initial commit

2024-10-16 21:13:17 +02:00 · 2024-10-16 21:13:17 +02:00 · 6f50de798b
commit 6f50de798b
24 changed files with 1082 additions and 0 deletions
--- a/roles/baseline/handlers/main.yml
+++ b/roles/baseline/handlers/main.yml
@ -0,0 +1,8 @@
+- name: Restart firewall
+  ansible.builtin.command: /etc/network/if-pre-up.d/firewall
+  changed_when: true
+
+- name: Restart sshd
+  ansible.builtin.systemd:
+    name: ssh
+    state: restarted
--- a/roles/baseline/tasks/firewall.yml
+++ b/roles/baseline/tasks/firewall.yml
@ -0,0 +1,16 @@
+- name: Directory for firewall parts
+  ansible.builtin.file:
+    group: root
+    owner: root
+    name: /etc/firewall.d/
+    mode: "0700"
+    state: directory
+
+- name: Firewall template
+  ansible.builtin.template:
+    dest: /etc/network/if-pre-up.d/firewall
+    group: root
+    owner: root
+    mode: "0755"
+    src: firewall.j2
+  notify: Restart firewall
--- a/roles/baseline/tasks/main.yml
+++ b/roles/baseline/tasks/main.yml
@ -0,0 +1,11 @@
+- name: Manage apt packages
+  ansible.builtin.import_tasks: packages.yml
+
+- name: Manage global firewall
+  ansible.builtin.import_tasks: firewall.yml
+
+- name: Manage root user
+  ansible.builtin.import_tasks: rootuser.yml
+
+- name: Ensure handlers have ran
+  ansible.builtin.meta: flush_handlers
--- a/roles/baseline/tasks/packages.yml
+++ b/roles/baseline/tasks/packages.yml
@ -0,0 +1,47 @@
+- name: Keep apt repository list uptodate
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 3600
+  # Even if we "changed it", it's merely a cache, so ignore
+  changed_when: false
+
+- name: Update system packages to lates
+  ansible.builtin.apt:
+    upgrade: dist
+
+- name: Remove unused packages
+  ansible.builtin.apt:
+    autoremove: true
+
+# The following is a list of utilities that I personally use
+# to make my life easier.  It is opiniated and not needed...
+- name: Install utilities to make life easier
+  ansible.builtin.apt:
+    pkg:
+      - apt-dater
+      - mosh
+      - mc
+      - vim
+      - curl
+      - jq
+      - host
+      - telnet
+      - screen
+      - tmux
+      - tcpdump
+      - sqlite3
+      - bash-completion
+      - mtr-tiny
+      - iotop
+      - iftop
+      - htop
+      - ncdu
+
+- name: Firewall for mosh
+  ansible.builtin.template:
+    dest: /etc/firewall.d/mosh
+    group: root
+    owner: root
+    mode: "0755"
+    src: mosh.j2
+  notify: Restart firewall
--- a/roles/baseline/tasks/rootuser.yml
+++ b/roles/baseline/tasks/rootuser.yml
@ -0,0 +1,27 @@
+- name: Set root password
+  ansible.builtin.user:
+    name: root
+    password: "{{ root_password }}"
+
+- name: Ensure ssh directory for root
+  ansible.builtin.file:
+    state: directory
+    path: /root/.ssh
+    owner: root
+    group: root
+    mode: "0700"
+
+- name: Set authorized keys for root
+  ansible.builtin.copy:
+    content: "{{ root_sshkeys | join('\n') }}"
+    dest: /root/.ssh/authorized_keys
+    owner: root
+    group: root
+    mode: "0600"
+
+- name: Only allow root ssh
+  ansible.builtin.lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "PermitRootLogin prohibit-password"
+    regexp: "^PermitRootLogin "
+  notify: Restart sshd
--- a/roles/baseline/templates/firewall.j2
+++ b/roles/baseline/templates/firewall.j2
@ -0,0 +1,78 @@
+#!/bin/bash
+# {{ ansible_managed }}
+
+# IPv4:
+iptables -F
+iptables -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -t nat -F
+iptables -t nat -X
+
+iptables -P INPUT ACCEPT
+iptables -P OUTPUT ACCEPT
+iptables -P FORWARD ACCEPT
+
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -m state --state INVALID -j DROP
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmp --icmp-type echo-request -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
+iptables -A INPUT -p icmp -j ACCEPT
+
+{% for range in firewall_ssh_ranges %}
+{%if range.type=="ipv4" %}
+iptables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
+{%endif%}
+{%endfor%}
+
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m state --state INVALID -j DROP
+
+# IPv6:
+ip6tables -F
+ip6tables -X
+ip6tables -t mangle -F
+ip6tables -t mangle -X
+ip6tables -t nat -F
+ip6tables -t nat -X
+
+ip6tables -P INPUT ACCEPT
+ip6tables -P OUTPUT ACCEPT
+ip6tables -P FORWARD ACCEPT
+
+ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -m state --state INVALID -j DROP
+ip6tables -A INPUT -i lo -j ACCEPT
+ip6tables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
+ip6tables -A INPUT -p icmpv6 -j ACCEPT
+
+{% for range in firewall_ssh_ranges %}
+{%if range.type=="ipv6" %}
+ip6tables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
+{%endif%}
+{%endfor%}
+
+ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A OUTPUT -m state --state INVALID -j DROP
+
+
+# Disable all forwarding
+echo 0 > /proc/sys/net/ipv4/ip_forward
+echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
+
+# Customisation:
+{# we use run-parts as it guarantees order and ignores backups etc.  We use --list as it would otherwise run them concurently, causing iptables to exit with EAGAIN as changing the firewall is not possible by 2 prococesses #}
+for i in $(run-parts --list /etc/firewall.d/)
+do
+    $i
+done
+
+# Finish off with a block
+iptables -A INPUT -j REJECT
+ip6tables -A INPUT -j REJECT
+iptables -A FORWARD -j REJECT
+ip6tables -A FORWARD -j REJECT
+
+# {{ansible_managed}}
--- a/roles/baseline/templates/mosh.j2
+++ b/roles/baseline/templates/mosh.j2
@ -0,0 +1,6 @@
+#!/bin/sh
+# {{ansible_managed}}
+# Firewall to allow mosh sessions
+
+ip6tables -A INPUT -p udp --match multiport --dports 60001:60020 -j ACCEPT
+iptables -A INPUT -p udp --match multiport --dports 60001:60020 -j ACCEPT