jail_bastion/tasks/common.yaml b/ansible/roles/jail_bastion/tasks/common.yaml
new file mode 100644
index 0000000..f146487
--- /dev/null
+++ b/ansible/roles/jail_bastion/tasks/common.yaml
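Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the client address to whatever `X-Forwarded-For` the client already sent, and since the pf `rdr` makes this nginx the first hop for internet traffic, an external client can prepend arbitrary addresses that any upstream logic reading the first XFF entry (allow-lists, rate limits, audit logs) would believe. Prefer `proxy_set_header X-Forwarded-For $remote_addr;` here, or state in this file that the upstream must trust only the last element; `X-Real-IP $remote_addr` is already correct. A comment above the keepalive settings such as `# Connection "" is required for upstream keepalive; do not remove` would also stop that line from being mistaken for a bug.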
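Review bot: The last four suites in `ssl_ciphers` (`ECDHE-*-AES256-SHA384` and `ECDHE-*-AES128-SHA256`) are CBC-mode TLS 1.2 suites that Mozilla's intermediate profile has dropped; with TLS 1.2 as the floor and no legacy clients named, trimming the list to the six AEAD suites that precede them removes the weakest options at no meaningful compatibility cost. Under OpenSSL `ssl_ciphers` does not govern TLS 1.3 suites, so this list only affects 1.2 clients; a one-line comment saying so would keep someone from trying to tune 1.3 here. `ssl_prefer_server_ciphers on` is appropriate for this ordering.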
@@ -0,0 +1,55 @@
+# - name: Create directories
+# file:
+# name: "{{ item }}"
+# state: directory
+# mode: 0755
+# owner: root
+# group: wheel
+# loop:
+# - /foo/bar
+
+# - name: Install scripts
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ item.dest }}"
+# mode: 0755
+# owner: root
+# group: wheel
+# loop:
+# - src: foo.bash
+# dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ item.dest }}"
+# mode: 0600
+# owner: root
+# group: wheel
+# loop:
+# - src: foo.conf
+# dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+# git:
+# repo: "https://foo.bar/baz.git"
+# dest: /foo/bar
+# version: "v1.0.2"
+# force: true
+# diff: false
+
+- import_tasks: tasks/freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+ when: 'os_flavor == "linux"'
+
+# - include_tasks:
+# file: tasks/peruser.yaml
+# apply:
+# become: yes
+# become_user: "{{ initialize_user }}"
+# when: users is defined
+# loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+# loop_control:
+# loop_var: initialize_user
diff --git a/ansible/roles/jail_bastion/tasks/freebsd.yaml b/ansible/roles/jail_bastion/tasks/freebsd.yaml
new file mode 100644
index 0000000..5ca8860
--- /dev/null
+++ b/ansible/roles/jail_bastion/tasks/freebsd.yaml
@@ -0,0 +1,81 @@
+- name: Create www group
+ group:
+ name: www
+
+- name: Create www user
+ user:
+ name: www
+ home: /srv/http
+ createhome: false
+ group: www
+
+- name: Create directories
+ file:
+ name: "{{ item }}"
+ state: directory
+ mode: 0755
+ owner: root
+ group: wheel
+ loop:
+ - /stuff.fizz.buzz
+ - /etc/rc.conf.d
+ - /usr/local/etc/nginx/conf.d
+
+- name: Create directories
+ file:
+ name: "{{ item }}"
+ state: directory
+ mode: 0755
+ owner: www
+ group: www
+ loop:
+ - /srv/http
+
+- name: Install packages
+ package:
+ name:
+ - nginx
+ state: present
+
+# validate fails because nginx config relies on a local mime.types
+- name: Install Configuration
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0644
+ owner: root
+ group: wheel
+ loop:
+ - src: nginx.conf
+ dest: /usr/local/etc/nginx/nginx.conf
+ - src: headers.include
+ dest: /usr/local/etc/nginx/conf.d/headers.include
+ - src: proxy.include
+ dest: /usr/local/etc/nginx/conf.d/proxy.include
+ - src: tls_settings.include
+ dest: /usr/local/etc/nginx/conf.d/tls_settings.include
+ # Generate htpasswd with `htpasswd -c files/htpasswd user1`
+ # or `printf "USER:$(openssl passwd)\n" >> files/htpasswd`
+ - src: htpasswd
+ dest: /usr/local/etc/nginx/conf.d/htpasswd
+
+- name: Install newsyslog configuration
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0600
+ owner: root
+ group: wheel
+ loop:
+ - src: newsyslog.conf
+ dest: /usr/local/etc/newsyslog.conf.d/nginx.conf
+
+- name: Install service configuration
+ copy:
+ src: "files/{{ item }}_rc.conf"
+ dest: "/etc/rc.conf.d/{{ item }}"
+ mode: 0644
+ owner: root
+ group: wheel
+ loop:
+ - nginx
diff --git a/ansible/roles/jail_bastion/tasks/linux.yaml b/ansible/roles/jail_bastion/tasks/linux.yaml
new file mode 100644
index 0000000..bbbb096
--- /dev/null
+++ b/ansible/roles/jail_bastion/tasks/linux.yaml
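Review bot: The htpasswd file is installed by the `Install Configuration` loop with `mode: 0644` and `group: wheel`, so every account in the jail can read the basic-auth hashes; only the nginx workers (user `www`) need to read it, so it should be `0640` with `group: www`, and the copy should carry `diff: false` the way the certificate role's credentials task does so the hashes never appear in `--diff` output. The generation comment on that item needs two corrections: `htpasswd -c` recreates the file, so only the first user may use `-c`, and `openssl passwd` with no algorithm flag picks a version-dependent default (legacy DES crypt on older OpenSSL, which silently truncates passwords to 8 characters), so it should be written as `openssl passwd -6`. Nothing in this role starts nginx or reloads it when nginx.conf changes — `nginx_enable` only takes effect at jail boot — so a `service: name: nginx state: started` task and a reload handler notified by the configuration copies are missing.

```yaml
# … unchanged: Install Configuration loop, minus the htpasswd item …

# Basic-auth hashes: readable by root and the nginx workers only, and
# kept out of --diff output.
# Generate with `htpasswd -c files/htpasswd user1` (first user only;
# omit -c for additional users) or
# `printf "USER:$(openssl passwd -6)\n" >> files/htpasswd`
- name: Install basic-auth credentials
  diff: false
  copy:
    src: files/htpasswd
    dest: /usr/local/etc/nginx/conf.d/htpasswd
    mode: 0640
    owner: root
    group: www
```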
@@ -0,0 +1,29 @@
+# - name: Build aur packages
+# register: buildaur
+# become_user: "{{ build_user.name }}"
+# command: "aurutils-sync --no-view {{ item }}"
+# args:
+# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+# loop:
+# - foo
+
+# - name: Update cache
+# when: buildaur.changed
+# pacman:
+# name: []
+# state: present
+# update_cache: true
+
+# - name: Install packages
+# package:
+# name:
+# - foo
+# state: present
+
+# - name: Enable services
+# systemd:
+# enabled: yes
+# name: "{{ item }}"
+# daemon_reload: yes
+# loop:
+# - foo.service
diff --git a/ansible/roles/jail_bastion/tasks/main.yaml b/ansible/roles/jail_bastion/tasks/main.yaml
new file mode 100644
index 0000000..6805b9d
--- /dev/null
+++ b/ansible/roles/jail_bastion/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+ # when: foo is defined
diff --git a/ansible/roles/jail_bastion/tasks/peruser.yaml b/ansible/roles/jail_bastion/tasks/peruser.yaml
new file mode 100644
index 0000000..111e886
--- /dev/null
+++ b/ansible/roles/jail_bastion/tasks/peruser.yaml
@@ -0,0 +1,29 @@
+- include_role:
+ name: per_user
+
+# - name: Create directories
+# file:
+# name: "{{ account_homedir.stdout }}/{{ item }}"
+# state: directory
+# mode: 0700
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - ".config/foo"
+
+# - name: Copy files
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+# mode: 0600
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - src: foo.conf
+# dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+ when: 'os_flavor == "linux"'
diff --git a/ansible/roles/jail_bastion/tasks/peruser_freebsd.yaml b/ansible/roles/jail_bastion/tasks/peruser_freebsd.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/jail_bastion/tasks/peruser_linux.yaml b/ansible/roles/jail_bastion/tasks/peruser_linux.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/jail_certificate/files/credentials b/ansible/roles/jail_certificate/files/credentials
new file mode 100644
index 0000000000000000000000000000000000000000..df93e60d448413679d6a0bcf360e4a57fd949f33
GIT binary patch
literal 503
zcmV?Guvzy2i`diOJwkQTW)5CilN=U@lDyK9i}-$7fqxGX
zl>e;osY-3T0Fv(0w9HTA`#=Yl?(Ik|3P1}IZ7}3rA%Y8|83=~U{pY8o$?-
z$Fm4C2$UhKf+lFyrDp?qPy>e^ZAgv(qu|Em@?TB-ahRH=bcYoTn5?4uE`q3cTDil_
zIT)0B9IaWy+?6$_KDmsp28CHmw{1ATu@0qC5Maf=TronD^ER&F0<$anNsKe3g7ebu
tJ>}d;D|sW8HbLpH`X6Lhmr2LrW~rYf%@nQjEO$8~l=Fz4mV8zwtdKs9`B(q|

literal 0
HcmV?d00001

diff --git a/ansible/roles/jail_certificate/meta/main.yaml b/ansible/roles/jail_certificate/meta/main.yaml
new file mode 100644
index 0000000..43e965e
--- /dev/null
+++ b/ansible/roles/jail_certificate/meta/main.yaml
@@ -0,0 +1,2 @@
+# dependencies:
+# - users
diff --git a/ansible/roles/jail_certificate/tasks/common.yaml b/ansible/roles/jail_certificate/tasks/common.yaml
new file mode 100644
index 0000000..f146487
--- /dev/null
+++ b/ansible/roles/jail_certificate/tasks/common.yaml
@@ -0,0 +1,55 @@
+# - name: Create directories
+# file:
+# name: "{{ item }}"
+# state: directory
+# mode: 0755
+# owner: root
+# group: wheel
+# loop:
+# - /foo/bar
+
+# - name: Install scripts
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ item.dest }}"
+# mode: 0755
+# owner: root
+# group: wheel
+# loop:
+# - src: foo.bash
+# dest: /usr/local/bin/foo
+
+# - name: Install Configuration
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ item.dest }}"
+# mode: 0600
+# owner: root
+# group: wheel
+# loop:
+# - src: foo.conf
+# dest: /usr/local/etc/foo.conf
+
+# - name: Clone Source
+# git:
+# repo: "https://foo.bar/baz.git"
+# dest: /foo/bar
+# version: "v1.0.2"
+# force: true
+# diff: false
+
+- import_tasks: tasks/freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+ when: 'os_flavor == "linux"'
+
+# - include_tasks:
+# file: tasks/peruser.yaml
+# apply:
+# become: yes
+# become_user: "{{ initialize_user }}"
+# when: users is defined
+# loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+# loop_control:
+# loop_var: initialize_user
diff --git a/ansible/roles/jail_certificate/tasks/freebsd.yaml b/ansible/roles/jail_certificate/tasks/freebsd.yaml
new file mode 100644
index 0000000..cc59988
--- /dev/null
+++ b/ansible/roles/jail_certificate/tasks/freebsd.yaml
@@ -0,0 +1,44 @@
+- name: Install packages
+ package:
+ name:
+ - py311-certbot
+ - py311-certbot-dns-rfc2136
+ state: present
+
+- name: Enable periodic renew
+ community.general.sysrc:
+ name: weekly_certbot_enable
+ value: "YES"
+ path: /etc/periodic.conf.local
+
+- name: Create directories
+ file:
+ name: "{{ item }}"
+ state: directory
+ mode: 0755
+ owner: root
+ group: wheel
+ loop:
+ - /certbot
+
+- name: Install Configuration
+ diff: false
+ copy:
+ src: "files/{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: 0600
+ owner: root
+ group: wheel
+ loop:
+ - src: credentials
+ dest: /certbot/credentials
+
+# For each domain, run:
+# certbot certonly -v --register-unsafely-without-email \
+# --dns-rfc2136 \
+# --dns-rfc2136-credentials /certbot/credentials \
+# --dns-rfc2136-propagation-seconds 400 \
+# -d example.com \
+# -d www.example.com
+#
+# Add --test-cert for staging environment
diff --git a/ansible/roles/jail_certificate/tasks/linux.yaml b/ansible/roles/jail_certificate/tasks/linux.yaml
new file mode 100644
index 0000000..bbbb096
--- /dev/null
+++ b/ansible/roles/jail_certificate/tasks/linux.yaml
@@ -0,0 +1,29 @@
+# - name: Build aur packages
+# register: buildaur
+# become_user: "{{ build_user.name }}"
+# command: "aurutils-sync --no-view {{ item }}"
+# args:
+# creates: "/var/cache/pacman/custom/{{ item }}-*.pkg.tar.*"
+# loop:
+# - foo
+
+# - name: Update cache
+# when: buildaur.changed
+# pacman:
+# name: []
+# state: present
+# update_cache: true
+
+# - name: Install packages
+# package:
+# name:
+# - foo
+# state: present
+
+# - name: Enable services
+# systemd:
+# enabled: yes
+# name: "{{ item }}"
+# daemon_reload: yes
+# loop:
+# - foo.service
diff --git a/ansible/roles/jail_certificate/tasks/main.yaml b/ansible/roles/jail_certificate/tasks/main.yaml
new file mode 100644
index 0000000..6805b9d
--- /dev/null
+++ b/ansible/roles/jail_certificate/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+ # when: foo is defined
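Review bot: `weekly_certbot_enable` turns on the port's weekly periodic `certbot renew`, but a successful renewal only writes a new archive serial inside this jail; nothing here notifies the bastion jail, whose nginx reads the key material through a read-only nullfs mount and will not pick up a new certificate without a reload. The FreeBSD periodic script accepts hook variables alongside the enable flag (check `/usr/local/etc/periodic/weekly/500.certbot` for the exact names), but a hook running inside this jail cannot normally reach a sibling jail, so the realistic options are a scheduled `service nginx reload` on the bastion side or host-driven orchestration, and whichever is chosen belongs in the `For each domain, run:` comment block. `--register-unsafely-without-email` also means no expiry reminders from the CA, so external certificate-expiry monitoring should be noted as a requirement.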
diff --git a/ansible/roles/jail_certificate/tasks/peruser.yaml b/ansible/roles/jail_certificate/tasks/peruser.yaml
new file mode 100644
index 0000000..111e886
--- /dev/null
+++ b/ansible/roles/jail_certificate/tasks/peruser.yaml
@@ -0,0 +1,29 @@
+- include_role:
+ name: per_user
+
+# - name: Create directories
+# file:
+# name: "{{ account_homedir.stdout }}/{{ item }}"
+# state: directory
+# mode: 0700
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - ".config/foo"
+
+# - name: Copy files
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+# mode: 0600
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - src: foo.conf
+# dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+ when: 'os_flavor == "linux"'
diff --git a/ansible/roles/jail_certificate/tasks/peruser_freebsd.yaml b/ansible/roles/jail_certificate/tasks/peruser_freebsd.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/jail_certificate/tasks/peruser_linux.yaml b/ansible/roles/jail_certificate/tasks/peruser_linux.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf b/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf
index 5f09f16..9a42389 100644
--- a/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf
+++ b/ansible/roles/jail_nat_dhcp/files/kea-dhcp4.conf
@@ -83,6 +83,11 @@
 // sftp
 "hw-address": "58:9c:fc:10:ff:ab",
 "ip-address": "10.215.1.216"
+ },
+ {
+ // bastion
+ "hw-address": "58:9c:fc:10:ff:a2",
+ "ip-address": "10.215.1.217"
 }
 ]
 }
diff --git a/ansible/roles/public_dns/files/master.db b/ansible/roles/public_dns/files/master.db
index cc0daff..5d2834a 100644
--- a/ansible/roles/public_dns/files/master.db
+++ b/ansible/roles/public_dns/files/master.db
@@ -71,3 +71,4 @@ _caldavs._tcp IN SRV 0 1 443 caldav.fastmail.com
 home IN A 68.197.252.22
 opstunnel IN CNAME home.fizz.buzz.
 stream IN CNAME home.fizz.buzz.
+stuff IN CNAME home.fizz.buzz.
diff --git a/ansible/roles/public_dns/tasks/freebsd.yaml b/ansible/roles/public_dns/tasks/freebsd.yaml
index 34a4843..c35ee4b 100644
--- a/ansible/roles/public_dns/tasks/freebsd.yaml
+++ b/ansible/roles/public_dns/tasks/freebsd.yaml
@@ -110,6 +110,10 @@
 command: pdnsutil add-meta fizz.buzz ALLOW-DNSUPDATE-FROM 10.215.1.0/24
 when: '"10.215.1.0/24" not in allowdnsupdatefrom.stdout'
+- name: Allow IP addresses
+ command: pdnsutil add-meta fizz.buzz ALLOW-DNSUPDATE-FROM 68.197.252.15/32
+ when: '"68.197.252.15/32" not in allowdnsupdatefrom.stdout'
+
 - name: Allow AXFR from the externaldns tsig key
 command: pdnsutil add-meta fizz.buzz TSIG-ALLOW-AXFR externaldns
 when: '"externaldns" not in tsigaxfr.stdout'
diff --git a/ansible/run.bash b/ansible/run.bash
index 2fcf067..9191007 100755
--- a/ansible/run.bash
+++ b/ansible/run.bash
@@ -30,6 +30,10 @@ elif [ "$target" = "jail_homeserver_nat_dhcp" ]; then
 ansible-playbook -v -i environments/jail playbook.yaml --diff --limit homeserver_nat_dhcp "${@}"
 elif [ "$target" = "sftp" ]; then
 ansible-playbook -v -i environments/jail playbook.yaml --diff --limit sftp "${@}"
+elif [ "$target" = "certificate" ]; then
+ ansible-playbook -v -i environments/jail playbook.yaml --diff --limit certificate "${@}"
+elif [ "$target" = "bastion" ]; then
+ ansible-playbook -v -i environments/jail playbook.yaml --diff --limit bastion "${@}"
 elif [ "$target" = "vm_poudriereodo" ]; then
 ansible-playbook -v -i environments/vm playbook.yaml --diff --limit poudriereodo "${@}"
 elif [ "$target" = "vm_poudrieremrmanager" ]; then
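Review bot: `stuff IN CNAME home.fizz.buzz.` is added without a change to the zone's SOA serial, which sits outside this hunk; if this file is what PowerDNS loads, or what the AXFR consumers permitted elsewhere in the role replicate from, the serial has to be bumped for the new record to propagate. If the serial is generated automatically on load, a comment at the top of the file saying so would settle the question for future edits.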
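Review bot: `pdnsutil add-meta fizz.buzz ALLOW-DNSUPDATE-FROM 68.197.252.15/32` admits RFC 2136 updates for the whole zone from that address on the strength of source IP alone unless the zone also has `TSIG-ALLOW-DNSUPDATE` set; a /32 that is a NAT'd residential address means every device behind it could rewrite any record, not just `_acme-challenge`. Pair it with `pdnsutil add-meta fizz.buzz TSIG-ALLOW-DNSUPDATE <certbot-key-name>` (the TSIG key name used in the certificate jail's credentials file) and a matching `when:` guard so unsigned updates are refused. The task name `Allow IP addresses` does not say what the address is for; `Allow certbot RFC2136 updates from the home public IP` would, and since master.db publishes `home` as 68.197.252.22 while this rule trusts .15, a comment explaining which uplink .15 is would prevent the next reader from assuming a typo.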