From 4b2410ef8b4a26c83f1e322ffe9029ceb9811d06 Mon Sep 17 00:00:00 2001
From: Rafael Laszlo <rlacko99@gmail.com>
Date: Fri, 19 Nov 2021 16:50:37 +0100
Subject: [PATCH] Refactor router ansible config

---
 ansible/router/README.md                      |  7 --
 ansible/router/ansible.cfg                    |  6 ++
 ansible/router/bootstrap.sh                   | 26 +-------
 ansible/router/install.yaml                   | 32 ----------
 ansible/router/main/base.yaml                 | 11 ++++
 .../main/templates/etc/iptables/rules.v4.j2   | 48 ++++++++++++++
 .../main/templates/etc/iptables/rules.v6.j2   | 21 ++++++
 ansible/router/main/vars/base.yaml            | 52 +++++++++++++++
 ansible/router/requirements.galaxy.yaml       | 10 ++-
 ansible/router/tasks/firewall.yaml            | 22 -------
 ansible/router/tasks/main.yaml                | 38 -----------
 ansible/router/tasks/packages.yaml            | 35 ----------
 ansible/router/tasks/users.yaml               | 54 ----------------
 ansible/router/templates/etc/nftables.conf.j2 | 64 -------------------
 .../router/templates/etc/ssh/sshd_config.j2   | 36 -----------
 15 files changed, 150 insertions(+), 312 deletions(-)
 delete mode 100644 ansible/router/README.md
 create mode 100644 ansible/router/ansible.cfg
 delete mode 100644 ansible/router/install.yaml
 create mode 100644 ansible/router/main/base.yaml
 create mode 100644 ansible/router/main/templates/etc/iptables/rules.v4.j2
 create mode 100644 ansible/router/main/templates/etc/iptables/rules.v6.j2
 create mode 100644 ansible/router/main/vars/base.yaml
 delete mode 100644 ansible/router/tasks/firewall.yaml
 delete mode 100644 ansible/router/tasks/main.yaml
 delete mode 100644 ansible/router/tasks/packages.yaml
 delete mode 100644 ansible/router/tasks/users.yaml
 delete mode 100644 ansible/router/templates/etc/nftables.conf.j2
 delete mode 100644 ansible/router/templates/etc/ssh/sshd_config.j2

diff --git a/ansible/router/README.md b/ansible/router/README.md
deleted file mode 100644
index 9d85e59..0000000
--- a/ansible/router/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# MAIN VMs ansible
-
-First run:  
-`ansible-playbook -i inventory.yaml install.yaml --user root`
-
-After first run:  
-`ansible-playbook -i inventory.yaml install.yaml --become --user rlacko`
\ No newline at end of file
diff --git a/ansible/router/ansible.cfg b/ansible/router/ansible.cfg
new file mode 100644
index 0000000..cdeb744
--- /dev/null
+++ b/ansible/router/ansible.cfg
@@ -0,0 +1,6 @@
+[defaults]
+ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
+inventory = inventory.yaml
+
+[ssh_connection]
+ssh_args = -o StrictHostKeyChecking=accept-new
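Review bot: `ssh_args = -o StrictHostKeyChecking=accept-new` at L62 replaces Ansible's default ssh_args rather than extending them, so the default `-C -o ControlMaster=auto -o ControlPersist=60s` connection multiplexing is lost and every task opens a fresh SSH session; write `ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=accept-new` to keep it. `accept-new` is trust-on-first-use: the router's host key is recorded unverified on the first run and only later changes are rejected, so for a host with a fixed address pre-seeding `~/.ssh/known_hosts` out of band is the safer choice, and the option needs OpenSSH 7.6 or newer on the control node.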
diff --git a/ansible/router/bootstrap.sh b/ansible/router/bootstrap.sh
index a6212cd..67f34a5 100755
--- a/ansible/router/bootstrap.sh
+++ b/ansible/router/bootstrap.sh
@@ -1,34 +1,14 @@
 #!/usr/bin/env bash
 
-########################### Virtualenv setup ####################################
+# This script creates a Python env, enters it and installs
+# ansible and requirements from the requirements.galaxy.yaml
 
-# create virtualenv if not present
 [[ ! -d .venv ]] && python3 -m venv .venv
-
 source .venv/bin/activate
 
 pip3 install ansible ansible-lint
 
-########################### Ansible setup ####################################
-
-ansible-galaxy install --force -r requirements.galaxy.yaml
-
-########################### Help ####################################
-
-echo
-echo "########################################"
-echo
-echo "Your playbooks:"
-
-find . -maxdepth 1 -type f -name "*.yaml" | grep -v inventory
-
-echo
-echo "Recommendation: Set up your OpenSSH config based on inventory.yml"
-
-echo
-echo "You can run playbook with:"
-printf "\tansible-playbook your-playbook.yaml"
-echo
+ansible-galaxy install "$1" -r requirements.galaxy.yaml
 
 # to stay in our comfy virtualenv
 exec "${SHELL:bash}"
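Review bot: `ansible-galaxy install "$1" -r requirements.galaxy.yaml` at L101 hands ansible-galaxy an empty-string positional argument whenever the script is invoked without one, which is now the normal case since `--force` is no longer hardcoded; use `ansible-galaxy install ${1:+"$1"} -r requirements.galaxy.yaml` (or `"$@"`) so the argument is omitted when absent. The unchanged `exec "${SHELL:bash}"` at L104 is a substring expansion, not a default — with SHELL unset it execs an empty string; the intended form is `exec "${SHELL:-bash}"`. `pip3 install ansible ansible-lint` at L79 is also unpinned, so two bootstraps on different days can produce different Ansible versions; a `requirements.txt` or an explicit `ansible==<version>` pin would make the venv reproducible.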
diff --git a/ansible/router/install.yaml b/ansible/router/install.yaml
deleted file mode 100644
index ff8a481..0000000
--- a/ansible/router/install.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
----
-  
-- hosts: all
-  roles:
-    - name: yatesr.timezone
-      vars:
-        timezone: Europe/Budapest
-  tasks:
-    - name: Setup Router Container
-      import_tasks: tasks/main.yaml
-  
-  vars:
-    users: 
-      - name: rlacko
-        sudo: yes
-        passwordless_sudo: yes
-        keys_url: https://git.sch.bme.hu/rlacko.keys
-    ssh:
-      port: 10022
-      permitRootLogin: 'no'
-      pubkeyAuthentication: 'yes'
-      passwordAuthentication: 'no'
-      allow:
-        users: 'rlacko'
-    nftables:
-      snat_to: 152.66.211.122
-      snat_from: 192.168.96.0/22
-      dnat:
-        - dport: 80
-          to: 192.168.96.101:80
-        - dport: 443
-          to: 192.168.96.101:443
diff --git a/ansible/router/main/base.yaml b/ansible/router/main/base.yaml
new file mode 100644
index 0000000..e9d5502
--- /dev/null
+++ b/ansible/router/main/base.yaml
@@ -0,0 +1,11 @@
+---
+  
+- hosts: all
+  roles:
+    - role: kszk.base
+      tags: ["base"]
+    - role: kszk.iptables
+      tags: ["iptables"]
+  vars_files:
+    - "vars/base.yaml"
+  tasks: []
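Review bot: The play declares no `become:`, and the README that told operators to run with `--user root` first and `--become --user rlacko` afterwards is deleted in this same commit, so the privilege the base and iptables roles need now has to be remembered by whoever runs it. Either add `become: true` under the play or carry the run instructions into a comment at the top of the file; I cannot see the roles, so whether they escalate internally is unverified. The empty `tasks: []` at L159 can be dropped, and L150 after `---` is two trailing spaces that yamllint will flag.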
diff --git a/ansible/router/main/templates/etc/iptables/rules.v4.j2 b/ansible/router/main/templates/etc/iptables/rules.v4.j2
new file mode 100644
index 0000000..a90f6e1
--- /dev/null
+++ b/ansible/router/main/templates/etc/iptables/rules.v4.j2
@@ -0,0 +1,48 @@
+#
+# !!!
+# {{ ansible_managed }}
+# !!!
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+-A POSTROUTING -o wan0 -j MASQUERADE
+
+COMMIT
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+## INPUT
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lan0 -j ACCEPT
+
+-A INPUT -p tcp -m tcp --dport {{ base_ssh.port }} --src 152.66.0.0/8,10.0.0.0/8 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+
+
+-A INPUT -j DROP
+
+## FORWARD
+
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -p icmp -j ACCEPT
+-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
+-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
+-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
+
+# Accept everything from inside
+-A FORWARD -i lan0 -j ACCEPT
+
+-A FORWARD -j DROP
+
+COMMIT
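Review bot: The FORWARD rules at L204–L206 accept tcp/80, 443 and 53 regardless of ingress interface, so wan0-originated connections to any LAN host on those ports are forwarded, and L194–L195 open 80/443 on the router itself on all interfaces; the deleted nftables.conf.j2 only let WAN traffic through for DNAT'd connections and carried port-forward rules for which this template has no counterpart, so either the forwards were dropped on purpose or this refactor changed the exposure. If services still live behind the router, add the DNAT rules to the `*nat` PREROUTING chain and replace the three port rules with `-A FORWARD -i wan0 -o lan0 -m conntrack --ctstate DNAT -j ACCEPT`. `--src 152.66.0.0/8` at L193 is a /8 and therefore matches all of 152.0.0.0/8 (iptables normalises the host bits away); if the 152.66.0.0 network is meant, the mask should be `/16`. Also consider `:INPUT DROP [0:0]` and `:FORWARD DROP [0:0]` so that a flush leaves the chains closed rather than open, instead of relying solely on the trailing `-j DROP` rules.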
diff --git a/ansible/router/main/templates/etc/iptables/rules.v6.j2 b/ansible/router/main/templates/etc/iptables/rules.v6.j2
new file mode 100644
index 0000000..c099c76
--- /dev/null
+++ b/ansible/router/main/templates/etc/iptables/rules.v6.j2
@@ -0,0 +1,21 @@
+#
+# !!!
+# {{ ansible_managed }}
+# !!!
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+## Input
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+
+-A INPUT -p tcp -m tcp --dport {{ base_ssh.port }} --src 2001:738:2001::/48 -j ACCEPT
+
+-A INPUT -j DROP
+
+COMMIT
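Review bot: The IPv6 filter defines no FORWARD rules at all, and with `:FORWARD ACCEPT [0:0]` at L227 every IPv6 packet the kernel routes between wan0 and lan0 passes unfiltered, whereas the v4 template ends its FORWARD chain in `-j DROP`. Whether IPv6 forwarding is actually switched on depends on what `iptables_enable_ip_forward` does inside the kszk.iptables role, which I cannot see, but the rule set should not depend on that. Mirror the v4 shape with conntrack, ICMPv6 and lan0 accepts followed by a drop, as below, and consider `:INPUT DROP` / `:FORWARD DROP` policies so a flush fails closed.
```jinja
# … unchanged: header and INPUT chain …

## FORWARD

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i lan0 -j ACCEPT
-A FORWARD -j DROP

COMMIT
```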
diff --git a/ansible/router/main/vars/base.yaml b/ansible/router/main/vars/base.yaml
new file mode 100644
index 0000000..751c142
--- /dev/null
+++ b/ansible/router/main/vars/base.yaml
@@ -0,0 +1,52 @@
+# KSZK Base role
+base_motd_playbook_url: https://git.sch.bme.hu/kszk/sysadmin/kubernetes/cluster-setup
+base_hostname: k8s-mgmt
+base_motd_text: "k8s mgmt"
+
+base_users:
+  - name: rlacko
+    sudo: yes
+    passwordless_sudo: yes
+    ssh_key: https://git.sch.bme.hu/rlacko.keys
+  - name: k8s-01
+    sudo: yes
+    passwordless_sudo: yes
+
+base_ssh:
+  port: 22
+  permitRootLogin: "no"
+  pubkeyAuthentication: "yes"
+  passwordAuthentication: "no"
+  allow:
+    users: "rlacko"
+
+base_netplan:
+  network:
+    version: 2
+    renderer: networkd
+    ethernets:
+      wan:
+        optional: false
+        match:
+          macaddress: 7a:d5:a2:fc:e8:b4
+        set-name: wan0
+        dhcp4: true
+
+      lan:
+        optional: false
+        match:
+          macaddress: 7a:9c:f7:a8:5d:1c
+        set-name: lan0
+        addresses:
+          - 192.168.99.254/22
+
+# IPTables base role
+
+## Use own iptables files
+iptables_enable_ip_forward: true
+iptables_rules_v4_file: etc/iptables/rules.v4.j2
+iptables_rules_v6_file: etc/iptables/rules.v6.j2
+
+# Playbook vars
+
+# nope
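Review bot: `sudo: yes` / `passwordless_sudo: yes` at L254, L255, L258 and L259 rely on YAML 1.1 truthy parsing; write `true` so yamllint and a 1.2 parser agree with what Ansible sees. The two `macaddress:` values at L277 and L284 happen to contain hex letters and so parse as strings, but an all-digit MAC would silently become a sexagesimal integer, so quote them (`macaddress: "7a:d5:a2:fc:e8:b4"`). The `k8s-01` user receives passwordless sudo without an `ssh_key`, and with `passwordAuthentication: "no"` it has no remote login path from this file alone — presumably another system provisions its access, but a comment beside the entry should say so. `base_hostname: k8s-mgmt` and the cluster-setup `base_motd_playbook_url` under a directory named `router` read as copied from another host's vars; confirm they are intended.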
diff --git a/ansible/router/requirements.galaxy.yaml b/ansible/router/requirements.galaxy.yaml
index 67cbeea..facdff4 100644
--- a/ansible/router/requirements.galaxy.yaml
+++ b/ansible/router/requirements.galaxy.yaml
@@ -2,7 +2,15 @@
 
 collections:
   - community.general
+  - community.crypto
   - ansible.posix
 
 roles:
-  - src: yatesr.timezone
\ No newline at end of file
+  - src: git@git.sch.bme.hu:kszk/ansible/roles/base.git
+    scm: git
+    version: master
+    name: kszk.base
+  - src: git@git.sch.bme.hu:kszk/ansible/roles/iptables.git
+    scm: git
+    version: master
+    name: kszk.iptables
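Review bot: Both git-sourced roles at L313–L320 are pinned to `version: master`, so every `ansible-galaxy install` pulls whatever the branch head is at that moment and the router's user, SSH and firewall configuration comes from a moving, unreproducible source; pin each to a tag or full commit SHA (`version: <tag-or-sha>`) and bump deliberately. The collections at L306–L308 carry no version either and deserve the same treatment. The `git@git.sch.bme.hu:` SCP-style URLs with `scm: git` also mean bootstrap only works where an SSH key for that host is loaded, which is worth a comment here or in bootstrap.sh now that the README is gone.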
diff --git a/ansible/router/tasks/firewall.yaml b/ansible/router/tasks/firewall.yaml
deleted file mode 100644
index 3bcb73d..0000000
--- a/ansible/router/tasks/firewall.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-
-- name: Enable IP Forwarding
-  ansible.posix.sysctl:
-    name: net.ipv4.ip_forward
-    value: '1'
-    state: present
-
-- name: Ensure nftables runs and enabled
-  service:
-    name: nftables
-    state: started
-    enabled: yes
-
-- name: Place nftables configuration file.
-  template:
-    src: etc/nftables.conf.j2
-    dest: /etc/nftables.conf
-    mode: 0755
-
-- name: Load config
-  command: nft -f /etc/nftables.conf
diff --git a/ansible/router/tasks/main.yaml b/ansible/router/tasks/main.yaml
deleted file mode 100644
index c0cc55c..0000000
--- a/ansible/router/tasks/main.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-
-- name: Setup Admin users
-  include_tasks: users.yaml
-  loop: "{{ users }}"
-  loop_control:
-    loop_var: user
-
-- name: Update and upgrade apt packages
-  become: true
-  apt:
-    upgrade: "yes"
-    update_cache: yes
-    cache_valid_time: 86400 # One day
-
-- name: Install packages
-  include_tasks: packages.yaml
-
-- name: Place sshd configuration file.
-  template:
-    src: etc/ssh/sshd_config.j2
-    dest: /etc/ssh/sshd_config
-    mode: 0600
- 
-# disable the ssh.socket, otherwise it will collide with ssh.service
-- name: Ensure ssh socket is disabled
-  service:
-    name: ssh.socket
-    enabled: no
-
-- name: Ensure ssh is restarted and enabled to start at boot.
-  service:
-    name: ssh
-    state: restarted
-    enabled: yes
-
-- name: Setup firewall
-  include_tasks: firewall.yaml
diff --git a/ansible/router/tasks/packages.yaml b/ansible/router/tasks/packages.yaml
deleted file mode 100644
index 7477db3..0000000
--- a/ansible/router/tasks/packages.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-- name: Install basic packages
-  package:
-    state: present
-    name:
-      # Debug tools
-      - sudo
-      - tmux
-      - htop
-      - dnsutils
-      - net-tools
-      - psmisc
-      - strace
-      - tcpdump
-      - xxd
-
-      # Editors
-      - nano
-      - vim
-
-      # Admin helpers
-      - rsync
-      - tree
-      - molly-guard
-
-      # Dependencies for scripting
-      - python3
-      - unzip
-      - curl
-      - wget
-      - jq
-      - git
-
-      # Firewall
-      - nftables
diff --git a/ansible/router/tasks/users.yaml b/ansible/router/tasks/users.yaml
deleted file mode 100644
index 23de97a..0000000
--- a/ansible/router/tasks/users.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
----
-
-- debug:
-    msg: "{{ user }}"
-
-- name: "Create group for user"
-  group:
-    name: "{{ user.name }}"
-
-- name: "Create user"
-  user:
-    name: "{{ user.name }}"
-    comment: "{{ user.comment | default('') }}"
-    group: "{{ user.name }}"
-    shell: "/bin/{{ user.shell | default('bash') }}"
-
-- name: "SUDO"
-  user:
-    name: "{{ user.name }}"
-    append: true
-    groups:
-      - sudo
-  when: user.sudo
-
-- set_fact:
-    sudoer_file: "/etc/sudoers.d/{{ user.name }}"
-
-- name: sudoers file for the user
-  file:
-    path: "{{ sudoer_file }}"
-    state: touch
-    mode: "0600"
-    owner: root
-    group: root
-    modification_time: preserve
-    access_time: preserve
-
-- name: Insert sudoer file content
-  copy:
-    dest: "{{ sudoer_file }}"
-    content: "{{ user.name }} ALL=(ALL) NOPASSWD:ALL"
-  when: user.passwordless_sudo
-
-- name: "Set password to be expired"
-  command: passwd --delete '{{ user.name }}'
-  when: not user.passwordless_sudo
-
-- name: Set authorized keys
-  ansible.posix.authorized_key:
-    user: "{{ user.name }}"
-    state: present
-    key: "{{ user.keys_url }}"
-    manage_dir: yes
-    exclusive: yes
diff --git a/ansible/router/templates/etc/nftables.conf.j2 b/ansible/router/templates/etc/nftables.conf.j2
deleted file mode 100644
index dff6892..0000000
--- a/ansible/router/templates/etc/nftables.conf.j2
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/usr/bin/nft -f
-
-# !!!
-# {{ ansible_managed }}
-# !!!
-
-flush ruleset
-
-define wan = eth0
-define lan = eth1
-
-table inet filter {
-  chain input {
-    type filter hook input priority 0; policy drop;
-
-    ct state {established, related} accept
-    ct state invalid drop
-
-    iif lo accept
-
-    iif $lan accept
-
-    ip protocol icmp accept
-
-    tcp dport 10022 accept comment "SSH in"
-  }
-
-  chain forward {
-    type filter hook forward priority 0;
-
-    oif $wan accept
-
-    ct status dnat accept
-    iif $wan ct state related, established accept
-
-    # Drop everything else
-    iif $wan drop
-  }
-
-  # Allow all packets sent by the firewall
-  chain output {
-    type filter hook output priority 100; policy accept;
-  }
-}
-
-table ip nat {
-  chain prerouting {
-    type nat hook prerouting priority -100;
-
-    # Port forwarding
-{% if nftables.dnat is defined %}
-{% for dnat in nftables.dnat %}
-    iif $wan tcp dport {{ dnat.dport }} dnat {{ dnat.to }}
-{% endfor %}
-{% endif %}
-  }
-
-  chain postrouting {
-    type nat hook postrouting priority 100;
-
-    # SNAT outgoing traffic
-    ip saddr {{ nftables.snat_from }} oif $wan snat to {{ nftables.snat_to }}
-  }
-}
diff --git a/ansible/router/templates/etc/ssh/sshd_config.j2 b/ansible/router/templates/etc/ssh/sshd_config.j2
deleted file mode 100644
index a85b408..0000000
--- a/ansible/router/templates/etc/ssh/sshd_config.j2
+++ /dev/null
@@ -1,36 +0,0 @@
-# !!!
-# {{ ansible_managed }}
-# !!!
-
-Protocol 2
-Port {{ ssh.port }}
-
-HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
-
-PermitRootLogin {{ ssh.permitRootLogin }}
-PubkeyAuthentication {{ ssh.pubkeyAuthentication }}
-PasswordAuthentication {{ ssh.passwordAuthentication }}
-
-ChallengeResponseAuthentication no
-KerberosAuthentication no
-GSSAPIAuthentication no
-UsePAM yes
-AllowAgentForwarding yes
-X11Forwarding yes
-PrintMotd no
-
-AcceptEnv LANG LC_*
-
-Subsystem	sftp	/usr/lib/openssh/sftp-server
-
-{% if ssh.allow.users is defined %}
-AllowUsers {{ ssh.allow.users }}
-{% endif %}
-{% if ssh.allow.groups is defined %}
-AllowGroups {{ ssh.allow.groups }}
-{% endif %}
-- 
GitLab