From 4b2410ef8b4a26c83f1e322ffe9029ceb9811d06 Mon Sep 17 00:00:00 2001
From: Rafael Laszlo <rlacko99@gmail.com>
Date: Fri, 19 Nov 2021 16:50:37 +0100
Subject: [PATCH] Refactor router ansible config
---
 ansible/router/README.md | 7 --
 ansible/router/ansible.cfg | 6 ++
 ansible/router/bootstrap.sh | 26 +-------
 ansible/router/install.yaml | 32 ----------
 ansible/router/main/base.yaml | 11 ++++
 .../main/templates/etc/iptables/rules.v4.j2 | 48 ++++++++++++++
 .../main/templates/etc/iptables/rules.v6.j2 | 21 ++++++
 ansible/router/main/vars/base.yaml | 52 +++++++++++++++
 ansible/router/requirements.galaxy.yaml | 10 ++-
 ansible/router/tasks/firewall.yaml | 22 -------
 ansible/router/tasks/main.yaml | 38 -----------
 ansible/router/tasks/packages.yaml | 35 ----------
 ansible/router/tasks/users.yaml | 54 ----------------
 ansible/router/templates/etc/nftables.conf.j2 | 64 -------------------
 .../router/templates/etc/ssh/sshd_config.j2 | 36 -----------
 15 files changed, 150 insertions(+), 312 deletions(-)
 delete mode 100644 ansible/router/README.md
 create mode 100644 ansible/router/ansible.cfg
 delete mode 100644 ansible/router/install.yaml
 create mode 100644 ansible/router/main/base.yaml
 create mode 100644 ansible/router/main/templates/etc/iptables/rules.v4.j2
 create mode 100644 ansible/router/main/templates/etc/iptables/rules.v6.j2
 create mode 100644 ansible/router/main/vars/base.yaml
 delete mode 100644 ansible/router/tasks/firewall.yaml
 delete mode 100644 ansible/router/tasks/main.yaml
 delete mode 100644 ansible/router/tasks/packages.yaml
 delete mode 100644 ansible/router/tasks/users.yaml
 delete mode 100644 ansible/router/templates/etc/nftables.conf.j2
 delete mode 100644 ansible/router/templates/etc/ssh/sshd_config.j2
diff --git a/ansible/router/README.md b/ansible/router/README.md
deleted file mode 100644
index 9d85e59..0000000
--- a/ansible/router/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# MAIN VMs ansible
-
-First run:
-`ansible-playbook -i inventory.yaml install.yaml --user root`
-
-After first run:
-`ansible-playbook -i inventory.yaml install.yaml --become --user rlacko`
\ No newline at end of file
diff --git a/ansible/router/ansible.cfg b/ansible/router/ansible.cfg
new file mode 100644
index 0000000..cdeb744
--- /dev/null
+++ b/ansible/router/ansible.cfg
@@ -0,0 +1,6 @@
+[defaults]
+ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+inventory = inventory.yaml
+
+[ssh_connection]
+ssh_args = -o StrictHostKeyChecking=accept-new
diff --git a/ansible/router/bootstrap.sh b/ansible/router/bootstrap.sh
index a6212cd..67f34a5 100755
--- a/ansible/router/bootstrap.sh
+++ b/ansible/router/bootstrap.sh
@@ -1,34 +1,14 @@
 #!/usr/bin/env bash
-########################### Virtualenv setup ####################################
+# This script creates a Python env, enters it and installs
+# ansible and requirements from the requirements.galaxy.yaml
-# create virtualenv if not present
 [[ ! -d .venv ]] && python3 -m venv .venv
-
 source .venv/bin/activate
 pip3 install ansible ansible-lint
-########################### Ansible setup ####################################
-
-ansible-galaxy install --force -r requirements.galaxy.yaml
-
-########################### Help ####################################
-
-echo
-echo "########################################"
-echo
-echo "Your playbooks:"
-
-find . -maxdepth 1 -type f -name "*.yaml" | grep -v inventory
-
-echo
-echo "Recommendation: Set up your OpenSSH config based on inventory.yml"
-
-echo
-echo "You can run playbook with:"
-printf "\tansible-playbook your-playbook.yaml"
-echo
+ansible-galaxy install "$1" -r requirements.galaxy.yaml
 # to stay in our comfy virtualenv
 exec "${SHELL:bash}"
diff --git a/ansible/router/install.yaml b/ansible/router/install.yaml
deleted file mode 100644
index ff8a481..0000000
--- a/ansible/router/install.yaml
+++ /dev/null
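Review bot: `ssh_args = -o StrictHostKeyChecking=accept-new` makes every first connection trust-on-first-use, and on the box that is the network's edge router that means the first run silently accepts whatever host key answers. The option is fine as a convenience, but the router's host key should be tracked alongside the inventory (a pre-seeded known_hosts, or `UserKnownHostsFile` pointed at one kept in this repo) so that a rebuilt or spoofed host is noticed rather than accepted. At minimum a comment above the line, `# TOFU: seed known_hosts from the router's /etc/ssh/ssh_host_*_key.pub before the first run`, records the assumption.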
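Review bot: `ansible-galaxy install "$1" -r requirements.galaxy.yaml` passes an empty string as a positional argument whenever the script is run with no argument, which ansible-galaxy is likely to reject or misparse as a role name instead of just reading the requirements file; the replaced line hard-coded `--force`, and neither the script nor its new header comment says what `$1` is for. Expand it only when set, `ansible-galaxy install ${1:+"$1"} -r requirements.galaxy.yaml`, and name the intended value in the header, e.g. `# usage: ./bootstrap.sh [--force]`. Separately, the unchanged last line `exec "${SHELL:bash}"` is a substring expansion rather than a default: with SHELL unset it execs an empty string, so `"${SHELL:-bash}"` is what was meant.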
@@ -1,32 +0,0 @@ ---- - -- hosts: all - roles: - - name: yatesr.timezone - vars: - timezone: Europe/Budapest - tasks: - - name: Setup Router Container - import_tasks: tasks/main.yaml - - vars: - users: - - name: rlacko - sudo: yes - passwordless_sudo: yes - keys_url: https://git.sch.bme.hu/rlacko.keys - ssh: - port: 10022 - permitRootLogin: 'no' - pubkeyAuthentication: 'yes' - passwordAuthentication: 'no' - allow: - users: 'rlacko' - nftables: - snat_to: 152.66.211.122 - snat_from: 192.168.96.0/22 - dnat: - - dport: 80 - to: 192.168.96.101:80 - - dport: 443 - to: 192.168.96.101:443 diff --git a/ansible/router/main/base.yaml b/ansible/router/main/base.yaml new file mode 100644 index 0000000..e9d5502 --- /dev/null +++ b/ansible/router/main/base.yaml @@ -0,0 +1,11 @@ +--- + +- hosts: all + roles: + - role: kszk.base + tags: ["base"] + - role: kszk.iptables + tags: ["iptables"] + vars_files: + - "vars/base.yaml" + tasks: [] diff --git a/ansible/router/main/templates/etc/iptables/rules.v4.j2 b/ansible/router/main/templates/etc/iptables/rules.v4.j2 new file mode 100644 index 0000000..a90f6e1 --- /dev/null +++ b/ansible/router/main/templates/etc/iptables/rules.v4.j2 
@@ -0,0 +1,48 @@
+#
+# !!!
+# {{ ansible_managed }}
+# !!!
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+-A POSTROUTING -o wan0 -j MASQUERADE
+
+COMMIT
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+## INPUT
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lan0 -j ACCEPT
+
+-A INPUT -p tcp -m tcp --dport {{ base_ssh.port }} --src 152.66.0.0/8,10.0.0.0/8 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+
+
+-A INPUT -j DROP
+
+## FORWARD
+
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -p icmp -j ACCEPT
+-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
+-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
+-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
+
+# Accept everything from inside
+-A FORWARD -i lan0 -j ACCEPT
+
+-A FORWARD -j DROP
+
+COMMIT
diff --git a/ansible/router/main/templates/etc/iptables/rules.v6.j2 b/ansible/router/main/templates/etc/iptables/rules.v6.j2
new file mode 100644
index 0000000..c099c76
--- /dev/null
+++ b/ansible/router/main/templates/etc/iptables/rules.v6.j2
@@ -0,0 +1,21 @@
+#
+# !!!
+# {{ ansible_managed }}
+# !!!
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+## Input
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+
+-A INPUT -p tcp -m tcp --dport {{ base_ssh.port }} --src 2001:738:2001::/48 -j ACCEPT
+
+-A INPUT -j DROP
+
+COMMIT
diff --git a/ansible/router/main/vars/base.yaml b/ansible/router/main/vars/base.yaml
new file mode 100644
index 0000000..751c142
--- /dev/null
+++ b/ansible/router/main/vars/base.yaml
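Review bot: The SSH allow rule `--src 152.66.0.0/8,10.0.0.0/8` does not mean what the address suggests: a /8 mask on 152.66.0.0 is 152.0.0.0/8 and iptables-restore loads it as such, so port `{{ base_ssh.port }}` is opened to the entire 152.0.0.0/8 rather than to the 152.66.0.0/16 that the removed `snat_to: 152.66.211.122` and the IPv6 file's single `/48` suggest is the intended range; if so the line should read `--src 152.66.0.0/16,10.0.0.0/8`. Both chains also keep `ACCEPT` as their default policy and rely on a trailing `-j DROP`, so a ruleset that fails to load part-way or is flushed leaves the router open; `:INPUT DROP [0:0]` and `:FORWARD DROP [0:0]` fail closed and make the trailing DROP rules redundant. The three `-A FORWARD ... --dport 80/443/53 -j ACCEPT` rules carry no `-i wan0`/`-d` qualifier and the nat table has no DNAT, so any WAN-originated TCP on those ports is forwarded to any LAN address, where the deleted nftables config only passed DNAT'd traffic to 192.168.96.101; either add the DNAT and restrict these rules to its destination, or drop them and let `-i lan0` plus conntrack carry the outbound case. The old ruleset's `ct state invalid drop` has no counterpart here; `-A INPUT -m conntrack --ctstate INVALID -j DROP` (and the same on FORWARD) is worth restoring.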
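Review bot: The IPv6 ruleset has no FORWARD rules at all and leaves `:FORWARD ACCEPT [0:0]` as policy, so once IPv6 forwarding is enabled (vars/base.yaml sets `iptables_enable_ip_forward: true`; whether the role also sets `net.ipv6.conf.all.forwarding` is not visible here) the router forwards any IPv6 traffic in either direction with no state, interface or port check. Mirror the v4 file with at least `-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, `-A FORWARD -i lan0 -j ACCEPT` and `-A FORWARD -j DROP` (or a DROP policy), plus the same `INVALID` drop. The v4 file accepts INPUT from `lan0` while this one does not, so LAN hosts can reach the router over IPv6 only via the 2001:738:2001::/48 SSH rule; if that asymmetry is deliberate, a comment saying so would help the next reader.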
@@ -0,0 +1,52 @@ +# KSZK Base role +base_motd_playbook_url: https://git.sch.bme.hu/kszk/sysadmin/kubernetes/cluster-setup +base_hostname: k8s-mgmt +base_motd_text: "k8s mgmt" + +base_users: + - name: rlacko + sudo: yes + passwordless_sudo: yes + ssh_key: https://git.sch.bme.hu/rlacko.keys + - name: k8s-01 + sudo: yes + passwordless_sudo: yes + +base_ssh: + port: 22 + permitRootLogin: "no" + pubkeyAuthentication: "yes" + passwordAuthentication: "no" + allow: + users: "rlacko" + +base_netplan: + network: + version: 2 + renderer: networkd + ethernets: + wan: + optional: false + match: + macaddress: 7a:d5:a2:fc:e8:b4 + set-name: wan0 + dhcp4: true + + lan: + optional: false + match: + macaddress: 7a:9c:f7:a8:5d:1c + set-name: lan0 + addresses: + - 192.168.99.254/22 + +# IPTables base role + +## Use own iptables files +iptables_enable_ip_forward: true +iptables_rules_v4_file: etc/iptables/rules.v4.j2 +iptables_rules_v6_file: etc/iptables/rules.v6.j2 + +# Playbook vars + +# nope diff --git a/ansible/router/requirements.galaxy.yaml b/ansible/router/requirements.galaxy.yaml index 67cbeea..facdff4 100644 --- a/ansible/router/requirements.galaxy.yaml +++ b/ansible/router/requirements.galaxy.yaml @@ -2,7 +2,15 @@ collections: - community.general + - community.crypto - ansible.posix roles: - - src: yatesr.timezone \ No newline at end of file + - src: git@git.sch.bme.hu:kszk/ansible/roles/base.git + scm: git + version: master + name: kszk.base + - src: git@git.sch.bme.hu:kszk/ansible/roles/iptables.git + scm: git + version: master + name: kszk.iptables diff --git a/ansible/router/tasks/firewall.yaml b/ansible/router/tasks/firewall.yaml deleted file mode 100644 index 3bcb73d..0000000 --- a/ansible/router/tasks/firewall.yaml +++ /dev/null 
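Review bot: `k8s-01` gets `passwordless_sudo: yes` with no `ssh_key` and is not in `base_ssh.allow.users`, so as written it is a NOPASSWD-root account with no declared way to log in and no comment saying what is expected to use it; if it is a service account provisioned elsewhere, say so in a comment, otherwise hold the sudo grant until a key is attached. The `rlacko` keys are fetched from `https://git.sch.bme.hu/rlacko.keys` at run time, so root on the router presumably follows whatever keys that forge account holds — worth a one-line note, `# authorized_keys are pulled from the forge on every run; any key added there gets passwordless sudo here`. `base_hostname: k8s-mgmt`, `base_motd_text: "k8s mgmt"` and the cluster-setup `base_motd_playbook_url` read as copied from another host's vars rather than describing this router; please confirm they are intended.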
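Review bot: Both git-sourced roles use `version: master`, so every `bootstrap.sh` run pulls whatever is currently on that branch of a role that writes sudoers, sshd_config and the firewall on the router, and a push to either repo changes the router's security posture with nothing in this repo recording it. Pin each to a tag or commit SHA, `version: <tag-or-40-char-sha>`, and bump deliberately; the `git@` SCM URLs already require an SSH identity, so the pin is the only thing missing for a reproducible install.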
@@ -1,22 +0,0 @@ ---- - -- name: Enable IP Forwarding - ansible.posix.sysctl: - name: net.ipv4.ip_forward - value: '1' - state: present - -- name: Ensure nftables runs and enabled - service: - name: nftables - state: started - enabled: yes - -- name: Place nftables configuration file. - template: - src: etc/nftables.conf.j2 - dest: /etc/nftables.conf - mode: 0755 - -- name: Load config - command: nft -f /etc/nftables.conf diff --git a/ansible/router/tasks/main.yaml b/ansible/router/tasks/main.yaml deleted file mode 100644 index c0cc55c..0000000 --- a/ansible/router/tasks/main.yaml +++ /dev/null @@ -1,38 +0,0 @@ ---- - -- name: Setup Admin users - include_tasks: users.yaml - loop: "{{ users }}" - loop_control: - loop_var: user - -- name: Update and upgrade apt packages - become: true - apt: - upgrade: "yes" - update_cache: yes - cache_valid_time: 86400 # One day - -- name: Install packages - include_tasks: packages.yaml - -- name: Place sshd configuration file. - template: - src: etc/ssh/sshd_config.j2 - dest: /etc/ssh/sshd_config - mode: 0600 - -# disable the ssh.socket, otherwise it will collide with ssh.service -- name: Ensure ssh socket is disabled - service: - name: ssh.socket - enabled: no - -- name: Ensure ssh is restarted and enabled to start at boot. - service: - name: ssh - state: restarted - enabled: yes - -- name: Setup firewall - include_tasks: firewall.yaml diff --git a/ansible/router/tasks/packages.yaml b/ansible/router/tasks/packages.yaml deleted file mode 100644 index 7477db3..0000000 --- a/ansible/router/tasks/packages.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- -- name: Install basic packages - package: - state: present - name: - # Debug tools - - sudo - - tmux - - htop - - dnsutils - - net-tools - - psmisc - - strace - - tcpdump - - xxd - - # Editors - - nano - - vim - - # Admin helpers - - rsync - - tree - - molly-guard - - # Dependencies for scripting - - python3 - - unzip - - curl - - wget - - jq - - git - - # Firewall - - nftables 
diff --git a/ansible/router/tasks/users.yaml b/ansible/router/tasks/users.yaml deleted file mode 100644 index 23de97a..0000000 --- a/ansible/router/tasks/users.yaml +++ /dev/null @@ -1,54 +0,0 @@ ---- - -- debug: - msg: "{{ user }}" - -- name: "Create group for user" - group: - name: "{{ user.name }}" - -- name: "Create user" - user: - name: "{{ user.name }}" - comment: "{{ user.comment | default('') }}" - group: "{{ user.name }}" - shell: "/bin/{{ user.shell | default('bash') }}" - -- name: "SUDO" - user: - name: "{{ user.name }}" - append: true - groups: - - sudo - when: user.sudo - -- set_fact: - sudoer_file: "/etc/sudoers.d/{{ user.name }}" - -- name: sudoers file for the user - file: - path: "{{ sudoer_file }}" - state: touch - mode: "0600" - owner: root - group: root - modification_time: preserve - access_time: preserve - -- name: Insert sudoer file content - copy: - dest: "{{ sudoer_file }}" - content: "{{ user.name }} ALL=(ALL) NOPASSWD:ALL" - when: user.passwordless_sudo - -- name: "Set password to be expired" - command: passwd --delete '{{ user.name }}' - when: not user.passwordless_sudo - -- name: Set authorized keys - ansible.posix.authorized_key: - user: "{{ user.name }}" - state: present - key: "{{ user.keys_url }}" - manage_dir: yes - exclusive: yes diff --git a/ansible/router/templates/etc/nftables.conf.j2 b/ansible/router/templates/etc/nftables.conf.j2 deleted file mode 100644 index dff6892..0000000 --- a/ansible/router/templates/etc/nftables.conf.j2 +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/usr/bin/nft -f - -# !!! -# {{ ansible_managed }} -# !!! - -flush ruleset - -define wan = eth0 -define lan = eth1 - -table inet filter { - chain input { - type filter hook input priority 0; policy drop; - - ct state {established, related} accept - ct state invalid drop - - iif lo accept - - iif $lan accept - - ip protocol icmp accept - - tcp dport 10022 accept comment "SSH in" - } - - chain forward { - type filter hook forward priority 0; - - oif $wan accept - - ct status dnat accept - iif $wan ct state related, established accept - - # Drop everything else - iif $wan drop - } - - # Allow all packets sent by the firewall - chain output { - type filter hook output priority 100; policy accept; - } -} - -table ip nat { - chain prerouting { - type nat hook prerouting priority -100; - - # Port forwarding -{% if nftables.dnat is defined %} -{% for dnat in nftables.dnat %} - iif $wan tcp dport {{ dnat.dport }} dnat {{ dnat.to }} -{% endfor %} -{% endif %} - } - - chain postrouting { - type nat hook postrouting priority 100; - - # SNAT outgoing traffic - ip saddr {{ nftables.snat_from }} oif $wan snat to {{ nftables.snat_to }} - } -} diff --git a/ansible/router/templates/etc/ssh/sshd_config.j2 b/ansible/router/templates/etc/ssh/sshd_config.j2 deleted file mode 100644 index a85b408..0000000 --- a/ansible/router/templates/etc/ssh/sshd_config.j2 +++ /dev/null 
@@ -1,36 +0,0 @@ -# !!! -# {{ ansible_managed }} -# !!! - -Protocol 2 -Port {{ ssh.port }} - -HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_ed25519_key - -KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com - -PermitRootLogin {{ ssh.permitRootLogin }} -PubkeyAuthentication {{ ssh.pubkeyAuthentication }} -PasswordAuthentication {{ ssh.passwordAuthentication }} - -ChallengeResponseAuthentication no -KerberosAuthentication no -GSSAPIAuthentication no -UsePAM yes -AllowAgentForwarding yes -X11Forwarding yes -PrintMotd no - -AcceptEnv LANG LC_* - -Subsystem sftp /usr/lib/openssh/sftp-server - -{% if ssh.allow.users is defined %} -AllowUsers {{ ssh.allow.users }} -{% endif %} -{% if ssh.allow.groups is defined %} -AllowGroups {{ ssh.allow.groups }} -{% endif %} -- GitLab